# Recovering lsass.dmp from Defender Quarantine

During forensic investigations or red team operations, it is common for critical artifacts, such as memory dumps or credential caches, to be flagged and quarantined by **Microsoft Defender**. This is especially true for **LSASS process dumps**. Defender does not keep quarantined files as-is: each one is RC4-encrypted with a hardcoded key and stored under a non-descriptive, hash-style name beneath `%ProgramData%\Microsoft\Windows Defender\Quarantine\` (payloads under `ResourceData`, encrypted metadata records under `Entries`), which makes recovery a challenge.

This tool allows you to **decrypt files quarantined by Microsoft Defender**, restoring them to their original state for analysis.

#### 🧪 Use Case

Imagine you're performing a **credential dumping assessment** in an Active Directory environment. You successfully dump the LSASS memory to `lsass.dmp`, but **Windows Defender instantly quarantines it**, encrypting and renaming the file.

Even if you recover the quarantined file manually, it's **unreadable without decryption**.

With this decryptor, you can restore the original `lsass.dmp` (written to a file of your choosing, such as `lsass_decoded.bin`) and proceed with offline analysis, such as:

* Hash extraction
* Password cracking
* Memory analysis (e.g. with tools like pypykatz)

```
pypykatz lsa minidump lsass_decoded.bin
```

#### ✨ Features

* 🔑 Implements **RC4 decryption** using the hardcoded key Defender applies to its quarantine store.
* 📦 Recovers both the **original file** and its **metadata**.
* ⏱️ Displays **decryption duration** for performance tracking.
* 💡 Lightweight, **no external dependencies**, and **cross-platform friendly**.

🔗 GitHub: <https://lnkd.in/dP4xjHEF>

You can combine this tool with:

🔗 GitHub: <https://lnkd.in/dsv8VDDh>
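The decryption step itself is plain RC4. As an added example that is not the tool's own code, the script below implements the key-scheduling and keystream routines, decrypts a quarantine blob and carves the recovered minidump from the first `MDMP` signature. Defender's real key lives in `mpengine.dll` and is not reproduced here: `DEMO_KEY` (assumed to match the real key's 256-byte length) and the `SAMPLE_*` buffers are constructed stand-ins so the script runs offline, and the signature search is a heuristic that stands in for parsing the Defender header in front of the original file bytes, which this example does not do.

```python
#!/usr/bin/env python3
"""RC4 decryptor for Microsoft Defender quarantine files.

Added example, not the tool's own code. Defender RC4-encrypts every quarantined
payload (ResourceData) and every metadata record (Entries) under one fixed key
embedded in mpengine.dll. That key is NOT reproduced here: pass the real one as
``key``. DEMO_KEY and the SAMPLE_* buffers are constructed stand-ins so the
script runs offline.
"""
import sys
from pathlib import Path


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: derive the 256-entry permutation S from key.
    Standard RC4: a key shorter than 256 bytes is repeated."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(data: bytes, key: bytes) -> bytes:
    """PRGA: XOR data with the RC4 keystream. RC4 is symmetric, so the same
    call encrypts and decrypts. Known-answer vector: key b"Key" turns
    b"Plaintext" into bbf316e8d940af0ad3."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray(len(data))
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def find_minidump_offset(data: bytes) -> int:
    """Heuristic: Windows minidumps start with the signature b"MDMP". Return
    the offset of its first occurrence, or -1. In a decrypted ResourceData
    file this lands just past the Defender header, which is not parsed here."""
    return data.find(b"MDMP")


def recover_minidump(blob: bytes, key: bytes) -> bytes:
    """Decrypt a quarantine blob and carve from the MDMP signature onward.
    Returns b"" if no signature is found (wrong key, or not a minidump)."""
    plaintext = rc4_crypt(blob, key)
    off = find_minidump_offset(plaintext)
    return plaintext[off:] if off >= 0 else b""


# Constructed stand-in for Defender's hardcoded key (assumption: 256 bytes).
# Deliberately NOT the real key; replace it before use on real quarantine files.
DEMO_KEY = bytes((i * 7 + 3) & 0xFF for i in range(256))

# Constructed sample: an 8-byte stand-in for the Defender header, then a
# minidump stub (signature + filler), encrypted with DEMO_KEY.
SAMPLE_HEADER = b"\xAA" * 8
SAMPLE_DUMP = b"MDMP" + bytes(range(16))
SAMPLE_QUARANTINE = rc4_crypt(SAMPLE_HEADER + SAMPLE_DUMP, DEMO_KEY)


def main(argv: list) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <ResourceData file> <output file>", file=sys.stderr)
        return 2
    dump = recover_minidump(Path(argv[1]).read_bytes(), DEMO_KEY)
    if not dump:
        print("no MDMP signature after decryption: wrong key or not a minidump",
              file=sys.stderr)
        return 1
    Path(argv[2]).write_bytes(dump)
    print(f"wrote {len(dump)} bytes to {argv[2]}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the real key substituted for `DEMO_KEY`, run it as `python defender_rc4.py <ResourceData file> lsass_decoded.bin` and hand the output to `pypykatz lsa minidump lsass_decoded.bin` as shown in the use case. A missing `MDMP` signature after decryption is the quickest sign that the key is wrong or that the quarantined file was never a minidump.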

