Credential Attacks — From Windows

Quick Reference

Attack | Tool | Privilege Required
LSASS dump (live) | Mimikatz | LocalAdmin + SeDebugPrivilege
LSASS dump (ProcDump) | ProcDump / comsvcs.dll | LocalAdmin
DCSync | Mimikatz lsadump::dcsync | Domain Admin (or replication rights)
Local SAM | reg save + secretsdump | LocalAdmin
LSA Secrets | Mimikatz lsadump::lsa | SYSTEM
Cached domain creds | Mimikatz lsadump::cache | SYSTEM
GPP passwords | PowerSploit Get-GPPPassword | Domain User (SYSVOL read)
DPAPI triage | SharpDPAPI | LocalAdmin (backup key needs DA)
WDigest cleartext | Mimikatz sekurlsa::wdigest | LocalAdmin + WDigest enabled
Skeleton key | Mimikatz misc::skeleton | Domain Admin (DC access)
SSP injection | Mimikatz misc::memssp | SYSTEM on DC
Password spray | DomainPasswordSpray / Rubeus | Domain User
PPL bypass | mimidrv.sys kernel driver | SYSTEM + vulnerable driver

Mimikatz — Core Commands

Mimikatz is the primary credential extraction tool for Windows. Most operations require SeDebugPrivilege at minimum, and many require SYSTEM. ...

14 min · MrAzoth

Persistence — From Windows

Quick Reference Table

Technique | Tool | Requirement | Stealth Level
Golden Ticket | Mimikatz / Rubeus | krbtgt hash + DOMAIN_SID | Medium
Silver Ticket | Mimikatz / Rubeus | Service account hash | High
Diamond Ticket | Rubeus | krbtgt AES256 + DA creds | High
DCSync rights backdoor | PowerView | Domain Admin | Low
AdminSDHolder abuse | PowerView | Domain Admin | Low
DPAPI Backup Key | SharpDPAPI | Domain Admin | High
Skeleton Key | Mimikatz | Domain Admin (LSASS access) | Low
WMI Event Subscription | PowerShell | Local Admin | Medium
SID History | Mimikatz | Domain Admin | Medium

DCSync

What it is: Abuse of the Directory Replication Service (DRS) protocol to impersonate a domain controller and request password data for any account directly from a legitimate DC. No file on disk needs to be touched — the DC simply hands over the hashes on request, because that is exactly what the DRS protocol is designed to do between DCs. ...

21 min · MrAzoth