https://az0th.it/tags/lsass/ Recent content in Lsass on MrAzoth Hugo -- 0.154.5 en-us https://az0th.it/ad/windows/credential-attacks/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/windows/credential-attacks/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Attack</th> <th>Tool</th> <th>Privilege Required</th> </tr> </thead> <tbody> <tr> <td>LSASS dump (live)</td> <td>Mimikatz</td> <td>LocalAdmin + SeDebugPrivilege</td> </tr> <tr> <td>LSASS dump (ProcDump)</td> <td>ProcDump / comsvcs.dll</td> <td>LocalAdmin</td> </tr> <tr> <td>DCSync</td> <td>Mimikatz lsadump::dcsync</td> <td>Domain Admin (or replication rights)</td> </tr> <tr> <td>Local SAM</td> <td>reg save + secretsdump</td> <td>LocalAdmin</td> </tr> <tr> <td>LSA Secrets</td> <td>Mimikatz lsadump::lsa</td> <td>SYSTEM</td> </tr> <tr> <td>Cached domain creds</td> <td>Mimikatz lsadump::cache</td> <td>SYSTEM</td> </tr> <tr> <td>GPP passwords</td> <td>PowerSploit Get-GPPPassword</td> <td>Domain User (SYSVOL read)</td> </tr> <tr> <td>DPAPI triage</td> <td>SharpDPAPI</td> <td>LocalAdmin (backup key needs DA)</td> </tr> <tr> <td>WDigest cleartext</td> <td>Mimikatz sekurlsa::wdigest</td> <td>LocalAdmin + WDigest enabled</td> </tr> <tr> <td>Skeleton key</td> <td>Mimikatz misc::skeleton</td> <td>Domain Admin (DC access)</td> </tr> <tr> <td>SSP injection</td> <td>Mimikatz misc::memssp</td> <td>SYSTEM on DC</td> </tr> <tr> <td>Password spray</td> <td>DomainPasswordSpray / Rubeus</td> <td>Domain User</td> </tr> <tr> <td>PPL bypass</td> <td>mimidrv.sys kernel driver</td> <td>SYSTEM + vulnerable driver</td> </tr> </tbody> </table> <hr> <h2 id="mimikatz--core-commands">Mimikatz — Core Commands</h2> <p>Mimikatz is the primary credential extraction tool for Windows. Most operations require <code>SeDebugPrivilege</code> at minimum, and many require SYSTEM.</p>