LSASS and SAM

LSASS

LSASS is the king of post-exploitation targets in Windows environments. LSASS contains cached credentials for logon sessions, Kerberos tickets, and other secrets. This is the ideal target, but these days EDR vendors have it pretty locked down. Dumping smaller parts of the LSASS process is less likely to get noticed, such as only grabbing Kerberos tickets.

The classic LSASS dump method is just to use mimikatz. There are countless other options and ports at this point, each made in a different language and for a different reason. Here are a few.

mimikatz sekurlsa::logonpasswords
nxc smb 10.10.10.10 -u admin -p pass --lsa
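The defender's side of the LSASS dumps above, as an added example that is not part of the original notes: a small Python filter over Sysmon Event ID 10 (ProcessAccess) records that flags handles opened to lsass.exe with memory-read or full access from a process outside an allowlist. The sample events and the allowlist are constructed for illustration and would need tuning to a real environment.

```python
import json

# Access-mask bits from the Windows PROCESS_* constants.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Source images that routinely open lsass.exe on many hosts.
# Assumption: this allowlist is illustrative and must be tuned per environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

def is_suspicious_lsass_access(event: dict) -> bool:
    """True for a Sysmon Event ID 10 record in which a non-allowlisted
    process opens lsass.exe with PROCESS_VM_READ or PROCESS_ALL_ACCESS."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    # Sysmon logs GrantedAccess as a hex string such as "0x1010".
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    reads_memory = bool(granted & PROCESS_VM_READ) or granted == PROCESS_ALL_ACCESS
    source = event.get("SourceImage", "").lower()
    return reads_memory and source not in ALLOWLIST

def scan(events):
    """Return the subset of events that should be raised as alerts."""
    return [e for e in events if is_suspicious_lsass_access(e)]

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "SourceImage": r"C:\Users\bob\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Only the two tool.exe records are returned; the allowlisted system processes and the non-ProcessAccess event are ignored.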

SAM

The SAM contains NTLM hashes of local-only accounts. This is useful to grab the local Administrator NTLM hash, but that's probably about it.

mimikatz lsadump::sam
nxc smb 10.10.10.10 -u admin -p --sam
