I performed extensive research on how attackers dump credentials from LSASS and Active Directory, including pulling the Active Directory database (ntds.dit) remotely. This information is covered in two newer and greatly expanded posts:
Attackers can pull credentials from LSASS using a variety of techniques:
- Dump the LSASS process from memory to disk using Sysinternals ProcDump. Since ProcDump is a signed Microsoft utility, AV usually doesn’t trigger on it. ProcDump creates a minidump of the target process from which Mimikatz can extract credentials.
- The legitimate VMWare tool Vmss2core can be used to dump memory from a suspended VM (*.vmss) or saved VM (*.vmsn) file. The Volatility Framework can extract the hashes.
We all love grabbing credentials from Window machines that we have compromised, wether they are in clear-text or hashes. Sometimes, however, it is not possible to get those credentials immediately if at all. In this tutorial I want to briefly show two cases where you can dump memory to disk (exfiltrate it) and extract the credentials at a later time. I will demonstrate these test cases on a 32-bit Windows 7 VM that I use for testing purposes, these techniques should however apply to a wide variety of Windows builds.
ProcDump // Windows Sysinternals – here
Mimikatz // Blog de Gentil Kiwi – here
The Volatility Foundation // Homepage – here
Vmss2core // VMWare Labs – here
VMware Snapshot and Saved State Analysis // Volatility Labs – here
Read the details at FuzzySecurity.com