Credential Abuse
Methods of extracting and using credentials for post-exploitation activities.
Interacting with Local Security Authority (LSA)
EDR usually looks for interactions with LSASS, while LSA is usually overlooked, especially if it is targeted using "normal"-looking activity.
Extract NTLMv2 hash from local system.
Command: Seatbelt.exe SecPackageCreds
If no other method of credential extraction is available and you can't obtain the hash or cleartext of the compromised user (for example because you landed via payload execution or RCE), then trying to crack the NTLMv2 hash can be useful.
Extract TGT tickets from LSA
Need local admin/SYSTEM privileges to extract other users' TGTs.
Command: Rubeus.exe dump /service:krbtgt
The base64 encoded ticket can be used in a pass-the-ticket attack using Rubeus.exe ptt /ticket:<base64_ticket>
Interacting with Data Protection API (DPAPI)
Decrypt DPAPI secrets
Command: SharpDPAPI.exe triage, SharpDPAPI.exe machinetriage
There are two methods of doing this: one is to decrypt with the user's password, and the other is to decrypt with the access token of the running process.
Interacting with Local Security Authority Subsystem Service (LSASS)
Mimikatz is the de facto program to use here. Either create an obfuscated version and execute it on disk (good luck with EDR hooks), or use the built-in mimikatz in Cobalt Strike, which runs without writing to disk.
There are alternative ways to do this too, including SafetyKatz or SharpDump.
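The LSASS detection these notes mention EDR performing, shown as a defender's rule run over constructed Sysmon Event ID 10 (ProcessAccess) telemetry. This is an added example, not code from the original notes; the one-JSON-object-per-line input format, the allow-list and the VM_READ threshold are assumptions.

```python
"""Flag handle opens on lsass.exe in Sysmon Event ID 10 records.

Added example, not code from the original notes. Input format is assumed: one
JSON object per line with EventID, SourceImage, TargetImage, GrantedAccess.
"""
import json

# PROCESS_VM_READ (0x0010) lets a process read another's memory; a
# non-allow-listed image requesting it on lsass.exe is what we flag.
PROCESS_VM_READ = 0x0010

# Assumed allow-list of images that legitimately open LSASS on this host;
# a real deployment baselines this per environment.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\svchost.exe"}

def is_suspicious_lsass_access(event):
    """True when a non-allow-listed process asks for VM_READ on lsass.exe."""
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)  # mask is logged as hex text
    return bool(granted & PROCESS_VM_READ)

def scan_sysmon_lines(lines):
    """Return the SourceImage of every Event ID 10 record that trips the rule."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed or blank lines instead of aborting the scan
        if event.get("EventID") == 10 and is_suspicious_lsass_access(event):
            hits.append(event["SourceImage"])
    return hits

# Constructed sample telemetry (not real events): a benign system access, an
# unknown binary reading LSASS, an unrelated handle open, a non-10 event, junk.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]] + ["", "not json"]

if __name__ == "__main__":
    print(scan_sysmon_lines(SAMPLE_LINES))  # ['C:\\Users\\alice\\Downloads\\tool.exe']
```

Only the unknown binary asking for VM_READ on lsass.exe is reported; the allow-listed svchost.exe open, the non-LSASS handle and the junk lines are dropped.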