Credential access

← maldev README · docs/index

Pure-Go credential-extraction primitives for Windows: live LSASS process dumping, offline SAM hive parsing, in-process MINIDUMP parsing, and Kerberos ticket forging. The four packages chain end-to-end — lsassdump produces a dump, sekurlsa parses it into typed credentials, goldenticket re-uses an extracted krbtgt hash to mint a Golden TGT, and samdump covers the local-account branch when LSASS access is unavailable.

flowchart LR
    subgraph host [Live Windows host]
        L[lsass.exe<br>memory]
        S[SYSTEM + SAM<br>hives]
        K[krbtgt key<br>on a DC]
    end
    subgraph extract [credentials/*]
        LD[lsassdump<br>NtReadVirtualMemory<br>+ in-process MINIDUMP<br>+ optional PPL bypass]
        SE[sekurlsa<br>parse MINIDUMP<br>walk MSV / Wdigest /<br>Kerberos / DPAPI / TSPkg /<br>CloudAP / LiveSSP / CredMan]
        SD[samdump<br>REGF parser<br>+ syskey / hashed bootkey<br>+ AES/RC4/DES decrypt]
    end
    subgraph forge [credentials/*]
        GT[goldenticket<br>Forge + Submit]
    end
    L --> LD
    LD --> SE
    S --> SD
    K --> SE
    SE -.krbtgt hash.-> GT
    SD --> OUT[NTLM hashes / pwdump]
    SE --> OUT2[NTLM / Kerberos / DPAPI<br>/ CloudAP PRT / etc.]
    GT --> KIRBI[kirbi blob<br>+ LSA cache inject]

Where to start (novice path):

Want NTLM hashes / Kerberos tickets from the live host? → lsassdump → sekurlsa chain. The two-package pipeline covers 90% of credential extraction needs.

Want local SAM hashes (no LSASS access)? → samdump — offline-friendly REGF parser.

Already have a krbtgt hash and want long-dwell domain admin? → goldenticket — forge + submit.

The Quick decision tree below maps every common operator question to the exact entry point.

Packages

Package	Tech page	Detection	One-liner
`credentials/lsassdump`	lsassdump.md	noisy	`NtGetNextProcess` + in-process MINIDUMP + EPROCESS PPL unprotect via RTCore64
`credentials/sekurlsa`	sekurlsa.md	quiet (parser only)	Pure-Go MSV1_0 / Wdigest / Kerberos / DPAPI / TSPkg / CloudAP / LiveSSP / CredMan walkers + LSA-crypto unwrap + PTH write-back + Kerberos kirbi export
`credentials/samdump`	samdump.md	quiet (offline) / noisy (LiveDump)	Offline SAM hive dump — REGF parser + boot-key permutation + AES/RC4 hashed-bootkey + per-RID DES de-permutation
`credentials/goldenticket`	goldenticket.md	noisy (visible TGT lifetime)	PAC marshaling + KRB5 `Forge` + LSA `Submit` for Golden Ticket attacks

Quick decision tree

You want to…	Use
…get NTLM hashes / Kerberos tickets from a live host	`lsassdump` → `sekurlsa.Parse` chain
…parse a `.dmp` you obtained out-of-band	`sekurlsa.Parse`
…dump SAM offline (no LSASS access)	`samdump.Dump`
…acquire SAM/SYSTEM live (loud)	`samdump.LiveDump`
…forge a Golden Ticket	`goldenticket.Forge` → `Submit`
…pass-the-hash into a live LSASS	`sekurlsa.Pass` / `PassImpersonate`
…pass-the-ticket	`sekurlsa.KerberosTicket.ToKirbi` → `goldenticket.Submit`
…bypass PPL on lsass.exe	`lsassdump.Unprotect` + `kernel/driver/rtcore64`

MITRE ATT&CK

T-ID	Name	Packages	D3FEND counter
T1003.001	OS Credential Dumping: LSASS Memory	`credentials/lsassdump`, `credentials/sekurlsa`	D3-PSA, D3-SICA
T1003.002	OS Credential Dumping: SAM	`credentials/samdump`	D3-PSA, D3-FCA
T1068	Exploitation for Privilege Escalation	`credentials/lsassdump` (PPL bypass via BYOVD)	D3-SICA
T1550.002	Use Alternate Authentication Material: Pass the Hash	`credentials/sekurlsa`	D3-PSA, D3-SICA
T1550.003	Use Alternate Authentication Material: Pass the Ticket	`credentials/sekurlsa`, `credentials/goldenticket`	D3-NTA
T1558.001	Steal or Forge Kerberos Tickets: Golden Ticket	`credentials/goldenticket`	D3-AZET, D3-NTA
T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	`credentials/sekurlsa` (downstream consumer)	D3-NTA

maldev

Credential access

Packages

Quick decision tree

MITRE ATT&CK

See also