LSASS Memory
Dump LSASS (mimikatz, procdump, comsvcs) to extract plaintext, NT hashes, and Kerberos tickets.
§ Where this technique fits
T1003.001 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 5 approved dossiers in the registry, at step 6 on average.
Authoritative reference: attack.mitre.org/techniques/T1003/001/.
§ Dossiers chaining this technique
- step 5 / 8
No creds → Domain Admin via LLMNR poisoning and NTLM relay
Unauthenticated attacker on the LAN poisons name resolution, relays the captured NetNTLMv2 to a host with SMB signing disabled, then escalates to Domain Admin.
- step 5 / 5
LAPS read → local admin on every endpoint
A delegated 'helpdesk' group gains read access to ms-Mcs-AdmPwd. Compromising any member of that group cascades to local admin on every LAPS-managed machine.
- step 6 / 6
Java deserialization → ysoserial → RCE
An endpoint deserializes a Java object from user-controlled bytes. ysoserial produces a gadget chain whose readObject() reaches Runtime.exec().
- step 6 / 6
MSSQL linked-server crawl → cross-host RCE
Linked-server trust chains in MSSQL let a low-priv login execute as a higher-priv login on a remote SQL host — and pivot recursively across the estate.
- step 8 / 8
AS-REP roast → cracked user → Kerberoast → service-account admin
An anonymous attacker recovers a user password via AS-REP roasting, authenticates, kerberoasts a service account with a weak password, and lands on a high-value server.
§ What commonly comes next
- 01 BloodHound / SharpHound Enumeration (seen 1×) · AD-BLOODHOUND · Discovery