extracting-credentials-from-memory-dump
Extract cached credentials, password hashes, Kerberos tickets, and authentication tokens from memory dumps using Volatility and Mimikatz for forensic investigation.
# Extracting Credentials from Memory Dump
## When to Use
- During incident response to determine what credentials an attacker had access to
- When assessing the scope of credential compromise after a breach
- For identifying accounts that need immediate password resets
- When investigating lateral movement and pass-the-hash/pass-the-ticket attacks
- For recovering encryption keys or authentication tokens from process memory
## Prerequisites
- Memory dump in raw, ELF, or crash dump format
- Volatility 3 with Windows symbol tables
- Mimikatz (for offline analysis of extracted LSASS dumps)
- pypykatz (Python implementation of Mimikatz for Linux-based analysis)
- Understanding of Windows authentication (NTLM, Kerberos, DPAPI)
- Appropriate legal authorization for credential extraction
## Workflow
### Step 1: Prepare Tools and Verify Memory Dump
```bash
# Install analysis tools
pip install volatility3 pypykatz
# Verify memory dump integrity
sha256sum /cases/case-2024-001/memory/memory.raw
# Identify the OS version
vol -f /cases/case-2024-001/memory/memory.raw windows.info
# Verify LSASS process exists in memory
vol -f /cases/case-2024-001/memory/memory.raw windows.pslist | grep -i lsass
# Output:
# PID PPID ImageFileName Offset(V) Threads Handles SessionId
# 684 564 lsass.exe 0xffffe00123456 35 1234 0
```
### Step 2: Extract Credential Hashes with Volatility
```bash
# Dump SAM database hashes from memory
vol -f /cases/case-2024-001/memory/memory.raw windows.hashdump \
| tee /cases/case-2024-001/analysis/hashdump.txt
# Output format:
# User RID LM Hash NTLM Hash
# Administrator 500 aad3b435b51404eeaad3b435b51404ee fc525c9683e8fe067095ba2ddc971889
# Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
# DefaultAccount 503 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
# svcbackup 1001 aad3b435b51404eeaad3b435b51404ee 2b576acbe6bcfda7294d6bd18041b8fe
# Extract LSA secrets
vol -f /cases/case-2024-001/memory/memory.raw windows.lsadump \
| tee /cases/case-2024-001/analysis/lsadump.txt
# Extract cached domain credentials
vol -f /cases/case-2024-001/memory/memory.raw windows.cachedump \
| tee /cases/case-2024-001/analysis/cachedump.txt
```
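The hashdump listing above is only useful once it has been turned into decisions: which accounts need a reset, which ones have no password at all, and whether any two accounts share a password (one reset is then not enough). The following parser is an added example written for this page, not part of the skill or of Volatility; its input is a constructed sample in the same User / RID / LM hash / NTLM hash column layout, with two extra rows invented to exercise the LM-hash and shared-password checks. The two constants are the well-known LM and NT hashes of the empty string.

```python
"""Triage Volatility 3 windows.hashdump output into a password-reset list.

Added example (not part of the original skill). Input is a constructed sample
in the User / RID / LM hash / NTLM hash column layout shown above.
"""
import re
from collections import defaultdict

# Well-known hashes of the empty string, i.e. "no password stored"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: the first four rows mirror the listing above; the last
# two are invented so that the LM-hash and shared-password checks fire.
SAMPLE_HASHDUMP = """\
User RID LM Hash NTLM Hash

Administrator 500 aad3b435b51404eeaad3b435b51404ee fc525c9683e8fe067095ba2ddc971889
Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount 503 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
svcbackup 1001 aad3b435b51404eeaad3b435b51404ee 2b576acbe6bcfda7294d6bd18041b8fe
legacyuser 1005 e52cac67419a9a224a3b108f3fa6cb6d 8846f7eaee8fb117ad06bdd830b7586c
backupadmin 1006 aad3b435b51404eeaad3b435b51404ee 2b576acbe6bcfda7294d6bd18041b8fe
"""

# One account row: name, decimal RID, 32-hex LM hash, 32-hex NT hash
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+([0-9a-fA-F]{32})\s+([0-9a-fA-F]{32})\s*$")


def parse_hashdump(text):
    """Return one dict per account row; banner, header and blank lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def triage(accounts):
    """Classify accounts for the incident-response reset list.

    reset_required  : a real NT hash was in memory, so the password must be rotated
    empty_password  : NT hash of "" (blank or disabled account), report as a weakness
    lm_hash_stored  : a non-empty LM hash means LM storage is still enabled
    shared_password : accounts with identical NT hashes share a password
    """
    by_nt = defaultdict(list)
    result = {"reset_required": [], "empty_password": [], "lm_hash_stored": [], "shared_password": {}}
    for acct in accounts:
        if acct["nt"] == EMPTY_NT:
            result["empty_password"].append(acct["user"])
        else:
            result["reset_required"].append(acct["user"])
            by_nt[acct["nt"]].append(acct["user"])
        if acct["lm"] != EMPTY_LM:
            result["lm_hash_stored"].append(acct["user"])
    result["shared_password"] = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return result


if __name__ == "__main__":
    findings = triage(parse_hashdump(SAMPLE_HASHDUMP))
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Feed it the saved `hashdump.txt` instead of the sample to get the reset list for a real case; the parser ignores the framework banner and progress lines, so the file can be passed in as-is.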
### Step 3: Dump LSASS Process Memory for Detailed Analysis
```bash
# Dump LSASS process memory (PID from Step 1).
# In Volatility 3, -o/--output-dir is a global option and must come before the plugin name.
vol -f /cases/case-2024-001/memory/memory.raw \
    -o /cases/case-2024-001/analysis/lsass_dump/ \
    windows.memmap --pid 684 --dump
# Alternative: dump the file-backed objects (DLLs, mapped files) associated with LSASS
vol -f /cases/case-2024-001/memory/memory.raw \
    -o /cases/case-2024-001/analysis/lsass_files/ \
    windows.dumpfiles --pid 684
# Rename the dump file for pypykatz/mimikatz.
# Caveat: Volatility 3 has no procdump plugin, and memmap --dump writes a flat image of
# the process's mapped pages (pid.684.dmp), not a Windows minidump, so a minidump parser
# may reject it; a minidump collected from the live host is the most reliable input.
mv /cases/case-2024-001/analysis/lsass_dump/pid.684.dmp \
   /cases/case-2024-001/analysis/lsass.dmp
```
### Step 4: Extract Credentials with pypykatz
```bash
# Run pypykatz against the extracted LSASS dump (expects Windows minidump format)
pypykatz lsa minidump /cases/case-2024-001/analysis/lsass.dmp \
    > /cases/case-2024-001/analysis/pypykatz_results.txt 2>&1
# Run pypykatz against the raw memory dump directly
# (the rekall backend needs the unmaintained rekall package and may not install on current Python)
pypykatz lsa rekall /cases/case-2024-001/memory/memory.raw \
    > /cases/case-2024-001/analysis/pypykatz_full.txt 2>&1
# Parse pypykatz output for structured analysis
python3 << 'PYEOF'
import json
import subprocess

# pypykatz can also emit JSON (-j), which is easier to process than the text report
result = subprocess.run(
    ['pypykatz', 'lsa', 'minidump', '/cases/case-2024-001/analysis/lsass.dmp', '-j'],
    capture_output=True, text=True
)
if result.returncode != 0 or not result.stdout.strip():
    raise SystemExit(f"pypykatz failed: {result.stderr.strip()}")

data = json.loads(result.stdout)
# The JSON document is keyed by the dump file path; each value carries
# 'logon_sessions', 'orphaned_creds' and 'errors'. A document with
# 'logon_sessions' at the top level is accepted as well.
if 'logon_sessions' in data:
    sessions = data['logon_sessions']
else:
    sessions = {}
    for dump_result in data.values():
        sessions.update(dump_result.get('logon_sessions', {}))

print("=== EXTRACTED CREDENTIALS ===\n")
for session_key, session in sessions.items():
    username = session.get('username', 'Unknown')
    domain = session.get('domainname', '')
    logon_server = session.get('logon_server', '')
    logon_time = session.get('logon_time', '')
    sid = session.get('sid', '')
    if not username or username == '(null)':
        continue
    print(f"Session: {domain}\\{username}")
    print(f"  SID: {sid}")
    print(f"  Logon Server: {logon_server}")
    print(f"  Logon Time: {logon_time}")
    # NTLM hashes (MSV package)
    for cred in session.get('msv_creds') or []:
        nt = cred.get('NThash', '')
        lm = cred.get('LMHash', '')
        if nt:
            print(f"  NTLM Hash: {nt}")
        if lm:
            print(f"  LM Hash: {lm}")
    # Kerberos credentials and tickets
    for cred in session.get('kerberos_creds') or []:
        password = cred.get('password', '')
        if password:
            print(f"  Kerberos Password: {password}")
        for ticket in cred.get('tickets') or []:
            print(f"  Kerberos Ticket: {ticket.get('server', '')} (type: {ticket.get('enc_type', '')})")
    # WDigest (plaintext on older systems, or where WDigest credential caching is enabled)
    for cred in session.get('wdigest_creds') or []:
        pwd = cred.get('password', '')
        if pwd:
            print(f"  WDigest Password: {pwd}")
    # DPAPI master keys
    for cred in session.get('dpapi_creds') or []:
        mk = cred.get('masterkey', '')
        if mk:
            print(f"  DPAPI Master Key: {mk[:40]}...")
    print()
PYEOF
```
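Printing every session is fine for a first look, but the report in Step 6 needs a ranking: plaintext in memory is worse than an NT hash, which is worse than tickets that expire on their own, and a logon that falls inside the incident window is stronger evidence of attacker use than one from weeks earlier. The triage below is an added example written for this page (not part of the skill or of pypykatz). It assumes the JSON layout that `pypykatz -j` emits, a top-level key per dump path, `logon_sessions` keyed by LUID and per-package lists such as `msv_creds` and `wdigest_creds`, and assumes `logon_time` is an ISO 8601 string; both should be checked against the pypykatz version in use. The sample document is constructed with dummy hashes, passwords and SIDs.

```python
"""Turn pypykatz JSON output into a prioritised password-reset list.

Added example, not part of the original skill or of pypykatz. Assumes the
pypykatz -j layout (top-level key = dump path, 'logon_sessions' keyed by LUID,
per-package credential lists) and ISO 8601 logon_time strings.
"""
from datetime import datetime

# Constructed sample: shapes only; hashes, passwords and SIDs are dummy values
SAMPLE_PYPYKATZ = {
    "/cases/case-2024-001/analysis/lsass.dmp": {
        "logon_sessions": {
            "0x3e7": {  # machine account, logged on before the incident window
                "username": "WS01$", "domainname": "CORP", "sid": "S-1-5-18",
                "logon_time": "2024-01-15T08:00:00",
                "msv_creds": [{"NThash": "0" * 32, "LMHash": None}],
                "kerberos_creds": [], "wdigest_creds": [], "dpapi_creds": [],
            },
            "0x1a2b3c": {  # interactive admin logon inside the incident window
                "username": "admin.user", "domainname": "CORP", "sid": "S-1-5-21-1-2-3-1104",
                "logon_time": "2024-01-18T22:14:05",
                "msv_creds": [{"NThash": "1" * 32, "LMHash": None}],
                "kerberos_creds": [{"password": None, "tickets": [{"server": "krbtgt/CORP"}]}],
                "wdigest_creds": [], "dpapi_creds": [],
            },
            "0x4d5e6f": {  # service account with a WDigest plaintext (dummy) password
                "username": "svc.backup", "domainname": "CORP", "sid": "S-1-5-21-1-2-3-1205",
                "logon_time": "2024-01-10T03:00:00",
                "msv_creds": [{"NThash": "2" * 32, "LMHash": None}],
                "kerberos_creds": [], "wdigest_creds": [{"password": "dummy-plaintext"}], "dpapi_creds": [],
            },
            "0x999": {  # anonymous session, no credentials: must be skipped
                "username": "(null)", "domainname": "", "sid": "", "logon_time": "",
                "msv_creds": [], "kerberos_creds": [], "wdigest_creds": [], "dpapi_creds": [],
            },
        },
        "orphaned_creds": [],
        "errors": [],
    }
}


def iter_sessions(data):
    """Yield logon sessions whether or not the document is keyed by dump path."""
    if "logon_sessions" in data:
        yield from data["logon_sessions"].values()
        return
    for dump_result in data.values():
        yield from dump_result.get("logon_sessions", {}).values()


def parse_time(value):
    """Parse an ISO 8601 timestamp; unparseable or empty values become None."""
    if isinstance(value, datetime):
        return value
    try:
        return datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def triage_sessions(data, window_start, window_end):
    """Return findings sorted most severe first, user accounts before machine accounts."""
    start, end = parse_time(window_start), parse_time(window_end)
    findings = []
    for s in iter_sessions(data):
        user = s.get("username") or ""
        if not user or user == "(null)":
            continue
        plaintext = any(c.get("password")
                        for c in (s.get("wdigest_creds") or []) + (s.get("kerberos_creds") or []))
        nt_hash = any(c.get("NThash") for c in (s.get("msv_creds") or []))
        tickets = sum(len(c.get("tickets") or []) for c in (s.get("kerberos_creds") or []))
        if plaintext:
            severity, reason = 3, "plaintext password recoverable"
        elif nt_hash:
            severity, reason = 2, "NT hash recoverable (pass-the-hash exposure)"
        elif tickets:
            severity, reason = 1, "Kerberos tickets only (pass-the-ticket exposure until expiry)"
        else:
            continue
        logon = parse_time(s.get("logon_time"))
        in_window = None not in (logon, start, end) and start <= logon <= end
        findings.append({
            "account": f"{s.get('domainname', '')}\\{user}",
            "machine_account": user.endswith("$"),
            "severity": severity,
            "reason": reason,
            "tickets": tickets,
            "logon_in_incident_window": in_window,
        })
    findings.sort(key=lambda f: (-f["severity"], f["machine_account"], f["account"]))
    return findings


if __name__ == "__main__":
    for f in triage_sessions(SAMPLE_PYPYKATZ, "2024-01-16T00:00:00", "2024-01-20T00:00:00"):
        flag = "IN WINDOW" if f["logon_in_incident_window"] else "pre-window"
        print(f"[{f['severity']}] {f['account']:<22} {f['reason']} ({flag})")
```

Machine accounts are ranked after user accounts on purpose: their password is rotated by the host itself, but a recovered machine-account hash still matters for the scope assessment, so they are kept in the list rather than dropped.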
### Step 5: Extract Kerberos Tickets and Tokens
```bash
# Export Kerberos tickets (.kirbi) from the LSASS dump
python3 << 'PYEOF'
import os
import subprocess

kirbi_dir = '/cases/case-2024-001/analysis/kerberos/'
os.makedirs(kirbi_dir, exist_ok=True)
# -k/--kerberos-dir makes pypykatz write each ticket it finds as a .kirbi file
result = subprocess.run(
    ['pypykatz', 'lsa', 'minidump', '/cases/case-2024-001/analysis/lsass.dmp', '-j', '-k', kirbi_dir],
    capture_output=True, text=True
)
if result.returncode != 0:
    raise SystemExit(f"pypykatz failed: {result.stderr.strip()}")
for f in sorted(os.listdir(kirbi_dir)):
    if f.endswith('.kirbi'):
        filepath = os.path.join(kirbi_dir, f)
        print(f"  Kerberos ticket: {f} ({os.path.getsize(filepath)} bytes)")
PYEOF
# windows.strings does not scan the image itself: it maps the output of the Unix
# strings tool (decimal offsets, i.e. `strings -td`) back to the owning process,
# so build that file first (one ASCII pass and one UTF-16LE pass).
strings -td /cases/case-2024-001/memory/memory.raw \
    > /cases/case-2024-001/analysis/strings.txt
strings -td -el /cases/case-2024-001/memory/memory.raw \
    >> /cases/case-2024-001/analysis/strings.txt
# Search LSASS memory for authentication tokens and API keys
vol -f /cases/case-2024-001/memory/memory.raw windows.strings \
    --strings-file /cases/case-2024-001/analysis/strings.txt --pid 684 | \
    grep -iE '(bearer |authorization:|api[_-]key|token=|password=|secret=)' \
    > /cases/case-2024-001/analysis/auth_strings.txt
# Search all processes for cloud credentials
vol -f /cases/case-2024-001/memory/memory.raw windows.strings \
    --strings-file /cases/case-2024-001/analysis/strings.txt | \
    grep -iE '(AKIA[A-Z0-9]{16}|ASIA[A-Z0-9]{16}|aws_secret_access_key)' \
    > /cases/case-2024-001/analysis/aws_credentials.txt
# Search all processes for browser session tokens
vol -f /cases/case-2024-001/memory/memory.raw windows.strings \
    --strings-file /cases/case-2024-001/analysis/strings.txt | \
    grep -iE '(session_id=|PHPSESSID=|JSESSIONID=|_ga=|sid=)' \
    > /cases/case-2024-001/analysis/session_tokens.txt
```
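The grep outputs above have a side effect worth handling: the analysis directory now holds live secrets in plaintext, so the case files themselves become something to protect. The scanner below is an added example written for this page (not part of the skill or of Volatility). It applies the same classes of pattern to a strings listing, records only a SHA-256 fingerprint, a short prefix and the owning PID per hit, and collapses repeats, so the findings file supports correlation and revocation without storing the secret. The input lines are constructed to resemble an `offset pid string` listing; the exact column layout of `windows.strings` is an assumption, so only the trailing string is pattern-matched. The AWS values are the documented AWS example credentials, not real keys.

```python
"""Classify and redact credential-like strings from a memory strings listing.

Added example (not part of the original skill). The sample lines are constructed
in an assumed "offset pid string" layout; only the trailing string is matched.
"""
import hashlib
import re

# Constructed sample. The AWS values are AWS's documented example credentials.
SAMPLE_STRINGS = """\
0x1a2b3c0 684 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.dummy-signature
0x1a2b4f8 684 aws_access_key_id=AKIAIOSFODNN7EXAMPLE
0x1a2b5a0 684 aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
0x1a2c000 684 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.dummy-signature
0x2f00010 4120 Cookie: JSESSIONID=7F2A9C1D3E4B5A6F7E8D9C0B1A2F3E4D
0x2f00400 4120 password=Winter2024!
0x3000000 4120 this line mentions a token= but has no value after it
"""

# (kind, pattern) pairs; group 1 is the secret value itself
PATTERNS = [
    ("bearer_token", re.compile(r"(?i)bearer\s+([A-Za-z0-9._\-]{16,})")),
    ("aws_access_key_id", re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")),
    ("aws_secret_access_key", re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})")),
    ("session_cookie", re.compile(r"(?i)(?:PHPSESSID|JSESSIONID|session_id|sid)=([A-Za-z0-9\-_]{8,})")),
    ("password_field", re.compile(r"(?i)password\s*=\s*(\S{4,})")),
    ("generic_token", re.compile(r"(?i)(?:token|secret|api[_-]?key)\s*=\s*(\S{8,})")),
]


def scan_strings(text):
    """Return de-duplicated, redacted findings; the secret value is never kept."""
    seen = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        offset, pid, payload = parts
        for kind, pattern in PATTERNS:
            m = pattern.search(payload)
            if not m:
                continue
            secret = m.group(1)
            fingerprint = hashlib.sha256(secret.encode()).hexdigest()[:12]
            entry = seen.setdefault((kind, fingerprint), {
                "kind": kind,
                "fingerprint": fingerprint,   # stable id for revocation tracking
                "preview": secret[:4] + "...",  # enough to recognise a key family
                "length": len(secret),
                "pids": set(),
                "occurrences": 0,
            })
            entry["pids"].add(int(pid))
            entry["occurrences"] += 1
    findings = []
    for entry in seen.values():
        entry["pids"] = sorted(entry["pids"])
        findings.append(entry)
    findings.sort(key=lambda f: (f["kind"], f["fingerprint"]))
    return findings


if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"{f['kind']:<22} {f['preview']:<8} len={f['length']:<3} "
              f"x{f['occurrences']} pids={f['pids']} id={f['fingerprint']}")
```

The last sample line shows the intended negative case: a bare `token=` with no value produces no finding, whereas the plain grep in the workflow would have matched it. When a real secret has to be revoked, the fingerprint lets the owning team confirm the match by hashing their own copy rather than receiving the value from the case file.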
### Step 6: Compile Credential Findings Report
```bash
# Generate credential compromise assessment
python3 << 'PYEOF'
print("""
CREDENTIAL EXTRACTION REPORT
==============================
Case: 2024-001
Source: memory.raw (16 GB Windows 10 memory dump)
Analysis Date: 2024-01-20
COMPROMISED ACCOUNTS:
=====================
1. Local Accounts (SAM):
- Administrator (RID 500): NTLM hash extracted
- svcbackup (RID 1001): NTLM hash extracted
- SQLService (RID 1002): NTLM hash extracted
2. Domain Accounts (LSASS):
- CORP\\admin.user: NTLM hash + Kerberos TGT
- CORP\\svc.backup: NTLM hash + plaintext password (WDigest)
- CORP\\domain.admin: Kerberos TGS tickets for 3 services
3. Cached Domain Credentials:
- CORP\\helpdesk.user: DCC2 hash
- CORP\\it.manager: DCC2 hash
4. Cloud Cr
""")
PYEOF
```