As always. This channel is gold. Thanks!

Very cool. I always enjoy learning new things from your videos! They give me great ideas for different detections.

Awesome technique, learned something knew today, thanks!

This was amazing and I will be using this lol thank you!

Funny I used the same technique with remote magnet capture but had trouble parsing out lsass with volatility. SAM worked great.

Great!!, I like computer forensic, and I will keep this topic in mind.

Thanks!!

I'm glad I watched this. What privileges did you need to run that .exe and successfully dump lsass? Steps up to that would be flagged easily. Our soc would also see that being run and notify the client.

Great content. i learn a lot from you as a red teamer. My question is, how did you learn or know about this.

Hi Brian, thank you so much the content you are putting out. In terms of detection, would it not be more robust to look for the winpmem driver hash? As modifying it would invalidate the signature. Of course, assuming that we would have the detection capabilities and incentives

Wow bro make more ❤❤❤

This is a great share. I am using it and dumped the RAM, and from it the SAM hashes using volatility3. However, it would be more useful to get the actual NTLM hashes of the AD users, and this is not in the LSA secrets method from volatility3. I thought, that maybe if I carved out somehow the process data from the Lsass.exe that is in the RAM dump it would be possible to analyze it with mimikatz minidump locally. But it just fails. Am I doing something that makes no sense?

Great video !!! Unfortunately Microsoft requirements for Credential Guard are pretty "heavy". For example it will work only on windows Enterprise edition.

Then how to bypass credential guard?

Was that from a low-priv user??

Wow

Man, stop burning tools just like that😅