> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/credential-access-and-credential-dumping.md). # Credential Access & Dumping - [Dumping Credentials from Lsass Process Memory with Mimikatz](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-credentials-from-lsass.exe-process-memory.md): Local Security Authority (LSA) credential dumping with in-memory Mimikatz using powershell. - [Dumping Lsass Without Mimikatz](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz.md) - [Dumping Lsass without Mimikatz with MiniDumpWriteDump](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass.md): Evasion, Credential Dumping - [Dumping Hashes from SAM via Registry](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry.md): Security Accounts Manager (SAM) credential dumping with living off the land binary. - [Dumping SAM via esentutl.exe](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-sam-via-esentutl.exe.md) - [Dumping LSA Secrets](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets.md) - [Dumping and Cracking mscash - Cached Domain Credentials](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials.md) - [Dumping Domain Controller Hashes Locally and Remotely](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration.md): Dumping NTDS.dit with Active Directory users hashes - [Dumping Domain Controller Hashes via wmic and Vssadmin Shadow Copy](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-domain-controller-hashes-via-wmic-and-shadow-copy-using-vssadmin.md) - [Network vs Interactive Logons](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/network-vs-interactive-logons.md): This lab explores/compares when credentials are susceptible to credential dumping. - [Reading DPAPI Encrypted Secrets with Mimikatz and C++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++.md) - [Credentials in Registry](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/t1214-credentials-in-registry.md): Internal recon, hunting for passwords in Windows registry - [Password Filter](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/t1174-password-filter-dll.md): Credential Access - [Forcing WDigest to Store Credentials in Plaintext](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext.md) - [Dumping Delegated Default Kerberos and NTLM Credentials w/o Touching Lsass](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-delegated-default-kerberos-and-ntlm-credentials-without-touching-lsass.md) - [Intercepting Logon Credentials via Custom Security Support Provider and Authentication Packages](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package.md): Credential Access, Persistence - [Pulling Web Application Passwords by Hooking HTML Input Fields](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/stealing-web-application-credentials-by-hooking-input-fields.md): Credential Access, Keylogger - [Intercepting Logon Credentials by Hooking msv1\_0!SpAcceptCredentials](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-by-hooking-msv1_0-spacceptcredentials.md): Hooking, Credential Stealing - [Credentials Collection via CredUIPromptForCredentials](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/credentials-collection-via-creduipromptforcredentials.md) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://www.ired.team/offensive-security/credential-access-and-credential-dumping.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.