
In-Memory Password Recovery: LSASS Analysis, WDigest Extraction and Credential Cache Forensics

memory_forensics Difficulty 1–5 30 min certifiable

Theory

Why This Matters

The technique of recovering credentials from LSASS process memory was thrust into widespread awareness by Mimikatz, Benjamin Delpy's tool whose sekurlsa module demonstrated plaintext password recovery from a running system in 2011. Since then, LSASS credential dumping has become a standard step in Windows intrusions: the 2017 NotPetya worm bundled a Mimikatz-derived credential stealer to spread with stolen accounts, and ransomware operators routinely harvest credentials from memory to enable lateral movement. Windows keeps cached authentication material in the LSASS process heap: WDigest plaintext passwords (stored by default on Windows 7 and Server 2008 R2, and on Windows 8.1/Server 2012 R2 and later only where the UseLogonCredential value has been set to 1), NT hashes of logged-on users, Kerberos tickets and keys, and the unlocked DPAPI master keys that protect Credential Manager secrets. Memory forensics gives the investigator offline access to the same material from an acquired image, which both scopes what an attacker could have taken and avoids running credential-dumping tools on the live system.

Core Concept

LSASS (Local Security Authority Subsystem Service) is the Windows process (lsass.exe) responsible for enforcing security policy and managing authentication. It loads one or more Security Support Providers (SSPs) — DLLs that handle different authentication protocols. The three most forensically relevant SSPs are:

  • msv1_0.dll: NTLM authentication. Keeps the NT hash (MD4 of the UTF-16LE password, no salt) of each logon session in LSASS memory; Mimikatz's sekurlsa::msv reads these. Note that Volatility's hashdump plugin does not parse msv1_0 at all: it decrypts the local SAM hive from the registry cached in memory, so it yields local accounts only, whether or not they are logged on.
  • wdigest.dll: HTTP Digest authentication. By default on Windows 7 and Server 2008 R2, and on later versions only when UseLogonCredential is set to 1, WDigest keeps a reversibly encrypted copy of each logon session's plaintext password, which LSASS decrypts on demand with keys held in its own memory (LsaUnprotectMemory). Mimikatz's sekurlsa::wdigest recovers it. Volatility 2 core has no WDigest plugin; its lsadump plugin is unrelated (it dumps LSA secrets from the SECURITY hive).
  • kerberos.dll: Kerberos authentication. Holds the session's TGT and service tickets and the long-term keys derived from the password (the RC4-HMAC key is the NT hash itself; AES keys are derived with PBKDF2). Mimikatz's sekurlsa::tickets and sekurlsa::ekeys read these; Volatility 2 core has no plugin for ticket structures.

SAM database: The Security Account Manager stores local account NT (and, where retained, LM) hashes in the registry hive HKLM\SAM, encrypted under keys derived from the boot key (SYSKEY), which is itself assembled from the class names of four keys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Both the SAM and SYSTEM hives must therefore be available, on disk or resident in memory, to recover local account hashes offline; Volatility's hashdump locates both in the registry cached in memory.

Credential Manager: Windows Credential Manager stores credentials (web, Windows, certificate-based) as DPAPI-encrypted blobs on disk. User DPAPI master keys live in the user profile (%APPDATA%\Microsoft\Protect\<SID>\) encrypted under a key derived from the user's password; machine-scope master keys are protected by the DPAPI_SYSTEM LSA secret, which Volatility's lsadump recovers. LSASS additionally caches the already-unlocked master keys of logged-on users, which Mimikatz's sekurlsa::dpapi lists.

Technical Deep-Dive

# Volatility 2: dump local SAM account hashes (decrypts the SAM hive with the boot key from SYSTEM)
vol.py -f memdump.raw --profile=Win7SP1x64 hashdump

# Volatility 2: dump LSA secrets (service account passwords, DPAPI_SYSTEM key, auto-logon password, etc.)
vol.py -f memdump.raw --profile=Win7SP1x64 lsadump

# Kerberos tickets: Volatility 2 core has no ticket plugin; list them with Mimikatz on the
# live host (sekurlsa::tickets) or apply the sekurlsa logic to the image as shown below

# Volatility 2: find the LSASS process and dump its address space
vol.py -f memdump.raw --profile=Win7SP1x64 pslist | grep -i lsass
vol.py -f memdump.raw --profile=Win7SP1x64 memdump --pid=<lsass_pid> --dump-dir=./lsass_dump/
# memdump writes ./lsass_dump/<pid>.dmp as a raw address-space image, NOT a minidump, so
# Mimikatz's sekurlsa::minidump (which expects a real MINIDUMP file, e.g. from procdump -ma or
# Task Manager) cannot parse it. To apply the sekurlsa logic to a full memory image, use the
# community mimikatz Volatility plugin:
# vol.py --plugins=/path/to/volatility_plugins -f memdump.raw --profile=Win7SP1x64 mimikatz
# Against a genuine minidump of lsass.exe:
# mimikatz # sekurlsa::minidump lsass.dmp
# mimikatz # sekurlsa::logonpasswords

# strings approach: printable ASCII (-a) and UTF-16LE (-el) runs in the LSASS dump
strings -a  ./lsass_dump/<pid>.dmp | grep -iE "password|passwd|pwd" | head -30
strings -el ./lsass_dump/<pid>.dmp | grep -iE "password|passwd|pwd" | head -30

# Search the whole image for "Password: <value>" markers (repeat with -el for UTF-16LE)
strings -a memdump.raw | grep -oP '(?<=Password: )\S+' | sort -u

# Extract NT hashes from hashdump output for cracking or lookup (Python)
# hashdump format: username:RID:LM_hash:NT_hash:::
hashdump_output = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string (LM storage disabled);
# 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty string (blank password).
for line in hashdump_output.strip().splitlines():
    parts = line.split(':')
    if len(parts) >= 4:
        username = parts[0]
        nt_hash  = parts[3]
        blank = "  (blank password!)" if nt_hash == "31d6cfe0d16ae931b73c59d7e0c089c0" else ""
        print(f"User: {username:20s}  NT Hash: {nt_hash}{blank}")
        # Crack or look up offline only (never an online service from an investigation host):
        # hashcat -m 1000 hashes.txt wordlist.txt

Analytical Methodology

  1. Identify the LSASS process in the memory dump using Volatility pslist: vol.py -f memdump.raw --profile=<profile> pslist | grep -i lsass. Verify that exactly one lsass.exe is present, that its parent is wininit.exe, and that its image path is \Windows\System32\lsass.exe; a second lsass.exe, or one with a different parent or path, indicates a masquerading process.
  2. Run hashdump: vol.py -f memdump.raw --profile=<profile> hashdump. This locates the SYSTEM and SAM hives in the registry cached in memory, derives the boot key from SYSTEM and decrypts the local account hashes. Output is username:RID:LM_hash:NT_hash:::.
  3. Run lsadump: vol.py -f memdump.raw --profile=<profile> lsadump. This decrypts the LSA secrets from the SECURITY hive in memory: service account passwords, the DPAPI_SYSTEM key, and auto-logon passwords. Cached domain logon verifiers (DCC2 / MS-Cache v2) come from a separate plugin, cachedump, and must be cracked rather than passed.
  4. List cached Kerberos tickets with Mimikatz (sekurlsa::tickets against LSASS memory; kerberos::list on a live host); Volatility 2 has no core plugin for this. Note ticket lifetimes and target services; TGTs (service krbtgt) are particularly valuable for assessing the depth of domain compromise, since a stolen TGT gives the holder the account's full domain access until it expires.
  5. Extract the LSASS process memory with memdump for secondary tooling. Because memdump writes a raw address-space image rather than a minidump, run the community mimikatz Volatility plugin against the full image instead of feeding the .dmp to sekurlsa::minidump; the latter only accepts genuine minidumps (procdump -ma, Task Manager). This is the most complete path to WDigest plaintext and Kerberos keys, which the core Volatility plugins do not parse.
  6. Apply strings -a and strings -el to the LSASS dump with grep for password-related keywords. The -el pass matters: WDigest and msv1_0 hold names and passwords as UTF-16LE, which strings -a never sees. This catches credentials in SSP structures that plugins may not parse.
  7. For each extracted credential, assess: is this a domain account or a local account? Does the same hash or password appear in other accounts or processes (indicating reuse)? Is the NT hash present in previously breached credential databases? Check against offline lookup tables only; never submit hashes to online services from an investigation system.
  8. Document all recovered credentials with: account name, credential type (NT hash, plaintext, Kerberos ticket), extraction method, and any contextual information about privilege level and domain membership.
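Step 6 hides an easy mistake: WDigest and msv1_0 store names and passwords as UTF-16LE, which strings -a never sees, and a value usually sits as its own string immediately after its label. The following added example (not from the card) reimplements the ASCII and UTF-16LE string extraction in Python, records the offset of every run so hits can be revisited in a hex viewer, and pairs each keyword hit with the next string of the same encoding. The in-memory buffer, account names and passwords are invented sample data; scan_file is a hypothetical helper for running the same logic over a real .dmp via mmap.

```python
import mmap
import re
import sys

KEYWORDS = ("password", "passwd", "pwd", "credential")


def extract_strings(buf, min_len: int = 6):
    """Return sorted (offset, encoding, text) for printable ASCII runs (strings -a)
    and printable UTF-16LE runs (strings -el) of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    out = []
    for m in ascii_re.finditer(buf):
        out.append((m.start(), "ascii", bytes(m.group()).decode("ascii")))
    for m in utf16_re.finditer(buf):
        out.append((m.start(), "utf-16le", bytes(m.group()).decode("utf-16-le")))
    out.sort()
    return out


def find_keyword_hits(strings, keywords=KEYWORDS):
    """Report every string containing a keyword plus the next string of the same
    encoding, because a label ("Password") is typically followed by its value."""
    hits = []
    for i, (off, enc, text) in enumerate(strings):
        low = text.lower()
        if any(k in low for k in keywords):
            following = next(((o, t) for o, e, t in strings[i + 1:] if e == enc), None)
            hits.append({"offset": off, "encoding": enc, "text": text, "next": following})
    return hits


def scan_file(path: str, min_len: int = 6):
    """Hypothetical helper: run the scan over a real dump without loading it all."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_keyword_hits(extract_strings(mm, min_len))


def build_sample_dump() -> bytes:
    """Constructed stand-in for an LSASS region: binary filler with a WDigest-style
    UTF-16LE username/label/password triple and an ASCII script fragment embedded."""
    filler = bytes(range(256)) * 4
    return b"".join([
        filler[:300],
        "CORP\\alice".encode("utf-16-le"), b"\x00" * 8,
        "Password".encode("utf-16-le"), b"\x00" * 8,
        "Summer2024!".encode("utf-16-le"), b"\x00" * 8,
        filler[300:700],
        b"svc_backup pwd=B4ckup$vc ",      # ASCII fragment, invisible to strings -el
        filler[700:],
    ])


if __name__ == "__main__":
    data = build_sample_dump() if len(sys.argv) < 2 else None
    hits = find_keyword_hits(extract_strings(data)) if data else scan_file(sys.argv[1])
    for h in hits:
        nxt = f"  -> next {h['encoding']} string @0x{h['next'][0]:x}: {h['next'][1]!r}" if h["next"] else ""
        print(f"0x{h['offset']:08x} [{h['encoding']:8s}] {h['text']!r}{nxt}")
```

The offsets are relative to the start of the dump, which for a Volatility memdump output is the process address space laid out page by page; the adjacent-string heuristic is deliberately loose, so treat a reported "next" value as a lead to confirm in the raw bytes, not as a recovered credential.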

Common Analytical Errors

  • Running hashdump without verifying the profile: An incorrect Volatility profile makes every plugin walk kernel structures (process lists, registry hives) at the wrong offsets, so hashdump returns garbage or nothing. Verify the profile with imageinfo or kdbgscan first, and confirm that hivelist shows both the SYSTEM and SAM hives before running hashdump.
  • Ignoring WDigest on modern systems: WDigest plaintext storage is disabled by default on Windows 8.1+ and Server 2012 R2+, but attackers routinely re-enable it by setting HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to 1 before harvesting credentials (a logoff/logon is then needed before new plaintext appears). Check the value in the dump with the printkey plugin against the SYSTEM hive (key ControlSet001\Control\SecurityProviders\WDigest); its presence on a system that should not have it is an indicator of compromise in its own right.
  • Not checking for LSASS injection: Credential-stealing malware often injects into LSASS or registers a rogue SSP rather than dumping the process. Run malfind against the LSASS PID (malfind -p <lsass_pid>) to find injected code, and review dlllist and ldrmodules for LSASS for unexpected DLLs that may have harvested credentials before the dump was taken.
  • Treating NT hash recovery as the end goal: NT hashes can be passed directly (Pass-the-Hash) without cracking. The hash itself is the credential. Document hashes as high-value artifacts even when they cannot be cracked.
  • Missing Credential Manager entries: DPAPI-protected Credential Manager blobs are not recovered by hashdump or lsadump alone. You need the matching master key (sekurlsa::dpapi from LSASS memory, or dpapi::masterkey with the user's password or NT hash) and then Mimikatz's dpapi::cred against the credential file; neither Volatility 2 nor Volatility 3 ships a plugin that decrypts them.

NICE Framework Alignment

Code  | Knowledge/Skill/Task Statement                                                      | How This Card Develops It
K0017 | Knowledge of concepts and practices of processing digital forensic data             | Understanding LSASS memory structures (SAM, LSA secrets, SSP caches) as forensic credential artifacts
K0042 | Knowledge of incident response and handling methodologies                           | Assessing credential exposure from memory dumps as part of post-breach impact scope determination
K0187 | Knowledge of file type abuse by adversaries for data exfiltration                   | Recognising LSASS memory as the primary Windows credential store targeted by adversary lateral-movement tools
S0047 | Skill in preserving evidence integrity according to standard operating procedures   | Working from memory image copies; handling recovered credentials under chain-of-custody procedures
T0049 | Decrypt seized data using technical means                                           | Decrypting SYSKEY-protected SAM hashes and LSA secrets from memory image structures

Further Reading

  • The Art of Memory Forensics Ch. 20: Windows Credentials — Ligh, Case, Levy, Walters (Wiley)
  • Windows Internals, Part 1 Ch. 7: Security — Russinovich, Solomon, Ionescu, Yosifovich (Microsoft Press)
  • Mimikatz documentation and sekurlsa module — Benjamin Delpy (github.com/gentilkiwi/mimikatz)
