LSA

• https://www.passcape.com/index.php?section=docsys&cmd=details&id=23

• https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets

• https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/

SharpSecDump

• https://github.com/G0ldenGunSec/SharpSecDump

• https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-SharpSecDump.ps1

Decrypt LSA secrets on target:

PS > Invoke-SharpSecDump -C "-target=127.0.0.1"

LsaStorePrivateData (ksetup)

• https://pentest.party/posts/2025/ksetup-machine-password/

MSCash2/MSCache2 (DCC2)

• https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials

Domain cached credentials are stored within LSA secrets in HKLM:\SECURITY registry hive:

Cmd > reg save hklm\system system.hive
Cmd > reg save hklm\security security.hive

secretsdump.py

Export registry hives and extract cached creds locally with secretsdump.py:

mscache.py

• https://github.com/QAX-A-Team/mscache/blob/master/mscache.py

Export registry hives and extract cached creds locally with mscache.py:

Crack