Password stealing
The Local Security Authority Server Service (LSASS) is a core component of Microsoft Windows, responsible for enforcing the system's security policy. As part of that role, it holds the local usernames and the corresponding passwords or password hashes in memory. Dumping this material is a frequently seen practice among adversaries and red teamers.
Mimikatz is the best-known post-exploitation tool for this purpose: it extracts New Technology LAN Manager (NTLM) hashes by dumping the lsass process.
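The defensive counterpart to the dumping described above, as an added example that is not part of the original text: the Python below triages constructed Sysmon Event ID 10 (ProcessAccess) records and flags handles opened on lsass.exe with memory-read or write rights from source images outside an assumed allow-list (the records, the user paths and the allow-list are all constructed assumptions).

```python
# Added example: triage Sysmon Event ID 10 (ProcessAccess) records for handles to lsass.exe.
# The records and the allow-list below are constructed assumptions; tune per environment.
from typing import Optional

# Process access rights from the Windows OpenProcess documentation (subset).
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION = 0x0002, 0x0008
PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE = 0x0010, 0x0020, 0x0040
# Reading LSASS memory needs VM_READ; rights that allow writing into or injecting
# threads into lsass are rarer and higher risk.
HIGH_RISK_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE

# Assumed allow-list of system images that legitimately open lsass.exe.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                   r"c:\windows\system32\svchost.exe"}

# Constructed sample records in the "Key: Value" layout of a Sysmon message body.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    f"SourceImage: C:\\Windows\\System32\\svchost.exe\nTargetImage: {LSASS}\nGrantedAccess: 0x1410",
    f"SourceImage: C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\nTargetImage: {LSASS}\nGrantedAccess: 0x1010",
    f"SourceImage: C:\\Users\\alice\\Downloads\\helper.exe\nTargetImage: {LSASS}\nGrantedAccess: 0x1FFFFF",
    "SourceImage: C:\\Windows\\explorer.exe\nTargetImage: C:\\Windows\\System32\\notepad.exe\nGrantedAccess: 0x1010",
]

def parse_event(text: str) -> dict:
    """Split the 'Key: Value' lines of one record into a dict (first colon separates)."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def assess(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for one ProcessAccess record."""
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None  # only handles opened on LSASS matter here
    access = int(event.get("GrantedAccess", "0x0"), 16)
    source = event.get("SourceImage", "").lower()
    if access & HIGH_RISK_MASK:
        return "high"  # write/inject-capable handle, whatever the source
    if access & PROCESS_VM_READ and source not in ALLOWED_SOURCES:
        return "medium"  # memory-read handle from an unexpected image: dump candidate
    return None

def triage(raw_events) -> list:
    """Return (severity, source image, granted access) for every flagged record."""
    events = [parse_event(r) for r in raw_events]
    return [(s, e["SourceImage"], e["GrantedAccess"]) for e in events if (s := assess(e))]
```

In a real deployment the allow-list and the severity thresholds are the tuning knobs; an allow-listed image requesting write or thread rights on lsass is still reported as high.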
Note
On a Windows machine, passwords are never saved in clear text; that would be an extremely bad idea.
Instead, Windows saves the password hash – more specifically, the NTLM hash. The hash is used as part of the Windows challenge-response authentication protocol. Essentially, users validate their identities by encrypting some random text...