Skip to main content

Credential Theft Week 2

Continuing our J2 SOC Manager’s series on credential theft, this week we explore how attackers steal credentials on the local device. Future pieces will discuss other methods and prevention strategies. We hope you enjoy this series and feel free to get in contact us if you have questions, comments or want to further clarity.

 Attacking passwords on the local device

The password or hash can also be retrieved from the local device by malware or by a “hands-on” operator. We have listed which remote access methods leave retrievable passwords behind them. These should be used with caution, particularly with privileged credentials. To confirm, once you logon with one of these tools, the password remains in the user session until the next reboot.

Screenshot 2022 06 20 at 3.36.07 PM

There are three places we typically see credentials being stolen from. These are through LSA secrets, the SAM and LSASS. These are not the only places.


The Security Account Manager database is where your operating system stores information about user credentials. It stores hashes and usernames and is used to authenticate users on logon when they provide their password. It was common to dump the SAM database either with a tool or by directly copying the registry. Last year a security researcher found a flaw in windows 10 that allowed us to read the SAM as any user.

Once the database dump is complete, threat actors dump the hashes in an offline password cracker.


Local Security Authority is used to manage a system’s local security policy.

LSA secrets is a storage method used by the Local Security Authority. It contains private credential data. LSA secrets is a storage used by the Local Security Authority (LSA) in Windows. Typically, LSA secret storage is only allowed for the SYSTEM account process. Early versions of LSA secrets could be cracked by easily available tools.


Until Windows 8 was released, you could get the credentials in clear text from the Local Security Authority Subsystem Service (LSASS).

The Local Security Authority Subsystem Service (LSASS) process verifies users logging on to a Windows computer or server, handles password changes and creates access tokens. It also writes to the windows security log. It is a typical target for credential theft.

On less secure devices you could dump the contents directly from LSASS using task manager, and extract them using readily available free tools

 Fig 4. Dumping hashes from LSASS

 Fig 5: theft of a local password hash

It is also possible to extract user passwords from memory dump files, system hibernation files (hiberfil.sys) and. vmem of virtual machine files (virtual machine paging files and their snapshots).

Threat actors will often target remote desktop processes to retrieve passwords. Processes which are associated with the RDP protocol can also be in the scope of red teams to harvest credentials. These processes are svhost.exe and mstsc.exe.

The above processes can be targeted as an alternative method to retrieve credentials without touching LSASS which is a heavily monitored process typically by endpoint detection and response (EDR) products. The service host (svchost.exe) is a system process which can host multiple services to prevent consumption of resources. When a user authenticates via an RDP connection the terminal service is hosted by the svchost process.

 Fig 6: theft of a password from the svchost.exe process via the GUI

Fig 7: theft of a password from the svchost.exe process from the command line

A threat actor may use windows API (application interface) to perform hooking to intercept credentials provided by the user executing the mstsc.exe process. In the screenshot below we can see a freely available tool hooking the functions used by the mstsc.exe process to retrieve the credentials.


Users that tend to authenticate multiple times to a particular host via an RDP connection they might save the connections details for quick authentication. These credentials are stored in an encrypted form in the Credential Manager of Windows by using the Data Protection API. These can also be retrieved.

We often see specialised credential harvesters being executed from malware, such as obfuscated versions of the freely available lazagne app. These retrieved credentials are pooled and sold in bulk from specialised credential access brokers. Sometimes EDR solutions may only detect malware after credentials are stolen.

Screenshot 2022 06 20 at 3.43.15 PM

An additional method that received recent press was to attack the exposed print spooler service to the credential hash to a waiting device where is might be relayed or cracked. This so called ‘petitpotam’ exploit could be chained with known active directory certificate service misconfigurations to gain administrative access to domain controllers.

Most business may have no idea that an exposed print spooler service on their domain controller could result in privilege escalation and Microsoft continues to enable the print spooler service by default. It is just one of the misconfigurations we report on in our threat assessment tests which also provides a deep analysis of Active Directory and Azure misconfigurations.

If this concerns you, make sure you keep checking back for the rest of the series where we will cover more attack methods as well tips on how to detect and prevent credential theft. If you cannot wait that long, get in touch with us today.

J2 Cyber Security Centre

  • Hits: 678