Password Attacks | Attacking SAM

Sure, I can Google it, or maybe it’s covered later in the course, but I don’t understand what the significance of LSA Secrets is. How is that like/unlike the hashes dumped from HKLM/SAM? I didn’t think it was clear in this module.

Not taking this course but came across your post.

So, not 100% sure of the context. However, to my knowledge (if it helps), local accounts are stored in SAM; for domain users, the DC uses NTDS.dit as the AD database. So every time the LSASS process validates a logon, it is stored in LSA secrets - which happens to be in MEMORY, often in clear text.

This is what tools like Mimikatz use to obtain the clear text password and the hash (which can often be used in pass-the-hash).

But you can also just dump the process memory for Lsass.exe with procexp, processhacker, etc. and get the passwords.
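
On the defensive side, the LSASS memory access mentioned in the reply above is visible in process-access telemetry. The following is an added example, not part of the original thread: it scans Sysmon Event ID 10 (ProcessAccess) records and flags processes that open lsass.exe with memory-read rights. The sample events, the allowlist and the function name are assumptions made for illustration.

```python
# Added example: flag handle opens on lsass.exe that allow memory reads,
# using Sysmon Event ID 10 (ProcessAccess) fields. Sample events are constructed.
import ntpath

PROCESS_VM_READ = 0x0010  # Windows access right needed to read process memory

# Assumption: processes expected to read LSASS memory in this environment.
ALLOWLIST = {r"c:\windows\system32\csrss.exe"}

# Constructed sample events (only the fields the check uses).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\procexp64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Tools\ProcessHacker.exe",
     "TargetImage": r"C:\Windows\system32\LSASS.EXE", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Tools\ProcessHacker.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

def suspicious_lsass_access(events, allowlist=ALLOWLIST):
    """Return events where a non-allowlisted process can read LSASS memory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        # Compare the file name case-insensitively; Windows paths vary in case.
        target = ntpath.basename(ev.get("TargetImage", "")).lower()
        if target != "lsass.exe":
            continue
        try:
            access = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            continue  # malformed field: skip rather than crash the pipeline
        if not access & PROCESS_VM_READ:
            continue  # e.g. 0x1000 (query limited info) cannot read memory
        if ev.get("SourceImage", "").lower() in allowlist:
            continue
        hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in suspicious_lsass_access(SAMPLE_EVENTS):
        print(ev["SourceImage"], ev["GrantedAccess"])
```

The allowlist has to be built from a baseline of each environment, since security products and some system processes legitimately open LSASS with read access.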