🛡️ Methodology Checklist
- Understand auth path: LSASS → SAM (local) / DC (domain)
- Check SAM for local hashes: requires SYSTEM privileges
- Inspect LSASS memory for cached plaintext or hashes
- Enumerate cached domain logon credentials
- Check Credential Manager: cmdkey /list
- Note auth type in use: NTLM vs Kerberos (domain-joined)
- Review Windows event logs for auth activity: Event ID 4624 (logon success) / 4625 (logon failure); on the DC, 4776 (NTLM validation) and 4768/4769 (Kerberos TGT/TGS requests) show which protocol was actually used
🎯 Operational Context
Use when: Understanding Windows authentication to target credential interception points: NTLM challenge-response, Kerberos ticket flow, and where hashes are stored.
Think Dumber First: Know where creds live before dumping: NT hashes in SAM (local) and NTDS.dit (domain), cached domain logons (DCC2) in the SECURITY hive, plaintext in LSASS only if WDigest caching is on, Kerberos tickets and keys in LSASS memory. Target the highest-value store you already have access to.
Skip when: N/A; conceptual reference, use alongside credential dump output for operational context.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| reg query HKLM\SAM\SAM | Lists SAM hive contents; returns access denied unless run as SYSTEM (a local admin only sees the empty SAM\SAM key name) |
| reg query HKLM\SECURITY | Confirms access to the SECURITY hive (LSA secrets, cached logons); also SYSTEM-only |
🔬 Deep Dive & Workflow
Interactive Logon Chain
User input (keyboard)
→ Win32k.sys (detects the secure attention sequence, Ctrl+Alt+Del, and signals Winlogon)
→ Winlogon.exe (trusted process that owns the secure Winlogon desktop)
→ LogonUI.exe (credential prompt UI, spawned by Winlogon)
→ Credential Providers (COM DLLs loaded into LogonUI)
→ LSASS (authentication gatekeeper)
→ SAM / Active Directory / Kerberos KDC
Winlogon runs the logon prompt on its own secure desktop, which other processes cannot attach to, so keystrokes typed there are not visible to user-mode hooks or keyloggers running on the interactive desktop. It also handles the secure attention sequence, password changes and workstation lock/unlock.
LSASS Authentication DLLs
LSASS loads protocol-specific packages to handle each authentication type:
| DLL | Function |
|---|---|
| Lsasrv.dll | LSA server: policy enforcement and loading of the authentication packages; the Negotiate SSP picks Kerberos when it can and falls back to NTLM |
| Msv1_0.dll | NTLM authentication package: local SAM logons, NTLM network logons, and cached domain (DCC2) logons when no DC is reachable |
| Kerberos.dll | Kerberos ticket-based authentication against the KDC |
| Samsrv.dll | SAM database interface; enforces local account policies (lockout, password rules) |
| Netlogon.dll | Secure channel to the DC; NTLM pass-through authentication for domain accounts |
| Ntdsa.dll | AD database agent; handles NTDS.dit and LDAP (DC only) |
Credential Storage Architecture
| Store | Location | Access Required | Content |
|---|---|---|---|
| SAM | %SystemRoot%\system32\config\SAM / HKLM\SAM | SYSTEM | Local account NT hashes (LM hashes too if LM storage is still enabled) |
| SECURITY | %SystemRoot%\system32\config\SECURITY / HKLM\SECURITY | SYSTEM | LSA secrets (service and machine account passwords) and DCC2 cached domain logons |
| NTDS.dit | %SystemRoot%\NTDS\ntds.dit (DC only) | DC SYSTEM (or a VSS/backup copy) | Every domain account's NT hash and Kerberos keys, plus the directory itself (users, groups, trusts, GPO objects) |
| Credential Manager | %LOCALAPPDATA%\Microsoft\Vault\ and %APPDATA%\Microsoft\Credentials\ | User (the user's DPAPI master key) | DPAPI-encrypted web/network/app credentials |
SAM Encryption (SYSKEY)
The hashes inside the SAM are encrypted with a key derived from the boot key (SYSKEY), which Windows keeps in pieces under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the class names of the JD, Skew1, GBG and Data keys). This is why an offline attack needs both the SAM hive and the SYSTEM hive: SAM alone yields only encrypted blobs. The same boot key unlocks the SECURITY hive (LSA secrets and cached logons), so collect all three hives together.
Workgroup vs Domain
- Workgroup: authentication checked against the local SAM only (NTLM via MSV1_0)
- Domain: LSASS validates against a Domain Controller, by requesting Kerberos tickets from the KDC or, for NTLM, by pass-through over the Netlogon secure channel. The last CachedLogonsCount successful logons (default 10) are stored as DCC2 (MS-Cache v2) hashes in the SECURITY hive so the user can still log on offline; DCC2 hashes cannot be passed, only cracked
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| WDigest plaintext creds not in LSASS | WDigest caching off: UseLogonCredential is 0, or absent on Windows 8.1/2012 R2 and later (KB2871997 only added the switch to older versions; there an absent value still means plaintext is cached) | Check: reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential; 0 means no plaintext, and setting it to 1 only captures logons that happen after the change |
| NTLM auth fails but Kerberos works | NTLM restricted by GPO (Network security: Restrict NTLM) or LM/NTLMv1 refused | Check: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel (5 = send NTLMv2 only, refuse LM and NTLMv1) and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraffic / RestrictSendingNTLMTraffic (2 = deny all) |
| Kerberos ticket not valid | Clock skew >5 minutes between client, target and KDC | Sync time: w32tm /resync /force or net time \\[DC] /set |
| Pass-the-Hash fails | NTLM blocked outright on the target, or the account is a non-RID-500 local admin filtered by UAC remote restrictions (LocalAccountTokenFilterPolicy absent or 0) | NTLMv2 enforcement alone does not stop PtH; the NT hash is the NTLMv2 key as well. Where NTLM is off, use the same NT hash for overpass-the-hash (request a TGT with it) or pass-the-ticket |
| LSASS dump blocked by PPL | LSA protection on (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1 or 2); user-mode dumpers such as ProcDump get access denied, they do not bypass PPL | Removing protection needs kernel code (e.g. Mimikatz !+ to load mimidrv, then !processprotect /process:lsass.exe /remove), which is noisy and EDR-visible. Prefer the on-disk stores (SAM/SECURITY hives, NTDS.dit); with Credential Guard, domain secrets stay out of LSASS even if PPL is removed |
📝 Reporting Trigger
Finding Title: Windows Authentication Architecture Enables Credential Extraction
Impact: Understanding the NTLM and Kerberos flows identifies credential extraction points in LSASS, SAM, SECURITY and NTDS.dit, enabling targeted attacks that recover hashes (reusable directly via pass-the-hash) and, where WDigest caching is on, plaintext credentials.
Root Cause: Windows authentication stores credential material in memory and on disk by design. Default configurations leave legacy protocols enabled that expose additional credential data.
Recommendation: Enable Credential Guard to isolate LSASS secrets. Keep WDigest caching off (UseLogonCredential = 0). Disable LM and NTLMv1 (LmCompatibilityLevel 5) and restrict NTLM where the environment allows. Enable LSA protection (RunAsPPL). Reduce CachedLogonsCount on machines that do not need offline logon. Deploy Microsoft Defender for Identity to detect credential dumping and abnormal authentication.