Using Procdump and Mimikatz to retrieve Windows Credentials
This page will help you use Procdump and Mimikatz to retrieve Windows credentials stored in memory (RAM).
Dump and extract credentials from memory
Procdump ?! Mimikatz ?!
Mimikatz is a well-known tool that can extract Windows plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. Mimikatz can also perform pass-the-hash and pass-the-ticket, or build Golden Tickets.
Procdump, from Sysinternals, is a command-line utility whose primary purpose is monitoring an application and generating crash dumps.
Mimikatz is widely detected by antivirus software: the VirusTotal report gives 36 / 56.
You might not want to, or might not be able to, run it on the target.
As Procdump is a legitimate Microsoft tool, it is not detected by antivirus. The goal is to dump the lsass.exe process, which holds the credentials, and then hand that dump to Mimikatz.
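From the defender's side, the read of lsass memory that this technique relies on shows up as a Sysmon Event ID 10 (ProcessAccess) record. The following Python check is added here and is not from the original page: it flags any process that opens lsass.exe with PROCESS_VM_READ and is not on an assumed baseline of expected readers. The event records and the EDR sensor path are constructed samples, not real telemetry.

```python
import ntpath

# Access-mask bits from the Win32 process-rights definitions.
PROCESS_VM_READ = 0x0010            # read another process's memory
PROCESS_QUERY_INFORMATION = 0x0400  # also required by MiniDumpWriteDump

# Constructed Sysmon Event ID 10 (ProcessAccess) records, cut down to the
# fields this check uses. Sample data, not real logs.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Program Files\ExampleEDR\sensor.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Program Files\App\app.exe", "GrantedAccess": "0x1FFFFF"},
]

# Assumed per-host baseline of images expected to read lsass memory
# (placeholder EDR sensor path); derive the real list from your own telemetry.
EXPECTED_READERS = {r"c:\program files\exampleedr\sensor.exe"}

def reads_lsass_memory(event):
    """True when the event is a handle to lsass.exe that carries VM_READ."""
    target = ntpath.basename(event["TargetImage"]).lower()
    granted = int(event["GrantedAccess"], 16)
    return target == "lsass.exe" and bool(granted & PROCESS_VM_READ)

def find_lsass_dumpers(events, expected=EXPECTED_READERS):
    """Return (SourceImage, GrantedAccess) for every unexpected lsass reader."""
    alerts = []
    for ev in events:
        if not reads_lsass_memory(ev):
            continue                      # not lsass, or no memory-read right
        if ev["SourceImage"].lower() in expected:
            continue                      # baselined reader, e.g. the EDR sensor
        alerts.append((ev["SourceImage"], int(ev["GrantedAccess"], 16)))
    return alerts

if __name__ == "__main__":
    for src, acc in find_lsass_dumpers(SAMPLE_EVENTS):
        print(f"ALERT: lsass memory read by {src} (GrantedAccess=0x{acc:X})")
```

The same check catches any unbaselined reader of lsass, not only Procdump, which is why the third sample (an unknown binary in a user's Temp directory) is also flagged.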
You need admin rights to use it. If you don't have them, you can use the "at" trick.
One can dump the lsass process, which contains the credentials: