When hackers gain access to a Windows system, the biggest mistake they avoid is rushing. Instead of running random tools or poking around files, skilled attackers go straight for credentials. Why? Because with passwords or NTLM hashes, they can move to other systems, escalate privileges, or impersonate users silently. Windows keeps these credentials in memory, especially inside a process called lsass.exe (Local Security Authority Subsystem Service), which is responsible for handling logins.
To extract this sensitive information, attackers use a common method: they dump the memory of lsass.exe using a tool like procdump, then load the dump into mimikatz, a powerful post-exploitation tool. Once that dump is opened in mimikatz, the tool can reveal the usernames and passwords of users who logged in, sometimes even domain admin accounts. This is how attackers quietly elevate their control and move across the network without triggering alerts, especially if logging isn’t properly configured.
In the terminal output, we first locate the lsass.exe process using tasklist | findstr lsass.exe to get its PID. Then we use procdump.exe -ma <PID> lsass.dmp to dump the process memory into a file. After that, mimikatz is launched, and we load the dump using sekurlsa::minidump lsass.dmp, then run sekurlsa::logonpasswords to extract plaintext credentials from memory. This technique is extremely effective and often used by both red teams and real attackers during lateral movement.
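The workflow above leaves two telltale traces in endpoint telemetry: a process opening lsass.exe with memory-read rights (Sysmon Event ID 10, ProcessAccess) and command lines carrying the procdump "-ma ... lsass" or mimikatz "sekurlsa::" fragments (Sysmon Event ID 1, ProcessCreate). The following is an added detection example written for this page, not code from the original post or from the procdump, mimikatz or Sysmon projects. The sample events are constructed (field names follow the Sysmon schema, the PID 712 and the C:\Tools paths are made up), and the allowlist of images permitted to touch lsass.exe is an assumption to be tuned per environment.

```python
import re
from typing import List, Optional, Tuple

# Win32 process access rights relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumption: images that routinely open lsass.exe on a typical host.
# This is noise reduction, not a trust boundary: tune it per environment
# and pair it with path and code-signing checks in a real pipeline.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Command-line fragments of the procdump / mimikatz workflow described above.
SUSPICIOUS_CMDLINE = (
    ("procdump full dump of lsass", re.compile(r"-ma\b.*lsass", re.I)),
    ("mimikatz minidump/logonpasswords",
     re.compile(r"sekurlsa::(minidump|logonpasswords)", re.I)),
)


def check_process_create(event: dict) -> Optional[str]:
    """Sysmon Event ID 1: match the command line against known dump/parse patterns."""
    cmd = event.get("CommandLine", "")
    for label, pattern in SUSPICIOUS_CMDLINE:
        if pattern.search(cmd):
            return f"{label}: {cmd}"
    return None


def check_process_access(event: dict) -> Optional[str]:
    """Sysmon Event ID 10: a non-allowlisted image opening lsass.exe with PROCESS_VM_READ."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLISTED_SOURCES:
        return None
    # GrantedAccess is logged as a hex string such as "0x1FFFFF".
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if granted & PROCESS_VM_READ:
        full = " (PROCESS_ALL_ACCESS)" if granted == PROCESS_ALL_ACCESS else ""
        return f"lsass memory read by {source} with GrantedAccess 0x{granted:X}{full}"
    return None


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for every event that matches a rule."""
    findings = []
    for i, event in enumerate(events):
        reason = None
        if event.get("EventID") == 1:
            reason = check_process_create(event)
        elif event.get("EventID") == 10:
            reason = check_process_access(event)
        if reason:
            findings.append((i, reason))
    return findings


# Constructed sample events, not real telemetry; field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "tasklist | findstr lsass.exe"},
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -ma 712 lsass.dmp"},
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "Image": r"C:\Tools\mimikatz.exe",
     "CommandLine": 'mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit'},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Run against the constructed events, the scan flags the procdump command line, procdump's PROCESS_ALL_ACCESS handle on lsass.exe, and the mimikatz invocation, while ignoring the tasklist reconnaissance, the allowlisted svchost.exe access and taskmgr.exe's query-only (0x1000) handle, which lacks the PROCESS_VM_READ bit. The access-mask rule is the more durable of the two, since renaming procdump.exe defeats the command-line patterns but not the handle rights a memory dump needs. On the prevention side, enabling LSA Protection (RunAsPPL) and Credential Guard makes this dump-and-parse step fail or yield far less on a properly configured host.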