Description
Dumps lsass.exe and extracts credentials from the dump entirely in memory without touching disk.
Invoke-ShadowExtract
Overview
Invoke-ShadowExtract acquires a minidump of lsass.exe using the selected technique, pipes the raw bytes directly into the in-process credential extractor without writing anything to disk, and emits one LogonSession object per session found in the dump.
Each LogonSession carries all credential material that was present and decryptable in the snapshot: MSV/NTLM hashes, WDigest plaintext, Kerberos keys, TsPkg, SSP, CredMan, CloudAP, DPAPI master keys, LiveSSP, and RDP credentials.
Parameters
| Parameter | Type | Mandatory | Default | Description |
|---|---|---|---|---|
| Technique | ExtractTechnique | Yes | — | The in-memory dump method to use. See the Techniques table below. |
Techniques
| Technique | Description |
|---|---|
| Simple | Straightforward MiniDumpWriteDump call with SeDebugPrivilege. Most detectable; highest compatibility. |
| Callbacks | IoWriteAllCallback redirects all dbghelp file I/O into an in-memory buffer, avoiding a direct file write. |
| Fork | Creates a snapshot of lsass via RtlCreateProcessReflection (process fork), then calls MiniDumpWriteDump on the forked handle. |
| Syscalls | Resolves NtOpenProcess via a direct-syscall stub (SysWhispers3 style) to open lsass without touching the Win32 API surface. |
| Native | Fully native minidump writer: walks memory with VirtualQueryEx, reads pages with NtReadVirtualMemory, and serialises the MDMP format by hand — no MiniDumpWriteDump dependency. |
Output — LogonSession Properties
| Property | Type | Description |
|---|---|---|
| UserName | string | Account name of the logon session. |
| LogonDomain | string | Domain or computer name. |
| LogonType | string | Session type (Interactive, Network, etc.). |
| Session | int | Windows session ID. |
| SID | string | Security identifier string. |
| Msv | MsvCredential | MSV/NTLM credentials — LM hash, NT hash, SHA1, and DPAPI key. |
| Kerberos | KerberosCredential | Kerberos plaintext password and NT hash. |
| KerberosKeys | KerberosKey[] | Kerberos encryption keys (type and key value). |
| Wdigest | WDigestCredential[] | WDigest plaintext passwords. |
| Tspkg | TspkgCredential[] | Terminal Services package credentials. |
| Ssp | SspCredential[] | Security Support Provider credentials. |
| LiveSsp | LiveSspCredential[] | LiveSSP (Microsoft account) credentials. |
| Credman | CredManCredential[] | Credential Manager stored credentials. |
| Cloudap | CloudapCredential[] | CloudAP (Azure AD) PRTs and DPAPI keys. |
| Dpapi | DpapiCredential[] | DPAPI master keys and GUIDs. |
| Rdp | RdpCredential[] | RDP saved credentials. |
Dependencies
dumpermodule
Operating Systems
- Windows x64
Pre-Requisites
- SeDebugPrivilege (Administrator or equivalent elevated token)
Example Usage
Dump and extract all logon sessions using the Native technique:

```powershell
Invoke-ShadowExtract -Technique Native
```

Return only sessions that have an NT hash:

```powershell
Invoke-ShadowExtract Native | Where-Object { $_.Msv -ne $null } | Select-Object UserName, @{n='NT';e={$_.Msv.NT.Trim()}}
```

Collect all WDigest credentials with a plaintext password:

```powershell
Invoke-ShadowExtract Callbacks | ForEach-Object { $_.Wdigest } | Where-Object { $_.Password }
```
Example Output
```text
UserName     : helpdesk
LogonDomain  : LAB
LogonType    : Interactive
Session      : 1
SID          : S-1-5-21-1234567890-1234567890-1234567890-1001
Msv          : @{NT=8846f7eaee8fb117ad06bdd830b7586c; LM=; SHA1=...; Dpapi=...}
Kerberos     : @{UserName=helpdesk; DomainName=LAB; Password=P@ssword1}
Wdigest      : {@{HostName=DESKTOP-001; UserName=helpdesk; Password=P@ssword1}}
KerberosKeys : {@{Type=rc4_hmac; Key=8846f7eaee8fb117ad06bdd830b7586c}}
```
