redttps

Lsass Dump using Magnet RAM Capture

Description

This technique uses Magnet RAM Capture, a forensic memory-acquisition tool, to capture the memory of the LSASS (Local Security Authority Subsystem Service) process for later offline analysis. The goal is typically to retrieve the credential material that LSASS holds in memory (plaintext passwords, NTLM hashes, or Kerberos tickets).


Steps

  1. Download the tool: https://www.magnetforensics.com/resources/magnet-ram-capture/
  2. Run it from the GUI or from the command line:
     MRCv120.exe /accepteula /silent /go
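From the defender's side, the two things this procedure leaves in process-creation telemetry are the published binary name and the unattended-run flags shown above. The following is an added example (not part of the original page and not a Magnet Forensics tool): a small detector that runs over constructed, pipe-delimited process-creation records and flags either signal. The field names (host, user, image, commandline) and the record format are assumptions for the example; map them onto whatever your EDR or SIEM actually exports. Matching on the flag set independently of the image name is deliberate, so that a renamed copy of the executable still trips the rule.

```python
"""Flag Magnet RAM Capture launches in process-creation events (detection-side example).

Added example; the event lines below are constructed and the field layout is assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Flags from the page's unattended-run command line. Matching on the whole set,
# in any order, catches the run even when the executable has been renamed.
SILENT_FLAGS = {"/accepteula", "/silent", "/go"}

# Published image name; the version digits are allowed to vary (assumed pattern).
IMAGE_RE = re.compile(r"(^|[\\/])mrcv\d*\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    user: str
    image: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value|key=value' record (constructed format, not Sysmon's schema)."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string when the event looks like a RAM capture launch, else None."""
    image = event.get("image", "")
    tokens = event.get("commandline", "").lower().split()
    flags = {t for t in tokens if t.startswith("/")}

    reasons: List[str] = []
    if IMAGE_RE.search(image):
        reasons.append("known memory-acquisition binary name")
    if SILENT_FLAGS <= flags:
        reasons.append("unattended acquisition flags present (binary may be renamed)")
    return "; ".join(reasons) or None


def detect(lines: List[str]) -> List[Finding]:
    """Run classify() over raw event lines and collect the hits."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        reason = classify(event)
        if reason:
            findings.append(Finding(event.get("host", "?"), event.get("user", "?"),
                                    event.get("image", "?"), reason))
    return findings


# Constructed sample telemetry: a documented run, a renamed copy, a benign process,
# and an IR analyst starting the tool's GUI with no arguments.
SAMPLE_EVENTS = [
    r"host=WS01|user=CORP\jdoe|image=C:\Users\jdoe\Downloads\MRCv120.exe|commandline=MRCv120.exe /accepteula /silent /go",
    r"host=WS02|user=CORP\svc_backup|image=C:\temp\update.exe|commandline=update.exe /go /silent /accepteula",
    r"host=WS03|user=CORP\alice|image=C:\Windows\System32\notepad.exe|commandline=notepad.exe report.txt",
    r"host=WS04|user=CORP\ir_analyst|image=D:\IR\MRCv120.exe|commandline=MRCv120.exe",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.image}: {f.reason}")
```

Expect three hits out of the four records: WS01 on both signals, WS02 on the flag set alone, and WS04 on the image name alone. The last case is also where tuning belongs: a forensic acquisition launched from an IR workstation is expected activity, so allowlist by host or user rather than weakening the rule itself.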