minidump -> kirbi - Githubissues

gentilkiwi / mimikatz

A little tool to play with Windows security

http://blog.gentilkiwi.com/mimikatz

19.3k stars 3.7k forks source link

minidump -> kirbi #232

Open s0i37 opened 4 years ago

s0i37 commented 4 years ago

Good day. I'm trying to extract kerberos tickets from memory with yara signatures. But:

I can find only 1 ticket however klist shows many
I see just first 100 bytes from my ticket, but another part is missing.

May you please tell me, how can extract kerberos tickets from memory (minidump)

gentilkiwi commented 4 years ago

Tickets in memory are not stored as kirbi (KRB-CRED). (not ASN1) I'm not aware of a yara rule around them, but it must not be complicated to make one.

s0i37 commented 4 years ago

Ok. Can !mimikatz windbg-extension extract kerberos tickets from memory dump?