SafetyKatz

To keep the Mimikatz binary off disk, it is commonly loaded and executed in memory with a .NET-based PE loader such as PELoader. Commands like sekurlsa::ekeys or sekurlsa::logonpasswords then run from the in-memory image without mimikatz.exe ever being written to disk. This defeats file-based signatures only; the LSASS handle the tool opens and its memory reads are still visible to endpoint telemetry.

SafetyKatz packages this approach as a single .NET assembly: a slightly modified Mimikatz plus an embedded loader. It first calls the MiniDumpWriteDump API to write a minidump of LSASS to disk (C:\Windows\Temp\debug.bin by default), then loads the embedded Mimikatz in memory, points it at the dump (sekurlsa::minidump) and parses the credentials out of the dump rather than out of the live process, and finally deletes the dump file. Note the ordering of artifacts: the Mimikatz binary never touches disk, but the LSASS open with read access and the dump file in Temp do exist on the host while the tool runs.
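The endpoint-side check for the flow just described, as an added example that is not part of the original page or of the SafetyKatz project: a small correlation pass over constructed Sysmon-style ProcessAccess (Event 10) and FileCreate (Event 11) records. The records, the allowlist and the SafetyKatz path in them are assumptions; the access-right constants, the module names that implement MiniDumpWriteDump and the Temp dump path come from the text above and from winnt.h.

```python
"""Added example: endpoint-side detection of the SafetyKatz LSASS-minidump flow.

Runs over constructed Sysmon-style records (made up for this example; field
names follow Sysmon Event 10 ProcessAccess and Event 11 FileCreate).
The allowlist and the sample paths are assumptions, not data from the page.
"""

# Process access rights MiniDumpWriteDump needs on its target (winnt.h values).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# MiniDumpWriteDump lives in dbgcore.dll (older builds: dbghelp.dll). Either module
# in the call stack of an lsass.exe open is the strongest single signal.
DUMP_MODULES = ("dbgcore.dll", "dbghelp.dll")

# Assumed allowlist of processes that legitimately open lsass.exe with read access.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
}

# SafetyKatz writes its dump under this directory by default (path from the page text).
DUMP_DIR = "c:\\windows\\temp\\"

SAMPLE_EVENTS = [  # constructed telemetry
    {"EventID": 10, "SourceImage": r"C:\Users\bob\SafetyKatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d8e4|C:\Windows\System32\KERNELBASE.dll+2d28e|"
                  r"C:\Windows\SYSTEM32\dbgcore.DLL+2d9e9|UNKNOWN(000001C4B3E40F7A)"},
    {"EventID": 11, "Image": r"C:\Users\bob\SafetyKatz.exe",
     "TargetFilename": r"C:\Windows\Temp\debug.bin"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d8e4|C:\Windows\System32\KERNELBASE.dll+2d28e"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d8e4"},
]


def lsass_access_signals(ev):
    """Signals raised by one Sysmon 10 event; an empty list means nothing of interest."""
    if ev.get("EventID") != 10 or not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return []
    if ev["SourceImage"].lower() in ALLOWLIST:
        return []
    granted = int(ev["GrantedAccess"], 16)
    can_read = bool(granted & PROCESS_VM_READ)
    can_query = bool(granted & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION))
    signals = []
    if can_read and can_query:  # minimum rights for reading LSASS memory / MiniDumpWriteDump
        signals.append("lsass_read_access")
    if any(m in ev.get("CallTrace", "").lower() for m in DUMP_MODULES):
        signals.append("minidump_api_in_callstack")
    return signals


def correlate(events):
    """Group signals per source process; a file written under Temp by a process that
    already opened LSASS is added as a further signal.

    Returns {source_image: set_of_signals} for processes with at least one signal.
    """
    findings = {}
    for ev in events:
        if ev["EventID"] == 10:
            for s in lsass_access_signals(ev):
                findings.setdefault(ev["SourceImage"], set()).add(s)
        elif ev["EventID"] == 11 and ev["Image"] in findings:
            if ev["TargetFilename"].lower().startswith(DUMP_DIR):
                findings[ev["Image"]].add("dump_written_to_temp")
    return findings


def verdict(signals):
    """Escalate only when the call stack shows the minidump API and a file landed in Temp."""
    if {"minidump_api_in_callstack", "dump_written_to_temp"} <= signals:
        return "lsass_minidump_to_disk"
    if "lsass_read_access" in signals:
        return "lsass_memory_read"
    return "none"


if __name__ == "__main__":
    for image, sigs in correlate(SAMPLE_EVENTS).items():
        print(f"{verdict(sigs):24} {image}  {sorted(sigs)}")
```

Because SafetyKatz deletes debug.bin after parsing it, the FileCreate event is the durable record of the dump; a real pipeline would also take the matching FileDelete event (Sysmon 23/26) as confirmation rather than as a reason to drop the alert. The svchost record with GrantedAccess 0x1000 (query-limited only, no VM_READ) is deliberately in the sample to show the rule staying quiet on routine LSASS handles.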

OverPass-the-Hash (OPtH) starts a new logon session with Logon Type 9 (the type runas /netonly produces) and injects a Kerberos key into it: the NT hash (which is the RC4-HMAC key) or an AES-128/256 key. LSASS then uses that key to obtain a legitimate TGT from the KDC as that user, so the tickets are issued by the domain, not forged. SafetyKatz exposes this through sekurlsa::pth, which requires local administrator rights because it patches the credential material inside LSASS. OPtH is distinct from traditional PtH: PtH replays the NT hash in NTLM authentication and works only against services that accept NTLM, whereas OPtH turns a key into real Kerberos tickets and therefore also reaches services that require Kerberos. In domain environments this gives broader access and fewer NTLM logons for defenders to spot; with an AES key the TGT request itself uses AES rather than RC4, so it does not stand out as an encryption downgrade.

Rubeus can perform OPtH without elevation (asktgt with the key and /ptt): it requests the TGT over the network itself and injects the resulting ticket into the current logon session, but the injected TGT replaces the session's existing Kerberos tickets. To keep the operator's own session intact, Rubeus can instead spawn a sacrificial netonly logon session with createnetonly and inject the ticket there; injecting into a logon session other than your own requires an elevated shell. This is usually preferred in OPSEC-sensitive engagements.

DCSync extracts domain secrets without touching the DC's disk or NTDS.dit: the attacker impersonates a domain controller and asks a real DC to replicate account secrets over the Directory Replication Service Remote Protocol (MS-DRSR, the DRSUAPI RPC interface, specifically the GetNCChanges request), not over LDAP. It requires the Replicating Directory Changes and Replicating Directory Changes All extended rights on the domain naming context (plus Replicating Directory Changes In Filtered Set for attributes in the RODC filtered set), which Domain Admins, Enterprise Admins, Administrators and the domain controller computer accounts hold by default. SafetyKatz supports it via lsadump::dcsync. On the DC the request surfaces as Security event 4662 carrying the replication control-access GUIDs, and a subject that is not a DC account is the signal.

An LSASS dump yields several credential forms per logon session: NT hashes, sometimes plaintext passwords (WDigest, where it is still enabled), and Kerberos keys (RC4, which is the NT hash itself, plus AES-128 and AES-256 where the account has them). The NT hash suffices for NTLM attacks such as PtH, but Kerberos operations benefit from the AES keys, particularly in hardened environments where RC4 is disabled or alerted on. For ticket requests and ticket forging (e.g., Rubeus asktgt, Impacket's ticketer.py) the AES-256 key is preferred: the resulting AS-REQ and tickets use etype 0x12 (AES256-CTS-HMAC-SHA1-96) just like a normal client, whereas using the NT hash forces RC4 (etype 0x17), which is easy to spot in 4768/4769 events on a domain whose accounts are configured for AES.
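The domain-side detections implied by the last three paragraphs (the Logon Type 9 session OPtH creates, the RC4 TGT request an NT-hash OPtH produces where an AES-keyed one would blend in, and the replication rights DCSync exercises), written up as an added example that is not part of the original page or of SafetyKatz. It runs over constructed Security event records using the real EventData field names of 4624, 4768 and 4662; the per-account msDS-SupportedEncryptionTypes table and the DC account list are assumptions standing in for an AD export.

```python
"""Added example: domain-side detection of OPtH and DCSync over constructed Security events.

The records are made up for this example; field names are those of the EventData
section of Windows Security events 4624, 4768 and 4662. The supported-etype table and
the DC account list are assumptions standing in for an AD export.
"""
import re

# Control-access right GUIDs that replication (and therefore DCSync) exercises; they
# appear in the Properties field of 4662.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I)

# Kerberos encryption types as logged in 4768/4769 TicketEncryptionType (RFC 3961 numbers).
ETYPE_NAMES = {0x17: "RC4-HMAC", 0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96"}
AES_BITS = 0x18  # msDS-SupportedEncryptionTypes: AES128 = 0x08, AES256 = 0x10, RC4 = 0x04

# Assumed msDS-SupportedEncryptionTypes per account, as exported from AD.
SUPPORTED_ETYPES = {"alice": 0x18, "svc_backup": 0x18, "legacy_app": 0x04}
DC_ACCOUNTS = {"DC01$", "DC02$"}  # assumed domain controller machine accounts

SAMPLE_EVENTS = [  # constructed
    {"EventID": 4624, "LogonType": "9", "SubjectUserName": "bob", "TargetUserName": "bob",
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4768, "TargetUserName": "alice", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4768, "TargetUserName": "alice", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4768, "TargetUserName": "legacy_app", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.0.0.9"},
    {"EventID": 4662, "SubjectUserName": "bob", "AccessMask": "0x100",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def check_dcsync(ev):
    """4662 with Control Access (0x100) exercising replication rights from a non-DC principal."""
    if ev.get("EventID") != 4662 or int(ev["AccessMask"], 16) & 0x100 == 0:
        return None
    rights = [REPLICATION_GUIDS[g.lower()] for g in GUID_RE.findall(ev["Properties"])
              if g.lower() in REPLICATION_GUIDS]
    if not rights or ev["SubjectUserName"] in DC_ACCOUNTS:
        return None
    return ("dcsync", ev["SubjectUserName"], ", ".join(rights))


def check_etype_downgrade(ev):
    """4768 TGT issued with RC4 to an account whose configured etypes include AES.

    An NT-hash OPtH (sekurlsa::pth or Rubeus asktgt /rc4) produces exactly this; an
    AES-keyed OPtH does not, which is why the AES-256 key is the better one to steal.
    """
    if ev.get("EventID") != 4768:
        return None
    etype = int(ev["TicketEncryptionType"], 16)
    supported = SUPPORTED_ETYPES.get(ev["TargetUserName"], 0)
    if etype == 0x17 and supported & AES_BITS:
        return ("kerberos_rc4_downgrade", ev["TargetUserName"],
                f"{ETYPE_NAMES[etype]} from {ev['IpAddress']}")
    return None


def check_netonly_logon(ev):
    """4624 Logon Type 9: what runas /netonly, sekurlsa::pth and createnetonly produce.
    Noisy on its own; treat it as context for the other two rules."""
    if ev.get("EventID") == 4624 and ev["LogonType"] == "9":
        return ("netonly_logon", ev["SubjectUserName"], ev.get("LogonProcessName", ""))
    return None


def run(events):
    """Apply every rule to every event; returns a list of (rule, account, detail) tuples."""
    hits = []
    for ev in events:
        for check in (check_dcsync, check_etype_downgrade, check_netonly_logon):
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for rule, account, detail in run(SAMPLE_EVENTS):
        print(f"{rule:24} {account:12} {detail}")
```

Two design points worth noting. The downgrade rule is keyed on what the account is configured to support, not on RC4 alone: legacy_app in the sample is RC4-only, so its RC4 ticket is expected and produces no hit. And the DC02$ record shows why the DCSync rule has to be scoped by principal rather than by GUID: real inter-DC replication exercises the same rights, so the GUIDs alone would alert on every replication cycle.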
