# In-memory secrets

## Theory

Just as the LSASS process on Windows systems holds credentials that can be recovered through [LSASS dumping](https://red.infiltr8.io/redteam/credentials/os-credentials/windows-and-active-directory/broken-reference), other programs sometimes handle credentials in the memory allocated to their own processes, which can allow attackers to dump them.
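Seen from the defending side, the exposure lasts as long as the credential stays in the process's memory. The following is an added example, not code from the original page or from any tool it mentions: it shows a credential lingering in a working buffer after use and the same buffer after an explicit wipe. `scratch`, `secure_wipe`, `residue_present` and `use_credential` are hypothetical names, and the password is a constructed sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH_LEN 64
/* Stands in for a long-lived working buffer inside the process (assumption). */
static unsigned char scratch[SCRATCH_LEN];

/* Zeroing through a volatile pointer, so the compiler cannot drop the stores
   as dead writes. Platform equivalents: SecureZeroMemory (Windows),
   explicit_bzero (glibc, BSD). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Self-check on memory the program owns: 1 if needle is still in buf. */
static int residue_present(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Copies the credential into the working buffer, "uses" it, and optionally
   scrubs it. Returns 1/0 for the placeholder check, -1 if it does not fit. */
static int use_credential(const char *pw, int scrub) {
    size_t n = strlen(pw);
    if (n >= SCRATCH_LEN) return -1;        /* refuse rather than truncate */
    memcpy(scratch, pw, n + 1);
    int ok = (n >= 8);                      /* placeholder for the real authentication call */
    if (scrub) secure_wipe(scratch, SCRATCH_LEN);
    return ok;
}

int main(void) {
    const char *pw = "Constructed-Passw0rd!";   /* constructed sample value */
    use_credential(pw, 0);
    printf("no scrub:   residue=%d\n", residue_present(scratch, SCRATCH_LEN, pw));
    use_credential(pw, 1);
    printf("with scrub: residue=%d\n", residue_present(scratch, SCRATCH_LEN, pw));
    return 0;
}
```

The wipe only covers the buffer it is given; any other copy of the credential (the caller's string, I/O buffers) needs the same treatment.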

## Practice

{% hint style="info" %}
Just like [LSASS dumping](https://red.infiltr8.io/redteam/credentials/os-credentials/windows-and-active-directory/broken-reference), this technique requires the attacker to have admin access on the target machine, since it involves dumping and handling volatile memory.
{% endhint %}

{% tabs %}
{% tab title="Windows" %}
On Windows systems, tools like [LaZagne](https://github.com/AlessandroZ/LaZagne) (Python) and [mimikatz](https://github.com/gentilkiwi/mimikatz) (C) can be used to extract passwords from memory, but they focus on [LSASS dumping](https://red.infiltr8.io/redteam/credentials/os-credentials/windows-and-active-directory/broken-reference).

```powershell
LaZagne.exe all
```

{% endtab %}
{% endtabs %}
