Obtains credentials stored in minidump files (of the LSASS process)

• By default this command doesn't dump the kerberos tickets, you will need to supply -k switch and provide a directory.
• Mindiump file MUST be created with full memory dump options.

None

None

• --json : Switches the output to JSON format, both in STDOUT and in FILE output modes
• --grep or -g : Switches the output to a greppable format, both in STDOUT and in FILE output modes
• -o : Write results to file, instead of printing it to STDOUT
• -k : Dumps the kerberos tickets to a given folder.
• -d : Indicates that the input file is in fact a directory to parse ALL files from as minidump files. Allows mass-parsing. Works with the minidump command only.
• -r : Tries to parse all files in all subfolders of the input folder. minidump command only.
• -e : If -d is active, this switch makes parsing stop on the first error encountered.
• -p : Specifies which LSASS packages to parse. Default: all

• pypykatz lsa minidump <input_file> : Parses the input minidump file and prints all credentials to STDOUT
• pypykatz lsa minidump <input_file> --json : Parses the input minidump file and prints all credentials to STDOUT in JSON format
• pypykatz lsa minidump <input_path> -d -o <output_file>: Parses all files in a folder as mindiump file and writes all credentials to <output_file>
• pypykatz lsa minidump <input_file> -k <kerb_dir> : Parses the input minidump file and prints all credentials to STDOUT, also dumps all kerberos tickets in KIRBI format to the kerb_dir folder