Veil-Pillage: Harvesting Credentials and Lateral Movement Techniques
After initial access and execution, the next objective in most attack chains is credential harvesting and lateral movement. The attacker needs to escalate privileges, find additional credentials, and spread through the network to reach high-value targets. Veil-Pillage addresses this post-exploitation phase — providing modules for credential extraction, data discovery, and movement between systems in a controlled lab context.
For defenders, understanding Pillage's capabilities is a blueprint for where your detection must be strongest. Every technique Pillage exercises has a corresponding detection surface. This article maps those techniques to specific telemetry sources and detection strategies.
What Changed Recently
Post-exploitation credential harvesting continues to evolve as defensive controls improve:
- Credential Guard adoption — Virtualization-based security (VBS) moves NTLM hashes and Kerberos TGTs into an isolated LSA process, so a dump of lsass.exe on a protected host no longer yields usable domain secrets. Its scope is limited, though: local SAM accounts, credentials handled by third-party SSPs, and on-disk artifacts such as the cached domain logon verifiers (DCC2) in the SECURITY hive remain outside it (those verifiers can still be pulled from the hive files with the SYSTEM boot key), and an RDP logon still delivers a usable credential to the remote host unless Remote Credential Guard or Restricted Admin mode is used. Pillage's fallback techniques target exactly these gaps.
- Protected Process Light (PPL) for LSASS — Windows 11 (on new enterprise-joined installs) and Windows Server 2025 enable LSA protection (RunAsPPL) by default. A non-protected process cannot open LSASS with PROCESS_VM_READ no matter what privileges it holds, so reading LSASS memory needs a signed PPL-capable binary or a bring-your-own-vulnerable-driver (BYOVD) kernel primitive.
- Kerberos improvements — Enhancements to Kerberos authentication (AES-only enforcement, claims-based auth) affect the viability of certain credential abuse techniques.
- Detection maturity — SOC teams have better tooling for detecting credential access. The challenge has shifted from detecting known tools to detecting the behavior patterns they represent.
Core Credential Harvesting Techniques
LSASS Memory Extraction
The Local Security Authority Subsystem Service (LSASS) process holds credentials for currently logged-in users: NTLM hashes, Kerberos tickets, and in some configurations, plaintext passwords.
How Pillage exercises this:
- Direct memory reading through process access (OpenProcess with PROCESS_VM_READ)
- Minidump creation for offline analysis
- Use of alternative LSASS access methods that avoid common detection patterns
Detection surfaces:
- Sysmon Event ID 10 (ProcessAccess) — Monitor for processes accessing LSASS (lsass.exe) with suspicious access masks (0x1010, 0x1FFFFF). This is the primary detection point.
- Sysmon Event ID 11 (FileCreate) — Minidump files (.dmp) created by unexpected processes in unexpected locations.
- ETW Threat Intelligence — Kernel-level monitoring of memory read operations on the LSASS process.
- EDR and Credential Guard context — Credential Guard does not itself raise an alert when LSASS is read; its effect is that the dump no longer contains usable domain secrets. Detection of the read still comes from Sysmon, ETW-TI, or the EDR (Defender for Endpoint, for example, alerts on suspicious LSASS access and credential-dumping behavior).
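The Sysmon Event ID 10 logic above, worked through as an added example (not code from the Veil project or this article's original text): it decodes the GrantedAccess mask into the process rights that matter for dumping, checks the source image against an allow list, and flags aggravating signals such as an unbacked call-trace frame or a source running from a user-writable path. The sample records are constructed, and the allow list is an assumption to be replaced by a baseline of the security stack actually deployed.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records that target lsass.exe.

Added example for this article, not code from the Veil project. The event
records below are constructed to mirror the event's data fields, and the
allow list of legitimate LSASS readers is an assumption that must be tuned to
the security stack actually deployed on the host.
"""

# Process access rights (winnt.h) that matter for credential dumping
ACCESS_RIGHTS = (
    (0x0008, "VM_OPERATION"),
    (0x0010, "VM_READ"),
    (0x0020, "VM_WRITE"),
    (0x0400, "QUERY_INFORMATION"),
    (0x1000, "QUERY_LIMITED_INFORMATION"),
)
MEMORY_RIGHTS = 0x0008 | 0x0010 | 0x0020   # any of these lets a dumper touch memory

LSASS_PATH = r"c:\windows\system32\lsass.exe"

# Assumed allow list (lower-case full paths). Real lists come from baselining.
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def decode_mask(granted_access):
    """Return (int mask, [right names]) for a GrantedAccess string such as '0x1010'."""
    mask = int(granted_access, 16)
    return mask, [name for bit, name in ACCESS_RIGHTS if mask & bit]


def triage(event):
    """Classify one EID 10 record as ignore / allowlisted / info / alert, with reasons."""
    if event["TargetImage"].lower() != LSASS_PATH:
        return "ignore", []
    mask, rights = decode_mask(event["GrantedAccess"])
    source = event["SourceImage"].lower()
    if source in ALLOWED_SOURCE_IMAGES:
        return "allowlisted", rights
    if not mask & MEMORY_RIGHTS:
        # Query-only handles (0x1000, 0x1400) are what Task Manager and similar tools open
        return "info", rights
    reasons = ["memory-capable access to LSASS: " + ", ".join(rights)]
    if "UNKNOWN" in event.get("CallTrace", ""):
        # Sysmon writes UNKNOWN for frames in memory not backed by a module: injected code
        reasons.append("call trace contains an unbacked (UNKNOWN) frame")
    if source.startswith("c:\\users\\") or "\\temp\\" in source:
        reasons.append("source image runs from a user-writable path")
    return "alert", reasons


def triage_events(events):
    """Map every record to (source image, verdict)."""
    return [(e["SourceImage"], triage(e)[0]) for e in events]


# Constructed sample records (not real telemetry)
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0c4"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0c4|UNKNOWN(000001F4A2B30000)"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0c4|C:\Windows\System32\comsvcs.dll+2e0f9"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": ""},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": ""},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict, detail = triage(e)
        print(f"{verdict:12} {e['SourceImage']}  {detail}")
```

The allow list is the part that does the work: with PPL enabled, anything outside it that still obtains VM_READ on LSASS is either a signed PPL-capable tool you forgot to baseline or an attacker who has already dealt with PPL, and both deserve a ticket.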
SAM Database Extraction
The Security Accounts Manager (SAM) database contains local account NTLM hashes. It can be extracted from the registry or from volume shadow copies.
How Pillage exercises this:
- Registry extraction via `reg save HKLM\SAM` and `reg save HKLM\SYSTEM` (the SYSTEM hive supplies the boot key needed to decrypt the SAM offline)
- Shadow copy access for offline SAM extraction, reading the hive files from a volume shadow copy to bypass the lock on the live files
- ntdsutil's install-from-media (IFM) export on a domain controller, which writes a copy of NTDS.dit plus the SYSTEM hive to disk
Detection surfaces:
- Process creation monitoring — `reg.exe` with `save` arguments targeting the SAM, SYSTEM, or SECURITY hives
- Sysmon Event ID 1 — Process creation for ntdsutil.exe with IFM arguments, `vssadmin create shadow`, or `wmic shadowcopy call create`. Backup software creates shadow copies legitimately, so baseline the parent process before alerting on creation alone.
- File creation — SAM, SYSTEM, or NTDS.dit files appearing in unexpected directories
Cached Credentials
Domain credentials are cached on endpoints as salted verifiers (MSCache v2, also called DCC2) under HKLM\SECURITY\Cache so users can log on when no domain controller is reachable. Unlike an NT hash, a cached verifier cannot be replayed; an attacker must extract it (with the SYSTEM hive's boot key) and crack it offline, which is slow but still viable against weak passwords.
Detection surfaces:
- Hive extraction — `reg save HKLM\SECURITY` together with `reg save HKLM\SYSTEM`; detect through process creation, exactly as for the SAM above
- Registry access to HKLM\SECURITY\Cache — Sysmon registry events (12, 13, 14) only record key and value writes, so a read of the cache is invisible to Sysmon. To see reads, set an object-access SACL on the key and audit Event ID 4663, or rely on the process creation and LSASS access telemetry.
Kerberos Ticket Extraction
Kerberos TGTs and service tickets in memory can be extracted for pass-the-ticket attacks.
Detection surfaces:
- Kerberos anomalies — Tickets used from unexpected IP addresses or with unexpected encryption types
- LSASS access — Same as LSASS memory extraction above
- Event ID 4769 — TGS requests with unexpected encryption types (RC4 when AES should be enforced)
Lateral Movement Techniques
After credential harvesting, lateral movement uses those credentials to access additional systems:
Pass-the-Hash (PtH)
Using NTLM hashes directly for authentication without knowing the plaintext password.
Detection surfaces:
- Event ID 4624 — Logon type 3 (network) with authentication package NTLM from unexpected source endpoints, especially workstation-to-workstation. On the source host, a logon type 9 (NewCredentials) event with logon process seclogo is the usual footprint of a pass-the-hash tool (or of runas /netonly) injecting a hash into a fresh logon session.
- Event ID 4776 — Credential validation events showing NTLM authentication (logged on the domain controller for domain accounts and on the member host for local accounts)
- Network monitoring for NTLM authentication traffic between workstations
Pass-the-Ticket (PtT)
Using stolen Kerberos tickets for authentication.
Detection surfaces:
- Event ID 4768/4769 — TGT/TGS requests from unexpected IP addresses. A 4769 for an account and client address with no preceding 4768 for that pair on any domain controller means the KDC never issued that client a TGT: the ticket was injected.
- Ticket lifetime anomalies — Tickets used beyond their normal lifetime or from hosts that should not hold them
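The Security-log correlations described for Kerberos ticket extraction, pass-the-hash and pass-the-ticket, as one added example (not code from the Veil project or from the original article): it tracks successful 4768s per account and client address, flags a 4769 with no TGT issued to that pair within the ticket lifetime, flags RC4 service tickets, and flags the two 4624 shapes (type 9 via seclogo on the source host, type 3 NTLM between workstations). The records are constructed; the workstation naming prefix, the client subnet and the 10-hour lookback are lab assumptions.

```python
"""Correlate Windows Security events 4624/4768/4769 for pass-the-hash,
pass-the-ticket and RC4 service-ticket signals.

Added example for this article, not code from the Veil project. Records are
constructed dicts keyed like the Security log's EventData fields. The
workstation naming prefix, the client subnet and the TGT lookback window are
lab assumptions to replace with the real environment's values.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

WORKSTATION_PREFIX = "ws-"                               # assumption: host naming
WORKSTATION_NET = ipaddress.ip_network("10.0.1.0/24")    # assumption: client VLAN
TGT_LOOKBACK = timedelta(hours=10)                       # default TGT lifetime
RC4_HMAC = "0x17"                                        # TicketEncryptionType value


def norm_user(name):
    """'Alice@CORP.LOCAL', 'CORP\\Alice' and 'alice' all normalise to 'alice'."""
    return name.split("@")[0].split("\\")[-1].lower()


def norm_ip(ip):
    """4768/4769 log IPv4 clients as ::ffff:a.b.c.d; strip the prefix."""
    return ip.replace("::ffff:", "")


def is_workstation_ip(ip):
    try:
        return ipaddress.ip_address(norm_ip(ip)) in WORKSTATION_NET
    except ValueError:          # '-', '::1' and similar placeholders
        return False


def correlate(events):
    """Return [(rule, account, detail)] in time order."""
    findings = []
    tgt_times = defaultdict(list)   # (account, client ip) -> times of successful 4768
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["TimeCreated"])):
        t = datetime.fromisoformat(e["TimeCreated"])
        eid = e["EventID"]
        user = norm_user(e.get("TargetUserName", ""))
        ip = norm_ip(e.get("IpAddress", "-"))
        if eid == 4768 and e.get("Status") == "0x0":
            tgt_times[(user, ip)].append(t)
        elif eid == 4769:
            if e.get("TicketEncryptionType") == RC4_HMAC:
                findings.append(("rc4_service_ticket", user, e["ServiceName"]))
            recent = [x for x in tgt_times[(user, ip)] if t - TGT_LOOKBACK <= x <= t]
            if not recent and not user.endswith("$"):
                # Service ticket presented with a TGT this KDC never issued to that
                # client: the classic shape of an injected (pass-the-ticket) TGT
                findings.append(("tgs_without_prior_tgt", user, ip))
        elif eid == 4624:
            logon_type = e.get("LogonType")
            if logon_type == "9" and e.get("LogonProcessName", "").lower() == "seclogo":
                # NewCredentials logon via seclogo: runas /netonly, or a PtH tool
                # injecting a hash into a fresh logon session on the source host
                findings.append(("newcredentials_logon_seclogo", user, e["Computer"]))
            elif (logon_type == "3" and e.get("AuthenticationPackageName") == "NTLM"
                  and is_workstation_ip(ip)
                  and e["Computer"].lower().startswith(WORKSTATION_PREFIX)):
                findings.append(("ntlm_workstation_to_workstation", user,
                                 f"{ip}->{e['Computer']}"))
    return findings


# Constructed sample events (not real telemetry): DC01 logs the Kerberos events,
# the workstations and file server log their own 4624s
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-05-06T08:00:00", "EventID": 4768, "Computer": "DC01",
     "TargetUserName": "alice", "IpAddress": "::ffff:10.0.1.20", "Status": "0x0"},
    {"TimeCreated": "2024-05-06T08:05:00", "EventID": 4769, "Computer": "DC01",
     "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "::ffff:10.0.1.20",
     "ServiceName": "WS-02$", "TicketEncryptionType": "0x12"},
    {"TimeCreated": "2024-05-06T09:00:00", "EventID": 4769, "Computer": "DC01",
     "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "::ffff:10.0.1.20",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-06T09:30:00", "EventID": 4769, "Computer": "DC01",
     "TargetUserName": "bob@CORP.LOCAL", "IpAddress": "::ffff:10.0.1.20",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12"},
    {"TimeCreated": "2024-05-06T09:40:00", "EventID": 4624, "Computer": "WS-01",
     "TargetUserName": "alice", "IpAddress": "::1", "LogonType": "9",
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"TimeCreated": "2024-05-06T09:41:00", "EventID": 4624, "Computer": "WS-02",
     "TargetUserName": "alice", "IpAddress": "10.0.1.20", "LogonType": "3",
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM"},
    {"TimeCreated": "2024-05-06T09:42:00", "EventID": 4624, "Computer": "FS01",
     "TargetUserName": "alice", "IpAddress": "10.0.1.20", "LogonType": "3",
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos"},
]

if __name__ == "__main__":
    for rule, account, detail in correlate(SAMPLE_EVENTS):
        print(f"{rule:32} {account:8} {detail}")
```

Two operational caveats: the TGT and the service ticket may be issued by different domain controllers, so the 4768/4769 correlation only works over events collected from every DC; and the seclogo rule also fires for legitimate `runas /netonly`, so treat it as a pivot point for the LSASS access and NTLM findings rather than an alert on its own.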
Remote Service Exploitation
Using harvested credentials with remote administration tools (WMI, PsExec, WinRM).
Detection surfaces:
- Same as the delivery detection surfaces described in the Veil-Catapult multi-stage pipelines article
- Network connections using administrative credentials from non-admin workstations
Sensitive Data Discovery
Beyond credentials, Pillage exercises data discovery:
- File share enumeration and sensitive data identification
- Email and document searches for credentials, keys, and configuration files
- Registry searches for stored credentials and connection strings
- Browser credential extraction
The Hunting Sensitive Data page covers the detailed methodology.
Practical Hardening and Monitoring Guidance
For System Administrators
- Enable Credential Guard — VBS-based credential isolation is the most effective defense against LSASS credential extraction. Deploy on all supported endpoints.
- Enable LSASS PPL — Protected Process Light for LSASS prevents unauthorized memory access. Combined with Credential Guard, this significantly raises the bar for credential harvesting.
- Enforce AES-only Kerberos — Disable RC4 for Kerberos (Network security: Configure encryption types allowed for Kerberos). This removes the RC4 downgrade path and makes RC4-based service ticket cracking unavailable. Accounts whose password has not changed since AES keys were introduced in the domain have no AES key at all, so those passwords need a reset once the policy lands.
- Implement LAPS — Local Administrator Password Solution ensures unique local admin passwords on every endpoint. This prevents lateral movement via shared local admin credentials.
- Reduce cached credentials — Limit the number of cached logon verifiers stored on endpoints (Group Policy: Interactive logon: Number of previous logons to cache (in case domain controller is not available)).
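The registry settings behind the hardening list above, worked into a small audit as an added example (not code from the Veil project or from the original article): it compares a snapshot of the relevant keys against the recommended values, with an unhardened host beside a hardened one. The snapshots are constructed dicts shaped like reg query output; on a live host they would be read from the registry. The cached-logon threshold is a lab assumption.

```python
"""Audit a registry snapshot against the credential-hardening settings above.

Added example for this article, not the Veil project's code. Snapshots are
constructed dicts (key -> value name -> data) shaped like reg query output.
The cached-logon threshold is a lab assumption. RunAsPPL and LsaCfgFlags
record configuration intent only; whether LSA protection and VBS are actually
running must be confirmed at runtime on the host.
"""
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
KERB_POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"

MAX_CACHED_LOGONS = 2   # assumption; 0 suits desktops that never log on offline

# SupportedEncryptionTypes bit flags (Network security: Configure encryption types allowed for Kerberos)
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x01, 0x02, 0x04, 0x08, 0x10
WEAK_ETYPES = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
AES_ETYPES = AES128 | AES256


def get(snapshot, key, name):
    return snapshot.get(key, {}).get(name)


def kerberos_aes_only(value):
    """True when the etype mask allows AES and no DES/RC4.
    None means the policy is unset, so the OS default (RC4 + AES) applies."""
    return value is not None and not (value & WEAK_ETYPES) and bool(value & AES_ETYPES)


def audit(snapshot):
    """Return [(check, passed, detail)] for the four hardening items."""
    results = []

    ppl = get(snapshot, LSA, "RunAsPPL")            # 1 = UEFI-locked, 2 = not locked
    results.append(("lsa_ppl", ppl in (1, 2), f"RunAsPPL={ppl}"))

    cg = get(snapshot, LSA, "LsaCfgFlags")          # 1 = enabled with UEFI lock, 2 = without
    results.append(("credential_guard", cg in (1, 2), f"LsaCfgFlags={cg}"))

    cached = get(snapshot, WINLOGON, "CachedLogonsCount")   # REG_SZ, default "10"
    n = int(cached) if cached is not None else 10
    results.append(("cached_logons", n <= MAX_CACHED_LOGONS, f"CachedLogonsCount={n}"))

    etypes = get(snapshot, KERB_POLICY, "SupportedEncryptionTypes")
    shown = "unset" if etypes is None else hex(etypes)
    results.append(("kerberos_aes_only", kerberos_aes_only(etypes),
                    f"SupportedEncryptionTypes={shown}"))
    return results


# Constructed: an unhardened host (no PPL, Credential Guard off, defaults elsewhere)
WEAK_HOST = {
    LSA: {"LsaCfgFlags": 0},
    WINLOGON: {"CachedLogonsCount": "10"},
}
# Constructed: the settings this article recommends
HARDENED_HOST = {
    LSA: {"RunAsPPL": 1, "LsaCfgFlags": 1},
    WINLOGON: {"CachedLogonsCount": "2"},
    KERB_POLICY: {"SupportedEncryptionTypes": AES128 | AES256},   # 0x18
}

if __name__ == "__main__":
    for label, host in (("weak", WEAK_HOST), ("hardened", HARDENED_HOST)):
        for check, ok, detail in audit(host):
            print(f"{label:9} {check:18} {'PASS' if ok else 'FAIL'}  {detail}")
```

Treat a passing audit as necessary, not sufficient: RunAsPPL=1 with Secure Boot off, or LsaCfgFlags=1 on hardware that cannot run VBS, still leaves LSASS unprotected, so confirm the running state from the host after every change.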
For SOC and Detection Teams
- Monitor LSASS access relentlessly — Every process that opens a handle to LSASS should be investigated. Maintain a strict allow list of processes that legitimately access LSASS.
- Detect credential dump patterns — Alert on: `reg.exe save` targeting SAM/SYSTEM/SECURITY, minidump file creation, ntdsutil execution, shadow copy creation.
- Track NTLM authentication — NTLM should be declining as organizations enforce Kerberos. Unexpected NTLM authentication events, especially between workstations, indicate potential PtH activity.
- Correlate logon events with endpoint context — A domain admin logon from a standard user's workstation is suspicious regardless of the authentication method.
Lab Testing
Use Pillage in a controlled lab environment to validate your credential access detection coverage. The testing workflow:
- Deploy Credential Guard and LSASS PPL on the target
- Attempt credential extraction — verify that the controls block it or that detection fires
- Test credential harvesting fallback techniques — verify detection for each
- Attempt lateral movement with harvested credentials — verify that logon event monitoring catches it
The Hunting Users resource provides additional context on user enumeration that typically precedes credential targeting. PowerView's AD reconnaissance capabilities identify which credentials are most valuable to harvest.
Related Reading
- Veil Framework Overview
- Hunting Sensitive Data
- Hunting Users
- Automating Payload Delivery with Veil-Catapult
- BYOVD: The Latest EDR-Killer Strategy
- Mastering Veil-PowerView: AD Reconnaissance
Credentials are the keys to lateral movement. Every credential your attacker harvests represents a detection opportunity you missed. Monitor LSASS, enforce Credential Guard, and track every authentication event — because the attacker's next move depends on what they find.