- It first checks the privilege level of the session and the OS of the target.
- It then checks whether the target is a Domain Controller.
- Based on this information it prefers the read registry method to get the hashes where possible; if that is not possible it injects into the lsass process where possible. For Domain Controllers it injects into lsass.
- If the target is a 2008 server and the process is running with admin privileges, it attempts to get SYSTEM privilege using getsystem. Even when it obtains SYSTEM, due to the way the token privileges are set it still cannot inject into the lsass process, so it migrates to a process already running as SYSTEM and then injects into lsass from there.
- If the code detects that it is running on a Windows 7/Vista box with UAC disabled and it is running as local admin, it runs getsystem and then uses the read registry method.
- On Windows 2003/2000/XP it runs getsystem and, if successful, uses the read registry method.
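The method-selection logic in the list above, written out as an added Ruby example so the branches can be read and tested in isolation. This is not the Meterpreter script's own code: the host facts are passed in as a hash whose keys (:os, :admin, :dc, :uac, :getsystem_ok) are assumptions made for this example, where the real script would query the session, and combinations the list does not describe return an empty plan rather than a guessed one.

```ruby
# Added example (not the Meterpreter script's own code): the method-selection
# logic from the list above as a self-contained function. The input hash keys
# (:os, :admin, :dc, :uac, :getsystem_ok) are assumptions made for this example.
#
# Returns the ordered steps the collector would take, or [] where the list
# describes no path for that host.
def plan_hash_collection(host)
  os           = host[:os].to_s                  # e.g. "Windows 2008", "Windows 7", "Windows XP"
  admin        = host.fetch(:admin, false)       # session already has local admin rights?
  dc           = host.fetch(:dc, false)          # target is a Domain Controller?
  uac          = host.fetch(:uac, false)         # UAC enabled (Vista/7 only)
  getsystem_ok = host.fetch(:getsystem_ok, true) # would getsystem succeed? (assumed input)

  # Domain Controllers: the registry method is not used, inject into lsass.
  return [:inject_lsass] if dc

  case os
  when /2008/
    return [] unless admin
    return [:getsystem] unless getsystem_ok
    # After getsystem the token's privileges still do not allow injection into
    # lsass, so migrate to a process that is natively SYSTEM before injecting.
    [:getsystem, :migrate_to_system_process, :inject_lsass]
  when /Vista|Windows 7/
    return [] unless admin && !uac
    [:getsystem, :read_registry]
  when /2003|2000|XP/
    # The registry read happens only if getsystem succeeded.
    getsystem_ok ? [:getsystem, :read_registry] : [:getsystem]
  else
    []  # the list above describes no path for this OS
  end
end

# Constructed sample hosts for a quick run of each branch.
[
  { os: "Windows 2008", admin: true },
  { os: "Windows 2008", admin: true, dc: true },
  { os: "Windows 7", admin: true, uac: true },
  { os: "Windows XP", getsystem_ok: false },
].each { |h| puts "#{h.inspect} => #{plan_hash_collection(h).inspect}" }
```

The empty plan for a Windows 7 host with UAC enabled is deliberate: the list only commits to the registry method when UAC is off, so anything else would be an assumption the page does not support.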