A Windows Server 2019 host is recording unexpected interactive logons from multiple domain accounts after midnight. During incident triage, you copy Mimikatz to the server and launch it with administrative privileges. Which action within the tool will most directly expose any plaintext or hashed credentials currently stored in memory that could confirm attacker activity?
Invoke the sekurlsa::logonPasswords module to dump credentials from the live LSASS process
Enable a custom service that captures keystrokes at each login attempt
Export Windows Security and System event logs for manual correlation of logon events
Load the HKLM\SAM hive offline to search for plaintext local account data
Invoking the sekurlsa::logonPasswords command (or equivalent module) forces Mimikatz to read the live LSASS process, which caches usernames, plaintext passwords, NTLM hashes, and Kerberos tickets for every active session. This dump gives investigators immediate proof of which credentials an attacker may have leveraged. Exporting Windows event logs or loading the SAM registry hive can offer supporting evidence, but they will not reveal cleartext values. Creating a keystroke-logging service would gather data only for future logins and cannot validate the activity that already occurred.