Abuse Info
From an elevated command prompt on the computer where the sMSA resides, run mimikatz then execute the following commands:
_SC_{262E99C9-6160-4871-ACEC-4E61736B6F21}__ suffixed by the name of the targeted sMSA. The next line contains cur/hex : followed by the sMSA's password, hex-encoded.
To use this password, its NT hash must be calculated. This can be done using a small Python script:
SYSTEM and SECURITY registry hives from an elevated prompt:
SYSTEM and SECURITY that were saved at %temp% to another computer where mimikatz can be safely executed.
On this other computer, run mimikatz from a command prompt then execute the following command to obtain the hex-encoded password:
Opsec Considerations
Access to registry hives can be monitored and alerted via event ID 4656 (A handle to an object was requested).
Edge Schema
Source: Computer
Destination: User
Traversable: Yes
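
The registry-hive monitoring noted under Opsec Considerations can be expressed as a triage rule. This is an added example, not code from the original page: it assumes event ID 4656 records are already parsed into dictionaries keyed by the event's field names and that auditing is configured so the events are generated; the process allow-list and every sample record are constructed.

```python
# Added example: triage parsed event ID 4656 records for registry-hive access.
# Field names follow the 4656 event schema; all sample data below is constructed.
SECURITY_HIVE = r"\REGISTRY\MACHINE\SECURITY"
SYSTEM_HIVE = r"\REGISTRY\MACHINE\SYSTEM"
# Secret-name prefix for sMSA passwords, as given on this page.
SMSA_SECRET_PREFIX = "_SC_{262E99C9-6160-4871-ACEC-4E61736B6F21}_"
# Assumption: processes expected to open these keys on the monitored host.
EXPECTED_PROCESSES = {r"c:\windows\system32\lsass.exe"}


def classify(event):
    """Return 'high', 'medium' or None for one parsed event record."""
    if event.get("EventID") != 4656 or event.get("ObjectType") != "Key":
        return None
    if event.get("ProcessName", "").lower() in EXPECTED_PROCESSES:
        return None
    name = event.get("ObjectName", "").upper()
    if SMSA_SECRET_PREFIX.upper() in name:
        return "high"    # handle requested on an sMSA secret key
    if name == SECURITY_HIVE or name.startswith(SECURITY_HIVE + "\\"):
        return "medium"  # any other access inside the SECURITY hive
    if name == SYSTEM_HIVE:
        return "medium"  # hive root only; SYSTEM subkeys are opened constantly
    return None


def triage(events):
    """Return (severity, user, process, object) for every flagged event."""
    hits = []
    for ev in events:
        severity = classify(ev)
        if severity:
            hits.append((severity, ev.get("SubjectUserName"),
                         ev.get("ProcessName"), ev.get("ObjectName")))
    return hits


def _ev(user, proc, obj, eid=4656):
    """Build one constructed sample record."""
    return {"EventID": eid, "ObjectType": "Key", "SubjectUserName": user,
            "ProcessName": proc, "ObjectName": obj}


SECRETS = SECURITY_HIVE + r"\Policy\Secrets"
SAMPLE_EVENTS = [  # constructed records, not taken from a real host
    _ev("SYSTEM", r"C:\Windows\System32\lsass.exe", SECRETS),
    _ev("admin1", r"C:\Users\admin1\tool.exe",
        SECRETS + "\\" + SMSA_SECRET_PREFIX + "svc-example"),
    _ev("admin1", r"C:\Windows\System32\cmd.exe", SECURITY_HIVE),
    _ev("admin1", r"C:\Windows\System32\cmd.exe", SYSTEM_HIVE),
    _ev("SYSTEM", r"C:\Windows\System32\services.exe",
        SYSTEM_HIVE + r"\CurrentControlSet\Services"),
]
```

Calling `triage(SAMPLE_EVENTS)` flags the sMSA secret access as high and the two hive-root handle requests as medium, while the lsass.exe and services.exe records are ignored.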