1. Why Can a Local Admin Dump Domain Admin Credentials, but a Domain User Cannot?
This happens because of how LSASS (Local Security Authority Subsystem Service) manages credentials and how Windows security boundaries enforce access control.
1.1 LSASS and Credential Storage
- LSASS stores authentication credentials (passwords, hashes, and Kerberos tickets) in memory.
- When a user logs in, their credentials are temporarily cached in LSASS.
- High-privileged accounts (like Domain Admins) can have their credentials stored in LSASS on any machine they log into.
1.2 Why a Local Admin Can Dump Domain Admin Credentials
A member of the local Administrators group holds SeDebugPrivilege (a standard domain user does not), which allows it to:
- Read LSASS memory using tools like Mimikatz.
- Access the credentials of any user who has logged into the system, including Domain Admins.
Scenario: A Domain Admin Logs Into a Local Machine
- A Domain Admin (e.g., MARVEL\administrator) logs into a workstation (SPIDERMAN-PC).
- Their credentials get stored in LSASS.
- A Local Admin on SPIDERMAN-PC can run mimikatz.exe and dump the Domain Admin credentials using: sekurlsa::logonpasswords
- Now the Local Admin has Domain Admin credentials and can use them for lateral movement (e.g., pass-the-hash, RDP, etc.).
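The LSASS memory read in the scenario above is exactly what a defender wants to catch. As an added example (not from the original notes), the Python below flags Sysmon Event ID 10 (ProcessAccess) records in which a non-allowlisted process obtains PROCESS_VM_READ on lsass.exe; the sample events, the simplified pipe-delimited record format and the allowlist are constructed assumptions to tune per environment.

```python
"""Flag processes that open a memory-read handle to lsass.exe, using Sysmon
Event ID 10 (ProcessAccess) records. Added example; the events below are constructed."""
from typing import Dict, List

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Source images that read LSASS legitimately on this (assumed) build; tune per environment.
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# Constructed Sysmon Event ID 10 records in a simplified key=value|key=value form.
SAMPLE_EVENTS = r"""
EventID=10|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF|SourceUser=NT AUTHORITY\SYSTEM
EventID=10|SourceImage=C:\Users\peter\Desktop\mimikatz.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010|SourceUser=SPIDERMAN-PC\peter
EventID=10|SourceImage=C:\Program Files\Tool\agent.exe|TargetImage=C:\Windows\System32\svchost.exe|GrantedAccess=0x1010|SourceUser=NT AUTHORITY\SYSTEM
EventID=10|SourceImage=C:\Windows\System32\taskmgr.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1400|SourceUser=SPIDERMAN-PC\peter
"""


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value|key=value record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def is_suspicious(ev: Dict[str, str]) -> bool:
    """True when a non-allowlisted process obtains PROCESS_VM_READ on lsass.exe."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)
    if not granted & PROCESS_VM_READ:
        return False  # query-only handles (e.g. 0x1400) cannot read credential material
    return ev.get("SourceImage", "").lower() not in ALLOWLIST


def find_lsass_readers(log_text: str) -> List[Dict[str, str]]:
    """Return the events worth alerting on, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_lsass_readers(SAMPLE_EVENTS):
        print(f"ALERT: {ev['SourceUser']} via {ev['SourceImage']} "
              f"opened lsass.exe with GrantedAccess={ev['GrantedAccess']}")
```

Of the four constructed events only the mimikatz.exe handle is reported: the csrss.exe read is allowlisted, the svchost.exe target is not LSASS, and the 0x1400 handle lacks PROCESS_VM_READ.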