While testing countermeasures against the famous hacking tool mimikatz, I stumbled upon something I cannot explain. Following https://github.com/thomhastings/mimikatz-en, which says: "Mimikatz uses admin rights on Windows to display passwords of currently logged in users in plaintext."

It says "currently logged in", not more. However, I noticed that it could even display the passwords of all users who logged on today! OS: Win7 x64 SP1.
Please let me assure you that caching of credentials is turned off (cachedlogonscount=0, verified at HKEY_LOCAL_MACHINE\SECURITY\Cache) and all password safes (Credential Manager) are empty!

Where does mimikatz get the passwords from? In other words: what part of the credential cache Windows uses survives a logoff?

I noticed that only after restarting the computer are these caches emptied and can no longer be attacked.
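The following is an added example, not part of the question above, of the check a tester would run before and after a user logs off to see which LSA logon sessions the machine still holds for that account. It reads the CachedLogonsCount policy value from the Winlogon key (that is where the setting itself is stored; HKLM\SECURITY\Cache holds the cached NL$ entries and is readable only as SYSTEM) and then maps every Win32_LogonSession to its account via Win32_LoggedOnUser. The logon-type names are the documented LSA values; the hostname, account names and session IDs in the output are whatever your machine reports. It uses Get-WmiObject rather than Get-CimInstance so it runs on Windows 7 / PowerShell 2.0. Run it from an elevated prompt.

```powershell
# Added example (not from the question): snapshot the cached-logon setting and the
# logon sessions LSA currently holds, so the same check can be repeated after a logoff.
# Run elevated. Uses Get-WmiObject so it works on Windows 7 / PowerShell 2.0.

# 1. The cached-logon policy value lives under Winlogon; SECURITY\Cache holds the
#    cached entries themselves and is only readable as SYSTEM.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$count = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $count) { $count = '(not set; Windows default is 10)' }
"CachedLogonsCount = $count"

# 2. Documented LSA logon types (SECURITY_LOGON_TYPE).
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# 3. Index every logon session by its LogonId (the LUID LSA uses for the session).
$sessions = @{}
Get-WmiObject Win32_LogonSession | ForEach-Object { $sessions[$_.LogonId] = $_ }

# 4. Win32_LoggedOnUser links an account to a session. Both ends are WMI object paths, e.g.
#      \\HOST\root\cimv2:Win32_Account.Domain="HOST",Name="alice"
#      \\HOST\root\cimv2:Win32_LogonSession.LogonId="123456"
#    so the account name and LogonId are pulled out with a regex.
Get-WmiObject Win32_LoggedOnUser | ForEach-Object {
    if ($_.Antecedent -match 'Domain="([^"]*)",Name="([^"]*)"') {
        $account = "$($Matches[1])\$($Matches[2])"
    } else { return }                       # 'return' skips this pipeline item
    if ($_.Dependent -match 'LogonId="(\d+)"') { $id = $Matches[1] } else { return }

    $s = $sessions[$id]
    if ($null -eq $s) { return }            # session vanished between the two queries

    $type = $logonTypes[[int]$s.LogonType]
    if (-not $type) { $type = "Type$($s.LogonType)" }
    $start = [Management.ManagementDateTimeConverter]::ToDateTime($s.StartTime)

    New-Object PSObject -Property @{
        Account = $account
        LogonId = $id
        Type    = $type
        AuthPkg = $s.AuthenticationPackage
        Started = $start
    }
} | Sort-Object Started | Format-Table Account, LogonId, Type, AuthPkg, Started -AutoSize
```

Run it once while the user is logged on, log that user off, and run it again: any session that still appears for the account after the logoff, together with its logon type and authentication package, is what to compare against the sessions mimikatz is reporting credentials for.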