Credentials

Enumerate AD using PowerShell, .Net, and Python tools.
Find interesting information like delegation issues, credentials in clear text, etc.
Enumerate and abuse Restricted Groups.

Once we elevated access to at least one target machine, we can go ahead and extract credentials from it.

A non-exhaustive list of locations on a Windows machine we can extract credentials from

– Memory of the lsass process

– LSASecrets

– SAM

– Credential Vault

– Unattend.xml and sysprep.xml

– Autologon credentials

– PowerShell console history

Location

LSASecrets

SAM

Credential Vault

Unattend.xml

sysprep.xml

Autologon credentials

PowerShell console history

Lsass Memory

Domain users, service accounts, clear text

Last updated 1 year ago

Was this helpful?