Conclusion

Recap

In this room, we discussed the various approaches to obtaining users' credentials, including the local computer and Domain Controller, which conclude the following:

We discussed accessing Windows memory, dumping an LSASS process, and extracting authentication hashes.
We discussed Windows Credentials Manager and methods to extract passwords.
We introduced the Windows LAPS feature and enumerated it to find the correct user and target to extract passwords.
We introduced AD attacks which led to dumping and extracting users' credentials.

The following tools may be worth trying to scan a target machine (files, memory, etc.) for hunting sensitive information. We suggest trying them out in the enumeration stage.

Snaffler
Seatbelt
Lazagne

Windows Domains

Active Directory

Managing Users

Managing Computers

Group Policies

Authentication Methods

Trees, Forests and Trusts

OSINT & Phishing

NTLM Authenticated Services

LDAP Bind Credentials

Authentication Relays

Microsoft Deployment Toolkit (MDT)

Configuration Files

Conclusion

Credential Injection

Microsoft Management Console

Enumeration through Command Prompt

Enumeration through PowerShell

BloodHound

Conclusion

Moving Through the Network

Spawning Processes Remotely

Moving Laterally Using WMI

Use of Alternate Authentication Material

Abusing User Behaviour

Port Forwarding

Conclusion

Exploiting Permission Delegation

Exploiting Kerberos Delegation

Exploiting Automated Relays

Exploiting AD Users

Exploiting GPOs

Exploiting Certificates

Exploiting Domain Trusts

Persistence through Credentials

Persistence through Tickets

Persistence through Certificates

Persistence through SID History

Persitence through Group Membership

Persistence through ACLs

Persistence through GPOs

Conclusion

Credential Access

Local Windows Credentials

Local Security Authority Subsystem Service (LSASS)

Windows Credential Manager

Domain Controller

Local Administrator Password Solution (LAPS)

Other Attacks

Conclusion

Conclusion

Recap