mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

GitBook: [#3228] No subject

This commit is contained in:
CPol 2022-06-01 10:08:46 +00:00 committed by gitbook-bot
parent eb8ae2eee0
commit 43960f826e
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 22 additions and 1 deletions


@ -466,11 +466,16 @@ Inside the EventID 4634/4647 there are interesting sub-types:
* **3 (network)**: Connection to a shared folder
* **4 (Batch)**: Process executed
* **5 (service)**: Service started by the Service Control Manager
* **7**: Screen unblocked using password
* **6 (proxy):** Proxy Login
* **7 (Unlock)**: Screen unblocked using password
* **8 (network cleartext)**: User authenticated sendin clear text passwords. This event use to come from the IIS
* **9 (new credentials)**: It's generated when the command `RunAs` is used or the user access to a network service with different credentials.
* **10 (remote interactive)**: Authentication via Terminal Services or RDP
* **11 (cache interactive)**: Access using the last cached credentials because it wasn't possible to contact the domain controller
* **12 (cache remote interactive)**: Login remotely with cached credentials (a combination of 10 and 11).
* **13 (cached unlock)**: Unlock a locked machine with cached credentials.
In this post you can find how to mimic all these types of login and in which of them you will be able to dump credentials from memory: [https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them](https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them)
The Status and sub status information of the event s can indicate more details about the causes of the event. For example take a look to the following Status and Sub Status Codes of the Event ID 4625:
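Review bot: the list ends up with two entries for logon type 7 (`* **7**: Screen unblocked using password` and `* **7 (Unlock)**: Screen unblocked using password`); unless the unlabelled one is the line being removed by this change, drop it so the list does not repeat the same type. The new lines also carry typos that should be fixed in the same commit: `sendin` should read `sending`, `This event use to come from the IIS` should read `This event usually comes from IIS`, and `the user access to a network service` should read `the user accesses a network service`; in the closing paragraph `event s` should read `events` and `take a look to` should read `take a look at`. Note as well that the unchanged header context says `EventID 4634/4647`, but the Logon Type field is carried by the logon event 4624 (and by the logoff event 4634), not by 4647, so that reference is worth correcting while the section is being edited.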


@ -114,6 +114,22 @@ We just have to keep in mind that this technique can only be executed as **SYSTE
**You can automate this process with** [**lssasy**](https://github.com/Hackndo/lsassy)**.**
### **Dumping lsass with Task Manager**
1. Right click on the Task Bar and click on Task Manager
2. Click on More details
3. Search for "Local Security Authority Process" process in the Processes tab
4. Right click on "Local Security Authority Process" process and click on "Create dump file".
### Dumping lsass with procdump
[Procdump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a Microsoft signed binary which is a part of [sysinternals](https://docs.microsoft.com/en-us/sysinternals/) suite.
```
Get-Process -Name LSASS
.\procdump.exe -ma 608 lsass.dmp
```
## CrackMapExec
### Dump SAM hashes
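Review bot: `lssasy` in the bold link text is misspelled; the linked repository is `lsassy`, so the text should match the URL. In the procdump snippet the PID `608` is a value observed on one particular machine, not a constant, and the text should say that it has to be taken from the `Get-Process -Name LSASS` output on the line above rather than presenting it as part of the command. The code fence also has no language tag; marking it as `powershell` would make the renderer highlight it like the other command blocks.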