| Secret class | Location | Required access | Primary tools | Output | Immediate use |
|---|---|---|---|---|---|
| LAPS legacy password | ms-Mcs-AdmPwd on computer objects | Delegated LAPS read rights, All Extended Rights, or equivalent | nxc, LAPSToolkit, PowerView, bloodyAD, LDAP | Local administrator password | Admin access to one host |
| Windows LAPS password | msLAPS-Password, msLAPS-EncryptedPassword, related attributes | Delegated Windows LAPS read or decrypt rights | PowerShell LAPS cmdlets, LDAP, bloodyAD | Local admin password or encrypted blob | Admin access to one host |
| gMSA managed password | msDS-ManagedPassword on gMSA object | Principal listed in msDS-GroupMSAMembership or equivalent read rights | nxc, gMSADumper.py, bloodyAD | NTLM/AES material for gMSA | TGT, service access, lateral movement |
| GPP cpassword | SYSVOL XML | Domain user read access | smbclient, PowerShell, gpp-decrypt | Plaintext password | Password reuse, SMB, LDAP, WinRM |
| Scripts and config | SYSVOL, shares, NETLOGON | Read access to files | smbclient, nxc, Snaffler, PowerShell | Plaintext secrets, tokens, connection strings | Reuse or pivot to application/service |
| LDAP metadata | description, info, custom attributes | LDAP read access | LDAP queries, PowerView, AD cmdlets | Passwords accidentally stored in attributes | Direct authentication or spraying |
| Local SAM | Target registry hives | Local admin or offline hives | secretsdump.py, Mimikatz, pypykatz | Local account NTLM hashes | Pass-the-hash to reused local admin |
| LSA secrets | Target registry and LSASS-backed secrets | Local admin or offline hives | secretsdump.py, Mimikatz, pypykatz | Service secrets, DPAPI system keys, autologon | Service account compromise |
| Cached domain logons | SECURITY hive | Local admin or offline hives | secretsdump.py, Mimikatz | mscachev2 hashes | Offline cracking |
| NTDS domain hashes | DC replication or offline ntds.dit plus SYSTEM hive | DCSync rights, DC admin, backup access, or VSS | secretsdump.py, Mimikatz | Domain NTLM/AES hashes | Pass-the-hash, ticket forging, cracking |
| DPAPI and Vault | User profile, machine profile, LSASS/masterkeys | User context, local admin, DPAPI backup key | Mimikatz, pypykatz, SharpDPAPI | Browser creds, RDP creds, Wi-Fi keys, app secrets | Application and host pivoting |
OOTW / Chapter IV - Active Directory / 04. Techniques / Secrets