Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Secrets

Matrix

Secret classLocationRequired accessPrimary toolsOutputImmediate use
LAPS legacy passwordms-Mcs-AdmPwd on computer objectsDelegated LAPS read rights, All Extended Rights, or equivalentnxc, LAPSToolkit, PowerView, bloodyAD, LDAPLocal administrator passwordAdmin access to one host
Windows LAPS passwordmsLAPS-Password, msLAPS-EncryptedPassword, related attributesDelegated Windows LAPS read or decrypt rightsPowerShell LAPS cmdlets, LDAP, bloodyADLocal admin password or encrypted blobAdmin access to one host
gMSA managed passwordmsDS-ManagedPassword on gMSA objectPrincipal listed in msDS-GroupMSAMembership or equivalent read rightsnxc, gMSADumper.py, bloodyADNTLM/AES material for gMSATGT, service access, lateral movement
GPP cpasswordSYSVOL XMLDomain user read accesssmbclient, PowerShell, gpp-decryptPlaintext passwordPassword reuse, SMB, LDAP, WinRM
Scripts and configSYSVOL, shares, NETLOGONRead access to filessmbclient, nxc, Snaffler, PowerShellPlaintext secrets, tokens, connection stringsReuse or pivot to application/service
LDAP metadatadescription, info, custom attributesLDAP read accessLDAP queries, PowerView, AD cmdletsPasswords accidentally stored in attributesDirect authentication or spraying
Local SAMTarget registry hivesLocal admin or offline hivessecretsdump.py, Mimikatz, pypykatzLocal account NTLM hashesPass-the-hash to reused local admin
LSA secretsTarget registry and LSASS-backed secretsLocal admin or offline hivessecretsdump.py, Mimikatz, pypykatzService secrets, DPAPI system keys, autologonService account compromise
Cached domain logonsSECURITY hiveLocal admin or offline hivessecretsdump.py, Mimikatzmscachev2 hashesOffline cracking
NTDS domain hashesDC replication or offline ntds.dit plus SYSTEM hiveDCSync rights, DC admin, backup access, or VSSsecretsdump.py, MimikatzDomain NTLM/AES hashesPass-the-hash, ticket forging, cracking
DPAPI and VaultUser profile, machine profile, LSASS/masterkeysUser context, local admin, DPAPI backup keyMimikatz, pypykatz, SharpDPAPIBrowser creds, RDP creds, Wi-Fi keys, app secretsApplication and host pivoting