Our great sponsors
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
Because the SYSVOL share is open to Authenticated Users, any user in the organization can read the files stored there. Therefore, any user account can find and decrypt the Group Policy file and thereby gain access to the plaintext passwords for Administrator accounts. The PowerSploit command Get-GPPPassword will find and decrypt these passwords for you.
Typically, Mimikatz is used to extract NTLM password hashes or Kerberos tickets from memory. However, one of its lesser-known capabilities is the ability to extract plaintext passwords from dumps created for the LSASS process. This means that an attacker can compromise plaintext passwords without running any nefarious code on domain controllers. Dump files can be created interactively or using ProcDump , and in either case, the activity is unlikely to be flagged by anti-virus software. Once the dumps are created, they can be copied off the domain controller and the plaintext credentials can be harvested using Mimikatz offline.