• 🛑 Admin credentials need to be logged in at least once on a machine for them to be available for dumping.

  • If the machine is rebooted or shut down, the credentials will not be removed unless the session is terminated, but typically, cached credentials remain accessible.
    • A session is the active login instance of a user.
    • Cached credentials are stored locally and are often available even after a reboot unless the session is manually terminated.

• 🧠 LSASS Dumping (e.g., Mimikatz, lsassy, secretsdump) → Retrieves cached credentials from memory.

• 🔑 SAM Dumping → Only gets local account hashes, not domain admin unless they logged in locally.

• 🏰 DCSync Attack (Domain Controllers) → No prior login needed, pulls hashes directly from the DC.

• ⚠️ WDigest Enabled? → Can reveal cleartext passwords on older or misconfigured machines.

• ⏳ Watering Hole Tactic → Force-enable WDigest, then wait for an admin to log in and steal creds.

✔️ Always check if the target machine had a privileged user session before attempting credential dumping!