| Category | Tool | Details |
|---|---|---|
| Command Execution | PsExec | Executes a command on a remote host. |
| Command Execution | wmic | Windows Management Instrumentation command-line tool; used for Windows system management, including starting processes on remote hosts. |
| Command Execution | schtasks | Creates and runs a scheduled task at the specified time, locally or on a remote host. |
| Command Execution | wmiexec.vbs | Executes a command on a remote host over WMI. |
| Command Execution | BeginX | Executes a command from a client to the server. |
| Command Execution | WinRM | Windows Remote Management; executes commands on and manages a remote host over WS-Management. |
| Command Execution | WinRS | Executes a command on a remote host over WinRM. |
| Command Execution | BITS | Transfers files in the background (Background Intelligent Transfer Service). |
| Password and Hash Dump | PWDump7 | Displays a list of password hashes on the host. |
| Password and Hash Dump | PWDumpX | Acquires password hashes from a remote host. |
| Password and Hash Dump | Quarks PwDump | Acquires the password hashes of domain and local accounts as well as cached credentials. |
| Password and Hash Dump | Mimikatz (lsadump::sam) | Dumps the password hashes of local accounts stored in the SAM database. |
| Password and Hash Dump | Mimikatz (sekurlsa::logonpasswords) | Extracts credentials (hashes and, where present, plaintext passwords) of logged-on sessions from LSASS memory. |
| Password and Hash Dump | Mimikatz (sekurlsa::tickets) | Acquires the Kerberos tickets of logged-on sessions from LSASS memory. |
| Password and Hash Dump | WCE | Acquires password hashes from the memory of a host. |
| Password and Hash Dump | gsecdump | Extracts password hashes from SAM/AD or from logon sessions. |
| Password and Hash Dump | lslsass | Acquires the password hashes of active logon sessions from the lsass process. |
| Password and Hash Dump | AceHash | Acquires password hash values and logs on to the host with them. |
| Password and Hash Dump | Find-GPOPasswords.ps1 | Acquires passwords written in group policy files. |
| Password and Hash Dump | Get-GPPPassword (PowerSploit) | Acquires plaintext passwords and other account information written in Group Policy Preferences. |
| Password and Hash Dump | Invoke-Mimikatz (PowerSploit) | Loads Mimikatz into memory and runs it without writing it to disk. |
| Password and Hash Dump | Out-Minidump (PowerSploit) | Writes a minidump of a process (e.g. lsass) to a file for offline credential extraction. |
| Password and Hash Dump | PowerMemory (RWMC Tool) | Acquires authentication information from files and memory. |
| Password and Hash Dump | WebBrowserPassView | Extracts user names and passwords saved in web browsers. |
| Malicious Communication Relay | Htran | Relays (bounces) TCP connections through a compromised host so that traffic reaches systems the attacker cannot contact directly. |
| Malicious Communication Relay | Fake wpad | Acquires and alters client communications by posing as the WPAD proxy-configuration server. |
| Remote Login | RDP | Connects to a host on which Remote Desktop Services (RDS) is running. |
| Pass-the-hash, Pass-the-ticket | WCE (Remote Login) | Executes a command on a remote host using an acquired password hash. |
| Pass-the-hash, Pass-the-ticket | Mimikatz (Remote Login) | Executes a command on a remote host using an acquired password hash or Kerberos ticket. |
| Escalation to SYSTEM Privilege | MS14-058 Exploit | Executes a specified executable file with SYSTEM privileges. |
| Escalation to SYSTEM Privilege | MS15-078 Exploit | Executes a specified executable file with SYSTEM privileges. |
| Escalation to SYSTEM Privilege | SDB UAC Bypass | Uses an Application Compatibility Database (SDB) to run applications controlled by User Account Control (UAC) as an administrator without a UAC prompt. |
| Capturing Domain Administrator Rights Account | MS14-068 Exploit | Elevates a domain user's privileges to domain administrator. |
| Capturing Domain Administrator Rights Account | Golden Ticket (Mimikatz) | Forges a Kerberos ticket-granting ticket (TGT) with the krbtgt account hash and uses it to connect to remote hosts. |
| Capturing Domain Administrator Rights Account | Silver Ticket (Mimikatz) | Forges a Kerberos service ticket for a specific service with that service account's hash and uses it to connect to the host. |
| Information Collection | ntdsutil | Maintains Active Directory databases; can also be used to make a copy of NTDS.DIT. |
| Information Collection | vssadmin | Creates a Volume Shadow Copy from which NTDS.DIT, registry hives and other locked system files can be extracted. |
| Information Collection | csvde | Exports Active Directory account information in CSV format. |
| Information Collection | ldifde | Exports Active Directory account information in LDIF format. |
| Information Collection | dsquery | Queries Active Directory for users, groups and other objects. |
| Information Collection | dcdiag | Analyses and reports the status of a Domain Controller. |
| Information Collection | nltest | Identifies the Domain Controller in use and its IP address. |
| Information Collection | nmap | Used for network reconnaissance (host and port scanning). |
| Adding or Deleting Local User and Group | net user | Adds or deletes a user account on a host or in the domain. |
| File Sharing | net use | Connects to shared folders exposed on the network. |
| Deleting Evidence | sdelete | Deletes a file after overwriting it several times. |
| Deleting Evidence | timestomp | Changes file timestamps. |
| Deleting Evidence | klist purge | Deletes cached Kerberos tickets. |
| Deleting Evidence | wevtutil | Clears Windows event logs. |
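The table names the tools but says nothing about how to recognise them in telemetry. The Python below is an added example, not part of the original page: it turns the table's categories into a small indicator set (process image names plus command-line patterns, so that a renamed Mimikatz binary is still caught by its module names, and noisy built-ins such as `vssadmin`, `net user` and `wevtutil` are only flagged with the arguments the table describes) and runs it over a handful of constructed records shaped like Windows Security event 4688 (process creation) and 1102 (audit log cleared). The indicator patterns and the sample events are assumptions for illustration, not an exhaustive signature set.

```python
import re
from typing import Dict, List, Tuple

# Indicator patterns per table category (assumptions drawn from the tool names and
# their well-known command syntax). "image" is matched against the process basename;
# "cmdline" regexes run over the lower-cased command line, so a tool that has been
# renamed or loaded into a generic host still surfaces through its arguments.
INDICATORS: Dict[str, Dict[str, object]] = {
    "Command Execution": {
        "image": {"psexec.exe", "psexesvc.exe", "wmic.exe", "schtasks.exe",
                  "winrs.exe", "bitsadmin.exe"},
        "cmdline": [r"wmiexec\.vbs"],
    },
    "Password and Hash Dump": {
        "image": {"mimikatz.exe", "pwdump7.exe", "pwdumpx.exe", "quarkspwdump.exe",
                  "wce.exe", "gsecdump.exe", "lslsass.exe", "webbrowserpassview.exe"},
        "cmdline": [r"lsadump::sam", r"sekurlsa::logonpasswords", r"sekurlsa::tickets",
                    r"invoke-mimikatz", r"get-gpppassword", r"out-minidump",
                    r"find-gpopasswords"],
    },
    "Pass-the-hash, Pass-the-ticket": {
        "image": set(),
        "cmdline": [r"sekurlsa::pth", r"kerberos::ptt"],
    },
    "Capturing Domain Administrator Rights Account": {
        "image": set(),
        "cmdline": [r"kerberos::golden"],
    },
    "Information Collection": {
        "image": {"ntdsutil.exe", "csvde.exe", "ldifde.exe", "dsquery.exe",
                  "dcdiag.exe", "nltest.exe", "nmap.exe"},
        # vssadmin is legitimate admin tooling; only the shadow-copy creation the
        # table describes is flagged.
        "cmdline": [r"vssadmin(\.exe)?\s+create\s+shadow"],
    },
    "Adding or Deleting Local User and Group": {
        "image": set(),
        "cmdline": [r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b",
                    r"\bnet1?(\.exe)?\s+user\s+\S+\s+/del(ete)?\b"],
    },
    "Deleting Evidence": {
        "image": {"sdelete.exe", "sdelete64.exe", "timestomp.exe"},
        "cmdline": [r"wevtutil(\.exe)?\s+cl\b", r"klist(\.exe)?\s+purge"],
    },
}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(record: dict) -> List[Tuple[str, str]]:
    """Return (category, indicator) pairs matched by one event record."""
    # Event 1102 is written when the Security log is cleared (what 'wevtutil cl
    # Security' produces) and is recorded even where 4688 auditing is off.
    if record.get("EventID") == 1102:
        return [("Deleting Evidence", "Security log cleared (1102)")]
    image = _basename(record.get("NewProcessName", ""))
    cmdline = record.get("CommandLine", "").lower()
    hits: List[Tuple[str, str]] = []
    for category, ind in INDICATORS.items():
        if image in ind["image"]:
            hits.append((category, image))
        for pattern in ind["cmdline"]:
            if re.search(pattern, cmdline):
                hits.append((category, pattern))
    return hits


def scan(records: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Flatten hits across records as (Computer, SubjectUserName, category, indicator)."""
    return [(r.get("Computer", "?"), r.get("SubjectUserName", "?"), cat, ind)
            for r in records for cat, ind in classify(r)]


# Constructed sample events; field names follow the 4688/1102 event schemas.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    # Mimikatz renamed to svchost.exe and dropped in a user temp directory.
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "CommandLine": 'svchost.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 1102, "Computer": "DC01", "SubjectUserName": "svc_backup"},
]

if __name__ == "__main__":
    for computer, user, category, indicator in scan(SAMPLE_EVENTS):
        print(f"{computer:6} {user:12} {category:45} {indicator}")
```

Image-name matching alone misses renamed binaries (the second sample event), which is why the Mimikatz module names are carried as command-line patterns; conversely, command-line auditing must be enabled for 4688 to carry `CommandLine` at all, and the 1102 branch exists because an attacker who clears the log removes the 4688 record of doing so.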