Credential Access

T1110.003 - Brute Force: Password Spraying

Variation 1

This module uses the LogonUser Win32 API to test a single password across random users obtained via LDAP.

Variation 2

This module uses the WNetAddConnection2 Win32 API to test a single password across random users and random hosts obtained via LDAP.
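A defender-side check for the pattern both variations produce (one source failing against many distinct accounts in a short time), added here as an example and not part of the module or its project. It assumes failed logons are audited as Security event 4625 and already parsed into dicts; the `find_sprays` helper, the dict layout, the thresholds and the sample events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed threshold, tune per environment
MIN_USERS = 5                  # assumed threshold: distinct accounts per source

def _source(ev):
    # Local LogonUser failures carry no remote address; fall back to the logging host.
    ip = ev.get("IpAddress", "-")
    return ev["Computer"] if ip in ("-", "", "127.0.0.1", "::1") else ip

def find_sprays(events, window=WINDOW, min_users=MIN_USERS):
    """Return {source: sorted usernames} for sources whose 4625 failures hit
    at least min_users distinct accounts inside any sliding window."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625:
            ts = datetime.fromisoformat(ev["TimeCreated"])
            by_source[_source(ev)].append((ts, ev["TargetUserName"].lower()))
    hits = {}
    for src, rows in by_source.items():
        rows.sort()
        start, counts = 0, defaultdict(int)
        for ts, user in rows:
            counts[user] += 1
            while ts - rows[start][0] > window:  # evict events older than the window
                old = rows[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_users:
                hits[src] = sorted(set(hits.get(src, [])) | set(counts))
    return hits

def _ev(t, computer, ip, user, eid=4625):
    return {"EventID": eid, "TimeCreated": t, "Computer": computer,
            "IpAddress": ip, "TargetUserName": user}

# Constructed sample: a spray from WKS01, one user mistyping a password,
# and five accounts failing from one address but spread over 40 minutes.
SAMPLE = (
    [_ev(f"2024-01-01T09:00:{i*5:02d}", "WKS01", "-", f"user{i}") for i in range(6)]
    + [_ev(f"2024-01-01T09:10:{i*5:02d}", "SRV02", "10.0.0.20", "alice") for i in range(6)]
    + [_ev(f"2024-01-01T09:{i*10:02d}:00", "SRV02", "10.0.0.50", f"svc{i}") for i in range(5)]
)

if __name__ == "__main__":
    print(find_sprays(SAMPLE))
```

Counting distinct accounts rather than total failures is what separates a spray from a single user retrying a bad password.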

T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting

This module uses the .NET KerberosRequestorSecurityToken class to obtain Kerberos service tickets.

T1003.001 - OS Credential Dumping: LSASS Memory

This module uses the .NET GetProcessesByName method to locate the lsass.exe process and the MiniDumpWriteDump Win32 API function to create a memory dump of it.