Password Spray Campaign

Enumerating the domain password policy is a concrete discovery technique that directly informs credential attack decisions. This lesson explains how to retrieve the policy, what each setting means for attack planning, what the attacker gains from this information, and how to explain the findings in interviews, reports, and stakeholder conversations.

Password spraying is a credential access technique that tests a small number of commonly used passwords against many accounts simultaneously, staying under the lockout threshold. This lesson explains why the technique works, how the domain password policy shapes attacker decisions, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.

Extracting credentials from LSASS targets the Local Security Authority Subsystem Service process to recover authentication material — NT hashes, Kerberos tickets, and plaintext credentials — from memory on a compromised host. This lesson explains what LSASS holds, why extracting from it is impactful, what preconditions matter, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.

Pass the Hash is a lateral movement technique that uses a stolen NTLM password hash to authenticate as a user without knowing the plaintext password. This lesson explains why the attack works, what material is needed, where it fits in post-compromise movement, and how to explain the significance of NTLM hash reuse clearly in interviews, reports, and stakeholder conversations.

Lateral movement via WinRM uses the Windows Remote Management service to execute commands and access systems remotely with valid credentials. This lesson explains what WinRM provides operationally, what preconditions matter, what the attacker gains, where it fits in post-credential lateral movement, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.

DCSync uses Active Directory's built-in replication protocol to request password data for any account in the domain — without accessing a domain controller's file system, memory, or running processes. This lesson explains why the technique works, what permissions enable it, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.