You are here: local admin / SYSTEM on a host (or admin on a member server), and you need domain dominance.
Local admin is a credential factory. Dump everything the host knows, then reuse it — the path to DA is usually a credential or a delegation right you just unlocked, not a new exploit.
▶️ Next moves (in order)
- Dump local secrets. SAM + LSA, LSASS memory, and DPAPI / Credential Manager. → Windows_Credential_Dump_SAM · Windows_Credential_Dump_LSASS · Windows_Credential_Manager
- Reuse the loot. Pass-the-Hash and ticket reuse laterally; spray recovered hashes across the estate. → Pass_the_Hash · Pass_the_Ticket_Windows · NetExec_PostExploitation
- Hunt privileged sessions / tokens. Logged-on Domain Admins, impersonable tokens. → Windows_PrivEsc_Token_Privileges
- Re-BloodHound recovered principals. Does any newly recovered account have DCSync rights or a DA path? → Stuck_In_AD · NetExec_BloodHound
- DCSync when a controlled principal has replication rights. → AD_DCSync
- On a DC / with DA-equivalent: dump the domain database. → Windows_Credential_Dump_NTDS
- Certificate / delegation finishers if direct credential reuse stalls. → Pass_the_Certificate · AD_Privileged_Access
⚠️ Common stalls
- Dumped SAM but not LSASS (domain creds live in LSASS/tickets).
- Recovered a hash but never reused it across other hosts.
- Didn’t re-run BloodHound on the recovered accounts.
- Forgot DPAPI / Credential Manager / browser-stored secrets.
- Reached a DA hash and kept exploiting instead of closing out and documenting.
⏱️ Stop condition
You’ve dumped SAM/LSA/LSASS/DPAPI, reused every hash and ticket across hosts, hunted privileged sessions, and re-BloodHounded the recovered principals. If there is still no DA path, the next credential lives on a different host: stop re-dumping this one. Spray the loot outward, take the next host, repeat. The hard stop: once you hold a Domain Admin / Administrator hash, stop escalating and switch to closing out + Reporting_SysReptor. Work past the objective is wasted time and added risk, not extra points.
🔀 Route on
- Recovered the Administrator/DA hash → finish (DCSync / verify access), then document → Reporting_SysReptor
- Need to reach an unreachable subnet first → Need_To_Pivot
- Back to the hub → Decision_Trees · Engagement_Cockpit