Mitigations against Mimikatz Style Attacks, (Tue, Feb 5th)

If you are like me, at some point in most penetration tests you’ll have a session on a Windows host, and you’ll have an opportunity to dump Windows credentials from that host, usually using Mimikatz. Mimikatz parses credentials (either clear-text or hashes) out of the LSASS process, or at least that’s where it started - since its original version back in the day, it has expanded to cover several different attack vectors. An attacker can then use these credentials to “pivot” to attack other resources in the network - this is commonly called “lateral movement”, though in many cases you’re actually walking “up the tree” to ever-more-valuable targets in the infrastructure.
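Because the paragraph above describes credentials being parsed out of LSASS memory, a defender's first question is usually whether the host already has the built-in Windows controls that limit what such a dump can recover. The script below is an added example, not code from the ISC diary or its author: it audits three well-known settings (LSA Protection via RunAsPPL, WDigest clear-text caching, and Credential Guard) and reports which ones are in place. It assumes it is run in an elevated PowerShell session on the host being checked; the function names are my own.

```powershell
# Added example (not from the ISC diary): audit three Windows settings that
# reduce what an LSASS credential dump can recover.
# Assumption: run elevated on the host being audited.

function Get-AuditRegistryValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # value absent or key missing: treat as "not configured"
    }
}

function Test-LsassMitigations {
    $results = @()

    # 1. LSA Protection (RunAsPPL = 1): LSASS runs as a protected process, so
    #    unsigned code cannot open it with the access rights needed to read
    #    credential material. Takes effect after a reboot.
    $ppl = Get-AuditRegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    $results += [pscustomobject]@{
        Control = 'LSA Protection (RunAsPPL)'
        Value   = $ppl
        Ok      = ($ppl -eq 1)
        Fix     = 'Set RunAsPPL = 1 (DWORD) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, then reboot'
    }

    # 2. WDigest: UseLogonCredential = 1 keeps clear-text passwords in LSASS
    #    memory. On Windows 8.1 / Server 2012 R2 and later an absent value
    #    means caching is already off; older builds need KB2871997 first.
    $wd = Get-AuditRegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $results += [pscustomobject]@{
        Control = 'WDigest clear-text caching'
        Value   = $wd
        Ok      = ($wd -ne 1)
        Fix     = 'Set UseLogonCredential = 0 (DWORD) under ...\SecurityProviders\WDigest'
    }

    # 3. Credential Guard: secrets live in a VBS-isolated process, so LSASS
    #    itself holds no reusable NTLM hashes or Kerberos keys.
    #    SecurityServicesRunning contains 1 when Credential Guard is running.
    $cgRunning = $false
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
        $cgRunning = [bool]($dg.SecurityServicesRunning -contains 1)
    } catch {
        # Class missing on older builds: Credential Guard is not available there.
    }
    $results += [pscustomobject]@{
        Control = 'Credential Guard'
        Value   = $cgRunning
        Ok      = $cgRunning
        Fix     = 'Enable via Group Policy or MDM (requires VBS-capable hardware and UEFI)'
    }

    $results
}

Test-LsassMitigations | Format-Table Control, Value, Ok, Fix -AutoSize
```

The script only reads state; the Fix column tells the operator what to change, and both registry changes belong in Group Policy rather than being set by hand on one host. Note that RunAsPPL stops the common LSASS dump path but not an attacker who can load a signed driver, so it complements Credential Guard rather than replacing it.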

Article Link: https://isc.sans.edu/diary/rss/24612