Unattended Install Files (Cleartext Passwords)

  1. C:\unattend.xml

  2. C:\Windows\Panther\Unattend.xml

  3. C:\Windows\Panther\Unattend\Unattend.xml

  4. C:\windows\system32\sysprep.inf

  5. C:\Windows\System32\sysprep\sysprep.xml

  • These files often store the local administrator password or domain-join credentials, either in cleartext or base64-encoded.

Log Files and System Files

  1. %SYSTEMDRIVE%\pagefile.sys - Potentially contains sensitive data paged out of memory

  2. %WINDIR%\debug\NetSetup.log - May contain domain-join credentials

  3. %WINDIR%\iis6.log - Can expose web application credentials or session information

Registry Hives (Direct Hash Extraction)

  1. %WINDIR%\repair\sam - Local user hashes

  2. %WINDIR%\repair\system - May store the LSA secret keys

  3. %WINDIR%\repair\software - Can store service credentials

  4. %WINDIR%\repair\security - Might hold DPAPI keys or other security information

Event Logs and Config Files

  1. %WINDIR%\system32\config\AppEvent.Evt

  2. %WINDIR%\system32\config\SecEvent.Evt

  3. %WINDIR%\system32\config\default.sav

  4. %WINDIR%\system32\config\security.sav

  5. %WINDIR%\system32\config\software.sav

  6. %WINDIR%\system32\config\system.sav

  • Event logs might capture failed logins or successful authentication attempts.

Example with PowerShell

# Filter on the server side instead of piping every Security event through Where-Object
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }
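The 4624 query above shows successful logons; the detection a defender usually wants from the same log is the failed-logon side. The following is an added example, not code from the original page: it pulls event 4625 (failed logon) from the last 24 hours, parses the account, source address, logon type and status out of each event's XML, and groups by account and source so that password spraying or brute forcing stands out. The 24-hour window and the threshold of 10 are assumptions to tune per host.

```powershell
# Added example (not part of the original page): summarise failed logons (4625)
# by target account and source address and flag anything above a threshold.
$since     = (Get-Date).AddHours(-24)   # assumed window
$threshold = 10                          # assumed threshold; tune per host

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Each 4625 carries its fields as <Data Name="..."> elements in EventData
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source    = $d['IpAddress']      # '-' for local/console attempts
        LogonType = $d['LogonType']      # 2 interactive, 3 network, 10 RDP, ...
        SubStatus = $d['SubStatus']      # 0xC000006A bad password, 0xC0000064 no such user, 0xC0000234 locked out
    }
}

$suspect = $rows |
    Group-Object Account, Source |
    Where-Object Count -ge $threshold |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account';    e = { $_.Group[0].Account } },
        @{ n = 'Source';     e = { $_.Group[0].Source } },
        @{ n = 'LogonTypes'; e = { ($_.Group.LogonType | Sort-Object -Unique) -join ',' } },
        @{ n = 'SubStatus';  e = { ($_.Group.SubStatus | Sort-Object -Unique) -join ',' } },
        @{ n = 'First';      e = { ($_.Group.Time | Measure-Object -Minimum).Minimum } },
        @{ n = 'Last';       e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }

$suspect | Format-Table -AutoSize
```

Many failures from one source against many different accounts with SubStatus 0xC000006A is the spraying pattern; many failures against one account followed by a 4624 from the same source is the one worth correlating with the successful-logon query above.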

Remote Management Credentials

  1. %WINDIR%\system32\CCM\logs\*.log - May contain SCCM deployment credentials

  2. %USERPROFILE%\ntuser.dat - Holds the registry settings for the user (most common)

  3. %USERPROFILE%\LocalS1\ContentIES\index.dat - Stores browser history and saved credentials

Extract NTUSER.DAT settings (the hive can only be loaded while that user is logged off, and it must be unloaded again when finished):

reg load HKU\TempUser C:\Users\<username>\ntuser.dat
reg query HKU\TempUser
reg unload HKU\TempUser

VNC Config Files (Saved Passwords)

  1. dir c:\*vnc.ini /s /b

  2. dir c:\*ultravnc.ini /s /b
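Every location on this page (the unattend and sysprep answer files, the NetSetup and IIS logs, the repair hive backups, the SCCM client logs and the VNC ini files) is a hardening finding when it survives on a production host. The script below is an added example, not code from the original page: run elevated, it checks each listed path, reports whether a low-privilege principal (Everyone, Users, Authenticated Users, INTERACTIVE) can read the file, and for answer files reports whether password elements are present, without ever printing a file's contents. The set of "broad" principals and the suggested actions are assumptions.

```powershell
# Added audit example (not part of the original page). Run elevated. It checks the
# locations listed on this page and reports exposure; it never prints file contents.
#Requires -RunAsAdministrator

$win      = $env:WINDIR
$sysDrive = $env:SYSTEMDRIVE

# Fixed paths taken from the lists on this page
$fixedPaths = @(
    "$sysDrive\unattend.xml",
    "$win\Panther\Unattend.xml",
    "$win\Panther\Unattend\Unattend.xml",
    "$win\system32\sysprep.inf",
    "$win\System32\sysprep\sysprep.xml",
    "$win\debug\NetSetup.log",
    "$win\iis6.log",
    "$win\repair\sam", "$win\repair\system", "$win\repair\software", "$win\repair\security"
)

# Wildcard searches from this page (SCCM client logs, VNC ini files)
$searches = @(
    @{ Path = "$win\system32\CCM\logs"; Filter = '*.log' },
    @{ Path = "$sysDrive\";             Filter = '*vnc.ini' }
)

# Assumed set of principals whose Allow-read ACE means "readable by any local user"
$broadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-BroadReader {
    # Returns the first broad principal with read access to $Path, or $null.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        # Bit 1 is ReadData; generic rights live in the top bits (GENERIC_READ makes the value negative,
        # GENERIC_ALL is 0x10000000), so treat those as readable too.
        if ($rights -lt 0 -or ($rights -band 0x10000000) -ne 0 -or ($rights -band 1) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

function Get-UnattendDetail {
    # Reports whether an answer file carries password elements, without reading their values.
    param([string]$Path)
    try { [xml]$x = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop } catch { return 'not parseable as XML' }
    $pw = $x.SelectNodes('//*[local-name()="Password" or local-name()="AdministratorPassword"]')
    if ($pw.Count -eq 0) { return 'no password elements' }
    $plain = @($x.SelectNodes('//*[local-name()="PlainText"]') | Where-Object { $_.InnerText -eq 'true' })
    if ($plain.Count -gt 0) { return "$($pw.Count) password element(s), PlainText=true" }
    return "$($pw.Count) password element(s)"
}

$found = @()
foreach ($p in $fixedPaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) { $found += Get-Item -LiteralPath $p -Force }
}
foreach ($s in $searches) {
    if (Test-Path -LiteralPath $s.Path) {
        $found += Get-ChildItem -LiteralPath $s.Path -Filter $s.Filter -Recurse -File -Force -ErrorAction SilentlyContinue
    }
}

$report = foreach ($f in $found) {
    $reader     = Get-BroadReader -Path $f.FullName
    $readableBy = if ($reader) { $reader } else { 'admins/SYSTEM only' }
    $detail     = if ($f.Extension -eq '.xml') { Get-UnattendDetail -Path $f.FullName } else { '' }
    $action     = if ($f.Name -match 'unattend|sysprep') { 'delete after deployment' }
                  elseif ($reader) { 'restrict ACL to admins' }
                  else { 'review' }
    [pscustomobject]@{
        Path       = $f.FullName
        LastWrite  = $f.LastWriteTime
        ReadableBy = $readableBy
        Detail     = $detail
        Action     = $action
    }
}

$report | Sort-Object Action | Format-Table -AutoSize
```

The recursive search of the system drive for `*vnc.ini` mirrors the `dir /s` commands above and is the slow part; scope `$searches` to known install directories when running this at scale. Answer files should simply not exist after deployment, which is why they get a delete action regardless of ACL.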
