Hunting for Credentials Dumping in Windows Environment
Almost every targeted attack includes credential dumping. After the initial penetration into the target corporate network, attackers will almost certainly try to obtain the credentials of privileged users, who have rights on many hosts in the corporate network. Here they have many different options: using mimikatz, pwdump, wce and other utilities; dumping the memory of the lsass process; abusing the Volume Shadow Copy service; copying files that contain credentials through raw access to the disk; and so on. The speaker will explore all known ways to gain access to credentials in a Windows infrastructure and show how each of them can be identified using the extended auditing features of the publicly available Sysmon.
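As an added example (not part of the talk abstract), the following Python triage flags Sysmon Event ID 10 (ProcessAccess) records in which a process opens lsass.exe with memory-read rights, which is the kind of Sysmon telemetry the abstract refers to for spotting lsass memory dumps. The event records and the allowlist of benign callers are constructed assumptions and would need tuning for a real estate.

```python
# Triage of Sysmon Event ID 10 (ProcessAccess) records for reads of lsass.exe
# memory by processes that have no legitimate reason to do so.
# Field names (SourceImage, TargetImage, GrantedAccess) follow Sysmon's
# ProcessAccess event; the records below are constructed sample data.

# Access-mask bits that let a caller read another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
MEMORY_READ_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Assumed allowlist of system binaries that routinely open lsass (tune per estate).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def is_lsass_dump_candidate(event: dict) -> bool:
    """True when a ProcessAccess event shows a non-allowlisted process
    opening lsass.exe with rights sufficient to read its memory."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    # Sysmon logs GrantedAccess as a hex string such as "0x1010".
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & MEMORY_READ_MASK:
        return False
    return event.get("SourceImage", "").lower() not in ALLOWLIST


# Constructed sample events: one benign query, one suspicious read from a
# temp-folder binary, one allowlisted caller, one unrelated event.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]


def triage(events):
    """Return the SourceImage of every event flagged as a dump candidate."""
    return [e["SourceImage"] for e in events if is_lsass_dump_candidate(e)]


if __name__ == "__main__":
    for src in triage(SAMPLE_EVENTS):
        print("possible lsass memory read by", src)
```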