A short but sweet blog post today. If you ever find yourself with local admin credentials on a server that manages VMs, such as vCenter or ESXi, think blue team. Years ago someone from work spoke about how they were able to get credentials from a virtual image by using a snapshot or a paused VM. This recollection inspired me to try a new technique that utilizes my relatively new forensic skills in an interesting attack.
Instead of relying on extracting registry files, assuming that is what he did, you could instead use Volatility on the snapshot memory data to extract the password hashes from a target system. These hashes can then be used with any pass-the-hash technique to get a shell. I wish I could remember who used the technique and what exactly they did, but that was over 3 years ago and I am not as perfect at recollecting things as computers are. Also, I am by no means the first person to do this; I just happened to be inspired by my circumstances at the time to try something new. I figured this may be useful to other folks as well.
See, short and sweet.