42 found logs that suggest the threat actors used PwDump and the built-in comsvcs.dll to create a mini dump of the lsass.exe process for credential theft; however, when the actor wished to steal credentials from a domain controller, they installed their custom tool that we track as KdcSponge. ...