How can an attacker extract all domain user hashes from a snapshot of a domain controller running on VMware ESXi?
After obtaining a snapshot that includes memory, use Volatility's `filescan` plugin to locate the `ntds.dit` file (the Active Directory database) and extract it with `dumpfiles`; also extract the SYSTEM and SECURITY registry hive files. Then run `secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit local` locally to dump the password hashes of every domain user, which allows the attacker to compromise the entire domain. Alternatively, Volatility's mimikatz plugin can extract credentials directly from the `lsass` process, but this requires downloading the full `.vmem` file. This domain-wide credential theft is a high-impact outcome of the lateral movement technique described in the original article.
Tags: domain controller, ntds.dit, secretsdump, mimikatz, Active Directory, domain hash dump, lateral movement