Why is it necessary to extract hashes from the SAM database during a penetration test, even after using sekurlsa::logonpasswords?

While `sekurlsa::logonpasswords` retrieves credentials of currently logged-in users by reading lsass process memory, it does not cover all local accounts. To comprehensively obtain password hashes for every local user, you must extract data from the SAM database. This is covered in detail in Penetration Techniques - Obtaining Local User Hashes via SAM Database. Both online and offline methods can be used to dump these hashes.