1. Added “ghost” machine to the Active Directory (we’ll call it GHOSTY)
2. RBCD attack to be able to impersonate a domain admin using the CIFS/SMB service against the victim system where some higher-priv users were sitting
3. Use net.py to add myself to local admin on the victim host
4. Find a vulnerable service to hijack and have run an evil, TGT-gathering Rubeus.exe – found that Credential Guard was cramping my style!
5. Pulled the TGT from a host not protected with Credential Guard
6. Figured out the stolen user’s account has some “write” privileges to a domain controller
7. Use rbcd.py to delegate from GHOSTY and to the domain controller
8. Request a TGT for GHOSTY
9. Use getST.py to impersonate CIFS using a domain admin account on the domain controller (important thing here was to specify the DC by its FQDN, not just hostname)
10. Final move: use the domain admin ccache file to leverage net.py and add myself to the Active Directory Administrators group
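Added here for blue teams, not from the episode: a PowerShell audit that surfaces the two domain conditions the chain above depends on, a ms-DS-MachineAccountQuota that lets an ordinary user add a machine like GHOSTY, and msDS-AllowedToActOnBehalfOfOtherIdentity populated on a computer object (critical when that object is a domain controller). The function name and the 30-day lookback are my assumptions; it needs the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Defensive audit (added example, not the podcast's own tooling).
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-RbcdExposureReport {
    param(
        [int]$RecentDays = 30   # assumption: lookback window for newly created machine accounts
    )
    $domain = Get-ADDomain
    $root   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    $quota  = $root.'ms-DS-MachineAccountQuota'

    # 1. A quota above 0 lets any authenticated user join computer accounts (the "ghost" machine).
    [pscustomobject]@{
        Check   = 'ms-DS-MachineAccountQuota'
        Subject = $domain.DNSRoot
        Detail  = $quota
        Finding = $(if ($quota -gt 0) { 'Non-admins can create computer accounts' } else { 'OK' })
    }

    # 2. Computers created by a non-admin carry mS-DS-CreatorSID; recent ones deserve a look.
    $since = (Get-Date).AddDays(-$RecentDays)
    Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
        Where-Object { $_.whenCreated -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Check   = 'User-created computer'
                Subject = $_.Name
                Detail  = "Creator SID $($_.'mS-DS-CreatorSID'), created $($_.whenCreated)"
                Finding = 'Review: possible rogue machine account'
            }
        }

    # 3. RBCD is in effect wherever msDS-AllowedToActOnBehalfOfOtherIdentity is populated.
    #    PrincipalsAllowedToDelegateToAccount is the friendly view of that descriptor.
    $dcNames = (Get-ADDomainController -Filter *).Name
    Get-ADComputer -Filter 'msDS-AllowedToActOnBehalfOfOtherIdentity -like "*"' `
                   -Properties PrincipalsAllowedToDelegateToAccount |
        ForEach-Object {
            [pscustomobject]@{
                Check   = 'RBCD configured'
                Subject = $_.Name
                Detail  = ($_.PrincipalsAllowedToDelegateToAccount -join ', ')
                Finding = $(if ($dcNames -contains $_.Name) { 'CRITICAL: delegation onto a domain controller' } else { 'Review' })
            }
        }
}

Get-RbcdExposureReport | Format-Table -AutoSize
```

Pair this with SACL auditing on computer objects so writes to msDS-AllowedToActOnBehalfOfOtherIdentity (event 5136) and computer creation (event 4741) are logged, since the audit above only shows the state at the moment it runs.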
About the Podcast
7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.