CINXE.COM
mimikatz – Active Directory Security
<!DOCTYPE html><!--[if IE 7]> <html class="ie ie7" lang="en-US" prefix="og: http://ogp.me/ns#"> <![endif]--> <!--[if IE 8]> <html class="ie ie8" lang="en-US" prefix="og: http://ogp.me/ns#"> <![endif]--> <!--[if !(IE 7) & !(IE 8)]><!--> <html lang="en-US" prefix="og: http://ogp.me/ns#"> <!--<![endif]--> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>mimikatz – Active Directory Security</title> <meta name='robots' content='max-image-preview:large' /> <link rel="alternate" type="application/rss+xml" title="Active Directory Security » Feed" href="https://adsecurity.org/?feed=rss2" /> <link rel="alternate" type="application/rss+xml" title="Active Directory Security » Comments Feed" href="https://adsecurity.org/?feed=comments-rss2" /> <link rel="alternate" type="application/rss+xml" title="Active Directory Security » mimikatz Tag Feed" href="https://adsecurity.org/?feed=rss2&tag=mimikatz" /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/adsecurity.org\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}}; /*! This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://adsecurity.org/wp-includes/css/dist/block-library/style.min.css?ver=6.5.5' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 14px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 20px;--wp--preset--font-size--x-large: 42px;--wp--preset--font-size--tiny: 10px;--wp--preset--font-size--regular: 16px;--wp--preset--font-size--larger: 26px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: center;}body .is-layout-flex > *{margin: 0;}body .is-layout-grid{display: grid;}body .is-layout-grid > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} .wp-block-navigation a:where(:not(.wp-element-button)){color: inherit;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} .wp-block-pullquote{font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='bootstrap-css' href='https://adsecurity.org/wp-content/themes/graphene/bootstrap/css/bootstrap.min.css?ver=6.5.5' type='text/css' media='all' /> <link rel='stylesheet' id='font-awesome-css' href='https://adsecurity.org/wp-content/themes/graphene/fonts/font-awesome/css/font-awesome.min.css?ver=6.5.5' type='text/css' media='all' /> <link rel='stylesheet' id='graphene-css' href='https://adsecurity.org/wp-content/themes/graphene/style.css?ver=2.8.4' type='text/css' media='screen' /> <link rel='stylesheet' id='graphene-responsive-css' href='https://adsecurity.org/wp-content/themes/graphene/responsive.css?ver=2.8.4' type='text/css' media='all' /> <link rel='stylesheet' id='graphene-blocks-css' href='https://adsecurity.org/wp-content/themes/graphene/blocks.css?ver=2.8.4' type='text/css' media='all' /> <style id='akismet-widget-style-inline-css' type='text/css'> .a-stats { --akismet-color-mid-green: #357b49; --akismet-color-white: #fff; --akismet-color-light-grey: #f6f7f7; max-width: 350px; width: auto; } .a-stats * { all: unset; box-sizing: border-box; } .a-stats strong { font-weight: 600; } .a-stats a.a-stats__link, .a-stats a.a-stats__link:visited, .a-stats a.a-stats__link:active { background: var(--akismet-color-mid-green); border: none; box-shadow: none; border-radius: 8px; color: var(--akismet-color-white); cursor: pointer; display: block; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen-Sans', 'Ubuntu', 'Cantarell', 'Helvetica Neue', sans-serif; font-weight: 500; padding: 12px; text-align: center; text-decoration: none; transition: all 0.2s ease; } /* Extra specificity to deal with TwentyTwentyOne focus style */ .widget .a-stats a.a-stats__link:focus { background: var(--akismet-color-mid-green); color: var(--akismet-color-white); text-decoration: none; } .a-stats a.a-stats__link:hover { filter: brightness(110%); box-shadow: 0 4px 12px rgba(0, 0, 0, 0.06), 0 0 2px rgba(0, 0, 0, 0.16); } .a-stats .count { color: var(--akismet-color-white); display: block; font-size: 1.5em; line-height: 1.4; padding: 0 13px; white-space: nowrap; } </style> <script type="text/javascript" src="https://adsecurity.org/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" src="https://adsecurity.org/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/bootstrap/js/bootstrap.min.js?ver=2.8.4" id="bootstrap-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/bootstrap-hover-dropdown/bootstrap-hover-dropdown.min.js?ver=2.8.4" id="bootstrap-hover-dropdown-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/bootstrap-submenu/bootstrap-submenu.min.js?ver=2.8.4" id="bootstrap-submenu-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/jquery.infinitescroll.min.js?ver=2.8.4" id="infinite-scroll-js"></script> <script type="text/javascript" id="graphene-js-extra"> /* <![CDATA[ */ var grapheneJS = {"siteurl":"https:\/\/adsecurity.org","ajaxurl":"https:\/\/adsecurity.org\/wp-admin\/admin-ajax.php","templateUrl":"https:\/\/adsecurity.org\/wp-content\/themes\/graphene","isSingular":"","enableStickyMenu":"","shouldShowComments":"","commentsOrder":"newest","sliderDisable":"","sliderInterval":"7000","infScrollBtnLbl":"Load more","infScrollOn":"","infScrollCommentsOn":"","totalPosts":"29","postsPerPage":"10","isPageNavi":"","infScrollMsgText":"Fetching window.grapheneInfScrollItemsPerPage of window.grapheneInfScrollItemsLeft items left ...","infScrollMsgTextPlural":"Fetching window.grapheneInfScrollItemsPerPage of window.grapheneInfScrollItemsLeft items left ...","infScrollFinishedText":"All loaded!","commentsPerPage":"50","totalComments":"0","infScrollCommentsMsg":"Fetching window.grapheneInfScrollCommentsPerPage of window.grapheneInfScrollCommentsLeft comments left ...","infScrollCommentsMsgPlural":"Fetching window.grapheneInfScrollCommentsPerPage of window.grapheneInfScrollCommentsLeft comments left ...","infScrollCommentsFinishedMsg":"All comments loaded!","disableLiveSearch":"1","txtNoResult":"No result found.","isMasonry":""}; /* ]]> */ </script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/graphene.js?ver=2.8.4" id="graphene-js"></script> <script type="text/javascript" id="wpstg-global-js-extra"> /* <![CDATA[ */ var wpstg = {"nonce":"9c0d1c8fec"}; /* ]]> */ </script> <script type="text/javascript" src="https://adsecurity.org/wp-content/plugins/wp-staging-pro/assets/js/dist/wpstg-blank-loader.min.js?ver=6.5.5" id="wpstg-global-js"></script> <link rel="https://api.w.org/" href="https://adsecurity.org/index.php?rest_route=/" /><link rel="alternate" type="application/json" href="https://adsecurity.org/index.php?rest_route=/wp/v2/tags/207" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://adsecurity.org/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.5.5" /> <script> WebFontConfig = { google: { families: ["Lato:400,400i,700,700i&display=swap"] } }; (function(d) { var wf = d.createElement('script'), s = d.scripts[0]; wf.src = 'https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js'; wf.async = true; s.parentNode.insertBefore(wf, s); })(document); </script> <style type="text/css"> .header_title, .header_title a, .header_title a:visited, .header_title a:hover, .header_desc {color:#000000}.carousel, .carousel .item{height:400px}@media (max-width: 991px) {.carousel, .carousel .item{height:250px}}#header{max-height:198px}@media (min-width: 1200px) {.container {width:1280px}} </style> <style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style> </head> <body class="archive tag tag-mimikatz tag-207 custom-background wp-embed-responsive layout-boxed two_col_left two-columns"> <div class="container boxed-wrapper"> <div id="top-bar" class="row clearfix top-bar "> <div class="col-md-12 top-bar-items"> <ul class="social-profiles"> <li class="social-profile social-profile-rss"> <a href="https://adsecurity.org/?feed=rss2" title="Subscribe to Tech, News, and Other Ideations's RSS feed" id="social-id-1" class="mysocial social-rss"> <i class="fa fa-rss"></i> </a> </li> </ul> <button type="button" class="search-toggle navbar-toggle collapsed" data-toggle="collapse" data-target="#top_search"> <span class="sr-only">Toggle search form</span> <i class="fa fa-search-plus"></i> </button> <div id="top_search" class="top-search-form"> <form class="searchform" method="get" action="https://adsecurity.org"> <div class="input-group"> <div class="form-group live-search-input"> <label for="s" class="screen-reader-text">Search for:</label> <input type="text" id="s" name="s" class="form-control" placeholder="Search"> </div> <span class="input-group-btn"> <button class="btn btn-default" type="submit"><i class="fa fa-search"></i></button> </span> </div> </form> </div> </div> </div> <div id="header" class="row"> <img src="https://adsecurity.org/wp-content/themes/graphene/images/headers/fluid.jpg" alt="Active Directory Security" title="Active Directory Security" width="960" height="198" /> </div> <nav class="navbar row navbar-inverse"> <div class="navbar-header align-center"> <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#header-menu-wrap, #secondary-menu-wrap"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <p class="header_title"> <a href="https://adsecurity.org" title="Go back to the front page"> Active Directory Security </a> </p> <p class="header_desc">Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…</p> </div> <div class="collapse navbar-collapse" id="header-menu-wrap"> <ul class="nav navbar-nav flip"><li ><a href="https://adsecurity.org/">Home</a></li><li class="menu-item menu-item-8"><a href="https://adsecurity.org/?page_id=8" >About</a></li><li class="menu-item menu-item-41"><a href="https://adsecurity.org/?page_id=41" >AD Resources</a></li><li class="menu-item menu-item-4031"><a href="https://adsecurity.org/?page_id=4031" >Attack Defense & Detection</a></li><li class="menu-item menu-item-293"><a href="https://adsecurity.org/?page_id=293" >Contact</a></li><li class="menu-item menu-item-1821"><a href="https://adsecurity.org/?page_id=1821" >Mimikatz</a></li><li class="menu-item menu-item-1352"><a href="https://adsecurity.org/?page_id=1352" >Presentations</a></li><li class="menu-item menu-item-195"><a href="https://adsecurity.org/?page_id=195" >Schema Versions</a></li><li class="menu-item menu-item-399"><a href="https://adsecurity.org/?page_id=399" >Security Resources</a></li><li class="menu-item menu-item-183"><a href="https://adsecurity.org/?page_id=183" >SPNs</a></li><li class="menu-item menu-item-2532"><a href="https://adsecurity.org/?page_id=2532" >Top Posts</a></li></ul> </div> </nav> <div id="content" class="clearfix hfeed row"> <div id="content-main" class="clearfix content-main col-md-8"> <h1 class="page-title archive-title"> Tag: <span>mimikatz</span> </h1> <div class="entries-wrapper"> <div id="post-4367" class="clearfix post post-4367 type-post status-publish format-standard hentry category-activedirectorysecurity category-hacking category-microsoft-security tag-clear-text-password tag-computer-account tag-convertto-nthash tag-dsinternals tag-get-adreplaccount tag-get-adserviceaccount tag-gmsa tag-gmsa-password tag-gmsa-password-hash tag-gmsa-spn tag-group-managed-service-accounts tag-kerberos tag-kerberos-spn tag-lsass tag-mimikatz tag-msds-groupmanagedserviceaccount tag-msds-groupmsamembership tag-msds-managedpassword tag-msds-managedpasswordid tag-msds-managedpasswordinterval tag-msds-managepasswordinterval tag-principalsallowedtoretrivemanagedpassword tag-psexec tag-sekurlsaekeys tag-sekurlsalogonpasswords tag-service-principal-name tag-serviceprincipalnames tag-spn tag-system tag-_sa_ item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">May</span> <span class="day">29</span> <span class="year">2020</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4367" rel="bookmark" title="Permalink to Attacking Active Directory Group Managed Service Accounts (GMSAs)"> Attacking Active Directory Group Managed Service Accounts (GMSAs) </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-1039" href="https://adsecurity.org/?cat=1039">Hacking</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a></span></span> </li> </ul> <div class="entry-content clearfix"> <div class="excerpt-thumb"><a href="https://adsecurity.org/?p=4367"><img width="282" height="300" src="https://adsecurity.org/wp-content/uploads/2020/05/image-41-282x300.png" class="attachment-medium size-medium" alt="" decoding="async" fetchpriority="high" srcset="https://adsecurity.org/wp-content/uploads/2020/05/image-41-282x300.png 282w, https://adsecurity.org/wp-content/uploads/2020/05/image-41.png 732w" sizes="(max-width: 282px) 100vw, 282px" /></a></div> <p>In May 2020, I presented some Active Directory security topics in a Trimarc Webcast called “Securing Active Directory: Resolving Common Issues” and included some information I put together relating to the security of AD Group Managed Service Accounts (GMSA). This post includes the expanded version of attacking and defending GMSAs I covered in the webcast.I … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=4367">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1444" href="https://adsecurity.org/?tag=clear-text-password">clear-text password</a>, <a class="term term-tagpost_tag term-1446" href="https://adsecurity.org/?tag=computer-account">Computer Account</a>, <a class="term term-tagpost_tag term-1442" href="https://adsecurity.org/?tag=convertto-nthash">ConvertTo-NTHash</a>, <a class="term term-tagpost_tag term-602" href="https://adsecurity.org/?tag=dsinternals">DSInternals</a>, <a class="term term-tagpost_tag term-1448" href="https://adsecurity.org/?tag=get-adreplaccount">Get-ADReplAccount</a>, <a class="term term-tagpost_tag term-1432" href="https://adsecurity.org/?tag=get-adserviceaccount">Get-ADServiceAccount</a>, <a class="term term-tagpost_tag term-1430" href="https://adsecurity.org/?tag=gmsa">GMSA</a>, <a class="term term-tagpost_tag term-1431" href="https://adsecurity.org/?tag=gmsa-password">GMSA password</a>, <a class="term term-tagpost_tag term-1438" href="https://adsecurity.org/?tag=gmsa-password-hash">GMSA password hash</a>, <a class="term term-tagpost_tag term-1436" href="https://adsecurity.org/?tag=gmsa-spn">GMSA SPN</a>, <a class="term term-tagpost_tag term-1429" href="https://adsecurity.org/?tag=group-managed-service-accounts">Group Managed Service Accounts</a>, <a class="term term-tagpost_tag term-81" href="https://adsecurity.org/?tag=kerberos">Kerberos</a>, <a class="term term-tagpost_tag term-1435" href="https://adsecurity.org/?tag=kerberos-spn">Kerberos SPN</a>, <a class="term term-tagpost_tag term-71" href="https://adsecurity.org/?tag=lsass">LSASS</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-1449" href="https://adsecurity.org/?tag=msds-groupmanagedserviceaccount">msDS-GroupManagedServiceAccount</a>, <a class="term term-tagpost_tag term-1451" href="https://adsecurity.org/?tag=msds-groupmsamembership">msDS-GroupMSAMembership</a>, <a class="term term-tagpost_tag term-1443" href="https://adsecurity.org/?tag=msds-managedpassword">msds-ManagedPassword</a>, <a class="term term-tagpost_tag term-1452" href="https://adsecurity.org/?tag=msds-managedpasswordid">msDS-ManagedPasswordId</a>, <a class="term term-tagpost_tag term-1450" href="https://adsecurity.org/?tag=msds-managedpasswordinterval">msDS-ManagedPasswordInterval</a>, <a class="term term-tagpost_tag term-1440" href="https://adsecurity.org/?tag=msds-managepasswordinterval">msDS-ManagePasswordInterval</a>, <a class="term term-tagpost_tag term-1439" href="https://adsecurity.org/?tag=principalsallowedtoretrivemanagedpassword">PrincipalsAllowedToRetriveManagedPassword</a>, <a class="term term-tagpost_tag term-1447" href="https://adsecurity.org/?tag=psexec">PSEXEC</a>, <a class="term term-tagpost_tag term-1434" href="https://adsecurity.org/?tag=sekurlsaekeys">Sekurlsa::ekeys</a>, <a class="term term-tagpost_tag term-776" href="https://adsecurity.org/?tag=sekurlsalogonpasswords">sekurlsa::logonpasswords</a>, <a class="term term-tagpost_tag term-1137" href="https://adsecurity.org/?tag=service-principal-name">service principal name</a>, <a class="term term-tagpost_tag term-1441" href="https://adsecurity.org/?tag=serviceprincipalnames">ServicePrincipalNames</a>, <a class="term term-tagpost_tag term-294" href="https://adsecurity.org/?tag=spn">SPN</a>, <a class="term term-tagpost_tag term-1445" href="https://adsecurity.org/?tag=system">SYSTEM</a>, <a class="term term-tagpost_tag term-1433" href="https://adsecurity.org/?tag=_sa_">_SA_</a></span></li> </ul> </div> </div> <div id="post-3592" class="clearfix post post-3592 type-post status-publish format-standard hentry category-activedirectorysecurity category-hacking category-microsoft-security tag-allowed-rodc-password-replication-policy tag-dcsync tag-denied-rodc-password-replication-policy tag-directory-services-restore-mode-password tag-discovering-rodcs tag-domain-controller tag-dsrm tag-golden-ticket tag-hacking-rodcs tag-harden-read-only-domain-controllers tag-harden-rodcs tag-invoke-mimikatz tag-krbtgt tag-krbtgt_ tag-mimikatz tag-msds-authenticatedtoaccountlist tag-msds-keyversionnumber tag-msds-neverrevealgroup tag-msds-reveal-ondemandgroup tag-msds-revealedlist tag-read-only-domain-controller tag-readonly-domain-controller tag-rodc tag-rodc-active-directory tag-rodc-administration tag-rodc-administrators tag-rodc-backlink tag-rodc-golden-ticket tag-rodc-in-the-dmz tag-rodc-krbtgt tag-rodc-managedby-attribute tag-rodc-manager tag-rodc-password tag-rodc-password-replication-policy tag-rodc-replication tag-rodc-security tag-rodc-sysvol tag-silver-tickets item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Jan</span> <span class="day">01</span> <span class="year">2018</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=3592" rel="bookmark" title="Permalink to Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory"> Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-1039" href="https://adsecurity.org/?cat=1039">Hacking</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a></span></span> </li> </ul> <div class="entry-content clearfix"> <div class="excerpt-thumb"><a href="https://adsecurity.org/?p=3592"><img width="300" height="282" src="https://adsecurity.org/wp-content/uploads/2017/12/RODC-PasswordPolicy-PrepopulatePasswords-02-300x282.png" class="attachment-medium size-medium" alt="" decoding="async" srcset="https://adsecurity.org/wp-content/uploads/2017/12/RODC-PasswordPolicy-PrepopulatePasswords-02-300x282.png 300w, https://adsecurity.org/wp-content/uploads/2017/12/RODC-PasswordPolicy-PrepopulatePasswords-02-768x722.png 768w, https://adsecurity.org/wp-content/uploads/2017/12/RODC-PasswordPolicy-PrepopulatePasswords-02.png 846w" sizes="(max-width: 300px) 100vw, 300px" /></a></div> <p>I have been fascinated with Read-Only Domain Controllers (RODCs) since RODC was released as a new DC promotion option with Windows Server 2008. Microsoft customers wanted a DC that wasn’t really a DC. – something that could be deployed in a location that’s not physically secure and still be able to authenticate users. This post … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=3592">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1296" href="https://adsecurity.org/?tag=allowed-rodc-password-replication-policy">Allowed RODC Password Replication Policy</a>, <a class="term term-tagpost_tag term-598" href="https://adsecurity.org/?tag=dcsync">DCSync</a>, <a class="term term-tagpost_tag term-1297" href="https://adsecurity.org/?tag=denied-rodc-password-replication-policy">Denied RODC Password Replication Policy</a>, <a class="term term-tagpost_tag term-1285" href="https://adsecurity.org/?tag=directory-services-restore-mode-password">Directory Services Restore Mode password</a>, <a class="term term-tagpost_tag term-1302" href="https://adsecurity.org/?tag=discovering-rodcs">discovering RODCs</a>, <a class="term term-tagpost_tag term-79" href="https://adsecurity.org/?tag=domain-controller">Domain Controller</a>, <a class="term term-tagpost_tag term-590" href="https://adsecurity.org/?tag=dsrm">DSRM</a>, <a class="term term-tagpost_tag term-1286" href="https://adsecurity.org/?tag=golden-ticket">golden ticket</a>, <a class="term term-tagpost_tag term-1308" href="https://adsecurity.org/?tag=hacking-rodcs">Hacking RODCs</a>, <a class="term term-tagpost_tag term-1310" href="https://adsecurity.org/?tag=harden-read-only-domain-controllers">harden Read-Only Domain Controllers</a>, <a class="term term-tagpost_tag term-1311" href="https://adsecurity.org/?tag=harden-rodcs">harden RODCs</a>, <a class="term term-tagpost_tag term-336" href="https://adsecurity.org/?tag=invoke-mimikatz">Invoke-Mimikatz</a>, <a class="term term-tagpost_tag term-394" href="https://adsecurity.org/?tag=krbtgt">KRBTGT</a>, <a class="term term-tagpost_tag term-1298" href="https://adsecurity.org/?tag=krbtgt_">KRBTGT_######</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-1306" href="https://adsecurity.org/?tag=msds-authenticatedtoaccountlist">msDS-AuthenticatedToAccountList</a>, <a class="term term-tagpost_tag term-1301" href="https://adsecurity.org/?tag=msds-keyversionnumber">msDS-KeyVersionNumber</a>, <a class="term term-tagpost_tag term-1304" href="https://adsecurity.org/?tag=msds-neverrevealgroup">msDS-NeverRevealGroup</a>, <a class="term term-tagpost_tag term-1303" href="https://adsecurity.org/?tag=msds-reveal-ondemandgroup">msDS-Reveal-OnDemandGroup</a>, <a class="term term-tagpost_tag term-1305" href="https://adsecurity.org/?tag=msds-revealedlist">msDS-RevealedList</a>, <a class="term term-tagpost_tag term-106" href="https://adsecurity.org/?tag=read-only-domain-controller">Read-Only Domain Controller</a>, <a class="term term-tagpost_tag term-1157" href="https://adsecurity.org/?tag=readonly-domain-controller">ReadOnly Domain Controller</a>, <a class="term term-tagpost_tag term-104" href="https://adsecurity.org/?tag=rodc">RODC</a>, <a class="term term-tagpost_tag term-1292" href="https://adsecurity.org/?tag=rodc-active-directory">RODC Active Directory</a>, <a class="term term-tagpost_tag term-1294" href="https://adsecurity.org/?tag=rodc-administration">RODC Administration</a>, <a class="term term-tagpost_tag term-1289" href="https://adsecurity.org/?tag=rodc-administrators">RODC administrators</a>, <a class="term term-tagpost_tag term-1300" href="https://adsecurity.org/?tag=rodc-backlink">RODC backlink</a>, <a class="term term-tagpost_tag term-1287" href="https://adsecurity.org/?tag=rodc-golden-ticket">RODC golden ticket</a>, <a class="term term-tagpost_tag term-1309" href="https://adsecurity.org/?tag=rodc-in-the-dmz">RODC in the DMZ</a>, <a class="term term-tagpost_tag term-1299" href="https://adsecurity.org/?tag=rodc-krbtgt">RODC Krbtgt</a>, <a class="term term-tagpost_tag term-1290" href="https://adsecurity.org/?tag=rodc-managedby-attribute">RODC ManagedBy attribute</a>, <a class="term term-tagpost_tag term-1288" href="https://adsecurity.org/?tag=rodc-manager">RODC Manager</a>, <a class="term term-tagpost_tag term-1284" href="https://adsecurity.org/?tag=rodc-password">RODC password</a>, <a class="term term-tagpost_tag term-1295" href="https://adsecurity.org/?tag=rodc-password-replication-policy">RODC Password Replication Policy</a>, <a class="term term-tagpost_tag term-1293" href="https://adsecurity.org/?tag=rodc-replication">RODC replication</a>, <a class="term term-tagpost_tag term-1312" href="https://adsecurity.org/?tag=rodc-security">RODC security</a>, <a class="term term-tagpost_tag term-1291" href="https://adsecurity.org/?tag=rodc-sysvol">RODC SYSVOL</a>, <a class="term term-tagpost_tag term-1307" href="https://adsecurity.org/?tag=silver-tickets">Silver Tickets</a></span></li> <li class="comment-link col-sm-4"><i class="fa fa-comments"></i> <a href="https://adsecurity.org/?p=3592#comments">1 comments</a></li> </ul> </div> </div> <div id="post-3299" class="clearfix post post-3299 type-post status-publish format-standard hentry category-microsoft-security category-security-recommendation category-technical-reference tag-applocker tag-block-macros tag-block-macros-from-running-in-office-files-from-the-internet tag-cmd tag-control-local-administrator-account tag-control-macros tag-dhcp-option-43-hex-0104-0000-0002 tag-direct-hosting-of-smb-over-tcpip tag-disable-llmnr tag-disable-netbios tag-disable-netsession-enumeration tag-disable-powershell-version-2 tag-disable-smb-1 tag-disable-windows-scripting-host-wsh tag-disable-wpad tag-emet tag-group-policy tag-jscript tag-kb2871997 tag-kb3177451 tag-lanman-authentication tag-laps tag-llmnr tag-microsoft-office-macro-security tag-microsoft-office-macros tag-mimikatz tag-netcease tag-ntlm-session-security tag-office-2013-macro tag-office-2016-macro-security tag-office-ole tag-ole tag-packager-dll tag-port-445 tag-responder tag-rid-500 tag-secure-windows-workstation tag-server-message-block tag-smb tag-telemetry-dashboard tag-vba tag-vbscript tag-wdigest tag-windows-10-build-image tag-wpad tag-wscript item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Oct</span> <span class="day">21</span> <span class="year">2016</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=3299" rel="bookmark" title="Permalink to Securing Windows Workstations: Developing a Secure Baseline"> Securing Windows Workstations: Developing a Secure Baseline </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-1045" href="https://adsecurity.org/?cat=1045">Security Recommendation</a>, <a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <div class="excerpt-thumb"><a href="https://adsecurity.org/?p=3299"><img width="300" height="239" src="https://adsecurity.org/wp-content/uploads/2016/10/KevinB-OLE-In-Email-300x239.jpg" class="attachment-medium size-medium" alt="" decoding="async" srcset="https://adsecurity.org/wp-content/uploads/2016/10/KevinB-OLE-In-Email-300x239.jpg 300w, https://adsecurity.org/wp-content/uploads/2016/10/KevinB-OLE-In-Email-768x612.jpg 768w, https://adsecurity.org/wp-content/uploads/2016/10/KevinB-OLE-In-Email.jpg 800w" sizes="(max-width: 300px) 100vw, 300px" /></a></div> <p>Securing workstations against modern threats is challenging. It seems like every week there鈥檚 some new method attackers are using to compromise a system and user credentials. Post updated on March 8th, 2018 with recommended event IDs to audit. The best way to create a secure Windows workstation is to download the Microsoft Security Compliance Manager … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=3299">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-818" href="https://adsecurity.org/?tag=applocker">AppLocker</a>, <a class="term term-tagpost_tag term-1081" href="https://adsecurity.org/?tag=block-macros">block macros</a>, <a class="term term-tagpost_tag term-1077" href="https://adsecurity.org/?tag=block-macros-from-running-in-office-files-from-the-internet">Block macros from running in Office files from the Internet</a>, <a class="term term-tagpost_tag term-1067" href="https://adsecurity.org/?tag=cmd">cmd</a>, <a class="term term-tagpost_tag term-1060" href="https://adsecurity.org/?tag=control-local-administrator-account">Control Local Administrator Account</a>, <a class="term term-tagpost_tag term-1074" href="https://adsecurity.org/?tag=control-macros">Control Macros</a>, <a class="term term-tagpost_tag term-1057" href="https://adsecurity.org/?tag=dhcp-option-43-hex-0104-0000-0002">DHCP option 43 hex 0104.0000.0002</a>, <a class="term term-tagpost_tag term-1055" href="https://adsecurity.org/?tag=direct-hosting-of-smb-over-tcpip">Direct hosting of SMB over TCP/IP</a>, <a class="term term-tagpost_tag term-1052" href="https://adsecurity.org/?tag=disable-llmnr">Disable LLMNR</a>, <a class="term term-tagpost_tag term-1054" href="https://adsecurity.org/?tag=disable-netbios">Disable NetBIOS</a>, <a class="term term-tagpost_tag term-1050" href="https://adsecurity.org/?tag=disable-netsession-enumeration">Disable NetSession Enumeration</a>, <a class="term term-tagpost_tag term-1069" href="https://adsecurity.org/?tag=disable-powershell-version-2">Disable PowerShell version 2</a>, <a class="term term-tagpost_tag term-1070" href="https://adsecurity.org/?tag=disable-smb-1">Disable SMB 1</a>, <a class="term term-tagpost_tag term-1058" href="https://adsecurity.org/?tag=disable-windows-scripting-host-wsh">Disable Windows Scripting Host (WSH)</a>, <a class="term term-tagpost_tag term-1053" href="https://adsecurity.org/?tag=disable-wpad">Disable WPAD</a>, <a class="term term-tagpost_tag term-260" href="https://adsecurity.org/?tag=emet">EMET</a>, <a class="term term-tagpost_tag term-1059" href="https://adsecurity.org/?tag=group-policy">Group Policy</a>, <a class="term term-tagpost_tag term-1063" href="https://adsecurity.org/?tag=jscript">jscript</a>, <a class="term term-tagpost_tag term-305" href="https://adsecurity.org/?tag=kb2871997">KB2871997</a>, <a class="term term-tagpost_tag term-1079" href="https://adsecurity.org/?tag=kb3177451">KB3177451</a>, <a class="term term-tagpost_tag term-1072" href="https://adsecurity.org/?tag=lanman-authentication">Lanman Authentication</a>, <a class="term term-tagpost_tag term-631" href="https://adsecurity.org/?tag=laps">LAPS</a>, <a class="term term-tagpost_tag term-1046" href="https://adsecurity.org/?tag=llmnr">LLMNR</a>, <a class="term term-tagpost_tag term-1075" href="https://adsecurity.org/?tag=microsoft-office-macro-security">Microsoft Office Macro Security</a>, <a class="term term-tagpost_tag term-1048" href="https://adsecurity.org/?tag=microsoft-office-macros">Microsoft Office Macros</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-1051" href="https://adsecurity.org/?tag=netcease">NetCease</a>, <a class="term term-tagpost_tag term-1073" href="https://adsecurity.org/?tag=ntlm-session-security">NTLM session security</a>, <a class="term term-tagpost_tag term-1080" href="https://adsecurity.org/?tag=office-2013-macro">Office 2013 macro</a>, <a class="term term-tagpost_tag term-1078" href="https://adsecurity.org/?tag=office-2016-macro-security">Office 2016 macro security</a>, <a class="term term-tagpost_tag term-1082" href="https://adsecurity.org/?tag=office-ole">Office OLE</a>, <a class="term term-tagpost_tag term-1047" href="https://adsecurity.org/?tag=ole">OLE</a>, <a class="term term-tagpost_tag term-1083" href="https://adsecurity.org/?tag=packager-dll">packager.dll</a>, <a class="term term-tagpost_tag term-1056" href="https://adsecurity.org/?tag=port-445">port 445</a>, <a class="term term-tagpost_tag term-1032" href="https://adsecurity.org/?tag=responder">Responder</a>, <a class="term term-tagpost_tag term-1061" href="https://adsecurity.org/?tag=rid-500">RID 500</a>, <a class="term term-tagpost_tag term-1049" href="https://adsecurity.org/?tag=secure-windows-workstation">Secure Windows Workstation</a>, <a class="term term-tagpost_tag term-1071" href="https://adsecurity.org/?tag=server-message-block">Server Message Block</a>, <a class="term term-tagpost_tag term-455" href="https://adsecurity.org/?tag=smb">SMB</a>, <a class="term term-tagpost_tag term-1076" href="https://adsecurity.org/?tag=telemetry-dashboard">Telemetry Dashboard</a>, <a class="term term-tagpost_tag term-1065" href="https://adsecurity.org/?tag=vba">VBA</a>, <a class="term term-tagpost_tag term-1066" href="https://adsecurity.org/?tag=vbscript">VBScript</a>, <a class="term term-tagpost_tag term-1062" href="https://adsecurity.org/?tag=wdigest">WDigest</a>, <a class="term term-tagpost_tag term-1068" href="https://adsecurity.org/?tag=windows-10-build-image">Windows 10 build image</a>, <a class="term term-tagpost_tag term-1031" href="https://adsecurity.org/?tag=wpad">WPAD</a>, <a class="term term-tagpost_tag term-1064" href="https://adsecurity.org/?tag=wscript">wscript</a></span></li> <li class="comment-link col-sm-4"><i class="fa fa-comments"></i> <a href="https://adsecurity.org/?p=3299#comments">6 comments</a></li> </ul> </div> </div> <div id="post-2753" class="clearfix post post-2753 type-post status-publish format-standard has-post-thumbnail hentry category-activedirectorysecurity category-microsoft-security category-technical-reference tag-activedirectorysecurity tag-adcomputerrights tag-adexploit tag-adpersistence tag-computeraccount tag-computeraccountpassword tag-dcpersistence tag-domaincontroller tag-domaincontrollersilverticket tag-mimikatz tag-silverticket tag-sneakyadpersistence item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Mar</span> <span class="day">09</span> <span class="year">2016</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=2753" rel="bookmark" title="Permalink to Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets"> Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p class="excerpt-thumb"> <a href="https://adsecurity.org/?p=2753" rel="bookmark" title="Permalink to Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets"> <img width="300" height="89" src="https://adsecurity.org/wp-content/uploads/2015/11/SilverTicket-DC-LDAP-300x89.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://adsecurity.org/wp-content/uploads/2015/11/SilverTicket-DC-LDAP-300x89.png 300w, https://adsecurity.org/wp-content/uploads/2015/11/SilverTicket-DC-LDAP.png 838w" sizes="(max-width: 300px) 100vw, 300px" /> </a> </p> <p>The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes. All posts in my Sneaky Active Directory Persistence Tricks series This post explores how an attacker could leverage computer account credentials to persist in an enterprise … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=2753">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-113" href="https://adsecurity.org/?tag=activedirectorysecurity">ActiveDirectorySecurity</a>, <a class="term term-tagpost_tag term-913" href="https://adsecurity.org/?tag=adcomputerrights">ADComputerRights</a>, <a class="term term-tagpost_tag term-915" href="https://adsecurity.org/?tag=adexploit">ADExploit</a>, <a class="term term-tagpost_tag term-544" href="https://adsecurity.org/?tag=adpersistence">ADPersistence</a>, <a class="term term-tagpost_tag term-911" href="https://adsecurity.org/?tag=computeraccount">ComputerAccount</a>, <a class="term term-tagpost_tag term-675" href="https://adsecurity.org/?tag=computeraccountpassword">ComputerAccountPassword</a>, <a class="term term-tagpost_tag term-912" href="https://adsecurity.org/?tag=dcpersistence">DCPersistence</a>, <a class="term term-tagpost_tag term-101" href="https://adsecurity.org/?tag=domaincontroller">DomainController</a>, <a class="term term-tagpost_tag term-914" href="https://adsecurity.org/?tag=domaincontrollersilverticket">DomainControllerSilverTicket</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-304" href="https://adsecurity.org/?tag=silverticket">SilverTicket</a>, <a class="term term-tagpost_tag term-596" href="https://adsecurity.org/?tag=sneakyadpersistence">SneakyADPersistence</a></span></li> <li class="comment-link col-sm-4"><i class="fa fa-comments"></i> <a href="https://adsecurity.org/?p=2753#comments">4 comments</a></li> </ul> </div> </div> <div id="post-2696" class="clearfix post post-2696 type-post status-publish format-standard hentry category-activedirectorysecurity category-microsoft-security category-technical-reference tag-invoke-mimikatz tag-mimikatz tag-mimikatzcommandreference tag-mimikatzupdate item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Mar</span> <span class="day">02</span> <span class="year">2016</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=2696" rel="bookmark" title="Permalink to ADSecurity.org’s Unofficial Guide to Mimikatz & Command Reference Updated for Mimikatz v2.1 alpha 20160229"> ADSecurity.org’s Unofficial Guide to Mimikatz & Command Reference Updated for Mimikatz v2.1 alpha 20160229 </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>ADSecurity.org’s Unofficial Guide to Mimikatz & Command Reference page is updated for the new modules/features in Mimikatz v2.1 alpha 20160229. According to Mimikatz author, Benjamin Delpy, the following updates are included in the most recent Mimikatz version(s): Mimikatz Release Date: 2/29/2016 2.1 alpha 20160229 (oe.eo) edition System Environment Variables & other stuff [new] System Environment … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=2696">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-336" href="https://adsecurity.org/?tag=invoke-mimikatz">Invoke-Mimikatz</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-906" href="https://adsecurity.org/?tag=mimikatzcommandreference">MimikatzCommandReference</a>, <a class="term term-tagpost_tag term-907" href="https://adsecurity.org/?tag=mimikatzupdate">MimikatzUpdate</a></span></li> </ul> </div> </div> <div id="post-2495" class="clearfix post post-2495 type-post status-publish format-standard has-post-thumbnail hentry category-activedirectorysecurity category-microsoft-security tag-activedirectory tag-activedirectorysecurity tag-adsecurity tag-detectforgedkerberoticket tag-detectgoldenticket tag-detectingforgedkerberosticket tag-detectsilverticket tag-forgedkerberosticket tag-goldenticket tag-kerberosgolden tag-mimikatz tag-silverticket item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Jan</span> <span class="day">05</span> <span class="year">2016</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=2495" rel="bookmark" title="Permalink to Mimikatz Update Fixes Forged Kerberos Ticket Domain Field Anomaly – Golden Ticket Invalid Domain Field Event Detection No Longer Works"> Mimikatz Update Fixes Forged Kerberos Ticket Domain Field Anomaly – Golden Ticket Invalid Domain Field Event Detection No Longer Works </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p class="excerpt-thumb"> <a href="https://adsecurity.org/?p=2495" rel="bookmark" title="Permalink to Mimikatz Update Fixes Forged Kerberos Ticket Domain Field Anomaly – Golden Ticket Invalid Domain Field Event Detection No Longer Works"> <img width="300" height="24" src="https://adsecurity.org/wp-content/uploads/2015/05/GT-DomainFieldUpdate-20150105-300x24.jpg" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://adsecurity.org/wp-content/uploads/2015/05/GT-DomainFieldUpdate-20150105-300x24.jpg 300w, https://adsecurity.org/wp-content/uploads/2015/05/GT-DomainFieldUpdate-20150105-768x62.jpg 768w, https://adsecurity.org/wp-content/uploads/2015/05/GT-DomainFieldUpdate-20150105-1024x83.jpg 1024w, https://adsecurity.org/wp-content/uploads/2015/05/GT-DomainFieldUpdate-20150105.jpg 1495w" sizes="(max-width: 300px) 100vw, 300px" /> </a> </p> <p>In late 2014, I discovered that the domain field in many events in the Windows security event log are not properly populated when forged Kerberos tickets are used. The key indicator is that the domain field is blank or contains the FQDN instead of the short (netbios) name and depending on the tool used to … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=2495">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-20" href="https://adsecurity.org/?tag=activedirectory">ActiveDirectory</a>, <a class="term term-tagpost_tag term-113" href="https://adsecurity.org/?tag=activedirectorysecurity">ActiveDirectorySecurity</a>, <a class="term term-tagpost_tag term-86" href="https://adsecurity.org/?tag=adsecurity">ADSecurity</a>, <a class="term term-tagpost_tag term-790" href="https://adsecurity.org/?tag=detectforgedkerberoticket">DetectForgedKerberoTicket</a>, <a class="term term-tagpost_tag term-481" href="https://adsecurity.org/?tag=detectgoldenticket">DetectGoldenTicket</a>, <a class="term term-tagpost_tag term-480" href="https://adsecurity.org/?tag=detectingforgedkerberosticket">DetectingForgedKerberosTicket</a>, <a class="term term-tagpost_tag term-482" href="https://adsecurity.org/?tag=detectsilverticket">DetectSilverTicket</a>, <a class="term term-tagpost_tag term-479" href="https://adsecurity.org/?tag=forgedkerberosticket">ForgedKerberosTicket</a>, <a class="term term-tagpost_tag term-303" href="https://adsecurity.org/?tag=goldenticket">GoldenTicket</a>, <a class="term term-tagpost_tag term-791" href="https://adsecurity.org/?tag=kerberosgolden">kerberos::golden</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-304" href="https://adsecurity.org/?tag=silverticket">SilverTicket</a></span></li> </ul> </div> </div> <div id="post-2398" class="clearfix post post-2398 type-post status-publish format-standard has-post-thumbnail hentry category-activedirectorysecurity category-microsoft-security category-technical-reference tag-784 tag-785 tag-activedirectorydatabase tag-administrator tag-copy-ntds-dit tag-copyntds-dit tag-dcsync tag-ditsnapshotviewer tag-dumpactivedirectory tag-dumpadcredentials tag-dumpadcreds tag-dumpcredentials tag-dumpcreds tag-esentutl tag-invoke-mimikatz tag-invoke-ninjacopy tag-invoke-reflectivepeinjection tag-krbtgt tag-lsadumpdcsync tag-lsadumplsa tag-mimikatz tag-mimikatzdcsync tag-ntds-dit tag-ntdsutil tag-passtheticket tag-powershellremoting tag-powersploit tag-sekurlsalogonpasswords tag-volumeshadowcopy tag-vss tag-vssntds-dit tag-wmi tag-wmic tag-wmicpasstheticket tag-wmiptt item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Jan</span> <span class="day">03</span> <span class="year">2016</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=2398" rel="bookmark" title="Permalink to How Attackers Dump Active Directory Database Credentials"> How Attackers Dump Active Directory Database Credentials </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p class="excerpt-thumb"> <a href="https://adsecurity.org/?p=2398" rel="bookmark" title="Permalink to How Attackers Dump Active Directory Database Credentials"> <img width="214" height="300" src="https://adsecurity.org/wp-content/uploads/2016/01/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Computer-RDLABDC02-214x300.jpg" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://adsecurity.org/wp-content/uploads/2016/01/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Computer-RDLABDC02-214x300.jpg 214w, https://adsecurity.org/wp-content/uploads/2016/01/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Computer-RDLABDC02-768x1078.jpg 768w, https://adsecurity.org/wp-content/uploads/2016/01/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Computer-RDLABDC02-730x1024.jpg 730w, https://adsecurity.org/wp-content/uploads/2016/01/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Computer-RDLABDC02.jpg 1199w" sizes="(max-width: 214px) 100vw, 214px" /> </a> </p> <p>I previously posted some information on dumping AD database credentials before in a couple of posts: “How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller” and “Attack Methods for Gaining Domain Admin Rights in Active Directory“. This post covers many different ways that an attacker can dump credentials from Active Directory, both … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=2398">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-784" href="https://adsecurity.org/?tag=500">500</a>, <a class="term term-tagpost_tag term-785" href="https://adsecurity.org/?tag=502">502</a>, <a class="term term-tagpost_tag term-777" href="https://adsecurity.org/?tag=activedirectorydatabase">ActiveDirectorydatabase</a>, <a class="term term-tagpost_tag term-786" href="https://adsecurity.org/?tag=administrator">Administrator</a>, <a class="term term-tagpost_tag term-794" href="https://adsecurity.org/?tag=copy-ntds-dit">copy ntds.dit</a>, <a class="term term-tagpost_tag term-795" href="https://adsecurity.org/?tag=copyntds-dit">CopyNTDS.dit</a>, <a class="term term-tagpost_tag term-598" href="https://adsecurity.org/?tag=dcsync">DCSync</a>, <a class="term term-tagpost_tag term-773" href="https://adsecurity.org/?tag=ditsnapshotviewer">DITSnapshotViewer</a>, <a class="term term-tagpost_tag term-796" href="https://adsecurity.org/?tag=dumpactivedirectory">dumpActiveDirectory</a>, <a class="term term-tagpost_tag term-772" href="https://adsecurity.org/?tag=dumpadcredentials">DumpADCredentials</a>, <a class="term term-tagpost_tag term-797" href="https://adsecurity.org/?tag=dumpadcreds">DumpADCreds</a>, <a class="term term-tagpost_tag term-771" href="https://adsecurity.org/?tag=dumpcredentials">DumpCredentials</a>, <a class="term term-tagpost_tag term-787" href="https://adsecurity.org/?tag=dumpcreds">DumpCreds</a>, <a class="term term-tagpost_tag term-792" href="https://adsecurity.org/?tag=esentutl">Esentutl</a>, <a class="term term-tagpost_tag term-336" href="https://adsecurity.org/?tag=invoke-mimikatz">Invoke-Mimikatz</a>, <a class="term term-tagpost_tag term-770" href="https://adsecurity.org/?tag=invoke-ninjacopy">Invoke-NinjaCopy</a>, <a class="term term-tagpost_tag term-249" href="https://adsecurity.org/?tag=invoke-reflectivepeinjection">Invoke-ReflectivePEInjection</a>, <a class="term term-tagpost_tag term-394" href="https://adsecurity.org/?tag=krbtgt">KRBTGT</a>, <a class="term term-tagpost_tag term-774" href="https://adsecurity.org/?tag=lsadumpdcsync">lsadump::dcsync</a>, <a class="term term-tagpost_tag term-775" href="https://adsecurity.org/?tag=lsadumplsa">lsadump::lsa</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-599" href="https://adsecurity.org/?tag=mimikatzdcsync">MimikatzDCSync</a>, <a class="term term-tagpost_tag term-691" href="https://adsecurity.org/?tag=ntds-dit">ntds.dit</a>, <a class="term term-tagpost_tag term-793" href="https://adsecurity.org/?tag=ntdsutil">ntdsutil</a>, <a class="term term-tagpost_tag term-316" href="https://adsecurity.org/?tag=passtheticket">PassTheTicket</a>, <a class="term term-tagpost_tag term-477" href="https://adsecurity.org/?tag=powershellremoting">PowerShellRemoting</a>, <a class="term term-tagpost_tag term-232" href="https://adsecurity.org/?tag=powersploit">PowerSploit</a>, <a class="term term-tagpost_tag term-776" href="https://adsecurity.org/?tag=sekurlsalogonpasswords">sekurlsa::logonpasswords</a>, <a class="term term-tagpost_tag term-780" href="https://adsecurity.org/?tag=volumeshadowcopy">VolumeShadowCopy</a>, <a class="term term-tagpost_tag term-779" href="https://adsecurity.org/?tag=vss">VSS</a>, <a class="term term-tagpost_tag term-781" href="https://adsecurity.org/?tag=vssntds-dit">VSSNTDS.dit</a>, <a class="term term-tagpost_tag term-546" href="https://adsecurity.org/?tag=wmi">WMI</a>, <a class="term term-tagpost_tag term-778" href="https://adsecurity.org/?tag=wmic">WMIC</a>, <a class="term term-tagpost_tag term-782" href="https://adsecurity.org/?tag=wmicpasstheticket">WMICPassTheTicket</a>, <a class="term term-tagpost_tag term-783" href="https://adsecurity.org/?tag=wmiptt">WMIPTT</a></span></li> </ul> </div> </div> <div id="post-2362" class="clearfix post post-2362 type-post status-publish format-standard has-post-thumbnail hentry category-activedirectorysecurity category-microsoft-security category-technical-reference tag-activedirectory tag-administratorpassword tag-aesprivatekey tag-aessharedsecret tag-cpassword tag-credentialtheft tag-credentialtheftshuffle tag-domainadmins tag-domaincontroller tag-dumpcredentiasls tag-dumplsass tag-enterpriseadmins tag-get-gpppassword tag-goldentickets tag-gpp tag-grouppolicypreferences tag-groups-xml tag-ifm tag-installfrommedia tag-kb2962486 tag-kb3011780 tag-kekeo tag-kerberoast tag-kerberos tag-kerberoshacking tag-laps tag-lateralmovement tag-localadministratoraccountpassword tag-lsass tag-lsassdumpfile tag-microsoftlaps tag-mimikatz tag-ms14068 tag-ms14068-exe tag-ms14068exploit tag-msdn tag-ntds-dit tag-paws tag-persistence tag-powersploit tag-pykek tag-rc4_hmac_md5 tag-rdp tag-runas tag-scheduledtasks-xml tag-separateadminworkstation tag-serviceprincipalname tag-services-xml tag-spn tag-systemcompromise tag-sysvol tag-tgs tag-tgscracking tag-tgt tag-xml item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Jan</span> <span class="day">01</span> <span class="year">2016</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=2362" rel="bookmark" title="Permalink to Attack Methods for Gaining Domain Admin Rights in Active Directory"> Attack Methods for Gaining Domain Admin Rights in Active Directory </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p class="excerpt-thumb"> <a href="https://adsecurity.org/?p=2362" rel="bookmark" title="Permalink to Attack Methods for Gaining Domain Admin Rights in Active Directory"> <img width="300" height="235" src="https://adsecurity.org/wp-content/uploads/2015/12/MS14068-01-300x235.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://adsecurity.org/wp-content/uploads/2015/12/MS14068-01-300x235.png 300w, https://adsecurity.org/wp-content/uploads/2015/12/MS14068-01-768x602.png 768w, https://adsecurity.org/wp-content/uploads/2015/12/MS14068-01.png 882w" sizes="(max-width: 300px) 100vw, 300px" /> </a> </p> <p>There are many ways an attacker can gain Domain Admin rights in Active Directory. This post is meant to describe some of the more popular ones in current use. The techniques described here “assume breach” where an attacker already has a foothold on an internal system and has gained domain user credentials (aka post-exploitation). The … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=2362">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-20" href="https://adsecurity.org/?tag=activedirectory">ActiveDirectory</a>, <a class="term term-tagpost_tag term-758" href="https://adsecurity.org/?tag=administratorpassword">administratorpassword</a>, <a class="term term-tagpost_tag term-745" href="https://adsecurity.org/?tag=aesprivatekey">AESprivatekey</a>, <a class="term term-tagpost_tag term-789" href="https://adsecurity.org/?tag=aessharedsecret">AESsharedsecret</a>, <a class="term term-tagpost_tag term-747" href="https://adsecurity.org/?tag=cpassword">cpassword</a>, <a class="term term-tagpost_tag term-540" href="https://adsecurity.org/?tag=credentialtheft">CredentialTheft</a>, <a class="term term-tagpost_tag term-752" href="https://adsecurity.org/?tag=credentialtheftshuffle">CredentialTheftShuffle</a>, <a class="term term-tagpost_tag term-384" href="https://adsecurity.org/?tag=domainadmins">DomainAdmins</a>, <a class="term term-tagpost_tag term-101" href="https://adsecurity.org/?tag=domaincontroller">DomainController</a>, <a class="term term-tagpost_tag term-753" href="https://adsecurity.org/?tag=dumpcredentiasls">DumpCredentiasls</a>, <a class="term term-tagpost_tag term-761" href="https://adsecurity.org/?tag=dumplsass">DumpLSASS</a>, <a class="term term-tagpost_tag term-385" href="https://adsecurity.org/?tag=enterpriseadmins">EnterpriseAdmins</a>, <a class="term term-tagpost_tag term-744" href="https://adsecurity.org/?tag=get-gpppassword">Get-GPPPassword</a>, <a class="term term-tagpost_tag term-765" href="https://adsecurity.org/?tag=goldentickets">GoldenTickets</a>, <a class="term term-tagpost_tag term-12" href="https://adsecurity.org/?tag=gpp">GPP</a>, <a class="term term-tagpost_tag term-742" href="https://adsecurity.org/?tag=grouppolicypreferences">GroupPolicyPreferences</a>, <a class="term term-tagpost_tag term-748" href="https://adsecurity.org/?tag=groups-xml">groups.xml</a>, <a class="term term-tagpost_tag term-764" href="https://adsecurity.org/?tag=ifm">IFM</a>, <a class="term term-tagpost_tag term-763" href="https://adsecurity.org/?tag=installfrommedia">InstallFromMedia</a>, <a class="term term-tagpost_tag term-726" href="https://adsecurity.org/?tag=kb2962486">KB2962486</a>, <a class="term term-tagpost_tag term-337" href="https://adsecurity.org/?tag=kb3011780">KB3011780</a>, <a class="term term-tagpost_tag term-531" href="https://adsecurity.org/?tag=kekeo">Kekeo</a>, <a class="term term-tagpost_tag term-673" href="https://adsecurity.org/?tag=kerberoast">Kerberoast</a>, <a class="term term-tagpost_tag term-81" href="https://adsecurity.org/?tag=kerberos">Kerberos</a>, <a class="term term-tagpost_tag term-298" href="https://adsecurity.org/?tag=kerberoshacking">KerberosHacking</a>, <a class="term term-tagpost_tag term-631" href="https://adsecurity.org/?tag=laps">LAPS</a>, <a class="term term-tagpost_tag term-755" href="https://adsecurity.org/?tag=lateralmovement">lateralmovement</a>, <a class="term term-tagpost_tag term-757" href="https://adsecurity.org/?tag=localadministratoraccountpassword">localadministratoraccountpassword</a>, <a class="term term-tagpost_tag term-71" href="https://adsecurity.org/?tag=lsass">LSASS</a>, <a class="term term-tagpost_tag term-762" href="https://adsecurity.org/?tag=lsassdumpfile">LSASSDumpFile</a>, <a class="term term-tagpost_tag term-629" href="https://adsecurity.org/?tag=microsoftlaps">MicrosoftLAPS</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-295" href="https://adsecurity.org/?tag=ms14068">MS14068</a>, <a class="term term-tagpost_tag term-751" href="https://adsecurity.org/?tag=ms14068-exe">ms14068.exe</a>, <a class="term term-tagpost_tag term-334" href="https://adsecurity.org/?tag=ms14068exploit">MS14068Exploit</a>, <a class="term term-tagpost_tag term-746" href="https://adsecurity.org/?tag=msdn">MSDN</a>, <a class="term term-tagpost_tag term-691" href="https://adsecurity.org/?tag=ntds-dit">ntds.dit</a>, <a class="term term-tagpost_tag term-759" href="https://adsecurity.org/?tag=paws">PAWS</a>, <a class="term term-tagpost_tag term-766" href="https://adsecurity.org/?tag=persistence">Persistence</a>, <a class="term term-tagpost_tag term-232" href="https://adsecurity.org/?tag=powersploit">PowerSploit</a>, <a class="term term-tagpost_tag term-329" href="https://adsecurity.org/?tag=pykek">PyKEK</a>, <a class="term term-tagpost_tag term-708" href="https://adsecurity.org/?tag=rc4_hmac_md5">RC4_HMAC_MD5</a>, <a class="term term-tagpost_tag term-478" href="https://adsecurity.org/?tag=rdp">RDP</a>, <a class="term term-tagpost_tag term-754" href="https://adsecurity.org/?tag=runas">RunAs</a>, <a class="term term-tagpost_tag term-749" href="https://adsecurity.org/?tag=scheduledtasks-xml">scheduledtasks.xml</a>, <a class="term term-tagpost_tag term-760" href="https://adsecurity.org/?tag=separateadminworkstation">separateAdminWorkstation</a>, <a class="term term-tagpost_tag term-83" href="https://adsecurity.org/?tag=serviceprincipalname">ServicePrincipalName</a>, <a class="term term-tagpost_tag term-750" href="https://adsecurity.org/?tag=services-xml">Services.xml</a>, <a class="term term-tagpost_tag term-294" href="https://adsecurity.org/?tag=spn">SPN</a>, <a class="term term-tagpost_tag term-756" href="https://adsecurity.org/?tag=systemcompromise">systemcompromise</a>, <a class="term term-tagpost_tag term-621" href="https://adsecurity.org/?tag=sysvol">SYSVOL</a>, <a class="term term-tagpost_tag term-528" href="https://adsecurity.org/?tag=tgs">TGS</a>, <a class="term term-tagpost_tag term-743" href="https://adsecurity.org/?tag=tgscracking">TGSCracking</a>, <a class="term term-tagpost_tag term-529" href="https://adsecurity.org/?tag=tgt">TGT</a>, <a class="term term-tagpost_tag term-728" href="https://adsecurity.org/?tag=xml">xml</a></span></li> <li class="comment-link col-sm-4"><i class="fa fa-comments"></i> <a href="https://adsecurity.org/?p=2362#comments">2 comments</a></li> </ul> </div> </div> <div id="post-2293" class="clearfix post post-2293 type-post status-publish format-standard has-post-thumbnail hentry category-activedirectorysecurity category-microsoft-security category-technical-reference tag-activedirectory tag-crackpasswords tag-crackserviceaccountpassword tag-cracktgs tag-diamondpac tag-domaincontroller tag-forgedpac tag-goldenticket tag-kerberoast tag-kerberos tag-kerberossilverticket tag-mimikatz tag-ms14068 tag-mssql tag-powershell tag-python tag-rc4hmacmd5 tag-rc4_hmac_md5 tag-serviceprincipalname tag-silverticket tag-skeletonkey tag-spn tag-spnscanning tag-sql tag-tgs tag-tgscracker tag-tgt item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Dec</span> <span class="day">31</span> <span class="year">2015</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=2293" rel="bookmark" title="Permalink to Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain"> Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p class="excerpt-thumb"> <a href="https://adsecurity.org/?p=2293" rel="bookmark" title="Permalink to Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain"> <img width="300" height="25" src="https://adsecurity.org/wp-content/uploads/2015/12/Kerberoast-03-300x25.jpg" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://adsecurity.org/wp-content/uploads/2015/12/Kerberoast-03-300x25.jpg 300w, https://adsecurity.org/wp-content/uploads/2015/12/Kerberoast-03.jpg 666w" sizes="(max-width: 300px) 100vw, 300px" /> </a> </p> <p>Microsoft’s Kerberos implementation in Active Directory has been targeted over the past couple of years by security researchers and attackers alike. The issues are primarily related to the legacy support in Kerberos when Active Directory was released in the year 2000 with Windows Server 2000. This legacy support is enabled when using Kerberos RC4 encryption … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=2293">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-20" href="https://adsecurity.org/?tag=activedirectory">ActiveDirectory</a>, <a class="term term-tagpost_tag term-736" href="https://adsecurity.org/?tag=crackpasswords">CrackPasswords</a>, <a class="term term-tagpost_tag term-738" href="https://adsecurity.org/?tag=crackserviceaccountpassword">CrackServiceAccountPassword</a>, <a class="term term-tagpost_tag term-737" href="https://adsecurity.org/?tag=cracktgs">CrackTGS</a>, <a class="term term-tagpost_tag term-735" href="https://adsecurity.org/?tag=diamondpac">DiamondPAC</a>, <a class="term term-tagpost_tag term-101" href="https://adsecurity.org/?tag=domaincontroller">DomainController</a>, <a class="term term-tagpost_tag term-734" href="https://adsecurity.org/?tag=forgedpac">ForgedPAC</a>, <a class="term term-tagpost_tag term-303" href="https://adsecurity.org/?tag=goldenticket">GoldenTicket</a>, <a class="term term-tagpost_tag term-673" href="https://adsecurity.org/?tag=kerberoast">Kerberoast</a>, <a class="term term-tagpost_tag term-81" href="https://adsecurity.org/?tag=kerberos">Kerberos</a>, <a class="term term-tagpost_tag term-206" href="https://adsecurity.org/?tag=kerberossilverticket">KerberosSilverTicket</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-295" href="https://adsecurity.org/?tag=ms14068">MS14068</a>, <a class="term term-tagpost_tag term-140" href="https://adsecurity.org/?tag=mssql">MSSQL</a>, <a class="term term-tagpost_tag term-575" href="https://adsecurity.org/?tag=powershell">PowerShell</a>, <a class="term term-tagpost_tag term-740" href="https://adsecurity.org/?tag=python">Python</a>, <a class="term term-tagpost_tag term-741" href="https://adsecurity.org/?tag=rc4hmacmd5">RC4HMACMD5</a>, <a class="term term-tagpost_tag term-708" href="https://adsecurity.org/?tag=rc4_hmac_md5">RC4_HMAC_MD5</a>, <a class="term term-tagpost_tag term-83" href="https://adsecurity.org/?tag=serviceprincipalname">ServicePrincipalName</a>, <a class="term term-tagpost_tag term-304" href="https://adsecurity.org/?tag=silverticket">SilverTicket</a>, <a class="term term-tagpost_tag term-414" href="https://adsecurity.org/?tag=skeletonkey">SkeletonKey</a>, <a class="term term-tagpost_tag term-294" href="https://adsecurity.org/?tag=spn">SPN</a>, <a class="term term-tagpost_tag term-471" href="https://adsecurity.org/?tag=spnscanning">SPNScanning</a>, <a class="term term-tagpost_tag term-732" href="https://adsecurity.org/?tag=sql">SQL</a>, <a class="term term-tagpost_tag term-528" href="https://adsecurity.org/?tag=tgs">TGS</a>, <a class="term term-tagpost_tag term-739" href="https://adsecurity.org/?tag=tgscracker">TGSCracker</a>, <a class="term term-tagpost_tag term-529" href="https://adsecurity.org/?tag=tgt">TGT</a></span></li> <li class="comment-link col-sm-4"><i class="fa fa-comments"></i> <a href="https://adsecurity.org/?p=2293#comments">1 comments</a></li> </ul> </div> </div> <div id="post-2207" class="clearfix post post-2207 type-post status-publish format-standard has-post-thumbnail hentry category-microsoft-security category-technical-reference tag-detectingmimikatz tag-invoke-mimikatz tag-kerberos tag-mimikatz tag-mimikatzcommands tag-mimikatzmitigation tag-sekurlsa item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Dec</span> <span class="day">14</span> <span class="year">2015</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=2207" rel="bookmark" title="Permalink to Unofficial Guide to Mimikatz & Command Reference"> Unofficial Guide to Mimikatz & Command Reference </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p class="excerpt-thumb"> <a href="https://adsecurity.org/?p=2207" rel="bookmark" title="Permalink to Unofficial Guide to Mimikatz & Command Reference"> <img width="300" height="283" src="https://adsecurity.org/wp-content/uploads/2015/11/Mimikatz-Sekurlsa-LogonPasswords-300x283.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://adsecurity.org/wp-content/uploads/2015/11/Mimikatz-Sekurlsa-LogonPasswords-300x283.png 300w, https://adsecurity.org/wp-content/uploads/2015/11/Mimikatz-Sekurlsa-LogonPasswords.png 672w" sizes="(max-width: 300px) 100vw, 300px" /> </a> </p> <p>A new page on ADSecurity.org just went live which is an “unofficial” guide to Mimikatz which also contains an expansive command reference of all available Mimikatz commands. Screenshots, descriptions, and parameters are included where available and appropriate. This page includes the following topics: Mimikatz Overview Mimikatz & Credentials Available Credentials by OS PowerShell & Mimikatz … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=2207">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-857" href="https://adsecurity.org/?tag=detectingmimikatz">DetectingMimikatz</a>, <a class="term term-tagpost_tag term-336" href="https://adsecurity.org/?tag=invoke-mimikatz">Invoke-Mimikatz</a>, <a class="term term-tagpost_tag term-81" href="https://adsecurity.org/?tag=kerberos">Kerberos</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-854" href="https://adsecurity.org/?tag=mimikatzcommands">MimikatzCommands</a>, <a class="term term-tagpost_tag term-856" href="https://adsecurity.org/?tag=mimikatzmitigation">MimikatzMitigation</a>, <a class="term term-tagpost_tag term-855" href="https://adsecurity.org/?tag=sekurlsa">Sekurlsa</a></span></li> <li class="comment-link col-sm-4"><i class="fa fa-comments"></i> <a href="https://adsecurity.org/?p=2207#comments">1 comments</a></li> </ul> </div> </div> </div> <div class="pagination-wrapper"> <ul class="pagination"> <li class="disabled"><span class="page-numbers"><i class="fa fa-angle-left"></i></span></li> <li class="active"><span aria-current="page" class="page-numbers current">1</span></li><li><a class="page-numbers" href="https://adsecurity.org/?paged=2&tag=mimikatz">2</a></li><li><a class="page-numbers" href="https://adsecurity.org/?paged=3&tag=mimikatz">3</a></li><li><a class="next page-numbers" href="https://adsecurity.org/?paged=2&tag=mimikatz"><i class="fa fa-angle-right"></i></a></li> </ul> </div> </div><!-- #content-main --> <div id="sidebar1" class="sidebar sidebar-right widget-area col-md-4"> <div id="recent-posts-4" class="sidebar-wrap widget_recent_entries"> <h3>Recent Posts</h3> <ul> <li> <a href="https://adsecurity.org/?p=4436">BSides Dublin – The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations – Sean Metcalf</a> </li> <li> <a href="https://adsecurity.org/?p=4434">DEFCON 2017: Transcript – Hacking the Cloud</a> </li> <li> <a href="https://adsecurity.org/?p=4432">Detecting the Elusive: Active Directory Threat Hunting</a> </li> <li> <a href="https://adsecurity.org/?p=4430">Detecting Kerberoasting Activity</a> </li> <li> <a href="https://adsecurity.org/?p=4428">Detecting Password Spraying with Security Event Auditing</a> </li> </ul> </div><div id="text-3" class="sidebar-wrap widget_text"><h3>Trimarc Active Directory Security Services</h3> <div class="textwidget">Have concerns about your Active Directory environment? Trimarc helps enterprises improve their security posture. <p> <a href="http://trimarcsecurity.com/security-services">Find out how...</a> TrimarcSecurity.com</div> </div><div id="widget_tptn_pop-4" class="sidebar-wrap tptn_posts_list_widget"><h3>Popular Posts</h3><div class="tptn_posts tptn_posts_widget tptn_posts_widget4"><ul><li><span class="tptn_after_thumb"><a href="https://adsecurity.org/?p=478" class="tptn_link"><span class="tptn_title">PowerShell Encoding & Decoding (Base64)</span></a></span></li><li><span class="tptn_after_thumb"><a href="https://adsecurity.org/?p=2362" class="tptn_link"><span class="tptn_title">Attack Methods for Gaining Domain Admin Rights in…</span></a></span></li><li><span class="tptn_after_thumb"><a href="https://adsecurity.org/?p=483" class="tptn_link"><span class="tptn_title">Kerberos & KRBTGT: Active Directory’s…</span></a></span></li><li><span class="tptn_after_thumb"><a href="https://adsecurity.org/?p=2288" class="tptn_link"><span class="tptn_title">Finding Passwords in SYSVOL & Exploiting Group…</span></a></span></li><li><span class="tptn_after_thumb"><a href="https://adsecurity.org/?p=3377" class="tptn_link"><span class="tptn_title">Securing Domain Controllers to Improve Active…</span></a></span></li><li><span class="tptn_after_thumb"><a href="https://adsecurity.org/?p=3299" class="tptn_link"><span class="tptn_title">Securing Windows Workstations: Developing a Secure Baseline</span></a></span></li><li><span class="tptn_after_thumb"><a href="https://adsecurity.org/?p=3458" class="tptn_link"><span class="tptn_title">Detecting Kerberoasting Activity</span></a></span></li><li><span class="tptn_after_thumb"><a href="https://adsecurity.org/?p=1729" class="tptn_link"><span class="tptn_title">Mimikatz DCSync Usage, Exploitation, and Detection</span></a></span></li><li><span class="tptn_after_thumb"><a href="https://adsecurity.org/?p=3658" class="tptn_link"><span class="tptn_title">Scanning for Active Directory Privileges &…</span></a></span></li><li><span class="tptn_after_thumb"><a href="https://adsecurity.org/?p=3164" class="tptn_link"><span class="tptn_title">Microsoft LAPS Security & Active Directory LAPS…</span></a></span></li></ul><div class="tptn_clear"></div></div></div><div id="categories-4" class="sidebar-wrap widget_categories"><h3>Categories</h3> <ul> <li class="cat-item cat-item-565"><a href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a> </li> <li class="cat-item cat-item-55"><a href="https://adsecurity.org/?cat=55">Apple Security</a> </li> <li class="cat-item cat-item-431"><a href="https://adsecurity.org/?cat=431">Cloud Security</a> </li> <li class="cat-item cat-item-17"><a href="https://adsecurity.org/?cat=17">Continuing Education</a> </li> <li class="cat-item cat-item-396"><a href="https://adsecurity.org/?cat=396">Entertainment</a> </li> <li class="cat-item cat-item-347"><a href="https://adsecurity.org/?cat=347">Exploit</a> </li> <li class="cat-item cat-item-1039"><a href="https://adsecurity.org/?cat=1039">Hacking</a> </li> <li class="cat-item cat-item-168"><a href="https://adsecurity.org/?cat=168">Hardware Security</a> </li> <li class="cat-item cat-item-172"><a href="https://adsecurity.org/?cat=172">Hypervisor Security</a> </li> <li class="cat-item cat-item-126"><a href="https://adsecurity.org/?cat=126">Linux/Unix Security</a> </li> <li class="cat-item cat-item-343"><a href="https://adsecurity.org/?cat=343">Malware</a> </li> <li class="cat-item cat-item-11"><a href="https://adsecurity.org/?cat=11">Microsoft Security</a> </li> <li class="cat-item cat-item-819"><a href="https://adsecurity.org/?cat=819">Mitigation</a> </li> <li class="cat-item cat-item-48"><a href="https://adsecurity.org/?cat=48">Network/System Security</a> </li> <li class="cat-item cat-item-7"><a href="https://adsecurity.org/?cat=7">PowerShell</a> </li> <li class="cat-item cat-item-698"><a href="https://adsecurity.org/?cat=698">RealWorld</a> </li> <li class="cat-item cat-item-21"><a href="https://adsecurity.org/?cat=21">Security</a> </li> <li class="cat-item cat-item-234"><a href="https://adsecurity.org/?cat=234">Security Conference Presentation/Video</a> </li> <li class="cat-item cat-item-1045"><a href="https://adsecurity.org/?cat=1045">Security Recommendation</a> </li> <li class="cat-item cat-item-24"><a href="https://adsecurity.org/?cat=24">Technical Article</a> </li> <li class="cat-item cat-item-4"><a href="https://adsecurity.org/?cat=4">Technical Reading</a> </li> <li class="cat-item cat-item-2"><a href="https://adsecurity.org/?cat=2">Technical Reference</a> </li> <li class="cat-item cat-item-156"><a href="https://adsecurity.org/?cat=156">TheCloud</a> </li> <li class="cat-item cat-item-930"><a href="https://adsecurity.org/?cat=930">Vulnerability</a> </li> </ul> </div><div id="tag_cloud-3" class="sidebar-wrap widget_tag_cloud"><h3>Tags</h3><div class="tagcloud"><a href="https://adsecurity.org/?tag=activedirectory" class="tag-cloud-link tag-link-20 tag-link-position-1" style="font-size: 22pt;" aria-label="ActiveDirectory (55 items)">ActiveDirectory</a> <a href="https://adsecurity.org/?tag=active-directory" class="tag-cloud-link tag-link-75 tag-link-position-2" style="font-size: 10.453608247423pt;" aria-label="Active Directory (8 items)">Active Directory</a> <a href="https://adsecurity.org/?tag=active-directory-security" class="tag-cloud-link tag-link-976 tag-link-position-3" style="font-size: 9.7319587628866pt;" aria-label="Active Directory Security (7 items)">Active Directory Security</a> <a href="https://adsecurity.org/?tag=activedirectorysecurity" class="tag-cloud-link tag-link-113 tag-link-position-4" style="font-size: 13.773195876289pt;" aria-label="ActiveDirectorySecurity (14 items)">ActiveDirectorySecurity</a> <a href="https://adsecurity.org/?tag=adreading" class="tag-cloud-link tag-link-5 tag-link-position-5" style="font-size: 13.340206185567pt;" aria-label="ADReading (13 items)">ADReading</a> <a href="https://adsecurity.org/?tag=ad-security" class="tag-cloud-link tag-link-100 tag-link-position-6" style="font-size: 8pt;" aria-label="AD Security (5 items)">AD Security</a> <a href="https://adsecurity.org/?tag=adsecurity" class="tag-cloud-link tag-link-86 tag-link-position-7" style="font-size: 10.453608247423pt;" aria-label="ADSecurity (8 items)">ADSecurity</a> <a href="https://adsecurity.org/?tag=azure" class="tag-cloud-link tag-link-25 tag-link-position-8" style="font-size: 8pt;" aria-label="Azure (5 items)">Azure</a> <a href="https://adsecurity.org/?tag=azuread" class="tag-cloud-link tag-link-136 tag-link-position-9" style="font-size: 8pt;" aria-label="AzureAD (5 items)">AzureAD</a> <a href="https://adsecurity.org/?tag=dcsync" class="tag-cloud-link tag-link-598 tag-link-position-10" style="font-size: 10.453608247423pt;" aria-label="DCSync (8 items)">DCSync</a> <a href="https://adsecurity.org/?tag=domaincontroller" class="tag-cloud-link tag-link-101 tag-link-position-11" style="font-size: 15.216494845361pt;" aria-label="DomainController (18 items)">DomainController</a> <a href="https://adsecurity.org/?tag=goldenticket" class="tag-cloud-link tag-link-303 tag-link-position-12" style="font-size: 11.175257731959pt;" aria-label="GoldenTicket (9 items)">GoldenTicket</a> <a href="https://adsecurity.org/?tag=grouppolicy" class="tag-cloud-link tag-link-196 tag-link-position-13" style="font-size: 8pt;" aria-label="GroupPolicy (5 items)">GroupPolicy</a> <a href="https://adsecurity.org/?tag=hyperv" class="tag-cloud-link tag-link-3 tag-link-position-14" style="font-size: 8pt;" aria-label="HyperV (5 items)">HyperV</a> <a href="https://adsecurity.org/?tag=invoke-mimikatz" class="tag-cloud-link tag-link-336 tag-link-position-15" style="font-size: 10.453608247423pt;" aria-label="Invoke-Mimikatz (8 items)">Invoke-Mimikatz</a> <a href="https://adsecurity.org/?tag=kb3011780" class="tag-cloud-link tag-link-337 tag-link-position-16" style="font-size: 9.7319587628866pt;" aria-label="KB3011780 (7 items)">KB3011780</a> <a href="https://adsecurity.org/?tag=kdc" class="tag-cloud-link tag-link-80 tag-link-position-17" style="font-size: 8pt;" aria-label="KDC (5 items)">KDC</a> <a href="https://adsecurity.org/?tag=kerberos" class="tag-cloud-link tag-link-81 tag-link-position-18" style="font-size: 15.216494845361pt;" aria-label="Kerberos (18 items)">Kerberos</a> <a href="https://adsecurity.org/?tag=kerberoshacking" class="tag-cloud-link tag-link-298 tag-link-position-19" style="font-size: 11.752577319588pt;" aria-label="KerberosHacking (10 items)">KerberosHacking</a> <a href="https://adsecurity.org/?tag=krbtgt" class="tag-cloud-link tag-link-394 tag-link-position-20" style="font-size: 9.7319587628866pt;" aria-label="KRBTGT (7 items)">KRBTGT</a> <a href="https://adsecurity.org/?tag=laps" class="tag-cloud-link tag-link-631 tag-link-position-21" style="font-size: 9.0103092783505pt;" aria-label="LAPS (6 items)">LAPS</a> <a href="https://adsecurity.org/?tag=lsass" class="tag-cloud-link tag-link-71 tag-link-position-22" style="font-size: 11.175257731959pt;" aria-label="LSASS (9 items)">LSASS</a> <a href="https://adsecurity.org/?tag=mcm" class="tag-cloud-link tag-link-6 tag-link-position-23" style="font-size: 14.061855670103pt;" aria-label="MCM (15 items)">MCM</a> <a href="https://adsecurity.org/?tag=microsoftemet" class="tag-cloud-link tag-link-58 tag-link-position-24" style="font-size: 11.175257731959pt;" aria-label="MicrosoftEMET (9 items)">MicrosoftEMET</a> <a href="https://adsecurity.org/?tag=microsoftwindows" class="tag-cloud-link tag-link-102 tag-link-position-25" style="font-size: 9.7319587628866pt;" aria-label="MicrosoftWindows (7 items)">MicrosoftWindows</a> <a href="https://adsecurity.org/?tag=mimikatz" class="tag-cloud-link tag-link-207 tag-link-position-26" style="font-size: 18.103092783505pt;" aria-label="mimikatz (29 items)">mimikatz</a> <a href="https://adsecurity.org/?tag=ms14068" class="tag-cloud-link tag-link-295 tag-link-position-27" style="font-size: 11.175257731959pt;" aria-label="MS14068 (9 items)">MS14068</a> <a href="https://adsecurity.org/?tag=passthehash" class="tag-cloud-link tag-link-44 tag-link-position-28" style="font-size: 9.7319587628866pt;" aria-label="PassTheHash (7 items)">PassTheHash</a> <a href="https://adsecurity.org/?tag=powershell" class="tag-cloud-link tag-link-575 tag-link-position-29" style="font-size: 18.536082474227pt;" aria-label="PowerShell (31 items)">PowerShell</a> <a href="https://adsecurity.org/?tag=powershellcode" class="tag-cloud-link tag-link-22 tag-link-position-30" style="font-size: 14.927835051546pt;" aria-label="PowerShellCode (17 items)">PowerShellCode</a> <a href="https://adsecurity.org/?tag=powershellhacking" class="tag-cloud-link tag-link-68 tag-link-position-31" style="font-size: 8pt;" aria-label="PowerShellHacking (5 items)">PowerShellHacking</a> <a href="https://adsecurity.org/?tag=powershellv5" class="tag-cloud-link tag-link-69 tag-link-position-32" style="font-size: 8pt;" aria-label="PowerShellv5 (5 items)">PowerShellv5</a> <a href="https://adsecurity.org/?tag=powersploit" class="tag-cloud-link tag-link-232 tag-link-position-33" style="font-size: 10.453608247423pt;" aria-label="PowerSploit (8 items)">PowerSploit</a> <a href="https://adsecurity.org/?tag=presentation" class="tag-cloud-link tag-link-422 tag-link-position-34" style="font-size: 9.7319587628866pt;" aria-label="Presentation (7 items)">Presentation</a> <a href="https://adsecurity.org/?tag=security" class="tag-cloud-link tag-link-576 tag-link-position-35" style="font-size: 8pt;" aria-label="Security (5 items)">Security</a> <a href="https://adsecurity.org/?tag=silverticket" class="tag-cloud-link tag-link-304 tag-link-position-36" style="font-size: 11.175257731959pt;" aria-label="SilverTicket (9 items)">SilverTicket</a> <a href="https://adsecurity.org/?tag=sneakyadpersistence" class="tag-cloud-link tag-link-596 tag-link-position-37" style="font-size: 9.0103092783505pt;" aria-label="SneakyADPersistence (6 items)">SneakyADPersistence</a> <a href="https://adsecurity.org/?tag=spn" class="tag-cloud-link tag-link-294 tag-link-position-38" style="font-size: 9.0103092783505pt;" aria-label="SPN (6 items)">SPN</a> <a href="https://adsecurity.org/?tag=tgs" class="tag-cloud-link tag-link-528 tag-link-position-39" style="font-size: 9.0103092783505pt;" aria-label="TGS (6 items)">TGS</a> <a href="https://adsecurity.org/?tag=tgt" class="tag-cloud-link tag-link-529 tag-link-position-40" style="font-size: 9.0103092783505pt;" aria-label="TGT (6 items)">TGT</a> <a href="https://adsecurity.org/?tag=windows7" class="tag-cloud-link tag-link-117 tag-link-position-41" style="font-size: 8pt;" aria-label="Windows7 (5 items)">Windows7</a> <a href="https://adsecurity.org/?tag=windows10" class="tag-cloud-link tag-link-494 tag-link-position-42" style="font-size: 10.453608247423pt;" aria-label="Windows10 (8 items)">Windows10</a> <a href="https://adsecurity.org/?tag=windowsserver2008r2" class="tag-cloud-link tag-link-46 tag-link-position-43" style="font-size: 9.0103092783505pt;" aria-label="WindowsServer2008R2 (6 items)">WindowsServer2008R2</a> <a href="https://adsecurity.org/?tag=windowsserver2012" class="tag-cloud-link tag-link-47 tag-link-position-44" style="font-size: 11.175257731959pt;" aria-label="WindowsServer2012 (9 items)">WindowsServer2012</a> <a href="https://adsecurity.org/?tag=windowsserver2012r2" class="tag-cloud-link tag-link-54 tag-link-position-45" style="font-size: 9.7319587628866pt;" aria-label="WindowsServer2012R2 (7 items)">WindowsServer2012R2</a></div> </div><div id="search-2" class="sidebar-wrap widget_search"><form class="searchform" method="get" action="https://adsecurity.org"> <div class="input-group"> <div class="form-group live-search-input"> <label for="s" class="screen-reader-text">Search for:</label> <input type="text" id="s" name="s" class="form-control" placeholder="Search"> </div> <span class="input-group-btn"> <button class="btn btn-default" type="submit"><i class="fa fa-search"></i></button> </span> </div> </form></div> <div id="recent-posts-2" class="sidebar-wrap widget_recent_entries"> <h3>Recent Posts</h3> <ul> <li> <a href="https://adsecurity.org/?p=4436">BSides Dublin – The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations – Sean Metcalf</a> </li> <li> <a href="https://adsecurity.org/?p=4434">DEFCON 2017: Transcript – Hacking the Cloud</a> </li> <li> <a href="https://adsecurity.org/?p=4432">Detecting the Elusive: Active Directory Threat Hunting</a> </li> <li> <a href="https://adsecurity.org/?p=4430">Detecting Kerberoasting Activity</a> </li> <li> <a href="https://adsecurity.org/?p=4428">Detecting Password Spraying with Security Event Auditing</a> </li> </ul> </div><div id="recent-comments-2" class="sidebar-wrap widget_recent_comments"><h3>Recent Comments</h3><ul id="recentcomments"><li class="recentcomments"><span class="comment-author-link">Derek</span> on <a href="https://adsecurity.org/?p=3592#comment-13603">Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory</a></li><li class="recentcomments"><span class="comment-author-link"><a href="https://ADSecurity.org" class="url" rel="ugc">Sean Metcalf</a></span> on <a href="https://adsecurity.org/?p=3782#comment-13545">Securing Microsoft Active Directory Federation Server (ADFS)</a></li><li class="recentcomments"><span class="comment-author-link">Brad</span> on <a href="https://adsecurity.org/?p=3782#comment-13544">Securing Microsoft Active Directory Federation Server (ADFS)</a></li><li class="recentcomments"><span class="comment-author-link">Joonas</span> on <a href="https://adsecurity.org/?p=3719#comment-13229">Gathering AD Data with the Active Directory PowerShell Module</a></li><li class="recentcomments"><span class="comment-author-link"><a href="https://ADSecurity.org" class="url" rel="ugc">Sean Metcalf</a></span> on <a href="https://adsecurity.org/?p=3719#comment-13215">Gathering AD Data with the Active Directory PowerShell Module</a></li></ul></div><div id="archives-2" class="sidebar-wrap widget_archive"><h3>Archives</h3> <ul> <li><a href='https://adsecurity.org/?m=202406'>June 2024</a></li> <li><a href='https://adsecurity.org/?m=202405'>May 2024</a></li> <li><a href='https://adsecurity.org/?m=202005'>May 2020</a></li> <li><a href='https://adsecurity.org/?m=202001'>January 2020</a></li> <li><a href='https://adsecurity.org/?m=201908'>August 2019</a></li> <li><a href='https://adsecurity.org/?m=201903'>March 2019</a></li> <li><a href='https://adsecurity.org/?m=201902'>February 2019</a></li> <li><a href='https://adsecurity.org/?m=201810'>October 2018</a></li> <li><a href='https://adsecurity.org/?m=201808'>August 2018</a></li> <li><a href='https://adsecurity.org/?m=201805'>May 2018</a></li> <li><a href='https://adsecurity.org/?m=201801'>January 2018</a></li> <li><a href='https://adsecurity.org/?m=201711'>November 2017</a></li> <li><a href='https://adsecurity.org/?m=201708'>August 2017</a></li> <li><a href='https://adsecurity.org/?m=201706'>June 2017</a></li> <li><a href='https://adsecurity.org/?m=201705'>May 2017</a></li> <li><a href='https://adsecurity.org/?m=201702'>February 2017</a></li> <li><a href='https://adsecurity.org/?m=201701'>January 2017</a></li> <li><a href='https://adsecurity.org/?m=201611'>November 2016</a></li> <li><a href='https://adsecurity.org/?m=201610'>October 2016</a></li> <li><a href='https://adsecurity.org/?m=201609'>September 2016</a></li> <li><a href='https://adsecurity.org/?m=201608'>August 2016</a></li> <li><a href='https://adsecurity.org/?m=201607'>July 2016</a></li> <li><a href='https://adsecurity.org/?m=201606'>June 2016</a></li> <li><a href='https://adsecurity.org/?m=201604'>April 2016</a></li> <li><a href='https://adsecurity.org/?m=201603'>March 2016</a></li> <li><a href='https://adsecurity.org/?m=201602'>February 2016</a></li> <li><a href='https://adsecurity.org/?m=201601'>January 2016</a></li> <li><a href='https://adsecurity.org/?m=201512'>December 2015</a></li> <li><a href='https://adsecurity.org/?m=201511'>November 2015</a></li> <li><a href='https://adsecurity.org/?m=201510'>October 2015</a></li> <li><a href='https://adsecurity.org/?m=201509'>September 2015</a></li> <li><a href='https://adsecurity.org/?m=201508'>August 2015</a></li> <li><a href='https://adsecurity.org/?m=201507'>July 2015</a></li> <li><a href='https://adsecurity.org/?m=201506'>June 2015</a></li> <li><a href='https://adsecurity.org/?m=201505'>May 2015</a></li> <li><a href='https://adsecurity.org/?m=201504'>April 2015</a></li> <li><a href='https://adsecurity.org/?m=201503'>March 2015</a></li> <li><a href='https://adsecurity.org/?m=201502'>February 2015</a></li> <li><a href='https://adsecurity.org/?m=201501'>January 2015</a></li> <li><a href='https://adsecurity.org/?m=201412'>December 2014</a></li> <li><a href='https://adsecurity.org/?m=201411'>November 2014</a></li> <li><a href='https://adsecurity.org/?m=201410'>October 2014</a></li> <li><a href='https://adsecurity.org/?m=201409'>September 2014</a></li> <li><a href='https://adsecurity.org/?m=201408'>August 2014</a></li> <li><a href='https://adsecurity.org/?m=201407'>July 2014</a></li> <li><a href='https://adsecurity.org/?m=201406'>June 2014</a></li> <li><a href='https://adsecurity.org/?m=201405'>May 2014</a></li> <li><a href='https://adsecurity.org/?m=201404'>April 2014</a></li> <li><a href='https://adsecurity.org/?m=201403'>March 2014</a></li> <li><a href='https://adsecurity.org/?m=201402'>February 2014</a></li> <li><a href='https://adsecurity.org/?m=201307'>July 2013</a></li> <li><a href='https://adsecurity.org/?m=201211'>November 2012</a></li> <li><a href='https://adsecurity.org/?m=201203'>March 2012</a></li> <li><a href='https://adsecurity.org/?m=201202'>February 2012</a></li> </ul> </div><div id="categories-2" class="sidebar-wrap widget_categories"><h3>Categories</h3> <ul> <li class="cat-item cat-item-565"><a href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a> </li> <li class="cat-item cat-item-55"><a href="https://adsecurity.org/?cat=55">Apple Security</a> </li> <li class="cat-item cat-item-431"><a href="https://adsecurity.org/?cat=431">Cloud Security</a> </li> <li class="cat-item cat-item-17"><a href="https://adsecurity.org/?cat=17">Continuing Education</a> </li> <li class="cat-item cat-item-396"><a href="https://adsecurity.org/?cat=396">Entertainment</a> </li> <li class="cat-item cat-item-347"><a href="https://adsecurity.org/?cat=347">Exploit</a> </li> <li class="cat-item cat-item-1039"><a href="https://adsecurity.org/?cat=1039">Hacking</a> </li> <li class="cat-item cat-item-168"><a href="https://adsecurity.org/?cat=168">Hardware Security</a> </li> <li class="cat-item cat-item-172"><a href="https://adsecurity.org/?cat=172">Hypervisor Security</a> </li> <li class="cat-item cat-item-126"><a href="https://adsecurity.org/?cat=126">Linux/Unix Security</a> </li> <li class="cat-item cat-item-343"><a href="https://adsecurity.org/?cat=343">Malware</a> </li> <li class="cat-item cat-item-11"><a href="https://adsecurity.org/?cat=11">Microsoft Security</a> </li> <li class="cat-item cat-item-819"><a href="https://adsecurity.org/?cat=819">Mitigation</a> </li> <li class="cat-item cat-item-48"><a href="https://adsecurity.org/?cat=48">Network/System Security</a> </li> <li class="cat-item cat-item-7"><a href="https://adsecurity.org/?cat=7">PowerShell</a> </li> <li class="cat-item cat-item-698"><a href="https://adsecurity.org/?cat=698">RealWorld</a> </li> <li class="cat-item cat-item-21"><a href="https://adsecurity.org/?cat=21">Security</a> </li> <li class="cat-item cat-item-234"><a href="https://adsecurity.org/?cat=234">Security Conference Presentation/Video</a> </li> <li class="cat-item cat-item-1045"><a href="https://adsecurity.org/?cat=1045">Security Recommendation</a> </li> <li class="cat-item cat-item-24"><a href="https://adsecurity.org/?cat=24">Technical Article</a> </li> <li class="cat-item cat-item-4"><a href="https://adsecurity.org/?cat=4">Technical Reading</a> </li> <li class="cat-item cat-item-2"><a href="https://adsecurity.org/?cat=2">Technical Reference</a> </li> <li class="cat-item cat-item-156"><a href="https://adsecurity.org/?cat=156">TheCloud</a> </li> <li class="cat-item cat-item-930"><a href="https://adsecurity.org/?cat=930">Vulnerability</a> </li> </ul> </div><div id="meta-2" class="sidebar-wrap widget_meta"><h3>Meta</h3> <ul> <li><a href="https://adsecurity.org/wp-login.php">Log in</a></li> <li><a href="https://adsecurity.org/?feed=rss2">Entries feed</a></li> <li><a href="https://adsecurity.org/?feed=comments-rss2">Comments feed</a></li> <li><a href="https://wordpress.org/">WordPress.org</a></li> </ul> </div> </div><!-- #sidebar1 --> </div><!-- #content --> <div id="sidebar_bottom" class="sidebar widget-area row footer-widget-col-3"> <div id="text-2" class="sidebar-wrap widget_text col-sm-4"><h3>Copyright</h3> <div class="textwidget">Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright 漏 2011 - 2020.</div> </div> </div> <div id="footer" class="row default-footer"> <div class="copyright-developer"> <div id="copyright"> <p>Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. </p> </div> <div id="developer"> <p> Made with <i class="fa fa-heart"></i> by <a href="https://www.graphene-theme.com/" rel="nofollow">Graphene Themes</a>. </p> </div> </div> </div><!-- #footer --> </div><!-- #container --> <!-- Start of StatCounter Code --> <script> <!-- var sc_project=10100711; var sc_security="4b306538"; var sc_invisible=1; </script> <script type="text/javascript" src="https://www.statcounter.com/counter/counter.js" async></script> <noscript><div class="statcounter"><a title="web analytics" href="https://statcounter.com/"><img class="statcounter" src="https://c.statcounter.com/10100711/0/4b306538/1/" alt="web analytics" /></a></div></noscript> <!-- End of StatCounter Code --> <a href="#" id="back-to-top" title="Back to top"><i class="fa fa-chevron-up"></i></a> <script defer type="text/javascript" src="https://adsecurity.org/wp-includes/js/comment-reply.min.js?ver=6.5.5" id="comment-reply-js" async="async" data-wp-strategy="async"></script> </body> </html>