In this video, Trenton Ivey, Secureworks Offensive Researcher, Counter Threat Unit and Adversarial Security Testing, gives a demonstration of how, after initial compromise, an attacker would obtain a domain administrator's password using Mimikatz.
We now have administrative level access to a system owned by a domain controller. Let's use Mimikatz to try to pull credentials from memory and recover the domain administrator's password. Mimikatz has recovered the user's domain password. This password isn't bad; this credential would've taken a very long time for us to crack.
Fortunately for us, local admin access enabled us to read system memory with Mimikatz and get a clear text domain admin credential. While not the most stealthy approach, let's see if we can get access to the domain controller by using Invoke_wmi once again.
We now have administrative access to the domain controller. Let's use Mimikatz one more time. This time, we'll dump domain user hashes from the LSASS process. There are safer and stealthier ways to do this, but this method will be good enough for now. Now we can become anyone we want.
With a KRBTGT token, we can create our own Kerberos tickets for anyone in the domain. Now the only way for the blue team to keep us out of the domain account is to reset the whole domain. All we need to do now is to complete the remaining objectives.
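The two steps narrated above, reading LSASS memory and logging on with a forged Kerberos ticket, both leave telemetry a defender can alert on. The script below is an added example, not code from the video or from Secureworks, that runs two simple detection rules over constructed Sysmon and Windows Security log records. It assumes the standard Sysmon Event ID 10 (ProcessAccess) fields SourceImage, TargetImage and GrantedAccess and the Security Event ID 4624 fields TargetUserName and TargetDomainName; the process allow-list and the domain name CORP are constructed placeholders.

```python
"""Added example (not from the Secureworks video): detection logic for
LSASS memory reads and for logons whose domain field does not match the
monitored domain, run over constructed sample log records."""
from dataclasses import dataclass
from typing import List, Optional

# PROCESS_VM_READ is the access right a process needs to read another
# process's memory; credential dumpers request it against lsass.exe.
PROCESS_VM_READ = 0x0010

# Constructed allow-list of images that routinely open LSASS. Tune this
# per environment; it is an illustrative assumption, not a vendor list.
LSASS_READERS_ALLOWED = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
}

# Constructed NetBIOS name of the domain being monitored.
EXPECTED_DOMAIN = "CORP"


@dataclass
class Finding:
    rule: str
    detail: str


def detect_lsass_read(event: dict) -> Optional[Finding]:
    """Sysmon EID 10: flag any non-allow-listed process that opens lsass.exe
    with PROCESS_VM_READ in its granted access mask."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    source = event.get("SourceImage", "")
    if granted & PROCESS_VM_READ and source not in LSASS_READERS_ALLOWED:
        return Finding("lsass_memory_read",
                       f"{source} opened LSASS with access 0x{granted:X}")
    return None


def detect_suspicious_logon(event: dict) -> Optional[Finding]:
    """Security EID 4624: a logon for a named user whose domain field is
    blank or differs from the monitored domain is a classic indicator of
    a forged ticket (the domain controller never issued the logon)."""
    if event.get("EventID") != 4624:
        return None
    user = event.get("TargetUserName", "")
    domain = event.get("TargetDomainName", "")
    # Skip machine accounts and well-known system principals.
    if not user or user.endswith("$") or user.upper() in {"ANONYMOUS LOGON", "SYSTEM"}:
        return None
    if domain.upper() != EXPECTED_DOMAIN:
        return Finding("logon_domain_mismatch",
                       f"{user} logged on with domain '{domain}'")
    return None


def scan(events: List[dict]) -> List[Finding]:
    """Apply every rule to every event and collect the findings in order."""
    findings = []
    for ev in events:
        for rule in (detect_lsass_read, detect_suspicious_logon):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample records (not real telemetry). Record 2 is an unknown
# binary reading LSASS; record 4 is a user logon with an empty domain.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\admin\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetDomainName": "CORP"},
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetDomainName": ""},
    {"EventID": 4624, "TargetUserName": "WS01$", "TargetDomainName": "CORP"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.rule, "-", finding.detail)
```

Running the block reports one `lsass_memory_read` finding for the unknown binary and one `logon_domain_mismatch` finding for the blank-domain logon. The first rule catches the memory read regardless of which tool performs it, which is why it survives the "safer and stealthier" variants the narrator alludes to; the second rule is a heuristic only, since a carefully forged ticket can carry a correct domain field, so in practice it is paired with checks on ticket encryption type and on the KRBTGT password being rotated twice after an incident.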
Secureworks (NASDAQ: SCWX), a global cybersecurity leader, enables our customers and partners to outpace and outmaneuver adversaries with more precision, so they can rapidly adapt and respond to market forces to meet their business needs. With a unique combination of a cloud-native SaaS security platform and intelligence-driven security solutions, informed by 20+ years of threat intelligence and research, no other security platform is grounded and informed with this much real-world experience.