I’m back-filling the blog with some of my older content. This was a Kerberos Golden Ticket attack used to simulate a SWIFT bank heist. I presented this at a customer event in Boston as well as at the Dallas Hackers Association.
Here’s basically what happens in the attack (if I can remember it correctly):
- Victim is compromised via a malicious Excel macro.
- Reconnaissance is done to find the machines where a domain admin has an active session, since that is where a DA’s credentials can be grabbed.
- Pivot to the machine with the DA session and dump the credentials from memory.
- Use the DA credentials to run DCSync against a domain controller and pull the KRBTGT account’s password hash (DCSync replicates the account secret; it does not hand you a ticket).
- Forge a Golden Ticket with the KRBTGT hash and pass it into the current session.
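The flip side of the attack chain above is what it leaves in the domain controller logs. A forged Golden Ticket is minted offline with the KRBTGT hash, so the KDC never issues it and never logs a TGT request (event 4768) for it, yet every time the ticket is used to ask for a service ticket the DC still logs a 4769. The check below, added here as an example and not code from the original talk, correlates those two events over a small set of constructed log records: a 4769 with no matching successful 4768 from the same account and host within the default 10-hour TGT lifetime is flagged, as is any ticket still using RC4-HMAC (etype 0x17), which is what an off-the-shelf Golden Ticket built from the NTLM hash produces. The field names, hosts and timestamps are all assumptions for the sample.

```python
"""Flag service-ticket requests (4769) that look like a forged TGT was used.

Added example for the Golden Ticket walkthrough; the event records below are
constructed to look like Windows Security log fields and are not real logs.
"""
from datetime import datetime, timedelta

# "Ticket Encryption Type" as logged in 4768/4769. 0x17 = RC4-HMAC, 0x12 = AES256.
RC4_HMAC = "0x17"

SAMPLE_EVENTS = [
    # Normal logon: TGT issued (4768, result 0x0), then a service ticket from the same host.
    {"ts": "2019-03-01T09:00:00", "id": 4768, "account": "jsmith",
     "ip": "10.0.0.15", "etype": "0x12", "result": "0x0"},
    {"ts": "2019-03-01T09:00:05", "id": 4769, "account": "jsmith",
     "ip": "10.0.0.15", "service": "cifs/fs01", "etype": "0x12"},
    # Suspicious: Administrator requests service tickets from a host that never
    # asked this DC for a TGT, and the tickets are RC4 (what a forged ticket uses).
    {"ts": "2019-03-01T10:12:00", "id": 4769, "account": "Administrator",
     "ip": "10.0.0.99", "service": "cifs/dc01", "etype": "0x17"},
    {"ts": "2019-03-01T10:12:03", "id": 4769, "account": "Administrator",
     "ip": "10.0.0.99", "service": "ldap/dc01", "etype": "0x17"},
    # A failed pre-auth (result 0x18) must not count as a TGT being issued.
    {"ts": "2019-03-01T10:30:00", "id": 4768, "account": "Administrator",
     "ip": "10.0.0.77", "etype": "0x12", "result": "0x18"},
    {"ts": "2019-03-01T10:30:04", "id": 4769, "account": "Administrator",
     "ip": "10.0.0.77", "service": "cifs/fs01", "etype": "0x12"},
    # Legitimate admin session: has its own successful 4768 and AES tickets.
    {"ts": "2019-03-01T11:00:00", "id": 4768, "account": "Administrator",
     "ip": "10.0.0.20", "etype": "0x12", "result": "0x0"},
    {"ts": "2019-03-01T11:00:02", "id": 4769, "account": "Administrator",
     "ip": "10.0.0.20", "service": "cifs/fs01", "etype": "0x12"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def find_suspect_tgs(events, lookback=timedelta(hours=10)):
    """Return a list of (event, reasons) for each 4769 that looks forged.

    lookback defaults to the default TGT lifetime (10 hours): a genuine ticket
    used at time T must have been issued by a 4768 no earlier than T - lookback.
    """
    issued_tgts = [e for e in events if e["id"] == 4768 and e.get("result") == "0x0"]
    suspects = []
    for event in events:
        if event["id"] != 4769:
            continue
        used_at = _when(event)
        reasons = []
        has_tgt = any(
            tgt["account"].lower() == event["account"].lower()
            and tgt["ip"] == event["ip"]
            and used_at - lookback <= _when(tgt) <= used_at
            for tgt in issued_tgts
        )
        if not has_tgt:
            reasons.append("no preceding successful 4768 from same account and host")
        if event["etype"] == RC4_HMAC:
            reasons.append("RC4-HMAC ticket encryption")
        if reasons:
            suspects.append((event, reasons))
    return suspects


if __name__ == "__main__":
    for event, reasons in find_suspect_tgs(SAMPLE_EVENTS):
        print(event["ts"], event["account"], event["ip"], event["service"], "->", "; ".join(reasons))
```

Two caveats when running something like this for real: 4768 and 4769 for the same session can land on different domain controllers, so the correlation only works over logs aggregated from every DC, and renewed or long-lived tickets will exceed the 10-hour window and show up as false positives. On the remediation side, once the KRBTGT hash has been pulled via DCSync the only fix is to reset the KRBTGT password twice, with at least one TGT lifetime between the resets, since the DC keeps the previous key and will keep accepting tickets forged with it until both resets are done.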