Privilege Escalation

Compromise local admin

• ASREPRoasting
• Kerberoasting
• Captured NTKNv2

Pass the Hash

Once you have the hash of a user, you can use it to impersonate it. You need to use some tool that will perform the NTLM authentication using that hash, or you could create a new sessionlogon and inject that hash inside the LSASS, so when any NTLM authentication is performed, that hash will be used. The last option is what mimikatz does.

• Pass the hash

Over Pass the Hash/Pass the Key

This attack aims to use the user NTLM hash to request Kerberos tickets, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially useful in networks where NTLM protocol is disabled and only Kerberos is allowed as authentication protocol.

• Overpass the hash

Pass the Ticket

This attack is similar to Pass the Key, but instead of using hashes to request a ticket, the ticket itself is stolen and used to authenticate as its owner.

• Pass the ticket

ACLs Abuse

The compromised user could have some interesting privileges over some domain objects that could let you move laterally/escalate privileges.

• Abusing ACLs

Attacking Domain Trusts

• ExtraSids Attack from windows
• ExtraSids Attack from linux