This blog post aims to provide a bit more information about what Benjamin Delpy wrote in this tweet:
For this demo I run mimikatz as a least privilege, local user on a Windows workstation that is a member of my demo domain. The first step is to generate and use a golden ticket to obtain domain admin rights. The second step is to use dcsync to retrieve hashes from the domain controller.
As a freshly logged-on local user, I have no tickets:
Then I create a golden ticket for the domain admin:
And I use it:
Now my least privilege, local user is impersonating the domain administrator:
Then I retrieve the hashes for user user01 from the domain control via the DRSR protocol:
Compare the LM and NTLM hashes with the hashes in this blogpost: they are the same.
All the arguments (krbtgt, domain, domain admin username, domain SID) needed for the kerberos::golden command can be extracted from the ntds.dit file we obtained. More info on alternative methods to obtain the arguments can be found here.
@gentilkiwi told me that the domain admin username and RID can also be faked, as long that it is part of the domain admins group. It will work for about 20 minutes without checks.
If we don’t have the necessary rights (for example domain admin) to query a DC with DRSR, we get an error 5 (access denied):
You also get this error when the krbtgt NTLM hash has changed. Command ptt will seem to succeed however:
Remember that unless the password for user krbtgt is changed (which is not a standard practice), the krbtgt NTLM hash never changes. So even very old copies of ntds.dit can be used to recover hashes as described in this method.
The ticket is stored on file using asn1:
Benjamin has a YARA rule (mimikatz_kirbi_ticket) to detect such tickets:
Unfortunately, the mimikatz I use (version 2.1) uses another asn1 encoder and the rule no longer works.
Until Benjamin makes a more generic rule, you can use this updated rule:
rule mimikatz_kirbi_ticket
{
meta:
description = "KiRBi ticket for mimikatz"
author = "Benjamin DELPY (gentilkiwi); Didier Stevens"
strings:
$asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
$asn1_84 = { 76 84 ?? ?? ?? ?? 30 84 ?? ?? ?? ?? a0 84 00 00 00 03 02 01 05 a1 84 00 00 00 03 02 01 16 }
condition:
$asn1 at 0 or $asn1_84 at 0
}
This ticket file is created on disk because I use kerberos::golden’s option /ticket:, but if I use option /ptt, the ticket is immediately passed, and not written to disk.
@gentilkiwi also told me that if you impersonate a domain controller account for kerberos::dcsync, then no events are logged.
Didier Stevens 
[…] also have a video for my mimikatz: Golden Ticket + DCSync blog […]
Pingback by Video: mimikatz: Golden Ticket + DCSync | Didier Stevens — Monday 15 August 2016 @ 0:01
[…] mimikatz: Golden Ticket + DCSync […]
Pingback by Overview of Content Published In August | Didier Stevens — Sunday 18 September 2016 @ 18:36
[…] Blogpost: mimikatz: Golden Ticket + DCSync […]
Pingback by ntds.dit: Mimikatz Golden Ticket & DCSync | Didier Stevens Videos — Friday 7 October 2016 @ 12:24
[…] Delpy/@gentilkiwi’s Brucon workshop on Mimikatz inspired me to resume my work on detecting DCSync usage inside […]
Pingback by Quickpost: Mimikatz DCSync Detection | Didier Stevens — Sunday 8 October 2017 @ 22:40