Maximizing Value for the Client

• Thoroughly assess alternative attack paths:
  • If you've achieved Domain Admin, don’t stop—retrace your steps and explore other potential paths.
  • Identify misconfigurations, privilege escalation opportunities, or lateral movement techniques that could lead to Domain Admin access.
• Extract valuable intelligence:
  • Dump and crack the NTDS.dit to analyze password security and potential credential reuse.
  • Enumerate network shares to uncover sensitive information.
  • Ensure that unnecessary or improperly secured data is not exposed on the network.

Planning for Persistence

• What if Domain Admin access is lost?
  • Create a backup method to regain access, ensuring you can continue assessments effectively.
• Consider creating a temporary Domain Admin account:
  • Having a dedicated account provides flexibility during engagements.
  • Use it for detection testing: If you're able to create a Domain Admin account without triggering alerts, it's a major security gap that should be addressed.
  • IMPORTANT: Always delete the account after testing to restore the environment to its original state.
• Golden Tickets can provide long-term access:
  • A Golden Ticket (forged Kerberos TGT) allows persistence without needing password hashes, making it a powerful option.
• Leave no trace:
  • Ensure the environment is exactly as you found it. Any persistence mechanisms used for testing should be removed to maintain integrity.
• And finally—celebrate your success! 🎉