Comments by SAERXCIT (5 results)

For what it's worth I'm currently doing the same thing for Scheduled Tasks (domain account credentials are stored DPAPI-encrypted on the machine's file system) and this might be more interesting...

Great idea! However from what I understand NTLMv1 is also enabled if `LmCompatibilityLevel` is set to `2`. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
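Added example (my own check, not code from the commenter or from the project under discussion): it reads `LmCompatibilityLevel` from the LSA registry key that the linked policy writes to and reports, for each side of the exchange, whether NTLMv1-class responses are still sent or accepted. The level-to-behaviour mapping follows the linked Microsoft page; the assumption that an unset value means level 3 matches the documented default for current Windows versions, and the `-Path` parameter is only there so the function can be pointed at an exported hive for offline review.

```powershell
# Added example: interpret LmCompatibilityLevel (Network security: LAN Manager
# authentication level). Levels per the Microsoft policy documentation:
#   0  send LM & NTLM responses
#   1  send LM & NTLM, use NTLMv2 session security if negotiated
#   2  send NTLM response only            <- still an NTLMv1 response
#   3  send NTLMv2 response only
#   4  send NTLMv2 only, DC refuses LM
#   5  send NTLMv2 only, DC refuses LM & NTLM
function Get-NtlmV1Exposure {
    param(
        # Assumed: the live LSA key; can be repointed at a loaded offline hive.
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    $item  = Get-ItemProperty -Path $Path -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.LmCompatibilityLevel } else { $null }

    # Assumption: when the value is absent, Windows 7 / Server 2008 R2 and later
    # behave as level 3 (send NTLMv2 only), which is the documented default.
    $level = if ($null -eq $value) { 3 } else { [int]$value }

    [pscustomobject]@{
        Level             = $level
        ExplicitlySet     = ($null -ne $value)
        ClientSendsLm     = ($level -le 1)   # LM response only at 0 and 1
        ClientSendsNtlmV1 = ($level -le 2)   # 0, 1 and 2 all produce an NTLMv1-class response
        DcAcceptsLm       = ($level -le 3)   # LM refused from level 4 upward
        DcAcceptsNtlmV1   = ($level -le 4)   # NTLM (v1) only refused at level 5
        Hardened          = ($level -eq 5)
    }
}

# Usage: run elevated on the host (or DC) being audited.
Get-NtlmV1Exposure | Format-List
```

Note that the client and server columns are deliberately separate: a workstation at level 3 no longer sends NTLMv1, but a domain controller at level 3 or 4 still accepts it from anything older or misconfigured, so the DC value is the one that decides whether NTLMv1 can be coerced on the wire.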

This PR has not updated `raiseChild.py`, only `ticketer.py`. That's why you don't see the `-extra-pac` flag in the help of `raiseChild.py`. If you want to exploit a child/parent trust, you...

I didn't mention that but since that update (I think) you have to create the golden ticket for an existing user and with a matching RID. I think that's why...

You can, but with a few caveats:
1. The trusting forest (FORESTB) needs to have disabled SID filtering towards your compromised forest (FORESTA).
2. You need to find an interesting...
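Added example (my own check, not the commenter's code): run from the trusting side (FORESTB in the comment's naming), it lists the trusts FORESTB holds and flags those where SID filtering has been relaxed towards the trusted forest. It decodes the raw `trustAttributes` bitmask with the bit values from MS-ADTS rather than relying on the friendlier `Get-ADTrust` properties; the reading that a forest trust with `TREAT_AS_EXTERNAL` set (what `netdom trust ... /enablesidhistory:yes` produces) lets SID-history SIDs through, and that an external trust without the `QUARANTINED_DOMAIN` bit is unfiltered, is my assumption stated in the comments. It requires the ActiveDirectory module.

```powershell
# Added example: find trusts on which SID filtering is relaxed.
Import-Module ActiveDirectory

# trustAttributes bit values (MS-ADTS).
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x00000008
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x00000040

function Get-TrustSidFilteringStatus {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$TrustAttributes,
        [string]$Direction = 'Unknown'
    )

    $isForest   = ($TrustAttributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
    $quarantine = ($TrustAttributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
    $external   = ($TrustAttributes -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0

    # Assumed interpretation:
    #  - Forest trust: filtering is on by default (only SIDs belonging to the
    #    trusted forest's own domains pass). TREAT_AS_EXTERNAL, set by
    #    /enablesidhistory:yes, additionally lets SID-history SIDs (RID >= 1000) through.
    #  - External trust: QUARANTINED_DOMAIN is the filtering switch;
    #    /quarantine:no clears it and nothing is filtered.
    $relaxed = if ($isForest) { $external } else { -not $quarantine }

    [pscustomobject]@{
        Trust              = $Name
        Direction          = $Direction
        Type               = if ($isForest) { 'Forest' } else { 'External/Other' }
        Quarantined        = $quarantine
        TreatAsExternal    = $external
        SidFilteringRelaxed = $relaxed
    }
}

# Usage: enumerate every trust this domain (FORESTB side) holds.
Get-ADTrust -Filter * -Properties TrustAttributes |
    ForEach-Object {
        Get-TrustSidFilteringStatus -Name $_.Name `
                                    -TrustAttributes $_.TrustAttributes `
                                    -Direction $_.Direction
    } |
    Format-Table -AutoSize
```

Only the trusting forest's copy of the trusted-domain object matters here, which is why the check is run on FORESTB and not on the forest you already control: FORESTA's view of the trust says nothing about what FORESTB will accept.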