Hello,
I had 2 questions regarding you post, if you don't mind:
1. In your last screenshot, you're performing dcsync under bob's account (who's a local admin on the compromise machine anyway). Did you manage to achieve the same under tim's account, who you just privilege escalated under?
2. Secondly, if the attack was successful (under tim's account), is there a way embedded in your PowerPriv script to remove tim's elevated privileges after the attack has completed? (We wouldn't want to leave clients' networks more vulnerable than before).
Other than that, very cool and useful post. Can't wait to test it out! :) Thanks for this!
