Posts for: #Windows

How to open an ETL file

I was faced with a difficult situation where I had to find out why a SentinelOne agent would not communicate with the management portal. I ran the troubleshooting script, which generated many files, and among them there was a packet capture file.

We can use etl2pcapng.exe to convert the log files into a pcap file. The executable for the application is in the reference section.

Read more

Windows privilege escalation

init

When we have a reverse shell, from that shell we need to create a user so that we can access the domain as domain admin. However, sometimes you might have only the hash of that user but be unable to log in locally.

In such a situation, it could be beneficial to create an AD domain user and work on it.

To create the user:

PS C:\users\robb.stark\Desktop> New-ADUser adm1n
New-ADUser adm1n

To check if the user has been successfully created.

Read more