https://github.com/ccob/drsat
Disconnected RSAT - A method of running Group Policy Manager, Certificate Authority and Certificate Templates MMC snap-ins from non-domain joined machies
https://github.com/ccob/drsat
bypass gpo hook inject rsat
Last synced: over 1 year ago
JSON representation
Disconnected RSAT - A method of running Group Policy Manager, Certificate Authority and Certificate Templates MMC snap-ins from non-domain joined machies
- Host: GitHub
- URL: https://github.com/ccob/drsat
- Owner: CCob
- License: apache-2.0
- Created: 2024-09-04T16:35:02.000Z (almost 2 years ago)
- Default Branch: master
- Last Pushed: 2024-12-27T11:44:18.000Z (over 1 year ago)
- Last Synced: 2025-04-04T09:43:48.016Z (over 1 year ago)
- Topics: bypass, gpo, hook, inject, rsat
- Language: C#
- Homepage:
- Size: 25.4 KB
- Stars: 229
- Watchers: 3
- Forks: 25
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE.txt
Awesome Lists containing this project
README
# Disconnected RSAT
## Introduction
Disconnected RSAT is a launcher for the official Group Policy Manager, Certificate Authority and Certificate Templates snap-in to bypass the domain joined requirement that is needed when using the official MMC snap-in.
The tool works by injecting a C# library into MMC that will hook the various API calls to trick MMC into believing that the logged on user is a domain user. Hooks are also placed on the `NtCreateFile` API to redirect file paths that would typically be resolved via DFS to a specific domain controller.
## Prerequisites
Since Disconnected RSAT relies on the official snap-ins, you'll first need to install the Windows Remote Server Administration Tools (RSAT) on the non domain joined host you'll be operating from.
## Usage
mmc.exe is marked for auto elevation, therefore launching of `DRSAT.exe` should be performed from an elevated command prompt that has either got a relevant TGT with correct permissions imported into the same luid session or alternatively the session has been created using `runas /netonly`. This will ensure that the relevant Kerberos tickets will be fetched automatically or NTLM credentials are used for outbound network connections when `runas /netonly` has been used.
### Launching Group Policy Manager
To launch GPM to target a specific Active Directory domain, simply supply the DNS domain name of the target.
```
DRSAT gpo ad.target.com
```
### Launching Certificate Authority
Whilst the certificate authority snap-in works when disconnected from the domain, template resolution doesn't work correctly, this can be solved by launching via DRSAT
```
DRSAT cert ad.target.com
```
### Launching Certifictate Template edittor
You can also directly edit certificate templates by using the following command
```
DRSAT template ad.target.com
```
### Release
Precompiled binaries can be found on the [Releases](https://github.com/CCob/DRSAT/releases) page