Sendai starts with a password spray to get some initial credentials for two users. These users are in a group that can make a couple of AD hops to read a GMSA password and get a shell. From here, there are two paths. One involves finding creds for a user in a running service command line, and then abusing that user’s access to ADCS to exploit ESC4. The other involves MSSQL credentials from an SMB share, tunneling with Chisel, a Silver Ticket, and SeImpersonate.
