Grupos con privilegios que contienen demasiados miembros.
Grupos que no deberían existir (por ejemplo, restos de pruebas o configuraciones antiguas).
Grupos anidados que pueden ser explotados para elevar privilegios de forma indirecta.
Grupos relevantes en AD:
Administradores del Dominio (Domain Admins): Miembros de este grupo tienen permisos completos y de control total en el dominio. Es el grupo más poderoso y es el objetivo principal para muchos atacantes.
Administradores de la Empresa (Enterprise Admins): Estos administradores tienen permisos en todos los dominios de un bosque. Si una organización tiene múltiples dominios, este grupo es aún más poderoso que "Domain Admins".
Administradores de Esquema (Schema Admins): Los miembros de este grupo pueden modificar el esquema del AD, que es la estructura subyacente que define objetos y atributos.
Usuarios del Dominio (Domain Users): Este grupo incluye todas las cuentas de usuario en un dominio. A menudo se verifica para identificar posibles cuentas huérfanas o no utilizadas.
Computadoras del Dominio (Domain Computers): Este grupo incluye todas las estaciones de trabajo y servidores unidos al dominio.
Controladores de Dominio (Domain Controllers): Este grupo incluye todos los controladores de dominio en un dominio. Es esencial garantizar que sólo las máquinas confiables sean parte de este grupo.
Política de replicación de lectura (Read-Only Domain Controllers - RODC): Si la organización utiliza RODCs, es esencial garantizar que estén configurados correctamente.
Enumeración de Computadoras
Vulnerabilidades posibles:
Sistemas sin parches o desactualizados.
Computadoras con servicios vulnerables expuestos.
Identificación de sistemas críticos, como servidores de bases de datos o controladores de dominio.
Enumeración de GPO
Vulnerabilidades posibles:
Políticas mal configuradas que podrían permitir a un atacante moverse libremente o elevar privilegios.
GPOs que establecen configuraciones inseguras o permisos laxos.
Información sobre scripts de inicio o cierre de sesión que podrían ser explotados.
GPOs relevantes en AD:
Default Domain Policy: Esta es la GPO que se aplica a todo el dominio. A menudo se revisa para configuraciones de seguridad, como políticas de contraseñas y restricciones de cuenta.
Default Domain Controllers Policy: Se aplica específicamente a los controladores de dominio. Es crucial revisarla para configuraciones que afecten la seguridad de los controladores de dominio, como configuraciones de auditoría y derechos de usuario.
Account Lockout Policy: Esta política define cuántos intentos de inicio de sesión fallidos causarán que una cuenta sea bloqueada y durante cuánto tiempo. Es fundamental para proteger contra intentos de fuerza bruta.
Password Policy: Define los requisitos para contraseñas de usuario, como longitud mínima, complejidad y duración máxima.
Enumeración de ACL
Vulnerabilidades posibles:
ACLs mal configuradas que otorgan acceso excesivo a recursos críticos.
Permisos heredados que no deberían aplicarse a ciertos recursos.
Posibilidades de escalada de privilegios debido a permisos inapropiados.
Get-NetDomain #Basic domain info
#User info
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount #Basic user enabled info
Get-NetUser -LDAPFilter '(sidHistory=*)' #Find users with sidHistory set
Get-NetUser -PreauthNotRequired #ASREPRoastable users
Get-NetUser -SPN #Kerberoastable users
#Groups info
Get-NetGroup | select samaccountname, admincount, description
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=EGOTISTICAL-BANK,DC=local' | %{ $_.SecurityIdentifier } | Convert-SidToName #Get AdminSDHolders
#Computers
Get-NetComputer | select samaccountname, operatingsystem
Get-NetComputer -Unconstrained | select samaccountname #DCs always appear but aren't useful for privesc
Get-NetComputer -TrustedToAuth | select samaccountname #Find computers with Constrained Delegation
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'} #Find any machine accounts in privileged groups
#Shares
Find-DomainShare -CheckShareAccess #Search readable shares
#Domain trusts
Get-NetDomainTrust #Get all domain trusts (parent, children and external)
Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found
#LHF
#Check if any user passwords are set
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
#Asks DC for all computers, and asks every compute if it has admin access (very noisy). You need RCP and SMB ports opened.
Find-LocalAdminAccess
#Get members from Domain Admins (default) and a list of computers and check if any of the users is logged in any machine running Get-NetSession/Get-NetLoggedon on each host. If -Checkaccess, then it also check for LocalAdmin access in the hosts.
Invoke-UserHunter -CheckAccess
#Find interesting ACLs
Invoke-ACLScanner -ResolveGUIDs | select IdentityReferenceName, ObjectDN, ActiveDirectoryRights | fl
# Domain Info
Get-NetDomain #Get info about the current domain
Get-NetDomain -Domain mydomain.local
Get-DomainSID #Get domain SID
## Policy
Get-DomainPolicy #Get info about the policy
(Get-DomainPolicy)."KerberosPolicy" #Kerberos tickets info(MaxServiceAge)
(Get-DomainPolicy)."SystemAccess" #Password policy
(Get-DomainPolicy).PrivilegeRights #Check your privileges
## Domain Controller
Get-NetDomainController -Domain mydomain.local #Get Domain Controller
# Users
Get-NetUser #Get users with several (not all) properties
Get-NetUser | select -ExpandProperty samaccountname #List all usernames
Get-NetUser -UserName student107 #Get info about a user
Get-NetUser -properties name, description #Get all descriptions
Get-NetUser -properties name, pwdlastset, logoncount, badpwdcount #Get all pwdlastset, logoncount and badpwdcount
Find-UserField -SearchField Description -SearchTerm "built" #Search account with "something" in a parameter
## Users Filters
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE -properties distinguishedname #All enabled users
Get-NetUser -UACFilter ACCOUNTDISABLE #All disabled users
Get-NetUser -UACFilter SMARTCARD_REQUIRED #Users that require a smart card
Get-NetUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname #Not smart card users
Get-NetUser -LDAPFilter '(sidHistory=*)' #Find users with sidHistory set
Get-NetUser -PreauthNotRequired #ASREPRoastable users
Get-NetUser -SPN | select serviceprincipalname #Kerberoastable users
Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'} #Domain admins kerberostable
Get-Netuser -TrustedToAuth #Useful for Kerberos constrain delegation
Get-NetUser -AllowDelegation -AdminCount #All privileged users that aren't marked as sensitive/not for delegation
# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
}
#Groups
Get-NetGroup #Get groups
Get-NetGroup -Domain mydomain.local #Get groups of an specific domain
Get-NetGroup 'Domain Admins' #Get all data of a group
Get-NetGroup -AdminCount #Search admin grups
Get-NetGroup -UserName "myusername" #Get groups of a user
Get-NetGroupMember -Identity "Administrators" -Recurse #Get users inside "Administrators" group. If there are groups inside of this grup, the -Recurse option will print the users inside the others groups also
Get-NetGroupMember -Identity "Enterprise Admins" -Domain mydomain.local #Remember that "Enterprise Admins" group only exists in the rootdomain of the forest
Get-NetLocalGroup -ComputerName dc.mydomain.local -ListGroups #Get Local groups of a machine (you need admin rights in no DC hosts)
Get-NetLocalGroupMember -computername dcorp-dc.dollarcorp.moneycorp.local #Get users of localgroups in computer
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs #Check AdminSDHolder users
Get-NetGPOGroup #Get restricted groups
# Computers
Get-NetComputer #Get all computer objects
Get-NetComputer -Ping #Send a ping to check if the computers are working
Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
Get-NetComputer -TrustedToAuth #Find computers with Constrined Delegation
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'} #Find any machine accounts in privileged groups
Get-NetLoggedon -ComputerName <servername> #Get net logon users at the moment in a computer (need admins rights on target)
Get-NetSession -ComputerName <servername> #Get active sessions on the host
Get-LoggedOnLocal -ComputerName <servername> #Get locally logon users at the moment (need remote registry (default in server OS))
Get-LastLoggedon -ComputerName <servername> #Get last user logged on (needs admin rigths in host)
Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (needs admin rights in host)
Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of servers
Find-DomainShare -CheckShareAccess #Search readable shares
Find-InterestingDomainShareFile #Find interesting files, can use filters
#GPO
Get-NetGPO #Get all policies with details
Get-NetGPO | select displayname #Get the names of the policies
Get-NetGPO -ComputerName <servername> #Get the policy applied in a computer
gpresult /V #Get current policy
# Enumerate permissions for GPOs where users with RIDs of > -1000 have some kind of modification/control rights
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')}
Get-NetGPO -GPOName '{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}' #Get GPO of an OU
#OU
Get-NetOU #Get Organization Units
Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers inside an OU (StudentMachines in this case)
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs #Get ACLs of an object (permissions of other objects over the indicated one)
Get-PathAcl -Path "\\dc.mydomain.local\sysvol" #Get permissions of a file
Find-InterestingDomainAcl -ResolveGUIDs #Find intresting ACEs (Interesting permisions of "unexpected objects" (RID>1000 and modify permissions) over other objects
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"} #Check if any of the interesting permissions founds is realated to a username/group
Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "false"} | %{Get-ObjectACL -SamAccountName $_.MemberName -ResolveGUIDs} | select ObjectDN, IdentityReference, ActiveDirectoryRights #Get special rights over All administrators in domain
Get-NetDomainTrust #Get all domain trusts (parent, children and external)
Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found
Get-DomainTrustMapping #Enumerate also all the trusts
Get-ForestGlobalCatalog #Get info of current forest (no external)
Get-ForestGlobalCatalog -Forest external.domain #Get info about the external forest (if possible)
Get-DomainTrust -SearchBase "GC://$($ENV:USERDNSDOMAIN)"
Get-NetForestTrust #Get forest trusts (it must be between 2 roots, trust between a child and a root is just an external trust)
Get-DomainForeingUser #Get users with privileges in other domains inside the forest
Get-DomainForeignGroupMember #Get groups with privileges in other domains inside the forest
PS C:\> Get-NetUser -properties name, description
name description
---- -----------
Administrator Built-in account for administering the computer/domain
Guest Built-in account for guest access to the computer/domain
admin
krbtgt Key Distribution Center Service Account
regular.user
dnsadmin.user
unconstrained.user
constrained.user
userwrite.user
userall.user
compwrite.user
gpowrite.user
lapsread.user LAPS yet to be implemented
groupwrite.user
writedacldc.user
readgmsa.user GMSA yet to be implemented
clearpass.user Remember to remove this! Password@1
roast.user
asrep.user
AdminWebServer
PS C:\v> Get-NetGroup | select samaccountname, admincount, description
samaccountname admincount description
-------------- ---------- -----------
Administrators 1 Administrators have complete and unrestricted access to the compu...
Users Users are prevented from making accidental or intentional system-...
Guests Guests have the same access as members of the Users group by defa...
Print Operators 1 Members can administer printers installed on domain controllers
Backup Operators 1 Backup Operators can override security restrictions for the sole ...
Replicator 1 Supports file replication in a domain
Remote Desktop Users Members in this group are granted the right to logon remotely
Network Configuration Operators Members in this group can have some administrative privileges to ...
Performance Monitor Users Members of this group can access performance counter data locally...
Performance Log Users Members of this group may schedule logging of performance counter...
Distributed COM Users Members are allowed to launch, activate and use Distributed COM o...
IIS_IUSRS Built-in group used by Internet Information Services.
Cryptographic Operators Members are authorized to perform cryptographic operations.
Event Log Readers Members of this group can read event logs from local machine
Certificate Service DCOM Access Members of this group are allowed to connect to Certification Aut...
RDS Remote Access Servers Servers in this group enable users of RemoteApp programs and pers...
RDS Endpoint Servers Servers in this group run virtual machines and host sessions wher...
RDS Management Servers Servers in this group can perform routine administrative actions ...
Hyper-V Administrators Members of this group have complete and unrestricted access to al...
Access Control Assistance Operators Members of this group can remotely query authorization attributes...
Remote Management Users Members of this group can access WMI resources over management pr...
Storage Replica Administrators Members of this group have complete and unrestricted access to al...
Domain Computers All workstations and servers joined to the domain
Domain Controllers 1 All domain controllers in the domain
Schema Admins 1 Designated administrators of the schema
Enterprise Admins 1 Designated administrators of the enterprise
Cert Publishers Members of this group are permitted to publish certificates to th...
Domain Admins 1 Designated administrators of the domain
Domain Users All domain users
Domain Guests All domain guests
Group Policy Creator Owners Members in this group can modify group policy for the domain
RAS and IAS Servers Servers in this group can access remote access properties of users
Server Operators 1 Members can administer domain servers
Account Operators 1 Members can administer domain user and group accounts
Pre-Windows 2000 Compatible Access A backward compatibility group which allows read access on all us...
Incoming Forest Trust Builders Members of this group can create incoming, one-way trusts to this...
Windows Authorization Access Group Members of this group have access to the computed tokenGroupsGlob...
Terminal Server License Servers Members of this group can update user accounts in Active Director...
Allowed RODC Password Replication Group Members in this group can have their passwords replicated to all ...
Denied RODC Password Replication Group Members in this group cannot have their passwords replicated to a...
Read-only Domain Controllers 1 Members of this group are Read-Only Domain Controllers in the domain
Enterprise Read-only Domain Controllers Members of this group are Read-Only Domain Controllers in the ent...
Cloneable Domain Controllers Members of this group that are domain controllers may be cloned.
Protected Users Members of this group are afforded additional protections against...
Key Admins 1 Members of this group can perform administrative actions on key o...
Enterprise Key Admins 1 Members of this group can perform administrative actions on key o...
DnsAdmins DNS Administrators Group
DnsUpdateProxy DNS clients who are permitted to perform dynamic updates on behal...
PS C:\> Get-NetComputer | select samaccountname, operatingsystem
samaccountname operatingsystem
-------------- ---------------
FIRST-DC$ Windows Server 2019 Datacenter
Suspicious-PC$
USER-SERVER$ Windows Server 2019 Datacenter
WEBSERVER$ Windows Server 2022 Datacenter
