spotless has GenericAll rights on the AD object for the user delegate:

spotless has the GenericAll rights, effectively enabling the attacker to take over the account:

delegate password without knowing the current password:

Domain admins group has any weak permissions. First off, let's get its distinguishedName:

spotless has GenericAll rights once again:

spotless) to the Domain Admin group:

WriteProperty right on All objects for Domain Admin group:

Domain Admins group and escalate privileges:

ExtendedRight on User-Force-Change-Password object type, we can reset the user's password without knowing their current password:

Domain Admins is Domain Admins:

WriteOwner rights on ObjectType:All

Domain Admins object's owner to our user, which in our case is spotless. Note that the SID specified with -Identity is the SID of the Domain Admins group:

WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time the user delegate logs on, their system will execute our malicious script:

delegate logon script field got updated in the AD:

Test AD group:

WriteDACL on that AD object:

Set-Acl / Get-Acl cmdlets: