Schedule one-on-one coaching to pass the OSCP:
https://live.vcita.com/site/unknownartists
-
Master these 10 Terms/Concepts and you'll be a Beast!
10. ReadGMSAPassword
Description: ReadGMSAPassword allows an attacker to use the password of a Group Managed Service Account which usually has elevated privileges.
Environment: Search from HacktheBox
Timestamp: 2:30
9. GenericWrite/GenericAll/AllExtendedRights
Description: GenericAll allows an attacker to modify the object in question. In this example, we change the password of a Domain Administrator. GenericWrite allows the modification of certain things (More on this in Object from Hackthebox).
Environment: Search from HacktheBox
Timestamp: 12:20
8. ForceChangePassword
Description: ForceChangePassword allows an attacker to change the password of the object in question.
Environment: Object from Hackthebox
Timestamp: 16:31
7. PowerView
Description: Allows for additional manipulation of Active Directory. Many of the commands presented by BloodHound require PowerView.
Environment: Object from Hackthebox
Timestamp: 17:00
6. WriteOwner
Description: WriteOwner permission allows an attacker to set the owner of the object and make themselves a member of the object.
Environment: Object from HackTheBox
Timestamp: 23:48
5. SeBackupPrivilege and SeRestorePrivilege
Description: SeBackupPrivilege and SeRestorePrivilege allow the attacker access to any file on the machine, provided they take the appropriate steps. In this example, we acquire NTDS.dit and System.hive.
Environment: Blackfield from Hackthebox
Timestamp: 28:12
4. NTDS.dit and System.hive
Description: With these files and the appropriate permissions, an attacker can dump hashes from the Domain Controller using DCSync.
Environment: Blackfield from Hackthebox
Timestamp: 34:38
3. Account Operators/WriteDACL
Description: As a member of the Account Operators group, an attacker can create users and place them in non-protected groups. Placing a new user in a group with WriteDACL enables an attacker to modify the new user's DACL. In this example, we give our new user DCSync rights.
Environment: Forest from Hackthebox
Timestamp: 42:24
2. Bypassing AMSI
Description: It may be necessary to bypass the anti-virus in Active Directory. Attackers can attempt to bypass AMSI with the Bypass-4MSI command in Evil-WinRM. Always run this command before introducing a malicious script to the environment.
Environment: Forest from Hackthebox
Timestamp: 48:11
1. DCSYNC/GetChangesAll/Replication
Description: This is number one because it's the most fun. DCSync allows an attacker to impersonate a failover Domain Controller. In that context, the production Domain Controller shares all user hashes upon request, ergo DCSYNC. GetChangesAll, Replication and AllowedToDelegate all point toward the possibility of DCSYNC.
Environment: Forest/Sizzle
Timestamp: 53:14
-
Patreon:
https://www.patreon.com/cyberthreatdivision
Patreon helps keep this channel live. Support our Patreon Today.
-
Bio
-----
Daily job is Threat Hunting APTs for a Large Organization. I'm Blue during my day job and Red during my self-training. 100% Active Directory.
5 Years of Cyber Security experience
4 Years of HackTheBox membership
OSCP (2021)
GXPN (2020)
CEH (2017)
CHFI (2017)