Logo

Attack Path Analysis – TRAINING.LOCAL

Report generated: 26 May 2026

This report identifies privilege escalation paths discovered in the TRAINING.LOCAL Active Directory environment. Each path shows how a standard user or computer account could escalate privileges to reach a high-value target such as a Domain Controller, Domain Admin account, or Certificate Authority.

Some of the relationships identified may be intentional and required for normal operations. For example, a helpdesk team may legitimately need password reset rights on user accounts, or a service account may require delegation permissions to function correctly. These should be reviewed against your organization's access requirements to confirm they are appropriate.

However, every path listed in this report represents a potential route to privilege escalation. Even where individual permissions are expected, the combination of relationships in a path may create unintended risk. Each finding should be carefully reviewed and, where the path is not operationally required, the unnecessary permissions should be removed.

37
users with escalation paths
115
computers with escalation paths

Hover any node or arrow for details.

CRITICALUsers with Escalation Paths

3-step escalation path to SCCMDB.TRAINING.LOCAL (Computer) 32 affected users

Users (32) MemberOf DOMAIN USERS Group MemberOf AUTHENTICATED USERS Group CoerceAndRelayToSMB SCCMDB.TRAINING.LOCAL Computer
Overview

32 users are members of DOMAIN USERS, then AUTHENTICATED USERS, which means they can coerce authentication and relay it via SMB to SCCMDB.TRAINING.LOCAL. An attacker could coerce SCCMDB.TRAINING.LOCAL into authenticating, relay the credentials to an SMB service to gain admin or share access, and use that foothold to harvest further credentials, particularly on SCCM-managed hosts.

Affected Users (32)
Open to load affected entities.
    Mitigation

    MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.

    CoerceAndRelayToSMB: Enable SMB signing on all Windows hosts, particularly file servers, SCCM site servers, and domain controllers, so that relayed sessions are rejected by the receiving service. Patch operating systems against known coercion techniques (PetitPotam, PrinterBug, DFSCoerce). Disable the Print Spooler and WebClient services on hosts that do not need them to reduce coercion surface.

    How to Confirm
    These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

    Step 1

    ADCS MemberOf DOMAIN USERS

    What it checks: Checks whether ADCS is a member of the DOMAIN USERS group.

    Import-Module ActiveDirectory
    $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4767"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
    $target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-513'} -server "training.local" -Properties Name -EA 0
    
    if ($target) {
        $isMember = $source.memberOf -contains $target.DistinguishedName
        if (-not $isMember -and $source.primaryGroupID) {
            $targetRID = ($target.SID.Value -split '-')[-1]
            $isMember = $source.primaryGroupID -eq [int]$targetRID
        }
        if ($isMember) {
            [PSCustomObject]@{
                Member = $source.Name
                Group = $target.Name
                Status = "Member"
            } | Format-Table -AutoSize
        }
    }

    Confirmed if the output shows a row with Status equal to Member.

    Step 2

    DOMAIN USERS MemberOf AUTHENTICATED USERS

    What it checks: Checks whether DOMAIN USERS is a member of the AUTHENTICATED USERS group.

    # Domain Users is a member of Authenticated Users by default (inherited membership)

    Confirmed if the output shows a row with Status equal to Member.

    Step 3

    AUTHENTICATED USERS CoerceAndRelayToSMB SCCMDB.TRAINING.LOCAL

    What it checks: Checks the conditions that allow authentication from SCCMDB.TRAINING.LOCAL to be coerced and relayed to an SMB service, as identified through SCCM relay analysis.

    Import-Module ActiveDirectory
    $target = (Get-ADComputer -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-1105'} -server "training.local" -Properties DNSHostName -EA 0).DNSHostName
    Invoke-Command -ComputerName $target -ScriptBlock {
        Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
    }

    Confirmed if SMB signing is not required on the target service and SCCMDB.TRAINING.LOCAL can be coerced to authenticate.

    2-step escalation path to IVORY_MCCULLOUGH (User) 2 affected users

    Users (2) MemberOf FA-MIGORDOBE-DISTLIST1 Group GenericAll IVORY_MCCULLOUGH User
    Overview

    2 users are members of the FA-MIGORDOBE-DISTLIST1 group, which means they can fully control IVORY_MCCULLOUGH. An attacker could reset IVORY_MCCULLOUGH's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

    Affected Users (2)
    Open to load affected entities.
      Mitigation

      MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.

      GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

      How to Confirm
      These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

      Step 1

      CHERILYNN.ROSELIA MemberOf FA-MIGORDOBE-DISTLIST1

      What it checks: Checks whether CHERILYNN.ROSELIA is a member of the FA-MIGORDOBE-DISTLIST1 group.

      Import-Module ActiveDirectory
      $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1488"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
      $target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-4356'} -server "training.local" -Properties Name -EA 0
      
      if ($target) {
          $isMember = $source.memberOf -contains $target.DistinguishedName
          if (-not $isMember -and $source.primaryGroupID) {
              $targetRID = ($target.SID.Value -split '-')[-1]
              $isMember = $source.primaryGroupID -eq [int]$targetRID
          }
          if ($isMember) {
              [PSCustomObject]@{
                  Member = $source.Name
                  Group = $target.Name
                  Status = "Member"
              } | Format-Table -AutoSize
          }
      }

      Confirmed if the output shows a row with Status equal to Member.

      Step 2

      FA-MIGORDOBE-DISTLIST1 GenericAll IVORY_MCCULLOUGH

      What it checks: Queries the access control list on IVORY_MCCULLOUGH for permissions held by FA-MIGORDOBE-DISTLIST1.

      Import-Module ActiveDirectory
      $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4356"} -server "training.local" -Properties Name -EA 0
      $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-3402"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
      $target.nTSecurityDescriptor.Access | Where-Object {
          $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4356"
      } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

      Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

      1-step escalation path to DC01.TRAINING.LOCAL (Computer), affects JOE.PATHFINDER

      JOE.PATHFINDER GenericAll DC01.TRAINING.LOCAL Computer
      Overview

      This user can fully control DC01.TRAINING.LOCAL (domain controller). Because DC01.TRAINING.LOCAL is a domain controller, this access leads to full domain compromise. An attacker could extract every password hash from the directory (including the krbtgt key needed to forge Kerberos tickets) and gain administrative control over every system and account in the domain.

      Affected Users (1)
      Open to load affected entities.
        Mitigation

        GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

        How to Confirm
        These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

        Step 1

        JOE.PATHFINDER GenericAll DC01.TRAINING.LOCAL

        What it checks: Queries the access control list on DC01.TRAINING.LOCAL for permissions held by JOE.PATHFINDER.

        Import-Module ActiveDirectory
        $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1154"} -server "training.local" -Properties Name -EA 0
        $target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1000"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
        $target.nTSecurityDescriptor.Access | Where-Object {
            $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-1154"
        } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

        Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

        1-step escalation path to SCCMDB.TRAINING.LOCAL (Computer), affects SQLSVC

        SQLSVC GenericAll SCCMDB.TRAINING.LOCAL Computer
        Overview

        This user can fully control SCCMDB.TRAINING.LOCAL. An attacker could configure SCCMDB.TRAINING.LOCAL to allow them to impersonate any user who accesses it (including administrators), set up an alternative login to authenticate as the machine account, or use it to move to other systems on the network.

        Affected Users (1)
        Open to load affected entities.
          Mitigation

          GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

          How to Confirm
          These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

          Step 1

          SQLSVC GenericAll SCCMDB.TRAINING.LOCAL

          What it checks: Queries the access control list on SCCMDB.TRAINING.LOCAL for permissions held by SQLSVC.

          Import-Module ActiveDirectory
          $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1112"} -server "training.local" -Properties Name -EA 0
          $target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1105"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
          $target.nTSecurityDescriptor.Access | Where-Object {
              $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-1112"
          } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

          Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

          1-step escalation path to DC01.TRAINING.LOCAL (Computer), affects WELCOMEUSER1

          WELCOMEUSER1 GenericWrite DC01.TRAINING.LOCAL Computer
          Overview

          This user can modify attributes on DC01.TRAINING.LOCAL (domain controller). Because DC01.TRAINING.LOCAL is a domain controller, this access leads to full domain compromise. An attacker could extract every password hash from the directory (including the krbtgt key needed to forge Kerberos tickets) and gain administrative control over every system and account in the domain.

          Affected Users (1)
          Open to load affected entities.
            Mitigation

            GenericWrite: Restrict write access across all properties to administrative accounts. Where a specific attribute (such as a description or phone number) needs to be updated by a service, grant the right to only that attribute rather than all. Monitor changes to sensitive attributes, particularly service principal names and delegation settings, as these are common escalation paths.

            How to Confirm
            These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

            Step 1

            WELCOMEUSER1 GenericWrite DC01.TRAINING.LOCAL

            What it checks: Queries the permissions on DC01.TRAINING.LOCAL for write access held by WELCOMEUSER1.

            Import-Module ActiveDirectory
            $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1160"} -server "training.local" -Properties Name -EA 0
            $target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1000"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
            $target.nTSecurityDescriptor.Access | Where-Object {
                $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-1160"
            } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

            Confirmed if a row is returned with ActiveDirectoryRights containing GenericWrite or WriteProperty.

            HIGHComputers with Escalation Paths

            3-step escalation path to SCCMDB.TRAINING.LOCAL (Computer) 90 affected computers

            Computers (90) MemberOf DOMAIN COMPUTERS Group MemberOf AUTHENTICATED USERS Group CoerceAndRelayToSMB SCCMDB.TRAINING.LOCAL Computer
            Overview

            90 computers are members of DOMAIN COMPUTERS, then AUTHENTICATED USERS, which means they can coerce authentication and relay it via SMB to SCCMDB.TRAINING.LOCAL. An attacker could coerce SCCMDB.TRAINING.LOCAL into authenticating, relay the credentials to an SMB service to gain admin or share access, and use that foothold to harvest further credentials, particularly on SCCM-managed hosts.

            Affected Computers (90)
            Open to load affected entities.
              Mitigation

              MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.

              CoerceAndRelayToSMB: Enable SMB signing on all Windows hosts, particularly file servers, SCCM site servers, and domain controllers, so that relayed sessions are rejected by the receiving service. Patch operating systems against known coercion techniques (PetitPotam, PrinterBug, DFSCoerce). Disable the Print Spooler and WebClient services on hosts that do not need them to reduce coercion surface.

              How to Confirm
              These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

              Step 1

              ADTEST_SOURCEC.TRAININ.. MemberOf DOMAIN COMPUTERS

              What it checks: Checks whether ADTEST_SOURCEC.TRAINING.LOCAL is a member of the DOMAIN COMPUTERS group.

              Import-Module ActiveDirectory
              $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4773"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
              $target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-515'} -server "training.local" -Properties Name -EA 0
              
              if ($target) {
                  $isMember = $source.memberOf -contains $target.DistinguishedName
                  if (-not $isMember -and $source.primaryGroupID) {
                      $targetRID = ($target.SID.Value -split '-')[-1]
                      $isMember = $source.primaryGroupID -eq [int]$targetRID
                  }
                  if ($isMember) {
                      [PSCustomObject]@{
                          Member = $source.Name
                          Group = $target.Name
                          Status = "Member"
                      } | Format-Table -AutoSize
                  }
              }

              Confirmed if the output shows a row with Status equal to Member.

              Step 2

              DOMAIN COMPUTERS MemberOf AUTHENTICATED USERS

              What it checks: Checks whether DOMAIN COMPUTERS is a member of the AUTHENTICATED USERS group.

              # Domain Computers is a member of Authenticated Users by default (inherited membership)

              Confirmed if the output shows a row with Status equal to Member.

              Step 3

              AUTHENTICATED USERS CoerceAndRelayToSMB SCCMDB.TRAINING.LOCAL

              What it checks: Checks the conditions that allow authentication from SCCMDB.TRAINING.LOCAL to be coerced and relayed to an SMB service, as identified through SCCM relay analysis.

              Import-Module ActiveDirectory
              $target = (Get-ADComputer -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-1105'} -server "training.local" -Properties DNSHostName -EA 0).DNSHostName
              Invoke-Command -ComputerName $target -ScriptBlock {
                  Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
              }

              Confirmed if SMB signing is not required on the target service and SCCMDB.TRAINING.LOCAL can be coerced to authenticate.

              1-step escalation path to LAMBERT.LOTTE (User) 3 affected computers

              Computers (3) GenericAll LAMBERT.LOTTE User
              Overview

              3 computers can fully control LAMBERT.LOTTE. An attacker could reset LAMBERT.LOTTE's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

              Affected Computers (3)
              Open to load affected entities.
                Mitigation

                GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                How to Confirm
                These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                Step 1

                AWSWWKS1000001.TRAININ.. GenericAll LAMBERT.LOTTE

                What it checks: Queries the access control list on LAMBERT.LOTTE for permissions held by AWSWWKS1000001.TRAINING.LOCAL.

                Import-Module ActiveDirectory
                $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4695"} -server "training.local" -Properties Name -EA 0
                $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1217"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                $target.nTSecurityDescriptor.Access | Where-Object {
                    $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4695"
                } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                1-step escalation path to SCCMDB.TRAINING.LOCAL (Computer) 2 affected computers

                Computers (2) AllowedToAct SCCMDB.TRAINING.LOCAL Computer
                Overview

                2 computers can impersonate users on SCCMDB.TRAINING.LOCAL. An attacker could log in to services on SCCMDB.TRAINING.LOCAL as any user, including administrators.

                Affected Computers (2)
                Open to load affected entities.
                  Mitigation

                  AllowedToAct: Audit the list of principals in the target's resource-based constrained delegation configuration and remove any that are no longer required. Delegation is a legitimate feature where a service needs to forward user credentials to another service, but it should be reviewed periodically. Monitor writes to the delegation attribute so unauthorised grants are detected.

                  How to Confirm
                  These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                  Step 1

                  ACPLBGLD.TRAINING.LOCAL AllowedToAct SCCMDB.TRAINING.LOCAL

                  What it checks: Checks whether ACPLBGLD.TRAINING.LOCAL is listed in the resource-based constrained delegation configuration on SCCMDB.TRAINING.LOCAL.

                  Import-Module ActiveDirectory
                  $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4760"} -server "training.local" -Properties Name -EA 0
                  $target = Get-ADComputer -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-1105'} -server "training.local" -Properties msDS-AllowedToActOnBehalfOfOtherIdentity,Name -EA 0
                  if($target."msDS-AllowedToActOnBehalfOfOtherIdentity") {
                      $target."msDS-AllowedToActOnBehalfOfOtherIdentity".Access | Where-Object {
                          $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4760"
                      } | Select-Object @{Name='IdentityReference';Expression={$source.Name}}, @{Name='ActiveDirectoryRights';Expression={'AllowedToAct'}}
                  }

                  Confirmed if the output returns a row with ActiveDirectoryRights equal to AllowedToAct and IdentityReference matching ACPLBGLD.TRAINING.LOCAL.

                  2-step escalation path to SCCMDB.TRAINING.LOCAL (Computer) 2 affected computers

                  Computers (2) GenericAll ADRIENNE_BRITT User GenericAll SCCMDB.TRAINING.LOCAL Computer
                  Overview

                  2 computers can fully control ADRIENNE_BRITT, which means they can fully control SCCMDB.TRAINING.LOCAL. An attacker could configure SCCMDB.TRAINING.LOCAL to allow them to impersonate any user who accesses it (including administrators), set up an alternative login to authenticate as the machine account, or use it to move to other systems on the network.

                  Affected Computers (2)
                  Open to load affected entities.
                    Mitigation

                    GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                    How to Confirm
                    These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                    Step 1

                    AWSWSECS1000000.TRAINI.. GenericAll ADRIENNE_BRITT

                    What it checks: Queries the access control list on ADRIENNE_BRITT for permissions held by AWSWSECS1000000.TRAINING.LOCAL.

                    Import-Module ActiveDirectory
                    $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4735"} -server "training.local" -Properties Name -EA 0
                    $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2329"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                    $target.nTSecurityDescriptor.Access | Where-Object {
                        $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4735"
                    } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                    Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                    Step 2

                    ADRIENNE_BRITT GenericAll SCCMDB.TRAINING.LOCAL

                    What it checks: Queries the access control list on SCCMDB.TRAINING.LOCAL for permissions held by ADRIENNE_BRITT.

                    Import-Module ActiveDirectory
                    $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2329"} -server "training.local" -Properties Name -EA 0
                    $target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1105"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                    $target.nTSecurityDescriptor.Access | Where-Object {
                        $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-2329"
                    } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                    Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                    1-step escalation path to LAWANDA_FRANKS (User), affects AZRWSECS1000000

                    AZRWSECS1000000 GenericAll LAWANDA_FRANKS User
                    Overview

                    This computer can fully control LAWANDA_FRANKS. An attacker could reset LAWANDA_FRANKS's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

                    Affected Computers (1)
                    Open to load affected entities.
                      Mitigation

                      GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                      How to Confirm
                      These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                      Step 1

                      AZRWSECS1000000.TRAINI.. GenericAll LAWANDA_FRANKS

                      What it checks: Queries the access control list on LAWANDA_FRANKS for permissions held by AZRWSECS1000000.TRAINING.LOCAL.

                      Import-Module ActiveDirectory
                      $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4731"} -server "training.local" -Properties Name -EA 0
                      $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2924"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                      $target.nTSecurityDescriptor.Access | Where-Object {
                          $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4731"
                      } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                      Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                      3-step escalation path to SCCMDB.TRAINING.LOCAL (Computer), affects BDEWSECS1000000

                      BDEWSECS1000000 MemberOf LA-MAURICIO2-DISTLIST1 Group GenericAll MI-838-ADMINGROUP1 Group GenericAll SCCMDB.TRAINING.LOCAL Computer
                      Overview

                      This computer is a member of the LA-MAURICIO2-DISTLIST1 group, which means it can fully control MI-838-ADMINGROUP1, and from there can fully control SCCMDB.TRAINING.LOCAL. An attacker could configure SCCMDB.TRAINING.LOCAL to allow them to impersonate any user who accesses it (including administrators), set up an alternative login to authenticate as the machine account, or use it to move to other systems on the network.

                      Affected Computers (1)
                      Open to load affected entities.
                        Mitigation

                        MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.

                        GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                        How to Confirm
                        These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                        Step 1

                        BDEWSECS1000000.TRAINI.. MemberOf LA-MAURICIO2-DISTLIST1

                        What it checks: Checks whether BDEWSECS1000000.TRAINING.LOCAL is a member of the LA-MAURICIO2-DISTLIST1 group.

                        Import-Module ActiveDirectory
                        $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4700"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
                        $target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-4597'} -server "training.local" -Properties Name -EA 0
                        
                        if ($target) {
                            $isMember = $source.memberOf -contains $target.DistinguishedName
                            if (-not $isMember -and $source.primaryGroupID) {
                                $targetRID = ($target.SID.Value -split '-')[-1]
                                $isMember = $source.primaryGroupID -eq [int]$targetRID
                            }
                            if ($isMember) {
                                [PSCustomObject]@{
                                    Member = $source.Name
                                    Group = $target.Name
                                    Status = "Member"
                                } | Format-Table -AutoSize
                            }
                        }

                        Confirmed if the output shows a row with Status equal to Member.

                        Step 2

                        LA-MAURICIO2-DISTLIST1 GenericAll MI-838-ADMINGROUP1

                        What it checks: Queries the access control list on MI-838-ADMINGROUP1 for permissions held by LA-MAURICIO2-DISTLIST1.

                        Import-Module ActiveDirectory
                        $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4597"} -server "training.local" -Properties Name -EA 0
                        $target = Get-ADGroup -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4169"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                        $target.nTSecurityDescriptor.Access | Where-Object {
                            $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4597"
                        } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                        Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                        Step 3

                        MI-838-ADMINGROUP1 GenericAll SCCMDB.TRAINING.LOCAL

                        What it checks: Queries the access control list on SCCMDB.TRAINING.LOCAL for permissions held by MI-838-ADMINGROUP1.

                        Import-Module ActiveDirectory
                        $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4169"} -server "training.local" -Properties Name -EA 0
                        $target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1105"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                        $target.nTSecurityDescriptor.Access | Where-Object {
                            $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4169"
                        } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                        Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                        2-step escalation path to VERNA_BRANCH (User), affects BDEWVIR1000001

                        BDEWVIR1000001 GenericAll RICH_CANNON User GenericAll VERNA_BRANCH User
                        Overview

                        This computer can fully control RICH_CANNON, which means it can fully control VERNA_BRANCH. An attacker could reset VERNA_BRANCH's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

                        Affected Computers (1)
                        Open to load affected entities.
                          Mitigation

                          GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                          How to Confirm
                          These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                          Step 1

                          BDEWVIR1000001.TRAININ.. GenericAll RICH_CANNON

                          What it checks: Queries the access control list on RICH_CANNON for permissions held by BDEWVIR1000001.TRAINING.LOCAL.

                          Import-Module ActiveDirectory
                          $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4661"} -server "training.local" -Properties Name -EA 0
                          $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2885"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                          $target.nTSecurityDescriptor.Access | Where-Object {
                              $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4661"
                          } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                          Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                          Step 2

                          RICH_CANNON GenericAll VERNA_BRANCH

                          What it checks: Queries the access control list on VERNA_BRANCH for permissions held by RICH_CANNON.

                          Import-Module ActiveDirectory
                          $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2885"} -server "training.local" -Properties Name -EA 0
                          $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2409"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                          $target.nTSecurityDescriptor.Access | Where-Object {
                              $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-2885"
                          } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                          Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                          1-step escalation path to CAROLE_ALFORD (User), affects HREWWEBS1000000

                          HREWWEBS1000000 GenericAll CAROLE_ALFORD User
                          Overview

                          This computer can fully control CAROLE_ALFORD. An attacker could reset CAROLE_ALFORD's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

                          Affected Computers (1)
                          Open to load affected entities.
                            Mitigation

                            GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                            How to Confirm
                            These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                            Step 1

                            HREWWEBS1000000.TRAINI.. GenericAll CAROLE_ALFORD

                            What it checks: Queries the access control list on CAROLE_ALFORD for permissions held by HREWWEBS1000000.TRAINING.LOCAL.

                            Import-Module ActiveDirectory
                            $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4676"} -server "training.local" -Properties Name -EA 0
                            $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-3642"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                            $target.nTSecurityDescriptor.Access | Where-Object {
                                $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4676"
                            } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                            Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                            1-step escalation path to SCCMDB.TRAINING.LOCAL (Computer), affects HREWWEBS1000001

                            HREWWEBS1000001 GenericAll SCCMDB.TRAINING.LOCAL Computer
                            Overview

                            This computer can fully control SCCMDB.TRAINING.LOCAL. An attacker could configure SCCMDB.TRAINING.LOCAL to allow them to impersonate any user who accesses it (including administrators), set up an alternative login to authenticate as the machine account, or use it to move to other systems on the network.

                            Affected Computers (1)
                            Open to load affected entities.
                              Mitigation

                              GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                              How to Confirm
                              These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                              Step 1

                              HREWWEBS1000001.TRAINI.. GenericAll SCCMDB.TRAINING.LOCAL

                              What it checks: Queries the access control list on SCCMDB.TRAINING.LOCAL for permissions held by HREWWEBS1000001.TRAINING.LOCAL.

                              Import-Module ActiveDirectory
                              $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4686"} -server "training.local" -Properties Name -EA 0
                              $target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1105"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                              $target.nTSecurityDescriptor.Access | Where-Object {
                                  $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4686"
                              } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                              Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                              2-step escalation path to LOTTIE_BLANCHARD (User), affects HREWWKS1000000

                              HREWWKS1000000 MemberOf NE-DAN-DISTLIST1 Group GenericAll LOTTIE_BLANCHARD User
                              Overview

                              This computer is a member of the NE-DAN-DISTLIST1 group, which means it can fully control LOTTIE_BLANCHARD. An attacker could reset LOTTIE_BLANCHARD's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

                              Affected Computers (1)
                              Open to load affected entities.
                                Mitigation

                                MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.

                                GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                                How to Confirm
                                These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                                Step 1

                                HREWWKS1000000.TRAININ.. MemberOf NE-DAN-DISTLIST1

                                What it checks: Checks whether HREWWKS1000000.TRAINING.LOCAL is a member of the NE-DAN-DISTLIST1 group.

                                Import-Module ActiveDirectory
                                $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4728"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
                                $target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-4338'} -server "training.local" -Properties Name -EA 0
                                
                                if ($target) {
                                    $isMember = $source.memberOf -contains $target.DistinguishedName
                                    if (-not $isMember -and $source.primaryGroupID) {
                                        $targetRID = ($target.SID.Value -split '-')[-1]
                                        $isMember = $source.primaryGroupID -eq [int]$targetRID
                                    }
                                    if ($isMember) {
                                        [PSCustomObject]@{
                                            Member = $source.Name
                                            Group = $target.Name
                                            Status = "Member"
                                        } | Format-Table -AutoSize
                                    }
                                }

                                Confirmed if the output shows a row with Status equal to Member.

                                Step 2

                                NE-DAN-DISTLIST1 GenericAll LOTTIE_BLANCHARD

                                What it checks: Queries the access control list on LOTTIE_BLANCHARD for permissions held by NE-DAN-DISTLIST1.

                                Import-Module ActiveDirectory
                                $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4338"} -server "training.local" -Properties Name -EA 0
                                $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2974"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                $target.nTSecurityDescriptor.Access | Where-Object {
                                    $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4338"
                                } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                1-step escalation path to FREIDA_GROSS (User), affects ITSWLPT1000002

                                ITSWLPT1000002 GenericAll FREIDA_GROSS User
                                Overview

                                This computer can fully control FREIDA_GROSS. An attacker could reset FREIDA_GROSS's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

                                Affected Computers (1)
                                Open to load affected entities.
                                  Mitigation

                                  GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                                  How to Confirm
                                  These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                                  Step 1

                                  ITSWLPT1000002.TRAININ.. GenericAll FREIDA_GROSS

                                  What it checks: Queries the access control list on FREIDA_GROSS for permissions held by ITSWLPT1000002.TRAINING.LOCAL.

                                  Import-Module ActiveDirectory
                                  $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4708"} -server "training.local" -Properties Name -EA 0
                                  $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-3586"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                  $target.nTSecurityDescriptor.Access | Where-Object {
                                      $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4708"
                                  } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                  Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                  1-step escalation path to BRADFORD_BUCKNER (User), affects KIOSK01

                                  KIOSK01 GenericAll BRADFORD_BUCKNER User
                                  Overview

                                  This computer can fully control BRADFORD_BUCKNER. An attacker could reset BRADFORD_BUCKNER's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

                                  Affected Computers (1)
                                  Open to load affected entities.
                                    Mitigation

                                    GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                                    How to Confirm
                                    These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                                    Step 1

                                    KIOSK01.TRAINING.LOCAL GenericAll BRADFORD_BUCKNER

                                    What it checks: Queries the access control list on BRADFORD_BUCKNER for permissions held by KIOSK01.TRAINING.LOCAL.

                                    Import-Module ActiveDirectory
                                    $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1109"} -server "training.local" -Properties Name -EA 0
                                    $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-3032"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                    $target.nTSecurityDescriptor.Access | Where-Object {
                                        $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-1109"
                                    } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                    Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                    3-step escalation path to SCCMDB.TRAINING.LOCAL (Computer), affects OGCWLPT1000000

                                    OGCWLPT1000000 GenericAll PASQUALE_SIMS User MemberOf SE-JAG-DISTLIST1 Group GenericAll SCCMDB.TRAINING.LOCAL Computer
                                    Overview

                                    This computer can fully control PASQUALE_SIMS, which is a member of SE-JAG-DISTLIST1, and from there can fully control SCCMDB.TRAINING.LOCAL. An attacker could configure SCCMDB.TRAINING.LOCAL to allow them to impersonate any user who accesses it (including administrators), set up an alternative login to authenticate as the machine account, or use it to move to other systems on the network.

                                    Affected Computers (1)
                                    Open to load affected entities.
                                      Mitigation

                                      GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                                      MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.

                                      How to Confirm
                                      These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                                      Step 1

                                      OGCWLPT1000000.TRAININ.. GenericAll PASQUALE_SIMS

                                      What it checks: Queries the access control list on PASQUALE_SIMS for permissions held by OGCWLPT1000000.TRAINING.LOCAL.

                                      Import-Module ActiveDirectory
                                      $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4742"} -server "training.local" -Properties Name -EA 0
                                      $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2679"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                      $target.nTSecurityDescriptor.Access | Where-Object {
                                          $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4742"
                                      } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                      Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                      Step 2

                                      PASQUALE_SIMS MemberOf SE-JAG-DISTLIST1

                                      What it checks: Checks whether PASQUALE_SIMS is a member of the SE-JAG-DISTLIST1 group.

                                      Import-Module ActiveDirectory
                                      $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2679"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
                                      $target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-4594'} -server "training.local" -Properties Name -EA 0
                                      
                                      if ($target) {
                                          $isMember = $source.memberOf -contains $target.DistinguishedName
                                          if (-not $isMember -and $source.primaryGroupID) {
                                              $targetRID = ($target.SID.Value -split '-')[-1]
                                              $isMember = $source.primaryGroupID -eq [int]$targetRID
                                          }
                                          if ($isMember) {
                                              [PSCustomObject]@{
                                                  Member = $source.Name
                                                  Group = $target.Name
                                                  Status = "Member"
                                              } | Format-Table -AutoSize
                                          }
                                      }

                                      Confirmed if the output shows a row with Status equal to Member.

                                      Step 3

                                      SE-JAG-DISTLIST1 GenericAll SCCMDB.TRAINING.LOCAL

                                      What it checks: Queries the access control list on SCCMDB.TRAINING.LOCAL for permissions held by SE-JAG-DISTLIST1.

                                      Import-Module ActiveDirectory
                                      $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4594"} -server "training.local" -Properties Name -EA 0
                                      $target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1105"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                      $target.nTSecurityDescriptor.Access | Where-Object {
                                          $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4594"
                                      } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                      Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                      2-step escalation path to SHELBY_ROBBINS (User), affects OGCWWKS1000000

                                      OGCWWKS1000000 MemberOf LY-BETITASBO-ADMINGROUP1 Group GenericAll SHELBY_ROBBINS User
                                      Overview

                                      This computer is a member of the LY-BETITASBO-ADMINGROUP1 group, which means it can fully control SHELBY_ROBBINS. An attacker could reset SHELBY_ROBBINS's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

                                      Affected Computers (1)
                                      Open to load affected entities.
                                        Mitigation

                                        MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.

                                        GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                                        How to Confirm
                                        These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                                        Step 1

                                        OGCWWKS1000000.TRAININ.. MemberOf LY-BETITASBO-ADMINGROUP1

                                        What it checks: Checks whether OGCWWKS1000000.TRAINING.LOCAL is a member of the LY-BETITASBO-ADMINGROUP1 group.

                                        Import-Module ActiveDirectory
                                        $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4739"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
                                        $target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-4408'} -server "training.local" -Properties Name -EA 0
                                        
                                        if ($target) {
                                            $isMember = $source.memberOf -contains $target.DistinguishedName
                                            if (-not $isMember -and $source.primaryGroupID) {
                                                $targetRID = ($target.SID.Value -split '-')[-1]
                                                $isMember = $source.primaryGroupID -eq [int]$targetRID
                                            }
                                            if ($isMember) {
                                                [PSCustomObject]@{
                                                    Member = $source.Name
                                                    Group = $target.Name
                                                    Status = "Member"
                                                } | Format-Table -AutoSize
                                            }
                                        }

                                        Confirmed if the output shows a row with Status equal to Member.

                                        Step 2

                                        LY-BETITASBO-ADMINGROUP1 GenericAll SHELBY_ROBBINS

                                        What it checks: Queries the access control list on SHELBY_ROBBINS for permissions held by LY-BETITASBO-ADMINGROUP1.

                                        Import-Module ActiveDirectory
                                        $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4408"} -server "training.local" -Properties Name -EA 0
                                        $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-3074"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                        $target.nTSecurityDescriptor.Access | Where-Object {
                                            $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4408"
                                        } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                        Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                        3-step escalation path to SCCMDB.TRAINING.LOCAL (Computer), affects SECRET

                                        SECRET MemberOf DOMAIN USERS Group MemberOf AUTHENTICATED USERS Group CoerceAndRelayToSMB SCCMDB.TRAINING.LOCAL Computer
                                        Overview

                                        This computer is a member of DOMAIN USERS, then AUTHENTICATED USERS, which means it can coerce authentication and relay it via SMB to SCCMDB.TRAINING.LOCAL. An attacker could coerce SCCMDB.TRAINING.LOCAL into authenticating, relay the credentials to an SMB service to gain admin or share access, and use that foothold to harvest further credentials, particularly on SCCM-managed hosts.

                                        Affected Computers (1)
                                        Open to load affected entities.
                                          Mitigation

                                          MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.

                                          CoerceAndRelayToSMB: Enable SMB signing on all Windows hosts, particularly file servers, SCCM site servers, and domain controllers, so that relayed sessions are rejected by the receiving service. Patch operating systems against known coercion techniques (PetitPotam, PrinterBug, DFSCoerce). Disable the Print Spooler and WebClient services on hosts that do not need them to reduce coercion surface.

                                          How to Confirm
                                          These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                                          Step 1

                                          SECRET$ MemberOf DOMAIN USERS

                                          What it checks: Checks whether SECRET$ is a member of the DOMAIN USERS group.

                                          Import-Module ActiveDirectory
                                          $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1118"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
                                          $target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-513'} -server "training.local" -Properties Name -EA 0
                                          
                                          if ($target) {
                                              $isMember = $source.memberOf -contains $target.DistinguishedName
                                              if (-not $isMember -and $source.primaryGroupID) {
                                                  $targetRID = ($target.SID.Value -split '-')[-1]
                                                  $isMember = $source.primaryGroupID -eq [int]$targetRID
                                              }
                                              if ($isMember) {
                                                  [PSCustomObject]@{
                                                      Member = $source.Name
                                                      Group = $target.Name
                                                      Status = "Member"
                                                  } | Format-Table -AutoSize
                                              }
                                          }

                                          Confirmed if the output shows a row with Status equal to Member.

                                          Step 2

                                          DOMAIN USERS MemberOf AUTHENTICATED USERS

                                          What it checks: Checks whether DOMAIN USERS is a member of the AUTHENTICATED USERS group.

                                          # Domain Users is a member of Authenticated Users by default (inherited membership)

                                          Confirmed if the output shows a row with Status equal to Member.

                                          Step 3

                                          AUTHENTICATED USERS CoerceAndRelayToSMB SCCMDB.TRAINING.LOCAL

                                          What it checks: Checks the conditions that allow authentication from SCCMDB.TRAINING.LOCAL to be coerced and relayed to an SMB service, as identified through SCCM relay analysis.

                                          Import-Module ActiveDirectory
                                          $target = (Get-ADComputer -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-1105'} -server "training.local" -Properties DNSHostName -EA 0).DNSHostName
                                          Invoke-Command -ComputerName $target -ScriptBlock {
                                              Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
                                          }

                                          Confirmed if SMB signing is not required on the target service and SCCMDB.TRAINING.LOCAL can be coerced to authenticate.

                                          2-step escalation path to LAMBERT.LOTTE (User), affects SECWAPPS1000000

                                          SECWAPPS1000000 GenericAll CL-PIRATAS12-DISTLIST1 Group GenericAll LAMBERT.LOTTE User
                                          Overview

                                          This computer can fully control CL-PIRATAS12-DISTLIST1, which means it can fully control LAMBERT.LOTTE. An attacker could reset LAMBERT.LOTTE's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

                                          Affected Computers (1)
                                          Open to load affected entities.
                                            Mitigation

                                            GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                                            How to Confirm
                                            These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                                            Step 1

                                            SECWAPPS1000000.TRAINI.. GenericAll CL-PIRATAS12-DISTLIST1

                                            What it checks: Queries the access control list on CL-PIRATAS12-DISTLIST1 for permissions held by SECWAPPS1000000.TRAINING.LOCAL.

                                            Import-Module ActiveDirectory
                                            $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4665"} -server "training.local" -Properties Name -EA 0
                                            $target = Get-ADGroup -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4190"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                            $target.nTSecurityDescriptor.Access | Where-Object {
                                                $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4665"
                                            } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                            Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                            Step 2

                                            CL-PIRATAS12-DISTLIST1 GenericAll LAMBERT.LOTTE

                                            What it checks: Queries the access control list on LAMBERT.LOTTE for permissions held by CL-PIRATAS12-DISTLIST1.

                                            Import-Module ActiveDirectory
                                            $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4190"} -server "training.local" -Properties Name -EA 0
                                            $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1217"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                            $target.nTSecurityDescriptor.Access | Where-Object {
                                                $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4190"
                                            } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                            Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                            3-step escalation path to SCCMDB.TRAINING.LOCAL (Computer), affects SECWLPT1000001

                                            SECWLPT1000001 GenericAll TERENCE_NASH User MemberOf 94-SUK-DISTLIST1 Group GenericAll SCCMDB.TRAINING.LOCAL Computer
                                            Overview

                                            This computer can fully control TERENCE_NASH, which is a member of 94-SUK-DISTLIST1, and from there can fully control SCCMDB.TRAINING.LOCAL. An attacker could configure SCCMDB.TRAINING.LOCAL to allow them to impersonate any user who accesses it (including administrators), set up an alternative login to authenticate as the machine account, or use it to move to other systems on the network.

                                            Affected Computers (1)
                                            Open to load affected entities.
                                              Mitigation

                                              GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                                              MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.

                                              How to Confirm
                                              These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                                              Step 1

                                              SECWLPT1000001.TRAININ.. GenericAll TERENCE_NASH

                                              What it checks: Queries the access control list on TERENCE_NASH for permissions held by SECWLPT1000001.TRAINING.LOCAL.

                                              Import-Module ActiveDirectory
                                              $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4749"} -server "training.local" -Properties Name -EA 0
                                              $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2563"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                              $target.nTSecurityDescriptor.Access | Where-Object {
                                                  $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4749"
                                              } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                              Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                              Step 2

                                              TERENCE_NASH MemberOf 94-SUK-DISTLIST1

                                              What it checks: Checks whether TERENCE_NASH is a member of the 94-SUK-DISTLIST1 group.

                                              Import-Module ActiveDirectory
                                              $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2563"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
                                              $target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-4654'} -server "training.local" -Properties Name -EA 0
                                              
                                              if ($target) {
                                                  $isMember = $source.memberOf -contains $target.DistinguishedName
                                                  if (-not $isMember -and $source.primaryGroupID) {
                                                      $targetRID = ($target.SID.Value -split '-')[-1]
                                                      $isMember = $source.primaryGroupID -eq [int]$targetRID
                                                  }
                                                  if ($isMember) {
                                                      [PSCustomObject]@{
                                                          Member = $source.Name
                                                          Group = $target.Name
                                                          Status = "Member"
                                                      } | Format-Table -AutoSize
                                                  }
                                              }

                                              Confirmed if the output shows a row with Status equal to Member.

                                              Step 3

                                              94-SUK-DISTLIST1 GenericAll SCCMDB.TRAINING.LOCAL

                                              What it checks: Queries the access control list on SCCMDB.TRAINING.LOCAL for permissions held by 94-SUK-DISTLIST1.

                                              Import-Module ActiveDirectory
                                              $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4654"} -server "training.local" -Properties Name -EA 0
                                              $target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1105"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                              $target.nTSecurityDescriptor.Access | Where-Object {
                                                  $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4654"
                                              } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                              Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                              1-step escalation path to LOTTIE_BLANCHARD (User), affects SECWWEBS1000001

                                              SECWWEBS1000001 GenericAll LOTTIE_BLANCHARD User
                                              Overview

                                              This computer can fully control LOTTIE_BLANCHARD. An attacker could reset LOTTIE_BLANCHARD's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

                                              Affected Computers (1)
                                              Open to load affected entities.
                                                Mitigation

                                                GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                                                How to Confirm
                                                These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                                                Step 1

                                                SECWWEBS1000001.TRAINI.. GenericAll LOTTIE_BLANCHARD

                                                What it checks: Queries the access control list on LOTTIE_BLANCHARD for permissions held by SECWWEBS1000001.TRAINING.LOCAL.

                                                Import-Module ActiveDirectory
                                                $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4707"} -server "training.local" -Properties Name -EA 0
                                                $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2974"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                                $target.nTSecurityDescriptor.Access | Where-Object {
                                                    $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4707"
                                                } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                                Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                                2-step escalation path to LAMBERT.LOTTE (User), affects SECWWKS1000000

                                                SECWWKS1000000 GenericAll AWSWWKS1000001.TRAINING.LO.. Computer GenericAll LAMBERT.LOTTE User
                                                Overview

                                                This computer can fully control AWSWWKS1000001.TRAINING.LOCAL, which means it can fully control LAMBERT.LOTTE. An attacker could reset LAMBERT.LOTTE's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

                                                Affected Computers (1)
                                                Open to load affected entities.
                                                  Mitigation

                                                  GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                                                  How to Confirm
                                                  These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                                                  Step 1

                                                  SECWWKS1000000.TRAININ.. GenericAll AWSWWKS1000001.TRAININ..

                                                  What it checks: Queries the access control list on AWSWWKS1000001.TRAINING.LOCAL for permissions held by SECWWKS1000000.TRAINING.LOCAL.

                                                  Import-Module ActiveDirectory
                                                  $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4655"} -server "training.local" -Properties Name -EA 0
                                                  $target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4695"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                                  $target.nTSecurityDescriptor.Access | Where-Object {
                                                      $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4655"
                                                  } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                                  Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                                  Step 2

                                                  AWSWWKS1000001.TRAININ.. GenericAll LAMBERT.LOTTE

                                                  What it checks: Queries the access control list on LAMBERT.LOTTE for permissions held by AWSWWKS1000001.TRAINING.LOCAL.

                                                  Import-Module ActiveDirectory
                                                  $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4695"} -server "training.local" -Properties Name -EA 0
                                                  $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1217"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                                  $target.nTSecurityDescriptor.Access | Where-Object {
                                                      $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4695"
                                                  } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                                  Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                                  1-step escalation path to DC01.TRAINING.LOCAL (Computer), affects SQLSERVER10

                                                  SQLSERVER10 WriteDacl DC01.TRAINING.LOCAL Computer
                                                  Overview

                                                  This computer can change the permissions of DC01.TRAINING.LOCAL (domain controller). Because DC01.TRAINING.LOCAL is a domain controller, this access leads to full domain compromise. An attacker could extract every password hash from the directory (including the krbtgt key needed to forge Kerberos tickets) and gain administrative control over every system and account in the domain.

                                                  Affected Computers (1)
                                                  Open to load affected entities.
                                                    Mitigation

                                                    WriteDacl: Remove the right to modify access controls on sensitive objects from any account that does not need it. Backup or identity management products may legitimately hold this right on specific objects; these should be documented, limited in scope, and monitored for changes. Enabling auditing on the object's access list helps detect unauthorised modifications.

                                                    How to Confirm
                                                    These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                                                    Step 1

                                                    SQLSERVER10.TRAINING.L.. WriteDacl DC01.TRAINING.LOCAL

                                                    What it checks: Checks whether SQLSERVER10.TRAINING.LOCAL can modify the security descriptor of DC01.TRAINING.LOCAL.

                                                    Import-Module ActiveDirectory
                                                    $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1671"} -server "training.local" -Properties Name -EA 0
                                                    $target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1000"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                                    $target.nTSecurityDescriptor.Access | Where-Object {
                                                        $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-1671"
                                                    } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                                    Confirmed if a row is returned with ActiveDirectoryRights containing WriteDacl.

                                                    1-step escalation path to JANELL_ALFORD (User), affects TSTWAPPS1000001

                                                    TSTWAPPS1000001 GenericAll JANELL_ALFORD User
                                                    Overview

                                                    This computer can fully control JANELL_ALFORD. An attacker could reset JANELL_ALFORD's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

                                                    Affected Computers (1)
                                                    Open to load affected entities.
                                                      Mitigation

                                                      GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                                                      How to Confirm
                                                      These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                                                      Step 1

                                                      TSTWAPPS1000001.TRAINI.. GenericAll JANELL_ALFORD

                                                      What it checks: Queries the access control list on JANELL_ALFORD for permissions held by TSTWAPPS1000001.TRAINING.LOCAL.

                                                      Import-Module ActiveDirectory
                                                      $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4681"} -server "training.local" -Properties Name -EA 0
                                                      $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2299"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                                      $target.nTSecurityDescriptor.Access | Where-Object {
                                                          $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4681"
                                                      } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                                      Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.

                                                      1-step escalation path to MOSES_KRAMER (User), affects TSTWLPT1000000

                                                      TSTWLPT1000000 GenericAll MOSES_KRAMER User
                                                      Overview

                                                      This computer can fully control MOSES_KRAMER. An attacker could reset MOSES_KRAMER's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.

                                                      Affected Computers (1)
                                                      Open to load affected entities.
                                                        Mitigation

                                                        GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.

                                                        How to Confirm
                                                        These commands verify each step in the path. The first step uses a sample entity from the affected list above. Replace it with any affected entity to confirm the same path exists.

                                                        Step 1

                                                        TSTWLPT1000000.TRAININ.. GenericAll MOSES_KRAMER

                                                        What it checks: Queries the access control list on MOSES_KRAMER for permissions held by TSTWLPT1000000.TRAINING.LOCAL.

                                                        Import-Module ActiveDirectory
                                                        $source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4658"} -server "training.local" -Properties Name -EA 0
                                                        $target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-3541"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
                                                        $target.nTSecurityDescriptor.Access | Where-Object {
                                                            $null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4658"
                                                        } | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights

                                                        Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.