This report identifies privilege escalation paths discovered in the TRAINING.LOCAL Active Directory environment. Each path shows how a standard user or computer account could escalate privileges to reach a high-value target such as a Domain Controller, Domain Admin account, or Certificate Authority.
Some of the relationships identified may be intentional and required for normal operations. For example, a helpdesk team may legitimately need password reset rights on user accounts, or a service account may require delegation permissions to function correctly. These should be reviewed against your organization's access requirements to confirm they are appropriate.
However, every path listed in this report represents a potential route to privilege escalation. Even where individual permissions are expected, the combination of relationships in a path may create unintended risk. Each finding should be carefully reviewed and, where the path is not operationally required, the unnecessary permissions should be removed.
Hover any node or arrow for details.
32 users are members of DOMAIN USERS, then AUTHENTICATED USERS, which means they can coerce authentication and relay it via SMB to SCCMDB.TRAINING.LOCAL. An attacker could coerce SCCMDB.TRAINING.LOCAL into authenticating, relay the credentials to an SMB service to gain admin or share access, and use that foothold to harvest further credentials, particularly on SCCM-managed hosts.
MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.
CoerceAndRelayToSMB: Enable SMB signing on all Windows hosts, particularly file servers, SCCM site servers, and domain controllers, so that relayed sessions are rejected by the receiving service. Patch operating systems against known coercion techniques (PetitPotam, PrinterBug, DFSCoerce). Disable the Print Spooler and WebClient services on hosts that do not need them to reduce coercion surface.
Step 1
What it checks: Checks whether ADCS is a member of the DOMAIN USERS group.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4767"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
$target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-513'} -server "training.local" -Properties Name -EA 0
if ($target) {
$isMember = $source.memberOf -contains $target.DistinguishedName
if (-not $isMember -and $source.primaryGroupID) {
$targetRID = ($target.SID.Value -split '-')[-1]
$isMember = $source.primaryGroupID -eq [int]$targetRID
}
if ($isMember) {
[PSCustomObject]@{
Member = $source.Name
Group = $target.Name
Status = "Member"
} | Format-Table -AutoSize
}
}
Confirmed if the output shows a row with Status equal to Member.
Step 2
What it checks: Checks whether DOMAIN USERS is a member of the AUTHENTICATED USERS group.
# Domain Users is a member of Authenticated Users by default (inherited membership)
Confirmed if the output shows a row with Status equal to Member.
Step 3
What it checks: Checks the conditions that allow authentication from SCCMDB.TRAINING.LOCAL to be coerced and relayed to an SMB service, as identified through SCCM relay analysis.
Import-Module ActiveDirectory
$target = (Get-ADComputer -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-1105'} -server "training.local" -Properties DNSHostName -EA 0).DNSHostName
Invoke-Command -ComputerName $target -ScriptBlock {
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
}
Confirmed if SMB signing is not required on the target service and SCCMDB.TRAINING.LOCAL can be coerced to authenticate.
2 users are members of the FA-MIGORDOBE-DISTLIST1 group, which means they can fully control IVORY_MCCULLOUGH. An attacker could reset IVORY_MCCULLOUGH's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Checks whether CHERILYNN.ROSELIA is a member of the FA-MIGORDOBE-DISTLIST1 group.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1488"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
$target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-4356'} -server "training.local" -Properties Name -EA 0
if ($target) {
$isMember = $source.memberOf -contains $target.DistinguishedName
if (-not $isMember -and $source.primaryGroupID) {
$targetRID = ($target.SID.Value -split '-')[-1]
$isMember = $source.primaryGroupID -eq [int]$targetRID
}
if ($isMember) {
[PSCustomObject]@{
Member = $source.Name
Group = $target.Name
Status = "Member"
} | Format-Table -AutoSize
}
}
Confirmed if the output shows a row with Status equal to Member.
Step 2
What it checks: Queries the access control list on IVORY_MCCULLOUGH for permissions held by FA-MIGORDOBE-DISTLIST1.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4356"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-3402"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4356"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This user can fully control DC01.TRAINING.LOCAL (domain controller). Because DC01.TRAINING.LOCAL is a domain controller, this access leads to full domain compromise. An attacker could extract every password hash from the directory (including the krbtgt key needed to forge Kerberos tickets) and gain administrative control over every system and account in the domain.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on DC01.TRAINING.LOCAL for permissions held by JOE.PATHFINDER.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1154"} -server "training.local" -Properties Name -EA 0
$target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1000"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-1154"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This user can fully control SCCMDB.TRAINING.LOCAL. An attacker could configure SCCMDB.TRAINING.LOCAL to allow them to impersonate any user who accesses it (including administrators), set up an alternative login to authenticate as the machine account, or use it to move to other systems on the network.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on SCCMDB.TRAINING.LOCAL for permissions held by SQLSVC.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1112"} -server "training.local" -Properties Name -EA 0
$target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1105"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-1112"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This user can modify attributes on DC01.TRAINING.LOCAL (domain controller). Because DC01.TRAINING.LOCAL is a domain controller, this access leads to full domain compromise. An attacker could extract every password hash from the directory (including the krbtgt key needed to forge Kerberos tickets) and gain administrative control over every system and account in the domain.
GenericWrite: Restrict write access across all properties to administrative accounts. Where a specific attribute (such as a description or phone number) needs to be updated by a service, grant the right to only that attribute rather than all. Monitor changes to sensitive attributes, particularly service principal names and delegation settings, as these are common escalation paths.
Step 1
What it checks: Queries the permissions on DC01.TRAINING.LOCAL for write access held by WELCOMEUSER1.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1160"} -server "training.local" -Properties Name -EA 0
$target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1000"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-1160"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericWrite or WriteProperty.
90 computers are members of DOMAIN COMPUTERS, then AUTHENTICATED USERS, which means they can coerce authentication and relay it via SMB to SCCMDB.TRAINING.LOCAL. An attacker could coerce SCCMDB.TRAINING.LOCAL into authenticating, relay the credentials to an SMB service to gain admin or share access, and use that foothold to harvest further credentials, particularly on SCCM-managed hosts.
MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.
CoerceAndRelayToSMB: Enable SMB signing on all Windows hosts, particularly file servers, SCCM site servers, and domain controllers, so that relayed sessions are rejected by the receiving service. Patch operating systems against known coercion techniques (PetitPotam, PrinterBug, DFSCoerce). Disable the Print Spooler and WebClient services on hosts that do not need them to reduce coercion surface.
Step 1
What it checks: Checks whether ADTEST_SOURCEC.TRAINING.LOCAL is a member of the DOMAIN COMPUTERS group.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4773"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
$target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-515'} -server "training.local" -Properties Name -EA 0
if ($target) {
$isMember = $source.memberOf -contains $target.DistinguishedName
if (-not $isMember -and $source.primaryGroupID) {
$targetRID = ($target.SID.Value -split '-')[-1]
$isMember = $source.primaryGroupID -eq [int]$targetRID
}
if ($isMember) {
[PSCustomObject]@{
Member = $source.Name
Group = $target.Name
Status = "Member"
} | Format-Table -AutoSize
}
}
Confirmed if the output shows a row with Status equal to Member.
Step 2
What it checks: Checks whether DOMAIN COMPUTERS is a member of the AUTHENTICATED USERS group.
# Domain Computers is a member of Authenticated Users by default (inherited membership)
Confirmed if the output shows a row with Status equal to Member.
Step 3
What it checks: Checks the conditions that allow authentication from SCCMDB.TRAINING.LOCAL to be coerced and relayed to an SMB service, as identified through SCCM relay analysis.
Import-Module ActiveDirectory
$target = (Get-ADComputer -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-1105'} -server "training.local" -Properties DNSHostName -EA 0).DNSHostName
Invoke-Command -ComputerName $target -ScriptBlock {
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
}
Confirmed if SMB signing is not required on the target service and SCCMDB.TRAINING.LOCAL can be coerced to authenticate.
3 computers can fully control LAMBERT.LOTTE. An attacker could reset LAMBERT.LOTTE's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on LAMBERT.LOTTE for permissions held by AWSWWKS1000001.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4695"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1217"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4695"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
2 computers can impersonate users on SCCMDB.TRAINING.LOCAL. An attacker could log in to services on SCCMDB.TRAINING.LOCAL as any user, including administrators.
AllowedToAct: Audit the list of principals in the target's resource-based constrained delegation configuration and remove any that are no longer required. Delegation is a legitimate feature where a service needs to forward user credentials to another service, but it should be reviewed periodically. Monitor writes to the delegation attribute so unauthorised grants are detected.
Step 1
What it checks: Checks whether ACPLBGLD.TRAINING.LOCAL is listed in the resource-based constrained delegation configuration on SCCMDB.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4760"} -server "training.local" -Properties Name -EA 0
$target = Get-ADComputer -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-1105'} -server "training.local" -Properties msDS-AllowedToActOnBehalfOfOtherIdentity,Name -EA 0
if($target."msDS-AllowedToActOnBehalfOfOtherIdentity") {
$target."msDS-AllowedToActOnBehalfOfOtherIdentity".Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4760"
} | Select-Object @{Name='IdentityReference';Expression={$source.Name}}, @{Name='ActiveDirectoryRights';Expression={'AllowedToAct'}}
}
Confirmed if the output returns a row with ActiveDirectoryRights equal to AllowedToAct and IdentityReference matching ACPLBGLD.TRAINING.LOCAL.
2 computers can fully control ADRIENNE_BRITT, which means they can fully control SCCMDB.TRAINING.LOCAL. An attacker could configure SCCMDB.TRAINING.LOCAL to allow them to impersonate any user who accesses it (including administrators), set up an alternative login to authenticate as the machine account, or use it to move to other systems on the network.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on ADRIENNE_BRITT for permissions held by AWSWSECS1000000.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4735"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2329"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4735"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
Step 2
What it checks: Queries the access control list on SCCMDB.TRAINING.LOCAL for permissions held by ADRIENNE_BRITT.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2329"} -server "training.local" -Properties Name -EA 0
$target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1105"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-2329"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer can fully control LAWANDA_FRANKS. An attacker could reset LAWANDA_FRANKS's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on LAWANDA_FRANKS for permissions held by AZRWSECS1000000.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4731"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2924"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4731"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer is a member of the LA-MAURICIO2-DISTLIST1 group, which means it can fully control MI-838-ADMINGROUP1, and from there can fully control SCCMDB.TRAINING.LOCAL. An attacker could configure SCCMDB.TRAINING.LOCAL to allow them to impersonate any user who accesses it (including administrators), set up an alternative login to authenticate as the machine account, or use it to move to other systems on the network.
MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Checks whether BDEWSECS1000000.TRAINING.LOCAL is a member of the LA-MAURICIO2-DISTLIST1 group.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4700"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
$target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-4597'} -server "training.local" -Properties Name -EA 0
if ($target) {
$isMember = $source.memberOf -contains $target.DistinguishedName
if (-not $isMember -and $source.primaryGroupID) {
$targetRID = ($target.SID.Value -split '-')[-1]
$isMember = $source.primaryGroupID -eq [int]$targetRID
}
if ($isMember) {
[PSCustomObject]@{
Member = $source.Name
Group = $target.Name
Status = "Member"
} | Format-Table -AutoSize
}
}
Confirmed if the output shows a row with Status equal to Member.
Step 2
What it checks: Queries the access control list on MI-838-ADMINGROUP1 for permissions held by LA-MAURICIO2-DISTLIST1.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4597"} -server "training.local" -Properties Name -EA 0
$target = Get-ADGroup -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4169"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4597"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
Step 3
What it checks: Queries the access control list on SCCMDB.TRAINING.LOCAL for permissions held by MI-838-ADMINGROUP1.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4169"} -server "training.local" -Properties Name -EA 0
$target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1105"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4169"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer can fully control RICH_CANNON, which means it can fully control VERNA_BRANCH. An attacker could reset VERNA_BRANCH's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on RICH_CANNON for permissions held by BDEWVIR1000001.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4661"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2885"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4661"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
Step 2
What it checks: Queries the access control list on VERNA_BRANCH for permissions held by RICH_CANNON.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2885"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2409"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-2885"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer can fully control CAROLE_ALFORD. An attacker could reset CAROLE_ALFORD's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on CAROLE_ALFORD for permissions held by HREWWEBS1000000.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4676"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-3642"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4676"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer can fully control SCCMDB.TRAINING.LOCAL. An attacker could configure SCCMDB.TRAINING.LOCAL to allow them to impersonate any user who accesses it (including administrators), set up an alternative login to authenticate as the machine account, or use it to move to other systems on the network.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on SCCMDB.TRAINING.LOCAL for permissions held by HREWWEBS1000001.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4686"} -server "training.local" -Properties Name -EA 0
$target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1105"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4686"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer is a member of the NE-DAN-DISTLIST1 group, which means it can fully control LOTTIE_BLANCHARD. An attacker could reset LOTTIE_BLANCHARD's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Checks whether HREWWKS1000000.TRAINING.LOCAL is a member of the NE-DAN-DISTLIST1 group.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4728"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
$target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-4338'} -server "training.local" -Properties Name -EA 0
if ($target) {
$isMember = $source.memberOf -contains $target.DistinguishedName
if (-not $isMember -and $source.primaryGroupID) {
$targetRID = ($target.SID.Value -split '-')[-1]
$isMember = $source.primaryGroupID -eq [int]$targetRID
}
if ($isMember) {
[PSCustomObject]@{
Member = $source.Name
Group = $target.Name
Status = "Member"
} | Format-Table -AutoSize
}
}
Confirmed if the output shows a row with Status equal to Member.
Step 2
What it checks: Queries the access control list on LOTTIE_BLANCHARD for permissions held by NE-DAN-DISTLIST1.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4338"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2974"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4338"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer can fully control FREIDA_GROSS. An attacker could reset FREIDA_GROSS's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on FREIDA_GROSS for permissions held by ITSWLPT1000002.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4708"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-3586"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4708"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer can fully control BRADFORD_BUCKNER. An attacker could reset BRADFORD_BUCKNER's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on BRADFORD_BUCKNER for permissions held by KIOSK01.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1109"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-3032"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-1109"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer can fully control PASQUALE_SIMS, which is a member of SE-JAG-DISTLIST1, and from there can fully control SCCMDB.TRAINING.LOCAL. An attacker could configure SCCMDB.TRAINING.LOCAL to allow them to impersonate any user who accesses it (including administrators), set up an alternative login to authenticate as the machine account, or use it to move to other systems on the network.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.
Step 1
What it checks: Queries the access control list on PASQUALE_SIMS for permissions held by OGCWLPT1000000.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4742"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2679"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4742"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
Step 2
What it checks: Checks whether PASQUALE_SIMS is a member of the SE-JAG-DISTLIST1 group.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2679"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
$target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-4594'} -server "training.local" -Properties Name -EA 0
if ($target) {
$isMember = $source.memberOf -contains $target.DistinguishedName
if (-not $isMember -and $source.primaryGroupID) {
$targetRID = ($target.SID.Value -split '-')[-1]
$isMember = $source.primaryGroupID -eq [int]$targetRID
}
if ($isMember) {
[PSCustomObject]@{
Member = $source.Name
Group = $target.Name
Status = "Member"
} | Format-Table -AutoSize
}
}
Confirmed if the output shows a row with Status equal to Member.
Step 3
What it checks: Queries the access control list on SCCMDB.TRAINING.LOCAL for permissions held by SE-JAG-DISTLIST1.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4594"} -server "training.local" -Properties Name -EA 0
$target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1105"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4594"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer is a member of the LY-BETITASBO-ADMINGROUP1 group, which means it can fully control SHELBY_ROBBINS. An attacker could reset SHELBY_ROBBINS's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Checks whether OGCWWKS1000000.TRAINING.LOCAL is a member of the LY-BETITASBO-ADMINGROUP1 group.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4739"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
$target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-4408'} -server "training.local" -Properties Name -EA 0
if ($target) {
$isMember = $source.memberOf -contains $target.DistinguishedName
if (-not $isMember -and $source.primaryGroupID) {
$targetRID = ($target.SID.Value -split '-')[-1]
$isMember = $source.primaryGroupID -eq [int]$targetRID
}
if ($isMember) {
[PSCustomObject]@{
Member = $source.Name
Group = $target.Name
Status = "Member"
} | Format-Table -AutoSize
}
}
Confirmed if the output shows a row with Status equal to Member.
Step 2
What it checks: Queries the access control list on SHELBY_ROBBINS for permissions held by LY-BETITASBO-ADMINGROUP1.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4408"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-3074"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4408"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer is a member of DOMAIN USERS, then AUTHENTICATED USERS, which means it can coerce authentication and relay it via SMB to SCCMDB.TRAINING.LOCAL. An attacker could coerce SCCMDB.TRAINING.LOCAL into authenticating, relay the credentials to an SMB service to gain admin or share access, and use that foothold to harvest further credentials, particularly on SCCM-managed hosts.
MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.
CoerceAndRelayToSMB: Enable SMB signing on all Windows hosts, particularly file servers, SCCM site servers, and domain controllers, so that relayed sessions are rejected by the receiving service. Patch operating systems against known coercion techniques (PetitPotam, PrinterBug, DFSCoerce). Disable the Print Spooler and WebClient services on hosts that do not need them to reduce coercion surface.
Step 1
What it checks: Checks whether SECRET$ is a member of the DOMAIN USERS group.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1118"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
$target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-513'} -server "training.local" -Properties Name -EA 0
if ($target) {
$isMember = $source.memberOf -contains $target.DistinguishedName
if (-not $isMember -and $source.primaryGroupID) {
$targetRID = ($target.SID.Value -split '-')[-1]
$isMember = $source.primaryGroupID -eq [int]$targetRID
}
if ($isMember) {
[PSCustomObject]@{
Member = $source.Name
Group = $target.Name
Status = "Member"
} | Format-Table -AutoSize
}
}
Confirmed if the output shows a row with Status equal to Member.
Step 2
What it checks: Checks whether DOMAIN USERS is a member of the AUTHENTICATED USERS group.
# Domain Users is a member of Authenticated Users by default (inherited membership)
Confirmed if the output shows a row with Status equal to Member.
Step 3
What it checks: Checks the conditions that allow authentication from SCCMDB.TRAINING.LOCAL to be coerced and relayed to an SMB service, as identified through SCCM relay analysis.
Import-Module ActiveDirectory
$target = (Get-ADComputer -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-1105'} -server "training.local" -Properties DNSHostName -EA 0).DNSHostName
Invoke-Command -ComputerName $target -ScriptBlock {
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
}
Confirmed if SMB signing is not required on the target service and SCCMDB.TRAINING.LOCAL can be coerced to authenticate.
This computer can fully control CL-PIRATAS12-DISTLIST1, which means it can fully control LAMBERT.LOTTE. An attacker could reset LAMBERT.LOTTE's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on CL-PIRATAS12-DISTLIST1 for permissions held by SECWAPPS1000000.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4665"} -server "training.local" -Properties Name -EA 0
$target = Get-ADGroup -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4190"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4665"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
Step 2
What it checks: Queries the access control list on LAMBERT.LOTTE for permissions held by CL-PIRATAS12-DISTLIST1.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4190"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1217"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4190"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer can fully control TERENCE_NASH, which is a member of 94-SUK-DISTLIST1, and from there can fully control SCCMDB.TRAINING.LOCAL. An attacker could configure SCCMDB.TRAINING.LOCAL to allow them to impersonate any user who accesses it (including administrators), set up an alternative login to authenticate as the machine account, or use it to move to other systems on the network.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
MemberOf: Review membership of the group regularly, especially if it grants administrative or sensitive rights, and remove any accounts that no longer require it. Consider whether group nesting is needed, since nested groups obscure who ultimately holds the access. Legitimate members (service accounts, role-based groups) should be documented and reviewed against your access management policy.
Step 1
What it checks: Queries the access control list on TERENCE_NASH for permissions held by SECWLPT1000001.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4749"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2563"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4749"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
Step 2
What it checks: Checks whether TERENCE_NASH is a member of the 94-SUK-DISTLIST1 group.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2563"} -server "training.local" -Properties memberOf,primaryGroupID,Name -EA 0
$target = Get-ADGroup -Filter {objectSID -eq 'S-1-5-21-1468306160-356025236-3522329279-4654'} -server "training.local" -Properties Name -EA 0
if ($target) {
$isMember = $source.memberOf -contains $target.DistinguishedName
if (-not $isMember -and $source.primaryGroupID) {
$targetRID = ($target.SID.Value -split '-')[-1]
$isMember = $source.primaryGroupID -eq [int]$targetRID
}
if ($isMember) {
[PSCustomObject]@{
Member = $source.Name
Group = $target.Name
Status = "Member"
} | Format-Table -AutoSize
}
}
Confirmed if the output shows a row with Status equal to Member.
Step 3
What it checks: Queries the access control list on SCCMDB.TRAINING.LOCAL for permissions held by 94-SUK-DISTLIST1.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4654"} -server "training.local" -Properties Name -EA 0
$target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1105"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4654"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer can fully control LOTTIE_BLANCHARD. An attacker could reset LOTTIE_BLANCHARD's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on LOTTIE_BLANCHARD for permissions held by SECWWEBS1000001.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4707"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2974"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4707"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer can fully control AWSWWKS1000001.TRAINING.LOCAL, which means it can fully control LAMBERT.LOTTE. An attacker could reset LAMBERT.LOTTE's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on AWSWWKS1000001.TRAINING.LOCAL for permissions held by SECWWKS1000000.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4655"} -server "training.local" -Properties Name -EA 0
$target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4695"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4655"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
Step 2
What it checks: Queries the access control list on LAMBERT.LOTTE for permissions held by AWSWWKS1000001.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4695"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1217"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4695"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer can change the permissions of DC01.TRAINING.LOCAL (domain controller). Because DC01.TRAINING.LOCAL is a domain controller, this access leads to full domain compromise. An attacker could extract every password hash from the directory (including the krbtgt key needed to forge Kerberos tickets) and gain administrative control over every system and account in the domain.
WriteDacl: Remove the right to modify access controls on sensitive objects from any account that does not need it. Backup or identity management products may legitimately hold this right on specific objects; these should be documented, limited in scope, and monitored for changes. Enabling auditing on the object's access list helps detect unauthorised modifications.
Step 1
What it checks: Checks whether SQLSERVER10.TRAINING.LOCAL can modify the security descriptor of DC01.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1671"} -server "training.local" -Properties Name -EA 0
$target = Get-ADComputer -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-1000"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-1671"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing WriteDacl.
This computer can fully control JANELL_ALFORD. An attacker could reset JANELL_ALFORD's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on JANELL_ALFORD for permissions held by TSTWAPPS1000001.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4681"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-2299"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4681"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.
This computer can fully control MOSES_KRAMER. An attacker could reset MOSES_KRAMER's password and log in as them, configure an alternative login method to access the account without the password, or if the account runs a service, crack its password offline.
GenericAll: Remove GenericAll from non-admin principals where possible. Replace it with the minimum specific rights needed, for example ForceChangePassword for helpdesk password resets, rather than full control. Helpdesk teams and service accounts may have legitimate broad rights, so document these, audit the list, and monitor for changes.
Step 1
What it checks: Queries the access control list on MOSES_KRAMER for permissions held by TSTWLPT1000000.TRAINING.LOCAL.
Import-Module ActiveDirectory
$source = Get-ADObject -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-4658"} -server "training.local" -Properties Name -EA 0
$target = Get-ADUser -Filter {objectSID -eq "S-1-5-21-1468306160-356025236-3522329279-3541"} -Properties nTSecurityDescriptor -server "training.local" -EA 0
$target.nTSecurityDescriptor.Access | Where-Object {
$null -ne $_.IdentityReference -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-21-1468306160-356025236-3522329279-4658"
} | Select-Object @{Name='Source';Expression={$source.Name}}, @{Name='Target';Expression={$target.Name}}, ActiveDirectoryRights
Confirmed if a row is returned with ActiveDirectoryRights containing GenericAll.