I just tested AD-miner on my personal lab and found out that there may be an incomplete/incorrect short-cut.
Let's say we own the walter.white user, which has GenericAll on the Users container as shown below:
According to AD-miner, we could get to the Domain Admins group, which I think is not feasible (even though it's a member of the container). The exploitation steps could be as below:
1. Change the inheritance in the Users container to "This object and all descendant objects" (we assume it previously was "This object only").
2. The difficulty starts from here: in an ideal world we could add ourselves to the Domain Admins group. However, since this group has AdminCount=1 by default, it won't inherit ACEs from its parent containers or OUs; so we can't. There are some groups that can be abused to become domain admin, such as the Cert Publishers group under some circumstances, or maybe the Group Policy Creator Owners group (I believe, I haven't tested).
My take on this: if my analysis is right, then I believe this path should not be so straightforward. Having a GenericAll privilege on the Users container means we can reach some Tier-0 groups that are not protected by this AdminCount=1. So, I think it may be better to either point out these groups directly, or create a transitive link from these groups to the Domain Admins group if there's indeed a path.
Edit: I just realized it was probably due to how BloodHound works, rather than AD-miner. I think it's best to close the issue then 😅
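The check the analysis above rests on, as an added example that is not part of the issue or of the AD-miner project: for each direct child of the Users container, does it carry adminCount=1 (and therefore a DACL with inheritance disabled by SDProp/AdminSDHolder), or would it actually receive an ACE set on the container once propagation is switched on? Any group in the second category is what the issue calls a reachable, unprotected Tier-0 candidate. Assumes the RSAT ActiveDirectory module on a domain-joined host; the domain DN is read at runtime rather than hard-coded.

```powershell
# Added example (not AD-miner code). Audits which children of CN=Users would
# inherit ACEs placed on the container, versus those shielded by AdminSDHolder.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$usersCN  = "CN=Users,$domainDN"

# 1. Show the container's own GenericAll ACEs and whether they are set to
#    propagate ("This object only" vs "This object and all descendant objects").
$containerSD = (Get-ADObject -Identity $usersCN -Properties ntSecurityDescriptor).ntSecurityDescriptor
$containerSD.Access |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize

# 2. Classify every direct child of the container.
Get-ADObject -SearchBase $usersCN -SearchScope OneLevel -Filter * `
    -Properties adminCount, objectClass, ntSecurityDescriptor |
    ForEach-Object {
        # SDProp stamps adminCount=1 on protected principals and sets the
        # "protected from inheritance" flag on their DACL every 60 minutes,
        # so an ACE on the parent container never reaches them.
        $isProtected   = ($_.adminCount -eq 1)
        $dacProtected  = $_.ntSecurityDescriptor.AreAccessRulesProtected
        [pscustomobject]@{
            Name            = $_.Name
            Class           = ($_.objectClass | Select-Object -Last 1)
            AdminCount      = $_.adminCount
            DaclProtected   = $dacProtected
            WouldInheritACE = (-not $isProtected) -and (-not $dacProtected)
        }
    } |
    Sort-Object WouldInheritACE -Descending |
    Format-Table -AutoSize
```

Rows with WouldInheritACE = True are the objects a container-level ACE would actually land on after inheritance is enabled; Domain Admins should show AdminCount 1 and DaclProtected True, which is why the short-cut in the report does not hold. A group such as Cert Publishers appearing with WouldInheritACE = True is the signal that a separate edge from that group to a Tier-0 asset needs to be modelled rather than a direct hop to Domain Admins.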