GenericAll
GenericAll is a permission that gives full rights over an Active Directory object. If you have GenericAll on a group object, you can add users to the group.
Enumeration
PowerView
GenericAll Enumeration
We get the current user’s SID by executing whoami /user, import PowerView, then execute the command below to list the objects on which we have the GenericAll right.
Command
get-objectacl -resolveguids | ? {($_.securityidentifier -eq "[our_current_user_sid]") -and ($_.activedirectoryrights -eq "GenericAll")}
The image below shows that the current user usman has the GenericAll right on the Domain Admins group.
BloodHound
We can also get the same result using BloodHound.
The image below shows that the current user usman has the GenericAll right on the Domain Admins group.
Exploitation
Let’s check our current group.
Here usman is a member of the Domain Users group. We are going to exploit GenericAll to add usman to the Domain Admins group.
PowerView
Since we have the GenericAll right on the Domain Admins group, we can add usman to the group by executing the command below.
Command
add-domaingroupmember -identity "Domain Admins" -members usman
Let’s check it by executing get-netgroup -memberidentity usman
As you can see, usman has been added to the Domain Admins group.
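A defender-side audit of the same condition, as an added example that is not part of the original post: it reads the DACL of privileged groups through the ActiveDirectory module and lists Allow ACEs granting GenericAll to principals outside an expected baseline. The group list and the $baseline names are assumptions to adjust for your own domain.

```powershell
# Added example (not from the original page): report principals outside an
# expected baseline that hold GenericAll on privileged groups.
# Requires the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Groups to audit (the page's example targets Domain Admins).
$groupNames = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# Assumption: principals whose full control is expected in this domain.
# Matched on the account name after the backslash; tune to your baseline.
$baseline = 'SYSTEM', 'Administrators', 'Domain Admins', 'Enterprise Admins'

$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$findings = foreach ($name in $groupNames) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }   # e.g. Enterprise Admins in a child domain

    $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Keep only Allow ACEs whose mask contains every bit of GenericAll.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $genericAll) -ne $genericAll) { continue }

        # Unresolved SIDs have no backslash and are reported as-is.
        $account = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($baseline -contains $account) { continue }

        [pscustomobject]@{
            Group     = $group.Name
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Group, Principal | Format-Table -AutoSize
```

In the scenario above, a row showing usman against Domain Admins is the ACE that made the group addition possible.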