GenericWrite
GenericWrite: if you have GenericWrite on a group object, you can add users to the group.
Enumeration
PowerView
GenericWrite Enumeration
We get the current user's SID by executing whoami /user, import PowerView, then execute the command below to list the objects on which we have the GenericWrite right.
Command
Get-ObjectAcl -ResolveGUIDs | ? {($_.SecurityIdentifier -eq "[our_current_user_sid]") -and ($_.ActiveDirectoryRights -like "*GenericWrite*")}
The image below shows that the current user usman has the GenericWrite right on the Domain Admins group.

BloodHound
We can also get the same result using BloodHound.
The image below shows that the current user usman has the GenericWrite right on the Domain Admins group.

Exploitation
Let's check our current group membership.

Here usman is a member of the Domain Users group. We are going to exploit GenericWrite to add usman to the Domain Admins group.
PowerView
Since we have the GenericWrite right on the Domain Admins group, we can add usman to the group by executing the command below.
Command
Add-DomainGroupMember -Identity "Domain Admins" -Members usman

Let's verify it by executing Get-NetGroup -MemberIdentity usman

As you can see, usman has been added to the Domain Admins group.
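
The misconfiguration shown above can be audited from the defender's side. The following is an added example, not part of the original page: it lists Allow ACEs on privileged groups that grant GenericWrite (or a superset such as GenericAll) to principals outside an allow-list. It assumes the RSAT ActiveDirectory module is installed; the group list and the allow-list are illustrative assumptions to adapt to your domain.

```powershell
# Added defensive example: not from the original page.
# Requires the RSAT ActiveDirectory module (provides the AD: drive used by Get-Acl).
Import-Module ActiveDirectory

# Assumption: the groups worth auditing; extend for your environment.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# Assumption: principals expected to hold write access (illustrative allow-list).
$netbios  = (Get-ADDomain).NetBIOSName
$expected = @(
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Administrators'
    "$netbios\Domain Admins"
    "$netbios\Enterprise Admins"
)

# GenericWrite is a composite flag; GenericAll contains all of its bits, so it matches too.
$genericWrite = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericWrite

$findings = foreach ($name in $privilegedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }   # e.g. a group that only exists in the forest root domain

    (Get-Acl -Path "AD:\$($group.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.ActiveDirectoryRights -band $genericWrite) -eq $genericWrite -and
            $expected -notcontains $_.IdentityReference.Value
        } |
        Select-Object @{n='Group';     e={$name}},
                      @{n='Principal'; e={$_.IdentityReference.Value}},
                      ActiveDirectoryRights,
                      IsInherited
}

# Any row here is a principal that can modify the group, including its membership.
$findings | Sort-Object Group, Principal | Format-Table -AutoSize
```

An ACE like the one usman holds on Domain Admins would appear as a row in this output; removing that ACE closes the path described on this page.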