Privileged Group
Machine accounts can be added to privileged groups to establish domain persistence.
Note: This is a domain persistence technique, so assume we have already compromised a domain administrator's account and are trying to keep that access in the domain.
Exploitation
Since we have compromised an administrator account, we will create a new machine account using Powermad and add it to the Domain Admins group.

    New-MachineAccount -MachineAccount backdoor -Domain cyber.local -DomainController dc01.cyber.local
As you can see, we have created the new machine account backdoor.
We will now add the machine account to the Domain Admins group.
Our machine account has been added to Domain Admins.
We will log in with our newly created machine account backdoor and, from there, obtain a PowerShell session on the domain controller.

    runas /netonly /user:cyber.local\backdoor$ cmd.exe

Done.
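The defender-side view of the steps above, as an added example that is not part of the original post or of Powermad: a point-in-time audit that lists computer objects sitting in privileged groups, and a Security-log check for the group-addition events (4728 for global, 4732 for domain local, 4756 for universal groups) where the added member resolves to a computer object. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read group membership and the Security log on the domain controller, and that "Audit Security Group Management" is enabled; the $PrivilegedGroups list and the lookback window are assumptions to adjust.

```powershell
# Added example (not from the original post): two defender-side checks for machine
# accounts in privileged groups. Assumptions: ActiveDirectory RSAT module present,
# rights to read group membership and the DC Security log, and group-management
# auditing enabled. $PrivilegedGroups is an assumed, editable list.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-ComputerObjectsInPrivilegedGroups {
    # Point-in-time audit: any computer object that is a member, directly or through
    # nesting, of a privileged group. In most domains the expected result is empty.
    param([string[]]$Groups = $PrivilegedGroups)

    foreach ($group in $Groups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'computer' } |
            ForEach-Object {
                [pscustomobject]@{
                    Group             = $group
                    MachineAccount    = $_.SamAccountName     # e.g. backdoor$
                    DistinguishedName = $_.DistinguishedName
                }
            }
    }
}

function Get-MachineAccountGroupAdditions {
    # Historical detection: 4728 / 4732 / 4756 record every member added to a
    # security-enabled group. The member is logged as a DN, so the DN is resolved
    # and the event is kept when it is a computer object (or cannot be resolved).
    param(
        [string]$DomainController = (Get-ADDomainController).HostName,
        [int]$LookbackHours = 24,
        [string[]]$Groups = $PrivilegedGroups
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4732, 4756
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }

    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # TargetUserName is the group the member was added to; skip non-privileged groups
            if ($Groups -notcontains $data['TargetUserName']) { return }

            $member = $null
            try { $member = Get-ADObject -Identity $data['MemberName'] -ErrorAction Stop } catch { }
            # An unresolvable DN usually means the object was deleted after the add;
            # keep such events rather than hide them. Users and groups are out of scope here.
            if ($member -and $member.ObjectClass -ne 'computer') { return }

            [pscustomobject]@{
                Time             = $_.TimeCreated
                EventId          = $_.Id
                Group            = $data['TargetUserName']
                MemberDN         = $data['MemberName']
                MemberClass      = if ($member) { $member.ObjectClass } else { 'unresolved (deleted?)' }
                AddedBy          = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
}

# Usage: run both; anything returned deserves an incident ticket, not a quiet cleanup.
Get-ComputerObjectsInPrivilegedGroups | Format-Table -AutoSize
Get-MachineAccountGroupAdditions -LookbackHours 168 | Format-Table -AutoSize
```

Two design points: the membership audit uses -Recursive because a machine account nested through an intermediate group is just as privileged, and the event check deliberately reports members whose DN no longer resolves, since removing the object after use is the easy way to leave only the event behind. Pair this with event 4741 (computer account created) on the same window to see the first step of the procedure, and note that ms-DS-MachineAccountQuota offers no protection in this scenario because the account creating the machine is already a domain administrator.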