
Enhancement: --Add Local Admin User Change

Open jstigerwalt opened this issue 5 years ago • 2 comments

The way the admin user is added should be changed to create a group, add the user of choice into this group, and then assign the group to the local Administrators group.

I have only done testing around adding a user into an already created AD group, and then assigning that group to a GPO to gain access to domain controllers and servers. The current way is dangerous and will remove all previous users from the administrators group.

Using this option in an engagement is impossible due to the nature of being detected by removing admins from the servers' Administrators group.

jstigerwalt, Oct 23 '20 11:10

Just ran into this myself. Conducting a pentest, I found a GPO that authenticated users had write access to that was linked to the Domain Controllers OU. Adding my initial breach user as a local admin kicked all domain admins out. If changing this behavior is not going to happen, the documentation should be updated to reflect what is happening so that people know the implications of the attack.

Pyro57000, Oct 30 '24 16:10

++

Currently the Local Admins group is overwritten which is really bad lol


Anon-Exploiter, Dec 04 '24 23:12
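The overwrite the thread describes is the documented behaviour of a Restricted Groups policy: in a GPO's `GptTmpl.inf`, a `<group>__Members` line is authoritative and removes every account not listed, while `<group>__Memberof` only adds the named principal to a group. The following audit script is an added example for defenders reviewing GPOs, not part of SharpGPOAbuse; it assumes the local-admin change is written as a Restricted Groups entry, and the `GptTmpl.inf` content and SIDs are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample GptTmpl.inf (not taken from the project). The Administrators
# entry uses __Members, so on policy refresh every member not listed is removed.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1106__Memberof = *S-1-5-32-555
"""

def parse_group_membership(inf_text: str) -> Dict[str, Dict[str, Optional[List[str]]]]:
    """Return {group: {"Members": [...] or None, "Memberof": [...] or None}} from the
    [Group Membership] section. None means the key is absent; [] means it is present
    but empty, which for __Members still clears the group."""
    result: Dict[str, Dict[str, Optional[List[str]]]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"\*?(.+?)__(Members|Memberof)", key.strip())
        if not m:
            continue
        group, kind = m.group(1), m.group(2)
        members = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        result.setdefault(group, {"Members": None, "Memberof": None})[kind] = members
    return result

def audit_restricted_groups(inf_text: str) -> List[Tuple[str, str, List[str]]]:
    """Flag every group whose membership would be replaced (a __Members key is present).
    Returns (severity, group, enforced member list); Administrators is rated HIGH."""
    findings = []
    for group, kinds in parse_group_membership(inf_text).items():
        if kinds["Members"] is not None:
            severity = "HIGH" if group == ADMINISTRATORS_SID else "MEDIUM"
            findings.append((severity, group, kinds["Members"]))
    return findings

if __name__ == "__main__":
    for severity, group, members in audit_restricted_groups(SAMPLE_GPTTMPL):
        print(f"{severity}: {group} membership will be replaced by {members}")
```

Run it against the `GptTmpl.inf` files under `SYSVOL` to find policies that clear a local group rather than append to it.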