search
githubEdit

Account Operators (todo)

hashtag
Configuring

hashtag
Prerequisite

The membership of the "Account Operators" group is configured in the Dumping DPAPI page.

Dumping DPAPIchevron-right

hashtag
Attacking

hashtag
How it works

The Account Operators group is a built in group in AD. By default it has no members.

The group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.

By default it has no direct path to Domain Admin, but these groups might be able to add members to other groups which have other ACL's etc. In this lab (as far as I know) you cant become DA with these privileges.

hashtag
Executing the attack

  • Login to the DC locally (Not through RDP but only locally).

  • Create users.

  • Add users to low privileged groups. This can be achieved through the cmdlet Add-DomainGroupMember from PowerView. Since we didn't create any groups in the domain we will use the "Domain Guests" group.

Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administratorsarrow-up-right, Server Operatorsarrow-up-right, Account Operatorsarrow-up-right, Backup Operatorsarrow-up-right, or Print Operatorsarrow-up-right groups. Members of this group cannot modify user rights.

hashtag
Defending

hashtag
Recommendations

  • Never use any of the "Operator" groups. Create specialised groups and minimal permissions for the tasks the different IT departments/roles need. Use the least privilege principal.

hashtag
Detection

hashtag
References

LogoActive Directory Security GroupsMicrosoftLearnchevron-right
PreviousDNS-Admins (todo)NextBackup Operators

Last updated