Account Operators (todo)

Configuring

Prerequisite

The membership of the "Account Operators" group is configured in the Dumping DPAPI page.


Attacking

How it works

The Account Operators group is a built-in group in AD. By default it has no members.

The group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.

By default the group has no direct path to Domain Admin, but its members may be able to add accounts to other groups that carry further ACLs. In this lab (as far as I know) you can't become DA with these privileges.

Executing the attack

  • Log in to the DC locally (at the console, not through RDP).

  • Create users.

  • Add users to low-privileged groups. This can be achieved through the cmdlet Add-DomainGroupMember from PowerView. Since we didn't create any groups in the domain, we will use the "Domain Guests" group.

Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights.

Defending

Recommendations

  • Never use any of the "Operator" groups. Create specialised groups with minimal permissions for the tasks the different IT departments/roles need. Apply the principle of least privilege.

Detection
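An added PowerShell check, not part of the original lab notes, that covers the recommendation above (are the Operator groups empty?) and gives this section a starting point: it pulls the Security events that the steps in the Attacking section generate (4720 user created; 4728/4732/4756 member added to a global, domain local or universal group) and flags actors who are members of Account Operators. The group names and event IDs are Windows built-ins; the one-day window and the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example (not from the original page): audit the "Operator" groups and
# review the Security events left behind by "create user, add to group".
# Assumes the RSAT ActiveDirectory module and read access to the DC Security log.
Import-Module ActiveDirectory

$operatorGroups = 'Account Operators', 'Server Operators',
                  'Backup Operators', 'Print Operators'

# Recommendation check: none of the Operator groups should have members.
foreach ($g in $operatorGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive
    if ($members) {
        Write-Warning "$g is not empty: $($members.SamAccountName -join ', ')"
    } else {
        Write-Output "$g : no members (OK)"
    }
}

# Detection: who created accounts or changed group membership in the last day
# (assumed window), and was the actor a member of Account Operators?
$accountOps = (Get-ADGroupMember -Identity 'Account Operators' -Recursive).SamAccountName

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4728, 4732, 4756   # user created / member added to a group
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read the EventData fields by name instead of relying on positional indexes.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $actor = $data['SubjectUserName']
    $flag  = if ($accountOps -contains $actor) { '[AccountOps]' } else { '' }
    switch ($e.Id) {
        4720 { "$($e.TimeCreated) $flag $actor created user $($data['TargetUserName'])" }
        default {
            # For 4728/4732/4756: MemberName is the added account's DN, TargetUserName the group.
            "$($e.TimeCreated) $flag $actor added $($data['MemberName']) to $($data['TargetUserName'])"
        }
    }
}
```

Run it on the domain controller (or with -ComputerName added to Get-WinEvent) after performing the lab steps; the user creation and the Domain Guests addition should both appear with the [AccountOps] flag.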

References
