Interesting Groups
AD | Groups | Privileges | Permissions | LDAP |
Active Directory (AD) ships with several built-in groups whose members hold extensive privileges in the domain, and in most cases on the Domain Controllers themselves. Membership in any of them, direct or through nested groups, gives an attacker a short path to full domain compromise, so they should be among the first things enumerated. The most critical ones are:
| Group | Why it matters |
|---|---|
| Default Administrators | Domain Admins and Enterprise Admins, the "super" groups. Enterprise Admins (and Schema Admins) exist only in the forest root domain. |
| Server Operators | Members can modify services, access SMB shares, and back up files on the DCs. |
| Backup Operators | Can take shadow copies of the SAM and the NTDS database, read the registry remotely, and read the DC's file system over SMB; the backup privilege bypasses file ACLs. |
| Print Operators | Can log on to DCs locally and hold the load-driver privilege, which can be abused to "trick" Windows into loading a malicious driver. |
| Hyper-V Administrators | If DCs are virtualized, anyone who administers the hypervisor, including members of this group, effectively controls the DC and should be treated as a Domain Admin. |
| Account Operators | Can modify accounts and groups that are not protected by AdminSDHolder, anywhere in the domain. |
| Remote Desktop Users | Usually granted the "Allow log on through Remote Desktop Services" right; on a DC, membership in the Builtin group means RDP access to the DC. |
| Remote Management Users | Members can log on to DCs over WinRM (PowerShell Remoting). |
| Group Policy Creator Owners | Members can create new GPOs but need additional delegated permissions to link them to an OU, site, or domain. |
| Schema Admins | Members can modify the AD schema, for example by adding a compromised account to a class's default security descriptor so that every group or GPO created afterwards grants that account rights over the new object. |
| DnsAdmins | Can configure the DNS service to load an arbitrary DLL (the ServerLevelPluginDll setting); it runs as SYSTEM on the DC the next time the DNS service starts or the host reboots, which also makes it a persistence mechanism. |
Enumerate

```powershell
# Get group detail (all attributes, including member and adminCount)
Get-ADGroup -Identity "Schema Admins" -Properties *
```
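Looking at one group at a time misses nested membership, which is how most of the accidental privilege in these groups creeps in. The script below is an added example, not code from the original page: it walks every group from the table, flattens nested membership, and lists the user accounts that end up inside, together with the account's enabled state and whether the group is protected by AdminSDHolder. It assumes the RSAT ActiveDirectory module and a domain-joined session that can reach a DC; the group list itself is an assumption (it uses the sAMAccountNames as stored in AD, so the DNS group is `DnsAdmins`).

```powershell
# Added example, not from the original page: enumerate every group in the table
# above, resolve nested membership, and list the user accounts found inside.
# Assumes the RSAT ActiveDirectory module and a domain-joined session that can reach a DC.
Import-Module ActiveDirectory -ErrorAction Stop

# sAMAccountNames as stored in AD (the DNS group is "DnsAdmins"). Most of these
# are domain-local groups in CN=Builtin, so membership applies to the DCs themselves.
$privilegedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins',
    'Server Operators', 'Backup Operators', 'Print Operators',
    'Hyper-V Administrators', 'Account Operators',
    'Remote Desktop Users', 'Remote Management Users',
    'Group Policy Creator Owners', 'Schema Admins', 'DnsAdmins'
)

# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so those two lookups are pinned to it; everything else is queried locally.
$forestRoot = (Get-ADForest).RootDomain
$thisDomain = (Get-ADDomain).DNSRoot
$forestOnly = 'Enterprise Admins', 'Schema Admins'

function Get-PrivilegedGroupMembers {
    param([string[]]$Groups = $privilegedGroups)

    foreach ($name in $Groups) {
        $server = if ($name -in $forestOnly) { $forestRoot } else { $thisDomain }
        try {
            $group = Get-ADGroup -Identity $name -Server $server -Properties adminCount -ErrorAction Stop
        } catch {
            # Not every environment has every group as a domain object; report and move on.
            Write-Warning "Group '$name' not found on $($server): $($_.Exception.Message)"
            continue
        }

        # -Recursive flattens nested groups, so a user reachable only through a
        # group-in-group chain is still reported. Errors here are usually foreign
        # security principals from trusted domains, which are skipped.
        $members = Get-ADGroupMember -Identity $group -Server $server -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }

        foreach ($m in $members) {
            try {
                $u = Get-ADUser -Identity $m.distinguishedName -Server $server -Properties Enabled, LastLogonDate, adminCount -ErrorAction Stop
            } catch {
                continue   # user lives in another domain and is not resolvable against $server
            }

            [pscustomobject]@{
                Group      = $group.SamAccountName
                Protected  = ($group.adminCount -eq 1)   # ACL enforced by AdminSDHolder
                Member     = $u.SamAccountName
                Enabled    = $u.Enabled
                LastLogon  = $u.LastLogonDate
                AdminCount = $u.adminCount
            }
        }
    }
}

Get-PrivilegedGroupMembers | Sort-Object Group, Member | Format-Table -AutoSize
```

A stale, enabled account sitting in Backup Operators or Server Operators through three levels of nesting is exactly the kind of finding this surfaces. If the RSAT module is not available, the same recursive expansion can be done with `[adsisearcher]` and the LDAP_MATCHING_RULE_IN_CHAIN filter `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)`, which resolves nesting server-side in a single query. Keep in mind that for the Builtin groups (Server Operators, Backup Operators, Remote Desktop Users, and so on) the membership shown here grants rights on the Domain Controllers, not on every member server; local group membership on other hosts must be checked on those hosts.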