aniqfakhrul / powerview.py

Just another Powerview alternative
MIT License

Moving objects between OUs? #75

Closed dkjajhqu2h3j closed 5 months ago

dkjajhqu2h3j commented 5 months ago

Hi,

Thank you for this tool.

I am currently testing out the attack shown here in which the presenter uses a member of the Exchange domain group Exchange Trusted Subsystem to create a new OU, enable inheritance on that, then move the Domain Controller OU into the new OU, after which it is possible to RBCD a DC. I don't think you can move the Domain Controller OU anymore but it is still possible to target individual computers or users as long as they don't have "adminCount" set to "1".

I see that Powerview.py can add OUs and grant yourself GenericAll rights on that. However, I cannot find a way to move an object into the added OU. Is that possible?

H0j3n commented 5 months ago

Hi! We already implemented the Set-DomainObjectDN module in dev branch. Please verify in your environment if it works as intended. Example command:

Set-DomainObjectDN -Identity 'CN=DC,OU=Domain Controllers,DC=RANGE,DC=local' -BaseDN 'OU=EvilOU,DC=RANGE,DC=local'

dkjajhqu2h3j commented 5 months ago

Great. That works! Thanks!

However, it seems using the command Add-DomainObjectAcl -PrincipalIdentity adlab1_domainuser2 -Rights all -TargetIdentity 'OU=test5,DC=adlab1,DC=local' does not enable inheritance. After moving an object into the new OU it is still not possible to for example write Shadow credentials on it.

If I use Impacket's dacledit.py (PR 1291) to enable inheritance on the new OU, things work. My GenericAll rights are inherited, which means I can for example write Shadow credentials.

Here is the DACL of OU test5 after using the Add-DomainObjectAcl command above: DACL1

Here is the DACL of OU test5 after enabling inheritance using dacledit.py. As you can see there are differences: DACL2

Is it possible to toggle inheritance using Powerview.py? If yes, how? If not, can that be implemented?

aniqfakhrul commented 5 months ago

Hi, thanks for pointing this out. We did implement it previously but with incorrect ACEFlags used. We've added the -Inheritance flag under the Add-DomainObjectACL module.

Here is the full command example tested in my lab. image

After applied. image

Please verify if this resolves the issue. Thanks!

dkjajhqu2h3j commented 5 months ago

I checked out the updated Dev branch and tested this again. The parameter -Inheritance is now available but either GenericAll rights or inheritance is not set since writing shadow credentials fails.

Using the command Add-DomainObjectACL with the new parameter:

inheritance1

DACL of OU pentest after the command Add-DomainObjectACL:

dacl3

To me it seems ACE [10] is missing. See earlier screenshot.

H0j3n commented 5 months ago

Hi, thank you for your patience. We have updated the "dev" branch, you may need to pull the latest version.

You can use the same command previously mentioned by @aniqfakhrul:

Add-DomainObjectAcl -PrincipalIdentity 'CN=Issue75_compr_user,OU=Issue75_OU,DC=RANGE,DC=local' -TargetIdentity 'Issue75_OU' -Rights FullControl -Inheritance

After applied:

image

Can you please verify if this resolves the issue? Thanks!

dkjajhqu2h3j commented 5 months ago

Good work! Now it works. Thank you!

I did however find a small issue. The installation of the current Dev branch fails due to the trailing "´´" on line 2 in requirements.txt. After removing those the installation works.

H0j3n commented 5 months ago

Thanks! The issue in requirements.txt has been fixed. Appreciate it.
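
For reviewing OU permissions of the kind discussed in this thread, the sketch below is an added example (not part of the thread and not powerview.py or dacledit.py code). It parses the DACL of an OU from its SDDL string and reports trustees holding an explicit full-control allow ACE that carries the container-inherit (CI) flag, the difference between the two DACLs compared above. The SIDs, SDDL strings and function names are constructed for illustration, and it assumes CI marks propagation to child objects.

```python
import re

# SDDL right tokens -> access-mask bits for directory objects
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000}
FULL_CONTROL = 0xF01FF      # every specific + standard right on an AD object
GENERIC_ALL = 0x10000000

def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts, in DACL order."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, obj, _inh_obj, trustee = body.split(";")[:6]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)          # rights given as a hex mask
        else:
            mask = 0
            for token in re.findall("..", rights):   # two-letter tokens
                mask |= RIGHTS.get(token, 0)
        aces.append({"type": ace_type, "flags": set(re.findall("..", flags)),
                     "mask": mask, "object": obj, "trustee": trustee})
    return aces

def inheritable_full_control(sddl, expected=()):
    """Trustees (outside `expected`) with an explicit, CI-flagged full-control ACE."""
    hits = []
    for ace in parse_dacl(sddl):
        broad = bool(ace["mask"] & GENERIC_ALL) or \
            (ace["mask"] & FULL_CONTROL) == FULL_CONTROL
        explicit = "ID" not in ace["flags"]      # set on this OU, not inherited
        if (ace["type"] == "A" and broad and not ace["object"] and explicit
                and "CI" in ace["flags"] and ace["trustee"] not in expected):
            hits.append(ace["trustee"])
    return hits

# Constructed sample data: a low-privileged user and the Domain Admins group.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1105"
ADMINS = "S-1-5-21-1111111111-2222222222-3333333333-512"
FC = "CCDCLCSWRPWPDTLOCRSDRCWDWO"
# Same grant twice: first with no ACE flags (applies to the OU object only),
# then with CI (also inherited by objects inside the OU).
OU_NO_INHERIT = f"O:{ADMINS}G:{ADMINS}D:(A;;{FC};;;{USER})(A;CI;GA;;;{ADMINS})"
OU_INHERIT = f"O:{ADMINS}G:{ADMINS}D:(A;CI;{FC};;;{USER})(A;CI;GA;;;{ADMINS})"

if __name__ == "__main__":
    for name, sd in (("no-inherit", OU_NO_INHERIT), ("inherit", OU_INHERIT)):
        print(name, inheritable_full_control(sd, expected={ADMINS}))
```

Passing the set of principals that are supposed to administer the OU as `expected` leaves only the unexpected inheritable grants in the result.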