Domain Persistence - Machine Account
- Published on 3 Feb 2025
- By default, any user on the network can create up to 10 machine accounts. Modifying the userAccountControl attribute transforms the machine account into a domain controller, so the DCSync technique can be used to retrieve domain password hashes with the credentials of that account.
Article: pentestlab.blo...
Great content!
Thank you!
This is pretty cool, but if you need DA privileges to make the change to the machine account's userAccountControl attribute, what's the point if you already have DA? Can't stealing the krbtgt be a better way to have persistence?
There is a lot of focus from a detection point of view on the creation of golden tickets. Using a computer account to act as a DC and dump hashes, you might go undetected. In the video the account is used to access the DC, but in the article dumping hashes can be done using the arbitrary machine account. Imagine a SOC team that has high alerts for any changes on the DC but doesn't monitor machine account creation etc. Furthermore, if you work in an internal security team it is beneficial for the SOC to know alternative ways of persistence.
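For the monitoring gap raised in the discussion above, the userAccountControl change from the description is visible on the directory object itself. This is an added example, not part of the video or the article: it audits an export of computer objects for the domain controller flag outside a DC inventory. The sample rows, account names, SIDs and the `KNOWN_DCS` set are constructed assumptions, and the mS-DS-CreatorSID check is a heuristic (the attribute is normally populated when an account is created under the machine account quota).

```python
# Added example: flag machine accounts that carry the domain controller
# userAccountControl bit but are not in the known DC inventory.
SERVER_TRUST_ACCOUNT = 0x2000   # userAccountControl bit used by domain controllers
DC_PRIMARY_GROUP = 516          # RID of the Domain Controllers group

# Assumption: an inventory of legitimate DCs maintained by the defender.
KNOWN_DCS = {"DC01$"}

# Constructed sample rows, shaped like an LDAP export of computer objects.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 532480,
     "primaryGroupID": 516, "mS-DS-CreatorSID": None},
    {"sAMAccountName": "WS-042$", "userAccountControl": 4096,
     "primaryGroupID": 515, "mS-DS-CreatorSID": None},
    {"sAMAccountName": "PENTEST$", "userAccountControl": 8192,
     "primaryGroupID": 516,
     "mS-DS-CreatorSID": "S-1-5-21-1111111111-2222222222-3333333333-1104"},
    {"sAMAccountName": "LAPTOP7$", "userAccountControl": 4096,
     "primaryGroupID": 515,
     "mS-DS-CreatorSID": "S-1-5-21-1111111111-2222222222-3333333333-1120"},
]


def audit_computers(computers, known_dcs):
    """Return [(account, [reasons])] for computer objects that look like DCs
    but are not in the inventory."""
    known = {name.upper() for name in known_dcs}
    findings = []
    for obj in computers:
        name = obj["sAMAccountName"]
        uac = int(obj["userAccountControl"])
        unknown = name.upper() not in known
        dc_flag = bool(uac & SERVER_TRUST_ACCOUNT)
        reasons = []
        if dc_flag and unknown:
            reasons.append("SERVER_TRUST_ACCOUNT set outside the DC inventory")
        if obj.get("primaryGroupID") == DC_PRIMARY_GROUP and unknown:
            reasons.append("primaryGroupID 516 outside the DC inventory")
        if dc_flag and obj.get("mS-DS-CreatorSID"):
            reasons.append("DC-flagged account has mS-DS-CreatorSID populated")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for account, reasons in audit_computers(SAMPLE_COMPUTERS, KNOWN_DCS):
        print(account, "->", "; ".join(reasons))
```

An ordinary quota-created workstation such as `LAPTOP7$` is not reported; only the combination with the domain controller flag is.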