1

2

3

Reference: https://docs.microsoft.com/en-us/windows/win32/secauthz/how-dacls-control-access-to-an-object

4

5

6

7

8

9

Reference: https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemotePSRemoting.ps1

10

11

Reference - https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1

12

13

14

15

16

https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format

17

18

19

20

21

Reference: https://docs.microsoft.com/en-us/powershell/jea/overview

22

23

24

25

26

27

28

29

References: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html

30

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory

31

32

Reference: http://techgenix.com/aquicktiptoallowdsrmaccounttologonnormally/

33

34

Reference: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#generic-dacl-abuse

35

36

37

38

39

40

Reference: https://docs.microsoft.com/en-us/windows/win32/adschema/r-user-force-change-password

41

References: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directoryhttps://adsecurity.org/?p=1906

42

43

References: https://www.dcshadow.com/https://www.labofapenetrationtester.com/2018/04/dcshadow.htmlhttps://www.labofapenetrationtester.com/2018/05/dcshadow-sacl.html

44

45

46

47

48

[1] - http://active-undelete.com/dcom-configuration.htm[2] - https://redmondmag.com/articles/2002/02/01/securing-remote-management-with-wmi.aspx

49

https://github.com/BloodHoundAD/BloodHound/tree/masterhttps://github.com/canix1/ADACLScannerhttps://www.pingcastle.com/https://github.com/samratashok/Deploy-Deception

50

51

52