# Powermad

PowerShell MachineAccountQuota and DNS exploit tools

## Wiki

https://github.com/Kevin-Robertson/Powermad/wiki

## Blog Post

Beyond LLMNR/NBNS Spoofing - Exploiting Active Directory-Integrated DNS

## Functions

- MachineAccountQuota Functions
- DNS Functions
- Dynamic Updates Functions
- ADIDNS Functions
- Miscellaneous Functions
## MachineAccountQuota Functions

The default Active Directory ms-DS-MachineAccountQuota attribute setting allows every domain user to add up to 10 machine accounts to the domain. Powermad includes a set of functions for exploiting ms-DS-MachineAccountQuota without attaching an actual system to AD.
### Get-MachineAccountAttribute

This function returns the value populated in a specified attribute of a machine account.

Example: get the value of 'description' from a machine account named 'test'.

```powershell
Get-MachineAccountAttribute -MachineAccount test -Attribute description
```
### Get-MachineAccountCreator

This function leverages the ms-DS-CreatorSID property on machine accounts to return a list of usernames or SIDs and the associated machine account. The ms-DS-CreatorSID property is only populated when a machine account is created by an unprivileged user.

Example: get a list of all populated ms-DS-CreatorSID attributes.

```powershell
Get-MachineAccountCreator
```
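As an added defensive counterpart to the quota and creator-SID behaviour described above (this is an audit script written for this page, not part of Powermad), the following PowerShell reads the domain's ms-DS-MachineAccountQuota value and lists every computer object whose mS-DS-CreatorSID is populated, i.e. machine accounts that were added by a non-privileged user under the quota. It assumes a domain-joined host and a caller allowed to read the domain naming context (any authenticated user by default); it uses only the built-in ADSI/.NET classes, so the ActiveDirectory module is not required. The output column names are my own.

```powershell
# Added audit example (not Powermad code): report the MachineAccountQuota value
# and every machine account created by a non-privileged user.
# Assumption: run on a domain-joined host as any domain user.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# The quota lives on the domain head object; 10 is the default, 0 disables it.
$quota = $domain.Properties['ms-DS-MachineAccountQuota'].Value
Write-Host "ms-DS-MachineAccountQuota on $domainDn = $quota"

# mS-DS-CreatorSID is only set when the creator was not an administrator,
# so a presence filter on it yields exactly the accounts added under the quota.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(&(objectCategory=computer)(mS-DS-CreatorSID=*))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(
    @('sAMAccountName', 'mS-DS-CreatorSID', 'whenCreated', 'userAccountControl'))

$results = foreach ($r in $searcher.FindAll()) {
    # DirectorySearcher lowercases property names in its result collection.
    $sidBytes = $r.Properties['ms-ds-creatorsid'][0]
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    # Translate to DOMAIN\user; fall back to the raw SID if the creator was deleted.
    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = $sid.Value }

    [pscustomobject]@{
        Computer    = $r.Properties['samaccountname'][0]
        CreatedBy   = $creator
        WhenCreated = $r.Properties['whencreated'][0]
        # userAccountControl bit 0x2 = ACCOUNTDISABLE
        Disabled    = ([int]$r.Properties['useraccountcontrol'][0] -band 2) -ne 0
    }
}

$results | Sort-Object WhenCreated -Descending | Format-Table -AutoSize
```

Each row is a machine account that no administrator created, which is worth correlating with security event 4741 (A computer account was created) on the domain controllers, where the Subject field names the creating user. A quota value of 0, set for example with `Set-ADDomain -Identity <domain> -Replace @{'ms-DS-MachineAccountQuota'='0'}`, removes the ability of ordinary users to add machine accounts at all.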
### Disable-MachineAccount

This function can disable a machine account that was added through New-MachineAccount. This function should be used with the same user that created the machine account.

Example: disable a machine account named test.

```powershell
Disable-MachineAccount -MachineAccount test
```
### Enable-MachineAccount

This function can enable a machine account that was disabled through Disable-MachineAccount. This function should be used with the same user that created the machine account.

Example: enable a machine account named test.

```powershell
Enable-MachineAccount -MachineAccount test
### New-MachineAccount

This function adds a new machine account directly through an LDAP add request to a domain controller, without changing the host system's own attachment status to Active Directory.

The LDAP add request is modeled after the add request used when joining a system to a domain. The following attributes (mostly validated by the DC) are set:

- objectClass = Computer
- SamAccountName = machine account name with trailing $
- userAccountControl = 4096
- DnsHostName = FQDN
- ServicePrincipalName = 2 HOST and 2 RestrictedKrbHost SPNs, using both the FQDN and the account name
- unicodePwd = the specified password
A new machine account can be used for tasks such as leveraging privilege granted to the 'Domain Computers' group, or as an additional account for domain enumeration, DNS exploits, etc. By default, machine accounts do not have the log on locally permission. You can either use tools/clients that accept network credentials directly, or go through 'runas /netonly' or @harmj0y's Invoke-UserImpersonation/Invoke-RevertToSelf included with PowerView.

https://github.com/PowerShellMafia/PowerSploit/tree/dev/Recon

Machine accounts created with standard users will have the mS-DS-CreatorSID populated with the standard user's SID.

Note that ms-DS-MachineAccountQuota does not give authenticated users the ability to delete the machine accounts they added. Elevated privilege will need to be acquired to remove the account if you want to avoid passing the task off to your client.

Examples:

Add a new machine account.

```powershell
New-MachineAccount -MachineAccount test
```

Use the added account with runas /netonly.

```powershell
runas /netonly /user:domain\test$ powershell
```
### Remove-MachineAccount

This function removes a machine account using a privileged account.

Example: remove a machine account named test with domain admin credentials.

```powershell
Remove-MachineAccount -MachineAccount test -Credential $domainadmin
```
### Set-MachineAccountAttribute

This function can populate some attributes of an account that was added through New-MachineAccount, provided the user has write access to them. This function should be used with the same user that created the machine account.

Here is a list of some of the attributes that usually carry write access for the creator:

- AccountDisabled
- description
- displayName
- DnsHostName
- ServicePrincipalName
- userParameters
- userAccountControl
- msDS-AdditionalDnsHostName
- msDS-AllowedToActOnBehalfOfOtherIdentity
- SamAccountName
Examples:
Remove the trailing '