SeMachineAccountPrivilege (HackTricks)
Understanding SeMachineAccountPrivilege: A Deep Dive into Active Directory Exploitation
BloodHound Cypher query that walks from a compromised user to computer objects through group membership, AddMember or AllowedToAct edges. BloodHound stores principal names upper-cased (USER@CORP.LOCAL) and CONTAINS is case-sensitive, so use an upper-case fragment:
```cypher
MATCH (u:User)-[r:MemberOf|AddMember|AllowedToAct*1..]->(c:Computer)
WHERE u.name CONTAINS "YOUR_COMPROMISED_USER"
RETURN u, r, c
```
Add Domain Admins and other Tier-0 accounts to the Protected Users group, or mark them "Account is sensitive and cannot be delegated". Their TGTs are not forwardable and they cannot be impersonated through unconstrained, constrained or resource-based constrained delegation, so even a rogue computer account with delegation rights on a target cannot obtain a service ticket for those users.
They then write the new account's SID into the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute (resource-based constrained delegation). This needs write access to the target computer object (a file server, a web server, or even a DC), not to the attacker's own account. With the attribute set, the created account can run S4U2Self followed by S4U2Proxy and obtain a service ticket to the target as any user who is not protected from delegation.
For pentesters and red teamers, always check for this privilege and for a non-zero ms-DS-MachineAccountQuota. For blue teamers, set the quota to 0, grant the "Add workstations to domain" right only to a dedicated provisioning account, and monitor event 4741 (A computer account was created) for creations by anything other than that account.
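Watching 4741 only pays off with a rule behind it. The following is an added example, not code from HackTricks or from this page: it parses constructed 4741 records in the Windows Event XML layout and flags every computer-account creation by a principal outside an assumed allowlist of provisioning identities, plus bursts of creations by one principal, which is what an attacker burning through the default quota of 10 looks like. The account names, timestamps, the CORP domain and the allowlist are made up for the example.

```python
"""Detect suspicious computer-account creations from event 4741 records.

Added example, not from the page. Input records are constructed below in the
Windows Event XML layout (System/EventID, System/TimeCreated, EventData/Data
Name=...); a real pipeline would read them from the Security log or a SIEM.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_COMPUTER_CREATED = 4741


def make_event_xml(event_id: int, system_time: str, subject: str, target: str,
                   subject_domain: str = "CORP") -> str:
    """Build a constructed Security-log record (sample data, not real logs)."""
    return f"""<Event xmlns="{EVENT_NS['e']}">
  <System><EventID>{event_id}</EventID><TimeCreated SystemTime="{system_time}"/></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="SubjectDomainName">{subject_domain}</Data>
    <Data Name="TargetUserName">{target}</Data>
  </EventData>
</Event>"""


# Constructed sample: one legitimate provisioning join, then an ordinary user
# creating two machines seconds apart late at night, then an unrelated 4742
# (account changed) that the rule must ignore.
SAMPLE_EVENTS = [
    make_event_xml(4741, "2024-03-01T09:00:00Z", "svc-sccm", "WS-0451$"),
    make_event_xml(4741, "2024-03-01T22:14:07Z", "jdoe", "DESKTOP-QX9$"),
    make_event_xml(4741, "2024-03-01T22:14:09Z", "jdoe", "EVILPC$"),
    make_event_xml(4742, "2024-03-01T22:14:30Z", "jdoe", "EVILPC$"),
]


def parse_event(xml_text: str) -> Dict[str, object]:
    """Flatten one Event XML record into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVENT_NS).text)
    system_time = root.find("e:System/e:TimeCreated", EVENT_NS).get("SystemTime")
    # Real records carry seven fractional digits; keep whole seconds only.
    when = datetime.strptime(system_time[:19], "%Y-%m-%dT%H:%M:%S")
    record: Dict[str, object] = {"EventID": event_id, "TimeCreated": when}
    for data in root.findall("e:EventData/e:Data", EVENT_NS):
        record[data.get("Name")] = data.text
    return record


def detect_rogue_machine_accounts(
    xml_events: Iterable[str],
    allowed_creators: Iterable[str],
    window: timedelta = timedelta(minutes=10),
    burst_threshold: int = 2,
) -> List[Tuple[str, str, str]]:
    """Return (reason, DOMAIN\\subject, new computer) findings.

    reason is "unlisted_creator" for every 4741 whose subject is not an
    allowed provisioning identity, and "burst" (reported once per subject)
    when one subject creates burst_threshold or more accounts inside window.
    """
    allowed = {a.lower() for a in allowed_creators}
    findings: List[Tuple[str, str, str]] = []
    recent: Dict[str, List[datetime]] = defaultdict(list)
    already_burst = set()
    records = sorted((parse_event(x) for x in xml_events), key=lambda r: r["TimeCreated"])
    for rec in records:
        if rec["EventID"] != EVENT_COMPUTER_CREATED:
            continue
        subject = f"{rec['SubjectDomainName']}\\{rec['SubjectUserName']}"
        computer = str(rec["TargetUserName"])
        when = rec["TimeCreated"]
        if subject.lower() not in allowed:
            findings.append(("unlisted_creator", subject, computer))
        times = recent[subject]
        times.append(when)
        times[:] = [t for t in times if when - t <= window]   # sliding window
        if len(times) >= burst_threshold and subject not in already_burst:
            already_burst.add(subject)
            findings.append(("burst", subject, computer))
    return findings


if __name__ == "__main__":
    for finding in detect_rogue_machine_accounts(SAMPLE_EVENTS, ["CORP\\svc-sccm"]):
        print(finding)
```

With the quota set to 0 the "unlisted_creator" rule alone is enough, because then any 4741 from a non-provisioning subject means someone holds the right directly; the burst rule is the fallback for domains where the default quota is still in place.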
Before you abuse it, you need to find it. Here is how to enumerate who holds this privilege, the same way HackTricks lays it out.
A machine account you created already has SPNs (HOST/ and RestrictedKrbHost/ for its name are set by default) and you chose its password, so requesting a TGS for it and cracking it offline gains nothing. What the SPN does matter for is that the account is a service principal: that is what lets it perform S4U2Self and S4U2Proxy in the delegation attack, and it is also why the account can later be abused as an ordinary Kerberoast or NTLM-relay target by anyone who does not know the password.
HackTricks and similar resources describe several exploitation techniques built on SeMachineAccountPrivilege. The key methods are:
If an attacker has GenericWrite, GenericAll, WriteDacl or WriteProperty on msDS-AllowedToActOnBehalfOfOtherIdentity over a target computer object (a file server, or in specific scenarios a Domain Controller), they can write the machine account they created into that attribute and then impersonate to that target any user who is not protected from delegation.
2. The Execution
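Both the GenericWrite/WriteProperty prerequisite above and the delegation step described earlier on this page come down to one LDAP attribute value. The following is an added example, not code from HackTricks or from this page: it builds the self-relative security descriptor that gets written into the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity, and decodes an existing value back into the SIDs it grants, which is the check a defender runs against every computer object. The SIDs are constructed placeholders; the 0xF01FF mask and the BUILTIN\Administrators owner and group match what impacket's rbcd.py writes. Nothing here talks to a domain.

```python
"""Build and decode msDS-AllowedToActOnBehalfOfOtherIdentity values.

Added example, not code from HackTricks or from this page. The attribute holds
a self-relative Windows security descriptor; the SIDs in its DACL's allow ACEs
are the principals permitted to delegate to the computer. The attacker writes
one naming the machine account they created; the defender decodes the existing
value to see who was granted that. SIDs used here are constructed placeholders.
"""
import struct
from typing import Iterable, List, Tuple

# Mask impacket's rbcd.py writes (983551 decimal) and the owner/group it uses.
RBCD_ACCESS_MASK = 0x000F01FF
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4
ACCESS_ALLOWED_ACE_TYPE = 0x00
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
_SD_HEADER = "<BBHIIII"   # Revision, Sbz1, Control, OffsetOwner/Group/Sacl/Dacl
_ACL_HEADER = "<BBHHH"    # AclRevision, Sbz1, AclSize, AceCount, Sbz2
_ACE_HEADER = "<BBHI"     # AceType, AceFlags, AceSize, Mask


def sid_to_bytes(sid: str) -> bytes:
    """Encode "S-1-5-21-..." into the binary SID layout."""
    parts = sid.split("-")
    if parts[0].upper() != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")                   # 48-bit, big-endian
            + b"".join(struct.pack("<I", s) for s in subs))  # little-endian


def bytes_to_sid(buf: bytes, offset: int = 0) -> Tuple[str, int]:
    """Decode a binary SID at offset; return (text, bytes consumed)."""
    revision, count = struct.unpack_from("<BB", buf, offset)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<" + "I" * count, buf, offset + 8)
    text = "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))
    return text, 8 + 4 * count


def build_rbcd_descriptor(allowed_sids: Iterable[str]) -> bytes:
    """Self-relative SD: owner/group BUILTIN\\Administrators, no SACL, one allow ACE per SID."""
    aces = b""
    count = 0
    for sid in allowed_sids:
        sid_bin = sid_to_bytes(sid)
        aces += struct.pack(_ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0,
                            8 + len(sid_bin), RBCD_ACCESS_MASK) + sid_bin
        count += 1
    dacl = struct.pack(_ACL_HEADER, ACL_REVISION_DS, 0, 8 + len(aces), count, 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    off_owner = struct.calcsize(_SD_HEADER)   # 20-byte header comes first
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)         # group SID is the same bytes as owner
    header = struct.pack(_SD_HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + owner + dacl


def allowed_to_act(descriptor: bytes) -> List[Tuple[str, int]]:
    """Return (SID, access mask) for every ACCESS_ALLOWED ACE in the DACL."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from(_SD_HEADER, descriptor, 0)
    if revision != 1 or not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []   # no DACL present: nobody is allowed to act
    _, _, _, ace_count, _ = struct.unpack_from(_ACL_HEADER, descriptor, off_dacl)
    pos = off_dacl + struct.calcsize(_ACL_HEADER)
    grants = []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from(_ACE_HEADER, descriptor, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(descriptor, pos + struct.calcsize(_ACE_HEADER))
            grants.append((sid, mask))
        pos += ace_size   # deny/object ACEs are skipped by their declared size
    return grants


if __name__ == "__main__":
    rogue = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID of the created computer
    value = build_rbcd_descriptor([rogue])
    print(value.hex())
    print(allowed_to_act(value))
```

On the attacking side the bytes returned by build_rbcd_descriptor are what gets written to the target with an LDAP modify; on the defending side, feeding every non-empty msDS-AllowedToActOnBehalfOfOtherIdentity value through allowed_to_act and comparing the SIDs against the computer accounts that should exist is the audit that catches a freshly created machine account showing up on a server it has no business delegating to.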
If you hold this privilege (the "Add workstations to domain" user right, granted to Authenticated Users by default and capped by ms-DS-MachineAccountQuota, which defaults to 10), you can create new domain computer accounts. Why is this dangerous?
Machine accounts are not just devices connected to the network; they are also identities within Active Directory, with their own password, SPNs and Kerberos tickets. Being able to create and manipulate them facilitates lateral movement, persistence and privilege escalation within a compromised domain. For instance, an attacker holding SeMachineAccountPrivilege can: