SeMachineAccountPrivilege HackTricks

Create a machine account with a name similar to a Domain Controller (e.g., DC1). Rename the account to DC1 (without the trailing $). Request a Kerberos ticket.

MATCH (u:User)-[r:MemberOf|AddMember|AllowedToAct*1..]->(c:Computer) WHERE u.name CONTAINS "your_compromised_user" RETURN u,r,c

By requesting a Kerberos TGT and then renaming the account back, they can often impersonate the DC itself, leading to full domain compromise. You can find detailed hunting strategies for this on Medium. Attackers create a machine account they control.

In most Active Directory environments, the default quota is:

When a user with this privilege creates a machine account, they are granted permissions over that specific object. This ownership is the "hook" that attackers use to manipulate AD attributes for malicious purposes.

If you have this privilege, you can create a new domain computer account. Why is this dangerous?

This is a classic "self-Kerberoast" and can reveal the password if it's weak.

If an attacker has "GenericWrite" or "WriteProperty" over a target computer object (e.g., a file server or even a Domain Controller in specific scenarios), they can use a machine account they created to impersonate any user to that target.

2. The Execution