net.exe vs C# - Adding Users and Changing Passwords

On a penetration test we were performing for a customer, an odd scenario popped up that led us to write some code. We found an account that could add itself to another domain group, typically an easy thing to do, right? However, when we ran net group /domain, we discovered that the group wasn't listed.

We knew that the group did exist, but when trying to view group details, such as group membership, or anything else about the group via the net command, all we got back was that the group name could not be found. At this point, we could not add our account to that specific group using net.exe.

This led us to look at how we could potentially use C# to join our user to the group. While we could not add the user to the group by its name, we did have the targeted group's SID. The GroupPrincipal.FindByIdentity method allows us to find a group by name, or we could also choose to find it by SID.

Code to find a group by its SID

Using the code above, we were able to specify the SID of the group and join our account to it successfully.

We also encountered another scenario where the net.exe application wasn't working as expected when we tried changing a domain account's password. Our account had the permission to do so; however, when we were trying to change the password with net.exe, we received error messages, and the password remained unchanged. This was also quickly resolved by writing some additional C# code.

Changing an account's password

We can use the SetPassword method to specify a password that we want to set for the account being targeted. While the net.exe command didn't work for us, this code snippet did, and we could modify the account's password.
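
An added example, not the authors' or EDD's module code, showing both operations described above with System.DirectoryServices.AccountManagement: resolving a group by SID before adding a member, and resetting a password with SetPassword. The class name, method names and command-line layout are assumptions made for illustration; the domain, SID, account name and password are supplied as arguments.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

static class DirectoryOps // hypothetical helper class, not part of EDD
{
    // Look the group up by SID (IdentityType.Sid) rather than by name, then add the member.
    public static void AddMemberBySid(string domain, string groupSid, string samAccountName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.Sid, groupSid))
        {
            if (group == null)
                throw new InvalidOperationException("No group found for SID " + groupSid);
            // Nothing to write if the account is already a member.
            if (group.Members.Contains(ctx, IdentityType.SamAccountName, samAccountName))
                return;
            group.Members.Add(ctx, IdentityType.SamAccountName, samAccountName);
            group.Save(); // commits the membership change to the directory
        }
    }

    // SetPassword is a reset: it does not take the old password, so the caller
    // needs reset-password rights on the target account.
    public static void ResetPassword(string domain, string samAccountName, string newPassword)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new InvalidOperationException("No such user: " + samAccountName);
            user.SetPassword(newPassword);
        }
    }

    static int Main(string[] args)
    {
        // Usage (all values supplied by the operator):
        //   DirectoryOps add   <domain> <group-sid> <samAccountName>
        //   DirectoryOps reset <domain> <samAccountName> <newPassword>
        if (args.Length == 4 && args[0] == "add")
            AddMemberBySid(args[1], args[2], args[3]);
        else if (args.Length == 4 && args[0] == "reset")
            ResetPassword(args[1], args[2], args[3]);
        else { Console.Error.WriteLine("usage: add|reset <domain> ..."); return 1; }
        return 0;
    }
}
```

Both calls are ordinary directory writes, so with account management auditing enabled the domain controller records them regardless of the client used: events 4728, 4732 or 4756 for a group membership addition and 4724 for a password reset.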

Both code snippets have been added into EDD as modules (along with a more basic module adding an account to a group via the group name). They have been published to its repo, so hopefully, if you encounter a similar scenario, these modules will be able to help save you some time!
