This article provides a detailed net rpc operations performed against the ignite.local domain (DC: 192.168.1.11).

Introduction

Active Directory (AD) is the backbone of identity and access management in enterprise Windows environments. The net rpc is one of the most efficient, stealthy, and versatile tools available for Active Directory attacks — precisely because it requires nothing beyond valid credentials and a standard Linux installation.

The said tool is part of the Samba suite on Linux, allowing communication with Windows systems over the Remote Procedure Call (RPC) and SMB protocols. It essentially gives a Linux machine the ability to talk to Windows Domain Controllers and perform administrative operations — the same ones a Windows admin would do through GUI tools like Active Directory Users and Computers.

Table of Contents:

• Introduction
• User Enumeration & Management
• Adding a New Domain User
• Deleting a Domain User
• Querying User Information
• Changing a User Password
• Group Enumeration & Management
• Listing All Domain Groups
• Adding & Deleting a Domain Group
• Listing Members of Domain Admins Group
• Adding & removing a member — ACL Abuse
• Share Enumeration
• Privilege & Rights Management
• Enumerating All Privileges
• Granting a Privilege to a User
• Remote Registry Manipulation
• Enumerating Registry Hive Keys
• Reading a Registry Value — RDP Status
• Modifying a Registry Value (Enabling RDP)
• Conclusion
• Mitigation Strategies

User Enumeration & Management

User enumeration is often the first step in Active Directory reconnaissance. Knowing the usernames present in a domain allows an attacker to build a target list for password spraying, brute-force, or phishing campaigns. The net rpc tool makes this trivially easy when valid credentials are available.

We will use the following command to find the authenticating users in the domain. -U in the command specifies the users, while -S points to the target domain controller.

net rpc user -U ignite.local/raj%'Password@1' -S 192.168.1.11

The output reveals 13 accounts, and each username is a potential target for password spraying, phishing, or credential stuffing. The presence of the krbtgt account confirms this is a genuine Active Directory domain. If an attacker obtains the NTLM hash of krbtgt, they can forge Kerberos tickets (Golden Ticket attack) and gain unrestricted access to the entire domain indefinitely.

Adding a New Domain User

To add a new domain user, we can use the following command:

net rpc user add kinjal 'Password@1' -U ignite.local/administrator%'Ignite@987' -S 192.168.1.11

Executing the above command confirms “Added user ‘kinjal’.” with no further prompts. The real danger here is persistence: a backdoor account planted with an unremarkable name blend into the existing user list and survives remediation of the original access vector.

Deleting a Domain User

To delete a domain user, we can use the following command:

net rpc user delete kinjal -U ignite.local/administrator%'Ignite@987' -S 192.168.1.11

Executing the above command confirms “Deleted user ‘kinjal’.” instantaneously. While this is used here to clean up the previously created test account, an adversary could weaponise this capability in multiple ways: erasing their own backdoor accounts after establishing alternative persistence, locking out key personnel during a critical operation by deleting their domain accounts, or contributing to broader destructive objectives in sabotage scenarios.

Querying User Information

To get detailed information of a domain user we can use the following command:

net rpc user info sanjeet -U ignite.local/raj%'Password@1' -S 192.168.1.11

The output shows sanjeet belongs to “Domain Users” only — no elevated group memberships. Running this command iteratively against every enumerated account builds a complete privilege map of the domain. Accounts with memberships in Domain Admins, Backup Operators, DnsAdmins, or Server Operators immediately become high-priority targets.

Changing a User Password

The following command will allow you to change the password of any desired user:

net rpc user password yashika Password@987 -U ignite.local/raj%'Password@1' -S 192.168.1.11

A standard domain user (raj) successfully resets another user’s password. This is not a feature of standard domain user rights — it is only possible because the Domain Controller has a misconfigured Access Control Entry (ACE) granting raj the ForceChangePassword right over yashika’s user object. This type of ACL misconfiguration is one of the most prevalent vulnerabilities discovered in real-world Active Directory environments. It enables silent account takeover without any administrative credentials, without any GUI interaction, and without generating the high-severity log events typically associated with administrative password resets.

Group Enumeration & Management

Active Directory groups define access boundaries. Understanding which groups exist, who belongs to privileged groups, and being able to modify group membership are core capabilities in any Active Directory attack or audit.

Listing All Domain Groups

To enumerate the domain groups, use the following command:

net rpc group -U ignite.local/raj%'Password@1' -S 192.168.1.11

The entire group catalogue is returned in a single query. From an attacker’s perspective, several groups stand out as critical targets. Domain Admins provides full control over every object in the domain. Enterprise Admins extends that control to the entire forest. Schema Admins can modify the AD schema itself. DnsAdmins can load arbitrary DLL files into the DNS service — a well-documented privilege escalation technique. Backup Operators can bypass NTFS permissions to read any file including the NTDS.dit database. Group Policy Creator Owners can deploy malicious Group Policy Objects to push code or configurations to every machine in the domain. This single query maps the entire privilege attack surface.

Adding & Deleting a Domain Group

To add a group, execute the following command:

net rpc group add sales -U ignite.local/administrator%'Ignite@987' -S 192.168.1.11

This command creates a new security group named “sales” in the Active Directory domain using administrator credentials. While creating a group itself is not inherently harmful, an attacker could create groups with names that mimic legitimate groups to confuse administrators or use newly created groups as containers to assign permissions to backdoor accounts in a way less obvious than directly adding users to Domain Admins.

To delete a group following command is used:

net rpc group delete sales -U ignite.local/administrator%'Ignite@987' -S 192.168.1.11

This command deletes the previously created “sales” group from Active Directory. It shows no confirmation, but a lack of errors indicates that the deletion succeeded. Removing groups can break access control if they were used to grant permissions to resources. Attackers may delete security groups during destructive operations to block legitimate users from accessing network resources.

Listing Members of Domain Admins Group

This command lists all members of the highly privileged “Domain Admins” group:

net rpc group members "Domain Admins" -U ignite.local/raj%'Password@1' -S 192.168.1.11

The fact that “aaru” is a Domain Admin is a critical finding. In a real penetration test, this account would immediately become a high‑priority target. If “aaru” is compromised via password spraying, phishing, or other credential theft, an attacker would obtain full domain administrator privileges. The principle of least privilege is violated if a regular user-style account (such as “aaru”) holds Domain Admin rights without strong justification. Domain Admin membership should be tightly limited, clearly documented, and audited on a regular basis.

Adding & Removing a Member – ACL Abuse

The following command is used to add a member:

net rpc group addmem "Domain Admins" raj -U ignite.local/raj%'Password@1' -S 192.168.1.11

Running the following command will delete a member:

net rpc group delmem "Domain Admins" raj -U ignite.local/raj%'Password@1' -S 192.168.1.11

This adding and removing of a user is a textbook Active Directory ACL abuse attack. A misconfigured Access Control Entry has granted raj the AddMember right on the Domain Admins group object. Without any administrator involvement, raj escalates from standard user to Domain Admin in a single command. The immediate follow-up — removing themselves from the group — is a deliberate OPSEC move. Many organisations only audit the current membership of privileged groups, not the historical changes. By cleaning up, the attacker erases the most obvious indicator of compromise while retaining domain admin access through other established footholds.

Share Enumeration

Following command lists all network shares hosted on the Domain Controller:

net rpc share -U ignite.local/raj%'Password@1' -S 192.168.1.11

Six shares are returned. ADMIN$ provides remote access to the Windows system directory and is a prerequisite for many lateral movement techniques including PsExec and Impacket’s smbexec. C$ exposes the entire root filesystem of the Domain Controller. IPC$ enables named pipe communications required by RPC-based tools. NETLOGON hosts logon scripts that execute on every domain user login — an attacker with write access can inject malicious code here. SYSVOL is readable by every authenticated domain user and historically contains Group Policy Preference (GPP) files that store reversibly encrypted administrator passwords — a vulnerability known as MS14-025. The custom NewShare warrants immediate investigation to assess what sensitive data it may expose to any authenticated domain user.

Privilege & Rights Management

Windows uses a system of user rights and privileges to control what actions accounts can perform beyond simple file access permissions. These privileges can be assigned to users or groups and represent some of the most powerful capabilities in the Windows security model.

Enumerating All Privileges

The command that is used to enumerate all the windows privileges is:

net rpc rights list -U ignite.local/raj%'Password@1' -S 192.168.1.11

All Windows User Rights are enumerated. The question marks next to each entry indicate that raj’s privileges are insufficient to view current assignments, but the full list of available rights is visible. The most dangerous privileges from an attacker’s perspective are: SeBackupPrivilege, which allows reading any file regardless of NTFS permissions — including the NTDS.dit Active Directory database and the SAM hive, enabling a full offline credential dump; SeDebugPrivilege, which allows attaching a debugger to any running process including LSASS, the target of credential-harvesting tools such as Mimikatz; SeImpersonatePrivilege, which enables token impersonation attacks using tools like PrintSpoofer or RoguePotato to escalate to SYSTEM; and SeLoadDriverPrivilege, which allows loading arbitrary kernel drivers and is a known vector for rootkit installation.

Granting a Privilege to a User

The command to give privileges to users is:

net rpc rights grant kinjal SeBackupPrivilege -U ignite.local/administrator%'Ignite@987' -S 192.168.1.11

The system confirms “Successfully granted rights.” SeBackupPrivilege allows its holder to bypass all file system access controls and read any file on the system, including the Active Directory database (NTDS.dit) and the SAM registry hive. An attacker who assigns this privilege to a backdoor account effectively creates a Domain Admin equivalent that never appears in the Domain Admins group membership, making it invisible to the most common privilege audit queries. This technique is actively used in post-exploitation frameworks and represents one of the stealthiest forms of privilege persistence available in Active Directory.

Remote Registry Manipulation

The Windows Registry is a hierarchical database that stores configuration settings for the operating system, applications, and security policies. Remote registry access via RPC allows an attacker to read and modify system configuration without any GUI access — enabling everything from credential harvesting to enabling Remote Desktop Protocol (RDP).

Enumerating Registry Hive Keys

This command enumerates the top-level keys within the HKEY_LOCAL_MACHINE (HKLM) registry hive on the remote domain controller.

net rpc registry enumerate 'HKLM' -U ignite.local/administrator%'Ignite@987' -S 192.168.1.11

Six root keys are returned: BCD00000000, HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM. The SAM hive holds local account credential hashes. The SECURITY hive contains LSA Secrets, which include cached domain credentials, service account passwords stored in plaintext, and the DPAPI master key used to decrypt user-stored secrets. The SYSTEM hive contains the boot key required to decrypt the SAM database offline. Together, SAM and SYSTEM are the minimum required to perform an offline pass-the-hash attack against any local account on the Domain Controller.

Reading a Registry Value — RDP Status

This command reads the registry value “fDenyTSConnections” from the Terminal Server control key.

net rpc registry getvalue 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections' -U ignite.local/administrator%'Ignite@987' -S 192.168.1.11

Executing the above command showed us that — RDP is currently disabled. Reading this value before making changes is deliberate reconnaissance: the attacker confirms the current state to understand what modification is needed, reduce the risk of error, and avoid generating unexpected connection failures that might alert a monitoring team. This read-then-write pattern mirrors the behaviour of legitimate administrators, further blending the activity into normal operational traffic.

Modifying a Registry Value (Enabling RDP)

The following command will writs the value 0 to the fDenyTSConnections registry key, effectively enabling Remote Desktop Protocol on the Domain Controller. After executing this command, the domain controller will accept RDP connections on TCP port 3389.

net rpc registry setvalue 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections' dword '0' -U ignite.local/administrator%'Ignite@987' -S 192.168.1.11

This is one of the most impactful operations demonstrated in this article. An attacker who has compromised domain administrator credentials can now establish a full graphical remote desktop session to the domain controller — giving them complete, persistent, and interactive access to the most privileged system in the entire environment.

Combined with the earlier technique of adding a backdoor user account, this creates a complete and stealthy persistence mechanism: a backdoor account with a known password can now RDP directly into the domain controller from anywhere on the network.

Security Implication: Remote registry writes to enable RDP should trigger immediate alerts in any mature security environment. This change should be monitored via Windows Event ID 4657 (registry value modified) and network detection of unexpected RDP connections to domain controllers.

Conclusion

The operations demonstrated against the ignite.local domain form a complete attack chain, progressing from initial reconnaissance through privilege escalation to establishing persistence. What makes this especially concerning is that net rpc relies on legitimate SMB and RPC protocols required for normal domain functionality, which makes malicious use hard to distinguish from routine administration without robust logging and behavioral analysis.

The key takeaway for defenders is that compromise of even a single standard user account can lead to full domain compromise when misconfigured ACLs, excessive privileges, or weak monitoring are present. In practice, Active Directory security is only as strong as the weakest permission granted to the lowest‑privilege account in the domain.

Mitigation Strategies

1. Enforce 14-character minimum passwords and enable MFA for all privileged accounts.
2. Add privileged accounts to the Protected Users group to prevent credential caching and delegation abuse.
3. Rotate the krbtgt password twice consecutively at least annually to invalidate any forged Kerberos tickets.
4. Run BloodHound or PingCastle quarterly to identify dangerous ACL paths such as GenericWrite, AddMember, or ForceChangePassword on privileged objects.
5. Limit Domain Admins, Enterprise Admins, and Schema Admins to a minimal, reviewed set of accounts and enforce JIT (Just-In-Time) privileged access.
6. Treat SeBackupPrivilege, SeDebugPrivilege, and SeImpersonatePrivilege as Domain Admin equivalents — audit and restrict assignments on all domain controllers.
7. Audit all User Rights Assignments via Group Policy on a scheduled basis and alert on any unexpected changes.
8. Scan SYSVOL for GPP cPassword fields and remove immediately; verify MS14-025 is applied across all domain controllers.
9. Disable RDP on all domain controllers by default; if required, restrict to specific management IPs and enforce Network Level Authentication (NLA).
10. Disable the Remote Registry service on domain controllers unless operationally required and restrict access via the winreg registry key.
11. Forward Windows Event IDs 4720, 4726, 4728, 4732, 4657, and 4625 to a SIEM with correlation rules for after-hours or high-frequency AD changes.
12. Deploy Microsoft Defender for Identity or equivalent NDR solution to detect LDAP enumeration, DCSync, and abnormal Kerberos activity.
13. Create honeypot Domain Admin accounts — any authentication attempt against them triggers an immediate high-severity alert.

Author: Ankur Pachauri is a Cyber Security Researcher, Penetration Tester, Red Teamer, Purple Team enthusiast. Contact him on Linkedin