Group membership will take its sweet time to be updated within the target user's TGT. To force the update, one may purge the existing tickets and request a new TGT:
Cmd > klist purge
Cmd > gpupdate /force
Cmd > dir \\dc1.megacorp.local\c$
WriteOwner on Group
Before the attack, the owner of Domain Admins is Domain Admins. If, after the ACE enumeration, we find that a user in our control has WriteOwner rights on ObjectType:All, we can change the Domain Admins object's owner to our user, which in our case is spotless. Note that the SID specified with -Identity is the SID of the Domain Admins group:
WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time the delegate user logs on, their system will execute our malicious script:
The delegate user's logon script field gets updated in AD.
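To audit for these rights before someone else finds them, the following added example (not part of the original page) parses an object's SDDL string, such as the one returned by `(Get-Acl "AD:\<DN>").Sddl`, and reports allow ACEs that hand WriteOwner, WriteDacl, GenericAll, or WriteProperty covering Script-Path to an unexpected trustee. The function name, the `TRUSTED` allow-list and the sample SIDs are assumptions made for illustration.

```python
import re

# Rights discussed on this page: SDDL token -> (name, access-mask bit).
RISKY = {"WO": ("WriteOwner", 0x00080000), "WD": ("WriteDacl", 0x00040000),
         "GA": ("GenericAll", 0x10000000), "WP": ("WriteProperty", 0x00000020)}
# schemaIDGUID of the Script-Path attribute in the default AD schema.
SCRIPT_PATH = "bf9679a8-0de6-11d0-a285-00aa003049e2"
# Assumed allow-list: SDDL aliases expected to hold these rights (DA, EA, BA, SYSTEM).
TRUSTED = {"DA", "EA", "BA", "SY"}


def risky_aces(sddl, trusted=TRUSTED):
    """Return (trustee, right, object_guid) for allow ACEs that give an
    unexpected trustee one of the RISKY rights."""
    findings = []
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # DACL only, not the SACL
    if not dacl:
        return findings
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, _, rights, obj_guid, _, trustee = fields[:6]
        if ace_type not in ("A", "OA") or trustee in trusted:
            continue
        if rights.lower().startswith("0x"):  # rights given as a hex access mask
            mask = int(rights, 16)
            held = [name for name, bit in RISKY.values() if mask & bit]
        else:  # rights given as concatenated two-letter tokens
            tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
            held = [RISKY[t][0] for t in RISKY if t in tokens]
        for name in held:
            # A scoped WriteProperty is reported only when it covers Script-Path.
            if name == "WriteProperty" and obj_guid.lower() not in ("", SCRIPT_PATH):
                continue
            findings.append((trustee, name, obj_guid.lower()))
    return findings


# Constructed sample DACL (made-up SIDs, one made-up attribute GUID).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = ("O:DAG:DAD:AI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
          f"(A;;WO;;;{DOM}-1105)"
          f"(OA;;WP;{SCRIPT_PATH};;{DOM}-1106)"
          f"(OA;;WP;00000000-0000-0000-0000-000000000001;;{DOM}-1106)"
          f"(A;;0xc0000;;;{DOM}-1107)"
          "S:AI(AU;SA;WDWO;;;WD)")

if __name__ == "__main__":
    for finding in risky_aces(SAMPLE):
        print(finding)
```

Any trustee it reports on a privileged group or user object should either be added to the allow-list deliberately or have the ACE removed.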
WriteDACL + WriteOwner
If you are the owner of a group and you have WriteDACL on that AD object, you can give yourself GenericAll privileges with a sprinkle of ADSI sorcery: