Merged
7 changes: 7 additions & 0 deletions TierZeroTable.csv
@@ -35,6 +35,13 @@ This security group was introduced in Windows Vista SP1, and it hasn't changed i
There are no known ways to abuse the membership of the group to compromise Tier Zero. The local privilege the group has on the domain controllers is considered security dependencies, and the group is therefore considered Tier Zero.";"MATCH (n:Group)
WHERE n.objectid ENDS WITH 'S-1-5-32-569'
RETURN n";YES;NO;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#cryptographic-operators
DHCP Administrators;AD group;Active Directory;CN: DHCP Administrators;"Members of the DHCP Administrators group have administrative access to DHCP servers. This group is created when the DHCP Server role is installed on a Windows Server. Members can view and modify all aspects of DHCP server configuration.

The security impact of this group depends on where the DHCP service is running. According to Akamai research, 57% of organizations have a DHCP server installed on a domain controller.";NO;YES - Takeover;IT DEPENDS;"DHCP Administrators can escalate privileges to Tier Zero when DHCP runs on domain controllers or Tier Zero systems. Akamai research demonstrates privilege escalation via DHCP option abuse, enabling Kerberos coercion attacks followed by AD CS relay attacks. This can lead to compromise of the DHCP machine account and potentially the domain controller.

When DHCP runs only on network appliances without access to domain infrastructure, the group is limited to Tier 1. However, with 57% of environments running DHCP on domain controllers, this represents a Tier Zero risk in common deployments.";"MATCH (n:Group)
WHERE n.name STARTS WITH 'DHCP ADMINISTRATORS@'
RETURN n";NO;NO;Community contribution;"https://www.akamai.com/blog/security-research/abusing-dhcp-administrators-group-for-privilege-escalation-in-windows-domains"
Distributed COM Users;DC group;Active Directory;SID: S-1-5-32-562;"Members of the Distributed COM Users group can launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as an SID until the domain controller is made the primary domain controller and it holds the operations master (also called the flexible single master operations or FSMO) role.

The Distributed COM Users group applies to the Windows Server operating system in Default Active Directory security groups.";NO;NO;YES;"The Distributed COM Users group has local privileges on domain controllers to launch, activate, and use Distributed COM objects but no privilege to log in.
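Review bot: The Cypher query in the added DHCP Administrators row matches on the group name ("WHERE n.name STARTS WITH 'DHCP ADMINISTRATORS@'"), while the row above matches on a SID suffix ("ENDS WITH 'S-1-5-32-569'"), so a renamed group will not be returned and nothing in the row tells the reader that. If there is no fixed SID to match on for this group, say so in the description so users know the query is best effort. Smaller points in the same row: the 57% figure appears twice with different scopes ("of organizations" and "of environments"), so state it once using the scope the linked Akamai post gives. The "network appliances" case conflicts with the row's own statement that the group is created when the DHCP Server role is installed on a Windows Server, so the lower-tier case would read more accurately as DHCP running on Windows servers that are not Tier Zero. The trailing columns also differ in style from the row above ("Community contribution" where that row has "1", and a quoted URL where that row leaves it unquoted), which is worth aligning.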