Hyper-V Administrators
Overview
Hyper-V Administrators have full access to all Hyper-V features. If Domain Controllers are virtualized, members should be considered Domain Admins due to their ability to clone VMs and extract NTDS.dit offline.
Virtual Machine Attack Vectors
Domain Controller VM Compromise
# Attack scenario:
1. Create clone of live Domain Controller VM
2. Mount virtual disk (.vhdx) offline
3. Extract NTDS.dit from mounted filesystem
4. Use secretsdump.py for credential extraction
Risk Assessment:
Virtualized DCs = Full domain compromise potential
VM cloning bypasses all online protections
Offline analysis undetectable by security tools
Hard Link Exploitation
Attack Mechanism
Target File Example
Exploitation Steps
Limitations
Patching Status
Alternative Vectors
Detection & Defense
Monitoring
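The VM cloning scenario above leaves traces on the Hyper-V host even though the offline NTDS.dit analysis itself does not. The following PowerShell is an added example, not from the original page: it audits Hyper-V Administrators membership against an allow-list, lists recent export/import operations from the VMMS admin log, and inventories VMs whose names suggest they are Domain Controllers. The allow-list and the DC naming pattern are assumptions to adapt per environment; matching on event message text is a heuristic because event IDs vary between Windows versions.

```powershell
# Added example (not from the original page). Run elevated on a Hyper-V host;
# requires the Hyper-V and Microsoft.PowerShell.LocalAccounts modules.

function Get-UnexpectedHyperVAdmins {
    param([string[]]$Approved)   # assumed allow-list of principals (DOMAIN\name)
    Get-LocalGroupMember -Group 'Hyper-V Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-VmExportActivity {
    param([int]$Days = 7)
    # The VMMS admin log records VM export/import operations. Message matching
    # is a heuristic (assumption); UserId is the SID of the invoking account.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Hyper-V-VMMS-Admin'
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'export|import' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                UserSid = $_.UserId
                Summary = ($_.Message -split "`n")[0]
            }
        }
}

function Get-LikelyDcVms {
    param([string]$NamePattern = 'DC')   # assumption: DCs carry 'DC' in the VM name
    # Hyper-V has no notion of a guest's role, so naming is the only local signal.
    Get-VM | Where-Object { $_.Name -match $NamePattern } |
        Select-Object Name, State, Path
}

# Placeholder allow-list; replace with the principals actually approved for the host.
$approved = @('CONTOSO\hv-admins')
Get-UnexpectedHyperVAdmins -Approved $approved | ForEach-Object {
    Write-Warning "Unexpected Hyper-V Administrators member: $($_.Name) ($($_.ObjectClass))"
}
Get-VmExportActivity -Days 7 | Format-Table -AutoSize
Get-LikelyDcVms | Format-Table -AutoSize
```

Any export of a VM returned by Get-LikelyDcVms by an account outside the allow-list is worth treating with the same severity as a Domain Admin credential exposure, in line with the risk assessment above.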
Hardening
Key Takeaways
Hyper-V Administrators = potential Domain Admin access on virtualized DCs
VM cloning attack most reliable vector
Hard link exploitation patched since March 2020
Virtualization security critical for domain protection
Hyper-V Administrators group represents significant risk in virtualized environments, particularly when Domain Controllers are virtualized.