The way the admin user is added should be changed to create a group and add the user of choice into this group, then assign the group to the local administrators.
I have only done testing around adding a user into an already created AD group, and then assigning that group to a GPO to gain access to domain controllers and servers. The current way is dangerous and will remove all previous users from the administrators group.
Using this option in an engagement is impossible due to the nature of being detected by removing admins from the servers' administrators group.
Just ran into this myself. Conducting a pentest, I found a GPO that authenticated users had write access to that was gplinked to the Domain Controller OU. Adding my initial breach user as a local admin kicked all domain admins out. If changing this behavior is not going to happen, the documentation should be updated to reflect what is happening so that people know the implications of the attack.