search

Security Descriptors

hashtag
Format

Security Descriptor Definition Language (SDDL) defines the format which is used to describe a security descriptor.

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

Detailed docs about SDDL:

LogoACE Strings - Win32 appsMicrosoftLearnchevron-right

hashtag
Exploitation

Once we have administrator privileges it is possible to create a backdoor by modifying Security Descriptors like Owner, primary group, DACL and SACL of multiple remote access methods to allow access to non-admin users.

hashtag
WMI - GUI

It is possible to add the non-admin user to the ACE using the Component Services and Computer Management.

Component Services
Computer Management

Apply to all namespaces

Computer Management

hashtag
WMI - PowerShell

ACE for built-in administrators for WMI namespaces A;CI;CCDCLCSWRPWPRCWD;;;SID

in order to get access to WMI namespaces attacker needs to create a new ACE with the SID to non-admin user which he controls.

ACLs can be modified to allow non-admin users using the RACE toolkitarrow-up-right:

triangle-exclamation

Require Domain Admin privileges

PS Remoting (not stable after August 2020 patches)

hashtag
Remote Registry

Reg backdoor using DAMParrow-up-right Tool allows to non-admin user to retrieve the hash of the computer, the SAM and cached credentials in the computer:

Last updated