Security Descriptors

Format

Security Descriptor Definition Language (SDDL) defines the format which is used to describe a security descriptor.

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

Detailed docs about SDDL:

Exploitation

Once we have administrator privileges, it is possible to create a backdoor by modifying the Security Descriptor components (Owner, primary group, DACL and SACL) of several remote access methods so that non-admin users are granted access.

WMI - GUI

It is possible to add an ACE for the non-admin user using Component Services and Computer Management.

[Screenshots: Component Services; Computer Management (Apply to all namespaces)]

WMI - PowerShell

ACE for built-in administrators on WMI namespaces: A;CI;CCDCLCSWRPWPRCWD;;;SID

To get access to WMI namespaces, the attacker needs to create a new ACE carrying the SID of the non-admin user they control.
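As an added example (not code from the original page or from the RACE toolkit), a small Python audit that parses the SDDL ACE format shown above, decodes the two-letter rights mnemonics the way a WMI namespace security descriptor interprets them, and reports allow ACEs whose trustee and rights are not in a known-good baseline. The baseline, the sample SDDL and the non-admin SID inside it are constructed for the example.

```python
import re

# Bit values of the SDDL rights mnemonics as interpreted on a WMI namespace
# (WMI reuses the generic directory-service mnemonics with its own meanings).
WMI_RIGHTS = {
    "CC": (0x00001, "WBEM_ENABLE"),
    "DC": (0x00002, "WBEM_METHOD_EXECUTE"),
    "LC": (0x00004, "WBEM_FULL_WRITE_REP"),
    "SW": (0x00008, "WBEM_PARTIAL_WRITE_REP"),
    "RP": (0x00010, "WBEM_WRITE_PROVIDER"),
    "WP": (0x00020, "WBEM_REMOTE_ACCESS"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_ace(ace: str) -> dict:
    """Split one ACE (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)."""
    fields = ace.strip("()").split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: {ace}")
    ace_type, flags, rights, _obj_guid, _inh_guid, sid = fields
    if rights.startswith("0x"):                 # SDDL may carry a raw hex mask
        mask = int(rights, 16)
        names = [n for bit, n in WMI_RIGHTS.values() if mask & bit]
    else:                                       # otherwise 2-letter mnemonics
        mask, names = 0, []
        for i in range(0, len(rights), 2):
            if rights[i:i + 2] not in WMI_RIGHTS:
                raise ValueError(f"unknown right {rights[i:i + 2]!r} in {ace}")
            bit, name = WMI_RIGHTS[rights[i:i + 2]]
            mask |= bit
            names.append(name)
    return {"type": ace_type, "flags": flags, "rights": rights,
            "mask": mask, "names": names, "sid": sid}

def parse_dacl(sddl: str) -> list:
    """Return the parsed ACEs of the D: (DACL) section of a full SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    return [parse_ace(m) for m in ACE_RE.findall(dacl)]

def audit(sddl: str, baseline: set) -> list:
    """Flag allow ACEs whose (trustee, rights mask) pair is not in the baseline."""
    return [ace for ace in parse_dacl(sddl)
            if ace["type"] == "A" and (ace["sid"], ace["mask"]) not in baseline]

# Constructed baseline: admins full control, service/authenticated users CCDCRP (0x13).
BASELINE = {("BA", 0x6003F), ("NS", 0x13), ("LS", 0x13), ("AU", 0x13)}
# Constructed sample: baseline ACEs plus a full-control ACE for a made-up domain SID.
SAMPLE_SDDL = ("O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)"
               "(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)"
               "(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-1111-2222-3333-1105)")
```

Run `audit(SAMPLE_SDDL, BASELINE)` on an SDDL captured from the namespace to list every allow ACE that deviates from the baseline, with its decoded WMI rights.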

ACLs can be modified to grant access to non-admin users using the RACE toolkit:

PS Remoting (not stable after August 2020 patches)

Remote Registry

A registry backdoor set with the DAMP tool allows a non-admin user to retrieve the computer account hash, the SAM and the cached credentials stored on the machine:
