From ad336b4d551010103a95847a34663441e63fe55a Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 9 Jun 2022 11:30:43 +0200 Subject: [PATCH] Privileged Access Management (PAM) Trust --- .../Active Directory Attack.md | 32 ++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 809fe026..aa4a24b9 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -102,6 +102,7 @@ - [Trust relationship between domains](#trust-relationship-between-domains) - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) - [Forest to Forest Compromise - Trust Ticket](#forest-to-forest-compromise---trust-ticket) + - [Privileged Access Management (PAM) Trust](#privileged-access-management-pam-trust) - [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation) - [SpoolService Abuse with Unconstrained Delegation](#spoolservice-abuse-with-unconstrained-delegation) - [MS-EFSRPC Abuse with Unconstrained Delegation](#ms---efsrpc-abuse-with-unconstrained-delegation) 
@@ -3030,6 +3031,34 @@ kirbikator lsa .\ticket.kirbi ls \\machine.domain.local\c$ ``` +### Privileged Access Management (PAM) Trust + +Require: Windows Server 2016 or earlier +If we compromise the bastion we get `Domain Admins` privileges on the other domain + +* Default configuration for PAM Trust + ```ps1 + # execute on our forest + netdom trust lab.local /domain:bastion.local /ForestTransitive:Yes + netdom trust lab.local /domain:bastion.local /EnableSIDHistory:Yes + netdom trust lab.local /domain:bastion.local /EnablePIMTrust:Yes + netdom trust lab.local /domain:bastion.local /Quarantine:No + # execute on our bastion + netdom trust bastion.local /domain:lab.local /ForestTransitive:Yes + ``` +* Enumerate + ```ps1 + # Using ADModule + Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)} + + # Enumerate shadow security principals + Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl + ``` +* Compromise + * Using SID History + * Using the previously found Shadow Security Principal + + ### Kerberos Unconstrained Delegation > The user sends a TGS to access the service, along with their TGT, and then the service can use the user's TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html 
@@ -3798,4 +3827,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Introducing MalSCCM - Phil Keeble -May 4, 2022](https://labs.nettitude.com/blog/introducing-malsccm/) * [Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923) - Oliver Lyak](https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4) * [bloodyAD and CVE-2022-26923 - soka - 11 May 2022](https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html) -* [DIVING INTO PRE-CREATED COMPUTER ACCOUNTS - May 10, 2022 - By Oddvar Moe](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/) \ No newline at end of file +* [DIVING INTO PRE-CREATED COMPUTER ACCOUNTS - May 10, 2022 - By Oddvar Moe](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/) +* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html) \ No newline at end of file
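Review bot: The prerequisite line `Require: Windows Server 2016 or earlier` in the new PAM Trust section has the version direction reversed: the PIM trust type that `/EnablePIMTrust:Yes` switches on was introduced with Windows Server 2016, so this should read `Requires: Windows Server 2016 or later`. Two further points in the same hunk: the bullet `Default configuration for PAM Trust` presents an explicit lab setup as a default, while `/EnableSIDHistory:Yes` and `/Quarantine:No` are deliberate choices that leave SID filtering off on the trust (exactly the condition the `SIDFilteringQuarantined -eq $False` enumeration filter keys on), so a label such as `Lab configuration for a PAM trust` would be more accurate and would tell readers which trust settings make this path relevant; and the two `Compromise` sub-bullets (`Using SID History`, `Using the previously found Shadow Security Principal`) are bare headings with no explanation, so either add a sentence each that points at the write-up cited in the references hunk or mark them as TODO so the section does not ship with empty items.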
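Review bot: The added reference line still ends without a trailing newline (the `\ No newline at end of file` marker simply moves from the Oddvar Moe entry to the new one), which is why this hunk shows the previous last entry as deleted and re-added; terminate the file with a newline so the next append to this list does not produce the same spurious change. Minor: the other entries in this list use `https://` URLs while the new one is `http://www.labofapenetrationtester.com/...`; check whether the site serves HTTPS and use it if so.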