Exploitation - ACL exploiting
Overview
Every Active Directory security principal object, uniquely identified by a Security Identifier (SID) across a domain, has a security descriptor, which dictates the trustees that are granted permissions over the object. The security descriptor is formatted according to the Security Descriptor Definition Language (SDDL) and is usually divided into two types of ACL:
A Discretionary Access Control List (DACL), which defines the trustees that are allowed or denied permissions to the object.
A System Access Control List (SACL), which can be used to log attempts to access the object.
The SDDL uses Access Control Entry (ACE) strings in the DACL and SACL components of a security descriptor string. Each ACE in a security descriptor string is composed of a trustee SID and an access mask defining the trustee's associated permissions / access rights. Moreover, a bit flag determines whether child containers or objects can inherit the ACE from the primary object to which the ACL is attached.
Each ACE in the SACL specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log.
Active Directory ExtendedRights
A number of extended rights (ExtendedRight) are defined by Active Directory to allow permission control on predefined tasks. Some of these tasks, detailed below, can be exploited to different ends:
AllExtendedRights (applies to: any object; GUID: 00000000-0000-0000-0000-000000000000): all ExtendedRight. On computer objects, includes the possibility to retrieve the LAPS password (if LAPS is deployed on the affected computers).
User-Force-Change-Password (applies to: user and computer accounts; GUID: 00299570-246d-11d0-a768-00aa006e0529): ExtendedRight that permits the resetting of a user account password.
DS-Replication-Get-Changes (applies to: domain root object; GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2): ExtendedRight that permits, in combination with DS-Replication-Get-Changes-All, replication requests through DRSUAPI functions.
DS-Replication-Get-Changes-All (applies to: domain root object; GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2): ExtendedRight that permits, in combination with DS-Replication-Get-Changes, replication requests through DRSUAPI functions.
Enumeration of DACL
Unitary enumeration
DSACLS.exe or Get-ACL from the Remote Server Administration Tools (RSAT) and PowerView's Get-DomainObjectAcl (previously Get-ObjectAcl) can be used to enumerate the DACL of an Active Directory object.
For a more fine-grained enumeration, and translation of extended rights GUIDs to human-readable names, the Active Directory Users and Computers (dsa.msc) utility, integrated in the Remote Server Administration Tools (RSAT) suite, can be used. dsa.msc can be started on machines outside of the domain, using a Pass-the-Hash attack, through the Microsoft Management Console (MMC) utility. For more information, refer to the Active Directory - Domain Recon note.
Domain-wide automated enumeration
The BloodHound ingestor SharpHound (ACL or All collection methods) and PingCastle's compromise graph can be used to automatically enumerate security objects' DACL in order to find exploitable paths. Refer to the Active Directory - AD scanners note for more information.
PowerView can also be used for domain-wide enumeration and filtering on potentially exploitable ACEs. The absence of multi-threading however prevents the use of such queries on larger Active Directory domains.
The AD ACL Scanner GUI tool, written in PowerShell, can be used to enumerate all the domain objects' ACL and export the result either to an HTML document or a csv / xml file. The scan can be run on all the domain objects or recursively on all objects in a specific Organizational Unit (Users, Computers, etc.).
For a full domain-wide scan, it is recommended to activate the following options:
Scan depth -> Subtree
Objects to scan -> All objects
View in report -> View Owner, Skip Default Permissions and SD Modified date
Output options -> Translate GUID's in CSV output (to convert the properties GUID into their name)
The following object classes may be specified in Objects to scan for a more targeted scan approach:
Admin SD Holders: (AdminCount=1)
For GPO: (objectClass=groupPolicyContainer)
Grouper2 can also be used, notably for a more thorough review of GPO, including the definition of user rights (Active Directory - GPO users rights) and permissions on scripts and MSI packages executed / deployed through GPO.
The exploitable permissions, presented below, are of particular interest if attributed to one of the following groups:
Everyone, SID: S-1-1-0
Anonymous, SID: S-1-5-7
Authenticated Users, SID: S-1-5-11
Users, SID: S-1-5-32-545
Domain Users, SID: S-1-5-<DOMAIN>-513
Domain Computers, SID: S-1-5-<DOMAIN>-515
Domain root object exploitation
The domain root object yields the replication rights on the domain, necessary to make use of the DRSUAPI replication functions, which can be leveraged to conduct a DCSync attack.
The privileges on the domain root object necessary to make replication requests through the DRSUAPI are as follows:
Replicating Directory Changes (Ds-Replication-Get-Changes, ACE GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)
Replicating Directory Changes All (Ds-Replication-Get-Changes-All, ACE GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)
The ownership of the domain root object, or the WriteOwner, WriteDACL or GenericAll (on all properties, i.e. the ObjectGuid of the ACE being equal to 00000000-0000-0000-0000-000000000000) privileges on the domain root object, can be, directly or indirectly, leveraged to grant the Ds-Replication-Get-Changes and Ds-Replication-Get-Changes-All privileges on the domain.
The privileges above can be exploited either using the GUI RSAT's dsa.msc utility or using the following PowerView PowerShell cmdlets:
Alternatively, a more manual approach, using the RSAT Get-Acl and Set-Acl PowerShell cmdlets, can be conducted (script largely inspired from gdedrouas's Exchange-AD-Privesc):
Users and groups permissions exploitation
Summary
The access rights detailed below can be exploited to gain control over an Active Directory object.
The GenericAll and WriteProperty rights apply over the attribute specified by its ObjectGuid (ObjectType property from the PowerShell cmdlet). If the ObjectGuid is equal to 00000000-0000-0000-0000-000000000000, the right applies to all the properties of the object.
If the InheritedObjectType (PropagationFlags) is set to InheritOnly, the access right defined by the ACE only applies to the child objects and not to the object itself.
User - GenericAll (RIGHT_GENERIC_ALL)
Full rights on the security object (including WriteOwner and WriteDacl rights), can be used to change the user password.
User - GenericWrite (RIGHT_GENERIC_WRITE)
The associated Rights-GUID should normally be undefined (if retrieved using PowerView) or equal to 00000000-0000-0000-0000-000000000000. Ability to update (almost) all property values of any non-protected object, and notably to update the Script-Path or servicePrincipalName properties. Does not provide the ability to reset a user password. Equivalent to: RIGHT_READ_CONTROL | RIGHT_DS_WRITE_PROPERTY (on all properties) | RIGHT_DS_WRITE_PROPERTY_EXTENDED.
User - WriteProperty (RIGHT_DS_WRITE_PROPERTY) to all properties
Rights-GUID undefined (if retrieved using PowerView) or equal to 00000000-0000-0000-0000-000000000000. Similar to the GenericWrite right.
User - ExtendedRight (RIGHT_DS_WRITE_PROPERTY_EXTENDED)'s ForceChangePassword
Rights-GUID: 00299570-246d-11d0-a768-00aa006e0529. Ability to change the user password without knowledge of the user's current password.
User - AllExtendedRights (RIGHT_DS_WRITE_PROPERTY_EXTENDED)
ActiveDirectoryRights: ExtendedRight and Rights-GUID undefined (if retrieved using PowerView) or equal to 00000000-0000-0000-0000-000000000000. Ability to perform any action associated with extended Active Directory rights against the object, and notably ForceChangePassword, which can be used to change the user password.
User - WriteOwner (RIGHT_WRITE_OWNER)
Ability to change the owner of the user, thus granting complete control over the user and notably the ability to change the user's password.
User - WriteDacl (RIGHT_WRITE_DAC)
Ability to change the DACL of the user, thus granting complete control over the user and notably the ability to add an ACE to change the user's password.
User - WriteProperty (RIGHT_DS_WRITE_PROPERTY) to Script-Path
Rights-GUID: bf9679a8-0de6-11d0-a285-00aa003049e2. Ability to update the user logon script path, which will be executed on the system upon user logon.
User - WriteProperty (RIGHT_DS_WRITE_PROPERTY) to Public-Information or Public-Information/servicePrincipalName
Public-Information's Rights-GUID: e48d0154-bcf8-11d1-8702-00c04fb96050. servicePrincipalName's Rights-GUID: f3a64788-5306-11d1-a9c5-0000f80367c1. The ability to define or update the Public-Information allows to define or write a user servicePrincipalName, which exposes the account to Kerberoasting.
User - WriteProperty (RIGHT_DS_WRITE_PROPERTY) to Public-Information or Public-Information/User-Principal-Name and Public-Information/Alt-Security-Identities
Public-Information's Rights-GUID: e48d0154-bcf8-11d1-8702-00c04fb96050. User-Principal-Name's Rights-GUID: 28630ebb-41d5-11d1-a9c1-0000f80367c1. Alt-Security-Identities's Rights-GUID: 00fbf30c-91fe-11d1-aebc-0000f80367c1. The ability to define or update the Public-Information allows to define or write the User-Principal-Name or Alt-Security-Identities, which can be used to authenticate using a controlled trusted certificate.
User - WriteProperty (RIGHT_DS_WRITE_PROPERTY) to msDS-KeyCredentialLink
msDS-KeyCredentialLink's Rights-GUID: 5b47d60f-6090-40b2-9f37-2a4de88f3063. The ability to define or update the msDS-KeyCredentialLink attribute allows to set a Key Credential to request a TGT for the user through PKINIT authentication (Key Trust model).
Group - GenericAll (RIGHT_GENERIC_ALL)
Full rights on the security object (including WriteOwner and WriteDacl rights), can be used to add a user to the group.
Group - GenericWrite (RIGHT_GENERIC_WRITE)
The associated Rights-GUID should normally be undefined (if retrieved using PowerView) or equal to 00000000-0000-0000-0000-000000000000. Ability to update (almost) all attributes of any non-protected object, and notably the member attribute, thus allowing oneself to add other security principals to the group. Equivalent to: RIGHT_READ_CONTROL | RIGHT_DS_WRITE_PROPERTY (on all properties) | RIGHT_DS_WRITE_PROPERTY_EXTENDED.
Group - WriteProperty (RIGHT_DS_WRITE_PROPERTY) to all properties
Rights-GUID undefined (if retrieved using PowerView) or equal to 00000000-0000-0000-0000-000000000000. Similar to the GenericWrite right.
Group - Self: All validated write or Self-Membership (RIGHT_DS_WRITE_PROPERTY_EXTENDED)
All validated write: Rights-GUID undefined (if retrieved using PowerView) or equal to 00000000-0000-0000-0000-000000000000. Self-Membership's Rights-GUID: bf9679c0-0de6-11d0-a285-00aa003049e2. Ability to update any non-protected group's membership by adding / removing one's own account to / from the group.
Group - WriteOwner (RIGHT_WRITE_OWNER)
Ability to change the owner of the group, thus granting complete control over the group and notably the ability to add other security objects to the group.
Group - WriteDacl (RIGHT_WRITE_DAC)
Ability to change the DACL of the group, thus granting complete control over the group and notably the ability to add other security objects to the group.
Group - WriteProperty (RIGHT_DS_WRITE_PROPERTY) to the Member attribute
Member's Rights-GUID: bf9679c0-0de6-11d0-a285-00aa003049e2. Ability to update any non-protected group's membership, thus allowing to add other security principals to the group.
User - GenericAll / ExtendedRight's ForceChangePassword / AllExtendedRights
The net user built-in utility, RSAT's Set-ADAccountPassword / PowerView's Set-DomainUserPassword PowerShell cmdlets, and mimikatz's lsadump::setntlm function can be used to reset a vulnerable user's password:
User - GenericWrite / Write-Property to all attributes or to the Script-Path attribute
The RSAT's Set-ADObject and PowerView's Set-DomainObject PowerShell cmdlets can be used to modify the properties of a security object.
User - GenericWrite / Write-Property to all attributes or to the Public-Information/servicePrincipalName attribute
The Public-Information attribute contains, among others, the User-Principal-Name and Alt-Security-Identities properties. The ObjectType of the Public-Information is e48d0154-bcf8-11d1-8702-00c04fb96050.
The RSAT's Set-ADUser PowerShell cmdlet can be used to define or update the specified user's servicePrincipalName.
User - GenericWrite / Write-Property to all attributes or to the Public-Information/User-Principal-Name & Public-Information/Alt-Security-Identities attributes
The Public-Information attribute contains, among others, the User-Principal-Name and Alt-Security-Identities properties. The ObjectType of the Public-Information is e48d0154-bcf8-11d1-8702-00c04fb96050.
A certificate issued by a Certificate Authority (CA) trusted by the domain must be controlled in order to be able to authenticate using a certificate. The certificate must allow for remote client authentication, meaning the EnhancedKeyUsageList certificate attribute must contain the value (1.3.6.1.5.5.7.3.2). If so, the certificate will be marked as:
The following utilities can be used to interact with the Windows certificate stores:
Setting the User-Principal-Name and Alt-Security-Identities properties is more easily done through the Microsoft Management Console (MMC) utility. The properties should be set to the RFC822 name format found in the certificate details using the mmc.exe utility.
Once the modification is made, the kekeo tool can be used to request a Ticket-Granting Ticket (TGT) for the targeted security principal:
Note that in order to get around the replication time between Domain Controllers, it is recommended to request the TGT from the KDC of the Domain Controller on which the user object update was made.
User - GenericWrite / Write-Property to all attributes or to the msDS-KeyCredentialLink attribute
The ability to write a principal (user or computer object)'s msDS-KeyCredentialLink attribute can lead to the retrieval of the principal's NTLM hash.
A user's msDS-KeyCredentialLink attribute holds Key Credentials information for the given user. Key Credentials are part of the Key Trust model, introduced to support PKINIT authentication in environments without a Public Key Infrastructure (PKI) trusted by Active Directory (as required to implement the Certificate Trust model).
PKINIT is a Kerberos preauthentication mechanism which uses digital certificates to mutually authenticate the Key Distribution Center (KDC) and clients for Ticket Granting Ticket (TGT) requests (in AS-REQ and AS-REP messages). In environments with a PKI trusted by both parties, such as Active Directory Certificate Services (ADCS), digital certificates generated and signed by the trusted Certificate Authority (CA) are used for the PKINIT authentication. However, to support password-less authentication through PKINIT (for example Windows Hello) in environments without a trusted PKI, the Key Trust model was introduced. In this model, PKINIT authentication is established using a client's public key that is stored as a Key Credentials object in its msDS-KeyCredentialLink attribute. The ability to modify a user (or computer) object's msDS-KeyCredentialLink attribute can thus be used to obtain a TGT for the principal through a PKINIT authentication.
To support subsequent NTLM SSO authentications for users that authenticated using PKINIT, Kerberos User-to-User (U2U) special service tickets (ST) allow a client to retrieve their NTLM hash. For more information on User-to-User (U2U) ST, refer to the [ActiveDirectory] Certificate Services note (NTHash retrieval through User-to-User (U2U) special service tickets section).
The Whisker C# tool can be used to automate the generation of public / private keys and the modification of a targeted object's msDS-KeyCredentialLink attribute (given sufficient privileges). Using the generated private key, a TGT and subsequently a U2U ST can be requested using Rubeus (Whisker will print the Rubeus command to request both tickets).
Group - GenericAll / GenericWrite / AddMembers / AllExtendedRights / WriteProperty to all properties / WriteProperty to the Member attribute / Self all or Self-Membership
Generic Write access grants the ability to write to any non-protected attribute on the target object, including members for a group.
net group, RSAT's Add-ADGroupMember, and PowerView's Add-DomainGroupMember PowerShell cmdlets can be used to add other security objects to the specified group. Additionally, the Active Directory Users and Computers snap-in can be used to add or remove members from Active Directory groups using a graphical interface.
Note that the Self-Membership right does not seem to be exploitable using the net group command but can be exploited using the PowerShell ActiveDirectory module's Add-ADGroupMember.
User / group - WriteOwner
The RSAT Get-ACL and Set-ACL, and PowerView's Set-DomainObjectOwner PowerShell cmdlets can be used to change the owner of a security object. Being the owner of a user can be leveraged to change the user password, and being the owner of a group allows for the addition of other security objects to the group.
User / group - WriteDacl
PowerView's Add-DomainObjectAcl and the ActiveDirectory module's Get-Acl / Set-Acl PowerShell cmdlets can be used to modify the specified object's ACL.
Add-DomainObjectAcl can be used to add the following rights: GenericAll and ExtendedRight's ForceChangePassword. The WriteMembers option is documented as WriteProperty to the Member attribute but is non-functional.
Additionally, the Active Directory Users and Computers snap-in can be used to modify ACL using a graphical interface.
Automated exploitation
The PowerShell cmdlet Invoke-ACLpwn, leveraging SharpHound.exe and thus .NET 3.5, can be used to exhaustively enumerate the domain security principal objects' DACLs and find potential paths leading to privilege escalation.
Note that Invoke-ACLpwn will actively add the specified user to security groups it has control over.
Computer machine account ACL exploitation
Summary
Computer - GenericAll (RIGHT_GENERIC_ALL)
Full rights on the computer account (including WriteOwner and WriteDacl rights), sufficient for all the following compromise techniques.
Computer - WriteOwner (RIGHT_WRITE_OWNER)
Ability to change the owner of the computer account, granting sufficient privileges for all the following compromise techniques.
Computer - WriteDacl (RIGHT_WRITE_DAC)
Ability to change the DACL of the computer account, allowing oneself to grant any rights on the computer account.
Computer - AllExtendedRights (RIGHT_DS_WRITE_PROPERTY_EXTENDED)
ActiveDirectoryRights: ExtendedRight and Rights-GUID undefined (if retrieved using PowerView) or equal to 00000000-0000-0000-0000-000000000000. Ability to perform any action associated with extended Active Directory rights against the object. Includes the possibility to retrieve the LAPS password (if LAPS is deployed on the affected computers) or reset the computer account password.
Computer - ExtendedRight (RIGHT_DS_WRITE_PROPERTY_EXTENDED)'s ForceChangePassword
Rights-GUID: 00299570-246d-11d0-a768-00aa006e0529. Ability to change the computer account password without knowledge of the current password, which can be leveraged to impersonate the computer account from an Active Directory standpoint. The password update will not be replicated on the computer itself, preventing remote code execution (through Kerberos service tickets) and greatly impacting the computer operability.
Computer - GenericWrite (RIGHT_GENERIC_WRITE) / WriteProperty (RIGHT_DS_WRITE_PROPERTY) to all properties
The associated Rights-GUID should normally be undefined (if retrieved using PowerView) or equal to 00000000-0000-0000-0000-000000000000. Ability to update all (non-protected) attributes of the computer account and notably the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. Does not provide the ability to reset a computer account password.
Computer - GenericWrite / WriteProperty to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute
msDS-AllowedToActOnBehalfOfOtherIdentity's Rights-GUID: 3f78c3e5-f79a-46bd-a0b8-9d18116ddc79. Ability to write a computer account's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which can lead to remote code execution on the targeted computer through Kerberos resource-based constrained delegation.
Computer - WriteProperty (RIGHT_DS_WRITE_PROPERTY) to msDS-KeyCredentialLink
msDS-KeyCredentialLink's Rights-GUID: 5b47d60f-6090-40b2-9f37-2a4de88f3063. The ability to define or update the msDS-KeyCredentialLink attribute allows to set a Key Credential to request a TGT for the machine account through PKINIT authentication (Key Trust model). A User-to-User TGT can be requested, permitting the retrieval of the machine account NTLM hash and ultimately leading to remote code execution on the host (through silver tickets for instance).
LAPS password (ms-Mcs-AdmPwd attribute)
The Microsoft Local Administrator Password Solution (LAPS) provides management capacity for the local account passwords of domain-joined computers. Whenever LAPS is installed in an Active Directory domain, the domain schema is modified with the addition of two attributes for the computer machine objects:
ms-Mcs-AdmPwd, a confidential attribute, which can store one of the machine's local account passwords (such as the local built-in Administrator for example).
ms-Mcs-AdmPwdExpirationTime, which defines the expiration date of the stored password.
The access to the LAPS password is protected through the ACL defined on the computer machine account and its ms-Mcs-AdmPwd attribute. By default, only the members of the Domain Admins group can access (ReadProperty) the LAPS password. The right to access the LAPS password is usually delegated, through utilities such as Set-AdmPwdReadPasswordPermission, at the Organisational Unit (OU) level, to be applied to every computer object in the OU.
The PowerShell cmdlets of the ActiveDirectory module and the LAPSToolkit suite, based on PowerView, can be used to enumerate the access to the LAPS password:
Kerberos delegation (msDS-AllowedToActOnBehalfOfOtherIdentity attribute)
The right to write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a domain machine account can lead to the remote compromise of the machine, through the exploitation of the Kerberos resource-based constrained delegation implementation. It authorizes the service accounts specified in the computer account's msDS-AllowedToActOnBehalfOfOtherIdentity attribute to impersonate other users on the computer account through delegated / S4U2self service tickets.
This right may be granted:
specifically, through WriteProperty / GenericWrite on the msDS-AllowedToActOnBehalfOfOtherIdentity attribute (GUID: 3f78c3e5-f79a-46bd-a0b8-9d18116ddc79),
indirectly, through ownership of the machine account,
directly and indirectly, through broader control rights on the machine account (GenericAll, WriteOwner, WriteDACL, WriteProperty / GenericWrite on all attributes).
Refer to the [ActiveDirectory] Kerberos delegations note for more information on how to conduct the machine takeover (after acquiring the right to write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a targeted machine).
WriteOwner to WriteProperty msDS-AllowedToActOnBehalfOfOtherIdentity
PowerView's Set-DomainObjectOwner PowerShell cmdlet can be used to change the owner of a domain service or machine account. Ownership of a domain service or machine account can be subsequently leveraged, using PowerView's Add-DomainObjectAcl PowerShell cmdlet, to modify the object's ACL in order to obtain the right to modify its msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
Ownership / WriteDACL to WriteProperty msDS-AllowedToActOnBehalfOfOtherIdentity
PowerView's Add-DomainObjectAcl PowerShell cmdlet can be used to modify the targeted domain service or machine account's ACL in order to grant the specified security principal the WriteProperty right on the targeted account's msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
Computer account's password reset
The right to reset (ExtendedRight's ForceChangePassword) a computer account's password can be leveraged to impersonate the computer account from an Active Directory standpoint. The password update will not be replicated by the Active Directory services to the computer itself. Remote code execution on the computer (through Kerberos service tickets) thus cannot be achieved through a reset of the computer account's password in Active Directory.
Resetting a computer account's password using the technique below will greatly impact the computer operability. For instance, the computer will no longer be able to process domain logons (error: The trust relationship between this workstation and the primary domain failed). If conducted on a Domain Controller machine account, the targeted Domain Controller would not be able to authenticate to other Domain Controllers for replication operations.
This attack path can notably be leveraged on computer accounts that are granted the rights to conduct replication operations through the DRSUAPI (Ds-Replication-Get-Changes and / or Ds-Replication-Get-Changes-All rights), such as Domain Controllers.
The net Windows built-in utility and mimikatz's lsadump::setntlm function can be used to reset a computer account's password. As the Domain Controller that will process the modification cannot be specified using the net utility, it is recommended to use mimikatz. Knowledge of the Domain Controller on which the update took place is indeed necessary for further authentication using the computer account without waiting for the replication of the new password across the domain. Additionally, mimikatz allows the specification of an NTLM hash, which can be used to eventually restore the original computer account password.
Ability to write the msDS-KeyCredentialLink attribute
The ability to write a computer object's msDS-KeyCredentialLink attribute can lead to the retrieval of the computer account's NTLM hash. Refer to the User - GenericWrite / Write-Property to all attributes or to the msDS-KeyCredentialLink attribute section of the present note for more information and tooling to modify a computer object's msDS-KeyCredentialLink attribute and retrieve its NTLM hash.
Using the retrieved computer account's NTLM hash:
Authenticated Active Directory requests can be made under the identity of the computer account.
Remote code execution can be achieved on the computer using silver tickets. A service ticket (ST) to the host's services (HOST/<MACHINE_HOSTNAME> for instance) can indeed be forged using the NTLM hash (which corresponds to the Kerberos RC4 key) of the computer account. Any privileged principal can be impersonated in the forged ST in order to remotely execute code on the targeted host. Refer to the [ActiveDirectory] Exploitation - Kerberos Silver Tickets note for more information on how to craft and use silver tickets for remote code execution.
group Managed Service Accounts (gMSA)
The ability to write a group Managed Service Account (gMSA) object's msDS-GroupMSAMembership attribute can lead to the retrieval of the gMSA account's password. The right can be held directly (WriteProperty on the msDS-GroupMSAMembership attribute - Rights-GUID: 888eedd6-ce04-df40-b462-b8a50e41ba38) or indirectly (GenericAll, WriteOwner, or WriteDacl).
For more information on gMSAs, as well as tools and techniques to retrieve and use a gMSA's password, refer to the [ActiveDirectory] gMS accounts note.
gMSAs ACL enumeration
The following PowerShell code snippet leverages the PowerShell ActiveDirectory module to retrieve the principals with the direct or indirect rights to modify gMSAs' msDS-GroupMSAMembership attribute.
GenericAll | Write-Property to all attributes or to the msDS-GroupMSAMembership attribute
The following PowerShell code snippet uses cmdlets from the PowerShell ActiveDirectory module to add a principal to the msDS-GroupMSAMembership attribute of a specified gMSA (while preserving the existing entries):
GPO ACEs exploitation
GPO enforcement
A GPO can be linked to an Organizational Unit (OU) but not necessarily applied, as an OU can block inheritance on a non-enforced linked (GPLink) GPO, or a conflicting GPO with a higher precedence order may supplant the exploitable GPO.
The precedence order follows the principle that, in case of conflicting settings in GPOs, the last GPO applied will overwrite any settings applied earlier, and the GPO closest to the client location in the directory structure will be applied last. Concretely, the precedence order is as follows (from the applied first / lowest in the precedence order to the applied last / highest in the precedence order):
local GPO
site GPO
domain GPO
OU (for nested OUs, the GPO closer to the object being the highest in the precedence order)
Other mechanisms, such as WMI filtering (which restrains the application of the GPO depending on the result of a true / false WMI query), or Security filtering (which restrains the application to specific members - users and groups - of security groups) may further influence the GPO enforcement.
For now, BloodHound takes into account the block inheritance / enforced mechanism but not the precedence order nor the WMI filtering and security filtering.
PowerView can also be used to find where exploitable GPOs are linked and possibly applied by retrieving the GPLink attribute of an OU. However, this will not take into account the rules of inheritance and precedence.
Exploitable access rights
The following access rights can be exploited to ultimately edit a GPO:
WriteProperty: right to modify the GPO. This specific right is assigned when delegating the permission Edit settings through the Group Management Policy Console (GMPC). Note that if the attribute ObjectAceFlags has the value ObjectAceTypePresent, then only the property identified by the ObjectAceType attribute will be editable.
WriteOwner: ability to change the owner of the GPO, thus granting complete control over the GPO and notably the ability to edit it. This right is assigned when delegating the permission Edit settings, delete, modify security through the Group Management Policy Console (GMPC).
WriteDacl: ability to change the DACL of the GPO object, thus granting complete control over the GPO and notably the ability to edit it. This right is assigned when delegating the permission Edit settings, delete, modify security through the Group Management Policy Console (GMPC).
GenericAll: full rights on the GPO object (including WriteProperty, WriteOwner and WriteDacl). This right can only be assigned through the Advanced Security Settings of the Group Management Policy Console (GMPC) (Full control) or by manually modifying the GPO object's ACL.
GenericWrite: ability to update (almost) all property values of any non-protected object. Similar to WriteProperty to all properties. Does not appear to be settable through the Group Management Policy Console (GMPC).
The WriteOwner access right can be exploited to take ownership of the GPO folder in the SYSVOL share using the Windows Explorer utility. The advanced Security properties (Right click -> Properties -> Security -> Advanced) have an option to change the GPO owner.
Version numbers
A GPO can be modified by directly editing the GPO files in the SYSVOL directory. However, if doing so, a number of parameters must also be updated. Indeed, the versionNumber attribute of the GPO object and the Version attribute within the GPT.ini file in the SYSVOL must be increased, otherwise the change made to the GPO won't be replicated to other domain controllers and clients will not pull the changes during the normal GPO update cycle.
The GPT.ini, located in \\<DOMAIN>\SYSVOL\<DOMAIN_FQDN>\Policies\<GPO_GUID>, is a simple text file that can be edited using any text editor or with the following PowerShell one-liner:
The versionNumber attribute of the GPO object can be modified using PowerView. Note that the Group Policy module for PowerShell does not provide any editing cmdlets for existing GPOs.
gPCMachineExtensionNames / gPCUserExtensionNames
The gPCMachineExtensionNames or gPCUserExtensionNames attributes of a GPO object refer to the machine / user settings modified.
For example, the following GUID must be added in the gPCMachineExtensionNames attribute in order to make possible the creation of a new user and/or the update of a local group of the computer the GPO is applied to:
The gPCMachineExtensionNames and gPCUserExtensionNames attributes of the GPO object can be modified using PowerView. Note that the Group Policy module for PowerShell does not provide any editing cmdlets for existing GPOs:
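A defender-side consistency check for the two mechanisms described in the Version numbers and gPCMachineExtensionNames / gPCUserExtensionNames sections above, added here as an example and not code from the original notes: it compares the versionNumber exported from the GPO object (PowerView, Get-ADObject or a similar dump) with the Version key of the GPT.ini copied from SYSVOL, and diffs the extension-names attribute against a baseline snapshot, so that GPO files edited outside the Group Policy tooling, or a client-side extension newly registered on a GPO, stand out. It assumes the MS-GPOL packing of versionNumber (user version in the high 16 bits, computer version in the low 16 bits), which the notes do not state; every GUID in the sample is a constructed placeholder. Python is used so that it runs offline on exported values.

```python
"""Offline consistency checks for a GPO's version and extension metadata.

Added example for this page, not code from the original notes. Input is the
versionNumber exported from the GPO object, the GPT.ini text copied from
SYSVOL, and the gPC*ExtensionNames value with a baseline to compare against.
Assumption not stated on the page (documented in MS-GPOL): versionNumber packs
the user settings version in the high 16 bits and the computer settings
version in the low 16 bits. All GUIDs below are constructed placeholders.
"""
from __future__ import annotations

import re
from configparser import ConfigParser

GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
GROUP_RE = re.compile(r"\[([^\]]*)\]")


def split_version(version_number: int) -> tuple[int, int]:
    """Return (user_version, computer_version) from the packed attribute."""
    return (version_number >> 16) & 0xFFFF, version_number & 0xFFFF


def gpt_ini_version(gpt_ini_text: str) -> int:
    """Read the Version key from the [General] section of a GPT.ini file."""
    parser = ConfigParser()
    parser.read_string(gpt_ini_text)
    return parser.getint("General", "Version")


def parse_extension_names(value: str) -> dict[str, list[str]]:
    """Parse '[{CSE}{tool}...][{CSE}{tool}...]' into {CSE GUID: [tool GUIDs]}.

    The first GUID of each bracketed group is the client-side extension (CSE)
    that processes the settings; the following ones are the tool extensions.
    """
    parsed: dict[str, list[str]] = {}
    for group in GROUP_RE.findall(value or ""):
        guids = [g.upper() for g in GUID_RE.findall(group)]
        if guids:
            parsed[guids[0]] = guids[1:]
    return parsed


def audit_gpo(ad_version_number: int, gpt_ini_text: str,
              current_extensions: str, baseline_extensions: str) -> list[str]:
    """Return human-readable findings; an empty list means AD and SYSVOL agree."""
    findings = []
    ini_version = gpt_ini_version(gpt_ini_text)
    if ad_version_number != ini_version:
        ad_user, ad_computer = split_version(ad_version_number)
        ini_user, ini_computer = split_version(ini_version)
        findings.append(
            f"version mismatch: AD versionNumber={ad_version_number} "
            f"(user={ad_user}, computer={ad_computer}) vs GPT.ini Version={ini_version} "
            f"(user={ini_user}, computer={ini_computer})")
    before = parse_extension_names(baseline_extensions)
    after = parse_extension_names(current_extensions)
    for cse in sorted(set(after) - set(before)):
        findings.append(f"new client-side extension registered: {{{cse}}}")
    for cse in sorted(set(before) - set(after)):
        findings.append(f"client-side extension removed: {{{cse}}}")
    return findings


# Constructed sample input: 65539 == 0x00010003 -> user version 1, computer version 3.
SAMPLE_GPT_INI = "[General]\r\nVersion=65539\r\ndisplayName=Constructed sample GPO\r\n"
SAMPLE_BASELINE_EXT = "[{11111111-1111-1111-1111-111111111111}{22222222-2222-2222-2222-222222222222}]"
SAMPLE_CURRENT_EXT = SAMPLE_BASELINE_EXT + \
    "[{33333333-3333-3333-3333-333333333333}{44444444-4444-4444-4444-444444444444}]"

if __name__ == "__main__":
    # AD was bumped to 65540 (computer version 4) but GPT.ini still says 3, and one CSE appeared.
    for line in audit_gpo(65540, SAMPLE_GPT_INI, SAMPLE_CURRENT_EXT, SAMPLE_BASELINE_EXT):
        print(line)
```

Run periodically against a stored baseline of every GPO's attributes; a version mismatch means one of the two copies was edited without the other, and a CSE that was not there before tells which category of settings (scripts, scheduled tasks, security settings) was introduced.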
[Example - GPO Machine] User rights
The GptTmpl.inf file, located in \\<DOMAIN>\SYSVOL\<DOMAIN_FQDN>\Policies\<GPO_GUID>\MACHINE\Microsoft\Windows NT\SecEdit\, can be edited to add user rights to the specified domain or local user.
From an opsec perspective, note that modifying a GPO [Privilege Rights] assignment may override another assignment in a GPO with a lower precedence order, resulting in a possible loss of access for legitimate personnel. It is thus recommended to first enumerate all GPOs applied to the Organizational Unit before undertaking any changes.
The full list of privileges assigned to a user when added as a member of the local built-in Administrators group is as follows. The SeRemoteInteractiveLogonRight and SeDebugPrivilege privileges are enough to dump the LSASS process through a Remote Desktop access.
The following GUID must be added in the gPCMachineExtensionNames attribute if user rights and privileges are defined in the GPO:
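An added example (not code from the original notes) for reviewing a GptTmpl.inf from the defender's side: it parses the [Privilege Rights] section and diffs it against a baseline copy of the same file, so that any principal that gained one of the privileges singled out above (SeDebugPrivilege, SeRemoteInteractiveLogonRight) is reported before the change reaches clients. The SecEdit file layout is the real one; the watched-privilege set is this example's own choice and every S-1-5-21 SID is constructed.

```python
"""Diff the [Privilege Rights] section of a GptTmpl.inf against a baseline.

Added example for this page, not code from the original notes. A defender
keeps a copy of each GPO's GptTmpl.inf and compares the SYSVOL version with
it; every principal that gained or lost a privilege is listed, with the
privileges in WATCHED_PRIVILEGES (this example's own choice) marked.
All S-1-5-21-... SIDs below are constructed.
"""
from __future__ import annotations

WATCHED_PRIVILEGES = {
    "SeDebugPrivilege", "SeRemoteInteractiveLogonRight", "SeTcbPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
}


def parse_privilege_rights(inf_text: str) -> dict[str, set[str]]:
    """Return {privilege: {principal, ...}} from the [Privilege Rights] section.

    SecEdit writes SIDs with a leading '*' (e.g. *S-1-5-32-544); the marker is
    stripped so that SIDs and plain account names compare the same way.
    """
    rights: dict[str, set[str]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        members = {m.strip().lstrip("*") for m in value.split(",") if m.strip()}
        rights[name.strip()] = members
    return rights


def diff_privilege_rights(current: dict[str, set[str]],
                          baseline: dict[str, set[str]]) -> list[tuple[str, str, str, bool]]:
    """List (privilege, 'added'|'removed', principal, watched) tuples, sorted."""
    changes = []
    for priv in sorted(set(current) | set(baseline)):
        now, before = current.get(priv, set()), baseline.get(priv, set())
        for member in sorted(now - before):
            changes.append((priv, "added", member, priv in WATCHED_PRIVILEGES))
        for member in sorted(before - now):
            changes.append((priv, "removed", member, priv in WATCHED_PRIVILEGES))
    return changes


# Constructed sample files. S-1-5-32-544 is the built-in Administrators group,
# S-1-5-32-555 the Remote Desktop Users group; the S-1-5-21-... SID is made up.
BASELINE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""
CURRENT_INF = BASELINE_INF.replace(
    "SeDebugPrivilege = *S-1-5-32-544",
    "SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105",
).replace(
    "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555",
    "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,"
    "*S-1-5-21-1111111111-2222222222-3333333333-1105",
)

if __name__ == "__main__":
    for change in diff_privilege_rights(parse_privilege_rights(CURRENT_INF),
                                        parse_privilege_rights(BASELINE_INF)):
        print(change)
```

The same comparison applied across all GPOs linked to an OU also answers the opsec concern above: it shows which assignments a higher-precedence GPO would override.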
[Example - GPO Computer / User] Immediate task
An immediate task is a task that will be run as soon as the client the GPO is applied to, a computer or a user, refreshes its Group Policy.
Computer immediate tasks can be run under the NT AUTHORITY\SYSTEM local built-in account, while user immediate tasks may only run under the identity of the domain account opening the session (without specifying a password; otherwise the task impersonates the given domain account).
Computer immediate task
A computer immediate task can be created using the Group Policy Management utility:
Or using the following template, in the ScheduledTasks file, that will create an immediate task running the specified PowerShell script <INLINE-POWERSHELL | IEX_REMOTE_SCRIPT> under the NT AUTHORITY\SYSTEM account, with three retries, one every minute.
The computer immediate task GPO file path is:
\\<DOMAIN>\SYSVOL\<DOMAIN_FQDN>\Policies\<GPO_GUID>\Machine\Preferences\ScheduledTasks
The following GUID must be added in the gPCMachineExtensionNames attribute in order to make the immediate task effective:
User immediate task
A user immediate task can be created using the Group Policy Management utility:
Or using the following template, in the ScheduledTasks file, that will create an immediate task running the specified PowerShell script <INLINE-POWERSHELL | IEX_REMOTE_SCRIPT> under the identity of any account on which the GPO is applied, with three retries, one every minute.
The user immediate task GPO file path is:
\\<DOMAIN>\SYSVOL\<DOMAIN_FQDN>\Policies\<GPO_GUID>\USER\Preferences\ScheduledTasks
The following GUID must be added in the gPCUserExtensionNames attribute in order to make the immediate task effective:
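An added triage example (not code from the original notes, and not the task template the notes refer to) for a GPO's Preferences\ScheduledTasks file: it lists each task item, marks Immediate* items, notes which ones run as NT AUTHORITY\SYSTEM and flags command lines carrying in-memory execution markers, so the Machine and USER preference folders of a GPO can be reviewed without opening the console. The XML sample is constructed after the Group Policy Preferences layout (ImmediateTaskV2 / TaskV2 items wrapping a Properties element and a Task); the clsid and uid values are placeholders and the encoded payload is replaced by a placeholder string.

```python
"""Inventory and triage a GPO's ScheduledTasks.xml preference file.

Added example for this page, not code from the original notes. It flattens
every task item under <ScheduledTasks>, marks Immediate* items, notes which
run as SYSTEM and flags command lines with in-memory execution markers.
The sample XML is constructed after the Group Policy Preferences layout;
clsid/uid values and the encoded command are placeholders.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SYSTEM_ACCOUNTS = {"nt authority\\system", "system", "s-1-5-18"}
EXECUTION_MARKERS = ("iex", "invoke-expression", "downloadstring",
                     "-encodedcommand", "-enc ", "frombase64string")


def parse_scheduled_tasks(xml_text: str) -> list[dict]:
    """Flatten each task item (ImmediateTaskV2, TaskV2, ...) into a dict."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    items = []
    for item in root:
        props = item.find("Properties")
        if props is None:
            continue
        exec_node = props.find(".//Exec")
        items.append({
            "type": item.tag,
            "name": item.get("name", ""),
            "immediate": item.tag.startswith("Immediate"),
            "action": props.get("action", ""),          # C=create, U=update, R=replace, D=delete
            "run_as": props.get("runAs", ""),
            "logon_type": props.get("logonType", ""),
            "command": exec_node.findtext("Command", default="") if exec_node is not None else "",
            "arguments": exec_node.findtext("Arguments", default="") if exec_node is not None else "",
        })
    return items


def triage(items: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (task name, reasons) for every item that deserves a closer look."""
    report = []
    for it in items:
        reasons = []
        if it["immediate"]:
            reasons.append("immediate task: runs at the next Group Policy refresh")
        if it["run_as"].lower() in SYSTEM_ACCOUNTS:
            reasons.append("runs as NT AUTHORITY\\SYSTEM")
        cmdline = f'{it["command"]} {it["arguments"]}'.lower()
        hits = [m.strip() for m in EXECUTION_MARKERS if m in cmdline]
        if hits:
            reasons.append("in-memory execution markers: " + ", ".join(hits))
        if reasons:
            report.append((it["name"], reasons))
    return report


# Constructed sample: one immediate task as SYSTEM with an encoded command
# (payload replaced by a placeholder) and one ordinary per-user task.
SAMPLE_XML = """<ScheduledTasks clsid="{CLSID-PLACEHOLDER}">
  <ImmediateTaskV2 clsid="{CLSID-PLACEHOLDER}" name="Constructed immediate" uid="{UID-PLACEHOLDER}">
    <Properties action="C" name="Constructed immediate" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>powershell.exe</Command>
            <Arguments>-NoProfile -WindowStyle Hidden -EncodedCommand BASE64-PLACEHOLDER</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{CLSID-PLACEHOLDER}" name="Constructed inventory" uid="{UID-PLACEHOLDER}">
    <Properties action="U" name="Constructed inventory" runAs="%LogonDomain%\\%LogonUser%" logonType="InteractiveToken">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\\Tools\\inventory.exe</Command>
            <Arguments>--report</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

if __name__ == "__main__":
    for name, reasons in triage(parse_scheduled_tasks(SAMPLE_XML)):
        print(name, "->", "; ".join(reasons))
```

Pointing the parser at both preference paths listed above covers computer and user immediate tasks alike; the item tag tells which kind was found.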
SharpGPOAbuse
SharpGPOAbuse is a C# tool that can be used to automate the process of exploiting an editable GPO. The utility supports the following exploitation techniques:
add the specified rights to a domain user
add a domain user to the local Administrators group of the computer
add a new computer start up script
add a new user logon script
add a computer or user immediate task
Active Directory Certificate Services
Exploitable access control on certificate templates
The access rights defined on a certificate template govern the operations that can be conducted on the template itself as well as the principals that can enroll to the template (request certificate(s) based on the specific certificate template). These access rights are enforced by the Certificate Authority (CA).
ExtendedRight (RIGHT_DS_CONTROL_ACCESS)'s Certificate-Enrollment.
Rights-GUID: 0e10c968-78fb-11d2-90d4-00c04f79dc55.
Ability to enroll to the certificate template (manually request certificate(s) based on the template).
The certificate template must also be published in a Certificate Authority for which the user can enroll certificates.
ExtendedRight (RIGHT_DS_CONTROL_ACCESS)'s Certificate-AutoEnrollment.
Rights-GUID: 0e10c968-78fb-11d2-90d4-00c04f79dc55.
AllExtendedRights (RIGHT_DS_CONTROL_ACCESS).
ActiveDirectoryRights: ExtendedRight and Rights-GUID undefined (if retrieved using PowerView) or equal to 00000000-0000-0000-0000-000000000000.
All extended rights, including the Certificate-Enrollment and Certificate-AutoEnrollment rights.
WriteProperty (RIGHT_DS_WRITE_PROPERTY) to msPKI-Certificate-Name-Flag.
Rights-GUID: ea1dddc4-60ff-416e-8cc0-17cee534bce7.
Ability to write the msPKI-Certificate-Name-Flag attribute of the certificate template, allowing the template to be set to build the subject information from user-supplied input (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag).
Can be leveraged for privilege escalation if the certificate template can be used for client authentication and oneself can enroll to it.
WriteProperty (RIGHT_DS_WRITE_PROPERTY) to msPKI-Certificate-Application-Policy.
Rights-GUID: dbd90548-aa37-4202-9966-8c537ba5ce32.
Ability to write the msPKI-Certificate-Application-Policy attribute of the certificate template, thus allowing support for client authentication to be added to the template.
WriteProperty (RIGHT_DS_WRITE_PROPERTY) to msPKI-Enrollment-Flag.
Rights-GUID: d15ef7d8-f226-46db-ae79-b34e560bd12c.
Ability to write the msPKI-Enrollment-Flag attribute of the certificate template, thus allowing the requirement for a certificate manager to approve the certificate request to be disabled (CT_FLAG_PEND_ALL_REQUESTS flag).
WriteProperty (RIGHT_DS_WRITE_PROPERTY) to all properties.
Rights-GUID undefined (if retrieved using PowerView) or equal to 00000000-0000-0000-0000-000000000000.
Ability to modify all the attributes of the certificate template, including the ones mentioned above.
Cannot be used to give oneself enrollment rights to the certificate template (as enrollment is restricted through the ACL on the template object and not through the attributes of the template). If the WriteProperty applies to an enrollable certificate template, privilege escalation can however be achieved.
WriteOwner.
Ability to change the owner of the certificate template, thus granting complete control over the template and notably the ability to edit it and give oneself enrollment rights.
This right is assigned when delegating the permission Write through the Certificate Templates snap-in.
WriteDacl.
Ability to change the DACL of the certificate template, thus granting complete control over the template and notably the ability to edit it and give oneself enrollment rights.
This right is assigned when delegating the permission Write through the Certificate Templates snap-in.
GenericAll (RIGHT_GENERIC_ALL).
Full control on the certificate template, including the ability to modify all the parameters / attributes of the template and enroll to the template.
Certificate templates - ACL enumeration
Certify and the PowerShell Get-Acl cmdlet (if the Remote Server Administration Tools (RSAT) are installed) can be used to enumerate the ACL of the certificate templates. Certify presents the advantage of retrieving additional information on the certificate templates: validity period, msPKI-Certificate-Name-Flag attribute, Extended / Enhanced Key Usage (EKU) extension, etc.
Refer to the Enumeration of DACL section above for cmdlets and code snippets to conduct ACL enumeration through PowerShell.
Certificate templates - Certificate-Enrollment / Certificate-AutoEnrollment
Refer to the [ActiveDirectory] Certificate Services note for more information on how to enumerate and request certificates from enrollable certificate templates.
Certificate templates - WriteOwner / WriteDACL
Refer to the User / group - WriteOwner and User / group - WriteDACL sections above for general techniques and tools to exploit the WriteOwner and WriteDACL rights.
The modifications of the ACL can also be done through the Microsoft Management Console (MMC)'s ADSI Edit (adsiedit.msc) snap-in (among others):
Certificate templates - GenericAll / WriteProperty to all properties / WriteProperty to msPKI-Certificate-Name-Flag + msPKI-Certificate-Application-Policy (+ msPKI-Enrollment-Flag)
The following PowerShell code snippet leverages cmdlets of the ActiveDirectory module to make an editable certificate template vulnerable for privilege escalation purposes. The certificate template is modified to use a user-supplied Subject Name and allow for client authentication. The eventual approval of the request by a certificate manager can be optionally disabled.
The modifications done by the code above can also be done manually through the Microsoft Management Console (MMC)'s Certificate Templates (certtmpl.msc) snap-in (on a machine joined to the target domain):
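An added audit example (not the page's PowerShell snippet, and not any tool's own code) that evaluates a certificate template against the conditions spelled out in the access-rights list and in the section above: enrollee-supplied subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT), a client-authentication EKU, no manager approval (CT_FLAG_PEND_ALL_REQUESTS cleared) and enrollment or edit rights held by a broad principal. Input is shaped like a Certify / Get-Acl export (IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType per ACE). The flag bit values and EKU OIDs are well-known constants the page does not print; the domain SID and template in the sample are constructed.

```python
"""Audit a certificate template's msPKI-* attributes and DACL for the escalation
pattern described above. Added example for this page, not the notes' own code.
Flag bits and EKU OIDs are well-known constants; SIDs in the sample are constructed.
"""
from __future__ import annotations

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag bit
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # msPKI-Enrollment-Flag bit (manager approval)
CLIENT_AUTH_OIDS = {"1.3.6.1.5.5.7.3.2",        # Client Authentication
                    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
                    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
                    "2.5.29.37.0"}              # Any Purpose
# Rights-GUIDs as listed in the access-rights section above
CERTIFICATE_ENROLLMENT = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
ALL_PROPERTIES = "00000000-0000-0000-0000-000000000000"
SENSITIVE_ATTRIBUTES = {ALL_PROPERTIES,
                        "ea1dddc4-60ff-416e-8cc0-17cee534bce7",   # msPKI-Certificate-Name-Flag
                        "dbd90548-aa37-4202-9966-8c537ba5ce32",   # msPKI-Certificate-Application-Policy
                        "d15ef7d8-f226-46db-ae79-b34e560bd12c"}   # msPKI-Enrollment-Flag
CONTROL_RIGHTS = {"GenericAll", "WriteOwner", "WriteDacl", "GenericWrite"}


def is_broad_principal(sid: str) -> bool:
    """Everyone, Authenticated Users, Domain Users (RID 513) or Domain Computers (RID 515)."""
    return sid in {"S-1-1-0", "S-1-5-11"} or sid.endswith(("-513", "-515"))


def _allowed_for_broad(ace: dict) -> bool:
    return ace["AccessControlType"] == "Allow" and is_broad_principal(ace["IdentityReference"])


def _rights(ace: dict) -> set[str]:
    # Get-Acl prints combined rights as "WriteProperty, GenericExecute"
    return {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}


def _object_type(ace: dict) -> str:
    return (ace.get("ObjectType") or ALL_PROPERTIES).lower()


def broad_enrollers(aces: list[dict]) -> set[str]:
    """Broad principals holding Certificate-Enrollment, AllExtendedRights or GenericAll."""
    found = set()
    for ace in filter(_allowed_for_broad, aces):
        rights = _rights(ace)
        if "GenericAll" in rights or ("ExtendedRight" in rights and
                                      _object_type(ace) in {CERTIFICATE_ENROLLMENT, ALL_PROPERTIES}):
            found.add(ace["IdentityReference"])
    return found


def broad_editors(aces: list[dict]) -> set[str]:
    """Broad principals able to reshape the template (control rights, or WriteProperty on the sensitive attributes)."""
    found = set()
    for ace in filter(_allowed_for_broad, aces):
        rights = _rights(ace)
        if rights & CONTROL_RIGHTS or ("WriteProperty" in rights and _object_type(ace) in SENSITIVE_ATTRIBUTES):
            found.add(ace["IdentityReference"])
    return found


def assess_template(template: dict, aces: list[dict]) -> dict:
    """Combine the attribute conditions with the DACL into a verdict."""
    ekus = set(template.get("msPKI-Certificate-Application-Policy", []))
    conditions = {
        "enrollee_supplies_subject": bool(template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "client_auth": not ekus or bool(ekus & CLIENT_AUTH_OIDS),   # an empty EKU list allows any purpose
        "no_manager_approval": not template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS,
    }
    enrollers, editors = broad_enrollers(aces), broad_editors(aces)
    return {"template": template["name"], "conditions": conditions,
            "broad_enrollers": sorted(enrollers), "broad_editors": sorted(editors),
            "escalation_path": all(conditions.values()) and bool(enrollers),
            "editable_by_broad_principal": bool(editors)}


# Constructed sample: Domain Users may enroll in a template that takes a user-supplied
# subject for client authentication without approval; Domain Admins hold GenericAll.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
SAMPLE_TEMPLATE = {"name": "ConstructedUserTemplate",
                   "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
                   "msPKI-Enrollment-Flag": 0,
                   "msPKI-Certificate-Application-Policy": ["1.3.6.1.5.5.7.3.2"]}
SAMPLE_ACES = [
    {"IdentityReference": f"{DOMAIN}-513", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectType": CERTIFICATE_ENROLLMENT, "AccessControlType": "Allow"},
    {"IdentityReference": f"{DOMAIN}-512", "ActiveDirectoryRights": "GenericAll",
     "ObjectType": ALL_PROPERTIES, "AccessControlType": "Allow"},
]
HARDENED_TEMPLATE = {**SAMPLE_TEMPLATE, "msPKI-Certificate-Name-Flag": 0,
                     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS}

if __name__ == "__main__":
    for tpl in (SAMPLE_TEMPLATE, HARDENED_TEMPLATE):
        print(assess_template(tpl, SAMPLE_ACES))
```

The two verdicts separate the cases the list above distinguishes: escalation_path is the template that is already usable as-is, while editable_by_broad_principal marks a template that a low-privileged principal could turn into one through WriteProperty, WriteOwner, WriteDacl or GenericAll; either remediation (clearing the name flag, requiring manager approval, or tightening the DACL) flips the corresponding field.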
References
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
https://wald0.com/?p=112
https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
https://www.ssi.gouv.fr/uploads/IMG/pdf/Audit_des_permissions_en_environnement_Active_Directory_article.pdf
https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
https://github.com/gdedrouas/Exchange-AD-Privesc
https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
https://www.microsoft.com/en-us/download/details.aspx?id=46899
https://blog.stealthbits.com/running-laps-in-the-race-to-security/
https://github.com/leoloobeek/LAPSToolkit
https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
https://www.rfc-archive.org/getrfc.php?rfc=4556
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html
https://docs.microsoft.com/fr-fr/archive/blogs/openspecification/how-kerberos-user-to-user-authentication-works