Exploitation - Credentials theft shuffling
Local groups enumeration
Enumerating local groups members, and notably the (local or domain-joined) members of the local Administrators
/ Administratreurs
(SID
: S-1-5-32-544
) built-in group, is a crucial step in the credentials theft shuffling process. Indeed, an enumeration of local groups members is a more efficient and stealthy way to find what computers the compromised accounts have access to than direct connection attempts. In additions to the local Administrators
group, membership to the Remote Desktop Users
/ Utilisateurs du Bureau à distance
(SID
: S-1-5-32-555
) and Distributed COM users
/ Utilisateurs du modèle COM distribués
(SID
: S-1-5-32-562
) groups should be enumerated as well as such membership can be leveraged for remote code execution.
Two techniques, and associated tooling, can be used to enumerate the local groups members of remote hosts:
Queries to the
Security Accounts Manager
database of the remote host using theSecurity Account Manager (SAM) Remote Protocol (MS-SAMR)
(through theMSRPC
SAMR
interface).Enumeration of the local administrators configured through Active Directory
Group Policy Objects (GPO)
.
One-time enumeration across the whole target Active Directory domain or forest.
-
Local Administrators
groups members.
BloodHound
(collection using SharpHound
's All
or LocalAdmin
collection methods).
PingCastle
's localadmin
module. PingCastle
presents the advantage of usually not being flagged by anti-virus solutions.
Both SharpHound
and PingCastle
's localadmin
module rely on direct and curated SAMR
RPC
calls (notably SamGetMembersInAlias
) and conduct the enumeration using the RID 544
alias (DOMAIN_ALIAS_RID_ADMINS
).
One-time enumeration across the whole target Active Directory domain or forest.
-
Administrators
and others local groups that yield remote execution privileges.
BloodHound
(collection using SharpHound
's All
or LocalGroup
collection methods). In additions to members of the local Administrator
group, SharpHound
can enumerate members of the Remote Desktop Users
and Distributed COM users
groups.
Complementary manual enumeration on one host.
PingCastle
's localadmin
module executed in interactive mode
to manually specify the targeted host.
Complementary manual enumeration on a limited number of hosts.
PowerView
's Find-DomainLocalGroupMember
PowerShell cmdlet.
Find-DomainLocalGroupMember
present the notable disadvantage of conducting the enumeration using the group name (by default Administrators
) instead of the RID 544
alias, and thus is not able to enumerate local groups members of Windows operating systems in different languages at the same time.
Relies on the NetLocalGroupGetMembers
API (by default) or on the Active Directory Service Interfaces (ADSI) WinNT
provider.
In a covert scenario in which the completeness of the results is traded for stealth.
BloodHound
(collection using SharpHound
's GPOLocalGroup
or DcOnly
collection methods).
PowerView
's Get-DomainGPOUserLocalGroupMapping
PowerShell cmdlet.
RPC calls to the MSRPC SAMR interface
Numerous tools can be used to conduct the local groups members enumeration through RPC
queries to the MSRPC
SAMR
interface of remote hosts.
The RPC
calls can be implemented through the Win32API
's NetLocalGroupGetMembers
API, the Active Directory Service Interfaces (ADSI) WinNT
provider or direct and curated RPC
calls (as implemented by SharpHound
).
Note that the possibility to make remote calls to the SAM
of remote hosts through the SAMRPC
protocol is by default restricted to members of the local Administrators
group starting from the Windows 10, version 1607
and Windows Server 2016
operating systems. Specific Knowledge Base (KB)
can also be installed on Windows operating systems, starting from Windows 7
and Windows Server 2008 R2
, to configure the aforementioned restriction (KB 4012218
- KB 4012220
, KB 4012606
or KB 4103198
depending on the operating system).
BloodHound / PingCastle
BloodHound
's SharpHound
collector or PingCastle
can be used for an automated enumeration of the local groups members of all the computers joined in the targeted Active Directory domain.
PingCastle
returns a text file with the enumerated computers fully qualified hostnames and the members of their local built-in Administrators
group. SharpHound
returns a ZIP
archive (containing JSON
files) that can be imported into a Neo4j
database using BloodHound
.
For more information on both tools, refer to the [Active Directory] AD scanner
note.
PowerView
From Group Policy Objects
The second technique pulls the local administrators configured through Group Policy Objects (GPO)
. Local group membership can be defined using Restricted Groups
in GptTmpl.inf
file or group membership in Group Policy Preferences groups.xml
files.
In the GptTmpl.inf
, users or group will added in the built-in Administrators group using the line:
This technique present the advantage of being stealthier as no direct queries to each computers are made to retrieve the local administrators group members. However, any user or group added in the local Administrators group directly on the master image will be missed.
Note: GPO can be linked to an OU but not necessarily applied, as an OU can blocks inheritance
on an not enforced
GPO or a conflicting GPO with a higher precedence order may supplant the exploitable GPO.
Note that the tooling of this technique is still experimental and that the tools presented below may not yield comprehensive results.
Moreover, GPO can be used to define user rights on the computers the GPO is applied to, such as the logon right SeRemoteInteractiveLogonRight
and specific privileges. Some of these privileges can be used to locally elevate privileges or directly dump the LSASS
process. Reviewing the user rights defined in GPO can thus lead to more vectors of credentials re-use. Refer to the Active Directory - GPO users rights
for more information.
Local groups BloodHound Cypher queries
SharpHound
result can be consulted through the BloodHound
graphical interface or queried using direct Neo4j
's Cypher
queries (executed in the Neo4j
web console).
Sessions hunting
Enumerating the sessions established on the machines of the Active Directory domain is also a crucial step in the credentials theft shuffling process. Indeed, an enumeration of the current sessions is tremendously faster than large scale dumping and credentials extraction from LSASS
processes on a domain level. Additionally, it allows for the addition of sessions in the computation of more complex attack paths through graph theory (using BloodHound
for example).
Multiple techniques, and associated tooling, can be used to enumerate the sessions established across the targeted Active Directory domain:
Enumeration of the sessions established on the machines in the domain using the Windows
Win32API
'sNetSessionEnum
function. This method does not directly query the systems to enumerate their currently logged-on users but rely on retrieving the sessions established on a machine (likely a server) from others Windows systems. While this method only returns partial results, notably for logged-on users that did not establish any session on remote servers, it is the only one that does not require elevated privileges on the queried host.Access of remote hosts
user profile
registry hives using theRemote Registry
RPC
protocol. As a newuser profile
hive is created each time a new user logs on to a computer, theuser profile
registry hives of a computer give information about past and present logged-on users. This method does not require elevated privileges but the WindowsRemote Registry
service to be running on the remote host.Direct querying of remote hosts for information about all users currently logged-on using the
Win32API
'sNetWkstaUserEnum
function orWMI
'sWin32_LoggedOnUser
class. This method requires elevated privileges on the queried host.Remote listing of the processes of hosts and enumerating the ones being executed in the security context of a domain user, which requires elevated privileges on the queried host.
Remote extraction of the Windows
Security
events4624: An account was successfully logged on
on hosts'Security
hives and listing of the domain users connections. This method requires the right to access theSecurity
EVTX
hive on the remote host.
While leveraging the Windows Win32API
's NetSessionEnum
function and access to user profile
hives do not require elevated privileges on the remote hosts, if an account member of the Administrators
group of a number of machines could be compromised, others options may be used to enumerate sessions with a better precision. Notably, these alternative methods may prove useful if Find-DomainUserLocation
or SharpHound
's Session
or All
collection methods did not manage to detect Domain Admins
sessions. In order to find on which machines compromised accounts are member of the local Administrators
group, refer to Local groups enumeration
section above.
One-time enumeration across the whole target Active Directory domain or forest using an unprivileged domain user.
BloodHound
(collection using SharpHound
's All
or Session
collection methods).
-> Leverages Win32API
's NetSessionEnum
function.
One-time enumeration across the whole target Active Directory domain or forest using a privileged domain user for a more comprehensive sessions enumeration (in a security review kind of engagement for example).
BloodHound
(collection using SharpHound
's All
or LoggedOn
collection methods).
-> Leverages both Win32API
's NetWkstaUserEnum
function and access to Users
registry hives using the Remote Registry
RPC
protocol.
Complementary manual enumeration on one or a limited number of hosts using an unprivileged domain user.
PowerView
's Find-DomainUserLocation
PowerShell cmdlet.
BloodHound (collection using SharpHound's Session
collection method and by specifying the targeted systems using the -ComputerFile
(SharpHound.ps1
) / --computerfile
(SharpHound.exe
) parameter.)
PowerView
's Get-RegLoggedOn
(which requires the Windows Remote Registry
service to be running on the targeted hosts).
Complementary manual enumeration on one or a limited number of hosts using an account with Administrators
privileges on the targeted hosts.
This use case may arise after the compromise of an additional domain or local account.
Get-WmiObject Win32_LoggedOnUser
and Get-WmiObject Win32_LoggedOnUser
using the provided PowerShell code snippets below.
PowerView
's Find-DomainUserLocation
PowerShell cmdlet.
This technique reduces the number of false positives induced by using the Users
registry hives as implemented by SharpHound
's LoggedOn
collection method.
Unprivileged calls to the Win32API's NetSessionEnum function
The Windows Win32API
's NetSessionEnum
function provide information about sessions established on a computer. It does not provide information about users that are directly logged-on on the queried host but returns information on the sessions established on the host (likely a server) from others Windows computers.
While different level of information can be retrieved using the NetSessionEnum
function, only the level 0
or level 10
calls are allowed for users with out elevated privileges on the remote host. The level 10
calls, leveraged by offensive tools, return SESSION_INFO_10
structure(s), which contain:
sesi10_cname
: the name of the computer that established the session;sesi10_username
: the name of the user who established the session;sesi10_time
: the number of seconds the session has been active;sesi10_idle_time
: the number of seconds the session has been idle.
The PowerView
's Get-NetSession
cmdlet as well as the SharpHound
's Session
collection method wrap around the NetSessionEnum
function.
Additionally, the PowerView
's Find-DomainUserLocation
cmdlet combine the Get-NetSession
and Get-NetLoggedon
, introduced below, cmdlets to find machines where the specified user or group's members are logged-on. The ShowAll
flag can also be specified to return all user's session, on all machines or on the specified machine.
If the Stealth
flag is specified, then servers with likely highly-traffic are enumerated with Get-DomainFileServer
and Get-DomainController
and session enumeration is executed only against those servers using Get-NetSession
.
If the CheckAccess
flag is specified, the PowerView
cmdlet Test-AdminAccess
will be called to check if the current user context has local administrator access to the machine on which the target members have a session on. Note that the CheckAccess
does not take into account credentials specified using the Credential
parameter. The CheckAccess
call can be patched using the following code:
Unprivileged access to Users registry hives through the Remote Registry protocol
Each time a new user logs on to a computer, a new user profile
hive is created for that user under the HKEY_USERS
key. This hive contains registry information relative to the user's settings. The user profile
registry hives of a computer thus give information about past and present logged-on users.
As user profile
registry hives are not automatically purged, this enumeration can induce false positives by identifying users that are no longer logged-on the targeted host.
While remote access to the user profile
registry hives of a given host does not require elevated privileges on the remote host, the Windows Remote Registry
service must be running on the host (which is not the case by default). The registry access is made through the Remote Registry
protocol.
The PowerView
's Get-RegLoggedon
cmdlet as well as the SharpHound
's LoggedOn
collection method implement this enumeration method. The SharpHound
's LoggedOn
collection method additionally tries to enumerate the logged-on users using the Win32API
's NetWkstaUserEnum
function (which will only be successful if SharpHound
is being executed under a security context with elevated privileges on the remote hosts).
Privileged calls to the Win32API's NetWkstaUserEnum function
The Windows Win32API
's NetWkstaUserEnum
function provides information about users logged on a computer. Note that on newer versions of Windows, the use of the NetWkstaUserEnum
function requires Administrators
privileges on the remote system.
The PowerView
's Get-NetLoggedon
cmdlet as well as the SharpHound
's LoggedOn
collection method wrap around the NetWkstaUserEnum
function. The SharpHound
's LoggedOn
collection method additionally leverages the Remote Registry
protocol to enumerate user profile
registry hives, which can induce false positives about users that are no longer logged on the targeted host.
This enumeration can also be done directly using the WMI
's Win32_LoggedOnUser
class:
Privileged remote listing of processes
The users running processes on the remote machine can be enumerated to find active session. The PowerView
's cmdlet Find-DomainProcess
leverages Get-WMIProcess
to remotely list the processes running on the targeted machine, or all machines integrated in the current (or specified) domain. It can be used to list processes being executed by a specific user or by users in a specific group.
This enumeration can also be done directly using the WMI
's Win32_Process
class:
Privileged remote searches of Security EVTX hives
The PowerView
's cmdlet Find-DomainUserEvent
can be used to find Security
's 4624: An account was successfully logged on
events on all domain controllers or on the specified machines.
This method requires the right to access the Security
EVTX
hive on the targeted machines, which is granted to members of the local Administrators
(SID
: S-1-5-32-548
) and Event Log Readers
(SID
: S-1-5-32-573
) groups.
Optional checking of remote local admin access
While enumerating local administrators and active sessions is a good way to quickly approximate if any compromised accounts may be used for lateral movement, only direct authentication requests on targeted computers can yield comprehensive results.
The PowerShell cmdlets Invoke-CheckLocalAdminAccess
, replacing Test-AdminAccess
, of PowerView
and Check-LocalAdminHash
can be used to do so, respectively using PSCredential
or NTLM hashes.
Test-AdminAccess
relies on the Windows API OpenSCManagerW Win32API
while Check-LocalAdminHash
passes a NTLM hash into the NTLMv2 authentication protocol over SMB or WMI (by default).
The CrackMapExec
utility can be used as well, to test local admin access using either passwords or NTLM hashes over SMB or WMI.
Lateral movements
Multiples mechanisms and tools can be used for lateral movements in a Windows environment.
The Windows - Lateral movements
note introduces the main techniques and tooling.
Credentials dumping
Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system. The Windows operating system notably stores user accounts authentication information in the HKEY_LOCAL_MACHINE\Security Account Manager (SAM)
and HKEY_LOCAL_MACHINE\SECURITY
registry hives as well as the Local Security Authority Subsystem (LSASS)
process.
For techniques and tools to efficiently dump credentials on a Windows host, refer to the [Windows] Post Exploit
note.
References
https://stackoverflow.com/questions/18113651/powershell-remoting-policy-does-not-allow-the-delegation-of-user-credentials https://www.pdq.com/blog/secure-password-with-powershell-encrypting-credentials-part-1/ https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/ https://powersploit.readthedocs.io/en/latest/Recon/Find-DomainUserLocation/ https://blog.cptjesus.com/posts/sharphoundtechnical https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives https://docs.microsoft.com/en-us/windows/win32/api/lmshare/nf-lmshare-netsessionenum https://docs.microsoft.com/en-us/windows/win32/api/lmwksta/nf-lmwksta-netwkstauserenum https://docs.microsoft.com/en-us/windows/win32/api/lmshare/ns-lmshare-session_info_10
Last updated