Post Exploitation - Persistence
Kerberos "golden" / "silver" tickets
SID History
The access to securable resources, that is resources that define a security descriptor
, is based on the security principal
's (user or machine account and security group notably) SID
, eventual extra SIDs
, and security group SIDs
. Indeed, these SIDs
are compared to the access rights defined in the Access Control Entries (ACEs)
of the accessed object's Discretionary Access Control List (DACL)
.
Adding a privileged SID
, such as the one of the built-in domain Administrator account (SID
S-1-5-21-<DOMAIN>-500
), in the SID History
of a non privileged user can thus be leveraged to maintain persistence in the domain through a seemingly standard user. In order to avoid detection, a non built-in user (RID
> 1000) member of a privileged group (Enterprise Admins
, Domain Admins
, Administrators
, etc.) may be preferred. The persistence will be operational until the impersonated user is deleted or removed from the privileged group(s).
Under normal circumstances, SIDs
will only be added (automatically) to the SIDHistory
attribute of a security principal during domain migration and cannot be manually added (but can be manually removed).
This restriction can be bypassed and SIDs
added to a security principal
's SIDHistory
attribute with mimikatz
by either:
executing code locally on a Domain Controller to patch its
NTDS
serviceregistering a rogue Domain Controller to inject and replicate arbitrary modifications (attack known as
DCShadow
)
The following command can be used to validate the SIDHistory
attribute modification:
SID History modification through local patch of the NTDS service
This technique of modification of the SIDHistory
attribute requires privileges granted to the Domain Admins
group and must be conducted on a Domain Controller as the Windows NT Directory Services (NTDS)
service must be locally patched. While the SID History
modification will persist, the NTDS
service patch will not be persistent across reboot of the Domain Controller.
mimikatz
's sid
module can be used to add SIDs
in the SIDHistory
attribute of any users of the current domain (the following commands must be executed directly on a Domain Controller):
SID History modification through DCShadow
The restriction on the modification of the SIDHistory
attribute can be also bypassed through a DCShadow
attack to arbitrarily set an account SIDHistory
attribute. For more details on the DCShadow
attack, refer to the "DCShadow ACL" section of this note.
This technique will override any SID(s)
currently present in the security principal
's SIDHistory
attribute.
PrimaryGroupID
The PrimaryGroupID
attribute of an user or machine account contains the Relative IDentifier (RID)
of a domain group and gives an implicit membership to the specified group. The PrimaryGroupID
attribute is used to support integration of UNIX POSIX
clients but is not otherwise specifically used in Active Directory
.
The group membership granted by the PrimaryGroupID
attribute does not appear in the account's MemberOf
nor in the group's Members
LDAP
attributes. It will however be included in constructed attributes
"constructed" through Microsoft APIs (such as group membership returned by the Active Directory
PowerShell module, MMC
's snappins, the net
utility, etc.). It can thus be used, to a certain extent, to dissimulate membership of a standard account to a privileged group.
In kerberos
authentication, the PrimaryGroupID
attribute of an account populate the account's kerberos
tickets _KERB_VALIDATION_INFO
's PrimaryGroupId
and GroupIds
fields (in the tickets' Privilege Attribute Certificate (PAC)
).
Depending on the account type, the account's PrimaryGroupID
attribute takes a different default value:
User account
513
Domain Users
constant: DOMAIN_GROUP_RID_USERS
Guest
account
514
Domain Guests
Machine account
515
Domain Computers
constant: DOMAIN_GROUP_RID_COMPUTERS
Domain Controllers machine account
516
Domain Controllers
constant: DOMAIN_GROUP_RID_CONTROLLERS
Read Only Domain Controllers machine account
521
Read-only Domain Controllers
constant: DOMAIN_GROUP_RID_READONLY_CONTROLLERS
Under normal circumstances, the account must be a member of the group specified in its PrimaryGroupID
attribute. An error indeed occurs whenever trying to set the PrimaryGroupID
attribute of an account to the RID
of a group the account is a not a member of (error: "The specified user account is a not a member of the specified group account"). A similar error occurs whenever attempting to remove an account from the group set in its PrimaryGroupID
(error: "The primary group cannot be removed. Set another group as primary if you want to remove this one".)
The restriction of membership can be bypassed through a DCShadow
attack to arbitrarily set an account PrimaryGroupID
attribute. For more details on the DCShadow
attack, refer to the "DCShadow ACL" section of this note.
The following command can be used to validate the PrimaryGroupID
attribute modification:
AdminSDHolder ACL
For a general overview of Access Control Lists (ACL)
, refer to the [ActiveDirectory] ACL exploiting
note.
A number of predefined privileged built-in accounts and groups (including their members) are protected by the SDProp
mechanism. SDProp
is an automated process that ensure that the ACL
defined on the aforementioned protected security principals match the AdminSDHolder
object's ACL
(and restore the expected ACL
in case of mismatch).
In addition to verifying and eventually restoring ACL
, the SDProp
mechanism also disable ACL
inheritance and set the adminCount
attribute of the protected principals to 0x1
. Note that users and groups removed from the predefined privileged groups will no longer be protected by the SDProp
mechanism but will keep their adminCount
attribute set to 0x1
and ACL
inheritance disabled.
The SDProp
process runs every 60 minutes by default. This frequency of execution can be modified using the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\AdminSDProtectFrequency
registry key on the domain's PDC Emulator. Valid values range from 60 to 7200 seconds.
As of Windows Server 2008
, the following privileged accounts and groups are protected by the SDProp
mechanism:
Account Operators
Administrator
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Krbtgt
Print Operators
Domain Controllers
Replicator
Schema Admins
Server Operators
Any ACE
set directly on a protected account or group will not persist the SDProp
process. Only the modification of the AdminSDHolder
object's ACL
may thus be used as a persistence mechanism on privileged principals.
The domain's AdminSDHolder
object is a Container
located at CN=AdminSDHolder,CN=System,<DOMAIN_ROOT_OBJECT>
. By default, only the Domain Admins
, Enterprise Admins
, and Administrators
domain groups are granted the right to modify the ACL
of the AdminSDHolder
object:
The following PowerShell script can be used to manually trigger the SDProp
mechanism (without interfering with the normal execution schedule):
A number of ACE
may be used to maintain persistence by creating a control path through AdminSDHolder
object's ACL
:
GenericAll
WriteOwner
WriteDacl
WriteProperty
/GenericWrite
to all properties or property that can be used to take control of the object (Member
attribute for groups,Script-Path
for users, etc.)AllExtendedRights
orExtendedRight
that grant control over the object (such asForceChangePassword
)
For more details on the aforementioned ACE
, and techniques and tools to leverage them, refer to the [ActiveDirectory] ACL exploiting
note (section Users and groups permissions exploitation
).
The ACL
modification can be done with mmc.exe
's Active Directory Users and Computers (ADUC)
graphical snap-in or in PowerShell using the PowerView
's Add-DomainObjectAcl
and ActiveDirectory
module's Get-Acl
/ Set-Acl
cmdlets.
The PowerView
's Get-DomainObjectAcl
and ActiveDirectory
PowerShell module's Get-Acl
cmdlets can be used to validate the modification:
DRSUAPI replication operations (DCSync attack) rights
Refer to the [ActiveDirectory] ntds.dit dumping
note for tools and techniques to conduct replication operations (DCSync attack).
Minimal ACEs
Machine account with SERVER_TRUST_ACCOUNT
A machine account that has its UserAccountControl
attribute with the SERVER_TRUST_ACCOUNT
(0x2000
/ 8192
) bit set is able to perform replication operations (DCSync
attack) implicitly. The machine account will indeed be considered as a Domain Controller and be able to replicate AD objects with out the Ds-Replication-Get-Changes
and Ds-Replication-Get-Changes-All
extended rights.
The DS-Install-Replica
extended right, on the domain root object, is required to set an account UserAccountControl
attribute's SERVER_TRUST_ACCOUNT
bit. This right is by default granted to the Domain Admins
, Administrators
, and Enterprise Admins
groups. Granting the DS-Install-Replica
extended right to an otherwise unprivileged account may thus also be used as a mean of persistence.
Whenever an machine account UserAccountControl
attribute's SERVER_TRUST_ACCOUNT
bit is set, the primaryGroupId
of the account will be set to 516
(DOMAIN_GROUP_RID_CONTROLLERS
) and the account added to the group referenced by the previous primaryGroupId
value. While the SERVER_TRUST_ACCOUNT
bit is set, the primaryGroupId
of the machine account will not be modifiable (error: "Cannot change the primary group ID of a domain controller account").
As the machine account will considered as a Domain Controller, no Windows Security
events Event 4662: An operation was performed on an object
will be generated upon replication operations. For maximum stealthiness, it is possible to overpass-the-hash to mimic legitimate Domain Controller authentication. Doing so will generate Windows Security
events Event 4662: An account was successfully logged on
with the Kerberos
(instead of NTLM
) authentication package. Refer to the [ActiveDirectory] Kerberos tickets usage
note for more information on the overpass-the-hash technique.
The PowerShell ActiveDirectory
module's New-ADComputer
and Set-ADComputer
can be used to create a new machine account and set its UserAccountControl
attribute.
DCShadow
DCShadow minimal ACE
The following access rights are sufficient to conduct a DCShadow
attack (without the need of being part of a privileged group such as Domain Admins
):
DS-Install-Replica
(right's GUID:9923a32a-3607-11d2-b9be-0000f87a36b2
)DS-Replication-Manage-Topology
(right's GUID:1131f6ac-9c07-11d1-f79f-00c04fc2dcd2
)DS-Replication-Synchronize
(right's GUID:1131f6ab-9c07-11d1-f79f-00c04fc2dcd2
)
DCShadow realisation
Make sure that the local Firewall policy allows inbound connection on the dynamic TCP ports range.
Directory Services Restore Mode account
The Directory Services Restore Mode (DSRM)
account correspond to the local built-in Administrator
(username language dependent name, SID
S-1-5-21-<DC_SPECIFIC>-500
) of a Domain Controller. The DRSM
account password is specific to each Domain Controller and is setup during the Domain Controller promulgation. The DRSM
accounts are local to each Domain Controller and have no link with the built-in Administrator
(SID
S-1-5-21-<DOMAIN>-500
) of the domain.
Note that since Windows Server 2008
(KB961320
), the DSRM
account password can be one-time synchronized with a domain account (further synchronization are however not automated and must be done manually).
The usage of the DSRM
account is controlled by the DsrmAdminLogonBehavior
registry key:
0x0
Undefined
The DSRM
account can only be used if the Domain Controller is booted in DSRM
.
bcdedit /set safeboot dsrepair
shutdown /r /f /t 5
0x1
The DSRM
account can login on the Domain Controller if the Active Directory Domain Service (AD DS)
of the Domain Controller are (locally) stopped.
0x2
The DSRM
account can login with out any restriction.
By default, the DsrmAdminLogonBehavior
key is undefined (and thus the DSRM
account can only be used to connect to the Domain Controller if it has been restarted in DSRM
).
To maintain persistence after a compromise of an Active Directory domain, the local built-in Administrator
password of a Domain Controller can be retrieved (or set) and the DsrmAdminLogonBehavior
of the Domain Controller set to 0x2
. The DSRM
account will be usable over the network even if the Domain Controller is not started in DSRM
and persistence maintained until its password is renewed. In this scenario, the DSRM
account can notably be used to remotely connect to the Domain Controller or conduct replication operations (DCSync
attack).
The following commands can be used to retrieve and set the value of the DsrmAdminLogonBehavior
registry key (on a Domain Controller):
The following techniques can be used to retrieve or set the DRSM
account password:
If the DsrmAdminLogonBehavior
key of the targeted Domain Controller is set to 0x2
, remote code execution or replication operations can be conducted using the DRSM
account:
Kerberos delegations
Certificates (User-Principal-Name
or Alt-Security-Identities
)
User-Principal-Name
or Alt-Security-Identities
)Skeleton key
Domain Controller local persistence
References
https://adsecurity.org/?p=1714 https://adsecurity.org/?p=1785 https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#primary_group_id_1000 https://blog.alsid.eu/dcshadow-explained-4510f52fc19d https://www.alsid.com/2020/07/14/primary-group-id-attack/ https://www.youtube.com/watch?v=6thBskwsOss http://www.labofapenetrationtester.com/2018/04/dcshadow.html https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory https://github.com/edemilliere/ADSI/blob/master/Invoke-ADSDPropagation.ps1 https://stealthbits.com/blog/server-untrust-account/
Last updated