diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index ad4ff3c..72ad555 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -1061,7 +1061,17 @@ ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe ### Dangerous Built-in Groups Usage -If you do not want modified ACLs to be overwrite every hour, you should change ACL template on the object "CN=AdminSDHolder,CN=System," or set "adminCount" attribute to 0 for the required objec +If you do not want modified ACLs to be overwrite every hour, you should change ACL template on the object "CN=AdminSDHolder,CN=System," or set "adminCount" attribute to 0 for the required object. + +> The AdminCount attribute is set to 1 automatically when a user is assigned to any privileged group, but it is never automatically unset when the user is removed from these group(s). + + +Find users with `AdminCount=1`. + +```powershell +python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1 +jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json +``` AdminSDHolder @@ -1073,7 +1083,8 @@ or ``` #### AdminSDHolder Abuse -if you modify the permissions of AdminSDHolder, that permission template will be pushed out to all protected accounts automatically by SDProp + +If you modify the permissions of **AdminSDHolder**, that permission template will be pushed out to all protected accounts automatically by SDProp. ```powershell # right to reset password for toto using the account titi diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 7f77e38..814adcb 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md 
@@ -748,8 +748,9 @@ Example: "Windows Help and Support" (Windows + F1), search for "command prompt", Look for vuln drivers loaded, we often don't spend enough time looking at this: ```powershell -PS C:\Users\Swissky> driverquery.exe /fo table +# https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery +PS C:\Users\Swissky> driverquery.exe /fo table Module Name Display Name Driver Type Link Date ============ ====================== ============= ====================== 1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM @@ -762,6 +763,18 @@ AcpiPmi ACPI Power Meter Drive Kernel 11/19/2006 9:20:15 PM acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM + +PS C:\Users\Swissky> DriverQuery.exe --no-msft +[+] Enumerating driver services... +[+] Checking file signatures... +Citrix USB Filter Driver + Service Name: ctxusbm + Path: C:\Windows\system32\DRIVERS\ctxusbm.sys + Version: 14.11.0.138 + Creation Time (UTC): 17/05/2018 01:20:50 + Cert Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US + Signer: CN="Citrix Systems, Inc.", OU=XenApp(ClientSHA256), O="Citrix Systems, Inc.", L=Fort Lauderdale, S=Florida, C=US + ``` ## EoP - Runas
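Review bot: In the first Active Directory Attack.md hunk the new fenced block is tagged `powershell`, but both commands (`python ldapdomaindump.py ...` and the `jq` filter over `domain_users.json`) are Linux-side tooling; tag the fence `bash` or leave it untagged so the highlighting and the reader's expectation match. Two smaller points in the same hunk: the replacement sentence still reads "do not want modified ACLs to be overwrite every hour" and should be "to be overwritten every hour", and the added `>` quote about `AdminCount` never being unset is presented as a citation without a source, so either link where it comes from or restate it as the page's own text.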
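Review bot: In the first Windows - Privilege Escalation.md hunk the added comment `# https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery` is placed directly above `PS C:\Users\Swissky> driverquery.exe /fo table`, which is the built-in Windows `driverquery.exe`, not the OffensiveCSharp tool. The link belongs immediately before the `DriverQuery.exe --no-msft` invocation added in the following hunk, otherwise readers will assume the GitHub project produced the `Module Name / Display Name / Driver Type` table output.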
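Review bot: In the second Windows - Privilege Escalation.md hunk the added `DriverQuery.exe --no-msft` sample is ambiguous on a default Windows install: `DriverQuery.exe` differs from the built-in `driverquery.exe` only by case, and Windows resolves executables case-insensitively, so typing that name from a prompt resolves to the Microsoft tool on `PATH` unless the downloaded binary is invoked explicitly (for example `.\DriverQuery.exe --no-msft`) or renamed. Also, the section intro says "Look for vuln drivers loaded", but the sample output only shows a signed third-party driver (`ctxusbm.sys`, `Version: 14.11.0.138`, signer Citrix) with no statement of what to do with it; add one line explaining that the tool lists non-Microsoft drivers and that the reader still has to check `Path`/`Version`/`Signer` against known-vulnerable driver references. Finally, drop the empty line left between the last `Signer:` line and the closing fence.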