8.7.3 - Security Descriptors
Security Descriptors
Security Descriptors define access control for securable objects in Windows (e.g., services, WMI namespaces, registry keys). The format is described using SDDL (Security Descriptor Definition Language). SDDL strings are built from Access Control Entries (ACEs), which follow this structure:
Example ACE for built-in administrators on WMI namespaces:
This ACE grants administrators full control over WMI resources.
Using RACE Toolkit for Security Descriptor Abuse
You can abuse security descriptors to grant non-admin users access to protected resources. The RACE toolkit simplifies this process:
Load the toolkit:
Modify WMI Security Descriptors
On the local machine:
On a remote machine without credentials:
On a remote machine with credentials:
To remove permissions from the remote machine:
Persistence via PowerShell Remoting Descriptors
Note: PS Remoting backdoors via ACLs became unstable after August 2020 patches.
🔸 On the local machine:
🔸 On a remote machine:
🔸 To remove remoting access:
Persistence via Remote Registry Descriptors
Using RACE or DAMP, you can grant registry access to users and retrieve sensitive hashes:
🔸 Add a backdoor via Remote Registry:
🔸 As
student1
, dump the machine account hash:
🔸 Retrieve local account hashes:
🔸 Retrieve domain cached credentials:
Labs
Last updated