search
HomeGitHubPortfolioTwitter/XMediumCont@ct

8.7.3 - Security Descriptors

hashtag
Security Descriptors

Security Descriptors define access control for securable objects in Windows (e.g., services, WMI namespaces, registry keys). The format is described using SDDL (Security Descriptor Definition Language). SDDL strings are built from Access Control Entries (ACEs), which follow this structure:

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

Example ACE for built-in administrators on WMI namespaces:

A;CI;CCDCLCSWRPWPRCWD;;;SID

This ACE grants administrators full control over WMI resources.

hashtag
Using RACE Toolkit for Security Descriptor Abuse

You can abuse security descriptors to grant non-admin users access to protected resources. The RACE toolkit simplifies this process:

Load the toolkit:

. C:\AD\Tools\RACE-master\RACE.ps1

Modify WMI Security Descriptors

  • On the local machine:

Set-RemoteWMI -SamAccountName student1 -Verbose

  • On a remote machine without credentials:

Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

  • On a remote machine with credentials:

  • To remove permissions from the remote machine:

hashtag
Persistence via PowerShell Remoting Descriptors

Note: PS Remoting backdoors via ACLs became unstable after August 2020 patches.

  • 🔸 On the local machine:

  • 🔸 On a remote machine:

  • 🔸 To remove remoting access:

hashtag
Persistence via Remote Registry Descriptors

Using RACE or DAMP, you can grant registry access to users and retrieve sensitive hashes:

  • 🔸 Add a backdoor via Remote Registry:

  • 🔸 As student1, dump the machine account hash:

  • 🔸 Retrieve local account hashes:

  • 🔸 Retrieve domain cached credentials:

hashtag
Labs

Previous8.7.2 - DCSync AttackNext9 - Detection and Defense

Last updated