SlideShare une entreprise Scribd logo

Ace Up the Sleeve

Will Schroeder
Will Schroeder

This document summarizes a presentation on designing Active Directory DACL backdoors for persistence after gaining initial domain elevation. It discusses how DACL misconfigurations can provide stealthy, long-term access. Specific techniques covered include hiding DACLs and principals from easy enumeration, as well as case studies on backdoors involving DCSync rights, AdminSDHolder, LAPS passwords, Exchange objects, and abusing GPOs. Defenses discussed include proper event log collection and SACL auditing. The document provides an overview of how DACLs can be stealthily misconfigured to maintain access without immediate detection.

Technologie
1  sur  60
Télécharger pour lire hors ligne
An ACE Up the Sleeve Designing Active Directory DACL Backdoors Andy Robbins and Will Schroeder SpecterOps
@_wald0 ▪ Job: Adversary Resilience Lead at SpecterOps ▪ Co-founder/developer: BloodHound ▪ Trainer: BlackHat 2016 ▪ Presenter: DEF CON, DerbyCon, ekoparty, Paranoia, ISSA Intl, ISC2 World Congress, various Security BSides ▪ Other: ask me about ACH
@harmj0y ▪ Job: Offensive Engineer at SpecterOps ▪ Co-founder/developer: Veil-Framework, Empire/EmPyre, PowerView/PowerUp, BloodHound, KeeThief ▪ Trainer: BlackHat 2014-2016 ▪ Presenter: DEF CON, DerbyCon, ShmooCon, Troopers, BlueHat Israel, various BSides ▪ Other: PowerSploit developer and Microsoft PowerShell MVP
tl;dr ▪ DACL/ACE Background ▪ DACL Misconfiguration and Abuse ▪ Analysis with BloodHound ▪ Designing ACL Based Backdoors ▪ Case Studies and Demos ▪ Defenses
Disclaimer ▪ There is no exploit/CVE/whatnot here, just ways to purposely implement Active Directory DACL misconfigurations ▪ These backdoors are post-elevation techniques that require some type of elevated access to the objects you’re manipulating
Why Care? ▪ It’s often difficult to determine whether a specific AD DACL misconfiguration was set maliciously or configured by accident ▪ These changes also have a minimal forensic footprint and often survive OS and domain functional level upgrades □ This makes them a great chance for subtle, long-term domain persistence! ▪ These may have been in your environment for YEARS!
“As an offensive researcher, if you can dream it, someone has likely already done it...and that someone isn’t the kind of person who speaks at security cons” Matt Graeber “Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor” - BlackHat 2015
Background From ACLs to ACEs 1.
https://www.sstic.org/2014/presentation/chemins_de_controle_active_directory/ Previous Work
Previous Work https://blogs.technet.microsoft.com/pfesweplat/2017/01/28/forensics-active-directory-acl-investigation/
Previous Work https://bitbucket.org/iwseclabs/bta/
https://habrahabr.ru/post/90990/ Previous (Offensive) Work
SECURITY_DESCRIPTOR https://msdn.microsoft.com/en-us/library/windows/hardware/ff556610(v=vs.85).aspx
ACLs, DACLs, and SACLs ▪ Access Control List (ACL) is basically shorthand for the DACL/SACL superset ▪ An object’s Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs) □ The DACL specifies what principals/trustees have what rights over the object □ The SACL allows for auditing of access attempts to the object
The Access Control Mask (GUI Edition)
DS_CONTROL_ACCESS ▪ AD access mask bit that grants privileges that aren’t easily expressed in the access mask ▪ Interpreted a few different ways... ▪ If the ObjectAceType of an ACE with CONTROL_ACCESS set is the GUID of a confidential property or property set, this bit controls read access to that property □ E.g. in the case of the Local Administrator Password Soltution (LAPS)
DS_CONTROL_ACCESS and Extended Rights ▪ If the ObjectAceType GUID matches a registered extended-right GUID in the schema, then control_access grants that particular “control access right” □ User-Force-Change-Password on user objects □ DS-Replication-Get-Changes and DS-Replication-Get- Changes-All on the domain object itself
SRM and Canonical ACE Order
DACL (Mis)configurations Object Takeover and Abuse 2.
Elevation vs. Persistence ▪ Our work in this area was first motivated by a desire to find AD misconfigurations for the purposes of domain privilege escalation □ I.e. searching for specific ACE relationships that result in a lesser-privileged object modifying a higher-privileged one ▪ This presentation is about modifying/adding ACEs (or chains of ACEs) in order to provide persistence in a domain environment
▪ The two takeover primitives are forcing a password reset, and targeted Kerberoasting through SPN modification (to recover creds) ▪ So the additional rights we care about are: □ WriteProperty to all properties □ WriteProperty to servicePrincipalName □ All extended rights □ User-Force-Change-Password (extended) ▪ Abusable through Set-DomainObjectOwner and Set- DomainUserPassword Target: User Objects
▪ The main takeover primitive involves adding a user to the target group ▪ So the additional rights we care about are: □ WriteProperty to all properties □ WriteProperty to the member property ▪ Abusable through Add-DomainGroupMember Target: Group Objects
▪ If LAPS is enabled: □ We care about DS_CONTROL_ACCESS or GenericAll to the ms-MCS-AdmPwd (plaintext password) property ▪ Otherwise, we don’t know of a practical way to abuse a control relationship to computer objects :( □ If you have any ideas, please let us know! Target: Computer Objects
▪ The main takeover primitive involves granting a user domain replications rights (for DCSync) □ Or someone who currently has DCSync rights ▪ So the main effective right we care about is WriteDacl, so we can grant a principal DCSync rights with Add-DomainObjectAcl □ Or explicit DS-Replication-Get-Changes/ DS- Replication-Get-Changes-All Target: Domain Objects
▪ The main takeover primitive involves the right to edit the group policy (that’s then linked to an OU/site/domain) □ This gives the ability to compromise users/computers in these containers ▪ So the additional rights we care about are: □ WriteProperty to all properties □ WriteProperty to GPC-File-Sys-Path ▪ GPOs can be edited on SYSVOL Target: GPOs
AD Generic Rights ▪ GenericAll □ Allows ALL generic rights to the specified object □ Also grants “control rights” (see next slide) ▪ GenericWrite □ Allows for the modification of (almost) all properties on a specified object ▪ Both are abusable with PowerView’s Set- DomainObject, and these two rights generally apply to most objects for takeover
AD Control Rights ▪ Rights that allow a trustee/principal to take control of the object in some way ▪ WriteDacl grants the ability to modify the DACL in the object security descriptor □ Abusable with PowerView: Add-DomainObjectAcl ▪ WriteOwner grants the ability to take ownership of the object □ Object owners implicitly have full rights! □ Abusable with PowerView: Set-DomainObjectOwner
BloodHound Analysis Arroooooooooo 3.
BloodHound Analysis ▪ BloodHound enables simple, graphical analysis of control relationships in AD ▪ Defenders can use this for: □ least privilege enforcement □ identifying misconfigured ACLs □ detecting “non-stealthy” ACL-enabled backdoors ▪ Attackers can use this to: □ identify ACL-enabled escalation paths □ select targets for highly stealthy backdoors □ understand privilege relationships in the target domain
Designing Active Directory DACL Backdoors (Stealth) Primitives for Pwnage 4.
Objective ▪ We want to implement an Active Directory DACL-based backdoor that: □ Facilitates the regaining of elevated control in the AD environment □ Blends in with normal ACL configurations (“hiding in plain sight”), or is otherwise hidden from easy enumeration by defenders ▪ Let’s see what we can come up with!
Stealth Primitive: Hiding the DACL ▪ Effectively hiding DACLs from defenders requires two steps ▪ Change the object owner from “Domain Admins” to the attacker account. ▪ Add a new explicit ACE, denying the “Everyone” principal the “Read Permissions” privilege.
Stealth Primitive: Hiding the DACL
▪ Hiding a principal from defenders requires three steps: a.Change the principal owner to itself, or another controlled principal b.Grant explicit control of the principal to either itself, or another controlled principal c.On the OU containing your hidden principal, deny the “List Contents” privilege to “Everyone” Stealth Primitive: Hiding the Principal
Stealth Primitive: Hiding the Principal
Primitives: Summary ▪ We know which ACEs result in object takeover ▪ We can control who can enumerate the DACL ▪ We can hide principals/trustees that are present in a specific ACE
Backdoor Case Studies “If you can dream it…” 5.
A Hidden DCSync Backdoor ▪ Backdoor: □ Add DS-Replication-Get-Changes and DS-Replication- Get-Changes-All on the domain object itself where the principal is a user/computer account the attacker controls □ The user/computer doesn’t have to be in any special groups or have any other special privileges! ▪ Execution: □ DCSync whoever you want!
AdminSDHolder ▪ Backdoor: □ Attacker grants themselves the User-Force-Change- Password (or GenericAll) right on CN=AdminSDHolder,CN=System,DC=domain,… □ Every 60 minutes, this permission is cloned to every sensitive/protected AD object through SDProp □ Attacker “hides” their account using methods described ▪ Execution: □ Attacker force resets the password for any adminCount=1 account
LAPS ▪ Microsoft’s “Local Administrator Password Solution” ▪ Randomizes the a machine’s local admin password every 30 days □ The password is stored in the confidential ms-Mcs- AdmPwd attribute on computer objects ▪ Administered with the AdmPwd.PS cmdlets □ Find-AdmPwdExtendedRights “Audits” who can read ms-Mcs-AdmPwd https://technet.microsoft.com/en-us/mt227395.aspx
Who can read AdmPwd?* ▪ DS_CONTROL_ACCESSS where the ACE □ applies to AdmPwd and all descendant computers □ applies to AdmPwd and all descendant objects □ applies to any object and all descendant objects □ applies to any object and all descendant computers ▪ Above checks are also necessary for GENERIC_ALL ▪ Object control == Ability to grant the above rights □ You are the owner □ You can become the owner: □ WriteDACL, WriteOwner * See the whitepaper for more details - the list here is not comprehensive
Shortcomings of Find- AdmPwdExtendedRights ▪ DS_CONTROL_ACCESSS where the ACE □ applies to AdmPwd and all descendant computers □ applies to AdmPwd and all descendant objects □ applies to any object and all descendant objects □ applies to any object and all descendant computers ▪ Above checks are also necessary for GENERIC_ALL ▪ Object control == Ability to grant the above rights □ You are the owner □ You can become the owner □ WriteDACL, WriteOwner ▪ Only analyzes OUs and (optionally) computers
Normal user can’t access ms-mcs-AdmPwd
Privileged attacker adds backdoor to Servers OU
Domain user can access AdmPwd! LAPS cmdlet doesn’t detect it!
Exchange Strikes Back ▪ Exchange Server introduces several schema changes, new nested security groups, and MANY control relationships to Active Directory, making it a perfect spot to blend in amongst the noise. ▪ Pre Exchange Server 2007 SP1, this included the “WriteDACL” privilege against the domain object itself, which was distributed down to ALL securable objects!
Exchange Strikes Back ▪ Backdoor: □ Identify a non-protected security group with local admin rights on one or more Exchange servers □ Grant “Authenticated Users” full control over this security group □ Change the owner of the group to an Exchange server □ Deny “Read Permissions” on this group to the “Everyone” principal
▪ Execution: □ Regain access to the Active Directory domain as any user □ Add your current user to the back-doored security group □ Use your new local admin rights on an Exchange server to execute commands as the SYSTEM user on that computer. □ Exchange Trusted Subsystem often has full control of the domain, so this may include DCSync! Exchange Strikes Back
Abusing GPOs ▪ Backdoor: □ Attacker grants herself GenericAll to any user object with the attacker as the trustee □ Grant that “patsy” user WriteDacl to the default domain controllers GPO ▪ Execution: □ Force resets the “patsy” account password □ Adds a DACL to the GPO that allows write access for the patsy to GPC- File-Sys-Path of the GPO □ Grants the attack SeEnableDelegationPrivilege rights in GptTmpl.inf □ Executes a constrained delegation attack using the patsy account’s credentials
Defenses All is (Probably) Not Lost ;) 6.
Event Logs ▪ Proper event log tuning and monitoring is pretty much your only hope for performing real “forensics” on these actions □ But if you weren’t collecting event logs when the backdoor was implemented, you might not ever know who the perpetrator was :( ▪ For example: □ Event log 4738 (“A user account was changed”), filtered by the property modified
Replication Metadata ▪ Metadata remnants from domain controller replication can grant a few clues □ Specifically, when a given attribute was modified, and from what domain controller the modification event occurred on ▪ This points you in the right direction, but needs to be used with event logs to get the full picture □ More information in a post soon on http://blog.harmj0y.net
SACLs ▪ SACLs contain ACEs that, “specify the types of access attempts that generate audit records in the security event log of a domain controller” ▪ You don’t have to SACL every success/failure action on every object type and property: □ A great start- build SACLs for all of the attack primitives we’ve talked about on the specific target objects we’ve outlined □ More information: http://bit.ly/2tOAGn7
▪ We were not able to utilize NULL DACLs or otherwise manipulate the header control bits (i.e. SE_DACL_PRESENT) □ Any attempts to set ntSecurityDescriptor on an object remotely ignores any header bits, however this warrants another look ▪ Research additional control relationships □ Particularly any relationship that allows for computer object takeover Future Work
Credits Special thanks to all the people who helped us with this research and slide deck: ▪ Lee Christensen (@tifkin_) ▪ Jeff Dimmock (@bluscreenofjeff) ▪ Everyone else at SpecterOps! ▪ Matt Graeber (@mattifestation)
Questions? Contact us at: ▪ @_wald0 (robbins.andy [at] gmail.com) ▪ @harmj0y (will [at] harmj0y.net)

Recommandé

DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
 

Recommandé

DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"Will Schroeder
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-OwnedWill Schroeder
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operationsDaniel López Jiménez
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The EmpireRyan Cobb
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 

Contenu connexe

Tendances

SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operationsDaniel López Jiménez
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 

Tendances (20)

Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operations
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 

En vedette

Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The EmpireRyan Cobb
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017Alexander Polce Leary
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedAlex Davies
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Alexander Polce Leary
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...Puppet
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...Chris Thompson
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamPriyanka Aash
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniquesSymantec Security Response
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalPacSecJP
 

En vedette (16)

Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
 
Catching fileless attacks
Catching fileless attacksCatching fileless attacks
Catching fileless attacks
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
 

Similaire à Ace Up the Sleeve

I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
 
DOAG Oracle Database Vault
DOAG Oracle Database VaultDOAG Oracle Database Vault
DOAG Oracle Database VaultStefan Oehrli
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot
 
Role-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4jRole-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4jNeo4j
 
Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckPaula Januszkiewicz
 
Ibm informix security functionality overview
Ibm informix security functionality overviewIbm informix security functionality overview
Ibm informix security functionality overviewBeGooden-IT Consulting
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory EnumerationDaniel López Jiménez
 
airflowpresentation1-180717183432.pptx
airflowpresentation1-180717183432.pptxairflowpresentation1-180717183432.pptx
airflowpresentation1-180717183432.pptxVIJAYAPRABAP
 
Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabaseMarkus Flechtner
 
Database security best_practices
Database security best_practicesDatabase security best_practices
Database security best_practicesTarik Essawi
 
Cassandra Lunch #92: Securing Apache Cassandra - Managing Roles and Permissions
Cassandra Lunch #92: Securing Apache Cassandra - Managing Roles and PermissionsCassandra Lunch #92: Securing Apache Cassandra - Managing Roles and Permissions
Cassandra Lunch #92: Securing Apache Cassandra - Managing Roles and PermissionsAnant Corporation
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
Ingres For Oracle Users
Ingres For Oracle UsersIngres For Oracle Users
Ingres For Oracle UsersMichael Sale
 
Odv oracle customer_demo
Odv oracle customer_demoOdv oracle customer_demo
Odv oracle customer_demoViaggio Italia
 
OpenLDAP - Installation and Configuration
OpenLDAP - Installation and ConfigurationOpenLDAP - Installation and Configuration
OpenLDAP - Installation and ConfigurationWildan Maulana
 

Similaire à Ace Up the Sleeve (20)

I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applications
 
DOAG Oracle Database Vault
DOAG Oracle Database VaultDOAG Oracle Database Vault
DOAG Oracle Database Vault
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
 
Role-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4jRole-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4j
 
Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality Check
 
Ibm informix security functionality overview
Ibm informix security functionality overviewIbm informix security functionality overview
Ibm informix security functionality overview
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
 
airflowpresentation1-180717183432.pptx
airflowpresentation1-180717183432.pptxairflowpresentation1-180717183432.pptx
airflowpresentation1-180717183432.pptx
 
Terraform Cosmos DB
Terraform Cosmos DBTerraform Cosmos DB
Terraform Cosmos DB
 
Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle Database
 
Vault_KT.pptx
Vault_KT.pptxVault_KT.pptx
Vault_KT.pptx
 
Database security best_practices
Database security best_practicesDatabase security best_practices
Database security best_practices
 
Cassandra Lunch #92: Securing Apache Cassandra - Managing Roles and Permissions
Cassandra Lunch #92: Securing Apache Cassandra - Managing Roles and PermissionsCassandra Lunch #92: Securing Apache Cassandra - Managing Roles and Permissions
Cassandra Lunch #92: Securing Apache Cassandra - Managing Roles and Permissions
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
Ingres For Oracle Users
Ingres For Oracle UsersIngres For Oracle Users
Ingres For Oracle Users
 
Odv oracle customer_demo
Odv oracle customer_demoOdv oracle customer_demo
Odv oracle customer_demo
 
OpenLDAP - Installation and Configuration
OpenLDAP - Installation and ConfigurationOpenLDAP - Installation and Configuration
OpenLDAP - Installation and Configuration
 
Catalyst MVC
Catalyst MVCCatalyst MVC
Catalyst MVC
 

Plus de Will Schroeder

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfWill Schroeder
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conWill Schroeder
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with PythonWill Schroeder
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have MissedWill Schroeder
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsWill Schroeder
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 

Plus de Will Schroeder (15)

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 

Dernier

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Dernier (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Ace Up the Sleeve

  • 1. An ACE Up the Sleeve Designing Active Directory DACL Backdoors Andy Robbins and Will Schroeder SpecterOps
  • 2. @_wald0 ▪ Job: Adversary Resilience Lead at SpecterOps ▪ Co-founder/developer: BloodHound ▪ Trainer: BlackHat 2016 ▪ Presenter: DEF CON, DerbyCon, ekoparty, Paranoia, ISSA Intl, ISC2 World Congress, various Security BSides ▪ Other: ask me about ACH
  • 3. @harmj0y ▪ Job: Offensive Engineer at SpecterOps ▪ Co-founder/developer: Veil-Framework, Empire/EmPyre, PowerView/PowerUp, BloodHound, KeeThief ▪ Trainer: BlackHat 2014-2016 ▪ Presenter: DEF CON, DerbyCon, ShmooCon, Troopers, BlueHat Israel, various BSides ▪ Other: PowerSploit developer and Microsoft PowerShell MVP
  • 4. tl;dr ▪ DACL/ACE Background ▪ DACL Misconfiguration and Abuse ▪ Analysis with BloodHound ▪ Designing ACL Based Backdoors ▪ Case Studies and Demos ▪ Defenses
  • 5. Disclaimer ▪ There is no exploit/CVE/whatnot here, just ways to purposely implement Active Directory DACL misconfigurations ▪ These backdoors are post-elevation techniques that require some type of elevated access to the objects you’re manipulating
  • 6. Why Care? ▪ It’s often difficult to determine whether a specific AD DACL misconfiguration was set maliciously or configured by accident ▪ These changes also have a minimal forensic footprint and often survive OS and domain functional level upgrades □ This makes them a great chance for subtle, long-term domain persistence! ▪ These may have been in your environment for YEARS!
  • 7. “As an offensive researcher, if you can dream it, someone has likely already done it...and that someone isn’t the kind of person who speaks at security cons” Matt Graeber “Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor” - BlackHat 2015
  • 14. ACLs, DACLs, and SACLs ▪ Access Control List (ACL) is basically shorthand for the DACL/SACL superset ▪ An object’s Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs) □ The DACL specifies what principals/trustees have what rights over the object □ The SACL allows for auditing of access attempts to the object
  • 16. DS_CONTROL_ACCESS ▪ AD access mask bit that grants privileges that aren’t easily expressed in the access mask ▪ Interpreted a few different ways... ▪ If the ObjectAceType of an ACE with CONTROL_ACCESS set is the GUID of a confidential property or property set, this bit controls read access to that property □ E.g. in the case of the Local Administrator Password Soltution (LAPS)
  • 17. DS_CONTROL_ACCESS and Extended Rights ▪ If the ObjectAceType GUID matches a registered extended-right GUID in the schema, then control_access grants that particular “control access right” □ User-Force-Change-Password on user objects □ DS-Replication-Get-Changes and DS-Replication-Get- Changes-All on the domain object itself
  • 18. SRM and Canonical ACE Order
  • 20. Elevation vs. Persistence ▪ Our work in this area was first motivated by a desire to find AD misconfigurations for the purposes of domain privilege escalation □ I.e. searching for specific ACE relationships that result in a lesser-privileged object modifying a higher-privileged one ▪ This presentation is about modifying/adding ACEs (or chains of ACEs) in order to provide persistence in a domain environment
  • 21. ▪ The two takeover primitives are forcing a password reset, and targeted Kerberoasting through SPN modification (to recover creds) ▪ So the additional rights we care about are: □ WriteProperty to all properties □ WriteProperty to servicePrincipalName □ All extended rights □ User-Force-Change-Password (extended) ▪ Abusable through Set-DomainObjectOwner and Set- DomainUserPassword Target: User Objects
  • 22. ▪ The main takeover primitive involves adding a user to the target group ▪ So the additional rights we care about are: □ WriteProperty to all properties □ WriteProperty to the member property ▪ Abusable through Add-DomainGroupMember Target: Group Objects
  • 23. ▪ If LAPS is enabled: □ We care about DS_CONTROL_ACCESS or GenericAll to the ms-MCS-AdmPwd (plaintext password) property ▪ Otherwise, we don’t know of a practical way to abuse a control relationship to computer objects :( □ If you have any ideas, please let us know! Target: Computer Objects
  • 24. ▪ The main takeover primitive involves granting a user domain replications rights (for DCSync) □ Or someone who currently has DCSync rights ▪ So the main effective right we care about is WriteDacl, so we can grant a principal DCSync rights with Add-DomainObjectAcl □ Or explicit DS-Replication-Get-Changes/ DS- Replication-Get-Changes-All Target: Domain Objects
  • 25. ▪ The main takeover primitive involves the right to edit the group policy (that’s then linked to an OU/site/domain) □ This gives the ability to compromise users/computers in these containers ▪ So the additional rights we care about are: □ WriteProperty to all properties □ WriteProperty to GPC-File-Sys-Path ▪ GPOs can be edited on SYSVOL Target: GPOs
  • 26. AD Generic Rights ▪ GenericAll □ Allows ALL generic rights to the specified object □ Also grants “control rights” (see next slide) ▪ GenericWrite □ Allows for the modification of (almost) all properties on a specified object ▪ Both are abusable with PowerView’s Set- DomainObject, and these two rights generally apply to most objects for takeover
  • 27. AD Control Rights ▪ Rights that allow a trustee/principal to take control of the object in some way ▪ WriteDacl grants the ability to modify the DACL in the object security descriptor □ Abusable with PowerView: Add-DomainObjectAcl ▪ WriteOwner grants the ability to take ownership of the object □ Object owners implicitly have full rights! □ Abusable with PowerView: Set-DomainObjectOwner
  • 29. BloodHound Analysis ▪ BloodHound enables simple, graphical analysis of control relationships in AD ▪ Defenders can use this for: □ least privilege enforcement □ identifying misconfigured ACLs □ detecting “non-stealthy” ACL-enabled backdoors ▪ Attackers can use this to: □ identify ACL-enabled escalation paths □ select targets for highly stealthy backdoors □ understand privilege relationships in the target domain
  • 30.
  • 32. Objective ▪ We want to implement an Active Directory DACL-based backdoor that: □ Facilitates the regaining of elevated control in the AD environment □ Blends in with normal ACL configurations (“hiding in plain sight”), or is otherwise hidden from easy enumeration by defenders ▪ Let’s see what we can come up with!
  • 33. Stealth Primitive: Hiding the DACL ▪ Effectively hiding DACLs from defenders requires two steps ▪ Change the object owner from “Domain Admins” to the attacker account. ▪ Add a new explicit ACE, denying the “Everyone” principal the “Read Permissions” privilege.
  • 35. ▪ Hiding a principal from defenders requires three steps: a.Change the principal owner to itself, or another controlled principal b.Grant explicit control of the principal to either itself, or another controlled principal c.On the OU containing your hidden principal, deny the “List Contents” privilege to “Everyone” Stealth Primitive: Hiding the Principal
  • 37. Primitives: Summary ▪ We know which ACEs result in object takeover ▪ We can control who can enumerate the DACL ▪ We can hide principals/trustees that are present in a specific ACE
  • 38. Backdoor Case Studies “If you can dream it…” 5.
  • 39. A Hidden DCSync Backdoor ▪ Backdoor: □ Add DS-Replication-Get-Changes and DS-Replication- Get-Changes-All on the domain object itself where the principal is a user/computer account the attacker controls □ The user/computer doesn’t have to be in any special groups or have any other special privileges! ▪ Execution: □ DCSync whoever you want!
  • 40.
  • 41. AdminSDHolder ▪ Backdoor: □ Attacker grants themselves the User-Force-Change- Password (or GenericAll) right on CN=AdminSDHolder,CN=System,DC=domain,… □ Every 60 minutes, this permission is cloned to every sensitive/protected AD object through SDProp □ Attacker “hides” their account using methods described ▪ Execution: □ Attacker force resets the password for any adminCount=1 account
  • 42.
  • 43. LAPS ▪ Microsoft’s “Local Administrator Password Solution” ▪ Randomizes the a machine’s local admin password every 30 days □ The password is stored in the confidential ms-Mcs- AdmPwd attribute on computer objects ▪ Administered with the AdmPwd.PS cmdlets □ Find-AdmPwdExtendedRights “Audits” who can read ms-Mcs-AdmPwd https://technet.microsoft.com/en-us/mt227395.aspx
  • 44. Who can read AdmPwd?* ▪ DS_CONTROL_ACCESSS where the ACE □ applies to AdmPwd and all descendant computers □ applies to AdmPwd and all descendant objects □ applies to any object and all descendant objects □ applies to any object and all descendant computers ▪ Above checks are also necessary for GENERIC_ALL ▪ Object control == Ability to grant the above rights □ You are the owner □ You can become the owner: □ WriteDACL, WriteOwner * See the whitepaper for more details - the list here is not comprehensive
  • 45. Shortcomings of Find- AdmPwdExtendedRights ▪ DS_CONTROL_ACCESSS where the ACE □ applies to AdmPwd and all descendant computers □ applies to AdmPwd and all descendant objects □ applies to any object and all descendant objects □ applies to any object and all descendant computers ▪ Above checks are also necessary for GENERIC_ALL ▪ Object control == Ability to grant the above rights □ You are the owner □ You can become the owner □ WriteDACL, WriteOwner ▪ Only analyzes OUs and (optionally) computers
  • 46. Normal user can’t access ms-mcs-AdmPwd
  • 48. Domain user can access AdmPwd! LAPS cmdlet doesn’t detect it!
  • 49. Exchange Strikes Back ▪ Exchange Server introduces several schema changes, new nested security groups, and MANY control relationships to Active Directory, making it a perfect spot to blend in amongst the noise. ▪ Pre Exchange Server 2007 SP1, this included the “WriteDACL” privilege against the domain object itself, which was distributed down to ALL securable objects!
  • 50. Exchange Strikes Back ▪ Backdoor: □ Identify a non-protected security group with local admin rights on one or more Exchange servers □ Grant “Authenticated Users” full control over this security group □ Change the owner of the group to an Exchange server □ Deny “Read Permissions” on this group to the “Everyone” principal
  • 51. ▪ Execution: □ Regain access to the Active Directory domain as any user □ Add your current user to the back-doored security group □ Use your new local admin rights on an Exchange server to execute commands as the SYSTEM user on that computer. □ Exchange Trusted Subsystem often has full control of the domain, so this may include DCSync! Exchange Strikes Back
  • 52.
  • 53. Abusing GPOs ▪ Backdoor: □ Attacker grants herself GenericAll to any user object with the attacker as the trustee □ Grant that “patsy” user WriteDacl to the default domain controllers GPO ▪ Execution: □ Force resets the “patsy” account password □ Adds a DACL to the GPO that allows write access for the patsy to GPC- File-Sys-Path of the GPO □ Grants the attack SeEnableDelegationPrivilege rights in GptTmpl.inf □ Executes a constrained delegation attack using the patsy account’s credentials
  • 54. Defenses All is (Probably) Not Lost ;) 6.
  • 55. Event Logs ▪ Proper event log tuning and monitoring is pretty much your only hope for performing real “forensics” on these actions □ But if you weren’t collecting event logs when the backdoor was implemented, you might not ever know who the perpetrator was :( ▪ For example: □ Event log 4738 (“A user account was changed”), filtered by the property modified
  • 56. Replication Metadata ▪ Metadata remnants from domain controller replication can grant a few clues □ Specifically, when a given attribute was modified, and from what domain controller the modification event occurred on ▪ This points you in the right direction, but needs to be used with event logs to get the full picture □ More information in a post soon on http://blog.harmj0y.net
  • 57. SACLs ▪ SACLs contain ACEs that, “specify the types of access attempts that generate audit records in the security event log of a domain controller” ▪ You don’t have to SACL every success/failure action on every object type and property: □ A great start- build SACLs for all of the attack primitives we’ve talked about on the specific target objects we’ve outlined □ More information: http://bit.ly/2tOAGn7
  • 58. ▪ We were not able to utilize NULL DACLs or otherwise manipulate the header control bits (i.e. SE_DACL_PRESENT) □ Any attempts to set ntSecurityDescriptor on an object remotely ignores any header bits, however this warrants another look ▪ Research additional control relationships □ Particularly any relationship that allows for computer object takeover Future Work
  • 59. Credits Special thanks to all the people who helped us with this research and slide deck: ▪ Lee Christensen (@tifkin_) ▪ Jeff Dimmock (@bluscreenofjeff) ▪ Everyone else at SpecterOps! ▪ Matt Graeber (@mattifestation)
  • 60. Questions? Contact us at: ▪ @_wald0 (robbins.andy [at] gmail.com) ▪ @harmj0y (will [at] harmj0y.net)