Ws 2012 active directory-clase4 - Configuración de Rol Active Directory
Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory...
Transcript of Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory...
![Page 1: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/1.jpg)
Understanding Active Directory
Security Descriptors
ATTL4S & ElephantSe4l
![Page 2: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/2.jpg)
www.crummie5.club
# ATTL4S
• Daniel López Jiménez (a.k.a. ATTL4S)• Twitter: @DaniLJ94• GitHub: @ATTL4S• Youtube: ATTL4S
• Loves Windows and Active Directory security• Senior Security Consultant at NCC Group• Associate Teacher at Universidad Castilla-La Mancha (MCSI)
Confs: NavajaNegra, No cON Name, h-c0n, Hack&Beers
Posts: Crummie5, NCC Group’s blog, Hackplayers
Certs: CRTO, PACES, OSCP, CRTE
![Page 3: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/3.jpg)
www.crummie5.club
WWW.CRUMMIE5.CLUB
![Page 4: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/4.jpg)
www.crummie5.club
The goal of this talk is understanding – from an offensive perspective – Windows
Security Descriptors and how to leverage them in your pentests and operations for
privilege escalation and persistence opportunities
![Page 5: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/5.jpg)
www.crummie5.club
Agenda
1. Introduction
2. Securable Objects
3. ACL Enumeration
4. Abusing Rights
![Page 6: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/6.jpg)
www.crummie5.club
Introduction
![Page 7: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/7.jpg)
www.crummie5.club
Why?
• Active Directory environments consist of countless objects (users, groups, computers…)
• Security Descriptors provide a way to (mis)configure access relationships between objects • Administrators often configure too many permissions• Legitimate solutions sometimes require high privileges (Exchange, AD
connect…)• Some privileges are there for legit reasons!
• Abuses of this field include privilege escalation and persistence opportunities
![Page 8: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/8.jpg)
www.crummie5.club
We are talking about features (no CVE / exploits required)
![Page 9: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/9.jpg)
www.crummie5.club
![Page 10: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/10.jpg)
www.crummie5.club
![Page 11: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/11.jpg)
www.crummie5.club
![Page 12: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/12.jpg)
www.crummie5.club
Securable Objects
![Page 13: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/13.jpg)
www.crummie5.clubhttps://docs.microsoft.com/es-es/windows/win32/secauthz/securable-objects?redirectedfrom=MSDN
Securable Objects
A securable object is an object that can have a security descriptor
Examples
Files / directories Named Pipes
Processes / Threads Access Tokens
Windows Desktops Registry Keys
Services Printers
Shares AD Objects
![Page 14: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/14.jpg)
www.crummie5.clubhttps://docs.microsoft.com/es-es/windows/win32/secauthz/security-descriptors
Security Descriptors
• A security descriptor contains the security information associated with a securable object
• A security descriptor can include the following information• Object Owner (SID)
• Discretionary Access Control List (DACL)
• System Access Control List (SACL)
• Set of control bits
![Page 15: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/15.jpg)
www.crummie5.clubhttps://docs.microsoft.com/es-es/windows/win32/secauthz/security-descriptors
Security Descriptors (cont.)
![Page 16: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/16.jpg)
www.crummie5.clubhttps://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
• Object owners can modify an object’s DACL• WriteDACL and RIGHT_READ_CONTROL
Security Descriptors - Object Owners
![Page 17: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/17.jpg)
www.crummie5.clubhttps://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
• A DACL is a list of Access Control Entries (ACEs)
• Each ACE defines who (principal / trustee) has permissions over the concerned object
Security Descriptors - DACL
![Page 18: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/18.jpg)
Passwords.txt
DACL
Object’s Security Descriptors
Access Denied
S-1-5-21-domain-1004 (wint3r)
Read, Write, Execute
ACE 1
Access Allowed
S-1-5-32-544 (Administrators)
Write
ACE 2
…
Attl4s’s Process
…
S-1-5-32-544 (Administrators)
…
Groups
Wint3r’s Process
…
S-1-5-21-domain-1004
User SID
Access Token
Access Token
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokenshttps://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptors
![Page 19: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/19.jpg)
www.crummie5.clubhttps://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
▪ Logging attempts to access a secured object
Security Descriptors - SACL
![Page 20: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/20.jpg)
www.crummie5.club
As an attacker, we'd like one of these over an interesting object:
▪ Being the owner or controlling its ownership
▪ Having rights to control/modify its DACL
▪ Having object-specific rights to compromise it
![Page 21: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/21.jpg)
www.crummie5.club
ACL Enumeration
![Page 22: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/22.jpg)
DACL
ACE 1ACE 2ACE 3
…
DACL
ACE 1ACE 2ACE 3
…
DACL
ACE 1ACE 2ACE 3
…
DACL
ACE 1ACE 2ACE 3
…
![Page 23: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/23.jpg)
www.crummie5.club
ACL Enumeration
• If doing manual work, focus on interesting objects• Domains, specific groups, computers, users…
• To get the full picture, you will need to check every-single-object’s DACL• Bloodhound
• Powerview’s Invoke-ACLScanner
• Filter ACL information to remove junk (we already know DA has privileges…)• SID > 1000
![Page 24: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/24.jpg)
www.crummie5.club
![Page 25: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/25.jpg)
www.crummie5.clubhttps://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1
Powerview - DACL
▪ Get-DomainObjectAcl
• SecurityIdentifier = Trustee
• ActiveDirectoryRights
• AceType
![Page 26: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/26.jpg)
www.crummie5.clubhttps://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1
Powerview - DACL (cont.)
Get-DomainObjectAcl [OBJECT] | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$')} | select SecurityIdentifier,ActiveDirectoryRights, @{name='Whois';expression= {Convert-SIDToName $_.SecurityIdentifier }}
![Page 27: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/27.jpg)
www.crummie5.clubhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7
AD Module - DACL
(Get-Acl "AD:$(Get-ADUser vegeta_sa)").Access | ? { ((Convert-NameToSid $_.IdentityReference) -match '^S-1-5-.*-[1-9]\d{3,}$')}
![Page 28: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/28.jpg)
www.crummie5.clubhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7
AD Module - Owner
(Get-Acl "AD:$(Get-ADUser vegeta_sa)").Owner
![Page 29: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/29.jpg)
www.crummie5.clubhttps://docs.microsoft.com/en-us/windows/win32/adschema/control-access-rights
Extended Rights
![Page 30: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/30.jpg)
www.crummie5.club
ACL Abuses
![Page 31: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/31.jpg)
www.crummie5.clubhttps://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
Right Categories
• Generic rights: grouping of different specific rights
• Control rights: allow controlling objects by modifying their ownerships or DACLs
• Object-specific rights: depending the right over the concerned object, they mayallow compromising it
![Page 32: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/32.jpg)
www.crummie5.club
Generic Rights
• GenericAll
• GenericWrite
![Page 33: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/33.jpg)
www.crummie5.club
![Page 34: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/34.jpg)
www.crummie5.club
Control Rights
• WriteDacl
• WriteOwner
![Page 35: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/35.jpg)
www.crummie5.club
Set-DomainObjectOwner –Identity “Tier 1 Admins” –OwnerIdentity Bulma -Verbose
Control Rights (cont.)
![Page 36: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/36.jpg)
www.crummie5.club
Add-DomainObjectAcl –TargetIdentity “Tier 1 Admins” –PrincipalIdentity Bulma –Rights WriteMembers -Verbose
Control Rights (cont.)
![Page 37: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/37.jpg)
www.crummie5.club
Object-specific Rights
• Users
• Groups
• GPOs
• OUs
• Computers
• Domains
![Page 38: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/38.jpg)
www.crummie5.club
Object-specific Rights - Users
• Things you could do
• Resetting passwords
• Kerberoasting
• As-Reproasting
![Page 39: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/39.jpg)
www.crummie5.club
![Page 40: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/40.jpg)
www.crummie5.club
![Page 41: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/41.jpg)
www.crummie5.club
Object-specific Rights - Groups
• Things you could do
• Adding new members
![Page 42: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/42.jpg)
www.crummie5.club
Object-specific Rights - GPOs
• Things you could do
• Editing GPOs
![Page 43: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/43.jpg)
www.crummie5.club
![Page 44: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/44.jpg)
www.crummie5.club
Interesting Links
• Will Schroeder – Abusing GPO Permissions
• http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
• Rastamouse – GPO Abuse
• https://rastamouse.me/blog/gpo-abuse-pt1/
• https://rastamouse.me/blog/gpo-abuse-pt2/
• Wald0 - A Red Teamer’s Guide to GPOs and OUs
• https://wald0.com/?p=179
![Page 45: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/45.jpg)
www.crummie5.club
Object-specific Rights - OUs
• Things you could do
• Linking arbitrary GPOs
![Page 46: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/46.jpg)
www.crummie5.clubhttps://markgamache.blogspot.com/2020/07/exploiting-ad-gplink-for-good-or-evil.html
Object-specific Rights – OUs (cont.)
![Page 47: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/47.jpg)
www.crummie5.club
Object-specific Rights - Computers
• Things you could do
• Reading LAPS password
• Setting Kerberos RBCD
![Page 48: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/48.jpg)
www.crummie5.club
![Page 49: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/49.jpg)
www.crummie5.club
![Page 50: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/50.jpg)
www.crummie5.club
Object-specific Rights - Domains
▪ Things you could do
▪ DCSync
![Page 51: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/51.jpg)
www.crummie5.club
![Page 52: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/52.jpg)
Acknowledgments
An ACE Up the Sleeve: Designing Active Directory DACL BackdoorsAndy Robbins and Will Schroeder
Black Hat 2017
![Page 53: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/53.jpg)
www.crummie5.club
Interesting Links
• Will Schroeder• https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
• https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf
• https://es.slideshare.net/harmj0y/an-ace-in-the-hole-stealthy-host-persistence-via-security-descriptors
• https://www.harmj0y.net/blog/activedirectory/s4u2pwnage
• http://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
• http://www.harmj0y.net/blog/redteaming/rubeus-now-with-more-kekeo/
• http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
• http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
• http://www.harmj0y.net/blog/powershell/running-laps-with-powerview/
• Andrew Robbins• https://wald0.com/?p=112
• https://wald0.com/?p=68
• https://es.slideshare.net/AndyRobbins3/bloodhound-13-the-acl-attack-path-update-paranoia17-oslo
• https://es.slideshare.net/AndyRobbins3/here-be-dragons-the-unexplored-land-of-active-directory-acls
• https://www.youtube.com/watch?v=bHuetBOeOOQ
• Elad Shamir• https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
• Sean Metcalf• https://adsecurity.org/?p=1667
• https://adsecurity.org/?p=4056
• Dirk-jan Mollema• https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
![Page 54: Understanding Active Directory Security Descriptors · 2021. 4. 29. · •Active Directory environments consist of countless objects (users, groups, computers…) •Security Descriptors](https://reader035.fdocuments.us/reader035/viewer/2022062612/6141637ca2f84929c3045bd0/html5/thumbnails/54.jpg)
Is anybody awake?
MANY THANKS!Any Question?