Who Can Push Ransomware Domain Wide?

$root = (Get-ADDomain).DistinguishedName ; Get-ADObject -Filter * -SearchBase "cn=policies,cn=system,$root" -Properties * | Select-Object DisplayName, Name

(Get-Acl "\\test.local\SYSVOL\test.local").Access | Where-Object {($_.FileSystemRights -match "TakeOwnership|ChangePermissions|FullControl|Write")}
Get-SmbShareAccess -Name "SYSVOL"
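The two checks above look at the GPO container as a whole and at the root of the SYSVOL share. A GPO is actually two things, an AD object under cn=policies and a folder under SYSVOL, and either one being writable is enough to change what gets pushed. The following added example (my code, not from the original post) walks every GPO and flags both halves when someone outside a safe list holds write-class rights. It assumes the ActiveDirectory module is loaded; the safe list and the right patterns (the SYSVOL pattern is the post's plus Modify) are assumptions to adjust for your domain.

```powershell
# Added example: audit each GPO's AD object and its SYSVOL folder for
# write-class rights held by principals outside $Safe_Users.
Import-Module ActiveDirectory

$root = (Get-ADDomain).DistinguishedName
# Principals expected to have write rights on GPOs by default (assumption; extend as needed)
$Safe_Users  = "Domain Admins|Enterprise Admins|BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|ENTERPRISE DOMAIN CONTROLLERS|CREATOR OWNER"
$AdDangerous = "GenericAll|WriteDACL|WriteOwner|GenericWrite|WriteProperty"
$FsDangerous = "TakeOwnership|ChangePermissions|FullControl|Write|Modify"

# gPCFileSysPath points at the GPO's SYSVOL folder, so no GroupPolicy module is needed
$gpos = Get-ADObject -Filter 'objectClass -eq "groupPolicyContainer"' `
    -SearchBase "cn=policies,cn=system,$root" -Properties displayName, gPCFileSysPath

foreach ($gpo in $gpos) {
    # Half 1: the AD object (version number, extension names and links live here)
    $adBad = (Get-Acl -Path "AD:\$($gpo.DistinguishedName)").Access | Where-Object {
        $_.AccessControlType -eq "Allow" -and
        $_.ActiveDirectoryRights -match $AdDangerous -and
        $_.IdentityReference -notmatch $Safe_Users
    }

    # Half 2: the SYSVOL folder (scripts, registry.pol and GPT.INI that clients actually apply)
    $fsBad = @()
    if ($gpo.gPCFileSysPath -and (Test-Path -Path $gpo.gPCFileSysPath)) {
        $fsBad = (Get-Acl -Path $gpo.gPCFileSysPath).Access | Where-Object {
            $_.AccessControlType -eq "Allow" -and
            $_.FileSystemRights -match $FsDangerous -and
            $_.IdentityReference -notmatch $Safe_Users
        }
    }

    if ($adBad -or $fsBad) {
        Write-Host "GPO: $($gpo.displayName) ($($gpo.Name))" -ForegroundColor Red
        $adBad | Select-Object @{n="Where";e={"AD object"}}, IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize
        $fsBad | Select-Object @{n="Where";e={"SYSVOL"}}, IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
    }
}
```

Anything this prints for a GPO linked at the domain or a Domain Controllers OU deserves the same attention as an ACE on the domain root itself: whoever is listed can change the policy every linked computer applies. IsInherited is included because an inherited entry means the fix belongs on the parent (the cn=policies container or the Policies folder), not on the individual GPO.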
  • GenericAll (grants all privileges)
  • WriteDACL (grants the right to give oneself privileges)
  • WriteOwner (grants the right to seize ownership, and then give oneself privileges)
  • GenericWrite (functionally the same thing as WriteProperty with ObjectType all 0s)
  • WriteProperty (with ObjectType = f30e3bbe-9ff0-11d1-b603-0000f80367c, or all 0s, or just any WriteProperty)
  • Delete (self-explanatory)
  • DeleteChild (delete the items in the OU)
  • CreateChild (create items, e.g. users, in the OU)
  • DeleteTree (self-explanatory)
Import-Module ActiveDirectory
Set-Location AD:
$object = "ou=clients,dc=test,dc=local"
$DangerousRights = "GenericAll|WriteDACL|WriteOwner|GenericWrite|WriteProperty|DeleteTree|Delete|DeleteChild|CreateChild"
(Get-Acl $object).Access | Where-Object {($_.ActiveDirectoryRights -match $DangerousRights) -and ($_.AccessControlType -eq "Allow")}
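The snippet above shows the rights but leaves ObjectType as a bare GUID, so a WriteProperty entry cannot be judged without looking the GUID up by hand (the gPLink GUID in the list above is the case that matters for pushing policy). The following added example (my code, not from the original post) builds a GUID-to-name map from the schema and from cn=Extended-Rights and uses it to label each dangerous ACE on the OU. It assumes the ActiveDirectory module and the same OU DN as the snippet; it also goes slightly beyond the post's list by including ExtendedRight, since those ACEs are only meaningful once the GUID is resolved.

```powershell
# Added example: dump dangerous ACEs on one OU with their ObjectType and
# InheritedObjectType GUIDs resolved to attribute, class or extended-right names.
Import-Module ActiveDirectory

$rootDSE = Get-ADRootDSE
$object  = "ou=clients,dc=test,dc=local"   # assumption: the OU being audited

# GUID -> name map. The all-zero GUID means "every property / every right".
$guidMap = @{}
$guidMap[[guid]::Empty] = "<all properties/rights>"

# Attributes and classes: schemaIDGUID is stored as a byte array
Get-ADObject -SearchBase $rootDSE.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Property sets and extended rights (e.g. User-Force-Change-Password): rightsGuid is a string
Get-ADObject -SearchBase "cn=Extended-Rights,$($rootDSE.configurationNamingContext)" `
    -LDAPFilter "(rightsGuid=*)" -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$g) {
    # Fall back to the raw GUID when it is not in the map
    if ($guidMap.ContainsKey($g)) { $guidMap[$g] } else { $g.ToString() }
}

$DangerousRights = "GenericAll|WriteDACL|WriteOwner|GenericWrite|WriteProperty|DeleteTree|Delete|DeleteChild|CreateChild|ExtendedRight"

(Get-Acl -Path "AD:\$object").Access |
    Where-Object { $_.AccessControlType -eq "Allow" -and $_.ActiveDirectoryRights -match $DangerousRights } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
        @{ n = "AppliesTo";    e = { Resolve-AceGuid $_.ObjectType } },
        @{ n = "OnObjectsOf";  e = { Resolve-AceGuid $_.InheritedObjectType } } |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

With the names filled in, a WriteProperty ACE reading AppliesTo = gPLink on an OU is immediately recognisable as "can link any GPO here", while one reading AppliesTo = description is not worth chasing. OnObjectsOf shows which class the ACE is scoped to (for example user or computer), which decides whether a CreateChild or WriteProperty entry reaches the objects you care about.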
#Borrowed from Sean Metcalf, works :)
#Basically it scans the ACL of every OU & flags anyone who has DangerousRights and is not a Safe_User
#Most of the variable names are Sean Metcalf's, I just tweaked it to check OUs instead of AD CS
$ADRoot = (Get-ADRootDSE).rootDomainNamingContext
$DomainSID = (Get-ADDomain).DomainSID.Value
$ADCS_Objects = (Get-ADOrganizationalUnit -Filter * -SearchBase $ADRoot).DistinguishedName
$Safe_Users = "Domain Admins|Enterprise Admins|BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|$env:userdomain\\CERT Publishers|$env:userdomain\\Administrator|BUILTIN\\Account Operators|$env:userdomain\\MSOL_xyz|$DomainSID-519|S-1-5-32-548|NT AUTHORITY\\SELF|$env:userdomain\\Enterprise Key Admins|$env:userdomain\\Key Admins|BUILTIN\\Print Operators"
$DangerousRights = "GenericAll|WriteDACL|WriteOwner|GenericWrite|WriteProperty|DeleteTree|Delete|DeleteChild|CreateChild"
ForEach ($object in $ADCS_Objects)
{
$BadACE = (Get-Acl $object).Access | Where-Object {($_.IdentityReference -notmatch $Safe_Users) -and ($_.ActiveDirectoryRights -match $DangerousRights) -and ($_.AccessControlType -eq "Allow")}
If ($BadACE)
{
Write-Host "Object: $object" -ForegroundColor Red
$BadACE
}
}
$ReallyBadACE = (Get-Acl $ADRoot).Access | Where-Object {($_.IdentityReference -notmatch $Safe_Users) -and ($_.ActiveDirectoryRights -match $DangerousRights) -and ($_.AccessControlType -eq "Allow")}
If ($ReallyBadACE)
{
Write-Host "Object: $ADRoot" -ForegroundColor Red
$ReallyBadACE
}
Import-Module ActiveDirectory
Set-Location AD:
$root = (Get-ADDomain).DistinguishedName
#Give a group GenericAll, aka Full Control, over a given OU
$victim = (Get-ADOrganizationalUnit "ou=vips,$root" -Properties *).DistinguishedName
$acl = Get-ACL $victim
$user = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity "Minions").SID
#Allow GenericAll
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $user,"GenericAll","ALLOW",([GUID]("00000000-0000-0000-0000-000000000000")).guid,"None",([GUID]("00000000-0000-0000-0000-000000000000")).guid))
#Apply above ACL rules
Set-ACL $victim $acl
Import-Module ActiveDirectory
Set-Location AD:
$root = (Get-ADDomain).DistinguishedName
#Remove the GenericAll grant added above from the same OU
$victim = (Get-ADOrganizationalUnit "ou=vips,$root" -Properties *).DistinguishedName
$acl = Get-ACL $victim
$user = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity "Minions").SID
#Remove GenericAll (the rule must match the one that was added exactly)
$acl.RemoveAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $user,"GenericAll","ALLOW",([GUID]("00000000-0000-0000-0000-000000000000")).guid,"None",([GUID]("00000000-0000-0000-0000-000000000000")).guid))
#Apply above ACL rules
Set-ACL $victim $acl
Import-Module ActiveDirectory
Set-Location AD:
#https://ex-shell.com/2017/06/16/remove-a-usergroup-permission-on-an-ad-object-via-powershell/
$DistinguishedName = (Get-ADDomain).DistinguishedName
#$user = "domain\jdoe" (to match a live account instead of a stale SID, substitute $user for $Stale_SID in the if statement below)
$Stale_SID = "S-1-5-21-4103247791-2828088783-3009141321-3631"
#Collect the current ACL
$Acl = Get-Acl $DistinguishedName
#Loop each access permission in the ACL
foreach ($access in $acl.Access)
{
if ($access.IdentityReference.Value -eq $Stale_SID)
{
$acl.RemoveAccessRule($access)
}
}
#Set the ACL back to the AD object
Set-Acl $DistinguishedName -AclObject $acl
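The snippet above removes one known stale SID from the domain root. Stale entries usually are not known in advance: they appear wherever a delegated user or group was deleted, and the ACE on the OU stays behind with a SID that no longer resolves. The following added example (my code, not from the original post) sweeps the domain root and every OU for such entries, reports them, and removes them only when asked to, with Set-Acl honouring -WhatIf so the default run changes nothing. It assumes the ActiveDirectory module; the function and parameter names are mine.

```powershell
# Added example: find (and optionally remove) ACEs whose SID no longer resolves
# to an account on the domain root and every OU.
function Find-OrphanedAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remove)   # report only unless -Remove is given

    Import-Module ActiveDirectory
    $root    = (Get-ADDomain).DistinguishedName
    $targets = @($root) + (Get-ADOrganizationalUnit -Filter * -SearchBase $root).DistinguishedName

    foreach ($dn in $targets) {
        $acl = Get-Acl -Path "AD:\$dn"

        # When a SID cannot be translated to DOMAIN\name the provider leaves
        # IdentityReference as the raw S-1-5-21-... string. Only explicit ACEs are
        # considered: an inherited one has to be removed on the parent.
        $orphans = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -match '^S-1-5-21-'
        })

        foreach ($ace in $orphans) {
            [pscustomobject]@{
                Object = $dn
                SID    = $ace.IdentityReference.Value
                Rights = $ace.ActiveDirectoryRights
                Type   = $ace.AccessControlType
            }
            if ($Remove) { [void]$acl.RemoveAccessRule($ace) }
        }

        # ShouldProcess returns $false under -WhatIf, so nothing is written back
        if ($Remove -and $orphans.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($dn, "Remove $($orphans.Count) orphaned ACE(s)")) {
            Set-Acl -Path "AD:\$dn" -AclObject $acl
        }
    }
}

# Report only
Find-OrphanedAce | Format-Table -AutoSize
# Dry run of the removal; drop -WhatIf once the report has been reviewed
# Find-OrphanedAce -Remove -WhatIf
```

Review the report before removing anything: a SID that does not resolve today may belong to an account in a trusted domain that is unreachable at the moment, or to a foreign security principal, rather than to a deleted object. Comparing the domain part of the SID with (Get-ADDomain).DomainSID tells the two cases apart.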
Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.