Persistence through ACLs

==This technique is incredibly invasive and hard to remove. Even if you have signoff on your red team exercise to perform these techniques, you must take the utmost caution when performing these techniques. In real-world scenarios, the exploitation of most of these techniques would result in a full domain rebuild.==

General

Persisting through AD Group Templates

While we can just add an account we control to every single privileged group we can find, the blue team would still be able to perform cleanup and remove our membership. In order to ensure a bit better persistence, we should rather inject into the templates that generate the default groups. By injecting into these templates, even if they remove our membership, we just need to wait until the template refreshes, and we will once again be granted membership.

One such template is the AdminSDHolder container. This container exists in every AD domain, and its Access Control List (ACL) is used as a template to copy permissions to all protected groups. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins. If you are looking for the full list of groups, you can find them here.

A process called SDProp takes the ACL of the AdminSDHolder container and applies it to all protected groups every 60 minutes. We can thus write an ACE that will grant us full permissions on all protected groups.

Commands

Requirements

  • The logged-in account has administrator privileges (or equivalent)
  • Connect via RDP to a workstation

Launch MMC (Microsoft Management Console)

  • Add the Users and Groups Snap-in (File->Add Snap-In->Active Directory Users and Groups)
  • Make sure to enable Advanced Features (View->Advanced Features)
  • We can find the AdminSDHolder container under Domain->System

Navigate to the Security of the group (Right-click->Properties->Security)

Add our desired user and grant Full Control

  1. Click Add.
  2. Search for your low-privileged username and click Check Names.
  3. Click OK.
  4. Click Allow on Full Control.
  5. Click Apply.
  6. Click OK.

It should look something like this:

SDProp

Now we just need to wait 60 minutes, and our user will have full control over all Protected Groups. This is because the Security Descriptor Propagator (SDProp) service executes automatically every 60 minutes and will propagate this change to all Protected Groups. However, since we do not like to wait, let's kick off the process manually with PowerShell, using the following script.

Script ---> https://github.com/edemilliere/ADSI/blob/master/Invoke-ADSDPropagation.ps1

PS C:\Tools> Import-Module .\Invoke-ADSDPropagation.ps1 
PS C:\Tools> Invoke-ADSDPropagation

Once done, give it a minute and then review the security permissions of a Protected Group such as the Domain Admins group (you can use the search command to find this group):

As can be seen, our user has full control over the group. You can verify that this will continue to propagate by removing your user from the security permissions and rerunning the PowerShell script. Your user will be added again. Interestingly, although we have permissions to modify the group, it does not automatically add us to the group:

However, using our new permissions, we can add ourselves to this group:
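A defender-side check for the persistence described above, added here as an example and not part of the original notes: it audits the AdminSDHolder ACL for write-capable ACEs held by trustees outside an assumed baseline, then lists the protected (adminCount=1) objects that SDProp has already stamped with the same trustee. It assumes the RSAT ActiveDirectory module is available and that $Baseline is tuned to your own forest.

```powershell
# Added audit example, not the original notes' code. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

$Domain = Get-ADDomain
$NB     = $Domain.NetBIOSName

# Trustees that hold rights on AdminSDHolder in a default domain.
# Assumption: extend this list with any delegation your forest legitimately uses.
$Baseline = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'Everyone', 'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Terminal Server License Servers', 'BUILTIN\Windows Authorization Access Group',
    "$NB\Domain Admins", "$NB\Enterprise Admins", "$NB\Cert Publishers"
)

# Rights that let a trustee change the object or its ACL (what "Full Control" grants).
$DangerousRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

$AdminSDHolder = "AD:\CN=AdminSDHolder,CN=System,$($Domain.DistinguishedName)"
$Findings = (Get-Acl -Path $AdminSDHolder).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Baseline -notcontains $_.IdentityReference.Value -and
        $_.ActiveDirectoryRights -match $DangerousRights
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, ObjectType

if (-not $Findings) {
    Write-Host 'AdminSDHolder ACL matches the baseline.'
    return
}
Write-Warning 'Unexpected write-capable ACEs on AdminSDHolder:'
$Findings | Format-Table -AutoSize

# Removing the ACE from AdminSDHolder is not enough: SDProp has already copied it
# to every protected object, so list those objects for cleanup as well.
$Suspects  = $Findings.IdentityReference.Value
$Protected = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor
foreach ($obj in $Protected) {
    $obj.nTSecurityDescriptor.Access |
        Where-Object { $Suspects -contains $_.IdentityReference.Value } |
        ForEach-Object {
            [pscustomobject]@{
                ProtectedObject = $obj.DistinguishedName
                Trustee         = $_.IdentityReference.Value
                Rights          = $_.ActiveDirectoryRights
            }
        }
}
```

Pair the audit with alerting on Event ID 5136 (directory service object modified) for the AdminSDHolder object, since the ACL change itself is the earliest signal, an hour before the next SDProp run propagates it.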