An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
![Page 1: An ACE in the Hole - Stealthy Host Persistence via Security Descriptors](https://reader033.vdocument.in/reader033/viewer/2022061307/5a6479357f8b9a8e568b461f/html5/thumbnails/1.jpg)
An ACE in the Hole: Stealthy Host Persistence via Security Descriptors

Who We Are
× @tifkin_ / @enigma0x3 / @harmj0y
× Red teamers/researchers at SpecterOps
× Code on code on code
× Cons on cons on cons

What This Is
× Offensive applications
× Intro to securable objects
× Our Research Process
× Securable object takeover primitives
× Case studies/demos
× Defense

1. Offensive Applications
WHY this is useful

“As an offensive researcher, if you can dream it, someone has likely already done it... and that someone isn’t the kind of person who speaks at security cons”
Matt “f’ing” Graeber, BlackHat 2015

Why Care (really)?
× It’s often difficult to determine whether a specific security descriptor misconfiguration was set maliciously or configured by accident
× These changes also have a minimal (and different) forensic footprint and grant:
  × Bug longevity! Privesc! Persistence!
× They might already be on your system ;)
× Living off the land++ (has existed since NT was born!)

Big Point(s)
× Most defenders are not aware of this general persistence approach, much less how to find and remediate it!
× You don’t need to leave malicious code/logic on a system to regain access!
× What if this change was made to an organization’s “gold image”?

Responsibly Evil ;)
× Also, you don’t need to set the principal/trustee (who has the rights) to S-1-1-0 (Everyone)!
× Security descriptor backdoors can be set for specific trustees in a targeted manner so exposure in the environment is minimized

¯\_(ツ)_/¯
× “if an attacker has code execution on your system, you’re screwed already, so who cares”
× “You need admin rights to do this, this is stupid!”
× To this we say: domain joined boxes != isolated home systems
× we guess the defensive industry should just pack up and leave…

2. Intro to Securable Objects
Security Descriptors 101

What is a “Securable Object”?
A Windows object that can have a security descriptor

SECURITY_DESCRIPTOR
https://msdn.microsoft.com/en-us/library/windows/hardware/ff556610(v=vs.85).aspx

DACL ACEs

Where are these descriptors?
× Found in the registry, the file system, in the kernel, ntds.dit...
× Really depends on the type of object
× Finding what objects are securable, much less exactly where their descriptors are located, isn’t as easy as you’d think...

From DACLs to SACLs
× Access Control List (ACL) is basically shorthand for the DACL/SACL superset
× An object’s Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs)
× DACL - What principals/trustees have what rights over the object
× SACL - Specifies how to audit access to the object

Standard vs. Object-Specific
http://searchwindowsserver.techtarget.com/feature/The-structure-of-an-ACE

More on DACLs
× Null DACL != no DACL
× Inheritance… can be a >_<
× General interpretation:
  × Explicit Deny
  × Explicit Allow
  × Inherited Deny
  × Inherited Allow

Our Securable Object Research Methodology

Our Research Approach
Objects accessible from user-mode, with a focus on ones usable for persistence/lateral movement
1. Discover securable objects
2. Offline and online security descriptor enumeration
3. Analyze access mask
   a. What object-specific rights are there (if any)?
   b. What rights permit persistence/lateral movement?
4. Operational weaponization and detection

1. Discovering Securable Objects
× Windows documentation lists about 20-30 securable objects*
× We’ve identified 70+! (There’s *many* more)
× Microsoft Protocol Specifications
  × Very useful for RPC servers
× Find-RegistrySecurityDescriptors.ps1
*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx

Find-RegistrySecurityDescriptors
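The discovery heuristic behind a registry scan of this kind, as an added example that is not the authors' Find-RegistrySecurityDescriptors.ps1: it walks a registry subtree and reports every REG_BINARY value that decodes as a self-relative security descriptor, which tells you where an object's offline descriptor is stored and gives you something to baseline. The function name, the `$Root` parameter and its default subtree are assumptions; run it elevated for full coverage.

```powershell
# Added example, not the talk's tool: find REG_BINARY values that are security descriptors.
function Find-BinarySecurityDescriptor {
    param([string] $Root = 'HKLM:\SOFTWARE\Microsoft\Ole')   # constructed default subtree

    $keys = @(Get-Item -Path $Root -ErrorAction SilentlyContinue)
    $keys += Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
            $bytes = $key.GetValue($name)
            # Self-relative SD header: Revision(1) Sbz1(1) Control(2) + four 32-bit offsets = 20 bytes
            if ($bytes.Length -lt 20 -or $bytes[0] -ne 1) { continue }
            $control = [BitConverter]::ToUInt16($bytes, 2)
            if (($control -band 0x8000) -eq 0) { continue }    # SE_SELF_RELATIVE must be set
            try {
                $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $name
                    Owner = $(if ($sd.Owner) { $sd.Owner.Value } else { '<none>' })
                    Sddl  = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
                }
            } catch {
                # Header looked right but the body did not parse: not a descriptor, skip it
            }
        }
    }
}

# Save the output from a clean build; diffing it against a live host later shows
# which stored descriptors changed after the image was created.
Find-BinarySecurityDescriptor | Format-Table -AutoSize
```

The check is deliberately loose (revision byte, self-relative flag, parseable body), so expect a few false positives on arbitrary blobs; the value of the scan is the inventory of where descriptors live, not any single hit.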

2. Online vs Offline Security Descriptors
× Where do objects get their security descriptor?
  × Offline - Security descriptor derived from registry, file, ntds.dit, etc.
  × Online - Security descriptor is in memory
× Our approach to enumeration:
  × Locally as an unprivileged user
  × Locally as a privileged user
  × Remotely as an unprivileged user
  × Remotely as a privileged user

Existing Tooling
× Use existing tools
  × Accesschk.exe
  × WindowsDACLEnumProject
  × Google’s sandbox analysis tools
  × NtObjectManager woot woot!
  × BloodHound
× Most do not distinguish between online/offline security descriptors
× Implication: How do you know if an object has been modified after creation?

Enumeration Caveats
× “Online” vs offline security descriptors
× Necessary token privileges
× Some objects are “invisible” to user-mode enumeration
  × Kernel private namespaces
× Does an object with no name have a security descriptor?
  × https://googleprojectzero.blogspot.co.uk/2014/10/did-man-with-no-name-feel-insecure.html

3. Access Mask Analysis
Taking back what’s yours ;)

Deriving Access Mask Meaning
× MSDN Documentation
× Technical Specifications
× Reversing
× Trial and error ¯\_(ツ)_/¯

Generic Object Takeover Primitives
× Attacker is owner (implies WRITE_DAC)
× Attacker has WRITE_DAC/WRITE_OWNER
× Attacker has STANDARD_RIGHTS_ALL
× Attacker has GENERIC_ALL*
× Object has NULL security descriptor (implies Everyone has GENERIC_ALL)
*Depends on how the object maps the generic right to standard/object-specific rights. Usually this includes WRITE_DAC/WRITE_OWNER, but doesn’t have to

Object-specific Takeover Primitives
× Each securable object can define its own rights
× Example: Process Rights
  × PROCESS_CREATE_PROCESS
  × PROCESS_CREATE_THREAD
  × PROCESS_SUSPEND_RESUME
  × PROCESS_QUERY_INFORMATION
  × PROCESS_TERMINATE
× The specific object and its rights determine its offensive usefulness (priv esc, lateral movement, persistence, etc.)

4. Operational Weaponization and Detection
Case studies of certain securable objects

Service Control Manager RPC Server
× “RPC server that enables service configuration and control of service programs.” - MS-SCMR
× Applicable Securable Objects
  × Service Control Manager Server
  × Windows Services

SCM Server Applicable Rights
× SC_MANAGER_CONNECT - Permits connecting to the service control manager
× SC_MANAGER_CREATE_SERVICE - Ability to add a new service
× SC_MANAGER_ENUMERATE_SERVICE - List out services
By default, unauthenticated users can enumerate the security descriptor of the SCM Server!
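An audit that applies the generic takeover primitives (owner, WRITE_DAC/WRITE_OWNER, GENERIC_ALL, NULL DACL) and the SCM-specific SC_MANAGER_CREATE_SERVICE right to a descriptor, as an added example that is not from the talk: the function parses an SDDL string and reports any allow ACE that grants one of those rights to a trustee outside an expected allow-list, an unexpected owner, or a NULL DACL. The function name, the default allow-list of SYSTEM and BUILTIN\Administrators, and the sample SDDL with the S-1-5-21-...-1105 trustee are constructed; the live input is the output of `sc.exe sdshow scmanager` on the audited host.

```powershell
# Added example (not from the talk). Flags takeover-class rights granted to unexpected
# trustees in an SDDL string; the defaults are tuned for the SCM server object.
function Get-SuspiciousAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Sddl,
        # Trustees normally allowed takeover-class rights here (constructed default:
        # NT AUTHORITY\SYSTEM and BUILTIN\Administrators)
        [string[]] $ExpectedSids = @('S-1-5-18', 'S-1-5-32-544'),
        # Object-specific right to flag as well; default SC_MANAGER_CREATE_SERVICE (0x0002)
        [int] $ObjectSpecificMask = 0x0002
    )

    $WRITE_DAC   = 0x00040000
    $WRITE_OWNER = 0x00080000
    $GENERIC_ALL = 0x10000000
    $flagMask    = $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $ObjectSpecificMask

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)

    # Ownership implies WRITE_DAC, so an unexpected owner is a finding on its own
    if ($sd.Owner -and ($ExpectedSids -notcontains $sd.Owner.Value)) {
        [pscustomobject]@{ Finding = 'UnexpectedOwner'; Sid = $sd.Owner.Value; Account = ''; Mask = ''; Flagged = 'owner implies WRITE_DAC' }
    }
    # A NULL DACL (no D: part at all) is not an empty DACL: it grants Everyone full access
    if ($null -eq $sd.DiscretionaryAcl) {
        [pscustomobject]@{ Finding = 'NullDacl'; Sid = 'S-1-1-0'; Account = 'Everyone'; Mask = ''; Flagged = 'Everyone has GENERIC_ALL' }
        return
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }   # skip object/unknown ACE types
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $granted = $ace.AccessMask -band $flagMask
        if ($granted -eq 0 -or $ExpectedSids -contains $ace.SecurityIdentifier.Value) { continue }
        [pscustomobject]@{
            Finding = 'UnexpectedAce'
            Sid     = $ace.SecurityIdentifier.Value
            Account = $(try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' })
            Mask    = '0x{0:X8}' -f $ace.AccessMask
            Flagged = '0x{0:X8}' -f $granted
        }
    }
}

# Constructed sample: a default-looking SCM DACL plus one extra ACE that gives a domain
# principal SC_MANAGER_CREATE_SERVICE ("DC") and WRITE_DAC ("WD"); only that ACE is reported.
$sample = 'O:SYG:SYD:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCDCWD;;;S-1-5-21-1004336348-1177238915-682003330-1105)'
Get-SuspiciousAce -Sddl $sample | Format-Table -AutoSize

# Live check of this host's SCM descriptor (assumes sc.exe prints the SDDL on one line)
# Get-SuspiciousAce -Sddl ((sc.exe sdshow scmanager) -join '').Trim() | Format-Table -AutoSize
```

The same function works on any SDDL you can pull (a service via `sc.exe sdshow <name>`, a WinRM configuration, a file or key via `Get-Acl`), as long as you swap `$ObjectSpecificMask` for the right that matters on that object type.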

SCM Demo
https://youtu.be/tETNO22zVKM

WinRM/WinRS
× Windows Remote Management/Windows Remote Shell
× Provides the ability to remotely interface with a host
  × Think PowerShell Remoting
× Create backdoored ACE and apply it to either the WinRM or WinRS DACL
  × Or both!!
× Defined user (via SID) will be able to remotely interact with the host without admin privs

WinRM/WinRS
× Security descriptor can be accessed by pulling the SecurityDescriptorSDDL property of Get-PSSessionConfiguration
× Build the new DACL via DiscretionaryAcl.AddAccess() of System.Security.AccessControl.CommonSecurityDescriptor
× PowerShell Remoting:
  × Set the new DACL via -SecurityDescriptorSddl of Set-PSSessionConfiguration
× WinRS:
  × Set WSMan:\localhost\Service\RootSDDL to the new DACL via Set-Item
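The defender's counterpart to the two write paths above, as an added example that is not from the talk: it reads the same RootSDDL item and the SecurityDescriptorSddl of every session configuration and lists each trustee the DACLs allow, so a SID that was added for one user stands out. The function name is constructed; it assumes an elevated local session with the WinRM service running, and that a configuration with an empty SDDL falls back to RootSDDL.

```powershell
# Added example (not from the talk): list every trustee on the WinRS RootSDDL and on
# each PowerShell session configuration.
function Get-WinRmTrustee {
    $targets = @(
        [pscustomobject]@{
            Object = 'WSMan:\localhost\Service\RootSDDL'
            Sddl   = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value
        }
    )
    foreach ($cfg in Get-PSSessionConfiguration) {
        $targets += [pscustomobject]@{ Object = "PSSessionConfiguration\$($cfg.Name)"; Sddl = $cfg.SecurityDescriptorSddl }
    }
    foreach ($t in $targets) {
        # Assumed: a configuration without its own SDDL is governed by RootSDDL
        if ([string]::IsNullOrWhiteSpace($t.Sddl)) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($t.Sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            [pscustomobject]@{
                Object  = $t.Object
                AceType = $ace.AceType
                Sid     = $sid.Value
                Account = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' })
                # GA (0x10000000) is full access; GR (0x80000000) is read-only
                Mask    = '0x{0:X8}' -f $ace.AccessMask
            }
        }
    }
}

# Compare against a known-good host rather than eyeballing: any SID present here but
# absent from the baseline is the thing to investigate.
Get-WinRmTrustee | Sort-Object Object, Sid | Format-Table -AutoSize
```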

WinRM/WinRS
× Already weaponized here: https://github.com/ssOleg/Useful_code/blob/master/Set-RemoteShellAccess.ps1
  × In 2014….
× Takes a domain SID and adds an ACE for that SID to both PowerShell Remoting and WinRS DACLs
× Allows that specific user/group to remotely interface with WinRM/WinRS without having any additional privilege

DCOM
× Distributed Component Object Model
× Been around since 1996… >_<
× Secured via Launch and Activation Permissions
  × Local/Remote, perms reside in the registry
× Can you use interesting DCOM applications to get code-execution?
  × Applications with “ExecuteShellCommand()”
× Backdoor your favorite DCOM application for a specific user/group’s SID :-)

DCOM
× Access is determined via machine-wide permissions first and then application-specific permissions
× Add target user/group to allow machine-wide Remote Activation/Launch Permissions
  × Instead of editing the Default, just edit the Limit
  × HKLM:\Software\microsoft\ole\MachineLaunchRestriction
  × A;;CCRPLC;;;$SID
× Backdoor a specific DCOM Application for a domain user/group
  × HKLM:\Software\Classes\AppID\{GUID}\LaunchPermission
  × HKLM:\Software\Classes\AppID\{GUID}\AccessPermission
  × Requires: SeTakeOwnershipPrivilege, SeRestorePrivilege, SeSecurityPrivilege if installing locally
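A decoder for the registry values named above, as an added example that is not from the talk: the DCOM permission values are REG_BINARY self-relative security descriptors, so the function parses them and lists the trustees and COM rights each allow ACE grants, covering the machine-wide limits and defaults under `Ole` and the per-AppID `LaunchPermission`/`AccessPermission` values. The function and `$AppIdFilter` parameter names are constructed; `MachineAccessRestriction`, `DefaultLaunchPermission` and `DefaultAccessPermission` are the sibling values of `MachineLaunchRestriction` under the same key; run elevated.

```powershell
# Added example (not from the talk): decode DCOM launch/access permission descriptors.
function Get-DcomPermissionTrustee {
    param([string] $AppIdFilter = '*')

    # COM access-mask bits; "CCRPLC" in the slide's ACE string sets 0x1, 0x10 and 0x4
    $comRights = @{ 0x1 = 'EXECUTE'; 0x2 = 'EXECUTE_LOCAL'; 0x4 = 'EXECUTE_REMOTE'
                    0x8 = 'ACTIVATE_LOCAL'; 0x10 = 'ACTIVATE_REMOTE' }

    function Read-BinaryDescriptor([string] $Key, [string] $ValueName, [string] $Label) {
        $bytes = (Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        if (-not $bytes) { return }   # value absent: the machine-wide default/limit applies
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
        foreach ($ace in $sd.DiscretionaryAcl) {
            $names = $comRights.Keys | Where-Object { $ace.AccessMask -band $_ } | ForEach-Object { $comRights[$_] }
            [pscustomobject]@{
                Object  = $Label
                AceType = $ace.AceType
                Sid     = $ace.SecurityIdentifier.Value
                Account = $(try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' })
                Rights  = (@($names) | Sort-Object) -join ','
            }
        }
    }

    # Machine-wide values are evaluated before any per-application permission
    $ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
    foreach ($v in 'MachineLaunchRestriction', 'MachineAccessRestriction', 'DefaultLaunchPermission', 'DefaultAccessPermission') {
        Read-BinaryDescriptor -Key $ole -ValueName $v -Label "Ole\$v"
    }
    # Per-application permissions under AppID\{GUID}
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $AppIdFilter } |
        ForEach-Object {
            foreach ($v in 'LaunchPermission', 'AccessPermission') {
                Read-BinaryDescriptor -Key $_.PSPath -ValueName $v -Label "AppID\$($_.PSChildName)\$v"
            }
        }
}

# A SID with ACTIVATE_REMOTE/EXECUTE_REMOTE outside the groups you expect (Administrators,
# Distributed COM Users, the service accounts an application registers) is the candidate backdoor.
Get-DcomPermissionTrustee | Where-Object { $_.Rights -match 'REMOTE' } | Format-Table -AutoSize
```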

DCOM
https://msdn.microsoft.com/en-us/library/windows/desktop/ms679714(v=vs.85).aspx

DCOM Demo
https://youtu.be/e-tYtfmcoWk

WMI Namespaces
× Contains a collection of WMI classes that host various methods/properties
× Each namespace has associated DACLs
× Windows checks the DCOM machine-wide launch permissions for the first stage of access
× If successful, the DACLs on the WMI namespace are then checked
× Backdoor a namespace that contains a class with a useful method
  × Create() method of Win32_Process, for example

WMI Namespaces
× Call GetSecurityDescriptor() on the target WMI namespace (local requires SeSecurityPrivilege)
× Use Win32_Ace to set our Access Mask and flags
× Use Win32_Trustee to assign the user
× Set the “Trustee” property of Win32_Ace to our Win32_Trustee object
× Add our new ACE to the target namespace DACL: $NameSpaceACL.DACL += $Ace.PSObject.ImmediateBaseObject
× Call SetSecurityDescriptor() with the newly updated namespace object to set it
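The read side of the same API, as an added example that is not from the talk: it calls `__SystemSecurity.GetSecurityDescriptor()` on a namespace, walks the returned Win32_SecurityDescriptor's DACL of Win32_Ace/Win32_Trustee objects, decodes the namespace-specific rights, and can recurse through child namespaces. The function and parameter names are constructed; it assumes an elevated local session (SeSecurityPrivilege, as the slide notes).

```powershell
# Added example (not from the talk): list trustees and rights on a WMI namespace DACL.
function Get-WmiNamespaceTrustee {
    param([string] $Namespace = 'root', [switch] $Recurse)

    # Namespace-specific access-mask bits from the WMI security constants
    $wbemRights = @{ 0x1 = 'ENABLE'; 0x2 = 'METHOD_EXECUTE'; 0x4 = 'FULL_WRITE'; 0x8 = 'PARTIAL_WRITE'
                     0x10 = 'WRITE_PROVIDER'; 0x20 = 'REMOTE_ACCESS'; 0x20000 = 'READ_CONTROL'; 0x40000 = 'WRITE_DAC' }

    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace failed: $($result.ReturnValue)" }

    foreach ($ace in $result.Descriptor.DACL) {
        $names = $wbemRights.Keys | Where-Object { $ace.AccessMask -band $_ } | ForEach-Object { $wbemRights[$_] }
        [pscustomobject]@{
            Namespace = $Namespace
            AceType   = $(if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' })
            Trustee   = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Sid       = $ace.Trustee.SIDString
            Inherited = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE: came from the parent namespace
            Rights    = (@($names) | Sort-Object) -join ','
        }
    }
    if ($Recurse) {
        foreach ($child in Get-WmiObject -Namespace $Namespace -Class __NAMESPACE) {
            Get-WmiNamespaceTrustee -Namespace "$Namespace\$($child.Name)" -Recurse
        }
    }
}

# METHOD_EXECUTE plus REMOTE_ACCESS on root\cimv2 is what a remote Win32_Process.Create()
# needs; an explicit (non-inherited) allow ACE for an unfamiliar SID is the finding.
Get-WmiNamespaceTrustee -Namespace 'root\cimv2' | Format-Table -AutoSize
```

Because rights on a parent namespace propagate downward, audit from `root` with `-Recurse` when baselining and keep the `Inherited` column: an ACE that appears only on one child namespace was set there directly.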

WMI Namespaces
https://msdn.microsoft.com/en-us/library/aa394679(v=vs.85).aspx

WMI Namespace Demo
https://youtu.be/C1OpX_n7HlY

Printers
× Securable Objects
  a. Printer Servers - HKLM\SYSTEM\CurrentControlSet\Control\Print\ServerSecurityDescriptor
  b. Printer Objects - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Security
  c. Print Jobs - Not very interesting offensively
× Specifications: MS-RPRN, MS-PAR, MS-PAN, MS-PRSOD

Print Server Control - Spooler

Print Server Control - Drivers

Get-NetPrinter

Get-NetShare Additions

Remote Registry
× Allows permitted users/groups to access the registry remotely via .NET/Win32 API
  × [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey()
× The RemoteRegistry service has to be enabled and the calling user has to have access
× By default in Windows 7/10, this service is disabled
× Remote access to the registry == ability to dump hashes (among other things) 😈

Remote Registry
× Imagine this scenario: Remotely dumping an endpoint’s machine account hash as an unprivileged user
× Remotely backdoor the winreg key for a specified user/group
  × Located at HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
  × The DACL on this key decides who is allowed to connect via remote registry

Remote Registry
× Can be accomplished via WMI’s StdRegProv provider
  × Call SetSecurityDescriptor() with an ACE that defines the user/permissions for the backdoor
× Why not just use StdRegProv?
  × Dumping the machine account hash requires obtaining various registry key classes
  × Can only be obtained via RegQueryInfoKey()
× Use Set-Service to remotely set the service StartupType to “Manual”
  × Set-Service -Name "RemoteRegistry" -ComputerName $Computer -StartupType "Manual"
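The two settings the preceding slides identify as the gate for remote registry access, the RemoteRegistry service start mode and the DACL on the winreg key, reported together as an added example that is not from the talk. The function name is constructed; it runs locally and elevated, reading the service through Win32_Service and the key through `Get-Acl`.

```powershell
# Added example (not from the talk): report what currently controls remote registry access.
function Get-RemoteRegistryExposure {
    $svc     = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $acl     = Get-Acl -Path $keyPath

    # The slide states the service is Disabled by default on Windows 7/10; Manual or Auto is a change
    [pscustomobject]@{ Item = 'RemoteRegistry service'; Value = "StartMode=$($svc.StartMode) State=$($svc.State)" }
    # Ownership of the key implies WRITE_DAC over it
    [pscustomobject]@{ Item = 'winreg owner'; Value = $acl.Owner }
    foreach ($rule in $acl.Access) {
        [pscustomobject]@{
            Item  = "winreg ACE ($($rule.AccessControlType)$(if ($rule.IsInherited) { ', inherited' }))"
            Value = "$($rule.IdentityReference.Value): $($rule.RegistryRights)"
        }
    }
}

# ReadKey on winreg for a principal that is not an administrator, a backup operator or
# LOCAL SERVICE is the marker of the backdoor described above; pair it with a service
# whose StartMode has moved from Disabled to Manual.
Get-RemoteRegistryExposure | Format-Table -AutoSize
```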

Remote Registry
× Remotely take ownership of the SECURITY registry hive and add an ACE to the DACL for the backdoor user
× As that user, remotely call RegConnectRegistry()
× Open the required keys and pull the key’s Class
  × SYSTEM\CurrentControlSet\Control\Lsa\<JD,Skew1,GBG,DATA>
  × RegOpenKeyEx(), RegQueryInfoKey()
× Combine these Class values and compute the BootKey
× Use the BootKey to decrypt the LSA key
× Use the LSA key to decrypt the machine account hash

Remote Registry

Remote Registry Demo
https://youtu.be/pOHO3hdTKyw

6. Defense
All is not lost!

SACLs: the other ACL
× A system access control list
× “Enables administrators to log attempts to access a secured object”
× Not used as extensively as they should be!
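A SACL put to the use this slide describes, as an added example that is not from the talk: it adds an audit ACE to the winreg key from the remote-registry case study so that reads of the key and changes to its permissions or owner are logged, and then pulls the resulting Security events. The function and parameter names are constructed; it assumes an elevated session and that Object Access auditing for the Registry subcategory is enabled (`auditpol /set /subcategory:"Registry" /success:enable`).

```powershell
# Added example (not from the talk): audit access to and permission changes on a key.
function Add-RegistryAuditRule {
    param(
        [string] $KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
        # Audit Everyone: a SACL entry grants nothing, it only records
        [string] $TrusteeSid = 'S-1-1-0'
    )
    $acl  = Get-Acl -Path $KeyPath -Audit      # -Audit pulls the SACL (needs SeSecurityPrivilege)
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($TrusteeSid)
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        $sid,
        [System.Security.AccessControl.RegistryRights]'ReadKey, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success
    )
    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Get-RegistryAuditEvent {
    # Audit events name the key as \REGISTRY\MACHINE\SYSTEM\ControlSet001\..., hence the loose pattern
    param([string] $KeyNamePattern = '*SecurePipeServers\winreg*', [int] $MaxEvents = 500)
    # 4663: an attempt was made to access an object; 4670: permissions on an object were changed
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like $KeyNamePattern } |
        Select-Object TimeCreated, Id,
            @{ n = 'Subject'; e = { (($_.Message -split "`n") | Where-Object { $_ -match 'Account Name:' } | Select-Object -First 1).Trim() } }
}

Add-RegistryAuditRule
Get-RegistryAuditEvent | Format-Table -AutoSize
```

The ChangePermissions and TakeOwnership entries are the ones that matter for this talk: a 4670 on the key (on current builds also gated by the Authorization Policy Change audit subcategory) is the moment a backdoor ACE is written, whereas a 4663 read only tells you the backdoor was used.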

Defensive Enumeration
× More research is needed - you can’t defend against what you aren’t aware of!
× Defensive PowerUp++? Operational test framework for the detection of backdoor scenarios?
× Integration into BloodHound?

Takeaways
× The host-control graph is *MUCH* bigger than “is member of local admin group”
× What is the real attack surface of a Windows host?
  × Many “forgotten” or unexplored RPC/DCOM servers
  × Many other securable objects we haven’t looked at

Takeaways & Future Work
× Implications of other securable objects
× Real-time analysis
× Enumeration of objects visible only to the kernel
× Chaining host + AD security descriptor abuse

Thanks! Any questions?
@tifkin_ / @enigma0x3 / @harmj0y
https://specterops.io/