Security Descriptors
Security Descriptor Definition Language (SDDL) defines the format which is used to describe a security descriptor. SDDL uses ACE strings for DACL and SACL: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;
Security descriptors store the permissions an object has over another object. With only a small change to the security descriptor of an object, you can obtain very interesting privileges over that object without needing to be a member of a privileged group.
This persistence technique is therefore based on gaining every privilege needed over certain objects, so that a task that usually requires admin privileges can be performed without being admin.
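The following is an added example, not code from the original page: a Python parser for the ACE string format above that lists the allow ACEs in a DACL whose trustee is outside an expected baseline, which is where a small descriptor change of this kind shows up during review. The sample SDDL string, the SID in it and the baseline set are constructed for illustration.

```python
import re

# ACE string fields, in the order the SDDL format above gives them.
ACE_FIELDS = ("ace_type", "ace_flags", "rights", "object_guid",
              "inherit_object_guid", "account_sid")
ALLOW_TYPES = {"A", "OA"}  # access-allowed and object access-allowed ACEs
COMPONENTS = {"O": "owner", "G": "group", "D": "dacl", "S": "sacl"}

# Constructed sample: two built-in trustees plus one extra SID in the DACL.
SAMPLE_SDDL = ("O:BAG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)"
               "(A;CI;CCDCLCSWRPWPRCWD;;;"
               "S-1-5-21-1111111111-2222222222-3333333333-1105)"
               "S:P(AU;FA;GA;;;WD)")
BASELINE = {"BA", "IU"}  # assumption: trustees expected on this object


def parse_sddl(sddl):
    """Split an SDDL string into owner, group and DACL/SACL ACE lists.

    Conditional ACEs (nested parentheses) are outside this example's scope.
    """
    parsed = {"owner": None, "group": None, "dacl": [], "sacl": []}
    # Each component starts with O:, G:, D: or S: outside any parentheses.
    pattern = r"([OGDS]):((?:\([^)]*\)|[^()])*?)(?=[OGDS]:|$)"
    for tag, body in re.findall(pattern, sddl):
        if tag in "OG":
            parsed[COMPONENTS[tag]] = body
            continue
        # Text before the first "(" holds ACL flags such as P or AI; skip it.
        for ace in re.findall(r"\(([^)]*)\)", body):
            parsed[COMPONENTS[tag]].append(dict(zip(ACE_FIELDS, ace.split(";"))))
    return parsed


def unexpected_allow_aces(sddl, expected_trustees):
    """Return the DACL allow ACEs whose trustee is not in the baseline."""
    return [ace for ace in parse_sddl(sddl)["dacl"]
            if ace["ace_type"] in ALLOW_TYPES
            and ace["account_sid"] not in expected_trustees]


if __name__ == "__main__":
    for ace in unexpected_allow_aces(SAMPLE_SDDL, BASELINE):
        print("unexpected trustee:", ace["account_sid"], "rights:", ace["rights"])
```
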
You can give a user access to execute WMI remotely:
Give a user access to the WinRM PS console:
Access the registry and dump hashes creating a Reg backdoor using , so you can at any moment retrieve the hash of the computer, the SAM and any cached AD credential in the computer. So, it's very useful to give this permission to a regular user against a Domain Controller computer:
Check to learn how you could use the hash of the computer account of a Domain Controller.