Skip to content

Commit

Permalink
Write gPLink abuse (#607)
Browse files Browse the repository at this point in the history
* feat: adding Organizational Units GenericWrite and ManageGPLink compromise edge ; adding OU GenericAll abuse warning about adminCount=1 objects

* Renaming ManageGPLink edge to WriteGPLink; additional elements added to help texts related to Organizational Units GPLink exploitation

* Additional Organizational Units ACLs (#567)

* feat: adding Organizational Units GenericWrite and WriteGPLink compromise edge ; adding OU GenericAll abuse warning about adminCount=1 objects

* feat: GenericWrite and WriteGPLink for Domain

---------

Co-authored-by: Quentin Roland <[email protected]>
Co-authored-by: q-roland <[email protected]>
  • Loading branch information
3 people authored Aug 26, 2024
1 parent 048d9ad commit e88dad4
Show file tree
Hide file tree
Showing 23 changed files with 1,667 additions and 16 deletions.
8 changes: 8 additions & 0 deletions packages/cue/bh/ad/ad.cue
Original file line number Diff line number Diff line change
Expand Up @@ -1115,6 +1115,11 @@ WriteAccountRestrictions: types.#Kind & {
schema: "active_directory"
}

WriteGPLink: types.#Kind & {
symbol: "WriteGPLink"
schema: "active_directory"
}

GetChangesInFilteredSet: types.#Kind & {
symbol: "GetChangesInFilteredSet"
schema: "active_directory"
Expand Down Expand Up @@ -1329,6 +1334,7 @@ RelationshipKinds: [
RemoteInteractiveLogonPrivilege,
SyncLAPSPassword,
WriteAccountRestrictions,
WriteGPLink,
RootCAFor,
DCFor,
PublishedTo,
Expand Down Expand Up @@ -1384,6 +1390,7 @@ ACLRelationships: [
GetChangesAll,
GetChangesInFilteredSet,
WriteAccountRestrictions,
WriteGPLink,
SyncLAPSPassword,
DCSync,
ManageCertificates,
Expand Down Expand Up @@ -1426,6 +1433,7 @@ PathfindingRelationships: [
AddKeyCredentialLink,
SyncLAPSPassword,
WriteAccountRestrictions,
WriteGPLink,
GoldenCert,
ADCSESC1,
ADCSESC3,
Expand Down
7 changes: 4 additions & 3 deletions packages/go/graphschema/ad/ad.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -342,6 +342,77 @@ const LinuxAbuse: FC<EdgeInfoProps & { targetId: string; haslaps: boolean }> = (
<Typography component={'pre'}>
{'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'}
</Typography>

<Typography variant='body1'>Generic Descendent Object Takeover</Typography>
<Typography variant='body2'>
The simplest and most straight forward way to obtain control of the objects of the domain is to
apply a GenericAll ACE on the domain that will inherit down to all object types. This can be
done using Impacket's dacledit (cf. "grant rights" reference for the link).
</Typography>

<Typography component={'pre'}>
{
"dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'JKHOLER' -target-dn 'DomainDistinguishedName' 'domain'/'user':'password'"
}
</Typography>

<Typography variant='body2'>
Now, the "JKOHLER" user will have full control of all descendent objects of each type.
</Typography>

<Typography variant='body1'>Objects for which ACL inheritance is disabled</Typography>

<Typography variant='body2'>
The compromise vector described above relies on ACL inheritance and will not work for objects
with ACL inheritance disabled, such as objects protected by AdminSDHolder (attribute
adminCount=1). This observation applies to any user or computer with inheritance disabled,
including objects located in nested OUs.
</Typography>

<Typography variant='body2'>
In such a situation, it may still be possible to exploit GenericAll permissions on a domain
object through an alternative attack vector. Indeed, with GenericAll permissions over a domain
object, you may make modifications to the gPLink attribute of the domain. The ability to alter
the gPLink attribute of a domain may allow an attacker to apply a malicious Group Policy Object
(GPO) to all of the domain user and computer objects (including the ones located in nested OUs).
This can be exploited to make said child objects execute arbitrary commands through an immediate
scheduled task, thus compromising them.
</Typography>

<Typography variant='body2'>
Successful exploitation will require the possibility to add non-existing DNS records to the
domain and to create machine accounts. Alternatively, an already compromised domain-joined
machine may be used to perform the attack. Note that the attack vector implementation is not
trivial and will require some setup.
</Typography>

<Typography variant='body2'>
From a Linux machine, the gPLink manipulation attack vector may be exploited using the{' '}
<Link target='_blank' rel='noopener' href='https://github.com/synacktiv/OUned'>
OUned.py
</Link>{' '}
tool. For a detailed outline of exploit requirements and implementation, you can refer to{' '}
<Link
target='_blank'
rel='noopener'
href='https://www.synacktiv.com/publications/ounedpy-exploiting-hidden-organizational-units-acl-attack-vectors-in-active-directory'>
the article associated to the OUned.py tool
</Link>
.
</Typography>

<Typography variant='body2'>
Be mindful of the number of users and computers that are in the given domain as they all will
attempt to fetch and apply the malicious GPO.
</Typography>

<Typography variant='body2'>
Alternatively, the ability to modify the gPLink attribute of a domain can be exploited in
conjunction with write permissions on a GPO. In such a situation, an attacker could first inject
a malicious scheduled task in the controlled GPO, and then link the GPO to the target domain
through its gPLink attribute, making all child users and computers apply the malicious GPO and
execute arbitrary commands.
</Typography>
</>
);
case 'GPO':
Expand Down Expand Up @@ -399,6 +470,60 @@ const LinuxAbuse: FC<EdgeInfoProps & { targetId: string; haslaps: boolean }> = (
right you want to apply to precisely which kinds of descendent objects. Refer to the Windows
Abuse info for this.
</Typography>

<Typography variant='body1'>Objects for which ACL inheritance is disabled</Typography>

<Typography variant='body2'>
It is important to note that the compromise vector described above relies on ACL inheritance and
will not work for objects with ACL inheritance disabled, such as objects protected by
AdminSDHolder (attribute adminCount=1). This observation applies to any OU child user or
computer with ACL inheritance disabled, including objects located in nested sub-OUs.
</Typography>

<Typography variant='body2'>
In such a situation, it may still be possible to exploit GenericAll permissions on an OU through
an alternative attack vector. Indeed, with GenericAll permissions over an OU, you may make
modifications to the gPLink attribute of the OU. The ability to alter the gPLink attribute of an
OU may allow an attacker to apply a malicious Group Policy Object (GPO) to all of the OU's child
user and computer objects (including the ones located in nested sub-OUs). This can be exploited
to make said child objects execute arbitrary commands through an immediate scheduled task, thus
compromising them.
</Typography>

<Typography variant='body2'>
Successful exploitation will require the possibility to add non-existing DNS records to the
domain and to create machine accounts. Alternatively, an already compromised domain-joined
machine may be used to perform the attack. Note that the attack vector implementation is not
trivial and will require some setup.
</Typography>

<Typography variant='body2'>
From a Linux machine, the gPLink manipulation attack vector may be exploited using the{' '}
<Link target='_blank' rel='noopener' href='https://github.com/synacktiv/OUned'>
OUned.py
</Link>{' '}
tool. For a detailed outline of exploit requirements and implementation, you can refer to{' '}
<Link
target='_blank'
rel='noopener'
href='https://www.synacktiv.com/publications/ounedpy-exploiting-hidden-organizational-units-acl-attack-vectors-in-active-directory'>
the article associated to the OUned.py tool
</Link>
.
</Typography>

<Typography variant='body2'>
Be mindful of the number of users and computers that are in the given OU as they all will
attempt to fetch and apply the malicious GPO.
</Typography>

<Typography variant='body2'>
Alternatively, the ability to modify the gPLink attribute of an OU can be exploited in
conjunction with write permissions on a GPO. In such a situation, an attacker could first inject
a malicious scheduled task in the controlled GPO, and then link the GPO to the target OU through
its gPLink attribute, making all child users and computers apply the malicious GPO and execute
arbitrary commands.
</Typography>
</>
);
case 'Container':
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,17 @@ const References: FC = () => {
href='https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab'>
https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
</Link>
<br />
<Link target='_blank' rel='noopener' href='https://labs.withsecure.com/publications/ou-having-a-laugh'>
https://labs.withsecure.com/publications/ou-having-a-laugh
</Link>
<br />
<Link
target='_blank'
rel='noopener'
href='https://www.synacktiv.com/publications/ounedpy-exploiting-hidden-organizational-units-acl-attack-vectors-in-active-directory'>
https://www.synacktiv.com/publications/ounedpy-exploiting-hidden-organizational-units-acl-attack-vectors-in-active-directory
</Link>
</Box>
);
};
Expand Down
Loading

0 comments on commit e88dad4

Please sign in to comment.