
Minor Change to Computer ACL

Open api0cradle opened this issue 3 years ago • 5 comments

Added AllExtendedRights to computers even if LAPS is not installed in the environment.

api0cradle avatar Apr 26 '22 23:04 api0cradle

Blog post https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/

api0cradle avatar May 10 '22 13:05 api0cradle

@api0cradle A few questions:

  1. Is the AllExtendedRights ACE only abusable if "Assign this computer account as a pre-Windows 2000 computer" is set to true?
  2. When you use NetUserChangePassword or Kpasswd to reset the computer account password, does that break the trust between the computer and AD, or does the password change trickle down to the computer as well?
  3. Does AllExtendedRights against a computer also allow you to perform RBCD?

Andy

andyrobbins avatar May 10 '22 19:05 andyrobbins

1. Is the AllExtendedRights ACE only abusable if "Assign this computer account as a pre-Windows 2000 computer" is set to true? The group/user you choose when creating a computer account will have AllExtendedRights regardless of the "Assign this computer account as a pre-Windows 2000 computer" setting.

2. When you use NetUserChangePassword or Kpasswd to reset the computer account password, does that break the trust between the computer and AD, or does the password change trickle down to the computer as well? This breaks the trust. The password is not replicated down, so abusing AllExtendedRights (reset/change password) would break the trust between the computer and the domain. In my blog post I am targeting unused pre-created computer accounts, and of course there is a responsibility on the tester to verify (as with all attacks) that it is okay to actually perform the attack after AllExtendedRights is identified.

3. Does AllExtendedRights against a computer also allow you to perform RBCD? This would be the same scenario as before (same flow as the documented attacks), except that you are not creating a computer account to perform the attack; instead you are taking over an existing one. So if someone finds a computer account on which they have AllExtendedRights, they could change the password and use it to perform an RBCD attack. However, it would of course be up to the operator to figure out if that is really a path worth taking, since you can break the trust relationship (as mentioned in 2).

AllExtendedRights is already gathered today by SharpHound if the environment has LAPS installed, so in my opinion this is not a big change in functionality if this PR were approved.

api0cradle avatar May 11 '22 09:05 api0cradle

Hey Oddvar,

We'd like to add this in as a new edge called "ResetComputerPassword" instead of slotting it in under existing ones. Can you update the PR to add that? We want to make the help text on this edge abundantly clear that this is a destructive action and will break the computer trust.

rvazarkar avatar Jul 18 '22 19:07 rvazarkar
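To make the behaviour under discussion concrete, here is an added example (not SharpHoundCommon code, and not from any participant in this thread) that models the ACE-to-edge mapping described in the answers above and in the maintainers' request: an ACE carrying the extended-rights access bit with no object GUID means all extended rights, and the proposal is to emit a dedicated, explicitly destructive `ResetComputerPassword` edge for such ACEs on computer objects whether or not LAPS is present, ignoring the pre-Windows 2000 flag. The `Ace`/`Computer` record layout, the field names and the sample data are assumptions constructed for this illustration; the `DS_CONTROL_ACCESS` bit and the User-Force-Change-Password GUID are standard Active Directory values.

```python
"""Hypothetical ACE-to-edge mapping illustrating the change discussed in this PR.

Added example, not SharpHoundCommon's own code. Record layout, field names
and sample data are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# ADS_RIGHT_DS_CONTROL_ACCESS: the access-mask bit that governs extended rights.
DS_CONTROL_ACCESS = 0x100
# ADS_RIGHT_DS_READ_PROP, used only for a non-matching sample ACE below.
DS_READ_PROP = 0x10

# Schema GUID of the User-Force-Change-Password extended right (standard AD value).
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"


@dataclass(frozen=True)
class Ace:
    trustee: str                        # principal granted the right (name or SID)
    access_mask: int                    # ADS_RIGHT_* bits
    object_type: Optional[str] = None   # extended-right GUID; None = all extended rights


@dataclass
class Computer:
    name: str
    aces: List[Ace]
    pre_windows_2000: bool = False      # "Assign this computer account as a pre-Windows 2000 computer"


def grants_password_reset(ace: Ace) -> bool:
    """True when the ACE allows resetting the target's password: either all
    extended rights (control-access bit, no GUID) or the specific
    User-Force-Change-Password right."""
    if not ace.access_mask & DS_CONTROL_ACCESS:
        return False
    return ace.object_type is None or ace.object_type.lower() == FORCE_CHANGE_PASSWORD_GUID


def edges_proposed(computer: Computer) -> List[dict]:
    """Behaviour requested by the maintainers: always emit a dedicated,
    clearly destructive ResetComputerPassword edge. The pre-Windows 2000
    flag is intentionally not consulted, matching answer 1 in the thread."""
    return [
        {
            "source": ace.trustee,
            "target": computer.name,
            "edge": "ResetComputerPassword",
            "destructive": True,
            "help": "Resetting this computer account's password breaks the "
                    "trust between the computer and the domain.",
        }
        for ace in computer.aces
        if grants_password_reset(ace)
    ]


def edges_legacy(computer: Computer, laps_installed: bool) -> List[dict]:
    """Pre-PR behaviour as described in the thread: extended rights on
    computer objects are only gathered when LAPS is present."""
    if not laps_installed:
        return []
    return edges_proposed(computer)


def missed_by_legacy(computers: List[Computer], laps_installed: bool) -> List[str]:
    """Names of computers whose reset-password edges the legacy rule would drop."""
    return [
        c.name for c in computers
        if edges_proposed(c) and not edges_legacy(c, laps_installed)
    ]


# Constructed sample data for the example (not real accounts).
SAMPLE = [
    # Creator group holds all extended rights: the case from the blog post.
    Computer("SRV01$", [Ace("CORP\\helpdesk", DS_CONTROL_ACCESS)]),
    # Specific force-change-password right; the pre-2000 flag changes nothing.
    Computer("WS02$", [Ace("CORP\\jdoe", DS_CONTROL_ACCESS, FORCE_CHANGE_PASSWORD_GUID)],
             pre_windows_2000=True),
    # Read-only ACE: no edge should be produced.
    Computer("WS03$", [Ace("CORP\\auditors", DS_READ_PROP)]),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.name, edges_proposed(c))
    print("missed without LAPS:", missed_by_legacy(SAMPLE, laps_installed=False))
```

Running the script shows the two computers whose edges the LAPS-gated rule would silently omit, which is exactly the visibility gap the PR and the later comment from Acebond are about.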

I will try to get that fixed and make a new PR.

api0cradle avatar Aug 01 '22 18:08 api0cradle

Any reason this was closed? I wanna know about AllExtendedRights on computer objects even when LAPS doesn't exist.

Acebond avatar May 25 '23 00:05 Acebond

It closed when @api0cradle deleted his fork of SharpHoundCommon, as the PR came from that fork.

JonasBK avatar May 25 '23 09:05 JonasBK