AD is mission critical for most enterprises today. Here is an article explaining how to dump the AD extended rights applied to AD objects, so the results can be audited to identify persistent threats or attackers who have gained control of AD.
Netwrix Auditor for Active Directory overcomes the limitation of PowerShell scripting by delivering a comprehensive report listing all objects that a particular user has access to and whether the rights were granted through group membership or explicitly. You can easily drill down for more details, such as exactly which permissions the user has on a specific object.
AD – PowerShell script to dump extended rights
If you try to run the task it may show an error like "cannot be loaded because running scripts is disabled on this system". To run the script without this error, set the execution policy to RemoteSigned by running Set-ExecutionPolicy RemoteSigned with administrator rights.
To find accounts with extended rights, run Find-AdmPwdExtendedRights -OrgUnit 'OU=Workstations,DC=contoso,DC=com' | Select -ExpandProperty ExtendedRightHolders, replacing the OU and domain name with your own.
3. Click on the Security tab and then click the Advanced button.
4. Find the account or group that you want to remove the extended rights for and remove it by selecting it and clicking Remove.
Monitor executed commands and arguments that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Look for command-lines that invoke AuditD or the Security Accounts Manager (SAM). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, [33] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
Mimikatz (1) is a big-name tool in penetration testing used to dump credentials from memory on Windows. As a penetration tester, this method is invaluable for lateral and vertical privilege escalation in Windows Active Directory environments and is used on nearly every internal penetration test. Because of its popularity, the Mimikatz executable and PowerShell script are detected by the majority of Antivirus (AV) solutions out there. This post will cover several alternative methods to achieve the same goal without the need for modifying Mimikatz to evade AV, as well as some methods for preventing and detecting this attack.
While Windows 7 and Server 2008 are now out of extended support and should be decommissioned where possible, many organizations still have a large percentage of their workstations and servers on these older versions of Windows operating systems. This makes them a prime target for Mimikatz-style LSASS dumping by attackers.
PowerShell Empire has two modules which can retrieve domain hashes via the DCSync attack. Both modules need to be executed from the perspective of a domain administrator and use the Microsoft replication services. These modules rely on the Invoke-Mimikatz PowerShell script in order to execute the Mimikatz commands related to DCSync. The following module extracts the domain hashes in a format similar to the output of the Metasploit hashdump command.
It is also possible to establish a direct PowerShell session with the command powershell_shell in order to extract the files once the script has been imported to the existing Meterpreter session.
Impacket is a collection of Python scripts that can be used to perform various tasks, including extraction of the contents of the NTDS file. The impacket-secretsdump module requires the SYSTEM registry hive and the NTDS database file.
@Tad let me add another thing. If somebody works with PowerShell every day, he has set his own profile.ps1. The script fails on permissions for that file. To avoid these red lines add this parameter in the action.xml file: -NoProfile
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True,ParameterSetName='Trustee')]$Trustee,
    [Parameter(Mandatory=$True,ParameterSetName='AccessTemplate')]$AccessTemplate,
    [Parameter(Mandatory=$True,ParameterSetName='DirectoryObject')]$DirectoryObject,
    [switch]$ListPermissions,
    [switch]$ExportToHTML = $False,
    [string]$ExportPath = "C:\Temp\",
    [string]$AdministrationService,
    [switch]$UseClientLocaleForDisplaySpecifiers = $False
)

$ErrorActionPreference = "continue"
$ExportFileName = ""

# Connect to the Active Roles Administration Service: the named service if one was given, otherwise auto-discovery.
# NOTE: the explicit-service call was not preserved on the page; -Service is the Connect-QADService parameter assumed here.
if ($AdministrationService) {
    Connect-QADService -Proxy -Service $AdministrationService | Out-Null
} else {
    Connect-QADService -Proxy | Out-Null
}

function Get-DisplaySpecifierPath {
    # If -UseClientLocaleForDisplaySpecifiers is set, the client locale is calculated and the display
    # specifiers for that language are used instead of the default EN-US (LCID 0x409).
    $defaultPath = 'CN=409,CN=Consolidated Display Specifiers,CN=Application Configuration,CN=Configuration'
    if ($UseClientLocaleForDisplaySpecifiers) {
        $localePath = 'CN=' + ('{0:x}' -f (Get-Culture).LCID) + ',CN=Consolidated Display Specifiers,CN=Application Configuration,CN=Configuration'
        if (Get-QADObject $localePath) {
            return $localePath
        }
    }
    return $defaultPath
}

function Get-ClassDisplayName {
    # Retrieve the object class display name; if a Display Specifier exists for the class, return its classDisplayName instead.
    Param( $guid )
    $ldapDisp = (Get-QADObject $guid -DontUseDefaultIncludedProperties -IncludedProperties ldapDisplayName).ldapDisplayName
    $DisplaySpec = Get-QADObject ($ldapDisp + '-Display') -SearchRoot (Get-DisplaySpecifierPath) -DontUseDefaultIncludedProperties -IncludedProperties classDisplayName,attributeDisplayNames
    if ($DisplaySpec.classDisplayName) {
        return $DisplaySpec.classDisplayName
    } else {
        return $ldapDisp
    }
}

function Get-AttDisplayName {
    # Retrieve the attribute display name; if the owning class has a Display Specifier that lists the attribute, return that name instead.
    Param( $attGuid, $objGuid )
    $attClassDisp = Get-ClassDisplayName -guid $attGuid
    $attDisp = $attClassDisp
    if ($objGuid -ne "") {
        $objLdapDisp = (Get-QADObject $objGuid -DontUseDefaultIncludedProperties -IncludedProperties ldapDisplayName).ldapDisplayName
        $DisplaySpec = Get-QADObject ($objLdapDisp + '-Display') -SearchRoot (Get-DisplaySpecifierPath) -DontUseDefaultIncludedProperties -IncludedProperties classDisplayName,attributeDisplayNames
        if ($DisplaySpec.attributeDisplayNames) {
            # attributeDisplayNames entries have the form "ldapDisplayName,Display Name".
            # NOTE: the original matching loop was not preserved on the page; this lookup is a reconstruction.
            foreach ($entry in $DisplaySpec.attributeDisplayNames) {
                $parts = $entry -split ',', 2
                if ($parts.Count -eq 2 -and $parts[0] -eq $attClassDisp) {
                    $attDisp = $parts[1]
                }
            }
        }
    }
    return $attDisp
}

function Get-ExtendedRights {
    # Retrieve the display name of an extended right from the Administration Service by its rightsGuid.
    # These are not visible in the admin console.
    Param( $guid )
    $extRight = (Get-QADObject -SearchRoot 'CN=Extended Rights,CN=Application Configuration,CN=Configuration' -DontUseDefaultIncludedProperties -IncludedProperties rightsguid -LdapFilter "(rightsguid=$guid)").DisplayName.ToString()
    return $extRight
}

function List-Permissions {
    # Permissions are stored in an SDDL-type format in edsvaEffectiveATEList. The following pulls out the
    # bracketed entries and returns the permissions that are set.
    Param( $AT )
    $permissions = @()
    $reg = [regex] "\[([^\[]*)\]"   # REGEX to pull out SDDL entries without the enclosing brackets.
    $ateList = (Get-QARSAccessTemplate $AT -DontUseDefaultIncludedProperties -IncludedProperties edsvaEffectiveATEList).edsvaEffectiveATEList
    foreach ($ate in $ateList) {
        # NOTE: the original per-entry decoding (resolving attribute GUIDs with Get-AttDisplayName and
        # extended-right GUIDs with Get-ExtendedRights) was not preserved on the page; entries are returned as-is.
        foreach ($m in $reg.Matches($ate)) {
            $permissions += $m.Groups[1].Value
        }
    }
    return $permissions
}

function ConvertTo-ATLinkResult {
    # Resolve each Access Template Link to its template DN, trustee DN and secured object DN.
    Param( $links )
    $results = @()
    foreach ($link in $links) {
        $template = Get-QARSAccessTemplate $link.edsvaAccessTemplateDN
        $trustee = Get-QADObject $link.edsaTrusteeSID
        $results += [pscustomobject]@{
            Template     = $template.DN
            Trustee      = $trustee.DN
            TargetObject = $link.edsvaSecObjectDN
        }
    }
    return $results
}

function Write-ATLinkReport {
    # Shared console/HTML output for the three lookups below. Reconstructed from the surviving
    # Get-ATLinkbyDirectoryObject fragment on the page; the original repeated this block in each function.
    Param( $results, $ReportBy, $Source )
    ReportInfo-Export -ReportBy $ReportBy -Source $Source
    Write-Output "The following links were found for the $ReportBy '$Source'"
    Write-Output "==============================="
    if ($results) {
        foreach ($r in $results) {
            Write-Output ("Access Template: " + $r.Template)
            Write-Output ("Trustee: " + $r.Trustee)
            Write-Output ("Target Object: " + $r.TargetObject)
            Write-Output ""
            if ($ExportToHTML) { ExportTo-HTML -inputObject $r -newEntry }
            if ($ListPermissions) {
                Write-Output "Permissions Included in Access Template"
                List-Permissions -AT $r.Template
            }
            Write-Output "==============================="
        }
    } else {
        Write-Output "NONE"
        Write-Output ""
        if ($ExportToHTML) { ExportTo-HTML -inputObject "NONE" -newEntry }
    }
}

function Get-ATLinkbyATguid {
    # Get Access Template Links by Access Template.
    Param( $atDN, $atName )
    Write-Output "Retrieving access template links..."
    $links = Get-QARSAccessTemplateLink -AccessTemplate $atDN -DontUseDefaultIncludedProperties -IncludedProperties edsvaAccessTemplateDN,edsvaSecObjectDN,edsaTrusteeSID -SizeLimit 0
    Write-ATLinkReport -results (ConvertTo-ATLinkResult $links) -ReportBy "template" -Source $atName
}

function Get-ATLinkbyTrustee {
    # Get Access Template Links by Trustee.
    Param( $trusteeName )
    Write-Output "Retrieving access template links..."
    $trusteeObject = Get-QADObject $trusteeName -DontUseDefaultIncludedProperties -IncludedProperties objectSid,name
    $tName = $trusteeObject.name
    $links = Get-QARSAccessTemplateLink -Trustee $trusteeObject.dn -DontUseDefaultIncludedProperties -IncludedProperties edsvaAccessTemplateDN,edsvaSecObjectDN,edsaTrusteeSID -SizeLimit 0
    Write-ATLinkReport -results (ConvertTo-ATLinkResult $links) -ReportBy "trustee" -Source $tName
}

function Get-ATLinkbyDirectoryObject {
    # Get Access Template Links by secured directory object.
    # NOTE: the link query for this function was not preserved on the page; -DirectoryObject is the
    # Get-QARSAccessTemplateLink parameter assumed here.
    Param( $DirectoryObject )
    Write-Output "Retrieving access template links..."
    $links = Get-QARSAccessTemplateLink -DirectoryObject $DirectoryObject.dn -DontUseDefaultIncludedProperties -IncludedProperties edsvaAccessTemplateDN,edsvaSecObjectDN,edsaTrusteeSID -SizeLimit 0
    Write-ATLinkReport -results (ConvertTo-ATLinkResult $links) -ReportBy "directoryobject" -Source $DirectoryObject.dn
}

function SetExport-Filename {
    # Sets a unique filename based on the date and time of the run.
    $Script:ExportFileName = ("ATLinkInfo_" + (Get-Date -Format "yyyy-MM-dd_hh.mm.ss.fff") + ".html")
}

function Get-ExportFilePath {
    return (Join-Path -Path $ExportPath -ChildPath $ExportFileName)
}

function Pre-Export {
    # Export the beginning of the HTML including CSS.
    # NOTE: the HTML/CSS header was not preserved on the page; only the (empty) report file is created here.
    if ($ExportToHTML) {
        New-Item -Path (Get-ExportFilePath) -ItemType File -Force | Out-Null
    }
}

function Post-Export {
    # Export the end of the HTML and tell the user where the report is.
    # NOTE: the closing HTML fragment was not preserved on the page.
    if ($ExportToHTML) {
        "" | Out-File -FilePath (Get-ExportFilePath) -Append
        Write-Host ("Report exported to: " + (Get-ExportFilePath))
        Set-Clipboard -Value (Get-ExportFilePath)
        Write-Host "The full path has been copied to the clipboard."
    }
}

function ReportInfo-Export {
    # Export the report summary information as HTML. The summary changes based on the type of input object used.
    Param( $ReportBy, $Source )
    if ($ExportToHTML) {
        $ReportInfo = "The following Access Template Link information was found for "
        switch ($ReportBy) {
            "trustee"         { $ReportInfo += "Trustee: $Source" }
            "directoryobject" { $ReportInfo += "Directory Object: $Source" }
            "template"        { $ReportInfo += "Access Template: $Source" }
        }
        $ReportInfo | Out-File -FilePath (Get-ExportFilePath) -Append
    }
}

function ExportTo-HTML {
    # Export the input object as an HTML fragment; -newEntry writes a separator first.
    # NOTE: the original separator and fragment markup were not preserved on the page; <hr> and ConvertTo-Html are used here.
    Param( $inputObject, [switch]$newEntry )
    if ($newEntry) {
        "<hr>" | Out-File -FilePath (Get-ExportFilePath) -Append
    }
    if ($inputObject -eq "NONE") {
        $inputObject | Out-File -FilePath (Get-ExportFilePath) -Append
    } else {
        $inputObject | ConvertTo-Html -Fragment | Out-File -FilePath (Get-ExportFilePath) -Append
    }
}

function Begin-Processing {
    # Check parameters and begin processing.
    if ($ExportPath) {
        if (-not (Test-Path -Path $ExportPath)) {
            New-Item -Path $ExportPath -ItemType Directory | Out-Null
        }
    }
    if ($DirectoryObject) {
        SetExport-Filename
        Pre-Export
        foreach ($item in $DirectoryObject) {
            $targetObject = Get-QADObject $item -DontUseDefaultIncludedProperties -ShowProgress -SizeLimit 0
            if ($null -eq $targetObject) {
                Write-Error "Directory Object '$item' does not exist or you don't have permission to view it. Make sure to run as an Active Roles Administrator."
            } else {
                foreach ($object in $targetObject) {
                    Get-ATLinkbyDirectoryObject -DirectoryObject $object
                    Write-Host "`n`n`n"
                }
            }
        }
        Post-Export
    }
    if ($AccessTemplate) {
        SetExport-Filename
        Pre-Export
        foreach ($item in $AccessTemplate) {
            $ATObject = Get-QARSAccessTemplate $item -DontUseDefaultIncludedProperties -IncludedProperties objectGUID -ShowProgress -SizeLimit 0
            if ($null -eq $ATObject) {
                Write-Error "Access template '$item' does not exist or you don't have permission to view it. Make sure to run as an Active Roles Administrator."
            } else {
                foreach ($object in $ATObject) {
                    Get-ATLinkbyATguid -atDN $object.DN -atName $object.Name
                    Write-Host "`n`n`n"
                }
            }
        }
        Post-Export
    }
    if ($Trustee) {
        SetExport-Filename
        Pre-Export
        foreach ($item in $Trustee) {
            $trusteeObject = Get-QADObject $item -DontUseDefaultIncludedProperties -ShowProgress -SizeLimit 0
            if ($null -eq $trusteeObject) {
                Write-Error "Trustee '$item' does not exist or you don't have permission to view it. Make sure to run as an Active Roles Administrator."
            } else {
                foreach ($object in $trusteeObject) {
                    Get-ATLinkbyTrustee -trusteeName $object
                    Write-Host "`n`n`n"
                }
            }
        }
        Post-Export
    }
    # Disconnect from the Administration Service.
    Disconnect-QADService
}

Begin-Processing