Press "Enter" to skip to content

Tag: powerview

The PowerView PowerUsage Series #5

Published July 17, 2018 by harmj0y

This is the fifth post in my “PowerView PowerUsage” series, and follows the same Scenario/Solution/Explanation pattern as the previous entries. The original post contains a constantly updated list of the entire series. The Scenario You discovered on an engagement that most user workstations contain the user’s Active Directory samaccount name, e.g. John Smith’s (jsmith@domain.local) machine is named something like jsmith-workstation.domain.local. You want to find all user->workstation mappings, exported as a CSV. The Solution The Explanation To start off, we enumerate all user samaccountnames in the environment, using the -Properties parameter of Get-DomainUser to again “optimize to the left.” This signals the…

Continue ReadingThe PowerView PowerUsage Series #5

The PowerView PowerUsage Series #4

Published November 20, 2017 by harmj0y

This is a short follow-up to my “A Guide to Attacking Domain Trusts” post, and the fourth post in my “PowerView PowerUsage” series. It follows the same Scenario/Solution/Explanation pattern as the previous entries, with the original post containing a constantly updated list of the entire series. One of the methods for trust hopping that I briefly covered in the trust post (under the “Case 3: Foreign ACL Principals” section) was the enumeration of DACL/ACE entries on domain objects where the principal (i.e. the user/group that holds the right over the specified object) is in a different domain than the target…

Continue ReadingThe PowerView PowerUsage Series #4

A Guide to Attacking Domain Trusts

Published October 30, 2017 by harmj0y

It’s been a while (nearly 2 years) since I wrote a post purely on Active Directory domain trusts. After diving into group scoping, I realized a few subtle misconceptions I previously had concerning trusts and group memberships. That, combined with the changes made to PowerView last year, convinced me to publish an up-to-date guide on enumerating and attacking domain trusts. This will likely be the last post focusing on domain trusts I publish for a while, and at over 8000 words, it’s not exactly a light read (not that anyone reads long posts ;) In general, I don’t just blog my operational…

Continue ReadingA Guide to Attacking Domain Trusts

The PowerView PowerUsage Series #3

Published September 19, 2017 by harmj0y

This is the third post in my “PowerView PowerUsage” series, and follows the same Scenario/Solution/Explanation pattern as the previous entries. The original post contains a constantly updated list of the entire series. Active Directory access control is something my workmates and I have been very interested in over the past year. So far, this has resulted in the release of BloodHound’s ACL Attack Path Update, as well as work on Active Directory DACL backdooring by @_wald0 and myself (whitepaper here). This post will cover DACL enumeration for GPOs in a foreign domain. Why care about this? Well, if you are…

Continue ReadingThe PowerView PowerUsage Series #3

Hunting With Active Directory Replication Metadata

Published September 6, 2017 by harmj0y

With the recent release of BloodHound’s ACL Attack Path Update as well as the work on Active Directory DACL backdooring by @_wald0 and myself (whitepaper here), I started to investigate ACL-based attack paths from a defensive perspective. Sean Metcalf has done some great work concerning Active Directory threat hunting (see his 2017 BSides Charm “Detecting the Elusive: Active Directory Threat Hunting” presentation) and I wanted to show how replication metadata can help in detecting this type of malicious activity. Also, after this post had been drafted, Grégory LUCAND pointed out to me the extensive article (in French) he authored on…

Continue ReadingHunting With Active Directory Replication Metadata

The PowerView PowerUsage Series #2

Published August 16, 2017 by harmj0y

This is the second post in my “PowerView PowerUsage” series. The original post contains a constantly updated list of the entire series. This post will follow the same scenario/solution/explanation format, and is definitely a bit simpler than the first post. The Scenario While on an engagement in a multi-domain forest, you end up with a number of computer “short names” (like WINDOWS1) in a file computers.txt that you want to resolve to complete DNS host names. The Solution The Explanation This one’s fairly straight-forward. We use gc (Get-Content) to output the list of computer shortnames, piping it to Sort-Object -Unique…

Continue ReadingThe PowerView PowerUsage Series #2

The PowerView PowerUsage Series #1

Published July 17, 2017 by harmj0y

PowerView is probably my favorite bit of code I’ve written, and definitely the one I most regularly use (as evidenced by my recent posts). My team also heavily utilizes the toolkit, and we’ve come up with some cool uses for it over the past several years. For a long time I’ve wanted to share some of the real “power” uses of PowerView, like the PowerView “tricks” highlighted here. My intention for this series is to demonstrate how you can use PowerView to solve interesting problems and the thought process we put behind each solution. These posts should be short-and-sweet, less…

Continue ReadingThe PowerView PowerUsage Series #1

A Pentester’s Guide to Group Scoping

Published June 20, 2017 by harmj0y

Scopes for Active Directory groups were always a bit murky for me. For anyone with an AD sysadmin background, this topic is probably second nature, but it wasn’t until I read this SS64 entry that everything started to fall into place. I wanted to document some relevant notes on the topic (as I understand it) in case anyone else had the same confusion I did. I’ll also cover how these group scopes interact with the forest global catalog and domain trusts, sprinkling in new PowerView functionality along the way. Active Directory Groups Active Directory groups can have one of two types:…

Continue ReadingA Pentester’s Guide to Group Scoping

Targeted Kerberoasting

Published January 19, 2017 by harmj0y

This is a short followup demonstrating a technique that dawned on me after posting about decrypting AS-REPs earlier this week. As mentioned previously, @_wald0, @cptjesus, and I are currently working Active Directory ACL integration for BloodHound. One of the control relationships we’re interested in is GenericAll/GenericWrite over a target user object, say victimuser in this instance. If we want to utilize the user’s access, we could force a password reset, but this is fairly ‘destructive’ in that the target user would notice. We’ve been brainstorming another method to abuse these types of relationships with the target remaining unaware, and we…

Continue ReadingTargeted Kerberoasting

The Most Dangerous User Right You (Probably) Have Never Heard Of

Published January 10, 2017 by harmj0y

I find Windows user rights pretty interesting. Separate from machine/domain object DACLs, user rights govern things like “by what method can specific users log into a particular system” and are managed under User Rights Assignment in Group Policy. Sidenote: I recently integrated privilege enumeration into PowerUp in the Get-ProcessTokenPrivilege function, with -Special returning ‘privileged’ privileges. SeEnableDelegationPrivilege One user right I overlooked, until Ben Campbell’s post on constrained delegation, was SeEnableDelegationPrivilege. This right governs whether a user account can “Enable computer and user accounts to be trusted for delegation.” Part of the reason I overlooked it is stated right in the…

Continue ReadingThe Most Dangerous User Right You (Probably) Have Never Heard Of