Write gPLink abuse (#607)

* feat: adding Organizational Units GenericWrite and ManageGPLink compromise edge ; adding OU GenericAll abuse warning about adminCount=1 objects * Renaming ManageGPLink edge to WriteGPLink; additional elements added to help texts related to Organizational Units GPLink exploitation * Additional Organizational Units ACLs (#567) * feat: adding Organizational Units GenericWrite and WriteGPLink compromise edge ; adding OU GenericAll abuse warning about adminCount=1 objects * feat: GenericWrite and WriteGPLink for Domain --------- Co-authored-by: Quentin Roland <[email protected]> Co-authored-by: q-roland <[email protected]>
SpecterOps · Aug 26, 2024 · e88dad4 · e88dad4
1 parent 048d9ad
commit e88dad4
Show file tree

Hide file tree

Showing 23 changed files with 1,667 additions and 16 deletions.
diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue
@@ -1115,6 +1115,11 @@ WriteAccountRestrictions: types.#Kind & {
  schema: "active_directory"
 }
 
+WriteGPLink: types.#Kind & {
+ symbol: "WriteGPLink"
+ schema: "active_directory"
+}
+
 GetChangesInFilteredSet: types.#Kind & {
  symbol: "GetChangesInFilteredSet"
  schema: "active_directory"
@@ -1329,6 +1334,7 @@ RelationshipKinds: [
  RemoteInteractiveLogonPrivilege,
  SyncLAPSPassword,
  WriteAccountRestrictions,
+ WriteGPLink,
  RootCAFor,
  DCFor,
  PublishedTo,
@@ -1384,6 +1390,7 @@ ACLRelationships: [
  GetChangesAll,
  GetChangesInFilteredSet,
  WriteAccountRestrictions,
+ WriteGPLink,
  SyncLAPSPassword,
  DCSync,
  ManageCertificates,
@@ -1426,6 +1433,7 @@ PathfindingRelationships: [
  AddKeyCredentialLink,
  SyncLAPSPassword,
  WriteAccountRestrictions,
+ WriteGPLink,
  GoldenCert,
  ADCSESC1,
  ADCSESC3,

diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx
@@ -342,6 +342,77 @@ const LinuxAbuse: FC<EdgeInfoProps & { targetId: string; haslaps: boolean }> = (
  <Typography component={'pre'}>
  {'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'}
  </Typography>
+
+ <Typography variant='body1'>Generic Descendent Object Takeover</Typography>
+ <Typography variant='body2'>
+ The simplest and most straight forward way to obtain control of the objects of the domain is to
+ apply a GenericAll ACE on the domain that will inherit down to all object types. This can be
+ done using Impacket's dacledit (cf. "grant rights" reference for the link).
+ </Typography>
+
+ <Typography component={'pre'}>
+ {
+ "dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'JKHOLER' -target-dn 'DomainDistinguishedName' 'domain'/'user':'password'"
+ }
+ </Typography>
+
+ <Typography variant='body2'>
+ Now, the "JKOHLER" user will have full control of all descendent objects of each type.
+ </Typography>
+
+ <Typography variant='body1'>Objects for which ACL inheritance is disabled</Typography>
+
+ <Typography variant='body2'>
+ The compromise vector described above relies on ACL inheritance and will not work for objects
+ with ACL inheritance disabled, such as objects protected by AdminSDHolder (attribute
+ adminCount=1). This observation applies to any user or computer with inheritance disabled,
+ including objects located in nested OUs.
+ </Typography>
+
+ <Typography variant='body2'>
+ In such a situation, it may still be possible to exploit GenericAll permissions on a domain
+ object through an alternative attack vector. Indeed, with GenericAll permissions over a domain
+ object, you may make modifications to the gPLink attribute of the domain. The ability to alter
+ the gPLink attribute of a domain may allow an attacker to apply a malicious Group Policy Object
+ (GPO) to all of the domain user and computer objects (including the ones located in nested OUs).
+ This can be exploited to make said child objects execute arbitrary commands through an immediate
+ scheduled task, thus compromising them.
+ </Typography>
+
+ <Typography variant='body2'>
+ Successful exploitation will require the possibility to add non-existing DNS records to the
+ domain and to create machine accounts. Alternatively, an already compromised domain-joined
+ machine may be used to perform the attack. Note that the attack vector implementation is not
+ trivial and will require some setup.
+ </Typography>
+
+ <Typography variant='body2'>
+ From a Linux machine, the gPLink manipulation attack vector may be exploited using the{' '}
+ <Link target='_blank' rel='noopener' href='https://github.com/synacktiv/OUned'>
+ OUned.py
+ </Link>{' '}
+ tool. For a detailed outline of exploit requirements and implementation, you can refer to{' '}
+ <Link
+ target='_blank'
+ rel='noopener'
+ href='https://www.synacktiv.com/publications/ounedpy-exploiting-hidden-organizational-units-acl-attack-vectors-in-active-directory'>
+ the article associated to the OUned.py tool
+ </Link>
+ .
+ </Typography>
+
+ <Typography variant='body2'>
+ Be mindful of the number of users and computers that are in the given domain as they all will
+ attempt to fetch and apply the malicious GPO.
+ </Typography>
+
+ <Typography variant='body2'>
+ Alternatively, the ability to modify the gPLink attribute of a domain can be exploited in
+ conjunction with write permissions on a GPO. In such a situation, an attacker could first inject
+ a malicious scheduled task in the controlled GPO, and then link the GPO to the target domain
+ through its gPLink attribute, making all child users and computers apply the malicious GPO and
+ execute arbitrary commands.
+ </Typography>
  </>
  );
  case 'GPO':
@@ -399,6 +470,60 @@ const LinuxAbuse: FC<EdgeInfoProps & { targetId: string; haslaps: boolean }> = (
  right you want to apply to precisely which kinds of descendent objects. Refer to the Windows
  Abuse info for this.
  </Typography>
+
+ <Typography variant='body1'>Objects for which ACL inheritance is disabled</Typography>
+
+ <Typography variant='body2'>
+ It is important to note that the compromise vector described above relies on ACL inheritance and
+ will not work for objects with ACL inheritance disabled, such as objects protected by
+ AdminSDHolder (attribute adminCount=1). This observation applies to any OU child user or
+ computer with ACL inheritance disabled, including objects located in nested sub-OUs.
+ </Typography>
+
+ <Typography variant='body2'>
+ In such a situation, it may still be possible to exploit GenericAll permissions on an OU through
+ an alternative attack vector. Indeed, with GenericAll permissions over an OU, you may make
+ modifications to the gPLink attribute of the OU. The ability to alter the gPLink attribute of an
+ OU may allow an attacker to apply a malicious Group Policy Object (GPO) to all of the OU's child
+ user and computer objects (including the ones located in nested sub-OUs). This can be exploited
+ to make said child objects execute arbitrary commands through an immediate scheduled task, thus
+ compromising them.
+ </Typography>
+
+ <Typography variant='body2'>
+ Successful exploitation will require the possibility to add non-existing DNS records to the
+ domain and to create machine accounts. Alternatively, an already compromised domain-joined
+ machine may be used to perform the attack. Note that the attack vector implementation is not
+ trivial and will require some setup.
+ </Typography>
+
+ <Typography variant='body2'>
+ From a Linux machine, the gPLink manipulation attack vector may be exploited using the{' '}
+ <Link target='_blank' rel='noopener' href='https://github.com/synacktiv/OUned'>
+ OUned.py
+ </Link>{' '}
+ tool. For a detailed outline of exploit requirements and implementation, you can refer to{' '}
+ <Link
+ target='_blank'
+ rel='noopener'
+ href='https://www.synacktiv.com/publications/ounedpy-exploiting-hidden-organizational-units-acl-attack-vectors-in-active-directory'>
+ the article associated to the OUned.py tool
+ </Link>
+ .
+ </Typography>
+
+ <Typography variant='body2'>
+ Be mindful of the number of users and computers that are in the given OU as they all will
+ attempt to fetch and apply the malicious GPO.
+ </Typography>
+
+ <Typography variant='body2'>
+ Alternatively, the ability to modify the gPLink attribute of an OU can be exploited in
+ conjunction with write permissions on a GPO. In such a situation, an attacker could first inject
+ a malicious scheduled task in the controlled GPO, and then link the GPO to the target OU through
+ its gPLink attribute, making all child users and computers apply the malicious GPO and execute
+ arbitrary commands.
+ </Typography>
  </>
  );
  case 'Container':

diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx
@@ -136,6 +136,17 @@ const References: FC = () => {
  href='https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab'>
  https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
  </Link>
+ <br />
+ <Link target='_blank' rel='noopener' href='https://labs.withsecure.com/publications/ou-having-a-laugh'>
+ https://labs.withsecure.com/publications/ou-having-a-laugh
+ </Link>
+ <br />
+ <Link
+ target='_blank'
+ rel='noopener'
+ href='https://www.synacktiv.com/publications/ounedpy-exploiting-hidden-organizational-units-acl-attack-vectors-in-active-directory'>
+ https://www.synacktiv.com/publications/ounedpy-exploiting-hidden-organizational-units-acl-attack-vectors-in-active-directory
+ </Link>
  </Box>
  );
 };