In this article we talk about one of the most common vulnerability exist in modern enterprise windows network infrastructure. We demonstrate how an attacker elevate privilege from administrator account to NT/ SYSTEM Authority privilege which is highest privilege in local windows system. The idea is to use NT authority system privilege to interact with LSA secrets and extract passwords from services account. Often these services accounts misconfigured in modern windows enterprise, which likely enable low privilege user to gain higher privileges.
- Attacker has an elevated privilege (Local Admin)
- Attacker identified a service account AwesomeService.exe installed locally and runs under the local administrator privilege
Regedit Registry editor permission with SAM hive file requires NT/Authority SYSTEM Privilege, we can not access the SAM File hive with windows local administrative permission.
Figure 1 SAM Hive set to full control permission
We Launch registry editor under the local administrative privilege – we are not able to read/write and modify SAM files.
Figure 2 Regedit under the windows administrator privilege account.
We elevate the local administrator privilege to NT/Authority SYSTEM privilege using the SysInternals PsExec Mark Russinovich copy of the PsExec Here with the -i interactive, -s run remote process in the system account and -d dot wait for process to terminate.
Figure 3 PsExec elevated privilege from local admin to NT/Authority SYSTEM
NT Authority\SYSTEM has access to SAM hive files
Figure 4 Corroborates the SAM hive access via SYSTEM privilege
We not really interested in SAM/SYSTEM contents – We are after LSA Secrets and Service Account password extraction, however we need to create and compile a windows 10 compatible service and install it locally on our windows 10.
Figure 5 – We created AwesomeService.exe with DisplayName “Windows Update” using SC Service Control to install and set the run time to auto start.
Display Name set as Windows Update
Figure 6 AwesomeService.exe runs as service under the local administrator privilege.
AwesomeService current value is in binary mode
Figure 7 AwesomeService in binary value
lsasecret.exe /service AwesomeService command to dump clear text password from the registry.
Figure 8 extracted openSSHd and AwesomeService accounts from registry.
Link to github lsasecre.exe the original source code from “Timothy D.Morgan”
There are couple of solutions to mitigate against this particular vulnerability – the easiest and Microsoft recommended approach is the use of native windows feature, Managed Service Account (MSA) and Group Managed Service Account (gMSA) .
Switch to your Server 2012 domain controller generate KDS root key for use with managed MSA and Group Managed Service Accounts (gMSA) New-KdsRootKey Powershell cmdlet to initialize the key. The reason that we need to generate this once because this will be used in generating passwords for the Group Managed Service Accounts.
Run this under the windows administrator Powershell console; The -EffectiveImmeditely takes 10 hours from the time of creation to allow all domain controllers to replicate before allowing the creation of a gMSA. The idea behind 10 hours delay is a safety measure to prevent password generation from occurring before all domain controller are capable of responding to gMSA requests.
Perhaps yo may want to run this over the weekend over the night in production environment?
Service Account Creation
It’s straightforward to create gMSAs (Group Managed Service Account) Switch to the server you want to add service account, you need active directory Powershell module part of the RSAT for this to work.
New-ADServiceAccount -Name svc_Secure -DNSHostName cryptoambient.local -PrincipalsAllowedToRetriveManagedPassword WIN-12-AV$
Command Breakdown :
-Name service name of your choice
-DNSHostName – FQDN for our domain controller that holds KDS root key in my case ambientcrypto.local
PrincipalsAllowedToRetriveManagedPassword – This parameter allows you to specify the server(s) that you are going to be running particular (gMSA) on.
That’s it, simple and extremely reliable to manage service accounts. Good luck 🙂