Server (Un)Trust Account is an Active Directory persistence technique we uncovered during some other research, and have not seen previously documented. It allows an attacker to regain domain administrator privileges after losing them or being evicted from the network; simply, they must only regain a foothold on any computer. With that, the attacker can abuse documented behavior of the userAccountControl
value SERVER_TRUST_ACCOUNT
to promote a previously staged computer account to domain controller privileges.
This code accompanies a blog post, which provides greater detail.
This function creates a computer object with a known password and grants the necessary permissions to exploit SERVER_TRUST_ACCOUNT
persistence. It is designed to run with domain administrator privileges and performs the following activities:
- Creates a computer object with a known password
- Creates new ACE on the domain object to grant AuthenticatedUsers the Ds-Install-Replica permission
- Creates new ACE on the created computer object to grant AuthenticatedUsers Write UserAccountControl permission
PS > . .\ServerUntrustAccount.ps1
PS > Add-ServerUntrustAccount -ComputerName FakeComputer123 -Password "Abc123!@#"
PS >
This function utilizes the permissions and computer object created by Add-ServerUntrustAccount in order to regain domain dominance. It sets the UAC bit flag for SERVER_TRUST_ACCOUNT
, then uses mimikatz to pass-the-hash as the staged computer account, and finally performs a DCSync to replicate the krbtgt hashes. It is designed to be run by any authenticated user in the domain.
PS > . .\ServerUntrustAccount.ps1
PS > Invoke-ServerUntrustAccount -ComputerName FakeComputer123 -Password "Abc123!@#" -MimikatzPath "C:\Windows\Temp\mimikatz.exe"
Hashes for KRBTGT:
NTHash: a3dd...
AES128: j916...
AES256: k093...
This function removes accounts and permissions created using Add-ServerUntrustAccount
. It performs the following actions:
- Remove the DS-Install-Replica permission on the domain object for the specified computer or managed service account
- Remove the modify userAccountControl permission on the specified computer or managed service account object
- With the deleteComputer switch enabled, also deletes the specified computer or managed service account object
PS > . .\ServerUntrustAccount.ps1
PS > Remove-ServerUntrustAccount -ComputerName FakeComputer123 -DeleteComputer
Confirm
Are you sure you want to perform this action?
Performing the operation "Remove" on target "CN=FakeComputer123,CN=Computers,DC=domain,DC=local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
PS >