search

Security Descriptors

Red teamers can exploit Windows security descriptors (SDs) to establish stealthy, privilege-independent access to remote management interfaces such as WMI, PSRemoting, and the Remote Registry. These descriptors control who can access and interact with system objects, including remote services. By modifying the Discretionary Access Control List (DACL) of these interfaces using a privileged account, it's possible to grant access to a low-privileged or compromised user without altering group memberships or raising alarms.

Windows represents these permissions using the Security Descriptor Definition Language (SDDL), which structures access control entries (ACEs) in the following format:

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

For offensive purposes, the key component is the account_sid — replacing or appending a compromised user’s SID into the descriptor grants that user access. This technique allows backdoor persistence that bypasses typical group membership detection.

hashtag
WMI

When a user authenticates to a system via WMI, two components enforce permissions: the DCOM security descriptor (viewable in Component Services) and the WMI namespace descriptor (modifiable via WMI Control under Services and Applications). Both must be adjusted for successful access. These can be modified remotely using the RACE toolkitarrow-up-right:

# On local machine
Set-RemoteWMI -SamAccountName student337 -Verbose

# On remote machine without explicit credentials
Set-RemoteWMI -SamAccountName dcorp\student337 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

# On remote machine with explicit credentials
Set-RemoteWMI -SamAccountName dcorp\student337 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose

This modifies both the WMI namespace and DCOM ACLs to include the SID of student337, granting them WMI query and execution rights. This user can then run WMI queries without having administrative rights:

# Access the target via WMI
Get-WmiObject -Class Win32_OperatingSystem -ComputerName dcorp-dc

The permissions can be cleaned up:

hashtag
PSRemoting

triangle-exclamation

This method is not stable post-August 2020 → sometimes it crashes the WinRM service!

PowerShell Remoting, backed by WinRM, is secured through session configurations — specifically the microsoft.powershell configuration accessed via Get-PSSessionConfiguration. Access is controlled by its security descriptor. Like WMI, this can be altered to include a low-privileged user.

The ACL of microsoft.powershell can be read on the UI as follows:

Running Set-RemotePSRemoting with the target username and computer name modifies the underlying ACL, giving the user WinRM access. Even if the command returns an error due to transport issues, the change is typically still applied:

Once the descriptor includes the user’s SID, they can open an interactive session without being a member of the Remote Management Users group:

hashtag
Remote Registry

Remote Registry is a Windows service that enables remote access to the registry over the network via RPC. When running, it allows reading and writing to critical hives like SAM and SECURITY without shell access.

By modifying registry ACLs to include a user’s SID—using tools like RACE or DAMParrow-up-right—non-admin users can gain access to sensitive data such as local hashes, cached credentials, or the machine account hash. This provides a stealthy method for credential extraction and persistence. Though often disabled by default, it may be active in enterprise environments for legacy management. Unlike WinRM or WMI, it offers no code execution but enables silent post-exploitation.

PreviousGolden TicketNextShadow Copies

Last updated