20.Privileged Access

Windows (PowerShell)

Enumerate RDP and WinRM Users:

Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"
Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"

Establish a Secure WinRM Session:

$password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password)
Enter-PSSession -ComputerName ACADEMY-EA-MS01 -Credential $cred

To exit the session:

Exit-PSSession

PowerUpSQL for SQL Server Enumeration:

cd .\PowerUpSQL\  # Navigate to PowerUpSQL directory
Import-Module .\PowerUpSQL.ps1  # Import PowerUpSQL module
Get-SQLInstanceDomain  # Enumerate SQL instances

Execute SQL Query:

Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -Username "inlanefreight\damundsen" -Password "SQL1234!" -Query 'SELECT @@version'

Linux-Based Enumeration

Install and Use Evil-WinRM:

gem install evil-winrm  # Install evil-winrm
evil-winrm -i 10.129.201.234 -u forend  # Establish WinRM session

MSSQLClient for SQL Enumeration:

mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth  # Connect to MSSQL
help  # Display help within MSSQL client
enable_xp_cmdshell  # Enable xp_cmdshell
xp_cmdshell whoami /priv  # Run OS command

BloodHound (Cypher Queries)

Find WinRM Access:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group))
MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer)
RETURN p2

Find SQL Admin Access:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group))
MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer)
RETURN p2

Best Practices & Mitigations

  1. Restrict Privileged Access: Limit RDP and WinRM access to necessary personnel.

  2. Monitor Privileged Actions: Enable auditing for RDP logins and PowerShell execution logs.

  3. SQL Security: Disable xp_cmdshell and enforce strong authentication mechanisms.

  4. Least Privilege Principle: Regularly audit and limit high-privilege group memberships.

  5. Use MFA and Network Segmentation: Add extra security layers to critical services.

By implementing these best practices, organizations can significantly reduce the risk of privilege escalation attacks.

Previous8.Stacking The DeckNext21.Kerberos Double Hop Problem

Last updated