Full Report
tl;dr: In this writeup I am going to describe how to abuse a GenericWrite ACE misconfiguration in Active Directory to run arbitrary executables. During a recent assessment I found a new way to abuse Access Control Entries in a misconfigured Active Directory instance. Before jumping into the juicy bits, I’d first like to explain what these misconfigurations are, how we find them and finally how to abuse them. If you have pre-existing knowledge on this topic you can jump to the section titled ‘A new way of abusing GenericWrite’.
Analysis Summary
# Tool/Technique: Abusing GenericWrite ACE Misconfiguration for Arbitrary Code Execution
## Overview
This technique describes how an attacker can leverage a misconfigured Access Control Entry (ACE) in Active Directory, specifically one granting `GenericWrite` permissions on a user object, to achieve arbitrary executable code execution on a domain-joined system, often via the Remote Control Manager (RCM) mechanism used during user login on RDS/Terminal Servers.
## Technical Details
- Type: Technique
- Platform: Microsoft Active Directory, Windows Server (specifically targeting systems with Remote Desktop Services/Terminal Server role installed for RCM abuse).
- Capabilities: Privilege escalation/lateral movement leading to Remote Code Execution (RCE) by manipulating unprotected attributes that trigger code execution upon user authentication.
- First Seen: Article published July 24, 2020, describing a "new way" of abuse discovered during a recent assessment.
## MITRE ATT&CK Mapping
- **TA0005 - Privilege Escalation**
- **T1134 - Access Token Manipulation** (Indirectly, by gaining the ability to execute code as a target user)
- **TA0008 - Lateral Movement**
- **T1021 - Remote Services** (Abusing RCM functionality)
- **TA0002 - Execution**
- **T1204.002 - User Execution: Malicious File** (If the payload execution relies on a targeted user logging in)
- **T1059.001 - Command and Scripting Interpreter: PowerShell** (Tools used for identification and exploitation are often PowerShell-based)
## Functionality
### Core Capabilities
- **Identification:** Tools like PowerView and BloodHound are used to scan the Active Directory environment for security principals (users/groups) holding `GenericWrite` ACEs on target objects (like user accounts).
- **Manipulation:** Utilizing the identified `GenericWrite` access to modify "unprotected" attributes on target user objects.
- **RCE Trigger:** Specifically targeting unprotected attributes whose modification results in code execution upon that user's next login session, often leveraging the Remote Control Manager (RCM).
### Advanced Features
- **RCM Abuse:** The technique specifically mentions abusing RCM, which is active on servers with the Terminal Server/Remote Desktop Services Host role. Modifying specific attributes can potentially trick the RCM process into executing arbitrary code during user login initialization.
- **Hiding Execution:** Successful execution requires the payload to hide its process window and spawn the normal graphical environment, suggesting capability for stealthy persistence or immediate execution.
## Indicators of Compromise
- File Hashes: N/A (Focus is on configuration changes, not specific malware hashes)
- File Names: N/A (Focus is on configuration changes, not specific file names)
- Registry Keys: No attacker-created key is associated with this technique. The defensive entry `fQueryUserConfigFromDC` set to `0x00000000` on Server 2016+ disables RCM; its presence and value should be monitored, since removing or altering it re-enables the abused code path.
- Network Indicators: N/A
- Behavioral Indicators:
  - Modification of user-object attributes that RCM consumes at login, especially by principals that do not normally administer those accounts.
  - Processes started during user login that hide their own graphical window before spawning the normal desktop environment.
  - **EventID 1060** logged by the RCM process when it cannot use the path specified via `Remote Desktop Home Folder Drive`.
## Associated Threat Actors
- The article describes a technique discovered during an independent security assessment, suggesting it is applicable to red team operations, penetration testers, and potentially sophisticated threat actors targeting Active Directory misconfigurations. No specific threat actor is named as being the primary source of this precise RCM-based abuse variant.
## Detection Methods
- **Signature-based detection:** Difficult for pure configuration abuse, but can target associated tooling use (like PowerView/BloodHound module execution).
- **Behavioral detection:** Monitoring for system-level processes spinning up during login that exhibit window hiding behaviors. Monitoring Active Directory audit logs for write operations on sensitive user attributes performed by unauthorized principals.
- **YARA rules if available:** N/A
## Mitigation Strategies
- **ACL Auditing:** Thoroughly audit ACLs to identify and remove unnecessary `GenericWrite` (or other sensitive permissions) granted to non-administrative accounts on user objects.
- **Registry Hardening (Post-2016):** If RCM is not required, disable it on Server 2016 and later by creating the registry entry `fQueryUserConfigFromDC` set to `0x00000000`. Monitor this specific registry key for unauthorized changes.
- **Process Monitoring:** Monitor processes initiated during user login, specifically looking for processes that hide their window while launching graphical environments.
- **Role Restriction:** Limit the installation of the Terminal Server/Remote Desktop Services Host role to only necessary servers.
- **Shadowing Control:** Review and ensure that user consent is generally required for Remote Control shadowing, although this vector targets RCM execution logic, not standard shadowing consent.
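The ACL audit recommended above, as an added example that is not part of the original writeup or any of the tools it names: it walks every user object over the `AD:` drive provided by the ActiveDirectory module and reports `GenericWrite` (or broader) Allow ACEs held by principals outside an assumed allow-list, which you should adjust to your own delegation model.

```powershell
# Added example (not from the original writeup): list user objects whose DACL grants
# GenericWrite to a principal outside an assumed allow-list of administrative identities.
# Requires the ActiveDirectory module (RSAT) and the AD: drive it provides.
Import-Module ActiveDirectory

# Assumed allow-list; extend with the delegated groups that legitimately hold GenericWrite.
$AllowedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\SELF',
    'BUILTIN\Administrators',
    'BUILTIN\Account Operators'
)
$DomainAllowedGroups = @('Domain Admins', 'Enterprise Admins')   # matched as "<DOMAIN>\<group>"

$GenericWrite = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
$findings = @()

foreach ($user in Get-ADUser -Filter * -Properties DistinguishedName) {
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Keep only Allow ACEs whose mask covers all GenericWrite bits (this also catches
        # GenericAll) and that are not scoped to a single property or property set.
        # Property-specific WriteProperty grants are out of scope for this check.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $GenericWrite) -ne $GenericWrite) { continue }
        if ($ace.ObjectType -ne [Guid]::Empty) { continue }

        $who = $ace.IdentityReference.Value
        $isAllowed = ($AllowedPrincipals -contains $who) -or
                     ($DomainAllowedGroups | Where-Object { $who -like "*\$_" })
        if ($isAllowed) { continue }

        $findings += [pscustomobject]@{
            User      = $user.SamAccountName
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
            Target    = $user.DistinguishedName
        }
    }
}

# Explicit (non-inherited) ACEs are the usual sign of a one-off delegation mistake,
# so they are listed first; inherited ones point at an OU-level delegation to review.
$findings | Sort-Object Inherited, User | Format-Table -AutoSize
```

Run it under an account that can read every user object's security descriptor; each row names the principal to review against the delegation that was actually intended.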
## Related Tools/Techniques
- **PowerView:** PowerShell module used for AD reconnaissance and initial abuse demonstration.
- **BloodHound:** Primary tool recommended for complex relationship mapping and misconfiguration identification.
- **ADACLScanner, PingCastle:** Other tools mentioned for identifying ACL misconfigurations.
- **Remote Control Manager (RCM):** The underlying Windows feature abused via misconfigured attributes.