Repository files (PowerShell, branch master):

Add-RemoteRegBackdoor.ps1 (last commit: "bug fix", Apr 10, 2018)
LICENSE
README.md (last commit: "Updated README.md with function explanations.", Apr 8, 2018)
RemoteHashRetrieval.ps1 (last commit: "fix for newer versions of PowerShell", Jul 25, 2019)

DAMP

The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.

This project contains several files that implement host-based security descriptor "backdoors" that facilitate the abuse of various remotely accessible services for arbitrary trustees/security principals.

tl;dr - this grants users/groups (local, domain, or 'well-known' like 'Everyone') of an attacker's choosing the ability to perform specific administrative actions on a modified host without needing membership in the local administrators group.

Note: to implement these backdoors, you need the right to change the security descriptor information for the targeted service, which in stock configurations nearly always means membership in the local administrators group.

More information:

Authors: @tifkin_, @enigma0x3, and @harmj0y.

License: BSD 3-Clause

Remote Registry

Add-RemoteRegBackdoor.ps1

Add-RemoteRegBackdoor

Implements a new remote registry backdoor that allows for the remote retrieval of a system's machine and local account hashes, as well as its domain cached credentials.

RemoteHashRetrieval.ps1

Get-RemoteMachineAccountHash

Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine.

Get-RemoteLocalAccountHash

Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine.

Get-RemoteCachedCredential

Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
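A defender-side audit for the kind of descriptor change the functions above depend on, added here as an example and not part of DAMP or its scripts: it lists Allow ACEs on the registry keys a remote-registry hash retrieval would need to open and reports any trustee outside an expected baseline. The key list and the baseline trustee list are assumptions, not taken from the README; compare against a known-good host of the same build before treating a hit as malicious.

```powershell
# Added defensive audit; not part of DAMP. Run elevated on the host being checked.
# Assumptions (not stated in the README): the key list and the expected-trustee baseline.
$KeysToAudit = @(
    'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',  # gates remote registry access
    'SAM',                                                        # local account hashes
    'SECURITY',                                                   # LSA secrets, cached credentials
    'SYSTEM\CurrentControlSet\Control\Lsa\JD',                    # boot key fragments (assumed)
    'SYSTEM\CurrentControlSet\Control\Lsa\Skew1',
    'SYSTEM\CurrentControlSet\Control\Lsa\GBG',
    'SYSTEM\CurrentControlSet\Control\Lsa\Data'
)
# Assumed stock baseline of trustees that may legitimately hold Allow ACEs on these keys.
$ExpectedTrustees = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
    'BUILTIN\Backup Operators', 'NT AUTHORITY\LOCAL SERVICE'
)

function Get-UnexpectedRegistryAce {
    param([string[]]$Keys, [string[]]$Allowed)
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($keyPath in $Keys) {
        # Request READ_CONTROL only: SAM and SECURITY deny KEY_READ even to administrators,
        # but administrators may still read their security descriptors.
        $key = $hklm.OpenSubKey($keyPath,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
            [System.Security.AccessControl.RegistryRights]::ReadPermissions)
        if ($null -eq $key) { Write-Warning "Cannot open HKLM\$keyPath"; continue }
        $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Resolve the SID; one that no longer resolves (deleted or foreign principal) is itself worth a look.
            try   { $trustee = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $trustee = $ace.IdentityReference.Value }
            if ($Allowed -contains $trustee) { continue }
            [pscustomobject]@{
                Key       = "HKLM\$keyPath"
                Trustee   = $trustee
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
        $key.Close()
    }
}

# Every row is a trustee outside the baseline on a sensitive key; investigate each one.
Get-UnexpectedRegistryAce -Keys $KeysToAudit -Allowed $ExpectedTrustees | Format-Table -AutoSize
```

Pair this with auditing of Write DAC / Set Value operations on the same keys (object access auditing with a SACL on them) so that a descriptor change is logged at the time it is made rather than only found on the next sweep.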
