SDDL Security Descriptors

Some notes to myself, kept as a reference guide and to gain a better understanding of the privileges and rights assigned to Windows services in the form of SDDL security descriptor strings, finally became useful today to solve a problem for a good friend and colleague of mine (dear Vanik). Maybe in another post I will explain and write up the solution for that specific case, but in any case the solution needs a good understanding of SDDL. Stay with me until the end of this post; you will find it very useful later 😉.

SDDL

The Windows Security Descriptor Definition Language (SDDL) defines the string format used to represent a security descriptor as text. It applies to any securable object (files, registry keys, processes, services and so on); in this post it is used to read the DACL (a list of ACEs) applied to a Windows service.

Take the following userlogger service from an old Hack The Box machine:

C:\util> sc qc userlogger
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: userlogger
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\windows\system32\UserLogger.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : User Logger
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem

The SERVICE_START_NAME is the account the service process runs as; in this instance it is LocalSystem, in other words NT AUTHORITY\SYSTEM. That is exactly why the service's DACL matters: it decides who may reconfigure, start or stop something that runs with the highest local privilege.

We can request the SDDL string applied to the userlogger service using the following command:

C:\util> sc sdshow userlogger
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) 

ACE Structure


The ACEs in an SDDL string are each enclosed in parentheses, so the userlogger service DACL contains six ACEs. One of them is shown below:

(A;;CCLCSWRPWPDTLOCRRC;;;SY)

Each ACE consists of six fields separated by five semicolons; the last field is the SID (or two-letter alias) of the trustee the ACE applies to. The structure is as follows, with each field labelled:

(ace_type; ace_flags; rights; object_guid; inherit_object_guid; account_sid)

For this individual ACE only the ace_type and rights fields are set, and the trustee is SY, the alias for LocalSystem, meaning this ACE applies to NT AUTHORITY\SYSTEM.

The account_sid field accepts either one of the predefined two-letter aliases (listed in the Tables section at the end of this post) or a literal SID, as in this ACE:

(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)

The account_sid identifies the trustee of the ACE. The SID in this ACE applies to the hacker user from the box.

Decoding


The userlogger service security descriptor:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) 

The service's SDDL only contains a DACL, introduced by the D: at the start of the string. A full security descriptor string can carry up to four components, each introduced by one of the following prefixes:

Symbol   Description
O:       Owner
G:       Primary Group
D:       Discretionary Access Control List (DACL)
S:       System Access Control List (SACL)

The first value of the user’s ACE – A – in (A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003) is defined as the ace_type, a table containing different ace_type values is shown below:

ACE Type   Description
A          Access Allowed
D          Access Denied
OA         Object Access Allowed
OD         Object Access Denied
AU         System Audit
AL         System Alarm
OU         System Object Audit
OL         System Object Alarm
ML         System Mandatory Label
SP         Central Policy ID

After the A;; (the empty field between the two semicolons means no ace_flags are set) comes the following string: CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003.

Ignoring the user’s SID (we know that the object_guid and inherit_object_guid values are empty and the trustee is hacker) for now we’re left with CCLCSWRPWPDTLORC.

The letters are read in pairs and each pair represents a certain right. The following rights are present in the rights field of the hacker user's ACE for the userlogger service:

Symbol   Right
CC       SERVICE_QUERY_CONFIG
LC       SERVICE_QUERY_STATUS
SW       SERVICE_ENUMERATE_DEPENDENTS
RP       SERVICE_START
WP       SERVICE_STOP
DT       SERVICE_PAUSE_CONTINUE
LO       SERVICE_INTERROGATE
RC       READ_CONTROL

Two things to keep in mind when decoding the rights field by hand. First, the letter codes are only shorthand for bits of a 32-bit access mask (SERVICE_START, for example, is bit 0x10), and a tool may write the same field as a hexadecimal mask instead of letters; sc sdshow happens to emit letters. Second, the same two letters mean different things in different fields: RC is READ_CONTROL in the rights field but RESTRICTED_CODE as a SID alias, and WD is WRITE_DAC in the rights field but Everyone in the account_sid field. The position inside the ACE tells you which table to use.

A table containing all of the service DACL rights can be found in the Tables section at the end of this post.
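The ACE structure and the right-code table above can be turned into a small decoder. The following is an added example, not code from the original post: it splits an SDDL string into its DACL ACEs, each ACE into its six fields, maps the two-letter right codes and SID aliases using the tables in this post, and flags ACEs that grant a non-administrative trustee rights which modify the service or its security descriptor. The function name ConvertFrom-ServiceSddl and the $ModifyRights selection are this example's own choices; the sample input is the userlogger string quoted above.

```powershell
# Added example (not from the original post): decode a service DACL written in SDDL by hand.
# The SERVICE_* meanings are the service-specific interpretation of each code; the generic
# GA/GR/GW/GX codes are included because they are legal in any rights field.
$ServiceRightCodes = @{
    'CC' = 'SERVICE_QUERY_CONFIG';         'DC' = 'SERVICE_CHANGE_CONFIG'
    'LC' = 'SERVICE_QUERY_STATUS';         'SW' = 'SERVICE_ENUMERATE_DEPENDENTS'
    'RP' = 'SERVICE_START';                'WP' = 'SERVICE_STOP'
    'DT' = 'SERVICE_PAUSE_CONTINUE';       'LO' = 'SERVICE_INTERROGATE'
    'CR' = 'SERVICE_USER_DEFINED_CONTROL'; 'SD' = 'DELETE'
    'RC' = 'READ_CONTROL';                 'WD' = 'WRITE_DAC'
    'WO' = 'WRITE_OWNER';                  'GA' = 'GENERIC_ALL'
    'GR' = 'GENERIC_READ';                 'GW' = 'GENERIC_WRITE'
    'GX' = 'GENERIC_EXECUTE'
}

# Subset of the well-known SID aliases; anything not listed is printed as-is.
$SidAliases = @{
    'SY' = 'NT AUTHORITY\SYSTEM';        'BA' = 'BUILTIN\Administrators'
    'BU' = 'BUILTIN\Users';              'IU' = 'NT AUTHORITY\INTERACTIVE'
    'SU' = 'NT AUTHORITY\SERVICE';       'AU' = 'NT AUTHORITY\Authenticated Users'
    'WD' = 'Everyone';                   'AN' = 'NT AUTHORITY\ANONYMOUS LOGON'
    'LS' = 'NT AUTHORITY\LOCAL SERVICE'; 'NS' = 'NT AUTHORITY\NETWORK SERVICE'
}

# Rights that let a trustee alter the service itself or its security descriptor.
# Held by a non-administrative trustee on a service running as LocalSystem, they deserve a closer look.
$ModifyRights = 'SERVICE_CHANGE_CONFIG', 'DELETE', 'WRITE_DAC', 'WRITE_OWNER', 'GENERIC_ALL', 'GENERIC_WRITE'

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)

    # Pull out the DACL: "D:" + optional DACL flags (P, AI, AR) + one or more "(...)" ACEs.
    # Owner (O:), group (G:) and SACL (S:) components may surround it and are ignored here.
    if ($Sddl -match 'D:(?<flags>[A-Z]*)(?<aces>(?:\([^)]*\))+)') {
        $dacl = $Matches['aces']
    } else {
        throw "No DACL found in SDDL string: $Sddl"
    }
    $aces = [regex]::Matches($dacl, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value }

    foreach ($ace in $aces) {
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        $fields = $ace -split ';'
        if ($fields.Count -ne 6) { throw "Malformed ACE (expected 6 fields): ($ace)" }
        $type   = $fields[0]
        $flags  = $fields[1]
        $rights = $fields[2]
        $sid    = $fields[5]

        if ($rights -like '0x*') {
            # The rights field may be a hexadecimal access mask instead of letter codes.
            $rightNames = @("raw mask $rights")
        } else {
            # Letter codes come in pairs; unknown pairs are reported rather than dropped.
            $rightNames = @([regex]::Matches($rights, '..') | ForEach-Object {
                if ($ServiceRightCodes.ContainsKey($_.Value)) { $ServiceRightCodes[$_.Value] }
                else { "UNKNOWN($($_.Value))" }
            })
        }

        $trustee = $sid
        if ($SidAliases.ContainsKey($sid)) { $trustee = $SidAliases[$sid] }

        $risky  = @($rightNames | Where-Object { $ModifyRights -contains $_ })
        $review = ($type -eq 'A') -and ($risky.Count -gt 0) -and -not (@('SY', 'BA') -contains $sid)

        [pscustomobject]@{
            Type    = $type
            Flags   = $flags
            Trustee = $trustee
            Rights  = ($rightNames -join ', ')
            Review  = $review
        }
    }
}

# Constructed sample input: the userlogger DACL quoted in this post (trailing whitespace trimmed).
$userlogger = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
ConvertFrom-ServiceSddl -Sddl $userlogger.Trim() | Format-Table -AutoSize

# Against a live service (not run here): sc sdshow prints the string on its own line,
# so join the output and trim before decoding.
# ConvertFrom-ServiceSddl -Sddl ((sc.exe sdshow spooler) -join '').Trim()
```

The Review column is deliberately conservative: it only reacts to allow ACEs that grant configuration, deletion, DACL or ownership rights to someone other than SYSTEM or Administrators. Start/stop rights such as the hacker user's RP/WP are printed but not flagged, since on their own they do not change what the service executes.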

ConvertFrom-SDDLString

An easy way to read the security descriptor is the ConvertFrom-SddlString PowerShell cmdlet, documented in Microsoft's PowerShell reference.

The syntax is straightforward: pass the SDDL string to the -Sddl parameter:

PS C:\Users\New> ConvertFrom-SddlString -Sddl "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)" 


Owner            :
Group            :
DiscretionaryAcl : {NT AUTHORITY\INTERACTIVE: AccessAllowed (CreateDirectories, ExecuteKey, GenericExecute, GenericRead, GenericWrite, ListDirectory, Read,
                   ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Traverse, WriteAttributes, WriteExtendedAttributes), NT
                   AUTHORITY\SERVICE: AccessAllowed (CreateDirectories, GenericExecute, ListDirectory, Read, ReadAttributes, ReadExtendedAttributes,
                   ReadPermissions, WriteAttributes), NT AUTHORITY\SYSTEM: AccessAllowed (CreateDirectories, DeleteSubdirectoriesAndFiles, ExecuteKey,
                   GenericExecute, GenericRead, GenericWrite, ListDirectory, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions,
                   Traverse, WriteAttributes, WriteExtendedAttributes), BUILTIN\Administrators: AccessAllowed (ChangePermissions, CreateDirectories, Delete,
                   DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read,
                   ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, TakeOwnership, Traverse, Write, WriteAttributes, WriteData,
                   WriteExtendedAttributes, WriteKey)...}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

The ConvertFrom-SDDLString cmdlet will not decode the ACE rights in the same manner as manually doing so with the table in the previous section. The following section explains why in more detail.

Types


The ConvertFrom-SDDLString docs show that the -Type flag only has the following values:

  • FileSystemRights
  • RegistryRights
  • ActiveDirectoryRights
  • MutexRights
  • SemaphoreRights
  • CryptoKeyRights
  • EventWaitHandleRights

There is no -Type value that decodes the service DACL rights assigned to a Windows service; without -Type the cmdlet labels the access-mask bits as if they were FileSystemRights, which is what the output above shows. If there were a value for service DACLs, running the following command would give a different name for RP:

PS C:\Users\New> ConvertFrom-SddlString -Sddl "D:(A;;RP;;;AU)"

Owner            :
Group            :
DiscretionaryAcl : {NT AUTHORITY\Authenticated Users: AccessAllowed (WriteExtendedAttributes)}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

It would say SERVICE_START instead of WriteExtendedAttributes. As you can see below, the name given to RP changes when you specify a different value for the -Type parameter, because the same bit is being interpreted against a different rights enumeration:

PS C:\Users\New> ConvertFrom-SddlString -Sddl "D:(A;;RP;;;AU)" -Type ActiveDirectoryRights

Owner            :
Group            :
DiscretionaryAcl : {NT AUTHORITY\Authenticated Users: AccessAllowed (ReadProperty)}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

I am not sure why there isn't a service DACL option type for ConvertFrom-SddlString; hopefully Microsoft implements it at some point.
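The two outputs above are the same bit (0x10) read through two different enumerations. The following is an added example, not code from the original post or from Microsoft: it uses the .NET RawSecurityDescriptor class to parse the SDDL into ACEs with their numeric access masks, then names each bit with the SERVICE_* and standard-right values from the Windows SDK headers (winsvc.h and winnt.h), which is the service interpretation the cmdlet lacks. The function name Get-ServiceAceMasks is this example's own; the FileSystemRights column is included only to show where the cmdlet's WriteExtendedAttributes label comes from.

```powershell
# Added example (not from the original post): interpret raw ACE access masks as service rights.
# Bit values are the SERVICE_* constants from winsvc.h and the standard rights from winnt.h.
$ServiceAccessBits = [ordered]@{
    SERVICE_QUERY_CONFIG         = 0x0001
    SERVICE_CHANGE_CONFIG        = 0x0002
    SERVICE_QUERY_STATUS         = 0x0004
    SERVICE_ENUMERATE_DEPENDENTS = 0x0008
    SERVICE_START                = 0x0010
    SERVICE_STOP                 = 0x0020
    SERVICE_PAUSE_CONTINUE       = 0x0040
    SERVICE_INTERROGATE          = 0x0080
    SERVICE_USER_DEFINED_CONTROL = 0x0100
    DELETE                       = 0x00010000
    READ_CONTROL                 = 0x00020000
    WRITE_DAC                    = 0x00040000
    WRITE_OWNER                  = 0x00080000
}

function Get-ServiceAceMasks {
    param([Parameter(Mandatory)][string]$Sddl)

    # .NET parses the full SDDL grammar (letter codes or hex masks, aliases or literal SIDs)
    # and hands back each ACE with its 32-bit AccessMask.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)

    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask  = $ace.AccessMask
        $names = $ServiceAccessBits.GetEnumerator() |
            Where-Object { ($mask -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key }

        # Resolve the SID to a name where Windows can; SIDs from another domain stay numeric.
        $trustee = $ace.SecurityIdentifier.Value
        try { $trustee = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        [pscustomobject]@{
            AceType       = $ace.AceType
            Trustee       = $trustee
            Mask          = ('0x{0:X8}' -f $mask)
            ServiceRights = ($names -join ', ')
            # Same mask viewed as the file-system enumeration ConvertFrom-SddlString defaults to.
            AsFileRights  = [System.Security.AccessControl.FileSystemRights]$mask
        }
    }
}

# Constructed sample input: the one-right ACE used in the post. Bit 0x10 is SERVICE_START in the
# service enumeration and WriteExtendedAttributes in FileSystemRights; both columns show it.
Get-ServiceAceMasks -Sddl 'D:(A;;RP;;;AU)' | Format-List

# The full userlogger DACL from the post, for comparison with the manual decoding.
Get-ServiceAceMasks -Sddl 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)' |
    Format-Table AceType, Trustee, Mask, ServiceRights -AutoSize
```

Because this path works on the numeric mask, it also handles SDDL strings whose rights field is written as a hexadecimal mask, which the letter-pair table cannot decode directly.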

Tables

Service DACL Rights

Symbol   Right                          Description
CC       SERVICE_QUERY_CONFIG           read the configuration of the service
DC       SERVICE_CHANGE_CONFIG          change the configuration of the service, including BINARY_PATH_NAME and SERVICE_START_NAME
LC       SERVICE_QUERY_STATUS           read the status of the service from the Service Control Manager
SW       SERVICE_ENUMERATE_DEPENDENTS   list the services that depend on this one
LO       SERVICE_INTERROGATE            ask the service to report its current status
CR       SERVICE_USER_DEFINED_CONTROL   send a user-defined service control command
RC       READ_CONTROL                   read the security descriptor (owner, group, DACL)
RP       SERVICE_START                  start the service
WP       SERVICE_STOP                   stop the service
DT       SERVICE_PAUSE_CONTINUE         pause or continue the service
SD       DELETE                         delete the service
WD       WRITE_DAC                      change the DACL of the service
WO       WRITE_OWNER                    change the owner of the service

The last four rows are included because they appear in the BUILTIN\Administrators ACE of the userlogger service (CCDCLCSWRPWPDTLOCRSDRCWDWO). In general, the rights to look for when reviewing a service that runs as LocalSystem are DC (a trustee can reconfigure the service, for example point its binary path elsewhere), WD and WO (a trustee can rewrite the DACL or take ownership and then grant itself DC), with RP and WP deciding whether the trustee can restart the service after such a change.

Predefined Account SIDs

SDDL Alias   SID name
AA           ACCESS_CONTROL_ASSISTANCE_OPS
AC           ALL_APP_PACKAGES
AN           ANONYMOUS
AO           ACCOUNT_OPERATORS
AU           AUTHENTICATED_USERS
BA           BUILTIN_ADMINISTRATORS
BG           BUILTIN_GUESTS
BO           BACKUP_OPERATORS
BU           BUILTIN_USERS
CA           CERT_PUBLISHERS
CD           CERTSVC_DCOM_ACCESS
CG           CREATOR_GROUP
CN           CLONEABLE_CONTROLLERS
CO           CREATOR_OWNER
CY           CRYPTO_OPERATORS
DA           DOMAIN_ADMINS
DC           DOMAIN_COMPUTERS
DD           DOMAIN_DOMAIN_CONTROLLERS
DG           DOMAIN_GUESTS
DU           DOMAIN_USERS
EA           ENTERPRISE_ADMINS
ED           ENTERPRISE_DOMAIN_CONTROLLERS
ER           EVENT_LOG_READERS
ES           RDS_ENDPOINT_SERVERS
HA           HYPER_V_ADMINS
HI           ML_HIGH
IS           IIS_USERS
IU           INTERACTIVE
LA           ADMINISTRATOR
LG           GUEST
LS           LOCAL_SERVICE
LU           PERFLOG_USERS
LW           ML_LOW
ME           ML_MEDIUM
MP           ML_MEDIUM_PLUS
MS           RDS_MANAGEMENT_SERVERS
MU           PERFMON_USERS
NO           NETWORK_CONFIGURATION_OPS
NS           NETWORK_SERVICE
NU           NETWORK
OW           OWNER_RIGHTS
PA           GROUP_POLICY_CREATOR_OWNER
PO           PRINTER_OPERATORS
PS           PRINCIPAL_SELF
PU           POWER_USERS
RA           RDS_REMOTE_ACCESS_SERVERS
RC           RESTRICTED_CODE
RD           REMOTE_DESKTOP
RE           REPLICATOR
RM           REMOTE_MANAGEMENT_USERS
RO           ENTERPRISE_RO_DCS
RS           RAS_SERVERS
RU           ALIAS_PREW2KCOMPACC
SA           SCHEMA_ADMINISTRATORS
SI           ML_SYSTEM
SO           SERVER_OPERATORS
SU           SERVICE
SY           LOCAL_SYSTEM
UD           USER_MODE_DRIVERS
WD           EVERYONE
WR           WRITE_RESTRICTED_CODE

Glossary

  • Access Control Entry – (ACE) is an entry in an Access Control List (ACL). An ACE contains a set of access rights and a Security Identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.
  • Access Control List – (ACL) is a list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.) An entry in an access control list (ACL) is an access control entry (ACE). There are two types of access control list, discretionary and system.
  • Discretionary Access Control List – (DACL) is an access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.
  • System Access Control List – (SACL) is an ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object’s SACL is controlled by a privilege typically held only by system administrators.
  • Security Descriptor – A structure and associated data that contains the security information for a securable object. A security descriptor identifies the object’s owner and primary group. It can also contain a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the object.
  • trustee – The user account, group account, or logon session to which an access control entry (ACE) applies. Each ACE in an access control list (ACL) applies to one trustee.

About Mahyar

OrcID: 0000-0001-8875-3362. PhD Candidate (National Academy of Sciences of Ukraine - Institute for Telecommunications and Global Information). MCP, MCSA, MCSE, MCTS, Azure Security Engineer Associate, MCITP: Enterprise Administrator, CCNA, CCNP (R&S, Security), ISO/IEC 27001 Lead Auditor, CHFI v10, ECIH v2.
