SDDL Security Descriptors

Some notes to myself to use as a reference guide and to gain a better understanding of the privileges and rights assigned to Windows services in the form of SDDL security descriptor strings finally today became useful to solve a problem of a Good friend and college of mine (Dear Vanik). maybe in other post going to explain and write-up the solution for that specific case, but anyway the solution need to have good understanding of SDDL, stay with me till end of this post, you will find it very useful later 😉 .

SDDL

The Windows Security Descriptor Definition Language defines the string format used to describe a security descriptor as a text string, commonly used to define an ACL (list of ACEs) for a Windows service.

Take the following userlogger service from an old Hack The Box machine:

C:\util> sc qc userlogger
sc qc userlogger
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: userlogger
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\windows\system32\UserLogger.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : User Logger
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem

The SERVICE_START_NAME defines the privileges with which the service runs, in this instance it’s LocalSystem, or in other words NT AUTHORITY\SYSTEM.

We can request the SDDL string applied to the userlogger service using the following command:

C:\util> sc sdshow userlogger
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) 

ACE Structure


The ACEs in a SDDL string are enclosed in parentheses, the userlogger service therefore contains six ACEs. One of them is shown below:

(A;;CCLCSWRPWPDTLOCRRC;;;SY)

Each ACE contains five semi-colon terminated strings, followed by the SID for whom the ACE applies. The structure is as follows with each section labelled:

(ace_type; ace_flags; rights; object_guid; inherit_object_guid; account_sid)

For this individual ACE only the ace_type and rights are set and are applied to SY which represents LocalSystem, meaning this ACE is assigned to NT AUTHORITY\SYSTEM.

The account_sid has a set of predefined values. You have the option of supplying a specific SID into the account_sid field when configuring an ACE:

(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)

The account_sid identifies the trustee of the ACE. The SID in this ACE applies to the hacker user from the box.

Decoding


The userlogger service security descriptor:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) 

The service’s SDDL only contains a DACL, defined by the D: at the start of the string. The string can be prefixed with any of the following symbols:

SymbolDescription
O:Owner
G:Primary Group
D:Discretionary Access Control List (DACL)
S:System Access Control List (SACL)

The first value of the user’s ACE – A – in (A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003) is defined as the ace_type, a table containing different ace_type values is shown below:

ACE TypeDescription
AAccess Allowed
DAccess Denied
OAObject Access Allowed
ODObject Access Denied
AUSystem Audit
ALSystem Alarm
OUSystem Object Audit
OLSystem Object Alarm
MLSystem Mandatory Label
SPCentral Policy ID

After the A;; (the double semi-colon implies there are no ace_flags assigned) comes the following string – CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003.

Ignoring the user’s SID (we know that the object_guid and inherit_object_guid values are empty and the trustee is hacker) for now we’re left with CCLCSWRPWPDTLORC.

The letters are in pairs and each pair represents a certain right, the following rights are represented in the rights section of the hacker user ACE for the userlogger service:

SymbolRight
CCSERVICE_QUERY_CONFIG
LCSERVICE_QUERY_STATUS
SWSERVICE_ENUMERATE_DEPENDENTS
RPSERVICE_START
WPSERVICE_STOP
DTSERVICE_PAUSE_CONTINUE
LOSERVICE_INTERROGATE
RCREAD_CONTROL

A table containing all of the different service DACL rights can be found here.

ConvertFrom-SDDLString

An easy way to read the security descriptor is by using the ConvertFrom-SDDLString PowerShell cmdlet. The docs for the command can be found here.

The syntax is straightforward, you just parse the SDDL to the -Sddl parameter:

PS C:\Users\New> ConvertFrom-SddlString -Sddl "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)" 


Owner            :
Group            :
DiscretionaryAcl : {NT AUTHORITY\INTERACTIVE: AccessAllowed (CreateDirectories, ExecuteKey, GenericExecute, GenericRead, GenericWrite, ListDirectory, Read,
                   ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Traverse, WriteAttributes, WriteExtendedAttributes), NT
                   AUTHORITY\SERVICE: AccessAllowed (CreateDirectories, GenericExecute, ListDirectory, Read, ReadAttributes, ReadExtendedAttributes,
                   ReadPermissions, WriteAttributes), NT AUTHORITY\SYSTEM: AccessAllowed (CreateDirectories, DeleteSubdirectoriesAndFiles, ExecuteKey,
                   GenericExecute, GenericRead, GenericWrite, ListDirectory, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions,
                   Traverse, WriteAttributes, WriteExtendedAttributes), BUILTIN\Administrators: AccessAllowed (ChangePermissions, CreateDirectories, Delete,
                   DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read,
                   ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, TakeOwnership, Traverse, Write, WriteAttributes, WriteData,
                   WriteExtendedAttributes, WriteKey)...}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

The ConvertFrom-SDDLString cmdlet will not decode the ACE rights in the same manner as manually doing so with the table in the previous section. The following section explains why in more detail.

Types


The ConvertFrom-SDDLString docs show that the -Type flag only has the following values:

  • FileSystemRights
  • RegistryRights
  • ActiveDirectoryRights
  • MutexRights
  • SemaphoreRights
  • CryptoKeyRights
  • EventWaitHandleRights

There’s no -Type value that allows you to decode the service DACL rights assigned to a Windows service. If there was a value for service DACLs, when you run the following command you’d get different output for the value of RP:

PS C:\Users\New> ConvertFrom-SddlString -Sddl "D:(A;;RP;;;AU)"

Owner            :
Group            :
DiscretionaryAcl : {NT AUTHORITY\Authenticated Users: AccessAllowed (WriteExtendedAttributes)}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

It would say SERVICE_START instead of WriteExtendedAtrributes. As you can see below the value of RP changes when you specify a different value to the -Type flag:

PS C:\Users\New> ConvertFrom-SddlString -Sddl "D:(A;;RP;;;AU)" -Type ActiveDirectoryRights

Owner            :
Group            :
DiscretionaryAcl : {NT AUTHORITY\Authenticated Users: AccessAllowed (ReadProperty)}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

Not sure why there isn’t a service DACL option type for ConvertFrom-SddlString, hopefully Microsoft implements it at some point.

Tables

Service DACL Rights

SymbolRightDescription
CCSERVICE_QUERY_CONFIGread the configuration of the service
LCSERVICE_QUERY_STATUSread the status of the service from Service Control Manager
SWSERVICE_ENUMERATE_DEPENDENTSlist dependencies
LOSERVICE_INTERROGATEask the service its current status
CRSERVICE_USER_DEFINED_CONTROLsend a service control command
RCREAD_CONTROLread the security permissions
RPSERVICE_STARTstart the service
WPSERVICE_STOPstop the service
DTSERVICE_PAUSE_CONTINUEpause/continue the service

Predefined Account SIDs

SDDL AliasSID name
AAACCESS_CONTROL_ASSISTANCE_OPS
ACALL_APP_PACKAGES
ANANONYMOUS
AOACCOUNT_OPERATORS
AUAUTHENTICATED_USERS
BABUILTIN_ADMINISTRATORS
BGBUILTIN_GUESTS
BOBACKUP_OPERATORS
BUBUILTIN_USERS
CACERT_PUBLISHERS
CDCERTSVC_DCOM_ACCESS
CGCREATOR_GROUP
CNCLONEABLE_CONTROLLERS
COCREATOR_OWNER
CYCRYPTO_OPERATORS
DADOMAIN_ADMINS
DCDOMAIN_COMPUTERS
DDDOMAIN_DOMAIN_CONTROLLERS
DGDOMAIN_GUESTS
DUDOMAIN_USERS
EAENTERPRISE_ADMINS
EDENTERPRISE_DOMAIN_CONTROLLERS
EREVENT_LOG_READERS
ESRDS_ENDPOINT_SERVERS
HAHYPER_V_ADMINS
HIML_HIGH
ISIIS_USERS
IUINTERACTIVE
LAADMINISTRATOR<80>
LGGUEST
LSLOCAL_SERVICE
LUPERFLOG_USERS
LWML_LOW
MEML_MEDIUM
MPML MEDIUM PLUS
MSRDS_MANAGEMENT_SERVERS
MUPERFMON_USERS
NONETWORK_CONFIGURATION_OPS
NSNETWORK_SERVICE
NUNETWORK
OWOWNER_RIGHTS
PAGROUP_POLICY_CREATOR_OWNER
POPRINTER_OPERATORS
PSPRINCIPAL_SELF
PUPOWER_USERS
RARDS_REMOTE_ACCESS_SERVERS
RCRESTRICTED_CODE
RDREMOTE_DESKTOP
REREPLICATOR
RMREMOTE_MANAGEMENT_USERS
ROENTERPRISE_RO_DCS
RSRAS_SERVERS
RUALIAS_PREW2KCOMPACC
SASCHEMA_ADMINISTRATORS
SIML_SYSTEM
SOSERVER_OPERATORS
SUSERVICE
SYLOCAL_SYSTEM
UDUSER_MODE_DRIVERS
WDEVERYONE
WRWRITE_RESTRICTED_CODE

Glossary

  • Access Conrol Entry – (ACE) is an entry in an Access Control List (ACL). An ACE contains a set of access rights and a Security Identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.
  • Access Control List – (ACL) is a list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.) An entry in an access control list (ACL) is an access control entry (ACE). There are two types of access control list, discretionary and system.
  • Discretionary Access Control List – (DACL) is an access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.
  • System Access Control List – (SACL) is an ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object’s SACL is controlled by a privilege typically held only by system administrators.
  • Security Descriptor – A structure and associated data that contains the security information for a securable object. A security descriptor identifies the object’s owner and primary group. It can also contain a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the object.
  • trustee – The user account, group account, or logon session to which an access control entry (ACE) applies. Each ACE in an access control list (ACL) applies to one trustee.

About mahyar

OrcID: 0000-0001-8875-3362 PhD Candidate (National Academy of Sciences of Ukraine - Institute for Telecommunications and Global Information) MCP - MCSA - MCSE - MCTS MCITP: Enterprise AdministratorCCNA, CCNP (R&S , Security)ISO/IEC 27001 Lead Auditor

Check Also

Active Directory Penetration Mind Map

click to see Full-Size Image Scan Network cme smb # enumerate smb hosts nmap -sP …

Leave a Reply

Your email address will not be published. Required fields are marked *