Some notes to myself, written as a reference guide and to gain a better understanding of the privileges and rights assigned to Windows services in the form of SDDL security descriptor strings, finally became useful today to solve a problem for a good friend and colleague of mine (dear Vanik). Maybe in another post I will explain and write up the solution for that specific case, but either way the solution needs a good understanding of SDDL, so stay with me till the end of this post; you will find it very useful later 😉.
SDDL
The Windows Security Descriptor Definition Language defines the string format used to describe a security descriptor as a text string, commonly used to define an ACL (list of ACEs) for a Windows service.
Take the following `userlogger` service from an old Hack The Box machine:
```
C:\util> sc qc userlogger
sc qc userlogger
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: userlogger
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : c:\windows\system32\UserLogger.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : User Logger
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
```
The `SERVICE_START_NAME` defines the account (and therefore the privileges) the service runs with; in this instance it's `LocalSystem`, or in other words `NT AUTHORITY\SYSTEM`.
We can request the SDDL string applied to the `userlogger` service using the following command:
```
C:\util> sc sdshow userlogger
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
```
ACE Structure
The ACEs in an SDDL string are enclosed in parentheses, so the `userlogger` service contains six ACEs. One of them is shown below:
```
(A;;CCLCSWRPWPDTLOCRRC;;;SY)
```
Each ACE contains five semi-colon terminated strings, followed by the SID of the trustee the ACE applies to. The structure is as follows, with each section labelled:
```
(ace_type; ace_flags; rights; object_guid; inherit_object_guid; account_sid)
```
For this individual ACE only the `ace_type` and `rights` are set, and they are applied to `SY`, which represents `LocalSystem`, meaning this ACE is assigned to `NT AUTHORITY\SYSTEM`.
The `account_sid` has a set of predefined values (see the table at the end of this post). You also have the option of supplying a specific SID in the `account_sid` field when configuring an ACE:
```
(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)
```
The `account_sid` identifies the trustee of the ACE. The SID in this ACE applies to the `hacker` user from the box.
Decoding
The `userlogger` service security descriptor:
```
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
```
The service's SDDL only contains a DACL, defined by the `D:` at the start of the string. The string can be prefixed with any of the following symbols:
Symbol | Description |
---|---|
O: | Owner |
G: | Primary Group |
D: | Discretionary Access Control List (DACL) |
S: | System Access Control List (SACL) |
The first value of the user's ACE, `A` in `(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)`, is the `ace_type`. A table of the different `ace_type` values is shown below:
ACE Type | Description |
---|---|
A | Access Allowed |
D | Access Denied |
OA | Object Access Allowed |
OD | Object Access Denied |
AU | System Audit |
AL | System Alarm |
OU | System Object Audit |
OL | System Object Alarm |
ML | System Mandatory Label |
SP | Central Policy ID |
After the `A;;` (the double semi-colon means there are no `ace_flags` assigned) comes the following string: `CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003`.
Ignoring the user's SID for now (we know that the `object_guid` and `inherit_object_guid` values are empty and the trustee is `hacker`), we're left with `CCLCSWRPWPDTLORC`.
The letters come in pairs and each pair represents a certain right. The following rights are represented in the `rights` section of the `hacker` user's ACE for the `userlogger` service:
Symbol | Right |
---|---|
CC | SERVICE_QUERY_CONFIG |
LC | SERVICE_QUERY_STATUS |
SW | SERVICE_ENUMERATE_DEPENDENTS |
RP | SERVICE_START |
WP | SERVICE_STOP |
DT | SERVICE_PAUSE_CONTINUE |
LO | SERVICE_INTERROGATE |
RC | READ_CONTROL |
A table containing all of the different service DACL rights can be found here.
ConvertFrom-SDDLString
An easy way to read the security descriptor is the `ConvertFrom-SddlString` PowerShell cmdlet. The docs for the command can be found here.
The syntax is straightforward: you just pass the SDDL to the `-Sddl` parameter:
```
PS C:\Users\New> ConvertFrom-SddlString -Sddl "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
Owner :
Group :
DiscretionaryAcl : {NT AUTHORITY\INTERACTIVE: AccessAllowed (CreateDirectories, ExecuteKey, GenericExecute, GenericRead, GenericWrite, ListDirectory, Read,
ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Traverse, WriteAttributes, WriteExtendedAttributes), NT
AUTHORITY\SERVICE: AccessAllowed (CreateDirectories, GenericExecute, ListDirectory, Read, ReadAttributes, ReadExtendedAttributes,
ReadPermissions, WriteAttributes), NT AUTHORITY\SYSTEM: AccessAllowed (CreateDirectories, DeleteSubdirectoriesAndFiles, ExecuteKey,
GenericExecute, GenericRead, GenericWrite, ListDirectory, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions,
Traverse, WriteAttributes, WriteExtendedAttributes), BUILTIN\Administrators: AccessAllowed (ChangePermissions, CreateDirectories, Delete,
DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read,
ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, TakeOwnership, Traverse, Write, WriteAttributes, WriteData,
WriteExtendedAttributes, WriteKey)...}
SystemAcl : {}
RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptor
```
The `ConvertFrom-SddlString` cmdlet does not decode the ACE rights in the same manner as doing so manually with the table in the previous section. The following section explains why in more detail.
Types
The `ConvertFrom-SddlString` docs show that the `-Type` parameter only accepts the following values:
- FileSystemRights
- RegistryRights
- ActiveDirectoryRights
- MutexRights
- SemaphoreRights
- CryptoKeyRights
- EventWaitHandleRights
There's no `-Type` value that decodes the service DACL rights assigned to a Windows service; the cmdlet interprets the same access mask bits as file system rights by default. If there were a value for service DACLs, running the following command would give a different name for `RP`:
```
PS C:\Users\New> ConvertFrom-SddlString -Sddl "D:(A;;RP;;;AU)"
Owner :
Group :
DiscretionaryAcl : {NT AUTHORITY\Authenticated Users: AccessAllowed (WriteExtendedAttributes)}
SystemAcl : {}
RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptor
```
It would say `SERVICE_START` instead of `WriteExtendedAttributes`. As you can see below, the name reported for `RP` changes when you specify a different value for the `-Type` parameter:
```
PS C:\Users\New> ConvertFrom-SddlString -Sddl "D:(A;;RP;;;AU)" -Type ActiveDirectoryRights
Owner :
Group :
DiscretionaryAcl : {NT AUTHORITY\Authenticated Users: AccessAllowed (ReadProperty)}
SystemAcl : {}
RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptor
```
Not sure why there isn't a service DACL option type for `ConvertFrom-SddlString`; hopefully Microsoft implements it at some point.
Tables
Service DACL Rights
Symbol | Right | Description |
---|---|---|
CC | SERVICE_QUERY_CONFIG | read the configuration of the service |
LC | SERVICE_QUERY_STATUS | read the status of the service from Service Control Manager |
SW | SERVICE_ENUMERATE_DEPENDENTS | list dependencies |
LO | SERVICE_INTERROGATE | ask the service its current status |
CR | SERVICE_USER_DEFINED_CONTROL | send a service control command |
RC | READ_CONTROL | read the security permissions |
RP | SERVICE_START | start the service |
WP | SERVICE_STOP | stop the service |
DT | SERVICE_PAUSE_CONTINUE | pause/continue the service |
Predefined Account SIDs
SDDL Alias | SID name |
---|---|
AA | ACCESS_CONTROL_ASSISTANCE_OPS |
AC | ALL_APP_PACKAGES |
AN | ANONYMOUS |
AO | ACCOUNT_OPERATORS |
AU | AUTHENTICATED_USERS |
BA | BUILTIN_ADMINISTRATORS |
BG | BUILTIN_GUESTS |
BO | BACKUP_OPERATORS |
BU | BUILTIN_USERS |
CA | CERT_PUBLISHERS |
CD | CERTSVC_DCOM_ACCESS |
CG | CREATOR_GROUP |
CN | CLONEABLE_CONTROLLERS |
CO | CREATOR_OWNER |
CY | CRYPTO_OPERATORS |
DA | DOMAIN_ADMINS |
DC | DOMAIN_COMPUTERS |
DD | DOMAIN_DOMAIN_CONTROLLERS |
DG | DOMAIN_GUESTS |
DU | DOMAIN_USERS |
EA | ENTERPRISE_ADMINS |
ED | ENTERPRISE_DOMAIN_CONTROLLERS |
ER | EVENT_LOG_READERS |
ES | RDS_ENDPOINT_SERVERS |
HA | HYPER_V_ADMINS |
HI | ML_HIGH |
IS | IIS_USERS |
IU | INTERACTIVE |
LA | ADMINISTRATOR |
LG | GUEST |
LS | LOCAL_SERVICE |
LU | PERFLOG_USERS |
LW | ML_LOW |
ME | ML_MEDIUM |
MP | ML_MEDIUM_PLUS |
MS | RDS_MANAGEMENT_SERVERS |
MU | PERFMON_USERS |
NO | NETWORK_CONFIGURATION_OPS |
NS | NETWORK_SERVICE |
NU | NETWORK |
OW | OWNER_RIGHTS |
PA | GROUP_POLICY_CREATOR_OWNER |
PO | PRINTER_OPERATORS |
PS | PRINCIPAL_SELF |
PU | POWER_USERS |
RA | RDS_REMOTE_ACCESS_SERVERS |
RC | RESTRICTED_CODE |
RD | REMOTE_DESKTOP |
RE | REPLICATOR |
RM | REMOTE_MANAGEMENT_USERS |
RO | ENTERPRISE_RO_DCS |
RS | RAS_SERVERS |
RU | ALIAS_PREW2KCOMPACC |
SA | SCHEMA_ADMINISTRATORS |
SI | ML_SYSTEM |
SO | SERVER_OPERATORS |
SU | SERVICE |
SY | LOCAL_SYSTEM |
UD | USER_MODE_DRIVERS |
WD | EVERYONE |
WR | WRITE_RESTRICTED_CODE |
Glossary
- Access Control Entry – (ACE) is an entry in an Access Control List (ACL). An ACE contains a set of access rights and a Security Identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.
- Access Control List – (ACL) is a list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.) An entry in an access control list (ACL) is an access control entry (ACE). There are two types of access control list, discretionary and system.
- Discretionary Access Control List – (DACL) is an access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.
- System Access Control List – (SACL) is an ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object’s SACL is controlled by a privilege typically held only by system administrators.
- Security Descriptor – A structure and associated data that contains the security information for a securable object. A security descriptor identifies the object’s owner and primary group. It can also contain a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the object.
- Trustee – The user account, group account, or logon session to which an access control entry (ACE) applies. Each ACE in an access control list (ACL) applies to one trustee.