RACE - Minimal Rights and ACE for Active Directory Dominance

Conference: Defcon 27



The presentation discusses techniques for persistence and privilege escalation on Windows machines using ACL modifications.
  • ACL modifications can be used to gain and maintain local admin or domain admin privileges
  • Tools such as BloodHound, AD ACL Scanner and PingCastle can be used for ACL auditing
  • WMI permanent event consumers can be used for persistence, but may not always result in command execution
  • Modifying the ACL of the PowerShell remoting endpoint and of WMI namespaces can allow remote code execution
The presenter demonstrated how modifying the ACL of the default PowerShell remoting endpoint on a domain controller (using domain admin privileges) allows an otherwise unprivileged user to access the domain controller. This illustrates the danger of ACL modifications: they can grant unauthorized access to sensitive systems.
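A defensive check that follows from the two access paths above (the PowerShell remoting endpoint and WMI namespaces), added here as an example and not code from the talk or its tools: a PowerShell audit that reads the DACL of every remoting endpoint and of a WMI namespace and warns on allow ACEs for principals outside an allow-list. The allow-lists are assumptions to adjust to the environment's baseline; run it elevated on a Windows host where WinRM is configured.

```powershell
# Added example, not from the talk: audit the DACLs gating PowerShell remoting endpoints
# and a WMI namespace, and warn on allow ACEs for principals outside an allow-list.
# Both allow-lists are assumptions (default endpoint/namespace grants); adjust to your baseline.
$ExpectedEndpointPrincipals = @('BUILTIN\Administrators', 'BUILTIN\Remote Management Users', 'NT AUTHORITY\INTERACTIVE')
$ExpectedWmiPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users',
                           'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\LOCAL SERVICE')

function Get-EndpointAccessEntries {
    param([string]$Sddl)
    if ([string]::IsNullOrEmpty($Sddl)) { return }   # endpoint without an explicit SDDL
    # Parse the endpoint's SDDL and resolve each DACL entry to a readable principal
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }   # unresolvable SID: report it raw
        [pscustomobject]@{ Principal = $name; Type = [string]$ace.AceType; Mask = $ace.AccessMask }
    }
}

function Get-WmiNamespaceAccessEntries {
    param([string]$Namespace = 'root')
    # __SystemSecurity.GetSecurityDescriptor returns a Win32_SecurityDescriptor for the namespace
    $r = Invoke-CimMethod -Namespace $Namespace -ClassName __SystemSecurity -MethodName GetSecurityDescriptor
    foreach ($ace in $r.Descriptor.DACL) {
        $type = if ($ace.AceType -eq 0) { 'AccessAllowed' } else { 'AccessDenied' }   # Win32_ACE: 0 = allow
        $principal = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
        [pscustomobject]@{ Principal = $principal; Type = $type; Mask = $ace.AccessMask }
    }
}

function Find-UnexpectedAllowAces {
    param($Entries, [string[]]$Expected, [string]$Label)
    foreach ($e in $Entries) {
        # Deny ACEs are not a privilege grant; only allow ACEs for unknown principals are flagged
        if ($e.Type -like 'AccessAllowed*' -and $Expected -notcontains $e.Principal) {
            Write-Warning ("{0}: unexpected allow ACE for '{1}' (mask 0x{2:X})" -f $Label, $e.Principal, $e.Mask)
        }
    }
}

foreach ($cfg in Get-PSSessionConfiguration) {
    Find-UnexpectedAllowAces -Entries (Get-EndpointAccessEntries -Sddl $cfg.SecurityDescriptorSddl) `
                             -Expected $ExpectedEndpointPrincipals -Label "PS endpoint '$($cfg.Name)'"
}
Find-UnexpectedAllowAces -Entries (Get-WmiNamespaceAccessEntries -Namespace 'root') `
                         -Expected $ExpectedWmiPrincipals -Label "WMI namespace 'root'"
```

Run it on a known-good build to establish the baseline first, then schedule it on domain controllers and compare output over time.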


User rights and privileges are a part of the access control model in Active Directory. Applicable only at the local computer level, a user generally has different rights (through access tokens) on different machines in a domain. Another part of the access control model is security descriptors (ACLs) that protect a securable object. At the domain level, ACL abuse is well known and adversaries have used it for persistence. For user rights, the abuse is mostly with the help of groups (memberships, SID History, etc.) or misconfigured delegated rights. A lesser-known area of abuse and offensive research is a combination of minimal rights and ACEs (hence the term RACE). Often overlooked in audits and assessments, using minimal rights along with favourable ACEs provides a very interesting technique of persistence and on-demand privilege escalation on a Windows machine with much-desired stealth. This talk covers interesting domain privilege escalation, persistence and backdoor techniques with the help of ACLs, minimal user rights and combinations of both. We will discuss how these techniques can be applied using open source tools and scripts. The talk also covers how to detect and mitigate such attacks. The talk will be full of live demonstrations.