p0w3rsh3ll / NetCease


Audit failed access - SDDL change #1

Open hkelley opened 4 years ago

hkelley commented 4 years ago

Has anybody tried to audit failed requests? I'm thinking of a tweak like this, so that the cmdlet takes a user-specified SDDL and the default SDDL audits for failure.

```powershell
Function Set-NetSessionEnumPermission {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    Param(
        # Default: NetCease-style DACL plus a SACL with one system-audit ACE,
        # S:(AU;FA;GA;;;WD) = audit Failed Access (FA) to Generic All (GA) for Everyone (WD)
        [Parameter(Mandatory = $false)]
        [string] $SDDL = "O:SYG:SYD:(A;;FA;;;S-1-5-3)(A;;FA;;;IU)(A;;FA;;;SU)(A;;CCDCRPSDRCWDWO;;;BA)(A;;CCDCRPSDRCWDWO;;;PU)(A;;CCDCRPSDRCWDWO;;;SO)S:(AU;FA;GA;;;WD)"
    )
    # ... rest of the function body as in the module
}
```

p0w3rsh3ll commented 4 years ago

If you check these pages: https://p0w3rsh3ll.wordpress.com/2017/08/23/netcease-module/ and https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b you can see that the Microsoft ATA product can detect it. It means that it's audited and ATA detects failed attempts. The code in this module doesn't use an SDDL in string form. It uses a hardcoded value as a byte array.

If you want to get the SDDL string form, you can do something like this to read the current value:

```powershell
$HT = @{
    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
}
# SrvsvcSessionInfo is a REG_BINARY self-relative security descriptor;
# CommonSecurityDescriptor(isContainer, isDS, binaryForm, offset) parses it
(
    New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList (
        $true,
        $false,
        ((Get-ItemProperty -Name SrvsvcSessionInfo @HT).SrvsvcSessionInfo),
        0
    )
).GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)   # All: include the SACL (S:) part
```
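An added worked example, not code from the NetCease module or from either participant in this thread: it combines the user-supplied-SDDL idea from the first comment with the read-back snippet above. It converts the proposed SDDL (whose trailing `S:(AU;FA;GA;;;WD)` is a SACL with one system-audit ACE: audit failed access to all generic rights for Everyone) into the REG_BINARY layout stored in SrvsvcSessionInfo, round-trips it back to SDDL to confirm the SACL survived the conversion, and writes it only through ShouldProcess. The helper names and the regex used for the SACL check are assumptions.

```powershell
# Added example, not code from the NetCease module or this issue thread.
# Assumed helper names: ConvertFrom-SddlToBinary, ConvertFrom-BinaryToSddl,
# Get-SrvsvcSessionInfoSddl, Set-SrvsvcSessionInfoSddl.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$ValueName = 'SrvsvcSessionInfo'

# SDDL proposed in the issue. The trailing S:(AU;FA;GA;;;WD) is a SACL with one
# system-audit ACE: audit Failed Access (FA) to Generic All (GA) for Everyone (WD).
$ProposedSddl = 'O:SYG:SYD:(A;;FA;;;S-1-5-3)(A;;FA;;;IU)(A;;FA;;;SU)(A;;CCDCRPSDRCWDWO;;;BA)(A;;CCDCRPSDRCWDWO;;;PU)(A;;CCDCRPSDRCWDWO;;;SO)S:(AU;FA;GA;;;WD)'

function ConvertFrom-SddlToBinary {
    param([Parameter(Mandatory)][string] $Sddl)
    # The (isContainer, isDS, sddlForm) constructor parses the string; $false/$false
    # because the srvsvc object is neither a container nor a directory-service object.
    $sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor `
        -ArgumentList $false, $false, $Sddl
    $bytes = New-Object -TypeName byte[] -ArgumentList $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)   # self-relative layout, the form stored in the registry value
    return ,$bytes                 # leading comma keeps the byte[] from being unrolled
}

function ConvertFrom-BinaryToSddl {
    param([Parameter(Mandatory)][byte[]] $Bytes)
    $sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor `
        -ArgumentList $false, $false, $Bytes, 0
    # AccessControlSections::All is required to get the S: (SACL) part back as well
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-SrvsvcSessionInfoSddl {
    # Read the current REG_BINARY descriptor and render it as SDDL (capture this before changing it)
    $bytes = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
    ConvertFrom-BinaryToSddl -Bytes $bytes
}

function Set-SrvsvcSessionInfoSddl {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string] $Sddl = $ProposedSddl)

    $new = ConvertFrom-SddlToBinary -Sddl $Sddl

    # Round-trip the bytes that will be written and refuse if the failure-audit ACE was lost
    $roundTrip = ConvertFrom-BinaryToSddl -Bytes $new
    if ($roundTrip -notmatch 'S:.*\(AU;FA;') {
        throw "No failed-access audit ACE in the SACL after conversion: $roundTrip"
    }

    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", "Replace security descriptor with: $Sddl")) {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $new -Type Binary
    }
}

# Usage: inspect the current value, dry-run, then apply with confirmation.
Get-SrvsvcSessionInfoSddl
Set-SrvsvcSessionInfoSddl -WhatIf
# Set-SrvsvcSessionInfoSddl -Confirm
```

Run Get-SrvsvcSessionInfoSddl first and keep its output so the original descriptor can be restored, and restart the Server service (LanmanServer) after writing for the new descriptor to take effect. Whether a SACL stored in this value actually produces Security-log events when the Server service denies a session enumeration is exactly the open question in this thread; the example shows only that the SACL can be encoded, verified and written, not that it is audited.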

hkelley commented 4 years ago

ATA detects authentication at a domain controller. It can't see a failed authorization on a member server.

Additionally, I'm betting that an attacker could use a tool like samrdump.py to pass the hash and dump SAMR. Secretsdump works that way, so I'm guessing samrdump will too. That would bypass the DC/ATA entirely.

I've already written the SDDL conversion routine but then discovered that shares don't have SACLs.

Based on this tweet, that's what the SD at SrvsvcSessionInfo is.