# About the Security Descriptor Definition Language (SDDL)

Last updated: 2023/1/22

About SDDL
---

- Security Descriptor Definition Language (SDDL)
- Defines the string format used by `ConvertSecurityDescriptorToStringSecurityDescriptor` and `ConvertStringSecurityDescriptorToSecurityDescriptor`
- A security-control mechanism in Windows that can be used to grant control permissions over registered services

Describe SDDL
---

In Windows, every service on the system is an object, and most of what a user does on the system is governed by role and permission settings. The most common place to meet these settings is the SC command (Service Control): when you want to control the advanced ACL that decides what system users may do to a system service, you query and set it through SC.

To find out what permissions a program or service currently has, run

```
sc sdshow xxxxx
```

where xxxxx is the name of the executable or service on the system; the output shows the read/write permissions that service or executable currently holds on the system. Remember the prerequisite: the cmd window you run the command from must have administrator privileges.

For example, to see the current ACL of winservicesample.exe:

```
sc.exe sdshow winservicesample.exe
```

The result is

```
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
```

That text that does not look like English is SDDL.

As for the permission settings, there are two kinds. One is the discretionary access control list (DACL): once set, it applies to all users and computers that have joined the AD environment, and it usually starts with `D:`. The other is the system access control list (SACL): once set, it applies only to system users and computers, and it usually starts with `S:`.

ACL rules work much like firewall rules: an entry is usually either Allow (pass) or Deny (block), written as `A` and `D` respectively.

Next, the abbreviations of the common permission codes:

- `CC`: SERVICE_QUERY_CONFIG (request service settings)
- `LC`: SERVICE_QUERY_STATUS (service status polling)
- `SW`: SERVICE_ENUMERATE_DEPENDENTS
- `LO`: SERVICE_INTERROGATE
- `CR`: SERVICE_USER_DEFINED_CONTROL
- `RC`: READ_CONTROL
- `RP`: SERVICE_START
- `WP`: SERVICE_STOP
- `DT`: SERVICE_PAUSE_CONTINUE

The other part is the abbreviations of the common user (trustee) codes:

- `AO`: Account operators
- `AN`: Anonymous logon
- `AU`: Authenticated users
- `BA`: Built-in administrators
- `BG`: Built-in guests
- `BO`: Backup operators
- `BU`: Built-in users
- `CA`: Certificate server administrators
- `CG`: Creator group
- `CO`: Creator owner
- `DA`: Domain administrators
- `DC`: Domain computers
- `DD`: Domain controllers
- `DG`: Domain guests
- `DU`: Domain users
- `EA`: Enterprise administrators
- `ED`: Enterprise domain controllers
- `WD`: Everyone
- `PA`: Group Policy administrators
- `IU`: Interactively logged-on user
- `LA`: Local administrator
- `LG`: Local guest
- `LS`: Local service account
- `SY`: Local system
- `NU`: Network logon user
- `NO`: Network configuration operators
- `NS`: Network service account
- `PO`: Printer operators
- `PS`: Personal self
- `PU`: Power users
- `RS`: RAS servers group
- `RD`: Terminal server users
- `SA`: Schema administrators
- `SU`: Service logon user

Use SDDL in the sc sdset command
---

Suppose you want to give the Network Service account the relevant permissions on winservicesample.exe. You can run the following (note: once the command below has run, the Network Service account has full control over winservicesample.exe):

```
sc.exe sdset winservicesample.exe "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRCRPWPDT;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
```

Some incidents
---

As for incidents, there is nothing very concrete to report yet, but Tencent Cloud has an article, "T1543.003: using ACLs to hide a malicious Windows service" (https://cloud.tencent.com/developer/article/1746322), and FreeBuf also has one, "Windows persistence technique: hiding a service" (https://www.freebuf.com/articles/system/254838.html). The main worry is that malware uses a similar technique as a post-compromise step.

Solution
---

- Because the command takes effect as soon as it is run, the key is to make sure that nobody who should not have the permission can run it.
- As mentioned above, getting it wrong is a real nuisance, so if you really have to run it, run sdshow first and compare the before and after states; if you can, record the whole process of running the command, and if it goes wrong, change it back immediately.
- If you are still not comfortable, add some monitoring and blocking measures.

References
---

- Security Descriptor Definition Language (Microsoft Learn, zh-tw)
  https://learn.microsoft.com/zh-tw/windows/win32/secauthz/security-descriptor-definition-language
- SDDL
  https://rootclay.gitbook.io/windows-access-control/security-descriptor-definition-language
- SDDL Security Descriptors
  https://tajdini.net/blog/forensics-and-security/sddl-security-descriptors/
- Setting permissions on a specified service in Windows with SDDL (Security Descriptor Definition Language)
  https://itw01.com/H2SE7FP.html
- SDDL Explained - Security Descriptor Definition Language
  https://clan8blog.wordpress.com/2016/08/08/sddl-explained/
- What is the SDDL string that describes Windows security settings?
  https://atmarkit.itmedia.co.jp/ait/articles/0603/25/news016.html
- Windows persistence technique: hiding a service
  https://www.freebuf.com/articles/system/254838.html
- Getting started with SDDL (Security Descriptor Definition Language)
  https://www.lewisroberts.com/2010/09/16/getting-started-with-sddl/
- Writing SDDL security templates
  https://blog.csdn.net/qinlicang/article/details/5538307
- SDDL CONVERSION WITH POWERSHELL
  https://poshscripter.wordpress.com/2017/04/27/sddl-conversion-with-powershell/
- Bypassing SACL Auditing on LSASS
  https://www.tiraniddo.dev/2017/10/bypassing-sacl-auditing-on-lsass.html
- Regex to parse SDDL
  https://tw.coderbridge.com/questions/6f3a3f542bb74e639f98f1522ffd06d8
- T1543.003: using ACLs to hide a malicious Windows service
  https://cloud.tencent.com/developer/article/1746322
- The Security Descriptor Definition Language of Love (Part 1)
  https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-security-descriptor-definition-language-of-love-part-1/ba-p/395202
- The Security Descriptor Definition Language of Love (Part 2)
  https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-security-descriptor-definition-language-of-love-part-2/ba-p/395258
- Windows security model for driver developers (Microsoft Learn, zh-tw)
  https://learn.microsoft.com/zh-tw/windows-hardware/drivers/driversecurity/windows-security-model
- DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) Syntax (Microsoft Learn, zh-tw)
  https://learn.microsoft.com/zh-tw/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax
- Security Descriptor Definition Language (Microsoft Learn, en-us)
  https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
- Red Team Tactics: Hiding Windows Services
  https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
- Security Descriptors
  https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptors
- Windows Access Control
  https://rootclay.gitbook.io/windows-access-control/
- Special commands: the SC command in detail
  https://blog.csdn.net/kxjrzyk/article/details/108505715
- How to set a Windows Service's permissions using ServiceControl and SDDL
  https://www.advancedinstaller.com/forums/viewtopic.php?t=49990
- sc.exe command list for running programs as Windows services
  https://www.gushiciku.cn/pl/gTU4/zh-tw
- The sc command
  https://www.jendow.com.tw/wiki/sc%E5%91%BD%E4%BB%A4
- Managing service state with the SC command
  https://www.twblogs.net/a/5b8c92312b7177188333c475
- Win7: finding current service information (part 1)
  https://pclevinblog.pixnet.net/blog/post/314560093-win7-%E6%9F%A5%E5%87%BA%E7%9B%AE%E5%89%8D%E6%9C%8D%E5%8B%99%E8%B3%87%E8%A8%8A%E4%B9%8B%E4%B8%80

###### tags: `Windows`
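The Solution section above recommends running sdshow before and after any sdset and comparing the two strings. The Python script below is an added example, not code from the original note: it parses the `D:` and `S:` sections of an SDDL string into ACEs, expands the rights abbreviations (the page's table plus DC, SD, WD and WO, which also appear in its sample strings), and reports per trustee which rights were added or removed between this page's before and after strings.

```python
import re
from collections import defaultdict

# Service-object rights abbreviations: the page's table plus the four standard
# rights (SD, RC, WD, WO) that also occur in its sample strings.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}  # AU (audit) ACEs live in the S: part
SECTION_RE = re.compile(r"([DS]):((?:[^():]*\([^)]*\))*)")  # a D: or S: section and its ACEs
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")  # (type;flags;rights;;;sid)

# The two strings from this page: the sdshow output, and the argument later given to sdset.
BEFORE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
          "(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
AFTER = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
         "(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRCRPWPDT;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def parse_sddl(sddl):
    """Return {'D': [...], 'S': [...]} with one dict per ACE in the DACL and the SACL."""
    out = {"D": [], "S": []}
    for kind, body in SECTION_RE.findall(sddl):
        for t, flags, rights, _obj, _inh, sid in ACE_RE.findall(body):
            if len(rights) % 2:  # rights are packed two letters per code, e.g. CCLCSW
                raise ValueError(f"odd-length rights field: {rights!r}")
            out[kind].append({"type": ACE_TYPES.get(t, t), "flags": flags, "trustee": sid,
                              "rights": {rights[i:i + 2] for i in range(0, len(rights), 2)}})
    return out

def dacl_table(sddl):
    """Collapse the DACL into {(trustee, 'allow'|'deny'): set of rights codes}."""
    table = defaultdict(set)
    for ace in parse_sddl(sddl)["D"]:
        table[(ace["trustee"], ace["type"])] |= ace["rights"]
    return table

def diff_dacl(before, after):
    """Rights added/removed per (trustee, type); sets are compared, so letter order in an ACE is irrelevant."""
    b, a = dacl_table(before), dacl_table(after)
    changes = {}
    for key in sorted(set(b) | set(a)):
        added, removed = a[key] - b[key], b[key] - a[key]
        if added or removed:
            changes[key] = {"added": sorted(RIGHTS.get(r, r) for r in added),
                            "removed": sorted(RIGHTS.get(r, r) for r in removed)}
    return changes
```

`diff_dacl(BEFORE, AFTER)` compares the two strings from this page; an empty result means no trustee gained or lost a right. The same call on two real sdshow captures gives the before/after comparison the Solution section asks for.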