5/13/2021 Creating Active Directory Labs for Blue and Red Teams

Creating Active Directory Labs for Blue and Red Teams
01.07.2020 redteaming vulnerability
Nowadays most enterprises are using Active Directory for building their internal
infrastructure. Therefore, it is important to understand common pitfalls and how
to detect adversarial activities in the network.

In this article, Sven Bernhard will describe how Blue and Red Teams can create Active Directory Labs for
training and testing purposes. He explains how to set up the Active Directory environment as well as how
to introduce common misconfigurations / vulnerabilities on purpose. Furthermore, a monitoring server
setup using Microsoft ATA is described.

Prerequisites
Think about how you would like to set up your lab environment:

1. Cloud
2. Hardware

Cloud
https://sec-consult.com/blog/detail/creating-active-directory-labs-for-blue-and-red-teams/ 1/58

Set up the lab on one of the cloud hosting providers such as AWS, Azure or Google Cloud.

Advantages:

Practically unlimited resources
Easily accessible from anywhere
You pay only while the lab is running

Disadvantages:

Can be very expensive (7 machines with 2 CPUs, 4 GB RAM and 80 GB of storage each cost around 300-400 USD per month if they run 24/7)

Hardware

The easiest way is to build the lab on your personal computer with virtualization software like
VirtualBox, VMware Workstation or Hyper-V, but a lot of resources are needed to have all machines up
and running at the same time. Therefore, I recommend building a dedicated lab server.
Used server hardware is cheap nowadays. An example configuration:

Part                                                                    Amount   Unit price ($)
Intel Xeon E5-2690v2 CPU                                                2x       290.00
Supermicro X9DRi-LN4F+ Motherboard                                      1x       170.00
128 GB (8×16 GB) DDR3 PC3-12800R (1600 MHz) ECC RAM                     1x       250.00
256 GB SSD                                                              1x        30.00
1 TB SSD                                                                1x       100.00
EE-ATX Case (e.g. Zofos Evo Window Big-Tower)                           1x       150.00
750-Watt Power Supply (e.g. Corsair XC Series 750 Watt 80 Plus Bronze)  1x        90.00
ZOTAC GeForce GT 730 Zone Edition 4GB DDR3 GPU                          1x        80.00
Noctua NH-U9S, Premium CPU Cooler                                       2x        60.00
TOTAL (amount × unit price)                                                     1570.00

Lab Setup

To install the Windows operating systems, Microsoft Windows Server evaluation versions can be used.
They are valid for 180 days, and the trial period can be extended (rearmed) up to six times for another
180 days each.

The evaluation versions can be downloaded here:

https://www.microsoft.com/de-de/evalcenter/evaluate-windows-server

To extend the period the following command must be issued once the trial period comes to an end:

PS > slmgr -rearm

To check how many days are left in the trial period just issue the following command:

PS > slmgr -dli

To check how many rearms are left just enter the following command:

PS > slmgr -dlv



Another option is an MSDN / Visual Studio subscription, which includes most Microsoft products; it costs
$1,199 for the first year and $799 per year for renewals.
https://visualstudio.microsoft.com/vs/pricing/


Installing The Domain Environment

Create VMs and install as many Windows Server 2016 / 2019 instances as you would like to have in your
lab; I recommend starting with 2-3 domain controllers and 2-3 member servers. The lab can be extended
over time. After installing a few Windows Server 2016 / 2019 VMs, it is time to create the forest, promote
the domain controllers and add some servers or workstations.

Create a Root Domain

The first step is to promote a parent domain controller in the forest root:

Open the Server Manager and go to Local Server.

Click on Computer name:

Click on Change:



Change the Computer name:

Restart the machine:

After the reboot, open Server Manager and click on Add roles and features:



As Installation Type choose Role-Based or feature-based installation:

“Select a server from the server pool” has the local server preselected; you just need to click on Next:


Choose Active Directory Domain Services and click on Add Features in the popup window:



Confirm 3 times with Next and then click on Install:



Wait for the installation to finish, click on the yellow exclamation mark at the top right of Server
Manager and choose Promote this server to a domain controller:

Choose the deployment configuration – Add a new forest – and enter your root domain name:



Enter a password and click on Next until you can click on Install:



Log in to the domain as administrator:

Set a static IP address for your server in Control Panel\Network and Internet\Network Connections:



Child Domain

The root domain controller is up and running; now it is time to promote a child domain controller. A child
domain automatically receives a two-way transitive trust with its parent, so no trust has to be created by
hand. The steps are almost the same as for the parent domain. The only difference is that we do not create
a new forest but add a new domain to the existing forest (Deployment Configuration). A user who is a
member of the Enterprise Admins group of the parent (forest root) domain must be used to create the
child domain.

Set a static IP for the machine and point its DNS to DC01:

Repeat the previous steps (how to promote a domain controller) until you reach the deployment
configuration.

As Deployment Configuration, choose Add a new domain to an existing forest and enter your details:



Set a DSRM password and confirm the installation by clicking on Next until you can choose Install:

After the reboot you can log in to the child domain controller:



Enrolling Computers

Now, some workstations / servers need to be installed and added to the network.

Also give the computers a static IP address and point their DNS to the domain’s DNS server / DC:

Click on Computer name in the Server Manager and rename the computer:



After the restart, join the domain under Workgroup (below Computer name in Server Manager):

Enter the credentials of a domain user who is allowed to join computers to the domain (e.g. a member of
the Enterprise Admins or Domain Admins group):



Repeat this step for every machine you want to add to your test network.
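The same build-out, scripted. This is an added example and not part of the original article: it reproduces the Server Manager click-through above (forest root, child domain, domain join, verification) with the ServerManager, ADDSDeployment and NetTCPIP cmdlets that ship with Windows Server 2016 / 2019. The names are assumptions: forest root sec.lab.local on DC01 (10.0.0.10), child domain child.sec.lab.local on DC02 (10.0.0.11), member server SRV01 (10.0.0.20), gateway 10.0.0.1, adapter alias "Ethernet". Each block runs elevated on the machine named in its comment, and each promotion triggers a reboot.

```powershell
# Added example (not from the original article). Assumed names: sec.lab.local / SEC,
# DC01 10.0.0.10, DC02 10.0.0.11 (child.sec.lab.local), SRV01 10.0.0.20, gateway 10.0.0.1.

# --- DC01: forest root (run, reboot after Rename-Computer, then run the rest) ---
Rename-Computer -NewName 'DC01' -Restart
# static IP first, so the promotion wizard does not complain about DHCP
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 10.0.0.10 -PrefixLength 24 -DefaultGateway 10.0.0.1
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 127.0.0.1
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString 'DSRM password'
Install-ADDSForest -DomainName 'sec.lab.local' -DomainNetbiosName 'SEC' `
    -SafeModeAdministratorPassword $dsrm -InstallDns -Force          # reboots when done

# --- DC02: child domain in the existing forest (same pattern) -------------------
Rename-Computer -NewName 'DC02' -Restart
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 10.0.0.11 -PrefixLength 24 -DefaultGateway 10.0.0.1
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.0.0.10   # point at DC01
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString 'DSRM password'
$ea   = Get-Credential 'SEC\Administrator'   # must be an Enterprise Admin of the forest root
Install-ADDSDomain -NewDomainName 'child' -ParentDomainName 'sec.lab.local' -NewDomainNetbiosName 'CHILD' `
    -DomainType ChildDomain -Credential $ea -SafeModeAdministratorPassword $dsrm -InstallDns -Force

# --- SRV01: member server ---------------------------------------------------------
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 10.0.0.20 -PrefixLength 24 -DefaultGateway 10.0.0.1
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.0.0.10
Add-Computer -DomainName 'sec.lab.local' -NewName 'SRV01' `
    -Credential (Get-Credential 'SEC\Administrator') -Restart

# --- verification, from DC01 once everything has rebooted -------------------------
Get-ADForest | Select-Object RootDomain, Domains
Get-ADDomainController -Filter * | Select-Object HostName, Domain, IPv4Address
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType   # shows the automatic parent/child trust
```

The verification at the end is the part worth keeping around: the Get-ADTrust output is where the automatic parent/child trust shows up, and Get-ADDomainController is the quickest way to see that both DCs registered in DNS.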

Introducing Vulnerabilities / Misconfigurations

Below are some examples of how to introduce vulnerabilities / misconfigurations into the systems.

Vulnerable Services

To introduce a vulnerable service, you can either look for software that already ships with a vulnerable
service, or simply modify an existing one, for example by granting a low-privileged user / group
permission to manage it. Vulnerable services must be configured directly on the machine where the
service is running, using the local administrator of that computer.

To change the permissions of a service one of the following methods can be used:

SC.exe:

A standard built-in way to manage service permissions is the Service Controller utility (sc.exe). The
current security descriptor of a service is printed in SDDL format like this:

PS > sc.exe sdshow <SERVICE NAME>


The first letter inside each parenthesised ACE is its type: allow (A) or deny (D).
The following two-letter codes are the rights granted on the service (the codes SD, WD and WO show
up in the Administrators ACE of the example below):

CC — SERVICE_QUERY_CONFIG (read the service configuration)
DC — SERVICE_CHANGE_CONFIG (change the service configuration, e.g. the binary path)
LC — SERVICE_QUERY_STATUS (query the service status)
SW — SERVICE_ENUMERATE_DEPENDENTS
LO — SERVICE_INTERROGATE
CR — SERVICE_USER_DEFINED_CONTROL
RC — READ_CONTROL (read the security descriptor)
RP — SERVICE_START
WP — SERVICE_STOP
DT — SERVICE_PAUSE_CONTINUE
SD — DELETE
WD — WRITE_DAC (change the permissions)
WO — WRITE_OWNER

The last field of each ACE is the trustee (a two-letter alias for a well-known user or group, or a SID)
that the rights apply to. Note that a code such as DC or WD is read as a right or as a trustee depending
on its position in the ACE.

A list of possible trustee aliases:

Alias  Meaning
AU     Authenticated Users
AO     Account Operators
RU     Pre-Windows 2000 Compatible Access
AN     Anonymous Logon
BA     Built-in Administrators
BG     Built-in Guests
BO     Backup Operators
BU     Built-in Users
CA     Certificate Server Administrators
CG     Creator Group
CO     Creator Owner
DA     Domain Administrators
DC     Domain Computers
DD     Domain Controllers
DG     Domain Guests
DU     Domain Users
EA     Enterprise Administrators
ED     Enterprise Domain Controllers
WD     Everyone
PA     Group Policy Administrators
IU     Interactively Logged-on User
LA     Local Administrator
LG     Local Guest
LS     Local Service Account
SY     Local System
NU     Network Logon User
NO     Network Configuration Operators
NS     Network Service Account
PO     Printer Operators
PS     Principal Self
PU     Power Users
RS     RAS Servers Group
RD     Terminal Server Users
RE     Replicator
RC     Restricted Code
SA     Schema Administrators
SO     Server Operators
SU     Service Logon User

To set the permissions the following syntax is used:

PS > sc.exe sdset <service name> <security descriptor in SDDL format>

For example, the following command keeps the default ACEs of the Print Spooler service and appends one
ACE that lets a chosen user or group start (RP), stop (WP) and send user-defined controls (CR) to the
service:

PS > sc.exe sdset spooler "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;<SID of user or group>)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

sdset replaces the whole descriptor, so always start from the output of sdshow rather than from a
hand-written string; otherwise the existing ACEs (including the SYSTEM and Administrators entries) are
lost.
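The sdshow / sdset pair above can be wrapped so that the same script both introduces the weak DACL and, on the blue side, finds every service whose DACL hands tamper rights to someone other than SYSTEM or Administrators. This is an added example, not code from the original article; it uses only sc.exe and the .NET SDDL parser, so there is nothing to install. Assumed names: the spooler service and the lab user SEC\user01. Run it elevated on the member server.

```powershell
# Added example (not from the original article). Assumed: service "spooler", user SEC\user01.

# service-specific access mask bits (winsvc.h) that let a trustee tamper with a service
$ServiceRights = @{
    SERVICE_CHANGE_CONFIG = 0x0002   # rewrite binPath -> run arbitrary code as the service account
    SERVICE_START         = 0x0010
    SERVICE_STOP          = 0x0020
    DELETE                = 0x10000
    WRITE_DAC             = 0x40000
    WRITE_OWNER           = 0x80000
}
# trustees that are expected to hold these rights on a service
$Expected = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators

function Get-ServiceSddl([string]$Name) {
    # sc.exe prints the descriptor on a single line that starts with "D:"
    (sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
}

function Grant-LabServiceRights {
    # Appends an allow ACE (start, stop, change config) for $Account to the existing
    # DACL. Building on the sdshow output keeps the SYSTEM / Administrators ACEs intact.
    param([string]$Name, [string]$Account)
    $sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
    $sddl = Get-ServiceSddl $Name
    $ace  = "(A;;RPWPDC;;;$sid)"
    # insert before the SACL part ("S:") if there is one, otherwise append
    $new  = if ($sddl -match '^(D:.*?)(S:.*)$') { $Matches[1] + $ace + $Matches[2] } else { $sddl + $ace }
    sc.exe sdset $Name $new | Out-Null
    return $new
}

function Find-WeakServiceAcl {
    # Blue-team side: for every service, report allow ACEs that give tamper rights
    # to anyone who is not SYSTEM, Administrators or a per-service SID (S-1-5-80-*).
    foreach ($svc in Get-Service) {
        $sddl = Get-ServiceSddl $svc.Name
        if (-not $sddl) { continue }
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            $sid = $ace.SecurityIdentifier.Value
            if ($sid -in $Expected -or $sid -like 'S-1-5-80-*') { continue }
            $hits = $ServiceRights.GetEnumerator() |
                    Where-Object { $ace.AccessMask -band $_.Value } | ForEach-Object Key
            if ($hits) {
                $who = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
                       catch { $sid }
                [pscustomobject]@{ Service = $svc.Name; Trustee = $who; Rights = ($hits -join ',') }
            }
        }
    }
}

# introduce the misconfiguration, then confirm the audit catches it
Grant-LabServiceRights -Name 'spooler' -Account 'SEC\user01'
Find-WeakServiceAcl | Format-Table -AutoSize
```

The audit deliberately works on the raw access mask rather than on the two-letter codes: RawSecurityDescriptor resolves aliases such as BA or SY to SIDs for you, so the well-known trustees can be excluded by SID instead of by guessing at every alias spelling.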

Windows Security Templates:

Another option to grant rights to a service is a Security Template.

First, press Windows + R and open the Microsoft Management Console (mmc.exe):

Add the Security Templates snap-in (CTRL+M for add or remove snap-ins). Add Security Configuration
and Analysis and Security Templates:


It is possible to specify your own path by right-clicking on Security Templates in the console tree and
selecting New Template Search Path…. If no path is selected, the default path
%USERPROFILE%\Documents\Security\Templates is used.

Right click on the path in the tree structure and choose New Template…:

Choose a Template name and click OK. A new template is visible in the console:

A Security Database is required. Right-click Security Configuration and Analysis from the console tree
and select Open Database… Enter a name for the database and click Open:


An Import Template window appears. Browse to the previously created template and select it:


Right-click Security Configuration and Analysis from the console tree and select Analyze Computer Now…

A tree structure for Security Configuration and Analysis was created:

Double-click System Services and scroll down to find the service you need to change, e.g. Print Spooler,
and double-click on it. Tick the box Define this policy in the database:



Click the Edit Security… button, click on Add and type in the group or user you want to grant
permissions to:



With the account selected grant the needed permissions and click OK.

Click OK on the Service Properties to bring you back to the console. The service now will appear with
an X next to it as well as an Investigate message on the Permission column:



This is because the new permissions conflict with what is configured on the local machine. To apply the
new permissions, right-click on Security Configuration and Analysis in the console tree and select
Configure Computer Now…

Now the service can be abused by the configured user / group.

PowerShellAccessControl Module:

It is also possible to use PowerShell to misconfigure a service on a computer. A PowerShell module
called PowerShellAccessControl can be found in the TechNet Gallery (the gallery has since been retired,
so the link may no longer resolve). This module can be used to manage permissions on different kinds of
Windows objects.

To download the module just click here: https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83

Import the module into your current PowerShell session:

PS > Import-Module PowerShellAccessControl

View the granted permissions:

PS > Get-Service spooler | Get-EffectiveAccess -Principal SEC\user01

Grant a non-administrative user the right to interact with a service:

PS > Get-Service spooler | Add-AccessControlEntry -ServiceAccessRights Start,Stop -Principal SEC\user01

Now SEC\user01 is able to start and stop the spooler service.

Unquoted Service Paths:

If a service’s executable path contains spaces and is not enclosed in quotes, the service is exposed to a
vulnerability known as Unquoted Service Path: when starting the service, Windows tries each prefix of
the path in turn (C:\Program.exe, C:\Program Files\Some.exe, …), so an adversary who can write to one
of those directories can plant a binary that is executed as the service account, which enables privilege
escalation.

To make an installed service vulnerable, edit its ImagePath in the Windows Registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Name of Service]

To open the registry editor just use Windows+R and type regedit.

Next open the Services folder in the tree structure and modify the ImagePath of the service so that the
quotes around the path are removed:


Service abuse usually leads to local privilege escalation. Once an adversary has taken over a user / group
that can interact with a service, it is for example possible to stop the service, exchange its binary with a
malicious one and restart the service. More information on local privilege escalation can be found in the
SEC Consult article “Windows Privilege Escalation – an Approach for Penetration Testers“.
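For the unquoted-path case, the registry edit above can be scripted and paired with the check a blue team would run against every service. This is an added example, not code from the original article. Assumed names: service "LabAgent" installed under C:\Lab Tools\Agent\agent.exe (a copy of svchost.exe standing in for a real binary). The setup function runs elevated; the audit is more telling when run as the low-privileged user whose write access you want to know about.

```powershell
# Added example (not from the original article). Assumed: C:\Lab Tools\Agent\agent.exe, service "LabAgent".

function New-UnquotedLabService {
    # Registers a service whose ImagePath has spaces but no quotes, exactly the
    # situation described in the text, and makes one intermediate directory writable.
    param([string]$Name = 'LabAgent', [string]$Dir = 'C:\Lab Tools\Agent')
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    Copy-Item "$env:SystemRoot\System32\svchost.exe" -Destination (Join-Path $Dir 'agent.exe') -Force
    New-Service -Name $Name -BinaryPathName (Join-Path $Dir 'agent.exe') -StartupType Manual | Out-Null
    # set ImagePath explicitly so the result is unquoted regardless of how New-Service formatted it
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -Name ImagePath `
        -Value (Join-Path $Dir 'agent.exe')
    # a careless installer's permissions: everyone may write into C:\Lab Tools
    icacls 'C:\Lab Tools' /grant 'Everyone:(OI)(CI)(M)' | Out-Null
}

function Test-DirectoryWritable([string]$Path) {
    # Tries to create and delete a throw-away file; avoids trusting the ACL alone.
    try {
        $probe = Join-Path $Path ([guid]::NewGuid().ToString())
        [IO.File]::WriteAllText($probe, '')
        Remove-Item $probe -Force
        $true
    } catch { $false }
}

function Find-UnquotedServicePath {
    # Blue-team side: for every service whose ImagePath is unquoted and has a space
    # before the .exe, list the paths Windows would try first ("hijack candidates")
    # and whether the current user could write to the directory of each one.
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"' -and
        $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
        ($_.PathName -replace '\.exe.*$', '.exe') -match ' '
    } | ForEach-Object {
        $exe   = $_.PathName -replace '\.exe.*$', '.exe'      # drop arguments
        $parts = $exe -split ' '
        # C:\Lab Tools\Agent\agent.exe -> C:\Lab.exe ; C:\Lab Tools\Agent\agent.exe ...
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
        foreach ($c in $candidates) {
            [pscustomobject]@{
                Service   = $_.Name
                ImagePath = $_.PathName
                Candidate = $c
                Writable  = Test-DirectoryWritable (Split-Path $c -Parent)
            }
        }
    }
}

New-UnquotedLabService
Find-UnquotedServicePath | Format-Table -AutoSize
```

Remove the lab service again with sc.exe delete LabAgent once you are done. The candidate list is the useful part for detection: a Writable = True row is the exact spot where a low-privileged user could drop the hijacking binary.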

Active Sessions

To create an active session, you can either just log in to the server manually (and take a snapshot while
the machine is running), or use Autologon from the Sysinternals Suite:

https://docs.microsoft.com/en-us/sysinternals/downloads/autologon

It is a portable executable where you just enter the credentials and the domain name and click
on Enable. From now on, the selected user automatically logs on once the machine starts.

Autologon stores the password as an LSA secret rather than as plaintext in the Winlogon registry key, so
it cannot simply be read by browsing the registry; a local administrator can still dump LSA secrets, which
is itself a worthwhile scenario for the lab.

Credential-Manager

Different credentials can be saved in the Windows Credential Manager: credentials of local or domain
users as well as credentials for other programs such as Internet Explorer.

To save website credentials for Internet Explorer, just browse to a web application, log in and click on
save credentials. The credentials are now stored in the Credential Manager and can be obtained by
adversaries.

To expose domain or local credentials, the runas command with the parameter /savecred can be used:

PS > runas /user:<DOMAIN\USERNAME> /savecred <PROGRAM>

This will save the user credentials in the local credential manager:



SPN Misconfiguration (Kerberoast)

Service principal names (SPNs) uniquely identify each instance of a service. To enable Kerberos
authentication to a service, its SPN must be registered on the account (computer or user) the service
runs as.

Any adversary holding a valid Kerberos ticket-granting ticket (TGT) may request service tickets (TGS) for
any SPN from a domain controller. The ticket is encrypted with a key derived from the service account’s
password (for RC4 tickets, the account’s NT hash), so it can be brute-forced offline without touching the
domain again. A cracked password enables persistence, privilege escalation and lateral movement
through that account. Computer account passwords are long and random, so the attack is only practical
against SPNs registered on user accounts.

To make an SPN vulnerable, register it on a user account with a weak password.

Enter the following commands on the domain controller:

PS > net user user01 'Pa$$w0rd' /ADD /DOMAIN

PS > setspn -s http/srv01.sec.lab.local:80 user01



Pre-Authentication Misconfiguration (AS-REP Roast)

AS-REP roasting requires that Kerberos pre-authentication is disabled for a user account. Without
pre-authentication an adversary can send an AS-REQ for that user without knowing the password; the
KDC answers with an AS-REP whose encrypted part is derived from the user’s password hash, and that
part can be brute-forced offline.

The misconfiguration can be introduced on the domain controller as follows:

Open Active Directory Users and Computers:

Create a new user by expanding the domain tree and right-clicking on the Users container:

After the user was created and the password was set, right-click on the user, open Properties, click
on Account and set the option “Do not require Kerberos preauthentication”:
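Both roastable accounts (the Kerberoast user from the previous section and the AS-REP roast user from this one) can be created with the ActiveDirectory module, and the same script can then enumerate the domain for them, which is the check a blue team should schedule. This is an added example, not part of the original article. Assumed names: users user01 (SPN http/srv01.sec.lab.local:80) and user02 (no pre-authentication), both with the deliberately weak password from above. Run on a domain controller or a machine with RSAT.

```powershell
# Added example (not from the original article). Assumed: user01 / user02, http/srv01.sec.lab.local:80.
Import-Module ActiveDirectory

function New-RoastableLabAccounts {
    $weak = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force   # deliberately weak

    # Kerberoast: a *user* account carrying an SPN (computer accounts have random passwords)
    New-ADUser -Name 'user01' -SamAccountName 'user01' -AccountPassword $weak -Enabled $true `
        -ServicePrincipalNames @('http/srv01.sec.lab.local:80') -PasswordNeverExpires $true

    # AS-REP roast: a user with "Do not require Kerberos preauthentication"
    New-ADUser -Name 'user02' -SamAccountName 'user02' -AccountPassword $weak -Enabled $true
    Set-ADAccountControl -Identity 'user02' -DoesNotRequirePreAuth $true
}

function Find-RoastableAccounts {
    # LDAP matching-rule 1.2.840.113556.1.4.803 = bitwise AND on userAccountControl:
    # 2 = ACCOUNTDISABLE, 4194304 (0x400000) = DONT_REQ_PREAUTH
    $enabledUser = '(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

    # Kerberoastable: enabled users with an SPN. krbtgt is skipped because its tickets
    # are protected by the KDC's own key and are not crackable this way.
    $spnUsers = Get-ADUser -LDAPFilter "(&$enabledUser(servicePrincipalName=*))" `
                    -Properties ServicePrincipalName, PasswordLastSet, MemberOf |
                Where-Object { $_.SamAccountName -ne 'krbtgt' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Type            = 'Kerberoast'
                        Account         = $_.SamAccountName
                        Detail          = ($_.ServicePrincipalName -join ', ')
                        PasswordLastSet = $_.PasswordLastSet
                        Privileged      = [bool]($_.MemberOf -match 'Admins')   # rough hint, refine per domain
                    }
                }

    # AS-REP roastable: enabled users with DONT_REQ_PREAUTH set
    $noPreAuth = Get-ADUser -LDAPFilter "(&$enabledUser(userAccountControl:1.2.840.113556.1.4.803:=4194304))" `
                    -Properties PasswordLastSet, MemberOf |
                 ForEach-Object {
                    [pscustomobject]@{
                        Type            = 'AS-REP roast'
                        Account         = $_.SamAccountName
                        Detail          = 'DONT_REQ_PREAUTH set'
                        PasswordLastSet = $_.PasswordLastSet
                        Privileged      = [bool]($_.MemberOf -match 'Admins')
                    }
                 }

    @($spnUsers) + @($noPreAuth)
}

New-RoastableLabAccounts
Find-RoastableAccounts | Format-Table -AutoSize
```

The audit uses raw LDAP filters on userAccountControl on purpose: they are the same queries an attacker's enumeration tooling sends, so what this script lists is what an adversary with any domain account can see. PasswordLastSet and group membership are what turn the list into priorities: an old password on an SPN account in an admin group is the one to fix first.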



GPO Misconfiguration

A Group Policy Object (GPO) is an Active Directory container for group policy settings, which are used to
control users and computers. GPOs can allow or disallow certain actions for a group of users or
computers, for example disabling local admin access.

In our example we create a GPO which grants local administrator permissions on a specific server, and
then delegate edit rights on that GPO to another user. If an adversary takes over this user, it is possible
to change the GPO and create their own local administrators on every machine the GPO is linked to.

Perform the following steps on a domain controller:

In Server Manager click on Tools and then on Group Policy Management:

Right-click on the desired OU and click on Create a GPO in this domain, and Link it here…:


Create a group for the GPO. Go to Active Directory Users and Computers, right-click on the desired OU,
click on New and choose Group:



Create the group:

Configure the GPO:



Press Edit… and the Group Policy Management Editor pops up. In the editor go to Computer
Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups, right-click and
add the previously created group (LocalAdmins) to the GPO. Under This group is a member of, add
Administrators:



Click on OK:

Update the Group Policy settings using gpupdate:

PS > gpupdate /force


Now all users in the LocalAdmins group have local admin permissions on the linked machines. Next, give
a domain user edit rights on the GPO: click on the created GPO, go to the Delegation tab and Add… the
user.

SEC\user01 now has permission to Edit settings, delete, modify security on the GPO and is able to abuse
this in several ways to compromise the machines / users the GPO applies to, for example by pushing
malicious startup scripts or installing a backdoor.
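The delegation part of this walkthrough can be built with the GroupPolicy module, and the same module gives you the audit: list every GPO on which someone outside the default administrative principals holds edit rights, together with where that GPO is linked. This is an added example, not code from the original article. Assumed names: GPO and group "LocalAdmins", target OU OU=Servers,DC=sec,DC=lab,DC=local, delegate user01. The Restricted Groups setting itself has no cmdlet, so configure that part in the editor as described above.

```powershell
# Added example (not from the original article). Assumed: GPO/group "LocalAdmins",
# OU=Servers,DC=sec,DC=lab,DC=local, delegate user01.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function New-DelegatedLabGpo {
    param([string]$Name = 'LocalAdmins',
          [string]$Target = 'OU=Servers,DC=sec,DC=lab,DC=local',
          [string]$Delegate = 'user01')
    New-ADGroup -Name $Name -GroupScope Global -Path $Target -ErrorAction SilentlyContinue
    $gpo = New-GPO -Name $Name
    New-GPLink -Guid $gpo.Id -Target $Target -LinkEnabled Yes | Out-Null
    # the misconfiguration: a plain user receives edit + delete + modify-security rights on the GPO
    Set-GPPermission -Guid $gpo.Id -TargetName $Delegate -TargetType User `
        -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
    $gpo
}

function Find-DelegatedGpoEditors {
    # Blue-team side: principals that are expected to hold edit rights on any GPO.
    $expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission.ToString() -in 'GpoEdit', 'GpoEditDeleteModifySecurity' -and
                           $_.Trustee.Name -notin $expected } |
            ForEach-Object {
                [pscustomobject]@{
                    GPO        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Type       = $_.Trustee.SidType
                    Permission = $_.Permission
                    # OUs whose gPLink attribute references this GPO's GUID
                    LinkedTo   = (Get-ADOrganizationalUnit -LDAPFilter "(gPLink=*$($gpo.Id)*)" |
                                  ForEach-Object DistinguishedName) -join '; '
                }
            }
    }
}

New-DelegatedLabGpo | Out-Null
Find-DelegatedGpoEditors | Format-Table -AutoSize
```

The LinkedTo column is what makes a finding actionable: a user with edit rights on a GPO that is linked nowhere is a cleanup item, while one on a GPO linked to the Servers OU is a path to local administrator on every machine in it.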

Misconfigured Permissions

ACLs and ACEs define the permissions on specific objects (users, computers, groups) in Active Directory,
e.g. who may change account names, reset passwords, etc.

The following table shows some permissions which can be abused by adversaries:

ACE right            Function
GenericAll           Full permissions on an object
GenericWrite         Almost full permissions on an object; many attributes can be updated
WriteOwner           Change the object’s owner
WriteDACL            Modify the object’s DACL, which lets adversaries grant themselves full access to the object
AllExtendedRights    All extended rights on the object, e.g. resetting a user’s password
ForceChangePassword  Reset a user’s password without knowing the current one
Self                 Permission to add yourself as a member of a group

In this example we use the previously created LocalAdmins group and hand control over its membership
to a specific user. The Managed By tab used below grants write access to the group’s member attribute;
GenericAll and the other rights from the table can be granted on the Security tab, which is visible once
Advanced Features is enabled under View.

Open Active Directory Users and Computers on the domain controller, right-click on our group and click
on Properties. Under Member Of add the Builtin Administrators group, so that members of LocalAdmins
are also administrators in the domain:



Go to the tab Managed By and click on Change to choose a domain user which will have the permissions
managing this group:

Tick Manager can update membership list:



Apply the settings. An adversary who compromises SEC\user02 can now add arbitrary accounts to the
LocalAdmins group and thereby become local administrator on the linked machines (and, through the
Builtin Administrators membership, an administrator on the domain controllers).

Unconstrained Delegation

Delegation is used when a server or service account needs to impersonate a user, for example a front-end
web server that accesses a backend database on behalf of the connecting user. If unconstrained
delegation is configured on a server, the server may impersonate connecting users towards any service.
Both computer and user objects can be trusted for unconstrained delegation; normally it is assigned to
computers running services.

How to set up unconstrained delegation:

Go to Active Directory Users and Computers on the domain controller, right-click on the computer where
the service is running, open the Delegation tab and tick Trust this computer for delegation to any service
(Kerberos only):



Click on OK and verify if everything worked. To verify click on View and tick Advanced Features:


Open Properties of the computer again and click on Attribute Editor. The attribute userAccountControl
should now contain the TRUSTED_FOR_DELEGATION flag:

The TGT of every user who authenticates to this server with Kerberos is forwarded to the server and
cached in LSASS memory, where an adversary with local administrator rights can extract and reuse it.

Constrained Delegation

Constrained delegation limits the services that a machine trusted for delegation can access on behalf of
an authenticated user. If a user or computer account with constrained delegation enabled is compromised,
it is possible to impersonate domain users towards the specific services the account is trusted to
delegate to.

How to set up constrained delegation:

Open Active Directory Users and Computers on the domain controller and open the Properties of the
computer. On the Delegation tab choose Trust this computer for delegation to specified services only –
Use Kerberos only and click on Add to choose the service:

Verify in the server’s Properties that the configuration worked by checking whether the
msDS-AllowedToDelegateTo attribute is set:

In this case constrained delegation limits the server to authenticating on behalf of a user to the
SPN CIFS/SRV01.SEC.LAB.LOCAL.

If an adversary compromises the server, they can take the cached service tickets of users who
authenticated to it and use them (via S4U2Proxy) to obtain a ticket for CIFS/SRV01.SEC.LAB.LOCAL on
behalf of those users, i.e. read the files on the target system as them.
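Both delegation settings from the last two sections can be set with the ActiveDirectory module, and a single query per delegation type finds every object in the domain that carries them. This is an added example, not code from the original article. Assumed names: computer accounts SRV02 (unconstrained) and WEB01 (constrained to cifs/srv01.sec.lab.local); the audit skips domain controllers, which are unconstrained by design.

```powershell
# Added example (not from the original article). Assumed: SRV02 (unconstrained), WEB01 (constrained).
Import-Module ActiveDirectory

function Set-LabDelegation {
    # unconstrained: sets TRUSTED_FOR_DELEGATION (0x80000) in userAccountControl
    Set-ADAccountControl -Identity 'SRV02$' -TrustedForDelegation $true

    # constrained, "Use Kerberos only": msDS-AllowedToDelegateTo lists the permitted SPNs.
    # Adding -TrustedToAuthForDelegation $true would turn this into "Use any authentication protocol".
    Set-ADComputer -Identity 'WEB01' -Add @{ 'msDS-AllowedToDelegateTo' = 'cifs/srv01.sec.lab.local' }
}

function Find-DelegationTrusts {
    # Blue-team side: everything trusted for delegation, except the DCs themselves.
    $dcs = (Get-ADDomainController -Filter *).ComputerObjectDN

    # userAccountControl bitwise AND 524288 (0x80000) = TRUSTED_FOR_DELEGATION
    $unconstrained = Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
                        -Properties samAccountName |
                     Where-Object { $_.DistinguishedName -notin $dcs } |
                     ForEach-Object {
                        [pscustomobject]@{ Account = $_.samAccountName; Class = $_.ObjectClass
                                           Delegation = 'Unconstrained'; Targets = '(any service)' }
                     }

    $constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
                        -Properties samAccountName, 'msDS-AllowedToDelegateTo', userAccountControl |
                   ForEach-Object {
                        # 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition)
                        $transition = [bool]($_.userAccountControl -band 0x1000000)
                        [pscustomobject]@{
                            Account    = $_.samAccountName
                            Class      = $_.ObjectClass
                            Delegation = if ($transition) { 'Constrained + protocol transition' } else { 'Constrained (Kerberos only)' }
                            Targets    = ($_.'msDS-AllowedToDelegateTo' -join ', ')
                        }
                   }

    @($unconstrained) + @($constrained)
}

Set-LabDelegation
Find-DelegationTrusts | Format-Table -AutoSize
```

The Delegation column distinguishes the two constrained variants on purpose: with protocol transition enabled the account can mint a service ticket for any user via S4U2Self without that user ever authenticating to it, which removes the "wait for a victim to connect" precondition described in the text.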

Installing Detection Capabilities


To detect malicious behavior, tools like Splunk, Kibana or Microsoft ATA can be used. In this example
we set up Microsoft ATA as our detection capability.

Advanced Threat Analytics (ATA) is a platform that helps protect enterprises from multiple types of
cyber-attacks and insider threats. ATA is using a network parsing engine to capture and parse network
traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication,
authorization, and information gathering. It is monitoring the network using port mirroring from Domain
Controllers and other important computers.

More information about ATA can be found at:

https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata
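Before installing ATA it is worth seeing what the domain controller's own Security log already gives you for the two roasting attacks set up earlier, because that is what the SIEM-based options mentioned above end up parsing. This is an added example, not part of the original article. It assumes that the subcategories "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" are enabled on the DCs (Default Domain Controllers Policy -> Advanced Audit Policy Configuration -> Account Logon) and runs on a DC, or with -ComputerName pointing at one.

```powershell
# Added example (not from the original article). Assumes Kerberos auditing is enabled on the DC.

function ConvertFrom-EventData {
    # Flattens the <EventData> of a Security event into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{ Time = $Event.TimeCreated }
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-KerberoastCandidates {
    # 4769 = service ticket requested. An RC4 (0x17) ticket for a *user* SPN is the classic
    # Kerberoast signature: normal clients request AES, and cracking tools ask for RC4.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-EventData $_ } |
    Where-Object {
        $_.TicketEncryptionType -eq '0x17' -and    # RC4-HMAC
        $_.Status -eq '0x0' -and                   # ticket was actually issued
        $_.ServiceName -notlike '*$' -and          # user account, not a computer account
        $_.ServiceName -ne 'krbtgt'
    } |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.Time; Requester = $_.TargetUserName; FromIP = $_.IpAddress
                           Service = $_.ServiceName; Alert = 'Possible Kerberoast (RC4 TGS for user SPN)' }
    }
}

function Get-AsRepRoastCandidates {
    # 4768 = TGT requested. PreAuthType 0 means the KDC answered without pre-authentication,
    # which only happens for accounts with DONT_REQ_PREAUTH set.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-EventData $_ } |
    Where-Object { $_.PreAuthType -eq '0' -and $_.Status -eq '0x0' } |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.Time; Requester = $_.TargetUserName; FromIP = $_.IpAddress
                           Service = 'krbtgt'; Alert = 'Possible AS-REP roast (TGT issued without pre-auth)' }
    }
}

# One source address requesting tickets for many user SPNs in a short window is the tell,
# so group the Kerberoast hits by client IP before looking at individual rows.
Get-KerberoastCandidates | Group-Object FromIP |
    Select-Object @{n = 'FromIP'; e = { $_.Name }}, Count,
                  @{n = 'Services'; e = { ($_.Group.Service | Sort-Object -Unique) -join ', ' }}
Get-AsRepRoastCandidates | Format-Table -AutoSize
```

Run a Kerberoast against user01 from a workstation, then run this on the DC: the grouped output should show the workstation's address with the http/srv01 SPN. Legitimate RC4 requests for user SPNs do occur (older applications, service accounts without AES keys), which is why the grouping by source and count matters more than any single event.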

To download a 90-day trial version of ATA visit the following link:

https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics

Before we start the installation, make sure that the computer where you install ATA has internet access.
Use a dedicated monitoring machine to set it up and give the machine enough resources (6 GB+ of
RAM).

In this example we will setup our ATA on a second domain controller. The installation process is straight
forward. First, we attach the downloaded ISO to our monitoring server and open it in the Explorer:



Just double click on Microsoft ATA Center Setup. Choose your language:

Accept terms and conditions and click next:



Check for updates:

Choose the database and install path and install a self-signed certificate:



Click on Launch:



Internet Explorer will open; accept the certificate warning (only do this for your lab setup, don’t accept
certificate warnings on production machines!):

Create an ATA user on the DC in Active Directory Users and Computers:


Enter the credentials of the ATA user into the ATA instance, click on Test connection and, if the
connection succeeded, click on Save:

Click on Download Gateway Setup and Install the first Gateway to install the ATA Gateway:

Click on Gateway Setup and download the Gateway file to your computer:

Copy the file to your Domain Controller and start the Microsoft ATA Gateway Setup:

Choose the language and click on Next:

Click on Install and wait until the process is done:

As soon as the installation process is done, click on Finish:

Back on the ATA Center, the Domain Controller is added as a Gateway:

Click on the name of the Domain Controller and set Domain synchronizer candidate to On:

The Gateway will be synced. Please note that this process will take some time:


Conclusion

Congratulations, you have built your first Active Directory lab. With such a basic setup you can perform
different types of attacks and check whether an alert is triggered and what it looks like. Of course, you
can extend the lab to your needs, add different servers and workstations, and exchange ATA for your
favorite solution.

Sources:

https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html

https://adsecurity.org/?p=1684

http://www.harmj0y.net/blog/redteaming/kerberoasting-revisited/

http://www.harmj0y.net/blog/redteaming/another-word-on-delegation/

http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/

http://www.labofapenetrationtester.com/

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview

http://woshub.com/set-permissions-on-windows-service/

https://rastamouse.me/2019/01/gpo-abuse-part-1/

https://pentestmag.com/gpo-abuse-you-cant-see-me/

https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1

https://medium.com/@riccardo.ancarani94/exploiting-unconstrained-delegation-a81eabbd6976

https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata

https://docs.microsoft.com/de-de/advanced-threat-analytics/install-ata-step1

https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation

https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation

https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces