SDDL Security Descriptors


Some notes to myself to use as a reference guide and to gain a better understanding of the privileges and rights assigned to Windows services in the form of SDDL security descriptor strings.


SDDL

The Windows Security Descriptor Definition Language defines the string format used to describe a security descriptor as a text string, commonly used to define an ACL (list of ACEs) for a Windows service.

Take the following userlogger service from an old Hack The Box machine:

C:\util> sc qc userlogger
sc qc userlogger
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: userlogger
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\windows\system32\UserLogger.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : User Logger
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem

The SERVICE_START_NAME defines the account, and therefore the privileges, with which the service runs; in this instance it is LocalSystem, or in other words NT AUTHORITY\SYSTEM.

We can request the SDDL string applied to the userlogger service using the following command:

C:\util> sc sdshow userlogger
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) 



ACE Structure


Each ACE in an SDDL string is enclosed in parentheses, so the userlogger service's descriptor contains six ACEs. One of them is shown below:

(A;;CCLCSWRPWPDTLOCRRC;;;SY)

Each ACE contains five semicolon-terminated fields, followed by the SID of the trustee the ACE applies to. The structure is as follows, with each field labelled:

(ace_type; ace_flags; rights; object_guid; inherit_object_guid; account_sid)

For this individual ACE only the ace_type and rights fields are set, and they apply to SY, which represents LocalSystem; this ACE is therefore assigned to NT AUTHORITY\SYSTEM.

The account_sid field has a set of predefined aliases; a table of them is in the Predefined Account SIDs section below. You also have the option of supplying a specific SID in the account_sid field when configuring an ACE:

(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)

The account_sid identifies the trustee of the ACE. The SID in this ACE applies to the hacker user from the box.



Decoding


The userlogger service security descriptor:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) 

The service's SDDL only contains a DACL, indicated by the D: at the start of the string. An SDDL string can contain any of the following component prefixes:

Symbol Description
O: Owner
G: Primary Group
D: Discretionary Access Control List (DACL)
S: System Access Control List (SACL)

The first value of the user's ACE, A, in (A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003) is the ace_type. The possible ace_type values are listed below:

ACE Type Description
A Access Allowed
D Access Denied
OA Object Access Allowed
OD Object Access Denied
AU System Audit
AL System Alarm
OU System Object Audit
OL System Object Alarm
ML System Mandatory Label
SP Central Policy ID

After A;; (the double semicolon means no ace_flags are set) comes the following string: CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003.

Ignoring the user's SID for now (we already know that the object_guid and inherit_object_guid fields are empty and that the trustee is hacker), we're left with CCLCSWRPWPDTLORC.

The letters come in pairs and each pair represents a specific right. The following rights are present in the rights field of the hacker user's ACE for the userlogger service:

Symbol Right
CC SERVICE_QUERY_CONFIG
LC SERVICE_QUERY_STATUS
SW SERVICE_ENUMERATE_DEPENDENTS
RP SERVICE_START
WP SERVICE_STOP
DT SERVICE_PAUSE_CONTINUE
LO SERVICE_INTERROGATE
RC READ_CONTROL

A table of the service DACL rights can be found in the Tables section below.



ConvertFrom-SDDLString

An easy way to read a security descriptor is the ConvertFrom-SddlString PowerShell cmdlet, which is documented in the Microsoft PowerShell docs.

The syntax is straightforward: you just pass the SDDL string to the -Sddl parameter:

PS C:\Users\New> ConvertFrom-SddlString -Sddl "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)" 


Owner            :
Group            :
DiscretionaryAcl : {NT AUTHORITY\INTERACTIVE: AccessAllowed (CreateDirectories, ExecuteKey, GenericExecute, GenericRead, GenericWrite, ListDirectory, Read,
                   ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Traverse, WriteAttributes, WriteExtendedAttributes), NT
                   AUTHORITY\SERVICE: AccessAllowed (CreateDirectories, GenericExecute, ListDirectory, Read, ReadAttributes, ReadExtendedAttributes,
                   ReadPermissions, WriteAttributes), NT AUTHORITY\SYSTEM: AccessAllowed (CreateDirectories, DeleteSubdirectoriesAndFiles, ExecuteKey,
                   GenericExecute, GenericRead, GenericWrite, ListDirectory, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions,
                   Traverse, WriteAttributes, WriteExtendedAttributes), BUILTIN\Administrators: AccessAllowed (ChangePermissions, CreateDirectories, Delete,
                   DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read,
                   ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, TakeOwnership, Traverse, Write, WriteAttributes, WriteData,
                   WriteExtendedAttributes, WriteKey)...}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

The ConvertFrom-SddlString cmdlet does not decode the ACE rights in the same way as decoding them manually with the table in the previous section. The following section explains why in more detail.


Types


The ConvertFrom-SddlString docs show that the -Type parameter only accepts the following values:

  • FileSystemRights
  • RegistryRights
  • ActiveDirectoryRights
  • MutexRights
  • SemaphoreRights
  • CryptoKeyRights
  • EventWaitHandleRights

There's no -Type value that decodes the service DACL rights assigned to a Windows service. If there were one, running the following command would give different output for the value of RP:

PS C:\Users\New> ConvertFrom-SddlString -Sddl "D:(A;;RP;;;AU)"

Owner            :
Group            :
DiscretionaryAcl : {NT AUTHORITY\Authenticated Users: AccessAllowed (WriteExtendedAttributes)}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

It would say SERVICE_START instead of WriteExtendedAttributes. As you can see below, the value of RP changes when you specify a different value for the -Type parameter:

PS C:\Users\New> ConvertFrom-SddlString -Sddl "D:(A;;RP;;;AU)" -Type ActiveDirectoryRights

Owner            :
Group            :
DiscretionaryAcl : {NT AUTHORITY\Authenticated Users: AccessAllowed (ReadProperty)}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

Not sure why there isn’t a service DACL option type for ConvertFrom-SddlString, hopefully Microsoft implements it at some point.
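To fill that gap, here is an added Python example (not part of the original post, and not how ConvertFrom-SddlString works internally) that parses the D: section of a service SDDL string and decodes the rights pairs with the service-specific table, so RP reads as SERVICE_START rather than WriteExtendedAttributes. The letter-pair to right mapping uses the standard Win32 service access masks; DC, SD, WD and WO are taken from the BA ACE of the userlogger descriptor above, and the can_reconfigure flag is this example's own label for rights that let a trustee change the service definition or its ACL.

```python
import re

# Standard Win32 service access-right bits keyed by their SDDL letter pair; the
# post's tables omit DC, SD, WD and WO, which appear in the BA ACE quoted above.
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x10000), "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000), "WO": ("WRITE_OWNER", 0x80000),
}
# Rights that let a trustee change the service definition or its ACL (this
# example's own grouping, used to flag ACEs worth reviewing).
CONFIG_RIGHTS = {"SERVICE_CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# The userlogger descriptor quoted in the post, so the module runs stand-alone.
USERLOGGER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                   "(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)"
                   "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)"
                   "(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

def decode_rights(field):
    """Rights field -> (mask, names); accepts letter pairs or a 0x hex mask."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
    else:
        mask = 0
        for pair in (field[i:i + 2] for i in range(0, len(field), 2)):
            if pair not in SERVICE_RIGHTS:
                raise ValueError(f"not a service right: {pair!r}")
            mask |= SERVICE_RIGHTS[pair][1]
    return mask, [name for name, bit in SERVICE_RIGHTS.values() if mask & bit]

def parse_service_dacl(sddl):
    """Return one dict per ACE in the D: section of a service SDDL string."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # D:, optional DACL flags, ACEs
    if not dacl:
        raise ValueError("descriptor has no DACL (D:) section")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")  # six fields
        mask, names = decode_rights(rights)
        aces.append({"type": ace_type, "flags": flags, "trustee": sid, "mask": mask, "rights": names,
                     "can_reconfigure": ace_type == "A" and not CONFIG_RIGHTS.isdisjoint(names)})
    return aces
```

For the userlogger descriptor the BA ACE decodes to mask 0xF01FF with can_reconfigure set, while the hacker user's ACE decodes to the eight rights listed in the Decoding section and cannot change the service configuration.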



Tables

Service DACL Rights

Symbol Right Description
CC SERVICE_QUERY_CONFIG read the configuration of the service
LC SERVICE_QUERY_STATUS read the status of the service from Service Control Manager
SW SERVICE_ENUMERATE_DEPENDENTS list dependencies
LO SERVICE_INTERROGATE ask the service its current status
CR SERVICE_USER_DEFINED_CONTROL send a service control command
RC READ_CONTROL read the security permissions
RP SERVICE_START start the service
WP SERVICE_STOP stop the service
DT SERVICE_PAUSE_CONTINUE pause/continue the service


Predefined Account SIDs

SDDL Alias SID name
AA ACCESS_CONTROL_ASSISTANCE_OPS
AC ALL_APP_PACKAGES
AN ANONYMOUS
AO ACCOUNT_OPERATORS
AU AUTHENTICATED_USERS
BA BUILTIN_ADMINISTRATORS
BG BUILTIN_GUESTS
BO BACKUP_OPERATORS
BU BUILTIN_USERS
CA CERT_PUBLISHERS
CD CERTSVC_DCOM_ACCESS
CG CREATOR_GROUP
CN CLONEABLE_CONTROLLERS
CO CREATOR_OWNER
CY CRYPTO_OPERATORS
DA DOMAIN_ADMINS
DC DOMAIN_COMPUTERS
DD DOMAIN_DOMAIN_CONTROLLERS
DG DOMAIN_GUESTS
DU DOMAIN_USERS
EA ENTERPRISE_ADMINS
ED ENTERPRISE_DOMAIN_CONTROLLERS
ER EVENT_LOG_READERS
ES RDS_ENDPOINT_SERVERS
HA HYPER_V_ADMINS
HI ML_HIGH
IS IIS_USERS
IU INTERACTIVE
LA ADMINISTRATOR
LG GUEST
LS LOCAL_SERVICE
LU PERFLOG_USERS
LW ML_LOW
ME ML_MEDIUM
MP ML_MEDIUM_PLUS
MS RDS_MANAGEMENT_SERVERS
MU PERFMON_USERS
NO NETWORK_CONFIGURATION_OPS
NS NETWORK_SERVICE
NU NETWORK
OW OWNER_RIGHTS
PA GROUP_POLICY_CREATOR_OWNER
PO PRINTER_OPERATORS
PS PRINCIPAL_SELF
PU POWER_USERS
RA RDS_REMOTE_ACCESS_SERVERS
RC RESTRICTED_CODE
RD REMOTE_DESKTOP
RE REPLICATOR
RM REMOTE_MANAGEMENT_USERS
RO ENTERPRISE_RO_DCS
RS RAS_SERVERS
RU ALIAS_PREW2KCOMPACC
SA SCHEMA_ADMINISTRATORS
SI ML_SYSTEM
SO SERVER_OPERATORS
SU SERVICE
SY LOCAL_SYSTEM
UD USER_MODE_DRIVERS
WD EVERYONE
WR WRITE_RESTRICTED_CODE


Glossary

  • Access Control Entry - (ACE) is an entry in an Access Control List (ACL). An ACE contains a set of access rights and a Security Identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.

  • Access Control List - (ACL) is a list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.) An entry in an access control list (ACL) is an access control entry (ACE). There are two types of access control list, discretionary and system.

  • Discretionary Access Control List - (DACL) is an access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.

  • System Access Control List - (SACL) is an ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object’s SACL is controlled by a privilege typically held only by system administrators.

  • Security Descriptor - A structure and associated data that contains the security information for a securable object. A security descriptor identifies the object’s owner and primary group. It can also contain a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the object.

  • Trustee - The user account, group account, or logon session to which an access control entry (ACE) applies. Each ACE in an access control list (ACL) applies to one trustee.