@MHaggis
Created January 14, 2025 16:38
SDDL Security Testing and Demonstration Guide

1. Decode an SDDL String (Basic Permissions Breakdown)

Objective: Retrieve and interpret SDDL for a file.

Command:

(Get-Acl C:\Windows\System32\cmd.exe).Sddl

Expected Outcome:

  • Displays the SDDL string for cmd.exe.
  • Explain O: (Owner), G: (Group), D: (DACL), and ACEs.
  • Convert the SDDL into readable permissions using:
    Get-Acl C:\Windows\System32\cmd.exe | Format-List
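To make the O:/G:/D: breakdown concrete, here is an added PowerShell decoder (example code written for this guide, not part of the original gist). It splits an SDDL string into Owner, Group, DACL/SACL flags and individual ACEs and expands the two-letter abbreviations. The lookup tables are an assumption of "common codes only"; anything unknown is echoed unchanged. One thing the decoder makes visible: the same two letters mean different things per field. In the SID field WD is Everyone, in the rights field WD is WRITE_DAC, so the ACE from step 3 of the next section, (A;;FA;;;WD), reads as Allow, no flags, FILE_ALL_ACCESS, Everyone.

```powershell
# Added example, not from the original gist: a self-contained SDDL decoder.
# Tables cover common abbreviations only (assumption); unknown tokens pass through as "?".
$SidAbbrev = @{
    WD = 'Everyone (S-1-1-0)';             AU = 'Authenticated Users (S-1-5-11)'
    SY = 'NT AUTHORITY\SYSTEM (S-1-5-18)'; BA = 'BUILTIN\Administrators (S-1-5-32-544)'
    BU = 'BUILTIN\Users (S-1-5-32-545)';   IU = 'INTERACTIVE (S-1-5-4)'
    AN = 'ANONYMOUS LOGON (S-1-5-7)';      CO = 'CREATOR OWNER (S-1-3-0)'
    AC = 'ALL APPLICATION PACKAGES (S-1-15-2-1)'
}
# Bits 0x1..0x100 are object-specific; the service meaning is shown because this guide focuses on services.
$RightsAbbrev = @{
    GA = 'GENERIC_ALL'; GR = 'GENERIC_READ'; GW = 'GENERIC_WRITE'; GX = 'GENERIC_EXECUTE'
    RC = 'READ_CONTROL'; SD = 'DELETE'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'
    CC = '0x1 (service: QUERY_CONFIG)';    DC = '0x2 (service: CHANGE_CONFIG)'
    LC = '0x4 (service: QUERY_STATUS)';    SW = '0x8 (service: ENUMERATE_DEPENDENTS)'
    RP = '0x10 (service: START)';          WP = '0x20 (service: STOP)'
    DT = '0x40 (service: PAUSE_CONTINUE)'; LO = '0x80 (service: INTERROGATE)'
    CR = '0x100 (service: USER_DEFINED_CONTROL)'
    FA = 'FILE_ALL_ACCESS'; FR = 'FILE_GENERIC_READ'; FW = 'FILE_GENERIC_WRITE'; FX = 'FILE_GENERIC_EXECUTE'
    KA = 'KEY_ALL_ACCESS'; KR = 'KEY_READ'; KW = 'KEY_WRITE'; KX = 'KEY_EXECUTE'
}
$AceType  = @{ A = 'Allow'; D = 'Deny'; OA = 'Object Allow'; OD = 'Object Deny'; AU = 'Audit'; AL = 'Alarm'; XA = 'Conditional Allow'; XD = 'Conditional Deny' }
$AceFlags = @{ CI = 'CONTAINER_INHERIT'; OI = 'OBJECT_INHERIT'; NP = 'NO_PROPAGATE'; IO = 'INHERIT_ONLY'; ID = 'INHERITED'; SA = 'SUCCESSFUL_ACCESS'; FA = 'FAILED_ACCESS' }

function Resolve-SddlSid {
    # Map a two-letter SID alias, or translate a literal S-1-... SID to an account name.
    param([string]$Token)
    if ($SidAbbrev.ContainsKey($Token)) { return $SidAbbrev[$Token] }
    if ($Token -like 'S-1-*') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Token)
            return '{0} ({1})' -f $sid.Translate([System.Security.Principal.NTAccount]).Value, $Token
        } catch { return $Token }   # unresolvable SID (deleted account, other machine)
    }
    return $Token
}

function Expand-Pairs {
    # Expand a run of two-letter codes ("CCLCSWLOCRRC") or a raw hex mask via a lookup table.
    param([string]$Run, [hashtable]$Table)
    if ($Run -match '^0x[0-9A-Fa-f]+$') { return @("raw mask $Run") }
    [regex]::Matches($Run, '..') | ForEach-Object {
        $t = $_.Value
        if ($Table.ContainsKey($t)) { "$t = $($Table[$t])" } else { "$t = ?" }
    }
}

function ConvertFrom-Sddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Split into the O:, G:, D: and S: components (a literal SID "S-1-..." has no colon, so it is not mistaken for S:).
    $parts = @{}
    foreach ($m in [regex]::Matches($Sddl, '(?<key>[OGDS]):(?<val>.*?)(?=[OGDS]:|$)')) {
        $parts[$m.Groups['key'].Value] = $m.Groups['val'].Value
    }
    $aces = foreach ($section in 'D', 'S') {
        if (-not $parts.ContainsKey($section)) { continue }
        $body  = $parts[$section]
        $flags = if ($body -match '^([A-Z]*)\(') { $Matches[1] } else { '' }   # e.g. P, AI, PAI
        foreach ($a in [regex]::Matches($body, '\(([^()]*)\)')) {
            $f = $a.Groups[1].Value -split ';'   # type;flags;rights;object_guid;inherit_guid;sid
            [pscustomobject]@{
                Acl       = if ($section -eq 'D') { 'DACL' } else { 'SACL' }
                AclFlags  = $flags
                Type      = if ($AceType.ContainsKey($f[0])) { $AceType[$f[0]] } else { $f[0] }
                AceFlags  = (Expand-Pairs $f[1] $AceFlags) -join ', '
                Rights    = (Expand-Pairs $f[2] $RightsAbbrev) -join ', '
                Principal = Resolve-SddlSid $f[5]
            }
        }
    }
    [pscustomobject]@{
        Owner = if ($parts['O']) { Resolve-SddlSid $parts['O'] } else { '(none)' }
        Group = if ($parts['G']) { Resolve-SddlSid $parts['G'] } else { '(none)' }
        Aces  = @($aces)
    }
}

# Decode the descriptor used in section 2 (a constant from this guide), then the live cmd.exe descriptor.
$demo = ConvertFrom-Sddl 'O:BAG:BAD:(A;;FA;;;WD)'
"Owner: $($demo.Owner)   Group: $($demo.Group)"
$demo.Aces | Format-Table -AutoSize
(ConvertFrom-Sddl (Get-Acl C:\Windows\System32\cmd.exe).Sddl).Aces | Format-Table -AutoSize
```

The decoder is string-based on purpose, so it runs on any SDDL you paste in (sc.exe sdshow output, a registry key, a copied descriptor from a ticket) without needing the object itself; the .NET RawSecurityDescriptor class can parse the same strings if you prefer typed access masks.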

2. Modify File Permissions Using SDDL

Objective: Modify an SDDL string to add/remove permissions.

Steps:

  1. Create a test file:
    New-Item -Path C:\Test\demo.txt -ItemType File
  2. Retrieve current ACL:
    (Get-Acl C:\Test\demo.txt).Sddl
  3. Grant Everyone full control (Dangerous in real life!):
    $acl = Get-Acl C:\Test\demo.txt
    $acl.SetSecurityDescriptorSddlForm("O:BAG:BAD:(A;;FA;;;WD)")
    Set-Acl C:\Test\demo.txt -AclObject $acl
  4. Verify changes:
    (Get-Acl C:\Test\demo.txt).Sddl

Expected Outcome:

  • File is now accessible to everyone.
  • Attackers can exploit this; defenders should remove it immediately.
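The defender's counterpart to step 3, as an added example (written for this guide, not part of the original gist): find ACEs that give broad principals write-type rights on a file or directory, then revoke them with the .NET ACL API rather than by hand-editing the SDDL. The principal list and the set of rights treated as "write-type" are assumptions to tune for your environment.

```powershell
# Added example, not from the original gist: detect and revoke broad write access on files.
# Rights treated as write-type (assumption): any of these specific rights, or a generic write/all bit.
$WriteRights      = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$GenericWriteBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, shown by Get-Acl as raw numbers

function Get-BroadWriteAccess {
    # Report Allow entries for broad principals that carry write-type rights (read-only check).
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Principals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($Principals -notcontains $rule.IdentityReference.Value) { continue }
        $specific = ($rule.FileSystemRights -band $WriteRights) -ne 0
        $generic  = ([int]$rule.FileSystemRights -band $GenericWriteBits) -ne 0
        if ($specific -or $generic) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited   # inherited entries must be fixed on the parent, not here
            }
        }
    }
}

function Remove-BroadWriteAccess {
    # Remove every explicit Allow entry for the given principals and write the ACL back.
    # Returns $true when something was removed.
    param([Parameter(Mandatory)][string]$Path, [string[]]$Principals = @('Everyone'))
    $acl = Get-Acl -LiteralPath $Path
    $changed = $false
    foreach ($rule in @($acl.Access)) {           # snapshot: we modify $acl while iterating
        if ($rule.IsInherited -or $rule.AccessControlType -ne 'Allow') { continue }
        if ($Principals -contains $rule.IdentityReference.Value) {
            $acl.RemoveAccessRuleAll($rule)       # drops all explicit rules for that identity
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -LiteralPath $Path -AclObject $acl }
    return $changed
}

# Check the demo file from the steps above, fix it, and show the resulting SDDL.
Get-BroadWriteAccess -Path 'C:\Test\demo.txt' | Format-Table -AutoSize
if (Remove-BroadWriteAccess -Path 'C:\Test\demo.txt') { (Get-Acl 'C:\Test\demo.txt').Sddl }

# Sweep a tree for anything left over (read-only).
Get-ChildItem -LiteralPath 'C:\Test' -Recurse -Force | ForEach-Object { Get-BroadWriteAccess -Path $_.FullName }
```

Because step 3 wrote a DACL without the P (protected) flag, the file keeps whatever it inherits from C:\Test; after the explicit Everyone entry is removed, only those inherited entries remain, which is why the sweep reports Inherited = True for anything still showing up.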

3. Checking Service SDDL (Potential Privilege Escalation)

Objective: Retrieve Windows Service security permissions.

Command:

sc.exe sdshow wuauserv

Expected Outcome:

  • Displays SDDL string for the Windows Update (wuauserv) service.
  • Analyze who can start, stop, and modify the service.
  • Compare to a misconfigured service with weaker permissions.

4. Modify a Service's Security Descriptor (Attacker vs Defender)

Objective: Demonstrate how an attacker could modify service permissions.

Steps:

  1. Create a vulnerable service:
    New-Service -Name "AtomicDemo" -BinaryPathName "C:\Windows\System32\notepad.exe"
  2. Retrieve its SDDL:
    sc.exe sdshow AtomicDemo
  3. Grant "Everyone" (WD) permission to start/stop service (Bad practice!):
    sc.exe sdset AtomicDemo "D:(A;;CCLCSWLOCRRC;;;WD)"

Expected Outcome:

  • Attackers can restart or hijack the service.
  • Defenders should restrict access to SYSTEM and Administrators.

5. Extract Registry Permissions Using SDDL

Objective: Retrieve registry key security descriptors.

Retrieve SDDL for a registry key:

(Get-Acl "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv").Sddl

Expected Outcome:

  • Attackers alter registry security to hijack services.
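Sections 3 through 5 all come down to the same audit question: which broad principals hold change or control rights on a service, either through the SCM security descriptor (sc.exe sdshow) or through the service's key under HKLM\SYSTEM\CurrentControlSet\Services. The added example below (written for this guide, not part of the original gist) answers it for every installed service. It parses SDDL with the .NET RawSecurityDescriptor class and checks access masks bit by bit, which matters for two reasons visible in section 4: the mask CCLCSWLOCRRC decodes to QUERY_CONFIG, QUERY_STATUS, ENUMERATE_DEPENDENTS, INTERROGATE, USER_DEFINED_CONTROL and READ_CONTROL (0x2018D) with no START (RP, 0x10) or STOP (WP, 0x20) bit, so a checker that only looks for an Everyone entry would misjudge it; and sc.exe sdset replaces the whole DACL with what you pass, so the SYSTEM and Administrators entries shown by sdshow in step 2 are gone unless you include them. The bit values are the documented service (winsvc.h) and registry (winnt.h) access rights; the BroadSids list is an assumption to tune.

```powershell
# Added example, not from the original gist: audit services and their registry keys for broad write/control rights.
$BroadSids = @{   # principals that should normally not control a service (assumption; tune per environment)
    'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4' = 'INTERACTIVE'; 'S-1-5-7' = 'ANONYMOUS LOGON'
}
$ServiceWriteBits = @{   # rights that change or control a service (winsvc.h) plus standard write rights
    SERVICE_CHANGE_CONFIG = 0x2; SERVICE_START = 0x10; SERVICE_STOP = 0x20; SERVICE_PAUSE_CONTINUE = 0x40
    DELETE = 0x10000; WRITE_DAC = 0x40000; WRITE_OWNER = 0x80000; GENERIC_WRITE = 0x40000000; GENERIC_ALL = 0x10000000
}
$RegistryWriteBits = @{  # rights that rewrite a service's configuration key (winnt.h) plus standard write rights
    KEY_SET_VALUE = 0x2; KEY_CREATE_SUB_KEY = 0x4; KEY_CREATE_LINK = 0x20
    DELETE = 0x10000; WRITE_DAC = 0x40000; WRITE_OWNER = 0x80000; GENERIC_WRITE = 0x40000000; GENERIC_ALL = 0x10000000
}

function Find-WeakAces {
    # Emit one finding per Allow ACE that grants a broad principal any of $WriteBits.
    param([string]$Sddl, [hashtable]$WriteBits, [string]$Source)
    if ([string]::IsNullOrWhiteSpace($Sddl)) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) {
        # A NULL DACL means no access check at all: every principal gets every right.
        [pscustomobject]@{ Source = $Source; Principal = '(null DACL)'; Mask = 'n/a'; Rights = 'ALL' }
        return
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        $granted = $WriteBits.GetEnumerator() |
            Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key }
        if ($granted) {
            [pscustomobject]@{
                Source = $Source; Principal = $BroadSids[$sid]
                Mask = ('0x{0:X}' -f $ace.AccessMask); Rights = ($granted -join ', ')
            }
        }
    }
}

# Constructed self-test strings (not from a live system). The first is the mask from section 4 and
# produces no finding (query rights only); the second carries the full service-control set and is flagged.
Find-WeakAces -Sddl 'D:(A;;CCLCSWLOCRRC;;;WD)' -WriteBits $ServiceWriteBits -Source 'sample 1'
Find-WeakAces -Sddl 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)' -WriteBits $ServiceWriteBits -Source 'sample 2'

# Live sweep: SCM descriptor via sc.exe sdshow, registry key via Get-Acl.
$findings = foreach ($svc in Get-Service) {
    # sdshow prints the SDDL on its own line (plus blank lines); keep only the descriptor text.
    $sddl = (& sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -match '^[OGDS]:' }) -join ''
    Find-WeakAces -Sddl $sddl -WriteBits $ServiceWriteBits -Source "service $($svc.Name)"

    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $keyAcl = Get-Acl -LiteralPath $key -ErrorAction SilentlyContinue   # some keys are SYSTEM-only
    if ($keyAcl) { Find-WeakAces -Sddl $keyAcl.Sddl -WriteBits $RegistryWriteBits -Source "registry $key" }
}
$findings | Sort-Object Source | Format-Table -AutoSize
```

Run it elevated so sdshow and Get-Acl can read every descriptor; review each finding rather than auto-fixing, since a few services legitimately let Authenticated Users start them. When you are done with the AtomicDemo service from section 4, remove it with sc.exe delete AtomicDemo.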

6. Old-School Tool: Using subinacl.exe to Modify Permissions

Objective: Demonstrate how older tools still work for SDDL changes.

Grant full control to Everyone (dangerous):

subinacl /file C:\Test\demo.txt /grant=everyone=f

Fix permissions (defensive action):

subinacl /file C:\Test\demo.txt /revoke=everyone

Expected Outcome:

  • Older tools like subinacl.exe are still used by attackers/admins.
  • Use it to audit and remediate overly permissive permissions.

Final Wrap-Up

By the end of these demos, you should:
✅ Understand how to read, decode, and modify SDDL.
✅ See how attackers exploit weak SDDL configurations.
✅ Learn how to lock things down and audit permissions as a defender.
