Exploit Cost
Exploit Cost is an estimate of how noisy or complex each step of a particular attack path is likely to be. (Kudos to the ACLPWN project for this idea.)
For example, if an attacker has compromised userA and userA is a member of groupB, that step of the attack path requires no further exploitation and raises no real OPSEC concerns: the attacker already holds groupB's privileges.
Conversely, if an attacker has compromised a user's workstation that also has an admin user session on it, exploiting that step would (possibly) require elevating privileges on the workstation and running something like Mimikatz to extract credentials from memory. That brings OPSEC considerations around monitoring of the LSASS process and may also require endpoint protection bypasses, all of which makes the exploitation that little bit more difficult.
These scores have been assigned based upon my personal best judgement. They are not set in stone; discussion of the scoring is welcome and will only help to improve it.
The scores assigned to each exploit are:
Relationship | Target Node Type | OPSEC Considerations | Possible Protections to Bypass | Possible Privesc Required | Cost
---|---|---|---|---|---
MemberOf | Group | No | No | No | 0
HasSession | Any | Yes | Yes | Yes | 3
CanRDP | Any | No | No | No | 0
Contains | Any | No | No | No | 0
GPLink | Any | No | No | No | 0
AdminTo | Any | Yes | No | No | 1
ForceChangePassword | Any | Yes | No | No | 1
AllowedToDelegate | Any | Yes | No | No | 1
AllowedToAct | Any | Yes | No | No | 1
AddAllowedToAct | Any | Yes | No | No | 1
ReadLAPSPassword | Any | Yes | No | No | 1
ReadGMSAPassword | Any | Yes | No | No | 1
HasSIDHistory | Any | Yes | No | No | 1
CanPSRemote | Any | Yes | No | No | 1
ExecuteDCOM | Any | Yes | No | No | 1
SQLAdmin | Any | Yes | No | No | 1
AllExtendedRights | Group/User/Computer | Yes | No | No | 1
AddMember | Group | Yes | No | No | 1
AddSelf | Group | Yes | No | No | 1
GenericAll | Group/User/Computer | Yes | No | No | 1
WriteDACL | Group/User/Computer | Yes | No | No | 1
WriteOwner | Group/User/Computer | Yes | No | No | 1
Owns | Group/User/Computer | Yes | No | No | 1
GenericWrite | Group/User/Computer | Yes | No | No | 1
AllExtendedRights | Domain | Yes | Yes | No | 2
GenericAll | Domain | Yes | Yes | No | 2
WriteDACL | Domain | Yes | Yes | No | 2
WriteOwner | Domain | Yes | Yes | No | 2
Owns | Domain | Yes | Yes | No | 2
GenericAll | GPO/OU | Yes | No | No | 1
WriteDACL | GPO/OU | Yes | No | No | 1
WriteOwner | GPO/OU | Yes | No | No | 1
Owns | GPO/OU | Yes | No | No | 1
WriteSPN | User | Yes | No | No | 1
AddKeyCredentialLink | Any | Yes | Yes | No | 2

Relationship names are the BloodHound edge types as they appear in the Neo4j graph, and Cypher matches them case-sensitively. The same ACL right costs more against a Domain object than against a Group, User or Computer, so the cost of an edge depends on both the relationship and the target node type.
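The following is an added example, not code from this project, showing how the table above turns into a path score: each edge is looked up by relationship and target node type (with the Group/User/Computer, Domain and GPO/OU classes resolved from the BloodHound node label, and "Any" as the fallback), the costs are summed along the path, and paths are ranked by cost before hop count. The three attack paths are constructed sample data, not output from a real graph; the user, group and host names in them are hypothetical. Unscored edges raise rather than silently counting as free, and mis-cased edge names deliberately miss, matching how the graph treats them.

```python
"""Exploit-cost scoring over BloodHound-style attack paths (added example)."""

# Costs from the table, keyed by (relationship, target-type class).
COST_TABLE = {
    ("MemberOf", "Group"): 0, ("HasSession", "Any"): 3,
    ("CanRDP", "Any"): 0, ("Contains", "Any"): 0, ("GPLink", "Any"): 0,
    ("AdminTo", "Any"): 1, ("ForceChangePassword", "Any"): 1,
    ("AllowedToDelegate", "Any"): 1, ("AllowedToAct", "Any"): 1,
    ("AddAllowedToAct", "Any"): 1, ("ReadLAPSPassword", "Any"): 1,
    ("ReadGMSAPassword", "Any"): 1, ("HasSIDHistory", "Any"): 1,
    ("CanPSRemote", "Any"): 1, ("ExecuteDCOM", "Any"): 1, ("SQLAdmin", "Any"): 1,
    ("AllExtendedRights", "Group/User/Computer"): 1,
    ("AddMember", "Group"): 1, ("AddSelf", "Group"): 1,
    ("GenericAll", "Group/User/Computer"): 1, ("WriteDACL", "Group/User/Computer"): 1,
    ("WriteOwner", "Group/User/Computer"): 1, ("Owns", "Group/User/Computer"): 1,
    ("GenericWrite", "Group/User/Computer"): 1,
    ("AllExtendedRights", "Domain"): 2, ("GenericAll", "Domain"): 2,
    ("WriteDACL", "Domain"): 2, ("WriteOwner", "Domain"): 2, ("Owns", "Domain"): 2,
    ("GenericAll", "GPO/OU"): 1, ("WriteDACL", "GPO/OU"): 1,
    ("WriteOwner", "GPO/OU"): 1, ("Owns", "GPO/OU"): 1,
    ("WriteSPN", "User"): 1, ("AddKeyCredentialLink", "Any"): 2,
}

# Which table classes a BloodHound node label belongs to, most specific first.
TARGET_CLASSES = {
    "Group": ("Group", "Group/User/Computer"),
    "User": ("User", "Group/User/Computer"),
    "Computer": ("Computer", "Group/User/Computer"),
    "Domain": ("Domain",),
    "GPO": ("GPO/OU",),
    "OU": ("GPO/OU",),
}


def edge_cost(relationship, target_label):
    """Cost of one edge, or None if the table has no row for it.

    Names are matched case-sensitively, as Neo4j matches relationship types,
    so "memberof" is a miss rather than a free edge.
    """
    for cls in TARGET_CLASSES.get(target_label, ()) + ("Any",):
        cost = COST_TABLE.get((relationship, cls))
        if cost is not None:
            return cost
    return None


def path_cost(path):
    """Sum the cost of a path given as [(source, relationship, target_label, target), ...].

    An unscored edge raises KeyError so a gap in the table is visible instead
    of making the path look cheap.
    """
    total = 0
    for src, rel, label, dst in path:
        cost = edge_cost(rel, label)
        if cost is None:
            raise KeyError(f"no exploit cost for {src} -[{rel}]-> {dst} ({label})")
        total += cost
    return total


def rank_paths(paths):
    """Return (name, hops, cost) for each path, cheapest first, shorter first on ties."""
    ranked = [(name, len(p), path_cost(p)) for name, p in paths.items()]
    return sorted(ranked, key=lambda r: (r[2], r[1]))


# Constructed sample paths (hypothetical names) from a low-privileged user
# to Domain Admins. "acl-abuse" is the shortest by hops but not the cheapest.
SAMPLE_PATHS = {
    "nested-groups": [
        ("USERA", "MemberOf", "Group", "HELPDESK"),
        ("HELPDESK", "MemberOf", "Group", "DOMAIN ADMINS"),
    ],
    "session-hijack": [
        ("USERA", "AdminTo", "Computer", "WS01"),
        ("WS01", "HasSession", "User", "DA-ADMIN"),
        ("DA-ADMIN", "MemberOf", "Group", "DOMAIN ADMINS"),
    ],
    "acl-abuse": [
        ("USERA", "GenericAll", "Domain", "CORP.LOCAL"),
    ],
}

if __name__ == "__main__":
    for name, hops, cost in rank_paths(SAMPLE_PATHS):
        print(f"{name:15} hops={hops} cost={cost}")
```

Run as a script, the ranking puts the pure group-nesting path first at cost 0, the single GenericAll-on-Domain hop second at cost 2, and the three-hop session-hijack path last at cost 4 (AdminTo 1 + HasSession 3 + MemberOf 0), which is exactly the ordering a shortest-path query would not give you.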