Hyper-V Administrators
Overview
Hyper-V Administrators is a built-in local group on the Hyper-V host whose members have full access to all Hyper-V features (creating, exporting, checkpointing and deleting VMs and their virtual disks). If Domain Controllers are virtualized on that host, members should be treated as Domain Admins: they can export or clone a DC VM, mount its virtual disk offline and extract NTDS.dit together with the SYSTEM hive, without ever executing anything on the DC.
Virtual Machine Attack Vectors
Domain Controller VM Compromise
Attack scenario:
1. Export (or clone) the live Domain Controller VM from the host; the running VM keeps its own .vhdx locked, so the exported copy is what gets used
2. Mount the exported virtual disk (.vhdx) read-only, offline
3. Copy NTDS.dit (Windows\NTDS\ntds.dit) and the SYSTEM registry hive (Windows\System32\config\SYSTEM) from the mounted filesystem; the hive holds the boot key, without which the database cannot be decrypted
4. Run secretsdump.py against the two copies for offline credential extraction
Risk Assessment:
Virtualized DCs = full domain compromise potential (every account hash, including krbtgt)
Exporting the VM sidesteps everything that only protects the running DC (LSASS protections, EDR inside the guest), because nothing executes inside the DC
The offline analysis leaves no trace on the DC itself; the only record is the export/checkpoint activity in the host's Hyper-V-VMMS event logs
Hard Link Exploitation
Attack Mechanism
Hard-link primitive (the same class of bug as CVE-2018-0952 / CVE-2019-0841):
1. vmms.exe restores the permissions of a VM's virtual disk file while running as NT AUTHORITY\SYSTEM
2. Delete a .vhdx file that you control as a Hyper-V administrator
3. Create a hard link with the .vhdx's name pointing at a protected SYSTEM-owned file
4. When vmms.exe "restores" the permissions it writes them onto the linked target, giving you full permissions on that SYSTEM file
Target File Example
Mozilla Maintenance Service target: the service runs as SYSTEM and can be started by unprivileged users, which makes its binary a convenient file to take over
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Exploitation Steps
1. Run the PowerShell hard link exploit: delete the .vhdx, create the hard link with its name pointing at maintenanceservice.exe, then trigger the vmms.exe permission restore
2. Take ownership of the target file
takeown /F "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
3. Replace it with a malicious executable
4. Start the service so the replaced binary runs as SYSTEM
sc.exe start MozillaMaintenance
Limitations
Patching Status
MITIGATED: March 2020 Windows security updates
Changed hard link behavior: creating a hard link now requires write access to the target file, so a Hyper-V administrator can no longer point a .vhdx name at a SYSTEM-owned binary
Technique no longer effective on patched systems
Alternative Vectors
Focus on:
- VM-based attacks (still viable: export/clone plus offline extraction relies on the group's legitimate rights, not on a host bug)
- Service exploitation requiring SYSTEM context
- Application services startable by unprivileged users
Detection & Defense
Monitoring
Watch for (on the Hyper-V host, in the Hyper-V-VMMS event logs and the Security log):
- VM export, clone and checkpoint operations, especially against Domain Controller VMs
- Unexpected VM creation/deletion
- Hard link creation attempts (Security event 4664, which requires the Audit File System subcategory under Object Access)
- Service file modifications
Hardening
Mitigation strategies:
- Keep Windows updated (the March 2020 updates remove the hard-link primitive)
- Restrict Hyper-V Administrators membership and review it regularly: anyone in the group on a host that runs a DC is effectively a Domain Admin
- Monitor VM operations
- Implement VM integrity checking; for virtualized DCs, shielded VMs keep the disk encrypted so an exported copy cannot be mounted by the host admin
Hyper-V Administrators = potential Domain Admin access on virtualized DCs
VM cloning attack most reliable vector
Hard link exploitation patched since March 2020
Virtualization security critical for domain protection
Hyper-V Administrators group represents significant risk in virtualized environments, particularly when Domain Controllers are virtualized.
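The Monitoring and Hardening checklists above, turned into a host audit script. This is an added example, not code from the original page: it lists Hyper-V Administrators members, flags export/create/delete/checkpoint messages from the Microsoft-Windows-Hyper-V-VMMS-Admin log, and flags hard-link creations (Security event 4664). The sample events at the bottom are constructed for this example so the filters can run without a live host; their wording is not real VMMS output, and the function names are my own.

```powershell
# Added example (not from the original page): audit a Hyper-V host against the
# Monitoring and Hardening items. Assumes a Windows host with the LocalAccounts
# module; the constructed $sample* events at the bottom are placeholders, not
# real log records. The commented Get-WinEvent lines are what you run for real.

function Get-HyperVAdminMembers {
    # Built-in local group on the host (SID S-1-5-32-578). A nested domain group
    # shows up as one entry; expand it in AD separately.
    Get-LocalGroupMember -Group 'Hyper-V Administrators' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Select-VmLifecycleEvent {
    # Pass through VMMS events whose message mentions an export, import/clone,
    # creation, deletion or checkpoint of a VM.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        if ($Event.Message -match 'export|import|created|deleted|checkpoint|snapshot') { $Event }
    }
}

function Select-HardLinkEvent {
    # Security 4664 = "An attempt was made to create a hard link"
    # (logged only when Audit File System under Object Access is enabled).
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process { if ($Event.Id -eq 4664) { $Event } }
}

function Get-HyperVHostFindings {
    param([object[]] $VmmsEvents, [object[]] $SecurityEvents)
    $findings = @()
    foreach ($m in (Get-HyperVAdminMembers)) {
        $findings += "Hyper-V Administrators member: $($m.Name) ($($m.ObjectClass))"
    }
    foreach ($e in ($VmmsEvents | Select-VmLifecycleEvent)) {
        $findings += "VM lifecycle [$($e.TimeCreated)]: $($e.Message)"
    }
    foreach ($e in ($SecurityEvents | Select-HardLinkEvent)) {
        $findings += "Hard link attempt [$($e.TimeCreated)]: $($e.Message)"
    }
    $findings
}

# Live use on the host (elevated):
#   $vmms = Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 500
#   $sec  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4664 } -MaxEvents 500
#   Get-HyperVHostFindings -VmmsEvents $vmms -SecurityEvents $sec

# Constructed sample events (placeholder wording, not real log records):
$sampleVmms = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Message = "Export of virtual machine 'DC01' completed" },
    [pscustomobject]@{ TimeCreated = Get-Date; Message = "Virtual machine 'DC01' started" }
)
$sampleSec = @(
    [pscustomobject]@{ Id = 4664; TimeCreated = Get-Date; Message = "An attempt was made to create a hard link. Link Name: D:\VMs\DC01\dc01.vhdx" },
    [pscustomobject]@{ Id = 4663; TimeCreated = Get-Date; Message = "An attempt was made to access an object." }
)
Get-HyperVHostFindings -VmmsEvents $sampleVmms -SecurityEvents $sampleSec
```

On the constructed input only the export message and the 4664 record are reported; the VM start and the 4663 access event fall through the filters. On a real host, feed the two Get-WinEvent results in and treat any export, checkpoint or import touching a DC VM outside a change window as an incident, since that is the whole attack.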