Virtual Account
As identified previously, the iis-default account is a fully-featured service account on the target system. The account exists to host the Internet Information Services (IIS) web server.
Another important aspect of service accounts in a Windows domain environment is that, according to the official Microsoft documentation, they are often referred to as virtual accounts. Virtual accounts were introduced in Windows Server 2008 R2 and Windows 7. They are managed local accounts on domain-joined systems that simplify service administration by providing the following benefits:
- The virtual account is automatically managed.
- The virtual account can access the network in a domain environment.
- No password management is required.
- For example, if the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2, a virtual account that uses the instance name as the service name is established in the format NT SERVICE\<SERVICENAME>.
This essentially means that the iis-default account SHARES the same password that the machine account (g0$) uses.
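To see how much of a host relies on this behaviour, a defender can inventory which services and IIS application pools run as a virtual account or as NETWORK SERVICE, since all of these authenticate to the network as the machine account. The following PowerShell is an added example, not code from the original write-up; it assumes it is run locally with administrative rights and that the WebAdministration module is present on IIS hosts (the app-pool part is skipped otherwise).

```powershell
# Added example: list identities on this host whose outbound network
# authentication is backed by the machine account (virtual accounts and
# NETWORK SERVICE). Assumes local admin rights; WebAdministration is optional.

function Get-MachineAccountBackedIdentities {
    $results = @()

    # Win32 services: StartName holds the logon account. Virtual accounts
    # appear as 'NT SERVICE\<SERVICENAME>'; NETWORK SERVICE also uses the
    # machine account when it talks to the network.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -like 'NT SERVICE\*' -or
            $_.StartName -like 'NT AUTHORITY\Network*'
        }
    foreach ($svc in $services) {
        $results += [pscustomobject]@{
            Type     = 'Service'
            Name     = $svc.Name
            Identity = $svc.StartName
            State    = $svc.State
        }
    }

    # IIS application pools: the ApplicationPoolIdentity setting maps to the
    # virtual account 'IIS APPPOOL\<poolname>' (compare the whoami output).
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        foreach ($pool in Get-ChildItem IIS:\AppPools) {
            $idType = $pool.processModel.identityType
            if ($idType -in 'ApplicationPoolIdentity', 'NetworkService') {
                $identity = 'NT AUTHORITY\NETWORK SERVICE'
                if ($idType -eq 'ApplicationPoolIdentity') {
                    $identity = "IIS APPPOOL\$($pool.Name)"
                }
                $results += [pscustomobject]@{
                    Type     = 'AppPool'
                    Name     = $pool.Name
                    Identity = $identity
                    State    = $pool.state
                }
            }
        }
    }
    return $results
}

Get-MachineAccountBackedIdentities | Sort-Object Type, Name | Format-Table -AutoSize
```

Each row is a process context from which code execution would yield the machine account's network identity, which is the precondition the Assessment section below relies on.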
A simple test can confirm this.
Testing
PS C:\tmp> whoami
iis apppool\defaultapppool
PS C:\tmp> dir \\10.10.16.8\ImAMachineAcc
When I attempted to connect to the Kali SMB server to invoke the network authentication, the Kali SMB server indeed received the inbound Net-NTLMv2 authentication string as the g0$ account, which is the DC host.
Assessment
In any situation where the machine is domain-joined and you can run code as NT AUTHORITY\NETWORK SERVICE or a Microsoft Virtual Account, the RBCD technique may be employed for local privilege escalation, provided that Active Directory hasn't been hardened to mitigate RBCD attacks completely (which is very rarely the case).
Therefore, compromising a valid and fully-featured virtual account in Windows often leads to complete compromise of the target system. This can be achieved by leveraging the TGT delegation technique. Moving on to the Lateral Movement phase.