SlideShare une entreprise Scribd logo

The Unintended Risks of Trusting Active Directory

Will Schroeder
Will Schroeder

This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.

Internet
1  sur  46
Télécharger pour lire hors ligne
The Unintended Risks of Trusting Active Directory
@harmj0y Red teamer and offensive engineer at SpecterOps Adaptive Threat Division alumni Avid blogger (http://harmj0y.net) Co-founder of Empire, BloodHound, Veil-Framework 2
@tifkin_ Red teamer, hunter, and researcher at SpecterOps Adaptive Threat Division alumni Forever going after shiny things Contributor to various projects/blog posts 3
@enigma0x3 Red teamer and security researcher at SpecterOps Adaptive Threat Division alumni Avid blogger (https://enigma0x3.net/), COM lover, CVE holder 4
“As an offensive researcher, if you can dream it, someone has likely already done it...and that someone isn’t the kind of person who speaks at security cons.” 5 Matt Graeber “Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor” BlackHat 2015
What is “Admin Access” ? Hint: it’s more complicated than just “local administrators”! 6
The “True” Nature of Administrative Access ▪ Controversial statement: membership in a system’s local administrators group isn’t what ultimately matters! ▪ What actually matters is what local/domain groups have access to specific remote resources (RPC, remote reg, WMI, SQL, etc.) based on the host service’s security descriptors 7
8 CIFS Remote Registry WinRM SCM WMI RPC :) SD SD “LOCAL Administrators” GENERIC_ALL “DOMAINuser” SC_MANAGER_C REATE_SERVICE Etc. SD SD SD SD
Wait, Security Descriptors? ACLs? What are Those and Why Should I Care? 9
Security descriptors are the Windows mechanism to control authenticated access to resources, or “securable objects” 10 PS: lots of caveats here :)
What Is a “Securable Object”? Why, a Windows object that can have a security descriptor, of course! 11
SECURITY_DESCRIPTOR 12https://msdn.microsoft.com/en-us/library/windows/hardware/ff556610(v=vs.85).aspx
From ACLs to DACLs to SACLs ▪ An Access Control List (ACL) is basically shorthand for the DACL/SACL superset ▪ An object’s Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs) ▫ DACL - What principals/trustees have what rights over the object ▫ The SACL - Specifies how to audit access to the object 13
14
tl;dr ▪ Security descriptors are just the mechanism that Windows uses to define what users (principals) can perform what actions on a specific object, either in Active Directory or on the host ▫ When access is requested, some process enumerates the effective security identifiers (SIDs) of the requestor, compares them to the information in the DACL, and decides whether to grant access 15
OK, That’s “Cool” but Why Should I Care, Really? 16
Why Care? ▪ It’s often difficult to determine whether a specific security descriptor misconfiguration was set maliciously or configured by accident ▫ Existing misconfigurations: privesc opportunities ▫ Malicious misconfiguration changes: persistence! ▪ These changes often have a minimal forensic footprint ▪ Most defenders are not aware of this general persistence approach, much less how to find and remediate it ▫ Nor are they aware of existing misconfigurations that affect privesc... 17
Host-based Security Descriptors More than just the service control manager yo’
Discovering Host Securable Objects ▪ Windows documentation lists about 20-30 securable objects* ▪ We’ve identified 70+! (There are *many* more) ▪ Microsoft Protocol Specifications ▫ Very useful for RPC servers! ▪ Find-RegistrySecurityDescriptors.ps1 19*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx
20
Online vs Offline Security Descriptors ▪ Where do objects get their security descriptor? ▫ Offline - Security descriptor derived from registry, file, etc. ▫ Online - Security descriptor is in memory ▪ Our approach for enumeration: ▫ Locally as an unprivileged user ▫ Locally as a privileged user ▫ Remotely as an unprivileged user ▫ Remotely as a privileged user 21
Example: Remote Registry ▪ Imagine this scenario: remotely dumping an endpoint’s machine account hash as an “unprivileged” user (i.e. not in local admins)! ▪ Backdoor Process ▫ Remotely backdoor the winreg key with an attacker- controlled user/group (this key == remote registry access) ▫ Add malicious ACEs to the SECURITY and SYSTEM hives 22
Example: Remote Registry ▪ (Remote) Backdoor Execution ▫ As the backdoor (domain or local) user, connect to the remote registry service on the backdoored system ▫ Open up specific reg keys linked to LSA and extract their classes ▫ Combine these class values and compute the BootKey ▫ Use the BootKey to decrypt the LSA key ▫ Use the LSA key to decrypt the machine account hash! ▫ EVERYONE GETS A SILVER TICKET!! 23
Active Directory Security Descriptors Everything needs an access control model, even AD
Active Directory ACL Advantages 25 ▪ A big advantage: by default the DACLs for nearly every AD object can be enumerated by any authenticated user in the domain through LDAP! ▪ Other advantages of AD ACLs: ▫ Changes also have a minimal forensic footprint ▫ Changes often survive OS and domain functional level upgrades, i.e. “misconfiguration debt” ▫ Anti-audit measures can be taken!
26 Security Descriptors: AD GUI Edition
Generic Rights We Care About 27 GenericAll Allows ALL generic rights to the specified object GenericWrite Allows for the modification of (almost) all properties on a specified object WriteDacl Grants the ability to modify the DACL in the object security descriptor WriteOwner Grants the ability to take ownership of the object
Object-specific Rights We Care About 28 Users User-Force-Change-Password or write to the servicePrincipalName Groups Write to the member property Computers None outside of LAPS :( GPOs Modification of GPC-File-Sys-Path Domains WriteDacl to add DCSync rights
Example: Abusing Exchange ▪ Exchange Server introduces several schema changes, new nested security groups, and MANY control relationships to Active Directory, making it a perfect spot to blend in amongst the noise! ▪ Pre Exchange Server 2007 SP1, this included the WriteDACL privilege against the domain object itself with Exchange Trusted Subsystem as the principal 29
Example: Abusing Exchange ▪ Backdoor Process ▫ Identify a non-protected security group with local admin rights on one or more Exchange servers ▫ Grant Authenticated Users full control over this security group ▫ Change the owner of the group to an Exchange server ▫ Deny Read Permissions on this group to the Everyone principal 30
Example: Abusing Exchange ▪ Backdoor Execution ▫ Regain access to the Active Directory domain as any user ▫ Add your current user to the backdoored security group ▫ Use your new local admin rights on an Exchange server to execute commands as the SYSTEM user on that computer ▫ Abuse the rights Exchange Trusted Subsystem has over the domain object (i.e. WriteDacl!) ▫ More information: http://bit.ly/2IIK3K3 31
Active Directory + Host ACL Abuse Plugging the Gaps in Attack Chains
▪ Prior to joining active directory, the host is in ultimate control of who can access its resources ▪ After a machine is joined to AD, a few things happen: ▫ The machine is no longer solely in charge of authentication ▫ A portion of key material for the host is stored in another location (machine account hash in ntds.dit) ▫ Default domain group SIDs are added to local groups ▫ Management is no longer solely left to the host (i.e. GPOs :) “Risks” Of Joining Active Directory 33
Active Directory: Before and After 34 Workgroup Active Directory Security Principals Local users/groups + Domain users/groups Access/Permission Management Host-based Security Descriptors + Default domain groups added to local groups Authentication NTLM (SAM) + Kerberos/NTLM (NTDS) Resource Administration Manual + GPOs
Active Directory: Before and After 35 DCOM Service Administrators admin DOMAINDomain Admins Distributed COM Users DOMAINsrvcacct DOMAINjohnDOMAINsrvadms DOMAINlee
The “Actual” Attack Graph ▪ BloodHound doesn’t (currently) take host based security descriptors into account ▪ The actual access graph that exists in a domain includes the security descriptors for every remotely accessible service on every host + AD descriptors ▫ Includes “unrolling” groups… this may not be (currently) realistically possible to model in large environments ¯_(ツ)_/¯ 36
Security Implications ▪ Host-based security descriptors are the missing link when thinking about domain attack graphs! ▪ There ARE existing misconfigurations in the security descriptors in some host-based services! ▫ More to come this summer, stay tuned :) ▪ Host-based security descriptor modifications can be chained with AD misconfigurations/modifications ▪ “Fills the gap” left by the lack of an AD ACL computer primitive 37
tl;dr Security Implications of Joining Active Directory ▪ When you join a system to Active Directory, you’re introducing additional nodes into the access graph that may affect the security of other systems ▪ You’re also implicitly trusting the security of a large number of other nodes in the graph as well ▫ You’re almost certainly exposing your system’s services to more access than you realize! 38
Case Study #1 Picking on Exchange Again :)
Case Study: Exchanging Rights ▪ We saw before that the Exchange Trusted Subsystem group (which contains Exchange servers) often has a huge number of rights over the domain ▪ So let’s integrate the remote registry host-based backdoor on an Exchange box! ▫ No changes to the DC or any AD data ▫ Takes advantage of existing misconfigurations! 40
[DEMO] 41
Case Study #2 Abusing Existing Misconfigurations
Case Study: Abusing Existing Misconfigurations ▪ GPOs set lots of interesting settings! ▫ They can even set host-based security descriptors: ) ▫ Imagine one that modifies the security descriptor for SCM ▪ We can also easily correlate GPOs to find what systems they apply to ▪ What happens if the group SID set for the descriptor via GPO, after unrolling, contains a service account... 43
44 [DEMO]
45 Summary ▪ Access is more than just “local administrators” ! ▪ You should really care about security descriptors! ▪ Host based security descriptors (accidentally misconfigured or maliciously backdoored) can have far- reaching implications for the security of other systems in the domain!
46 Questions? You can find us at @SpecterOps: ▪ @harmj0y , @tifkin_ , @enigma0x3 ▪ [will,lee,matt]@specterops.io

Recommandé

An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
Will Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 

Recommandé

An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
Will Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
Shakacon
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
Will Schroeder
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
Will Schroeder
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Andy Robbins
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
Will Schroeder
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
Priyanka Aash
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
Douglas Bienstock
 
BloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryBloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active Directory
Andy Robbins
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Cody Thomas
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
Will Schroeder
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdf
n00py1
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax
 

Contenu connexe

Tendances

Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
Shakacon
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 

Tendances (20)

DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
BloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryBloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active Directory
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdf
 

Similaire à The Unintended Risks of Trusting Active Directory

DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax
 
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Mary Racter
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
Apostolos Giannakidis
 
Dev buchan everything you need to know about agent design
Dev buchan everything you need to know about agent designDev buchan everything you need to know about agent design
Dev buchan everything you need to know about agent design
Bill Buchan
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 

Similaire à The Unintended Risks of Trusting Active Directory (20)

Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
 
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud Security
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environment
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applications
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure
 
Dev buchan everything you need to know about agent design
Dev buchan everything you need to know about agent designDev buchan everything you need to know about agent design
Dev buchan everything you need to know about agent design
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
Presentation anatomy of a database attack
Presentation anatomy of a database attackPresentation anatomy of a database attack
Presentation anatomy of a database attack
 
ppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdfppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdf
 

Plus de Will Schroeder

Plus de Will Schroeder (18)

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 

Dernier

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
F
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
kumargunjan9515
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
ydyuyu
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 

Dernier (20)

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 

The Unintended Risks of Trusting Active Directory

  • 1. The Unintended Risks of Trusting Active Directory
  • 2. @harmj0y Red teamer and offensive engineer at SpecterOps Adaptive Threat Division alumni Avid blogger (http://harmj0y.net) Co-founder of Empire, BloodHound, Veil-Framework 2
  • 3. @tifkin_ Red teamer, hunter, and researcher at SpecterOps Adaptive Threat Division alumni Forever going after shiny things Contributor to various projects/blog posts 3
  • 4. @enigma0x3 Red teamer and security researcher at SpecterOps Adaptive Threat Division alumni Avid blogger (https://enigma0x3.net/), COM lover, CVE holder 4
  • 5. “As an offensive researcher, if you can dream it, someone has likely already done it...and that someone isn’t the kind of person who speaks at security cons.” 5 Matt Graeber “Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor” BlackHat 2015
  • 6. What is “Admin Access” ? Hint: it’s more complicated than just “local administrators”! 6
  • 7. The “True” Nature of Administrative Access ▪ Controversial statement: membership in a system’s local administrators group isn’t what ultimately matters! ▪ What actually matters is what local/domain groups have access to specific remote resources (RPC, remote reg, WMI, SQL, etc.) based on the host service’s security descriptors 7
  • 9. Wait, Security Descriptors? ACLs? What are Those and Why Should I Care? 9
  • 10. Security descriptors are the Windows mechanism to control authenticated access to resources, or “securable objects” 10 PS: lots of caveats here :)
  • 11. What Is a “Securable Object”? Why, a Windows object that can have a security descriptor, of course! 11
  • 13. From ACLs to DACLs to SACLs ▪ An Access Control List (ACL) is basically shorthand for the DACL/SACL superset ▪ An object’s Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs) ▫ DACL - What principals/trustees have what rights over the object ▫ The SACL - Specifies how to audit access to the object 13
  • 14. 14
  • 15. tl;dr ▪ Security descriptors are just the mechanism that Windows uses to define what users (principals) can perform what actions on a specific object, either in Active Directory or on the host ▫ When access is requested, some process enumerates the effective security identifiers (SIDs) of the requestor, compares them to the information in the DACL, and decides whether to grant access 15
  • 16. OK, That’s “Cool” but Why Should I Care, Really? 16
  • 17. Why Care? ▪ It’s often difficult to determine whether a specific security descriptor misconfiguration was set maliciously or configured by accident ▫ Existing misconfigurations: privesc opportunities ▫ Malicious misconfiguration changes: persistence! ▪ These changes often have a minimal forensic footprint ▪ Most defenders are not aware of this general persistence approach, much less how to find and remediate it ▫ Nor are they aware of existing misconfigurations that affect privesc... 17
  • 18. Host-based Security Descriptors More than just the service control manager yo’
  • 19. Discovering Host Securable Objects ▪ Windows documentation lists about 20-30 securable objects* ▪ We’ve identified 70+! (There are *many* more) ▪ Microsoft Protocol Specifications ▫ Very useful for RPC servers! ▪ Find-RegistrySecurityDescriptors.ps1 19*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx
  • 20. 20
  • 21. Online vs Offline Security Descriptors ▪ Where do objects get their security descriptor? ▫ Offline - Security descriptor derived from registry, file, etc. ▫ Online - Security descriptor is in memory ▪ Our approach for enumeration: ▫ Locally as an unprivileged user ▫ Locally as a privileged user ▫ Remotely as an unprivileged user ▫ Remotely as a privileged user 21
  • 22. Example: Remote Registry ▪ Imagine this scenario: remotely dumping an endpoint’s machine account hash as an “unprivileged” user (i.e. not in local admins)! ▪ Backdoor Process ▫ Remotely backdoor the winreg key with an attacker- controlled user/group (this key == remote registry access) ▫ Add malicious ACEs to the SECURITY and SYSTEM hives 22
  • 23. Example: Remote Registry ▪ (Remote) Backdoor Execution ▫ As the backdoor (domain or local) user, connect to the remote registry service on the backdoored system ▫ Open up specific reg keys linked to LSA and extract their classes ▫ Combine these class values and compute the BootKey ▫ Use the BootKey to decrypt the LSA key ▫ Use the LSA key to decrypt the machine account hash! ▫ EVERYONE GETS A SILVER TICKET!! 23
  • 24. Active Directory Security Descriptors Everything needs an access control model, even AD
  • 25. Active Directory ACL Advantages 25 ▪ A big advantage: by default the DACLs for nearly every AD object can be enumerated by any authenticated user in the domain through LDAP! ▪ Other advantages of AD ACLs: ▫ Changes also have a minimal forensic footprint ▫ Changes often survive OS and domain functional level upgrades, i.e. “misconfiguration debt” ▫ Anti-audit measures can be taken!
  • 27. Generic Rights We Care About 27 GenericAll Allows ALL generic rights to the specified object GenericWrite Allows for the modification of (almost) all properties on a specified object WriteDacl Grants the ability to modify the DACL in the object security descriptor WriteOwner Grants the ability to take ownership of the object
  • 28. Object-specific Rights We Care About 28 Users User-Force-Change-Password or write to the servicePrincipalName Groups Write to the member property Computers None outside of LAPS :( GPOs Modification of GPC-File-Sys-Path Domains WriteDacl to add DCSync rights
  • 29. Example: Abusing Exchange ▪ Exchange Server introduces several schema changes, new nested security groups, and MANY control relationships to Active Directory, making it a perfect spot to blend in amongst the noise! ▪ Pre Exchange Server 2007 SP1, this included the WriteDACL privilege against the domain object itself with Exchange Trusted Subsystem as the principal 29
  • 30. Example: Abusing Exchange ▪ Backdoor Process ▫ Identify a non-protected security group with local admin rights on one or more Exchange servers ▫ Grant Authenticated Users full control over this security group ▫ Change the owner of the group to an Exchange server ▫ Deny Read Permissions on this group to the Everyone principal 30
  • 31. Example: Abusing Exchange ▪ Backdoor Execution ▫ Regain access to the Active Directory domain as any user ▫ Add your current user to the backdoored security group ▫ Use your new local admin rights on an Exchange server to execute commands as the SYSTEM user on that computer ▫ Abuse the rights Exchange Trusted Subsystem has over the domain object (i.e. WriteDacl!) ▫ More information: http://bit.ly/2IIK3K3 31
  • 32. Active Directory + Host ACL Abuse Plugging the Gaps in Attack Chains
  • 33. ▪ Prior to joining active directory, the host is in ultimate control of who can access its resources ▪ After a machine is joined to AD, a few things happen: ▫ The machine is no longer solely in charge of authentication ▫ A portion of key material for the host is stored in another location (machine account hash in ntds.dit) ▫ Default domain group SIDs are added to local groups ▫ Management is no longer solely left to the host (i.e. GPOs :) “Risks” Of Joining Active Directory 33
  • 34. Active Directory: Before and After 34 Workgroup Active Directory Security Principals Local users/groups + Domain users/groups Access/Permission Management Host-based Security Descriptors + Default domain groups added to local groups Authentication NTLM (SAM) + Kerberos/NTLM (NTDS) Resource Administration Manual + GPOs
  • 35. Active Directory: Before and After 35 DCOM Service Administrators admin DOMAINDomain Admins Distributed COM Users DOMAINsrvcacct DOMAINjohnDOMAINsrvadms DOMAINlee
  • 36. The “Actual” Attack Graph ▪ BloodHound doesn’t (currently) take host based security descriptors into account ▪ The actual access graph that exists in a domain includes the security descriptors for every remotely accessible service on every host + AD descriptors ▫ Includes “unrolling” groups… this may not be (currently) realistically possible to model in large environments ¯_(ツ)_/¯ 36
  • 37. Security Implications ▪ Host-based security descriptors are the missing link when thinking about domain attack graphs! ▪ There ARE existing misconfigurations in the security descriptors in some host-based services! ▫ More to come this summer, stay tuned :) ▪ Host-based security descriptor modifications can be chained with AD misconfigurations/modifications ▪ “Fills the gap” left by the lack of an AD ACL computer primitive 37
  • 38. tl;dr Security Implications of Joining Active Directory ▪ When you join a system to Active Directory, you’re introducing additional nodes into the access graph that may affect the security of other systems ▪ You’re also implicitly trusting the security of a large number of other nodes in the graph as well ▫ You’re almost certainly exposing your system’s services to more access than you realize! 38
  • 39. Case Study #1 Picking on Exchange Again :)
  • 40. Case Study: Exchanging Rights ▪ We saw before that the Exchange Trusted Subsystem group (which contains Exchange servers) often has a huge number of rights over the domain ▪ So let’s integrate the remote registry host-based backdoor on an Exchange box! ▫ No changes to the DC or any AD data ▫ Takes advantage of existing misconfigurations! 40
  • 42. Case Study #2 Abusing Existing Misconfigurations
  • 43. Case Study: Abusing Existing Misconfigurations ▪ GPOs set lots of interesting settings! ▫ They can even set host-based security descriptors: ) ▫ Imagine one that modifies the security descriptor for SCM ▪ We can also easily correlate GPOs to find what systems they apply to ▪ What happens if the group SID set for the descriptor via GPO, after unrolling, contains a service account... 43
  • 45. 45 Summary ▪ Access is more than just “local administrators” ! ▪ You should really care about security descriptors! ▪ Host based security descriptors (accidentally misconfigured or maliciously backdoored) can have far- reaching implications for the security of other systems in the domain!
  • 46. 46 Questions? You can find us at @SpecterOps: ▪ @harmj0y , @tifkin_ , @enigma0x3 ▪ [will,lee,matt]@specterops.io