10 Active Directory Misconfigurations That Lead to Total Compromise
+1-888-867-5179 · Austin, TX, 201 W 5th St.
1. Group Policy Preferences Visible Passwords
ATTACK EXPLANATION
Group Policy Preferences (GPP) let an administrator configure local administrator accounts, scheduled tasks, services, data sources and mapped network drives that run or connect with specified credentials when a user logs in. The preference files are XML written to the SYSVOL share of the domain controllers, which every authenticated domain user can read. A password stored in them (the "cpassword" attribute) is encrypted with an AES key that Microsoft published in its own documentation, so any attacker who can read SYSVOL can decrypt every credential stored this way.
POTENTIAL THREAT
An attacker gains the same privileges as the accounts extracted from the GPP XML files. Accounts used in GPPs typically have local administrator rights on every machine the policy applies to. Note that the fix for MS14-025 only prevents the GPP editor from writing new passwords; XML files that already contain a cpassword stay in SYSVOL until they are removed by hand.
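The following is an added example, not code from the original page or from the vendor: it decrypts a GPP cpassword value with the AES-256 key from Microsoft's published GPP documentation (the key that MS14-025 made unusable for new passwords) and then scans the SYSVOL policies share for preference files that still carry one. The Groups.xml sample is constructed to match what the GPP editor writes; its cpassword value is one that circulates in public write-ups of this issue. The `Find-GPPPassword` function assumes a domain-joined session with read access to SYSVOL, which any domain user has.

```powershell
# Added example: decrypt GPP "cpassword" values and locate preference files that still contain one.

function ConvertFrom-GPPPassword {
    param([Parameter(Mandatory)][string]$CPassword)

    # The stored value is Base64 with its '=' padding stripped; restore it first.
    $padLen = (4 - $CPassword.Length % 4) % 4
    $cipher = [Convert]::FromBase64String($CPassword.PadRight($CPassword.Length + $padLen, '='))

    # AES-256 key published by Microsoft for GPP (MS14-025); the IV is 16 zero bytes.
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $key
    $aes.IV      = New-Object byte[] 16
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    $aes.Dispose()
    # GPP stores the password as UTF-16LE.
    [System.Text.Encoding]::Unicode.GetString($plain)
}

function Find-GPPPassword {
    # Walks the policies share and reports every preference item carrying a cpassword.
    param([string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies")

    $files = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
    Get-ChildItem -Path $PoliciesPath -Recurse -File -Include $files -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw
            # cpassword lives on the <Properties> element of each preference item; the
            # account attribute name differs per preference type.
            foreach ($p in $doc.SelectNodes('//Properties[@cpassword]')) {
                if (-not $p.cpassword) { continue }
                [pscustomobject]@{
                    File     = $file.FullName
                    Account  = if ($p.userName) { $p.userName } elseif ($p.accountName) { $p.accountName } else { $p.runAs }
                    Password = ConvertFrom-GPPPassword $p.cpassword
                }
            }
        }
}

# Constructed sample (not from the page): a Groups.xml as written by the GPP editor.
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
</Groups>
'@
[xml]$sample = $sampleXml
foreach ($p in $sample.SelectNodes('//Properties[@cpassword]')) {
    "{0} -> {1}" -f $p.userName, (ConvertFrom-GPPPassword $p.cpassword)
}

# Against a live domain (any authenticated user can read SYSVOL):
# Find-GPPPassword | Format-Table -AutoSize
```

The scan covers all six preference types that can embed credentials; remediation is to delete the offending XML items (the GPP editor can no longer remove just the password) and to change the passwords of the accounts they named, since they must be assumed known.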
2. Hidden Security Identifier (SID)
ATTACK EXPLANATION
The sIDHistory attribute exists so that accounts migrated from another domain keep the access granted to their old SIDs. Every SID listed in sIDHistory is added to the user's ticket, so whoever can write the attribute (normally only possible on a domain controller) can make a low-privileged account inherit the permissions of a high-privileged user or group, for example the SID of Domain Admins, without any visible additional group membership.
POTENTIAL THREAT
A populated sIDHistory on an account that was never migrated, and in particular one containing a privileged SID of the current domain, indicates that an attacker is hiding high-privileged group membership in a low-privileged account as a post-exploitation domain backdoor.
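As an added example (not part of the original page), the audit below lists every object carrying a sIDHistory entry and flags entries that either resolve to a privileged principal or belong to the current domain, which a legitimate migration can never produce. It assumes the RSAT ActiveDirectory module in a domain-joined session; the RID list of privileged principals is the standard one.

```powershell
# Added example: audit sIDHistory for injected, non-migration SIDs.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value
# Well-known privileged RIDs: 500 Administrator, 512 Domain Admins, 518 Schema Admins,
# 519 Enterprise Admins; plus the built-in Administrators group.
$privilegedSids = @("$domainSid-500", "$domainSid-512", "$domainSid-518", "$domainSid-519", 'S-1-5-32-544')

$findings = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
    ForEach-Object {
        $obj = $_
        foreach ($sid in $obj.sIDHistory) {
            # A SID of *this* domain cannot come from a migration; it was injected.
            $sameDomain = $sid.Value.StartsWith("$domainSid-")
            $resolved = 'unresolved'
            try { $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch {}
            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                Class      = $obj.ObjectClass
                HistorySID = $sid.Value
                ResolvesTo = $resolved
                Suspicious = $sameDomain -or ($privilegedSids -contains $sid.Value)
            }
        }
    }

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Remediation for a confirmed injection (removes the one SID, keeps real migration history):
# Set-ADObject -Identity $finding.Object -Remove @{sIDHistory = $finding.HistorySID}
```

Entries from a trusted domain that resolve to ordinary users are normal after a migration; anything that resolves to an administrative group, or that does not resolve at all yet carries the current domain's SID prefix, warrants an incident-response look rather than a silent cleanup.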
3. Golden Ticket
ATTACK EXPLANATION
The KDC encrypts and signs every ticket-granting ticket (TGT) with the long-term key of the "krbtgt" account. An attacker who obtains that key (for example from NTDS.DIT or via DCSync) can forge a TGT for any user, real or fictitious, and embed any group membership he chooses in it, such as Domain Admins.
POTENTIAL THREAT
Every domain controller accepts the forged TGT and exchanges it for service tickets to any service or machine in the domain. The ticket remains usable until the krbtgt password has been reset twice: the KDC accepts tickets encrypted with the previous key as well as the current one, so a single reset is not enough.
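The double reset that invalidates Golden Tickets, as an added example that is not part of the original page. It reports the age of the current krbtgt key and performs two resets with a replication wait in between. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and `repadmin.exe` on the machine running it; the wait parameter is this example's own.

```powershell
# Added example: krbtgt key age and the two-step reset.
Import-Module ActiveDirectory

function Get-KrbtgtKeyAge {
    $k = Get-ADUser krbtgt -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
    [pscustomobject]@{
        PasswordLastSet  = $k.PasswordLastSet
        AgeDays          = [int]((Get-Date) - $k.PasswordLastSet).TotalDays
        KeyVersionNumber = $k.'msDS-KeyVersionNumber'
    }
}

function Reset-KrbtgtTwice {
    # Default wait is the maximum TGT lifetime (10 h) so legitimate tickets issued under
    # the old key expire before it stops being accepted. After a confirmed compromise,
    # shorten it and accept that users and services must re-authenticate.
    param([int]$WaitSeconds = 36000)

    $pdc = (Get-ADDomain).PDCEmulator
    for ($i = 1; $i -le 2; $i++) {
        # The password value is irrelevant; only the key change matters.
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $newPassword -Server $pdc
        Write-Host ("Reset {0} of 2 completed on {1} at {2}" -f $i, $pdc, (Get-Date -Format s))
        if ($i -eq 1) {
            # Push the new key to every DC, then wait before retiring the previous key.
            repadmin /syncall /AdeP $pdc | Out-Null
            Write-Host "Waiting $WaitSeconds s before the second reset..."
            Start-Sleep -Seconds $WaitSeconds
        }
    }
    repadmin /syncall /AdeP $pdc | Out-Null
    Get-KrbtgtKeyAge
}

Get-KrbtgtKeyAge
# Reset-KrbtgtTwice            # routine hygiene, 10 h between resets
# Reset-KrbtgtTwice -WaitSeconds 900   # incident response: replication time only
```

Because the key version number increases with each reset, a ticket forged with the old key fails with a KDC error once the second reset has replicated; the reset must be repeated after every event in which the krbtgt hash could have been read.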
4. Domain Replication Backdoor
ATTACK EXPLANATION
Domain controllers replicate directory data, password hashes included, through the Directory Replication Service. The rights that permit this ("Replicating Directory Changes", "Replicating Directory Changes All" and "Replicating Directory Changes In Filtered Set") are extended rights on the domain naming context, and some services legitimately need them, for example Azure AD Connect. Any principal holding these rights can ask a domain controller to replicate any object to it (the "DCSync" attack) and receives the password hashes of every account, including krbtgt, without being a member of a privileged group.
POTENTIAL THREAT
Full read access to the credential material of every account in the domain, which in turn enables Golden Ticket and pass-the-hash attacks.
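One way to audit who holds replication rights on the domain naming context, as an added example that is not part of the original page. It assumes the RSAT ActiveDirectory module (which provides the `AD:` drive); the GUIDs are the schema's own extended-right identifiers, and the list of expected principals is this example's assumption for a stock domain (add Azure AD Connect's account or similar if you run them).

```powershell
# Added example: list principals with DCSync-capable rights on the domain root.
Import-Module ActiveDirectory

# Extended-right GUIDs of the DS-Replication-Get-Changes family
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# An ACE with an empty ObjectType and ExtendedRight (e.g. GenericAll) grants *all*
# extended rights, replication included, so it must be reported too.
$allExtended = '00000000-0000-0000-0000-000000000000'

$domain = Get-ADDomain
$nb = $domain.NetBIOSName
# Principals that hold these rights in a stock domain (assumption; extend for your environment).
$expected = @('NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$nb\Domain Controllers", "$nb\Enterprise Read-only Domain Controllers",
              "$nb\Domain Admins", "$nb\Enterprise Admins")

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
(Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
    Where-Object {
        $guid = $_.ObjectType.ToString()
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        ($replRights.ContainsKey($guid) -or $guid -eq $allExtended)
    } |
    ForEach-Object {
        $guid = $_.ObjectType.ToString()
        [pscustomobject]@{
            Principal  = $_.IdentityReference.Value
            Right      = if ($replRights.ContainsKey($guid)) { $replRights[$guid] } else { 'all extended rights' }
            Inherited  = $_.IsInherited
            Unexpected = $expected -notcontains $_.IdentityReference.Value
        }
    } | Sort-Object Unexpected, Principal -Descending | Format-Table -AutoSize
```

Any "Unexpected" row is either a documented service account you should add to the expected list or a backdoor to remove; a plain user holding Get-Changes together with Get-Changes-All is the classic DCSync persistence pattern.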
5. Unprivileged Admin Holder ACL
ATTACK EXPLANATION
The ACL of the AdminSDHolder object (CN=AdminSDHolder,CN=System,<domain>) is the template that the SDProp process copies, by default every 60 minutes, onto every protected group (Domain Admins, Enterprise Admins, Administrators and the others Microsoft lists) and onto their members. Adding an ACE that grants an unprivileged user full control or write permissions on AdminSDHolder therefore gives that user the same rights over Domain Admins and its members, and so the ability to add himself or other users to these groups without holding high privileges.
POTENTIAL THREAT
Because SDProp re-applies the template automatically, the attacker's rights return within the hour even if a defender removes them from the Domain Admins group itself. The result is a persistent backdoor that never shows up as a group membership.
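As an added example that is not part of the original page, the audit below diffs the AdminSDHolder ACL against the identities that hold rights on it in a stock domain and then lists accounts that still carry adminCount=1 without belonging to any protected group (leftovers whose ACL no longer inherits, a common hiding place). It assumes the RSAT ActiveDirectory module; the default-identity list is this example's assumption and must be adjusted for products such as Exchange that add documented ACEs of their own.

```powershell
# Added example: non-default ACEs on AdminSDHolder and orphaned adminCount=1 accounts.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$nb = $domain.NetBIOSName
# Identities present on AdminSDHolder in a stock domain (assumption; verify against a reference DC).
$defaultIdentities = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\SELF', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Terminal Server License Servers', 'BUILTIN\Windows Authorization Access Group',
    "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Cert Publishers", "$nb\Key Admins", "$nb\Enterprise Key Admins")

$holder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
"--- ACEs on AdminSDHolder not held by a default identity ---"
(Get-Acl -Path "AD:\$holder").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $defaultIdentities -notcontains $_.IdentityReference.Value } |
    Select-Object @{n='Principal'; e={$_.IdentityReference.Value}}, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize

"--- adminCount=1 accounts outside every protected group ---"
Get-ADUser -LDAPFilter '(adminCount=1)' |
    ForEach-Object {
        # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the server side.
        # (DNs containing ( ) * or \ would need LDAP filter escaping; omitted here.)
        $parents = Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$($_.DistinguishedName)))"
        if (-not $parents) {
            [pscustomobject]@{ Orphan = $_.SamAccountName; DN = $_.DistinguishedName }
        }
    } | Format-Table -AutoSize

# Remediation for a rogue ACE: remove it from AdminSDHolder; SDProp then clears it from
# the protected objects on its next run. Or force it now on the PDC emulator:
#   $rootDse = Get-ADRootDSE -Server $domain.PDCEmulator
#   Set-ADObject -Identity $rootDse.DistinguishedName -Replace @{runProtectAdminGroupsTask = 1} -Server $domain.PDCEmulator
```

An orphaned adminCount=1 account is not itself a backdoor, but its ACL was frozen at the moment it was protected, so any ACE planted on AdminSDHolder while it was a member survives on it indefinitely; reset adminCount to 0 and re-enable inheritance after review.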
6. Power User Enumeration
ATTACK EXPLANATION
Any authenticated user can read most attributes of any object in the domain, including the userAccountControl flags. Enumerating accounts whose password is set to never expire (flag DONT_EXPIRE_PASSWORD, 0x10000) reveals the service and administrative accounts that were excluded from the password policy, which are typically old, weak and highly privileged.
POTENTIAL THREAT
Once guessed or stolen, these credentials give an attacker high privileges in the network that last indefinitely, because nothing ever forces the password to change.
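The enumeration described above, run as an added example (not part of the original page) from the defender's side: it queries the same userAccountControl bit a low-privileged attacker would, then cross-references each hit with nested membership in the privileged groups and with password age, so the riskiest accounts surface first. It assumes the RSAT ActiveDirectory module; the group list is the conventional set of privileged built-in groups.

```powershell
# Added example: accounts exempt from password expiry, ranked by privilege and password age.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
# Resolve nested membership once rather than per account.
$privilegedMembers = $privilegedGroups | ForEach-Object {
    try { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction Stop | Select-Object -ExpandProperty DistinguishedName } catch {}
} | Sort-Object -Unique

# Bitwise LDAP match: 65536 = DONT_EXPIRE_PASSWORD, 2 = ACCOUNTDISABLE (excluded)
$filter = '(&(userAccountControl:1.2.840.113556.1.4.803:=65536)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$report = Get-ADUser -LDAPFilter $filter -Properties PasswordLastSet, LastLogonDate, ServicePrincipalName |
    ForEach-Object {
        [pscustomobject]@{
            Account         = $_.SamAccountName
            Privileged      = $privilegedMembers -contains $_.DistinguishedName
            HasSPN          = [bool]$_.ServicePrincipalName      # also Kerberoastable
            PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 }
            LastLogon       = $_.LastLogonDate
        }
    }

$report | Sort-Object Privileged, PasswordAgeDays -Descending | Format-Table -AutoSize
"{0} non-expiring accounts, {1} of them privileged" -f @($report).Count, @($report | Where-Object Privileged).Count

# Remediation for an interactive account: put it back under the policy and force a change.
# Set-ADUser -Identity $name -PasswordNeverExpires $false -ChangePasswordAtLogon $true
```

A PasswordAgeDays of -1 means the password was never set since creation, or the account was created with a password and the timestamp was cleared by an administrator forcing a change; both deserve a closer look.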
7. Silver Ticket
ATTACK EXPLANATION
Any domain user can request a service ticket for any service principal name (SPN) registered in the domain. The ticket is encrypted with the long-term key of the account that runs the service, so an attacker can collect tickets for services that run under user accounts and brute-force the passwords offline ("Kerberoasting"). This succeeds quickly when the ticket uses RC4, whose key is simply the NT hash of the password, and the password is weak. With the recovered key the attacker can forge service tickets ("Silver Tickets") for that service carrying any user and group membership he chooses, without ever contacting a domain controller.
POTENTIAL THREAT
Fully privileged access to the machines and applications running under the service account, through a forged ticket that the domain controller never sees and that remains valid until the service account's password changes.
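An added example, not part of the original page, that enumerates the accounts an attacker would Kerberoast (user objects with an SPN) and rates each target by the factors that make the offline attack worthwhile: privilege, RC4-only tickets and an old password. It assumes the RSAT ActiveDirectory module; the encryption-type bit values are those of msDS-SupportedEncryptionTypes.

```powershell
# Added example: Kerberoastable accounts ranked by attack value.
Import-Module ActiveDirectory

$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators' | ForEach-Object {
    try { Get-ADGroupMember $_ -Recursive -ErrorAction Stop | Select-Object -ExpandProperty DistinguishedName } catch {}
} | Sort-Object -Unique

# msDS-SupportedEncryptionTypes bits: 0x4 RC4, 0x8 AES128, 0x10 AES256.
# Missing or 0 means the KDC issues RC4 tickets, whose key is the NT hash.
$AesBits = 0x18

# user objects with an SPN, excluding krbtgt and disabled accounts
$filter = '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$props  = 'ServicePrincipalName', 'PasswordLastSet', 'msDS-SupportedEncryptionTypes', 'AdminCount'

$targets = Get-ADUser -LDAPFilter $filter -Properties $props |
    ForEach-Object {
        $etypes = [int]($_.'msDS-SupportedEncryptionTypes')
        [pscustomobject]@{
            Account         = $_.SamAccountName
            SPNs            = ($_.ServicePrincipalName -join ', ')
            Privileged      = ($privileged -contains $_.DistinguishedName) -or ($_.AdminCount -eq 1)
            RC4Only         = ($etypes -band $AesBits) -eq 0
            PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 }
        }
    }

$targets | Sort-Object Privileged, RC4Only, PasswordAgeDays -Descending | Format-Table -AutoSize

# Remediation for a roastable account: a long random password rotated regularly and
# AES-only tickets, or better a gMSA whose 240-byte password rotates itself.
# Set-ADUser -Identity svc_sql -KerberosEncryptionType AES128,AES256
```

AES-only service accounts are still Kerberoastable, but the attacker then cracks AES keys derived with PBKDF2 (4096 iterations) instead of a single MD4, which is orders of magnitude slower; a 25+ character random password makes either path impractical.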
8. Anonymous LDAP Allowed
ATTACK EXPLANATION
By default a domain controller answers anonymous LDAP queries only for the rootDSE. When anonymous operations are enabled (the seventh character of the forest-wide dSHeuristics attribute set to 2), unmanaged endpoints can query Active Directory and gather information on the domain environment without authenticating, and every object that grants read access to ANONYMOUS LOGON or Everyone becomes visible to them.
POTENTIAL THREAT
Attackers can view the directory structure, accounts, groups and permissions from an unauthenticated user on an unjoined computer that merely has network access to a domain controller.
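Both sides of the check, as an added example that is not part of the original page: the configuration read (dSHeuristics, character 7) and an actual anonymous search against a domain controller, which is the only proof that matters. The first part assumes the RSAT ActiveDirectory module; the second needs nothing but TCP reach to port 389 and could be run from an unjoined machine. `Test-AnonymousLdap` is this example's own function.

```powershell
# Added example: is anonymous LDAP enabled, and what does an unauthenticated client actually see?
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" -Properties dSHeuristics
$heur = [string]$dsObj.dSHeuristics
# dSHeuristics is a positional string; character 7 (fLDAPBlockAnonOps) = '2' permits
# anonymous operations beyond rootDSE. Absent or '0' is the secure default.
$anonEnabled = ($heur.Length -ge 7) -and ($heur[6] -eq '2')
"dSHeuristics = '$heur'  -> anonymous LDAP enabled: $anonEnabled"

function Test-AnonymousLdap {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$BaseDN)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # an anonymous simple bind always succeeds; the search is what is gated
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
               $BaseDN, '(objectClass=user)',
               [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'sAMAccountName')
    $req.SizeLimit = 5
    try {
        $resp = $conn.SendRequest($req)
        "anonymous search on $Server returned $($resp.Entries.Count) entries (any > 0 means exposure)"
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # A hardened DC answers operationsError: "a successful bind must be completed"
        "anonymous search on $Server refused: $($_.Exception.Response.ResultCode)"
    } finally { $conn.Dispose() }
}

Test-AnonymousLdap -Server $rootDse.dnsHostName -BaseDN $rootDse.defaultNamingContext

# Hardening: set character 7 back to '0' without disturbing the other positions.
# $chars = $heur.PadRight(7, '0').ToCharArray(); $chars[6] = '0'
# Set-ADObject -Identity $dsObj -Replace @{dSHeuristics = (-join $chars)}
```

Even with anonymous operations enabled, objects are only returned if their ACL grants read access to ANONYMOUS LOGON or Everyone, so the second test may return zero entries on a forest where someone turned on the flag but never widened the ACLs; the flag should still be turned off.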
9. DSRM Login Enabled
ATTACK EXPLANATION
Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory when the directory service is down. Every domain controller has a local DSRM Administrator account whose password is set during promotion and rarely changed afterwards. Normally that account is usable only while the DC is booted into DSRM, but the registry value DsrmAdminLogonBehavior (under HKLM\System\CurrentControlSet\Control\Lsa) can be set to 2 to let it log on over the network at any time. An attacker who already has administrative access to a DC can dump the DSRM password hash, set this value and keep a backdoor to the DC that depends on no domain account.
POTENTIAL THREAT
Full control of and access to the organization's domain controllers that survives password resets of domain accounts and is invisible to monitoring that focuses on domain users.
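Reading DsrmAdminLogonBehavior on every domain controller, as an added example that is not part of the original page. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs and Domain Admin rights; the meaning of the three values is Microsoft's documented one.

```powershell
# Added example: which DCs let the DSRM administrator log on while AD DS is running?
Import-Module ActiveDirectory

$meaning = @{
    0 = 'DSRM account usable only when booted into DSRM (default)'
    1 = 'usable whenever the AD DS service is stopped'
    2 = 'usable at any time, including over the network (backdoor)'
}

$dcs = (Get-ADDomainController -Filter *).HostName
$results = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $key -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    [pscustomobject]@{
        DC       = $env:COMPUTERNAME
        # a missing value behaves like 0
        Behavior = if ($null -eq $v) { 0 } else { [int]$v }
    }
}

$results |
    Select-Object DC, Behavior, @{n='Meaning'; e={ $meaning[[int]$_.Behavior] }} |
    Sort-Object Behavior -Descending | Format-Table -AutoSize

# Remediation on an offending DC: remove the value, then rotate the DSRM password,
# which must be assumed known to whoever set it.
# Invoke-Command -ComputerName $dc { Remove-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DsrmAdminLogonBehavior }
# ntdsutil "set dsrm password" "reset password on server $dc" q q
```

Pair this with monitoring: a change to that registry value on a DC, or a logon event on a DC whose account is the local RID-500 Administrator rather than a domain account, is a high-fidelity signal, because neither happens in normal operations.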
10. Local Admin Traversal
ATTACK EXPLANATION
Since many companies deploy workstations from a common image, the built-in local administrator account frequently has the same password across the entire enterprise. An attacker who dumps the local administrator credentials from one compromised computer can use the NT hash directly, without cracking it, to authenticate to a remote machine over NTLM (pass-the-hash).
POTENTIAL THREAT
Once an attacker obtains local admin credentials on one machine, he can move laterally to every machine in the network that shares the same local admin password, and on each of them harvest the credentials of the domain users who logged on there.
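The standard fix for a shared local administrator password is LAPS, which gives every computer its own randomized password stored in AD. As an added example (not part of the original page), the script below measures LAPS coverage from the directory: a computer whose LAPS expiration attribute is empty has never had its password randomized and is still a lateral-movement hop. It assumes the RSAT ActiveDirectory module and that either the legacy LAPS or the Windows LAPS schema extension is present; the staleness threshold is this example's own.

```powershell
# Added example: which enabled Windows computers are still outside LAPS?
Import-Module ActiveDirectory

$staleDays = 30
$cutoff = (Get-Date).AddDays(-$staleDays)

# Legacy LAPS uses ms-Mcs-AdmPwdExpirationTime, Windows LAPS uses msLAPS-PasswordExpirationTime.
# Querying an attribute the schema does not have fails, so only ask for the ones present.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lapsAttrs = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime' | Where-Object {
    Get-ADObject -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$_))" -SearchBase $schemaNC
}
if (-not $lapsAttrs) { throw 'No LAPS schema extension found: every local administrator password is unmanaged.' }

$report = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like '*Windows*' } `
              -Properties (@('OperatingSystem', 'LastLogonDate') + $lapsAttrs) |
    ForEach-Object {
        $exp = $null
        foreach ($a in $lapsAttrs) { if ($_.$a) { $exp = $_.$a } }
        [pscustomobject]@{
            Computer    = $_.Name
            OS          = $_.OperatingSystem
            LastLogon   = $_.LastLogonDate
            LapsManaged = [bool]$exp
            # the expiration time is stored as a FILETIME integer
            LapsExpires = if ($exp) { [datetime]::FromFileTime([int64]$exp) } else { $null }
        }
    }

$managed   = @($report | Where-Object LapsManaged)
$unmanaged = @($report | Where-Object { -not $_.LapsManaged -and $_.LastLogon -gt $cutoff })
"{0} computers, {1} LAPS-managed, {2} active in the last {3} days without LAPS" -f @($report).Count, $managed.Count, $unmanaged.Count, $staleDays
$unmanaged | Sort-Object Name | Format-Table Computer, OS, LastLogon -AutoSize
```

Computers that are LAPS-managed but whose LapsExpires is far in the past have stopped rotating (the client is not running or cannot write to AD); treat them like unmanaged hosts, and combine the rollout with denying network and remote-desktop logon to local accounts (the well-known SIDs S-1-5-113 and S-1-5-114), which stops pass-the-hash with a local hash even where a password is still shared.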
AD | ASSESS
Attackers exploit misconfigurations and utilize
backdoors to compromise your entire domain.
Find them first with AD|Assess.
All Domain and Active Directory Assessment
Attack simulation to find misconfigurations and
backdoors in AD and the domain network that
lead to total compromise.
GET ASSESSMENT