
The presentation on my "Shadow Admins" research

Shadow Admins are powerful and stealthy privileged accounts - attacker & defenders must know about them.



  1. Shadow Admins. Lavi Lazarovitz, Security Research Team Lead; Asaf Hecht, Security Researcher
  2. Shadow Admins: Underground Accounts That Undermine The Network. Privileged accounts: Admin A, Admin B ... and the Shadow Admin
  3. Industry Standards: SHADOW ADMIN
  4. Industry Standards (CNSSI 4009)
      • Privileged account: an information system account with authorizations of a privileged user
      • Privileged user: a user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform
  5. Discovering Privileged Accounts
      • Built-in Admin Groups (C:\> NET GROUPS /Domain): Enterprise Admins, Domain Admins, Account Operators, Schema Admins
      • Organization Defined Groups (C:\> NET GROUPS /Domain): Administrators_Global, A_Admins_UK, Server_Admins_Local, WS_Admins_Local
      • Active Directory: Shadow Admins
  6. Shadow Admins - IDENTIFICATION CARD. Name: Shadow Admin; D.O.B.: Not part of any privilege group; ID #: S-1-5-21-3623812015-3361044358-30301820-1014; Issued: 08/06/2017; Expires: NEVER. Shadow Admin has Direct Privilege Permissions!
  7. Permissions and ACLs - on directories. Principals: SYSTEM, Administrators, User1, Guest. Permission levels: FULL CONTROL, READ & WRITE, READ ONLY
  8. Permissions and ACLs - in Active Directory. Principals: SYSTEM, Enterprise Admins, Domain Admins, Authenticated Users, User1, User2. ACL entries on AD objects: Groups, Domain root, Containers, GPOs. Permission levels: FULL CONTROL, CREATE CHILD OBJECTS, DELETE CHILD OBJECTS, CHANGE PASSWORD, READ ONLY
  9. LET'S SEE IT
  10. Active Directory - Object tree and ACL
  11. Active Directory - Object tree and ACL
  12. Direct vs Group ACL Assignment: Group assignment vs. Direct assignment
  13. Direct vs Group ACL Assignment
      • Account Emily has DC Sync permission on the Domain and can steal all the passwords
      • Account Emily has Reset Password permission on the Administrator account
  14. The Red Side Scenarios: Privilege Escalation, Persistence
  15. User Rights - Local Privileged Accounts (C:\> NET LOCALGROUP)
      • Administrators: Load and unload device drivers; Manage auditing and security logs
      • Remote Desktop Users: Allow logon through remote desktop services
  16. WATCH THE USER RIGHTS
  17. Local User Rights
  18. User Rights Attack
  19. Our Free Tool - ACLight - Shadow Admin Scanner: PowerShell, GitHub, Automatic
  20. SHADOW ADMIN SCANNER
  21. Privilege ACL Scanner - Results
  22. Privilege ACL Scanner - Results. Full CSV output: every account and its privileged permission
  23. Light In The Shadows: Domain Groups, Local Groups, Shadow Admins
  24. Download & Run Free: https://github.com/CyberArkLabs/ACLight. Lavi.Lazarovitz@cyberark.com, @LaviLazarovitz; Asaf.Hecht@cyberark.com, @Hechtov
  25. Actionable Takeaways
      KNOW all your privileged accounts in the network:
      • By group assignments
      • By ACL analysis of the Active Directory
      HOW:
      • Scan your network for Shadow Admins - accounts that hold sensitive direct permissions
      • Use our free privileged ACL scanning tool: https://github.com/CyberArkLabs/ACLight
      SECURE those newly detected privileged accounts!
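Slides 8, 13 and 25 describe the core check: read the ACL of sensitive AD objects and find principals holding DCSync or Reset Password rights (or full control) without being in the built-in admin groups of slide 5. The script below is an added example written for this page, not ACLight's code; it assumes the RSAT ActiveDirectory module and uses the schema's well-known control-access-right GUIDs.

```powershell
# Added example (not ACLight): report direct ACEs granting DCSync, Reset Password or full
# control on an AD object and flag holders outside the built-in admin groups (slide 5).
Import-Module ActiveDirectory

# Control-access-right GUIDs from the default AD schema.
$ExtendedRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'      # DCSync, part 1
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'  # DCSync, part 2
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'      # Reset Password
}
$GenericRights = 'GenericAll', 'WriteDacl', 'WriteOwner'   # full control without a specific GUID

# Members of these groups are already known admins; any other holder is a shadow-admin candidate.
$AdminGroups = 'Enterprise Admins', 'Domain Admins', 'Administrators', 'Account Operators', 'Schema Admins'
$KnownAdmins = foreach ($g in $AdminGroups) {
    try { (Get-ADGroupMember -Identity $g -Recursive).SamAccountName } catch { }
}
# Principals that legitimately hold replication rights on the domain root.
$Baseline = 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS', 'Domain Controllers', 'Read-only Domain Controllers'

function Get-SensitiveAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)   # the AD: drive comes with the module
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $label  = $ExtendedRights[$ace.ObjectType.ToString()]
        if (-not $label -and ($GenericRights | Where-Object { $rights -match $_ })) { $label = $rights }
        if (-not $label) { continue }
        $name = ($ace.IdentityReference.Value -split '\\')[-1]   # strip the DOMAIN\ prefix
        [pscustomobject]@{
            Object      = $DistinguishedName
            Principal   = $ace.IdentityReference.Value       # unresolved SIDs stay visible as SIDs
            Right       = $label
            Inherited   = $ace.IsInherited                   # direct ACEs are the ones the deck targets
            ShadowAdmin = $name -notin ($AdminGroups + $KnownAdmins + $Baseline)
        }
    }
}

# The two objects from slide 13: the domain root (DCSync) and the built-in Administrator account.
$domainDN = (Get-ADDomain).DistinguishedName
$adminDN  = (Get-ADUser -Identity 'Administrator').DistinguishedName
@($domainDN, $adminDN) | ForEach-Object { Get-SensitiveAce $_ } |
    Where-Object ShadowAdmin | Format-Table -AutoSize
```

Extend the list of objects to OUs, GPOs and privileged groups to cover the object types on slide 8; every flagged row is an account to verify and then remove or formally track, as slide 25 asks.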
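Slides 15 to 18 make the same point for local user rights: an account with "Load and unload device drivers" or "Manage auditing and security logs" is privileged even without being in Administrators. This added example, not part of the deck, exports the local policy with secedit (real tool, real switches) and reports who holds the rights named on slide 15; the default-holder lists are an assumption for a workstation or member server.

```powershell
# Added example (not from the deck): who holds the user rights named on slide 15?
# Run from an elevated PowerShell; secedit requires administrative rights.
$WatchedRights = @{
    'SeLoadDriverPrivilege'         = 'Load and unload device drivers'
    'SeSecurityPrivilege'           = 'Manage auditing and security log'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Remote Desktop Services'
}
# Assumed default holders; anyone else is a local shadow-admin candidate.
$DefaultHolders = @{
    'SeLoadDriverPrivilege'         = @('BUILTIN\Administrators')
    'SeSecurityPrivilege'           = @('BUILTIN\Administrators')
    'SeRemoteInteractiveLogonRight' = @('BUILTIN\Administrators', 'BUILTIN\Remote Desktop Users')
}

function Resolve-PolicySid {
    param([string]$Token)   # secedit writes SIDs as *S-1-5-32-544 and otherwise plain names
    if (-not $Token.StartsWith('*')) { return $Token }
    $sid = $Token.Substring(1)
    try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }   # an unresolvable SID (deleted account) still holds the right: keep it visible
}

function Get-LocalUserRightHolders {
    $cfg = Join-Path $env:TEMP ("urights-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection) { continue }
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $right = $Matches[1]
                if (-not $WatchedRights.ContainsKey($right)) { continue }
                foreach ($token in ($Matches[2] -split ',')) {
                    $holder = Resolve-PolicySid $token.Trim()
                    [pscustomobject]@{
                        Right       = $right
                        Description = $WatchedRights[$right]
                        Holder      = $holder
                        Unexpected  = $holder -notin $DefaultHolders[$right]
                    }
                }
            }
        }
    } finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}

Get-LocalUserRightHolders | Sort-Object Right, Holder | Format-Table -AutoSize
```

Rows marked Unexpected are the local equivalent of the shadow admins on slide 23: compare them against the group memberships NET LOCALGROUP shows, since the right may have been assigned to the account directly.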
