Dude, Where’s My Domain Admins?
Making AD recon and privilege escalation more difficult for attackers
Joel M. Leo, MCSE SI/CP&I, CISSP, SEI SAP
BSides Hawaii - Dude, Where's My Domain Admins? © 2020 Joel M. Leo
Mahalos!
Hi Tech Hui
@pyrotek3 (Sean Metcalf – adsecurity.org)
@gentilkiwi (Benjamin Delpy – mimikatz and more)
SpecterOps (Bloodhound and more)
@harmj0y
@cptjesus
@_wald0
About Me
• Live and work in Honolulu, Hawaii
• Active Directory Architect and Principal Systems Engineer for Gap Inc.
• Principal Consultant for Hi Tech Hui - https://www.hitechhui.com
• PoC for Def Con Groups 808 https://dc808.org @defconhawaii
@joelmleo
https://www.linkedin.com/in/joelmleo
Problem Statement
What’s the problem Earthman?
Default Active Directory permissions allow
any authenticated user to enumerate the
entire directory, including security-sensitive
principals such as Domain Administrators.
Killchain
Image credit: Microsoft
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats
Solution TL;DR
Tighten down AD permissions so only privileged principals can
enumerate these sensitive identities
Ok, a little more detail:
• ***Plan extensively*** and take a system state backup of a DC!
• Create groups & add members according to plan
• Enable “List Object” mode
• Remove ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible
Access’ group!
• Modify OU/container ACLs
• Modify AdminSDHolder ACL and let SDProp do its thing
Technology Background
• AD DACLs, ACEs, and Implicit Deny
• Generic Read, decomposed
• “List Object mode”
• AdminSDHolder & SDProp
All of these capabilities are already in-the-box with Windows
Server. There are no additional products or licenses required.
AD DACLs, ACEs, and Implicit Deny
• DACL = Discretionary Access Control List - applies to an object
to define the object’s set of permissions using ACEs. Not to be
confused with SACLs, which are used for auditing access.
• ACE = Access Control Entry – the individual entries listed on a
DACL that grant a principal permission on the object
AD follows the “implicit deny” model with “access-based
enumeration” – if you aren’t granted permissions to something in
AD you’re implicitly denied access to it & it won’t be listed in
search results, GUI tools, etc.
Generic Read Permission
“Generic Read” permission is just the combination of:
• RC – Read Control; read the security descriptor of the object
• LC – List Contents; list the contents of the object
• RP – Read Properties; read the properties/attributes of the object
• LO – List Object; permission to list the object when the parent
container’s contents are enumerated
These permissions can be separately granted. You see where this is
going =)
List Object Mode
Exposes ‘List Object’ control and enforces its permissions
• A principal now requires List Contents on the parent container and/or List
Object on the objects within to have the object listed when the parent
container’s contents are enumerated
• Enabled by setting dSHeuristics to ‘001’
• dSHeuristics is an attribute of CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition of AD
• Affects the whole forest
• Unicode string value that controls many aspects of AD functionality
• Default string is null
• If the string is NOT empty in your environment, then you need to replace the third character from the left with ‘1’
• More about dSHeuristics: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
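The following PowerShell is an added example, not code from the talk, showing the two changes this slide and the next describe: turning on List Object mode by setting the third character of dSHeuristics, and removing ‘Authenticated Users’ from ‘Pre-Windows 2000 Compatible Access’. It handles the edge case called out above (an environment where dSHeuristics is already non-empty) by preserving the other flags instead of overwriting the string with ‘001’. It assumes the ActiveDirectory module and an account allowed to write to the Configuration partition.

```powershell
# Added example (not from the talk). Enables List Object mode by setting the
# third dSHeuristics character (fDoListObject) to '1' while keeping any other
# flags that are already set, then removes Authenticated Users from the
# Pre-Windows 2000 Compatible Access group. Forest-wide change: test in a lab.
Import-Module ActiveDirectory

# Pure helper: given the current dSHeuristics value (may be null/empty),
# return the value with List Object mode turned on.
function Get-ListObjectHeuristics {
    param([string]$Current)

    if ([string]::IsNullOrEmpty($Current)) {
        return '001'    # default is null: flags 1 and 2 stay '0'
    }
    # Pad with '0' so position 3 exists, then set it. Per MS-ADTS every tenth
    # character is a check digit ('1' at 10, '2' at 20); padding to only three
    # characters never reaches one, and a longer existing string already has it.
    $chars = $Current.PadRight(3, '0').ToCharArray()
    $chars[2] = '1'
    return -join $chars
}

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

$current = (Get-ADObject -Identity $dsPath -Properties dSHeuristics).dSHeuristics
$desired = Get-ListObjectHeuristics -Current $current
Write-Host "dSHeuristics current: '$current'  desired: '$desired'"

if ($current -ne $desired) {
    # -Replace also creates the attribute when it is currently absent.
    # Add -WhatIf on a first run; the value replicates to every DC in the forest.
    Set-ADObject -Identity $dsPath -Replace @{ dSHeuristics = $desired }
}

# Step 4a from the talk: Authenticated Users must leave Pre-Windows 2000
# Compatible Access, or that group's broad read rights undo the tightened ACLs.
# Authenticated Users is the well-known SID S-1-5-11, stored in the group's
# member attribute as a foreignSecurityPrincipal.
$preWin2k = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
$fsp = $preWin2k.member | Where-Object { $_ -like 'CN=S-1-5-11,*' }
if ($fsp) {
    Set-ADGroup -Identity $preWin2k -Remove @{ member = $fsp }
    Write-Host "Removed Authenticated Users from $($preWin2k.Name)"
} else {
    Write-Host "Authenticated Users is not a member of $($preWin2k.Name)"
}
```

The membership removal is done with a plain LDAP modify (`Set-ADGroup -Remove`) rather than `Remove-ADGroupMember`, because the member is a foreign security principal rather than a domain account; both steps are idempotent, so the script can be re-run as a check.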
List Object Mode
AdminSDHolder & SDProp
AdminSDHolder is an object that provides the DACL for
protected accounts and groups, including Domain Admins
SDProp is a process that executes every 60 minutes on the PDC
emulator and compares each protected object’s DACL with
AdminSDHolder’s. If they differ, inheritance is disabled, the DACL
on AdminSDHolder is applied to the object, and its adminCount
attribute is set to 1
More infoz: https://adsecurity.org/?p=1906
Bringing It All Together
With List Object mode enabled, a user that is not granted
permissions to enumerate objects (List Object permission on the
objects themselves) and isn’t granted permissions to List Contents
on the parent container will not be able to see those objects in the
directory.
We modify the DACLs on parent containers and AdminSDHolder,
which then applies the ACL to each of the protected groups and
their members through SDProp.
Lab Environment
• Single AD domain
• Mostly default
• Privsep
• Regular account: joelmleo
• Sysadmin: sa-joelleo
• Domain admin: da-joelmleo
All accounts, including the regular account joelmleo, can see the Domain Admins group and everything else
Solution Outline
1. PlanPlanPlan - Who needs to have access to what, and what permissions
do they need?
2. Take a system state backup of a domain controller
3. Create groups and add members according to your plan
4. Enable ‘List Object mode’
a. Remove ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’
group!
5. Modify OU/container ACLs
a. Remove ‘List Contents’ permission from ‘Authenticated Users’
6. Modify AdminSDHolder ACL
a. Remove ‘Authenticated Users’
b. Add the group(s) which should be able to see these with Read permissions
7. Let SDProp do its thing
Our Plan
Goal: Hide our Domain Admins (and other protected entities) from
enumeration by unprivileged users
Containers that hold the objects we want to hide: ‘CN=Builtin,’
‘CN=Users’ & ‘OU=Administrative Users,OU=Users,OU=Lab
Accounts’
Group that will be granted privileges to enumerate these hidden
objects: ‘HiddenObjects-Enumerate’
Members of our Sysadmin team should be able to enumerate
these objects with their sa- accounts, so they will be added to the
above group
ChChChChaangees 1
• Created ‘HiddenObjects-Enumerate’ group
• Added sa- accounts as members
ChChChChaangees 2
• Removed ‘Authenticated Users’ from the ‘Pre-Windows 2000
Compatible Access’ group
• Set dSHeuristics to ‘001’
ChChChChaangees 3
• Removed ‘List Contents’ permission from ‘Authenticated Users’ on
• CN=Builtin
• CN=Users
• OU=Administrative Users,OU=Users,OU=Lab Accounts
• AdminSDHolder changes
• Removed ‘Authenticated Users’ permissions
• Added ‘HiddenObjects-Enumerate’ with ‘Generic Read’ perms
• Manually kicked off SDProp (I cheated – could have waited an
hour)
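The ACL and AdminSDHolder changes on this slide (steps 5 through 7 of the outline) as one added PowerShell example; this is not the speaker’s code. The container DNs and the ‘HiddenObjects-Enumerate’ group name are the ones from the talk’s lab plan, so adjust them to your own plan. The talk says SDProp was “manually kicked off” without naming a method; the rootDSE write used at the end is my choice and requires Windows Server 2008 R2 or later. Assumes the ActiveDirectory module (which provides the AD: drive used with Get-Acl/Set-Acl) and that List Object mode is already enabled.

```powershell
# Added example (not from the talk). Steps 5-7: drop List Contents for
# Authenticated Users on the containers that hold protected objects, rewrite
# AdminSDHolder so only HiddenObjects-Enumerate can read it, then trigger
# SDProp on the PDC emulator. Take a system state backup of a DC first.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # Authenticated Users
$readers   = (Get-ADGroup -Identity 'HiddenObjects-Enumerate').SID     # group from the talk
$LC        = [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren

# Containers from the talk's lab plan; replace the OU path with your own.
$containers = @(
    "CN=Builtin,$domainDN",
    "CN=Users,$domainDN",
    "OU=Administrative Users,OU=Users,OU=Lab Accounts,$domainDN"
)

# Explicit (non-inherited) ACEs for one SID, returned SID-typed so the
# comparison does not depend on name translation.
function Get-ExplicitAces {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl,
          [System.Security.Principal.SecurityIdentifier]$Sid)
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Sid }
}

# Step 5a: clear only the List Contents (LC) bit and keep the rest of each ACE
# (RC/RP/LO), so the container itself stays readable to everyone.
foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in Get-ExplicitAces -Acl $acl -Sid $authUsers) {
        $rights = [int]$ace.ActiveDirectoryRights
        if (($rights -band $LC) -eq 0) { continue }
        $acl.RemoveAccessRuleSpecific($ace)
        $remaining = $rights -band (-bnot $LC)
        if ($remaining -ne 0) {
            $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                $ace.IdentityReference,
                [System.DirectoryServices.ActiveDirectoryRights]$remaining,
                $ace.AccessControlType, $ace.ObjectType,
                $ace.InheritanceType, $ace.InheritedObjectType))
        }
    }
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    Write-Host "Removed List Contents for Authenticated Users on $dn"
}

# Step 6: AdminSDHolder. Remove every explicit Authenticated Users ACE and
# grant Generic Read (RC+LC+RP+LO) to the enumeration group. SDProp stamps
# this DACL onto Domain Admins and the other protected principals.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$domainDN"
$acl = Get-Acl -Path "AD:\$adminSdHolder"
foreach ($ace in Get-ExplicitAces -Acl $acl -Sid $authUsers) {
    $acl.RemoveAccessRuleSpecific($ace)
}
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $readers,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.Principal.AccessControlType]::Allow))
Set-Acl -Path "AD:\$adminSdHolder" -AclObject $acl

# Step 7: SDProp runs every 60 minutes on the PDC emulator. Instead of
# waiting, ask it to run now through the rootDSE operational attribute.
$rootDse = [ADSI]"LDAP://$($domain.PDCEmulator)/RootDSE"
$rootDse.Put('runProtectAdminGroups', 1)
$rootDse.SetInfo()
Write-Host "SDProp triggered on $($domain.PDCEmulator); protected objects now get adminCount=1"
```

Editing the existing Authenticated Users ACE bit-by-bit, rather than deleting it outright, mirrors what the GUI does when you untick ‘List Contents’ and avoids accidentally removing Read Control or Read Properties that other tooling may still rely on.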
Demo:
Execute Solution
Regular account joelmleo can no longer see the Domain Admins group, or any other protected principal
Domain Admins??
Demo:
Run Some Queries
Privileged account sa-joelleo can still see the Domain Admins group and all other protected principals
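The two demo queries above, regular versus privileged account, as an added verification script (not from the talk). It prompts for both sets of credentials, asks each one for the objects SDProp has stamped with adminCount=1, and then checks the two configuration preconditions so the whole thing can be scheduled as a recurring control. The group name is the talk’s; the expected outcome is zero protected principals for the regular account and a visible Domain Admins group for the member of ‘HiddenObjects-Enumerate’.

```powershell
# Added example (not from the talk): confirm the result from both vantage
# points and re-check the two settings the technique depends on.
Import-Module ActiveDirectory

$server = (Get-ADDomain).PDCEmulator

# Count adminCount=1 objects and test whether Domain Admins resolves, as seen
# by the supplied credentials. With List Object mode and the tightened DACLs a
# hidden object looks non-existent rather than access-denied, so a lookup
# failure is the expected signal for an unprivileged account.
function Test-ProtectedVisibility {
    param([pscredential]$Credential)

    $protected = @(Get-ADObject -LDAPFilter '(adminCount=1)' -Server $server -Credential $Credential)
    $da = $null
    try {
        $da = Get-ADGroup -Identity 'Domain Admins' -Server $server -Credential $Credential
    } catch {
        $da = $null
    }
    [pscustomobject]@{
        User             = $Credential.UserName
        ProtectedVisible = $protected.Count
        SeesDomainAdmins = [bool]$da
    }
}

# Preconditions: third dSHeuristics character is '1', and Authenticated Users
# (S-1-5-11) is no longer in Pre-Windows 2000 Compatible Access.
function Test-HidingPreconditions {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $heur     = (Get-ADObject -Identity $dsPath -Properties dSHeuristics).dSHeuristics
    $members  = (Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member).member
    [pscustomobject]@{
        ListObjectMode        = [bool]($heur -and $heur.Length -ge 3 -and $heur[2] -eq '1')
        AuthUsersInPreWin2000 = [bool]($members -like 'CN=S-1-5-11,*')
    }
}

$regular = Get-Credential -Message 'Regular (unprivileged) account'
$admin   = Get-Credential -Message 'Member of HiddenObjects-Enumerate'

@(
    Test-ProtectedVisibility -Credential $regular
    Test-ProtectedVisibility -Credential $admin
) | Format-Table -AutoSize

Test-HidingPreconditions | Format-List
```

If the regular account still returns a non-zero ProtectedVisible count, the usual causes are a container that still grants ‘List Contents’ to Authenticated Users, a protected object SDProp has not yet re-stamped, or an unprivileged account that is itself a member of a protected group (the privilege-separation pitfall the talk covers later).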
What Else Can This Do?
• Can be used to hide accounts that need long-lived passwords
from casual enumeration
• Better choice would be to rotate the passwords =)
• Hide service accounts, including gMSAs
• Hide sensitive computer accounts
• Admin workstations
• Sensitive servers
• Hide GPOs
What Doesn’t This Solve?
• This does nothing for you if everyone is a domain admin
• Efficacy is greatly reduced if privileged users are allowed to log
in to any machine – use PAW/tiering!
• Even if an account is hidden in this way, it can still be used to
authenticate. If you document the username and password on
Confluence, in your git repositories, hardcoded in scripts, etc.,
an attacker can still make use of them if they find the creds
• An attacker that obtains a system state backup, IFM copy,
NTDS.DIT etc. may be able to enumerate objects inside
Pitfalls
• This should be a tactic as part of a larger security strategy
• Unprivileged users will not be able to browse to find these objects
• Service accounts are particularly affected. Users need to type in the
account’s name instead of browsing. Can still use sc.exe, PowerShell, etc. to
set service creds.
• IAM tools will fail to enumerate hidden objects unless granted
privileges
• Requires some level of privilege separation. If a regular user account
is a member of a group protected by SDProp, many tools that user
requires will fail when this is implemented.
• Solution – use separate accounts for elevated privileges
• Applications that do silly things to validate they’ve auth’d to AD
Conclusion
Through a combination of AD’s “List Object mode,” ACL
modification, and SDProp, we can raise the bar on our Active
Directory security by hiding highly-privileged accounts, making it
that much more difficult for an attacker to elevate their privileges in
AD.
#SecurityIsNeverDone
Additional Resources
• “An ACE up the Sleeve” PDF available here: https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
• @PyroTek3 (Sean Metcalf, https://adsecurity.org)
• Bloodhound https://github.com/BloodHoundAD
• PowerSploit https://github.com/PowerShellMafia/PowerSploit
• Best practices for securing AD https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
• MS-ADTS https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts
Q&A
@joelmleo

More Related Content

Similar to BSides Hawaii 2020: Dude, Wheres My Domain Admins

Better access control of administrators
Better access control of administratorsBetter access control of administrators
Better access control of administratorsRahul Sisondia
 
ppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdfppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdfcamyla81
 
Active directory - an introduction
Active directory - an introductionActive directory - an introduction
Active directory - an introductionpepoluan
 
Synapse india reviews on drupal intro
Synapse india reviews on drupal introSynapse india reviews on drupal intro
Synapse india reviews on drupal introTarunsingh198
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2Con USA 2017: Introduction to Security: End-to-End Identity ManagementWSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2Con USA 2017: Introduction to Security: End-to-End Identity ManagementWSO2
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environmentDavid Rowe
 
Cause 2013: A Flexible Approach to Creating an Enterprise Directory
Cause 2013: A Flexible Approach to Creating an Enterprise DirectoryCause 2013: A Flexible Approach to Creating an Enterprise Directory
Cause 2013: A Flexible Approach to Creating an Enterprise Directoryrwgorrel
 
MySQL: Create multiple DB accounts for an app using SYSTEM_USER privilege and...
MySQL: Create multiple DB accounts for an app using SYSTEM_USER privilege and...MySQL: Create multiple DB accounts for an app using SYSTEM_USER privilege and...
MySQL: Create multiple DB accounts for an app using SYSTEM_USER privilege and...Arnab Ray
 
Drupal intro-training-in-mumbai
Drupal intro-training-in-mumbaiDrupal intro-training-in-mumbai
Drupal intro-training-in-mumbaivibrantuser
 
Role-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4jRole-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4jNeo4j
 
Windows 2008 Active Directory Branch office Management_MVP Sampath Perera
Windows 2008 Active Directory Branch office Management_MVP Sampath PereraWindows 2008 Active Directory Branch office Management_MVP Sampath Perera
Windows 2008 Active Directory Branch office Management_MVP Sampath PereraQuek Lilian
 
Introduction to Active Directory
Introduction to Active DirectoryIntroduction to Active Directory
Introduction to Active DirectoryJalpesh Vadgama
 
Cairo meetup low code best practices
Cairo meetup low code best practicesCairo meetup low code best practices
Cairo meetup low code best practicesAhmed Keshk
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119lior mazor
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax
 
Mitigating Risk in a Complex Hybrid Directory Environment
Mitigating Risk in a Complex Hybrid Directory EnvironmentMitigating Risk in a Complex Hybrid Directory Environment
Mitigating Risk in a Complex Hybrid Directory EnvironmentQuest
 
Protect your Database with Data Masking & Enforced Version Control
Protect your Database with Data Masking & Enforced Version Control	Protect your Database with Data Masking & Enforced Version Control
Protect your Database with Data Masking & Enforced Version Control DBmaestro - Database DevOps
 

Similar to BSides Hawaii 2020: Dude, Wheres My Domain Admins (20)

Better access control of administrators
Better access control of administratorsBetter access control of administrators
Better access control of administrators
 
ppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdfppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdf
 
Active directory - an introduction
Active directory - an introductionActive directory - an introduction
Active directory - an introduction
 
Synapse india reviews on drupal intro
Synapse india reviews on drupal introSynapse india reviews on drupal intro
Synapse india reviews on drupal intro
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2Con USA 2017: Introduction to Security: End-to-End Identity ManagementWSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environment
 
Cause 2013: A Flexible Approach to Creating an Enterprise Directory
Cause 2013: A Flexible Approach to Creating an Enterprise DirectoryCause 2013: A Flexible Approach to Creating an Enterprise Directory
Cause 2013: A Flexible Approach to Creating an Enterprise Directory
 
MySQL: Create multiple DB accounts for an app using SYSTEM_USER privilege and...
MySQL: Create multiple DB accounts for an app using SYSTEM_USER privilege and...MySQL: Create multiple DB accounts for an app using SYSTEM_USER privilege and...
MySQL: Create multiple DB accounts for an app using SYSTEM_USER privilege and...
 
Drupal -Introduction to Drupal
Drupal -Introduction to DrupalDrupal -Introduction to Drupal
Drupal -Introduction to Drupal
 
Drupal intro-training-in-mumbai
Drupal intro-training-in-mumbaiDrupal intro-training-in-mumbai
Drupal intro-training-in-mumbai
 
Role-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4jRole-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4j
 
Windows 2008 Active Directory Branch office Management_MVP Sampath Perera
Windows 2008 Active Directory Branch office Management_MVP Sampath PereraWindows 2008 Active Directory Branch office Management_MVP Sampath Perera
Windows 2008 Active Directory Branch office Management_MVP Sampath Perera
 
Introduction to Active Directory
Introduction to Active DirectoryIntroduction to Active Directory
Introduction to Active Directory
 
Cairo meetup low code best practices
Cairo meetup low code best practicesCairo meetup low code best practices
Cairo meetup low code best practices
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
 
Mitigating Risk in a Complex Hybrid Directory Environment
Mitigating Risk in a Complex Hybrid Directory EnvironmentMitigating Risk in a Complex Hybrid Directory Environment
Mitigating Risk in a Complex Hybrid Directory Environment
 
Protect your Database with Data Masking & Enforced Version Control
Protect your Database with Data Masking & Enforced Version Control	Protect your Database with Data Masking & Enforced Version Control
Protect your Database with Data Masking & Enforced Version Control
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Recently uploaded (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

BSides Hawaii 2020: Dude, Wheres My Domain Admins

  • 1. Dude, Where’s My Domain Admins? Making AD recon and privilege escalation more difficult for attackers Joel M. Leo, MCSE SI/CP&I, CISSP, SEI SAP
  • 2. Dude, Where’s My Domain Admins? Making AD recon and privilege escalation more difficult for attackers Joel M. Leo, MCSE SI/CP&I, CISSP, SEI SAP
  • 3. BSides Hawaii - Dude, Where's My Domain Admins? © 2020 Joel M. Leo Mahalos! Hi Tech Hui @pyrotek3 (Sean Metcalf – adsecurity.org) @gentilkiwi (Benjamin Delpy – mimikatz and more) SpecterOps (Bloodhound and more) @harmj0y @cptjesus @_wald0
  • 4. About Me • Live and work in Honolulu, Hawaii • Active Directory Architect and Principal Systems Engineer for Gap Inc. • Principal Consultant for Hi Tech Hui - https://www.hitechhui.com • PoC for Def Con Groups 808 https://dc808.org @defconhawaii @joelmleo https://www.linkedin.com/in/joelmleo BSides Hawaii - Dude, Where's My Domain Admins? © 2020 Joel M. Leo
  • 5. Problem Statement What’s the problem Earthman? Default Active Directory permissions allow any authenticated user to enumerate the entire directory, including security-sensitive principals such as Domain Administrators. BSides Hawaii - Dude, Where's My Domain Admins? © 2020 Joel M. Leo
  • 6. Killchain BSides Hawaii - Dude, Where's My Domain Admins? © 2020 Joel M. Leo Image credit: Microsoft https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats
  • 7. Solution TL;DR Tighten down AD permissions so only privileged principals can enumerate these sensitive identities Ok, a little more detail: • ***Plan extensively*** and take a system state backup of a DC! • Create groups & add members according to plan • Enable “List Object” mode • Remove ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group! • Modify OU/container ACLs • Modify AdminSDHolder ACL and let SDProp do its thing BSides Hawaii - Dude, Where's My Domain Admins? © 2020 Joel M. Leo
  • 8. Technology Background
    • AD DACLs, ACEs, and Implicit Deny
    • Generic Read, decomposed
    • “List Object mode”
    • AdminSDHolder & SDProp
    All of these capabilities are already in-the-box with Windows Server. There are no additional products or licenses required.
  • 9. AD DACLs, ACEs, and Implicit Deny
    • DACL = Discretionary Access Control List - applies to an object to define the object’s set of permissions using ACEs. Not to be confused with SACLs, which are used for auditing access.
    • ACE = Access Control Entry – the individual entries listed on a DACL that grant a principal permission on the object.
    AD follows the “implicit deny” model with “access-based enumeration” – if you aren’t granted permissions to something in AD you’re implicitly denied access to it & it won’t be listed in search results, GUI tools, etc.
  • 10. Generic Read Permission
    “Generic Read” permission is just the combination of:
    • RC – Read Control; read the security descriptor of the object
    • LC – List Contents; list the contents of the object
    • RP – Read Properties; read the properties/attributes of the object
    • LO – List Object; permission to list the object when the parent container’s contents are enumerated
    These permissions can be separately granted. You see where this is going =)
  • 11. List Object Mode
    Exposes ‘List Object’ control and enforces its permissions
    • A principal now requires List Contents on the parent container and/or List Object on the objects within to have the object listed when the parent container’s contents are enumerated
    • Enabled by setting dSHeuristics to ‘001’
      • dSHeuristics is an attribute of CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition of AD
      • Affects the whole forest
      • Unicode string value that controls many aspects of AD functionality
      • Default string is null
      • If the string is NOT empty in your environment, then you need to replace the third character from the left with ‘1’
    • More about dSHeuristics: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
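Enabling List Object mode the way the slide describes, as an added PowerShell example that is not part of the talk: it reads the forest's current dSHeuristics and handles both the null default (set to ‘001’) and the non-empty case (replace only the third character, fDoListObject in MS-ADTS). It assumes the ActiveDirectory module and rights to write the Configuration partition; the function name is my own.

```powershell
# Added example, not from the talk: enable List Object mode by setting the third
# character of dSHeuristics (fDoListObject in MS-ADTS) to '1' while preserving any
# other characters already set. Forest-wide change: take a DC system state backup first.
Import-Module ActiveDirectory

function Enable-ListObjectMode {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsDN     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $current  = (Get-ADObject -Identity $dsDN -Properties dSHeuristics).dSHeuristics

    if ([string]::IsNullOrEmpty($current)) {
        # Default (null) value: the documented setting is simply '001'
        $new = '001'
    } else {
        # Non-empty value: keep every other character, flip only position 3
        $chars    = $current.PadRight(3, '0').ToCharArray()
        $chars[2] = '1'
        $new      = -join $chars
    }

    if ($new -eq $current) {
        Write-Verbose "List Object mode already enabled (dSHeuristics='$current')"
        return $current
    }
    if ($PSCmdlet.ShouldProcess($dsDN, "Set dSHeuristics '$current' -> '$new'")) {
        Set-ADObject -Identity $dsDN -Replace @{ dSHeuristics = $new }
    }
    return $new
}

# Dry run first (-WhatIf prints the change without writing it), then apply
Enable-ListObjectMode -WhatIf
Enable-ListObjectMode -Verbose
```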
  • 12. List Object Mode
  • 13. AdminSDHolder & SDProp
    AdminSDHolder is an object that provides the DACL for protected accounts and groups, including Domain Admins.
    SDProp is a process that executes every 60 minutes on the PDC emulator which compares protected objects’ DACLs with AdminSDHolder’s. If they differ, inheritance is disabled, the DACL on AdminSDHolder is applied to the object, and its adminCount attribute is set to 1.
    More infoz: https://adsecurity.org/?p=1906
  • 14. Bringing It All Together
    With List Object mode enabled, a user that is not granted permissions to enumerate objects (List Object permission on the objects themselves) and isn’t granted permissions to List Contents on the parent container will not be able to see those objects in the directory.
    We modify the DACLs on parent containers and AdminSDHolder, which then applies the ACL to each of the protected groups and their members through SDProp.
  • 15. Lab Environment
    • Single AD domain
    • Mostly default
    • Privsep
      • Regular account: joelmleo
      • Sysadmin: sa-joelleo
      • Domain admin: da-joelmleo
  • 16. All accounts, including regular account - joelmleo
    Can see the Domain Admins group and everything else
  • 17. Solution Outline
    1. PlanPlanPlan - Who needs to have access to what, and what permissions do they need?
    2. Take a system state backup of a domain controller
    3. Create groups and add members according to your plan
    4. Enable “List Object mode”
       a. Remove ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group!
    5. Modify OU/container ACLs
       a. Remove ‘List Contents’ permission from ‘Authenticated Users’
    6. Modify AdminSDHolder ACL
       a. Remove ‘Authenticated Users’
       b. Add the group(s) which should be able to see these with Read permissions
    7. Let SDProp do its thing
  • 18. Our Plan
    Goal: Hide our Domain Admins (and other protected entities) from enumeration by unprivileged users
    Containers that hold the objects we want to hide: ‘CN=Builtin’, ‘CN=Users’ & ‘OU=Administrative Users,OU=Users,OU=Lab Accounts’
    Group that will be granted privileges to enumerate these hidden objects: ‘HiddenObjects-Enumerate’
    Members of our Sysadmin team should be able to enumerate these objects with their sa- accounts, so they will be added to the above group
  • 19. ChChChChaangees 1
    • Created ‘HiddenObjects-Enumerate’ group
    • Added sa- accounts as members
  • 20. ChChChChaangees 2
    • Removed ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group
    • Set dSHeuristics to ‘001’
  • 21. ChChChChaangees 3
    • Removed ‘List Contents’ permission from ‘Authenticated Users’ on
      • CN=Builtin
      • CN=Users
      • OU=Administrative Users,OU=Users,OU=Lab Accounts
    • AdminSDHolder changes
      • Removed ‘Authenticated Users’ permissions
      • Added ‘HiddenObjects-Enumerate’ with ‘Generic Read’ perms
    • Manually kicked off SDProp (I cheated – could have waited an hour)
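The container, AdminSDHolder and SDProp changes above (steps 5 to 7 of the Solution Outline), as an added PowerShell example that is not the talk's own script: it strips only the LC bit from Authenticated Users so RC/RP/LO that shared the same ACE survive, grants ‘HiddenObjects-Enumerate’ Generic Read on AdminSDHolder, and triggers SDProp via RunProtectAdminGroupsTask. It assumes the ActiveDirectory module (for the AD: drive), Domain Admin rights, the lab's container names, and that the group from step 3 already exists; the helper function name is my own.

```powershell
# Added example, not from the talk: steps 5-7 of the Solution Outline (containers,
# AdminSDHolder, SDProp). Assumes the ActiveDirectory module (AD: drive), Domain Admin
# rights, and that 'HiddenObjects-Enumerate' already exists. Back up a DC first.
Import-Module ActiveDirectory
$domainDN  = (Get-ADDomain).DistinguishedName
$enumGroup = Get-ADGroup 'HiddenObjects-Enumerate'
$LC        = [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren

function Get-AuthUsersAllowAces([System.DirectoryServices.ActiveDirectorySecurity]$acl) {
    # Explicit Allow ACEs for Authenticated Users (S-1-5-11); inherited ACEs are left alone
    $acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-11'
    }
}

# Step 5: remove only the List Contents (LC) bit from Authenticated Users on each container,
# keeping RC/RP/LO and anything else that was packed into the same ACE
foreach ($dn in "CN=Builtin,$domainDN", "CN=Users,$domainDN",
                "OU=Administrative Users,OU=Users,OU=Lab Accounts,$domainDN") {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in @(Get-AuthUsersAllowAces $acl)) {
        $rights = [int]$ace.ActiveDirectoryRights
        if (($rights -band $LC) -eq 0) { continue }
        [void]$acl.RemoveAccessRuleSpecific($ace)
        $remaining = $rights -band (-bnot $LC)
        if ($remaining -ne 0) {
            $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                $ace.IdentityReference, [System.DirectoryServices.ActiveDirectoryRights]$remaining,
                $ace.AccessControlType, $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType))
        }
    }
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Step 6: AdminSDHolder - drop Authenticated Users, grant the enumerate group Generic Read (RC+LC+RP+LO)
$sdHolder = "AD:\CN=AdminSDHolder,CN=System,$domainDN"
$acl = Get-Acl -Path $sdHolder
foreach ($ace in @(Get-AuthUsersAllowAces $acl)) { [void]$acl.RemoveAccessRuleSpecific($ace) }
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $enumGroup.SID, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
Set-Acl -Path $sdHolder -AclObject $acl

# Step 7: run SDProp on the PDC emulator now (2008 R2 and later) instead of waiting up to 60 minutes
$rootDse = [ADSI]"LDAP://$((Get-ADDomain).PDCEmulator)/RootDSE"
$rootDse.Put('RunProtectAdminGroupsTask', '1')
$rootDse.SetInfo()
```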
  • 22. Demo: Execute Solution
  • 23. Regular Account - joelmleo
    Can no longer see the Domain Admins group, or any other protected principal
  • 24. Domain Admins??
  • 25. Demo: Run Some Queries
  • 29. Privileged Account sa-joelleo
    Can still see the Domain Admins group and all other protected principals
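A way to check the before/after result of the demo from each kind of session, as an added PowerShell example that is not part of the talk: run it as the regular account and it should report zero protected objects and no Domain Admins group; run it as an sa- account and it should report the full set. It assumes the ActiveDirectory module on the client; the function name is my own.

```powershell
# Added example, not from the talk: report what the current session can see after the
# ACL changes. Run once as the regular account (joelmleo) and once as an sa- account.
Import-Module ActiveDirectory

function Test-ProtectedObjectsVisible {
    $domain = Get-ADDomain
    # SDProp stamps adminCount=1 on the principals it protects; the attribute stays set if
    # an object is later removed from a protected group, so treat the result as a superset
    $searcher = [adsisearcher]'(&(adminCount=1)(|(objectClass=user)(objectClass=group)))'
    $searcher.PageSize = 1000
    $visible = @($searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })

    # Domain Admins is always <domain SID>-512; a lookup by SID shows whether the object is
    # hidden even from a direct read, not merely absent from browsing
    $daBySid = Get-ADGroup -Identity "$($domain.DomainSID)-512" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RunningAs            = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        ProtectedObjectsSeen = $visible.Count
        DomainAdminsVisible  = [bool]$daBySid
        Sample               = $visible | Select-Object -First 5
    }
}

Test-ProtectedObjectsVisible
```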
  • 30. What Else Can This Do?
    • Can be used to hide accounts that need long-lived passwords from casual enumeration
      • Better choice would be to rotate the passwords =)
    • Hide service accounts, including gMSAs
    • Hide sensitive computer accounts
      • Admin workstations
      • Sensitive servers
    • Hide GPOs
  • 31. What Doesn’t This Solve?
    • This does nothing for you if everyone is a domain admin
    • Efficacy is greatly reduced if privileged users are allowed to log in to any machine – use PAW/tiering!
    • Even if an account is hidden in this way, it can still be used to authenticate. If you document the username and password on Confluence, in your git repositories, hardcoded in scripts, etc., an attacker can still make use of them if they find the creds
    • An attacker that obtains a system state backup, IFM copy, NTDS.DIT etc. may be able to enumerate objects inside
  • 32. Pitfalls
    • This should be a tactic as part of a larger security strategy
    • Unprivileged users will not be able to browse to find these objects
      • Service accounts are particularly affected. Users need to type in the account’s name, instead of browsing. Can still use sc.exe, PowerShell, etc. to set service creds.
    • IAM tools will fail to enumerate hidden objects unless granted privileges
    • Requires some level of privilege separation. If a regular user account is a member of a group protected by SDProp, many tools that user requires will fail when this is implemented.
      • Solution – use separate accounts for elevated privileges
    • Applications that do silly things to validate they’ve auth’d to AD
  • 33. Conclusion
    Through a combination of AD’s “List Object mode,” ACL modification, and SDProp, we can raise the bar on our Active Directory security by hiding highly-privileged accounts, making it that much more difficult for an attacker to elevate their privileges in AD.
    #SecurityIsNeverDone
  • 34. Additional Resources
    • “An ACE up the Sleeve” PDF available here: https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
    • @PyroTek3 (Sean Metcalf, https://adsecurity.org)
    • Bloodhound https://github.com/BloodHoundAD
    • PowerSploit https://github.com/PowerShellMafia/PowerSploit
    • Best practices for securing AD https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
    • MS-ADTS https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts
  • 35. Q&A @joelmleo

Editor's Notes

  1. 2 I’m honored to speak with you today about a tactic we can use to make life a little harder for attackers in our Active Directory environments. By implementing this tactic, attackers have a more difficult time identifying highly privileged users in AD, making their choice of targets more difficult.
     95% of the Fortune 500 use AD
     29% of breaches in DBIR (Verizon Data Breach Investigations Report) 2019 involved stolen credentials - 68% of breaches that featured Hacking
     2019 Median dwell time for an attacker was 56 days (78 in 2018) – Mandiant
     We raise the bar on our AD security to trip attackers up and stand a better chance of detecting them before they cause more damage.
  2. .5
  3. .5
  4. 2 Explain why this is a problem
  5. Describe killchain and where this problem comes in, then where the solution comes in
  6. Help set baseline understanding of the technologies involved
  7. ACL management in AD is… complicated. The default tools (ADUC, ADS&S, etc.) are scandalously bad for this sort of thing – you can’t even see the Security tab under which ACLs are listed without turning on “Advanced Features.” The AD module for PowerShell isn’t much better.
  8. RC = Read Control, LC = List Contents, RP = Read Properties, LO = List Object
  9. Default operational mode is “list child.” dSHeuristics also controls anonymous ldap, which groups are “protected groups” (dwAdminSDExMask – 16th character,) anr, some ad lds functionality, and more
  11. Manually running sdprop 2008 and earlier = fixupinheritance, 2008 r2 and later = RunProtectAdminGroupsTask
  12. net group, wmic, dsquery/dsget, the [adsisearcher] type accelerator, PowerView recon modules
  13. .NET calls out of the AccountManagement namespace, LDAP, RPC
  14. AAD Connect sync account would be a good example of a service account worth hiding – DS-Replication-Get-Changes and *-All
  15. Use mimikatz example