The document discusses securing Active Directory by making it more difficult for attackers to enumerate and escalate privileges. It recommends tightening down AD permissions so only privileged principals can enumerate sensitive identities like Domain Administrators. The key steps are to enable "List Object" mode, modify object ACLs to remove unprivileged access, modify the AdminSDHolder ACL, and let the SDProp process propagate the changes. This makes AD reconnaissance and privilege escalation harder while using existing Windows Server capabilities.
I’m honored to speak with you today about a tactic we can use to make life a little harder for attackers in our Active Directory environments. By implementing this tactic, attackers have a more difficult time identifying highly privileged users in AD, making their choice of targets more difficult.
95% of the Fortune 500 use AD
29% of breaches in the 2019 DBIR (Verizon Data Breach Investigations Report) involved stolen credentials
- 68% of breaches that featured hacking
2019 median dwell time for an attacker was 56 days (78 in 2018), per Mandiant
We raise the bar on our AD security to trip attackers up and stand a better chance of detecting them before they cause more damage.
Explain why this is a problem
Describe killchain and where this problem comes in, then where the solution comes in
Help set baseline understanding of the technologies involved
ACL management in AD is… complicated. The default tools (ADUC, ADS&S, etc.) are scandalously bad for this sort of thing; you can’t even see the Security tab under which ACLs are listed without turning on “Advanced Features.” The AD module for PowerShell isn’t much better.
RC = Read Control, LC = List Contents, RP = Read Properties, LO = List Object
Default operational mode is “list child.” dSHeuristics also controls anonymous LDAP, which groups are “protected groups” (dwAdminSDExMask, the 16th character), ANR, some AD LDS functionality, and more.
Manually running SDProp: Server 2008 and earlier = FixUpInheritance; Server 2008 R2 and later = RunProtectAdminGroupsTask.
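As an added example, not code from the talk itself, here is how the List Object switch in dSHeuristics (3rd character) and the protected-group exclusion mask (16th character) can be read, how List Object mode can be enabled without clobbering the other positions, and how SDProp can be kicked on 2008 R2 and later via RunProtectAdminGroupsTask. It assumes the ActiveDirectory module is loaded and the caller holds rights to write the Directory Service object in the Configuration partition.

```powershell
# Added example: inspect/enable List Object mode and trigger SDProp.
# Requires RSAT / the ActiveDirectory module and forest-level rights.
Import-Module ActiveDirectory

# dSHeuristics lives on the Directory Service object in the Configuration NC.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

function Get-DsHeuristics {
    $obj = Get-ADObject -Identity $dsPath -Properties dSHeuristics
    if ($null -eq $obj.dSHeuristics) { return "" }
    return [string]$obj.dSHeuristics
}

# Positions are 1-based in the docs: 3rd = fDoListObject, 16th = dwAdminSDExMask.
function Show-ListObjectState {
    $h = Get-DsHeuristics
    [pscustomobject]@{
        dSHeuristics   = $h
        ListObjectMode = ($h.Length -ge 3 -and $h[2] -eq '1')
        # non-zero mask = some default protected groups are excluded from SDProp
        AdminSDExMask  = $(if ($h.Length -ge 16) { $h[15] } else { '0' })
    }
}

function Enable-ListObjectMode {
    $h = Get-DsHeuristics
    if ($h.Length -lt 3) { $h = $h.PadRight(3, '0') }   # unset positions read as '0'
    if ($h[2] -eq '1') { Write-Host "List Object mode is already enabled"; return }
    # Only touch the 3rd character so anonymous LDAP, ANR and mask settings survive.
    $new = $h.Substring(0, 2) + '1' + $h.Substring(3)
    Set-ADObject -Identity $dsPath -Replace @{ dSHeuristics = $new }
    Write-Host "dSHeuristics set to '$new'; List Object mode will apply after replication"
}

# Run SDProp now (Server 2008 R2 and later) rather than waiting for the
# default 60-minute cycle; on 2008 and earlier write FixUpInheritance instead.
function Invoke-SDProp {
    $rootDse = [ADSI]"LDAP://RootDSE"
    $rootDse.Put("RunProtectAdminGroupsTask", "1")
    $rootDse.SetInfo()
}

Show-ListObjectState
```

Call Enable-ListObjectMode and then Invoke-SDProp after the AdminSDHolder ACL has been tightened, and re-run Show-ListObjectState on another DC to confirm the change replicated.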
net group
WMIC
dsquery/dsget
[adsisearcher] type accelerator
PowerView recon modules
.NET calls out of the AccountManagement namespace
LDAP
RPC
The AAD Connect sync account would be a good example of a service account worth hiding; it holds DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.