Dude, Where’s My Domain Admins?
Making AD recon and privilege escalation more difficult for attackers
Joel M. Leo, MCSE: SI/CP&I, MC: ASAE, CISSP, SEI
SAP
BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
Mahalos!
BlueTeamCon folks
@pyrotek3 (Sean Metcalf – Trimarc, adsecurity.org)
@gentilkiwi (Benjamin Delpy – mimikatz and more)
SpecterOps (Bloodhound and more)
@harmj0y
@cptjesus
@_wald0
About Me
• Live and work in Honolulu, Hawaii
• https://www.hawaiicommunityfoundation.org/strengthening/maui-strong-fund
• On the hunt for my next full-time role
• Principal Consultant for Hi Tech Hui - https://www.hitechhui.com
• Consultant for Directory Services Expedited – https://www.dse.team
• PoC for Def Con Groups 808 https://www.dc808.net @defconhawaii
@joelmleo @joelmleo@infosec.exchange
https://www.linkedin.com/in/joelmleo
BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
Problem Statement
What’s the problem, Earthman?
Default Active Directory permissions allow any authenticated user to enumerate the entire directory, including security-sensitive principals such as the Domain Admins group.
Killchain
Image credit: Microsoft
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats
Solution TL;DR
Tighten down AD permissions so only privileged principals can enumerate these sensitive identities.
Ok, a little more detail:
• ***Plan extensively*** and take a system state backup of a DC!
• Create groups & add members according to plan
• Enable “List Object” mode
• Remove ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group!
• Modify OU/container ACLs
• Modify AdminSDHolder ACL and let SDProp do its thing
Technology Background
• AD DACLs, ACEs, and Implicit Deny
• Generic Read, decomposed
• “List Object mode”
• AdminSDHolder & SDProp
All of these capabilities are already in-the-box with Windows Server since Windows 2000. There are no additional products or licenses required.
AD DACLs, ACEs, and Implicit Deny
• DACL = Discretionary Access Control List - applies to an object to define the object’s set of permissions using ACEs. Not to be confused with SACLs, which are used for auditing access.
• ACE = Access Control Entry – the individual entries listed on a DACL that grant a principal permission on the object
AD follows the “implicit deny” model with “access-based enumeration” – if you aren’t granted permissions to something in AD you’re implicitly denied access to it & it won’t be listed in search results, GUI tools, etc.
Generic Read Permission
“Generic Read” permission is just the combination of:
• RC – Read Control; read the security descriptor of the object
• LC – List Content; list the contents of the object
• RP – Read Properties; read the properties/attributes of the object
• LO – List Object; permission to list the object when the parent container’s contents are enumerated
These permissions can be separately granted. You see where this is going =)
List Object Mode
Exposes ‘List Object’ control and enforces its permissions
• When enabled, principals now require List Contents on the parent container, or List Object on the parent container AND on the objects within, to have an object listed when the parent container’s contents are enumerated
• Enabled by setting the third character of dSHeuristics to ‘1’
  • dSHeuristics is an attribute of CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition of the AD forest
  • Affects the whole forest
  • Unicode string value that controls many aspects of AD functionality
  • Default string is null
  • In most environments, when enabled this will read ‘001’
  • If the string is NOT empty in your environment, then you need to replace only the third character from the left with ‘1’
• More about dSHeuristics: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
• More about List Object mode: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/4a7705f7-c61e-4020-86a7-41a44fb233e5
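Two checks a defender would want before and after making these changes, written as an added example (not from the slides): whether List Object mode is on, and which principals hold each of the four Generic Read components on a container. It assumes the ActiveDirectory PowerShell module on a domain-joined host; the container DN in the usage line is a placeholder to adjust.

```powershell
# Added example, not from the slides: audit List Object mode and decompose
# container ACEs into the Generic Read components (RC, LC, RP, LO).
# Assumes the ActiveDirectory module; the container DN below is an assumption.
Import-Module ActiveDirectory
$adRights = [System.DirectoryServices.ActiveDirectoryRights]

function Get-ListObjectModeStatus {
    # dSHeuristics lives on the Directory Service object in the Configuration NC.
    $configDn = (Get-ADRootDSE).configurationNamingContext
    $dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$configDn"
    $value    = (Get-ADObject -Identity $dsObject -Properties dSHeuristics).dSHeuristics
    # The third character from the left is the List Object mode switch; a null
    # or shorter string means the default (off).
    $enabled = ($null -ne $value) -and ($value.Length -ge 3) -and ($value[2] -eq '1')
    [pscustomobject]@{ dSHeuristics = $value; ListObjectMode = $enabled }
}

function Get-EnumerationAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Decompose each Allow ACE into RC / LC / RP / LO so it is obvious who holds
    # List Contents on the parent (the right that lists every child at once).
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r  = $ace.ActiveDirectoryRights
        # GenericRead is the OR of these four flags, so each bit can be tested.
        $rc = [int]($r -band $adRights::ReadControl)  -ne 0
        $lc = [int]($r -band $adRights::ListChildren) -ne 0   # "List Contents"
        $rp = [int]($r -band $adRights::ReadProperty) -ne 0
        $lo = [int]($r -band $adRights::ListObject)   -ne 0
        if (-not ($rc -or $lc -or $rp -or $lo)) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Inherited = $ace.IsInherited
            RC = $rc; LC = $lc; RP = $rp; LO = $lo
            # With List Object mode on, LC on the container alone lists all
            # children; without LC the principal also needs LO on each child.
            ListsAllChildren = $lc
        }
    }
}

# Usage (the DN is a placeholder): who can enumerate the whole Users container?
Get-ListObjectModeStatus
Get-EnumerationAces -DistinguishedName 'CN=Users,DC=lab,DC=example' |
    Where-Object ListsAllChildren | Format-Table Identity, Inherited, RC, LC, RP, LO
```

Run the second query against each container in your plan before the change to see who currently has List Contents, and again afterwards to confirm only the intended principals keep it.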
AdminSDHolder & SDProp
AdminSDHolder is a domain object that provides the DACL for protected accounts and groups within that domain, including its Domain Admins.
SDProp is a process that executes every 60 minutes on the PDC emulator which compares protected objects’ DACL with AdminSDHolder’s. If they differ, inheritance is disabled on the object, the DACL on AdminSDHolder is applied to the object, and its adminCount attribute is set to 1.
More infoz: https://adsecurity.org/?p=1906
Bringing It All Together
With List Object mode enabled, a user that is not granted permissions to enumerate objects (List Object permission on the objects themselves and their parent container) and isn’t granted permissions to List Contents on the parent container will not be able to see those objects in the directory.
We modify the DACLs on parent containers and AdminSDHolder, which then applies the ACL to each of the protected groups and their members through SDProp.
This combination of settings effectively hides objects protected by SDProp, such as the Domain Admins group, the RID-500 Administrator account, etc. from casual enumeration.
Lab Environment
• Single AD domain
• Mostly default
• Privsep
  • Regular account: joelmleo
  • Sysadmin: sa-joelleo
  • Domain admin: da-joelmleo
All accounts, including the regular account joelmleo, can see the Domain Admins group and everything else.
Solution Outline
1. PlanPlanPlan - Who needs to have access to what, and what permissions do they need?
2. Take a system state backup of a domain controller
3. Create groups and add members according to your plan
4. Enable “List Object mode”
   a. Remove ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group!
5. Modify OU/container ACLs
   a. Remove ‘List Contents’ permission from ‘Authenticated Users’
6. Modify AdminSDHolder ACL
   a. Remove ‘Authenticated Users’
   b. Add the group(s) which should be able to see these with Read permissions
7. Let SDProp do its thing
Our Plan
Goal: Hide our Domain Admins (and other protected entities) from enumeration by unprivileged users.
Containers that hold the objects we want to hide: ‘CN=Builtin’, ‘CN=Users’ & ‘OU=Administrative Users,OU=Users,OU=Lab Accounts’.
Group that will be granted privileges to enumerate these hidden objects: ‘HiddenObjects-Enumerate’.
Members of our Sysadmin team should be able to enumerate these objects with their sa- accounts, so they will be added to the above group.
ChChChChaangees 1
• Created ‘HiddenObjects-Enumerate’ group
• Added sa- accounts as members
ChChChChaangees 2
• Removed ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group
• Set dSHeuristics to ‘001’ to enable List Object mode
ChChChChaangees 3
• Removed ‘List Contents’ permission from ‘Authenticated Users’ on
  • CN=Builtin
  • CN=Users
  • OU=Administrative Users,OU=Users,OU=Lab Accounts
  • Need to disable inheritance first
• AdminSDHolder changes
  • Removed ‘Authenticated Users’ permissions
  • Added ‘HiddenObjects-Enumerate’ with ‘Generic Read’ perms
• Manually kicked off SDProp (I cheated – could have waited an hour)
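The change steps from the Solution Outline and the three ChChChChaangees slides, carried through as one PowerShell script. This is an added example, not the speaker's own tooling; it assumes the ActiveDirectory module, Domain Admin rights, a fresh system state backup of a DC already taken, and the lab's names (HiddenObjects-Enumerate, sa-joelleo, the three containers), all of which are placeholders for your own plan.

```powershell
# Added example, not from the slides: steps 3-7 of the Solution Outline.
# Assumes the ActiveDirectory module, Domain Admin rights, a DC system state
# backup already taken, and the lab names (group, sa- account, containers),
# which are assumptions to replace with the names from your own plan.
Import-Module ActiveDirectory
$rootDse   = Get-ADRootDSE
$domainDn  = $rootDse.defaultNamingContext
$configDn  = $rootDse.configurationNamingContext
$authSid   = 'S-1-5-11'                       # well-known SID of Authenticated Users
$authUsers = [System.Security.Principal.SecurityIdentifier]$authSid
$adRights  = [System.DirectoryServices.ActiveDirectoryRights]

function Get-AceSid([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace) {
    # Get-Acl reports NTAccount names; compare by SID so locale does not matter.
    $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Step 3: create the enumeration group and add the sysadmin (sa-) accounts.
$groupName = 'HiddenObjects-Enumerate'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'May enumerate SDProp-protected principals'
}
Add-ADGroupMember -Identity $groupName -Members 'sa-joelleo'

# Step 4a: remove Authenticated Users from Pre-Windows 2000 Compatible Access
# (S-1-5-32-554); membership there grants read rights that bypass the ACL work below.
$authFsp = Get-ADObject -Filter "objectSid -eq '$authSid'"   # its foreign security principal
if ($authFsp) {
    Remove-ADGroupMember -Identity 'S-1-5-32-554' -Members $authFsp.DistinguishedName -Confirm:$false
}

# Step 4: enable List Object mode. Only the third character of dSHeuristics
# changes: an existing value keeps its other characters, a null value becomes '001'.
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$configDn"
$current  = (Get-ADObject -Identity $dsObject -Properties dSHeuristics).dSHeuristics
if (-not $current) { $current = '' }
$chars    = $current.PadRight(3, '0').ToCharArray()
$chars[2] = '1'
Set-ADObject -Identity $dsObject -Replace @{ dSHeuristics = (-join $chars) }

# Step 5: on each container, disable inheritance (keeping copies of the inherited
# ACEs), then strip List Contents (ListChildren) from every Authenticated Users ACE.
# RC, RP and LO stay, so ordinary objects in the container remain visible.
$containers = @(
    "CN=Builtin,$domainDn",
    "CN=Users,$domainDn",
    "OU=Administrative Users,OU=Users,OU=Lab Accounts,$domainDn"   # lab OU, assumed
)
foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.SetAccessRuleProtection($true, $true)   # protect the DACL, copy inherited ACEs
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    $acl = Get-Acl -Path "AD:\$dn"               # re-read so the copied ACEs are explicit
    foreach ($ace in @($acl.Access)) {
        if ((Get-AceSid $ace) -ne $authSid) { continue }
        if ([int]($ace.ActiveDirectoryRights -band $adRights::ListChildren) -eq 0) { continue }
        $acl.RemoveAccessRuleSpecific($ace)
        $remaining = $ace.ActiveDirectoryRights -bxor $adRights::ListChildren   # clear LC only
        if ([int]$remaining -ne 0) {
            $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                $authUsers, $remaining, $ace.AccessControlType, $ace.ObjectType,
                $ace.InheritanceType, $ace.InheritedObjectType))
        }
    }
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Step 6: AdminSDHolder. Drop Authenticated Users entirely and grant the enumeration
# group Generic Read (RC|LC|RP|LO). SDProp stamps this DACL onto every protected
# principal, which is what gives the group LO on the hidden objects.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$domainDn"
$acl = Get-Acl -Path "AD:\$adminSdHolder"
$acl.PurgeAccessRules($authUsers)
$groupSid = (Get-ADGroup -Identity $groupName).SID
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, $adRights::GenericRead, [System.Security.AccessControl.AccessControlType]::Allow))
Set-Acl -Path "AD:\$adminSdHolder" -AclObject $acl

# Step 7: SDProp runs every 60 minutes on the PDC emulator; this rootDSE modify
# asks it to run now instead of waiting (the slide's "I cheated").
$pdc        = (Get-ADDomain).PDCEmulator
$pdcRootDse = [ADSI]"LDAP://$pdc/RootDSE"
$pdcRootDse.Put('RunProtectAdminGroupsTask', '1')
$pdcRootDse.SetInfo()
```

Run it section by section in a lab first, and verify after step 7 that the sa- account still resolves the Domain Admins group while the regular account no longer does.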
Demo: Execute Solution
Regular account joelmleo can no longer see the Domain Admins group, or any other protected principal.
Domain Admins??
Demo: Run Some Queries
Privileged account sa-joelleo can still see the Domain Admins group and all other protected principals.
What Else Can This Do?
• Can be used to hide accounts that need long-lived passwords from casual enumeration
  • Better choice would be to rotate the passwords =)
• Hide service accounts, including gMSAs
• Hide sensitive computer accounts
  • Admin workstations
  • Sensitive servers
• Hide GPOs
What Doesn’t This Solve?
• This does nothing for you if everyone is a domain admin
• Efficacy is greatly reduced if privileged users are allowed to log in to any machine – use PAW/tiering!
• Even if an account is hidden in this way, it can still be used to authenticate. If you document the username and password on Confluence, in your git repositories, hardcoded in scripts, etc., an attacker can still make use of them if they find the creds
• An attacker that obtains a system state backup, IFM copy, NTDS.DIT etc. may be able to enumerate objects inside
Pitfalls 0x0
• This should be one tactic within a larger security strategy
• Unprivileged users will not be able to browse to find these objects
  • Service accounts are particularly affected. Users need to type in the account’s name instead of browsing. They can still use sc.exe, PowerShell, etc. to set service creds.
  • IAM tools will fail to enumerate hidden objects unless granted privileges
  • “Hidden” identities synchronized to cloud environments
• Requires some level of privilege separation. If a regular user account is a member of a group protected by SDProp, many tools that user requires will fail when this is implemented.
  • Solution – use separate accounts for elevated privileges
• Applications that do silly things to validate they’ve auth’d to AD
Pitfalls 0x1
Attackers can still gather information from some tools and infer/discover the existence of hidden objects.
BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
Pitfalls 0x2
An attacker can still capture hidden creds via Responder etc. if they can get a foothold on a subnet where those creds are used, and LLMNR, NBT-NS, etc. aren’t disabled.
Conclusion
Through a combination of AD’s “List Object mode,” ACL modification, and SDProp, we can raise the bar on our Active Directory security by hiding highly-privileged accounts, making it that much more difficult for an attacker to elevate their privileges in AD.
#SecurityIsNeverDone
Additional Resources
• “An ACE up the Sleeve” PDF available here: https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
• @PyroTek3 (Sean Metcalf, https://adsecurity.org)
• Bloodhound https://github.com/BloodHoundAD
• Best practices for securing AD https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
• MS-ADTS https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d2435927-0999-4c62-8c6d-13ba31a52e1a
• Active Directory: Controlling Object Visibility – List Object Mode https://social.technet.microsoft.com/wiki/contents/articles/29558.active-directory-controlling-object-visibility-list-object-mode.aspx
Q&A
@joelmleo @joelmleo@infosec.exchange
https://www.linkedin.com/in/joelmleo

More Related Content

What's hot

Training Week: Introduction to Neo4j Bloom 2022
Training Week: Introduction to Neo4j Bloom 2022Training Week: Introduction to Neo4j Bloom 2022
Training Week: Introduction to Neo4j Bloom 2022
Neo4j
 
Primeiros passos com a API do Zabbix - 3º Zabbix Meetup do Interior
Primeiros passos com a API do Zabbix - 3º Zabbix Meetup do InteriorPrimeiros passos com a API do Zabbix - 3º Zabbix Meetup do Interior
Primeiros passos com a API do Zabbix - 3º Zabbix Meetup do Interior
Zabbix BR
 

What's hot (20)

Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18
 
Introduction to Nebula Graph, an Open-Source Distributed Graph Database
Introduction to Nebula Graph, an Open-Source Distributed Graph DatabaseIntroduction to Nebula Graph, an Open-Source Distributed Graph Database
Introduction to Nebula Graph, an Open-Source Distributed Graph Database
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
JSON-LD for RESTful services
JSON-LD for RESTful servicesJSON-LD for RESTful services
JSON-LD for RESTful services
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Training Week: Introduction to Neo4j Bloom 2022
Training Week: Introduction to Neo4j Bloom 2022Training Week: Introduction to Neo4j Bloom 2022
Training Week: Introduction to Neo4j Bloom 2022
 
FIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access Control
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
Decentralized Identifier (DIDs) fundamentals deep dive
Decentralized Identifier (DIDs) fundamentals deep diveDecentralized Identifier (DIDs) fundamentals deep dive
Decentralized Identifier (DIDs) fundamentals deep dive
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Réussir son projet de sécurisation des Identités en 5 commandements (parce qu...
Réussir son projet de sécurisation des Identités en 5 commandements (parce qu...Réussir son projet de sécurisation des Identités en 5 commandements (parce qu...
Réussir son projet de sécurisation des Identités en 5 commandements (parce qu...
 
Primeiros passos com a API do Zabbix - 3º Zabbix Meetup do Interior
Primeiros passos com a API do Zabbix - 3º Zabbix Meetup do InteriorPrimeiros passos com a API do Zabbix - 3º Zabbix Meetup do Interior
Primeiros passos com a API do Zabbix - 3º Zabbix Meetup do Interior
 
The DID Report 1: The First Official W3C DID Working Group Meeting (Japan)- D...
The DID Report 1: The First Official W3C DID Working Group Meeting (Japan)- D...The DID Report 1: The First Official W3C DID Working Group Meeting (Japan)- D...
The DID Report 1: The First Official W3C DID Working Group Meeting (Japan)- D...
 
Google Dorks and SQL Injection
Google Dorks and SQL InjectionGoogle Dorks and SQL Injection
Google Dorks and SQL Injection
 
Introduction to Self Sovereign Identity - IIW October 2019
Introduction to Self Sovereign Identity - IIW October 2019Introduction to Self Sovereign Identity - IIW October 2019
Introduction to Self Sovereign Identity - IIW October 2019
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
 
Firebase presentation
Firebase presentationFirebase presentation
Firebase presentation
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
 

Similar to dude wheres my domain admins v1.pptx

Active directory job_interview_preparation_guide
Active directory job_interview_preparation_guideActive directory job_interview_preparation_guide
Active directory job_interview_preparation_guide
abdulkalamattari
 
Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...
TusharAgarwal49094
 

Similar to dude wheres my domain admins v1.pptx (20)

BSides Hawaii 2020: Dude, Wheres My Domain Admins
BSides Hawaii 2020: Dude, Wheres My Domain AdminsBSides Hawaii 2020: Dude, Wheres My Domain Admins
BSides Hawaii 2020: Dude, Wheres My Domain Admins
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Role-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4jRole-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4j
 
Global Azure Bootcamp 2018 - Oh no my organization went Azure
Global Azure Bootcamp 2018 - Oh no my organization went AzureGlobal Azure Bootcamp 2018 - Oh no my organization went Azure
Global Azure Bootcamp 2018 - Oh no my organization went Azure
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Controlling User Access -Data base
Controlling User Access -Data baseControlling User Access -Data base
Controlling User Access -Data base
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Active directory job_interview_preparation_guide
Active directory job_interview_preparation_guideActive directory job_interview_preparation_guide
Active directory job_interview_preparation_guide
 
Better access control of administrators
Better access control of administratorsBetter access control of administrators
Better access control of administrators
 
DITA Metadata
DITA MetadataDITA Metadata
DITA Metadata
 
Fortress SQL Server
Fortress SQL ServerFortress SQL Server
Fortress SQL Server
 
Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
ppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdfppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdf
 
LinkedIn's Logical Data Access Layer for Hadoop -- Strata London 2016
LinkedIn's Logical Data Access Layer for Hadoop -- Strata London 2016LinkedIn's Logical Data Access Layer for Hadoop -- Strata London 2016
LinkedIn's Logical Data Access Layer for Hadoop -- Strata London 2016
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

dude wheres my domain admins v1.pptx

  • 1. Dude, Where’s My Domain Admins? Making AD recon and privilege escalation more difficult for attackers Joel M. Leo, MCSE: SI/CP&I, MC: ASAE, CISSP, SEI SAP
  • 2. Dude, Where’s My Domain Admins? Making AD recon and privilege escalation more difficult for attackers Joel M. Leo, MCSE: SI/CP&I, MC: ASAE, CISSP, SEI SAP
  • 3. BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo Mahalos! BlueTeamCon folks @pyrotek3 (Sean Metcalf – Trimarc, adsecurity.org) @gentilkiwi (Benjamin Delpy – mimikatz and more) SpecterOps (Bloodhound and more) @harmj0y @cptjesus @_wald0
  • 4. About Me • Live and work in Honolulu, Hawaii • https://www.hawaiicommunityfoundation.org/strengthening/maui-strong-fund • On the hunt for my next full-time role • Principal Consultant for Hi Tech Hui - https://www.hitechhui.com • Consultant for Directory Services Expedited – https://www.dse.team • PoC for Def Con Groups 808 https://www.dc808.net @defconhawaii @joelmleo @joelmleo@infosec.exchange https://www.linkedin.com/in/joelmleo BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
  • 5. Problem Statement What’s the problem Earthman? Default Active Directory permissions allow any authenticated user to enumerate the entire directory, including security-sensitive principals such as the Domain Admins group. BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
  • 6. Killchain BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo Image credit: Microsoft https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats
  • 7. Solution TL;DR Tighten down AD permissions so only privileged principals can enumerate these sensitive identities Ok, a little more detail: • ***Plan extensively*** and take a system state backup of a DC! • Create groups & add members according to plan • Enable “List Object” mode • Remove ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group! • Modify OU/container ACLs • Modify AdminSDHolder ACL and let SDProp do its thing BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
  • 8. Technology Background • AD DACLs, ACEs, and Implicit Deny • Generic Read, decomposed • “List Object mode” • AdminSDHolder & SDProp All of these capabilities are already in-the-box with Windows Server since Windows 2000. There are no additional products or licenses required. BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
  • 9. AD DACLs, ACEs, and Implicit Deny • DACL = Discretionary Access Control List - applies to an object to define the object’s set of permissions using ACEs. Not to be confused with SACLs, which are used for auditing access. • ACE = Access Control Entry – the individual entries listed on a DACL that grant a principal permission on the object AD follows the “implicit deny” model with “access-based enumeration” – if you aren’t granted permissions to something in AD you’re implicitly denied access to it & it won’t be listed in search results, GUI tools, etc. BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
  • 10. Generic Read Permission “Generic Read” permission is just the combination of: • RC – Read Control; read the security descriptor of the object • LC – List Content; list the contents of the object • RP – Read Properties; read the properties/attributes of the object • LO – List Object; permission to list the object when the parent container’s contents are enumerated These permissions can be separately granted. You see where this is going =) BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
  • 11. List Object Mode Exposes ‘List Object’ control and enforces its permissions • When enabled, principals now require List Contents on the parent container, or List Object on the parent container AND the objects within to have the object listed when the parent container’s contents are enumerated • Enabled by setting the third bit of dSHeuristics to ‘1’ • dSHeuristics is an attribute of CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition of the AD forest • Affects the whole forest • Unicode string value that controls many aspects of AD functionality • Default string Is null • In most environments, when enabled this will read ‘001’ • If the string is NOT empty in your environment, then you need to replace the third character from the left with ‘1’ • More about dSHeuristics: https://docs.microsoft.com/en- us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5 • More about List Object mode: https://learn.microsoft.com/en- us/openspecs/windows_protocols/ms-adts/4a7705f7-c61e-4020-86a7-41a44fb233e5 BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
  • 12. AdminSDHolder & SDProp AdminSDHolder is a domain object that provides the DACL for protected accounts and groups within that domain, including its Domain Admins SDProp is a process that executes every 60 minutes on the PDC emulator which compares protected objects’ DACL with AdminSDHolder’s. If they differ, inheritance is disabled on the object, the DACL on AdminSDHolder is applied to the object, and its adminCount attribute is set to 1 More infoz: https://adsecurity.org/?p=1906 BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
  • 13. Bringing It All Together With List Object mode enabled, a user that is not granted permissions to enumerate objects (List Object permission on the objects themselves and their parent container) and isn’t granted permissions to List Contents on the parent container will not be able to see those objects in the directory. We modify the DACLs on parent containers and AdminSDHolder, which then applies the ACL to each of the protected groups and their members through SDProp. This combination of settings effectively hides objects protected by SDProp, such as the Domain Admins group, the RID-500 Administrator account, etc. from casual enumeration BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
• 14. Lab Environment
• Single AD domain
• Mostly default
• Privsep
  • Regular account: joelmleo
  • Sysadmin: sa-joelleo
  • Domain admin: da-joelmleo
• 15. All accounts, including the regular account joelmleo, can see the Domain Admins group and everything else
• 16. Solution Outline
1. PlanPlanPlan - Who needs to have access to what, and what permissions do they need?
2. Take a system state backup of a domain controller
3. Create groups and add members according to your plan
4. Enable “List Object mode”
   a. Remove ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group!
5. Modify OU/container ACLs
   a. Remove the ‘List Contents’ permission from ‘Authenticated Users’
6. Modify the AdminSDHolder ACL
   a. Remove ‘Authenticated Users’
   b. Add the group(s) which should be able to see these objects, with Read permissions
7. Let SDProp do its thing
• 17. Our Plan
Goal: Hide our Domain Admins (and other protected entities) from enumeration by unprivileged users
Containers that hold the objects we want to hide: ‘CN=Builtin’, ‘CN=Users’ & ‘OU=Administrative Users,OU=Users,OU=Lab Accounts’
Group that will be granted privileges to enumerate these hidden objects: ‘HiddenObjects-Enumerate’
Members of our Sysadmin team should be able to enumerate these objects with their sa- accounts, so those accounts will be added to the above group
• 18. ChChChChaangees 1
• Created the ‘HiddenObjects-Enumerate’ group
• Added the sa- accounts as members
• 19. ChChChChaangees 2
• Removed ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group
• Set dSHeuristics to ‘001’ to enable List Object mode
• 20. ChChChChaangees 3
• Removed the ‘List Contents’ permission from ‘Authenticated Users’ on
  • CN=Builtin
  • CN=Users
  • OU=Administrative Users,OU=Users,OU=Lab Accounts
  • Need to disable inheritance first
• AdminSDHolder changes
  • Removed the ‘Authenticated Users’ permissions
  • Added ‘HiddenObjects-Enumerate’ with ‘Generic Read’ perms
• Manually kicked off SDProp (I cheated – could have waited an hour)
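Steps 4 through 7 of the Solution Outline (the changes on slides 18 to 20) carried out end to end in PowerShell; this is an added example, not the presenter's code. It assumes the ActiveDirectory module, rights to change dSHeuristics and the listed ACLs, and the lab's container DNs and the HiddenObjects-Enumerate group from the plan slide, which must be adapted to your own domain.

```powershell
# Added example (not from the presentation): steps 4-7 of the Solution Outline
# in one PowerShell run-through. Assumes the ActiveDirectory module, rights to
# change dSHeuristics and the listed ACLs, and the lab's DNs and group name.
Import-Module ActiveDirectory
$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$configNC  = (Get-ADRootDSE).configurationNamingContext
$Rule      = [System.DirectoryServices.ActiveDirectoryAccessRule]
$Rights    = [System.DirectoryServices.ActiveDirectoryRights]
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow
$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # Authenticated Users
$enumSid   = (Get-ADGroup 'HiddenObjects-Enumerate').SID                # created in step 3

# Step 4: enable List Object mode (forest-wide). Keep any existing dSHeuristics
# characters and set only the third one to '1'; an empty value becomes '001'.
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties dSHeuristics
$chars = ([string]$dsObj.dSHeuristics).PadRight(3, '0').ToCharArray()
$chars[2] = '1'
Set-ADObject -Identity $dsObj -Replace @{ dSHeuristics = (-join $chars) }

# Step 4a: drop Authenticated Users from Pre-Windows 2000 Compatible Access. The
# membership is stored as a foreign security principal, so remove it by that DN.
Set-ADGroup 'Pre-Windows 2000 Compatible Access' -Remove @{ member = "CN=S-1-5-11,CN=ForeignSecurityPrincipals,$domainDN" }

# Step 5: on each container, disable inheritance (copying the inherited ACEs so
# they become explicit) and then strip only List Contents from Authenticated Users.
$listContents = $Rule::new($authUsers, $Rights::ListChildren, $Allow)
foreach ($dn in "CN=Builtin,$domainDN", "CN=Users,$domainDN",
                "OU=Administrative Users,OU=Users,OU=Lab Accounts,$domainDN") {
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.SetAccessRuleProtection($true, $true)
    [void]$acl.RemoveAccessRule($listContents)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Step 6: AdminSDHolder - remove every Authenticated Users ACE, then grant the
# enumeration group Generic Read. SDProp copies this DACL to each protected object.
$holder = "AD:\CN=AdminSDHolder,CN=System,$domainDN"
$acl = Get-Acl -Path $holder
$acl.PurgeAccessRules($authUsers)
$acl.AddAccessRule($Rule::new($enumSid, $Rights::GenericRead, $Allow))
Set-Acl -Path $holder -AclObject $acl

# Step 7: run SDProp now rather than waiting up to 60 minutes. RunProtectAdminGroupsTask
# is the 2008 R2+ operation; older DCs use FixUpInheritance (see the speaker notes).
$rootDse = [ADSI]"LDAP://$($domain.PDCEmulator)/RootDSE"
$rootDse.Put('RunProtectAdminGroupsTask', '1')
$rootDse.SetInfo()
```

Run it as an account that can modify the Configuration partition and the listed containers, and check afterwards as the regular account (slide 22) and as an sa- account (slide 28) that only the enumeration group still sees the protected objects.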
• 21. Demo: Execute Solution
• 22. Regular Account - joelmleo: can no longer see the Domain Admins group, or any other protected principal
• 23. Domain Admins??
• 24. Demo: Run Some Queries
• 25.
• 26.
• 27.
• 28. Privileged Account sa-joelleo: can still see the Domain Admins group and all other protected principals
• 29. What Else Can This Do?
• Can be used to hide accounts that need long-lived passwords from casual enumeration
  • The better choice would be to rotate the passwords =)
• Hide service accounts, including gMSAs
• Hide sensitive computer accounts
  • Admin workstations
  • Sensitive servers
• Hide GPOs
• 30. What Doesn’t This Solve?
• This does nothing for you if everyone is a domain admin
• Efficacy is greatly reduced if privileged users are allowed to log in to any machine – use PAW/tiering!
• Even if an account is hidden in this way, it can still be used to authenticate. If you document the username and password on Confluence, in your git repositories, hardcoded in scripts, etc., an attacker can still make use of them if they find the creds
• An attacker that obtains a system state backup, IFM copy, NTDS.DIT, etc. may be able to enumerate the objects inside
• 31. Pitfalls 0x0
• This should be one tactic as part of a larger security strategy
• Unprivileged users will not be able to browse to find these objects
  • Service accounts are particularly affected. Users need to type in the account’s name instead of browsing. sc.exe, PowerShell, etc. can still be used to set service creds.
• IAM tools will fail to enumerate hidden objects unless granted privileges
• “Hidden” identities synchronized to cloud environments
• Requires some level of privilege separation. If a regular user account is a member of a group protected by SDProp, many tools that user requires will fail when this is implemented.
  • Solution – use separate accounts for elevated privileges
• Applications that do silly things to validate they’ve auth’d to AD
• 32. Pitfalls 0x1
Attackers can still gather information from some tools and infer/discover the existence of hidden objects
• 33. Pitfalls 0x2
An attacker can still capture hidden creds via Responder etc. if they can get a foothold on a subnet where those creds are used, and LLMNR, NBT-NS, etc. aren’t disabled
• 34. Conclusion
Through a combination of AD’s “List Object mode,” ACL modification, and SDProp, we can raise the bar on our Active Directory security by hiding highly privileged accounts, making it that much more difficult for an attacker to elevate their privileges in AD.
#SecurityIsNeverDone
• 35. Additional Resources
• “An ACE up the Sleeve” PDF available here: https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
• @PyroTek3 (Sean Metcalf, https://adsecurity.org)
• Bloodhound https://github.com/BloodHoundAD
• Best practices for securing AD https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
• MS-ADTS https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d2435927-0999-4c62-8c6d-13ba31a52e1a
• Active Directory: Controlling Object Visibility – List Object Mode https://social.technet.microsoft.com/wiki/contents/articles/29558.active-directory-controlling-object-visibility-list-object-mode.aspx
• 36. Q&A
@joelmleo @joelmleo@infosec.exchange
https://www.linkedin.com/in/joelmleo

Editor's Notes

1. 2 Andy Robbins, “An ACE up the Sleeve” (2017); Jonas Knudson & Alexander Schmitt, Troopers last June. A tactic we can use to make life a little harder for attackers in our Active Directory environments. Once this tactic is implemented, attackers have a more difficult time identifying highly privileged users in AD, making their choice of targets more difficult. 95% of the Fortune 500 use AD. 86% of breaches in the 2023 DBIR (Verizon Data Breach Investigations Report) involved stolen credentials for initial access. We raise the bar on our AD security to trip attackers up and stand a better chance of detecting them before they cause more damage.
  2. .5
  3. .5
4. 2 Explain why this is a problem. The quote comes from Douglas Adams’ “The Restaurant at the End of the Universe”.
  5. Describe killchain and where this problem comes in, then where the solution comes in
  6. Call out the only forest wide change is enabling list object mode. Everything else needs to be done on a per domain basis
  7. Help set baseline understanding of the technologies involved
8. ACL management in AD is… complicated. The default tools (ADUC, ADS&S, etc.) are scandalously bad for this sort of thing – you can’t even see the Security tab under which ACLs are listed without turning on “Advanced Features.” The AD module for PowerShell isn’t much better.
  9. RC = Read Control, LC = List Contents, RP = Read Properties, LO = List Object
10. The first graphic shows the advanced security view before List Object is enabled, and the second shows the same view after List Object is enabled. Good to mention the fact that you have to enable “Advanced Features” before even being able to see the Security tab within ADUC. The default operational mode is “list child.” dSHeuristics also controls anonymous LDAP, which groups are “protected groups” (dwAdminSDExMask – 16th character), ANR, some AD LDS functionality, and more.
11. Read the current value:
Get-ADObject "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=internal,dc=lab" -Properties * | ft dSHeuristics
Set it when the attribute is still empty:
Get-ADObject "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=internal,dc=lab" | Set-ADObject -Add @{dSHeuristics='001'}
To update an existing value, use the -Remove or -Replace parameters of Set-ADObject instead of -Add (which fails when the attribute already has a value).
12. Manually running SDProp: 2008 and earlier = FixUpInheritance; 2008 R2 and later = RunProtectAdminGroupsTask
13. Net group; WMIC; dsquery/dsget; the adsisearcher type accelerator; PowerView recon modules; from a trusted domain’s administrator account
14. .NET calls out of the AccountManagement namespace; LDAP; RPC; Impacket, with the second showing the unhidden account
15. Good to mention Theoden’s situation: at this moment he was controlled by Saruman. Gandalf was able to cast Saruman out of Theoden’s mind, bringing him back to his senses. In our scenario, the attacker is Gandalf and the defender is Theoden, the lesson being that our security win through List Object could be temporary.
16. The AAD Connect sync account would be a good example of a service account worth hiding – DS-Replication-Get-Changes and *-All. Note that the ACLs need to be adjusted appropriately. AdminSDHolder isn’t appropriate for everything.
17. Use the mimikatz example. Popping a machine with a domain admin logged in means mimikatz could scrape those creds. Also, the SIDs don’t change, so they could inject a well-known but hidden object SID into a ticket through mimikatz, Rubeus, etc., even if they can’t enumerate the object, aka why the domain is not the security boundary.
  18. For the final bullet, use the example of Bloodhound back in 2020. Sharphound would query the domain for the existence of the builtin\administrators group and would exit if it couldn’t find it. I chatted with @cptjesus, who updated Sharphound to query for the domain object instead, after which the ingestor began working in the environment in which I was testing. Another example is the app that queried for its own service account to determine if it was connected to AD. When the service account was hidden, the app began failing until the service account was added to the group given permissions to enumerate the hidden objects.
19. 1. BloodHound automatically labels the builtin\administrators group. https://github.com/BloodHoundAD/SharpHoundCommon/blob/1bcf1a8ac05206a265e514345bcfadef18d948ef/src/CommonLib/WellKnownPrincipal.cs#L52
2. BloodHound: RID 512 is Domain Admins, and RID 519 is Enterprise Admins
3. nmap: still enumerates the Administrator account
4. enum4linux: most queries don’t list hidden objects, but this one does. None of the groups’ memberships were enumerated, though.
The more an attacker has to work to identify their targets, the higher the likelihood they’ll be detected.
  20. Reemphasize network segmentation