SlideShare a Scribd company logo
1 of 51
Download to read offline
The Unintended Risks
of Trusting Active
Directory
@harmj0y
Red teamer and offensive engineer
at SpecterOps
Adaptive Threat Division alumni
Avid blogger (http://harmj0y.net)
Co-founder of GhostPack, Empire,
BloodHound, Veil-Framework
2
@tifkin_
Red teamer, hunter, and
researcher at SpecterOps
Adaptive Threat Division alumni
Forever going after shiny things
Contributor to various
projects/blog posts
3
@enigma0x3
Red teamer and security
researcher at SpecterOps
Adaptive Threat Division alumni
Avid blogger
(https://enigma0x3.net/), COM
lover, CVE holder
4
What is
“Admin Access” ?
Hint: it’s more complicated
than just “local administrators”!
5
The “True” Nature of Administrative Access
▪ Controversial statement: membership in a system’s
local administrators group isn’t what ultimately
matters!
▪ What actually matters is what local/domain groups
have access to specific remote resources (RPC,
remote reg, WMI, SQL, etc.) based on the host
service’s security descriptors
6
7
CIFS
Remote
Registry
WinRM
SCM
WMI
RPC :)
SD
SD
“LOCAL
Administrators”
GENERIC_ALL
“DOMAINuser”
SC_MANAGER_C
REATE_SERVICE
Etc.
SD
SD
SD
SD
Wait, Security
Descriptors? ACLs?
What are Those and Why Should I Care?
8
Security descriptors are the
Windows mechanism to control
authenticated access to
resources, or “securable objects”
9
PS: lots of caveats here :)
What Is a
“Securable Object”?
Why, a Windows object that can have
a security descriptor, of course!
10
SECURITY_DESCRIPTOR
11https://msdn.microsoft.com/en-us/library/windows/hardware/ff556610(v=vs.85).aspx
From Owners to DACLs to ACEs
▪ An object’s Owner completely controls an object
▪ An object’s Discretionary Access Control List
(DACL) is collection of Access Control Entries
(ACEs)
▫ ACEs – Allow/Deny rules of who can do what to an object
12
13
Authorization Checks
▪ Individual services perform authorization checks
when objects are accessed
▪ Services compare the requestor’s user/group SIDs
to the DACL and grant/deny access
▪ Local “Administrators” is a group many services
grant access to by default (but it could be denied)
14
OK, That’s “Cool”
but Why Should I
Care, Really?
15
Why Care?
▪ It’s often difficult to determine whether a specific security
descriptor misconfiguration was set maliciously or configured
by accident
▫ Existing misconfigurations: privesc/lateral movement opportunities
▫ Malicious misconfiguration changes: persistence!
▪ These changes often have a minimal forensic footprint
▪ Many teams are not aware of these misconfigurations, much
less how to identify, abuse, or remediate them
16
Host-based Security
Descriptors
More than just the service control manager yo’
Discovering Host Securable Objects
▪ Windows documentation lists about 20-30 securable
objects*
▪ We’ve identified 70+! (There are *many* more)
▪ Microsoft Protocol Specifications
▫ Very useful for RPC servers ;)
▪ Find-RegistrySecurityDescriptors.ps1
▪ @tiraniddo’s NtObjectManager project
18*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx
19
Persistent vs Runtime Security Descriptors
▪ Where do objects get their security descriptor?
▫ Persistent - Security descriptor loaded from registry, file, etc.
▫ Runtime - Security descriptor is in memory
▪ Our approach for enumeration:
▫ Locally as an unprivileged user
▫ Locally as a privileged user
▫ Remotely as an unprivileged user
▫ Remotely as a privileged user
20
Example: Remote Registry
▪ Imagine this scenario: remotely dumping an
endpoint’s machine account hash as an “unprivileged”
user (i.e. not in local admins)!
▪ Backdoor Process
▫ Remotely backdoor the winreg key with an attacker-
controlled user/group (this key == remote registry access)
▫ Add malicious ACEs to a few specific registry hives/keys so
we can read LSA secrets remotely
21
Example: Remote Registry
▪ (Remote) Backdoor Execution
▫ As the backdoor (domain or local) user, connect to the
remote registry service on the backdoored system
▫ Open up specific reg keys linked to LSA and extract their
classes
▫ Combine these class values and compute the BootKey
▫ Use the BootKey to decrypt the LSA key
▫ Use the LSA key to decrypt the machine account hash!
▫ EVERYONE GETS A SILVER TICKET!!
22
Active Directory Security
Descriptors
Everything needs an access control model, even AD
Active Directory ACL Advantages
24
▪ A big advantage: by default the DACLs for nearly
every AD object can be enumerated by any
authenticated user in the domain through LDAP!
▪ Other advantages of AD ACLs:
▫ Changes also have a minimal forensic footprint
▫ Changes often survive OS and domain functional level
upgrades, i.e. “misconfiguration debt”
▫ Anti-audit measures can be taken!
25
Security
Descriptors:
AD GUI
Edition
Generic Rights We Care About
26
GenericAll Allows ALL generic rights to the specified object
GenericWrite Allows for the modification of (almost) all
properties on a specified object
WriteDacl Grants the ability to modify the DACL in the
object security descriptor
WriteOwner Grants the ability to take ownership of the object
Object-specific Rights We Care About (abbreviated)
27
Users User-Force-Change-Password or write to
the servicePrincipalName
Groups Write to the member property
Computers None outside of LAPS :(
GPOs Modification of GPC-File-Sys-Path
Domains WriteDacl to add DCSync rights
Example: Abusing Exchange
▪ Exchange Server introduces several schema changes,
new nested security groups, and MANY control
relationships to Active Directory, making it a perfect
spot to blend in amongst the noise!
▪ Pre Exchange Server 2007 SP1, this included the
WriteDACL privilege against the domain object itself
with Exchange Trusted Subsystem as the principal
28
Active Directory + Host
ACL Abuse
Plugging the Gaps in Attack Chains
▪ Prior to joining active directory, the host is in ultimate
control of who can access its resources
▪ After a machine is joined to AD, a few things happen:
▫ The machine is no longer solely in charge of authentication
▫ A portion of key material for the host is stored in another
location (machine account hash in ntds.dit)
▫ Default domain group SIDs are added to local groups
▫ Management is no longer solely left to the host (i.e. GPOs :)
“Risks” Of Joining Active Directory
30
Active Directory: Before and After
31
Workgroup
Security Principals Local users/groups
Access/Permission
Management
Host-based Security
Descriptors
Authentication NTLM (SAM)
Resource
Administration
Manual
Active Directory
+ Domain users/groups
+ Default domain groups
added to local groups
+ Kerberos/NTLM
(NTDS)
+ GPOs
Active Directory: Before and After
32
DCOM
Service
Administrators
admin
DOMAINDomain Admins
Distributed
COM Users
DOMAINsrvcacct
DOMAINjohnDOMAINsrvadms
DOMAINlee
Security Implications
▪ Host-based security descriptors are the missing
link when thinking about domain attack graphs!
▪ There ARE existing “misconfigurations” in the security
descriptors in some host-based services!
▫ More to come on this in a bit ;)
▪ Host-based security descriptor modifications can be
chained with AD misconfigurations/modifications
▪ “Fills the gap” left by the lack of an AD ACL computer primitive
33
tl;dr Security Implications of Joining Active Directory
▪ When you join a system to Active Directory, you’re
introducing additional nodes into the access graph
that may affect the security of other systems
▪ You’re also implicitly trusting the security of a
large number of other nodes in the graph as well
▫ You’re almost certainly exposing your system’s services
to more access than you realize!
34
Case Study #1
Picking on Exchange Again :)
Case Study: Exchanging Rights
▪ We saw before that the Exchange Trusted
Subsystem group (which contains Exchange servers)
often has a huge number of rights over the domain
▪ So let’s integrate the remote registry host-based
backdoor on an Exchange box!
▫ No changes to the DC or any AD data
▫ Takes advantage of existing misconfigurations!
36
37
Case Study #2
Abusing Existing Misconfigurations
Ingredient #1: Unconstrained Delegation
▪ If a server is configured for unconstrained
delegation, service ticket requests will include the
requestor’s TGT stuffed into the service ticket
▪ So if you can get a principal to auth to an
unconstrained server you control, you can
extract their TGTs out of memory!
▪ More information: https://adsecurity.org/?p=1667
39
Ingredient #2: Effectively Extracting TGTs
▪ Rubeus is a new C# Kerberos abuse toolkit that
includes various ticket extraction capabilities
▪ The monitor action will monitor 4624 logon events
from the event log and extract any new usable
TGT .kirbis from LSASS using LSA APIs
▫ No read handle to LSASS needed!
40https://github.com/GhostPack/Rubeus
Ingredient #3: The Printer Bug
▪ Old but enabled-by-default-on-Windows Print
System Remote Protocol (MS-RPRN)
▪ RpcRemoteFindFirstPrinterChangeNotification(Ex)
▫ Purpose: “REMOTESERVER, send me a notification when
____” (e.g. when there’s a new print job)
▪ Implication: *Any domain user* can coerce
REMOTESERVER$ to authenticate to any machine
▫ Won’t fix by Microsoft - “ by design” ☺
41
Ingredient #3: The Printer Bug
42
Domain User/Attacker: Please authenticate to OTHERHOST
SERVER
OTHERHOST
Abuse Scenarios
▪ Machine account TGT theft via Unconstrained Delegation
▪ NTLM attacks!!!!
▪ NTLM-relay to ______ protocol
▪ Is SERVER$ local admin anywhere? (Relay and login)
▪ LDAP relay anyone…. ☺
▪ NTLMv1 downgrade attacks - XP/2003 anyone?
The Dangerous Recipe
1. Compromise a server configured with
unconstrained delegation
2. Beginning monitoring for delegated TGTs
▫ Start Rubeus’ monitor action with /interval:5
3. Coerce a domain controller to authenticate to the
unconstrained server using SpoolSample
4. Load the extracted ticket, DCSync, profit!
43
44
45
Summary
▪ Access is more than just “local administrators” !
▪ Host based security descriptors (accidentally misconfigured,
configured by default, or maliciously backdoored) can have
far-reaching implications for the security of other
systems in the domain!
▪ Defense should focus on restricting access to ALL securable
objects (host, AD, Exchange, etc.)
46
Questions?
You can find us at @SpecterOps:
▪ @harmj0y , @tifkin_ ,
@enigma0x3
▪ [will,lee,matt]@specterops.io
Credit to @elad_shamir for subsequent
discovery of the printer bug!
Appendix: Printer Bug Details
▪ Print System Remote Protocol (MS-RPRN)
▫ All comms are SMB-RPC (TCP 445)
▫ Named Pipe: pipespoolss
▫ RPC UUID: 12345678-1234-ABCD-EF00-0123456789AB
▫ “Discovered” by reading the protocol spec (likely more
RPC servers that do a similar thing)
47
Appendix: Printer Bug Details
▪ Opnum 62 or 65
▫ RpcRemoteFindFirstPrinterChangeNotification
▫ RpcRemoteFindFirstPrinterChangeNotificationEx
▪ The RPC server is accessible by all domain users
on Windows >= 8 if the Spooler service is started
(Server & Workstations have it enabled by default)
▫ On Windows < 8 , seems possible if the host has
shared a printer
48
Appendix: Coerced Machine Account Authentication
Attack Scenarios
▪ Printer bug isn’t the only way to do this (we’ve already confirmed from
our own research/other that there’s other vectors)
▪ If NTLMv1 enabled? Do an NTLMv1 downgrade and get the machine’s
NTLM hash
▪ NTLM relay
▫ Is a machine account a member of the local Administrators group on any
machine? (Often seen on SCCM and Exchange servers)
▫ NTLM relay to LDAP and grant yourself DCSync rights if LDAP signing not
enforced (see @_dirkjan’s contribution to ntlmrelayx)
▫ Problematic with SMB -> LDAP due to SMB clients setting the signing
bit (thanks @_dirkjan!)
49
Hi Lee,
The team has finished its investigation and determined the issue is by-design.
From the NTLM side of things, this is a relay attack, and there are plenty of mitigations that customers can
use to mitigate this particular attack:
1. Restrict NTLM usage
2. Configure/enable Extended Protection for Authentication for all services that support it.
3. Enable SMB Signing or SMB Encryption
4. Do not grant machine accounts administrative privileges to other machine accounts
50
Additional Guidance
▪ Impersonating domain machine accounts is by design? ¯_(ツ)_/¯
▫ We don’t think it was, but nonetheless, it’s possible
▪ Restricting access to hosts/networks goes a LONG way
▫ Windows does not require inbound network access in order to work
in Active Directory!
▫ FIREWALLS!! Host-based and network
▫ IPSec
▪ Prevent relaying to LDAP: Set LdapEnforceChannelBinding to 1
51

More Related Content

What's hot

Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, OsloBloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, OsloAndy Robbins
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 

What's hot (20)

Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, OsloBloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 

Similar to Derbycon - The Unintended Risks of Trusting Active Directory

Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud SecurityMongoDB
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseFelipe Prado
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyAmazon Web Services
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMApostolos Giannakidis
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environmentDavid Rowe
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise MongoDB
 
Active Directory and Virtualization
Active Directory and VirtualizationActive Directory and Virtualization
Active Directory and VirtualizationAniket Pandey
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 

Similar to Derbycon - The Unintended Risks of Trusting Active Directory (20)

Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud Security
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 
Operations: Security
Operations: SecurityOperations: Security
Operations: Security
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environment
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise
 
Active Directory and Virtualization
Active Directory and VirtualizationActive Directory and Virtualization
Active Directory and Virtualization
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 

More from Will Schroeder

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfWill Schroeder
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conWill Schroeder
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with PythonWill Schroeder
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have MissedWill Schroeder
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsWill Schroeder
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 

More from Will Schroeder (18)

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 

Recently uploaded

一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsrahman018755
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...APNIC
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxi191686
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样AS
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样AS
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC
 
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样ayvbos
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookTOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookVarun Mithran
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书c6eb683559b3
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理F
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样AS
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理AS
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书F
 
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)Obat Cytotec
 

Recently uploaded (20)

一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookTOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
 

Derbycon - The Unintended Risks of Trusting Active Directory

  • 1. The Unintended Risks of Trusting Active Directory
  • 2. @harmj0y Red teamer and offensive engineer at SpecterOps Adaptive Threat Division alumni Avid blogger (http://harmj0y.net) Co-founder of GhostPack, Empire, BloodHound, Veil-Framework 2
  • 3. @tifkin_ Red teamer, hunter, and researcher at SpecterOps Adaptive Threat Division alumni Forever going after shiny things Contributor to various projects/blog posts 3
  • 4. @enigma0x3 Red teamer and security researcher at SpecterOps Adaptive Threat Division alumni Avid blogger (https://enigma0x3.net/), COM lover, CVE holder 4
  • 5. What is “Admin Access” ? Hint: it’s more complicated than just “local administrators”! 5
  • 6. The “True” Nature of Administrative Access ▪ Controversial statement: membership in a system’s local administrators group isn’t what ultimately matters! ▪ What actually matters is what local/domain groups have access to specific remote resources (RPC, remote reg, WMI, SQL, etc.) based on the host service’s security descriptors 6
  • 8. Wait, Security Descriptors? ACLs? What are Those and Why Should I Care? 8
  • 9. Security descriptors are the Windows mechanism to control authenticated access to resources, or “securable objects” 9 PS: lots of caveats here :)
  • 10. What Is a “Securable Object”? Why, a Windows object that can have a security descriptor, of course! 10
  • 12. From Owners to DACLs to ACEs ▪ An object’s Owner completely controls an object ▪ An object’s Discretionary Access Control List (DACL) is collection of Access Control Entries (ACEs) ▫ ACEs – Allow/Deny rules of who can do what to an object 12
  • 13. 13
  • 14. Authorization Checks ▪ Individual services perform authorization checks when objects are accessed ▪ Services compare the requestor’s user/group SIDs to the DACL and grant/deny access ▪ Local “Administrators” is a group many services grant access to by default (but it could be denied) 14
  • 15. OK, That’s “Cool” but Why Should I Care, Really? 15
  • 16. Why Care? ▪ It’s often difficult to determine whether a specific security descriptor misconfiguration was set maliciously or configured by accident ▫ Existing misconfigurations: privesc/lateral movement opportunities ▫ Malicious misconfiguration changes: persistence! ▪ These changes often have a minimal forensic footprint ▪ Many teams are not aware of these misconfigurations, much less how to identify, abuse, or remediate them 16
  • 17. Host-based Security Descriptors More than just the service control manager yo’
  • 18. Discovering Host Securable Objects ▪ Windows documentation lists about 20-30 securable objects* ▪ We’ve identified 70+! (There are *many* more) ▪ Microsoft Protocol Specifications ▫ Very useful for RPC servers ;) ▪ Find-RegistrySecurityDescriptors.ps1 ▪ @tiraniddo’s NtObjectManager project 18*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx
  • 19. 19
  • 20. Persistent vs Runtime Security Descriptors ▪ Where do objects get their security descriptor? ▫ Persistent - Security descriptor loaded from registry, file, etc. ▫ Runtime - Security descriptor is in memory ▪ Our approach for enumeration: ▫ Locally as an unprivileged user ▫ Locally as a privileged user ▫ Remotely as an unprivileged user ▫ Remotely as a privileged user 20
  • 21. Example: Remote Registry ▪ Imagine this scenario: remotely dumping an endpoint’s machine account hash as an “unprivileged” user (i.e. not in local admins)! ▪ Backdoor Process ▫ Remotely backdoor the winreg key with an attacker- controlled user/group (this key == remote registry access) ▫ Add malicious ACEs to a few specific registry hives/keys so we can read LSA secrets remotely 21
  • 22. Example: Remote Registry ▪ (Remote) Backdoor Execution ▫ As the backdoor (domain or local) user, connect to the remote registry service on the backdoored system ▫ Open up specific reg keys linked to LSA and extract their classes ▫ Combine these class values and compute the BootKey ▫ Use the BootKey to decrypt the LSA key ▫ Use the LSA key to decrypt the machine account hash! ▫ EVERYONE GETS A SILVER TICKET!! 22
  • 23. Active Directory Security Descriptors Everything needs an access control model, even AD
  • 24. Active Directory ACL Advantages 24 ▪ A big advantage: by default the DACLs for nearly every AD object can be enumerated by any authenticated user in the domain through LDAP! ▪ Other advantages of AD ACLs: ▫ Changes also have a minimal forensic footprint ▫ Changes often survive OS and domain functional level upgrades, i.e. “misconfiguration debt” ▫ Anti-audit measures can be taken!
  • 26. Generic Rights We Care About 26 GenericAll Allows ALL generic rights to the specified object GenericWrite Allows for the modification of (almost) all properties on a specified object WriteDacl Grants the ability to modify the DACL in the object security descriptor WriteOwner Grants the ability to take ownership of the object
  • 27. Object-specific Rights We Care About (abbreviated) 27 Users User-Force-Change-Password or write to the servicePrincipalName Groups Write to the member property Computers None outside of LAPS :( GPOs Modification of GPC-File-Sys-Path Domains WriteDacl to add DCSync rights
  • 28. Example: Abusing Exchange ▪ Exchange Server introduces several schema changes, new nested security groups, and MANY control relationships to Active Directory, making it a perfect spot to blend in amongst the noise! ▪ Pre Exchange Server 2007 SP1, this included the WriteDACL privilege against the domain object itself with Exchange Trusted Subsystem as the principal 28
  • 29. Active Directory + Host ACL Abuse Plugging the Gaps in Attack Chains
  • 30. ▪ Prior to joining active directory, the host is in ultimate control of who can access its resources ▪ After a machine is joined to AD, a few things happen: ▫ The machine is no longer solely in charge of authentication ▫ A portion of key material for the host is stored in another location (machine account hash in ntds.dit) ▫ Default domain group SIDs are added to local groups ▫ Management is no longer solely left to the host (i.e. GPOs :) “Risks” Of Joining Active Directory 30
  • 31. Active Directory: Before and After 31 Workgroup Security Principals Local users/groups Access/Permission Management Host-based Security Descriptors Authentication NTLM (SAM) Resource Administration Manual Active Directory + Domain users/groups + Default domain groups added to local groups + Kerberos/NTLM (NTDS) + GPOs
  • 32. Active Directory: Before and After 32 DCOM Service Administrators admin DOMAINDomain Admins Distributed COM Users DOMAINsrvcacct DOMAINjohnDOMAINsrvadms DOMAINlee
  • 33. Security Implications ▪ Host-based security descriptors are the missing link when thinking about domain attack graphs! ▪ There ARE existing “misconfigurations” in the security descriptors in some host-based services! ▫ More to come on this in a bit ;) ▪ Host-based security descriptor modifications can be chained with AD misconfigurations/modifications ▪ “Fills the gap” left by the lack of an AD ACL computer primitive 33
  • 34. tl;dr Security Implications of Joining Active Directory ▪ When you join a system to Active Directory, you’re introducing additional nodes into the access graph that may affect the security of other systems ▪ You’re also implicitly trusting the security of a large number of other nodes in the graph as well ▫ You’re almost certainly exposing your system’s services to more access than you realize! 34
  • 35. Case Study #1 Picking on Exchange Again :)
  • 36. Case Study: Exchanging Rights ▪ We saw before that the Exchange Trusted Subsystem group (which contains Exchange servers) often has a huge number of rights over the domain ▪ So let’s integrate the remote registry host-based backdoor on an Exchange box! ▫ No changes to the DC or any AD data ▫ Takes advantage of existing misconfigurations! 36
  • 37. 37
  • 38. Case Study #2 Abusing Existing Misconfigurations
  • 39. Ingredient #1: Unconstrained Delegation ▪ If a server is configured for unconstrained delegation, service ticket requests will include the requestor’s TGT stuffed into the service ticket ▪ So if you can get a principal to auth to an unconstrained server you control, you can extract their TGTs out of memory! ▪ More information: https://adsecurity.org/?p=1667 39
  • 40. Ingredient #2: Effectively Extracting TGTs ▪ Rubeus is a new C# Kerberos abuse toolkit that includes various ticket extraction capabilities ▪ The monitor action will monitor 4624 logon events from the event log and extract any new usable TGT .kirbis from LSASS using LSA APIs ▫ No read handle to LSASS needed! 40https://github.com/GhostPack/Rubeus
  • 41. Ingredient #3: The Printer Bug ▪ Old but enabled-by-default-on-Windows Print System Remote Protocol (MS-RPRN) ▪ RpcRemoteFindFirstPrinterChangeNotification(Ex) ▫ Purpose: “REMOTESERVER, send me a notification when ____” (e.g. when there’s a new print job) ▪ Implication: *Any domain user* can coerce REMOTESERVER$ to authenticate to any machine ▫ Won’t fix by Microsoft - “ by design” ☺ 41
  • 42. Ingredient #3: The Printer Bug 42 Domain User/Attacker: Please authenticate to OTHERHOST SERVER OTHERHOST Abuse Scenarios ▪ Machine account TGT theft via Unconstrained Delegation ▪ NTLM attacks!!!! ▪ NTLM-relay to ______ protocol ▪ Is SERVER$ local admin anywhere? (Relay and login) ▪ LDAP relay anyone…. ☺ ▪ NTLMv1 downgrade attacks - XP/2003 anyone?
  • 43. The Dangerous Recipe 1. Compromise a server configured with unconstrained delegation 2. Beginning monitoring for delegated TGTs ▫ Start Rubeus’ monitor action with /interval:5 3. Coerce a domain controller to authenticate to the unconstrained server using SpoolSample 4. Load the extracted ticket, DCSync, profit! 43
  • 44. 44
  • 45. 45 Summary ▪ Access is more than just “local administrators” ! ▪ Host based security descriptors (accidentally misconfigured, configured by default, or maliciously backdoored) can have far-reaching implications for the security of other systems in the domain! ▪ Defense should focus on restricting access to ALL securable objects (host, AD, Exchange, etc.)
  • 46. 46 Questions? You can find us at @SpecterOps: ▪ @harmj0y , @tifkin_ , @enigma0x3 ▪ [will,lee,matt]@specterops.io Credit to @elad_shamir for subsequent discovery of the printer bug!
  • 47. Appendix: Printer Bug Details ▪ Print System Remote Protocol (MS-RPRN) ▫ All comms are SMB-RPC (TCP 445) ▫ Named Pipe: pipespoolss ▫ RPC UUID: 12345678-1234-ABCD-EF00-0123456789AB ▫ “Discovered” by reading the protocol spec (likely more RPC servers that do a similar thing) 47
  • 48. Appendix: Printer Bug Details ▪ Opnum 62 or 65 ▫ RpcRemoteFindFirstPrinterChangeNotification ▫ RpcRemoteFindFirstPrinterChangeNotificationEx ▪ The RPC server is accessible by all domain users on Windows >= 8 if the Spooler service is started (Server & Workstations have it enabled by default) ▫ On Windows < 8 , seems possible if the host has shared a printer 48
  • 49. Appendix: Coerced Machine Account Authentication Attack Scenarios ▪ Printer bug isn’t the only way to do this (we’ve already confirmed from our own research/other that there’s other vectors) ▪ If NTLMv1 enabled? Do an NTLMv1 downgrade and get the machine’s NTLM hash ▪ NTLM relay ▫ Is a machine account a member of the local Administrators group on any machine? (Often seen on SCCM and Exchange servers) ▫ NTLM relay to LDAP and grant yourself DCSync rights if LDAP signing not enforced (see @_dirkjan’s contribution to ntlmrelayx) ▫ Problematic with SMB -> LDAP due to SMB clients setting the signing bit (thanks @_dirkjan!) 49
  • 50. Hi Lee, The team has finished its investigation and determined the issue is by-design. From the NTLM side of things, this is a relay attack, and there are plenty of mitigations that customers can use to mitigate this particular attack: 1. Restrict NTLM usage 2. Configure/enable Extended Protection for Authentication for all services that support it. 3. Enable SMB Signing or SMB Encryption 4. Do not grant machine accounts administrative privileges to other machine accounts 50
  • 51. Additional Guidance ▪ Impersonating domain machine accounts is by design? ¯_(ツ)_/¯ ▫ We don’t think it was, but nonetheless, it’s possible ▪ Restricting access to hosts/networks goes a LONG way ▫ Windows does not require inbound network access in order to work in Active Directory! ▫ FIREWALLS!! Host-based and network ▫ IPSec ▪ Prevent relaying to LDAP: Set LdapEnforceChannelBinding to 1 51