The Unintended Risks of Trusting Active Directory

Will Schroeder
Will SchroederOffensive Engineer
The Unintended Risks of Trusting Active Directory
@harmj0y Red teamer and offensive engineer at SpecterOps Adaptive Threat Division alumni Avid blogger (http://harmj0y.net) Co-founder of Empire, BloodHound, Veil-Framework 2
@tifkin_ Red teamer, hunter, and researcher at SpecterOps Adaptive Threat Division alumni Forever going after shiny things Contributor to various projects/blog posts 3
@enigma0x3 Red teamer and security researcher at SpecterOps Adaptive Threat Division alumni Avid blogger (https://enigma0x3.net/), COM lover, CVE holder 4
“As an offensive researcher, if you can dream it, someone has likely already done it...and that someone isn’t the kind of person who speaks at security cons.” 5 Matt Graeber “Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor” BlackHat 2015
What is “Admin Access” ? Hint: it’s more complicated than just “local administrators”! 6
The “True” Nature of Administrative Access ▪ Controversial statement: membership in a system’s local administrators group isn’t what ultimately matters! ▪ What actually matters is what local/domain groups have access to specific remote resources (RPC, remote reg, WMI, SQL, etc.) based on the host service’s security descriptors 7
8 CIFS Remote Registry WinRM SCM WMI RPC :) SD SD “LOCAL Administrators” GENERIC_ALL “DOMAINuser” SC_MANAGER_C REATE_SERVICE Etc. SD SD SD SD
Wait, Security Descriptors? ACLs? What are Those and Why Should I Care? 9
Security descriptors are the Windows mechanism to control authenticated access to resources, or “securable objects” 10 PS: lots of caveats here :)
What Is a “Securable Object”? Why, a Windows object that can have a security descriptor, of course! 11
SECURITY_DESCRIPTOR 12https://msdn.microsoft.com/en-us/library/windows/hardware/ff556610(v=vs.85).aspx
From ACLs to DACLs to SACLs ▪ An Access Control List (ACL) is basically shorthand for the DACL/SACL superset ▪ An object’s Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs) ▫ DACL - What principals/trustees have what rights over the object ▫ The SACL - Specifies how to audit access to the object 13
14
tl;dr ▪ Security descriptors are just the mechanism that Windows uses to define what users (principals) can perform what actions on a specific object, either in Active Directory or on the host ▫ When access is requested, some process enumerates the effective security identifiers (SIDs) of the requestor, compares them to the information in the DACL, and decides whether to grant access 15
OK, That’s “Cool” but Why Should I Care, Really? 16
Why Care? ▪ It’s often difficult to determine whether a specific security descriptor misconfiguration was set maliciously or configured by accident ▫ Existing misconfigurations: privesc opportunities ▫ Malicious misconfiguration changes: persistence! ▪ These changes often have a minimal forensic footprint ▪ Most defenders are not aware of this general persistence approach, much less how to find and remediate it ▫ Nor are they aware of existing misconfigurations that affect privesc... 17
Host-based Security Descriptors More than just the service control manager yo’
Discovering Host Securable Objects ▪ Windows documentation lists about 20-30 securable objects* ▪ We’ve identified 70+! (There are *many* more) ▪ Microsoft Protocol Specifications ▫ Very useful for RPC servers! ▪ Find-RegistrySecurityDescriptors.ps1 19*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx
20
Online vs Offline Security Descriptors ▪ Where do objects get their security descriptor? ▫ Offline - Security descriptor derived from registry, file, etc. ▫ Online - Security descriptor is in memory ▪ Our approach for enumeration: ▫ Locally as an unprivileged user ▫ Locally as a privileged user ▫ Remotely as an unprivileged user ▫ Remotely as a privileged user 21
Example: Remote Registry ▪ Imagine this scenario: remotely dumping an endpoint’s machine account hash as an “unprivileged” user (i.e. not in local admins)! ▪ Backdoor Process ▫ Remotely backdoor the winreg key with an attacker- controlled user/group (this key == remote registry access) ▫ Add malicious ACEs to the SECURITY and SYSTEM hives 22
Example: Remote Registry ▪ (Remote) Backdoor Execution ▫ As the backdoor (domain or local) user, connect to the remote registry service on the backdoored system ▫ Open up specific reg keys linked to LSA and extract their classes ▫ Combine these class values and compute the BootKey ▫ Use the BootKey to decrypt the LSA key ▫ Use the LSA key to decrypt the machine account hash! ▫ EVERYONE GETS A SILVER TICKET!! 23
Active Directory Security Descriptors Everything needs an access control model, even AD
Active Directory ACL Advantages 25 ▪ A big advantage: by default the DACLs for nearly every AD object can be enumerated by any authenticated user in the domain through LDAP! ▪ Other advantages of AD ACLs: ▫ Changes also have a minimal forensic footprint ▫ Changes often survive OS and domain functional level upgrades, i.e. “misconfiguration debt” ▫ Anti-audit measures can be taken!
26 Security Descriptors: AD GUI Edition
Generic Rights We Care About 27 GenericAll Allows ALL generic rights to the specified object GenericWrite Allows for the modification of (almost) all properties on a specified object WriteDacl Grants the ability to modify the DACL in the object security descriptor WriteOwner Grants the ability to take ownership of the object
Object-specific Rights We Care About 28 Users User-Force-Change-Password or write to the servicePrincipalName Groups Write to the member property Computers None outside of LAPS :( GPOs Modification of GPC-File-Sys-Path Domains WriteDacl to add DCSync rights
Example: Abusing Exchange ▪ Exchange Server introduces several schema changes, new nested security groups, and MANY control relationships to Active Directory, making it a perfect spot to blend in amongst the noise! ▪ Pre Exchange Server 2007 SP1, this included the WriteDACL privilege against the domain object itself with Exchange Trusted Subsystem as the principal 29
Example: Abusing Exchange ▪ Backdoor Process ▫ Identify a non-protected security group with local admin rights on one or more Exchange servers ▫ Grant Authenticated Users full control over this security group ▫ Change the owner of the group to an Exchange server ▫ Deny Read Permissions on this group to the Everyone principal 30
Example: Abusing Exchange ▪ Backdoor Execution ▫ Regain access to the Active Directory domain as any user ▫ Add your current user to the backdoored security group ▫ Use your new local admin rights on an Exchange server to execute commands as the SYSTEM user on that computer ▫ Abuse the rights Exchange Trusted Subsystem has over the domain object (i.e. WriteDacl!) ▫ More information: http://bit.ly/2IIK3K3 31
Active Directory + Host ACL Abuse Plugging the Gaps in Attack Chains
▪ Prior to joining active directory, the host is in ultimate control of who can access its resources ▪ After a machine is joined to AD, a few things happen: ▫ The machine is no longer solely in charge of authentication ▫ A portion of key material for the host is stored in another location (machine account hash in ntds.dit) ▫ Default domain group SIDs are added to local groups ▫ Management is no longer solely left to the host (i.e. GPOs :) “Risks” Of Joining Active Directory 33
Active Directory: Before and After 34 Workgroup Active Directory Security Principals Local users/groups + Domain users/groups Access/Permission Management Host-based Security Descriptors + Default domain groups added to local groups Authentication NTLM (SAM) + Kerberos/NTLM (NTDS) Resource Administration Manual + GPOs
Active Directory: Before and After 35 DCOM Service Administrators admin DOMAINDomain Admins Distributed COM Users DOMAINsrvcacct DOMAINjohnDOMAINsrvadms DOMAINlee
The “Actual” Attack Graph ▪ BloodHound doesn’t (currently) take host based security descriptors into account ▪ The actual access graph that exists in a domain includes the security descriptors for every remotely accessible service on every host + AD descriptors ▫ Includes “unrolling” groups… this may not be (currently) realistically possible to model in large environments ¯_(ツ)_/¯ 36
Security Implications ▪ Host-based security descriptors are the missing link when thinking about domain attack graphs! ▪ There ARE existing misconfigurations in the security descriptors in some host-based services! ▫ More to come this summer, stay tuned :) ▪ Host-based security descriptor modifications can be chained with AD misconfigurations/modifications ▪ “Fills the gap” left by the lack of an AD ACL computer primitive 37
tl;dr Security Implications of Joining Active Directory ▪ When you join a system to Active Directory, you’re introducing additional nodes into the access graph that may affect the security of other systems ▪ You’re also implicitly trusting the security of a large number of other nodes in the graph as well ▫ You’re almost certainly exposing your system’s services to more access than you realize! 38
Case Study #1 Picking on Exchange Again :)
Case Study: Exchanging Rights ▪ We saw before that the Exchange Trusted Subsystem group (which contains Exchange servers) often has a huge number of rights over the domain ▪ So let’s integrate the remote registry host-based backdoor on an Exchange box! ▫ No changes to the DC or any AD data ▫ Takes advantage of existing misconfigurations! 40
[DEMO] 41
Case Study #2 Abusing Existing Misconfigurations
Case Study: Abusing Existing Misconfigurations ▪ GPOs set lots of interesting settings! ▫ They can even set host-based security descriptors: ) ▫ Imagine one that modifies the security descriptor for SCM ▪ We can also easily correlate GPOs to find what systems they apply to ▪ What happens if the group SID set for the descriptor via GPO, after unrolling, contains a service account... 43
44 [DEMO]
45 Summary ▪ Access is more than just “local administrators” ! ▪ You should really care about security descriptors! ▪ Host based security descriptors (accidentally misconfigured or maliciously backdoored) can have far- reaching implications for the security of other systems in the domain!
46 Questions? You can find us at @SpecterOps: ▪ @harmj0y , @tifkin_ , @enigma0x3 ▪ [will,lee,matt]@specterops.io
1 of 46

The Unintended Risks of Trusting Active Directory

Download to read offline
Internet

This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.

Will Schroeder
Will SchroederOffensive Engineer

Recommended

An ACE in the Hole - Stealthy Host Persistence via Security Descriptors by
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
6.9K views63 slides
aclpwn - Active Directory ACL exploitation with BloodHound by
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
11.5K views41 slides
Derbycon - The Unintended Risks of Trusting Active Directory by
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
35.8K views51 slides
Ace Up the Sleeve by
Ace Up the SleeveAce Up the Sleeve
Ace Up the SleeveWill Schroeder
23.7K views60 slides
Not a Security Boundary by
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
4K views48 slides
DerbyCon 2019 - Kerberoasting Revisited by
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
10.3K views27 slides

More Related Content

What's hot

Abusing Microsoft Kerberos - Sorry you guys don't get it by
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
43.1K views53 slides
Evading Microsoft ATA for Active Directory Domination by
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
35.4K views59 slides
Attacker's Perspective of Active Directory by
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
1.6K views92 slides
(Ab)Using GPOs for Active Directory Pwnage by
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
551 views53 slides
Getting Started in Pentesting the Cloud: Azure by
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureBeau Bullock
2.2K views53 slides
PHDays 2018 Threat Hunting Hands-On Lab by
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
7.7K views116 slides

What's hot(20)

Abusing Microsoft Kerberos - Sorry you guys don't get it by Benjamin Delpy
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy43.1K views
Evading Microsoft ATA for Active Directory Domination by Nikhil Mittal
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
Nikhil Mittal35.4K views
Attacker's Perspective of Active Directory by Sunny Neo
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
Sunny Neo1.6K views
(Ab)Using GPOs for Active Directory Pwnage by Petros Koutroumpis
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis551 views
Getting Started in Pentesting the Cloud: Azure by Beau Bullock
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: Azure
Beau Bullock2.2K views
PHDays 2018 Threat Hunting Hands-On Lab by Teymur Kheirkhabarov
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov7.7K views
0wn-premises: Bypassing Microsoft Defender for Identity by Nikhil Mittal
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal1.6K views
ReCertifying Active Directory by Will Schroeder
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder1.8K views
RACE - Minimal Rights and ACE for Active Directory Dominance by Nikhil Mittal
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal47.6K views
Six Degrees of Domain Admin - BloodHound at DEF CON 24 by Andy Robbins
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Andy Robbins17.1K views
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac... by MITRE ATT&CK
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK1.3K views
Hacked? Pray that the Attacker used PowerShell by Nikhil Mittal
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal8.7K views
PowerShell for Practical Purple Teaming by Nikhil Mittal
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal5.3K views
Hunting for Privilege Escalation in Windows Environment by Teymur Kheirkhabarov
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov11.9K views
Catch Me If You Can: PowerShell Red vs Blue by Will Schroeder
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder7.8K views
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di... by DirkjanMollema
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
DirkjanMollema18.6K views
Carlos García - Pentesting Active Directory Forests [rooted2019] by RootedCON
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON4.5K views
powershell-is-dead-epic-learnings-london by nettitude_labs
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-london
nettitude_labs2K views
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh... by CODE BLUE
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
CODE BLUE3.7K views
Windows Privilege Escalation by Riyaz Walikar
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
Riyaz Walikar15.2K views

Similar to The Unintended Risks of Trusting Active Directory

Anatomy of a Cloud Hack by
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
2.1K views33 slides
PSConfEU - Offensive Active Directory (With PowerShell!) by
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
9K views16 slides
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C... by
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax
1K views43 slides
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL by
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot
66 views31 slides
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ... by
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Mary Racter
403 views57 slides
Gartner Security & Risk Management Summit 2018 by
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
3.3K views64 slides

Similar to The Unintended Risks of Trusting Active Directory(20)

Anatomy of a Cloud Hack by NotSoSecure Global Services
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services2.1K views
PSConfEU - Offensive Active Directory (With PowerShell!) by Will Schroeder
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder9K views
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C... by DataStax
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax1K views
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL by Kangaroot
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot66 views
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ... by Mary Racter
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Mary Racter403 views
Gartner Security & Risk Management Summit 2018 by Paula Januszkiewicz
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
Paula Januszkiewicz3.3K views
Mitigating Java Deserialization attacks from within the JVM (improved version) by Apostolos Giannakidis
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
Apostolos Giannakidis351 views
Enterprise Cloud Security by MongoDB
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud Security
MongoDB232 views
Creating a fortress in your active directory environment by David Rowe
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environment
David Rowe531 views
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks by Yossi Sassi
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Yossi Sassi183 views
Mitigating Java Deserialization attacks from within the JVM by Apostolos Giannakidis
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
Apostolos Giannakidis362 views
Securing Your MongoDB Deployment by MongoDB
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
MongoDB4.3K views
Managed Threat Detection & Response for AWS Applications by Alert Logic
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
Alert Logic 2K views
XP Days 2019: First secret delivery for modern cloud-native applications by Vlad Fedosov
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applications
Vlad Fedosov279 views
7 Ways To Cyberattack And Hack Azure by Abdul Khan
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure
Abdul Khan58 views
Dev buchan everything you need to know about agent design by Bill Buchan
Dev buchan everything you need to know about agent designDev buchan everything you need to know about agent design
Dev buchan everything you need to know about agent design
Bill Buchan1K views
Operations: Security Crash Course — Best Practices for Securing your Company by Amazon Web Services
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
Amazon Web Services367 views
Owning computers without shell access dark by Royce Davis
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
Royce Davis3.5K views
BSides SG Practical Red Teaming Workshop by Ajay Choudhary
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary673 views
Presentation anatomy of a database attack by xKinAnx
Presentation anatomy of a database attackPresentation anatomy of a database attack
Presentation anatomy of a database attack
xKinAnx533 views

More from Will Schroeder

Nemesis - SAINTCON.pdf by
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfWill Schroeder
238 views32 slides
Certified Pre-Owned by
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-OwnedWill Schroeder
1.5K views30 slides
Defending Your "Gold" by
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"Will Schroeder
2.3K views20 slides
A Case Study in Attacking KeePass by
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
9.9K views50 slides
The Travelling Pentester: Diaries of the Shortest Path to Compromise by
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
9.1K views45 slides
A Year in the Empire by
A Year in the EmpireA Year in the Empire
A Year in the EmpireWill Schroeder
3.9K views52 slides

More from Will Schroeder(20)

Nemesis - SAINTCON.pdf by Will Schroeder
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
Will Schroeder238 views
Certified Pre-Owned by Will Schroeder
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
Will Schroeder1.5K views
Defending Your "Gold" by Will Schroeder
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder2.3K views
A Case Study in Attacking KeePass by Will Schroeder
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
Will Schroeder9.9K views
The Travelling Pentester: Diaries of the Shortest Path to Compromise by Will Schroeder
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder9.1K views
A Year in the Empire by Will Schroeder
A Year in the EmpireA Year in the Empire
A Year in the Empire
Will Schroeder3.9K views
Trusts You Might Have Missed - 44con by Will Schroeder
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
Will Schroeder5.6K views
Building an EmPyre with Python by Will Schroeder
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
Will Schroeder4.7K views
PSConfEU - Building an Empire with PowerShell by Will Schroeder
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
Will Schroeder3.3K views
I Have the Power(View) by Will Schroeder
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
Will Schroeder20.8K views
Bridging the Gap by Will Schroeder
Bridging the GapBridging the Gap
Bridging the Gap
Will Schroeder7.8K views
Building an Empire with PowerShell by Will Schroeder
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
Will Schroeder22.3K views
Trusts You Might Have Missed by Will Schroeder
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
Will Schroeder4.6K views
Drilling deeper with Veil's PowerTools by Will Schroeder
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
Will Schroeder6.3K views
I hunt sys admins 2.0 by Will Schroeder
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder12.4K views
I Hunt Sys Admins by Will Schroeder
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
Will Schroeder8K views
Derbycon - Passing the Torch by Will Schroeder
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
Will Schroeder7.9K views
Adventures in Asymmetric Warfare by Will Schroeder
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
Will Schroeder2.8K views
Pwnstaller by Will Schroeder
PwnstallerPwnstaller
Pwnstaller
Will Schroeder2K views
PowerUp - Automating Windows Privilege Escalation by Will Schroeder
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
Will Schroeder15.9K views

Recently uploaded

IETF 118: Starlink Protocol Performance by
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol PerformanceAPNIC
124 views22 slides
Existing documentaries (1).docx by
Existing documentaries (1).docxExisting documentaries (1).docx
Existing documentaries (1).docxMollyBrown86
13 views5 slides
PORTFOLIO 1 (Bret Michael Pepito).pdf by
PORTFOLIO 1 (Bret Michael Pepito).pdfPORTFOLIO 1 (Bret Michael Pepito).pdf
PORTFOLIO 1 (Bret Michael Pepito).pdfbrejess0410
7 views6 slides
UiPath Document Understanding_Day 2.pptx by
UiPath Document Understanding_Day 2.pptxUiPath Document Understanding_Day 2.pptx
UiPath Document Understanding_Day 2.pptxRohitRadhakrishnan8
282 views21 slides
UiPath Document Understanding_Day 3.pptx by
UiPath Document Understanding_Day 3.pptxUiPath Document Understanding_Day 3.pptx
UiPath Document Understanding_Day 3.pptxUiPathCommunity
95 views25 slides
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲 by
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲Infosec train
7 views6 slides

Recently uploaded(20)

IETF 118: Starlink Protocol Performance by APNIC
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol Performance
APNIC124 views
Existing documentaries (1).docx by MollyBrown86
Existing documentaries (1).docxExisting documentaries (1).docx
Existing documentaries (1).docx
MollyBrown8613 views
PORTFOLIO 1 (Bret Michael Pepito).pdf by brejess0410
PORTFOLIO 1 (Bret Michael Pepito).pdfPORTFOLIO 1 (Bret Michael Pepito).pdf
PORTFOLIO 1 (Bret Michael Pepito).pdf
brejess04107 views
UiPath Document Understanding_Day 2.pptx by RohitRadhakrishnan8
UiPath Document Understanding_Day 2.pptxUiPath Document Understanding_Day 2.pptx
UiPath Document Understanding_Day 2.pptx
RohitRadhakrishnan8282 views
UiPath Document Understanding_Day 3.pptx by UiPathCommunity
UiPath Document Understanding_Day 3.pptxUiPath Document Understanding_Day 3.pptx
UiPath Document Understanding_Day 3.pptx
UiPathCommunity95 views
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲 by Infosec train
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
Infosec train7 views
DU Series - Day 4.pptx by UiPathCommunity
DU Series - Day 4.pptxDU Series - Day 4.pptx
DU Series - Day 4.pptx
UiPathCommunity94 views
AI Powered event-driven translation bot by Jimmy Dahlqvist
AI Powered event-driven translation botAI Powered event-driven translation bot
AI Powered event-driven translation bot
Jimmy Dahlqvist16 views
Sustainable Marketing by Theo van der Zee
Sustainable MarketingSustainable Marketing
Sustainable Marketing
Theo van der Zee9 views
Serverless cloud architecture patterns by Jimmy Dahlqvist
Serverless cloud architecture patternsServerless cloud architecture patterns
Serverless cloud architecture patterns
Jimmy Dahlqvist17 views
google forms survey (1).pptx by MollyBrown86
google forms survey (1).pptxgoogle forms survey (1).pptx
google forms survey (1).pptx
MollyBrown8614 views
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf by RIPE NCC
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
RIPE NCC15 views
WEB 2.O TOOLS: Empowering education.pptx by narmadhamanohar21
WEB 2.O TOOLS: Empowering education.pptxWEB 2.O TOOLS: Empowering education.pptx
WEB 2.O TOOLS: Empowering education.pptx
narmadhamanohar2115 views
childcare.pdf by fatma alnaqbi
childcare.pdfchildcare.pdf
childcare.pdf
fatma alnaqbi14 views
Is Entireweb better than Google by sebastianthomasbejan
Is Entireweb better than GoogleIs Entireweb better than Google
Is Entireweb better than Google
sebastianthomasbejan10 views
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf by RIPE NCC
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
RIPE NCC9 views
Audience profile.pptx by MollyBrown86
Audience profile.pptxAudience profile.pptx
Audience profile.pptx
MollyBrown8612 views
OMS: Diretrizes para um controle da promoção comercial dos ditos substitutos ... by Prof. Marcus Renato de Carvalho
OMS: Diretrizes para um controle da promoção comercial dos ditos substitutos ...OMS: Diretrizes para um controle da promoção comercial dos ditos substitutos ...
OMS: Diretrizes para um controle da promoção comercial dos ditos substitutos ...
Prof. Marcus Renato de Carvalho88 views
zotabet.pdf by zotabetcasino
zotabet.pdfzotabet.pdf
zotabet.pdf
zotabetcasino6 views
Building trust in our information ecosystem: who do we trust in an emergency by Tina Purnat
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergency
Tina Purnat85 views

The Unintended Risks of Trusting Active Directory

  • 1. The Unintended Risks of Trusting Active Directory
  • 2. @harmj0y Red teamer and offensive engineer at SpecterOps Adaptive Threat Division alumni Avid blogger (http://harmj0y.net) Co-founder of Empire, BloodHound, Veil-Framework 2
  • 3. @tifkin_ Red teamer, hunter, and researcher at SpecterOps Adaptive Threat Division alumni Forever going after shiny things Contributor to various projects/blog posts 3
  • 4. @enigma0x3 Red teamer and security researcher at SpecterOps Adaptive Threat Division alumni Avid blogger (https://enigma0x3.net/), COM lover, CVE holder 4
  • 5. “As an offensive researcher, if you can dream it, someone has likely already done it...and that someone isn’t the kind of person who speaks at security cons.” 5 Matt Graeber “Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor” BlackHat 2015
  • 6. What is “Admin Access” ? Hint: it’s more complicated than just “local administrators”! 6
  • 7. The “True” Nature of Administrative Access ▪ Controversial statement: membership in a system’s local administrators group isn’t what ultimately matters! ▪ What actually matters is what local/domain groups have access to specific remote resources (RPC, remote reg, WMI, SQL, etc.) based on the host service’s security descriptors 7
  • 9. Wait, Security Descriptors? ACLs? What are Those and Why Should I Care? 9
  • 10. Security descriptors are the Windows mechanism to control authenticated access to resources, or “securable objects” 10 PS: lots of caveats here :)
  • 11. What Is a “Securable Object”? Why, a Windows object that can have a security descriptor, of course! 11
  • 13. From ACLs to DACLs to SACLs ▪ An Access Control List (ACL) is basically shorthand for the DACL/SACL superset ▪ An object’s Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs) ▫ DACL - What principals/trustees have what rights over the object ▫ The SACL - Specifies how to audit access to the object 13
  • 14. 14
  • 15. tl;dr ▪ Security descriptors are just the mechanism that Windows uses to define what users (principals) can perform what actions on a specific object, either in Active Directory or on the host ▫ When access is requested, some process enumerates the effective security identifiers (SIDs) of the requestor, compares them to the information in the DACL, and decides whether to grant access 15
  • 16. OK, That’s “Cool” but Why Should I Care, Really? 16
  • 17. Why Care? ▪ It’s often difficult to determine whether a specific security descriptor misconfiguration was set maliciously or configured by accident ▫ Existing misconfigurations: privesc opportunities ▫ Malicious misconfiguration changes: persistence! ▪ These changes often have a minimal forensic footprint ▪ Most defenders are not aware of this general persistence approach, much less how to find and remediate it ▫ Nor are they aware of existing misconfigurations that affect privesc... 17
  • 18. Host-based Security Descriptors More than just the service control manager yo’
  • 19. Discovering Host Securable Objects ▪ Windows documentation lists about 20-30 securable objects* ▪ We’ve identified 70+! (There are *many* more) ▪ Microsoft Protocol Specifications ▫ Very useful for RPC servers! ▪ Find-RegistrySecurityDescriptors.ps1 19*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx
  • 20. 20
  • 21. Online vs Offline Security Descriptors ▪ Where do objects get their security descriptor? ▫ Offline - Security descriptor derived from registry, file, etc. ▫ Online - Security descriptor is in memory ▪ Our approach for enumeration: ▫ Locally as an unprivileged user ▫ Locally as a privileged user ▫ Remotely as an unprivileged user ▫ Remotely as a privileged user 21
  • 22. Example: Remote Registry ▪ Imagine this scenario: remotely dumping an endpoint’s machine account hash as an “unprivileged” user (i.e. not in local admins)! ▪ Backdoor Process ▫ Remotely backdoor the winreg key with an attacker- controlled user/group (this key == remote registry access) ▫ Add malicious ACEs to the SECURITY and SYSTEM hives 22
  • 23. Example: Remote Registry ▪ (Remote) Backdoor Execution ▫ As the backdoor (domain or local) user, connect to the remote registry service on the backdoored system ▫ Open up specific reg keys linked to LSA and extract their classes ▫ Combine these class values and compute the BootKey ▫ Use the BootKey to decrypt the LSA key ▫ Use the LSA key to decrypt the machine account hash! ▫ EVERYONE GETS A SILVER TICKET!! 23
  • 24. Active Directory Security Descriptors Everything needs an access control model, even AD
  • 25. Active Directory ACL Advantages 25 ▪ A big advantage: by default the DACLs for nearly every AD object can be enumerated by any authenticated user in the domain through LDAP! ▪ Other advantages of AD ACLs: ▫ Changes also have a minimal forensic footprint ▫ Changes often survive OS and domain functional level upgrades, i.e. “misconfiguration debt” ▫ Anti-audit measures can be taken!
  • 27. Generic Rights We Care About 27 GenericAll Allows ALL generic rights to the specified object GenericWrite Allows for the modification of (almost) all properties on a specified object WriteDacl Grants the ability to modify the DACL in the object security descriptor WriteOwner Grants the ability to take ownership of the object
  • 28. Object-specific Rights We Care About 28 Users User-Force-Change-Password or write to the servicePrincipalName Groups Write to the member property Computers None outside of LAPS :( GPOs Modification of GPC-File-Sys-Path Domains WriteDacl to add DCSync rights
  • 29. Example: Abusing Exchange ▪ Exchange Server introduces several schema changes, new nested security groups, and MANY control relationships to Active Directory, making it a perfect spot to blend in amongst the noise! ▪ Pre Exchange Server 2007 SP1, this included the WriteDACL privilege against the domain object itself with Exchange Trusted Subsystem as the principal 29
  • 30. Example: Abusing Exchange ▪ Backdoor Process ▫ Identify a non-protected security group with local admin rights on one or more Exchange servers ▫ Grant Authenticated Users full control over this security group ▫ Change the owner of the group to an Exchange server ▫ Deny Read Permissions on this group to the Everyone principal 30
  • 31. Example: Abusing Exchange ▪ Backdoor Execution ▫ Regain access to the Active Directory domain as any user ▫ Add your current user to the backdoored security group ▫ Use your new local admin rights on an Exchange server to execute commands as the SYSTEM user on that computer ▫ Abuse the rights Exchange Trusted Subsystem has over the domain object (i.e. WriteDacl!) ▫ More information: http://bit.ly/2IIK3K3 31
  • 32. Active Directory + Host ACL Abuse Plugging the Gaps in Attack Chains
  • 33. ▪ Prior to joining active directory, the host is in ultimate control of who can access its resources ▪ After a machine is joined to AD, a few things happen: ▫ The machine is no longer solely in charge of authentication ▫ A portion of key material for the host is stored in another location (machine account hash in ntds.dit) ▫ Default domain group SIDs are added to local groups ▫ Management is no longer solely left to the host (i.e. GPOs :) “Risks” Of Joining Active Directory 33
  • 34. Active Directory: Before and After 34 Workgroup Active Directory Security Principals Local users/groups + Domain users/groups Access/Permission Management Host-based Security Descriptors + Default domain groups added to local groups Authentication NTLM (SAM) + Kerberos/NTLM (NTDS) Resource Administration Manual + GPOs
  • 35. Active Directory: Before and After 35 DCOM Service Administrators admin DOMAINDomain Admins Distributed COM Users DOMAINsrvcacct DOMAINjohnDOMAINsrvadms DOMAINlee
  • 36. The “Actual” Attack Graph ▪ BloodHound doesn’t (currently) take host based security descriptors into account ▪ The actual access graph that exists in a domain includes the security descriptors for every remotely accessible service on every host + AD descriptors ▫ Includes “unrolling” groups… this may not be (currently) realistically possible to model in large environments ¯_(ツ)_/¯ 36
  • 37. Security Implications ▪ Host-based security descriptors are the missing link when thinking about domain attack graphs! ▪ There ARE existing misconfigurations in the security descriptors in some host-based services! ▫ More to come this summer, stay tuned :) ▪ Host-based security descriptor modifications can be chained with AD misconfigurations/modifications ▪ “Fills the gap” left by the lack of an AD ACL computer primitive 37
  • 38. tl;dr Security Implications of Joining Active Directory ▪ When you join a system to Active Directory, you’re introducing additional nodes into the access graph that may affect the security of other systems ▪ You’re also implicitly trusting the security of a large number of other nodes in the graph as well ▫ You’re almost certainly exposing your system’s services to more access than you realize! 38
  • 39. Case Study #1 Picking on Exchange Again :)
  • 40. Case Study: Exchanging Rights ▪ We saw before that the Exchange Trusted Subsystem group (which contains Exchange servers) often has a huge number of rights over the domain ▪ So let’s integrate the remote registry host-based backdoor on an Exchange box! ▫ No changes to the DC or any AD data ▫ Takes advantage of existing misconfigurations! 40
  • 42. Case Study #2 Abusing Existing Misconfigurations
  • 43. Case Study: Abusing Existing Misconfigurations ▪ GPOs set lots of interesting settings! ▫ They can even set host-based security descriptors: ) ▫ Imagine one that modifies the security descriptor for SCM ▪ We can also easily correlate GPOs to find what systems they apply to ▪ What happens if the group SID set for the descriptor via GPO, after unrolling, contains a service account... 43
  • 45. 45 Summary ▪ Access is more than just “local administrators” ! ▪ You should really care about security descriptors! ▪ Host based security descriptors (accidentally misconfigured or maliciously backdoored) can have far- reaching implications for the security of other systems in the domain!
  • 46. 46 Questions? You can find us at @SpecterOps: ▪ @harmj0y , @tifkin_ , @enigma0x3 ▪ [will,lee,matt]@specterops.io