Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Unintended Risks of Trusting Active Directory

3,192 views

Published on

This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.

Published in: Internet

The Unintended Risks of Trusting Active Directory

  1. 1. The Unintended Risks of Trusting Active Directory
  2. 2. @harmj0y Red teamer and offensive engineer at SpecterOps Adaptive Threat Division alumni Avid blogger (http://harmj0y.net) Co-founder of Empire, BloodHound, Veil-Framework 2
  3. 3. @tifkin_ Red teamer, hunter, and researcher at SpecterOps Adaptive Threat Division alumni Forever going after shiny things Contributor to various projects/blog posts 3
  4. 4. @enigma0x3 Red teamer and security researcher at SpecterOps Adaptive Threat Division alumni Avid blogger (https://enigma0x3.net/), COM lover, CVE holder 4
  5. 5. “As an offensive researcher, if you can dream it, someone has likely already done it...and that someone isn’t the kind of person who speaks at security cons.” 5 Matt Graeber “Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor” BlackHat 2015
  6. 6. What is “Admin Access” ? Hint: it’s more complicated than just “local administrators”! 6
  7. 7. The “True” Nature of Administrative Access ▪ Controversial statement: membership in a system’s local administrators group isn’t what ultimately matters! ▪ What actually matters is what local/domain groups have access to specific remote resources (RPC, remote reg, WMI, SQL, etc.) based on the host service’s security descriptors 7
  8. 8. 8 CIFS Remote Registry WinRM SCM WMI RPC :) SD SD “LOCAL Administrators” GENERIC_ALL “DOMAINuser” SC_MANAGER_C REATE_SERVICE Etc. SD SD SD SD
  9. 9. Wait, Security Descriptors? ACLs? What are Those and Why Should I Care? 9
  10. 10. Security descriptors are the Windows mechanism to control authenticated access to resources, or “securable objects” 10 PS: lots of caveats here :)
  11. 11. What Is a “Securable Object”? Why, a Windows object that can have a security descriptor, of course! 11
  12. 12. SECURITY_DESCRIPTOR 12https://msdn.microsoft.com/en-us/library/windows/hardware/ff556610(v=vs.85).aspx
  13. 13. From ACLs to DACLs to SACLs ▪ An Access Control List (ACL) is basically shorthand for the DACL/SACL superset ▪ An object’s Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs) ▫ DACL - What principals/trustees have what rights over the object ▫ The SACL - Specifies how to audit access to the object 13
  14. 14. 14
  15. 15. tl;dr ▪ Security descriptors are just the mechanism that Windows uses to define what users (principals) can perform what actions on a specific object, either in Active Directory or on the host ▫ When access is requested, some process enumerates the effective security identifiers (SIDs) of the requestor, compares them to the information in the DACL, and decides whether to grant access 15
  16. 16. OK, That’s “Cool” but Why Should I Care, Really? 16
  17. 17. Why Care? ▪ It’s often difficult to determine whether a specific security descriptor misconfiguration was set maliciously or configured by accident ▫ Existing misconfigurations: privesc opportunities ▫ Malicious misconfiguration changes: persistence! ▪ These changes often have a minimal forensic footprint ▪ Most defenders are not aware of this general persistence approach, much less how to find and remediate it ▫ Nor are they aware of existing misconfigurations that affect privesc... 17
  18. 18. Host-based Security Descriptors More than just the service control manager yo’
  19. 19. Discovering Host Securable Objects ▪ Windows documentation lists about 20-30 securable objects* ▪ We’ve identified 70+! (There are *many* more) ▪ Microsoft Protocol Specifications ▫ Very useful for RPC servers! ▪ Find-RegistrySecurityDescriptors.ps1 19*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx
  20. 20. 20
  21. 21. Online vs Offline Security Descriptors ▪ Where do objects get their security descriptor? ▫ Offline - Security descriptor derived from registry, file, etc. ▫ Online - Security descriptor is in memory ▪ Our approach for enumeration: ▫ Locally as an unprivileged user ▫ Locally as a privileged user ▫ Remotely as an unprivileged user ▫ Remotely as a privileged user 21
  22. 22. Example: Remote Registry ▪ Imagine this scenario: remotely dumping an endpoint’s machine account hash as an “unprivileged” user (i.e. not in local admins)! ▪ Backdoor Process ▫ Remotely backdoor the winreg key with an attacker- controlled user/group (this key == remote registry access) ▫ Add malicious ACEs to the SECURITY and SYSTEM hives 22
  23. 23. Example: Remote Registry ▪ (Remote) Backdoor Execution ▫ As the backdoor (domain or local) user, connect to the remote registry service on the backdoored system ▫ Open up specific reg keys linked to LSA and extract their classes ▫ Combine these class values and compute the BootKey ▫ Use the BootKey to decrypt the LSA key ▫ Use the LSA key to decrypt the machine account hash! ▫ EVERYONE GETS A SILVER TICKET!! 23
  24. 24. Active Directory Security Descriptors Everything needs an access control model, even AD
  25. 25. Active Directory ACL Advantages 25 ▪ A big advantage: by default the DACLs for nearly every AD object can be enumerated by any authenticated user in the domain through LDAP! ▪ Other advantages of AD ACLs: ▫ Changes also have a minimal forensic footprint ▫ Changes often survive OS and domain functional level upgrades, i.e. “misconfiguration debt” ▫ Anti-audit measures can be taken!
  26. 26. 26 Security Descriptors: AD GUI Edition
  27. 27. Generic Rights We Care About 27 GenericAll Allows ALL generic rights to the specified object GenericWrite Allows for the modification of (almost) all properties on a specified object WriteDacl Grants the ability to modify the DACL in the object security descriptor WriteOwner Grants the ability to take ownership of the object
  28. 28. Object-specific Rights We Care About 28 Users User-Force-Change-Password or write to the servicePrincipalName Groups Write to the member property Computers None outside of LAPS :( GPOs Modification of GPC-File-Sys-Path Domains WriteDacl to add DCSync rights
  29. 29. Example: Abusing Exchange ▪ Exchange Server introduces several schema changes, new nested security groups, and MANY control relationships to Active Directory, making it a perfect spot to blend in amongst the noise! ▪ Pre Exchange Server 2007 SP1, this included the WriteDACL privilege against the domain object itself with Exchange Trusted Subsystem as the principal 29
  30. 30. Example: Abusing Exchange ▪ Backdoor Process ▫ Identify a non-protected security group with local admin rights on one or more Exchange servers ▫ Grant Authenticated Users full control over this security group ▫ Change the owner of the group to an Exchange server ▫ Deny Read Permissions on this group to the Everyone principal 30
  31. 31. Example: Abusing Exchange ▪ Backdoor Execution ▫ Regain access to the Active Directory domain as any user ▫ Add your current user to the backdoored security group ▫ Use your new local admin rights on an Exchange server to execute commands as the SYSTEM user on that computer ▫ Abuse the rights Exchange Trusted Subsystem has over the domain object (i.e. WriteDacl!) ▫ More information: http://bit.ly/2IIK3K3 31
  32. 32. Active Directory + Host ACL Abuse Plugging the Gaps in Attack Chains
  33. 33. ▪ Prior to joining active directory, the host is in ultimate control of who can access its resources ▪ After a machine is joined to AD, a few things happen: ▫ The machine is no longer solely in charge of authentication ▫ A portion of key material for the host is stored in another location (machine account hash in ntds.dit) ▫ Default domain group SIDs are added to local groups ▫ Management is no longer solely left to the host (i.e. GPOs :) “Risks” Of Joining Active Directory 33
  34. 34. Active Directory: Before and After 34 Workgroup Active Directory Security Principals Local users/groups + Domain users/groups Access/Permission Management Host-based Security Descriptors + Default domain groups added to local groups Authentication NTLM (SAM) + Kerberos/NTLM (NTDS) Resource Administration Manual + GPOs
  35. 35. Active Directory: Before and After 35 DCOM Service Administrators admin DOMAINDomain Admins Distributed COM Users DOMAINsrvcacct DOMAINjohnDOMAINsrvadms DOMAINlee
  36. 36. The “Actual” Attack Graph ▪ BloodHound doesn’t (currently) take host based security descriptors into account ▪ The actual access graph that exists in a domain includes the security descriptors for every remotely accessible service on every host + AD descriptors ▫ Includes “unrolling” groups… this may not be (currently) realistically possible to model in large environments ¯_(ツ)_/¯ 36
  37. 37. Security Implications ▪ Host-based security descriptors are the missing link when thinking about domain attack graphs! ▪ There ARE existing misconfigurations in the security descriptors in some host-based services! ▫ More to come this summer, stay tuned :) ▪ Host-based security descriptor modifications can be chained with AD misconfigurations/modifications ▪ “Fills the gap” left by the lack of an AD ACL computer primitive 37
  38. 38. tl;dr Security Implications of Joining Active Directory ▪ When you join a system to Active Directory, you’re introducing additional nodes into the access graph that may affect the security of other systems ▪ You’re also implicitly trusting the security of a large number of other nodes in the graph as well ▫ You’re almost certainly exposing your system’s services to more access than you realize! 38
  39. 39. Case Study #1 Picking on Exchange Again :)
  40. 40. Case Study: Exchanging Rights ▪ We saw before that the Exchange Trusted Subsystem group (which contains Exchange servers) often has a huge number of rights over the domain ▪ So let’s integrate the remote registry host-based backdoor on an Exchange box! ▫ No changes to the DC or any AD data ▫ Takes advantage of existing misconfigurations! 40
  41. 41. [DEMO] 41
  42. 42. Case Study #2 Abusing Existing Misconfigurations
  43. 43. Case Study: Abusing Existing Misconfigurations ▪ GPOs set lots of interesting settings! ▫ They can even set host-based security descriptors: ) ▫ Imagine one that modifies the security descriptor for SCM ▪ We can also easily correlate GPOs to find what systems they apply to ▪ What happens if the group SID set for the descriptor via GPO, after unrolling, contains a service account... 43
  44. 44. 44 [DEMO]
  45. 45. 45 Summary ▪ Access is more than just “local administrators” ! ▪ You should really care about security descriptors! ▪ Host based security descriptors (accidentally misconfigured or maliciously backdoored) can have far- reaching implications for the security of other systems in the domain!
  46. 46. 46 Questions? You can find us at @SpecterOps: ▪ @harmj0y , @tifkin_ , @enigma0x3 ▪ [will,lee,matt]@specterops.io

×