This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
The talk I gave at Black Hat USA 2017 on bypassing Microsoft Advanced Threat Analytics (ATA). I demonstrate techniques to bypass, avoid and attack ATA in this talk.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
A collection of techniques that allow users to escalate privileges to local administrator and then to NT Authority\System. On a windows domain readers can use the described techniques to escalate to domain administrators.
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax
This talk will review the advanced security features in DataStax Enterprise and discuss best practices for secure deployments. In particular, topics reviewed will cover: Authentication with Kerberos & LDAP/Active Directory, Role-based Authorization and LDAP role assignment, Auditing, Securing network communication, Encrypting data files and using the Key-Management Interoperability Protocol (KMIP) for secure off-host key management. The talk will also suggest strategies for addressing security needs not met directly by the built-in features of the database such as how to address applications that require Attribute Based Access Control (ABAC).
About the Speaker
Matt Kennedy Sr. Product Manager, DataStax
Matt Kennedy works at DataStax as the product manager for DataStax Enterprise Core. Matt has been a Cassandra user and occasional contributor since version 0.7 and was named a Cassandra MVP in 2013 shortly before joining DataStax. Unlike Cassandra, Matt is not partition tolerant.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
The talk I gave at Black Hat USA 2017 on bypassing Microsoft Advanced Threat Analytics (ATA). I demonstrate techniques to bypass, avoid and attack ATA in this talk.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
A collection of techniques that allow users to escalate privileges to local administrator and then to NT Authority\System. On a windows domain readers can use the described techniques to escalate to domain administrators.
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax
This talk will review the advanced security features in DataStax Enterprise and discuss best practices for secure deployments. In particular, topics reviewed will cover: Authentication with Kerberos & LDAP/Active Directory, Role-based Authorization and LDAP role assignment, Auditing, Securing network communication, Encrypting data files and using the Key-Management Interoperability Protocol (KMIP) for secure off-host key management. The talk will also suggest strategies for addressing security needs not met directly by the built-in features of the database such as how to address applications that require Attribute Based Access Control (ABAC).
About the Speaker
Matt Kennedy Sr. Product Manager, DataStax
Matt Kennedy works at DataStax as the product manager for DataStax Enterprise Core. Matt has been a Cassandra user and occasional contributor since version 0.7 and was named a Cassandra MVP in 2013 shortly before joining DataStax. Unlike Cassandra, Matt is not partition tolerant.
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot
The webinar will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data.
Using the popular AAA (Authentication, Authorisation, Auditing) framework EnterpriseDB will cover:
- Best practices for authentication (trust, certificate, MD5, Scram, etc).
- Advanced approaches, such as password profiles.
- Deep dive of authorisation and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction.
- Auditing, encryption, and SQL injection attack prevention
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Mary Racter
Secret-based protocols are the most popular methods for establishing trust in authentication. Unfortunately, they are also one of the first attack surfaces to be probed when system compromise is attempted. Today’s digital services often focus on scalability, high-availability, and fault tolerance, leading to a shift towards microservices on cluster-based architectures. Secret management has evolved as well, leading to the development of cluster-compatible, open-source SM tools such as HashiCorp’s Vault. This talk is designed to help SecOps professionals leverage security concepts such as spatial and temporal attack surfaces, trust, and risk acceptance to secure their cluster credential management.
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
This deck contains a few improvements based on received feedback, such as the addition of links and reworded some points for clarity.
A talk about the existing ways to mitigate Java deserialization attacks from the JVM. The talk was presented at the BSides Luxembourg conference on October 2017.
It describes the use of Instrumentation Agents and Serialization Filtering and their limitations.
It also talks about Runtime Virtualization and Runtime privilege de-escalation.
At the talk there was also a PoC demo that demonstrated how an Instrumentation Agent could be tampered from a file upload vulnerability at the application level.
Cloud computing transforms the way we can store, process and share our data. New applications and workloads are growing rapidly, which brings every day more sensitive data into the conversation about risk and what constitutes natural targets for bad actors. This presentation reflects on current best practices to address the most significant security concerns for sensitive data in the cloud, and offers participants a list of steps to achieve enterprise-grade safety with MongoDB deployments among the expanding service provider options.
Slide deck for the Secruity Weekly session on Oct 25th 2018. Code is up on www.github/YossiSassi. Special thanks to Eyal Neemany & Omer Yair who helped prep this talk.
See the improved version: https://www.slideshare.net/ApostolosGiannakidis/mitigating-java-deserialization-attacks-from-within-the-jvm-improved-version
A talk about the existing ways to mitigate Java deserialization attacks from the JVM. The talk was presented at the BSides Luxembourg conference on October 2017.
It describes the use of Instrumentation Agents and Serialization Filtering and their limitations.
It also talks about Runtime Virtualization and Runtime privilege de-escalation.
At the talk there was also a PoC demo that demonstrated how an Instrumentation Agent could be tampered from a file upload vulnerability at the application level.
Security is more critical than ever with new computing environments in the cloud and expanding access to the Internet. There are a number of security protection mechanisms available for MongoDB to ensure you have a stable and secure architecture for your deployment. We'll walk through general security threats to databases and specifically how they can be mitigated for MongoDB deployments.
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
In this talk we’ll see how Authentication and Secrets delivery work in distributed containerized applications from the inside. We’ll start from the theory of security and will go through the topics like Container Auth Role, Static & Dynamic secrets, Env vars/volumes for secret delivery, Vault & K8S secrets. After this talk you’ll get an understanding how to securely deploy your containerized workloads.
Everything and anything is hackable and vulnerable in some ways. Even with all the security governance and check points, businesses are still being cyberattacked & hacked regularly.
Did you know, a public IP is attacked by a hacker after the first five minutes of life on the internet.
This presentation directly explores the 7 dangerous ways to Cyberattack Azure and provides countermeasures.
More importantly, provides some guidance to start protecting your business in the Cloud!
Operations: Security Crash Course — Best Practices for Securing your CompanyAmazon Web Services
All companies should build with security and protection of customer data as the number one priority. This talk will cover a wide range of best practices from MFA, root accounts, encrypting laptops, inventory management, MDM, and incident response. You'll learn key principles of how to build a secure organization to protect your data. Don't wait until your first security incident before putting these best practices in place.
Practical Red Teaming is a hands-on class designed to teach participants with various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer’s perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems. We will cover several phases of a Red Team engagement in depth – Local Privilege escalation, Domain Enumeration, Admin Recon, Lateral movement, Domain Admin privileges etc.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics :
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OU’s etc
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.
PowerUp - Automating Windows Privilege EscalationWill Schroeder
This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
https://bit.ly/3KACoyV
The ER diagram for the project is the foundation for the building of the database of the project. The properties, datatypes, and attributes are defined by the ER diagram.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
2. @harmj0y
Red teamer and offensive engineer
at SpecterOps
Adaptive Threat Division alumni
Avid blogger (http://harmj0y.net)
Co-founder of Empire,
BloodHound, Veil-Framework
2
3. @tifkin_
Red teamer, hunter, and
researcher at SpecterOps
Adaptive Threat Division alumni
Forever going after shiny things
Contributor to various
projects/blog posts
3
4. @enigma0x3
Red teamer and security
researcher at SpecterOps
Adaptive Threat Division alumni
Avid blogger
(https://enigma0x3.net/), COM
lover, CVE holder
4
5. “As an offensive researcher, if you
can dream it, someone has likely
already done it...and that someone
isn’t the kind of person who speaks
at security cons.”
5
Matt Graeber
“Abusing Windows Management
Instrumentation (WMI) to Build a Persistent,
Asynchronous, and Fileless Backdoor”
BlackHat 2015
7. The “True” Nature of Administrative Access
▪ Controversial statement: membership in a system’s
local administrators group isn’t what ultimately
matters!
▪ What actually matters is what local/domain groups
have access to specific remote resources (RPC,
remote reg, WMI, SQL, etc.) based on the host
service’s security descriptors
7
13. From ACLs to DACLs to SACLs
▪ An Access Control List (ACL) is basically shorthand
for the DACL/SACL superset
▪ An object’s Discretionary Access Control List
(DACL) and System Access Control List (SACL) are
ordered collections of Access Control Entries (ACEs)
▫ DACL - What principals/trustees have what rights over the
object
▫ The SACL - Specifies how to audit access to the object
13
15. tl;dr
▪ Security descriptors are just the mechanism that
Windows uses to define what users (principals)
can perform what actions on a specific object,
either in Active Directory or on the host
▫ When access is requested, some process enumerates
the effective security identifiers (SIDs) of the requestor,
compares them to the information in the DACL, and
decides whether to grant access
15
17. Why Care?
▪ It’s often difficult to determine whether a specific security
descriptor misconfiguration was set maliciously or configured
by accident
▫ Existing misconfigurations: privesc opportunities
▫ Malicious misconfiguration changes: persistence!
▪ These changes often have a minimal forensic footprint
▪ Most defenders are not aware of this general persistence
approach, much less how to find and remediate it
▫ Nor are they aware of existing misconfigurations that affect privesc...
17
21. Online vs Offline Security Descriptors
▪ Where do objects get their security descriptor?
▫ Offline - Security descriptor derived from registry, file, etc.
▫ Online - Security descriptor is in memory
▪ Our approach for enumeration:
▫ Locally as an unprivileged user
▫ Locally as a privileged user
▫ Remotely as an unprivileged user
▫ Remotely as a privileged user
21
22. Example: Remote Registry
▪ Imagine this scenario: remotely dumping an
endpoint’s machine account hash as an “unprivileged”
user (i.e. not in local admins)!
▪ Backdoor Process
▫ Remotely backdoor the winreg key with an attacker-
controlled user/group (this key == remote registry access)
▫ Add malicious ACEs to the SECURITY and SYSTEM hives
22
23. Example: Remote Registry
▪ (Remote) Backdoor Execution
▫ As the backdoor (domain or local) user, connect to the
remote registry service on the backdoored system
▫ Open up specific reg keys linked to LSA and extract their
classes
▫ Combine these class values and compute the BootKey
▫ Use the BootKey to decrypt the LSA key
▫ Use the LSA key to decrypt the machine account hash!
▫ EVERYONE GETS A SILVER TICKET!!
23
25. Active Directory ACL Advantages
25
▪ A big advantage: by default the DACLs for nearly
every AD object can be enumerated by any
authenticated user in the domain through LDAP!
▪ Other advantages of AD ACLs:
▫ Changes also have a minimal forensic footprint
▫ Changes often survive OS and domain functional level
upgrades, i.e. “misconfiguration debt”
▫ Anti-audit measures can be taken!
27. Generic Rights We Care About
27
GenericAll Allows ALL generic rights to the specified object
GenericWrite Allows for the modification of (almost) all
properties on a specified object
WriteDacl Grants the ability to modify the DACL in the
object security descriptor
WriteOwner Grants the ability to take ownership of the object
28. Object-specific Rights We Care About
28
Users User-Force-Change-Password or write to
the servicePrincipalName
Groups Write to the member property
Computers None outside of LAPS :(
GPOs Modification of GPC-File-Sys-Path
Domains WriteDacl to add DCSync rights
29. Example: Abusing Exchange
▪ Exchange Server introduces several schema changes,
new nested security groups, and MANY control
relationships to Active Directory, making it a perfect
spot to blend in amongst the noise!
▪ Pre Exchange Server 2007 SP1, this included the
WriteDACL privilege against the domain object itself
with Exchange Trusted Subsystem as the principal
29
30. Example: Abusing Exchange
▪ Backdoor Process
▫ Identify a non-protected security group with local admin
rights on one or more Exchange servers
▫ Grant Authenticated Users full control over this security
group
▫ Change the owner of the group to an Exchange server
▫ Deny Read Permissions on this group to the Everyone
principal
30
31. Example: Abusing Exchange
▪ Backdoor Execution
▫ Regain access to the Active Directory domain as any user
▫ Add your current user to the backdoored security group
▫ Use your new local admin rights on an Exchange server to
execute commands as the SYSTEM user on that computer
▫ Abuse the rights Exchange Trusted Subsystem has over
the domain object (i.e. WriteDacl!)
▫ More information: http://bit.ly/2IIK3K3
31
33. ▪ Prior to joining active directory, the host is in ultimate
control of who can access its resources
▪ After a machine is joined to AD, a few things happen:
▫ The machine is no longer solely in charge of authentication
▫ A portion of key material for the host is stored in another
location (machine account hash in ntds.dit)
▫ Default domain group SIDs are added to local groups
▫ Management is no longer solely left to the host (i.e. GPOs :)
“Risks” Of Joining Active Directory
33
34. Active Directory: Before and After
34
Workgroup Active Directory
Security Principals Local users/groups
+ Domain
users/groups
Access/Permission
Management
Host-based Security
Descriptors
+ Default domain
groups added to
local groups
Authentication NTLM (SAM)
+ Kerberos/NTLM
(NTDS)
Resource
Administration
Manual + GPOs
35. Active Directory: Before and After
35
DCOM
Service
Administrators
admin
DOMAINDomain Admins
Distributed
COM Users
DOMAINsrvcacct
DOMAINjohnDOMAINsrvadms
DOMAINlee
36. The “Actual” Attack Graph
▪ BloodHound doesn’t (currently) take host based
security descriptors into account
▪ The actual access graph that exists in a domain
includes the security descriptors for every remotely
accessible service on every host + AD descriptors
▫ Includes “unrolling” groups… this may not be (currently)
realistically possible to model in large environments ¯_(ツ)_/¯
36
37. Security Implications
▪ Host-based security descriptors are the missing
link when thinking about domain attack graphs!
▪ There ARE existing misconfigurations in the security
descriptors in some host-based services!
▫ More to come this summer, stay tuned :)
▪ Host-based security descriptor modifications can be
chained with AD misconfigurations/modifications
▪ “Fills the gap” left by the lack of an AD ACL computer primitive
37
38. tl;dr Security Implications of Joining Active Directory
▪ When you join a system to Active Directory, you’re
introducing additional nodes into the access graph
that may affect the security of other systems
▪ You’re also implicitly trusting the security of a
large number of other nodes in the graph as well
▫ You’re almost certainly exposing your system’s services
to more access than you realize!
38
40. Case Study: Exchanging Rights
▪ We saw before that the Exchange Trusted
Subsystem group (which contains Exchange servers)
often has a huge number of rights over the domain
▪ So let’s integrate the remote registry host-based
backdoor on an Exchange box!
▫ No changes to the DC or any AD data
▫ Takes advantage of existing misconfigurations!
40
43. Case Study: Abusing Existing Misconfigurations
▪ GPOs set lots of interesting settings!
▫ They can even set host-based security descriptors: )
▫ Imagine one that modifies the security descriptor for SCM
▪ We can also easily correlate GPOs to find what
systems they apply to
▪ What happens if the group SID set for the
descriptor via GPO, after unrolling, contains a
service account...
43
45. 45
Summary
▪ Access is more than just “local administrators” !
▪ You should really care about security descriptors!
▪ Host based security descriptors (accidentally
misconfigured or maliciously backdoored) can have far-
reaching implications for the security of other
systems in the domain!
46. 46
Questions?
You can find us at @SpecterOps:
▪ @harmj0y , @tifkin_ ,
@enigma0x3
▪ [will,lee,matt]@specterops.io