Folks,
Today, I will share with you a concrete example of how any insider could potentially compromise the user account of the Chief Financial Officer (CFO) of an organization by exploiting weaknesses in access grants provisioned in Active Directory, which is the basis of the Active Directory Privilege Escalation security risk that I declassified one week ago.
Chief Financial Officer |
This specific example is a very realistic illustration of this risk, that today could be carried out in most organizations worldwide.
SUMMARY -
- Target: The CFO's domain user account which resides in the Finance OU in the Active Directory
- Attacker: John Doe, a temporary contractor working on some project, who has a domain user account
- Attack Methodology -
- Step 1 - Obtain a tool that can aid in performing Active Directory Security Analysis.
- Step 2 - Use this tool to a) locate the CFO's domain user account in Active Directory, and then b) analyze access provisioned in the ACL of the CFO's domain user account to identify the list of all individuals who can reset the CFO's password.
- Step 3 - Use the same tool to analyze security permissions on the user accounts of each of these individuals to identify who can reset their passwords. Iterate this process on this list of accounts, and continue iterating until the single weakest link i.e. an account that can be easily compromised by the attacker, has been found.
- Step 4 - Begin by compromising the account identified as the weakest link. Then, login using that account and reset the password of the next account in the chain. Repeat this process until you have reset the password of a delegated admin who can reset the CFO's user account.
- Step 5 - Login using the final compromised delegated admin's account, and reset the CFO's password.
- Time Requirement - The exploitation process is very quick, since a password reset operation only takes 5 seconds, and a subsequent logon about 30 seconds. The only part that takes some time is the process of determining who can actually reset a target account's password.
- Compromising the Initial Account - The initial account can be compromised by any one of various means, an encyclopedia of which is known to most malicious individuals. Examples of such means include Password Guessing, Password Stealing (Keystroke Logger), Phishing, Hash Replays (Pass-the-Hash) etc.
DETAILS -
Step 1 - Obtain a tool that can aid in performing Active Directory Security Analysis
Since John already has a domain user account, he already has complete read access to Active Directory content. All he needs is an Active Directory Security Analysis tool to view Active Directory content, analyze Active Directory permissions and enumerate group memberships i.e. aid in the process of determining effective access in Active Directory.
The Advanced Security Settings Tab of the Active Directory Users and Computers Tool |
There are many freely available tools that can aid the attacker in performing Active Directory Security Analysis, such as Microsoft Active Directory Users and Computers Snap-In, Administrative Center, dsacls, acldiag, LDP, LIZA etc.
Step 2a - Use this tool to locate the CFO's domain user account in Active Directory
Once John has installed a tool of his choice, he can launch it to view the contents of the Active Directory. Using the tool's inbuilt search abilities, he should easily be able to locate the CFO's account -
Locating the CFO's User Account in Active Directory |
CFO's User Account in Active Directory |
Once John has located the CFO's domain user account, he can access the ACL protecting the account. Since authenticated users have default read access in Active Directory, no special access is needed to access and examine AD ACLs.
Step 2b - Use this tool to analyze access provisioned in the ACL of the CFO's domain user account to identify the list of all individuals who can reset the CFO's password.
The next step is to analyze the object's ACL to identify the list of all individuals who can reset the CFO's password. The following is the access control list (ACL) protecting the CFO's domain user account -
Analyzing Security Permissions Specified in the ACL of the CFO's User Account |
To do so, he will need to engage in the process of determining who has what effective access in Active Directory. Kindly note that this process is NOT the same as the one involved in determining who has what permissions in Active Directory.
In essence, all John needs to do is determine who effectively has Reset Password rights allowed on the CFO's user account. Anyone who is effectively allowed the Reset Password extended right, or All Extended Rights, or Full Control over the object will make the list. This is because All Extended Rights includes the Reset Password right, and because Full Control includes All Extended Rights.
As you can see above, there are many security permissions specified in the ACL, each one specified in an individual access control entry (ACE). Some ACEs grant permissions whereas others deny permissions. Some are explicitly specified on the object, whereas others are inherited. Some inherited ones apply to the object (CIID), whereas others merely exist to be inherited down to other objects (CIIO).
In order to determine effective access on the CFO's object, John will need to perform a process similar to the following -
- Identify all relevant ACEs i.e. all ACEs that allow/deny Reset Password, or All Extended Rights or Full Control.
- Then flatten all group memberships for which access is specified in all relevant ACEs, generating lists that enumerating the list of all individuals who are allowed access, as well as enumerating the list of all individuals who are denied access. (Ensure that any and all nested group memberships are completely flattened as well.)
- Then, intersect these lists taking into account all pertinent factors, such as inheritance rules, ACE applicability, conflict resolution etc. to ultimately arrive at a list of all individuals who can reset the CFO's password.
Upon completion of these steps, John would have the list of all individuals who can effectively reset the CFO's password.
List of individuals who can reset the CFO's password |
It is worth noting that even if John did not know how to do engage in this process with 100% precision, even with 80% precision, he could determine 80% of the individuals who could reset the CFO's password.
Step 3 - Analyze security permissions on the accounts of these individuals to identify who can reset their passwords.
If John is already a delegated admin, and his account is already on that list, he may not need to analyze effective access on any more accounts. However, if his account is not on that list, then he could continue the process to find a weakest link, which is described below.
Once John has put together the list of all the individuals who can reset the CFO's password, he would then proceed to determine who can reset the passwords of these individuals. This would give him a broader attack base, and one that would also usually constitute a set of weaker targets to compromise.
He could then iterate this process on this new list of accounts, and continue iterating until the single weakest link i.e. an account that can be easily compromised by the attacker, has been found.
Any ONE of a large number of IT admins may be the starting point for privilege escalation i.e. the weakest link |
For instance, he might find that a total of 12 individuals can reset the CFO's password, but that a total of 36 individuals can reset the passwords of these 12 individuals. He could iterate further to find potentially 50 or so individuals who could in turn reset the passwords of these 36 individuals.
He only needs to iterate the process until he can find at least one account that is easily or readily compromisable i.e. until he has found the weakest link. For instance, he could stop identifying accounts as soon as he finds the account of a single local IT admin whose account he could compromise using various known means.
By engaging in this process, he would have in effect identified a privilege escalation path, which would start from an easily compromsable account and lead all the way up to the CFO's user account.
Step 4 - Escalate Privilege by Performing Password Resets
Once John has identified a privilege escalation chain, all he needs to do is act upon it at a day and time of his choosing and to his advantage. He would begin by compromising the first account using any one of several known means to do so.
Once he has compromised the first account, the rest of escalation is simply a matter of logging in using the compromised account, then resetting the next target's password, then logging off, and logging on using the next compromised account, and so on, and by the end of it, he would have effectively escalated his privilege to that of the CFO of the company
Final Privilege Escalation Step - Resetting the CFO's account's password |
In most cases, John would only have to repeat these steps 2 to 4 times (i.e his privilege escalation depth would be 2-4.)
Step 5 - Login as the CFO
Once John has reset the CFO's account's password to one of his choice (e.g. Th@WasEasy!), he can instantly login as the CFO i.e. using the CFO's account -
Once logged in as the CFO, he would have whatever read and modify access the CFO's account may have been provisioned across the IT infrastructure. Since in most organizations, single-sign-on is in use, he could almost instantly access, copy, change or delete any information that the CFO's account might have access to.
(Imagine the financial and legal ramifications of John being able to access the organization's quarterly earnings numbers just 10 minutes before the official scheduled earnings release, using the CFO's account, and then leaking them on the Internet.)
Some Observations about Active Directory Privilege Escalation Based on Exploitation of Unauthorized Access Grants
As seen above, the process of identifying and exploiting unauthorized access grants in Active Directory is rather simple. Here are some noteworthy observations -
- Easier than the Pass-The-Hash (PtH) Attack Vector - This attack vector is much easier than the PtH attack vector because of the following reasons -
- Opportunity - The PtH attack vector may be easy to carry out against Domain Admins because the likelihood of having a Domain Admin logon to a machine the attacker controls is high. However, the likelihood of a specific non-administrative high-value account such as that of the CFO, CEO, CIO, CISO, IT Director, a Vice President, a manager etc. logging on to a machine controlled by the attacker is rather low. (Most folks usually logon to their own dedicated machines.) Thus, the likelihood of compromising a non-administrative account with PtH is low, whereas with this attack vector it is high.
- Lower Bar - In most organizations, there is already sufficient awareness about the PtH attack vector, and administrators are careful as to not to logon to machines they do not trust. However, most organizations still have no idea as to exactly who can reset whose passwords, so there are ample opportunities to escalate privilege by resetting passwords and thus the bar is much lower
- No Specialized Tooling Required - Unlike the PtH attck vector, this attack vector does not require any specialized tooling. It only requires some security analysis and the enactment of basic tasks, which can easily be carried out using Microsoft's native tools.
- Higher Probability - If a potential target never logs on to the attacker's host, the attacker will NEVER be able to use PtH to escalate privilege. However, with password resets, not only does the potential target not need to logon to the attacker's machine, the probability of finding at least one unauthorized individual who can reset the target user's account is substantially higher.
- A Vast Attack Surface - It is not just domain user accounts that are vulnerable. All Active Directory content, including security groups (and their memberships), computer accounts, GPOs, entire organizational units (OUs), service connection points (SCPs) etc. can all be compromised by simply determining who can manage them and then using this approach to take over the account of a delegated administrator who can manage that object.
- AdminSDHolder Protection does not mitigate this risk - Contrary to popular belief, AdminSDHolder does not mitigate this risk for two reasons -
- Non-administrative accounts - AdminSDHolder only serves to ensure that a standard set of permissions in applied to all administrative accounts and groups. It does not provide any protection for non-administrative accounts and groups. So for example, executive (C*O) accounts, VP accounts, director and manager accounts are not protected by it, neither are regular employee and contractor accounts.
- Administrative accounts - Even for administrative accounts, it only serves to ensure that a single standardized set of permissions are applied to all accounts. It does NOT protect the groups to whom access is specified in the ACL of the AdminSDHolder object itself, or the users that belong to these groups. Thus, this attack vector can also be used against all administrative accounts and groups.
- Security Analysis is not Audited - The act of performing security analysis only involves read access to Active Directory. Read access to Active Directory is almost never audited because of the sheer volume of read access that takes place everyday in the course of normal business/IT operations. As a result, it is virtually impossible for IT personnel to know whether or not, and if so, when, someone might be performing such security analysis in their environments. This aspect gives attackers the luxury of time. They could take anywhere from hours to weeks to identify weaknesses, then act at a day and time of their choosing to exploit their findings.
- This Risk is 100% Mitigatable - This risk is 100% mitigatable. In other words, organizations can easily take steps to mitigate it, such that even if every user in the environment were to scour all their Active Directory ACLs, all they would find are tightly locked access grants i.e. least privilege access (LPA) implemented in their Active Directory. In order to mitigate this risk and attain an LPA state in their Active Directory, all that organizational IT personnel need to do is identify and eliminate unauthorized access grants in their Active Directory. This can easily be done by using any advanced Active Directory Security Analysis Tool that is capable of determining True Active Directory Effective Permissions (i.e. true/accurate effective permissions on Active Directory objects). Organizations that have abundant IT resources and expertise could also choose to develop and test their own Active Directory effective access assessment capabilities in-house.
Real-World Proof
For most IT personnel familiar with Active Directory, the example presented above should be sufficient to illustrate the risk.
Need one say more?
Best wishes,
Sanjay