Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Thursday, September 12, 2013

Active Directory Privilege Escalation based on Exploitation of Unauthorized Grants in Active Directory - The #1 Cyber Security Risk to Active Directory


The #1 cyber security risk to Active Directory deployments is summarized in the following Executive Summary document: Active Directory Privilege Escalation Executive Summary.
Those who understand it know that it is powerful enough to be used to instantly compromise any Active Directory deployment in the world. (We can demonstrate its enactment in any production Active Directory deployment in the world.)

Those who don't understand it yet may wish to ramp up their Active Directory Security skills. A good starting point is to research "Active Directory Effective Permissions" and "Active Directory Privilege Escalation".

In days to come I will shed light on its various aspects, such as what makes it substantially more critical than the Pass-the-Hash attack vector, etc. Until then, here are some thoughts, some details, and a concrete example.

Best wishes,

PS2: For those of you who downloaded the password-protected version of the document this past week, the password to that document was "SkyFall".


  1. I agree that this is indeed an oft overlooked security risk. Ultimately it's just an extension of the compromised account problem, isn't it, as you still need to get hold of an account with the ability to reset passwords? But this time your potential list of accounts is broadened to ones that are not clearly identified as high priority ones in need of protection.
    I must confess that all too often domain admin accounts are severely over-used, so that they are used to log on all over the place to all manner of machines to perform non-DA tasks, so in many circumstances a determined attacker would not have to go to the lengths of trying to compromise an account with reset password permissions because the DA accounts are readily available. But I would agree that in many better run organisations, this attack vector may still be overlooked.

  2. I would certainly agree that in many well-run organisations where they take measures to adequately protect the domain admin accounts, this is an oft overlooked attack vector as it's not immediately obvious.
    I would say though that all too often I have seen companies use their DA accounts far too much, logging on to all manner of machines with them to perform non-DA tasks. So in many cases a determined attacker would not have to try less obvious routes as the DA accounts are readily available for compromise.

  3. Hi Tim,

    Thank you for your note. Indeed, it is an extension of the compromised account problem, but it makes it VASTLY easier to compromise virtually any IT resource stored in Active Directory i.e. any account, any group, any OU etc.

    In regards to the PtH vector, if it is highly effective in attacking Domain Admins, it is only because inexperienced Domain Admins use their accounts to logon to so many machines, to fulfill business needs.

    However, let’s assume you wanted to compromise the CEO’s/CIOs/CFOs account. In that case, because the likelihood of them logging on to machines other than their designated laptops/desktops is pretty low, PtH is hardly useful. In contrast, this attack vector can very easily be used to identify who can reset the passwords of the CEO/CIO/CFO, then iterate the logic a few times, to find someone sitting down the hall that is your starting point for the multi-step escalation.

    You’d be surprised if I told you that recently we found that more than 700 individuals had the ability to reset the password of the CEO of a very prominent multi-$B organization (who shall remain nameless.) It turns out that in this particular case, this company had outsourced the management of their Active Directory to another very prominent global IT organization (another multi-$B organization). The most surprising part was that no one in either of these organizations knew that these 700+ people could reset the CEO’s password.

    You see, the hardest part here is making accurate effective access determinations. That can take anywhere from 30 minutes to an hour per object if done manually, and of course it requires some expertise (which is one of the reasons this attack vector isn’t on many people’s radar), but if automated, you neither need to have expertise, nor does it take nearly that long.

    For example, here is one such free tool designed for legitimate use (i.e. to help employees assess risk) that reduces the time down to seconds.

    The fact of the matter is that in virtually every Active Directory deployment, unauthorized access in Active Directory is pervasive and rampant, and it's just a matter of time before everyone figures this out.

    Best wishes,

    PS: Of course, this can be used to accomplish everything ranging from wanting to create an alt account for malicious use to modifying the membership of any group, to linking a GPO to an OU, etc.
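The reply above describes the audit question at the heart of this risk: who is granted the right to reset a given account's password, once group trustees are expanded to real people? The following PowerShell is an added illustration of that first-pass check, written for this page and not part of the original post or any Paramount Defenses tool. It assumes the RSAT ActiveDirectory module and a placeholder account name; it lists direct ACE grants and does not perform a full effective-permissions evaluation (Deny ACEs, inheritance scoping and nested ownership are not resolved).

```powershell
# Added audit example (not from the original post). Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

# Schema GUID of the "User-Force-Change-Password" (Reset Password) extended right.
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
# An ExtendedRight ACE with an empty ObjectType grants ALL extended rights.
$AllExtendedRights = [Guid]'00000000-0000-0000-0000-000000000000'
$R = [System.DirectoryServices.ActiveDirectoryRights]

function Get-ResetPasswordGrants {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties nTSecurityDescriptor

    foreach ($ace in $user.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights

        # Direct grant of the reset-password extended right.
        $grantsReset = $rights.HasFlag($R::ExtendedRight) -and
            ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq $AllExtendedRights)
        # Rights that let the trustee grant the reset right to themselves.
        $canTakeOver = $rights.HasFlag($R::GenericAll) -or
            $rights.HasFlag($R::WriteDacl) -or $rights.HasFlag($R::WriteOwner)
        if (-not ($grantsReset -or $canTakeOver)) { continue }

        # Expand a group trustee to its recursive members so the head count is real.
        $principals = @($ace.IdentityReference.Value)
        try {
            $name = $ace.IdentityReference.Value -replace '^.*\\', ''
            $grp = Get-ADGroup -Identity $name -ErrorAction Stop
            $principals = @(Get-ADGroupMember -Identity $grp -Recursive | ForEach-Object SamAccountName)
        } catch { }   # not a domain group (a user, SELF, or a well-known SID); keep as-is

        foreach ($p in $principals) {
            [PSCustomObject]@{
                Target    = $user.SamAccountName
                Trustee   = $ace.IdentityReference.Value
                Principal = $p
                Rights    = $rights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 'ceo.placeholder' is a constructed sample account name, not a real identity.
Get-ResetPasswordGrants -SamAccountName 'ceo.placeholder' | Format-Table -AutoSize
```

Counting the distinct Principal values in the output gives the kind of "700+ people" figure the reply describes; any principal that is not a documented account operator is a finding to remediate by removing or scoping the ACE.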