Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Wednesday, August 5, 2015

Good Presentation on Modern Day Active Directory Attacks (Red Vs Blue) at Black Hat USA 2015 but seems to have missed the #1 Attack Vector


As you may know, Black Hat USA 2015 is currently being held in Las Vegas, and I believe there was a certain presentation titled Red vs Blue: Modern Active Directory Attacks Detection and Protection by a certain Mr. Sean Metcalf.

[ Now of course, if you know what we do at Paramount Defenses, then you know that if we wanted, we could easily have stolen anybody's thunder at Black Hat. However, when you have thousands of organizations from across a 150 countries worldwide knocking at your doors every month, you just don't have the time or the need to present at conferences. ]

 That said, as seen below, there (rightfully) was quite a bit of interest in this Active Directory Security focused presentation.

After all, given that Active Directory is the foundation of cyber security at over 85% of all business and government organizations across the world today, no one should be surprised by the interest this topic and presentation may have garnered.

For those who may not know this yet, 100% of all major recent cyber security breaches (E.g. Snowden, Target, JP Morgan, Sony, Anthem, the OPM Breach) involved the compromise and misuse of just ONE  Active Directory privileged user account.

However, what surprises me is to see that even cyber security experts don't seem to know much about certain aspects of this critically important area of cyber security. The short of it is that if your Active Directory is compromised, you're proverbially finished, and the easiest way that a perpetrator could use to compromise your Active Directory wasn't even mentioned in this presentation at Black Hat!

Active Directory Attack Vectors

Specifically, I don't know what Mr. Sean Metcalf's background is, and perhaps he's an expert at attack vectors involving Kerberos tickets, but I was really surprised to find that in a presentation in August 2015 at Black Hat 2015 USA that is on Modern Day Active Directory Attacks, there is no mention of the #1 of all Active Directory attack vectors that could allow perpetrators to instantly compromise the account of any or all Active Directory Privileged Users without so much so as knowing how to spell the word HASH, let alone capturing a hash, or for that matter obtaining and using Kerberos tickets regardless of their type (Golden/Bronze/Whatever.)

Not ONE mention. Nada. Zero!  Seriously, I'm not sure if its funny or scary.

Perhaps I should share a little something about Active Directory Security for all cyber security professionals out there...

...with the right tooling, ANYONE with access to a domain-joined computer could easily find an Active Directory privilege escalation path leading to virtually any privileged user account of choice, within minutes, and once such a path has been found, with minimal computer security know-how, he/she could gain administrative privilege within minutes, WITHOUT having to go through all the pain involved in sophisticated hash and/or Kerberos ticket capturing/replay/blah-blah attacks.

Unfortunately its too damn easy -

(That attack vector is Active Directory Privilege Escalation based on the identification and exploitation of unauthorized access grants in Active Directory deployments aka "Reset the Password" (RtP).)

Fortunately, its 100% mitigatable.

If you want to see how vulnerable your own domain user account or that of a colleague, such as a Domain Admin is, you can do so, our compliments by using the world's most advanced cyber security penetration testing tool, Gold Finger Mini (Its Free.)

Pass-the-Hash (PtH), Golden Tickets, Silver Tickets etc. etc. are so yesterday and lame.

Alright now, if you'll excuse me, I'll get back to work.

Best wishes,

PS: A humble word of advice to all Active Directory Security Gurus out there - you may want to ramp up your Active Directory Security skills. Here's a good starting point.