Today I'd like to share with you the top-10 ways in which an intruder or a rogue/coerced insider could rather easily and quickly gain Domain Admin-equivalent administrative access/power/privilege in any Active Directory environment in the world.
Please note that the only reason I'm publishing this simple list is that there is apparently a similarly titled list out there which does not cover even one of the top-10 ways in which an intruder could gain Domain Admin rights in Active Directory.
Original source: http://www.paramountdefenses.com/blog/top-10-ways-to-gain-domain-admin-privileges-in-active-directory
Attack Methods for Gaining Domain Admin Rights in Active Directory -
- Use Mimikatz DCSync to obtain credentials of all domain accounts, including those of all privileged user accounts.
- Add an inheritable Allow Full Control security permission in the ACL protecting the domain root object to instantly gain domain-wide administrative access on 99% of all objects in the domain, i.e. those whose ACLs are not marked Protected.
- Reset the password of any existing Domain Admin-equivalent domain user account, then log on using the new password.
- Modify the group membership of any Domain Admin equivalent domain security group by adding an account you control to that group, then instantly logon using that account and have that admin group's SID in your Windows access token.
- Modify the contents of any one of numerous sensitive objects in the System container and/or in the Configuration or Schema partitions to gain administrative access in Active Directory. Here is one of 100+ examples: simply modify the defaultSecurityDescriptor attribute of the User class object in the Schema to grant an account of your choice full control over all newly created domain user accounts, including any created for an administrative/privileged user.
- Add an Allow Reset Password or Allow Write-Property Member permission in the AdminSDHolder object's ACL to instantly gain the ability to take over any/every administrative account and group protected by AdminSDHolder.
- Add Allow Write Property - GPLink and Allow Write Property - GPOptions permissions in the ACL protecting the Domain Controllers OU, then link a compromising group policy to that OU that would allow you to logon interactively on DCs and/or to gain administrative access on DCs. Once you have admin access on a DC, you own the entire kingdom.
- Establish a cross-forest trust or external trust with a forest controlled by the intruder/perpetrator.
- Set the Password Not Required bit on any administrative/privileged domain user account, then instantly log on.
- If any form of MFA (multi-factor authentication, e.g. Smart cards etc.) is in use, simply disable its use by modifying the relevant attribute on the target administrative/privileged user's domain account, then instantly perform a password reset and logon to that account using the newly set password. (If you have sufficient rights, a password reset takes 1 second.)
It should be noted that not a single one of these attack methods involves the use of password hashes or Kerberos tickets.
I should also mention that these are merely the top-10 ways to do so. There are many (100s of) more ways in which one could accomplish this objective, simply by modifying appropriate content in Active Directory. In almost every Active Directory deployment, there are 1000s of objects that can be modified to gain all kinds of elevated/privileged access in Active Directory. One's ability to (exploit or) adequately protect Active Directory is a function of one's depth/expertise in Active Directory security.
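One defender-side check for the defaultSecurityDescriptor example in the list above, added here as an illustration that is not part of the original post: it parses the SDDL string held in the User class's defaultSecurityDescriptor attribute (as exported by any AD tool) and reports every trustee granted full control who is not among the trustees a stock descriptor gives it to. The sample SDDL, the domain SID in it and the expected-trustee list are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample shaped like a User-class defaultSecurityDescriptor, with one extra
# ACE appended that grants GA (generic all) to an invented domain SID (not a real domain).
SAMPLE_SDDL = (
    "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)"
    "(A;;RPLCLORC;;;PS)"
    "(A;;GA;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
)

# The thirteen two-letter SDDL rights that together spell out full control on an AD object.
FULL_CONTROL_TOKENS = {"RP", "WP", "CR", "CC", "DC", "LC", "LO", "RC",
                       "WO", "WD", "SD", "DT", "SW"}
FULL_CONTROL_MASK = 0x000F01FF   # numeric equivalent of the tokens above
GENERIC_ALL_MASK = 0x10000000    # GA expressed as a hex access mask
# Trustees assumed to legitimately hold full control in a stock defaultSecurityDescriptor.
EXPECTED_FULL_CONTROL = {"DA", "SY", "AO", "EA"}

ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

@dataclass
class Ace:
    ace_type: str
    flags: str
    rights: str
    trustee: str

def parse_dacl(sddl: str) -> list:
    """Return the ACEs of the D: (DACL) section; any S: (SACL) section is ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    return [Ace(t, f, r, s) for t, f, r, _obj, _inh, s in ACE_RE.findall(m.group(1))]

def grants_full_control(rights: str) -> bool:
    """True for GA, the complete two-letter set, or a hex mask covering either."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & GENERIC_ALL_MASK) or (mask & FULL_CONTROL_MASK) == FULL_CONTROL_MASK
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return "GA" in tokens or FULL_CONTROL_TOKENS <= tokens

def unexpected_full_control(sddl: str) -> list:
    """Trustees given full control by an allow ACE who are not on the expected list."""
    return [a.trustee for a in parse_dacl(sddl)
            if a.ace_type == "A" and grants_full_control(a.rights)
            and a.trustee not in EXPECTED_FULL_CONTROL]
```

Any SID this returns is a trustee who will receive full control over every user created from then on, which is exactly the condition the list item above describes and one that a periodic review of the Schema should flag.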
For those who wish to learn more about Active Directory Security, this deck is a good starting point - Active Directory Security.
It must also be mentioned that each one of these attack vectors can be easily mitigated by possessing a single fundamental cyber security capability, that most organizations do not (even seem to know about, let alone) possess today. Here's a hint.
Stay tuned for MUCH more, in days to come.
Best wishes,
Sanjay
PS: This was a 30-second brain-dump of about 0.01% of our knowledge in Active Directory Security. We generally prefer to let our work do the talking, so here are three simple examples of our work that embody our deep knowledge - one, two and three.
PS2: If you liked this blog post, you may also like the following -
- Active Directory Beyond the MCSE for the Black Hat Conference 2016
- A Letter to Benjamin Delpy regarding Mimikatz and Active Directory Security
- The Paramount Brief - Declassified and Substantiated
- Trillion $ Privileged Access Insight on the OPM Breach
- A Simple $100B Question and a follow-up Simple Trillion $ Question, both to/for Microsoft