Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Friday, January 20, 2017

The Top-10 Ways in which an Intruder or a Rogue Insider Could Escalate Privilege to Domain Admin in Active Directory


I hope this finds you doing well. Earlier today, I just shared some cyber security insight for U.S. President Donald Trump.

Today I also wanted to share with you the top-10 easiest ways in which an intruder or a rogue/compromised/coerced insider could easily escalate their privilege to that of a Domain Admin in virtually any Active Directory environment in the world.

It should also be noted that not a single one of these ways involve using pass-the-hash or Kerberos ticket meddling techniques. In fact, not a single one of these ways requires the victim to logon to any computer, let alone one owned by the perpetrator.

The enactment of any one such way could result in the perpetrator obtaining privileged (Domain Admin equivalent) access.

Top-10 Ways to Escalate Privilege to Domain Admin in Active Directory

Here are the Top-10 Ways to Escalate Privilege to Domain Admin in Active Directory environments -

  1. If one has sufficient effective permissions to replicate secrets from Active Directory, one can effortlessly use the DCSync feature of Mimikatz tool to obtain the credentials of all domain users accounts, including those of all privileged users.

  2. If one has sufficient effective permissions to modify permissions on the domain root object, one could easily add an inheritable permission granting oneself or any account controlled by oneself Full Control across the entire domain, thus obtaining full control on 99% of all objects in the domain, i.e. on all objects whose ACL is not marked Protected.

  3. If one has sufficient effective permissions to reset the password of even one Domain Admin account, one can effortlessly reset the password of that Domain Admin account and logon as that account to escalate privilege.

  4. If one has sufficient effective permissions to modify the group membership of even one privileged Active Directory security group (e.g. Domain Admins, Enterprise Admins, Builtin Admins, etc. or any non-default group that has privileged access), one could easily add one's own account or an account controlled by the perpetrator, to escalate privilege.

  5. If one has sufficient effective permissions to modify critical Active Directory configuration content, such as vast amounts of information stored in the Configuration partition, the Schema partition and/or the System container in the domain partition, one could easily escalate privilege. For instance (and this is one of 100+ examples), if one could modify the defaultSecurityDescriptor attribute on the SchemaClass object User in the Schema partition, one could automatically control every newly created domain user account that may ever be made a member of any privileged group.

  6. If one has sufficient effective permissions to modify permissions on the access control list protecting the AdminSDHolder object, one could easily escalate privilege by granting oneself or any account controlled by oneself any desired level of control on all default administrative accounts and groups protected by the AdminSDHolder process in Active Directory.

  7. If one has sufficient effective permissions to modify gpLink and gpOptions attributes on the default Domain Controllers organizational unit (OU), one could easily link a compromising group policy (GPO) to the OU, and use it to gain sufficient user rights and privileges on all domain Domain Controllers (DCs) that would allow one to logon to any DC and obtain system-level access, such as by having the Act as part of Operating System user-right granted to oneself.

  8. If one has sufficient effective permissions to establish an incoming forest trust or an external trust with domain, one could instantly establish trust with a domain in which one possesses administrative control, and use well known means to elevate privilege in this domain.

  9. If one has sufficient effective permissions to modify the attribute that controls whether or not passwords are required for authentication on any one Domain Admin account, then one could easily set this setting and proceed to logon to that account without needing to enter a password, thus instantly elevating privilege to that of a Domain Admin.

  10. If any form of MFA (Multi-factor authentication) such as Smartcards etc. or a variety of other band-aids are in use, if one has sufficient effective permissions on even one Domain Admin user's account, one could simply disable the use of Smartcards and/or a 3rd party MFA control by tweaking the involved attribute on the user account, then proceed to perform a password reset and logon using one's password of choice, thus having escalated privilege within seconds.

To reiterate, the enactment of any one of these ways, by any one individual, even one time, would be sufficient in a perpetrator obtaining privileged access in an Active Directory environment, and strictly speaking this would be a colossal security breach.

Also to reiterate, not a single one of these ways involve using pass-the-hash or Kerberos ticket meddling techniques. In fact, and consequently, none of these ways requires the victim to logon to any computer, let alone one owned by the perpetrator.

Escalation, Not Persistence

Perhaps that are some who might say that these are the top ways of establishing "persistence", not of "escalating privilege."

To them I say that "persistence" is just a fancy concept that Microsoft seems to have recently come up with.

Those who truly understand security know that once a privileged user account has been compromised in your system, it is technically Game-over, because from that point on, the very fabric of trust would have been pierced and compromised, and continuing to operate on such a compromised system would be tantamount to, from that point on and onward, exposing the entirety of the organization's digital footprint i.e. all digital communications, assets, secrets, data etc. to the intruder.

As such, there is always the scenario, wherein a proficient perpetrator, given a single opportunity to obtain such privileged access, having gained so, could easily automate the destruction of an entire domain, leaving nothing more to protect.

(In such a scenario, "persistence" would be meaningless.)

The other thing to note is each of these methods of privilege escalation could be enacted by anyone that has a domain user account or access to a domain-joined computer. All the perpetrator needs are sufficient rights i.e. sufficient effective permissions in Active Directory to be able to enact certain tasks that are typically delegated amongst many IT personnel.

Now, in most Active Directory environments today, there are many many more individuals and service accounts that already possess the ability to enact the ways outlined above. This is because most Active Directory deployments have been around for years, and an extensive amount of delegation and/or provisioning of access rights has been done in Active Directory over the years. Further, since most organizations do not possess the means to audit these delegations, in all likelihood, they have no idea as to exactly who can enact these tasks in their environments, and in most organizations there could be many accounts including those belonging to various contractors and service accounts that have sufficient privileges to enact these tasks today.

In essence, today intruders could identify the presence of a vast number of existent yet arcane unauthorized privileged access grants in Active Directory and easily exploit them to elevate privileges and gain Domain-Admin equivalent privileged access.

To reiterate, each and any one of these ways can give the perpetrator instant privileged access, and once a perpetrator has privileged access, he/she could instantly lock everyone else out, rendering any attempts to stop him/her virtually useless.


I should also mention that each of these risks can be easily, swiftly and reliably mitigated by every organization today.

All that organizations require to mitigate these risks is the ability to accurately audit effective permissions in Active Directory.

This simple fundamental capability can be used to ensure that all access provisioned/delegated in Active Directory is adherent to the principle of least privilege, thereby ensuring that no unauthorized individuals possess the ability to enact any such tasks.

To learn more about Active Directory Effective Permissions, see slides 31 through 44 of this deck on Active Directory Security.

(Note: Keyword here is accurately. Beware of freely available yet dangerously inaccurate effective permissions tooling - here.)

A Double-Edged Sword

The ability to determine effective permissions in Active Directory environments is a double-edged sword today. Here's why -

If attackers could determine effective permissions in Active Directory even if only with partial (e.g. 20%) accuracy, such as by using a free but inaccurate effective permissions calculator such as this one, they could still identify multiple domain accounts that possess the ability to enact any one of these tasks, thereby having identified highly valuable and potent yet substantially less-protected domain user accounts that they could then focus their target and compromise efforts at to gain privileged access.

For instance, should an intruder be able to determine that a certain delegated admin John Doe possesses the ability to enact any one of the tasks above, all he/she has to do is compromise John Doe's account and he/she would be seconds away from escalating privilege and taking over the entire environment. This is about 100 times easier than trying to directly compromise a highly-protected domain Admin account OR find out where a Domain Admin may have logged on and/or may logon, or trying to lure him to logon, and then use archaic pass-the-hash or Kerberos ticket meddling techniques to try and gain privileged access. I'll repeat that - it is 100 TIMES EASIER.

By the same token, defenders could use the ability to determine effective permissions in Active Directory to identify and eliminate all unauthorized access in Active Directory, thus eliminating any opportunities for the attackers to exploit them.

The ability to determine effective permissions in Active Directory is thus extremely valuable to both attackers and to defenders.

While partial accuracy (e.g. 20%) may be sufficient for attackers (as they only need to identify a few such accounts) and can today be obtained by using dangerously inaccurate free effective permissions tooling such as this, defenders do require 100% accuracy, because they do need to identify and eliminate all unauthorized access, and thus absolutely require trustworthy, accurate effective permissions tooling, such as this. A highly pertinent and relevant real example that illustrates the substantial advantage that defenders (organizations) can swiftly gain over attackers by using effective permissions can be found here.

Concluding Thoughts

As I conclude this post, allow me to share two insightful pointers with you, which concern the easiest way in which a perpetrator could compromise an entire Active Directory environment within minutes, as well as how to easily thwart his/her ability to do so -

  1. A Simple $100B Active Directory Security Question for Alex Simons at Microsoft
  2. How to Lockdown Active Directory to Thwart the Use of Mimikatz DCSync
Incidentally, these 2 pointers concern and impact the foundational security of every organization operating on Active Directory.

To those who wish to learn more (including Microsoft), I highly recommend - Defending Active Directory Against CyberAttacks

Finally, as I had indicated a few days ago, starting January 26th, 2017, I'll be doing my bit to help the wonderful folks at Microsoft and across the world better understand the most vital aspect of organizational cyber security, Active Directory Security, right here on this blog.  Stay tuned!

Best wishes,

No comments:

Post a Comment