Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Wednesday, July 26, 2017

An ACE Up the Sleeve: Designing Active Directory ACL Backdoors


Earlier today, two fine gentlemen gave a nice presentation titled An ACE Up the Sleeve: Designing Active Directory ACL Backdoors at the Black Hat Conference 2017.

Here's the abstract of their presentation -
"Active Directory (AD) object discretionary access control lists (DACLs) are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD objects align perfectly with the "attackers think in graphs" philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise. 
While DACL misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy Active Directory persistence. It's often difficult to determine whether a specific AD DACL misconfiguration was set intentionally or implemented by accident. This makes Active Directory DACL backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability. 
This talk will cover Active Directory DACLs in depth, our "misconfiguration taxonomy," and enumeration/analysis with BloodHound's newly released feature set. We will cover the abuse of AD DACL misconfigurations for the purpose of domain rights elevation, including common misconfigurations encountered in the wild. We will then cover methods to design AD DACL backdoors, including ways to evade current detections, and will conclude with defensive mitigation/detection techniques for everything described."

I didn't have to be there to know that this would be a well-received and fascinating presentation.  Nice work, gentlemen!

The World of Active Directory ACLs

I'd like to welcome them to the important world of Active Directory ACLs. Even though they may have recently discovered this fascinating world, they're still far ahead of thousands of organizations worldwide, which only goes to prove what I've said here.

Active Directory ACLs

Given how much time they may have spent on Active Directory ACLs (even in just the last few months), they'll likely get this.

Let me tell you that they are 100% correct: within the ocean of Active Directory ACLs that exists in every Active Directory deployment worldwide, there are a million (pl)ACEs for an intruder/perpetrator/insider to hide within, oh, and for anyone who knows how to find them, there are also thousands of exploitable Active Directory privilege escalation paths to find.

They may also have shown you how to design Active Directory DACL backdoors, including ways to evade current detections. Assuming that by "current detections" they mean the use of existing tooling like dsacls, acldiag, PowerShell scripts, <fill in the blank with your favorite Active Directory ACL analyzer/permissions audit tool> to analyze Active Directory ACLs, you know, the tools most IT personnel have been using for years at thousands of organizations because Microsoft never educated them better.

Fortunately, and they may not know this, organizations that possess the right tooling can now easily identify and eliminate all such insecure (pl)ACEs, leaving no place left to hide in Active Directory ACLs, i.e. there'll be zero ways left to evade detection.

   Zero!      нуль, nul, صفر, 零, Null, μηδέν, ʻole, אֶפֶס, शून्य, ゼロ, 제로, nihil, sero!

So, what is the right tooling? Well, I will be penning a post titled something along the lines of No more (pl)ACEs To Hide: Identifying Active Directory ACL Backdoors and/or How to Thwart Persistence In Active Directory in a few days, so you'll just have to wait for it, but if you're curious, I'll give you a big hint; it has to do with this - Active Directory Effective Permissions.
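As an added example (not code from this post, nor from the presenters or their tooling), here is the kind of check the paragraphs above are talking about: a PowerShell script that walks a subtree, reads each object's DACL through the ActiveDirectory module's AD: drive, and reports every explicit Allow ACE that hands control of the object to a principal outside a short list of built-in administrative identities, i.e. WriteDacl/WriteOwner (which GenericAll also sets), WriteProperty on all or on sensitive attributes, and ExtendedRights such as the two DCSync replication rights. For each hit it also expands group membership, because a backdoor ACE is usually granted to a group so that the user who really holds the right is named nowhere in the DACL. The trusted-SID list, the set of sensitive attribute GUIDs and the function names are assumptions to tune for your forest; the GUIDs themselves are the standard rightsGUID/schemaIDGUID values from the AD schema.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post or the Black Hat talk). Reports explicit
# Allow ACEs under -SearchBase that hand control of an object to a principal outside
# $TrustedSids, and expands group membership so the people who actually hold the
# right are visible. $TrustedSids and $Sensitive are assumptions to tune per forest.
[CmdletBinding()]
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName
)

$W = [System.DirectoryServices.ActiveDirectoryRights]

# rightsGUID / schemaIDGUID values from the AD schema for the attributes and
# extended rights most often abused for escalation or persistence.
$Sensitive = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes (DCSync)'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All (DCSync)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'servicePrincipalName'
}

# Identities expected to hold control rights everywhere. Anything else is reported.
$DomainSid = (Get-ADDomain).DomainSID.Value
$RootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
$TrustedSids = @(
    'S-1-5-18',            # NT AUTHORITY\SYSTEM
    'S-1-5-9',             # Enterprise Domain Controllers
    'S-1-5-32-544',        # BUILTIN\Administrators
    "$DomainSid-512",      # Domain Admins
    "$RootSid-519",        # Enterprise Admins (forest root domain SID)
    "$RootSid-518"         # Schema Admins (forest root domain SID)
)

function Resolve-AceSid([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace) {
    $id = $Ace.IdentityReference
    if ($id -is [System.Security.Principal.SecurityIdentifier]) { return $id.Value }
    try { return $id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $id.Value }
}

# One step of "who really holds this": if the trustee is a group, list its
# recursive membership. Well-known SIDs that are not AD objects are returned as-is.
function Get-RightHolders([string]$Sid, [string]$Name) {
    $obj = Get-ADObject -Filter "objectSid -eq '$Sid'"
    if ($null -eq $obj) { return @($Name) }
    if ($obj.ObjectClass -ne 'group') { return @($obj.Name) }
    try {
        return @(Get-ADGroupMember -Identity $Sid -Recursive | ForEach-Object { $_.SamAccountName })
    } catch { return @("$Name (membership not expanded: $($_.Exception.Message))") }
}

$findings = foreach ($obj in Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter '*') {
    $acl = Get-Acl -Path ('AD:\' + $obj.DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Explicit ACEs only: an inherit-only backdoor on an OU is reported once, at
        # the OU, with its InheritanceType, rather than on every descendant.
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
        $sid = Resolve-AceSid $ace
        if ($TrustedSids -contains $sid) { continue }

        $rights  = [int]$ace.ActiveDirectoryRights
        $reasons = @()
        # Bit tests, because ToString() on the flags enum hides partial combinations.
        if ($rights -band ([int]$W::WriteDacl -bor [int]$W::WriteOwner)) {
            $reasons += 'WriteDacl/WriteOwner (object takeover)'
        }
        # An empty ObjectType means "all properties" / "all extended rights".
        $target = if ($ace.ObjectType -eq [Guid]::Empty) { 'all' } else { $Sensitive[$ace.ObjectType.ToString()] }
        if ($target -and ($rights -band [int]$W::WriteProperty)) { $reasons += "WriteProperty:$target" }
        if ($target -and ($rights -band [int]$W::ExtendedRight)) { $reasons += "ExtendedRight:$target" }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            Path        = $obj.DistinguishedName
            Trustee     = $ace.IdentityReference.Value
            Rights      = $reasons -join '; '
            Inheritance = $ace.InheritanceType
            Holders     = (Get-RightHolders $sid $ace.IdentityReference.Value) -join ', '
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize -Wrap
```

Run it from a domain-joined machine with RSAT as an ordinary domain user (reading a DACL only needs READ_CONTROL, which Authenticated Users normally have); pass -SearchBase to scope it to an OU. Expect the built-in operator groups (Account Operators and friends) to appear on user, group and computer objects, because the schema's defaultSecurityDescriptor stamps those as explicit ACEs; add their SIDs to $TrustedSids only if you have consciously accepted them. Note what this script is not: it enumerates ACEs and expands one layer of groups, but it does not process Deny ACEs, object ownership, inheritance blocking, or token-group memberships such as Authenticated Users, so it can still both over- and under-report who can really act on an object. Closing that gap is precisely what a real effective-permissions computation does.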

Overall, these gentlemen are spot-on and 100% right, and I sincerely commend their efforts to help organizations become aware of the vulnerabilities that lie deep within the thousands of ACLs inside their foundational Active Directory deployments.

How to Identify and Thwart Sneaky Persistence in Active Directory

[Nov 22, 2017 Update] - Here are two posts on how to identify and thwart sneaky persistence in Active Directory -
  1. How to Easily Identify and Thwart Sneaky Persistence in Active Directory

  2. How to Identify and Thwart "Real" Sneaky Persistence in Active Directory

Best wishes,

PS: A Helpful Reading List - For everyone who'd like to get into the fascinating world of Active Directory Security/ACLs -

  1. Best Practices for Delegating Active Directory Administration

    (especially the Appendices, and the other guides + the free LDP tool.)

  2. Defending Active Directory Against Cyber Attacks (Microsoft)

  3. Defending Active Directory Against Cyber Attacks (Paramount Defenses)

  4. Advanced Active Directory Security School for Microsoft
