Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.



Tuesday, January 7, 2020

A Simple Question for all Self-Proclaimed Active Directory Security Experts

Folks,

As former Microsoft Program Manager for Active Directory Security, I find it amusing every time I come across some Active Directory vendor's or self-proclaimed AD security expert's website that claims that they know Active Directory Security well.

(You see, not one of these Active Directory Security vendors or self-proclaimed Active Directory security experts seem to have a CLUE as to the most important Active Directory Security Capability in the world, let alone possessing that paramount capability.)

So, I thought I'd pose a very simple Active Directory Security question to all Active Directory Security vendors and experts -


Question: Do you know the answer to this ONE simple question?


Specifically, in that question, I have shared a simple non-default string, and I have indicated that it is a cause for great concern.

What I would like to know is what it represents and why it is a great cause of concern for 85% of organizations worldwide.


On a scale of 1 to 10, 1 being easy and 10 being difficult, I'd rate this question as a 3, so if you're truly an Active Directory expert, this should be easy for you, and shouldn't take you a minute. You can leave your answer in a comment below.


Here's your chance to impress me (and the whole world.) Oh, and Microsoft employees too may feel free to take a shot ;-)

Best wishes,
Sanjay.

Monday, January 6, 2020

What is Active Directory, and Why Is it Important?

Folks,

Today is January 06, 2020, and as promised, here I am getting back to sharing thoughts on Active Directory Security.


Back to the Basics (Cyber Security 101)

I'd like to kick off this blog this year/decade by asking and answering a very simple yet vital question - What is Active Directory?

You see, while this question may seem simple to some (and it is), it's one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.

The reason is very simple - if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure, and of course, since "who really cares about a phone book", it is this shallow view that leads so many organizations to greatly diminish the value of Active Directory, to the point of sheer negligence!

In fact, for years now, this has been the predominant view held by most CISOs and organizations worldwide, and sadly it is because of the negligence resulting from such a simplistic view of Active Directory that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.



Active Directory - The Very Foundation of Organizational Cyber Security Worldwide

If, as they say, "A Picture is Worth a Thousand Words", perhaps I should paint you a very simple Trillion $ picture -


An organization's Active Directory deployment is quite simply its single most valuable IT and corporate asset, worthy of the highest protection at all times, because it is the very foundation of an organization's cyber security.

You see, the entirety of an organization's building blocks of cyber security i.e. all organizational user accounts and passwords used to authenticate their people, all security groups used to authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computing devices (laptops, desktops, servers etc.) are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory, and all sensitive/privileged actions on them are audited in it.

In other words, should an organization's foundational Active Directory, or even a single Active Directory privileged user account, be compromised, the very foundation of the organization's cyber security, and thus the entire organization could be exposed to the risk of complete, swift and colossal compromise.



Active Directory Security Must Be Organizational Cyber Security Priority #1

Ensuring the highest protection of an organization's foundational Active Directory deployment must, without a doubt, be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.


Here's why - A deeper, detailed look into What is Active Directory ?


For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security.)


In essence, today every organization in the world is only as secure as is its foundational Active Directory deployment, and from the CEO to the CISO, from IT Managers to Auditors and from Domain Admins to employees, everyone should know this fact.

Best wishes,
Sanjay.

Sunday, October 28, 2018

How Massive Could the Impact of an Active Directory Security Breach Be?

Folks,

Today I'd like to ask a simple but paramount question, the answer to which impacts not just trillions of dollars of organizational and investor wealth worldwide, but also likely the national security of over one hundred and fifty countries worldwide.

Here it is -
Q: How Massive Could the Impact of an Active Directory Security Breach Be?
      Specifically, exactly what could happen if the foundational Active Directory of an organization were breached?
Active Directory is the Foundation of Cyber Security Worldwide 

If you need me to paint you a picture, consider the potential impact of an Active Directory security breach at virtually any organization that impacts your life - from the world's biggest IT (Cloud, Operating Systems, Phones, Computers, Networking, Internet, Social Media etc.) companies to the world's biggest cyber security companies, or for that matter from virtually every financial institution on Wall Street, to just about every company traded on any stock exchange in any country in the world, or any one of thousands of government agencies/departments in over 150 countries worldwide.

The reason I am publicly asking this question is because it's 2018 today, not 2004, and this is possibly the most important cyber security question that Executive Management, Cyber Security and IT leadership at thousands of organizations worldwide should be asking themselves today, but most likely are not.

In fact, at most organizations, this isn't even on their radar, let alone rightly being their top (#1) cyber security priority.

Thus, I felt the need to ask this paramount question.

Also, for once, I am NOT going to answer a question that I have asked, but instead let organizations worldwide ponder over it. Over the years, I've already asked and answered many of the world's most vital Active Directory / cyber security questions.

I'll only say this much - Any organization whose CEO and CISO do not know the answer to this question is not secure today.

Sincerely,
Sanjay

Thursday, June 21, 2018

Can Anyone (i.e. any Cyber Security Company or Expert) Help Thousands of Microsoft's Customers MITIGATE the Risk Posed by Mimikatz DCSync?

Folks,

Over the years, I've asked and answered some of the hardest questions in Active Directory Security, so today I'm only going to ask a question, with the hope that there is someone out there, and I mean anyone, who has the answer to this question!



Here's my Question -
Can Anyone in the World (i.e. any Cyber Security Company or Expert) Out There Help Thousands (1000s) of Microsoft's Organizational Customers Mitigate the Serious Cyber Security Risk Posed by Mimikatz DCSync?

Anyone?

There are 6,000,000,000+ people across 190+ countries worldwide, there are millions of IT personnel employed at 1000s of organizations, there are 1000s of cyber security experts and over a 1000 cyber security companies. I'm looking for just ONE.


By the way, by mitigate, I mean "render Mimikatz DCSync unusable in an AD environment" in that, say in an organization that had 10,000 employees and thus had 10,000 domain user accounts, and say 10 privileged users, even if every single one of these 10,000 accounts had been compromised by a perpetrator, he/she still couldn't use Mimikatz DCSync against their AD.

Also, I'm looking for an answer that's beyond the most obvious answer, which is to not grant anyone the required access. In other words, I'm looking for an answer that will work in every real, production Active Directory domain in the world, you know, wherein various default Active Directory security groups and users are already granted various permissions in Active Directory.


Here's what I've found thus far -
  1. This brilliant, gentle, highly-accomplished cyber security expert developed Mimikatz DCSync
  2. This AD security enthusiast educated the world about its usage, exploitation and detection (but not about its mitigation)
  3. This famous cyber security expert showed an example in action (; Oh my! ;-))
  4. This expert shared some guidance on how to detect it (; if you're detecting it, it's likely too late)
  5. These cyber security experts don't seem to know that much about it, or about Active Directory Security
  6. These wonderful folks present an inaccurate script to help detect who can use Mimikatz DCSync
I could go on and on sharing the identities of so many who talk about it, but there isn't a single one who can help mitigate it :-(

Not to mention the 1000+ cyber security companies, including some big names such as (mentioned in no particular order) Palantir, Gemalto, Tanium, Tripwire, CheckPoint, Palo Alto Networks, Symantec, McAfee, Cisco, Kaspersky Labs, CrowdStrike, SentinelOne, BAE Systems, Qualys, Sophos, CyberArk, ZScaler, Preempt, BeyondTrust, Quest, HP, etc. etc.!

Oh, here's the amusing part - in all likelihood, most of these cyber security companies too run on Active Directory, and if I had to guess, I don't think even one of them knows how to, or possesses the means to, mitigate Mimikatz DCSync!

Funny haan? ;-)


Why Does this Matter?

By now, I shouldn't have to tell anyone involved in Active Directory or cyber security why this matters, but I will nonetheless -


Most simply put, should a perpetrator be able to successfully run Mimikatz DCSync against your foundational Active Directory domain, you're DONE, as it would be tantamount to a massive, systemic cyber security breach. The entirety of your user populace's credentials would have been compromised, and the perpetrator would have obtained control over your entire Active Directory forever. It would be time for everyone, including all Domain Admins, the CISO, the CIO and the CEO to find another job (assuming you can find one, considering your resume would highlight your previous employment, and since your previous employer (i.e. the one that was breached) would likely have been all over the news for quite some time, it may perhaps end up being a little difficult to find suitable employment.)



How about an Illustrative Scenario?

Sure, if you'd like one, here you go -  A Massive Breach at a Company whilst it was Considering the Cloud.


A Request

We often come across Domain Admins, and every now and then CISOs, who have no idea what Mimikatz DCSync is, and that is scary. If you are such a Domain Admin / CISO, my earnest request to you would be to immediately learn about it, or, in the best interest of your employer's foundational cyber security, please let someone else take over your vital responsibilities.



Let Me Know

Very well then. If ANYONE in the world knows ANYONE who can help (and by that I mean possesses the capability to be able to help) thousands of organizations worldwide (easily and correctly) MITIGATE the serious risk posed by Mimikatz DCSync, please let me know. I'm all ears, and I think, so are thousands of organizations worldwide, including perhaps Microsoft too ;-).

In short, I'm looking for someone/thing that could render the extremely powerful and dangerous Mimikatz DCSync, unusable. With 6 billion people, millions of IT and cyber security pros, and a 1000+ cyber security companies worldwide, I'm hopeful.

So if you know of someone (and I mean, anyone) who can do so, please let me know by leaving a comment below.

If I don't get an answer by July 02, perhaps I'll take a shot at the answer, over at - www.cyber-security-blog.com.

Best wishes,
Sanjay


PS: On an unrelated note, when you use Windows Update to update your Windows 10 PC every week, do you EVER check to see just what got downloaded? Perhaps you SHOULD, and here's why.



July 03 Update. Here's the answer > www.cyber-security-blog.com/2018/07/mimikatz-dcsync-mitigation.html

Sunday, December 31, 2017

Looking Back at 2017 - An Eventful Year for Active Directory Security

Folks,

As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.

This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!


I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.



Top-10 Notable Active Directory Security Events of 2017

Here are the Top-10 most notable events in Active Directory Security this year -


  1. Since the beginning of the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy, that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.

  2. On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory, i.e. to help find out "Who can become Domain Admin?" From that point on, BloodHound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.

  3. On June 08, 2017, CyberArk, a Billion+ $ cyber-security company and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, and released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.

  4. On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!

  5. On July 11, 2017, Preempt, a cyber security company, announced that they had found a vulnerability in Microsoft's implementation of LDAPS that permits an NTLM relay attack, and in effect could allow an individual to impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access.

  6. On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.

  7. Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to setup command and control servers within organizations worldwide. This too made waves.

  8. On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.

  9. On December 12, 2017, Preempt, a cyber security company, announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.

  10. From January 26, 2017 through December 27, 2017, Paramount Defenses' CEO conducted Active Directory Security School for Microsoft, so that in turn Microsoft could help not just every entity mentioned in points 1-9 above, but the whole world realize that in fact the key and the only correct way to mitigate each one of the security risks and challenges identified in points 1-9 above lies in Active Directory Effective Permissions and Active Directory Effective Access.





Helping Defend Microsoft's Global Customer Base
(i.e. 85% of Business and Govt. Organizations Worldwide)

Folks, since January 01, 2017, both as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...


...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1-9 above.

This year, I ( / we) ...

  1. conducted 30-days of advanced Active Directory Security School for the $ 650+ Billion Microsoft Corporation

    Introduction, How Well Does Microsoft Understand Cyber Security, The Importance of Active Directory Security, The Impact of an Active Directory Security Breach, The Active Directory Attack Surface, The Top-5 Security Risks to Active Directory, Active Directory Privilege Escalation, An Ocean of Access Privileges, AdminSDHolder, Active Directory ACLs - Attack and Defense (Actual),  Active Directory Effective Permissions, and so many more ...


  2. showed thousands of organizations worldwide How to Render Mimikatz DCSync Useless in their Active Directory

  3. helped millions of pros (like Mr. Metcalf) worldwide learn How to Correctly Identify Privileged Users in Active Directory

  4. helped the developers of BloodHound understand How to Easily Identify Sneaky Persistence in Active Directory

  5. helped Microsoft's ATA Team learn advanced stuff About Active Directory ACLs - Actual Attack and Defense

  6. showed CyberArk, trusted by 50% of Fortune 100 CISOs, How to Correctly Identify Shadow Admins in Active Directory

  7. helped cyber security startup Preempt's experts learn How to Correctly Identify Stealthy Admins in Active Directory

  8. helped the presenters of The Active Directory Botnet learn How to Easily Solve the Problem of Active Directory Botnets

  9. helped millions of cyber security folks worldwide understand and illustrate Active Directory Privilege Escalation

  10. Most importantly, I helped thousands of organizations worldwide, including Microsoft, understand the paramount importance of Active Directory Effective Permissions and Active Directory Effective Access to Active Directory Security


In fact, we're not just providing guidance, we're uniquely empowering organizations worldwide to easily solve these challenges.





Summary

All in all, it's been quite an eventful year for Active Directory Security (and one that I saw coming over ten years ago).

In 2017, attackers, pen-testers and defenders finally seem to have realized the importance of Active Directory Security.


Perhaps, in 2018, they'll realize that the key to Active Directory Security lies in being able to accurately determine this.

Best wishes,
Sanjay.

PS: Why I do, What I do.

Saturday, December 23, 2017

Just ONE Question to Microsoft & Preempt re Security Advisory 4056318 and Active Directory Privilege Escalation in Office 365 / Azure AD Connect

(About the Flaw in Azure AD Connect Software That Can Allow Stealthy Admins to Gain Full Domain Control)



Folks,

On Dec 12, 2017, Microsoft issued Security Advisory 4056318 in response to a flaw that Preempt discovered in Microsoft's Azure AD Connect software that lets its customers synchronize directory data between their on-premises AD and Azure AD.


This is rather important, as evidenced by this headline - Microsoft launches privilege escalation attack on itself with Office 365 !

Indeed, Microsoft may just have shot themselves (and their customers) in the foot by making one HUGE careless mistake!

I thought I'd share a few thoughts.



First, a quick SUMMARY

Here's the summary of the flaw -
Preempt (a startup, more on which below) discovered that when organizations run Azure AD Connect to integrate their on-premises Active Directory with Azure Active Directory and select Express Settings during installation, the MSOL_<id> domain user account that is created for Azure AD Connect is granted the Replicating Directory Changes All (DS-Replication-Get-Changes-All) extended right on the domain root (so that it can sync content, including password hashes), YET this account is NOT afforded special protection under the umbrella of AdminSDHolder. AS A RESULT, a non-administrative / non-privileged domain user account possesses what is clearly tantamount to administrative / privileged access in Active Directory, thus paving an Active Directory Privilege Escalation path.

What I've shared above is the essence of this issue. In short, if you run Azure AD Connect and select Express Settings, you will have introduced in your environment a privilege escalation path leading from a delegated admin to Domain Admin (equivalent) !




The VULNERABILITY

Herein lies the flaw/vulnerability -
Since this MSOL_ account is not protected by AdminSDHolder, its ACL (access control list) is neither protected nor locked down, and thus it could easily contain many ACEs (access control entries), some explicit and others inherited from its parent, that in effect grant numerous non-privileged users sufficient Active Directory effective permissions (e.g. Reset Password, Modify Permissions, Modify Owner) on it to obtain control over this account, and then misuse the Replicating Directory Changes All effective permissions that this account has on the domain root, using tooling like Mimikatz DCSync, to instantly compromise the credentials (password hashes) of every single account in the Active Directory, including those of all Active Directory privileged users!

Thus, this one little Active Directory ACL misconfiguration automatically enables this scenario - Massive Cyber Security Breach!

By the way, if you want to know who can reset the MSOL account's password today, all you have to do is touch a button.
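The two conditions described above, i.e. who holds the replication rights on the domain head that DCSync needs (the "who can use Mimikatz DCSync" question from the June 2018 post) and whether the MSOL_ account's ACL lets non-privileged trustees take it over, can be given a first-pass check with the PowerShell below. This is an added example and is not code from the original post, from Preempt, or from Microsoft's advisory script. It assumes the RSAT ActiveDirectory module (which creates the AD: PSDrive on import when a domain controller is reachable), read access to the ACLs in question, and the Express Settings "MSOL_" account naming; the extended-right GUIDs are the AD schema constants. As the post stresses, an ACE listing is not an effective-permissions determination: the script does not expand nested group membership, apply Deny precedence, or account for object ownership, so its output is a set of leads to verify rather than a final answer.

```powershell
# Added example, not code from the original post. Assumptions: RSAT ActiveDirectory module
# installed, a reachable DC (so the AD: drive exists), read access to the ACLs, and the
# Express Settings prefix "MSOL_" on the Azure AD Connect account. This lists ACEs only; it
# does not compute effective permissions (no group nesting, Deny precedence, or ownership).
Import-Module ActiveDirectory

# Control-access (extended) right GUIDs as defined in the AD schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$ResetPasswordRight = '00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password

$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$GenericWrite  = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
$WriteDacl     = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$WriteOwner    = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# An Allow ACE grants a given extended right if it names that right's GUID, grants
# ExtendedRight with an empty ObjectType (i.e. every extended right), or grants GenericAll.
function Test-GrantsExtendedRight {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace, [string[]]$RightGuids)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ([int]($Ace.ActiveDirectoryRights -band $GenericAll) -ne 0) { return $true }
    if ([int]($Ace.ActiveDirectoryRights -band $ExtendedRight) -eq 0) { return $false }
    if ($Ace.ObjectType -eq [guid]::Empty) { return $true }
    return ($RightGuids -contains $Ace.ObjectType.ToString())
}

# Part 1: which trustees hold, on the domain head, the replication rights DCSync relies on?
function Get-ReplicationRightHolders {
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"
    foreach ($ace in $acl.Access) {
        if (-not (Test-GrantsExtendedRight -Ace $ace -RightGuids @($ReplicationRights.Keys))) { continue }
        $guid = $ace.ObjectType.ToString()
        $right = $ace.ActiveDirectoryRights.ToString()          # GenericAll / blanket ExtendedRight
        if ($ReplicationRights.ContainsKey($guid)) { $right = $ReplicationRights[$guid] }
        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}

# Part 2: for each MSOL_ account, is it AdminSDHolder-protected (adminCount=1), is ACL
# inheritance blocked, and which trustees hold ACEs that would let them take the account
# over (reset its password, or rewrite its DACL, owner, or attributes generically)?
function Get-AadConnectAccountExposure {
    $takeoverMask = $GenericAll -bor $GenericWrite -bor $WriteDacl -bor $WriteOwner
    Get-ADUser -LDAPFilter '(sAMAccountName=MSOL_*)' -Properties adminCount | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        $exposing = foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $canReset    = Test-GrantsExtendedRight -Ace $ace -RightGuids @($ResetPasswordRight)
            $canTakeOver = ([int]($ace.ActiveDirectoryRights -band $takeoverMask) -ne 0)
            if ($canReset -or $canTakeOver) {
                [pscustomobject]@{
                    Trustee   = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights.ToString()
                    Inherited = $ace.IsInherited
                }
            }
        }
        [pscustomobject]@{
            Account                  = $_.SamAccountName
            ProtectedByAdminSDHolder = ($_.adminCount -eq 1)
            InheritanceBlocked       = $acl.AreAccessRulesProtected
            ExposingAces             = @($exposing)
        }
    }
}

Get-ReplicationRightHolders | Sort-Object Trustee | Format-Table -AutoSize
Get-AadConnectAccountExposure | ForEach-Object {
    "$($_.Account): AdminSDHolder-protected=$($_.ProtectedByAdminSDHolder), inheritance blocked=$($_.InheritanceBlocked), exposing ACEs=$($_.ExposingAces.Count)"
    $_.ExposingAces | Format-Table -AutoSize
}
```

Every trustee that Part 1 prints should be expected (the domain controller and the Enterprise Domain Controllers / Read-only Domain Controllers groups, Administrators, Domain Admins, Enterprise Admins, and any MSOL_ account) and every trustee that Part 2 prints against an MSOL_ account should be a known privileged principal. Anything else on either list, in particular an inherited ACE granting Reset Password or WriteDacl to a helpdesk or delegation group, is precisely the escalation path the post describes and warrants a proper effective-permissions review before it is dismissed.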





A QUESTION to MICROSOFT

You do realize that a single such mistake could instantly jeopardize the security of thousands of organizations worldwide, yes?


Question: Since WHEN did we become SO careless?! How could this have passed basic vetting? I had just asked a question a few weeks ago, with the hope that y'all would start taking this seriously - How Well Does Microsoft Understand Cyber Security ?!

This stuff is very important, and I know you're capable of much better than this, so can we please be more careful next time?!

(It appears to me that you may likely not have the right set of folks working on Active Directory Security. If you need me to help you identify the right set of Microsoft employees that should be working on AD Security, or help you out generally, let me know.)





PREEMPT ISSUES ITS OWN GUIDANCE

Preempt, in addition to having found this flaw and reported it to Microsoft, also issued its own guidance for organizations.

Here it is - Advisory: Flaw in Azure AD Connect Software Can Allow Stealthy Admins to Gain Full Domain Control.

You'll want to read it, as here are the parts they discussed - Understanding Stealthy Admins, Details on the Azure AD Connect Account Flaw, Who is Impacted, How Stealthy Admins can be Exploited, How Organizations can Protect Themselves, Free Preempt Inspector Tool for Determining if you are at Risk. They even made two videos, and uploaded them to YouTube.

They also shared that Microsoft has acknowledged the issue and released a Microsoft Security Advisory and a PowerShell script that address the flaw by adjusting the permissions on the affected Active Directory domain account.

Finally, they issued guidance on how organizations can protect themselves -
  1. Review all stealthy administrators in your network
  2. For each stealthy admin, decide whether added permissions are indeed necessary
  3. Protect your privileged (known and stealthy) users by adding protection

Their guidance ends with:  FREE TOOL: Download Preempt Inspector to see if you have stealthy admins in your organization.

Their simple, well-intentioned guidance is spot-on. Can the same be said about their tooling? Well...  (keep reading.)




SOME GUIDANCE FOR PREEMPT

Since Preempt has been so helpful to a company I so love i.e. Microsoft, by discovering this flaw and sharing it with Microsoft, perhaps the gentlemanly thing to do here would be to return the favor by sharing a few thoughts with them -

  1. As you'll hopefully agree, if there exist such "Stealthy Admins" in Active Directory, then it is paramount that organizations be able to accurately identify all such "Stealthy Admins", because even just ONE such account could be used to gain complete command and control over Active Directory, and consequently over the entire network.

  2. This notion of "Stealthy Admins" that you likely seem to have introduced, as likely did CyberArk the notion of "Shadow Admins", does sound very catchy, but it is not actually new. What you seem to be referring to as "Stealthy Admins" is actually what thousands of organizations have, for almost two decades now, known simply as Delegated Admins.

  3. I thought I'd share that in 2016, we had informed the Chairmen, CEOs and CFOs of the world's top 200 organizations, as well as MSRC, that due to one specific deficiency in Active Directory, there likely exist hundreds of such stealthy / shadow admins (and thus thousands of privilege escalation paths) in most Active Directory deployments worldwide.

  4. Did you know that most vendors in the Active Directory space do not seem to know that to correctly identify stealthy / shadow admins in Active Directory, one needs to be able to determine Active Directory Effective Permissions ?

  5. Finally, I do recall having read a few articles on this very subject on the Internet (; if you merely replace the term "Delegated Admins" with "Stealthy Admins" in these articles, they may all sound very familiar) -

    1. From way way back in 2013 - Active Directory Privilege Escalation  (+ again in 2017)

    2. From way back in 2014 - Using Password Resets to Escalate Privilege in Active Directory   (+ again in 2017)

    3. From back in 2015 - How to Identify and Minimize Privileged Users in Active Directory

    4. From 2016 - 10 Examples of Delegated (Stealthy) Admins in Active Directory

    5. From 2017 - How to Correctly Discover Stealthy Admins in Active Directory + 50 More

Thus, Preempt's focus on Stealthy Admins in Active Directory is spot-on, but the Bible on the subject has already been written.




A QUESTION TO PREEMPT

Finally, since Preempt's experts seem to be proficient at finding flaws, I thought I'd most respectfully ask them a question -

The Question: Preempt, are you SURE that your free tool Preempt Inspector, which you've been recommending to organizations worldwide as a means to identify all Stealthy Admins in Active Directory deployments, can in fact accurately identify Stealthy Admins in Active Directory?  (or could there potentially be a(n equally big) flaw in it?)


Again, I ask this most respectfully, and I only ask this because, as you'll hopefully agree, accuracy after all is paramount.



The answer, in days to come (; it'll be very similar to this.)


That's all for now.

Best wishes,
Sanjay.



PS: By the way, Microsoft's guidance in its Security Advisory 4056318 is INSUFFICIENT, in that even if you enacted it exactly as specified, you may still be left exposed. If you want to know why, please feel free to tune in here in a few days, or to ask us.

Wednesday, October 18, 2017

Coming Soon... How to Thwart Sneaky Persistence in Active Directory

Folks,

As I briefly mentioned earlier, a few weeks ago, at the Black Hat Conference 2017 (which we skipped) on Cyber Security, two fine gentlemen made an interesting presentation titled An ACE Up The Sleeve - Designing Active Directory DACL Backdoors.


In this presentation, a whitepaper on which can now be downloaded from here, its authors have presented what may seem like a ground-breaking revelation to those uninitiated to the subject, but what in reality is actually just Active Directory Security 101.

With full respect to its authors, I will say that for someone who may have been relatively new to this subject (which most cyber security pen testers, ethical hackers and hackers are these days) and coming from a mainstream pen-testing/attack background (i.e. generally focused on and employing local credential-theft attack-vectors) they got close to actual sneaky persistence in AD.


Incredibly, perhaps because a majority of cyber security experts (both defenders and attackers) and IT pros may not know Active Directory Security that well, this presentation has been garnering a lot of attention, including at Microsoft.


Here's proof - In the last ONE month alone, Microsoft's Advanced Threat Analytics (ATA) Team has published TWO blog posts in response to this presentation (on Sep 18 here and on Oct 11 here), so this clearly seems to have Microsoft's attention!

Speaking of which, here's a quote from Microsoft's latest blog post regarding this topic/presentation - "In general, this is a very important goal for an attacker and is a big part of a successful mission performed either by a nation state or by a hacker group."

Wow!   Hmm.    Keep reading ;-)





How to Easily Thwart Sneaky Persistence in Active Directory

I may no longer officially be an employee of Microsoft, but I am former Microsoft Program Manager for Active Directory Security, and just because I work for a different company now, that neither diminishes my knowledge nor my passion to help the world.


So, in a few days, right here, to help organizations worldwide, including to help my fine colleagues at Microsoft who seem to be struggling to figure out how to deal with this, I will share just how EASY it is to thwart sneaky persistence in Active Directory -


If you truly understand Active Directory Security, then you know that there are far greater challenges facing most organizations worldwide, so to help put this behind them, and to adequately address that whitepaper, I'll pen an insightful post on the subject.


BTW, in the whitepaper, regarding Defenses, the authors state - "Some defenders may believe the detection of these types of backdoors is a lost cause... ...the primary method for detection and investigation remains properly tuned event logs for DCs...  ... one interesting defensive tool is the use of AD replication metadata." etc. It appears these wonderful folks are trying too hard!

Oh, and the most amusing part is to see Microsoft try even harder, and I'm quoting this verbatim from here - "This does sound like an issue...  ...so, this made me think - Is there a way we can identify all the objects to which I don't have permissions?" ;-)


This one's actually quite simple.  The answer, coming up, in a few days...

Best,
Sanjay

CEO, Paramount Defenses



Update - October 24, 2017 > Here it is - How To Easily Identify & Thwart Sneaky Persistence in Active Directory

Wednesday, October 11, 2017

A Paramount Question for Microsoft Azure CTO: he said 'Ask me anything'


Dear Mark,

You Sir, are Mark Russinovich, Chief Technology Officer (CTO) of Microsoft Azure, and for you I have the greatest of respect.

A few days ago at Microsoft Ignite, you said - "Ask me anything!" -


By the way, I must compliment you for doing so, because when you do so, you really have to be ready for any/every question!




So, I'd like to ask 1 Question

Mark, on behalf of 1000s of Microsoft's organizational customers, I'd like to most respectfully ask you just one simple question -

Question: How can/should organizations find out exactly who actually has what privileged access in their Active Directory ?


Specifically, how can organizations determine exactly who can do what on the 1000s of domain user accounts, domain computer accounts, domain security groups, containers, OUs, SCPs etc., including of course all their privileged and executive domain user accounts and groups that reside in their foundational Active Directory?


I only ask this question because as you too will likely agree, this 1 simple question directly impacts and thus is paramount to the foundational cyber security of over 85% of all organizations worldwide, all of whom operate on Microsoft Active Directory.


I really do hope that on behalf of Microsoft, you'll answer this question, for organizations worldwide look forward to the answer.

Most respectfully,
Sanjay

CEO, Paramount Defenses


PS: Sir, if you've ever heard of AccessChk.exe and know what it does (and I believe you have), then you know the answer to this question.

PS2: As former Microsoft Program Manager for Active Directory Security, I'd like to offer a hint. The answer to this question is also the (premise for, and thus the same as the) key to the ten questions below, and in essence it involves just two words -
1. What Constitutes a Privileged User in Active Directory?

2. How to Correctly Audit Privileged Users/Access in Active Directory?

3. How to Render Mimikatz DCSync Useless in an Active Directory Environment?

4. How to Easily Identify and Thwart Sneaky Persistence in Active Directory?

5. How to Easily Solve The Difficult Problem of Active Directory Botnets?

6. Why Are the World's Top Active Directory Permissions Analysis Tools Mostly Useless?

7. Why is the Need to Lockdown Access Privileges in Active Directory Paramount to its Defense?

8. How to Attain (Lockdown) and Maintain Least Privileged Access (LPA) in Active Directory?

9. How to Securely Delegate and Correctly Audit Administrative Access in Active Directory?

10. How to Easily Secure Active Directory and Operate a Bulletproof Active Directory deployment?

In short, the answer is (something like) this -
Ans: To do so, all that organizations need to do is to accurately and adequately determine e******** p**********/a***** on their Active Directory objects. That's it.

Monday, October 9, 2017

Some Love For Microsoft + Time to Help Microsoft (and the Entire World)


Folks,

This is a Trillion $ post. I wanted to show some love for Microsoft and help them out, as it appears they could use some help.

BTW, for those wondering who I am to make such a statement, I'm a nobody who knows a thing about a thing that impacts WD.




Trillion $ Background

From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.


Active Directory is the Foundation of Cyber Security Worldwide

The compromise of an organization's foundational Active Directory deployment could have disastrous consequences for the organization and its stakeholders, and the real extent of damage would be a function of the perpetrators' proficiency and intent.

If you understand the inner workings of Active Directory based networks, then you know that the amount of damage we've seen in recent breaches, such as the Equifax breach, is nothing compared to the amount of damage that can actually be done.



Thus far, perpetrators have been focused on simple attack vectors such as credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins), and over time Microsoft has made their enactment much harder.

As these attack vectors become harder to enact, perpetrators have started focusing on increasing their knowledge about Active Directory, and exploring ways to try and target and compromise Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.

Today Active Directory security, and in particular Active Directory access control lists (ACLs) impact organizational security and national security, worldwide. Speaking of which, and just so the world knows, here is Microsoft's take on them, and here is ours.

Perpetrators seem to be learning fast, and building rapidly, so the next big wave of cyber breaches could involve compromise of Active Directory deployments, unless organizations act swiftly to lock-down their foundational Active Directory deployments.

To do so, organizations worldwide need the right insight, guidance and tooling to adequately lock-down their Active Directory deployments. Unfortunately, Microsoft doesn't seem to know much about it (proof: 1, 2, 3, 4), and thus may be unable to help.




Some Love for Microsoft

Today I may be the CEO of Paramount Defenses, but I'm also former Microsoft Program Manager for Active Directory Security, and I for one deeply love Microsoft, and deeply care about the foundational cyber security of all organizations worldwide, so I'm going to help Microsoft and the entire world adequately secure and defend their foundational Active Directory deployments.


To Satya (Nadella) and my former colleagues at Microsoft I say - "Microsoft is one of the greatest companies in the world today, and we care deeply and passionately about not only the role we play in society and the impact we have on billions of people, but also the responsibility that goes along, so we're* going to help the world address this colossal cyber security challenge."

* I may no longer be a Microsoft employee, but I still do care deeply and equally, so I'm happy to help you.
  If I were you, I'd most respectfully embrace this opportunity, be thankful for it, and not squander it.

To my friends at Microsoft, if I may have recently been a tad critical of you, it's only because I care deeply about our customers, and I know that Microsoft can do much better at educating its global customer base about a matter of paramount importance.





Er, What Cyber Security Challenge?

Now, there might be billions of people and thousands of organizations worldwide who may have absolutely no idea about what I'm talking about, so perhaps I should succinctly and unequivocally spell it out not just for the entire world, but also for Microsoft.


Stated simply, and as described in The Paramount Brief, here's the #1 cyber security challenge that impacts the world today -


"From Silicon Valley to New York and London to Sydney, at the very foundation of cyber security and IT of 85+% of all business and government organizations across 190+ countries worldwide lies Microsoft's Active Directory.
Within the foundational Active Directory domains of these organizations lies the entirety of the building blocks of their cyber security, i.e. their user accounts, computer accounts, security groups, security policies etc., each one of which is represented by an Active Directory object and protected by an Active Directory Access Control List (ACL).
Today, in most of these organizations, there exist millions of ACLs in their Active Directory, and within these ACLs exists an ocean of excessive/unauthorized access, that today paves thousands of privilege escalation paths to literally the entirety of all objects in these Active Directory deployments, including to all their privileged users.
This ocean of unauthorized access exists worldwide today because Active Directory lacks and has always lacked the essential ability to help organizations correctly and adequately audit effective access in Active Directory, and consequently even though organizations have been delegating/provisioning all kinds of access in Active Directory to fulfill various business needs, they've never had the opportunity to correctly audit this ocean of access, resulting in a situation caused over time (i.e. over the years) wherein today unauthorized access pervades Active Directory.
In short, today, at most organizations, no one knows exactly who has what access on any of their building blocks of security, and possibly an excessive number of users, computers and service accounts may have substantial unauthorized access on them, and thus be in a position to easily and instantly compromise their security.

  • A Trillion $ Note: Most organizations (and perpetrators, as well as the Bloodhound Tool) audit "Who has what permissions in Active Directory?" Unfortunately, that does not provide the accurate picture. What they need to audit is "Who has what effective permissions/access in Active Directory?" Sadly, Microsoft has NEVER provided this guidance in an entire decade, so no one even seems to know this.

Anyone who possesses the tooling to correctly analyze effective access in Active Directory could instantly identify, and either eliminate or exploit, all such unauthorized access grants and the 1000s of privilege escalation paths they pave, and thus be in a position to either formidably defend or completely compromise these organizations.
The potential impact of this huge cyber security challenge is best illustrated by these 7 examples. It's that simple."
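To make the distinction in the note above concrete, here is a small, added illustration (not code from this blog, from Paramount Defenses or from Microsoft) of why a listing of "who has what permissions" differs from "who has what effective access": a user who appears in no ACE at all can still hold write rights on an object through nested group membership, and a deny ACE can strip rights that an allow ACE further down appears to grant. All principal names, group nesting, ACL entries and right bits below are constructed for the example; real Active Directory uses SIDs, object-type GUIDs and inheritance flags that this model omits.

```python
# Added illustration of effective access vs. listed permissions (not the
# blog's or Microsoft's code). Names, groups, ACLs and right bits are
# constructed; real AD uses SIDs, object-type GUIDs and inheritance flags.
from dataclasses import dataclass
WRITE_PROP, WRITE_DACL, WRITE_OWNER = 1, 2, 4
GENERIC_ALL = WRITE_PROP | WRITE_DACL | WRITE_OWNER

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group named by the ACE
    mask: int      # rights bits

# Constructed nested membership: alice is in Tier2 Ops, which is in Help Desk
GROUPS = {"Help Desk": {"bob", "Tier2 Ops"},
          "Tier2 Ops": {"alice"},
          "Domain Admins": {"admin"}}

def expand_token(principal: str) -> set[str]:
    """The principal plus every group containing it, transitively."""
    token, frontier = {principal}, [principal]
    while frontier:
        member = frontier.pop()
        for group, members in GROUPS.items():
            if member in members and group not in token:
                token.add(group)
                frontier.append(group)
    return token

def effective_rights(acl: list[Ace], principal: str) -> int:
    """Walk ACEs in order, as the access check does: a bit already
    denied to anything in the token can no longer be granted."""
    token, denied, granted = expand_token(principal), 0, 0
    for ace in acl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            denied |= ace.mask
        else:
            granted |= ace.mask & ~denied
    return granted

def listed_trustees(acl: list[Ace]) -> set[str]:
    """What a plain 'who has what permissions' report shows: ACE trustees only."""
    return {ace.trustee for ace in acl if ace.kind == "allow"}

# Constructed DACL on a sensitive object, in canonical order (denies first)
ACL = [Ace("deny", "bob", WRITE_DACL),
       Ace("allow", "Domain Admins", GENERIC_ALL),
       Ace("allow", "Help Desk", WRITE_PROP | WRITE_DACL)]

if __name__ == "__main__":
    for who in ("alice", "bob", "admin"):
        print(who, "listed:", who in listed_trustees(ACL), "effective:", effective_rights(ACL, who))
```

Run as-is, the report shows alice nowhere in the ACL yet holding WRITE_PROP and WRITE_DACL on the object, while bob, who is listed via Help Desk, effectively holds only WRITE_PROP because of the deny ACE ahead of it.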


As simple as it is, not a single one* of the 1000+ cyber security companies that exist today has a solution for this challenge.


Let there be no mistake about this - a proficient intruder who possesses tooling that lets him/her correctly analyze effective permissions/access in Active Directory could easily find hundreds, if not thousands, of unauthorized access grants in most Active Directory domains, and exploit them to compromise and obtain complete command and control over the organization.


If you find this hard to believe, you don't have to take my word for it, as here is Microsoft finally acknowledging it, and doing their best to downplay it. By the way, if they truly understood the depth of this problem, what they should've actually said is here.

Unfortunately, perpetrators can develop their own tooling and they don't even have to be 100% accurate (e.g. Bloodhound.)

Fortunately, organizations that possess the right tooling (e.g. 1, 2) can reliably mitigate all such security risks to Active Directory, from Mimikatz DCSync to Active Directory Privilege Escalation and from Sneaky Persistence to Active Directory Botnets, before perpetrators have the opportunity to exploit them, leaving no unauthorized access in Active Directory for perpetrators to exploit.





Time to Help Microsoft (and the Entire World)

Over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.


Of course, today we can also uniquely empower organizations worldwide to adequately secure and defend their foundational Active Directory deployments, and we are happy to help organizations that request our help, but we are not going to go to anyone explicitly offering our help, because we're not your ordinary company.


So, in days to come, we'll begin by educating the world about the following -


  1. What Constitutes a Privileged User in Active Directory

  2. How to Correctly Audit Privileged Users/Access in Active Directory

  3. How to Render Mimikatz DCSync Useless in an Active Directory Environment

  4. How to Easily Identify and Thwart Sneaky Persistence in Active Directory

  5. How to Easily Solve The Difficult Problem of Active Directory Botnets

  6. Why the World's Top Active Directory Permissions Analysis Tools Are Mostly Useless

  7. Why the Need to Lockdown Access Privileges in Active Directory Is Paramount to Its Defense

  8. How to Attain (Lockdown) and Maintain Least Privileged Access (LPA) in Active Directory

  9. How to Securely Delegate and Correctly Audit Administrative Access in Active Directory

  10. How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment

You see, each one of these Active Directory security focused objectives can actually be easily accomplished today, but in order to do so, what is required is the ability to accurately and adequately audit effective access in Active Directory.

Each one of these topics is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual/company) on the planet that can help the world address each one of these objectives today, let me know.

So, within the next 7 days, as a part of this, I'll start penning the above, and you'll be able to read them right here.




In Summary

If you truly understand Active Directory Security, then you know that literally the entire world's wealth is being protected by it, and thus we just cannot afford for organizations to start having their foundational Active Directory deployments breached.


Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.


Best wishes,
Sanjay

CEO, Paramount Defenses

Formerly, Program Manager,
Active Directory Security,
Microsoft Corporation


PS: To anyone who believes they know more about Active Directory Security than us, or can help the world more than we can, go ahead and demonstrate that you can - this is your opportunity. If you can, let's see it. If you can't, you'll want to listen to us.

PS2: If you liked this post, you may also like the 20+ posts that are a part of - Helping Microsoft with Active Directory Security.