Folks,

Wish you a very happy new year. Earlier today, I just shared some cyber security insight for U.S. President-Elect Donald Trump, so after today's post (i.e. the one below), I might consider taking some time off from blogging (or I might not).

Today I just wanted to share with you the top-10 easiest ways in which an intruder or a rogue/compromised/coerced insider could easily escalate their privilege to that of a Domain Admin in virtually any Active Directory environment in the world.

It should also be noted that not a single one of these ways involves using pass-the-hash or Kerberos ticket meddling techniques. In fact, not a single one of these ways requires the victim to log on to any computer, let alone one owned by the perpetrator.

The enactment of any one such way could result in the perpetrator obtaining privileged (Domain Admin equivalent) access.

Top-10 Ways to Escalate Privilege to Domain Admin in Active Directory

Here are the Top-10 Ways to Escalate Privilege to Domain Admin in Active Directory environments -

(Image: The Top-10 Ways in which an Intruder or a Rogue Insider Could Escalate Privilege ...)

1. If one has sufficient effective permissions to replicate secrets from Active Directory, one can effortlessly use the DCSync feature of the Mimikatz tool to obtain the credentials of all domain user accounts, including those of all privileged users.

2. If one has sufficient effective permissions to modify permissions on the domain root object, one could easily add an inheritable permission granting oneself, or any account controlled by oneself, Full Control across the entire domain, thus obtaining full control over 99% of all objects in the domain, i.e. over all objects whose ACL is not marked Protected.

3. If one has sufficient effective permissions to reset the password of even one Domain Admin account, one can effortlessly reset the password of that Domain Admin account and log on as that account to escalate privilege.

4. If one has sufficient effective permissions to modify the group membership of even one privileged Active Directory security group (e.g. Domain Admins, Enterprise Admins, Builtin Admins, etc., or any non-default group that has privileged access), one could easily add one's own account, or an account controlled by the perpetrator, to escalate privilege.

5. If one has sufficient effective permissions to modify critical Active Directory configuration content, such as the vast amounts of information stored in the Configuration partition, the Schema partition and/or the System container in the domain partition, one could easily escalate privilege. For instance (and this is one of 100+ examples), if one could modify the defaultSecurityDescriptor attribute on the User schema class object in the Schema partition, one could automatically control every newly created domain user account that may ever be made a member of any privileged group.

6. If one has sufficient effective permissions to modify permissions on the access control list protecting the AdminSDHolder object, one could easily escalate privilege by granting oneself, or any account controlled by oneself, any desired level of control on all default administrative accounts and groups protected by the AdminSDHolder process in Active Directory.

7. If one has sufficient effective permissions to modify the gpLink and gpOptions attributes on the default Domain Controllers organizational unit (OU), one could easily link a compromising group policy object (GPO) to the OU, and use it to gain sufficient user rights and privileges on all Domain Controllers (DCs) that would allow one to log on to any DC and obtain system-level access, such as by having the Act as part of the operating system user right granted to oneself.

8. If one has sufficient effective permissions to establish an incoming forest trust or an external trust with the domain, one could instantly establish trust with a domain in which one possesses administrative control, and use well-known means to elevate privilege in this domain.

9. If one has sufficient effective permissions to modify the attribute that controls whether or not a password is required for authentication on any one Domain Admin account, then one could easily set this setting and proceed to log on to that account without needing to enter a password, thus instantly elevating privilege to that of a Domain Admin.

10. Even if some form of MFA (multi-factor authentication), such as smartcards, or one of a variety of other band-aids is in use, if one has sufficient effective permissions on even one Domain Admin user's account, one could simply disable the use of smartcards and/or a third-party MFA control by tweaking the involved attribute on the user account, then proceed to perform a password reset and log on using one's password of choice, thus having escalated privilege within seconds.
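To see who is actually granted the permissions behind these ways in a given domain, here is an added audit script in PowerShell (it is not code from the original post or its author). It assumes the RSAT ActiveDirectory module and read access to the directory, lists ACEs rather than computing effective permissions, and covers ways 1 to 4, 6, 7, 9 and 10; ways 5 and 8 need a wider sweep of the Schema, Configuration and System containers and are left out.

```powershell
Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$ADR      = [System.DirectoryServices.ActiveDirectoryRights]
# Resolve attribute and extended-right names to GUIDs from the live schema, so nothing is hard-coded.
$guidOf = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidOf[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties rightsGuid |
    ForEach-Object { $guidOf[$_.Name] = [guid]$_.rightsGuid }
function Find-GrantingAces {
    # One row per Allow ACE on $Dn that grants $Right, directly or via GenericAll. This lists ACEs;
    # it does not compute effective permissions, so group nesting, Deny ACEs and ownership still need review.
    param([string]$Dn, [string]$Right, [string]$Way)
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r   = $ace.ActiveDirectoryRights
        $hit = $r.HasFlag($ADR::GenericAll)
        if ($Right -eq 'WriteDacl') {
            # WriteDacl or WriteOwner lets the holder rewrite the object's ACL
            $hit = $hit -or $r.HasFlag($ADR::WriteDacl) -or $r.HasFlag($ADR::WriteOwner)
        } elseif ($r.HasFlag($ADR::WriteProperty) -or $r.HasFlag($ADR::ExtendedRight)) {
            # an empty ObjectType means all properties / all extended rights
            $hit = $hit -or $ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $guidOf[$Right]
        }
        if ($hit) {
            [pscustomobject]@{ Way = $Way; Object = $Dn; Identity = $ace.IdentityReference;
                               Rights = $r; Inherited = $ace.IsInherited; Owner = $acl.Owner }
        }
    }
}
$daGroup = Get-ADGroup 'Domain Admins' -Properties member
$checks  = @(
    @{ Dn = $domainDn;                              Right = 'DS-Replication-Get-Changes-All'; Way = '1' },
    @{ Dn = $domainDn;                              Right = 'WriteDacl';                      Way = '2' },
    @{ Dn = $daGroup.DistinguishedName;             Right = 'member';                         Way = '4' },
    @{ Dn = "CN=AdminSDHolder,CN=System,$domainDn"; Right = 'WriteDacl';                      Way = '6' },
    @{ Dn = "OU=Domain Controllers,$domainDn";      Right = 'gPLink';                         Way = '7' }
)
foreach ($m in $daGroup.member) {   # ways 3, 9 and 10 apply to every Domain Admin account
    $checks += @{ Dn = $m; Right = 'User-Force-Change-Password'; Way = '3' }
    $checks += @{ Dn = $m; Right = 'userAccountControl';         Way = '9/10' }
}
$rows = foreach ($c in $checks) { Find-GrantingAces -Dn $c.Dn -Right $c.Right -Way $c.Way }
$rows | Format-Table -AutoSize
```

Rows for SYSTEM, Administrators, Domain Admins and Enterprise Admins are expected by default; every other identity in the output is one that should be accounted for, and its nested group members and the Owner column deserve the same scrutiny.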

To reiterate, the enactment of any one of these ways, by any one individual, even one time, would be sufficient for a perpetrator to obtain privileged access in an Active Directory environment, and strictly speaking this would be a colossal security breach.

Also to reiterate, not a single one of these ways involves using pass-the-hash or Kerberos ticket meddling techniques. In fact, and consequently, none of these ways requires the victim to log on to any computer, let alone one owned by the perpetrator.

Escalation, Not Persistence

Perhaps there are some who might say that these are the top ways of establishing "persistence", not of "escalating privilege."


The Top-10 Ways in which an Intruder or a Rogue Insider Could Escalate Privilege ...

To them I say that "persistence" is just a fancy concept that Microsoft seems to have recently come up with.

Those who truly understand security know that once a privileged user account has been compromised in your system, it is technically Game-over, because from that point on, the very fabric of trust would have been pierced and compromised, and continuing to operate on such a compromised system would be tantamount, from that point onward, to exposing the entirety of the organization's digital footprint, i.e. all digital communications, assets, secrets, data, etc., to the intruder.


The Top-10 Ways in which an Intruder or a Rogue Insider Could Escalate Privilege ...

As such, there is always the scenario wherein a proficient perpetrator, given a single opportunity to obtain such privileged access, and having gained it, could easily automate the destruction of an entire domain, leaving nothing more to protect.

(In such a scenario, "persistence" would be meaningless.)

The other thing to note is that each of these methods of privilege escalation could be enacted by anyone that has a domain user account or access to a domain-joined computer. All the perpetrator needs are sufficient rights, i.e. sufficient effective permissions in Active Directory, to be able to enact certain tasks that are typically delegated amongst many IT personnel.

Now, in most Active Directory environments today, there are many, many more individuals and service accounts that already possess the ability to enact the ways outlined above. This is because most Active Directory deployments have been around for years, and an extensive amount of delegation and/or provisioning of access rights has been done in Active Directory over the years. Further, since most organizations do not possess the means to audit these delegations, in all likelihood, they have no idea as to exactly who can enact these tasks in their environments, and in most organizations there could be many accounts including those belonging to various c
