In our fourth edition of the Insider Threat podcast, we have our favorite guest Jeff Warren on to discuss the latest in the AD attack series of blog posts. These attacks are always fascinating, but this one may be the most interesting yet. These attack vectors are simultaneously obscure and powerful. Most attackers aren't sophisticated enough to leverage AD permissions in these ways, but those that are rank among the most dangerous. We started with a simple definition of what these AD permissions attacks really are. In essence, it's about taking advantage of the sometimes complex and always well-hidden ways AD lets you set permissions on AD objects themselves. This is not about using an AD group to grant permissions on a file share; it is about the access control list (the DACL) on that AD group, user, or organizational unit within AD itself. Rights such as GenericAll, WriteDacl, WriteOwner, or the "Reset Password" extended right on the right object are as good as membership in the group. If you know how to take advantage of these permissions, you can reset administrator account passwords (and thereby own those accounts), add yourself to sensitive groups, and even have AD itself become an ally in keeping your foothold strong as an attacker.
If that last one sounds a bit fantastic, then you really need to go read about the AdminSDHolder attack in the blog series. Briefly, it takes a mechanism designed to enhance the security of sensitive groups in AD (e.g. Enterprise Admins) and subverts it. The AdminSDHolder object (CN=AdminSDHolder,CN=System in each domain) holds a template ACL, and the SDProp process on the PDC emulator periodically (every 60 minutes by default) stamps that ACL onto every protected group and account, overwriting whatever an administrator may have changed. An attacker who adds an ACE for their own account to AdminSDHolder therefore keeps getting permissions on those groups re-granted even after being removed from them, because the very process meant to repair the ACLs is now restoring the attacker's access. It is nasty stuff, and it really cuts to the heart of why these permissions attacks are so effective when used correctly. The permissions are what should protect your AD objects. When attackers poison that well, what's meant to protect becomes the real threat. Something like AdminSDHolder is also quite obscure, and, as Jeff tells us in the podcast, much of what is out there online about it is either out of date or not very helpful. Of course, that's why we're doing all this. We want to share it all with you so you can build the best defenses you can. But it is also about us trying to ensure we're doing the right things by finding and mastering every last attack vector we can, so that we have the material to build the ultimate AD protection.
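Both of the ideas above, abusable rights on sensitive AD objects and a poisoned AdminSDHolder template, come down to reading the DACL on a handful of objects and asking who is allowed to do what. The following PowerShell is an added example written for this page; it is not code from the podcast, the blog series, or any product. It assumes the ActiveDirectory RSAT module, a domain-joined session, and that the trustees in `$expectedTrustees` are the ones you expect to hold full control in your forest (tune that list, since some environments legitimately grant additional groups rights here). The extended-right GUID used for "Reset Password" (User-Force-Change-Password) is the well-known value 00299570-246d-11d0-a768-00aa006e0529; the all-zero GUID means the ACE applies to every property or extended right.

```powershell
# Added example (not from the podcast or blog series): report access control
# entries on AdminSDHolder and protected groups that would let a trustee
# take over the object or reset passwords.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName

# Objects to audit: AdminSDHolder (its ACL is copied onto every protected
# object by SDProp) plus a few protected groups in this domain.
# Enterprise Admins only exists in the forest root; missing DNs are skipped.
$targets = @(
    "CN=AdminSDHolder,CN=System,$domainDN",
    "CN=Domain Admins,CN=Users,$domainDN",
    "CN=Enterprise Admins,CN=Users,$domainDN",
    "CN=Administrators,CN=Builtin,$domainDN"
)

# Rights that amount to full control of the object.
$takeoverRights    = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'
# Extended right "User-Force-Change-Password" (reset without the old password).
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
# All-zero GUID: the ACE covers all properties / all extended rights.
$allObjectsGuid    = [Guid]'00000000-0000-0000-0000-000000000000'

# Trustees expected to hold these rights. Assumption for this example; anything
# not in this list is reported for a human to judge.
$expectedTrustees = @(
    'NT AUTHORITY\SYSTEM',
    "$netbios\Domain Admins",
    "$netbios\Enterprise Admins",
    'BUILTIN\Administrators'
)

foreach ($dn in $targets) {
    try {
        $acl = Get-Acl -Path "AD:\$dn" -ErrorAction Stop
    } catch {
        Write-Warning "Skipping $dn : $($_.Exception.Message)"
        continue
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expectedTrustees -contains $ace.IdentityReference.Value) { continue }

        # ActiveDirectoryRights is a flags enum; split its text form into names.
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'

        $takeover = @($rights | Where-Object { $takeoverRights -contains $_ }).Count -gt 0
        # WriteProperty only matters here when it is not scoped to one attribute.
        $writeAll = ($rights -contains 'WriteProperty') -and ($ace.ObjectType -eq $allObjectsGuid)
        $reset    = ($rights -contains 'ExtendedRight') -and
                    ($ace.ObjectType -eq $resetPasswordGuid -or $ace.ObjectType -eq $allObjectsGuid)

        if ($takeover -or $writeAll -or $reset) {
            [PSCustomObject]@{
                Object     = $dn
                Trustee    = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}
```

Run it as a user with read access to the System container (any authenticated user can read these ACLs by default) and pipe the output to Format-Table or Export-Csv. An unexpected trustee on AdminSDHolder is the finding that matters most: removing that trustee from Domain Admins alone will not help, because SDProp will re-apply the AdminSDHolder ACE to the group on its next cycle. Clean the template first, then the protected objects, then reconsider who really needs the reported rights.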
To read the full blog series accompanying the podcast, please click here.
To be notified of Insider Threat Podcast episodes, sign up here.