Introduction: Active Directory Permissions Attacks
In a previous blog series, we have written about attacks against Active Directory (AD) administrative rights and service accounts. These topics have led to several discussions with coworkers and employees about other ways to penetrate and attack Active Directory environments. Throughout these conversations, one topic was repeatedly overlooked: Active Directory permissions. Most approaches to elevating privileges within AD focus on administrative rights, stealing credentials and passwords, and performing pass-the-hash attacks. These are all very effective in their own right, but sometimes unnecessary. In many organizations, understanding how to take advantage of weak Active Directory permissions is enough to get you all the rights you need.
Why are Active Directory Permissions so Important?
Active Directory provides security and control over critical information and systems. The ability to manage Active Directory is controlled through a series of permissions that are applied to different objects and containers. These permissions control critical capabilities such as modifying security group memberships and resetting the password of a privileged account. With the right permissions, it is possible to obtain any privilege and bypass nearly any security controls.
How Do Attackers Take Advantage of Active Directory Permissions?
Active Directory permissions are rarely well-maintained. They are complicated and difficult to manage centrally, especially in environments with multiple domains and forests. Some common scenarios you will see when you inspect any organization’s AD permissions include:
- Heavy overprovisioning of rights to help desk or administrative staff
- Rights granted to users who no longer need them
- Inheritance being broken and permissions changed in unexpected ways
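The three scenarios above are exactly what a permissions audit should surface before an attacker does. The script below is an added example written for this post, not tooling from the original author: it walks the user and group objects under a container, reads each object's ACL through the AD: drive, and reports any non-default principal holding the capabilities mentioned earlier (full control, WriteDacl/WriteOwner, password reset, or write access to the member attribute), plus any object whose inheritance has been disabled. It assumes the RSAT ActiveDirectory module is installed, that the search base and the list of expected principals are adjusted for your domain (the EXAMPLE values are placeholders), and it uses the well-known schema GUIDs for the User-Force-Change-Password right and the member attribute.

```powershell
# Added example (not from the original post): audit objects under a container for
# permissions that grant the capabilities described above, and for broken inheritance.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive).
Import-Module ActiveDirectory

$SearchBase = 'OU=Privileged,DC=example,DC=com'   # placeholder; adjust for your domain

# Well-known schema GUIDs (documented by Microsoft).
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$MemberAttribute    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # 'member' attribute

# Principals whose rights are expected on these objects; everything else is reported.
# Replace EXAMPLE with your NetBIOS domain name.
$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
                        'EXAMPLE\Domain Admins', 'EXAMPLE\Enterprise Admins')

$Rights = [System.DirectoryServices.ActiveDirectoryRights]

function Test-DangerousAce {
    # Returns a short description of why the ACE matters, or $null if it does not.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $null }
    $r = $Ace.ActiveDirectoryRights
    $g = $Ace.ObjectType          # Guid.Empty means the right applies to all properties/rights
    $all = $g -eq [guid]::Empty

    # GenericAll is a combination of bits, so compare for the full mask rather than any bit.
    if (($r -band $Rights::GenericAll) -eq $Rights::GenericAll) { return 'GenericAll (full control)' }
    if ($r -band $Rights::WriteDacl)  { return 'WriteDacl (can rewrite the ACL)' }
    if ($r -band $Rights::WriteOwner) { return 'WriteOwner (can take ownership)' }
    if (($r -band $Rights::ExtendedRight) -and ($all -or $g -eq $ResetPasswordRight)) {
        return 'Reset password'
    }
    if (($r -band $Rights::WriteProperty) -and ($all -or $g -eq $MemberAttribute)) {
        return 'Modify group membership'
    }
    return $null
}

Get-ADObject -SearchBase $SearchBase -LDAPFilter '(|(objectClass=user)(objectClass=group))' |
  ForEach-Object {
    $obj = $_
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)

    # Broken inheritance is a finding on its own: someone edited this object's ACL by hand.
    if ($acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Object = $obj.DistinguishedName; Principal = '(n/a)'
                           Finding = 'Inheritance disabled'; Inherited = $false }
    }

    foreach ($ace in $acl.Access) {
        $finding = Test-DangerousAce $ace
        if ($finding -and $ExpectedPrincipals -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Object    = $obj.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Finding   = $finding
                Inherited = $ace.IsInherited   # explicit (non-inherited) ACEs are the stale/ad-hoc grants
            }
        }
    }
  } | Sort-Object Object, Principal | Format-Table -AutoSize
```

Run it with an account that can read security descriptors (any domain user can by default) and treat the explicit, non-inherited entries as the first review queue: those are the hand-edited grants that correspond to the overprovisioned and no-longer-needed rights listed above.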
If attackers know what permissions they need, it’s trivial to find and exploit these weaknesses.
Over the next four weeks, I’m not only going to detail four attacks against Active Directory permissions you need to know about, but I’m also going to explain how they work, the techniques and tools real attackers use to perpetrate these attacks, and what you can do about them. Here’s the lineup:
- Active Directory Permissions Attack #1 – Exploiting Weak Permissions with PowerSploit
- Active Directory Permissions Attack #2 – Attacking AD Permissions with Bloodhound
- Active Directory Permissions Attack #3 – Persistence using AdminSDHolder and SDProp
- Active Directory Permissions Attack #4 – Unconstrained Delegation Permissions
Sign up to be notified when each blog is posted, or check back every Tuesday at 8:30 AM EST for the latest edition.
Active Directory Permissions Attack #1 is already up. Enjoy!