Exploiting Weak Active Directory Permissions with PowerSploit

AD Permissions Attack #1: Exploiting Weak Permissions with PowerSploit

In the introductory post, we outlined some reasons why attackers may target AD permissions. In this post, we are going to look at specific ways to search for weak permissions. This attack can be perpetrated without any privileges in an environment, so finding these weaknesses is very quick and effective. We will be using the PowerShell framework PowerSploit to perform the reconnaissance and demonstrate just how easy it is to find holes in any Active Directory security model.

Active Directory Managed Security Groups

Active Directory security groups are a favorite target of attackers because they are used to secure systems and data. By finding groups that they can manage, attackers can add their compromised accounts to one of these groups, perpetrate an attack, and then remove their membership after. If they do not find any groups that can be managed by an account they have compromised, they can use this information to find other accounts to target.

Active Directory groups provide the ability to set a manager, and enable that manager to update the group with the “Manager can update membership list” setting. Under the covers, this ability just adds a new permission to the group that can be searched for easily.

(Screenshot: Active Directory Managed-by attribute in AD Security Group Manager with ‘Manager can update membership list’ setting)

PowerSploit offers a built-in command Find-ManagedSecurityGroups that will return a list of groups and their managers:

(Screenshot: PowerSploit Find-ManagedSecurityGroups command returning list of Active Directory groups with their managers)

You can see the “CanManageWrite” attribute specifies whether the manager can add and remove membership to the group. With this information, an attacker knows every group that has this setting enabled, and exactly which users can manipulate which groups.
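The same check can be run from the defender's side without PowerSploit. The script below is an added example (not PowerSploit's code and not from the original post): it lists every group with a Managed-by value and then inspects the group's ACL for the access control entry that the “Manager can update membership list” checkbox creates, which is an Allow ACE granting WriteProperty on the member attribute to the manager. It assumes the RSAT ActiveDirectory module (Get-ADGroup, Get-ADObject and the AD: PowerShell drive); the function name Get-ManagedGroupAudit is our own.

```powershell
# Added example, not PowerSploit code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute; the "Manager can update membership list"
# checkbox grants WriteProperty on exactly this attribute to the manager.
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-ManagedGroupAudit {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADGroup -Filter 'managedBy -like "*"' -SearchBase $SearchBase -Properties managedBy |
    ForEach-Object {
        $group   = $_
        $manager = Get-ADObject -Identity $group.managedBy -Properties objectSid, samAccountName
        $acl     = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

        # A manager with no SID (e.g. a contact object) can never hold the write ACE.
        $canWrite = $false
        if ($null -ne $manager.objectSid) {
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($ace.ObjectType -ne $MemberAttributeGuid) { continue }
                if (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -eq 0) { continue }

                # Resolve the ACE principal to a SID and compare it with the manager's SID.
                try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
                catch { continue }
                if ($aceSid -eq $manager.objectSid) { $canWrite = $true; break }
            }
        }

        [pscustomobject]@{
            GroupName       = $group.SamAccountName
            ManagerName     = $manager.samAccountName
            ManagerDN       = $group.managedBy
            CanManagerWrite = $canWrite
        }
    }
}

# Report only the groups whose manager can actually change membership.
Get-ManagedGroupAudit | Where-Object CanManagerWrite | Format-Table -AutoSize
```

Note that this only detects the specific ACE the checkbox adds; a manager who holds broader rights on the group (GenericAll, GenericWrite, or an unscoped WriteProperty) can change membership as well, which is what the ACL scan later in the post catches.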

Invoke-ACLScanner

PowerSploit offers another valuable way to find weak permissions with the Invoke-ACLScanner command. As the name implies, this will scan all Access Control Lists (ACLs) and return their permissions. However, AD permissions can be very complex and confusing. There are dozens of built-in permissions that are not easily exploitable and not really worth looking through.

Invoke-ACLScanner has added intelligence to look for the easiest permissions to exploit by filtering the permissions to where:

  • The SIDs of the users/groups in the permission have relative identifiers (RIDs) above 1000.
  • The rights granted give modify access to the target object.

In other words, this command finds the permissions that belong to users and groups that are more likely to be exploitable, rather than the out-of-the-box permissions Active Directory uses to manage itself.

By issuing this single command, all of the exploitable permissions are returned. These permissions may secure users, groups, Group Policy Objects (GPOs), Organizational Units (OUs), or any other object within Active Directory.

(Screenshot: PowerSploit and the Invoke-ACLScanner command returning exploitable Active Directory permissions)

Find Rights for Current User

If returning every exploitable right is too much work, it’s very straightforward to just look for exploitable rights for the currently logged on user. This approach will provide an attacker with a list of objects that can be exploited with their current account.

With a little extra PowerShell, it is easy to filter the list of Invoke-ACLScanner to the logged in user with a command such as:

Invoke-ACLScanner | Where-Object {$_.IdentityReference -eq
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name}

This will return a much more filtered list of permissions that are immediately actionable by the logged in user.

(Screenshot: Filtering the PowerSploit Invoke-ACLScanner command to the logged in user to return list of actionable AD permissions)
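To make the two Invoke-ACLScanner filters concrete, here is an added example (not PowerSploit's implementation and not from the original post) that applies the same logic with the RSAT ActiveDirectory module: walk the objects under a search base, keep only Allow ACEs whose rights can modify the object, drop principals whose RID is below 1000, and optionally restrict the result to one principal such as the logged-on user. The function name Find-ModifiableObjects and the OU 'OU=Finance,DC=example,DC=com' are placeholders of ours.

```powershell
# Added example reproducing the Invoke-ACLScanner filters; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Rights that let a principal change the object or its security descriptor.
$ModifyRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteOwner, WriteDacl, WriteProperty, Self'

function Find-ModifiableObjects {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$OnlyIdentity      # optional DOMAIN\name to restrict the report to one principal
    )

    Get-ADObject -Filter * -SearchBase $SearchBase |
    ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.ActiveDirectoryRights -band $ModifyRights) -eq 0) { continue }

            # Resolve the principal to a SID; unresolvable (orphaned) SIDs are skipped here.
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { continue }

            # The RID is the last sub-authority; well-known and built-in principals sit below 1000.
            $rid = [int](($sid.Value -split '-')[-1])
            if ($rid -lt 1000) { continue }

            if ($OnlyIdentity -and ($ace.IdentityReference.Value -ne $OnlyIdentity)) { continue }

            [pscustomobject]@{
                ObjectDN          = $dn
                IdentityReference = $ace.IdentityReference.Value
                RID               = $rid
                Rights            = $ace.ActiveDirectoryRights
                Inherited         = $ace.IsInherited
            }
        }
    }
}

# Everything the Invoke-ACLScanner filters would return for one OU (placeholder OU).
Find-ModifiableObjects -SearchBase 'OU=Finance,DC=example,DC=com' | Format-Table -AutoSize

# Only the ACEs held by the currently logged-on user, as in the Where-Object filter above.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Find-ModifiableObjects -OnlyIdentity $me | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the output: the RID threshold is a heuristic, so domain-created principals such as Domain Admins (RID 512) and Enterprise Admins (RID 519) are filtered out even though they hold full control everywhere, and an ACE granted to a group applies to every member of that group, so a report filtered to a single user name misses rights that user has through group membership.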

Protecting Your Active Directory Permissions

Permissions are a necessary part of Active Directory, and overall they drastically improve security. However, proper attention must be paid to avoid having easily exploitable permissions. Some simple places to start include:

  • Scan for Active Directory permissions and report on weaknesses.
  • Remove permissions given to stale and disabled accounts.
  • Review the Managed-by attribute on groups for accuracy.
  • Structure OUs so least-privilege permissions can be given to any delegated administrators.
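For the second item, removing permissions held by disabled accounts, the following added example (ours, not from the post or from STEALTHbits' products) inspects the explicit ACEs on one AD object, looks up each principal as a user account, and removes the entries whose account is disabled. It assumes the RSAT ActiveDirectory module; the function name Remove-DisabledAccountAces and the OU 'OU=Finance,DC=example,DC=com' are placeholders of ours, and nothing is written back unless -Commit is passed.

```powershell
# Added example: strip explicit ACEs granted to disabled user accounts from one AD object.
# Requires the RSAT ActiveDirectory module and the AD: drive.
Import-Module ActiveDirectory

function Remove-DisabledAccountAces {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [switch]$Commit          # without -Commit the function only reports what it would remove
    )

    $path    = "AD:\$DistinguishedName"
    $acl     = Get-Acl -Path $path
    $removed = @()

    # Snapshot the collection because entries are removed while iterating.
    foreach ($ace in @($acl.Access)) {
        # Inherited ACEs must be fixed on the parent they come from; only explicit ones are touched.
        if ($ace.IsInherited) { continue }

        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }

        # Only user accounts are evaluated; groups, computers and well-known SIDs are left alone.
        try { $user = Get-ADUser -Identity $sid.Value -ErrorAction Stop }
        catch { continue }
        if ($user.Enabled) { continue }

        $null = $acl.RemoveAccessRule($ace)
        $removed += [pscustomobject]@{
            ObjectDN = $DistinguishedName
            Account  = $ace.IdentityReference.Value
            Rights   = $ace.ActiveDirectoryRights
        }
    }

    if ($Commit -and $removed.Count -gt 0) {
        Set-Acl -Path $path -AclObject $acl
    }
    return $removed
}

# Report first; rerun with -Commit once the list has been reviewed (placeholder OU).
Remove-DisabledAccountAces -DistinguishedName 'OU=Finance,DC=example,DC=com' | Format-Table -AutoSize
```

Stale-but-enabled accounts need a different test (for example, lastLogonTimestamp older than a chosen cutoff) and are deliberately not covered here; the same remove-and-report pattern applies once that test is added.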

We will cover more advanced attacks and what to do to protect against them in the remainder of this blog series. In our next post, we will look at the web application Bloodhound and how the most recent version can visualize attack paths using Active Directory Permissions.

Here are the other blogs in the series:

Active Directory Permissions Attack #2 – Attacking AD Permissions with Bloodhound
Active Directory Permissions Attack #3 – Persistence using AdminSDHolder and SDProp
Active Directory Permissions Attack #4 – Unconstrained Delegation Permissions

To watch the AD Permissions Attacks webinar, please click here.

Jeff Warren is STEALTHbits’ Vice President of Product Management. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development. With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions. Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
