Introduction: Active Directory Permissions Attacks
In a previous blog series, we have written about attacks against Active Directory (AD) administrative rights and service accounts. These topics have led to several discussions with coworkers and employees about other ways to penetrate and attack Active Directory environments. Throughout these conversations, one topic was repeatedly overlooked: Active Directory permissions. Most approaches to elevating privileges within AD focus on administrative rights, stealing credentials and passwords, and performing pass-the-hash attacks. These are all very effective in their own right, but sometimes unnecessary. In many organizations, understanding how to take advantage of weak Active Directory permissions is enough to get you all the rights you need.
Why are Active Directory Permissions so Important?
Active Directory provides security and control over critical information and systems. The ability to manage Active Directory is controlled through a series of permissions that are applied to different objects and containers. These permissions control critical capabilities such as modifying security group memberships and resetting the password of a privileged account. With the right permissions, it is possible to obtain any privilege and bypass nearly any security controls.
How Do Attackers Take Advantage of Active Directory Permissions?
Active Directory permissions are rarely well-maintained. They are complicated and difficult to manage centrally, especially in environments with multiple domains and forests. Some common scenarios you will see when you inspect any organization’s AD permissions include:
- Heavy overprovisioning of rights to help desk or administrative staff
- Rights granted to users who no longer need them
- Inheritance being broken and permissions changed in unexpected ways
If attackers know what permissions they need, it’s trivial to find and exploit these weaknesses.
Over the next four weeks, I’m not only going to detail four (4) attacks against Active Directory permissions you need to know about, but I’m also going to explain how they work, the techniques and tools real attackers use to perpetrate these attacks, and what you can do about them. Here’s the lineup:
- Active Directory Permissions Attack #1 – Exploiting Weak Permissions with PowerSploit Read Now
- Active Directory Permissions Attack #2 – Attacking AD Permissions with Bloodhound Read Now
- Active Directory Permissions Attack #3 – Persistence using AdminSDHolder and SDProp Read Now
- Active Directory Permissions Attack #4 – Unconstrained Delegation Permissions Read Now
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Jeff Warren is Stealthbits’ General Manager of Products. Jeff has held multiple roles within the Technical Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits – now part of Netwrix, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
Related Posts
- SERVER (UN)TRUST ACCOUNT
- Setup, Configuration, and Task Execution with Covenant: The Complete Guide
- Protecting Against DCShadow
- Detecting Persistence through Active Directory Extended Rights
- Resource-Based Constrained Delegation Abuse
- Honey Token Threat Detection with StealthDEFEND
- Domain Persistence with Subauthentication Packages
- What is DCSync? An Introduction
- How to Detect Pass-the-Hash Attacks
- New Exchange Authentication Vulnerability uses AD Admin to Gain Privileges
Leave a Reply