AD Permissions Attack #1: Exploiting Weak Permissions with PowerSploit
In the introductory post, we outlined some reasons why attackers may target AD permissions. In this post, we are going to look at specific ways to search for weak permissions. This attack can be perpetrated without any privileges in an environment, so finding these weaknesses is very quick and effective. We will be using a PowerShell framework PowerSploit to perform the reconnaissance and demonstrate just how easy it is to find holes in any Active Directory security model.
Active Directory Managed Security Groups
Active Directory security groups are a favorite target of attackers because they are used to secure systems and data. By finding groups that they can manage, attackers can add their compromised accounts to one of these groups, perpetrate an attack, and then remove their membership after. If they do not find any groups that can be managed by an account they have compromised, they can use this information to find other accounts to target.
Active Directory groups provide the ability to set a manager, and enable that manager to update the group with the “Manager can update membership list” setting. Under the covers, this ability just adds a new permission to the group that can be searched for easily.
PowerSploit offers a built-in command Find-ManagedSecurityGroups that will return a list of groups and their managers:
You can see the “CanManageWrite” attribute specifies whether the manager can add and remove membership to the group. With this information, an attacker knows every group that has this setting enabled, and exactly which users can manipulate which groups.
Invoke-ACLScanner
PowerSploit offers another valuable way to find weak permissions with the Invoke-ACLScanner command. As the name implies, this will scan all Access Control Lists (ACLs) and return their permissions. However, AD permissions can be very complex and confusing. There are dozens of built-in permissions that are not easily exploitable and not really worth looking through.
Invoke-ACLScanner has added intelligence to look for the easiest permissions to exploit by filtering the permissions to where:
- The SIDs of the users/groups in the permission have resource IDs (RIDs) above 1000.
- The rights granted give modify access to the target object
In other words, this command finds the permissions that belong to users and groups that are more likely to be exploited and not out-of-the-box permissions Active Directory users to manage itself.
By issuing this single command, all of the exploitable permissions are returned. These permissions may secure users, groups, Group Policy Objects (GPOs), Organizational Units (OUs), or any other object within Active Directory.
Find Rights for Current User
If returning every exploitable right is too much work, it’s very straightforward to just look for exploitable rights for the currently logged on user. This approach will provide an attacker with a list of objects that can be exploited with their current account.
With a little extra PowerShell, it is easy to filter the list of Invoke-ACLScanner to the logged in user with a command such as:
Invoke-ACLScanner | Where-Object {$_.IdentityReference –eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}
This will return a much more filtered list of permissions that are immediately actionable by the logged in user.
Protecting Your Active Directory Permissions
Permissions are a necessary part of Active Directory, and overall they drastically improve the security. However, proper attention must be paid to avoid having easily exploitable permissions. Some simple places to start include:
- Scan for Active Directory permissions and report on weaknesses
- Remove permissions given to stale and disabled accounts.
- Review the Managed-by attribute on groups for accuracy
- Structure OUs so least-privilege permissions can be given to any delegated administrators
We will cover more advanced attacks and what to do to protect against them in the remainder of this blog series. In our next post, we will look at the web application Bloodhound and how the most recent version can visualize attack paths using Active Directory Permissions.
Here are the other blogs in the series:
Active Directory Permissions Attack #2 – Attacking AD Permissions with Bloodhound Read Now
Active Directory Permissions Attack #3 – Persistence using AdminSDHolder and SDProp Read Now
Active Directory Permissions Attack #4 – Unconstrained Delegation Permissions Read Now
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Jeff Warren is Stealthbits’ General Manager of Products. Jeff has held multiple roles within the Technical Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits – now part of Netwrix, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
Related Posts
- Understanding Lateral Movement and Privilege Escalation
- SERVER (UN)TRUST ACCOUNT
- Setup, Configuration, and Task Execution with Covenant: The Complete Guide
- Protecting Against DCShadow
- Detecting Persistence through Active Directory Extended Rights
- Lateral Movement Through Pass-the-Cache
- Resource-Based Constrained Delegation Abuse
- Honey Token Threat Detection with StealthDEFEND
- Domain Persistence with Subauthentication Packages
- What is DCSync? An Introduction
Leave a Reply