Introducing StealthAUDIT 11.5! Complete your cloud security puzzle. LEARN MORE
Stealthbits

Exploiting Weak Active Directory Permissions with PowerSploit

Blog >Exploiting Weak Active Directory Permissions with PowerSploit

AD Permissions Attack #1: Exploiting Weak Permissions with PowerSploit

In the introductory post, we outlined some reasons why attackers may target AD permissions. In this post, we are going to look at specific ways to search for weak permissions. This attack can be perpetrated without any privileges in an environment, so finding these weaknesses is very quick and effective. We will be using a PowerShell framework PowerSploit to perform the reconnaissance and demonstrate just how easy it is to find holes in any Active Directory security model.

Active Directory Managed Security Groups

Active Directory Managed-by attribute in AD Security Group Manager with ‘Manager can update membership list’ setting

Active Directory security groups are a favorite target of attackers because they are used to secure systems and data. By finding groups that they can manage, attackers can add their compromised accounts to one of these groups, perpetrate an attack, and then remove their membership after. If they do not find any groups that can be managed by an account they have compromised, they can use this information to find other accounts to target.

Active Directory groups provide the ability to set a manager, and enable that manager to update the group with the “Manager can update membership list” setting. Under the covers, this ability just adds a new permission to the group that can be searched for easily. 

PowerSploit Find-ManagedSecurityGroups command returning list of Active Directory groups with their managers

PowerSploit offers a built-in command Find-ManagedSecurityGroups that will return a list of groups and their managers: 

You can see the “CanManageWrite” attribute specifies whether the manager can add and remove membership to the group. With this information, an attacker knows every group that has this setting enabled, and exactly which users can manipulate which groups.

Invoke-ACLScanner

PowerSploit offers another valuable way to find weak permissions with the Invoke-ACLScanner command. As the name implies, this will scan all Access Control Lists (ACLs) and return their permissions. However, AD permissions can be very complex and confusing. There are dozens of built-in permissions that are not easily exploitable and not really worth looking through.

Invoke-ACLScanner has added intelligence to look for the easiest permissions to exploit by filtering the permissions to where:

  • The SIDs of the users/groups in the permission have resource IDs (RIDs) above 1000.
  • The rights granted give modify access to the target object

In other words, this command finds the permissions that belong to users and groups that are more likely to be exploited and not out-of-the-box permissions Active Directory users to manage itself.

PowerSploit and the Invoke-ACLScanner command returning exploitable Active Directory permissions

By issuing this single command, all of the exploitable permissions are returned. These permissions may secure users, groups, Group Policy Objects (GPOs), Organizational Units (OUs), or any other object within Active Directory. 

Find Rights for Current User

If returning every exploitable right is too much work, it’s very straightforward to just look for exploitable rights for the currently logged on user. This approach will provide an attacker with a list of objects that can be exploited with their current account.

With a little extra PowerShell, it is easy to filter the list of Invoke-ACLScanner to the logged in user with a command such as:

Invoke-ACLScanner | Where-Object {$_.IdentityReference –eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}

Filtering the PowerSploit Invoke-ACLScanner command to the logged in user to return list of actionable AD permissions

This will return a much more filtered list of permissions that are immediately actionable by the logged in user. 

Protecting Your Active Directory Permissions

Permissions are a necessary part of Active Directory, and overall they drastically improve the security. However, proper attention must be paid to avoid having easily exploitable permissions. Some simple places to start include:

  • Scan for Active Directory permissions and report on weaknesses
  • Remove permissions given to stale and disabled accounts.
  • Review the Managed-by attribute on groups for accuracy
  • Structure OUs so least-privilege permissions can be given to any delegated administrators

We will cover more advanced attacks and what to do to protect against them in the remainder of this blog series. In our next post, we will look at the web application Bloodhound and how the most recent version can visualize attack paths using Active Directory Permissions.

Here are the other blogs in the series:

Active Directory Permissions Attack #2 – Attacking AD Permissions with Bloodhound Read Now
Active Directory Permissions Attack #3 – Persistence using AdminSDHolder and SDProp Read Now
Active Directory Permissions Attack #4 – Unconstrained Delegation Permissions Read Now

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Loading

Featured Asset

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe

DON’T MISS A POST. SUBSCRIBE TO THE BLOG!


Loading

© 2022 Stealthbits Technologies, Inc.

Start a Free Stealthbits Trial!

No risk. No obligation.

FREE TRIAL