The presentation on my "Shadow Admins" research

•Download as PPTX, PDF•

2 likes•1,350 views

Asaf Hecht

Shadow Admins are powerful and stealthy privileged accounts - attacker & defenders must know about them.

Technology

Lavi Lazarovitz
Security Research Team Lead
Asaf Hecht
Security Researcher
Shadow Admins

Shadow Admins: Underground Accounts That
Undermine The Network
Admin A
Privileged Accounts
Admin B
Shadow Admin

Shadow Admins: Underground Accounts That
Undermine The Network
Industry Standards
SHADOW ADMIN

Shadow Admins: Underground Accounts That
Undermine The Network
Industry Standards
Privileged account An information system account with authorizations of a
privileged user
Privileged user
[CNSSI 4009]
A user that is authorized (and therefore, trusted) to perform
security-relevant functions that ordinary users are not
authorized to perform

Shadow Admins: Underground Accounts That
Undermine The Network
Discovering Privileged Accounts
Built-in Admin Groups
Active Directory
Shadow Admins
C: NET GROUPS /Domain
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
* Enterprise Admins
* Domain Admins
* Account Operators
* Schema Admins
C: NET GROUPS /Domain
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
* Administrators_Global
* A_Admins_UK
* Server_Admins_Local
* WS_Admins_Local
Organization Defined Groups

Shadow Admins: Underground Accounts That
Undermine The Network
Shadow Admins
Name: Shadow Admin
D.O.B.: Not part of any privilege group
ID #: S-1-5-21-3623812015-
3361044358-30301820-1014
Issued: 08/06/2017
Expires: NEVER
IDENTIFICATION CARD
Shadow Admin has Direct Privilege Permissions!

Shadow Admins: Underground Accounts That
Undermine The Network
Permissions and ACLs - on directories
READ ONLY
SYSTEM
Administrators
User1
Guest
FULL CONTROL
READ & WRITE

Shadow Admins: Underground Accounts That
Undermine The Network
Permissions and ACLs - in Active Directory
SYSTEM
Enterprise Admins
Domain Admins
Authenticated Users
User1
User2
ACLAD Objects
Groups
Domain root
Containers
GPOs
FULL CONTROL
CREATE CHILD OBJECTS
DELETE CHILD OBJECTS
CHANGE PASSWORD
READ ONLY
READ ONLY
READ ONLY
CHANGE PASSWORD

Shadow Admins: Underground Accounts That
Undermine The Network
Active Directory - Object tree and ACL

Shadow Admins: Underground Accounts That
Undermine The Network
Group assignment: Direct assignment:
Direct vs Group ACL Assignment

Shadow Admins: Underground Accounts That
Undermine The Network
Direct vs Group ACL Assignment
Account Emily has DC Sync permission:
Domain and can steal all the passwords:
Account Emily has Reset Password permission: on
Administrator account Administrator account:

Shadow Admins: Underground Accounts That
Undermine The Network
Privilege Escalation
The Red Side Scenarios
Persistence

Shadow Admins: Underground Accounts That
Undermine The Network
C: NET LOCALGROUP
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
* Administrators
** Load and unload device drivers
** Manage Auditing and security logs
* Remote Desktop Users
** Allow logon through remote desktop services
User Rights - Local Privileged Accounts

Shadow Admins: Underground Accounts That
Undermine The Network
Local User Rights

Shadow Admins: Underground Accounts That
Undermine The Network
User Rights Attack

Shadow Admins: Underground Accounts That
Undermine The Network
Our Free Tool - ACLight - Shadow Admin Scanner
PowerShell
GitHub
Automatic

Shadow Admins: Underground Accounts That
Undermine The Network
Privilege ACL Scanner - Results

Shadow Admins: Underground Accounts That
Undermine The Network
Privilege ACL Scanner - Results
Full CSV output – every account and its privileged permission:

Shadow Admins: Underground Accounts That
Undermine The Network
Light In The Shadows
Domain Groups Shadow Admins Local Groups

Shadow Admins: Underground Accounts That
Undermine The Network
Download & Run Free:
https://github.com/CyberArkLabs/ACLight
Lavi.Lazarovitz@cyberark.com, @LaviLazarovitz
Asaf.Hecht@cyberark.com, @Hechtov

Shadow Admins: Underground Accounts That
Undermine The Network
Actionable Takeaways
KNOW all your privileged accounts in the network:
• By group assignments
• By ACLs analysis of the Active Directory
HOW:
• Scan your network for Shadow Admins - who have sensitive direct permissions
• Use our free privileged ACLs scanning tool:
https://github.com/CyberArkLabs/ACLight
SECURE those new detected privileged accounts!

What's hot

Demystifying Initial Access in Azure

Gabriel Mathenge

OWASP Top 10 2021 What's New

Michael Furman

MITRE ATT&CK framework

Bhushan Gurav

Cybersecurity Basics - Aravindr.com

Aravind R

SOME ve SOC Ekipleri İçin Açık Kaynak Çözümler

BGA Cyber Security

10 Adımda Sızma Testleri

BGA Cyber Security

From ATT&CKcon 3.0 By David Barroso, CounterCraft When an adversary engages in a specific behavior, they are vulnerable to expose an unintended weakness. By looking at each ATT&CK technique, we can examine the weaknesses revealed and identify an engagement activity or activities to exploit this weakness. During the presentation we will see some real examples of how we can use different ATT&CK techniques in order to plan different adversary engagement activities.

Mapping ATT&CK Techniques to ENGAGE Activities

MITRE ATT&CK

Cloud App Security Customer Presentation.pdf

ErikHof4

Many organizations and managed security providers are starting to move from SIEM, Security Information and Event Management, to EDR, Endpoint Detection and Response. The problem is this may not be the best decision for your organization. These technologies are similar but fundamentally different. This presentation also shares innovating ways to use your SIEM to catch the bad guys as well as learn some simple tricks for easing the burden of SIEM management.

EDR vs SIEM - The fight is on

Justin Henderson

Carlos García - Pentesting Active Directory Forests [rooted2019]

RootedCON

Role of Forensic Triage In Cyber Security Trends 2021

Amrit Chhetri

Application Threat Modeling

Priyanka Aash

ReCertifying Active Directory

Will Schroeder

Threat Modeling Using STRIDE

Girindro Pringgo Digdo

ATT&CK Updates- Defensive ATT&CK

MITRE ATT&CK

Derbycon - The Unintended Risks of Trusting Active Directory

Will Schroeder

Putting MITRE ATT&CK into Action with What You Have, Where You Are

Katie Nickels

Security operations center 5 security controls

AlienVault

Cyberspace is the new battlefield: We’re seeing attacks on civilians and organizations from nation states. Attacks are no longer just against governments or enterprise systems directly. We’re seeing attacks against private property—the mobile devices we carry around everyday, the laptop on our desks—and public infrastructure. What started a decade-and-a-half ago as a sense that there were some teenagers in the basement hacking their way has moved far beyond that. It has morphed into sophisticated international organized crime and, worse, sophisticated nation state attacks. Personnel and resources are limited: According to an annual survey of 620 IT professional across North America and Western Europe from ESG, 51% respondents claim their organization had a problem of shortage of cybersecurity skills—up from 23% in 2014.1 The security landscape is getting more complicated and the stakes are rising, but many enterprises don’t have the resources they need to meet their security needs. Virtually anything can be corrupted: The number of connected devices in 2018 is predict to top 11 billion – not including computers and phones. As we connect virtually everything, anything can be disrupted. Everything from the cloud to the edge needs to be considered and protected

Microsoft Security - New Capabilities In Microsoft 365 E5 Plans

David J Rosenthal

Micro segmentation and zero trust for security and compliance - Guardicore an...

YouAttestSlideshare

What's hot (20)

Demystifying Initial Access in Azure

OWASP Top 10 2021 What's New

MITRE ATT&CK framework

Cybersecurity Basics - Aravindr.com

SOME ve SOC Ekipleri İçin Açık Kaynak Çözümler

10 Adımda Sızma Testleri

Mapping ATT&CK Techniques to ENGAGE Activities

Cloud App Security Customer Presentation.pdf

EDR vs SIEM - The fight is on

Carlos García - Pentesting Active Directory Forests [rooted2019]

Role of Forensic Triage In Cyber Security Trends 2021

Application Threat Modeling

ReCertifying Active Directory

Threat Modeling Using STRIDE

ATT&CK Updates- Defensive ATT&CK

Derbycon - The Unintended Risks of Trusting Active Directory

Putting MITRE ATT&CK into Action with What You Have, Where You Are

Security operations center 5 security controls

Microsoft Security - New Capabilities In Microsoft 365 E5 Plans

Micro segmentation and zero trust for security and compliance - Guardicore an...

Similar to The presentation on my "Shadow Admins" research

Shadow admins

Lavi Lazarovitz

You wouldn’t leave the front or back door of your house unlocked and wide open, would you? Then why aren’t you as diligent with your work environment? Idle permissions and forgotten accounts – which often aren’t cleaned up – are two key areas ripe for compromise in your identity system. Learn how: - An attacker can use back doors into your Active Directory environment to gain access to your systems, applications, and confidential information. - Having your administrators make a few minor changes, can increase your security footprint and lower your attack surface. Session Outcomes: - Learn 5 free methods to secure your Active Directory. - Deploy validated and tested policies that enhance your security footprint. - Identify and define privileged groups in your organization.

Secure active directory in one day without spending a single dollar

David Rowe

Escalation defenses ad guardrails every company should deploy

David Rowe

Is the door to your active directory wide open and unsecure

David Rowe

UNIT 6-EXPLAINING THE ROLE OF THE NETWORK ADMINISTRATOR AND SUPPORT.pptx

LeahRachael

Owasp web security

Pankaj Kumar Sharma

Windows Server 2012 Managing Active Directory Domain

Napoleon NV

Hunting for Privilege Escalation in Windows Environment

Teymur Kheirkhabarov

Secure Active Directory in one Day Without Spending a Single Dollar

David Rowe

CHAPTER 26 WINDOWS SECURITY 26.1 FUNDAMENTAL

EstelaJeffery653

User id installation and configuration

Alberto Rivai

Practical Red Teaming is a hands-on class designed to teach participants with various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer’s perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems. We will cover several phases of a Red Team engagement in depth – Local Privilege escalation, Domain Enumeration, Admin Recon, Lateral movement, Domain Admin privileges etc. If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you. Topics : • Red Team philosophy/overview • Red Teaming vs Penetration Testing • Active Directory Fundamentals – Forests, Domains, OU’s etc • Assume Breach Methodology • Insider Attack Simulation • Introduction to PowerShell • Initial access methods • Privilege escalation methods through abuse of misconfigurations • Domain Enumeration • Lateral Movement and Pivoting • Single sign-on in Active Directory • Abusing built-in functionality for code execution • Credential Replay • Domain privileges abuse • Dumping System and Domain Secrets • Kerberos – Basics and its Fundamentals • Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc) https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/

BSides SG Practical Red Teaming Workshop

Ajay Choudhary

Catch the full webinar at: https://www.beyondtrust.com/resources/webinar/managing-unix-accounts-todays-complex-world-stop-shadow-efficient/ In this presentation from his webinar, InfoSec expert consultant and CISO, Chris Ray, shares his experiences for identifying the potential pitfalls both Unix Administrators and Security teams face when managing user accounts across multiple Unix environments. Tune in to get insights into: •Regulatory requirements to watch for; •What works and what doesn’t work with “sudo”; •Strategies to lessen the audit impact to Unix administrators; and •Tips for getting executive buy-in for what you need fixed.

Managing Unix Accounts in Today's Complex World: Stop the Shadow IT and Be Mo...

BeyondTrust

Dynamics CRM Harsha PPT

Harsha T

by Roy Feintuch, Dome9 Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management, our popular Threat Detection and Remediation day Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.

The Perimeter Is Dead

Amazon Web Services

Cis controls v8_guide (1)

MHumaamAl

Today there are more privileged users than ever before. Providing access is not optional it is a business necessity. But how do you avoid excessive access? Providing the right access at the right time is the formula for reducing your risk and securing a world of data. At FedEx empowering the right people at the right time is not only good business, but it's also good security. For more information on Security, please visit: http://cainc.to/CAW17-Security

Case Study: Privileged Access in a World on Time

CA Technologies

Creating a fortress in your active directory environment

David Rowe

Ceh v5 module 04 enumeration

Vi Tính Hoàng Nam

IT103Microsoft Windows XP/OS Chap13

blusmurfydot1

Recently uploaded

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Top 10 Most Downloaded Games on Play Store in 2024

SynarionITSolutions

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Increase engagement and revenue with Muvi Live Paywall! In this presentation, we will explore the five key benefits of using Muvi Live Paywall to monetize your live streams. You'll learn how Muvi Live Paywall can help you: Monetize your live content easily: Set up pay-per-view access to your live streams and start generating revenue from your content. Increase audience engagement: Provide exclusive, premium content behind the paywall to keep your viewers engaged. Gain valuable viewer insights: Track viewer data and analytics to better understand your audience and tailor your content accordingly. Reduce content piracy: Muvi Live Paywall's security features help protect your content from unauthorized distribution. Streamline your workflow: The all-in-one platform simplifies the process of managing and monetizing your live streams. With Muvi Live Paywall, you can take control of your live stream monetization and create a sustainable business model for your content. Learn more about Muvi Live Paywall and start generating revenue from your live streams today!

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Roshan Dwivedi

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Recently uploaded (20)

Why Teams call analytics are critical to your entire business

Top 10 Most Downloaded Games on Play Store in 2024

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Data Cloud, More than a CDP by Matt Robison

MINDCTI Revenue Release Quarter One 2024

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Boost Fertility New Invention Ups Success Rates.pdf

Partners Life - Insurer Innovation Award 2024

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Exploring the Future Potential of AI-Enabled Smartphone Processors

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Boost PC performance: How more available memory can improve productivity

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Tata AIG General Insurance Company - Insurer Innovation Award 2024

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

The presentation on my "Shadow Admins" research

1. Lavi Lazarovitz Security Research Team Lead Asaf Hecht Security Researcher Shadow Admins

2. Shadow Admins: Underground Accounts That Undermine The Network Admin A Privileged Accounts Admin B Shadow Admin

3. Shadow Admins: Underground Accounts That Undermine The Network Industry Standards SHADOW ADMIN

4. Shadow Admins: Underground Accounts That Undermine The Network Industry Standards Privileged account An information system account with authorizations of a privileged user Privileged user [CNSSI 4009] A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform

5. Shadow Admins: Underground Accounts That Undermine The Network Discovering Privileged Accounts Built-in Admin Groups Active Directory Shadow Admins C: NET GROUPS /Domain _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ * Enterprise Admins * Domain Admins * Account Operators * Schema Admins C: NET GROUPS /Domain _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ * Administrators_Global * A_Admins_UK * Server_Admins_Local * WS_Admins_Local Organization Defined Groups

6. Shadow Admins: Underground Accounts That Undermine The Network Shadow Admins Name: Shadow Admin D.O.B.: Not part of any privilege group ID #: S-1-5-21-3623812015- 3361044358-30301820-1014 Issued: 08/06/2017 Expires: NEVER IDENTIFICATION CARD Shadow Admin has Direct Privilege Permissions!

7. Shadow Admins: Underground Accounts That Undermine The Network Permissions and ACLs - on directories READ ONLY SYSTEM Administrators User1 Guest FULL CONTROL READ & WRITE

8. Shadow Admins: Underground Accounts That Undermine The Network Permissions and ACLs - in Active Directory SYSTEM Enterprise Admins Domain Admins Authenticated Users User1 User2 ACLAD Objects Groups Domain root Containers GPOs FULL CONTROL CREATE CHILD OBJECTS DELETE CHILD OBJECTS CHANGE PASSWORD READ ONLY READ ONLY READ ONLY CHANGE PASSWORD

9. LET’S SEE IT

10. Shadow Admins: Underground Accounts That Undermine The Network Active Directory - Object tree and ACL

11. Shadow Admins: Underground Accounts That Undermine The Network Active Directory - Object tree and ACL

12. Shadow Admins: Underground Accounts That Undermine The Network Group assignment: Direct assignment: Direct vs Group ACL Assignment

13. Shadow Admins: Underground Accounts That Undermine The Network Direct vs Group ACL Assignment Account Emily has DC Sync permission: Domain and can steal all the passwords: Account Emily has Reset Password permission: on Administrator account Administrator account:

14. Shadow Admins: Underground Accounts That Undermine The Network Privilege Escalation The Red Side Scenarios Persistence

15. Shadow Admins: Underground Accounts That Undermine The Network C: NET LOCALGROUP _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ * Administrators ** Load and unload device drivers ** Manage Auditing and security logs * Remote Desktop Users ** Allow logon through remote desktop services User Rights - Local Privileged Accounts

16. WATCH THE USER RIGHTS

17. Shadow Admins: Underground Accounts That Undermine The Network Local User Rights

18. Shadow Admins: Underground Accounts That Undermine The Network User Rights Attack

19. Shadow Admins: Underground Accounts That Undermine The Network Our Free Tool - ACLight - Shadow Admin Scanner PowerShell GitHub Automatic

20. SHADOW ADMIN SCANNER

21. Shadow Admins: Underground Accounts That Undermine The Network Privilege ACL Scanner - Results

22. Shadow Admins: Underground Accounts That Undermine The Network Privilege ACL Scanner - Results Full CSV output – every account and its privileged permission:

23. Shadow Admins: Underground Accounts That Undermine The Network Light In The Shadows Domain Groups Shadow Admins Local Groups

24. Shadow Admins: Underground Accounts That Undermine The Network Download & Run Free: https://github.com/CyberArkLabs/ACLight Lavi.Lazarovitz@cyberark.com, @LaviLazarovitz Asaf.Hecht@cyberark.com, @Hechtov

25. Shadow Admins: Underground Accounts That Undermine The Network Actionable Takeaways KNOW all your privileged accounts in the network: • By group assignments • By ACLs analysis of the Active Directory HOW: • Scan your network for Shadow Admins - who have sensitive direct permissions • Use our free privileged ACLs scanning tool: https://github.com/CyberArkLabs/ACLight SECURE those new detected privileged accounts!

The presentation on my "Shadow Admins" research

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to The presentation on my "Shadow Admins" research

Similar to The presentation on my "Shadow Admins" research (20)

Recently uploaded

Recently uploaded (20)

The presentation on my "Shadow Admins" research