SlideShare a Scribd company logo

The Unintended Risks of Trusting Active Directory

Will Schroeder
Will Schroeder

This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.

Internet
1 of 46
Download to read offline
The Unintended Risks of Trusting Active Directory
@harmj0y Red teamer and offensive engineer at SpecterOps Adaptive Threat Division alumni Avid blogger (http://harmj0y.net) Co-founder of Empire, BloodHound, Veil-Framework 2
@tifkin_ Red teamer, hunter, and researcher at SpecterOps Adaptive Threat Division alumni Forever going after shiny things Contributor to various projects/blog posts 3
@enigma0x3 Red teamer and security researcher at SpecterOps Adaptive Threat Division alumni Avid blogger (https://enigma0x3.net/), COM lover, CVE holder 4
“As an offensive researcher, if you can dream it, someone has likely already done it...and that someone isn’t the kind of person who speaks at security cons.” 5 Matt Graeber “Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor” BlackHat 2015
What is “Admin Access” ? Hint: it’s more complicated than just “local administrators”! 6
The “True” Nature of Administrative Access ▪ Controversial statement: membership in a system’s local administrators group isn’t what ultimately matters! ▪ What actually matters is what local/domain groups have access to specific remote resources (RPC, remote reg, WMI, SQL, etc.) based on the host service’s security descriptors 7
8 CIFS Remote Registry WinRM SCM WMI RPC :) SD SD “LOCAL Administrators” GENERIC_ALL “DOMAINuser” SC_MANAGER_C REATE_SERVICE Etc. SD SD SD SD
Wait, Security Descriptors? ACLs? What are Those and Why Should I Care? 9
Security descriptors are the Windows mechanism to control authenticated access to resources, or “securable objects” 10 PS: lots of caveats here :)
What Is a “Securable Object”? Why, a Windows object that can have a security descriptor, of course! 11
SECURITY_DESCRIPTOR 12https://msdn.microsoft.com/en-us/library/windows/hardware/ff556610(v=vs.85).aspx
From ACLs to DACLs to SACLs ▪ An Access Control List (ACL) is basically shorthand for the DACL/SACL superset ▪ An object’s Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs) ▫ DACL - What principals/trustees have what rights over the object ▫ The SACL - Specifies how to audit access to the object 13
14
tl;dr ▪ Security descriptors are just the mechanism that Windows uses to define what users (principals) can perform what actions on a specific object, either in Active Directory or on the host ▫ When access is requested, some process enumerates the effective security identifiers (SIDs) of the requestor, compares them to the information in the DACL, and decides whether to grant access 15
OK, That’s “Cool” but Why Should I Care, Really? 16
Why Care? ▪ It’s often difficult to determine whether a specific security descriptor misconfiguration was set maliciously or configured by accident ▫ Existing misconfigurations: privesc opportunities ▫ Malicious misconfiguration changes: persistence! ▪ These changes often have a minimal forensic footprint ▪ Most defenders are not aware of this general persistence approach, much less how to find and remediate it ▫ Nor are they aware of existing misconfigurations that affect privesc... 17
Host-based Security Descriptors More than just the service control manager yo’
Discovering Host Securable Objects ▪ Windows documentation lists about 20-30 securable objects* ▪ We’ve identified 70+! (There are *many* more) ▪ Microsoft Protocol Specifications ▫ Very useful for RPC servers! ▪ Find-RegistrySecurityDescriptors.ps1 19*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx
20
Online vs Offline Security Descriptors ▪ Where do objects get their security descriptor? ▫ Offline - Security descriptor derived from registry, file, etc. ▫ Online - Security descriptor is in memory ▪ Our approach for enumeration: ▫ Locally as an unprivileged user ▫ Locally as a privileged user ▫ Remotely as an unprivileged user ▫ Remotely as a privileged user 21
Example: Remote Registry ▪ Imagine this scenario: remotely dumping an endpoint’s machine account hash as an “unprivileged” user (i.e. not in local admins)! ▪ Backdoor Process ▫ Remotely backdoor the winreg key with an attacker- controlled user/group (this key == remote registry access) ▫ Add malicious ACEs to the SECURITY and SYSTEM hives 22
Example: Remote Registry ▪ (Remote) Backdoor Execution ▫ As the backdoor (domain or local) user, connect to the remote registry service on the backdoored system ▫ Open up specific reg keys linked to LSA and extract their classes ▫ Combine these class values and compute the BootKey ▫ Use the BootKey to decrypt the LSA key ▫ Use the LSA key to decrypt the machine account hash! ▫ EVERYONE GETS A SILVER TICKET!! 23
Active Directory Security Descriptors Everything needs an access control model, even AD
Active Directory ACL Advantages 25 ▪ A big advantage: by default the DACLs for nearly every AD object can be enumerated by any authenticated user in the domain through LDAP! ▪ Other advantages of AD ACLs: ▫ Changes also have a minimal forensic footprint ▫ Changes often survive OS and domain functional level upgrades, i.e. “misconfiguration debt” ▫ Anti-audit measures can be taken!
26 Security Descriptors: AD GUI Edition
Generic Rights We Care About 27 GenericAll Allows ALL generic rights to the specified object GenericWrite Allows for the modification of (almost) all properties on a specified object WriteDacl Grants the ability to modify the DACL in the object security descriptor WriteOwner Grants the ability to take ownership of the object
Object-specific Rights We Care About 28 Users User-Force-Change-Password or write to the servicePrincipalName Groups Write to the member property Computers None outside of LAPS :( GPOs Modification of GPC-File-Sys-Path Domains WriteDacl to add DCSync rights
Example: Abusing Exchange ▪ Exchange Server introduces several schema changes, new nested security groups, and MANY control relationships to Active Directory, making it a perfect spot to blend in amongst the noise! ▪ Pre Exchange Server 2007 SP1, this included the WriteDACL privilege against the domain object itself with Exchange Trusted Subsystem as the principal 29
Example: Abusing Exchange ▪ Backdoor Process ▫ Identify a non-protected security group with local admin rights on one or more Exchange servers ▫ Grant Authenticated Users full control over this security group ▫ Change the owner of the group to an Exchange server ▫ Deny Read Permissions on this group to the Everyone principal 30
Example: Abusing Exchange ▪ Backdoor Execution ▫ Regain access to the Active Directory domain as any user ▫ Add your current user to the backdoored security group ▫ Use your new local admin rights on an Exchange server to execute commands as the SYSTEM user on that computer ▫ Abuse the rights Exchange Trusted Subsystem has over the domain object (i.e. WriteDacl!) ▫ More information: http://bit.ly/2IIK3K3 31
Active Directory + Host ACL Abuse Plugging the Gaps in Attack Chains
▪ Prior to joining active directory, the host is in ultimate control of who can access its resources ▪ After a machine is joined to AD, a few things happen: ▫ The machine is no longer solely in charge of authentication ▫ A portion of key material for the host is stored in another location (machine account hash in ntds.dit) ▫ Default domain group SIDs are added to local groups ▫ Management is no longer solely left to the host (i.e. GPOs :) “Risks” Of Joining Active Directory 33
Active Directory: Before and After 34 Workgroup Active Directory Security Principals Local users/groups + Domain users/groups Access/Permission Management Host-based Security Descriptors + Default domain groups added to local groups Authentication NTLM (SAM) + Kerberos/NTLM (NTDS) Resource Administration Manual + GPOs
Active Directory: Before and After 35 DCOM Service Administrators admin DOMAINDomain Admins Distributed COM Users DOMAINsrvcacct DOMAINjohnDOMAINsrvadms DOMAINlee
The “Actual” Attack Graph ▪ BloodHound doesn’t (currently) take host based security descriptors into account ▪ The actual access graph that exists in a domain includes the security descriptors for every remotely accessible service on every host + AD descriptors ▫ Includes “unrolling” groups… this may not be (currently) realistically possible to model in large environments ¯_(ツ)_/¯ 36
Security Implications ▪ Host-based security descriptors are the missing link when thinking about domain attack graphs! ▪ There ARE existing misconfigurations in the security descriptors in some host-based services! ▫ More to come this summer, stay tuned :) ▪ Host-based security descriptor modifications can be chained with AD misconfigurations/modifications ▪ “Fills the gap” left by the lack of an AD ACL computer primitive 37
tl;dr Security Implications of Joining Active Directory ▪ When you join a system to Active Directory, you’re introducing additional nodes into the access graph that may affect the security of other systems ▪ You’re also implicitly trusting the security of a large number of other nodes in the graph as well ▫ You’re almost certainly exposing your system’s services to more access than you realize! 38
Case Study #1 Picking on Exchange Again :)
Case Study: Exchanging Rights ▪ We saw before that the Exchange Trusted Subsystem group (which contains Exchange servers) often has a huge number of rights over the domain ▪ So let’s integrate the remote registry host-based backdoor on an Exchange box! ▫ No changes to the DC or any AD data ▫ Takes advantage of existing misconfigurations! 40
[DEMO] 41
Case Study #2 Abusing Existing Misconfigurations
Case Study: Abusing Existing Misconfigurations ▪ GPOs set lots of interesting settings! ▫ They can even set host-based security descriptors: ) ▫ Imagine one that modifies the security descriptor for SCM ▪ We can also easily correlate GPOs to find what systems they apply to ▪ What happens if the group SID set for the descriptor via GPO, after unrolling, contains a service account... 43
44 [DEMO]
45 Summary ▪ Access is more than just “local administrators” ! ▪ You should really care about security descriptors! ▪ Host based security descriptors (accidentally misconfigured or maliciously backdoored) can have far- reaching implications for the security of other systems in the domain!
46 Questions? You can find us at @SpecterOps: ▪ @harmj0y , @tifkin_ , @enigma0x3 ▪ [will,lee,matt]@specterops.io

Recommended

An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 

Recommended

An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the SleeveWill Schroeder
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration TestingCheah Eng Soon
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"Will Schroeder
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys AdminsWill Schroeder
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teamingn|u - The Open Security Community
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax
 

More Related Content

What's hot

(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration TestingCheah Eng Soon
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 

What's hot (20)

(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 

Similar to The Unintended Risks of Trusting Active Directory

DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot
 
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Mary Racter
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud SecurityMongoDB
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environmentDavid Rowe
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksYossi Sassi
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMApostolos Giannakidis
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack AzureAbdul Khan
 
Dev buchan everything you need to know about agent design
Dev buchan everything you need to know about agent designDev buchan everything you need to know about agent design
Dev buchan everything you need to know about agent designBill Buchan
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyAmazon Web Services
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access darkRoyce Davis
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
Presentation anatomy of a database attack
Presentation anatomy of a database attackPresentation anatomy of a database attack
Presentation anatomy of a database attackxKinAnx
 
ppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdfppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdfcamyla81
 

Similar to The Unintended Risks of Trusting Active Directory (20)

Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
 
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud Security
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environment
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applications
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure
 
Dev buchan everything you need to know about agent design
Dev buchan everything you need to know about agent designDev buchan everything you need to know about agent design
Dev buchan everything you need to know about agent design
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
Presentation anatomy of a database attack
Presentation anatomy of a database attackPresentation anatomy of a database attack
Presentation anatomy of a database attack
 
ppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdfppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdf
 

More from Will Schroeder

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfWill Schroeder
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conWill Schroeder
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with PythonWill Schroeder
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have MissedWill Schroeder
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsWill Schroeder
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 

More from Will Schroeder (17)

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 

Recently uploaded

Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Delhi Call girls
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...tanu pandey
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.CarlotaBedoya1
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.soniya singh
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 

Recently uploaded (20)

Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 

The Unintended Risks of Trusting Active Directory

  • 1. The Unintended Risks of Trusting Active Directory
  • 2. @harmj0y Red teamer and offensive engineer at SpecterOps Adaptive Threat Division alumni Avid blogger (http://harmj0y.net) Co-founder of Empire, BloodHound, Veil-Framework 2
  • 3. @tifkin_ Red teamer, hunter, and researcher at SpecterOps Adaptive Threat Division alumni Forever going after shiny things Contributor to various projects/blog posts 3
  • 4. @enigma0x3 Red teamer and security researcher at SpecterOps Adaptive Threat Division alumni Avid blogger (https://enigma0x3.net/), COM lover, CVE holder 4
  • 5. “As an offensive researcher, if you can dream it, someone has likely already done it...and that someone isn’t the kind of person who speaks at security cons.” 5 Matt Graeber “Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor” BlackHat 2015
  • 6. What is “Admin Access” ? Hint: it’s more complicated than just “local administrators”! 6
  • 7. The “True” Nature of Administrative Access ▪ Controversial statement: membership in a system’s local administrators group isn’t what ultimately matters! ▪ What actually matters is what local/domain groups have access to specific remote resources (RPC, remote reg, WMI, SQL, etc.) based on the host service’s security descriptors 7
  • 9. Wait, Security Descriptors? ACLs? What are Those and Why Should I Care? 9
  • 10. Security descriptors are the Windows mechanism to control authenticated access to resources, or “securable objects” 10 PS: lots of caveats here :)
  • 11. What Is a “Securable Object”? Why, a Windows object that can have a security descriptor, of course! 11
  • 13. From ACLs to DACLs to SACLs ▪ An Access Control List (ACL) is basically shorthand for the DACL/SACL superset ▪ An object’s Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs) ▫ DACL - What principals/trustees have what rights over the object ▫ The SACL - Specifies how to audit access to the object 13
  • 14. 14
  • 15. tl;dr ▪ Security descriptors are just the mechanism that Windows uses to define what users (principals) can perform what actions on a specific object, either in Active Directory or on the host ▫ When access is requested, some process enumerates the effective security identifiers (SIDs) of the requestor, compares them to the information in the DACL, and decides whether to grant access 15
  • 16. OK, That’s “Cool” but Why Should I Care, Really? 16
  • 17. Why Care? ▪ It’s often difficult to determine whether a specific security descriptor misconfiguration was set maliciously or configured by accident ▫ Existing misconfigurations: privesc opportunities ▫ Malicious misconfiguration changes: persistence! ▪ These changes often have a minimal forensic footprint ▪ Most defenders are not aware of this general persistence approach, much less how to find and remediate it ▫ Nor are they aware of existing misconfigurations that affect privesc... 17
  • 18. Host-based Security Descriptors More than just the service control manager yo’
  • 19. Discovering Host Securable Objects ▪ Windows documentation lists about 20-30 securable objects* ▪ We’ve identified 70+! (There are *many* more) ▪ Microsoft Protocol Specifications ▫ Very useful for RPC servers! ▪ Find-RegistrySecurityDescriptors.ps1 19*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx
  • 20. 20
  • 21. Online vs Offline Security Descriptors ▪ Where do objects get their security descriptor? ▫ Offline - Security descriptor derived from registry, file, etc. ▫ Online - Security descriptor is in memory ▪ Our approach for enumeration: ▫ Locally as an unprivileged user ▫ Locally as a privileged user ▫ Remotely as an unprivileged user ▫ Remotely as a privileged user 21
  • 22. Example: Remote Registry ▪ Imagine this scenario: remotely dumping an endpoint’s machine account hash as an “unprivileged” user (i.e. not in local admins)! ▪ Backdoor Process ▫ Remotely backdoor the winreg key with an attacker- controlled user/group (this key == remote registry access) ▫ Add malicious ACEs to the SECURITY and SYSTEM hives 22
  • 23. Example: Remote Registry ▪ (Remote) Backdoor Execution ▫ As the backdoor (domain or local) user, connect to the remote registry service on the backdoored system ▫ Open up specific reg keys linked to LSA and extract their classes ▫ Combine these class values and compute the BootKey ▫ Use the BootKey to decrypt the LSA key ▫ Use the LSA key to decrypt the machine account hash! ▫ EVERYONE GETS A SILVER TICKET!! 23
  • 24. Active Directory Security Descriptors Everything needs an access control model, even AD
  • 25. Active Directory ACL Advantages 25 ▪ A big advantage: by default the DACLs for nearly every AD object can be enumerated by any authenticated user in the domain through LDAP! ▪ Other advantages of AD ACLs: ▫ Changes also have a minimal forensic footprint ▫ Changes often survive OS and domain functional level upgrades, i.e. “misconfiguration debt” ▫ Anti-audit measures can be taken!
  • 27. Generic Rights We Care About 27 GenericAll Allows ALL generic rights to the specified object GenericWrite Allows for the modification of (almost) all properties on a specified object WriteDacl Grants the ability to modify the DACL in the object security descriptor WriteOwner Grants the ability to take ownership of the object
  • 28. Object-specific Rights We Care About 28 Users User-Force-Change-Password or write to the servicePrincipalName Groups Write to the member property Computers None outside of LAPS :( GPOs Modification of GPC-File-Sys-Path Domains WriteDacl to add DCSync rights
  • 29. Example: Abusing Exchange ▪ Exchange Server introduces several schema changes, new nested security groups, and MANY control relationships to Active Directory, making it a perfect spot to blend in amongst the noise! ▪ Pre Exchange Server 2007 SP1, this included the WriteDACL privilege against the domain object itself with Exchange Trusted Subsystem as the principal 29
  • 30. Example: Abusing Exchange ▪ Backdoor Process ▫ Identify a non-protected security group with local admin rights on one or more Exchange servers ▫ Grant Authenticated Users full control over this security group ▫ Change the owner of the group to an Exchange server ▫ Deny Read Permissions on this group to the Everyone principal 30
  • 31. Example: Abusing Exchange ▪ Backdoor Execution ▫ Regain access to the Active Directory domain as any user ▫ Add your current user to the backdoored security group ▫ Use your new local admin rights on an Exchange server to execute commands as the SYSTEM user on that computer ▫ Abuse the rights Exchange Trusted Subsystem has over the domain object (i.e. WriteDacl!) ▫ More information: http://bit.ly/2IIK3K3 31
  • 32. Active Directory + Host ACL Abuse Plugging the Gaps in Attack Chains
  • 33. ▪ Prior to joining active directory, the host is in ultimate control of who can access its resources ▪ After a machine is joined to AD, a few things happen: ▫ The machine is no longer solely in charge of authentication ▫ A portion of key material for the host is stored in another location (machine account hash in ntds.dit) ▫ Default domain group SIDs are added to local groups ▫ Management is no longer solely left to the host (i.e. GPOs :) “Risks” Of Joining Active Directory 33
  • 34. Active Directory: Before and After 34 Workgroup Active Directory Security Principals Local users/groups + Domain users/groups Access/Permission Management Host-based Security Descriptors + Default domain groups added to local groups Authentication NTLM (SAM) + Kerberos/NTLM (NTDS) Resource Administration Manual + GPOs
  • 35. Active Directory: Before and After 35 DCOM Service Administrators admin DOMAINDomain Admins Distributed COM Users DOMAINsrvcacct DOMAINjohnDOMAINsrvadms DOMAINlee
  • 36. The “Actual” Attack Graph ▪ BloodHound doesn’t (currently) take host based security descriptors into account ▪ The actual access graph that exists in a domain includes the security descriptors for every remotely accessible service on every host + AD descriptors ▫ Includes “unrolling” groups… this may not be (currently) realistically possible to model in large environments ¯_(ツ)_/¯ 36
  • 37. Security Implications ▪ Host-based security descriptors are the missing link when thinking about domain attack graphs! ▪ There ARE existing misconfigurations in the security descriptors in some host-based services! ▫ More to come this summer, stay tuned :) ▪ Host-based security descriptor modifications can be chained with AD misconfigurations/modifications ▪ “Fills the gap” left by the lack of an AD ACL computer primitive 37
  • 38. tl;dr Security Implications of Joining Active Directory ▪ When you join a system to Active Directory, you’re introducing additional nodes into the access graph that may affect the security of other systems ▪ You’re also implicitly trusting the security of a large number of other nodes in the graph as well ▫ You’re almost certainly exposing your system’s services to more access than you realize! 38
  • 39. Case Study #1 Picking on Exchange Again :)
  • 40. Case Study: Exchanging Rights ▪ We saw before that the Exchange Trusted Subsystem group (which contains Exchange servers) often has a huge number of rights over the domain ▪ So let’s integrate the remote registry host-based backdoor on an Exchange box! ▫ No changes to the DC or any AD data ▫ Takes advantage of existing misconfigurations! 40
  • 42. Case Study #2 Abusing Existing Misconfigurations
  • 43. Case Study: Abusing Existing Misconfigurations ▪ GPOs set lots of interesting settings! ▫ They can even set host-based security descriptors: ) ▫ Imagine one that modifies the security descriptor for SCM ▪ We can also easily correlate GPOs to find what systems they apply to ▪ What happens if the group SID set for the descriptor via GPO, after unrolling, contains a service account... 43
  • 45. 45 Summary ▪ Access is more than just “local administrators” ! ▪ You should really care about security descriptors! ▪ Host based security descriptors (accidentally misconfigured or maliciously backdoored) can have far- reaching implications for the security of other systems in the domain!
  • 46. 46 Questions? You can find us at @SpecterOps: ▪ @harmj0y , @tifkin_ , @enigma0x3 ▪ [will,lee,matt]@specterops.io