Presented at BlueTeamCon 2023
*Attacker pops a workstation on your domain*
*Attacker establishes her foothold and local persistence*
*Attacker begins recon of AD, starting with Domain Admins*
ERROR: The group name could not be found.
Attacker, with a disconcerted look on her face: "Dude, where's my Domain Admins?"
Killchains that involve AD usually involve enumeration of highly-privileged accounts: members of Domain/Enterprise/Builtin Admins, Server Operators, etc. Those groups and their members can be enumerated in AD by default, exposing members as targets of exploitation to obtain those privileges. However, there's a way to use in-the-box AD capabilities to thwart these attempts. Using List Object mode, implicit deny, and AdminSDHolder/SDProp, AD defenders can hide these principals from unprivileged users. In this talk, I'll walk you through the principles, process, and pitfalls, so you can raise the bar on your AD defenses without blowing things up.
Dude, Where’s My Domain Admins?
Making AD recon and privilege escalation more difficult for attackers
Joel M. Leo, MCSE: SI/CP&I, MC: ASAE, CISSP, SEI
SAP
Prior work: Andy Robbins, “An ACE Up the Sleeve” (2017); Jonas Knudson & Alexander Schmitt, Troopers (the previous June).
This talk describes a tactic we can use to make life a little harder for attackers in our Active Directory environments. Once it is implemented, attackers have a more difficult time identifying highly privileged users in AD, which makes their choice of targets more difficult.
95% of the Fortune 500 use AD.
86% of breaches in the Verizon Data Breach Investigations Report (DBIR) 2023 involved stolen credentials for initial access.
We raise the bar on our AD security to trip attackers up and stand a better chance of detecting them before they cause more damage.
Explain why this is a problem.
The quote comes from Douglas Adams’ “The Restaurant at the End of the Universe”.
Describe the kill chain, where this problem comes in, and then where the solution comes in.
Call out that the only forest-wide change is enabling List Object mode. Everything else (ACL changes, AdminSDHolder, SDProp) is done per domain.
Help set a baseline understanding of the technologies involved.
ACL management in AD is… complicated. The default tools (Active Directory Users and Computers, Active Directory Sites and Services, etc.) are scandalously bad for this sort of thing: you can’t even see the Security tab under which ACLs are listed without turning on “Advanced Features.” The ActiveDirectory module for PowerShell isn’t much better.
Access right abbreviations used on the slides (the same letters SDDL uses): RC = Read Control, LC = List Contents (list children), RP = Read Properties, LO = List Object.
The first graphic shows the advanced security view before List Object mode is enabled, and the second shows the same view after List Object mode is enabled (the List Object right only appears in the UI once the mode is on). Good to mention that you have to enable “Advanced Features” before you can even see the Security tab in ADUC.
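Because the GUI hides these rights so well, it helps to pull them out of the DACL directly. The following is an added example, not code from the talk: it reads an object's DACL through the ActiveDirectory module's AD: drive and reports which of RC/LC/RP/LO each low-privilege principal holds, which is exactly what decides whether a workstation user can see a protected object. It assumes the RSAT ActiveDirectory module is installed and the session is domain-joined; the function name `Get-AdListRights` and the default principal list are my choices.

```powershell
# Added example (not from the talk). Assumes the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

# Map the talk's abbreviations to the .NET ActiveDirectoryRights bits.
# GenericRead (0x20094) contains all four bits, so a -band test catches it too.
$rightMap = [ordered]@{
    RC = [System.DirectoryServices.ActiveDirectoryRights]::ReadControl    # 0x20000
    LC = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren   # 0x4
    RP = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty   # 0x10
    LO = [System.DirectoryServices.ActiveDirectoryRights]::ListObject     # 0x80
}

function Get-AdListRights {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Principals an attacker on an ordinary domain workstation is a member of (assumed default list)
        [string[]] $Principals = @('Everyone', 'Authenticated Users', 'Pre-Windows 2000 Compatible Access')
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # IdentityReference looks like 'NT AUTHORITY\Authenticated Users' or just 'Everyone'
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($Principals -notcontains $name) { continue }
        $granted = foreach ($abbr in $rightMap.Keys) {
            if (($ace.ActiveDirectoryRights -band $rightMap[$abbr]) -eq $rightMap[$abbr]) { $abbr }
        }
        [pscustomobject]@{
            Object     = $DistinguishedName
            Principal  = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType      # Allow / Deny
            Inherited  = $ace.IsInherited
            # Empty GUID = applies to the whole object; otherwise a property/property set (scoped RP)
            ObjectType = $ace.ObjectType
            ListRights = ($granted -join ',')
        }
    }
}

# Usage: audit the template that SDProp stamps onto every protected object.
$domainDn = (Get-ADDomain).DistinguishedName
Get-AdListRights -DistinguishedName "CN=AdminSDHolder,CN=System,$domainDn" | Format-Table -AutoSize
```

Any Allow ACE for these principals that carries LC or LO (or RP/RC, which on their own still let a search return the object's attributes) is a grant you must remove, not override with a Deny, if you want the "implicit deny" the talk relies on. Run it against the Users container and the OUs that hold admin accounts as well, because the parent's LC grant short-circuits the List Object check.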
The default operational mode is “List Children.” List Object mode is turned on with the 3rd character of the dSHeuristics attribute (fDoListObject) on CN=Directory Service,CN=Windows NT,CN=Services in the configuration NC. dSHeuristics also controls ANR behaviour (characters 1 and 2), blocking anonymous LDAP operations (7th character), which groups are “protected groups” (dwAdminSDExMask, 16th character), some AD LDS functionality, and more, so overwrite the whole string with care.
Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=internal,DC=lab" -Properties * | Format-Table dSHeuristics
Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=internal,DC=lab" | Set-ADObject -Add @{dSHeuristics='001'}
The -Add form only works when the attribute is not yet set; to update an existing value, use the -Remove or -Replace flags on Set-ADObject.
Manually running SDProp means writing the rootDSE operational attribute on the PDC emulator: fixupInheritance on Server 2008 and earlier, RunProtectAdminGroupsTask on Server 2008 R2 and later.
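Because `-Add @{dSHeuristics='001'}` assumes the attribute is empty and a plain `-Replace` would wipe any other heuristics already set, the following added example (mine, not the talk's) edits one character position in place, keeps the spec's checksum digits intact, and then kicks SDProp on the PDC emulator so the AdminSDHolder ACL lands on the protected objects without waiting for the 60-minute cycle. It assumes the ActiveDirectory module, Enterprise Admin rights for the configuration-NC write, and Domain Admin rights for the rootDSE write; the function names `Set-DsHeuristicsChar` and `Invoke-SdProp` are my own.

```powershell
# Added example (not from the talk). Assumes the RSAT ActiveDirectory module and sufficient rights.
Import-Module ActiveDirectory

$dsaDn = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

function Set-DsHeuristicsChar {
    # Set one 1-based character position of dSHeuristics, preserving every other position.
    param(
        [Parameter(Mandatory)] [ValidateRange(1, 30)] [int] $Position,
        [Parameter(Mandatory)] [char] $Value
    )
    $current = [string](Get-ADObject -Identity $dsaDn -Properties dSHeuristics).dSHeuristics
    # Pad with '0' (the "not set" value) out to the position we need.
    $chars = $current.PadRight([Math]::Max($current.Length, $Position), '0').ToCharArray()
    $chars[$Position - 1] = $Value
    # MS-ADTS 6.1.1.2.4.1.2: every 10th character must equal its position divided by 10 ('1', '2', ...).
    for ($i = 10; $i -le $chars.Length; $i += 10) { $chars[$i - 1] = [char]([string]($i / 10)) }
    $new = -join $chars
    Set-ADObject -Identity $dsaDn -Replace @{dSHeuristics = $new}
    # Read back and return what the DC actually stored.
    return (Get-ADObject -Identity $dsaDn -Properties dSHeuristics).dSHeuristics
}

function Invoke-SdProp {
    # SDProp only runs on the PDC emulator, so the operational-attribute write must go there.
    param(
        [string] $Server = (Get-ADDomain).PDCEmulator,
        # 'fixupInheritance' on Server 2008 and earlier; 'RunProtectAdminGroupsTask' on 2008 R2 and later
        [string] $Attribute = 'RunProtectAdminGroupsTask'
    )
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $rootDse.Put($Attribute, '1')
    $rootDse.SetInfo()
}

# 3rd character = fDoListObject. '1' turns List Object mode on forest-wide; '0' reverts to List Children.
Set-DsHeuristicsChar -Position 3 -Value '1'    # e.g. '' -> '001', '0000000001' -> '0010000001'

# After adjusting the AdminSDHolder ACL in each domain, push it to the protected objects now.
Invoke-SdProp
```

The dSHeuristics write is a single forest-wide change and replicates like any other configuration-NC write, so allow for replication latency before testing visibility against a DC other than the one you wrote to. `Invoke-SdProp` has to be repeated per domain, each time against that domain's PDC emulator.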
Enumeration methods used to verify the hiding works:
- net group
- WMIC
- dsquery / dsget
- the [adsisearcher] type accelerator
- PowerView recon modules
- from a trusted domain’s administrator account
- .NET calls from the System.DirectoryServices.AccountManagement namespace
- LDAP
- RPC
- Impacket (the second screenshot shows the account once it is no longer hidden)
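To make that verification repeatable instead of a set of screenshots, here is an added example (mine, not the talk's) that runs three of the enumeration paths above (the ADWS cmdlets, a raw LDAP search via DirectoryEntry/DirectorySearcher, and the AccountManagement namespace) with a low-privilege test account's credentials and reports which path can still see the group. It assumes the ActiveDirectory module and a test account that is NOT a member of whatever group you granted List Object on the hidden objects; the function name `Test-HiddenGroup` is my own.

```powershell
# Added example (not from the talk). Assumes the RSAT ActiveDirectory module and a low-privilege test user.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-HiddenGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,          # e.g. 'Domain Admins'
        [Parameter(Mandatory)] [pscredential] $Credential,   # the low-privilege test user
        [string] $Domain = (Get-ADDomain).DNSRoot
    )
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    $results = [ordered]@{ Group = $GroupName; TestUser = $user }

    # 1. ADWS via the ActiveDirectory module (what most admins and many scripts use)
    try {
        $g = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $Domain -Credential $Credential
        $results['Get-ADGroup'] = [bool]$g
    } catch { $results['Get-ADGroup'] = "error: $($_.Exception.Message)" }

    # 2. Raw LDAP search bound as the test user (same path [adsisearcher] and PowerView take)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain", $user, $pass)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=group)(cn=$GroupName))"
    $results['LDAP'] = [bool]$searcher.FindOne()

    # 3. System.DirectoryServices.AccountManagement
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain, $user, $pass)
    $p = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $GroupName)
    $results['AccountManagement'] = [bool]$p

    # 4. Lookup by well-known SID, the way SharpHound-style ingestors locate the admin groups.
    #    RID 512 = Domain Admins; the check is whether the object can be *seen*, not whether the SID exists.
    if ($GroupName -eq 'Domain Admins') {
        $sid = "$((Get-ADDomain -Server $Domain).DomainSID.Value)-512"
        $searcher.Filter = "(objectSid=$sid)"
        $results['LDAP-by-SID'] = [bool]$searcher.FindOne()
    }

    [pscustomobject]$results
}

# Usage: every value should be $false once the group is hidden. Run it against a group you did
# NOT hide (e.g. 'Domain Users') as a control so a broken bind is not mistaken for a successful hide.
$cred = Get-Credential -Message 'Low-privilege test account (DOMAIN\user)'
Test-HiddenGroup -GroupName 'Domain Admins' -Credential $cred
Test-HiddenGroup -GroupName 'Domain Users'  -Credential $cred
```

net group and WMIC run in the caller's own token rather than with supplied credentials, so test those two interactively from a session logged on as the test user (or with runas), and remember that the list on the slide also includes a trusted domain's administrator: the hide is only as good as the ACLs the trusting domain honours for that principal.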
Good to mention Theoden’s situation: at this moment he was controlled by Saruman, and Gandalf was able to cast Saruman out of Theoden’s mind and bring him back to his senses. In our scenario the attacker is Gandalf and the defender is Theoden; the lesson is that our security win through List Object mode could be temporary.
The Azure AD Connect sync account would be a good example of a service account worth hiding: it holds DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, i.e. DCSync rights.
Note that the ACLs need to be adjusted appropriately for each case. AdminSDHolder isn’t appropriate for everything, because it only applies to protected accounts and stamps one fixed ACL on all of them.
Use the mimikatz example. Popping a machine with a Domain Admin logged in means mimikatz can scrape those credentials regardless of what the attacker can enumerate. Also, hiding an object does not change its SID, so an attacker who knows a well-known or previously observed SID can inject it into a ticket with mimikatz, Rubeus, etc. even though they can’t enumerate the object; this is the same reason the domain is not the security boundary.
For the final bullet, use the example of BloodHound back in 2020. SharpHound would query the domain for the existence of the BUILTIN\Administrators group and would exit if it couldn’t find it. I chatted with @cptjesus, who updated SharpHound to query for the domain object instead, after which the ingestor began working in the environment in which I was testing.
Another example is the application that queried for its own service account to determine whether it was connected to AD. When the service account was hidden, the app began failing until the service account was added to the group that is granted permission to enumerate the hidden objects.
1. BloodHound automatically labels the BUILTIN\Administrators group: https://github.com/BloodHoundAD/SharpHoundCommon/blob/1bcf1a8ac05206a265e514345bcfadef18d948ef/src/CommonLib/WellKnownPrincipal.cs#L52
2. BloodHound: RID 512 is Domain Admins and RID 519 is Enterprise Admins, so tooling can name those groups from the domain SID alone without ever listing them.
3. nmap: still enumerates the Administrator account.
4. enum4linux: most of its queries don’t list hidden objects, but this one does. None of the groups’ memberships were enumerated, though.
The more an attacker has to work to identify their targets, the higher the likelihood they’ll be detected.