Dude, Where’s My Domain Admins?
Making AD recon and privilege escalation more difficult for attackers
Joel M. Leo, MCSE: SI/CP&I, MC: ASAE, CISSP, SEI
SAP
BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
Mahalos!
BlueTeamCon folks
@pyrotek3 (Sean Metcalf – Trimarc, adsecurity.org)
@gentilkiwi (Benjamin Delpy – mimikatz and more)
SpecterOps (Bloodhound and more)
@harmj0y
@cptjesus
@_wald0
About Me
• Live and work in Honolulu, Hawaii
• https://www.hawaiicommunityfoundation.org/strengthening/maui-strong-fund
• On the hunt for my next full-time role
• Principal Consultant for Hi Tech Hui - https://www.hitechhui.com
• Consultant for Directory Services Expedited – https://www.dse.team
• PoC for Def Con Groups 808 https://www.dc808.net @defconhawaii
@joelmleo @joelmleo@infosec.exchange
https://www.linkedin.com/in/joelmleo
Problem Statement
What’s the problem Earthman?
Default Active Directory permissions allow any authenticated user to enumerate the entire directory, including security-sensitive principals such as the Domain Admins group.
Killchain
Image credit: Microsoft
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats
Solution TL;DR
Tighten down AD permissions so only privileged principals can enumerate these sensitive identities
Ok, a little more detail:
• ***Plan extensively*** and take a system state backup of a DC!
• Create groups & add members according to plan
• Enable “List Object” mode
• Remove ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group!
• Modify OU/container ACLs
• Modify AdminSDHolder ACL and let SDProp do its thing
Technology Background
• AD DACLs, ACEs, and Implicit Deny
• Generic Read, decomposed
• “List Object mode”
• AdminSDHolder & SDProp
All of these capabilities are already in-the-box with Windows Server since Windows 2000. There are no additional products or licenses required.
AD DACLs, ACEs, and Implicit Deny
• DACL = Discretionary Access Control List - applies to an object to define the object’s set of permissions using ACEs. Not to be confused with SACLs, which are used for auditing access.
• ACE = Access Control Entry – the individual entries listed on a DACL that grant (or deny) a principal permission on the object
AD follows the “implicit deny” model with “access-based enumeration” – if no ACE grants you a permission on something in AD you are implicitly denied it, and an object you cannot read won’t be listed in search results, GUI tools, etc. The one gap is List Contents: by default a principal with List Contents on a container sees the names of every child object regardless of the children’s own DACLs. That gap is what List Object mode closes.
Generic Read Permission
“Generic Read” permission is just the combination of:
• RC – Read Control; read the security descriptor of the object
• LC – List Contents (also called List Children); list the contents of the object
• RP – Read Properties; read the properties/attributes of the object
• LO – List Object; permission to list the object when the parent container’s contents are enumerated
In the raw access mask these are ReadControl 0x20000, ListChildren 0x4, ReadProperty 0x10 and ListObject 0x80; GenericRead is their sum, 0x20094.
These permissions can be separately granted. You see where this is going =)
List Object Mode
Exposes the ‘List Object’ right and enforces it
• When enabled, a principal needs either List Contents on the parent container, or List Object on the parent container AND on the object itself, for the object to be listed when the parent container’s contents are enumerated
• Enabled by setting the third character of dSHeuristics to ‘1’ (that character is fDoListObject in MS-ADTS)
• dSHeuristics is an attribute of CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition of the AD forest
• Affects the whole forest
• Unicode string value that controls many aspects of AD functionality
• Default value is null (the attribute is not set)
• In most environments, when enabled this will read ‘001’
• If the string is NOT empty in your environment, keep the existing characters and replace only the third character from the left with ‘1’ (pad with ‘0’ if the string is shorter than three characters)
• More about dSHeuristics: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
• More about List Object mode: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/4a7705f7-c61e-4020-86a7-41a44fb233e5
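The following PowerShell is an added worked example, not a script from the deck. It reads the forest’s current dSHeuristics value and rewrites only the third character, so any heuristics already set elsewhere in the string survive, and it removes Authenticated Users from Pre-Windows 2000 Compatible Access (the deck’s step 4a; that group is granted List Contents across the domain by default, so leaving Authenticated Users in it would undercut the change). It assumes the ActiveDirectory module and an account that can write the Directory Service object in the Configuration partition (Enterprise Admins); the function names are my own. Called with the default empty value, Set-DsHeuristicsChar returns ‘001’, matching the slide; with an existing value such as ‘0000002’ it returns ‘0010002’.

```powershell
# Added example (not from the original deck). Enables List Object mode by
# setting character 3 (fDoListObject) of dSHeuristics and removes
# Authenticated Users from Pre-Windows 2000 Compatible Access.
# Assumptions: ActiveDirectory module present; run as Enterprise Admin.
Import-Module ActiveDirectory -ErrorAction Stop

function Set-DsHeuristicsChar {
    # Return a copy of $Current with the 1-based $Position set to $Value,
    # leaving every other heuristic untouched. Pads short strings with '0',
    # except that MS-ADTS requires the 10th character to be '1', the 20th
    # '2', and so on whenever the string is that long, so padding writes the
    # decade digit at those positions.
    param(
        [AllowNull()][AllowEmptyString()][string]$Current,
        [Parameter(Mandatory)][ValidateRange(1, 99)][int]$Position,
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Za-z]$')][string]$Value
    )
    $chars = [System.Collections.Generic.List[char]]::new()
    if ($Current) { $chars.AddRange([char[]]$Current) }
    while ($chars.Count -lt $Position) {
        $index = $chars.Count + 1
        if ($index % 10 -eq 0) { $chars.Add([char][string]($index / 10)) }
        else                   { $chars.Add([char]'0') }
    }
    $chars[$Position - 1] = [char]$Value
    return -join $chars
}

function Enable-ListObjectMode {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties dSHeuristics
    $current  = [string]$dsObject.dSHeuristics          # "" when the attribute is not set
    $desired  = Set-DsHeuristicsChar -Current $current -Position 3 -Value '1'
    if ($desired -eq $current) {
        Write-Verbose "List Object mode already enabled (dSHeuristics = '$current')"
        return $current
    }
    if ($PSCmdlet.ShouldProcess($dsObject.DistinguishedName, "dSHeuristics '$current' -> '$desired'")) {
        Set-ADObject -Identity $dsObject -Replace @{ dSHeuristics = $desired }
    }
    return $desired
}

function Remove-AuthenticatedUsersFromPreWin2k {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # Authenticated Users is a well-known SID; in a group's member attribute it
    # appears as this foreign security principal, not as a domain object.
    $authUsersDN = "CN=S-1-5-11,CN=WellKnown Security Principals,$configNC"
    $group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member   # Pre-Windows 2000 Compatible Access
    if ($group.member -notcontains $authUsersDN) {
        Write-Verbose "Authenticated Users is not a member of $($group.Name)"
        return
    }
    if ($PSCmdlet.ShouldProcess($group.Name, "Remove member $authUsersDN")) {
        Set-ADGroup -Identity $group -Remove @{ member = $authUsersDN }
    }
}

Remove-AuthenticatedUsersFromPreWin2k -WhatIf   # drop -WhatIf to apply
Enable-ListObjectMode -WhatIf
```

The dSHeuristics write lands in the Configuration partition, so it takes effect on each DC only as it replicates; read the attribute back with Get-ADObject -Properties dSHeuristics on a couple of DCs before testing visibility.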
AdminSDHolder & SDProp
AdminSDHolder is a domain object that provides the DACL for protected accounts and groups within that domain, including its Domain Admins
SDProp is a process that executes every 60 minutes on the PDC emulator which compares protected objects’ DACL with AdminSDHolder’s. If they differ, inheritance is disabled on the object, the DACL on AdminSDHolder is applied to the object, and its adminCount attribute is set to 1
More info: https://adsecurity.org/?p=1906
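To make the mechanism concrete, here is an added PowerShell example (mine, not the deck’s) that edits the AdminSDHolder DACL the way the talk describes, forces an SDProp run on the PDC emulator instead of waiting up to an hour, and then checks each adminCount=1 object for the result. It assumes the ActiveDirectory module, Domain Admin rights, and that a group named HiddenObjects-Enumerate (the name from the deck’s plan) already exists.

```powershell
# Added example (not from the original deck). Rewrites the AdminSDHolder DACL,
# kicks SDProp, and reports which protected objects now carry the new DACL.
# Assumptions: ActiveDirectory module; Domain Admin rights; the group
# HiddenObjects-Enumerate exists.
Import-Module ActiveDirectory -ErrorAction Stop

$domain        = Get-ADDomain
$adminSDHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$authUsersSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$readerSid     = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity 'HiddenObjects-Enumerate').SID

function Set-AdminSDHolderReaders {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $acl = Get-Acl -Path "AD:\$adminSDHolder"
    # Drop every ACE for Authenticated Users (by default one Allow entry that
    # grants Read, i.e. RC+LC+RP+LO) ...
    $acl.PurgeAccessRules($authUsersSid)
    # ... and grant the enumeration group GenericRead, the same four rights.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $readerSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow))
    if ($PSCmdlet.ShouldProcess($adminSDHolder, 'Replace DACL')) {
        Set-Acl -Path "AD:\$adminSDHolder" -AclObject $acl
    }
}

function Invoke-SDProp {
    # Writing the rootDSE operational attribute runProtectAdminGroupsTask on
    # the PDC emulator starts SDProp immediately.
    $rootDse = [ADSI]"LDAP://$($domain.PDCEmulator)/RootDSE"
    $rootDse.UsePropertyCache = $false
    $rootDse.Put('runProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

function Get-SidValue {
    param([System.Security.Principal.IdentityReference]$Identity)
    $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-ProtectedObjectDacl {
    # For every object SDProp has stamped (adminCount=1), report whether the
    # Authenticated Users ACE is gone and the reader group has GenericRead.
    $genericRead = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $domain.DistinguishedName | ForEach-Object {
        $dn    = $_.DistinguishedName
        $rules = (Get-Acl -Path "AD:\$dn").Access
        [pscustomobject]@{
            Object           = $dn
            AuthUsersRemoved = -not ($rules | Where-Object { (Get-SidValue $_.IdentityReference) -eq $authUsersSid.Value })
            ReaderCanRead    = [bool]($rules | Where-Object {
                                   (Get-SidValue $_.IdentityReference) -eq $readerSid.Value -and
                                   $_.AccessControlType -eq 'Allow' -and
                                   (([int]$_.ActiveDirectoryRights) -band $genericRead) -eq $genericRead })
        }
    }
}

Set-AdminSDHolderReaders -WhatIf     # drop -WhatIf to apply
Invoke-SDProp
Start-Sleep -Seconds 30              # give SDProp a moment to run in a small domain
Test-ProtectedObjectDacl | Format-Table -AutoSize
```

Objects that once belonged to a protected group keep adminCount=1 after they leave it, and SDProp no longer touches their DACL; they show up in this report as not stamped and are worth reviewing separately.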
Bringing It All Together
With List Object mode enabled, a user that is not granted permissions to enumerate objects (List Object permission on the objects themselves and their parent container) and isn’t granted permissions to List Contents on the parent container will not be able to see those objects in the directory.
We modify the DACLs on parent containers and AdminSDHolder, which then applies the ACL to each of the protected groups and their members through SDProp.
Ordinary objects in those containers stay visible, because their own DACLs (from the schema’s default security descriptors) still grant List Object to Authenticated Users; the protected objects lose that grant once SDProp stamps them with the modified AdminSDHolder DACL.
This combination of settings effectively hides objects protected by SDProp, such as the Domain Admins group, the RID-500 Administrator account, etc. from casual enumeration
Lab Environment
• Single AD domain
• Mostly default
• Privsep
• Regular account: joelmleo
• Sysadmin: sa-joelleo
• Domain admin: da-joelmleo
Before the change: all accounts, including the regular account joelmleo, can see the Domain Admins group and everything else
Solution Outline
1. PlanPlanPlan - Who needs to have access to what, and what permissions do they need?
2. Take a system state backup of a domain controller
3. Create groups and add members according to your plan
4. Enable “List Object mode”
a. Remove ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group!
5. Modify OU/container ACLs
a. Remove ‘List Contents’ permission from ‘Authenticated Users’
6. Modify AdminSDHolder ACL
a. Remove ‘Authenticated Users’
b. Add the group(s) which should be able to see these with Read permissions
7. Let SDProp do its thing
Our Plan
Goal: Hide our Domain Admins (and other protected entities) from enumeration by unprivileged users
Containers that hold the objects we want to hide: ‘CN=Builtin’, ‘CN=Users’ & ‘OU=Administrative Users,OU=Users,OU=Lab Accounts’
Group that will be granted privileges to enumerate these hidden objects: ‘HiddenObjects-Enumerate’
Members of our Sysadmin team should be able to enumerate these objects with their sa- accounts, so they will be added to the above group
ChChChChaangees 1
• Created ‘HiddenObjects-Enumerate’ group
• Added sa- accounts as members
ChChChChaangees 2
• Removed ‘Authenticated Users’ from the ‘Pre-Windows 2000
Compatible Access’ group
• Set dSHeuristics to ‘001’ to enable List Object mode
ChChChChaangees 3
• Removed ‘List Contents’ permission from ‘Authenticated Users’ on
• CN=Builtin
• CN=Users
• OU=Administrative Users,OU=Users,OU=Lab Accounts
• Need to disable inheritance first
• AdminSDHolder changes
• Removed ‘Authenticated Users’ permissions
• Added ‘HiddenObjects-Enumerate’ with ‘Generic Read’ perms
• Manually kicked off SDProp (I cheated – could have waited an hour)
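The container part of the procedure, as an added PowerShell example (mine, not a script from the deck): for each container in the plan it disables DACL inheritance, converting the inherited ACEs into explicit ones, and then removes only the List Contents bit from Authenticated Users’ explicit ACEs. The LO bit is deliberately left in place so that ordinary objects in those containers, which grant List Object to Authenticated Users through their own DACLs, remain listable. It assumes the ActiveDirectory module (for the AD: drive), rights to write these DACLs, and the lab OU path from the deck.

```powershell
# Added example (not from the original deck). Breaks inheritance on each
# container and strips the ListChildren ("List Contents") bit from
# Authenticated Users, leaving RC/RP/LO untouched.
# Assumptions: ActiveDirectory module; rights to write the containers' DACLs;
# the deck's lab OU path.
Import-Module ActiveDirectory -ErrorAction Stop

$authUsersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$LC           = [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren
$domainDN     = (Get-ADDomain).DistinguishedName
$containers   = @(
    "CN=Builtin,$domainDN"
    "CN=Users,$domainDN"
    "OU=Administrative Users,OU=Users,OU=Lab Accounts,$domainDN"
)

function Get-SidValue {
    param([System.Security.Principal.IdentityReference]$Identity)
    $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-ListContentsGrant {
    # Audit helper: who is allowed to list this container's contents?
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.ActiveDirectoryRights) -band $LC) } |
        Select-Object @{ n = 'Container'; e = { $DistinguishedName } }, IdentityReference, ActiveDirectoryRights, IsInherited
}

function Remove-ListContentsFromAuthenticatedUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"

    # Step 1: break inheritance, keeping the inherited ACEs as explicit copies
    # (the "convert" choice in the ADUC Advanced Security dialog). Inherited
    # ACEs cannot be edited on the child object itself.
    $acl = Get-Acl -Path $path
    if (-not $acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($true, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Disable DACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }

    # Step 2: re-read, then rewrite each explicit Allow ACE for Authenticated
    # Users that carries ListChildren, subtracting just that bit.
    $acl = Get-Acl -Path $path
    $targets = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights) -band $LC) -and
        (Get-SidValue $_.IdentityReference) -eq $authUsersSid.Value
    })
    foreach ($rule in $targets) {
        $remaining = ([int]$rule.ActiveDirectoryRights) -band (-bnot $LC)
        $acl.RemoveAccessRuleSpecific($rule)
        if ($remaining -ne 0) {
            $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                $authUsersSid,
                [System.DirectoryServices.ActiveDirectoryRights]$remaining,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $rule.ObjectType, $rule.InheritanceType, $rule.InheritedObjectType))
        }
    }
    if ($targets.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($DistinguishedName, "Remove List Contents from Authenticated Users ($($targets.Count) ACE(s))")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

foreach ($dn in $containers) {
    Remove-ListContentsFromAuthenticatedUsers -DistinguishedName $dn -WhatIf   # drop -WhatIf to apply
    Get-ListContentsGrant -DistinguishedName $dn | Format-Table -AutoSize
}
```

Run Get-ListContentsGrant on each container before and after: Authenticated Users should drop out of the list and the formerly inherited entries should show IsInherited = False. If the entries do not survive the inheritance break in your environment, do that one step in ADUC (Advanced, Disable inheritance, Convert) and let the script handle only the removal.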
Demo:
Execute Solution
Regular account joelmleo: can no longer see the Domain Admins group, or any other protected principal
Domain Admins??
Demo:
Run Some Queries
Privileged account sa-joelleo: can still see the Domain Admins group and all other protected principals
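The same comparison as an added PowerShell example (not from the deck): the queries the demo runs, executed under the regular and the sysadmin credentials so the two result sets sit side by side. It assumes the ActiveDirectory module and the deck’s lab accounts joelmleo and sa-joelleo; the NetBIOS domain name LAB is a placeholder for your own.

```powershell
# Added example (not from the original deck). Runs the demo's lookups under
# two sets of credentials and counts what each one gets back.
# Assumptions: ActiveDirectory module; lab accounts from the deck; domain
# NetBIOS name "LAB" is a placeholder.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-HiddenObjectVisibility {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    $domain    = Get-ADDomain -Server $Server
    $domainSid = $domain.DomainSID.Value
    $common    = @{ Server = $Server; Credential = $Credential; ErrorAction = 'Stop' }

    # Each lookup is written the way an attacker (or an admin) would run it:
    # by name, by well-known RID, by the adminCount marker, and by container.
    $queries = [ordered]@{
        'Domain Admins by name'       = { Get-ADGroup  -Identity 'Domain Admins' @common }
        'Domain Admins by SID (-512)' = { Get-ADGroup  -Identity "$domainSid-512" @common }
        'Administrator by SID (-500)' = { Get-ADUser   -Identity "$domainSid-500" @common }
        'All adminCount=1 objects'    = { Get-ADObject -LDAPFilter '(adminCount=1)' @common }
        'Children of CN=Users'        = { Get-ADObject -LDAPFilter '(objectClass=*)' `
                                              -SearchBase "CN=Users,$($domain.DistinguishedName)" `
                                              -SearchScope OneLevel @common }
    }
    foreach ($name in $queries.Keys) {
        $count = 0
        # "not found" and "access denied" both mean the caller cannot see it.
        try { $count = @(& $queries[$name]).Count } catch { $count = 0 }
        [pscustomobject]@{ Account = $Credential.UserName; Query = $name; ObjectsReturned = $count }
    }
}

$regular  = Get-Credential -UserName 'LAB\joelmleo'   -Message 'Regular account password'
$sysadmin = Get-Credential -UserName 'LAB\sa-joelleo' -Message 'Sysadmin account password'
Test-HiddenObjectVisibility -Credential $regular
Test-HiddenObjectVisibility -Credential $sysadmin
```

After the change the regular account should return 0 for the first four lookups and a smaller count for the CN=Users listing than the sysadmin account, which is a quick way to confirm that only the SDProp-protected objects were hidden and nothing else.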
What Else Can This Do?
• Can be used to hide accounts that need long-lived passwords
from casual enumeration
• Better choice would be to rotate the passwords =)
• Hide service accounts, including gMSAs
• Hide sensitive computer accounts
• Admin workstations
• Sensitive servers
• Hide GPOs
What Doesn’t This Solve?
• This does nothing for you if everyone is a domain admin
• Efficacy is greatly reduced if privileged users are allowed to log in to any machine – use PAW/tiering!
• Even if an account is hidden in this way, it can still be used to authenticate. If you document the username and password on Confluence, in your git repositories, hardcoded in scripts, etc., an attacker can still make use of them if they find the creds
• An attacker that obtains a system state backup, IFM copy, NTDS.DIT etc. may be able to enumerate objects inside
Pitfalls 0x0
• This should be a tactic as part of a larger security strategy
• Unprivileged users will not be able to browse to find these objects
• Service accounts are particularly affected. Users need to type in the account’s name instead of browsing. Can still use sc.exe, PowerShell, etc. to set service creds.
• IAM tools will fail to enumerate hidden objects unless granted privileges
• “Hidden” identities synchronized to cloud environments
• Requires some level of privilege separation. If a regular user account is a member of a group protected by SDProp, many tools that user requires will fail when this is implemented.
• Solution – use separate accounts for elevated privileges
• Applications that do silly things to validate they’ve authenticated to AD
Pitfalls 0x1
Attackers can still gather information from some tools and infer/discover the existence of hidden objects
Pitfalls 0x2
An attacker can still capture the credentials of hidden accounts via Responder etc. if they can get a foothold on a subnet where those creds are used, and LLMNR, NBT-NS, etc. aren’t disabled
Conclusion
Through a combination of AD’s “List Object mode,” ACL modification, and SDProp, we can raise the bar on our Active Directory security by hiding highly-privileged accounts, making it that much more difficult for an attacker to elevate their privileges in AD.
#SecurityIsNeverDone
Additional Resources
• “An ACE up the Sleeve” PDF available here: https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
• @PyroTek3 (Sean Metcalf, https://adsecurity.org)
• Bloodhound https://github.com/BloodHoundAD
• Best practices for securing AD https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
• MS-ADTS https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d2435927-0999-4c62-8c6d-13ba31a52e1a
• Active Directory: Controlling Object Visibility – List Object Mode https://social.technet.microsoft.com/wiki/contents/articles/29558.active-directory-controlling-object-visibility-list-object-mode.aspx
Q&A
@joelmleo @joelmleo@infosec.exchange
https://www.linkedin.com/in/joelmleo

More Related Content

What's hot

Data breach presentation
Data breach presentationData breach presentation
Data breach presentationBradford Bach
 
Threats of Public Wi-Fi
Threats of Public Wi-Fi Threats of Public Wi-Fi
Threats of Public Wi-Fi The TNS Group
 
Cyber warfare ss
Cyber warfare ssCyber warfare ss
Cyber warfare ssMaira Asif
 
Information technology act
Information technology actInformation technology act
Information technology actMeghana Bhogle
 
Sagorer teer theke
Sagorer teer thekeSagorer teer theke
Sagorer teer thekeStudent
 
Big Data & Elections
Big Data & ElectionsBig Data & Elections
Big Data & Electionstsuempa
 
Sua 정보보호관리체계 cissp_물리보안_강의교안
Sua 정보보호관리체계 cissp_물리보안_강의교안Sua 정보보호관리체계 cissp_물리보안_강의교안
Sua 정보보호관리체계 cissp_물리보안_강의교안Lee Chanwoo
 
Denial of Service Attack
Denial of Service AttackDenial of Service Attack
Denial of Service AttackDhrumil Panchal
 
How is ai important to the future of cyber security
How is ai important to the future of cyber security How is ai important to the future of cyber security
How is ai important to the future of cyber security Robert Smith
 
Social Engineering and What to do About it
Social Engineering and What to do About itSocial Engineering and What to do About it
Social Engineering and What to do About itAleksandr Yampolskiy
 
IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies Network Intelligence India
 
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyUpping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyKaspersky
 

What's hot (20)

Data breach presentation
Data breach presentationData breach presentation
Data breach presentation
 
Research in the deep web
Research in the deep webResearch in the deep web
Research in the deep web
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Cyber crime
Cyber  crimeCyber  crime
Cyber crime
 
Threats of Public Wi-Fi
Threats of Public Wi-Fi Threats of Public Wi-Fi
Threats of Public Wi-Fi
 
Reconnaissance
ReconnaissanceReconnaissance
Reconnaissance
 
Cyber warfare ss
Cyber warfare ssCyber warfare ss
Cyber warfare ss
 
Cyber Space
Cyber SpaceCyber Space
Cyber Space
 
Information technology act
Information technology actInformation technology act
Information technology act
 
Sagorer teer theke
Sagorer teer thekeSagorer teer theke
Sagorer teer theke
 
Big Data & Elections
Big Data & ElectionsBig Data & Elections
Big Data & Elections
 
Sua 정보보호관리체계 cissp_물리보안_강의교안
Sua 정보보호관리체계 cissp_물리보안_강의교안Sua 정보보호관리체계 cissp_물리보안_강의교안
Sua 정보보호관리체계 cissp_물리보안_강의교안
 
Denial of Service Attack
Denial of Service AttackDenial of Service Attack
Denial of Service Attack
 
CHFI
CHFICHFI
CHFI
 
How is ai important to the future of cyber security
How is ai important to the future of cyber security How is ai important to the future of cyber security
How is ai important to the future of cyber security
 
IOT Security
IOT SecurityIOT Security
IOT Security
 
Social engineering
Social engineering Social engineering
Social engineering
 
Social Engineering and What to do About it
Social Engineering and What to do About itSocial Engineering and What to do About it
Social Engineering and What to do About it
 
IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies
 
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyUpping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from Kaspersky
 

Similar to dude wheres my domain admins v1.pptx

BSides Hawaii 2020: Dude, Wheres My Domain Admins
BSides Hawaii 2020: Dude, Wheres My Domain AdminsBSides Hawaii 2020: Dude, Wheres My Domain Admins
BSides Hawaii 2020: Dude, Wheres My Domain AdminsJoel M. Leo
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLEDB
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLEDB
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLEDB
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have MissedWill Schroeder
 
Role-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4jRole-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4jNeo4j
 
Global Azure Bootcamp 2018 - Oh no my organization went Azure
Global Azure Bootcamp 2018 - Oh no my organization went AzureGlobal Azure Bootcamp 2018 - Oh no my organization went Azure
Global Azure Bootcamp 2018 - Oh no my organization went AzureKarim Vaes
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
Controlling User Access -Data base
Controlling User Access -Data baseControlling User Access -Data base
Controlling User Access -Data baseSalman Memon
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Active directory job_interview_preparation_guide
Active directory job_interview_preparation_guideActive directory job_interview_preparation_guide
Active directory job_interview_preparation_guideabdulkalamattari
 
Better access control of administrators
Better access control of administratorsBetter access control of administrators
Better access control of administratorsRahul Sisondia
 
Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...TusharAgarwal49094
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
ppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdfppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdfcamyla81
 
LinkedIn's Logical Data Access Layer for Hadoop -- Strata London 2016
LinkedIn's Logical Data Access Layer for Hadoop -- Strata London 2016LinkedIn's Logical Data Access Layer for Hadoop -- Strata London 2016
LinkedIn's Logical Data Access Layer for Hadoop -- Strata London 2016Carl Steinbach
 

Similar to dude wheres my domain admins v1.pptx (20)

BSides Hawaii 2020: Dude, Wheres My Domain Admins
BSides Hawaii 2020: Dude, Wheres My Domain AdminsBSides Hawaii 2020: Dude, Wheres My Domain Admins
BSides Hawaii 2020: Dude, Wheres My Domain Admins
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Role-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4jRole-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4j
 
Global Azure Bootcamp 2018 - Oh no my organization went Azure
Global Azure Bootcamp 2018 - Oh no my organization went AzureGlobal Azure Bootcamp 2018 - Oh no my organization went Azure
Global Azure Bootcamp 2018 - Oh no my organization went Azure
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Controlling User Access -Data base
Controlling User Access -Data baseControlling User Access -Data base
Controlling User Access -Data base
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Active directory job_interview_preparation_guide
Active directory job_interview_preparation_guideActive directory job_interview_preparation_guide
Active directory job_interview_preparation_guide
 
Better access control of administrators
Better access control of administratorsBetter access control of administrators
Better access control of administrators
 
DITA Metadata
DITA MetadataDITA Metadata
DITA Metadata
 
Fortress SQL Server
Fortress SQL ServerFortress SQL Server
Fortress SQL Server
 
Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
ppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdfppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdf
 
LinkedIn's Logical Data Access Layer for Hadoop -- Strata London 2016
LinkedIn's Logical Data Access Layer for Hadoop -- Strata London 2016LinkedIn's Logical Data Access Layer for Hadoop -- Strata London 2016
LinkedIn's Logical Data Access Layer for Hadoop -- Strata London 2016
 

Recently uploaded

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 

Recently uploaded (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Presentation on how to chat with PDF using ChatGPT code interpreter

dude wheres my domain admins v1.pptx

  • 1. Dude, Where’s My Domain Admins?
    Making AD recon and privilege escalation more difficult for attackers
    Joel M. Leo, MCSE: SI/CP&I, MC: ASAE, CISSP, SEI
    SAP
  • 2. Dude, Where’s My Domain Admins?
    Making AD recon and privilege escalation more difficult for attackers
    Joel M. Leo, MCSE: SI/CP&I, MC: ASAE, CISSP, SEI
    SAP
  • 3. Mahalos!
    BlueTeamCon folks
    @pyrotek3 (Sean Metcalf – Trimarc, adsecurity.org)
    @gentilkiwi (Benjamin Delpy – mimikatz and more)
    SpecterOps (Bloodhound and more)
    @harmj0y
    @cptjesus
    @_wald0
    BlueTeamCon - Dude, Where's My Domain Admins? © 2023 Joel M. Leo
  • 4. About Me
    • Live and work in Honolulu, Hawaii
    • https://www.hawaiicommunityfoundation.org/strengthening/maui-strong-fund
    • On the hunt for my next full-time role
    • Principal Consultant for Hi Tech Hui - https://www.hitechhui.com
    • Consultant for Directory Services Expedited – https://www.dse.team
    • PoC for Def Con Groups 808 https://www.dc808.net @defconhawaii
    @joelmleo @joelmleo@infosec.exchange https://www.linkedin.com/in/joelmleo
  • 5. Problem Statement
    What’s the problem Earthman?
    Default Active Directory permissions allow any authenticated user to enumerate the entire directory, including security-sensitive principals such as the Domain Admins group.
  • 6. Killchain
    Image credit: Microsoft https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats
  • 7. Solution TL;DR
    Tighten down AD permissions so only privileged principals can enumerate these sensitive identities
    Ok, a little more detail:
    • ***Plan extensively*** and take a system state backup of a DC!
    • Create groups & add members according to plan
    • Enable “List Object” mode
    • Remove ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group!
    • Modify OU/container ACLs
    • Modify AdminSDHolder ACL and let SDProp do its thing
  • 8. Technology Background
    • AD DACLs, ACEs, and Implicit Deny
    • Generic Read, decomposed
    • “List Object mode”
    • AdminSDHolder & SDProp
    All of these capabilities are already in-the-box with Windows Server since Windows 2000. There are no additional products or licenses required.
  • 9. AD DACLs, ACEs, and Implicit Deny
    • DACL = Discretionary Access Control List - applies to an object to define the object’s set of permissions using ACEs. Not to be confused with SACLs, which are used for auditing access.
    • ACE = Access Control Entry – the individual entries listed on a DACL that grant a principal permission on the object
    AD follows the “implicit deny” model with “access-based enumeration” – if you aren’t granted permissions to something in AD you’re implicitly denied access to it & it won’t be listed in search results, GUI tools, etc.
  • 10. Generic Read Permission
    “Generic Read” permission is just the combination of:
    • RC – Read Control; read the security descriptor of the object
    • LC – List Content; list the contents of the object
    • RP – Read Properties; read the properties/attributes of the object
    • LO – List Object; permission to list the object when the parent container’s contents are enumerated
    These permissions can be separately granted. You see where this is going =)
  • 11. List Object Mode
    Exposes ‘List Object’ control and enforces its permissions
    • When enabled, principals now require List Contents on the parent container, or List Object on the parent container AND the objects within, to have the object listed when the parent container’s contents are enumerated
    • Enabled by setting the third character of dSHeuristics to ‘1’
    • dSHeuristics is an attribute of CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition of the AD forest
      • Affects the whole forest
      • Unicode string value that controls many aspects of AD functionality
      • Default string is null
      • In most environments, when enabled this will read ‘001’
      • If the string is NOT empty in your environment, then you need to replace the third character from the left with ‘1’
    • More about dSHeuristics: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
    • More about List Object mode: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/4a7705f7-c61e-4020-86a7-41a44fb233e5
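The dSHeuristics edit above, as an added example written for this page (not the author's or Microsoft's code). It assumes the ActiveDirectory PowerShell module and a caller with Enterprise Admin rights, since the object lives in the Configuration partition and the change is forest-wide; the string logic is kept in its own function so it can be checked before anything is written.

```powershell
# Added example: turn on List Object mode by editing the third character of
# dSHeuristics while preserving whatever else is already set in the string.
Import-Module ActiveDirectory

function Get-DsHeuristicsObject {
    # CN=Directory Service lives in the forest's Configuration partition
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties dSHeuristics
}

function ConvertTo-ListObjectHeuristics {
    # Pure string logic: null/empty -> '001'; otherwise only the third character
    # becomes '1'. MS-ADTS (linked above) imposes further positional rules on
    # longer strings; this helper does not validate those, it only touches position 3.
    param([AllowNull()][AllowEmptyString()][string]$Current)
    $chars = [string]$Current
    while ($chars.Length -lt 3) { $chars += '0' }       # pad short strings with '0'
    return $chars.Substring(0, 2) + '1' + $chars.Substring(3)
}

function Test-ListObjectMode {
    # True when the third character of dSHeuristics is '1'
    $value = (Get-DsHeuristicsObject).dSHeuristics
    return (-not [string]::IsNullOrEmpty($value)) -and ($value.Length -ge 3) -and ($value[2] -eq '1')
}

function Enable-ListObjectMode {
    # Supports -WhatIf / -Confirm: this is a forest-wide change, so preview first
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $obj     = Get-DsHeuristicsObject
    $current = [string]$obj.dSHeuristics
    $new     = ConvertTo-ListObjectHeuristics -Current $current
    if ($current -eq $new) {
        Write-Verbose "List Object mode already enabled (dSHeuristics = '$current')"
        return $new
    }
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "dSHeuristics '$current' -> '$new'")) {
        # -Replace, not -Add: the attribute is single-valued and may already hold a value
        Set-ADObject -Identity $obj.DistinguishedName -Replace @{ dSHeuristics = $new }
    }
    return $new
}

# Usage: Enable-ListObjectMode -WhatIf   (preview), then Enable-ListObjectMode -Verbose
```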
  • 12. AdminSDHolder & SDProp
    AdminSDHolder is a domain object that provides the DACL for protected accounts and groups within that domain, including its Domain Admins
    SDProp is a process that executes every 60 minutes on the PDC emulator which compares protected objects’ DACL with AdminSDHolder’s. If they differ, inheritance is disabled on the object, the DACL on AdminSDHolder is applied to the object, and its adminCount attribute is set to 1
    More infoz: https://adsecurity.org/?p=1906
  • 13. Bringing It All Together
    With List Object mode enabled, a user that is not granted permissions to enumerate objects (List Object permission on the objects themselves and their parent container) and isn’t granted permissions to List Contents on the parent container will not be able to see those objects in the directory.
    We modify the DACLs on parent containers and AdminSDHolder, which then applies the ACL to each of the protected groups and their members through SDProp.
    This combination of settings effectively hides objects protected by SDProp, such as the Domain Admins group, the RID-500 Administrator account, etc. from casual enumeration
  • 14. Lab Environment
    • Single AD domain
    • Mostly default
    • Privsep
      • Regular account: joelmleo
      • Sysadmin: sa-joelleo
      • Domain admin: da-joelmleo
  • 15. All accounts, including regular account - joelmleo
    Can see the Domain Admins group and everything else
  • 16. Solution Outline
    1. PlanPlanPlan - Who needs to have access to what, and what permissions do they need?
    2. Take a system state backup of a domain controller
    3. Create groups and add members according to your plan
    4. Enable “List Object mode”
       a. Remove ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group!
    5. Modify OU/container ACLs
       a. Remove ‘List Contents’ permission from ‘Authenticated Users’
    6. Modify AdminSDHolder ACL
       a. Remove ‘Authenticated Users’
       b. Add the group(s) which should be able to see these with Read permissions
    7. Let SDProp do its thing
  • 17. Our Plan
    Goal: Hide our Domain Admins (and other protected entities) from enumeration by unprivileged users
    Containers that hold the objects we want to hide: ‘CN=Builtin’, ‘CN=Users’ & ‘OU=Administrative Users,OU=Users,OU=Lab Accounts’
    Group that will be granted privileges to enumerate these hidden objects: ‘HiddenObjects-Enumerate’
    Members of our Sysadmin team should be able to enumerate these objects with their sa- accounts, so they will be added to the above group
  • 18. ChChChChaangees 1
    • Created ‘HiddenObjects-Enumerate’ group
    • Added sa- accounts as members
  • 19. ChChChChaangees 2
    • Removed ‘Authenticated Users’ from the ‘Pre-Windows 2000 Compatible Access’ group
    • Set dSHeuristics to ‘001’ to enable List Object mode
  • 20. ChChChChaangees 3
    • Removed ‘List Contents’ permission from ‘Authenticated Users’ on
      • CN=Builtin
      • CN=Users
      • OU=Administrative Users,OU=Users,OU=Lab Accounts
      • Need to disable inheritance first
    • AdminSDHolder changes
      • Removed ‘Authenticated Users’ permissions
      • Added ‘HiddenObjects-Enumerate’ with ‘Generic Read’ perms
    • Manually kicked off SDProp (I cheated – could have waited an hour)
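The container and AdminSDHolder changes from the Solution Outline and the three ChChChChaangees slides, as one added script written for this page (not the author's code). It assumes the ActiveDirectory module and its AD: drive, Domain Admin rights, the lab container paths and the ‘HiddenObjects-Enumerate’ group already created, and that steps 1 through 4 (plan, backup, groups, List Object mode) are done; the ACE removal relies on .NET's RemoveAccessRule subtracting only the named right, so the read-back at the end is there to confirm the result.

```powershell
# Added example (not the author's code): container ACLs, AdminSDHolder ACL, and a
# manual SDProp run. Assumes the ActiveDirectory module, Domain Admin rights and a
# fresh system state backup of a DC.
Import-Module ActiveDirectory
$domainDN  = (Get-ADDomain).DistinguishedName
$pdc       = (Get-ADDomain).PDCEmulator
$authUsers = [System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users'
$enumGroup = [System.Security.Principal.NTAccount]'HiddenObjects-Enumerate'   # group from the plan
$rights    = [System.DirectoryServices.ActiveDirectoryRights]
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# Containers that hold the objects being hidden (lab paths from the plan)
$containers = @(
    "CN=Builtin,$domainDN",
    "CN=Users,$domainDN",
    "OU=Administrative Users,OU=Users,OU=Lab Accounts,$domainDN"
)

function Remove-ListContentsFromAuthenticatedUsers {
    param([string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    # Disable inheritance first, keeping copies of the inherited ACEs
    $acl.SetAccessRuleProtection($true, $true)
    # RemoveAccessRule subtracts the ListChildren ("List Contents") bit from the
    # matching Allow ACEs and leaves Authenticated Users' other rights alone
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $authUsers, $rights::ListChildren, $allow)
    [void]$acl.RemoveAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Set-AdminSDHolderAcl {
    $path = "AD:\CN=AdminSDHolder,CN=System,$domainDN"
    $acl  = Get-Acl -Path $path
    [void]$acl.PurgeAccessRules($authUsers)     # drop every Authenticated Users ACE
    $read = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $enumGroup, $rights::GenericRead, $allow)
    $acl.AddAccessRule($read)                   # sa- accounts get Generic Read via the group
    Set-Acl -Path $path -AclObject $acl
}

function Start-SDProp {
    # Run SDProp now (Server 2008 R2 and later) instead of waiting up to 60
    # minutes; the RootDSE write has to go to the PDC emulator
    $rootDse = [ADSI]"LDAP://$pdc/RootDSE"
    $rootDse.UsePropertyCache = $false
    $rootDse.Put('RunProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

foreach ($dn in $containers) { Remove-ListContentsFromAuthenticatedUsers -DistinguishedName $dn }
Set-AdminSDHolderAcl
Start-SDProp

# Read back what Authenticated Users can still do on each container, to confirm
# that only List Contents went away (check ADUC's Advanced Security view as well)
foreach ($dn in $containers) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -eq $authUsers } |
        Select-Object @{ n = 'Container'; e = { $dn } }, ActiveDirectoryRights, AccessControlType
}
```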
  • 21. Demo: Execute Solution
  • 22. Regular Account - joelmleo
    Can no longer see the Domain Admins group, or any other protected principal
  • 23. Domain Admins??
  • 24. Demo: Run Some Queries
  • 25. (screenshot only)
  • 26. (screenshot only)
  • 27. (screenshot only)
  • 28. Privileged Account sa-joelleo
    Can still see the Domain Admins group and all other protected principals
  • 29. What Else Can This Do?
    • Can be used to hide accounts that need long-lived passwords from casual enumeration
      • Better choice would be to rotate the passwords =)
    • Hide service accounts, including gMSAs
    • Hide sensitive computer accounts
      • Admin workstations
      • Sensitive servers
    • Hide GPOs
  • 30. What Doesn’t This Solve?
    • This does nothing for you if everyone is a domain admin
    • Efficacy is greatly reduced if privileged users are allowed to log in to any machine – use PAW/tiering!
    • Even if an account is hidden in this way, it can still be used to authenticate. If you document the username and password on Confluence, in your git repositories, hardcoded in scripts, etc., an attacker can still make use of them if they find the creds
    • An attacker that obtains a system state backup, IFM copy, NTDS.DIT etc. may be able to enumerate objects inside
  • 31. Pitfalls 0x0
    • This should be a tactic as part of a larger security strategy
    • Unprivileged users will not be able to browse to find these objects
      • Service accounts are particularly affected. Users need to type in the account’s name, instead of browsing. Can still use sc.exe, PowerShell, etc. to set service creds.
    • IAM tools will fail to enumerate hidden objects unless granted privileges
    • “Hidden” identities synchronized to cloud environments
    • Requires some level of privilege separation. If a regular user account is a member of a group protected by SDProp, many tools that user requires will fail when this is implemented.
      • Solution – use separate accounts for elevated privileges
    • Applications that do silly things to validate they’ve auth’d to AD
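A read-only pre-flight check for the privilege-separation and service-account pitfalls above, added here as an example (not from the slides). It assumes the ActiveDirectory module and the lab's sa-/da- naming convention for privileged accounts; the regex is a parameter so it can be adjusted.

```powershell
# Added example: find protected (adminCount=1) accounts that will break things
# once hidden, and confirm the Pre-Windows 2000 Compatible Access change.
Import-Module ActiveDirectory

function Get-ProtectedAccountPreflight {
    param(
        # Names that are expected to be protected (lab convention); others are flagged
        [string]$PrivilegedNamePattern = '^(sa|da)-'
    )
    # Accounts SDProp has already stamped with adminCount=1: once AdminSDHolder
    # loses its Authenticated Users ACE, these vanish from unprivileged views.
    # adminCount stays at 1 after an account leaves a protected group, so some
    # rows may be stale; that is worth cleaning up as part of the plan.
    $protected = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties servicePrincipalName
    foreach ($u in $protected) {
        $issues = @()
        if ($u.SamAccountName -notmatch $PrivilegedNamePattern) {
            $issues += 'regular-looking account is protected; its tools may break once hidden'
        }
        if ($u.servicePrincipalName.Count -gt 0) {
            $issues += 'service account with SPNs; name must be typed, not browsed, when setting service creds'
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            Issues         = ($issues -join '; ')
        }
    }
}

function Test-PreWindows2000GroupClean {
    # True once Authenticated Users (S-1-5-11, stored as a foreign security
    # principal) is no longer a member of Pre-Windows 2000 Compatible Access
    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    return -not ($group.member -match '^CN=S-1-5-11,CN=ForeignSecurityPrincipals,')
}

# Usage: review every row with a non-empty Issues column before touching AdminSDHolder
Get-ProtectedAccountPreflight | Where-Object Issues | Format-Table -AutoSize
Test-PreWindows2000GroupClean
```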
  • 32. Pitfalls 0x1
    Attackers can still gather information from some tools and infer/discover the existence of hidden objects
  • 33. Pitfalls 0x2
    An attacker can still capture hidden creds via Responder etc. if they can get a foothold on a subnet where those creds are used, and LLMNR, NBT-NS, etc. aren’t disabled
  • 34. Conclusion
    Through a combination of AD’s “List Object mode,” ACL modification, and SDProp, we can raise the bar on our Active Directory security by hiding highly-privileged accounts, making it that much more difficult for an attacker to elevate their privileges in AD.
    #SecurityIsNeverDone
  • 35. Additional Resources
    • “An ACE up the Sleeve” PDF available here: https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
    • @PyroTek3 (Sean Metcalf, https://adsecurity.org)
    • Bloodhound https://github.com/BloodHoundAD
    • Best practices for securing AD https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
    • MS-ADTS https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d2435927-0999-4c62-8c6d-13ba31a52e1a
    • Active Directory: Controlling Object Visibility – List Object Mode https://social.technet.microsoft.com/wiki/contents/articles/29558.active-directory-controlling-object-visibility-list-object-mode.aspx
  • 36. Q&A
    @joelmleo @joelmleo@infosec.exchange https://www.linkedin.com/in/joelmleo

Editor's Notes

  1. 2 Andy Robbins, Ace up the Sleeve (2017). Jonas Knudson & Alexander Schmitt, Troopers last June. A tactic we can use to make life a little harder for attackers in our Active Directory environments. By implementing this tactic, attackers have a more difficult time identifying highly privileged users in AD, making their choice of targets more difficult. 95% of the Fortune 500 use AD. 86% of breaches in DBIR (Verizon Data Breach Investigations Report) 2023 involved stolen credentials for initial access. We raise the bar on our AD security to trip attackers up and stand a better chance of detecting them before they cause more damage.
  2. .5
  3. .5
  4. 2 Explain why this is a problem Quote comes from Douglas Adams’ “The Restaurant at the End of the Universe”
  5. Describe killchain and where this problem comes in, then where the solution comes in
  6. Call out the only forest wide change is enabling list object mode. Everything else needs to be done on a per domain basis
  7. Help set baseline understanding of the technologies involved
  8. ACL management in AD is… complicated. The default tools (ADUC, ADS&S, etc.) are scandalously bad for this sort of thing – you can’t even see the Security tab under which ACLs are listed without turning on “Advanced Features.” The AD module for Powershell isn’t much better
  9. RC = Read Control, LC = List Contents, RP = Read Properties, LO = List Object
  10. First graphic shows advanced security view before List Object is enabled, and second shows the same view after List Object is enabled. Good to mention the fact that you have to enable “Advanced Features” before even being able to see the security tab within ADUC. Default operational mode is “list child.” dSHeuristics also controls anonymous LDAP, which groups are “protected groups” (dwAdminSDExMask, the 16th character), ANR, some AD LDS functionality, and more
  11. Read the current value, then set it:
      get-adobject "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=internal,dc=lab" -properties * | ft dsheuristics
      get-adobject "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=internal,dc=lab" | set-adobject -add @{dsheuristics='001'}
      To update the setting, can use -remove or -replace flags on set-adobject
  12. Manually running sdprop 2008 and earlier = fixupinheritance, 2008 r2 and later = RunProtectAdminGroupsTask
  13. Net group; Wmic; dsquery/dsget; adsisearcher type accelerator; powerview recon modules; from a trusted domain’s administrator account
  14. .net calls out of the accountmanagement namespace LDAP RPC Impacket, with the second showing unhidden account
  15. Good to mention Theoden’s situation: he was at this moment controlled by Saruman. Gandalf was able to cast Saruman out of Theoden’s mind, bringing him back to his senses. In our scenario, the attacker is Gandalf and defender is Theoden, the lesson being our security win through list object could be temporary
  16. AAD Connect sync account would be a good example of a service account worth hiding (ds-replication-get-changes and *-all). Note that the ACLs need to be adjusted appropriately. AdminSDHolder isn’t appropriate for everything
  17. Use mimikatz example. Popping a machine with a domain admin logged in means mimikatz could scrape those creds. Also, the SIDs don’t change so they could inject well-known but hidden object SID in to a ticket through mimikatz, Rubeus, etc., even if they can’t enumerate the object, aka why the domain is not the security boundary
  18. For the final bullet, use the example of Bloodhound back in 2020. Sharphound would query the domain for the existence of the builtin\administrators group and would exit if it couldn’t find it. I chatted with @cptjesus, who updated Sharphound to query for the domain object instead, after which the ingestor began working in the environment in which I was testing. Another example is the app that queried for its own service account to determine if it was connected to AD. When the service account was hidden, the app began failing until the service account was added to the group given permissions to enumerate the hidden objects.
  19. 1 bloodhound automatically labels the builtin\administrators group. https://github.com/BloodHoundAD/SharpHoundCommon/blob/1bcf1a8ac05206a265e514345bcfadef18d948ef/src/CommonLib/WellKnownPrincipal.cs#L52
      2 bloodhound: RID 512 is domain admins, and RID 519 is enterprise admins
      3 nmap: still enumerates the administrator account
      4 enum4linux: most queries don’t list hidden objects, but this one does. None of the groups’ memberships were enumerated though
      The more an attacker has to work to identify their targets, the higher likelihood they’ll be detected
  20. Reemphasize network segmentation