My TechDecisions


The 3 Most Common Misconfigurations in Microsoft Active Directory (and How to Fix Them)

Research has revealed that AD presents significant security risk for enterprises thanks to misconfigurations and cyberattacks.

October 29, 2021 Andy Robbins


Microsoft Active Directory (AD) is one of, if not THE, most critical services used by organizations of all sizes. In fact, for roughly 90% of Global Fortune 1000 companies, AD is the primary method utilized for seamless authentication and authorization when connecting and managing individual endpoints inside corporate networks. Research has revealed that AD also presents significant security risk for these enterprises, as mountains of misconfiguration debt in AD compound the largely unseen, unmanaged and growing problem of AD Attack Paths for enterprises.

In fact, there are three very common misconfigurations we’ve seen across the majority of AD environments:

  1. Privileged kerberoastable users – Highly privileged users that are susceptible to the “Kerberoast” attack, as first described by Tim Medin. Combining a particular Kerberos configuration, a weak password, and a high degree of privilege, attackers can reliably abuse this misconfiguration in nearly every Active Directory domain.
  2. Domain Controller object ownership – It is very common to see normal users or lower-privileged service accounts as the object owners of domain controller computer accounts. This misconfiguration can bridge the gap between the rest of the environment and a domain controller, as these normal users or lower-privilege service accounts are not given the same protections and care as more sensitive domain admin user accounts.
  3. Domain Users group and other large groups having control of other objects – All-inclusive security principals with any kind of special privilege. For example, it’s common to see the “Domain Users” group granted local admin rights on one or more systems. This configuration effectively offers adversaries a jumping-off point for an Attack Path that can potentially lead all the way to the compromise of a Domain Admin user.
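The three checks above can be expressed as a small audit over a directory export. This is an added example, not code from the article or from any tool it names; the accounts, hosts, field names and the Tier Zero and broad-group sets are constructed for illustration.

```python
# Constructed sample export (not real data); all names and fields are assumptions.
MEMBER_OF = {                       # direct group memberships only
    "svc-sql": ["SQL Admins"],
    "SQL Admins": ["Domain Admins"],   # nesting makes svc-sql privileged
    "svc-web": ["Domain Users"],
    "alice": ["Domain Users"],
    "helpdesk-svc": ["Domain Users"],
}
USERS = [
    {"name": "svc-sql", "spns": ["MSSQLSvc/db01.corp.example:1433"]},
    {"name": "svc-web", "spns": ["HTTP/web01.corp.example"]},
    {"name": "alice", "spns": []},
]
COMPUTERS = [
    {"name": "DC01$", "is_dc": True, "owner": "helpdesk-svc"},
    {"name": "DC02$", "is_dc": True, "owner": "Domain Admins"},
    {"name": "WS17$", "is_dc": False, "owner": "alice"},
]
GRANTS = [("Domain Users", "LocalAdmin", "WS17$"),   # (principal, right, target)
          ("SQL Admins", "LocalAdmin", "DB01$")]
TIER_ZERO = {"Domain Admins", "Enterprise Admins", "Administrators"}
BROAD = {"Domain Users", "Authenticated Users", "Everyone"}

def is_tier_zero(principal, seen=None):
    """True if principal is, or is nested at any depth in, a Tier Zero group."""
    seen = seen or set()
    if principal in TIER_ZERO:
        return True
    if principal in seen:            # guard against circular group nesting
        return False
    seen.add(principal)
    return any(is_tier_zero(g, seen) for g in MEMBER_OF.get(principal, []))

def audit():
    findings = []
    for u in USERS:                  # 1. SPN set on a privileged user account
        if u["spns"] and is_tier_zero(u["name"]):
            findings.append(("privileged-kerberoastable", u["name"]))
    for c in COMPUTERS:              # 2. DC object owned outside Tier Zero
        if c["is_dc"] and not is_tier_zero(c["owner"]):
            findings.append(("dc-owned-by-non-tier-zero", c["name"]))
    for principal, right, target in GRANTS:   # 3. all-inclusive group with control
        if principal in BROAD:
            findings.append(("broad-group-control", f"{principal} -> {right} on {target}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit():
        print(kind, detail)
```
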

So, why are these three common misconfigurations such a problem, and what attacks do they open organizations up to? To start, the most impactful contributing factor to the emergence of these misconfigurations is a lack of visibility provided by native and third-party tooling. These misconfigurations aren’t easy to identify or understand using Microsoft’s own tooling, and even third-party tooling that can spot these misconfigurations is not capable of calculating their impact. As a result, admins typically never see these configurations within any security context, much less with any empirical risk rating.

These common misconfigurations almost always chain together to form complete Attack Paths – connecting every user and computer in the environment to the organization’s most critical assets, domain admins and domain controllers. In other words, an attacker landing in almost any AD domain can find and chain these misconfigurations together to fully compromise every system and identity within an enterprise.

The good news is that an individual Attack Path can be fixed. This can typically be accomplished through the removal of privileges that users do not need. That said, the effectiveness of closing specific Attack Paths is limited – for example, in a large AD environment, an adversary can usually negotiate an alternative route to the same objective. Think of it like a road trip from New York City to Washington D.C. If a section of highway or a specific bridge is shut down, you can simply take a detour and get to your destination via other avenues.

For organizations to reduce their overall risk exposure to AD Attack Paths, they need to look at their high-value Tier Zero assets and work backwards from the adversary’s point of view. Doing so enables the discovery of Attack Paths that are most likely to be targeted as well as the identification of “choke points” that many of those Attack Paths are passing through. Shutting down these high-priority choke points can sever hundreds or thousands of Attack Paths at once. The trick is to close off the Attack Paths that present the most risk rather than trying to eliminate every Attack Path. Two great open source tools that can help are BloodHound and PingCastle.
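The "work backwards from Tier Zero" idea can be sketched as reverse reachability over a control graph, scoring each edge by how many principals lose every route when it is removed. This is an added example, not code from the article or from BloodHound or PingCastle; the graph, principal names and edge meanings are constructed.

```python
from collections import defaultdict, deque

# Constructed graph (not real data): edge A -> B means "A can take control of B".
EDGES = [
    ("alice", "Domain Users"), ("bob", "Domain Users"), ("carol", "Domain Users"),
    ("Domain Users", "WS17$"),      # broad group is local admin on two workstations
    ("Domain Users", "WS22$"),
    ("WS17$", "helpdesk-svc"),      # service account is exposed on both hosts
    ("WS22$", "helpdesk-svc"),
    ("helpdesk-svc", "DC01$"),      # service account owns the DC computer object
    ("dave", "svc-sql"),
    ("svc-sql", "Domain Admins"),
]
TIER_ZERO = {"Domain Admins", "DC01$"}   # assumed Tier Zero set for this sample

def can_reach_tier_zero(edges):
    """Work backwards from Tier Zero: reverse BFS over the control edges."""
    rev = defaultdict(set)
    for src, dst in edges:
        rev[dst].add(src)
    reached, queue = set(TIER_ZERO), deque(TIER_ZERO)
    while queue:
        for src in rev[queue.popleft()]:
            if src not in reached:
                reached.add(src)
                queue.append(src)
    return reached - TIER_ZERO

def rank_choke_points(edges):
    """Score each edge by the principals that lose every path if it is removed."""
    baseline = can_reach_tier_zero(edges)
    scores = []
    for e in edges:
        remaining = can_reach_tier_zero([x for x in edges if x != e])
        scores.append((len(baseline - remaining), e))
    return sorted(scores, key=lambda s: -s[0])

if __name__ == "__main__":
    for cut, (src, dst) in rank_choke_points(EDGES):
        print(f"{cut:2d} principals cut off by removing {src} -> {dst}")
```

In this sample, removing either workstation grant from Domain Users cuts off nobody because the other workstation is the detour, while the single ownership edge into DC01$ is the choke point.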

Andy Robbins, technical architect at SpecterOps, is a co-creator of BloodHound, the free and open source Active Directory attack path mapping and analysis tool. Andy has spoken at several conferences including Black Hat USA, Black Hat Europe, and DEF CON and has a background in professional red teaming and penetration testing.

 
