A few weeks ago, a presentation titled An ACE Up The Sleeve – Designing Active Directory DACL Backdoors at the Black Hat Conference 2017 (which we skipped) apparently made waves and caught the attention of the world, including that of Microsoft. In fact, it apparently intrigued Microsoft so much that its Advanced Threat Analytics (ATA) team blogged about it twice in one month.
In that presentation, a whitepaper on which can now be downloaded from here, its authors have presented what may seem like a ground-breaking revelation to those uninitiated to the subject.
Earlier this month, I shared how organizations can easily identify and thwart sneaky persistence in Active Directory based on “hiding” objects in Active Directory within just minutes. I had also said that while amateurs rely on this technique, proficient perpetrators rely on using what I called “real” sneaky persistence in Active Directory, a way to hide that’s a 100 times harder to detect.
“Real” sneaky persistence in Active Directory is a technique via which a proficient perpetrator could plant backdoors inside Active Directory access control lists (ACLs) that would be extremely difficult to identify with the naked eye (or even with basic Active Directory permissions analysis tooling) yet allow the perpetrator to gain unrestricted privileged access in Active Directory at will. Simply put, it involves exploiting the sophistication of Active Directory’s powerful security model and the sheer complexity of the ocean of Active Directory security permissions that exist in the thousands of Active Directory ACLs that exist in every Active Directory domain to hide in plain sight wherein none of it is obvious, yet all of it leads to the “Keys to the Kingdom.”
Earlier this week, I also shared how organizations can identify and thwart “real” sneaky persistence in Active Directory with equal ease. Indeed, “real” sneaky persistence is very powerful, effective and dangerous, and likely a clear and present danger, but fortunately today every organization that wishes to identify and mitigate the risk posed by “real” sneaky persistence can today do so.
Well, here’s how organizations can easily identify, thwart and mitigate the risk of sneaky persistence in Active Directory – How to Identify and Thwart “Real” Sneaky Persistence in Active Directory.