The Top-10 Ways to Gain Domain Admin Privileges in Active Directory Environments

Folks,

Six months ago we made the simple claim that we are the most important and valuable cyber security company today. In days to come, I will easily substantiate that claim, but before I can do so, I’d like to share with you the Top-10 ways in which an intruder or a rogue/coerced insider could gain Domain Admin privileges (i.e. the Keys to the Kingdom) in an Active Directory environment.

The reason this is so important, and in fact paramount, is that the compromise of even a single privileged user’s account can easily result in a massive system-wide cyber security breach. Ask any well-informed CEO, CIO or CISO and they’ll tell you that this is the #1 cyber security challenge facing their organization and most organizations today. In fact, 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise of a single Active Directory privileged user account i.e. a Domain Admin* account.

So, without further ado, here are the Top-10 ways in which an intruder could easily gain Domain Admin privileges in an Active Directory environment:

Top-10 Ways to Become a Domain Admin in an Active Directory Environment –

  1. Use the DCSync feature of the mimikatz hacking tool to obtain credentials of all domain accounts, including those of all privileged user accounts
  2. Modify the security permissions specified in the ACL that protects the domain root object to gain domain-wide privileged access (simply add an inheritable Allow Full Control permission)
  3. Reset the password of any default or non-default administrative/privileged user account
  4. Modify the group membership of any default or non-default administrative/privileged security group
  5. Modify the contents of various objects in the System container or in the Configuration or Schema partitions (One of 100+ examples: modify defaultSecurityDescriptor attribute in Schema)
  6. Modify the security permissions specified in the ACL that protects the AdminSDHolder object to gain control over all default administrative/privileged user accounts and groups
  7. Modify the security permissions specified in the ACL that protects the Domain Controllers OU to gain control over the ability to link a compromising group policy to that OU
  8. Establish a cross forest trust or external trust with a forest controlled by the intruder/perpetrator
  9. Set the Password not required bit on any administrative/privileged domain user account
  10. If any form of MFA (multi-factor authentication, e.g. Smart cards) is in use, simply disable its use on target administrative/privileged user accounts, then instantly perform a password reset

 

It is these 10 simple ways of privilege escalation that serve as the technical basis upon which we had recently put forth the 10 Essential Cyber Security Questions for All Organizations Worldwide.

I should mention that these are merely the Top-10 ways to do so. There are many, many more ways in which one could accomplish this objective, simply by modifying content in Active Directory.

An intruder only needs to find out who has sufficient effective permissions to be able to perform any one of the above, then compromise any one of those accounts, to have a golden starting point.

Incidentally, not a single one of these ways (mentioned or alluded to above) involves passing hashes or meddling with Kerberos tickets; they merely involve modification of Active Directory content.
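From the monitoring side, the ten items in the list above can be watched for in the Windows Security log, provided directory-service auditing and the relevant SACLs are enabled. The following Python is an added example, not part of the original post: it maps audit records to the list's item numbers. The event IDs, replication GUIDs and userAccountControl bits are Windows' own; the flat record layout, the domain and the account names are constructed assumptions.

```python
# Added example: Windows event IDs/GUIDs are real; records and names are constructed.
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}   # DS-Replication-Get-Changes-All
PASSWD_NOTREQD, SMARTCARD_REQUIRED = 0x20, 0x40000      # userAccountControl bits
DOMAIN = "DC=corp,DC=example"
ACL_TARGETS = {DOMAIN: 2, "CN=AdminSDHolder,CN=System," + DOMAIN: 6,
               "OU=Domain Controllers," + DOMAIN: 7}
BROAD = ("CN=System," + DOMAIN, "CN=Configuration," + DOMAIN)

def classify(ev, privileged, dc_accounts):
    """Return the list-item numbers (1-10) that one event may indicate."""
    eid = ev["id"]
    if eid == 4662:    # operation on an object; props carry the rights used
        used = REPL_GUIDS & set(ev["props"])
        return [1] if used and ev["subject"] not in dc_accounts else []
    if eid == 4724:    # password reset attempt
        return [3] if ev["target"] in privileged else []
    if eid in (4728, 4732, 4756):    # member added to a security group
        return [4] if ev["group"] in privileged else []
    if eid == 4706:    # new trust created
        return [8]
    if eid != 5136:    # everything below is "directory object modified"
        return []
    attr, dn = ev["attr"], ev["dn"]
    if attr == "nTSecurityDescriptor" and dn in ACL_TARGETS:
        return [ACL_TARGETS[dn]]
    if attr == "gPLink" and dn == "OU=Domain Controllers," + DOMAIN:
        return [7]
    if attr == "userAccountControl" and dn in privileged:
        old, new = ev["old"], ev["new"]
        hits = [9] if new & PASSWD_NOTREQD and not old & PASSWD_NOTREQD else []
        if old & SMARTCARD_REQUIRED and not new & SMARTCARD_REQUIRED:
            hits.append(10)
        return hits
    return [5] if dn.endswith(BROAD) else []

ALICE = "CN=da-alice,CN=Users," + DOMAIN
PRIVILEGED = {"Domain Admins", "da-alice", ALICE}
EVENTS = [  # constructed sample records
    {"id": 4662, "subject": "DC01$", "props": sorted(REPL_GUIDS)},
    {"id": 4662, "subject": "helpdesk7", "props": sorted(REPL_GUIDS)},
    {"id": 5136, "attr": "nTSecurityDescriptor", "dn": DOMAIN},
    {"id": 5136, "attr": "userAccountControl", "dn": ALICE, "old": 0x40200, "new": 0x220},
    {"id": 5136, "attr": "defaultSecurityDescriptor", "dn": "CN=User,CN=Schema," + BROAD[1]},
    {"id": 4728, "group": "Domain Admins"},
]

def triage():
    return [classify(e, PRIVILEGED, {"DC01$"}) for e in EVENTS]
```

Replication requests from domain controller machine accounts are expected traffic, which is why the first sample record yields no hit while the same rights exercised by a non-DC account do.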

 

The astute mind will have already deduced that these attack vectors can be mitigated by possessing one fundamental cyber security capability, which most organizations do not yet possess today.

In my next post, I will shed light on that one fundamental cyber security capability as well as substantiate our simple claim. (The astute mind will already have made the connection.) Stay tuned.

Best wishes,
Sanjay

 

PS: This, i.e. 10 ways to gain Domain Admin privileges in Active Directory, is merely the Tip of the Iceberg, when it comes to what someone could do if they could modify Active Directory content.

PS2: It's 2016, not 2006. Ideally Microsoft should have helped its customers understand and mitigate these foundational risks years ago, by at the very least providing vital adequate technical guidance. Unfortunately, the underbelly of most organizations continues to remain vastly vulnerable to these risks, so considering the stats (100%), we felt an obligation to shed light on them.
