Active Directory Privilege Escalation
Active Directory Privilege Escalation, based on the identification and exploitation of unauthorized access grants provisioned in Active Directory deployments, poses a clear and present danger to the foundational security of over 85% of all business and government organizations worldwide today, and is consequently the world's #1 cyber security risk today.
It is the world's #1 cyber security risk because it directly impacts the foundational security of every organization whose IT infrastructure is powered by Active Directory. In these organizations it lets anyone with a domain user account identify and potentially exploit privilege escalation paths in Active Directory to obtain complete, unrestricted administrative privileges within minutes, and subsequently use those privileges to bypass or disable all other security controls and obtain access to, compromise, steal, divulge and/or destroy virtually any or all organizational IT resources.
Specifically, with minimal expertise and the right tools, virtually anyone could enact this risk in any organization to instantly obtain complete administrative control, and subsequently circumvent all existing security controls to obtain access to any IT resource. In the worst-case scenario, a skilled perpetrator could automate the destruction of the organization's entire IT infrastructure.
At the foundation of cyber security of over 85% of all organizations worldwide lies Microsoft Active Directory. All aspects of distributed security and IT management are integrated with Active Directory, and all building blocks of organizational security, i.e. all user and computer accounts as well as security groups and policies, are stored, managed and protected in Active Directory.
To help organizations achieve cost efficiencies and fulfill their unique operational IT needs, Active Directory lets organizations delegate administrative responsibilities for identity and access management amongst various IT personnel by providing organizations the ability to grant specific administrative users and groups the access they require to enact specific administrative tasks.
The act of granting specific users and groups specific access so that they can enact specific administrative tasks is commonly referred to as delegation of administration; technically, it involves provisioning least-privilege access for delegated administrators and groups on IT resources, such as user accounts and security groups, that are all stored in Active Directory.
For example, organizations can delegate the responsibility of performing password resets for all employees to the IT Help Desk Team, and for all executives to the IT Executive Support Team.
Active Directory lets organizations provision/delegate access precisely, but it lacks the means to help them assess, verify or audit effective provisioned/delegated access precisely. As a result, over time, driven by business needs, the effective state of access in Active Directory changes, and once it has changed, no one really knows who is effectively provisioned what access.
Consequently, over time (weeks, months and eventually years), as the state of provisioned access steadily changes to meet business needs, large numbers of unauthorized access grants are introduced in Active Directory, and eventually they become so pervasive that their presence lets anyone who can find them exploit them to elevate their privilege.
For example, 1 year ago an organization may have granted only 3 individuals the ability to reset the passwords of its 5 Domain Admin accounts. However, over time, the state of provisioned access may have had to be changed to fulfill dynamic business needs, and as a result today, unbeknownst to the organization, over 30 individuals may be able to reset Domain Admin account passwords.
In essence, a substantially large number of accounts belonging to IT and non-IT personnel may today, unbeknownst to them or to the organization, have sufficient rights in Active Directory to enact sensitive administrative tasks that they should not be able to enact, resulting in a situation wherein a perpetrator could compromise any one of these accounts to escalate privilege.
For example, due to an incorrectly configured permission involving a nested group, John Doe, a temporary IT contractor at a branch office, may have sufficient rights to reset a Domain Admin's password. Should a malicious perpetrator figure this out, all he would have to do to escalate his privilege to that of a Domain Admin is compromise John Doe's account.
It turns out that in every Active Directory deployment, by default, all authenticated users, i.e. everyone with a domain account, already have sufficient rights to analyze the security permissions granted on all Active Directory objects. As a result, with just a little knowledge and/or the right tools, literally anyone can analyze these permissions and find thousands of privilege escalation paths.
The unfortunate reality is that today in virtually every Active Directory deployment worldwide, there exist a large number of such hidden, readily exploitable privilege escalation paths. With the right tools, anyone can find and exploit these paths, and any insider or malicious perpetrator (e.g. an Advanced Persistent Threat (APT)) could easily do so to gain unrestricted privileged (administrative) access.
History is witness that 100% of all major recent cyber security breaches have involved the compromise and subsequent misuse of just 1 account that had unrestricted privileged access.
Fortunately, with adequate executive support, this risk can be swiftly and reliably mitigated.
A Clear and Present Cyber Security Danger
This risk poses a clear and present danger to organizational security worldwide because it potentially lets virtually anyone with a domain user account quickly and easily obtain unrestricted (Domain / Enterprise Admin level) administrative access without having to compromise a single computer or requiring anyone to log on to a computer controlled by the perpetrator.
Organizations that are unaware of this risk are advised to bring this to the immediate attention of their Executive Leadership (C*Os), Information Security and IT Infrastructure Management teams, assess their current exposure and swiftly enact adequate risk mitigation measures to protect the organization and the interests of the organization's customers, investors and other stakeholders.