
The attack surface is vast – it is your entire foundational Active Directory.

A Vast Attack Surface – Your Entire Active Directory

The attack surface is vast because virtually every domain user account, computer account, security group and other vital content stored in Active Directory is a potential target of compromise.

After all, every domain user account, computer account and security group (as well as other content) in your Active Directory exists for the purpose of providing one or more individuals the ability to access one or more IT resources across your network. For instance, a domain user account might provide an employee the ability to access resources on the network, a domain computer account might allow users to access that computer and any IT resources stored on it, and a domain security group might be used to control access to IT resources across the network.

In other words, every domain user account, computer account and security group (as well as other content) in your Active Directory plays a role in the protection of IT resources across your network. Consequently, it follows that the compromise of any one of these resources, such as a domain security group, could result in the compromise of numerous IT resources in your network.

For example, consider a domain security group that is being used to provision secure access to vast amounts of high-value confidential information stored in files and databases across the network. The easiest way for a malicious perpetrator to obtain access to all these resources is not to compromise the computers on which these files and databases are stored, but merely to compromise this security group. Specifically, if the perpetrator could simply change the membership of this group in Active Directory, he/she could instantly gain access to all these resources without having to compromise a single computer.

Furthermore, because literally everyone with a domain account has blanket read access to the Active Directory, anyone can take their sweet time to analyze weaknesses in Active Directory.




Priority Target #1 – Active Directory Administrative Accounts

The highest-value targets in Active Directory are the user accounts of the IT personnel who have unrestricted administrative access in your network, i.e. your Active Directory administrators.

These accounts are high priority targets for malicious perpetrators because the compromise of any one of these accounts is sufficient to instantly compromise your entire network.

Like ordinary accounts, these accounts too reside in Active Directory, and they too are protected by Active Directory security permissions, which can be analyzed by anyone.

In many organizations, a majority of these accounts still reside in non-administrative OUs, giving delegated administrative IT personnel the opportunity to manage them.

Attack Vector: Active Directory Privilege Escalation




Priority Target #2 – Active Directory Administrative Groups

The second highest-value targets in Active Directory are the administrative security groups that have unrestricted administrative access in your network, for example the Domain Admins group.

These groups are also high priority targets for malicious perpetrators because the compromise of any one of these groups is also sufficient to instantly compromise your entire network.

Like ordinary security groups, these groups too reside in Active Directory, and they too are protected by Active Directory security permissions, which can be analyzed by anyone.

In many organizations, a majority of these security groups still reside in non-administrative OUs, giving delegated administrative IT personnel the opportunity to manage them.

Attack Vector: Active Directory Privilege Escalation




Priority Target #3 – Active Directory Delegated Administrative Accounts and Groups

The third highest-value targets in Active Directory are the delegated administrative accounts and groups that have restricted administrative access in Active Directory, for example an Account Mgmt Admins group.

Delegated administrative accounts and groups are highly lucrative targets for malicious perpetrators because the compromise of any one of these accounts or groups can almost always provide malicious perpetrators the ability to instantly compromise priority targets #1 and #2 above, i.e. the Active Directory administrative accounts and groups that have unrestricted administrative access.

For example, consider a scenario where John Doe, a delegated administrator, is a member of the Administrative Support Team, which happens to indirectly (i.e. via a nested group membership) have All Extended Rights (which includes the Reset Password extended right) granted on the domain user account of Jane Doe, who is a member of the Domain Admins group. In this scenario, anyone who can compromise John's account is 30 seconds away from resetting Jane's password and becoming a Domain Admin.

As another example, consider a scenario where John Doe, a delegated administrator, has been indirectly (via a nested group membership) granted the Modify Permissions right on a high-level OU, such as Corp. In this scenario, anyone who can compromise John's account is 30 seconds away from being able to control virtually every domain user account and security group contained in that OU, as well as obtain control (by using the ability to create/modify a GPO and link it to the OU) over virtually every computer whose computer account resides in that OU, and by extension gain access to all IT resources stored on all of these computers.

Like unrestricted administrative accounts and security groups, these accounts and groups too reside in Active Directory, and they too are protected by Active Directory security permissions, which can be analyzed by anyone. However, unlike unrestricted administrative accounts and security groups, these restricted/delegated administrative accounts and groups are not as highly protected, and are thus much easier to compromise than unrestricted administrative accounts and security groups, making them highly lucrative initial targets for malicious perpetrators.

For the above reason, it is not inconceivable that in the next few months Active Directory delegated administrative accounts and groups could become priority target #1.

Attack Vector: Active Directory Privilege Escalation




Priority Target #4 – Widely Used Domain Security Groups

The fourth highest-value targets in Active Directory are domain security groups that are widely used across the network to protect a large number of IT resources, for example a Company Employees group.

These groups are priority targets for malicious perpetrators because they gate access to a large number of IT resources across the network, including a large number of files, folders, databases, SharePoint portals and Intranet sites; the premise is that the compromise of such a group could instantly grant a malicious perpetrator access to a large number of organizational IT resources.

For instance, the Company Employees group could be used to gate access to a large number of internal IT resources such as the Human Resources internal site, the Employee Handbook site, the Employees Only portal, the Corporate Security internal site, Remote Access and VPN servers, and thousands of files and folders on which read access, initially granted to Authenticated Users, may have been tightened down to Company Employees only as part of the organization's security enhancement measures. In such a scenario, the compromise of the Company Employees group could instantly grant the malicious perpetrator access to thousands of IT resources without him/her having to compromise a single computer or account on the network.

In this context, a perpetrator can compromise a domain security group simply by obtaining the ability to control the group's membership, so that he/she can add any account of choice to the group.

Attack Vector: Active Directory Privilege Escalation




Priority Target #5 – Executive User Accounts

The fifth highest-value targets in Active Directory are the user accounts of the organization's executives, for example the Chief Executive Officer's (CEO's) and the Chief Financial Officer's (CFO's) accounts.

These accounts are also high priority targets for malicious perpetrators because the compromise of any one of these accounts usually provides access to highly-confidential information.

For instance, should a malicious perpetrator be able to compromise the CEO's account, he/she could access the CEO's email, as well as all IT assets to which the CEO has access.

The malicious perpetrator would also be able to send email as though the CEO were sending it, and make any changes in the system that the CEO has the access to make.

All executive accounts too reside in Active Directory, and they too are protected by Active Directory security permissions, which can be analyzed by anyone.

Attack Vector: Active Directory Privilege Escalation




Priority Target #6 – Executive Security Groups

The sixth highest-value targets in Active Directory are executive security groups, i.e. security groups that are used to provision access for executive (C*O) accounts, for example a Chief Executives group.

These groups are priority targets for malicious perpetrators because such groups usually gate access to highly confidential and sensitive information to which only executives may be privy.

For instance, the likelihood of such a group having access to information such as the company's financials, or access to data which could indicate that a noteworthy event such as a merger or acquisition is in the works, is very high, so the compromise of such a group could grant malicious perpetrators access to high-value intel, which could then be used to realize monetary gains.

Like ordinary security groups, these groups too reside in Active Directory, and they too are protected by Active Directory security permissions, which can be analyzed by anyone.

Attack Vector: Active Directory Privilege Escalation




Priority Target #7 – High-Value Specific Interest Domain Security Groups

The seventh highest-value targets in Active Directory are high-value specific interest domain security groups, i.e. security groups that are being used to provision access to specific high-value IT resources, for example Project X Development Team, Litigation Y Counsel Team, Company Z M&A Team, etc.

These groups are usually priority targets for malicious perpetrators who are focused on obtaining access to information and documents pertaining to a specific high-value project, event or matter. Malicious perpetrators engaged in intelligence gathering and/or corporate espionage tend to focus their efforts on specific high-value information, and if they find that access to such information is being gated by a specific domain security group, then that group becomes a primary target for them, as its compromise provides the easiest avenue to the accomplishment of their goals.

For instance, consider a scenario wherein an Advanced Persistent Threat (APT) from a specific country seeks to obtain specific information about the development progress of a military jet being developed by a major defense contractor for the government of a rival nation. Upon having breached the perimeter of the defense contractor, should the malicious perpetrators discover that vast amounts of information related to Jet X are scattered across hundreds of file servers, and that access to them is being gated by the group Jet X Dev Team, then instead of trying to compromise hundreds of servers to obtain access to these documents, all that the malicious perpetrators need to do is compromise the Jet X Dev Team group. Once they have compromised the security group gating access to the thousands of documents on hundreds of servers, they can easily and instantly access the entirety of this information without having to compromise a single server.

Like ordinary security groups, these groups too reside in Active Directory, and they too are protected by Active Directory security permissions, which can be analyzed by anyone.

In this context, a perpetrator can compromise a domain security group simply by obtaining the ability to control the group's membership, so that he/she can add any account of choice to the group.

Attack Vector: Active Directory Privilege Escalation




Priority Target #8 – High-Value Specific Interest Domain User Accounts

The eighth highest-value targets in Active Directory are high-value specific interest domain user accounts, i.e. accounts that belong to specific individuals of interest, for example a specific security guard.

These accounts are usually priority targets for malicious perpetrators because they may have access to specific high-value information, the availability of which could be critical for a specific event.

For instance, consider a scenario wherein malicious perpetrators seeking to gain unauthorized access to the branch office of a multi-national company in a foreign country know that a specific security guard has access to the daily access codes that are required to enter the high-security facility. In this scenario, all the malicious perpetrators need to do is target and compromise the domain user account of this specific guard, because once his account has been compromised, they can access the security system to obtain the access control codes for that specific location.

Such accounts are ordinary domain user accounts that reside in Active Directory, and thus they too are protected by Active Directory security permissions, which can be analyzed by anyone.

In this context, a perpetrator can compromise a domain user account by resetting the user's password, then proceeding to logon to the system using that user's account and the new password.

Attack Vector: Active Directory Privilege Escalation




Priority Target #9 – High-Value Specific Interest Domain Computer Accounts

The ninth highest-value targets in Active Directory are high-value specific interest domain computer accounts, i.e. computer accounts that represent specific computers, for example a compromised domain-joined server.

These computer accounts are usually priority targets for malicious perpetrators because obtaining control over them provides the perpetrators the opportunity to elevate their privilege.

For instance, consider a scenario wherein malicious perpetrators seeking to elevate their privilege have compromised a domain-joined machine. In such a scenario, if they can additionally set the Trusted for Unconstrained Delegation bit on the computer account in Active Directory that represents the compromised machine, they could then launch a service in the System or Network Service context which could impersonate, across the network, any clients that the perpetrators could lure into accessing that service on that machine, in effect helping them escalate privilege.

Such accounts are ordinary domain computer accounts that reside in Active Directory, and thus they too are protected by Active Directory security permissions, which can be analyzed by anyone.

In this context, a perpetrator can compromise a domain computer account by obtaining the ability to modify the account's attributes in Active Directory, such as setting the Trusted for Unconstrained Delegation bit described above.

Attack Vector: Active Directory Privilege Escalation




Priority Target #10 – Specific Resources Stored in Active Directory

The tenth highest-value targets in Active Directory are specific interest resources stored in Active Directory, for example a specific service connection point that is being used by a specific IT service.

These resources are usually focused targets for malicious perpetrators because they can provide control over certain operational aspects of the network, such as the ability to disrupt a service.

For instance, consider a scenario wherein a third-party service has been deployed by an organization to integrate non-Windows machines with Active Directory, and assume that this service creates and relies on the presence of service connection points in Active Directory. These service connection points are used by the clients of the service to locate specific service-specific servers based on certain keywords that are present on these service connection points. In such a scenario, should malicious perpetrators be able to compromise one or more of these service connection points, they could then change the keywords on these service connection points, resulting in a situation where queries from the service's clients would go unresolved; as a consequence, the clients would be unable to find the service's servers, resulting in a denial of service to these clients. In certain situations the unavailability of specific services could aid malicious perpetrators in performing other illicit activities on the network.

Resources such as service connection points also reside in Active Directory, and are protected by Active Directory security permissions, which can be analyzed by anyone.

In this context, a perpetrator can compromise a service connection point by obtaining effective write-property access on the service connection point, so as to be able to modify its keywords attribute.

Attack Vector: Active Directory Privilege Escalation




The attack surface is vast because it is the entire Active Directory. The fact that all users already have read access to Active Directory security permissions does not help.

With adequate executive support and the right process and tools, organizations can swiftly and reliably audit and lock down effective access in Active Directory, to prevent unauthorized access.
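As an added illustration of the effective-access audit this page calls for (example code written for this page, not code from Paramount Defenses or from any product), the following Python models the delegated-access scenarios above over constructed sample data: nested group memberships, ACEs on high-value objects, and permissions inherited from an OU, and then lists every non-admin who can effectively exercise a dangerous right such as Reset Password, Write Member, Write userAccountControl or Modify Permissions. All principal names, DNs and right names are constructed assumptions; a real DACL expresses these rights as extended-right and attribute GUIDs with inheritance flags, which the model deliberately simplifies.

```python
"""Effective-access audit over a constructed (not real) Active Directory model."""
from collections import deque
USERS = {"john.doe", "jane.doe"}
DOMAIN_ADMINS = "Domain Admins"
# Direct memberships: principal -> groups it belongs to directly (constructed).
MEMBER_OF = {
    "john.doe": {"Administrative Support Team"},
    "Administrative Support Team": {"Helpdesk Tier2"},  # nesting hides the grant
    "jane.doe": {DOMAIN_ADMINS},
}
# Rights that are the page's escalation paths when a non-admin holds them.
DANGEROUS = {"Reset Password", "Write Member", "Write userAccountControl", "Modify Permissions"}
# Simplified DACLs: object DN -> [(trustee, right)]; real ACEs use GUIDs and flags.
ACES = {
    "OU=Corp": [("Administrative Support Team", "Modify Permissions")],
    "CN=Jane Doe,OU=Corp": [("Helpdesk Tier2", "Reset Password"), (DOMAIN_ADMINS, "Full Control")],
    "CN=Company Employees,OU=Corp": [("Helpdesk Tier2", "Write Member")],
    "CN=SRV01,OU=Servers": [("john.doe", "Write userAccountControl")],
}
# Container hierarchy; ACEs on a container are treated as inheritable by its children.
PARENT = {"CN=Jane Doe,OU=Corp": "OU=Corp", "CN=Company Employees,OU=Corp": "OU=Corp"}

def expand_groups(principal):
    """Transitive (nested) group membership of a principal."""
    seen, queue = set(), deque([principal])
    while queue:
        for group in MEMBER_OF.get(queue.popleft(), ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen

def applicable_aces(obj):
    """ACEs set on obj plus those inherited from every ancestor container."""
    aces, cur = list(ACES.get(obj, [])), PARENT.get(obj)
    while cur:
        aces, cur = aces + ACES.get(cur, []), PARENT.get(cur)
    return aces

def find_exposures():
    """Map object DN -> {(user, right, trustee)} for non-admins holding a dangerous right."""
    out = {}
    for obj in ACES:
        for user in USERS:
            groups = expand_groups(user)
            if DOMAIN_ADMINS in groups:
                continue  # already unrestricted; nothing left to escalate
            for trustee, right in applicable_aces(obj):
                if right in DANGEROUS and (trustee == user or trustee in groups):
                    out.setdefault(obj, set()).add((user, right, trustee))
    return out

if __name__ == "__main__":
    for obj, hits in sorted(find_exposures().items()):
        print(obj, sorted(hits))
```

Run against the sample data, the report shows john.doe holding Reset Password on Jane Doe (a Domain Admin) via Helpdesk Tier2 and Modify Permissions on everything under OU=Corp via his nested membership, which is exactly the 30-second path to Domain Admin described above; jane.doe is skipped because she is already unrestricted.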

