There are 2 main attack vectors that can be used to gain unrestricted privileged access in Active Directory deployments –
- Credential theft based on the capture and replay of hashes, also known as Pass-the-Hash (PtH)
- Active Directory Privilege Escalation based on the identification and exploitation of unauthorized access grants, also known as Reset-the-Password (RtP)
Of these two main attack vectors, Pass-the-Hash (PtH) has thus far been the predominant attack vector of choice, in all likelihood because most malicious perpetrators, cyber security professionals and cyber security vendors are not yet familiar with the innards of Active Directory Security. In reality, it is FAR easier to escalate privilege with Active Directory Privilege Escalation.
The following is an illustration of the sheer power of Active Directory Security innards, on which Active Directory Privilege Escalation is based, but before that, a quick word about Pass-the-Hash.
Pass-the-Hash – Greatly Diminished
During the past few years, Pass-the-Hash has been the predominant attack vector used to compromise Active Directory administrative accounts. It has purportedly also been used in recent cyber security breaches. Although it may seem powerful to novices in the field of Active Directory Security, to those who are experts in the field of Active Directory Security, it is overrated and overkill.
Here's why. Its successful use undoubtedly necessitates 3 conditions – 1) It requires the attacker to compromise and own a machine, 2) it subsequently requires the perpetrator to have appropriate tooling and the expertise to install and use such tooling, and 3) most importantly, in order to be successful, it absolutely requires the victim to log on to the compromised machine.
If the victim never logs on to the attacker's machine, the attacker will never succeed. In fact, the efficacy of Pass-the-Hash to compromise unrestricted administrative accounts stands greatly diminished today because most organizations are aware of PtH and their policies now ensure that unrestricted administrative access accounts are not used to log on to untrustworthy machines.
In comparison, the successful use of Active Directory Privilege Escalation based on the identification and exploitation of unauthorized grants in Active Directory does not necessitate any such conditions. 1) It does NOT require the attacker to compromise any machine, 2) it does NOT require the attacker to be an expert, and 3) it does NOT require the victim to log on to ANY machine.
In fact, as illustrated below, today, with appropriate tooling, anyone can find and potentially exploit unauthorized access grants in Active Directory to obtain unrestricted administrative access.
Active Directory Privilege Escalation – Illustrated
Active Directory Privilege Escalation based on the identification and exploitation of unauthorized access grants, is the world's #1 cyber security risk today because it can potentially let anyone gain unrestricted administrative access in Active Directory very, very quickly. (Most organizations worldwide are vulnerable to it, including the world's top software and cyber security companies.)
This potent attack vector is best understood with an illustration –
[ Important Note: This is merely one example involving a perpetrator targeting an administrative domain user account. In this manner, a perpetrator could easily also target any other domain user account (e.g. the CEO's account), domain security group (e.g. All Fulltime Employees), domain computer account (e.g. that of a DC or a Web Server), service connection point (e.g. one for a mission-critical line-of-business application) or Organizational Unit, and inflict targeted and possibly substantial damage very quickly. For details please see the Attack Surface section. ]
Here's your IT infrastructure –
In your Microsoft Windows Server powered IT infrastructure, at the very foundation of your IT security and IT management lies your Active Directory deployment. All organizational user accounts are stored in and protected by Active Directory, all security groups used to control access to all IT resources are stored in Active Directory, all computing devices (desktops, laptops, servers and mobile devices) are joined to the Active Directory, and consequently all IT resources (files, folders, databases, applications etc) are stored on machines joined to (and managed via) the Active Directory. In addition, all organization-wide email relies on Active Directory, and RAS, VPN and Internet Access are also integrated with Active Directory.
In summary, the security of your entire IT infrastructure relies on your Active Directory, and your Active Directory in turn is secured and managed by your Active Directory administrators.
Here's a real scenario –
In light of the above, it is not unreasonable to assume that Active Directory administrative access accounts are highly lucrative targets for malicious perpetrators. After all, if a malicious perpetrator is able to compromise an account that possesses administrative access in Active Directory, he/she could instantly gain system-wide access across your IT infrastructure.
In fact, 100% of all recent major cyber security breaches involved the compromise and subsequent misuse of a single Active Directory administrative account by a malicious perpetrator.
So, the scenario to consider here is the following – A malicious perpetrator who has managed to compromise a domain-joined machine or a domain user account inside your perimeter now has a single objective – to attempt to compromise any one of your numerous Active Directory administrative access account holders, and obtain unrestricted system-wide access.
A $T Question: If the compromise of just 1 Active Directory administrative access account can give a malicious perpetrator system-wide access, it's worth asking –
What is the easiest way for a malicious perpetrator to compromise an Active Directory administrative access account?
The answer to this question lies ahead...
First, let's consider the Pass-the-Hash (PtH) attack vector –
As you may know, thus far, the Pass-the-Hash attack vector has been the predominant attack vector employed by malicious perpetrators to gain Active Directory administrative access.
As powerful as it may be, the efficacy of this attack vector relies on the ability of the attacker to have the victim log on to a machine owned by the attacker.
And therein lies its Achilles Heel – If the victim never logs on to the attacker's machine, the attacker will never succeed.
In the scenario illustrated above, a malicious perpetrator inside the perimeter attempts to compromise an Active Directory administrative access account holder by trying to lure him to log on to a machine owned by the perpetrator. Unfortunately for the attacker, because there exists a simple corporate security policy that does not permit Active Directory administrative access account holders to log on to any machine except specially designated, trustworthy machines, the administrator does not get lured to log on to the perpetrator's machine, and as a result the Pass-the-Hash attack vector is rendered useless.
In such a scenario, the malicious perpetrator can sit and wait for a proverbial 100 years. The Pass-the-Hash attack vector aimed at the administrator will not get him anywhere, anymore.
Now, consider this –
Did you know that in Active Directory, there exists a security permission (strictly speaking, an extended right) known as Reset Password which allows anyone who has this permission effectively granted on an Active Directory user account the ability to instantly reset that account's password, and log in as that account?
(Strictly speaking, anyone who effectively has the Reset Password extended right, or All Extended Rights or Full Control permissions on an account can reset that account's password.)
That's right. No password guessing, cracking, phishing, PtH, etc. required. You simply install and launch ADUC or GF Mini, locate the target account, and select Reset Password.
In essence, anyone who has the Reset Password extended right effectively granted to them on a domain user account is 10 seconds away from taking over that account.
Now, it turns out that in most Active Directory deployments, numerous IT personnel have the Reset Password permission effectively granted to them on many accounts, but no one really knows exactly who can reset whose passwords, because the only way to find this out is by accurately determining effective permissions/access on each account, and that is hard to do.
In light of the above, the malicious perpetrator, instead of trying the PtH attack on an Active Directory administrative access account holder, attempts to find out who can reset that admin's password. To do so, he performs Active Directory account password reset analysis and uncovers that John Doe, a delegated admin, can reset the AD admin's password.
This knowledge is extremely valuable to him, because now he has discovered that in order to compromise the Active Directory administrator's account, he only needs to compromise the delegated admin John Doe's account, which may be much easier to compromise since in all likelihood it may not be as highly protected as the Active Directory administrator's account.
The malicious perpetrator then performs password reset analysis on the delegated admin John Doe's account and further uncovers that Jane Doe, another delegated admin can reset John Doe's password.
This knowledge is also very valuable to him, because now he has discovered that in order to compromise John Doe's account, he only needs to compromise Jane Doe's account.
The malicious perpetrator then performs password reset analysis on Jane Doe's account and uncovers that Jim Doe, another delegated admin can reset Jane Doe's password.
The malicious perpetrator then performs password reset analysis on Jim Doe's account and finally uncovers that Jack Doe, a vulnerable IT admin can reset Jim Doe's password.
This is a very valuable discovery for the malicious perpetrator, because he has discovered that Jack Doe's account is vulnerable, and thus is the best starting point.
As to being vulnerable, there are many possibilities, such as, but not limited to –
- The individual whose account/computer the malicious perpetrator had initially compromised may already have sufficient effective permissions to reset Jack Doe's password.
- The computer that Jack Doe uses to log on is exposed to any one of numerous vulnerabilities that can be exploited to compromise his computer, and subsequently his account.
- The account of Jack Doe is inadequately protected, and is thus vulnerable to any one of numerous basic exploitation techniques such as password guessing, spear-phishing etc.
- The malicious perpetrator can relatively easily lure Jack Doe to log on to a machine owned by the perpetrator, to capture his password or use PtH to compromise his account.
The point is that not only is it far easier (100x easier) to compromise a vulnerable delegated admin's account (e.g. Jack Doe) than it is to compromise an Active Directory administrator's account, but also that once an attacker has compromised this vulnerable account, he is only a few password resets away from compromising an Active Directory administrator's account.
Thus, the perpetrator has uncovered the identities of 4 individuals, the successive compromise of whose accounts could ultimately be used to gain Active Directory administrative access.
In essence, the malicious perpetrator has used Active Directory password reset analysis to identify what can be considered to be an Active Directory Privilege Escalation path.
(As illustrated below, the rest is easy.)
A Privilege Escalation Path –
As illustrated below, the malicious perpetrator used Active Directory password reset analysis to identify an Active Directory privilege escalation path leading to administrative access.
Specifically, the privilege escalation path identified by the perpetrator is: Perpetrator > Jack Doe > Jim Doe > Jane Doe > John Doe > Active Directory Administrator
(Exact exploitation steps are presented in #8 below.)
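The two hard parts described above, determining who effectively holds the Reset Password right on an account (group nesting, explicit deny, Full Control ACEs) and then chaining those grants into an escalation path, can be modelled for an audit. The following is an added example, not the page's or Paramount Defenses' code and not how Gold Finger Mini works. It operates over a constructed, in-memory snapshot of accounts, nested groups and ACEs; the GUID is the real User-Force-Change-Password extended right, everything else (account names, groups, ACEs, the simplified deny-wins rule) is an assumption for illustration:

```python
from collections import deque

# Extended-right GUID for User-Force-Change-Password, shown as "Reset Password" in ADUC.
RESET_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"

# Constructed accounts and nested group membership (group -> direct members).
USERS = {"compromised.user", "jack.doe", "jim.doe", "jane.doe", "john.doe", "ad.admin"}
GROUPS = {
    "Helpdesk": {"jack.doe", "Tier2"},   # Tier2 is nested inside Helpdesk
    "Tier2": {"jim.doe"},
}

# Constructed ACEs per target account: (trustee, object_type, access).
# object_type is the extended-right GUID, or None for an ACE covering all rights
# (Full Control / All Extended Rights), which also permits a password reset.
ACLS = {
    "jack.doe": [("compromised.user", RESET_PASSWORD_GUID, "allow")],
    "jim.doe":  [("Helpdesk", RESET_PASSWORD_GUID, "allow")],       # granted via a group
    "jane.doe": [("Helpdesk", RESET_PASSWORD_GUID, "allow"),
                 ("jack.doe", RESET_PASSWORD_GUID, "deny")],        # explicit deny for Jack
    "john.doe": [("jane.doe", RESET_PASSWORD_GUID, "allow")],
    "ad.admin": [("john.doe", None, "allow")],                      # Full Control ACE
}


def security_tokens(principal):
    """Return the principal plus every group containing it, transitively
    (a rough stand-in for the group SIDs in a logon token)."""
    tokens = {principal}
    changed = True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in tokens and members & tokens:
                tokens.add(group)
                changed = True
    return tokens


def can_reset_password(actor, target):
    """Simplified effective-permission check: an ACE applies when its trustee is
    among the actor's tokens and it covers the Reset Password right; any
    applicable deny wins. Real AD evaluation additionally orders explicit before
    inherited ACEs and honours owner rights, so treat this as a model."""
    tokens = security_tokens(actor)
    applicable = [access for trustee, obj, access in ACLS.get(target, [])
                  if trustee in tokens and obj in (None, RESET_PASSWORD_GUID)]
    if "deny" in applicable:
        return False
    return "allow" in applicable


def who_can_reset(target):
    """Password reset analysis for one account: every other user that can reset it."""
    return sorted(u for u in USERS if u != target and can_reset_password(u, target))


def find_escalation_path(start, goal):
    """Breadth-first search over the 'can reset' relation; returns the shortest
    chain of accounts from start to goal, or None if no path exists."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        current = path[-1]
        if current == goal:
            return path
        for nxt in USERS:
            if nxt not in seen and can_reset_password(current, nxt):
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    for account in sorted(USERS):
        print(f"{account}: resettable by {who_can_reset(account)}")
    path = find_escalation_path("compromised.user", "ad.admin")
    print("escalation path:", " > ".join(path) if path else "none")
```

Run against the constructed snapshot, `who_can_reset("jane.doe")` returns only `jim.doe` (Jack is in Helpdesk but the explicit deny removes him), and the search from the initially compromised account reproduces the chain in the text: compromised.user > jack.doe > jim.doe > jane.doe > john.doe > ad.admin. In a real audit the same two functions would be fed the ACLs, group memberships and inheritance data exported from the directory rather than the literals above.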
Automated Active Directory Password Reset Analysis Tooling –
As illustrated above, the actual steps involved in password reset based privilege escalation are very simple to perform. The difficult part is not the enactment of password resets, because that is easy. The difficult part here is in one's ability to accurately perform password reset analysis i.e. accurately find out exactly who can reset whose passwords in Active Directory.
It turns out that in order to perform accurate password reset analysis, one needs to know how to correctly determine effective permissions/access on user accounts in Active Directory.
Unfortunately, the Active Directory security expertise required to correctly determine effective permissions/access in Active Directory is a rarity, and hardly anyone in the world knows how to do so. In fact, even the world's top software and top cyber security companies do not know how to do so, and most hackers barely know much about Active Directory security.
This is probably the reason that most organizations, cyber security companies as well as hackers, do not know much about this highly potent attack vector yet, i.e. until now.
If an entity were to be able to apply deep Active Directory security expertise and automate the determination of effective permissions/access in Active Directory, this would become easy.
At Paramount Defenses, we applied our deep Active Directory security expertise to develop Gold Finger Mini, the world's 1st fully-automated accurate password reset analysis tool to demonstrate that it is possible to automate the complex password reset analysis process by automating the accurate determination of effective permissions/access in Active Directory.
Gold Finger Mini was designed for use by organizational users to help them find out who can reset their passwords, and help them play a role in enhancing organizational cyber security.
Gold Finger Mini
With Gold Finger Mini, anyone with access to a domain account can find out who can reset whose passwords and thus identify privilege escalation paths in Active Directory deployments.
With Gold Finger Mini, IT personnel can now accomplish in seconds what otherwise takes hours to do if attempted manually, i.e. accurately find out who can reset whose passwords.
A Hundred Privilege Escalation Paths –
Today, in virtually every Active Directory deployment worldwide, there are not just a few, but in fact, 100s and in all likelihood, potentially 1000s of such privilege escalation paths.
With a password reset analysis tool, today anyone with a domain account can easily perform password reset analysis to identify privilege escalation paths leading to all admin accounts.
Any malicious perpetrator that can find even 1 such privilege escalation path, could easily exploit it to instantly gain unrestricted (system-wide) administrative access in the organization.
Authenticated User to Domain Admin in 5 minutes –
This attack vector is so powerful that those who know how to employ it can escalate their privilege from an authenticated user to an Active Directory administrator within 5 minutes.
As illustrated above, the privilege escalation path identified by the perpetrator is: Perpetrator > Jack Doe > Jim Doe > Jane Doe > John Doe > Active Directory Administrator
It may be noted that the only assumption made is that the perpetrator has compromised a single domain user account or a domain joined computer, and is thus an authenticated user.
As an authenticated user, the malicious perpetrator only needs to enact the following steps to successfully escalate his privilege to that of an Active Directory administrator –
- Begin by using his hacking expertise to compromise the most vulnerable account (or his computer, and subsequently his user account) in the chain i.e. Jack Doe's account.
- Log in as Jack Doe, launch ADUC or GF Mini to locate Jim Doe's account, then reset Jim's password, to say TwoMinutesAway
- Log in as Jim Doe with the password TwoMinutesAway, then launch ADUC / GF Mini to locate Jane Doe's account, then reset Jane's password, to say OneMinuteAway
- Log in as Jane Doe with the password OneMinuteAway, then launch ADUC / GF Mini to locate John Doe's account, then reset John's password, to say WhoNeedsPtH
- Log in as John Doe with the password WhoNeedsPtH, then launch ADUC / GF Mini to locate the target Active Directory admin's account, then reset his password, to say 0wned
- Log in as the Active Directory admin with the password 0wned.
A password reset takes 10 seconds, and a logon/logoff takes about 1 minute, so the entire sequence of steps involved in the privilege escalation (steps 2 - 6) takes less than 5 minutes.
In this manner, having identified a privilege escalation path based on password reset analysis, the malicious perpetrator now successfully elevates his privilege, from an authenticated user to an Active Directory administrator, in less than 5 minutes.
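The sequence of resets above has a recognisable footprint in the Windows Security log: each reset raises Event ID 4724 ("An attempt was made to reset an account's password"), with the Subject (who performed it) and Target Account fields. The following added detection, not from the page or any vendor, parses a constructed, simplified one-line-per-event format that carries just those fields, and raises two kinds of finding: a reset of a privileged account by someone outside an authorised list, and a chain in which the target of one reset becomes the subject of the next within a short window, which is exactly the stepwise pattern described above. The event ID is real; the line format, account names and allow-lists are assumptions:

```python
import re
from datetime import datetime, timedelta

# Constructed allow-lists (assumptions for the example).
PRIVILEGED_ACCOUNTS = {"ad.admin"}
AUTHORIZED_RESETTERS = {"ad.admin", "helpdesk.svc"}
CHAIN_WINDOW = timedelta(minutes=10)

# Simplified one-line form of Event ID 4724 / 4738 records: timestamp, event id,
# Subject account name, Target account name. Real events are EVTX/XML.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) Subject=(?P<subject>\S+) Target=(?P<target>\S+)$")

# Constructed sample log: one routine helpdesk reset, then the four-step chain.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z 4724 Subject=helpdesk.svc Target=new.hire
2024-05-01T09:12:10Z 4724 Subject=jack.doe Target=jim.doe
2024-05-01T09:13:20Z 4724 Subject=jim.doe Target=jane.doe
2024-05-01T09:14:30Z 4724 Subject=jane.doe Target=john.doe
2024-05-01T09:15:40Z 4724 Subject=john.doe Target=ad.admin
2024-05-01T09:40:00Z 4738 Subject=helpdesk.svc Target=new.hire
"""


def parse_events(text):
    """Parse the simplified log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "subject": m["subject"],
            "target": m["target"],
        })
    return events


def privileged_reset_alerts(events):
    """Every 4724 whose target is privileged and whose subject is not authorised."""
    return [e for e in events
            if e["eid"] == 4724
            and e["target"] in PRIVILEGED_ACCOUNTS
            and e["subject"] not in AUTHORIZED_RESETTERS]


def reset_chains(events, window=CHAIN_WINDOW, min_length=3):
    """Link 4724 events where the target of one reset is the subject of a later
    reset within `window`; return account chains of at least `min_length`."""
    resets = sorted((e for e in events if e["eid"] == 4724), key=lambda e: e["ts"])
    chains = []  # each entry: [list_of_accounts, timestamp_of_last_reset]
    for e in resets:
        extended = False
        for chain in chains:
            accounts, last_ts = chain
            if accounts[-1] == e["subject"] and e["ts"] - last_ts <= window:
                accounts.append(e["target"])
                chain[1] = e["ts"]
                extended = True
        if not extended:
            chains.append([[e["subject"], e["target"]], e["ts"]])
    return [accounts for accounts, _ in chains if len(accounts) >= min_length]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for a in privileged_reset_alerts(events):
        print(f"ALERT privileged reset: {a['subject']} -> {a['target']} at {a['ts']}")
    for chain in reset_chains(events):
        print("ALERT reset chain:", " > ".join(chain))
```

On the sample log the helpdesk reset stands alone (a two-account chain, below the threshold) while the four resets between 09:12 and 09:16 link into jack.doe > jim.doe > jane.doe > john.doe > ad.admin, and the last of them also fires the privileged-target rule. Chaining works even when no single reset looks suspicious on its own, which is why it complements the static who-can-reset-whom analysis rather than replacing it.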
Unrestricted Privileged (Administrative) Access in your IT Infrastructure –
Once the malicious perpetrator has logged in as the Active Directory administrator, he now possesses unrestricted privileged (administrative) access in your IT infrastructure.
He can obtain access to, copy, tamper, destroy and/or divulge any and all IT resources in your IT infrastructure, irrespective of whether or not other security controls may be in place.
That is because an Active Directory admin is a part of an Active Directory based IT infrastructure's Trusted Computing Base (TCB), and one cannot protect a system from its own TCB.
For instance, he/she can –
- Use the power of Group Policy to modify the security policy of any domain joined computer (laptop, desktop, server etc.)
- Log on to any domain-joined machine as an administrator, and consequently obtain access to all IT resources stored on that machine
- Log on to any domain-joined machine as an administrator, and consequently alter or control any service or application running on that machine
- Reset the password of any domain user account, and subsequently log on as that user account to obtain access to everything that account has access to.
- Modify the membership of any domain security group to gain access to any or all IT resources that are currently being protected by that domain security group.
These are merely a few examples of how much damage a perpetrator who is able to compromise an Active Directory account can inflict. In the worst case scenario, it could be colossal.
Game Over (Inflicting Colossal Damage) –
In the worst case scenario, the amount of damage that a single malicious perpetrator could inflict by compromising a single Active Directory administrative account could be colossal.
For instance, here is what a highly proficient malicious perpetrator could potentially do immediately after compromising an Active Directory administrative account –
- Begin by executing a simple script that immediately disables all user accounts, including all administrative accounts, so that no one else can logon to stop the perpetrator
- Next, use Group Policy to push out a script to every domain-joined machine that will force a restart and disallow interactive and network logons to everyone (except this admin)
- Then, quickly install a pre-configured and tested Internet Gateway that has a terabit/gigabit connection to an external network owned by the malicious perpetrator
- Use Group Policy to push out a pre-written script to every domain-joined machine that when executed will cause all data on that computer to be transmitted to that external network via the Internet Gateway installed in step 2, then destroy the local copy of that data, and finally destroy critical operating system files rendering the computer useless.
- Subsequently execute another script that will destroy every Domain Controller in effect destroying the very foundation of the entire IT infrastructure, leaving nothing to recover.
With nothing left to recover, even a $100B organization could be quickly reduced to a petty $100M, not including the legal and punitive costs associated with any litigation that might follow.
Note: This was merely one example involving a perpetrator targeting an administrative domain user account. In this manner, a perpetrator could easily also target any other domain user account (e.g. the CEO's account), domain security group (e.g. All Fulltime Employees), domain computer account (e.g. that of a Web Server), service connection point (e.g. one for a mission-critical line-of-business application) or Organizational Unit, and inflict targeted and possibly substantial damage very quickly. For complete details please see the Attack Surface section.
In Summary –
Active Directory privilege escalation based on the identification and exploitation of unauthorized access grants in Active Directory is the #1 cyber security risk to organizations worldwide.
Organizations are advised to take this risk very seriously, escalate it to the highest levels, enact adequate risk mitigation measures and ensure that this risk is adequately mitigated.
For a proficient well-backed malicious perpetrator, 1 opportunity could be sufficient to use this attack vector to inflict colossal, and in the worst-case, irreversible damage to the organization.