Paramount Defenses – Privileged Access Insight: Threat Sources

It could be any insider, or outsider.

Threat Sources – It Could be Anyone

Anyone with a domain account could potentially identify and exploit privilege escalation paths in Active Directory to quickly compromise a privileged access account or group and inflict damage.

In several recent breaches, either an Advanced Persistent Threat (APT) or an external malicious perpetrator has succeeded in compromising and misusing a privileged access account.

However, although an APT or a motivated external malicious perpetrator may appear to be the most likely threat source, in reality it could be anyone on the inside, especially a trusted insider.

For instance, if one were to consider a scenario wherein a trusted or privileged insider might turn rogue, or be coerced into using their privilege, the threat surface would change dramatically.

At the end of the day, one has to consider the inadvertent, rogue or coerced misuse of a domain account, in which case, literally every domain account is a potential threat source.




Summary of Threat Sources

The following is a summary of the primary external and internal sources that could pose a threat to the security of unrestricted and restricted administrative accounts and security groups –

  1. External Threat Sources
    1. An Advanced Persistent Threat (APT)
    2. An External Malicious Perpetrator
    3. A Hacktivist Group or a Lone-Wolf Hacker
  2. Internal Threat Sources
    1. Any Compromised, Unproficient, Rogue or Coerced Limited Privileged-Access Account Holder
    2. Any Compromised or Misused Computer whose domain account is Trusted for Unconstrained Delegation
    3. Any Compromised, Disgruntled, Rogue or Coerced Contractor, Vendor or Employee Account

> The preferred modus operandi for an external threat source is to compromise the domain account of an internal threat source to gain a foothold inside the perimeter and to obtain authenticated-user level access. This level of access can then be easily used to identify a large number of privilege escalation paths to an unrestricted administrative access account or group, and once identified, this compromised internal domain account can then also be used to escalate privilege and gain unrestricted administrative access, any day and time the perpetrator wishes to do so.




In light of the above, the top 3 threat sources are listed below, in prioritized order.




Limited Privileged-Access Account Holders – Active Directory Delegated Administrators

The compromised, deliberate or coerced misuse of an account that knowingly or unknowingly possesses limited privileged (administrative) access is the #1 threat source to unrestricted administrative accounts and groups. The accounts of all individuals that are delegated any level of administrative access rights in Active Directory are a classic example of such an account.

This is so because these individuals almost always already possess sufficient privilege to be able to directly or indirectly compromise an administrative account or group in Active Directory.

For instance, should a delegated administrative account holder have sufficient effective access to be able to reset the password of an unrestricted access administrative account, he/she could directly reset the password of that unrestricted administrative account to elevate his/her privilege and gain unrestricted administrative access across the network.

Similarly, should a delegated administrative account holder have sufficient effective access to be able to modify the permissions on an organizational unit (OU) in which an administrative account resides, he/she could indirectly influence the permissions protecting that administrative account to elevate his/her privilege and also gain unrestricted administrative access across the network.

There are 4 scenarios worthy of consideration here –

  1. Compromised Account – The #1 threat is from a compromised Active Directory delegated admin account, i.e. one that may have been compromised by an external source (e.g. an APT).
  2. Rogue Individual – The #2 threat is from an individual who is an Active Directory delegated admin and has turned rogue, for whatever reason (e.g. disgruntled due to a recent decision).
  3. Accidental Mistake – The #3 threat is from an individual who is an Active Directory delegated admin and accidentally makes a mistake (e.g. changes the Domain Admins membership).
  4. Coerced Individual – The #4 threat is from an individual who is an Active Directory delegated admin and has been coerced by someone to misuse his/her authority to inflict damage.

In each of the 4 situations outlined above, the risk of compromise of an unrestricted Active Directory administrative access account or group is high.




Computers Trusted for Unconstrained Delegation

Computers whose domain computer accounts are Trusted for Unconstrained Delegation are the #2 threat source to administrative accounts and groups.

This is so because any service that is running as System or Network Service on these domain-joined computers can impersonate any client of that service across the network.

For instance, consider a scenario wherein a service running on a computer whose domain account is Trusted for Unconstrained Delegation is accessed by a Domain Admin. In this situation, unless the Domain Admin's account has the "Account is sensitive and cannot be delegated" setting enabled, the service could go across the network as though it were the Domain Admin, and obtain access to any resource to which a Domain Admin might have access.

Anyone who can compromise such a computer and control such a service, and lure an unrestricted administrative access account holder to use the service, could easily escalate their privilege.

There are 4 scenarios worthy of consideration here –

  1. Compromised Computer – The compromise of a computer that is trusted for unconstrained delegation could be used to host a malicious service that could impersonate a privileged client.
  2. Rogue IT Admin – A rogue/disgruntled IT admin responsible for managing such a computer could also install or configure a malicious service that could impersonate a privileged client.
  3. Accidental Mistake – An individual that is delegated the ability to manage a computer's domain computer account (in Active Directory) could accidentally enable this setting on it.
  4. Coerced Individual – An individual that is delegated the ability to manage a computer's domain computer account (in Active Directory) could be coerced into forcibly enabling this setting.

In each of the 4 situations outlined above, the risk of compromise of an unrestricted Active Directory administrative access account or group is high.
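As an added example (not code from this page or from Paramount Defenses), the following Python audit checks directory account records for the two conditions this section describes: computer accounts flagged Trusted for Unconstrained Delegation, and privileged accounts that lack the "Account is sensitive and cannot be delegated" setting. The records, group DNs and account names are constructed for the example; the userAccountControl bit values are the documented Windows flags. It also treats membership of the Protected Users group as protection, since that group prevents delegation of its members' credentials, and it leaves domain controllers out by default because they are trusted for unconstrained delegation by design.

```python
"""
Added example (not Paramount Defenses' code): audit constructed Active Directory
account records for (a) computer accounts trusted for unconstrained delegation
and (b) privileged accounts whose credentials can still be delegated.
In a real audit the records would come from an LDAP search returning
sAMAccountName, objectClass, userAccountControl and memberOf.
"""
from __future__ import annotations

# userAccountControl bit flags (documented Windows values).
UF_NORMAL_ACCOUNT = 0x200               # ordinary user account
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # member server / workstation computer account
UF_SERVER_TRUST_ACCOUNT = 0x2000        # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000     # "Trust this computer for delegation to any service"
UF_NOT_DELEGATED = 0x100000             # "Account is sensitive and cannot be delegated"

# Constructed DNs for the example domain (assumptions, not real values).
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=example,DC=com"
# Protected Users membership also blocks delegation of the member's credentials.
PROTECTED_USERS = "CN=Protected Users,CN=Users,DC=example,DC=com"

# In AD a computer object carries objectClass "user" as well as "computer",
# so "computer" is the discriminating class, not "user".
COMPUTER_CLASSES = ["top", "person", "organizationalPerson", "user", "computer"]
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample records (not taken from any real directory).
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC01$", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION, "memberOf": []},
    {"sAMAccountName": "WEB01$", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION, "memberOf": []},
    {"sAMAccountName": "FILE01$", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT, "memberOf": []},
    {"sAMAccountName": "alice", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT, "memberOf": [DOMAIN_ADMINS]},
    {"sAMAccountName": "bob", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED, "memberOf": [DOMAIN_ADMINS]},
    {"sAMAccountName": "carol", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT, "memberOf": [DOMAIN_ADMINS, PROTECTED_USERS]},
    {"sAMAccountName": "dave", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT, "memberOf": []},
]


def unconstrained_delegation_hosts(records: list[dict], include_dcs: bool = False) -> list[str]:
    """Computer accounts with TRUSTED_FOR_DELEGATION set. Domain controllers are
    skipped unless include_dcs is True, since they carry the flag by design."""
    hosts = []
    for rec in records:
        if "computer" not in rec["objectClass"]:
            continue
        uac = rec["userAccountControl"]
        if not uac & UF_TRUSTED_FOR_DELEGATION:
            continue
        if uac & UF_SERVER_TRUST_ACCOUNT and not include_dcs:
            continue
        hosts.append(rec["sAMAccountName"])
    return sorted(hosts)


def unprotected_privileged_accounts(records: list[dict], privileged_groups: set[str]) -> list[str]:
    """User accounts in a privileged group that are neither marked NOT_DELEGATED
    nor members of Protected Users. Note: memberOf is not transitive and does
    not reflect primaryGroupID; expand nested groups before relying on it."""
    exposed = []
    for rec in records:
        if "computer" in rec["objectClass"]:
            continue
        groups = set(rec["memberOf"])
        if not groups & privileged_groups:
            continue
        protected = bool(rec["userAccountControl"] & UF_NOT_DELEGATED) or PROTECTED_USERS in groups
        if not protected:
            exposed.append(rec["sAMAccountName"])
    return sorted(exposed)


def report(records: list[dict]) -> dict[str, list[str]]:
    """Both findings in one structure, convenient for ticketing or a dashboard."""
    return {
        "unconstrained_delegation_hosts": unconstrained_delegation_hosts(records),
        "delegatable_privileged_accounts": unprotected_privileged_accounts(records, {DOMAIN_ADMINS}),
    }


if __name__ == "__main__":
    for key, names in report(SAMPLE_RECORDS).items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

Against the constructed records the report flags WEB01$ (a member server trusted for unconstrained delegation) and alice (a Domain Admin whose credentials can still be delegated); bob is protected by the account flag and carol by Protected Users. When querying a live directory, the LDAP bitwise matching rule `1.2.840.113556.1.4.803` on userAccountControl narrows the search to the flagged accounts server-side.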




Unprivileged-Access Account Holders – Contractors, Vendors and Employees

Individuals who possess unprivileged access accounts are the #3 threat source to administrative accounts and groups.

This is so because these individuals at a minimum have authenticated-user level access, and this level of access is sufficient to be able to identify privilege escalation paths in Active Directory.

For instance, the account of any contractor, vendor or employee can be used to analyze the entirety of all security permissions protecting all Active Directory content, and determine exactly who has what level of access on all primary targets such as unrestricted and restricted administrative accounts and groups, and on all secondary targets such as executive accounts and groups.

Once such analysis is complete, and privilege escalation paths have been identified, the same account can also be used to compromise the initial target in the privilege escalation path.

There are 4 scenarios worthy of consideration here –

  1. Compromised Account – A compromised unprivileged-access account can be used by an external threat source (e.g. an APT) to identify and exploit privilege escalation paths.
  2. Disgruntled User – A disgruntled user who has an unprivileged-access account could use his/her account to identify and exploit privilege escalation paths.
  3. Rogue Individual – An individual who has an unprivileged-access account and has turned rogue could also use his/her account to identify and exploit privilege escalation paths.
  4. Coerced Individual – An individual who has unprivileged access could be coerced into misusing his/her access for the purpose of identifying and exploiting privilege escalation paths.

In each of the 4 situations outlined above, the risk of compromise of an unrestricted Active Directory administrative access account or group is medium.
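The analysis that both the delegated-administrator section and this section describe, determining who can reach an administrative account directly (a right on the account object itself, such as Reset Password) or indirectly (a right such as Write DACL on an ancestor OU, inherited down to the account), can be scripted so that defenders find these principals first. The Python below is an added example, not the page's or Paramount Defenses' code: the DNs, groups and ACEs are constructed, the right names are simplified labels rather than raw ACE access masks, and only the Reset Password extended-right GUID is a real Active Directory value. Its output is the set of accounts that need the same protection as the administrative account they can reach.

```python
"""
Added example (not Paramount Defenses' code): given a simplified view of the
ACEs protecting Active Directory objects and the group membership graph,
report which principals could take over a target administrative account,
either directly (rights on the account) or indirectly (inheritable rights
on a container above it). All directory data here is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Real extended-right GUID for User-Force-Change-Password ("Reset Password").
RESET_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"
EXTENDED_RIGHTS = {RESET_PASSWORD_GUID: "ResetPassword"}

# Rights that let a trustee take over the account when held on the account itself.
DIRECT_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "ResetPassword"}
# Rights that let a trustee rewrite the permissions that flow down to the account
# when held, with inheritance, on an ancestor container (OU) of the account.
CONTAINER_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner"}


@dataclass(frozen=True)
class Ace:
    object_dn: str   # object the ACE is set on
    trustee: str     # DN of the user or group granted the right
    right: str       # simplified right label, or an extended-right GUID
    inherit: bool    # True if the ACE propagates to child objects


def ancestors(dn: str, domain_root: str) -> list[str]:
    """Containers above dn, nearest first, up to and including the domain root."""
    result = []
    while dn != domain_root and "," in dn:
        dn = dn.split(",", 1)[1]   # drop the leading RDN
        result.append(dn)
    return result


def expand_trustee(trustee: str, membership: dict[str, set[str]]) -> set[str]:
    """The trustee plus every principal that is transitively a member of it."""
    seen, stack = set(), [trustee]
    while stack:
        principal = stack.pop()
        if principal in seen:
            continue
        seen.add(principal)
        stack.extend(membership.get(principal, ()))
    return seen


def escalation_paths(aces, membership, target_dn, domain_root):
    """(principal, granting trustee, right, object, kind) for every way in."""
    above = set(ancestors(target_dn, domain_root))
    findings = set()
    for ace in aces:
        right = EXTENDED_RIGHTS.get(ace.right, ace.right)
        if ace.object_dn == target_dn and right in DIRECT_RIGHTS:
            kind = "direct"
        elif ace.object_dn in above and ace.inherit and right in CONTAINER_RIGHTS:
            kind = "indirect"
        else:
            continue
        for principal in expand_trustee(ace.trustee, membership):
            findings.add((principal, ace.trustee, right, ace.object_dn, kind))
    return sorted(findings)


def principals_at_risk(aces, membership, target_dn, domain_root, users):
    """Only the user accounts (not groups) that can reach the target."""
    return sorted({f[0] for f in escalation_paths(aces, membership, target_dn, domain_root) if f[0] in users})


# Constructed example domain (assumptions, not real values).
DOMAIN_ROOT = "DC=example,DC=com"
TARGET = "CN=da-admin,OU=Admins,DC=example,DC=com"
G_HELPDESK = "CN=Helpdesk,OU=Groups,DC=example,DC=com"
G_OU_MANAGERS = "CN=OU-Managers,OU=Groups,DC=example,DC=com"
G_IT_LEADS = "CN=IT-Leads,OU=Groups,DC=example,DC=com"
G_AUDITORS = "CN=Auditors,OU=Groups,DC=example,DC=com"
G_DESKTOP = "CN=Desktop-Support,OU=Groups,DC=example,DC=com"
USERS = {n: f"CN={n},OU=Staff,DC=example,DC=com" for n in ("alice", "bob", "carol", "dave", "erin")}

SAMPLE_ACES = [
    Ace(TARGET, G_HELPDESK, RESET_PASSWORD_GUID, False),                  # direct: reset password
    Ace("OU=Admins,DC=example,DC=com", G_OU_MANAGERS, "WriteDacl", True),  # indirect: rewrite OU ACL
    Ace("OU=Admins,DC=example,DC=com", G_AUDITORS, "ReadProperty", True),  # read-only, not a path
    Ace("OU=Workstations,DC=example,DC=com", G_DESKTOP, "GenericAll", True),  # wrong subtree
    Ace(DOMAIN_ROOT, USERS["erin"], "WriteOwner", False),                # no inheritance, not a path
]
SAMPLE_MEMBERSHIP = {
    G_HELPDESK: {USERS["alice"], USERS["bob"]},
    G_OU_MANAGERS: {G_IT_LEADS},          # nested group
    G_IT_LEADS: {USERS["carol"]},
    G_AUDITORS: {USERS["dave"]},
    G_DESKTOP: {USERS["dave"]},
}

if __name__ == "__main__":
    for principal, via, right, obj, kind in escalation_paths(SAMPLE_ACES, SAMPLE_MEMBERSHIP, TARGET, DOMAIN_ROOT):
        print(f"{kind:8} {principal} via {via}: {right} on {obj}")
```

On the constructed data, alice and bob reach the target directly through the Helpdesk group's Reset Password right, and carol reaches it indirectly through nested membership of a group holding an inheritable Write DACL on the Admins OU; the auditors' read right, the rights on an unrelated OU, and the non-inheriting ACE at the domain root do not count. A production version would resolve real ACE access masks and object-type GUIDs, honour inheritance blocking on protected objects such as AdminSDHolder-managed accounts, and take group membership from the directory rather than a literal.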



In Essence

In essence, today just about anyone with a domain account can easily identify and could potentially exploit a large number of privilege escalation paths in any Active Directory deployment.

Consequently, external threat sources, such as an APT, hackers, etc. need only compromise any one domain account to gain a foothold, then easily identify and potentially exploit privilege escalation paths that can then be used to gain unrestricted administrative access across the network. Though the vastness of these threat sources cannot be reduced, the risk can be mitigated.

