This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.

1. The Unintended Risks
of Trusting Active
Directory

2. @harmj0y
Red teamer and offensive engineer
at SpecterOps
Adaptive Threat Division alumni
Avid blogger (http://harmj0y.net)
Co-founder of Empire,
BloodHound, Veil-Framework
2

3. @tifkin_
Red teamer, hunter, and
researcher at SpecterOps
Adaptive Threat Division alumni
Forever going after shiny things
Contributor to various
projects/blog posts
3

4. @enigma0x3
Red teamer and security
researcher at SpecterOps
Adaptive Threat Division alumni
Avid blogger
(https://enigma0x3.net/), COM
lover, CVE holder
4

5. “As an offensive researcher, if you
can dream it, someone has likely
already done it...and that someone
isn’t the kind of person who speaks
at security cons.”
5
Matt Graeber
“Abusing Windows Management
Instrumentation (WMI) to Build a Persistent,
Asynchronous, and Fileless Backdoor”
BlackHat 2015

6. What is
“Admin Access” ?
Hint: it’s more complicated
than just “local administrators”!
6

7. The “True” Nature of Administrative Access
▪ Controversial statement: membership in a system’s
local administrators group isn’t what ultimately
matters!
▪ What actually matters is what local/domain groups
have access to specific remote resources (RPC,
remote reg, WMI, SQL, etc.) based on the host
service’s security descriptors
7

8. 8
CIFS
Remote
Registry
WinRM
SCM
WMI
RPC :)
SD
SD
“LOCAL
Administrators”
GENERIC_ALL
“DOMAINuser”
SC_MANAGER_C
REATE_SERVICE
Etc.
SD
SD
SD
SD

9. Wait, Security
Descriptors? ACLs?
What are Those and Why Should I Care?
9

10. Security descriptors are the
Windows mechanism to control
authenticated access to
resources, or “securable objects”
10
PS: lots of caveats here :)

11. What Is a
“Securable Object”?
Why, a Windows object that can have
a security descriptor, of course!
11

12. SECURITY_DESCRIPTOR
12https://msdn.microsoft.com/en-us/library/windows/hardware/ff556610(v=vs.85).aspx

13. From ACLs to DACLs to SACLs
▪ An Access Control List (ACL) is basically shorthand
for the DACL/SACL superset
▪ An object’s Discretionary Access Control List
(DACL) and System Access Control List (SACL) are
ordered collections of Access Control Entries (ACEs)
▫ DACL - What principals/trustees have what rights over the
object
▫ The SACL - Specifies how to audit access to the object
13

14. 14

15. tl;dr
▪ Security descriptors are just the mechanism that
Windows uses to define what users (principals)
can perform what actions on a specific object,
either in Active Directory or on the host
▫ When access is requested, some process enumerates
the effective security identifiers (SIDs) of the requestor,
compares them to the information in the DACL, and
decides whether to grant access
15

16. OK, That’s “Cool”
but Why Should I
Care, Really?
16

17. Why Care?
▪ It’s often difficult to determine whether a specific security
descriptor misconfiguration was set maliciously or configured
by accident
▫ Existing misconfigurations: privesc opportunities
▫ Malicious misconfiguration changes: persistence!
▪ These changes often have a minimal forensic footprint
▪ Most defenders are not aware of this general persistence
approach, much less how to find and remediate it
▫ Nor are they aware of existing misconfigurations that affect privesc...
17

18. Host-based Security
Descriptors
More than just the service control manager yo’

19. Discovering Host Securable Objects
▪ Windows documentation lists about 20-30 securable
objects*
▪ We’ve identified 70+! (There are *many* more)
▪ Microsoft Protocol Specifications
▫ Very useful for RPC servers!
▪ Find-RegistrySecurityDescriptors.ps1
19*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx

20. 20

21. Online vs Offline Security Descriptors
▪ Where do objects get their security descriptor?
▫ Offline - Security descriptor derived from registry, file, etc.
▫ Online - Security descriptor is in memory
▪ Our approach for enumeration:
▫ Locally as an unprivileged user
▫ Locally as a privileged user
▫ Remotely as an unprivileged user
▫ Remotely as a privileged user
21

22. Example: Remote Registry
▪ Imagine this scenario: remotely dumping an
endpoint’s machine account hash as an “unprivileged”
user (i.e. not in local admins)!
▪ Backdoor Process
▫ Remotely backdoor the winreg key with an attacker-
controlled user/group (this key == remote registry access)
▫ Add malicious ACEs to the SECURITY and SYSTEM hives
22

23. Example: Remote Registry
▪ (Remote) Backdoor Execution
▫ As the backdoor (domain or local) user, connect to the
remote registry service on the backdoored system
▫ Open up specific reg keys linked to LSA and extract their
classes
▫ Combine these class values and compute the BootKey
▫ Use the BootKey to decrypt the LSA key
▫ Use the LSA key to decrypt the machine account hash!
▫ EVERYONE GETS A SILVER TICKET!!
23

24. Active Directory Security
Descriptors
Everything needs an access control model, even AD

25. Active Directory ACL Advantages
25
▪ A big advantage: by default the DACLs for nearly
every AD object can be enumerated by any
authenticated user in the domain through LDAP!
▪ Other advantages of AD ACLs:
▫ Changes also have a minimal forensic footprint
▫ Changes often survive OS and domain functional level
upgrades, i.e. “misconfiguration debt”
▫ Anti-audit measures can be taken!

26. 26
Security
Descriptors:
AD GUI
Edition

27. Generic Rights We Care About
27
GenericAll Allows ALL generic rights to the specified object
GenericWrite Allows for the modification of (almost) all
properties on a specified object
WriteDacl Grants the ability to modify the DACL in the
object security descriptor
WriteOwner Grants the ability to take ownership of the object

28. Object-specific Rights We Care About
28
Users User-Force-Change-Password or write to
the servicePrincipalName
Groups Write to the member property
Computers None outside of LAPS :(
GPOs Modification of GPC-File-Sys-Path
Domains WriteDacl to add DCSync rights

29. Example: Abusing Exchange
▪ Exchange Server introduces several schema changes,
new nested security groups, and MANY control
relationships to Active Directory, making it a perfect
spot to blend in amongst the noise!
▪ Pre Exchange Server 2007 SP1, this included the
WriteDACL privilege against the domain object itself
with Exchange Trusted Subsystem as the principal
29

30. Example: Abusing Exchange
▪ Backdoor Process
▫ Identify a non-protected security group with local admin
rights on one or more Exchange servers
▫ Grant Authenticated Users full control over this security
group
▫ Change the owner of the group to an Exchange server
▫ Deny Read Permissions on this group to the Everyone
principal
30

31. Example: Abusing Exchange
▪ Backdoor Execution
▫ Regain access to the Active Directory domain as any user
▫ Add your current user to the backdoored security group
▫ Use your new local admin rights on an Exchange server to
execute commands as the SYSTEM user on that computer
▫ Abuse the rights Exchange Trusted Subsystem has over
the domain object (i.e. WriteDacl!)
▫ More information: http://bit.ly/2IIK3K3
31

32. Active Directory + Host
ACL Abuse
Plugging the Gaps in Attack Chains

33. ▪ Prior to joining active directory, the host is in ultimate
control of who can access its resources
▪ After a machine is joined to AD, a few things happen:
▫ The machine is no longer solely in charge of authentication
▫ A portion of key material for the host is stored in another
location (machine account hash in ntds.dit)
▫ Default domain group SIDs are added to local groups
▫ Management is no longer solely left to the host (i.e. GPOs :)
“Risks” Of Joining Active Directory
33

34. Active Directory: Before and After
34
Workgroup Active Directory
Security Principals Local users/groups
+ Domain
users/groups
Access/Permission
Management
Host-based Security
Descriptors
+ Default domain
groups added to
local groups
Authentication NTLM (SAM)
+ Kerberos/NTLM
(NTDS)
Resource
Administration
Manual + GPOs

35. Active Directory: Before and After
35
DCOM
Service
Administrators
admin
DOMAINDomain Admins
Distributed
COM Users
DOMAINsrvcacct
DOMAINjohnDOMAINsrvadms
DOMAINlee

36. The “Actual” Attack Graph
▪ BloodHound doesn’t (currently) take host based
security descriptors into account
▪ The actual access graph that exists in a domain
includes the security descriptors for every remotely
accessible service on every host + AD descriptors
▫ Includes “unrolling” groups… this may not be (currently)
realistically possible to model in large environments ¯_(ツ)_/¯
36

37. Security Implications
▪ Host-based security descriptors are the missing
link when thinking about domain attack graphs!
▪ There ARE existing misconfigurations in the security
descriptors in some host-based services!
▫ More to come this summer, stay tuned :)
▪ Host-based security descriptor modifications can be
chained with AD misconfigurations/modifications
▪ “Fills the gap” left by the lack of an AD ACL computer primitive
37

38. tl;dr Security Implications of Joining Active Directory
▪ When you join a system to Active Directory, you’re
introducing additional nodes into the access graph
that may affect the security of other systems
▪ You’re also implicitly trusting the security of a
large number of other nodes in the graph as well
▫ You’re almost certainly exposing your system’s services
to more access than you realize!
38

39. Case Study #1
Picking on Exchange Again :)

40. Case Study: Exchanging Rights
▪ We saw before that the Exchange Trusted
Subsystem group (which contains Exchange servers)
often has a huge number of rights over the domain
▪ So let’s integrate the remote registry host-based
backdoor on an Exchange box!
▫ No changes to the DC or any AD data
▫ Takes advantage of existing misconfigurations!
40

41. [DEMO]
41

42. Case Study #2
Abusing Existing Misconfigurations

43. Case Study: Abusing Existing Misconfigurations
▪ GPOs set lots of interesting settings!
▫ They can even set host-based security descriptors: )
▫ Imagine one that modifies the security descriptor for SCM
▪ We can also easily correlate GPOs to find what
systems they apply to
▪ What happens if the group SID set for the
descriptor via GPO, after unrolling, contains a
service account...
43

44. 44
[DEMO]

45. 45
Summary
▪ Access is more than just “local administrators” !
▪ You should really care about security descriptors!
▪ Host based security descriptors (accidentally
misconfigured or maliciously backdoored) can have far-
reaching implications for the security of other
systems in the domain!

46. 46
Questions?
You can find us at @SpecterOps:
▪ @harmj0y , @tifkin_ ,
@enigma0x3
▪ [will,lee,matt]@specterops.io