Lessons Learned

Rich
6 min readMar 3, 2023

TL;DR Summary of our 15 part Auditing AD Series.

Welcome to the summary of our Auditing AD Series!

Part I: 3 warm up questions to get us started

Part II: Who can reset the CISO’s password?

Part III: Who can execute DCSync?

Part IV: Who can modify the Domain Admins group?

Part V: Domain dominance in minutes via ACL abuse (i.e. why auditing AD matters)

Part VI: Why Allow statements matter a LOT more than Deny ones

Part VII: Sneaky persistence via hidden objects in AD

Part VIII: SDDL, what is it, does it matter?

Part IX: Do you know who owns your domain?

Part X: Who can push ransomware via Group Policy?

Part XI: Free ways to simplify auditing AD

Part XII: Sidenote on arcane rights like Self

Part XIII: Sidenote on the ScriptPath right

Part XIV: Self & so called “Effective Permissions”

Part XV: Inheritance Explained & an Example

Part XVI: Summary of our Auditing AD Series

Annex A: Scrubbing Group Policy for local admins

Annex B: What Property Sets in AD are, & why they matter

Annex C: Dangerous Rights & RE GUIDs Cheatsheet

Annex D: Mishky’s Blue Team Auditor

Annex E: Even ChatGPT gets this stuff wrong

Annex F: Get-ADPermission Cheatsheet

Annex G: Mishky’s Red Team Enumerate & Attack tools

Background

I decided to make a summary as the lessons learned is a bit lengthy. Some are bullet points, others are more paragraph length. Please note that the original summary was not as well put together. I am leaving it alone rather than scrapping it completely and simply linking this one in the series.

Additionally, this summary mentions the vendor who provided the VM used for much of this auditing series a lot. This is simply because they posed the questions that we answered and because, unlike Microsoft, they are one of the organizations out there that is still focused on securing ‘on prem’ AD.

So without further ado, let’s sum this all up.

So called “Effective Permissions”

Here at test.local we have a fundamental disagreement with the vendor who posed the questions we answered in this series. We don’t really agree with the term “effective permissions”, nor with the definition they insist on.

  • The vendor insists that “Effective Permissions” are Allows & Denys in DACLs
  • They seem to think that certain privileges don’t count.

We on the other hand have shown how

Perhaps most importantly though we have shown our work along the way, line by line, command by command, including exactly how to setup the scenarios the vendor had thrown out there and then abuse them.

AD Truths

  • Everything in AD is an object
  • Objects have their own attributes, DACLs, & SACLs
  • Objects can take actions on other objects
  • What actions they can take depend on the DACL
  • What actions they took are logged according to the SACL

It is important to bear the above in mind as many general security courses teach that subjects take actions on objects, for example. This would be a dangerous misconception to carry into auditing & securing a Windows domain.

An easy example

Take for example the DACL shown below in the GUI:

Who has rights on this OU? Who could link a GPO to it? The vendor might tell you that no one can.

Add a Deny ACE or two to the above and ask an even better question; did anything actually change?

Import-Module ActiveDirectory ; Set-Location AD: ; (Get-Acl (Get-ADOrganizationalUnit “ou=test,ou=vips,dc=test,dc=local”).DistinguishedName).Access

Do these Deny ACEs even matter here?

So called “Permissions Analysis”

This brings us to the next fundamental disagreement. They would tell you that “Active Directory permissions analysis is mostly futile”. Here at test.local we disagree. If a group should not have a given privilege then remove the Allow ACE that gives them it. If a given user should not have a certain privilege then remove them from the group. Sure you could try to setup a tangled web of conflicting Allows, Denys, group memberships, etc … but that course of action is likely to only make your Misconfiguration Debt worse. It’s also likely to leave gaps that a clever attacker can slink through.

What we do agree on

  • AD is secure by default
  • If it’s insecure due to misconfiguration, it’s probably because those in charge don’t care enough
  • If AD gets compromised then it’s game over for your org
  • ‘on prem’ Windows domain security is critical, even if Microsoft doesn’t mention it much anymore
  • Detection is a distant second to Prevention

Small disagreements

That vendor seems to be stuck in the early 00s. They seem to be unaware of PowerShell. They keep using the GUI, cmd.exe, and old tools like dsacls as examples.

They seem to harbor a deep seated hatred of free, open source tools like BloodHound and PowerShell. Perhaps this is due to the culture at the old Microsoft, the Microsoft of Steve Ballmer. By contrast the new Microsoft is one of the largest contributors to open source projects on github. They have more employees working on open source than Red Hat does.

Summary

We end this collection of bullet points much the same way we ended every howto in this series.

  • Auditing AD is not sexy or exciting.
  • It doesn’t get much attention.
  • However it is crucial to make sure the previous admin team didn’t leave behind a mess.
  • Clean up your Misconfiguration Debt before an attacker gains a foothold and takes advantage of it.
  • You can spend a boatload on a proprietary tool or you can do it with built-in and/or open source tools for free
  • The important thing is that you do it.

Stay safe out there.

References

Microsoft on effective permissions: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772184(v=ws.11)?redirectedfrom=MSDN

Vendor’s points on AD security: https://blog.paramountdefenses.com/2020/05/active-directory-security-for-cyber-security-experts.html

Snowden and password sharing: https://www.theverge.com/2013/11/7/5079428/snowden-used-colleagues-passwords-to-access-secret-files-report-says

4 ways to capture NTLMv2: https://www.hackingarticles.in/4-ways-capture-ntlm-hashes-network/

More about capturing NTLMv2: https://0xdf.gitlab.io/2019/01/13/getting-net-ntlm-hases-from-windows.html

20 ways to capture NTLMv2: https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/

Microsoft on credential theft attacks: https://learn.microsoft.com/en-us/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract

“script kiddie”: https://blog.paramountdefenses.com/2020/06/unleashing-ransomware-using-active-directory.html

Script kiddie actual definition: https://www.urbandictionary.com/define.php?term=script%20kiddie

One vendor’s criticism of a great free tool: https://www.active-directory-security.com/2020/02/bloodhound-for-ad-is-bloody-inaccurate.html

Info on BloodHound updates: https://wald0.com/?p=112

Sean Metcalf presentation on Windows domain security: https://adsecurity.org/wp-content/uploads/2019/02/2019-ITDefense-SecuringActiveDirectoryAdministration-Metcalf-Final.pdf

John Lambert’s advice: https://github.com/JohnLaTwC/Shared/blob/master/Defenders%20think%20in%20lists.%20Attackers%20think%20in%20graphs.%20As%20long%20as%20this%20is%20true%2C%20attackers%20win.md

John Lambert Defender’s Mindset: https://medium.com/@johnlatwc/defenders-mindset-319854d10aaa

SAMAccountName spoofing: https://pentestlab.blog/2022/01/10/domain-escalation-samaccountname-spoofing/

Lapsus social engineering: https://www.techrepublic.com/article/microsoft-warns-destructive-attacks-lapsus-cybercrime-group/

Microsoft on DEV-0537, aka Lapsus$, TTPs: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

Trimarc AD Security Assessment: https://www.trimarcsecurity.com/ad-security-assessment

Microsoft AD Security Assessment: https://docs.microsoft.com/en-us/services-hub/health/getting-started-adsecurity

--

--

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.