Active Directory Recon is the new hotness since attackers, Red Teamers, and penetration testers have realized that control of Active Directory provides power over the organization.
I covered ways to enumerate access in AD using PowerView (written by Will @harmj0y) during my Black Hat & DEF CON talks in 2016 from both a Red Team and Blue Team perspective.
This post details how privileged access is delegated in Active Directory and how best to discover who has what rights and permissions to AD. When we run an Active Directory Security Assessment for customers, we review all of the data points listed in this post, including the privileged groups and the rights associated with them, by fully interrogating Active Directory, mapping the associated permissions to rights, and associating these rights with the appropriate groups (or accounts).
I have had this post in draft for a while and with Bloodhound now supporting AD ACLs (nice work Will @harmj0y & Andy @_Wald0!), it's time to get more information out about AD permissions. Examples in this post use the PowerView PowerShell cmdlets.
Active Directory Privileged Access
The challenge is in determining what access each group actually has. Often the full impact of what access a group actually has is not fully understood by the organization. Attackers leverage access (though not always intended access) to compromise Active Directory.
The key point often missed is that privileged access to Active Directory and key resources is more than just group membership; it is the combined rights the user has, which is made up of:
- Active Directory group membership.
- AD groups with privileged rights on computers.
- Delegated rights to AD objects by modifying the default permissions (for security principals, either direct or indirect).
- Rights assigned to SIDs in SIDHistory to AD objects.
- Delegated rights to Group Policy Objects.
- User Rights Assignments configured on workstations, servers, and Domain Controllers via Group Policy (or Local Policy) that define elevated rights and permissions on these systems.
- Local group membership on a computer or computers (similar to GPO assigned settings).
- Delegated permissions to shared folders.
Group Membership
Enumerating group membership is the easiest way to discover privileged accounts in Active Directory, though it often doesn't tell the full story. Membership in Domain Admins, Administrators, and Enterprise Admins obviously provides full domain/forest admin privileges. Custom groups are also created and delegated access to resources.
This screenshot shows using PowerView to find VMWare groups and list the members.
Interesting Groups with default elevated rights:
Account Operators: Active Directory group with default privileged rights on domain users and groups, plus the ability to logon to Domain Controllers
Well-Known SID/RID: S-1-5-32-548
The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.
Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights.
The Account Operators group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved.
Administrators: Local or Active Directory group. The AD group has full admin rights to the Active Directory domain and Domain Controllers
Well-Known SID/RID: S-1-5-32-544
Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain.
The Administrators group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all of the domain controllers in its domain, and it can change the membership of all administrative groups.
Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain.
This security group includes the following changes since Windows Server 2008:
Default user rights changes: Allow log on through Terminal Services existed in Windows Server 2008, and it was replaced by Allow log on through Remote Desktop Services.
Remove computer from docking station was removed in Windows Server 2012 R2.
Allowed RODC Password Replication Group: Active Directory group whose members can have their domain password cached on an RODC after successfully authenticating (includes user and computer accounts).
Well-Known SID/RID: S-1-5-21-<domain>-571
The purpose of this security group is to manage an RODC password replication policy. This group has no members by default, and it results in the condition that new Read-only domain controllers do not cache user credentials. The Denied RODC Password Replication Group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.
The Allowed RODC Password Replication group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008.
Backup Operators: Local or Active Directory group. AD group members can backup or restore Active Directory and have logon rights to Domain Controllers (default).
Well-Known SID/RID: S-1-5-32-551
Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the following groups: default service Administrators, Domain Admins in the domain, or Enterprise Admins. It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators.
The Backup Operators group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008.
Certificate Service DCOM Access: Active Directory group.
Well-Known SID/RID: S-1-5-32-<domain>-574
Members of this group are permitted to connect to certification authorities in the enterprise.
The Certificate Service DCOM Access group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008.
Cert Publishers: Active Directory group.
Well-Known SID/RID: S-1-5-<domain>-517
Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory.
The Cert Publishers group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008.
Distributed COM Users
Well-Known SID/RID: S-1-5-32-562
Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
The Distributed COM Users group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008.
DnsAdmins: Local or Active Directory group. Members of this group have admin rights to AD DNS and can run code via DLL on a Domain Controller operating as a DNS server.
Well-Known SID/RID: S-1-5-21-<domain>-1102
Members of the DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.
For information about other means to secure the DNS server service, see Securing the DNS Server Service.
This security group has not changed since Windows Server 2008.
Domain Admins: Active Directory group with full admin rights to the Active Directory domain and all computers (default), including all workstations, servers, and Domain Controllers. Gains this right through automatic membership in the Administrators group in the domain as well as on all computers when they are joined to the domain.
Well-Known SID/RID: S-1-5-<domain>-512
Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.
The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins), and by members of the Enterprise Admins group. This is considered a service administrator account because its members have full access to the domain controllers in a domain.
The Domain Admins group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008.
Enterprise Admins: Active Directory group with full admin rights to all Active Directory domains in the AD forest. It gains this right through automatic membership in the Administrators group in every domain in the forest.
Well-Known SID/RID: S-1-5-21-<root domain>-519
The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, such as adding child domains.
By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access for configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Membership can be modified only by the default service administrator groups in the root domain. This is considered a service administrator account.
The Enterprise Admins group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008.
Event Log Readers
Well-Known SID/RID: S-1-5-32-573
Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.
The Event Log Readers group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008.
Group Policy Creator Owners: Active Directory group with the ability to create Group Policies in the domain.
Well-Known SID/RID: S-1-5-<domain>-520
This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator.
The Group Policy Creator Owners group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008.
Hyper-V Administrators
Well-Known SID/RID: S-1-5-32-578
Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access.
Note: Prior to Windows Server 2012, access to features in Hyper-V was controlled in part by membership in the Administrators group.
This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
Pre–Windows 2000 Compatible Access
Well-Known SID/RID: S-1-5-32-554
Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity group, Everyone, is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier.
Warning: This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
The Pre–Windows 2000 Compatible Access group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008.
Print Operators
Well-Known SID/RID: S-1-5-32-550
Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain.
This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved.
The Print Operators group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see Assign Delegated Print Administrator and Printer Permission Settings in Windows Server 2008 R2.
Protected Users
Well-known SID/RID: S-1-5-21-<domain>-525
Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes.
This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group.
This domain-related, global group triggers non-configurable protection on devices and host computers running Windows Server 2012 R2 and Windows 8.1, and on domain controllers in domains with a primary domain controller running Windows Server 2012 R2. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer.
Depending on the account's domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows.
Members of the Protected Users group cannot authenticate by using the following Security Support Providers (SSPs): NTLM, Digest Authentication, or CredSSP. Passwords are not cached on a device running Windows 8.1, so the device fails to authenticate to a domain when the account is a member of the Protected Users group.
The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process. This means that the domain must be configured to support at least the AES cipher suite.
The user's account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.
The default Kerberos ticket-granting ticket (TGT) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center. This means that when four hours have passed, the user must authenticate again.
The Protected Users group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This group was introduced in Windows Server 2012 R2. For more information about how this group works, see Protected Users Security Group.
The following table specifies the properties of the Protected Users group.
Remote Desktop Users
Well-Known SID/RID: S-1-5-32-555
The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
The Remote Desktop Users group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008.
Schema Admins
Well-Known SID/RID: S-1-5-<root domain>-518
Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode.
The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema.
The membership of this group can be modified by any of the service administrator groups in the root domain. This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory.
For more information, see What Is the Active Directory Schema?: Active Directory.
The Schema Admins group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008.
Server Operators
Well-Known SID/RID: S-1-5-32-549
Members of the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.
The Server Operators group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
This security group has not changed since Windows Server 2008.
WinRMRemoteWMIUsers_
Well-Known SID/RID: S-1-5-21-<domain>-1000
In Windows 8 and in Windows Server 2012, a Share tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running.
The WinRMRemoteWMIUsers_ group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.
If the file share is hosted on a server that is running a supported version of the operating system:
- You must be a member of the WinRMRemoteWMIUsers__ group or the BUILTIN\Administrators group.
- You must have Read permissions to the file share.
If the file share is hosted on a server that is running a version of Windows Server that is earlier than Windows Server 2012:
- You must be a member of the BUILTIN\Administrators group.
- You must have Read permissions to the file share.
In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers__ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions.
The WinRMRemoteWMIUsers_ group allows running Windows PowerShell commands remotely, whereas the Remote Management Users group is generally used to allow users to manage servers by using the Server Manager console.
This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
Active Directory Groups with Privileged Rights on Computers
Most organizations use Group Policy to add an Active Directory group to a local group on computers (typically the Administrators group). Using PowerView, we can easily discover the AD groups that have admin rights on workstations and servers (which is the typical use case).
In the following screenshot, we see that the organization has configured the following GPOs:
GPO: "Add Server Admins to Local Administrator Group"
Local Group: Administrators
AD Group: Server Admins (SID is shown in the example)
GPO: "Add Workstation Admins to Local Administrator Group"
Local Group: Administrators
AD Group: Workstation Admins (SID is shown in the example)
We can also use PowerView to identify which AD groups have admin rights on computers by OU.
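The GPO-to-local-group mapping shown in the screenshot comes from the Restricted Groups section of each GPO's GptTmpl.inf in SYSVOL. The following is an added example (not code from the original post or from PowerView) that parses that section; the INF text, the GPO name and all domain SIDs in it are constructed sample data, and the SYSVOL walk assumes a domain-joined Windows host.

```powershell
# Added example (not from the original post or PowerView): parse the [Group Membership]
# section of GptTmpl.inf, the SYSVOL file through which a GPO's Restricted Groups setting
# places AD groups into local groups such as Administrators (S-1-5-32-544).
# The INF text, the GPO name and the domain SIDs below are constructed sample data.

$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1106__Memberof = *S-1-5-32-544,*S-1-5-32-555
'@

function Resolve-SidName([string]$Sid) {
    # BUILTIN SIDs (S-1-5-32-*) resolve on any Windows host; domain SIDs only resolve
    # when the domain is reachable, otherwise the raw SID is returned unchanged.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Get-RestrictedGroupMapping {
    # Emits one (LocalGroup, Member) pair per entry, in either direction the format allows:
    #   <Group>__Members     = <member>,...   the group's membership is set to these principals
    #   <Principal>__Memberof = <group>,...   the principal is added to these groups
    param(
        [Parameter(Mandatory)][string]$InfText,
        [string]$GpoName = '(unknown GPO)'
    )
    $inSection = $false
    foreach ($rawLine in $InfText -split "`r?`n") {
        $line = $rawLine.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $line -eq '') { continue }
        if ($line -notmatch '^\*?(?<subject>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<values>.*)$') { continue }
        $subject = $Matches.subject
        $kind    = $Matches.kind
        # Values are comma separated; SIDs carry a leading '*', plain names do not
        $values  = $Matches.values.Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
        foreach ($value in $values) {
            if ($kind -eq 'Members') { $group = $subject; $member = $value }
            else                     { $group = $value;   $member = $subject }
            [pscustomobject]@{
                GPO            = $GpoName
                LocalGroup     = $group
                LocalGroupName = Resolve-SidName $group
                Member         = $member
                MemberName     = Resolve-SidName $member
            }
        }
    }
}

function Get-DomainRestrictedGroupMapping([string]$Domain = $env:USERDNSDOMAIN) {
    # Walk every GPO under SYSVOL (readable by Authenticated Users by default) and parse each GptTmpl.inf
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    Get-ChildItem -Path $policies -Recurse -Filter 'GptTmpl.inf' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The {GUID} folder directly under Policies identifies the GPO
            $gpoId = if ($_.FullName -match '\\Policies\\(\{[0-9A-Fa-f-]+\})\\') { $Matches[1] } else { 'unknown' }
            Get-RestrictedGroupMapping -InfText (Get-Content -Path $_.FullName -Raw) -GpoName $gpoId
        }
}

# Offline run against the constructed sample; the commented line is the live form
Get-RestrictedGroupMapping -InfText $sampleInf -GpoName 'Add Server Admins to Local Administrator Group' |
    Format-Table -AutoSize
# Get-DomainRestrictedGroupMapping | Where-Object { $_.LocalGroup -eq 'S-1-5-32-544' } | Format-Table -AutoSize
```

Local group changes can also be pushed through Group Policy Preferences (Groups.xml under the GPO's Machine\Preferences\Groups folder), which this parser does not read.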
Active Directory Object Permissions (ACLs)
Similar to file system permissions, Active Directory objects have permissions as well.
These permissions are called Access Control Lists (ACLs). The access set on objects makes up a cryptic string called Security Descriptor Definition Language (SDDL), which looks like this:
D:PAI(D;OICI;FA;;;BG)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BU)
This is translated via the GUI to provide the more user-friendly format we are used to (see screenshot below).
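The same translation the GUI performs can be done in code. This added example (not part of the original post) decodes the SDDL string above with the .NET security descriptor parser; that string uses the rights code FA (file all access), so it is an NTFS-style DACL, and the `-ObjectKind ActiveDirectory` switch reads the mask as ActiveDirectoryRights for AD object SDDL instead.

```powershell
# Added example (not from the original post): decode an SDDL string into the
# per-trustee rows the GUI shows. The sample string is the one quoted in the post.
Add-Type -AssemblyName System.DirectoryServices
$sddl = 'D:PAI(D;OICI;FA;;;BG)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BU)'

function ConvertFrom-Sddl {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [ValidateSet('File', 'ActiveDirectory')][string]$ObjectKind = 'File'
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    # "P" in D:PAI = protected: ACEs from the parent are not inherited into this DACL;
    # "AI" = the DACL was populated by automatic inheritance propagation.
    $protected = ([int]$sd.ControlFlags -band
                  [int][System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected) -ne 0
    $rightsType = if ($ObjectKind -eq 'File') { [System.Security.AccessControl.FileSystemRights] }
                  else { [System.DirectoryServices.ActiveDirectoryRights] }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # BG/BA/CO/SY/BU are two-letter aliases for well-known SIDs; Translate turns them into names
        try   { $trustee = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $trustee = $sid.Value }
        $row = [ordered]@{
            Trustee       = $trustee
            Sid           = $sid.Value
            Type          = $ace.AceType                  # AccessAllowed (A) or AccessDenied (D)
            Rights        = ($ace.AccessMask -as $rightsType)
            AppliesTo     = $ace.AceFlags                 # OI/CI/IO = ObjectInherit/ContainerInherit/InheritOnly
            DaclProtected = $protected
        }
        # AD object ACEs carry a GUID that scopes the right to one attribute, class or extended right
        if ($ace -is [System.Security.AccessControl.ObjectAce]) { $row['ObjectType'] = $ace.ObjectAceType }
        [pscustomobject]$row
    }
}

ConvertFrom-Sddl -Sddl $sddl | Format-Table -AutoSize
```

The first ACE decodes to an explicit deny of full control for BUILTIN\Guests, which is why deny entries are listed before allows: Windows evaluates a DACL in order and a matching deny wins.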
Every Active Directory object has permissions configured on it, either explicitly defined or inherited from an object above it (typically an OU or the domain), and the permissions can be defined to either allow or deny access to the object and its properties.
When performing Active Directory security assessments, we scan Active Directory for AD ACLs and identify the accounts/groups with privileged rights based on the delegation on AD objects such as the domain, OUs, security groups, etc.
Every object in Active Directory has default permissions applied to it as well as inherited and any explicit permissions. Given that by default Authenticated Users have read access to objects in AD, most of their properties, and the permissions defined on the objects, AD objects, their properties and permissions are easily collected.
One quick note about AD ACLs. There is an object in the System container called "AdminSDHolder" which has only one purpose: to be the permissions template object for objects (and their members) with high levels of privilege in the domain.
- SDProp Protected Objects (Windows Server 2008 & Windows Server 2008 R2):
  - Account Operators
  - Administrator
  - Administrators
  - Backup Operators
  - Domain Admins
  - Domain Controllers
  - Enterprise Admins
  - Krbtgt
  - Print Operators
  - Read-only Domain Controllers
  - Replicator
  - Schema Admins
  - Server Operators
About every 60 minutes, the PDC emulator runs a process to enumerate all of these protected objects and their members and then stamps the permissions configured on the AdminSDHolder object onto them (and sets the adminCount attribute to '1'). This ensures that privileged groups and accounts are protected from improper AD permission delegation.
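The following added example (not code from the original post or from PowerView) serves both the group-membership enumeration above and the SDProp description: it locates the protected groups by well-known SID/RID so renamed groups are still found, expands their membership transitively, and cross-checks every object stamped adminCount=1. It assumes a domain-joined Windows host with default read access in a single-domain forest (Enterprise and Schema Admins are built from the forest root domain SID).

```powershell
# Added example (not from the original post or PowerView). Stale adminCount=1 objects
# (no longer in a protected group) keep a non-inheriting ACL and deserve review;
# protected members without adminCount=1 have not been stamped yet.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainSidString([System.DirectoryServices.ActiveDirectory.Domain]$Domain) {
    $bytes = [byte[]]$Domain.GetDirectoryEntry().Properties['objectSid'].Value
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Get-ProtectedGroupSids {
    $d = Get-DomainSidString ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain())
    $r = Get-DomainSidString ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain)
    # Order follows the protected-object list above. Domain Controllers (516), Read-only Domain
    # Controllers (521) and Replicator (32-552) are well-known RIDs the list names but does not spell out.
    @('S-1-5-32-548',   # Account Operators
      'S-1-5-32-544',   # Administrators
      'S-1-5-32-551',   # Backup Operators
      "$d-512",         # Domain Admins
      "$d-516",         # Domain Controllers
      "$r-519",         # Enterprise Admins (forest root domain)
      'S-1-5-32-550',   # Print Operators
      "$d-521",         # Read-only Domain Controllers
      'S-1-5-32-552',   # Replicator
      "$r-518",         # Schema Admins (forest root domain)
      'S-1-5-32-549')   # Server Operators
}

function Search-Ad([string]$Filter, [string[]]$Properties) {
    $s = New-Object System.DirectoryServices.DirectorySearcher   # rooted at the current domain
    $s.Filter   = $Filter
    $s.PageSize = 1000                                           # page through large result sets
    [void]$s.PropertiesToLoad.AddRange($Properties)
    $s.FindAll()
}

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a DN containing \ ( ) or * cannot break or widen the filter
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-ProtectedPrincipals {
    # DN -> the protected group SID (or 'krbtgt') through which the object is protected.
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) expands nested membership server-side;
    # primaryGroupID catches members that memberOf does not list (e.g. DCs in Domain Controllers).
    $protected = @{}
    foreach ($sid in Get-ProtectedGroupSids) {
        $grp = @(Search-Ad "(objectSid=$sid)" @('distinguishedName'))
        if ($grp.Count -eq 0) { continue }
        $groupDn = [string]$grp[0].Properties['distinguishedname'][0]
        $protected[$groupDn] = $sid                              # the group object itself is stamped too
        $dn  = ConvertTo-LdapFilterValue $groupDn
        $rid = $sid.Split('-')[-1]
        $filter = "(|(memberOf:1.2.840.113556.1.4.1941:=$dn)(primaryGroupID=$rid))"
        foreach ($m in Search-Ad $filter @('distinguishedName')) {
            $memberDn = [string]$m.Properties['distinguishedname'][0]
            $protected[$memberDn] = $sid
        }
    }
    foreach ($k in Search-Ad '(sAMAccountName=krbtgt)' @('distinguishedName')) {
        $krbDn = [string]$k.Properties['distinguishedname'][0]
        $protected[$krbDn] = 'krbtgt'                            # protected as an account, not via a group
    }
    $protected
}

function Compare-AdminCount {
    $protected = Get-ProtectedPrincipals
    $stamped   = @{}
    foreach ($o in Search-Ad '(adminCount=1)' @('distinguishedName')) {
        $objDn = [string]$o.Properties['distinguishedname'][0]
        $stamped[$objDn] = $true
    }
    foreach ($dn in (@($protected.Keys) + @($stamped.Keys) | Sort-Object -Unique)) {
        $finding = if (-not $stamped.ContainsKey($dn)) { 'in protected group but not yet stamped (SDProp runs about hourly)' }
                   elseif (-not $protected.ContainsKey($dn)) { 'stale adminCount=1: left the protected groups, ACL still non-inheriting' }
                   else { 'ok' }
        [pscustomobject]@{
            DistinguishedName = $dn
            ProtectedVia      = $protected[$dn]
            AdminCount1       = $stamped.ContainsKey($dn)
            Finding           = $finding
        }
    }
}

Compare-AdminCount | Where-Object { $_.Finding -ne 'ok' } | Format-Table -AutoSize
```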
It's extremely difficult to stay on top of custom permissions on AD objects. For example, the following graphic shows permissions on an OU.
There's a serious issue with this delegation on this OU which is highlighted below.
The issue is delegation to Domain Controllers with Full Control rights on all objects in this OU and any objects contained in it.
An attacker is most interested in permissions that provide privileged actions. These ACLs include:
- Copy Directory Changes All
Extended right needed to replicate only those edit away a given NC that are also replicated for the Global Catalog (which includes private domain data). This constraint is only meaningful for Domain NCs.
An Extended Right that supplies the ability to replicate all product for an object, including password dating (I call this the Sphere Controlling impersonation right) whichever when combined with Replicating Folder Changes, provides the capability until “DCSync” which password dating for ADS users and computers. See my write-up set DCSync usage & detection for more show.
Example: FIM, Riverbed, SharePoint, and other applications often have ampere service create accorded this right on who domain root. If an attacker can guess this password (or potentially crack it by Kerberoasting), they now admit the region since they can DCSync countersign search since all AD users additionally computing (including Domain Admins and Domain Controllers). - Replicating Directory Changes (DS-Replication-Get-Changes)
Control access right that allows the replication of all intelligence in a given replication NC, no secret domain data.
This right provides the ability to pull data after Active Directory independent of configured AD ACLs. - GenericAll: GenericAll = Entire Control
The entitled to creates or del child, delete a subtree, read and letter key, examine children and the object i, add and remove the object from the directory, and read or write with an extended right.
It provides full justice to the object and all properties, including confidential attributes so as LAPS local Administrator passwords, and BitLocker recovery keys. In of cases, Full Command rights aren’t required, aber it’s less to delegate and get working than determining the actual rights required.
Example: A Server tier group may be delegated Full Control on all Computer objects in an OU that holds the computer objects associated with servers. Another common configuration is delegating Full Control on all Computer objects in the Workstations OU to the Desktop Support group, and delegating Full Control on all user objects in the Users OU to the Help Desk.
- GenericWrite: Provides write access to all properties.
The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object.
- WriteDACL: Provides the ability to modify security on an object, which can lead to Full Control of the object.
The right to modify the DACL in the object security descriptor.
Example: A service account may be granted the right to perform delegation in AD. If an attacker can guess this password (or, more likely, crack it via Kerberoasting), they can set their own rights on the associated objects, which can lead to Full Control of an object and may include exposure of a LAPS-controlled local Administrator password.
- Self: Provides the ability to perform validated writes.
The right to perform an operation that is controlled by a validated write access right.
Validated writes include the following attributes:
- Self-Membership (bf9679c0-0de6-11d0-a285-00aa003049e2 / member attribute)
- Validated-DNS-Host-Name (72e39547-7b18-11d1-adef-00c04fd8d5cd / dNSHostName attribute)
- Validated-MS-DS-Additional-DNS-Host-Name (80863791-dbe9-4eb8-837e-7f0ab55d9ac7 / msDS-AdditionalDnsHostName attribute)
- Validated-MS-DS-Behavior-Version (d31a8757-2447-4545-8081-3bb610cacbf2 / msDS-Behavior-Version attribute)
- Validated-SPN (f3a64788-5306-11d1-a9c5-0000f80367c1 / servicePrincipalName attribute)
- WriteOwner: Provides the ability to take ownership of an object. The owner of an object can gain full control rights on the object.
The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users.
- WriteProperty: Typically paired with specific attribute/property information.
Example: The help desk group is delegated the ability to modify specific AD object properties such as Member (to modify group membership), Display Name, Description, Phone Number, etc.
- CreateChild: Provides the ability to create an object of a specified type (or “All”).
- DeleteChild: Provides the ability to delete an object of a specified type (or “All”).
- Extended Rights: This is an interesting one since it provides additional rights beyond the obvious.
Example: All Extended Rights permissions on a computer object may provide read access to the LAPS local Administrator password attribute.
Andy Robbins’ (@_Wald0) post covers ways these rights can be abused.
The ability to create and link GPOs in a domain should be viewed as effectively Domain Admin rights, since it provides the ability to modify security settings, install software, configure user and computer logon (and startup/shutdown) scripts, and run commands.
- Manage Group Policy link (LinkGPO): Provides the ability to link an existing Group Policy Object in Active Directory to the domain, OU, and/or site where the right is defined. By default, GPO Creator Owners holds this right.
- Create GPOs: By default, the AD group Group Policy Creator Owners has this right. Can be delegated via the Group Policy Management Console (GPMC).
PowerView provides the capability to search AD permissions for interesting rights.
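The following is an added example (not code from the original post) of such a scan: it walks every OU with the PowerView cmdlet names used in this post, keeps only the right categories described above, drops the trustees that hold them by design, and groups the remaining ACEs by trustee. It assumes the original PowerView module is imported and the session can query the current domain.

```powershell
# Added example (not from the original post). Assumes the original PowerView
# module (the Get-NetOU / Get-ObjectAcl cmdlet names this post uses) is imported
# and the session can query the current domain.

# The right categories discussed above; plain reads and ListChildren are not flagged.
$InterestingRights = 'GenericAll','GenericWrite','WriteDacl','WriteOwner',
                     'WriteProperty','ExtendedRight','Self','CreateChild','DeleteChild'
# Trustees that hold such rights by design; everything else is custom delegation.
$ExpectedTrustees = 'NT AUTHORITY\SYSTEM','NT AUTHORITY\SELF','CREATOR OWNER',
                    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS','*\Domain Admins',
                    '*\Enterprise Admins','*\Administrators','*\Account Operators'

function Find-CustomOUDelegation {
    # Non-inherited Allow ACEs on every OU that grant an interesting right to an
    # unexpected trustee. Inherited ACEs are skipped so each delegation shows up
    # once, at the OU where it was set. With -ResolveGUIDs, ObjectType is the
    # property/extended right granted (e.g. the LAPS ms-Mcs-AdmPwd attribute)
    # and InheritedObjectType is the object class it applies to (e.g. Computer).
    Get-NetOU -FullData | ForEach-Object {
        Get-ObjectAcl -DistinguishedName $_.distinguishedname -ResolveGUIDs
    } | Where-Object {
        $ace = $_
        $ace.AccessControlType -eq 'Allow' -and -not $ace.IsInherited -and
        ($InterestingRights | Where-Object { $ace.ActiveDirectoryRights -match $_ }) -and
        -not ($ExpectedTrustees | Where-Object { $ace.IdentityReference -like $_ })
    } | Select-Object ObjectDN, IdentityReference, ActiveDirectoryRights,
        @{n='PropertyOrRight'; e={ $_.ObjectType }},
        @{n='AppliesTo';       e={ $_.InheritedObjectType }}
}

# Group by trustee so each delegated group's effective rights are visible in one place.
Find-CustomOUDelegation | Sort-Object IdentityReference, ObjectDN |
    Format-Table -GroupBy IdentityReference -AutoSize
```

Get-NetOU only enumerates OUs; the domain root and the default containers (Users, Computers) should be checked the same way with Get-ObjectAcl -DistinguishedName on each.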
SIDHistory
SID History is an attribute that supports migration scenarios. Every user account has an associated Security IDentifier (SID) which is used to track the security principal and the access the account has when connecting to resources. SID History enables the access of one account to effectively be cloned to another. This is extremely useful to ensure users retain access when moved (migrated) from one domain to another. Since the user’s SID changes when the new account is created, the old SID needs to map to the new one. When a user in Domain A is migrated to Domain B, a new user account is created in DomainB and the DomainA user’s SID is added to the DomainB user account’s SID History attribute. This ensures that the DomainB user can still access resources in DomainA.
This means that if an account has privileged accounts or groups in its SIDHistory attribute, the account receives all the rights assigned to those accounts or groups, whether they are assigned directly or indirectly. If an attacker gains control of this account, they have all of the associated rights. The rights provided via SIDs in SIDHistory are usually not obvious and are therefore missed.
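Added example (not from the original post): a scan for every object with a populated sIDHistory attribute, resolving each historical SID and flagging the ones that belong to well-known privileged groups. It uses a plain ADSI searcher against the current domain, so it needs no PowerView; the RID and builtin SID tables are the standard well-known values.

```powershell
# Added example (not from the original post). Uses a plain ADSI searcher against
# the current domain; the RID tables below are the standard well-known values.

# Domain-relative RIDs and builtin SIDs that carry privileged rights.
$PrivilegedRids = @{ 500 = 'Administrator'; 512 = 'Domain Admins'; 516 = 'Domain Controllers'
                     518 = 'Schema Admins'; 519 = 'Enterprise Admins'
                     520 = 'Group Policy Creator Owners'; 526 = 'Key Admins'; 527 = 'Enterprise Key Admins' }
$PrivilegedBuiltin = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-548' = 'Account Operators'
                        'S-1-5-32-549' = 'Server Operators'; 'S-1-5-32-550' = 'Print Operators'
                        'S-1-5-32-551' = 'Backup Operators' }

function Find-SidHistoryRisk {
    # Every object (user, computer or group) with a populated sIDHistory attribute.
    $searcher = [adsisearcher]'(sidhistory=*)'
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.AddRange([string[]]('samaccountname','sidhistory'))
    foreach ($r in $searcher.FindAll()) {
        $sam = [string]$r.Properties['samaccountname'][0]
        # sIDHistory is multi-valued; each value is a raw binary SID.
        foreach ($raw in $r.Properties['sidhistory']) {
            $sidObj = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
            $sid    = $sidObj.Value
            $rid    = [int]($sid -split '-')[-1]
            $why = if ($PrivilegedBuiltin.ContainsKey($sid)) { $PrivilegedBuiltin[$sid] }
                   elseif ($PrivilegedRids.ContainsKey($rid)) { $PrivilegedRids[$rid] }
                   elseif ($rid -lt 1000)                     { 'well-known RID, review manually' }
            # Resolution fails for SIDs from a decommissioned domain; those still grant
            # access wherever the old SID remains in an ACL, so they stay in the output.
            $name = try { $sidObj.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { '(unresolvable)' }
            [pscustomobject]@{ Account = $sam; HistorySID = $sid; ResolvesTo = $name
                               Privileged = [bool]$why; Reason = $why }
        }
    }
}

# Everything returned deserves review (SIDHistory should be empty outside a migration);
# the Privileged column is where to start.
Find-SidHistoryRisk | Sort-Object Privileged -Descending | Format-Table -AutoSize
```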
Group Policy Permissions
Group Policy Objects (GPOs) are created, configured, and linked in Active Directory. When a GPO is linked to an OU, the settings in the GPO are applied to the appropriate objects (users/computers) in that OU.
Permissions on GPOs can be configured to delegate GPO modify rights to any security principal.
If there are custom permissions configured on Group Policies linked to the domain and an attacker gains access to an account with modify rights, the domain can be compromised. An attacker can change GPO settings to run code or install malware. The impact of this level of access depends on where the GPO is linked. If the GPO is linked to the domain root or the Domain Controllers container, they own the domain. If the GPO is linked to a workstations or servers OU, the impact may be less severe; however, with the ability to run code on all workstations or servers, it may still be possible to compromise the domain.
Scanning for GPO permissions identifies which GPOs are improperly permissioned, and scanning for where each GPO is linked determines the impact.
Fun fact: The creator of a Group Policy retains modify rights to the GPO. A possible result is that a Domain Admin needs to set an auditing policy for the domain, but discovers that an OU admin has already created a GPO with the required settings. So, the Domain Admin links the GPO to the domain root, which applies the policy to all computers in the domain. The problem is that the OU admin can still modify a GPO that is now linked to the domain root, providing an escalation path if this OU admin account is compromised. The following graphic shows the OU Admin “Han Solo” with GPO edit rights.
PowerView provides a quick way to scan all the permissions on all domain GPOs:
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
Reference: Abusing GPO Permissions
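Added example (not from the original post or from PowerView itself) that extends the one-liner above with the second half of the assessment: for each GPO ACE that grants modify rights to a trustee other than the default editors, it looks up where the GPO is linked (domain root, OUs, sites) and rates the impact accordingly. It assumes the original PowerView module is imported and the session can query the current domain.

```powershell
# Added example (not from the original post). Assumes the original PowerView
# module is imported (Get-NetGPO, Get-ObjectAcl, Get-NetOU, Get-NetSite).

# Rights on a groupPolicyContainer that let a trustee change what the GPO does.
$GpoModifyRights = 'GenericAll','GenericWrite','WriteDacl','WriteOwner','WriteProperty'
# Trustees that edit GPOs by design; anything else is custom delegation to review.
$ExpectedEditors = 'NT AUTHORITY\SYSTEM','NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
                   'CREATOR OWNER','*\Domain Admins','*\Enterprise Admins'

function Get-GpoLinkLocations {
    # Where is this GPO ({GUID} form, the GPC "name" attribute) linked?
    param([string]$GpoGuid)
    $links = @()
    # Domain root: its gPLink holds "[LDAP://cn={GUID},cn=policies,...;flags]" entries.
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $rootLink = "$(([ADSI]"LDAP://$domainDn").gPLink)"
    if ($rootLink -match [regex]::Escape($GpoGuid)) { $links += 'DOMAIN ROOT' }
    # OUs and sites whose gPLink references the GPO (PowerView does the search).
    $links += @(Get-NetOU -GUID $GpoGuid)
    $links += @(Get-NetSite -GUID $GpoGuid)
    return $links
}

function Find-GpoDelegationRisk {
    Get-NetGPO | ForEach-Object {
        $gpo = $_
        Get-ObjectAcl -Name $gpo.name -ResolveGUIDs | Where-Object {
            $ace = $_
            $ace.AccessControlType -eq 'Allow' -and
            ($GpoModifyRights | Where-Object { $ace.ActiveDirectoryRights -match $_ }) -and
            -not ($ExpectedEditors | Where-Object { $ace.IdentityReference -like $_ })
        } | ForEach-Object {
            $where = Get-GpoLinkLocations -GpoGuid $gpo.name
            [pscustomobject]@{
                GPO      = $gpo.displayname
                Trustee  = $_.IdentityReference
                Rights   = $_.ActiveDirectoryRights
                LinkedTo = ($where -join '; ')
                # Domain root or the Domain Controllers OU means the domain is at stake.
                Impact   = if ($where -match 'DOMAIN ROOT|OU=Domain Controllers') { 'DOMAIN' }
                           elseif ($where.Count) { 'OU/site scope' } else { 'unlinked (latent)' }
            }
        }
    }
}

Find-GpoDelegationRisk | Sort-Object Impact | Format-Table -AutoSize
```

An unlinked GPO with loose permissions is still worth fixing, since the “fun fact” above shows how it becomes a domain-wide issue the moment someone links it.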
User Rights Assignment
User Rights Assignments are typically configured in a computer GPO and grant several rights on the computers the GPO applies to.
Domain Controllers are usually configured with User Rights Assignments in the Default Domain Controllers Policy applied to the Domain Controllers container. Analyzing the GPOs linked to Domain Controllers provides useful information about security principals with elevated rights to DCs and the domain. The User Rights Assignments are:
- SeTrustedCredManAccessPrivilege: Access Credential Manager as a trusted caller
- SeNetworkLogonRight: Access this computer from the network
- SeTcbPrivilege: Act as part of the operating system
- SeMachineAccountPrivilege: Add workstations to domain
- SeIncreaseQuotaPrivilege: Adjust memory quotas for a process
- SeInteractiveLogonRight: Allow log on locally
- SeRemoteInteractiveLogonRight: Allow log on through Remote Desktop Services
- SeBackupPrivilege: Back up files and directories
- SeChangeNotifyPrivilege: Bypass traverse checking
- SeSystemtimePrivilege: Change the system time
- SeTimeZonePrivilege: Change the time zone
- SeCreatePagefilePrivilege: Create a pagefile
- SeCreateTokenPrivilege: Create a token object
- SeCreateGlobalPrivilege: Create global objects
- SeCreatePermanentPrivilege: Create permanent shared objects
- SeCreateSymbolicLinkPrivilege: Create symbolic links
- SeDebugPrivilege: Debug programs
- SeDenyNetworkLogonRight: Deny access to this computer from the network
- SeDenyBatchLogonRight: Deny log on as a batch job
- SeDenyServiceLogonRight: Deny log on as a service
- SeDenyInteractiveLogonRight: Deny log on locally
- SeDenyRemoteInteractiveLogonRight: Deny log on through Remote Desktop Services
- SeEnableDelegationPrivilege: Enable computer and user accounts to be trusted for delegation
- SeRemoteShutdownPrivilege: Force shutdown from a remote system
- SeAuditPrivilege: Generate security audits
- SeImpersonatePrivilege: Impersonate a client after authentication
- SeIncreaseWorkingSetPrivilege: Increase a process working set
- SeIncreaseBasePriorityPrivilege: Increase scheduling priority
- SeLoadDriverPrivilege: Load and unload device drivers
- SeLockMemoryPrivilege: Lock pages in memory
- SeBatchLogonRight: Log on as a batch job
- SeServiceLogonRight: Log on as a service
- SeSecurityPrivilege: Manage auditing and security log
- SeRelabelPrivilege: Modify an object label
- SeSystemEnvironmentPrivilege: Modify firmware environment values
- SeManageVolumePrivilege: Perform volume maintenance tasks
- SeProfileSingleProcessPrivilege: Profile single process
- SeSystemProfilePrivilege: Profile system performance
- SeUndockPrivilege: Remove computer from docking station
- SeAssignPrimaryTokenPrivilege: Replace a process level token
- SeRestorePrivilege: Restore files and directories
- SeShutdownPrivilege: Shut down the system
- SeSyncAgentPrivilege: Synchronize directory service data
- SeTakeOwnershipPrivilege: Take ownership of files or other objects
The interesting ones in this list (especially in GPOs that apply to Domain Controllers):
- Allow log on locally & Allow log on through Remote Desktop Services: Provides logon rights.
- Manage auditing and security log: Provides the ability to view all events in the event logs, including security events, and to clear the security log.
Fun Fact: Exchange Servers require this right, which means that if an attacker gains System rights on an Exchange server, they can clear Domain Controller security logs.
- Synchronize directory service data: “This policy setting determines which users and groups have authority to synchronize all directory service data, regardless of the protection for objects and properties. This privilege is required to use LDAP directory synchronization (dirsync) services. Domain controllers have this user right inherently because the synchronization process runs in the context of the System account on domain controllers.”
This means that an account with this user right on a Domain Controller may be able to run DCSync.
- Enable computer and user accounts to be trusted for delegation: Provides the ability to configure delegation on computers and users in the domain.
Fun Fact: This provides the ability to set Kerberos delegation on a computer or user account.
- Impersonate a client after authentication: This one looks like some fun could be had with it…
- Take ownership of files or other objects: Administrators only. “Any users with the Take ownership of files or other objects user right can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a denial-of-service condition.”
- Load and unload device drivers: “Device drivers execute as highly privileged code. A user who has the Load and unload device drivers user right could unintentionally install malware that masquerades as a device driver. Administrators should exercise care and install only drivers with verified digital signatures.”
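Added example (not from the original post): a parser for the [Privilege Rights] section of a GPO’s GptTmpl.inf, the SYSVOL file in which User Rights Assignments are stored, that resolves each assigned SID to a name and flags the rights called out above. The SYSVOL path layout and the Default Domain Controllers Policy GUID are well-known values assumed by the example; the HighImpact table is this example’s own selection.

```powershell
# Added example (not from the original post). Parses the [Privilege Rights]
# section of a GPO's GptTmpl.inf and flags the rights discussed above. The SYSVOL
# path layout and the Default Domain Controllers Policy GUID are assumed values.

$HighImpactRights = @{
    SeSyncAgentPrivilege          = 'Synchronize directory service data (DCSync-capable on a DC)'
    SeEnableDelegationPrivilege   = 'Configure Kerberos delegation on accounts'
    SeSecurityPrivilege           = 'Manage auditing and security log (can clear it)'
    SeTakeOwnershipPrivilege      = 'Take ownership of files or other objects'
    SeLoadDriverPrivilege         = 'Load and unload device drivers'
    SeImpersonatePrivilege        = 'Impersonate a client after authentication'
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
}

function ConvertFrom-GptTmplPrivileges {
    # Yields one object per (right, principal) pair found in [Privilege Rights].
    param([string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or -not ($line -match '^\s*(Se\w+)\s*=\s*(.*)$')) { continue }
        $right = $Matches[1]
        foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            # SIDs are written as *S-1-5-...; anything else is already a name.
            $principal = if ($entry.StartsWith('*')) {
                try { (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate(
                        [System.Security.Principal.NTAccount]).Value }
                catch { $entry.Substring(1) }   # unresolvable (foreign/deleted) SID: keep raw
            } else { $entry }
            [pscustomobject]@{ Right = $right; Principal = $principal
                               HighImpact = $HighImpactRights.ContainsKey($right)
                               Why = $HighImpactRights[$right] }
        }
    }
}

# Live use: the Default Domain Controllers Policy (well-known GUID) from SYSVOL.
$domain = $env:USERDNSDOMAIN
$inf = "\\$domain\SYSVOL\$domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}" +
       '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
ConvertFrom-GptTmplPrivileges -Lines (Get-Content $inf) |
    Where-Object HighImpact | Sort-Object Right | Format-Table Right, Principal, Why -AutoSize
```

Any other GPO linked to the Domain Controllers OU can set these rights too, so run the parser over each linked GPO’s gpcfilesyspath rather than only the default policy.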
Putting it all together
In order to effectively identify all accounts with privileged access, it’s important to ensure that all avenues are explored to identify the rights. This means that defenders need to check the permissions on AD objects, starting with Organizational Units (OUs) and then branching out to security groups.
Things to check:
- Enumerate group membership of default groups (including sub-groups). Identify what rights are required and remove the others.
- Scan Active Directory (specifically OUs & security groups) for custom delegation.
- Scan for accounts with SIDHistory (should only be necessary during an active migration from one domain to another).
- Review User Rights Assignments in GPOs that apply to Domain Controllers, Servers, and Workstations.
- Review GPOs that add AD groups to local groups and ensure these are still required and the level of rights is appropriate.
Tools for Checking Active Directory Permissions:
- Bloodhound
- PowerView (modules used in Bloodhound)
- AD ACL Scanner
Confused by this and want some help unraveling the AD permissions in your organization?
Contact Trimarc, we love this stuff! 🙂
References
- BloodHound 1.3 – The ACL Attack Path Update: https://wald0.com/?p=112
- Abusing Active Directory Permissions with PowerView: http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/
- Abusing GPO Permissions: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
- AD DS Owner Rights: https://technet.microsoft.com/en-us/library/dd125370(v=ws.10).aspx
- Security Descriptor Definition Language for Conditional ACEs: https://msdn.microsoft.com/en-us/library/windows/desktop/dd981030(v=vs.85).aspx
- Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights: https://choicefinancialwealthmanagement.com/?p=1906
- The Security Descriptor Definition Language of Love (Part 1): https://blogs.technet.microsoft.com/askds/2008/04/18/the-security-descriptor-definition-language-of-love-part-1/
- ActiveDirectoryRights Enumeration: https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
- Bloodhound
- PowerView
- AD ACL Scanner
- AD Security: SIDHistory
- User Rights Assignments
- Active Directory Security Groups
- ActiveDirectoryRights Enumeration
2 comments
I love this article, thank you Sean.
You might also want to check out the following tool + article:
https://github.com/CyberArkLabs/ACLight
https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/
Best regards
/Jakob
ACLight is a neat tool.