Tuesday, May 12, 2020

Day 2 - Red Teamers, can you hack THIS Active Directory? (I Doubt It)


Hello. I hope this finds you doing well. Welcome to Day-2 of "Active Directory Security for Cyber Security Experts."

Over the next 60 days, I'm going to be drawing upon two decades of experience in Active Directory Security to help thousands of organizations and millions of IT and cyber security personnel worldwide increase their knowledge.

Today, I'd like to pose a simple question / challenge to the thousands of Active Directory Red Teamers / Attackers worldwide -

Can YOU hack THIS Active Directory?

(i.e. the one described below.)

(Before you arrive at any premature conclusions, please read the "What's the Point?" section that follows.)

An Active Directory Like Ours

Like most organizations worldwide, we (Paramount Defenses) too operate on Microsoft Active Directory, and most of our machines, including those on which reside our billion+ dollar cyber security algorithms, are joined to our Active Directory.

Unlike most organizations worldwide, we DO actually strive to adequately protect our foundational Active Directory -

  1.  Domain Controller (DC) Security - All DCs are afforded the highest levels of system, network and physical security. I can't divulge details, but know that, let alone being able to log on to a DC, one couldn't even get physical access to one without multi-factor authentication. The same level of security is afforded to all admin workstations and AD backups.

  2. Privileged Access in Active Directory - Privileged access for everything, including identity (user account) and access (group) management, computer and group policy management, access for AD-integrated apps etc. is all precisely and verifiably delegated/provisioned in Active Directory and locked-down based on the principle of least privilege.

  3.  Privileged Account Security - We don't have more than one active Domain Admin equivalent privileged user in Active Directory at any time, counting membership across all default AD admin groups, and all other such accounts that possess unrestricted admin access in Active Directory (e.g. members of Enterprise Admins, Schema Admins etc.) are disabled by default.

  4. Secure Administrative Practices - Every Domain Admin equivalent privileged account user is assigned a dedicated admin workstation exclusively for the purpose of performing activities that require Domain Admin level privileged access, and each such workstation is afforded the same level of security as are our DCs. Logging on to any other machine using Domain Admin credentials is strictly disallowed and could result in termination of employment.

  5.  Service Accounts, esp. those that require Domain-Admin Equivalent Access - We only use managed service accounts across our network. Each one is managed by AD itself, which generates its long (>25 character), random password and rotates it frequently, so there is no human-chosen password for anyone to crack. We do not allow the use of any apps whose service accounts require Domain-Admin (DA) access, because if you understand Windows security, you know that almost nothing actually requires DA level access to accomplish.

  6.  Trustworthy Software - We do not deploy any 3rd-party software in which we cannot place the highest levels of trust, especially Active Directory mgmt/security/auditing solutions. This is because so many popular AD management and auditing solutions available today are developed outside the USA, and some prominent ones are developed in Russia. Also, use of any free* tools or scripts downloaded from the Internet could result in immediate termination.

  7. Empowerment and Accountability - Most importantly, because we understand just how paramount the security of our foundational Active Directory is to our company's security, we have a simple and clear chain of accountability, which is as follows:  CEO - CISO - Director, IT - Enterprise Admin. Finally, I personally ensure that our IT team has whatever it needs to secure our AD, and we only hire the most trustworthy and proficient personnel as AD Admins.

(By the way, none of this takes much effort or cost. All it really takes is an understanding of and respect for the role that Active Directory plays in our security, and the will to enact just enough simple measures to adequately protect it.)

Now, let me stop right there, for sharing that much is enough to make a Trillion $ point, which follows.

So, What's the Point?

The point of sharing this with you was to help you understand that in such an environment, no matter how proficient an Active Directory Red Teamer or attacker you might be, you're likely not going to find success using popular credential-theft attack techniques such as Kerberoasting, Mimikatz hash extraction, Golden/Silver Tickets, DCSync and DCShadow, or using BloodHound.

Perhaps I should elaborate and substantiate this -
  1. Kerberoasting - Given measure #5 above, Kerberoasting isn't going to get you anywhere. Any domain user can still request a service ticket for an account with an SPN, but that ticket is encrypted under a long, random password that AD itself rotates, so cracking it offline is infeasible and the attack yields no usable credential.

  2. Silver Tickets and Golden Tickets - A Golden Ticket requires the krbtgt account's key, which resides on DCs (or can be pulled via replication; see item 4 below), and a Silver Ticket requires the key of the account running the target service. Given measures #1 and #5 above, you're not going to be able to log on to a single DC or recover a service account's key, so you're never going to be able to forge either ticket.

  3. Mimikatz (for password hash extraction and reuse) - Likewise, in light of measures #3, #4 and #6 above, you're not going to get an opportunity to log on to or compromise any computer on which a single Domain Admin equivalent credential may ever have been entered/used, so you're not about to find success using credential theft techniques that involve extracting password hashes from memory and replaying them (pass-the-hash).

  4. Mimikatz DCSync and Mimikatz DCShadow - DCSync needs the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain head. Given measure #2 above, we possess the ability to determine and control exactly who effectively holds those rights, i.e. who can replicate secrets from our Active Directory domain, and as a consequence we can reduce that number down to virtually zero, leaving you no opportunity whatsoever to have the effective permissions needed to run DCSync against our AD. Similarly, because we can determine and control exactly who can create the nTDSDSA (and server) objects in the Configuration partition that register a DC, DCShadow too won't be possible.

  5. BloodHound - Given measure #2 above, you could run BloodHound all you want, but you're not going to find a single privilege escalation path leading to anything, because WE found and eliminated ALL of them BEFORE you could.

NOW, in your defense, let me be the first to admit that ours isn't a typical Active Directory environment by any means. Most Active Directory deployments should be secured like so, but they're nowhere near it; most of them are vastly vulnerable.

That said, I'll also be the first to tell you that of the 7 simple Active Directory Security measures we implement, every organization in the world can, TODAY, implement just about all of them on its own, except MEASURE #2.

As to measure #2, unfortunately, there's just no way to implement it without the capability to accurately determine effective permissions, i.e. who can actually do what on an object, and to do so domain-wide; sadly, most organizations (likely including $T Microsoft) do not even seem to know that they require this essential capability, let alone have it, so they're very far from being able to adequately secure their AD.

Now, Consider This

Consider an Active Directory environment in which all measures above, except #2, have been implemented. By the way, in the interest of their own security, all organizations should endeavor to attain at least this level of Active Directory Security.

In such an Active Directory environment, as shared above, what so many folks erroneously refer to as the common and prevalent "Active Directory attack techniques", i.e. Kerberoasting, Mimikatz, Golden Tickets etc., aren't going to get you anywhere.

In such environments, many may be inclined to think that there's not that much more left to try and attack/compromise.

Yet, if you think about it (and now that you've heard of BloodHound, you likely know this), there is still an OCEAN of opportunity left to go after (and for defenders to defend), and unlike credential-theft attack vectors, it actually involves "Active Directory Security."

  • Side-note: I had asked Delpy the same question back in 2016, likely even BEFORE BloodHound was around.

Active Directory Security

As you'll hopefully agree, the most important and vital aspect of Active Directory security is the security of its contents.

You know what I'm talking about. Every single one of the most powerful privileged user accounts and groups, the user accounts of all employees and executives, every single domain computer account (including those of DCs), every single domain security group used to protect most IT assets across the network, every single group policy used to secure and protect all domain-joined hosts etc. all have one thing in common - they constitute the very contents of Active Directory.

In essence, the most valuable assets of any organization operating on Active Directory are INSIDE their Active Directory.

Now, each one of these assets is represented as an Active Directory object, and protected by an access control list (ACL), within which reside numerous security permissions, each one of which allow or deny some form of access to some security principal, and together they collectively determine exactly who can do what on each one of these Active Directory objects.

In other words, there's a vast OCEAN of Active Directory security permissions in every organization's Active Directory.

Within this ocean lies a vast amount of privileged access, and sadly, because it is very difficult to accurately assess it, much of it is excessive (unauthorized), just waiting to be found and exploited, or found and eliminated (locked down).

Simply put, it's a race, and whoever (i.e. the good guys or the bad guys) accurately identifies it first WINS (i.e. controls AD).

  • Side-note: Incidentally, BloodHound, a promising tool that so many Active Directory Red Teamers, attackers and perpetrators have come to like and use, is based on identifying privilege escalation paths in this very ocean of AD security permissions; its underlying theory can be found here. However, it barely scratches the surface, and sadly it is inaccurate because it makes the same classic mistake that thousands of organizations have themselves been making for years - it too relies on determining "Who has what permissions in AD", which is virtually futile.

    Finally, as pointed above, even if it were accurate, implementing measure #2 above would render it useless.

In essence, if you could correctly analyze this vast ocean of Active Directory security permissions, you could instantly find thousands of privilege escalation paths leading to every object in Active Directory, from Domain Admin accounts to the CEO's account, and from the Domain Admins group to a group protecting high-value IT assets across the network.

From an organizational standpoint, you would then have the ability to lockdown all such identified, existent unauthorized privileged access and eliminate all such paths, securing your Active Directory. From an attacker's standpoint you would have identified thousands of easily exploitable privilege escalation paths leading to whatever you want to compromise.
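The replication-rights check from item 4 of the previous section and the "who can actually do what" question raised here can be made concrete with an added example, which is not the author's or Paramount Defenses' code. Everything in it is constructed for illustration (the group memberships, the user and group names, and the ACEs on the domain head and on two groups) except the two DCSync extended-right GUIDs, which are the real schema values. It evaluates each user's effective access the way Windows does (nested group expansion, ACEs walked in canonical order, first match wins), contrasts that with the naive "who has what permissions" view, and then searches for a group-control path that ends in the ability to replicate secrets:

```python
"""Toy evaluator for Active Directory DACLs: effective access versus listed ACEs.
Added illustration, not the author's tooling: memberships, names and ACEs are
constructed; the two DCSync extended-right GUIDs are the real schema values.
Assumed simplifications: one right per ACE, no owner/SACL handling."""
from collections import deque

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All

# Constructed group memberships: group -> direct members (users or groups).
MEMBERS = {
    "Domain Admins": {"da-admin"},
    "Replication Ops": {"Backup Ops", "svc-sync"},
    "Backup Ops": {"bob"},
    "Helpdesk": {"alice"},
}
USERS = ["da-admin", "svc-sync", "bob", "alice"]

# An ACE is (kind, trustee, right, object_guid, inherited). object_guid scopes
# an ExtendedRight ACE to one extended right (None = unscoped). "WriteMember"
# stands in for WriteProperty scoped to the 'member' attribute.
DOMAIN_DACL = [  # DACL on the domain head object
    ("deny",  "Backup Ops",      "ExtendedRight", GET_CHANGES_ALL, False),
    ("allow", "Domain Admins",   "ExtendedRight", GET_CHANGES,     False),
    ("allow", "Domain Admins",   "ExtendedRight", GET_CHANGES_ALL, False),
    ("allow", "Replication Ops", "ExtendedRight", GET_CHANGES,     False),
    ("allow", "Replication Ops", "ExtendedRight", GET_CHANGES_ALL, False),
    ("allow", "Helpdesk",        "ReadProperty",  None,            True),
]
GROUP_DACLS = {  # DACLs on group objects
    "Domain Admins":   [("allow", "Domain Admins", "GenericAll",  None, False)],
    "Replication Ops": [("allow", "Helpdesk",      "WriteMember", None, False)],
}
CONTROL_RIGHTS = ("GenericAll", "WriteDACL", "WriteOwner", "WriteMember")
# Canonical ACE order: explicit deny, explicit allow, inherited deny, inherited allow.
ORDER = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}

def token(principal):
    """Identities an access check sees: the principal plus every group it
    belongs to, transitively (nested membership)."""
    ids, frontier = {principal}, [principal]
    while frontier:
        p = frontier.pop()
        for group, members in MEMBERS.items():
            if p in members and group not in ids:
                ids.add(group)
                frontier.append(group)
    return ids

def access_by_ids(ids, dacl, right, guid=None):
    """Effective-access check: walk the DACL in canonical order and let the
    first matching ACE decide, so an explicit deny on a nested group beats an
    allow on its parent group. GenericAll matches any right."""
    for kind, trustee, r, g, _ in sorted(dacl, key=lambda a: ORDER[(a[4], a[0])]):
        if trustee not in ids or (r != "GenericAll" and r != right):
            continue
        if g is not None and g != guid:
            continue
        return kind == "allow"
    return False

def can_dcsync(ids, dacl=DOMAIN_DACL):
    """DCSync needs both replication extended rights on the domain head."""
    return (access_by_ids(ids, dacl, "ExtendedRight", GET_CHANGES)
            and access_by_ids(ids, dacl, "ExtendedRight", GET_CHANGES_ALL))

def who_can_dcsync(users=USERS):
    """Measure #2's question, answered from effective access."""
    return {u for u in users if can_dcsync(token(u))}

def listed_dcsync(users=USERS, dacl=DOMAIN_DACL):
    """The 'who has what permissions' view: trustees of allow ACEs expanded
    through membership, denies ignored. It over-reports (see bob)."""
    allowed = {t for k, t, _, g, _ in dacl if k == "allow" and g == GET_CHANGES_ALL}
    return {u for u in users if token(u) & allowed}

def escalation_path(user):
    """Breadth-first search over group-control edges: each step adds the
    attacker to a group whose DACL effectively grants a control right, until
    DCSync is reachable. Returns the (group, right) steps, or None."""
    start = frozenset(token(user))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        ids, path = queue.popleft()
        if can_dcsync(ids):
            return path
        for group, dacl in GROUP_DACLS.items():
            if group in ids:
                continue
            for right in CONTROL_RIGHTS:
                if access_by_ids(ids, dacl, right):
                    nxt = frozenset(ids | token(group))
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append((nxt, path + [(group, right)]))
                    break
    return None

if __name__ == "__main__":
    print("effective DCSync:", sorted(who_can_dcsync()))  # ['da-admin', 'svc-sync']
    print("listed DCSync:   ", sorted(listed_dcsync()))   # also lists bob
    for u in USERS:
        print(f"{u:8} escalation path: {escalation_path(u)}")
```

Running it shows why the two views diverge: bob's nested membership matches an allow ACE, so the listing reports him, but an explicit deny on his nearer group wins and he cannot DCSync; alice appears on no replication ACE at all, yet a single WriteProperty on the member attribute of a group that does hold the rights is a one-step path to the same outcome. In a real domain the DACLs come from the nTSecurityDescriptor attribute of the domain head and of each group, and a faithful evaluator would additionally need inheritance flags, owner rights and full access-mask semantics; those are assumed away here.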

The key to correctly analyzing this vast ocean of security permissions and privileged access in Active Directory, and thus the key to being able to identify who can do what, where and how, on any and every object in Active Directory lies in this, and in days to come, it is my intention to help everyone learn more about this vast ocean, and how to correctly analyze it.


Today's post was intended to convey that the attack methodologies most Active Directory Red Teamers and Attackers use against Active Directory don't actually have much to do with Active Directory Security per se, and can be thwarted by implementing a few common-sense measures (which, sadly, most organizations have yet to implement.)

As a segue, the second point I wanted to make was that the actual crux and innards of "Active Directory Security" reside inside the ocean of security permissions that exists in every organization's Active Directory, and in days to come, that's what I intend to help the world better understand, because collectively across the world, they secure Trillions of $ of real wealth.

To be continued on Day 3, May 18, 2020 (I will share a VM then, and from that point on, it should be every alternate day.)

Best wishes,

PS: Regarding measure #2 above -

There's a little $1.4 Trillion company out there called Microsoft. They built Active Directory. You should ask them if they can help you do this accurately and adequately on even a single object in AD, let alone do so domain-wide. (They can't.)

(If you can't find them in the Security aisle, look for them in the Sales aisle; they've been quite busy pitching their Cloud offering to the world, and recently, offering free Teams meeting accounts during COVID-19 to increase their user-base.)

Then ask CrowdStrike, FireEye, Symantec, CyberArk, Tanium, Amazon, Google etc. if perhaps they can. (They too can't.)

Next, perhaps ask Quest, Centrify, BeyondTrust, Varonis, Netwrix, Preempt and other popular AD Security companies.

Finally, ask Gartner, those Magic Quadrant gurus, if they know of someone who could. (They may not have a clue.)


© 2006 - 2024 Paramount Defenses.
All Rights Reserved.
