
Monday, June 29, 2020

Day 4 - Active Directory Security Permissions, Tooling AND a Challenge


Folks,

Hello. I hope this finds you doing well. This post is Day-4 of Active Directory Security for Cyber Security Experts.


TODAY, we'll begin by 1) re-visiting a simple fact, 2) putting your arsenal together and 3) YOUR first challenge.





Active Directory Security Permissions - The Keys to Every Door in the Kingdom

If you're into IT or cyber security, then you likely already know this ONE simple technical fact which is worth reiterating -

  1. 85% of all organizations worldwide operate on Microsoft Active Directory - From Microsoft to Amazon, and from the White House to the entire U.S. Government, every relevant organization in the world operates on Active Directory.

  2. 100% of everything in Active Directory is an AD object protected by an ACL - From the Domain Admins group to the domain root object, to every employee's (e.g. CEO, CISO etc.) account and computer, to every security group (e.g. All Employees, Executives etc.) used to lockdown access to every IT asset in the organization (i.e. all files, folders, Exchange mailboxes, databases, apps, portals etc.), literally everything is an object in Active Directory.

  3. It is the complete set of Active Directory security permissions that exist in the ACL (access control list) of every Active Directory object that collectively govern exactly who can do what on that Active Directory object.

If you connect the above three dots, you'll arrive at the conclusion that at the end of the day, it is Active Directory security permissions that ultimately protect and govern the security of virtually every IT asset in every organization worldwide.

In short, not just the "Keys to the Kingdom", the "Keys to Every Door in the Kingdom" lie in AD Security Permissions.




Three Technical Pointers

Given the paramount importance that Active Directory Security permissions play in organizational cyber security today, in order to gain proficiency in Active Directory Security, one must know Active Directory Security permissions well.


So, here are a few technical pointers that I recommend we all go through to learn more about them -
  1. Active Directory Security Permissions (here), How Access Checks work (here) & Order of ACEs in a DACL (here)

  2. Best Practices for Delegating Administration in AD, Appendix C: Active Directory Security Permissions (See * below)

  3. Best Practices for Delegating Administration in AD, Chapter 2: How Delegation Works in Active Directory (" * below)

  • * Note: The content referenced in 2 and 3 above was part of a 400 page whitepaper I had written while I was at Microsoft, titled "Best Practices for Delegating Administration in Active Directory". For reasons best known to Microsoft, it was removed from its Technet Site. Fortunately, you can still access it if you know where to find it. The only place it is available is as a part of "Windows Server 2003 Retired Content", which is a massive 150 MB PDF file which you can still download from here. To locate this content in that download, install Adobe PDF Reader (needed to open the massive 150 MB PDF), open the PDF and search for my name in it (Page: 8186.)

Please take a few moments to review and learn from these simple yet vital technical pointers. I apologize that there is no good content online from Microsoft to share with you - not sure why Microsoft has pulled so much important content. :-(


Finally, if you have more time and truly want to gain a deep understanding of how access control, access checks, access assessment etc. all work in Active Directory, you can review this authoritative patent on the subject, which today is cited by Microsoft, Palantir, CyberArk, Quest, Amazon, Vmware, IBM and other notable companies.





Active Directory Permissions Analysis Tooling

Over the next thirty days, I am going to be issuing ten challenges, each one motivated by the desire to teach you something specific and valuable, and each one involving and requiring you to analyze permissions in Active Directory.


So, please feel free to put together your own arsenal of tools so you can accept these ten simple, educative challenges.

Further, to help you put this together, here's a list of just about every tool that I know of that can help organizations analyze Active Directory Security Permissions today, listed in alphabetical order by name of the tool to ensure objectivity -
  1. Acldiag (Microsoft)
  2. Aclight (CyberArk)
  3. Active Directory ACL Analyzer (Paramount Defenses)
  4. Active Directory ACL Exporter (Paramount Defenses)
  5. Active Directory Effective Permissions Calculator (Paramount Defenses)
  6. Active Directory Effective Access Auditor (Paramount Defenses)
  7. Active Directory Permissions Analyzer (Paramount Defenses)
  8. Active Directory Permissions Reporting Tool (ManageEngine)
  9. Active Directory Privileged Access Auditor (Paramount Defenses)
  10. AD ACL Scanner (Robin Granberg ?)
  11. AD Permissions Reporter (CJWDev)
  12. BeyondTrust Auditor (BeyondTrust)
  13. BloodHound (SpecterOps)
  14. Dsacls (Microsoft)
  15. Effective Permissions Reporting Tool (Netwrix)
  16. Enterprise Reporter for Active Directory (Quest)
  17. Hyena (Systemtools)
  18. LepideAuditor (Lepide)
  19. Permissions Analyzer for Active Directory (SolarWinds)
  20. PowerShell for Active Directory (Microsoft)
  21. Stealthaudit Active Directory Permissions Analyzer (Stealthbits)
  • Note: The mere mention of any 3rd party tool above is not and should not be considered an endorsement.

The only tools that you cannot currently (i.e. yet) have in your arsenal are those developed by Paramount Defenses.

You're welcome to use any other tools to fulfill the various challenges I'll be sharing soon. If your organization currently uses a particular tool, I recommend using it to see if it can help you get the answers to these upcoming challenges.




Your First Challenge

Your first challenge is a very simple challenge, and I expect each one of you to be able to easily fulfill this challenge.


Using any tool(s) of your choice that are in your Active Directory security arsenal, please analyze the security permissions in the Active Directory Security Lab VM that I have shared, and simply answer the following three simple questions -

  1. Exactly how many security permissions (ACEs) are there domain-wide in the corp.local domain?

  2. Exactly how many members does the Domain Admins security group have? 

  3. Exactly how many security permissions in the ACL protecting the Domain Admins security group directly or indirectly impact "Write Property - Member" permissions?

  • These are really simple warm-up questions. Your answer can be as simple as >   1) 100,000     2) 5     3) 4

The answer to question 1 helps determine how large the attack surface is. The answer to question 2 is (sadly) the (mere) extent to which many organizations go to audit privileged access in Active Directory, and the answer to question 3 begins to scratch the surface when trying to determine who actually has what privileged access in an Active Directory.

You can answer these three simple questions below in a comment, or answer them in my LinkedIn post for today's lesson.




The Importance of Exactness

In Active Directory Security, exactness is very important. In fact, it is paramount because it only takes ONE compromised, malicious or coerced Active Directory privileged user to completely own, compromise and destroy the entire organization.

Here's proof - did you know that almost all major recent cyber security breaches, including JP Morgan, Target, Sony Hack, Snowden, the OPM Breach, Anthem, Avast, the United Nations and others all involved the compromise and misuse of just ONE Active Directory privileged user account?


Perhaps the best way to think of it is this - ask yourself if you would board a flight if I told you that the Metal Detector at the airport was not entirely accurate; you know, one that could do the job with about 75% accuracy (leaving a 25% chance that an explosive device or a firearm could make it past the security checkpoint and on to the plane you're going to be on.)

I know I wouldn't. Would you?   (If you care, don't accept approximate answers ; demand and expect exact answers.)




That's All for Today

Today's simple challenge is intended to lay the foundation for the next ten challenges, and the level of difficulty will only increase with each challenge, so I encourage everyone to accept and embrace this and all following challenges.

By the way, I decided to start simple because there are many folks who are tuned in, and for some of whom, even simple ACL analysis may be a first-time experience. So, to experts who may find these simple challenges simple, please wait for the next challenge, and no matter how advanced you are in Active Directory Security, you will have a worthy challenge :-)

That's it for today. I'll post Day-5 on July 04, and in it, I'll share the answers, including how I make these determinations, AND I'll share your next challenge, which clearly and directly impacts every organization's foundational cyber security today.

I look forward to your answers - answering these 3 questions shouldn't take more than 10 minutes.

Best wishes,
Sanjay.

Thursday, June 25, 2020

Day 3 - Active Directory Security (Privileged Access) Lab Virtual Machine


Folks,

Hello. I hope this finds you doing well. This post is Day-3 of Active Directory Security for Cyber Security Experts.


Today, I'm making available a special Active Directory Security lab virtual machine that everyone can download for free that we built to help organizations and experts worldwide learn advanced Active Directory Security and Privileged Access.



An Active Directory Security Lab VM

Over the next thirty to sixty days, I'll be teaching the world how to correctly audit privileged access in Active Directory (AD), and to help everyone learn, follow and try it out for themselves, I had a special AD Security VM custom-built for everyone.


This is a free, instantly downloadable, custom-built VM running Windows Server 2019, complete with -
  1. Over 1000 security principals, including domain user accounts, computer accounts and security groups
  2. Over 3000 objects including GPOs, service connection points, print queues and managed service accounts
  3. Over 30 custom real-world administrative delegations provisioned across over 200 organizational units (OUs)
  4. Over 150,000 Active Directory security permissions spanning over 3000 Active Directory access control lists (ACLs)
  5. Custom permissions in the AdminSDHolder ACL as well as on the domain root object, governing Mimikatz DCSync



Active Directory Security Scenarios

Today organizations worldwide need to know how to adequately secure and defend their foundational Active Directory deployments from compromise, especially how to deal with specific advanced Active Directory Security scenarios.


This custom-built Active Directory Security lab VM contains specifically implemented examples of many such advanced Active Directory Security scenarios -
  1. How to correctly audit privileged access (the "Keys to the Kingdom") in Active Directory
  2. How to correctly assess, verify and lockdown privileged access in Active Directory
  3. How to attain and maintain Least Privileged Access (LPA) in Active Directory
  4. How to perform Privileged Account Discovery (PAD) in Active Directory
  5. How to correctly assess various Active Directory Security solutions

  6. How to uncover stealthy admins in Active Directory
  7. How to identify sneaky persistence in Active Directory
  8. How to prevent the spread of ransomware via Active Directory
  9. How to identify (1000s of) privilege escalation Paths in Active Directory
  10. How to eliminate serious risks posed by BloodHound, Mimikatz DCSync etc.

Over the next few days, I will walk through crystal-clear examples of each one of these scenarios in this lab VM and show how to identify these scenarios in this lab VM, helping everyone learn how to address these scenarios in real-world ADs.




Fulfilling Active Directory Focused Privileged Access Management (PAM) Audit Needs

Organizations worldwide also need to correctly fulfill Privileged Access Management (PAM) focused privileged access audit requirements involving Active Directory, so I'll also show you how to easily and correctly fulfill such requirements.


Specifically, for the benefit of IT, cyber security and compliance audit professionals, I'll share -
  1. How to correctly audit who has what privileged access in and across the entire Active Directory (i.e. domain-wide)
  2. How to correctly audit who has what privileged access on a specific Active Directory object (e.g. the CEO's/CFO's domain user account, the Domain Admins security group, the domain root, a specific OU, AdminSDHolder etc.) 

Today, unfortunately, most organizations and auditors do not know how to correctly do so, so this should be equally helpful.




Real-World Active Directory Contents

This AD Security lab VM contains a Windows Server 2019 powered, Active Directory forest, corp.local, for a fictional multi-national corporation headquartered in USA with worldwide operations across Americas, Europe, the Middle East and Asia.


It has an elaborate, real-world like organizational unit (OU) hierarchy that includes well over 200 OUs, across which realistic, custom administrative delegations have been provisioned for various IT security groups such as Help Desk.





Real-World Privileged Access / Administrative Delegations

This AD Security lab VM has also been custom-configured with over two dozen real-world administrative delegations that have been implemented to over two dozen domain security groups across this fictional domain, just like in the real world.


In particular, privileged/administrative access has been carefully delegated/provisioned in this Active Directory for domain user account (identity) management, security group (access) management, computer (host) management, group policy management etc. just like it is done at most organizations in the real-world, both directly, and via group nesting.

Administrative tasks that have been delegated include account creations (provisioning), object deletions, password resets, account expirations, group membership changes, access control (ACL) modifications, group policy (GPO) linking, etc. etc.





Download Point

This custom-built Active Directory Security lab VM is free for everyone to use, and it can be instantly downloaded from HERE.



Its file size is 7,729,720,905 bytes (7.21 GB) and its MD-5 Hash is 390c9597a2568cd0f5f64b48b9c81f20. 


Step-by-step directions on how to download and get started with this VM in less than five minutes are provided below.





Getting Started

It takes less than five (5) minutes to get started, and here are step-by-step instructions on how to do so -

  1. Download this free Active Directory Security Virtual Machine from here.
  2. Download and install the free version of VMware Workstation Player from here.
  3. Unzip the VM to extract the "AD Security" folder
  4. Create a "Virtual Machines" folder in "My Documents"
  5. Move the unzipped "AD Security" folder into the "Virtual Machines" folder

  6. Launch VMware Workstation Player and select "Open a Virtual Machine"
  7. Point it to the "AD Security.vmx" file in the "My Documents\Virtual Machines\AD Security" folder
  8. Then select the "AD Security VM" and click the play button to start it.
  9. At the logon screen, login as "CORP\Administrator"  (The password is provided below.)
  10. Open a command-prompt, and enter "slmgr /rearm" to rearm the Windows license, then restart the VM.

That's it. Login as Administrator, then launch the "Start here" text file located on the desktop (in the VM) to become acquainted with the contents of this VM, subsequent to which you can launch ADUC to begin exploring AD contents.


  • Note: In step 8 above, you may (or may not) need to change the working directory for the VM. Should you need to do so, click on "Edit Virtual Machine Settings," then select the "Options" tab, and under "General" settings, locate the "Working Directory" text-box in the right-hand side, and modify it.


  • Please do NOT change any contents of this VM yet, especially any security permissions or domain security group memberships as I will be walking you through numerous specific examples, and if the permissions or group memberships have been changed, your results will not be the same.





Password

You will need the password for the Administrator account to login to this virtual machine.


The case-sensitive password for the Administrator account is:     ParamountDefenses!


If you're having problems logging in, feel free to send me a message on LinkedIn.




Summary

Today, Active Directory is the foundation of IT, cyber security and privileged access at 85% of organizations worldwide.


Those who know how to correctly analyze privileged access inside Active Directory possess substantial power because almost everything in Active Directory Security ultimately boils down to privileged access on Active Directory objects.


Over the next month, I'll be helping millions of IT and Cyber Security professionals worldwide gain this valuable skill, and the remaining lessons over the next 30 to 60 days will all refer to examples in this custom-built AD Security lab VM.

This AD Security Lab VM was custom built to illustrate and demonstrate the scenarios mentioned above and should be very helpful for anyone who may have a desire to gain advanced Active Directory Security and Privileged Access skills.

Best wishes,
Sanjay.


PS: July 22, 2020 Update - A detailed overview of the contents of this domain can be found here.

PS2: March 08, 2021 Update - A new version of the VM has now been made available. The download link above and the file size and MD-5 hash details above are for the new version. For reference, the file size of the original (2020) version was 7,747,920,663 bytes (7.21 GB) and its MD-5 Hash was 80be4b771485303f069a63f8eb7b4c9e.

Wednesday, June 17, 2020

Whiff - A Simple, Innocuous Ransomware Example

Folks,

As promised yesterday, today I wanted to share the first piece of innocuous ransomware example that I wrote last week.


Introducing Whiff

The first simple and innocuous illustrative ransomware I wrote is called "Whiff" and it can be downloaded from here.

whiff.exe

It was written to be able to programmatically encrypt or decrypt one specific file, and it uses the same password to do so.

This is NOT real ransomware; it is merely a very small piece of software intended to demonstrate how an actual piece of ransomware with similar capabilities could effortlessly and instantly encrypt and decrypt files on organizational computers.



Purpose

The sole purpose of this sample innocuous illustrative ransomware is to DEMONSTRATE just how quickly and effortlessly someone who could deploy similar ransomware using Active Directory (specifically via Group Policy) could cause files on thousands of machines in an organization to be instantly encrypted.


If you know how to deploy a logon script using Group Policy in Active Directory, then you should have no problem trying it out right away (; Script name: whiff.exe, Parameter: /E .) If you don't know how to deploy a logon script using Group Policy, you'll want to tune back next week, which is when I will provide step-by-step directions on how to do so.




Capabilities

Having been written to illustrate how someone could deploy ransomware using Active Directory, its sole capability is illustrative in nature, and it is specifically programmed to instantly ENCRYPT and DECRYPT a single specific file sample.txt in the location c:\temp.


For your convenience it can also automatically create (and delete) this sample file for you, via the /C (and /X) switch(es).


In case you're wondering why there isn't a "Ransom" payment notice displayed, it's because there isn't any actual ransom involved. This is an illustrative piece of ransomware-like-software and you can easily decrypt the file using the /D flag.



Usage

whiff.exe provides four simple options -

  • /C   This option will automatically create a timestamped file c:\temp\sample.txt
  • /E   This option will automatically encrypt the c:\temp\sample.txt file
  • /D   This option will automatically decrypt the encrypted version of c:\temp\sample.txt
  • /X   This option will automatically delete the file c:\temp\sample.txt




How to Easily Deploy it Organization-wide using Active Directory

It takes less than one minute to deploy it organization-wide via Active Directory.


If you know how to deploy a logon script using Group Policy in Active Directory, you should have no problem trying it out right away. (Use script whiff.exe, parameter /E, and make sure that a c:\temp directory exists on domain-joined machines.)

If you don't know how to deploy a logon script using Group Policy, or are having difficulty figuring it out, simply check this blog next week as I will be sharing step-by-step instructions on how exactly to do so.




You Can Also Try It Right Away Without Active Directory

In addition to being able to deploy it via Active Directory, you can also instantly try it out on any Windows computer.


Here's how -
  1. Download whiff.exe from here onto any Windows computer.

  2. Create a folder named temp on C:\ on the same computer.
  3. Open a command-prompt, and navigate to the folder where you saved whiff.exe.
  4. Right-click on the whiff.exe file to check and verify its digital signature.
  5. Type whiff /C and click enter to have it automatically create sample.txt in the c:\temp folder.
  6. Navigate to the c:\temp folder, locate the sample.txt file, and open it to review its plain-text, then close it.

  7. Next, type, whiff /E and click enter to have it instantly encrypt the file.
  8. Now, open c:\temp\sample.txt again ; it will be encrypted.
  9. To decrypt it, type whiff /D and click enter. Open the file to verify that it has been decrypted.
  10. Finally, should you wish to delete the sample.txt file, simply enter whiff /X.

You can also create your own sample.txt file. The /C option also adds a timestamp to the sample file it creates to help you verify that the program did in fact decrypt the same plain-text version that existed prior to your having encrypted the file.




An Innocuous Ransomware Sample

Ransomware poses a serious and real risk to organizations worldwide, and while organizations strive to employ various measures to protect themselves from being victimized, there are hardly any innocuous, trustworthy samples of illustrative ransomware-like-software available for organizations to try "what-if" scenarios and possibilities.

In that regard, whiff.exe is completely innocuous. It is purposefully intended to accomplish just one illustrative objective i.e. to encrypt and decrypt a single, specific trivial file, i.e. one named sample.txt that resides in the c:\temp folder.

It is also digitally signed to ensure its authenticity and integrity, and it thus provides a safe and trustworthy sample of an illustrative ransomware-like-software so organizations can easily and safely try out "what-if" scenarios and possibilities.


To reiterate, whiff.exe is specifically intended to help organizations see for themselves just how easily anyone who has sufficient access in Active Directory to be able to link a GPO to an(y) organizational unit (OU) or the domain root could potentially wreak havoc by using the power of Group Policy to very quickly deploy ransomware across thousands of machines in an organization.




Folder-wide Encryption

As I had indicated, I've written two such pieces of exemplary ransomware. Whiff is the first piece and by intention it can only encrypt (and decrypt) ONE file, which too is a specific temporary/trivial file.

That said, the second piece of exemplary ransomware that I wrote, and which I may share in days/weeks to come, can automatically encrypt thousands or even millions of files in any specifiable file-system folder.


In short, should it be required, we can also demonstrate (to any and every organization that wants to see so) just how easily actual similar ransomware could be deployed onto thousands of computers via Active Directory and result in the almost instantaneous encryption of entire hard-drives containing thousands of folders and millions of files.


For now though, Whiff should be enough to demonstrate this dire possibility, because to the wise, a "whiff" is enough.

Best,
Sanjay.


PS: Hey Google, define Whiff  for the world.

Monday, June 15, 2020

How Attackers Could Unleash Ransomware on Thousands of Computers in an Organization using Active Directory


Folks,

Hello. Today's post is on ransomware - specifically how a perpetrator could instantly unleash ransomware on thousands of organizational computers, in minutes using Active Directory, instantly encrypting vast amounts of an organization's data.



Ransomware (; needs no introduction.)

Today ransomware undoubtedly poses a clear and present cyber security danger to thousands of organizations worldwide.


Examples of ransomware include CryptoLocker, CryptoWall, WannaCry, Petya, NotPetya, Bad Rabbit, Sodinokibi etc. etc.

According to the New York Times, in 2019 alone, over 200,000 organizations had submitted files that had been hacked in a ransomware attack, and the average payment to release files was over $80,000. This amount doubled in December of 2019, and several organizations have faced ransom demands in the millions of dollars.

Of course, one of the most famous and high-profile cases of ransomware involves the multi-billion $ Danish shipping giant Maersk, which fell victim to the Petya ransomware in 2018, and ended up incurring a staggering loss of US $ 250 Million.

Since then so many critical organizations including hospitals, police departments, city governments, law firms, automotive companies etc. etc. have been falling victim to ransomware and so many more are struggling to protect themselves.

For instance, just yesterday, the city of Knoxville became the latest American city to suffer a ransomware attack. Days ago, Honda announced that it had to halt operations due to a ransomware attack. Earlier this year, amongst numerous others, the Miami Beach Police Department suffered a ransomware attack, as did Parkview Medical Center in Colorado. Recently an FBI official said that "We certainly view it as one of the most serious cybercriminal problems we face right now."

In essence, today most organizations do understand the risk posed by ransomware and the need to protect themselves. However, what they may not know is that someone could unleash ransomware on thousands of computers in minutes.




How Much Damage Could Be Inflicted?

In a cyber attack involving an organization becoming a victim of ransomware, generally the extent of damage inflicted is a function of the amount of data that was encrypted (and possibly exfiltrated) and the value of that data to the organization.


That said, almost always, the extent of damage inflicted in a situation wherein ransomware is able to encrypt (/exfiltrate) data on (/from) thousands of computers would be exponentially more than that in a situation involving a few computers.

This begs a question - how easy is it for someone to unleash ransomware on thousands of organizational computers?



Well, let's take a look, shall we, and the answer lies in what follows...



How Ransomware is Usually Unleashed

In most cases, the avenue for unleashing ransomware in an organization involves simple attack vectors such as phishing an employee, compromising an unpatched machine etc. and it usually begins with a SINGLE machine being victimized.


Subsequently, the mal payload attempts to compromise additional machines on the network, and the degree to which it is successful in spreading within an organization is usually a function of the number of vulnerable machines it can find/infect.

In short, barring the case wherein an Active Directory privileged user's account is compromised, traditional avenues used to unleash malware in an organization cannot usually easily infect THOUSANDS of an organization's computers.



Now, Consider THIS

Consider that an organization is situated in a single centrally air-conditioned building, and that the building's central air-conditioning unit is in a room at the top of the building. In such a scenario, air from the building's central air-conditioning unit has a clear, direct and uninterrupted channel into every room in the building.


Now, consider a situation wherein there is a dangerous virus that threatens humans and that can be spread if airborne.

In such a situation, if someone, such as a perpetrator, could get into the room that houses the central air-conditioning unit, he/she could easily unleash/spray the virus into the central air-conditioning unit, and within minutes of doing so, the virus would effortlessly have found its way into every room in the building, and instantly threaten every person in every room.



Instantly Unleashing Ransomware Using Active Directory

From the United States Government to the Fortune 100, at 85% of all business and government organizations worldwide, at the very foundation of these organizations' cyber security and IT lie their foundational Active Directory deployments.


There exists a direct secure channel between Active Directory and every computer in an organization that is joined to its Active Directory, and via a management feature called Group Policy, organizational IT personnel can easily and instantly control the security of every domain-joined machine, and that includes pushing out logon scripts onto these machines.


If someone, such as a perpetrator, could link a single malicious GPO (Group Policy Object) to an organizational unit (OU) or the domain root in an organization's foundational Active Directory, he/she could almost instantly and effortlessly deploy ransomware to thousands of organizational machines, thereby inflicting colossal damage in a matter of minutes.


In short, in the simple air-conditioned building scenario shared above, a room in the building represents a computer in the organization, and the central air-conditioning unit in the building represents the organization's foundational Active Directory.

All that someone needs to do is link the ransomware to a new/existing group policy and then link that group policy to an OU or domain, and he/she would basically have instantaneously and effortlessly unleashed ransomware onto thousands of organizational computers, because AD has a clear, direct and uninterrupted channel to every domain-joined computer.

In short, in just a few mouse clicks, anyone who had sufficient access in Active Directory to basically be able to link a GPO to an OU/domain, could effortlessly unleash ransomware across the entire organization, by (mis-)using Active Directory.

(This incidentally begs the question - "Do we know exactly who can link GPOs to OUs in our Active Directory today?!")
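Answering that question, like question 3 of the Day-4 challenge ("Write Property - Member" on the Domain Admins group), starts with reading an object's ACEs against one attribute. The sketch below is an added example, not the author's code or any of the listed tools: it parses SDDL strings (constructed here, with a made-up domain SID) and flags ACEs that allow or deny Write Property on `member` or `gPLink`, treating Modify Permissions and Modify Owner as "indirect", which is an assumption about what the post means by that word. It lists ACEs only and does not compute effective access.

```python
import re
from collections import namedtuple

# Schema GUIDs of the two attributes the posts ask about.
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # member (group membership)
GPLINK_GUID = "f30e3bbe-9ff0-11d1-b603-0000f80367c1"  # gPLink (GPO links on an OU/domain)

# SDDL right codes for directory objects -> access-mask bits.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
          "GW": 0x40000000, "GR": 0x80000000}
WP, WD, WO = RIGHTS["WP"], RIGHTS["WD"], RIGHTS["WO"]
# Generic rights whose directory-service mapping contains Write Property.
GENERIC_MAP = {RIGHTS["GA"]: 0xF01FF, RIGHTS["GW"]: 0x20028}

Finding = namedtuple("Finding", "kind effect trustee inherited")

def parse_mask(rights):
    """Turn an SDDL rights field (letter codes or 0x hex) into an access mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
    else:
        mask = 0
        for i in range(0, len(rights), 2):
            tok = rights[i:i + 2]
            if tok not in RIGHTS:
                raise ValueError(f"unknown SDDL right {tok!r}")
            mask |= RIGHTS[tok]
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            mask |= specific
    return mask

def dacl_aces(sddl):
    """Return the raw ACE strings of the DACL (conditional ACEs not handled)."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    return re.findall(r"\(([^()]*)\)", m.group(1)) if m else []

def aces_bearing_on_write(sddl, attr_guid):
    """List ACEs on this object that bear on Write Property for attr_guid."""
    findings = []
    for ace in dacl_aces(sddl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "D", "OA", "OD"):
            continue
        typ, flags, rights, obj, _inherit_obj, trustee = fields[:6]
        flagset = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        if "IO" in flagset:          # inherit-only: applies to children, not here
            continue
        mask = parse_mask(rights)
        effect = "allow" if typ in ("A", "OA") else "deny"
        obj = obj.lower()
        if mask & WP and obj in ("", attr_guid.lower()):
            kind = "direct"          # all properties, or exactly this attribute
        elif mask & (WD | WO) and obj == "":
            kind = "indirect"        # assumption: can rewrite the ACL or owner
        else:
            continue
        findings.append(Finding(kind, effect, trustee, "ID" in flagset))
    return findings

# --- Constructed sample data (not taken from the lab VM) ---
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
OTHER_ATTR = "11111111-2222-3333-4444-555555555555"   # placeholder, unrelated attribute
GROUP_SDDL = (
    "O:DAG:DAD:PAI"
    f"(OD;;WP;{MEMBER_GUID};;{DOM}-1602)"       # explicit deny on member
    "(A;;CCDCLCSWRPWPLOCRRCWDWOSDDT;;;DA)"      # full control, spelled out
    "(A;;GA;;;SY)"                              # generic all
    "(A;;LCRPLORC;;;AU)"                        # read only
    f"(OA;;WP;{MEMBER_GUID};;{DOM}-1601)"       # write member
    f"(A;;RCWD;;;{DOM}-1603)"                   # modify permissions
    f"(OA;CIIO;WP;{MEMBER_GUID};;{DOM}-1604)"   # inherit-only, skipped
    f"(OA;;WP;{OTHER_ATTR};;{DOM}-1605)"        # write a different attribute
)
OU_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;CI;RPWP;{GPLINK_GUID};;{DOM}-1701)"   # can link GPOs here
    f"(A;CIID;GW;;;{DOM}-1702)"                 # inherited generic write
    f"(OA;;WP;{MEMBER_GUID};;{DOM}-1703)"       # irrelevant to gPLink
    f"(A;;WO;;;{DOM}-1704)"                     # modify owner
)

if __name__ == "__main__":
    for name, sddl, guid in (("group/member", GROUP_SDDL, MEMBER_GUID),
                             ("OU/gPLink", OU_SDDL, GPLINK_GUID)):
        print(name, "total ACEs:", len(dacl_aces(sddl)))
        for f in aces_bearing_on_write(sddl, guid):
            print("  ", f.kind, f.effect, f.trustee,
                  "(inherited)" if f.inherited else "(explicit)")
```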



Sounds Theoretical ( ; Any Proof?)

Most IT and cyber security professionals would likely agree that in theory it sounds doable (because it isn't rocket science.)

At the same time, most of them, including most CISOs, will question whether there's any evidence at all of this simple yet highly potent attack vector in reality/practice. In other words, is this merely theory, or can someone show it in action today?


After all, there's no dearth of theoretical attack vectors in cyber security, so unless this is possible today, why worry :-) ?!




Time to Worry (; Here's Proof.)

I don't know whether or not there exists ransomware that has been shown to leverage Active Directory yet (IMO primarily because the bad guys aren't that smart/capable yet,) and I most definitely do not have the time to research it, BUT/AND...


...to PROVE that this is ABSOLUTELY possible today, last week, I sat down to code, and within a few hours, I had personally written production-level RANSOMWARE that can be easily deployed using Active Directory (via GPOs).


In fact, I wrote TWO of them, and I'll share the FIRST one with the world TOMORROW morning, right here on this blog.


NOW, before you jump to conclusions, let me clearly state that the sole purpose of doing so was to show the world that if I can personally create them in just a few hours, imagine what a professional/state-sponsored adversary/APT could create.


Make no mistake about it - each one of them is simple yet professional-grade*. The first one is very simple and solely for illustrative purposes ; once deployed, it will encrypt one specific file. The second one, which too is deployment-ready, once deployed, will encrypt (and with the right password, decrypt) entire directories on thousands of domain-joined computers.




* I'm not a script kiddie. I don't do .NET, PowerShell, VBScript etc. I write professional-grade code in C & Assembly.


As always, you do not need to take my word for it. Tomorrow, I'll share the link right here on this blog, and everyone will be able to freely download and instantly deploy it in any test/production Active Directory, and see it in action for themselves.




Summary

Ransomware clearly poses a serious cyber risk to thousands of organizations worldwide ; thus far it has been spread using traditional attack vectors, but/and since thousands of organizations operate on Active Directory, it is only a matter of time before perpetrators realize that they can leverage AD to easily unleash it on thousands of computers within organizations.

As an example, consider Mimikatz and Mimikatz DCSync. For years, it has been no secret that theoretically speaking, one could extract credentials from memory, and of course, replicate secrets from Active Directory, and that if materialized, these could be highly potent attack vectors, and sure enough, one day Benjamin Delpy made this trivial for everyone.

Thus, I felt the need to make organizations aware of this highly potent yet unmitigated attack vector as well, well before perpetrators weaponize it, and to demonstrate its feasibility, I've written two harmless pieces of illustrative ransomware.


In short, if you can click a few mouse buttons, you can now see for yourself how someone could leverage Active Directory to unleash ransomware on thousands of computers. It is no longer merely theoretical ; it is completely possible, today.

I'm also not about to wait for perpetrators to start misusing Active Directory to unleash ransomware and wreak havoc at organizations worldwide. In days to come, I'm going to teach and empower organizations to prevent this from happening.


Prevention is always better than cure/recovery, and as we have seen, timely preventive action can be extremely valuable.

Alright then (; until tomorrow.)

Thanks,
Sanjay


PS2: Pardon the delay in getting to Day 3 of Active Directory Security for Cyber Security Experts ; it'll be out on June 18.
