
Wednesday, May 5, 2021

The $ 25,000 Gold Finger Mini Challenge

Folks,

I hope this finds you doing well. Today, we are announcing our second global Gold Finger Mini Challenge for US $ 25,000.





We are excited to announce an award of US $ 25,000/- to the first individual who can identify any solution in the world, other than Gold Finger, that can demonstrably do what the Advanced level of Gold Finger Mini can. Details below -



Here are the top 7 Active Directory privileged access audit insights that the Advanced level of Gold Finger Mini can provide -
  1. Who can replicate secrets (password hashes) from an Active Directory domain? 
  2. Who can reset the password of an Active Directory domain user's account?
  3. Who can disable the use of Smartcards on an Active Directory account?
  4. Who can change an Active Directory security group's membership?
  5. Who can change security permissions on an Active Directory OU?
  6. Who can link a group policy (GPO) to an Active Directory OU?
  7. Who can create an Active Directory user account in an OU? 

The need to know exactly who can enact these privileged tasks is absolutely paramount.



Paramount Privileged Access Insights

The unauthorized, accidental or coerced enactment of virtually all administrative tasks listed above could instantly result in a colossal breach far greater (damaging) in impact than even the recent SolarWinds Hack.


Consider this -
  1. Anyone who could replicate secrets from Active Directory, effortlessly enactable via the use of Mimikatz DCSync, could instantly compromise the credentials of all (thousands of) organizational domain user accounts, resulting in a colossal breach bigger than the SolarWinds Hack.

  2. Anyone who could reset the password of a domain user account would in effect have instantly compromised the identity of that account, such as that of a C-Level Executive, a Software Developer etc. He/she could then login as that account and instantly obtain access to everything that account has access to. If the target were an Active Directory privileged user account, it would be tantamount to a colossal, system-wide breach.

  3. Anyone who could disable the use of Smartcards for interactive logon would in effect have downgraded security on that account, forcing authentication to be password-based, and a simple password reset of that domain user account could be used to instantly compromise it.

  4. Anyone who could change the membership of a domain security group could instantly obtain domain-wide access to all IT resources that the compromised group has access to, such as All Employees, Source-Code Access, AccountingCloud Global Admins etc. If the target were an Active Directory privileged group, such as Domain Admins, it would be tantamount to a colossal, system-wide breach.

  5. Anyone who could modify the security permissions on an Active Directory OU could easily gain privileged access on all Active Directory objects e.g. user accounts, computers, security groups, service connection points etc. that reside in that OU. In numerous ways, this could easily be used to elevate/escalate privilege and gain Domain Admin equivalent access, resulting in a colossal breach.

  6. Anyone who could link a GPO to an Active Directory OU could instantly control the security of all computers whose domain computer accounts reside in that OU. This could be used to easily circumvent all endpoint-protection controls, deliver malicious payloads or instantly unleash malware on thousands of domain-joined computers.

  7. Anyone who could create a domain user account in Active Directory could then use that account to engage in nefarious activities that couldn't be traced back to a uniquely identifiable individual, thereby enabling the perpetrator to evade accountability while engaging in nefarious recon or attack activities.  

Consequently, the need to know exactly who can enact these administrative tasks in an organization's foundational Active Directory deployment is absolutely paramount to organizational cyber security today. 
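
An added example, not part of the original post and not how Gold Finger works: for insight 1, a Python check that reads a domain root's security descriptor in SDDL form and lists the trustees whose allow ACEs grant both replication extended rights. The sample SDDL and its SIDs are constructed; the check assumes rights are written as two-letter SDDL codes, and it does not expand group membership or evaluate deny ACEs.

```python
import re
from collections import defaultdict

# Schema GUIDs of the two extended rights that together allow replicating secrets.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
NEEDED = {GET_CHANGES, GET_CHANGES_ALL}

def replication_trustees(sddl):
    """Trustees whose allow ACEs on this object grant both replication rights."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    granted = defaultdict(set)
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        if "IO" in re.findall("..", flags):
            continue  # inherit-only: applies to child objects, not the domain root
        codes = set(re.findall("..", rights))
        guid = obj_guid.lower()
        if ace_type == "OA" and "CR" in codes and guid in NEEDED:
            granted[trustee].add(guid)          # one named extended right
        elif ace_type in ("A", "OA") and not guid and codes & {"CR", "GA"}:
            granted[trustee] |= NEEDED          # all extended rights or full control
    return sorted(t for t, g in granted.items() if g >= NEEDED)

# Constructed sample: DACL of a lab domain root; the SIDs are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    f"(OA;;CR;{GET_CHANGES};;{DOM}-1105)"        # sync service account: both rights
    f"(OA;;CR;{GET_CHANGES_ALL};;{DOM}-1105)"
    f"(OA;;CR;{GET_CHANGES};;{DOM}-1106)"        # only one right that applies here
    f"(OA;CIIO;CR;{GET_CHANGES_ALL};;{DOM}-1106)"
    "(A;;RPLCLORC;;;AU)"                         # read access only
    "(A;CI;GA;;;DA)"                             # Domain Admins: full control
)

if __name__ == "__main__":
    for trustee in replication_trustees(SAMPLE_SDDL):
        print("can replicate secrets:", trustee)
```

Any trustee that is a group still has to be resolved to its members, and matching deny ACEs checked, before the list answers who can actually replicate secrets.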




The $ 25,000 Challenge

Our challenge is simple. All you need to do is -
  1. Try the Advanced level of Gold Finger Mini, downloadable from here, to experience its unique capabilities.

  2. Identify any solution in the world, other than Gold Finger, that you believe can do what Gold Finger Mini can.

    Specifically - Identify any solution in the world that can accurately deliver the 7 paramount insights listed above.

  3. Compare and verify the results of the identified solution with Gold Finger Mini's results in the same AD domain. For your convenience, a ready to use lab AD domain with Gold Finger Mini pre-installed, can be downloaded from here.

If you believe you have found a solution, email its name to us at challenge[@]paramountdefenses.com. If you don't find a solution, but wish to be eligible for our next challenge (see below), email us and let us know that you didn't find a solution.  




List of Popular Active Directory Security Solutions

To help make it easy for you to find other solutions that you could compare Gold Finger Mini with, here is a list of various Active Directory Security Solutions available today, listed in alphabetical order -
  1. Acldiag (Microsoft)
  2. Aclight (CyberArk)
  3. Active Directory ACL Analyzer* (Paramount Defenses)
  4. Active Directory ACL Exporter* (Paramount Defenses)
  5. Active Directory Effective Permissions Calculator* (Paramount Defenses)
  6. Active Directory Effective Access Auditor* (Paramount Defenses)
  7. Active Directory Membership Auditor* (Paramount Defenses)
  8. Active Directory Permissions Analyzer* (Paramount Defenses)
  9. Active Directory Permissions Reporting Tool (ManageEngine)
  10. Active Directory Privileged Access Auditor* (Paramount Defenses)

  11. Active Directory Security Auditor* (Paramount Defenses)
  12. AD ACL Scanner (Robin Granberg ?)
  13. AD Permissions Reporter (CJWDev)
  14. AD Secure (Attivo Networks)
  15. AD Assessor (Attivo Networks)
  16. Alsid for AD (Alsid)
  17. BeyondTrust Auditor (BeyondTrust)
  18. BloodHound (SpecterOps)
  19. CrowdStrike Falcon Identity Protection (CrowdStrike)
  20. Dsacls (Microsoft)

  21. Directory Service Protector (Semperis)
  22. Effective Permissions Reporting Tool (Netwrix)
  23. Enterprise Reporter for Active Directory (Quest)
  24. Hyena (Systemtools)
  25. LepideAuditor (Lepide)
  26. Permissions Analyzer for Active Directory (SolarWinds)
  27. Ping Castle (Ping Castle)
  28. PowerShell for Active Directory (Microsoft)
  29. Purple Knight (Semperis)
  30. StealthAUDIT Active Directory Permissions Analyzer (Stealthbits)
  • * These tools are a part of the Gold Finger Suite and are thus not eligible for consideration

If there are any tools that are not on this list but should be, simply leave a comment below, and we will add them to the list.




Submission Deadline

The deadline for submitting an entry for our second challenge is May 16, 2021 i.e. all entries received by 23:59:59 U.S. PST on May 16, 2021 will be eligible for participation. The winner will be announced on May 20, 2021 on this blog.

The timestamp at which your email is received will determine the order of submissions. The first submission that identifies a solution other than Gold Finger, that can accurately do what Gold Finger Mini can i.e. deliver the 7 paramount insights listed above, will be the winner. If no submission is able to demonstrably identify such a solution, there will be no winner.




The Next Challenge

We will issue our next challenge on May 21, 2021. The reward for the next challenge will be US $ 50,000/-.
However, only those individuals who participate in this challenge will be eligible to participate in the next challenge.  




Summary

Almost all major breaches in the last decade, including the SolarWinds Hack, involved the compromise and misuse of just one Active Directory privileged user account. Of note, the SolarWinds hackers only targeted Active Directory environments.
The objective of this challenge is to help organizations as well as IT and cyber security personnel worldwide become aware of the paramount importance of knowing exactly who has what privileged access in Active Directory, and to help organizations realize just how substantially inadequate their existing Active Directory audit toolsets are today.

We hope that this will be an educational challenge for all IT and cyber security professionals worldwide, and we look forward to hearing from everyone who understands the paramount importance of Active Directory Security.


Thank you.

Kindest regards,
Sanjay Tandon.

Chairman and CEO,
Paramount Defenses


Your participation is subject to the Terms of Use of our website and our Privacy Policy.


© 2006 - 2024 Paramount Defenses.
All Rights Reserved.
