10 Active Directory Misconfigurations That Lead to Total Compromise

[email protected] +1-888-867-5179 Austin, TX 201 W 5th St.



1. Group Policy Preferences Visible Passwords

ATTACK EXPLANATION

Group Policy Preferences allow an administrator to configure local administrator accounts, schedule tasks, and mount network drives with specified credentials when a user logs in. GPPs are written to the SYSVOL share of the domain controllers. An attacker can read the GPP XML files inside the SYSVOL share and extract the credentials stored in the GPP.

POTENTIAL THREAT

An attacker gains the same privileges as the accounts extracted from the GPPs. Accounts used in GPPs typically have local admin rights on every machine.
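A defender's check for this item, written as an added example that is not part of the original brochure: it walks a SYSVOL-style tree and reports every Group Policy Preference file that still carries a cpassword attribute. The three preference files and their policy folder names are constructed sample data.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed GPP preference files standing in for a SYSVOL tree; not real policy data.
SAMPLE_GPP_FILES = {
    "Policies/{GUID-1}/Machine/Preferences/Groups/Groups.xml":
        '<Groups><User name="Administrator (built-in)"><Properties action="U" '
        'userName="LocalAdmin" cpassword="AAAAAAAAAAAAAAAAAAAAAAAA"/></User></Groups>',
    "Policies/{GUID-2}/User/Preferences/Drives/Drives.xml":
        '<Drives><Drive name="S:"><Properties action="U" path="\\\\fs01\\share" '
        'userName="CORP\\svc_mount" cpassword="BBBBBBBBBBBBBBBBBBBBBBBB"/></Drive></Drives>',
    "Policies/{GUID-3}/Machine/Preferences/Groups/Groups.xml":
        '<Groups><Group name="Administrators"><Properties action="U" '
        'groupName="Administrators"/></Group></Groups>',  # no stored credential: clean
}

def find_gpp_passwords(sysvol_root):
    """Walk a SYSVOL tree and report every <Properties> element carrying a cpassword
    attribute as (relative path, userName, preference type). Only the presence of a
    stored credential is reported; the value itself is never read out."""
    findings = []
    for dirpath, _, filenames in os.walk(sysvol_root):
        for name in filenames:
            if not name.lower().endswith(".xml"):
                continue
            full = os.path.join(dirpath, name)
            try:
                root = ET.parse(full).getroot()
            except ET.ParseError:
                continue  # not a GPP file (or malformed): skip rather than abort the scan
            for props in root.iter("Properties"):
                if "cpassword" in props.attrib:  # present even when the value is empty
                    rel = os.path.relpath(full, sysvol_root).replace(os.sep, "/")
                    findings.append((rel, props.get("userName", ""), root.tag))
    return sorted(findings)

def scan_constructed_sysvol():
    """Materialise the sample files in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, xml in SAMPLE_GPP_FILES.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(xml)
        return find_gpp_passwords(tmp)
```

Against a real domain, point `find_gpp_passwords` at the mounted SYSVOL share; any hit means the preference must be removed and the account's password rotated.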

2. Hidden Security Identifier (SID)

ATTACK EXPLANATION

Abuse of the Active Directory “SID History” attribute enables an attacker to inherit permissions from other high-privileged SIDs (accounts or groups) without any trace of additional group membership for the user.

POTENTIAL THREAT

An injected SID History value could indicate that the attacker is hiding high-privileged group membership, e.g. “Domain Admins”, in a low-privileged account to conceal a post-exploitation domain backdoor.


3. Golden Ticket

ATTACK EXPLANATION

If an attacker has the long-term key for the “krbtgt” account, they can forge a logon ticket (TGT) with any user rights. The ticket can contain a fictitious username with domain admin membership (or any other membership the attacker chooses).

POTENTIAL THREAT

An attacker can gain any privileges for any service or machine in the network and use them everywhere. These privileges last as long as the “krbtgt” account password is not reset.

4. Domain Replication Backdoor

ATTACK EXPLANATION

If a low-privileged user has been granted domain replication permissions on the domain object, the attacker can access all the domain-sensitive data, e.g. the password hashes of every user in the domain, without being a high-privileged user. Because some domain services require domain replication capabilities, replication permissions must be assigned to Active Directory objects, and such grants are easy to overlook.

POTENTIAL THREAT

Full access to the entire domain user database.


5. Unprivileged Admin Holder ACL

ATTACK EXPLANATION

Abuse of AdminSDHolder ACLs—such as adding an unprivileged user to the AdminSDHolder security object with full control or write permissions—gives that unprivileged user the ability to add themselves or other users to powerful groups, such as Domain Admins, without holding high privileges.

POTENTIAL THREAT

Enabling and modifying this feature would allow an attacker to leave hidden administrator privileges on the DC without using domain accounts.
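Items 4 and 5 are both found by reading a DACL and asking who holds a dangerous right. The block below is an added example, not the brochure's or any vendor's code: it audits a parsed domain-object DACL for the pair of replication rights that together permit directory replication, and the AdminSDHolder DACL for write-class rights held by anyone outside an allowlist. The ACE lists, the CORP domain name and the allowlists are constructed assumptions; the two replication-right GUIDs are the well-known Active Directory values.

```python
# Control-access-right GUIDs that together permit directory replication (DCSync).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}
ANY_OBJECT = "00000000-0000-0000-0000-000000000000"  # ACE without an object type: all rights
WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty"}

# Allowlists are assumptions to be tuned per domain: principals expected to hold these rights.
EXPECTED_REPLICATORS = {"CORP\\Domain Controllers", "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
                        "BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}
EXPECTED_ADMINSDHOLDER_WRITERS = {"CORP\\Domain Admins", "CORP\\Enterprise Admins",
                                  "BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}

# Constructed allow-ACE lists (trustee, right names, object type GUID) shaped like a parsed
# nTSecurityDescriptor DACL; not taken from any real domain.
DOMAIN_ROOT_ACES = [
    ("CORP\\Domain Controllers", {"ControlAccess"}, DS_REPL_GET_CHANGES),
    ("CORP\\Domain Controllers", {"ControlAccess"}, DS_REPL_GET_CHANGES_ALL),
    ("CORP\\svc_backup", {"ControlAccess"}, DS_REPL_GET_CHANGES),
    ("CORP\\svc_backup", {"ControlAccess"}, DS_REPL_GET_CHANGES_ALL),
    ("CORP\\svc_monitor", {"ControlAccess"}, DS_REPL_GET_CHANGES),  # one right only: no DCSync
    ("CORP\\helpdesk", {"GenericAll"}, ANY_OBJECT),
]
ADMINSDHOLDER_ACES = [
    ("CORP\\Domain Admins", {"GenericAll"}, ANY_OBJECT),
    ("CORP\\jsmith", {"WriteDacl"}, ANY_OBJECT),
    ("CORP\\helpdesk", {"ReadProperty"}, ANY_OBJECT),  # read-only: harmless here
]

def dcsync_capable(aces, allowlist=EXPECTED_REPLICATORS):
    """Trustees holding both replication rights on the domain object, outside the allowlist.
    Full control, or an extended-rights ACE with no object type, implies both rights."""
    held = {}
    for trustee, rights, guid in aces:
        got = held.setdefault(trustee, set())
        if "GenericAll" in rights or ("ControlAccess" in rights and guid == ANY_OBJECT):
            got |= REPL_RIGHTS
        elif "ControlAccess" in rights and guid in REPL_RIGHTS:
            got.add(guid)
    return sorted(t for t, got in held.items() if got >= REPL_RIGHTS and t not in allowlist)

def adminsdholder_writers(aces, allowlist=EXPECTED_ADMINSDHOLDER_WRITERS):
    """Trustees with any write-class right on AdminSDHolder outside the allowlist; SDProp
    copies such an ACE onto every protected account and group, including Domain Admins."""
    return sorted({t for t, rights, _ in aces if rights & WRITE_RIGHTS and t not in allowlist})
```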

6. Power User Enumeration

ATTACK EXPLANATION

Authenticated users can enumerate any object in the domain. Enumerating users whose passwords never expire can reveal high-privileged users in the domain.

POTENTIAL THREAT

These credentials allow an attacker to gain high privileges in the network that can last indefinitely.
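Items 2 and 6 are both attribute audits over user objects, so one added example covers them (it is not the brochure's code): it flags sIDHistory values that point back into the current domain or carry a well-known privileged RID, and lists protected accounts (adminCount=1) whose password never expires. The user records, the domain SID and the account names are constructed; the userAccountControl bit and the RIDs are the standard Windows values.

```python
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit for "Password never expires"
NORMAL_ACCOUNT = 0x200
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed current-domain SID
# Well-known RIDs that identify privileged principals in any domain.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}

# Constructed user records shaped like LDAP search results; not real accounts.
USERS = [
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT, "adminCount": 0,
     "sIDHistory": []},
    {"sAMAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "adminCount": 1, "sIDHistory": []},
    {"sAMAccountName": "migrated", "userAccountControl": NORMAL_ACCOUNT, "adminCount": 0,
     "sIDHistory": ["S-1-5-21-9999999999-8888888888-7777777777-1105"]},  # old domain: expected
    {"sAMAccountName": "intern", "userAccountControl": NORMAL_ACCOUNT, "adminCount": 0,
     "sIDHistory": [DOMAIN_SID + "-512"]},  # Domain Admins SID of the current domain: backdoor
]

def sid_history_findings(users, domain_sid=DOMAIN_SID):
    """Flag sIDHistory values that point into the current domain (a migration never
    produces those) or that carry a well-known privileged RID from any domain."""
    out = []
    for u in users:
        for sid in u.get("sIDHistory", []):
            dom, _, rid = sid.rpartition("-")
            if dom == domain_sid:
                out.append((u["sAMAccountName"], sid, "SID from current domain"))
            elif int(rid) in PRIVILEGED_RIDS:
                out.append((u["sAMAccountName"], sid, "privileged RID: " + PRIVILEGED_RIDS[int(rid)]))
    return out

def never_expiring_privileged(users):
    """Accounts whose password never expires and that SDProp has marked as protected
    (adminCount=1): long-lived credentials with high privileges."""
    return sorted(u["sAMAccountName"] for u in users
                  if u["userAccountControl"] & DONT_EXPIRE_PASSWORD and u.get("adminCount") == 1)
```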


7. Silver Ticket

ATTACK EXPLANATION

Any user can request service tickets for any service in the domain. Since a service ticket is encrypted with the service account’s long-term key, an attacker can gather service tickets and attempt offline brute-force attacks on that long-term key.

POTENTIAL THREAT

This attack could give the attacker fully privileged access to the machines on which the service account runs.
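The ticket harvesting described above leaves a trail on the domain controller: every service ticket request is logged as Security event 4769 together with the ticket's encryption type. As an added example (not part of the original brochure), the following Python flags requesters that collect RC4-HMAC (0x17) tickets for several distinct user service accounts; the log lines, host and account names, and the threshold are constructed assumptions.

```python
import re

FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?)=(\S+)")  # "Key Name=value" pairs; keys may contain spaces

# Constructed Security-log 4769 events (service ticket requested) reduced to the fields the
# check needs; not captured from a real domain controller.
SAMPLE_4769 = """\
EventID=4769 Account Name=jdoe@CORP.LOCAL Service Name=WS01$ Ticket Encryption Type=0x12 Client Address=10.0.0.5
EventID=4769 Account Name=jdoe@CORP.LOCAL Service Name=krbtgt Ticket Encryption Type=0x12 Client Address=10.0.0.5
EventID=4769 Account Name=intern@CORP.LOCAL Service Name=svc_sql Ticket Encryption Type=0x17 Client Address=10.0.0.77
EventID=4769 Account Name=intern@CORP.LOCAL Service Name=svc_web Ticket Encryption Type=0x17 Client Address=10.0.0.77
EventID=4769 Account Name=intern@CORP.LOCAL Service Name=svc_backup Ticket Encryption Type=0x17 Client Address=10.0.0.77
EventID=4769 Account Name=app01$@CORP.LOCAL Service Name=svc_sql Ticket Encryption Type=0x17 Client Address=10.0.0.20
EventID=4768 Account Name=intern@CORP.LOCAL Service Name=krbtgt Ticket Encryption Type=0x12 Client Address=10.0.0.77
"""

def parse_event(line):
    """Turn one flattened event line into a field dictionary."""
    return dict(FIELD.findall(line))

def kerberoast_candidates(log_text, threshold=3):
    """Requesters that obtained RC4-HMAC (0x17) service tickets for at least `threshold`
    distinct user service accounts. Computer accounts ($) and krbtgt are ignored as
    services because their long random keys are not practically guessable, and computer
    accounts are ignored as requesters because hosts request tickets routinely."""
    per_requester = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or ev.get("Ticket Encryption Type") != "0x17":
            continue
        requester, service = ev["Account Name"], ev["Service Name"]
        if requester.split("@")[0].endswith("$") or service.endswith("$") or service.lower() == "krbtgt":
            continue
        per_requester.setdefault(requester, set()).add(service)
    return {r: sorted(s) for r, s in per_requester.items() if len(s) >= threshold}
```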

8. Anonymous LDAP Allowed

ATTACK EXPLANATION

Unmanaged endpoints can query Active Directory and gather information on the domain environment without authentication.

POTENTIAL THREAT

Attackers can view the entire directory structure and its permissions from an unauthenticated user and computer with nothing more than a network connection.


9. DSRM Login Enabled

ATTACK EXPLANATION

DSRM is a special boot mode for repairing or recovering Active Directory when the Directory Services are down. Enabling and modifying this feature would allow an attacker to leave hidden administrator privileges via a backdoor on the DC without using any domain accounts.

POTENTIAL THREAT

Full control of and access to the organization’s Domain Controllers.

10. Local Admin Traversal

ATTACK EXPLANATION

Since many companies use imaging software, the local administrator password is frequently the same across the entire enterprise. An attacker who steals local administrator credentials from one computer in the network can pass the local admin long-term key to a remote machine to authenticate.

POTENTIAL THREAT

Once an attacker obtains local admin credentials on one machine, they can move laterally and gain access to every machine in the network that shares the same local admin password.
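The traversal described above shows up in the endpoints' own Security logs as network logons (type 3) of a local account, arriving from the same source on host after host. The block below is an added example, not the brochure's code: it collects 4624 events from several hosts and reports sources that reached two or more hosts with one local account name. The events, host names, addresses and the CORP domain name are constructed.

```python
import re

FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?)=(\S+)")  # "Key Name=value" pairs; keys may contain spaces
AD_DOMAINS = {"CORP"}  # constructed: NetBIOS names of the organisation's AD domains

# Constructed 4624 (successful logon) events gathered from several hosts' Security logs;
# the Host field is the collecting host. Not real data.
SAMPLE_4624 = """\
Host=WS01 EventID=4624 Logon Type=3 Account Name=jdoe Account Domain=CORP Authentication Package=Kerberos Source Network Address=10.0.0.5
Host=WS02 EventID=4624 Logon Type=2 Account Name=Administrator Account Domain=WS02 Authentication Package=Negotiate Source Network Address=-
Host=WS02 EventID=4624 Logon Type=3 Account Name=Administrator Account Domain=WS02 Authentication Package=NTLM Source Network Address=10.0.0.77
Host=WS03 EventID=4624 Logon Type=3 Account Name=Administrator Account Domain=WS03 Authentication Package=NTLM Source Network Address=10.0.0.77
Host=FS01 EventID=4624 Logon Type=3 Account Name=Administrator Account Domain=FS01 Authentication Package=NTLM Source Network Address=10.0.0.77
Host=FS01 EventID=4624 Logon Type=3 Account Name=svc_backup Account Domain=CORP Authentication Package=Kerberos Source Network Address=10.0.0.9
Host=FS02 EventID=4624 Logon Type=3 Account Name=Administrator Account Domain=FS02 Authentication Package=NTLM Source Network Address=10.0.0.12
"""

def local_account_network_logons(log_text):
    """Map (source address, account name) -> hosts reached over the network (logon type 3)
    with a *local* account, i.e. one whose Account Domain is a host name, not an AD domain."""
    reached = {}
    for line in log_text.splitlines():
        ev = dict(FIELD.findall(line))
        if ev.get("EventID") != "4624" or ev.get("Logon Type") != "3":
            continue
        if ev["Account Domain"].upper() in AD_DOMAINS:
            continue  # domain account: not the shared-local-admin pattern
        key = (ev["Source Network Address"], ev["Account Name"].lower())
        reached.setdefault(key, set()).add(ev["Host"])
    return reached

def local_admin_traversal(log_text, min_hosts=2):
    """Sources that used one local account name to reach at least `min_hosts` different
    hosts: the same local admin password evidently works on all of them."""
    return {k: sorted(v) for k, v in local_account_network_logons(log_text).items()
            if len(v) >= min_hosts}
```

A single local-account network logon is routine; it is the fan-out from one source across many hosts that marks reuse of a shared local admin password.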


AD | ASSESS

Attackers exploit misconfigurations and utilize backdoors to compromise your entire domain. Find them first with AD|Assess.

All Domain and Active Directory Assessment

Attack simulation to find misconfigurations and backdoors in AD and the domain network that lead to total compromise.

GET ASSESSMENT