Attackers love shortcuts. Hidden insecure permissions are their express lane to Domain Admin.
Ethical Threat Insight: Finding Hidden Insecure Permissions in Active Directory
Delegated permissions in Active Directory are specific access rights that are granted without requiring that the user be a member of a security group.
It’s a way of assigning more granular permissions.
However, it’s all too easy to make mistakes when delegating permissions.
What are the risks of insecure delegations?
Privilege Escalation
Lateral Movement
Service Abuse
Increased Attack Surface
How do insecure permissions normally happen? Take this for example…
You want to give the Help Desk group permissions to reset passwords for end users, so you give them “FullControl” of the default Users OU.
Well, you’ve now inadvertently given out more control than you intended to.
FullControl includes far more rights than just resetting passwords, so now any user within the Users OU can be compromised by an attacker who is able to obtain a Help Desk account.
Or maybe worse, Help Desk can now make even bigger, more costly mistakes.
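To make the FullControl mistake concrete, here is the same Help Desk delegation done two ways: the over-broad version (GenericAll on the OU, which is what "FullControl" means in the ACL) and the scoped version that grants only the Reset Password control access right on user objects under the OU. This is an added example, not code from the newsletter or from ADeleg; the OU distinguished name and the group name HelpDesk are placeholders, and the GUIDs are the well-known schema values for the User-Force-Change-Password right and the user object class.

```powershell
# Added example: contrast an over-broad delegation with a scoped one.
# Requires the ActiveDirectory module (RSAT). Run with an account that may
# modify the OU's security descriptor. Values below are placeholders.
Import-Module ActiveDirectory

$OuDn      = 'OU=Users,DC=corp,DC=example'          # PLACEHOLDER: your OU
$GroupName = 'HelpDesk'                             # PLACEHOLDER: your group
$sid       = (Get-ADGroup -Identity $GroupName).SID

# Well-known GUIDs from the AD schema
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"

# --- The mistake: "FullControl" on the OU and everything beneath it ---------
# GenericAll covers write-all-properties, create/delete child, WriteDacl,
# WriteOwner and every extended right, not just password resets.
$tooBroad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# --- The intended delegation: Reset Password, on user objects only ---------
# ExtendedRight limited to one control access right GUID, inherited only by
# descendant objects of class "user". Nothing else on the OU is touched.
$scoped = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)

# Apply only the scoped rule. $tooBroad is built here solely to show what the
# "FullControl" checkbox expands to; it is never added to the ACL.
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($scoped)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Show the ACEs now held by the group so the result can be eyeballed.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The difference shows up in the last table: the scoped rule lists ExtendedRight with a specific ObjectType GUID and an InheritedObjectType of the user class, whereas a FullControl delegation would list GenericAll with an all-zero ObjectType, which is exactly the pattern the audit steps below are meant to catch.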
How do we find these hidden insecure permissions?
One of my favorite ways is with the free tools, ADeleg and ADeleginator.
ADeleg is a super awesome, simple Active Directory delegation management tool. Use this to find insecure permissions.
ADeleginator is a tool I created to automate finding common insecure delegations. It’s a wrapper around ADeleg, and also a super simple awesome tool.
Here’s what you do:
Download and open ADeleg
Once ADeleg is open, click View -> Index view by -> Trustees
That puts the trustees on the left-hand side and the resources on the right. That way we can click on a trustee and see the permissions it has on a given resource. Then, on the left-hand side, open up the Global dropdown and look for several key trustees. You can consider these “unsafe users/groups”.
Everyone
Authenticated Users
Domain Users
Any other user/group you want to look for, like Help Desk
Review the permissions granted on the resources in the window on the right and look for permissions that may be dangerous. We want to look for things like:
Write all properties
Create/delete child objects
Ownership of a resource
Add/delete delegations
Write attribute
Validated write
Change the owner
Change password
Reset password
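The manual review above (pick the unsafe trustees, then scan their rights for the dangerous ones) can be scripted against a single OU's ACL. The following is an added example written for this page; it is not ADeleg or ADeleginator code. It assumes the ActiveDirectory module is installed, that the OU distinguished name and the HelpDesk group name are replaced with real values, and it maps the permission names in the list above onto the ActiveDirectoryRights flags that ADeleg is ultimately reading: GenericAll (FullControl), WriteProperty (write all properties / write attribute), CreateChild and DeleteChild, WriteDacl (add/delete delegations), WriteOwner (change the owner), Self (validated write) and ExtendedRight (Change Password, Reset Password). The two extended-right GUIDs are the well-known schema values.

```powershell
# Added example: flag dangerous rights on one OU that are granted to broad
# trustees, plus ownership of the OU itself. Read-only; nothing is changed.
Import-Module ActiveDirectory

$OuDn = 'OU=Users,DC=corp,DC=example'   # PLACEHOLDER: the OU you are auditing

# Trustees that should not hold write-class rights on account objects.
# Names are compared without the domain prefix ("NT AUTHORITY\", "CORP\").
$UnsafeTrustees = @('Everyone', 'Authenticated Users', 'Domain Users', 'HelpDesk')  # HelpDesk is a placeholder

# ActiveDirectoryRights flags corresponding to the dangerous permissions list.
$DangerousRights = @('GenericAll', 'GenericWrite', 'WriteProperty', 'CreateChild',
                     'DeleteChild', 'WriteDacl', 'WriteOwner', 'Self', 'ExtendedRight')

# Well-known control access right GUIDs (AD schema). The all-zero GUID means
# "every extended right", which is worse than any single one.
$ExtendedRightNames = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '00000000-0000-0000-0000-000000000000' = 'ALL extended rights'
}

function Get-TrusteeName([string]$identity) {
    # "CORP\HelpDesk" -> "HelpDesk"; "Everyone" stays "Everyone"
    ($identity -split '\\')[-1]
}

$acl      = Get-Acl -Path "AD:\$OuDn"
$findings = @()

# 1. Ownership of the resource: the owner can always rewrite the DACL.
if ($UnsafeTrustees -contains (Get-TrusteeName $acl.Owner.Value)) {
    $findings += [pscustomobject]@{
        Trustee = $acl.Owner.Value; Finding = 'Owns the OU'; Detail = ''; Inherited = $false
    }
}

# 2. Allow ACEs granting any dangerous right to an unsafe trustee.
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($UnsafeTrustees -notcontains (Get-TrusteeName $ace.IdentityReference.Value)) { continue }

    $granted = ($ace.ActiveDirectoryRights.ToString() -split ',\s*')
    $hits    = @($granted | Where-Object { $DangerousRights -contains $_ })
    if ($hits.Count -eq 0) { continue }

    # For ExtendedRight, name the specific control access right if we know it.
    $detail = ''
    if ($hits -contains 'ExtendedRight') {
        $key    = $ace.ObjectType.ToString()
        $detail = if ($ExtendedRightNames.ContainsKey($key)) { $ExtendedRightNames[$key] } else { "extended right $key" }
    }

    $findings += [pscustomobject]@{
        Trustee   = $ace.IdentityReference.Value
        Finding   = ($hits -join ', ')
        Detail    = $detail
        Inherited = $ace.IsInherited   # inherited ACEs must be fixed at the parent
    }
}

if ($findings.Count -eq 0) {
    "No dangerous rights for unsafe trustees found on $OuDn"
} else {
    $findings | Sort-Object Trustee | Format-Table -AutoSize
}
```

Run it against the OU you picked for the "action today" challenge; any row naming Everyone or Authenticated Users is the case the newsletter says to tighten up, and a row with Inherited set to True tells you the offending ACE lives on a parent container, so that is where the fix has to go.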
Action today: My challenge for you today. Pick one OU that holds sensitive accounts (like IT staff or executives). Run a permissions check with ADeleg. If you find “Everyone” or “Authenticated Users” anywhere in the list, tighten it up.
☕ If you would like to learn more about this, I walk through real examples of hidden AD permission risks in this webinar.
Watch it here 👇
All the best
Spencer Alessi
PS - I’m giving a talk + hands-on workshop (with a full AD lab) for ContinuumCon! It’s called Killing Active Directory Attack Paths Once and For All. In it, I am going to show how you can use Authentication Policies & Silos to completely eliminate lateral movement attack paths in AD. Hope you come check it out! The conference is streamed for FREE online, but if you want to play with the labs you have to buy a ticket. But it’s super affordable. I honestly don’t know how they do it.
