Decrypt LOL


Exploitation of GenericWrite Permission in Active Directory Environments

3 min read

Quick take: The article discusses the security risks that arise when the GenericWrite permission in an Active Directory Discretionary Access Control List (DACL) is abused. It details lab setups that illustrate the exploitation techniques and provides recommendations for detection and mitigation.

Fast Facts

  • Exploitation of Discretionary Access Control Lists (DACL) via GenericWrite permission in Active Directory poses significant security risks, enabling privilege escalation.
  • Malicious users can modify critical attributes, such as group memberships and account permissions, using GenericWrite, except for properties needing special permissions.
  • A lab setup simulates attacks and maps methods to the MITRE ATT&CK framework, requiring Windows Server 2019 and various Kali Linux tools.
  • The lab demonstrates how a user with GenericWrite privileges can be added to the Domain Admins group through multiple exploitation methods.
  • The article emphasizes the need for detection mechanisms and provides recommendations to mitigate risks associated with GenericWrite permission exploitation.

Exploitation of Discretionary Access Control Lists (DACL) in Active Directory

Abuse of Discretionary Access Control Lists (DACL) through the GenericWrite permission in Active Directory environments presents significant security risk. GenericWrite lets a principal write every writable attribute of an object, but it does not cover operations gated by separate control-access rights, such as resetting a password. A malicious actor holding this permission can alter critical attributes, including group memberships and account permissions, which can ultimately lead to privilege escalation.
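The defensive counterpart of the paragraph above is an audit of who actually holds GenericWrite-equivalent rights on high-value objects. The following Python script is an added example, not code from the article or from any of the tools it names: it parses the DACL section of a security descriptor in SDDL form (as returned by, for example, `Get-Acl` on an AD object) and reports access-allowed ACEs that grant GenericAll, GenericWrite, or WriteProperty over all attributes to a trustee outside an allowlist. The sample SDDL string and the allowlist of trustee abbreviations are constructed for the demonstration.

```python
import re

# GENERIC_* bits of a Windows access mask (real constants), used when
# SDDL expresses rights as a hex number instead of two-letter codes.
GENERIC_ALL = 0x10000000
GENERIC_WRITE = 0x40000000

# Two-letter SDDL codes that grant write over the whole object.
WRITE_ALL_CODES = {"GA", "GW"}

# Trustees expected to hold write rights on Domain Admins. This allowlist is
# constructed for the example: SDDL abbreviations for Domain Admins,
# Enterprise Admins, Builtin Administrators and SYSTEM.
ALLOWED_TRUSTEES = {"DA", "EA", "BA", "SY"}

ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed security descriptor for a Domain Admins group object: the two
# admin ACEs and the Authenticated Users read ACE are normal, the fourth ACE
# hands GenericWrite to an ordinary user RID, the fifth is a deny ACE.
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)"
    "(A;;GW;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(D;;GA;;;S-1-5-21-1111111111-2222222222-3333333333-1106)"
)


def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) section as 6-field tuples."""
    start = sddl.find("D:")
    if start == -1:
        return []
    dacl = sddl[start + 2:]
    end = dacl.find("S:")  # a SACL section, if present, follows the DACL
    if end != -1:
        dacl = dacl[:end]
    aces = []
    for match in ACE_RE.finditer(dacl):
        fields = match.group(1).split(";")
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee
        if len(fields) == 6:
            aces.append(tuple(fields))
    return aces


def grants_generic_write(rights, object_guid):
    """True if a rights string grants write over the whole object."""
    rights = rights.strip()
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (GENERIC_ALL | GENERIC_WRITE))
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    if codes & WRITE_ALL_CODES:
        return True
    # WriteProperty with no object GUID applies to every attribute, which is
    # the same exposure as GenericWrite.
    return "WP" in codes and object_guid == ""


def audit_generic_write(sddl, allowed=ALLOWED_TRUSTEES):
    """List access-allowed ACEs giving write-all rights to non-allowlisted trustees."""
    findings = []
    for ace_type, _flags, rights, obj_guid, _inh_guid, trustee in parse_dacl(sddl):
        if ace_type != "A":  # only access-allowed ACEs grant anything
            continue
        if trustee in allowed:
            continue
        if grants_generic_write(rights, obj_guid):
            findings.append({"trustee": trustee, "rights": rights})
    return findings


if __name__ == "__main__":
    for finding in audit_generic_write(SAMPLE_SDDL):
        print(f"GenericWrite-equivalent ACE for {finding['trustee']}: {finding['rights']}")
```

In a real audit the allowlist should hold the full SIDs of the principals that are supposed to administer the object, because SDDL only abbreviates well-known SIDs; the parser accepts both forms. Running this over the Domain Admins object and over every AdminSDHolder-protected account is a quick way to find the kind of misconfiguration the lab in this article deliberately creates.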

Lab Setup for Exploitation Techniques

A lab setup is detailed to illustrate these exploitation techniques. The lab is designed to simulate the attacks and map each method to the MITRE ATT&CK framework for easier reference. The environment requires Windows Server 2019 configured as an Active Directory domain controller. Several tools on Kali Linux are also needed, including BloodHound, Samba's net rpc, PowerView, and BloodyAD.

In the lab setup, a standard user account named Anuradha is created and granted GenericWrite over the Domain Admins group. The exploitation phase then shows how Anuradha can add herself to Domain Admins. This is demonstrated through several methods: net rpc on Linux, BloodyAD, the Windows net command, and PowerShell.

Additional Lab Setup and Attack Methods

A second lab setup is also described. It involves two users named Krishna and Radha, with Radha holding GenericWrite permission over Krishna. BloodHound is used to confirm the permission. Targeted Kerberoasting is then performed, either with targetedKerberoast.py from a UNIX-like system or with PowerShell commands on Windows.

The article underscores the importance of recognizing and mitigating threats from GenericWrite abuse. It includes detection mechanisms for identifying the suspicious activity these attacks generate and gives recommendations for remediating over-permissive GenericWrite grants.

By laying out the risks, the article aims to give organizations the knowledge they need, together with practical measures for defending against these threats.
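Both lab scenarios above leave footprints in the Windows Security log: the first adds a member to Domain Admins, the second (targeted Kerberoasting works by writing a servicePrincipalName onto the victim account) modifies an attribute of a user object. The following Python detector is an added example, not the article's own detection content. It consumes event records as dictionaries whose keys mirror the EventData field names of the real events (4728/4732/4756 for group membership additions, 5136 for directory object modifications, with `%%14674` as the "Value Added" operation type) and raises alerts on the two patterns. The event records themselves are constructed for the demonstration; in practice they would come from a SIEM or from Get-WinEvent, and 5136 requires directory service change auditing and a SACL on the objects of interest.

```python
# Security event IDs (real values): member added to a security-enabled local,
# global or universal group, and "directory service object was modified".
GROUP_ADD_EVENTS = {4732, 4728, 4756}
DS_OBJECT_MODIFIED = 5136
VALUE_ADDED = "%%14674"  # OperationType of a 5136 event that adds a value

# Groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Constructed sample records modelled on the article's two lab scenarios.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "anuradha", "MemberName": "CN=Anuradha,CN=Users,DC=lab,DC=local",
     "MemberSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "SubjectUserName": "svc_hr", "MemberName": "CN=New Hire,CN=Users,DC=lab,DC=local",
     "MemberSid": "S-1-5-21-1-2-3-1201", "TargetUserName": "HR Staff"},
    {"EventID": 5136, "SubjectUserName": "radha", "ObjectDN": "CN=Krishna,CN=Users,DC=lab,DC=local",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "http/constructed-host.lab.local", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "helpdesk", "ObjectDN": "CN=Krishna,CN=Users,DC=lab,DC=local",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "description",
     "AttributeValue": "Finance team", "OperationType": VALUE_ADDED},
    {"EventID": 4624, "SubjectUserName": "krishna", "LogonType": "3"},
]


def object_cn(distinguished_name):
    """Return the leading CN of a distinguished name, lower-cased."""
    first = distinguished_name.split(",", 1)[0]
    return first.split("=", 1)[1].strip().lower() if "=" in first else first.lower()


def detect(events):
    """Return a list of alerts for privileged-group additions and SPN writes on users."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in GROUP_ADD_EVENTS and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
            alerts.append({
                "rule": "privileged-group-member-added",
                "group": ev["TargetUserName"],
                "member": ev.get("MemberName"),
                "actor": ev.get("SubjectUserName"),
                # A user adding their own account is the pattern from the first lab.
                "self_add": object_cn(ev.get("MemberName", "")) == ev.get("SubjectUserName", "").lower(),
            })
        elif (eid == DS_OBJECT_MODIFIED
              and ev.get("OperationType") == VALUE_ADDED
              and ev.get("AttributeLDAPDisplayName") == "servicePrincipalName"
              and ev.get("ObjectClass") == "user"):
            alerts.append({
                "rule": "spn-added-to-user",
                "target": ev.get("ObjectDN"),
                "spn": ev.get("AttributeValue"),
                "actor": ev.get("SubjectUserName"),
                # One user writing an SPN onto another is the second lab's pattern.
                "cross_account": object_cn(ev.get("ObjectDN", "")) != ev.get("SubjectUserName", "").lower(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately narrow. The group rule fires on any addition to the listed groups, because legitimate additions there are rare enough to review by hand; the SPN rule only fires on user objects, since computer accounts receive SPN changes routinely. The `self_add` and `cross_account` flags are what distinguish the article's two scenarios from ordinary administration and are the natural fields to escalate on.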

Original Source: Read the Full Article Here
