Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/17/2018
01:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Exploring, Exploiting Active Directory Admin Flaws

Common methods AD administrators use to protect their environments can easily be exploited. Here's how.

No matter how many tools you buy or how many alerts flood the SOC, your security strategy is only as strong as its administration. If attackers can bypass an admin, they can own the system.

Administrator security was the crux of Sean Metcalf's 2018 DEF CON talk, "Exploiting Active Directory Administrator Insecurities," during which the Trimarc cofounder and CTO outlined the strategies admins are adopting to protect their environments and the flaws in their approaches.

Metcalf dove into current methods businesses are using to administer Active Directory, inherent weaknesses, and what defenders should be watching for. Examples included using read-only domain controllers in ways the organization doesn't expect, exploiting access to agents installed on domain controllers and other privileged systems, and exploiting AD forests.

His idea was to provide insight for red teamers pentesting against organizations improving their defenses, as well as for blue teamers hoping to improve their Active Directory security.

Years ago, he explained, organizations had many admins and sometimes, user accounts doubled as domain admins. Every local administrator account had the same username and password, and some environments had nearly as many domain admins as they did users.

"Old school admin methods," as Metcalf put it, meant logging into a workstation as an admin with credentials stored in Local Security Authority Subsystem Service (LSASS), running standard Microsoft admin tools with credentials in LSASS, and using RDP to log into the domain controller or admin servers for management.

It was "a target-rich environment" with multiple paths to exploit, he said. Now, admins are using newer methods like multi-factor authentication (MFA) and password vaults to protect their credentials so threat actors can't gain access to their environments.

Sneaking Past MFA

There are a few ways for attackers to subvert MFA and gain Active Directory access, Metcalf explained.

"Yes, MFA is good," he said. "But there are situations in which MFA can be bypassed depending on how it's configured." If an attacker knows how to switch authentication data, for example, they can enter their own phone number and have second-factor codes directly sent to their device without the administrator's knowledge.

One of the interesting things about MFA is its onboarding process, he added, using a vendor's authentication technology as an example. The tech works by connecting to an API; when someone connects and sees a prompt, it checks to see if that user can access a specific resource.

However, he continued, if a third party could compromise the admin account, they could have influence over that email so they could filter it out and/or add more devices. Metcalf presented a screen showing different integration options during the configuration process. For example, he explained, an attacker could configure an admin's authentication so it could be bypassed while the user is offline, and/or uncheck the policy that requires authentication while logging in via RDP.

Metcalf recommended using MFA but advised attendees not to rely on it as the primary method for protecting admin accounts. Use hardware tokens or apps, he said, and disable SMS when possible. Ensure all MFA users know how to report anomalies when they see them.

"Remember that once an attacker has AD admin credentials, MFA doesn't really stop them," he noted. He advised correlating users to admin accounts and the workstation used by each admin, in order to make sure the proper person is in place ot be handling admin processes.

Password Vaults

Enterprise password vaults are another tool being deployed more broadly to improve admin security and maintain admin accounts, Metcalf continued. Many businesses include additional components like "Session Manager" to augment security in addition to the password vault.

He detailed several weaknesses in password vault configuration: authentication to the password vault's Web server is usually done with the admin's user account, and connecting to the server doesn't always require MFA. Password vault servers are often administered like any other server and usually permit anyone on the network to send traffic.

Sessions on the server aren't always limited, he continued, creating an opportunity for an attacker to create a new session. Combining the password vault Web server and password management system increases risk, and a flaw in the vault can lead to full AD compromise.

Metcalf pointed to vulnerability CVE-2018-9843 as an example. The flaw in the REST API of password vault software could potentially allow remote attackers to execute arbitrary code through a serialized .NET object in an Authorization HTTP header.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...