The Unintended Risks of Trusting Active Directory

DerbyCon 8.0 - Evolution

Presented by: Lee Christensen, Matt Nelson, Will Schroeder
Date: Friday October 05, 2018
Time: 15:00 - 15:50
Location: Marriott VII, VIII, IX, X
Track: Track 2

Your crown jewels are locked in a database; the system is patched, runs modern endpoint security software, and its permissions are carefully controlled and locked down. Once this system is joined to Active Directory, however, does that static trust model remain the same? Or has the number of attack paths to your data increased by an order of magnitude? We've spent the last year exploring the access control model of Active Directory and recently broadened our focus to include security descriptor misconfigurations and backdoor opportunities at the host level. We soon found that the post-exploitation "attack surface" of Windows hosts spans well beyond what we originally assumed, and that host misconfigurations can sometimes have a profound effect on the security of every other host in the forest. This talk will explore a number of lesser-known Active Directory and host-based permission settings that can be abused in concert for remote access, privilege escalation, or persistence. We will show how targeted host modifications (or existing misconfigurations) can facilitate complex Active Directory attack chains with far-reaching effects on other systems and services in the forest, and can allow new AD attack paths to be built without modifying Active Directory itself.
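The abstract's point is that a host-level security descriptor, not just an AD object ACL, can hand a non-administrative principal control of a machine. The following PowerShell audit is an added example and is not code from the talk or its authors; it walks the DACLs of a few host objects (two illustrative registry keys and two services, chosen here as assumptions, not a list from the talk) and reports any principal outside the usual administrative set that holds write, change-config, or ownership rights. Run it locally in an elevated session.

```powershell
# Added example (not from the talk): flag host-level security descriptors that
# grant write/control rights to principals outside the expected admin set.
# The registry keys and service names below are illustrative assumptions.

$ErrorActionPreference = 'Stop'

# Principals normally expected to hold full control on host objects. Anything
# else with a dangerous right is worth a second look, not automatically a bug.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

function Get-RegistryAceFindings {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.RegistryRights
            # Named rights that let a principal alter the key, plus the generic
            # GENERIC_ALL / GENERIC_WRITE bits that show up only as raw numbers.
            $dangerous = ($rights.ToString() -match 'FullControl|WriteKey|SetValue|CreateSubKey|ChangePermissions|TakeOwnership') -or
                         (([int]$rights -band 0x10000000) -ne 0) -or
                         (([int]$rights -band 0x40000000) -ne 0)
            if ($dangerous -and ($expected -notcontains $ace.IdentityReference.Value)) {
                [pscustomobject]@{
                    Object    = $p
                    Principal = $ace.IdentityReference.Value
                    Rights    = $rights.ToString()
                }
            }
        }
    }
}

function Get-ServiceAceFindings {
    param([string[]]$Names)
    foreach ($n in $Names) {
        # sc.exe sdshow prints the service security descriptor as SDDL; keep the D: line.
        $sddl = sc.exe sdshow $n | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^D:' }
        if (-not $sddl) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            $sid  = $ace.SecurityIdentifier
            $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            # SERVICE_CHANGE_CONFIG (0x2), WRITE_DAC (0x40000), WRITE_OWNER (0x80000),
            # GENERIC_ALL (0x10000000): any of these lets the holder repoint or retake the service.
            $mask = $ace.AccessMask
            if ((($mask -band 0x2) -ne 0) -or (($mask -band 0x40000) -ne 0) -or
                (($mask -band 0x80000) -ne 0) -or (($mask -band 0x10000000) -ne 0)) {
                if ($expected -notcontains $name) {
                    [pscustomobject]@{
                        Object    = "service:$n"
                        Principal = $name
                        Rights    = ('0x{0:X}' -f $mask)
                    }
                }
            }
        }
    }
}

# Illustrative targets (assumptions): autostart locations and two common services.
$findings = @()
$findings += Get-RegistryAceFindings -Paths @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)
$findings += Get-ServiceAceFindings -Names @('Spooler', 'WinRM')

if ($findings) { $findings | Format-Table -AutoSize } else { 'No unexpected write/control ACEs found.' }
```

The check is deliberately a first pass: it does not expand group membership (a domain group sitting in `BUILTIN\Administrators` is fine, but a domain group granted `FullControl` directly on a service key is the kind of finding the talk is about), and a hit should be confirmed by reading the full descriptor before treating it as a misconfiguration.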

Lee Christensen

Lee Christensen is a senior operator, threat hunter, and capability engineer for SpecterOps. He has performed red team and hunt engagements against Fortune 500 companies for several years, and has trained at events throughout the world. Lee enjoys researching and building tools to support offensive engagements and detection capabilities. He has contributed to several offensive/defensive tools and is the author of UnmanagedPowerShell (incorporated into the Metasploit, Empire, and Cobalt Strike toolsets) and KeeThief.

Will Schroeder

Will Schroeder (@harmj0y) is an offensive engineer and red teamer at SpecterOps. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has presented at a number of conferences, including DEF CON, Black Hat, DerbyCon, Troopers, BlueHat Israel, and various Security BSides.

Matt Nelson

Matt Nelson is an active red teamer and security researcher. He brings a passion for researching and pushing new offensive and defensive techniques into the security industry. He is the primary developer on the PowerSCCM toolkit, a co-developer on the Empire framework, and contributes to many other open source security projects. Matt has spoken at numerous security conferences, and has been recognized by Microsoft for his discovery of new offensive techniques and bypasses. He maintains his blog at http://enigma0x3.net
