Active Directory domain privilege escalation is a critical component of most penetration tests and red team assessments, but to date, established methodology dictates a manual and often tedious process of gathering credentials, analyzing new systems we now have admin rights on, pivoting, and repeating this process until reaching our objective. Then -- and only then -- we can look back and see the path we took in its entirety. But that may neither be the only, nor the shortest, path we could have taken to achieve elevated privileges.
By combining the concept of derivative admin (the chaining or linking of administrative rights), existing tools, and graph theory, we can reveal the hidden and unintended relationships in Active Directory domains. For example, Bob is an admin on Steve's system, and Steve is an admin on Mary's system; therefore, Bob is effectively (and perhaps unintentionally) an admin on Mary's system. While existing tools such as Nmap, PowerView, CrackMapExec, and others can gather much of the information needed to find these paths, graph theory is the missing link that gives us the power to find hidden relationships in this offensive data.
The application of graph theory to an Active Directory domain offers several advantages to attackers and defenders. Otherwise invisible, high-level organizational relationships are exposed. Most escalation paths can be efficiently and swiftly identified. Simplified data aggregation accelerates blue and red team analysis. Graph theory has the power and the potential to dramatically change the way you think about and approach Active Directory domain security.
Will Schroeder (@harmj0y) is a security researcher and pentester/red-teamer for Veris Group’s Adaptive Threat Division. He is a co-founder of the Veil- Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a co-founder and core developer of the PowerShell post-exploitation agent Empire. He has presented at a number of security conferences on topics spanning AV-evasion, post-exploitation, red teaming, offensive PowerShell, and more. A former national lab security researcher, he is happy to finally be in the private sector.
Andy Robbins (@_wald0) is the Offensive Network Services lead for Veris Group's Adaptive Threat Division. He has performed penetration tests and red team assessments for a number of Fortune 500 commercial clients and major U.S. Government agencies. In addition, Andy researched and presented findings related to a business logic flaw with certain processes around handling ACH files affecting thousands of banking institutions around the country at DerbyCon. He has a passion for offensive development and red team tradecraft, and helps to develop and teach the ‘Adaptive Red Team Tactics’ course at BlackHat USA.