Escalate Domain privileges

Mohan reddy
Redteam & Blueteam Series
8 min read · May 4, 2020

Many of the methods for gaining domain administrative privileges are the same as, or similar to, those used to gain local administrative privileges. The most important server in any Windows domain is the domain controller. When we compromise this server, we have full access to all user accounts and every server that is joined to the domain. Windows handles tons of authentication requests between itself and other hosts automatically for you. Unfortunately, neither side even tries to make sure its partner is genuine… at least by default. So, with the help of the data gathered from local reconnaissance and internal network discovery, we can move on to escalating domain privileges.

Red Team: Attack vectors and Techniques

Active Directory domain privilege escalation is an exploitation technique in which perpetrators identify and exploit unauthorized access in the ACLs of Active Directory objects to compromise them and escalate privilege. Active Directory privilege escalation lets attackers compromise domain user accounts, computer accounts, security groups and other Active Directory content, including privileged users and groups. The compromise of a single Active Directory privileged user or group is sufficient to obtain complete command and control over the entire Active Directory, and is equivalent to complete compromise. Let's look at the techniques we can use to gain domain privileges.

1. Attack by stealing authentication tokens

  • Compromise a single workstation and exploit a privilege escalation vulnerability on the system to gain administrative rights. Run Mimikatz or similar to dump local credentials and recently logged on credentials.
  • Using the local Administrator credentials gathered in Step 1, attempt to authenticate to other workstations with admin rights. Connect to other workstations and dump credentials on those until a Domain Admin account’s credentials are harvested.
  • With the stolen Domain Admin credentials, nothing can stop the attacker from dumping all domain credentials and persisting.

1a)Password/private key — Pass the Hash — Pass the Ticket

Once any of these is compromised, the attacker can get into the account whenever they want (unless the credential is changed or the weakness is patched). Most service accounts don’t have passwords set to expire, so it’s likely the same password will be in effect for months if not years.

2. Domain Controller Attack

2a) Exploits — Exploits such as MS17–010, MS16–077 and MS14–068 can be used to exploit an unpatched machine for privilege escalation.

Figure: nmap script to check for the vulnerable system across the subnet
  • Mitm6 is an incredibly powerful tool for obtaining and escalating privileges on your typical Windows broadcast network. Using smbrelay + mitm6 or NTLMrelayx + mitm6, an attacker can gain domain administrator. This also works when the victim does not have the MS16–077 patch applied.
  • The MS14–068 exploit enables an attacker to effectively rewrite a valid Kerberos TGT authentication ticket to make themselves a Domain Admin (and Enterprise Admin). Mimikatz has a module called Kekeo that works with the MS14–068 exploit.

2b) Kerberos attack (Kerberoast). Tim Medin presented this technique at SANS Hackfest 2014.

Kerberos can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system.

This attack involves requesting one or more Kerberos service tickets (TGS) for the Service Principal Name (SPN) of the target service account. The request uses a valid domain user’s authentication ticket (TGT) to request one or several service tickets for a target service running on a server. Because the service ticket is encrypted with the service account’s password hash and no further trust checks are involved, Kerberoast can attempt to open the ticket offline by trying different NTLM hashes; when the ticket is successfully opened, the correct service account password has been discovered.

“As I said in the maintain local persistence blog, Kerberos tickets can be used for escalating privileges.”

Note: No elevated rights are required to get the service tickets and no traffic is sent to the target.
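Because the ticket request itself is the only trace of this technique, the defender's view is Windows Security event 4769 on the domain controllers. The following is an added example, not code from the original post: a minimal detector that flags an account requesting RC4-encrypted service tickets (encryption type 0x17, the type attackers prefer because it cracks fastest) for several distinct service accounts in a short window. The event records are constructed and the field names are the ones 4769 logs.

```python
# Added example (not from the original post): a minimal Kerberoasting detector
# over Windows Security event 4769 ("A Kerberos service ticket was requested").
# Sample events below are constructed; field names follow the 4769 event schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 events: timestamp, requesting account, service name, ticket encryption type.
SAMPLE_4769 = [
    {"time": "2020-05-04T09:00:01", "account": "jdoe@CORP.LOCAL",    "service": "WS01$",      "etype": "0x12"},
    {"time": "2020-05-04T09:05:10", "account": "lowpriv@CORP.LOCAL", "service": "MSSQLSvc",   "etype": "0x17"},
    {"time": "2020-05-04T09:05:11", "account": "lowpriv@CORP.LOCAL", "service": "http_svc",   "etype": "0x17"},
    {"time": "2020-05-04T09:05:12", "account": "lowpriv@CORP.LOCAL", "service": "backup_svc", "etype": "0x17"},
    {"time": "2020-05-04T09:05:13", "account": "lowpriv@CORP.LOCAL", "service": "sap_svc",    "etype": "0x17"},
    {"time": "2020-05-04T09:05:14", "account": "lowpriv@CORP.LOCAL", "service": "krbtgt",     "etype": "0x17"},
    {"time": "2020-05-04T10:30:00", "account": "jdoe@CORP.LOCAL",    "service": "MSSQLSvc",   "etype": "0x12"},
]

RC4_HMAC = "0x17"  # RC4 tickets are what a Kerberoasting client asks for; AES is 0x11/0x12

def is_user_service(name: str) -> bool:
    """Ignore machine accounts (trailing $) and krbtgt: only user service accounts
    have the human-chosen passwords the post says are recovered offline."""
    return not name.endswith("$") and name.lower() != "krbtgt"

def find_kerberoast_candidates(events, window=timedelta(minutes=5), threshold=3):
    """Return {account: sorted SPN list} for accounts that requested RC4 service
    tickets for >= threshold distinct user-service accounts inside one time window."""
    per_account = defaultdict(list)
    for e in events:
        if e["etype"] == RC4_HMAC and is_user_service(e["service"]):
            per_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # slide the window over each request
            spns = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                flagged[account] = sorted(spns)
                break
    return flagged

if __name__ == "__main__":
    for account, spns in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} RC4 TGS requests -> {spns}")
```

A real deployment reads 4769 from the SIEM and tunes the window and threshold to the environment's normal service-ticket rate; accounts that legitimately touch many SPNs (monitoring, backup) need an allow-list.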

2c) GPP: finding local admin passwords in SYSVOL, such as Group Policy Preferences.

This method is the simplest since no special “hacking” tool is required. All the attacker has to do is open up Windows Explorer and search the domain SYSVOL DFS share for XML files. Most of the time, the following XML files will contain credentials: groups.xml, scheduledtasks.xml and Services.xml.

SYSVOL is a shared folder that stores Group Policy information along with logon scripts; in other words, it contains the public files of the domain controllers, and every domain user has read-only access to the SYSVOL folder and its contents. If a password is stored there, it is AES-256 encrypted, but it can be decrypted since Microsoft published the key.

Figure: GPP XML file, check the cpassword attribute
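The same SYSVOL read access lets the defender audit for this before an attacker does. The following is an added example, not code from the original post: it parses Group Policy Preference XML files, reports every element that carries a non-empty cpassword attribute together with the account it belongs to, and deliberately does not decrypt anything. The two sample files are constructed in the real GPP layout with placeholder cpassword values; the scan_sysvol helper and its path are assumptions for running it against a copy of a SYSVOL tree.

```python
# Added example (not from the original post): audit Group Policy Preference XML
# files for the cpassword attribute described above. It only reports where a
# credential is embedded; it never decrypts it. Sample files are constructed.
import os
import xml.etree.ElementTree as ET

# Attribute naming the account on a GPP <Properties> element, by file type
# (Groups.xml -> userName, Services.xml -> accountName, ScheduledTasks.xml -> runAs).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

def audit_gpp_xml(path: str, xml_text: str) -> list:
    """Return one finding per element carrying a non-empty cpassword attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if not elem.attrib.get("cpassword", ""):
            continue  # attribute absent or blank: no credential stored here
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "<unknown>")
        findings.append({"file": path, "element": elem.tag, "account": account})
    return findings

def scan_sysvol(sysvol_root: str) -> list:
    """Walk a copy of the domain SYSVOL share (assumed path) and audit every XML file."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name.lower().endswith(".xml"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig", errors="replace") as fh:
                    findings.extend(audit_gpp_xml(full, fh.read()))
    return findings

# Constructed samples in the real GPP layout; cpassword values are placeholders, not real ciphertext.
SAMPLES = {
    "Preferences/Groups/Groups.xml": """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER_BASE64" neverExpires="1"/>
  </User></Groups>""",
    "Preferences/Services/Services.xml": """<NTServices clsid="{2CFB484A-4E96-4b5d-A0B6-093D2F91E6AE}">
  <NTService name="Spooler"><Properties serviceName="Spooler" accountName="CORP\\svc_print" cpassword=""/></NTService>
  <NTService name="Backup"><Properties serviceName="Backup" accountName="CORP\\svc_backup" cpassword="PLACEHOLDER_BASE64"/></NTService>
</NTServices>""",
}

def audit_samples(samples=SAMPLES) -> list:
    findings = []
    for path, text in samples.items():
        findings.extend(audit_gpp_xml(path, text))
    return findings

if __name__ == "__main__":
    for f in audit_samples():
        print(f"{f['file']}: <{f['element']}> stores a cpassword for {f['account']}; remove it and rotate the password")
```

Every hit means the password must be treated as already compromised: delete the preference item and rotate the account, since removing the XML alone does not help anyone who read it earlier.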

2d) Delegated privileges. Delegation is a function that allows users to entrust a server to authenticate on their behalf to any other service. It is mainly used in the scenario where a service needs to request access to other service resources on behalf of a user. In simple words, “Delegation is a feature of Active Directory that allows a user or a computer to impersonate another account.”

This feature can be configured through the Delegation tab on a user or computer account. By selecting “Trust this computer for delegation to any service (Kerberos only),” you are enabling “unconstrained delegation”. Alternatively, you can specify a set number of Service Principal Names (SPNs) to restrict exactly what services a user or computer can impersonate, which would be considered “constrained delegation”.

Figure: Delegation properties window

Once you turn on unconstrained delegation for a computer, any time an account connects to that computer for any reason, its ticket-granting ticket (TGT) is stored in memory so it can be used later by the computer for impersonation. With unconstrained delegation enabled, when a privileged user connects to your machine, their TGT will be stored in memory, and it can be replayed to move laterally and compromise a domain controller.
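The Delegation tab described above writes its choice into the userAccountControl bits and the msDS-AllowedToDelegateTo attribute, so a defender can inventory it from those attributes alone. The following is an added example, not code from the original post: it classifies each account's delegation setting and flags unconstrained delegation on anything that is not a domain controller (which always has it), plus constrained delegation with protocol transition. The flag values are the documented UF_* constants; the account records are constructed.

```python
# Added example (not from the original post): classify delegation settings from
# userAccountControl and msDS-AllowedToDelegateTo, and flag the risky ones.
# Bit values are the documented UF_* flags; the sample accounts are constructed.
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000               # set on domain controller computer accounts
UF_TRUSTED_FOR_DELEGATION = 0x80000            # "Trust this computer for delegation to any service"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation "using any authentication protocol"

def delegation_kind(account: dict) -> str:
    """Classify an account's delegation setting from its attributes."""
    uac = account["userAccountControl"]
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if account.get("msDS-AllowedToDelegateTo"):
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (protocol transition)"
        return "constrained"
    return "none"

def audit_delegation(accounts) -> list:
    """Return (sAMAccountName, kind, why) for accounts a defender should review."""
    findings = []
    for a in accounts:
        kind = delegation_kind(a)
        is_dc = bool(a["userAccountControl"] & UF_SERVER_TRUST_ACCOUNT)
        if kind == "unconstrained" and not is_dc:
            findings.append((a["sAMAccountName"], kind,
                             "non-DC keeps every connecting user's TGT in memory"))
        elif kind == "constrained (protocol transition)":
            findings.append((a["sAMAccountName"], kind,
                             "can obtain service tickets for users without their credentials"))
    return findings

# Constructed sample accounts; a real audit would read these attributes from LDAP.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$",  "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "SQL01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["cifs/FS01.corp.local"]},
    {"sAMAccountName": "APP01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["http/WEB02.corp.local"]},
    {"sAMAccountName": "WS01$",  "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    for name, kind, why in audit_delegation(SAMPLE_ACCOUNTS):
        print(f"{name}: {kind} delegation, {why}")
```

The fix for each finding is to convert to constrained delegation to the specific SPNs actually needed, and to mark privileged accounts "sensitive and cannot be delegated" so their TGTs are never cached on such hosts.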

2e) Nested groups. Most Active Directory structures include nested groups and are not completely flat. To see the challenge nested groups create, consider the following example:

John may be a member of Group A

Group A may be a member of Group B

Group B may be a member of Group C

Group C may be a member of the ‘Domain Admins’ group

Therefore, John will effectively be a domain administrator, but this fact will not be obvious from a flat list of users and groups. The benefit of this method over fully manual enumeration is that it performs a single query regardless of the size of the target AD.
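To make the John example concrete from the defender's side, here is an added example, not code from the original post: it expands group membership recursively from a constructed copy of the directory's member lists and reports every user who ends up in Domain Admins together with the chain of groups that gets them there. It also handles a membership cycle (Group B in Group C and Group C in Group B), which AD permits and which a naive recursion would loop on.

```python
# Added example (not from the original post): resolve effective membership through
# nested groups so that users who reach Domain Admins only via a chain of groups are
# surfaced. MEMBERS is a constructed stand-in for the AD "member" attribute.
from collections import deque

# Constructed direct membership: group -> direct members (users or other groups).
MEMBERS = {
    "Domain Admins": ["Group C", "alice"],
    "Group C": ["Group B"],
    "Group B": ["Group A", "Group C"],   # Group B <-> Group C cycle: allowed by AD, must not loop
    "Group A": ["john"],
    "Helpdesk": ["bob"],
}

def is_group(name: str, members=MEMBERS) -> bool:
    return name in members

def effective_members(group: str, members=MEMBERS) -> dict:
    """Breadth-first expansion returning {user: chain of groups ending in the user}
    for every user directly or transitively in `group`; a seen-set breaks cycles."""
    result = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        for member in members.get(current, []):
            if is_group(member, members):
                if member not in seen:
                    seen.add(member)
                    queue.append((member, chain + [member]))
            elif member not in result:        # keep the first (shortest) path found
                result[member] = chain + [member]
    return result

def privileged_users(members=MEMBERS, privileged_group="Domain Admins") -> dict:
    """Users who are effectively in the privileged group, with the path that grants it."""
    return effective_members(privileged_group, members)

if __name__ == "__main__":
    for user, chain in sorted(privileged_users().items()):
        print(f"{user} is effectively in {chain[0]} via: " + " -> ".join(chain))
```

Running this regularly against an export of the directory and diffing the result is a cheap way to catch a privileged group growing through nesting rather than through direct, reviewed additions.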

Metasploit has the following modules for AD enumeration:

Figure: Metasploit modules

2f) Domain trust & SID History. Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.

Figure: Enumerate domain trusts using the Windows built-in utility

BLUE TEAM: Detective and Preventive Controls

Domain administrator accounts shouldn’t be used on any machine other than the domain controllers, or you will make yourself an easier target for a full compromise of your network. Follow these best practices to harden against the privilege escalation threat.

Endpoint Level:

1. Purchase threat detection & prevention tools — installing AV tools reduces the chance of a machine getting compromised, and if that unfortunately happens, they will at least detect it so that we can take the necessary actions to remediate.

2. Implementing secure Group Policies, such as: a) disallow removable media; b) restrict software installations; c) follow the principle of least privilege; d) control access to CMD; e) disable the Guest account; f) enforce password length; g) enforce a password age limit; h) disable anonymous SID enumeration in AD; i) moderate access to the Control Panel. I have mentioned just a few, but there are many more policies an organization can implement.

3. Installing security patches (Microsoft releases security patches once every month, and core security patches for any 0-day exploits as soon as possible).

4. Configuring AppLocker and whitelisting and blacklisting applications based on the organization’s dependencies.

5. Privileged Access Management (PAM), a Microsoft tool, provides a way to securely delegate and manage Directory Services.

6. Implementing a SIEM in the organization, integrating it with other threat detection sources and monitoring those alerts. (If possible, forward Sysmon to the SIEM and monitor the registry keys mentioned earlier for any violation.)

7. Account segmentation prevents privilege escalation.

Network Level:

1. Installing NIDS/NIPS helps to detect and prevent attacks over the network.

2. Implement honeypots and canary tokens, which help to identify attacks before major impact happens.

3. Implementing network segregation — segregating systems that contain sensitive data to make them more difficult to access.

4. Implementing a tarpit, a network security mechanism that helps against computer worms and network abuse.

5. Implementing a SIEM in the organization, integrating it with other threat detection sources and monitoring those alerts. (If possible, forward Sysmon to the SIEM — many event IDs were mentioned earlier, mostly for lateral movement attacks.)

Process Level:

1. Preparation is the key to effective identification and response. Training end users at regular intervals and raising awareness of cyberattacks can help the organization defend against them.

2. Don’t use shared local accounts.

3. Use a separate domain user and server admin accounts.

4. Maintain Secure Configurations.

5. Implement incident response procedures for handling security incidents, breaches and cyber threats.

6. Train staff on the latest security threats and security tools.
