ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: What is privilege escalation in Active Directory?


Member

Posts: 15
Date: Jun 22, 2011
What is privilege escalation in Active Directory?


Hi Forum,

We have an All Systems Secure initiative going on in our company, and as a part of it we have been looking at the security of our Active Directory and any known threats and risks to our Active Directory.

In doing some basic research, I came across a few sites that talked about Active Directory Privilege Escalation, but I'm not sure I understood what this means or entails. I mean I generally understand what escalation of privilege entails but what does it have to do with our Active Directory per se?

If someone could provide a brief explanation of what privilege escalation in Active Directory means, and how we could protect our Active Directory from it, it would greatly benefit our organization and I am sure others as well.

Thank you in advance.

Joe.



__________________
Don't mess with my Alienware!


Member

Posts: 21
Date: Jul 13, 2011
What is privilege escalation in Active Directory?


Hi Joe,

Shalom. Privilege Escalation in Active Directory is the process by which an attacker systematically escalates their privilege in Active Directory from that of a lesser privileged account to a more privileged account. It is one of the easiest ways in which an attacker, especially an insider, could instantly compromise an Active Directory.

Here's an example - let's say a hacker wanted to compromise a Domain Admin account.

Privilege Escalation in Active Directory

(Picture used from - http://www.activedirsec.com/privilege_escalation.html)

Here's how the hacker could use privilege escalation in Active Directory to start with a regular user account and ultimately compromise the Domain Admin's account -

1. Obtain a list of all Domain Admin accounts by enumerating the nested group membership of the Domain Admins security group.

2. Select the account of any one (or more) of these Domain Admin accounts as the target of the attack. Let's assume the Domain Admin selected is John Doe.

3. Find out exactly who all can reset the password of John Doe's user account. Let's assume that the hacker found that 27 people can do so, and one of them is Jane Doe.

4. Find out exactly who all can reset the password of Jane Doe's user account. Let's assume that the hacker found that 34 people can do so, and one of them is Jim Doe.

5. Find out exactly who all can reset the password of Jim Doe's user account. Let's assume that the hacker found that 8 people can do so, and one of them is Jack Doe.

6. Now all the hacker needs to do is compromise Jack Doe's account, then log-in as Jack and reset Jim's password, then log-in as Jim and reset Jane's password, then log-in as Jane and reset John's password, thus becoming Domain Admin.

This whole thing can be done in just a few minutes, and once done, the hacker just escalated his privilege from an ordinary user to a Domain Admin. He/she could then lock out all other Domain Admins and take full control of the Active Directory.

In order to protect Active Directory from security privilege based attacks, it is always best to ensure that you know precisely who can reset whose passwords at all times in your Active Directory.

Lehitra'ot

- Ishmael



__________________

There isn't a system that cannot be broken into.
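
The audit recommended in the post above (knowing who can reset whose passwords) can be automated once those rights are exported. This is an added example, not part of any post in this thread: the group and rights data are constructed, use the names from the thread, and assume a hypothetical export of (trustee, target) Reset Password grants.

```python
from collections import deque

# Constructed sample data (hypothetical export; names follow the thread).
GROUP_MEMBERS = {
    "Domain Admins": ["John Doe", "Enterprise Ops"],
    "Enterprise Ops": ["Amy Roe"],
    "Help Desk": ["Jack Doe"],
}
# (trustee, target): trustee holds Reset Password on target's account.
RESET_RIGHTS = [
    ("Jane Doe", "John Doe"),
    ("Jim Doe", "Jane Doe"),
    ("Help Desk", "Jim Doe"),   # right granted to a group
    ("Sam Poe", "Tom Poe"),     # unrelated to any admin
]

def expand_members(name, groups, seen=None):
    """Resolve a trustee to user accounts, following nested groups."""
    seen = set() if seen is None else seen
    if name in seen:            # guard against circular nesting
        return set()
    seen.add(name)
    if name not in groups:      # not a group, so it is a user account
        return {name}
    users = set()
    for member in groups[name]:
        users |= expand_members(member, groups, seen)
    return users

def escalation_chains(groups, rights, privileged_group="Domain Admins"):
    """Map each non-admin account to its shortest reset chain to an admin."""
    admins = expand_members(privileged_group, groups)
    resetters = {}              # target -> users who can reset its password
    for trustee, target in rights:
        resetters.setdefault(target, set()).update(expand_members(trustee, groups))
    chains = {a: [a] for a in admins}
    queue = deque(sorted(admins))
    while queue:                # breadth-first search backwards from the admins
        target = queue.popleft()
        for user in sorted(resetters.get(target, ())):
            if user not in chains:
                chains[user] = [user] + chains[target]
                queue.append(user)
    return {u: c for u, c in chains.items() if u not in admins}

if __name__ == "__main__":
    for user, chain in sorted(escalation_chains(GROUP_MEMBERS, RESET_RIGHTS).items()):
        print(f"{user}: {' -> '.join(chain)}")
```

Every account the function returns is effectively Domain Admin-equivalent, so each listed chain is a delegation to review and tighten.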



Member

Posts: 15
Date: Jul 3, 2012
RE: What is privilege escalation in Active Directory?


Ishmael,

Thank you so much for providing such a clear and insightful explanation of what is privilege escalation in Active Directory.

This certainly sounds quite scary, and is certainly something that anyone in our environment could attempt since everyone has read access to our Active Directory.

You mentioned that in order to protect Active Directory from security privilege based attacks, it is always best to ensure that we know precisely who can reset whose passwords at all times in your Active Directory.

So, we tried to find out precisely who can reset whose passwords at all times in your Active Directory, but we were unable to do so, as it seems like a very difficult process to try and do manually.

Do you know of any solutions that might be able to help us automatically find out who can reset whose passwords in our Active Directory?

Thanks,

Joel.



__________________
Don't mess with my Alienware!


Member

Posts: 21
Date: Jul 24, 2012
RE: What is privilege escalation in Active Directory?


Hi Joel,

Yes, I do. The easiest way to find out who can reset whose passwords in Active Directory is via a tool called Gold Finger Mini.

Lehitra'ot,

Ishamel.



__________________

There isn't a system that cannot be broken into.
