
What You Don't Know Will Cost You: Modern AD Attack Paths & Toxic Combinations

BSides Charlotte · 2026 · 36:30 · Published 2026-04
About this talk
Craig Birch traces how attackers chain Active Directory misconfigurations, delegated rights, and default behaviors into quiet, repeatable paths to domain compromise. The talk walks through a realistic attack chain, from initial identity reconnaissance through credential theft, persistence, and full domain takeover, and identifies toxic permission combinations (for example, reversible password encryption on an account combined with DCSync rights, or orphaned SIDs left on AdminSDHolder and GPO delegations) that defenders frequently overlook. Attendees learn to recognize and remediate the permission inheritance and delegation patterns that enable modern identity-first ransomware attacks.
Original YouTube description
Craig Birch of Cayosoft & the Guardians of Directory Podcast presented his talk "What You Don’t Know Will Cost You: Modern AD Attack Paths & Toxic Combinations" live at BSides Charlotte on March 28, 2026. https://bsidesclt.org/ "Active Directory remains one of the most powerful control planes in the enterprise, and attackers understand this better than defenders. Modern AD compromises rarely rely on a single exploit. Instead, attackers chain misconfigurations, delegated rights, and default behaviors into quiet, repeatable paths to Tier‑0 control. This talk walks through a live, attacker‑style chain showing how identity recon, delegation abuse, credential materialization, and persistence combine into full domain compromise — without relying on zero‑days or malware. Attendees will learn how to recognize the toxic combinations of permissions and identity relationships that make these attack paths possible, why they are so often missed, and what defenders should review to regain control of their identity “grid.”"
Transcript [en]

Thank you for attending my session today: What You Don't Know Will Cost You. We're going to talk about modern AD attack paths and toxic combinations: what we assume is safe in Active Directory, the things we stop looking at, and how attackers quietly chain those together to take full control. So before we get in there, I want to give you a little bit about myself. My name is Craig Birch. I'm a principal technologist at Cayosoft, but I'm really an identity security enthusiast. I host our Guardians of the Directory podcast. I have over 25 years in Active Directory security and architecture. So why is Active Directory a target?

Well, Active Directory controls authentication to our applications. It authorizes us to get into applications like file shares, SharePoint, etc. It really is the trust within the enterprise, and Active Directory, believe it or not, controls our ability to recover it as well. So if AD is compromised, our security controls fail, our business operations stop, and even our recovery assumptions break. Attackers build their strategy around this. So now let's look at how attacks have evolved. If we look at early ransomware, they wanted speed. They encrypted files. They were destructive, fast, and noisy. But modern attacks are different, right? They control identity. They're patient, persistent, and invisible. Ransomware did not get smarter. It got more patient. And the reason being: modern-day attacks are identity first. The attackers moved from encrypting files to controlling our identity. So this is why attacks look the way they do today. If you want to extort an organization reliably, you do not rush encryption. You take control of identity, because identity controls everything. So attackers are no longer paid for speed. They're paid for leverage. The business model rewards patience, persistence, and quiet access, and this is exactly what identity attacks provide. So if attackers are rewarded for patience and leverage, the next question you have to ask yourself is where does this leverage actually come from? Most organizations think attack paths are exploits, but they're not. Attack paths are inherited trust.

An identity attack path can be something basic that we created in the past. Things like nested group membership: membership chains that silently expand privilege scope beyond the original intent. Delegated rights: permissions granted for convenience that accumulate into powerful access over time. Unreviewed permissions: access that was never revoked, audited, or questioned, still active and exploitable. The most dangerous permissions are the ones that we granted yesterday. Small decisions accumulate over time. And what I really want you to understand on this slide: attack paths exist whether attackers are present or not. Attack paths exist whether attackers are present or not. So if attack paths are made of trust, what do they actually look like in a real environment? You may think this is a diagram of an exploit, but I'm going to tell you right now, this is a diagram of normal Active Directory usage in an organization. Here on the right side, we have some users that were added to this group, and then they're added to a group like Domain Admins inside your environment. So this is again regular use inside of Active Directory. At no point did anything look dangerous here in isolation, but from an attacker's perspective, this is already Tier 0. So once the attackers have a foothold, the real question becomes persistence. How do they make sure it survives cleanup and recovery? Well, before we get into answering that

question, we really need to understand the attack vectors and vulnerabilities. And there's three main buckets that I'm going to talk about: misconfigurations, credential theft, and privilege escalation. Misconfigurations create the opportunity. Credential theft turns access into authority. Privilege escalation expands the control. What matters is not the technique or the bucket it lives in. It's how they overlap. So let's look at some persistence techniques, specifically around misconfigurations. Golden SAML, which we've probably heard of from the Solorigate attack: Golden SAML attacks do not break authentication. They bypass it by abusing the trust that we already established in our organization. Active Directory Certificate Services exploitation: if we think about it, certificate services are designed to scale our trust, right, and really build trust between machines and user identity. But misconfigured templates turn that trust into long-lived access. Microsoft Entra ID Connect abuse: hybrid identity sync creates the bridge. Attackers abuse that bridge to persist across on-prem and cloud. So think about this. If an attacker loses access every time a password is reset or a server reboots, they fail. So modern AD attacks focus on persistence mechanisms that live in identity, not on the host. Everything on this slide that I just showed you exists to answer one question: how do I survive cleanup and recovery? Persistence is identity state that survives the recovery that we just talked about.

So if persistence lives in identity, the next question is how do attackers turn ordinary access into credentials they can reuse anywhere. So let's look at some credential theft techniques, specifically with Active Directory. I'm going to break these up into two different categories. The first one is password and ticket harvesting. These are attacks like Kerberoasting, AS-REP roasting, or even password spraying. Password spraying is probably the most common technique still used today in organizations. And then the next bucket I'm going to look at is directory-level credential access, where the attacker is attempting to dump the NTDS.dit inside of Active Directory, or one of my favorite attacks to perform against Active Directory in a real scenario, the DCSync attack, as we'll demonstrate later on in my presentation. What you need to know is every credential theft technique depends on permissions granted earlier in the chain. So the specific technique matters far less than the permissions that allowed it.

So once attackers have credentials, the next step is obvious: how do I turn credentials into authority in an organization? How do we go about that? That's through privilege escalation. So what I'm going to talk about is machine account quota abuse. If you're not familiar with this, in Active Directory every user can add 10 machines to the domain. This really helped admins scale the environment, but attackers use this to manufacture new trust in the organization. So think about that. If I can get my attacker machine joined to the domain, it's going to give me better leverage inside of your organization. And then the next one I'm going to talk about is unconstrained delegation. Delegation is how AD lets systems act on behalf of users, so think about impersonation. When unconstrained, it becomes really a credential siphon. And if we look at Active Directory just natively, the built-in Administrator (RID 500) account is susceptible to this attack out of the box because it's not protected against delegation. So think about that: today your Administrator RID 500 account could basically be impersonated in this scenario. But that's not the only thing we have to worry about: ACL abuse. ACL abuse can actually lead to escalation to Domain Admin or even privileged service accounts in your organization. So what I want you to really understand: nothing on this slide required me to have any malware. Nothing requires exploitation. It just requires understanding how AD delegates power. Privilege escalation works because trust is transitive in the organization.

So now let's look at some new exploit techniques. The first one I'm going to talk about is Entra ID permissions and escalation, or unauthorized access. This one you may not have heard of: VMware ESX authentication bypass, so bypassing security controls basically to gain unauthorized access. What is this one? If you're not familiar with it, if inside of Active Directory there was a group called ESX Admins, anybody joined to that group would get full control over your ESX environment. The next category is AD LDAP vulnerabilities. We see these from time to time: remote code execution risk, but really it's the next big zero-day as well. Microsoft Teams has become an insider threat as well: Teams external access through malware delivery via chat, command and execution via Teams chats as well. So, if you're not familiar, there's a red teaming tool called ConvoC2 that actually allows you to do webhooking within Microsoft Teams that will then allow you to run command and control as well. And then more recently we've seen this one, conversational C2, basically impersonating IT support to deploy ransomware. The ransomware in this particular case was Matanbuchus. So again, Teams is the new playground for social engineering. And now we're going to look at another one, Microsoft Intune: compliant device bypassing in Intune. If you're not familiar, there's code out there on GitHub that allows you to basically make your device look like it's compliant. But there's also ways to do token theft and replay attacks in Entra ID. Recently you've heard in the news about mass device wiping occurring from Microsoft Intune as well. So these are all things that we need to be aware of from the modern-day attack surface.

Now I want you to think about the attacker mental model. Defenders tend to look at things in isolation. What does that look like? We look at objects, maybe a setting, maybe a configuration at a moment in time or a snapshot, but that's not how attackers look, right? So what do they look for? They're looking for relationships. They're actually looking for things that overlap in the organization, things they can chain together. So again, they're looking to chain all these things together to get to the endpoint. This difference in perspective is why these attacks keep working today. So really think about that. Attackers don't care about any of the things that we look at from a defender's perspective. They care about how all those things connect. In fact, I believe there was someone from Microsoft that said, "Admins look at things as lists and attackers look at things in graphs."

So now I'm going to break down the attack chain from an overview perspective. And the first thing I'm going to talk about is initial access. Initial access can be phishing, could be reuse or abuse. And what I really want to say here, it almost doesn't matter where the initial access came from. Again, it could come from a misconfiguration or a vulnerability inside your organization, but at some point they get the initial access. And then the next step that occurs is what I'll call credential materialization. At some point access becomes credentials, and honestly credentials change everything, and this can then lead to delegated trust abuse within the organization. This is where identity decisions start doing the attacker's work for them. The things that we put in place in the past, that I spoke about in earlier slides, these are the identity decisions that we made prior that really give the attacker the advantage inside your organization. Once inside, they go for persistence, and remember persistence is not about malware. It's about identity state that survives cleanup. Cleanup blind spots is the next thing. This is where defenders believe the incident is over, and honestly where the attackers know it isn't. So what I want you to understand is every step relies on an authorized behavior inside of the organization. So now I'm going to talk to you about toxic combinations you've probably never seen. And what I'm going to say is

single issues can be survivable. The danger is not in one setting. It's how these settings interact. So let's take a look at this. And what I want to say is combinations are catastrophic. These toxic combinations really become catastrophic in an organization. So now let's look at a few of these in real time.

Let's look at the first one: unresolved SIDs in Group Policy plus delegated GPO edit rights in Active Directory. So what does this lead to? Well, let's understand how this might have gotten there in the first place. You may have been on a project in your organization and delegated some rights to a user or a group, and then what do you do? You either delete that user or group, and what happens? Well, you think everything's good, but it creates these unresolved SIDs, and they still remain in there, and it creates what I'll call ghost admin privileges inside your organization.

Reversible password encryption plus a DCSync attack. If we look at reversible password encryption, you probably think that you're okay because you have a default password policy that says do not allow reversible password encryption, or maybe even, for our service accounts and our privileged accounts, a fine-grained password policy that says do not allow this. But there's a user attribute that overrides all of that on the account that says allow it. And if you combine that with the power to do a DCSync attack, which normally, if I do a DCSync attack, I get the password hash, but now I get the plaintext password as part of that attack method. And this leads to instant credential theft within the organization.

AdminSDHolder inherited drift plus legacy privileged accounts in our environment that we may have not cleaned up. For those that are not familiar with AdminSDHolder, there's a back-end process that runs every 60 minutes to basically take the permissions from the AdminSDHolder object and place those security ACLs on Domain Admins, Schema Admins, etc. And in earlier versions of Microsoft Exchange, when you did the domain prep function inside of that environment, it granted legacy privileged accounts for Microsoft Exchange to the AdminSDHolder, and the same thing occurred with earlier versions of AD Sync in your environment for hybrid environments: the MSOL account has those elevated rights to the AdminSDHolder. So this can lead to hidden shadow admins as well inside of your organization, because remember, even if you try to kick them out, 60 minutes later that process will run and put those permissions back.

Service connection points plus delegated permissions. It could be from ConfigMgr (SCCM), or if you're in a hybrid environment and you're using hybrid device join, you have service connection points. So what does this allow? If I can change the service connection point, I can actually redirect you to command and control or even silently leak credentials to a third-party site. So again, these toxic combinations are often never looked at in an organization, but this is exactly what the attacker is looking to do. They're looking to chain these things together to perform basically those things that I talked about: privilege escalation that leads to either ransomware or total domain takeover in an organization.

So let's kind of understand what this would look like. Here's something that we've probably all done, and we're not picking on Sally Sue here, right? But Sally Sue, think about it. She's an intern. She just got an internship for a large healthcare provider. What does she do? She updates LinkedIn. She says, "Hey, thank you. I'm very excited to be joining this. I'm going to be working on the service desk team at a large healthcare provider." She updates her title to service desk technician. We've all done these things, right? So it's not anything that Sally Sue did that was really bad behavior. But I want to say that Active Directory reconnaissance starts long before that initial network entry. And really this allowed for shadow access, right? So we know that Sally is going to be a service desk technician. Those are the public cues, and then these open the doors. So think about it. I'm going to talk about it in

the next couple of slides, but Sally Sue is going to be expecting some email communications from the organization to probably onboard or get some additional information. So now what I need to do, as if I'm the attacker, is phish Sally Sue in the organization. What does that look like? I start by phishing Sally Sue. Once I phish her, I'm going to deploy EDRSilencer so I can, you know, execute that on her machine. And then the next thing I might do is a reverse shell, right? A command and control session. Very common. Every attack has some sort of simulation with that. And then what I'm going to tell you is identity recon. On every Windows machine there's a command I can run called whoami. If I run whoami /groups, again, no malware, no additional software, I can see exactly which groups Sally belongs to on her machine or within the organization. And once I know which group she's in, I can use other native functionality, either PowerShell or dsacls, to then go in and enumerate those rights inside of Active Directory and see what that group has permissions over. And once inside, that changes everything, right? So now I can see that Sally has control over a group called IGA Admins. And I can go one step further and I can actually run dsacls or PowerShell to determine what IGA Admins has access over. And in this scenario, it actually leads to shadow admin, because IGA Admins has GenericAll, or full control, in an organization. What I want you to understand is this became privileged without Domain Admin. Effective administrative control was achieved through these delegated and inherited rights. I didn't really get any elevated rights that we think of typically in the organization. I just used Sally's everyday normal account to basically compromise and get privilege escalation. And I'm going to tell you, because of this technique, this became visibility without alerts. These attacks, basically through legitimate trespass, generate no additional alerts, right? It wasn't any bad behavior that would trigger any security tooling, unless you're looking for specific events like this.

So now I want to look at the next phase of the attack, and then we'll get into a live attack here in a few minutes. What I want you to understand is the next part is very basic, right? So we're going to refresh Sally's token and then we're going to do a DCSync attack, because we compromised IGA Admins and it has GenericAll; it has the ability to perform a DCSync attack in the organization. And normally, again, we get the NTLM hash, but because the account also had reversible password encryption, we're going to get the plaintext password extracted as part of the attack as well. So we could then move to Golden Ticket-capable KRBTGT compromise. And what I want you to understand is these words, right: DCSync is not magic. It is a consequence of trust. This is how Active Directory works inside of the organization. So once the credentials are materialized, the rest of the attack is no longer technical, right? It's operational. So let's finish out what the attack's going to look like and then we'll dig in a little further. Really, credential theft is the outcome of delegated authority. It's not a prerequisite in the organization. So let's go and look at the final steps before I show you the live attack.

Once I have command and control, or the account, I'm going to log on to the domain controller as the service account that I compromised. I'm going to then simulate deploying EDRSilencer to all endpoints. I'm going to do a ransomware payload network-wide. I'm going to disable advanced AD auditing. So I'm going to step back to the simulated EDRSilencer deployment for endpoints. What I want you to understand is when an attacker is going after your environment, organizations need to assume two things. The first thing is that your EDR is going to be part of the attack. Attackers understand that organizations

have invested in advanced EDR technology, but they use things like EDRSilencer or EDR killers, and techniques like bring your own vulnerable driver, to disable your EDR. The next thing you need to understand is they know that organizations also have SIEM technology, and they know that SIEM technology relies on advanced AD auditing and event log data in general. So if I can disable the advanced AD audit policy in your organization and clear your security logs and your directory service logs, your SIEM is now blind to the attack. And then once that's done, it's just basically deploying the ransomware, and now I have full control and then I can power down your domain controllers.

So let's actually go and see this as an execution. Again, this is how real-world attacks work. Everything I'm showing you is how attackers work today: getting that initial identity and then basically getting the privileges, getting persistence, and then deploying the ransomware. So right now I'm going to jump out of the slides for a minute and I'm going to open up and show you the live attack. Again, ransomware is the symptom; identity failure is the cause in this scenario. So let me jump out and let's jump to the attack. What I want you to understand is I'm logged on as Sally Sue. So we can see that I'm logged on as Sally Sue, and now the attacker is going to phish her. So let's start the initial compromise. Just clear this out real quick so we can see better. Now, phase one is phishing, recon, and escalation. So the first thing I'm going to do, remember Sally's expecting some kind of information about her new job, and she's going to click on this, and behind the scenes it's going to do basically HTML smuggling through something like a PDF file. Once inside, the credentials are captured for Sally Sue. We're going to then get internal access. And what I really want you to focus on here right now is there's an interesting group, and I'll come back to it. I'm going to let this finish the full piece out, but I'll come back to a couple of key pieces of information as part of this attack that make this successful in an organization. I think it's just about done. So let's review a couple of things here.

All right.

Okay. So now let's break a couple of things down here real quick so we kind of understand why this worked. The first thing that we'll see is she was able to get added to IGA Admins because she had a group in the organization called Service Desk Operators. So if we look at the Service Desk Operators, they found this. All we needed to do then is look, switching to, as I mentioned, dsacls (you could do it with PowerShell), and then we see that basically she has the ability to reset the password, write userAccountControl, and write members, because of this AD group inside of the organization. Once we understand that, we're going to then see which accounts she might have access over. So we're going to run dsacls. And now we see that this IGA Admins has GenericAll, full control, which gives the extended rights Replicating Directory Changes All and Replicating Directory Changes, which are the permissions that are required to perform a DCSync attack inside of an organization. So now let's run the second part of the attack. Let me close this, launch a new session as Sally, and then perform the second part of the attack.

Let me see right here. I'm going to open up this one here real quick. All right. So the second part of the attack is to actually perform the DCSync attack. And I'm going to use a real attack tool, or, well, I'll say attack tool, but it really was not initially built for attacking Active Directory: Mimikatz. So let's go ahead and run this DCSync attack and see what kind of information we'll be able to get out of here. Remember, Sally has replication rights through the IGA Admins group, and we're running Mimikatz behind the scenes here. And the other key thing is normally Mimikatz would only give me password hashes. But because we also had reversible password encryption enabled on this account, you can clearly see now I can get the plaintext password in the environment. So now I basically have Domain Admin and full control over the organization. To kind of speed up the attack, let's go to the next phase of the attack, which is actually launching simulated ransomware from the domain controller. So now let me jump to the domain controller and show you the final phase of the attack. What I want you to see is at this point, if you look at my background here, you'll notice that it's a blue background. If you pay close attention, you'll see something changes as part of the attack. So again, real-world scenario. Once I have Domain Admins, I'm

going to start encryption at scale. I'm going to do EDRSilencer at scale. Basically, I'm going to do distributed payloads, taking the endpoints just like a normal attacker would do. I'm going to change the audit policy. I'm clearing logs, and then as you can see the ransomware has already occurred, and this is a simulated ransomware demand, and then I basically added some additional things to make it look a little more impactful. Look, again, these are all things that are performed by threat actors today from a ransomware perspective, because of these toxic combinations that they can chain together inside of an organization. So the last thing we'll see is we're going to forge a Golden Ticket and then we're going to power down the Active Directory domain controller. So let's go ahead and close this out and go back to the slides.

So again, if we go back to the attack that we just simulated, the one thing I want to really make sure you guys understand is that identity failure is the cause that allowed this to occur. But it was these decisions that we made earlier, when we were managing Active Directory, by creating delegated administration, having accounts that have way more control than they probably need. These are things that, again, the attacker was easily able to chain together in an organization. So why are these chains missed? Let's kind of think here, right. Nothing here was a misclick. These permissions existed because they once made sense. So if we look at it from that aspect, every permission was authorized. Privilege always drifts and piles. Attackers don't need excessive privilege. They wait for privilege to accumulate. And we assume, from a defender's perspective, that every delegation is tracked in the organization. We all know that that's not the case. Legacy access is rarely or never audited in an organization. And we also believe this: recovery wipes the slate clean. But I'm going to tell you that's not the case. The backdoors will survive reboots. They'll even survive recovering your Active Directory forest if you were completely down. So these things need to be very specifically monitored from an attacker's mindset. So what I'm going to say is one side is living a delusion. Again, as defenders we assume things are okay, but attackers know that these privileges drift and pile, they know that legacy access is never audited, and these backdoors will survive reboot and even full-on recovery. Most recovery plans focus on systems and malware. When we talk about identity, identity doesn't reset when you're restoring a backup, if an attacker succeeded by chaining what we already trust.

So final takeaway: everything you just watched comes down to one difference. Defenders hunt techniques. We hunt for isolated events, known indicators, discrete objects, but attackers don't. Attackers hunt for combinations, the relationships I just spoke about, those overlaps, the chains that survive recovery. So until we start reviewing identity the way the attackers do, this will continue to happen. That is why this keeps working today. Thank you for joining my session today. And now we'll open it up for questions and answers.
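The following audit script is an added example for this page; it is not code from the talk, from Craig Birch, or from Cayosoft. It queries a domain for the toxic combinations the talk describes: accounts whose own userAccountControl enables reversible password encryption (the per-account flag that overrides the password policy), principals holding GenericAll or the two replication extended rights on the domain root (what DCSync needs), ACEs on AdminSDHolder including orphaned SIDs, GPO edit permissions held by SIDs that no longer resolve, the machine account quota, non-DC computers with unconstrained delegation, and privileged users (including the RID 500 Administrator) not marked as sensitive. It assumes a domain-joined Windows host with the RSAT ActiveDirectory and GroupPolicy modules, an account with read access to the directory and GPO security, and the default AD: PSDrive that Import-Module ActiveDirectory creates. The extended-right GUIDs and userAccountControl bit values are the documented ones; the way Get-GPPermission reports an unresolved trustee (empty Name) is an assumption noted in the code.

```powershell
# Toxic-combination audit (example code added to this page; not from the talk or Cayosoft).
# Assumes: domain-joined host, RSAT ActiveDirectory + GroupPolicy modules, read access to
# the directory and GPO security, and the AD: drive created by Import-Module ActiveDirectory.
Import-Module ActiveDirectory
Import-Module GroupPolicy -ErrorAction SilentlyContinue

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$BIT_AND  = '1.2.840.113556.1.4.803'   # LDAP matching rule: bitwise AND against userAccountControl

# Extended-right GUIDs that, together, allow DCSync; the all-zero GUID means "every extended right".
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# 1. Reversible encryption set on the account object itself (userAccountControl bit 0x80 = 128).
#    This overrides the password policy; combined with DCSync it yields cleartext passwords.
Write-Host '== Accounts storing passwords with reversible encryption (uAC 0x80) =='
Get-ADUser -LDAPFilter "(userAccountControl:$BIT_AND:=128)" -Properties adminCount |
    Select-Object SamAccountName, Enabled, adminCount | Format-Table -AutoSize

# 2. Who can DCSync: GenericAll, or the replication extended rights, on the domain root.
#    Compare the output against the defaults (Domain/Enterprise Admins, Domain Controllers, Administrators).
Write-Host "== Principals with DCSync-capable rights on $domainDN =="
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $guid = $_.ObjectType.ToString()
        if (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) {
            [pscustomobject]@{ Principal = $_.IdentityReference.Value; Right = 'GenericAll' }
        } elseif (($_.ActiveDirectoryRights -band $ExtendedRight) -eq $ExtendedRight -and $replRights.ContainsKey($guid)) {
            [pscustomobject]@{ Principal = $_.IdentityReference.Value; Right = $replRights[$guid] }
        }
    } | Sort-Object Principal, Right -Unique | Format-Table -AutoSize

# 3. AdminSDHolder: its ACL is periodically re-stamped onto protected groups and users, so a deleted
#    principal (shown as an untranslatable S-1-5-21-* SID) or a leftover product account keeps coming back.
Write-Host '== AdminSDHolder Allow ACEs (Orphaned = SID no longer resolves to an account) =='
(Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object @{n='Principal'; e={ $_.IdentityReference.Value }},
                  @{n='Orphaned';  e={ $_.IdentityReference.Value -like 'S-1-5-21-*' }},
                  ActiveDirectoryRights |
    Sort-Object Orphaned -Descending | Format-Table -AutoSize

# 4. GPO edit rights delegated to SIDs that no longer resolve (ghost GPO editors).
#    Assumption: Get-GPPermission returns an unresolved trustee with an empty Name.
if (Get-Command Get-GPPermission -ErrorAction SilentlyContinue) {
    Write-Host '== GPO edit permissions held by unresolved SIDs =='
    Get-GPO -All | ForEach-Object {
        $gpo = $_
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { -not $_.Trustee.Name -and $_.Permission -match 'Edit' } |
            ForEach-Object {
                [pscustomobject]@{ GPO = $gpo.DisplayName; Sid = $_.Trustee.Sid.Value; Permission = $_.Permission }
            }
    } | Format-Table -AutoSize
}

# 5. Manufactured trust and credential siphons: machine account quota, unconstrained delegation on
#    non-DC computers (uAC 0x80000), and privileged users lacking NOT_DELEGATED (uAC 0x100000).
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "== ms-DS-MachineAccountQuota = $quota (default 10; set to 0 unless ordinary users must join machines) =="

Write-Host '== Non-DC computers trusted for unconstrained delegation =='
Get-ADComputer -LDAPFilter "(&(userAccountControl:$BIT_AND:=524288)(!(primaryGroupID=516)))" |
    Select-Object Name, DNSHostName | Format-Table -AutoSize

Write-Host '== adminCount=1 users that can still be delegated (not marked sensitive) =='
Get-ADUser -LDAPFilter "(&(adminCount=1)(!(userAccountControl:$BIT_AND:=1048576)))" |
    Select-Object SamAccountName, Enabled | Format-Table -AutoSize

Write-Host '== Built-in Administrator (RID 500) delegation protection =='
Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties AccountNotDelegated |
    Select-Object SamAccountName, AccountNotDelegated
```

Run it from an elevated PowerShell session on a management host and treat each section as a review list rather than a verdict: the DCSync and AdminSDHolder sections will always show the built-in defaults, and the point is to spot what is there beyond them (an old Exchange or MSOL account, a delegated group with GenericAll, an orphaned SID). Fixing the individual findings is ordinary administration (clear the reversible-encryption flag, remove the orphaned ACEs and GPO trustees, lower the machine account quota, mark privileged accounts as sensitive), but the script is most useful when re-run after changes, since the talk's argument is that these permissions accumulate quietly over time.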