Share this page!

Stephan Berger Profile picture
Twitter logo
Mar 11 13 tweets 5 min read
1/ Number #6 of the #ActiveDirectory hardening measures:

Privileges and Permissions

🧵 #CyberSecurity
2/ #PingCastle lists, among many other things, the privileges assigned to domain users via GPOs.

The screenshot shows that the Default Notebook Policy grants Domain Users the SeLoadDriverPrivilege privilege.

Why is this bad?
3/ As @0xdf put it:

"If I can load a driver, I can load a vulnerable driver, and then exploit it." [1]

I know that some EDR's raise an alert when a vulnerable driver is loaded or dropped to disk, as such a driver could be exploited for a LPE.
4/ Excerpt from the new @Volexity blog:

"A userland application cannot modify kernel memory, so the malware authors include a vulnerable driver, RTCore64.sys, to read and write into this protected memory space." [4]
5/ "This technique of using an older, vulnerable driver to load malicious code was famously used by Turla for the purposes of loading a malicious rootkit. A public GitHub repository, KDU, owned by hFiref0x,
6/ documents a list of drivers that can be abused for this “Bring Your Own Vulnerable Driver” (BYOVD) technique." [4]
7/ "Access Control Lists (ACL) misconfiguration is one of the most common issues DART finds in Active Directory environments.

Active Directory ACLs are exceptionally granular, complex, and easy to configure incorrectly." [2]
8/ "GenericAll – this privilege is the same as Full Control access.

If a user was compromised and that user had GenericAll over a highly privileged group, then the threat actor could add additional members to that group." [2]
9/ "WriteDacl – this privilege allows manipulation of the ACL on an object.

With this privilege a threat actor can change the ACL on an object such as a group. If a user was compromised and that user had WriteDacl over a highly privileged group,
10/ the threat actor could add a new ACL to that group. That new ACL could then give them access to add additional members to the group, such as themselves." [2]
11/ We, as defenders, can proactively check for such misconfigurations, for example, with PowerView. [3]

🔍
12/ Or with the Bloodhound.

Be a step ahead of the attackers. 🥷
13/ References:

[1] 0xdf.gitlab.io/2020/10/31/htb…
[2] techcommunity.microsoft.com/t5/microsoft-s…
[3] ired.team/offensive-secu…
[4] volexity.com/blog/2023/03/0…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Stephan Berger

Stephan Berger Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @malmoeb

Stephan Berger Profile picture
Mar 13
1/ Number #8 of the #ActiveDirectory hardening measures:

Print Spooler Service

🧵 #CyberSecurity Image
2/ A running print spooler service on domain controllers is still a relatively common finding in our AD assessments, even though an attack path via spooler service and unconstrained delegations have been known for years. [1]

Screenshot below from #PingCastle (@mysmartlogon) Image
3/ Apart from the (older) attack technique with unconstrained delegations (see above), the printer spooler has had various critical vulnerabilities over the last two years. [3] Image
Read 8 tweets
Stephan Berger Profile picture
Mar 12
1/ Number #7 of the #ActiveDirectory hardening measures:

Harden critical accounts

🧵 #CyberSecurity Image
2/ To raise the bar again, add critical accounts to the Protected Users Security Group.

"This group provides protections over and above just preventing delegation and makes them even more secure; however, it may cause operational issues, so it is worth testing in your env." [2]
3/ Benefits:

1⃣ Credential delegation (CredSSP) will not cache the user's plain text credentials [..]

2⃣ Beginning with Windows 8.1 and Windows Server 2012 R2, Windows Digest will not cache the user's plain text credentials even when Windows Digest is enabled.
Read 8 tweets
Stephan Berger Profile picture
Mar 10
1/ Number #5 of the #ActiveDirectory hardening measures:

Add Computers to the Domain

🧵 #CyberSecurity Image
2/ The following case is still worth mentioning:

A customer called us because he discovered two new computers within his computer objects that did not match his naming scheme. Image
3/ During the detailed investigation of the incident, it turned out that these SAMTHEADMIN objects were part of an exploit code that (if successful) would give administrative rights to a standard domain user.

A more in-depth write-up here:

Image
Read 6 tweets
Stephan Berger Profile picture
Mar 9
1/ Number #4 of the #ActiveDirectory hardening measures:

PowerShell Script Block Logging

🧵 #CyberSecurity
2/ Strictly speaking not part of a guide about hardening AD, but I must stress once again the importance of logging executed PowerShell code on clients and servers:



And here with several examples from our Incident Response cases:

3/ There are other opinions about PowerShell Script Block logging because, potentially, passwords or other sensitive data could end up in event logs, and authenticated users on the workstation or server could read these logs, thus giving away the sensitive data. [1]
Read 6 tweets
Stephan Berger Profile picture
Mar 8
1/ Number #3 of the #ActiveDirectory hardening measures:

Passwords

🧵 #CyberSecurity
2/ We talked about passwords in SYSVOL before:

3/ And here:

Read 7 tweets
Stephan Berger Profile picture
Mar 7
1/ Number #2 of the #ActiveDirectory hardening measures:

Service Accounts

🧵 #CyberSecurity
2/ In our AD assessments or IR cases, we repeatedly see that service accounts are highly privileged, often also part of the domain administrators group.

This can be disastrous, especially with a weak password for the service account:

3/ @Synacktiv took a closer look at the detection capabilities of Defender for Identity, including whether and how Kerberoasting could be detected. [1]
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(