Here Be Dragons: The Unexplored Land of Active Directory ACLs presented at derbycon 2017

by Rohan Vazarkar, Will Schroeder, Andy Robbins,

Summary : "During internal penetration tests and red team assessments, Active Directory remains a key arena for gaining initial access, performing lateral movement, escalating rights, and accessing/exfiltrating sensitive data. Over the years, a completely untapped landscape has existed just below the surface in the form of Active Directory object control relationships. Organizational staff come and go, applications deploy and alter Access Control Entries (ACEs), eventually creating an entire ecosystem of policy exceptions and forgotten privileges. Historically, Access Control Lists (ACLs) have been notoriously difficult and frustrating to analyze both defensively and offensively, something we hope to change. In this talk, we will clearly define the Active Directory ACL attack taxonomy, demonstrate analysis using BloodHound, and explain how to abuse misconfigured ACEs with several new PowerView cmdlets. We will cover real world examples of ACL-only attack paths we have identified on real assessments, discuss opsec considerations associated with these attacks, and provide statistics regarding the immense number of attack paths that open up once you introduce object control relations in the BloodHound attack graph (spoiler alert: it's a LOT). We hope you will leave this talk inspired and ready to add ACL-based attacks to your arsenal, and to defensively audit ACLs at scale in your AD domain."
Andrew Robbins (@_wald0) is the Adversary Resilience lead at Specter Ops. Andy is an active Red Teamer and co-author of BloodHound, a tool designed to reveal the hidden and unintended permission relationships in Active Directory domains. He has performed numerous offensive engagements against banks, credit unions, health- care providers, defense companies, and other Fortune 500 companies across the world. He has presented at BlackHat, DEF CON, BSides Las Vegas, DerbyCon, ekoparty, and actively researches Active Directory security. He is also a veteran Black Hat trainer. Will Schroeder (@harmj0y) is an offensive engineer and red teamer for Specter Ops. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has spoken at a number of security conferences including ShmooCon, DerbyCon, Troopers, DEF CON, BlueHat Israel, and more on topics ranging from domain trust abuse to advanced offensive tradecraft with PowerShell. Rohan Vazarkar (@CptJesus) is a senior operator and developer for Specter Ops. He has spoken at numerous security conferences including DEF CON, BlackHat, SANS Hackfest, and more. Rohan has lead and supported operations against Fortune 500 companies, federal agencies and clients in the financial, defense, and health-care sectors. He is the co-author of the BloodHound analysis platform and has contributed to other open source projects such as Empire and EyeWitness.