profile

Spencer Alessi

The AD permissions no one checks

Published 3 months ago • 2 min read

Attackers love shortcuts. Hidden insecure permissions are their express lane to Domain Admin.

Ethical Threat Insight: Finding Hidden Insecure Permissions in Active Directory

Delegated permissions in Active Directory are specific access rights that are granted without requiring that user be a member of a security group.

It’s a way of assigning more granular permissions.

However, it’s all too easy to make mistakes when delegating permissions.

What are the risks of insecure delegations?

  • Privilege Escalation
  • Lateral Movement
  • Service Abuse
  • Increased Attack Surface

How does insecure permission normally happen? Take this for example…

You want to give the Help Desk group permissions to reset passwords for end users, so you give them “FullControl” of the default Users OU.

Well, you’ve now inadvertently given out more control than you intended to.

FullControl includes way more rights than just resetting passwords and now any user within the Users OU can be compromised by an attacker whose able to obtain a Help Desk account.

Or maybe worse, Help Desk can now make even bigger, more costly mistakes.

How do we find these hidden insecure permissions?

One of my favorite ways is with the free tools, ADeleg and ADeleginator. Here’s what you do:

  1. Download and open ADeleg
  2. Once ADeleg is open click View -> Index view by -> Trustees
    That puts the trustees on the left hand side and the resources on the right. That way we can click on a trustee and see the permissions it has on a given resource.
  3. Then on the left hand side, open up the Global dropdown and look for several key trustees. You can consider these “unsafe users/groups”.
    • Everyone
    • Authenticated Users
    • Domain Users
    • Any other user/group you want to look for, like Help Desk
  4. Review the permissions granted on the resources in the window on the right and look for permissions that may be dangerous. We want to look for things like:
    • Write all properties
    • Create/delete child objects
    • Ownership of a resource
    • Add/delete delegations
    • Write attribute
    • Validated write
    • Change the owner
    • Change password
    • Reset password

Action today: My challenge for you today. Pick one OU that holds sensitive accounts (like IT staff or executives). Run a permissions check with ADeleg. If you find “Everyone” or “Authenticated Users” anywhere in the list, tighten it up.

☕ If you would like to learn more about this. I walk through real examples of hidden AD permission risks in this webinar.

Watch it here 👇

PS: Hidden AD permissions are like giving your kid the house key and finding out it also unlocks the garage, disables the alarm, and logs into Wifi and Netflix. Congrats, they own the domain. 😅

PPS: I'm hosting another free webinar on the topic of common Windows misconfigurations that give attackers the advantage. Because the thing is...your biggest security risks aren’t exotic exploits… they’re the everyday Windows settings you’ve overlooked.

In this webinar, I'll be covering the worst of the worst, the “how is this still a thing?” misconfigurations that make life way too easy for the bad guys.

The webinar is on Thursday 8/28 at 12pm eastern. Hope to see you there!

Register here 👇

https://go.spenceralessi.com/windows

All the best
Spencer Alessi

"Spirit of a hacker heart of a defender"
All My Links | super cool cybersecurity shirts & stickers

Spencer Alessi

😈 Spirit of a hacker | 💙 Heart of a defender

✔ Pentester/recovering sysadmin ✔ Self-proclaimed Ethical Threat ✔ Active Directory Security Connoisseur ✔ Offensive stuff — securit360.com ✔ Host Cyber Threat POV — offsec.blog ✔ SWAG — swag.ethicalthreat.com 📩 By subscribing, you’ll get exclusive access to industry insights, actionable tips for securing your environments, behind-the-scenes content from my pentests, and updates from someone who keeps a pulse on the ever-changing cyber threat landscape.

Read more from Spencer Alessi
Common Active Directory Security Mistakes Attackers Count On - go.spenceralessi.com

Security applied blindly is just another outage waiting to happen. Ethical Threat Insight: Active Directory Security Mistakes Active Directory is the backbone of your network, and attackers know it just as well (if not better) than most admins. A staggering amount of breaches don’t require fancy exploits. They rely on common misconfigurations, they count on IT admins not doing the hard things that need to be done to secure an AD environment. These are some of the most frequent (and dangerous)...

13 days ago • 1 min read

Downtime is decided months before the attack. Ethical Threat Insight: Surviving a Ransomware Attack A DC‑area Reddit thread described days of disruption after a hospital system was reportedly hit by Rhysida ransomware. How much was the ransom? ~$3 million USD at the time of the incident. 😲 It’s a painful, real‑world reminder: your ability to operate “offline” is the difference between chaos and continuity. The time to have a plan and to prepare is before the proverbial SHTF. 6 ways to prepare...

20 days ago • 2 min read
3 signs your pentest was a paperweight - go.spenceralessi.com

Who you choose to test your environment matters just as much as what they test. Ethical Threat Insight: Internal Pentest Report Red Flags If you know a little bit about me, you know internal pentesting is kind of my thing. I’ve done more than 120 internal pentests in the last 5 years. What I have come to realize is that not all internal pentests are created equal, especially when it comes to reporting. Most internal pentest reports look impressive at first glance, but after you dig into them...

27 days ago • 2 min read