I recently came across an interesting presentation on Active Directory Security and Active Directory Privilege Escalation titled Six Degrees of Domain Admin. Since I happen to know a thing or two about the subject, I thought I'd share a few thoughts.
It's nice to see folks apply graph theory towards determining privilege escalation paths. It's also nice to see folks quote my former colleague and good friend, John Lambert, General Manager for the Microsoft Threat Intelligence Center.
By the way, I must mention that John's a great guy, one of Microsoft's finest. He also really likes graphs, and as you may know, is famous for his quote, "Defenders think in lists, attackers think in graphs." In fact, way back in 2007, when I was visiting MSFT, I remember him suggesting that we consider using graphs with Gold Finger when I showed him its sheer power. By the way, at Paramount Defenses, as defenders, we've always thought in graphs.
Anyway, after seeing that presentation, I'd only like to say that those who are still relying on finding privilege escalation paths in Windows networks based on where privileged users may have logged on, so that they can find hosts on which to employ archaic pass-the-hash and Kerberos ticket meddling techniques, may still be operating in the Stone Age of cyber security.
For all folks starting out in and/or interested in Active Directory Security and Active Directory Privilege Escalation, here's one simple, helpful resource to ramp up their knowledge: Defending Active Directory Against Cyberattacks.
If you really know Active Directory Security, then you know that with the right tooling (e.g. one, two, three) you can easily and instantly find thousands of instantly exploitable privilege escalation paths in a Windows network right within the Active Directory itself, and thus you'll never even need, or have any interest in, finding out who logs on to or logged on to which computer in order to use archaic pass-the-hash / Kerberos ticket meddling techniques. (That stuff's for novices.)
By the way, we know just how powerful such tooling is, so we will not make it available for free in the public domain. In fact, we only license our tooling to the good guys (organizational IT personnel) and only for use in/against their own Active Directory.
For folks who are still using archaic pass-the-hash / Kerberos ticket meddling techniques, you'll want to read and absorb this blog entry like a sponge absorbs water: A Letter to Benjamin Delpy regarding Mimikatz and Active Directory Security.
Also, if you're trying to find the shortest path to DA (Domain Admins), you may want to consider learning about this; it's only about 1000 times more powerful than anything else out there. Incidentally, this can find thousands of privilege escalation paths in Active Directory in less time than it would take someone to go through this.
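To make concrete what "privilege escalation paths right within the Active Directory itself" and "shortest path to DA" mean, here is an added example that is not from the original post, nor from the Six Degrees of Domain Admin presentation, nor from any of the tooling mentioned above. It models the ACLs on a handful of directory objects as a graph in which an edge means "the trustee can take control of this object" and runs a breadth-first search from an ordinary user to Domain Admins. The object names, group memberships and ACEs are constructed sample data, and the mapping from rights to edges (GenericAll, WriteDacl and WriteOwner on any object; WriteProperty on a group's member attribute; the User-Force-Change-Password extended right on a user) is a deliberate simplification of my own: real effective-permission analysis must also resolve inheritance, deny ACEs, object-type GUIDs and nested group membership, none of which this toy does.

```python
"""Toy ACL-path finder for Active Directory (added example, constructed data).

Edges are derived purely from directory permissions, not from logon sessions,
which is the point the post makes: the escalation paths live in the ACLs.
"""
from collections import deque

# Rights that, on any object, amount to full control of that object.
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner"}

# Constructed sample ACLs: object DN -> list of (trustee DN, right, attribute or extended right).
# Hypothetical domain corp.local; none of these principals are real.
ACLS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=local": [
        ("CN=Helpdesk,OU=Groups,DC=corp,DC=local", "WriteProperty", "member"),
    ],
    "CN=Helpdesk,OU=Groups,DC=corp,DC=local": [
        ("CN=svc-backup,OU=Service,DC=corp,DC=local", "GenericAll", None),
    ],
    "CN=svc-backup,OU=Service,DC=corp,DC=local": [
        ("CN=Tier2,OU=Groups,DC=corp,DC=local", "ExtendedRight", "User-Force-Change-Password"),
        ("CN=bob,OU=Staff,DC=corp,DC=local", "ReadProperty", None),  # read-only: not an edge
    ],
    "CN=Tier2,OU=Groups,DC=corp,DC=local": [],
}

# Constructed group membership: group DN -> member DNs.
MEMBERS = {
    "CN=Tier2,OU=Groups,DC=corp,DC=local": ["CN=alice,OU=Staff,DC=corp,DC=local"],
}

DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=corp,DC=local"


def edges_from_acl(object_dn, entries):
    """Yield (trustee, object, reason) for each ACE that lets the trustee control object_dn."""
    for trustee, right, attr in entries:
        if right in CONTROL_RIGHTS:
            yield trustee, object_dn, right
        elif right == "WriteProperty" and attr == "member":
            # Can add principals (e.g. itself) to the group.
            yield trustee, object_dn, "WriteProperty(member)"
        elif right == "ExtendedRight" and attr == "User-Force-Change-Password":
            # Can reset the account's password and log on as it.
            yield trustee, object_dn, "ForceChangePassword"


def build_graph(acls, members):
    """Adjacency list: principal DN -> list of (object it can take over, reason)."""
    graph = {}
    for obj, entries in acls.items():
        for trustee, target, reason in edges_from_acl(obj, entries):
            graph.setdefault(trustee, []).append((target, reason))
    # Being a member of a group means you hold whatever the group holds.
    for group, mems in members.items():
        for member in mems:
            graph.setdefault(member, []).append((group, "MemberOf"))
    return graph


def shortest_path(graph, start, goal):
    """BFS over control edges. Returns [(from, reason, to), ...] or None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for nxt, reason in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, reason)
                queue.append(nxt)
    if goal not in prev:
        return None
    steps, node = [], goal
    while prev[node] is not None:
        parent, reason = prev[node]
        steps.append((parent, reason, node))
        node = parent
    return steps[::-1]


def principals_reaching(graph, goal):
    """Every principal in the graph with at least one path to goal, sorted."""
    return sorted(p for p in graph if p != goal and shortest_path(graph, p, goal))


if __name__ == "__main__":
    g = build_graph(ACLS, MEMBERS)
    for step in shortest_path(g, "CN=alice,OU=Staff,DC=corp,DC=local", DOMAIN_ADMINS) or []:
        print("%s --[%s]--> %s" % step)
```

In a real domain the ACE list for each object comes from its nTSecurityDescriptor (for example via Get-Acl on the AD: drive, or by reading the attribute over LDAP), and the trustee column holds SIDs rather than DNs; everything else about the walk is the same. Note that alice reaches Domain Admins in four hops without any hash or ticket being touched, while bob, who merely has read access on the service account, has no path at all.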
All in all, it's nice to see other folks out there finally getting into Active Directory Security. Frankly, having done it for 15+ years now (first at Microsoft, and then at Paramount Defenses), being a million miles ahead is getting to be a tad boring. That said, one of the perks (the fun part) of my job is that I get to build stuff that even James Bond and Ethan Hunt don't have yet: 007G.