Who Needs WMDs (Weapons of Mass Destruction) Today ?

Folks,

Today, yet again, I'd like to share with you a simple Trillion $ question, one that I had originally asked more that 10 years ago, and recently asked again just about two years ago. Today it continues to be exponentially more relevant to the whole world.

In fact, it is more relevant today than ever given the paramount role that cyber security plays in business and national security.


So without further adieu, here it is - Who needs WMDs (Weapons of Mass Destruction) Today?

Ans: Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.


Why would an entity bother trying to acquire or use a WMD (or for that matter even a conventional weapon) when (if you're smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which governments, militaries and thousands of business organizations of the world operate?

Today, all you need is two WDs in the same (pl)ACE and its Game Over.


Puzzled? Allow me to give you a HINT:.

Here’s a simple question: What does the following non-default string represent and why should it be a great cause of concern?

(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

Today, this one little question and the technicality I have shared above directly impacts the cyber security of the entire world.


If you read my words very carefully, as you always should, then you'll find that it shouldn't take an astute cyber security professional more than a minute to figure it out, given that I’ve actually already provided the answer above.


Today, the CISO of every organization in the world, whether it be a government, a military or a billion dollar company (of which there are dime a dozen, and in fact thousands worldwide) or a trillion dollar company MUST know the answer to this question.

They must know the answer because it directly impacts and threatens the foundational cyber security of their organizations.

If they don't, (in my opinion) they likely shouldn't be the organization's CISO because what I have shared above could possibly be the single biggest threat to 85% of organizations worldwide, and it could be used to completely compromise them within minutes (and any organization that would like a demo in their real-world environment may feel free to request one.)

Some of you will have figured it out. For the others, I'll finally shed light on the answer soon.

Best wishes,
Sanjay


PS: If you need to know right away, perhaps you should give your Microsoft contact a call and ask them. If they too need some help (they likely will ;-)), tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root in seconds.)

PS2: If this intrigues you, and you wish to learn more, you may want to read this - Hello World :-)

A Very Simple Trillion $ Cyber Security Multiple-Choice Question

Folks,

In days to come, I'll be helping organizations worldwide understand what constitutes a privileged user in Active Directory, how to correctly audit privileged access in Active Directory, and what the world's most important Active Directory security capability is.

Today though, I just wanted to ask a very simple and elemental cyber security multiple-choice question, so here it is -

Q. What are the minimum Active Directory Security Permissions that a perpetrator needs to be able to successfully run Mimikatz DCSync against an organization's foundational Active Directory deployment?

Is it -

A. The "Get Replication Changes" Extended Right 

B. The "Get Replication Changes All" Extended Right 

C. Both A and B above 

D. Something else

I already know the answer to this simple question. I'm only asking because I believe that today every Domain Admin and every CISO at every organization that operates on Active Directory MUST know the answer to this question, and here's why.

You may be surprised if I were to share with you just how many Domain Admins and CISOs (at so many of the world's most prominent organizations) don't know even seem to know what Mimikatz DCSync is, let alone knowing the answer!

If you know the answer to this question, and care to share, please feel free to share it by leaving a comment below.

Best wishes,
Sanjay.

A Massive Cyber Breach at a Company Whilst it was Considering the 'Cloud'

(A Must-Read for all CEOs, CFOs, CIOs, CISOs, Board Members & Shareholders Today)


Folks,

Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."

With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?



The C-Suite Meeting

Today was a HUGE day for this multi-billion dollar company, for today after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding as to which Cloud Computing provider to go with.

This meeting is being chaired by the Chairman of the Board and attended by the following organizational employees -

Chief Executive Officer (CEO) Chief Financial Officer (CFO)

Chief Information Officer (CIO) Chief Information Security Officer (CISO)

 Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.

Meeting In-Progress

After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.

The C-Suite then took a break for lunch.

The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...

... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.

Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?"  He said "Yes."





Houston, We Have a Problem

The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!

He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.

He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."

He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"




Its Over

The CEO asked the CIO - "What's wrong? What happened?"

The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"

The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"

The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"

The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"

The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"

The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"

Mimikatz DCSync 

The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."

The CEO asked - "What is Active Directory?"

The CISO replied - "Sir, simply put, it is the very foundation of our cyber security"

The CEO then asked - "Wait. Can just anyone request and extract credentials from Active Directory?"

The CISO replied - "Sir, not everyone can. Only those individuals whose have sufficient access to do so, and by that I mean, specifically only those who have Get-Replication-Changes-All effective-permissions on the domain root object, can do so."

The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!"

The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has this effective permissions on our domain root!"

The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"

The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."

The CEO was furious! - "You're kidding right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around ?!

The CISO replied - "Seventeen years."

The CEO then said in disbelief - "Did you just 17 years, as in S-E-V-E-N-T-E-E-N years?!  Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"

This is for Real

Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to exactly who has sufficient effective permissions to be able to replicate secrets out of their Active Directory. None whatsoever!

We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organizations that wishes to see it.

This Could've Been (and Can Be) Easily Prevented 

This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine effective permissions in their foundational Active Directory deployments.

Sadly, since Microsoft apparently never educated its customers about the importance of Active Directory effective permissions, most of them have no clue, and in fact have no idea as to exactly who can do what across their Active Directory deployments!

Unfortunately, Mimikatz DCSync is just the Tip of the Iceberg. Today most organizations are likely operating in the dark and have no idea about the actual attack surface, and thus about exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs etc. even though every insider and intruder could try and figure this out and misuse this insight to compromise their security.

Technically speaking, with even just minimal education and the right tooling, here is how easy it is for organizations to figure this out and lock this down today, i.e. to lock this down before an intruder can exploit it to inflict colossal damage - RIGHT HERE.

Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft Azure.

Wait, weren't these C*O discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!

Fast-Forward Six Months

Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.

All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.

Summary

The moral of the story is that while its fine to fall for the latest fad, i.e. consider moving to the "Cloud" and all, but as AND while you consider and plan to do so, you just cannot let you on-prem cyber defenses down even for a moment, because if you do so, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.

I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.

Best wishes,

Sanjay

CEO, Paramount Defenses

PS: If this sounds too simple and high-level i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here  etc.  etc.



PS2: Note for Microsoft - This may be the simplest example of "Active Directory Access Control Lists - Attack and Defense."

Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lockdown any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.



PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)

PS4: If you liked this, you may also like - How To Easily Identify & Thwart Sneaky Persistence in Active Directory

Some Help & Good News for Microsoft regarding Active Directory Security

Folks,

You'll want to read this short blog post very carefully because it not only impacts Microsoft, it likely impacts you, as well as the foundational security of 85% of all business and government organizations worldwide, and it does so in a positive way.



A Quick and Short Background

From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.

Active Directory is the Foundation of Cyber Security Worldwide

The entirety of an organization's building blocks of cyber security, including the user accounts used by the entirety its workforce, as well as the user accounts of all its privileged users, the computer accounts of the entirety of its computers, and the security groups used to provision access to the entirety of its IT resources, are stored, managed and protected in Active Directory.

During the past few years, credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins) have resulted in a substantial number of reported and unreported breaches at numerous organizations worldwide. In response, to help organizations combat the menace of these credential-theft attacks, Microsoft has had to make substantial enhancements to its Windows Operating Systems as well as acquire and introduce a technology called Microsoft ATA.

These enhancements have made it harder for perpetrators to find success with traditional credential-theft attacks, so they've started focusing their efforts on trying to find ways to attack the Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.

Make no mistake about it. There's no dearth of opportunity to find ways to exploit weaknesses in Active Directory deployments because there exists an ocean of access within Active Directory, and sadly due to an almost total lack of awareness, education, understanding and tooling, organizations have no idea as to exactly what lies within their Active Directory, particularly in regards to privileged access entitlements, and thus today there likely are 1000s of privilege escalation paths in most Active Directory deployments, waiting to be identified and exploited. All that perpetrators seem to lack today is the know-how and the tooling.

Unfortunately, since the cat's out of the bag, perpetrators seem to be learning fast, and building rapidly, so unless organizations act swiftly and decisively to adequately lock-down vast amount of access that currently exists in their foundational Active Directory deployments, sadly the next big wave of cyber breaches could involve compromise of Active Directory deployments.





Clearly, Microsoft Has No Answers

It gives me absolutely no pleasure to share with you that unfortunately, and sadly as always, Microsoft yet again seems to be playing catch-up, and in fact, it has no clue or any real answers, ideas or solutions to help organizations in this vital regard.

Here's Proof - Last week, on September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team posted this -

Active Directory Access Control List - Attacks and Defense

If and when you read it, it will likely be unequivocally clear to you as to just how little Microsoft understands about not just the sheer depth and breadth of this monumental challenge, but about the sheer impact it could have on organizations worldwide!

You see, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security!

That said, in that post, the best Microsoft could do is concede that this could be a problem, wonder why organizations might ever need to change AdminSDHolder, falsely assume that it may not impact privileged users, praise a massively inaccurate tool for shedding light on this attack vector, and end by saying - "if you find a path with no obstacles, it probably leads somewhere."

Oh, and the very last thing they tell you that is their nascent ATA technology can detect AD multiple recon methods.


In contrast, here's what they should have said - "We care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to our customers. Be rest assured that Microsoft Active Directory is a highly robust and securable technology, and here's exactly how organizations can adequately and reliably identify and lock-down privileged access in their Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."

The reason I say that should've been the response is because if you know enough about this problem, then you also know that it can actually be completely and sufficiently addressed, and that you don't need to rely on detection as a security measure.

BTW, to appreciate how little Microsoft seems to understand about this huge cyber security challenge, you'll want a yardstick to compare Microsoft's response with, so here it is (; you'll want to read the posts) - Active Directory Security School for Microsoft.



Er, I'm really sorry but you are Microsoft, a US$ 550 Billion corporation, not a kid in college. If the best you can do concerning such a profoundly important cyber security challenge is show how little you seem to know about and understand this problem, and only have detection to offer as a solution, frankly, that's not just disappointing, that's deeply concerning, to say the least.

Further, if this is how little you seem to understand about such a profoundly important cyber security challenge concerning your own technology, I cannot help but wonder how well your customers might actually be protected in your recent Cloud offering.





Fortunately There's Help and Good News For Microsoft

I may appear to be critical of Microsoft, and I do still believe that they ought to at least have educated their customers about this and this huge cyber security challenge, but I also love Microsoft, because I've been (at) Microsoft, so I'm going to help them.

To my former colleagues at Microsoft I say - "Each one of us at Microsoft are passionate, care deeply and always strive to do and be the best we can, and even though I may no longer be at Microsoft, (and I still can't believe how you missed this one), luckily and fortunately for you, we've got this covered, and we're going to help you out."

So, over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.

Specifically, in days to come, as a part of our 30-Day Active Directory Security School, you can expect the following posts -

1. What Constitutes a Privileged User in Active Directory


2. How to Correctly Audit Privileged Users/Access in Active Directory


3. How to Render Mimikatz DCSync Useless in an Active Directory Environment


4. How to Easily Identify and Thwart Sneaky Persistence in Active Directory


5. How to Easily Solve The Difficult Problem of Active Directory Botnets


6. The World's Top Active Directory Permissions Analysis Tools (and Why They're Mostly Useless)


7. The Paramount Need to Lockdown Access Privileges in Active Directory


8. How to Attain and Maintain Least Privileged Access (LPA) in Active Directory


9. How to Securely Delegate and Correctly Audit Administrative Access in Active Directory


10. How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment

You see, each one of these Active Directory security focused objectives can be easily accomplished, but and in order to do so, what is required is the capability to accurately audit effective access in Active Directory. Sadly, let alone possessing this paramount cyber security capability, Microsoft doesn't even seem to have a clue about it.

Each one of these posts is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual, company etc.) on the planet that can help the world address each one of these today, do let me know.

So, over the next few days, I'll pen the above, and you'll be able to access them at the Active Directory Security Blog.

Until then, you may want to go through each one of the 20 days of posts that I've already shared there, as well as review this.



In fact, this cannot wait, so let us begin with the "actual" insight on Active Directory ACLs that all organizations worldwide must have today -

Active Directory Access Control Lists - "Actual" Attack and Defense.

Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.


Best wishes,
Sanjay

CEO, Paramount Defenses

Formerly Program Manager,
Active Directory Security,
Microsoft Corporation


PS: Microsoft, you're welcome. Also, I don't need anything from you, except a Thank you note.

A Simple Trillion $ Cyber Security Question for Microsoft (MSFT) regarding Defending Active Directory Against Cyberattacks

Folks,

Ask any good security practioner or hacker and they'll tell you that security is in the details so this is a slightly detailed post.  This blog post is also worth a proverbial Trillion $, so if you're into cyber security, you'll want to read it in its entirety.

First things first - As I indicated last week, sometime this week, I will be respectfully and publicly taking Microsoft to Active Directory Security School. This post is not the one that takes them to school; this post is merely a curtain raiser and sets the stage for that post. That post will be titled "Defending Active Directory Against Cyberattacks", and it will be sometime this week.

Today I respectfully pose a simple trillion $ cyber security question to Microsoft regarding the contents of the following video that Microsoft released in May 2016 -  

(Please click the Play button to view the video. If it does not play, you can see it on Microsoft's website here.)

First, the context -

• In May 2016, i.e. within 2 months of this, and for the first time in the 16 years that Active Directory has been around, Microsoft developed and released a 7-part series of 12 videos titled "Defending Active Directory against Cyberattacks". The entire series can be found here. They even made a promo for it, which can be found here.

Next, the summary of the video above titled "Defending the Directory", quoted verbatim -

• "Do you know who your admins are? Learn why maintaining solid access control to sensitive directory objects is important for mitigating stealthy means of persistence and escalation of privilege."

Then, a few quick thoughts -

• I'd like to publicly commend Microsoft for producing this video series on Active Directory Security. It was high time that Microsoft voiced and stressed the importance and urgency of defending Active Directory deployments.
• I strongly encourage IT personnel at all organizations to watch the above video. It is a 29 minute video, but its worth your time, because it concerns a lesser known but highly potent attack vector that most organizations are likely not aware about, and wherein the attack surface is the size of the Atlantic ocean, and one that could easily grant an intruder or an insider complete command and control of the organization's foundational Active Directory in minutes.

Finally, before I pose the question, for those who may not have the time to view it, some important quotes from this video -

1. "The first thing I want to discuss is admins that are a little bit less obvious, or you don't realize they're admins" 
2. "Lots of customers I work with are laser focused on Domain Admins, Enterprise Admins, Builtin Admins and Schema Admins, and they think that if I know who is a member in any one of those groups, I know who my admins are, which isn't always necessarily the case, because with the way that Active Directory works, you can delegate access to different objects through access control lists"
3. "If I had permissions to say link a GPO to the Domain Controllers OU, then I could use that to go from what appears to be an unprivileged account to having full control over Active Directory"
4.  "I am able to do this (i.e. use Mimikatz DCSync to replicate everyone's hashes from Active Directory) using a plain domain user account because this account has been delegated some rights at the Domain level"
5. "A lot of organizations have been using Active Directory since it was released back in 2000, and then they went to 2003 and then 2008 and now they're on 2012, and over that time period they've probably had a lot of turnover in the organization, so the guy that setup AD 10 years ago isn't with the company anymore, and the guy that's doing this now is inheriting a mess potentially from several previous administrators, and people could have delegated this for what they thought was a legitimate reason, and it leaves another attack vector that is less obvious."
6. "Absolutely everything inside of Active Directory is an object, protected by ACLs and these things (ACLs) can be manipulated in a great number of ways depending on what permissions you have there"
7. "You can be an admin through (deeply) nested groups. I have seen that quite a bit. It can get pretty messy. That is why you want to keep a clean directory."
8. "Contest your delegates. Challenge them. Go and find out who has been delegated what privileges"
9. "Somebody, either possibly legitimately, or illegitimately, was granted rights that gave them a lot of power. They could grab the hash of any account, and become that account, simply by having been delegated the Get Replication Changes All rights on that object"
10. "If I have write member permissions on a group, I can add myself to this group, and since this group via group nesting is a member of the Domain Admins group, I could easily and instantly escalate my privilege to that of a Domain Admin"
11. "So effectively that is a means of escalation!"
12. "If a group or account has been granted change password on an account, and that account is privileged, I can change the password on that account, and now I own it!" (See corrections below.)
13. "We're getting pretty deep into the inner workings of Active Directory, but based on what you showed us in the demo, its super important. It is, it is VERY IMPORTANT because these are all different ways that I could use to escalate privilege, and they're not obvious because its controlled by the access control lists (ACLs)! "
14. "We are working to identify which ACLs in Active Directory can lead to command and control of Active Directory"

Oh, and a few relevant (i.e. not all) corrections  -

• "If a group or account has been granted change password on an account, and that account is privileged, I can change the password on that account, and now I own it!" is technically incorrect. It should have been "If a group or account has been granted RESET password on an account, and that account is privileged, I can RESET the password on that account, and now I own it!" It is incorrect because in order to change a user's password, you need to know his/her existing password. Details here or here.
• "You can use the Get-ACL cmdlet in PowerShell with Active Directory and you can view who has the rights on the object that I am looking at, what rights they have." Who has what rights/permissions granted in the ACL of an Active Directory object is NOT the same as who actually has what rights in Active Directory! There's a world of a difference.
• "If I have that permission, I can link that GPO" should be "If I effectively have that permission, then I can link that GPO." Having the permission listed in the ACL is by no means sufficient. Similarly, simply viewing the ACL to see who has Get Replication Changes All is neither sufficient nor the accurate way to find out who can actually replicate secrets from Active Directory. (You need to know who effectively has that permission granted.) More on that later this week.

The Trillion $ Question

Finally, the Trillion $ Question is -

• The Context
  
  Microsoft, its 2016 and you're (only) a $500 Billion company today because virtually the entire world is your customer. Today, across your global organizational customer base, from the Fortune 1000 to entire federal, state and local governments, there exist billions of Active Directory security permissions (aka access privileges) protecting hundreds of millions of Active Directory objects across thousands of Active Directory deployments worldwide.
  
  Its 2016, and so it is 16 years after Active Directory shipped (and so interestingly coincidentally, just 2 months after we, Paramount Defenses, declassified the Paramount Brief) that you're just now and finally stressing the paramount importance of Active Directory Security to your customers, and you finally and rightly tell the world (and I quote from the video above titled "Defending the Directory") - "Go and find out who has been delegated what privileges" because "everything in Active Directory is an object" "protected by access control lists" and "this is very, very important"   BUT when you do so, you completely forget to tell them the one most important technical fact about how to correctly assess who has actually been delegated what privileges in Active Directory i.e. the one technical fact that governs the actual resulting access and delegations in Active Directory.
  
  This, even though it was right in front of the presenter's eyes during one of the methods demonstrated in the video!
  
  (By the way, in the video, the methods demonstrated by the presenter on how to assess these rights/permissions and delegations are substantially inadequate and incorrect. However, the presenter is not to blame because he is merely presenting what has consistently been (inaccurate) official guidance from Microsoft in its whitepapers etc.)
  
  
  The Question
  
   In light of the context above, my simple question to you is - Can you please tell the world WHAT is the one cardinal (paramount) technical fact that governs the determination of who can actually do what in Active Directory?
  
  By the way, HOW in the world could you have forgotten to cover it, when you know that in all likelihood, millions of IT folks from 1000s of organizations across 150+ countries worldwide are going to view these videos and based on the guidance presented, enact measures to enhance the foundational cyber security of their organizations?!

Make not mistake about it. In the answer to this question lies the key to organizational cyber security globally. It's that simple.

Here's why - If organizations do not swiftly and correctly identify and eliminate the ocean of unauthorized access privileges that exists in their Active Directory deployments today, it is only a matter of time before intruders or insiders exploit this ocean of vulnerabilities to obtain complete command and control over foundational Active Directory deployments worldwide.

Oh, and, by the way, no cyber security company on the planet (neither the McAfees nor the CyberArks of the world, neither the FireEyes nor the CrowdStrikes of the world, neither the Centrifys nor the BeyondTrusts of the world) seems to have a clue as to the answer, or for that matter seems to know how to help organizations correctly identify the ocean of unauthorized access privileges that exist in 1000s of Active Directory deployments worldwide, just waiting to be found and exploited.



Substantiating the Trillion $

In case you're wondering why I say its a Trillion $ cyber security question, that's because if you were to add up the market cap of the 20,000+ organizations across 150+ countries, not to mention or include the 1000s of local, state and federal/national governments at whose very foundation lies Microsoft Active Directory, you'll find the sum will handily be in the trillions of $.

Also, in case you find yourself wondering as to how this 1 simple question could possibly impact organizational cyber security globally, for now just consider the colossal impact of even a single (i.e. just one) successful execution of mimikatz DCSync in an organization's network, i.e. the colossal damage a proficient adversary could subsequently, swiftly inflict - it'd be Game Over.

Oh, and by the way, mimikatz DCSync is just the Tip of the Iceberg.  (More (i.e. an ocean to be precise) on that later this week.)



Looking Forward to an Answer

So, to my incredibly talented, hard-working and respected colleagues and friends at Microsoft, I (and the world) look forward to your answer. Also, in case you don't really like that this question is being asked publicly, my sincerest apologies. It is 2016 after all, not 2006, and as you too likely know 100% of all major recent cyber security breaches (e.g. Snowden (at NSA), Target, JP Morgan, Sony, Anthem, OPM) have involved the compromise and misuse of just one Active Directory privileged user account.

If for any reason, you can't answer this question, no worries, I'll answer it for you, later this week, right here on this blog.

Best wishes,
Sanjay


PS: This blog is read by 1000s of prominent folks (CEOs, CIOs, CISOs,  IT Directors, Domain Admins, Security Analysts and Pen Testers at Fortune 100 and 1000 companies, institutional and individual shareholders, cyber security personnel and leadership at 3-letter government agencies worldwide, nation states (e.g. UK, the EU, Australia, Russia, China etc.) and it being a public blog, unfortunately even folks on the dark side) from 150+ countries worldwide. In other words, everyone's tuned in.


PS2: July 25, 2017 Update.  I just answered this question for Microsoft. The answer to this Trillion $ question is right  HERE.

How to Lockdown Active Directory to Thwart the Use of Mimikatz DCSync

Folks,

I'm going to keep this post short, because some brilliant folks feel that my blog posts are longer than their source code.


This is Very Important

On a (very) serious note, today, thanks to the DCSync feature of Mimikatz, the creation of the brilliant Mr. Benjamin Delpy, we have a situation wherein organizational security worldwide boils down to this - if you assume a breached network, then your foundational Active Directory is only as secure as the number of individuals that have the Get Replication Changes All extended right effectively granted in the access control list (ACL) that protects the domain's root object.

A perpetrator using Mimikatz DCSync feature to obtain the credentials of all domain accounts in Active Directory
 

Here's why - if the perpetrator can compromise the account of even a single user who has the Get Replication Changes All extended right effectively granted on the domain root, he/she could login as using that account, request and obtain secrets from Active Directory, and use Mimikatz to in effect determine the credentials of the entirety of your user populace, within minutes!




This is Preventable -  Deny them the Access they Need

As serious as this is, it is easily preventable. You can deny perpetrators the access they need to leverage the DCSync feature.

Thus, in your own best interest, you'll want to immediately minimize (i.e. reduce down to a bare absolute minimum) the number of users who effectively have this right granted, and from that point on not only afford those accounts the highest protection, but also verify and ensure that at all times (365-24-7), not a single individual more than is absolutely required to have this extended right, has this extended right effectively granted to him/her.

The only ability you need to deny perpetrators the access they need to use the DCSync feature of Mimikatz is the ability to accurately determine effective permissions in Active Directory, so that you can accurately assess, audit and verify exactly who has the Get Replication Changes All extended right effectively granted on the domain root object at all times.

Here's how you can lockdown Active Directory in 5 simple steps, to deny perpetrators the opportunity they need to leverage the DCSync feature of Mimikatz -

1. Identify all users who currently have the Get Replication Changes All extended right granted today on the domain root by determining effective permissions on the domain root. 

2. Analyze this list of users to identify all users who should not be on this list.

3. For every user that should not be on this list, identify how he/she is being entitled to this effective permission.

4. For each such user, based on the above identification, proceed to lockdown the identified security permissions, such as by restricting access or modifying a group membership etc.

5. Finally, determine effective permissions on the domain root object again to verify the lockdown, and ensure that only authorized individuals effectively possess this right.

Using these steps, organizations worldwide can quickly lockdown Active Directory to deny perpetrators the opportunity required to leverage the DCSync Feature of Mimikatz to engage in domain-wide credential theft, thus thwarting its use.




Required Tooling

In order to enact the 5 steps outlined above, you can use any Active Directory effective permissions tool that can help you -

1. Accurately determine effective permissions in Active Directory

2. Identify all users that have a specific effective permission granted on an Active Directory object

3. Identify how a specific user has a specific effective permission granted on that Active Directory object

Here's why - Accuracy is essential. We need to identify all such users, and we need to know the how to lockdown their access.

One tool that I know of that meets these criteria is this one. I know so because I architected it. In fact, so many of the world's top business and government organizations worldwide use it to audit privileged access in Active Directory. However, I do NOT want my advice to sound biased so you do NOT have to take my word. Please feel free to do your own research. I will only say this much, and you can validate it yourself - stay away from this tool and scripts on TechNet, as they are dangerously inaccurate.

In the interest of fairness and objectivity, I will repeat this again - you can use any Active Directory effective permissions tool you want that can help you fulfill the above 3 essential needs. I've also provided the reasons as to why these 3 needs are essential.




One

It is critical to ensure that only the absolutely minimum possible number (0/1) of users have this right effectively granted to them.

If even one additional user is effectively granted this critical right, and the perpetrators can identify them and compromise their account(s) (credentials), then they will simply be minutes away from being able to steal the credentials of every user in the Active Directory domain, including all privileged users such as all Domain Admins, Enterprise Admins, Built-in Admins etc.

So, in a way, today, the security of an entire Active Directory domain (and thus forest) depends on exactly who effectively has sufficient enough rights to be able to replicate secrets out of Active Directory!

In other words, to put it simply, if this security grant is not fully locked down at all times, it could be Game Over very quickly.

Finally, to demonstrate just how deeply we care about cyber security globally, any* organization that wishes to find out exactly how many individuals effectively have this right granted today, can now do so completely free (i.e. via the free Try Now option.)




Complete Details

I wanted to keep this post short but perhaps you want more details. Complete details, including an example/illustration of the above 5 steps provided above, as well as the deficiencies in Microsoft's Effective Permissions Tab, and other relevant details can be found on my second blog at - http://www.active-directory-security.com. Here's the url to the post that has the details -
How to Prevent a Perpetrator from Using Mimikatz DCSync feature to perform Credential Theft from Active Directory


In your own organization's best interest, it is imperative to understand just how important this is to Active Directory security.

Best wishes,
Sanjay


PS: Ideally, I could have conveyed this in one sentence - "Simply minimize the number of individuals who effectively possess the Get Replication Changes All on the domain root. Done!"   The keyword here is "effectively" i.e. "effective permissions"

PS2: By the way, detection (see PS3 of this post) isn't sufficient, because by the time you detect and respond to an intruder replicating secrets out, it will have been too late because they will already have been replicated out. As such, when you can easily prevent something bad from happening, why merely rely on being able to detect it, especially when this is so critical?

PS3: By the way, where is Microsoft when it comes to providing some thought-leadership, as well as real-world advice and help on such critical cyber security issues? Also, what if solutions to such fundamental cyber security challenges didn't exist today?