Active Directory Escalation paths

🔒 Secure Bits 💡
Do you scan your infrastructure for privilege escalation paths?

You should, especially if you haven't implemented a Tiering Model or Least Privilege Access.

With time, misconfigurations pile up and hidden escalation paths emerge. BloodHound is one of the best tools to uncover them.

How to Map Escalation Paths in AD
1️⃣ Collect Data from the Target Infrastructure
▪️As a standard user, you can gather a lot of data.
▪️However, to enumerate active sessions, you'll need elevated access.
▪️Use SharpHound to collect all necessary relationships.

2️⃣ Upload & Analyze in BloodHound
▪️Once imported, you can visualize relationships between AD objects.
▪️Identify misconfigurations leading to privilege escalation.
▪️Example: Carl → Workstation → Server → Domain Admins 🚨
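
An added example (not from the original post) of the path search that step 2 describes: a breadth-first search over a constructed edge list modelled on the Carl example, which also counts the edges shared by the most paths so you know what to fix first. The node names, the sample edges and the `audit` helper are assumptions; AdminTo, HasSession and MemberOf are BloodHound relationship names.

```python
from collections import Counter, deque

# Constructed sample relationships (source, edge type, target), modelled on the
# Carl example above. Not real collector output; all node names are made up.
EDGES = [
    ("CARL", "AdminTo", "WS01"),              # Carl is local admin on a workstation
    ("WS01", "HasSession", "SRV_ADMIN"),      # a server admin is logged on there
    ("SRV_ADMIN", "AdminTo", "SRV01"),
    ("SRV01", "HasSession", "DA_ALICE"),      # a Domain Admin is logged on to the server
    ("DA_ALICE", "MemberOf", "DOMAIN ADMINS"),
    ("BOB", "MemberOf", "HELPDESK"),
    ("HELPDESK", "AdminTo", "WS01"),
    ("DAVE", "AdminTo", "WS02"),              # dead end, no path
]

def shortest_path(graph, start, target):
    """Breadth-first search; returns the hops as (src, edge, dst) or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def audit(edges, principals, target="DOMAIN ADMINS"):
    """Return exposed principals with their paths, plus per-edge path counts."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    found = {p: shortest_path(graph, p, target) for p in principals}
    exposed = {p: hops for p, hops in found.items() if hops}
    # An edge shared by many paths is where one fix removes the most exposure.
    chokepoints = Counter(hop for hops in exposed.values() for hop in hops)
    return exposed, chokepoints

if __name__ == "__main__":
    exposed, chokepoints = audit(EDGES, ["CARL", "BOB", "DAVE"])
    for user, hops in exposed.items():
        print(user, "->", " -> ".join(f"[{rel}] {dst}" for _, rel, dst in hops))
    print("Fix first:", chokepoints.most_common(1)[0])
```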

💡 Most environments have hidden escalation paths, and the older the infrastructure, the worse it gets.

Learn how to build a secure Active Directory from scratch with me:
Building a Secure Active Directory – Horizon Secured

Have you ever found a surprising escalation path in your AD? 👇