Detection of Misconfigurations & Threats in AD

🔒 Secure Bits 💡
Do you regularly check your Active Directory for misconfigured ACLs?

ACL misconfigurations are among the most overlooked, yet most severe, weaknesses in AD environments. Unlike a missing patch, they do not show up in a vulnerability scanner: they are legitimate permissions granted to the wrong principal, and they often stay hidden until an attacker enumerates them. By then it is usually too late.

๐—›๐—ฒ๐—ฟ๐—ฒ ๐—ฎ๐—ฟ๐—ฒ ๐—ท๐˜‚๐˜€๐˜ ๐—ฎ ๐—ณ๐—ฒ๐˜„ ๐—ฒ๐˜…๐—ฎ๐—บ๐—ฝ๐—น๐—ฒ๐˜€ ๐—ผ๐—ณ ๐˜๐—ต๐—ฒ๐˜€๐—ฒ:
๐Ÿ”น ๐——๐—–๐—ฆ๐˜†๐—ป๐—ฐ โ€” permissions that let an account replicate data (including secrets) from the AD DS database.
๐Ÿ”น ๐——๐—–๐—ฆ๐—ต๐—ฎ๐—ฑ๐—ผ๐˜„ โ€” the ability to push changes to AD from a compromised machine acting as a rogue Domain Controller.
๐Ÿ”น ๐—ฆ๐—บ๐—ฎ๐—น๐—น๐—ฒ๐—ฟ ๐—ฑ๐—ฒ๐—น๐—ฒ๐—ด๐—ฎ๐˜๐—ถ๐—ผ๐—ป๐˜€ โ€” write access, password resets, read LAPS password, GPO edit permissions, and many other privileges/permissions that can become escalation paths to full AD DS control.
๐Ÿ”น ๐—”๐—— ๐—–๐—ฆ (๐—˜๐—ฆ๐—–-๐—ป) โ€” misconfigurations in Active Directory Certificate Services enabling escalation from a basic user/computer.

These flaws are dangerous because whoever holds the delegated right can abuse it from a regular workstation, with nothing more than domain credentials. In many environments that right has ended up granted to broad groups such as Authenticated Users, Domain Users or Domain Computers, so effectively any authenticated user in the domain can use it.

๐—ฆ๐—ผ ๐—ต๐—ผ๐˜„ ๐—ฑ๐—ผ ๐˜†๐—ผ๐˜‚ ๐—ฝ๐—ฟ๐—ผ๐˜๐—ฒ๐—ฐ๐˜ ๐˜†๐—ผ๐˜‚๐—ฟ๐˜€๐—ฒ๐—น๐—ณ?
๐Ÿ›ก๏ธ Donโ€™t delegate privileges unless you ๐—ณ๐˜‚๐—น๐—น๐˜† ๐˜‚๐—ป๐—ฑ๐—ฒ๐—ฟ๐˜€๐˜๐—ฎ๐—ป๐—ฑ their security impact.
๐Ÿ›ก๏ธ ๐—ฅ๐—ฒ๐—ด๐˜‚๐—น๐—ฎ๐—ฟ๐—น๐˜† ๐˜€๐—ฐ๐—ฎ๐—ป your environment for ACL misconfigurations โ€” just like attackers do during recon.

You can do this manually (e.g. with PowerShell), but for more comprehensive and continuous detection, you might want to use a tool.
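As an illustration of the manual PowerShell route, here is an added example that is not part of the original post and not a Forestall component: it reads the DACL of the domain head and lists every principal that can DCSync the domain, either directly through the replication extended rights or indirectly through GenericAll, WriteDacl or WriteOwner on the same object. It assumes a domain-joined Windows host; the list of expected default holders (`$ExpectedPrincipals`) is my assumption about a stock domain and should be adjusted to documented, intentional delegations in yours.

```powershell
# Added example, not from the original post: who can DCSync this domain?
# Reads the domain head's DACL and flags every principal that holds the replication
# extended rights (or a right that trivially leads to them) and is not a default holder.
# Assumption: run on a domain-joined Windows host. Any authenticated user can read the
# domain object's security descriptor, so no admin rights are needed for the check itself.

Set-StrictMode -Version Latest

# Extended-right GUIDs behind DCSync (Get-Changes + Get-Changes-All together allow secret replication).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# An ExtendedRight ACE with an all-zero ObjectType grants every extended right, replication included.
$AllExtendedRights = [guid]::Empty

# Rights that are as good as DCSync: GenericAll includes every extended right,
# WriteDacl/WriteOwner let the holder grant the replication rights to itself.
$Rights         = [System.DirectoryServices.ActiveDirectoryRights]
$EquivalentMask = $Rights::GenericAll -bor $Rights::WriteDacl -bor $Rights::WriteOwner

# Assumed default holders in a stock domain; anything else is worth a closer look.
$ExpectedPrincipals = @(
    'Domain Controllers', 'Enterprise Domain Controllers', 'Enterprise Read-only Domain Controllers',
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'SYSTEM'
)

function Get-DcSyncCapableAces {
    [CmdletBinding()]
    param(
        # Object whose DACL is inspected; defaults to the domain head of the current domain.
        [string]$DistinguishedName
    )
    if (-not $DistinguishedName) {
        $rootDse = [ADSI]'LDAP://RootDSE'
        $DistinguishedName = $rootDse.psbase.Properties['defaultNamingContext'].Value
    }
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $acl   = $entry.psbase.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        $hasExtended   = ($ace.ActiveDirectoryRights -band $Rights::ExtendedRight) -ne 0
        $isReplication = $hasExtended -and (
            $ace.ObjectType -eq $AllExtendedRights -or $ReplicationRights.ContainsKey($ace.ObjectType.ToString()))
        $equivalent    = $ace.ActiveDirectoryRights -band $EquivalentMask
        if (-not $isReplication -and $equivalent -eq 0) { continue }

        if (-not $isReplication) {
            $label = $equivalent.ToString()
        } elseif ($ace.ObjectType -eq $AllExtendedRights) {
            $label = 'All extended rights'
        } else {
            $label = $ReplicationRights[$ace.ObjectType.ToString()]
        }

        # Resolve the SID to a name; deleted or foreign-domain principals stay as raw SIDs.
        $sid = $ace.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        $shortName = ($name -split '\\')[-1]

        [pscustomobject]@{
            Principal  = $name
            Right      = $label
            Inherited  = $ace.IsInherited
            Suspicious = $shortName -notin $ExpectedPrincipals
        }
    }
}

# Suspicious rows first: each one is either a documented, intentional delegation or a finding.
Get-DcSyncCapableAces | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it as any domain user; if it returns a row marked Suspicious that nobody can explain, that principal (and everyone who can write to it) is effectively a Domain Admin. Unresolvable SIDs are worth chasing too: an ACE for a deleted account is dead weight that should be removed. The same pattern generalises to the "smaller delegations" above by pointing `-DistinguishedName` at an OU, a group or a GPO and swapping the rights and GUIDs you care about.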

🔧 One solution I've recently tested is Forestall ISPM.
I've been working directly with the Forestall team, and after some testing, I can confidently say the product delivers. It scans for misconfigured ACLs, dangerous permissions, and even attack paths.
👉 More details are in the link provided in the comments.

🧪 Thanks to our collaboration, you can also try it for free – just write a comment, and I will make it happen. If you give it a spin, let me know — I might even be able to arrange a discount for you.

Are you regularly checking your AD for these misconfigurations?