Lavi Lazarovitz
Security Research Team Lead
Asaf Hecht
Security Researcher
Shadow Admins
Shadow Admins: Underground Accounts That Undermine The Network
[Diagram: Privileged Accounts - Admin A, Admin B, and the Shadow Admin standing apart from them]
Industry Standards
SHADOW ADMIN
Industry Standards [CNSSI 4009]
Privileged account: An information system account with authorizations of a privileged user.
Privileged user: A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
Discovering Privileged Accounts
Built-in Admin Groups (Active Directory):
C:\> NET GROUPS /Domain
* Enterprise Admins
* Domain Admins
* Account Operators
* Schema Admins
Organization Defined Groups:
C:\> NET GROUPS /Domain
* Administrators_Global
* A_Admins_UK
* Server_Admins_Local
* WS_Admins_Local
Shadow Admins: the third category, appearing in neither listing
Shadow Admins
IDENTIFICATION CARD
Name: Shadow Admin
D.O.B.: Not part of any privilege group
ID #: S-1-5-21-3623812015-3361044358-30301820-1014
Issued: 08/06/2017
Expires: NEVER
Shadow Admin has Direct Privilege Permissions!
Permissions and ACLs - on directories
[Diagram: a directory's ACL, with principals SYSTEM, Administrators, User1 and Guest and the permission levels FULL CONTROL, READ & WRITE and READ ONLY]
Permissions and ACLs - in Active Directory
[Diagram: an ACL on AD objects (Groups, Domain root, Containers, GPOs), with principals SYSTEM, Enterprise Admins, Domain Admins, Authenticated Users, User1 and User2 and the rights FULL CONTROL, CREATE CHILD OBJECTS, DELETE CHILD OBJECTS, CHANGE PASSWORD and READ ONLY]
LET’S SEE IT
Active Directory - Object tree and ACL
Direct vs Group ACL Assignment
[Screenshots: Group assignment vs. Direct assignment of an ACE]
Direct vs Group ACL Assignment
Account Emily has DC Sync permission on the Domain, and so can steal all the passwords.
Account Emily has Reset Password permission on the Administrator account.
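As an added example (not ACLight's code, nor the slides' own), this PowerShell script checks the two cases the slide describes: replication (DCSync) rights on the domain root and the Reset Password right on the Administrator account. It reports every grant and flags those assigned directly to a user object rather than to a group. It assumes the RSAT ActiveDirectory module on a domain-joined host; the GUIDs are the standard AD extended-right identifiers.

```powershell
# Added example: find sensitive AD ACEs and flag those granted directly to a user.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined, domain-authenticated session.
Import-Module ActiveDirectory

# Extended-right GUIDs for the permissions the slides call out.
# DCSync needs both replication rights; a password reset needs User-Force-Change-Password.
$SensitiveRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
}
# An ExtendedRight ACE whose ObjectType is the empty GUID grants every extended right.
$AllExtendedRights = '00000000-0000-0000-0000-000000000000'

function Get-SensitiveAce {
    # Emits one record per Allow ACE on the object that grants a sensitive right.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $rights   = $ace.ActiveDirectoryRights
        $guid     = $ace.ObjectType.ToString().ToLower()
        $generic  = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        $extended = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)

        $matched = if ($generic) { 'GenericAll (Full Control)' }
                   elseif ($extended -and $guid -eq $AllExtendedRights) { 'All extended rights' }
                   elseif ($extended -and $SensitiveRights.ContainsKey($guid)) { $SensitiveRights[$guid] }
        if (-not $matched) { continue }

        # Resolve the trustee to an AD object so a user can be told apart from a group.
        # Well-known principals such as NT AUTHORITY\SYSTEM have no AD object and stay 'unresolved'.
        $sid = $null
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
        $principal = if ($sid) { Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass } else { $null }
        $class = if ($principal) { $principal.objectClass } else { 'unresolved' }

        [pscustomobject]@{
            Object    = $DistinguishedName
            Trustee   = $ace.IdentityReference.Value
            Type      = $class
            Right     = $matched
            Inherited = $ace.IsInherited
            Direct    = ($class -eq 'user')   # a user trustee = direct assignment = shadow admin candidate
        }
    }
}

# The two targets from the slide: the domain root (DCSync) and the Administrator account (password reset).
$domain  = Get-ADDomain
$targets = @($domain.DistinguishedName, (Get-ADUser -Identity 'Administrator').DistinguishedName)

$findings = $targets | ForEach-Object { Get-SensitiveAce -DistinguishedName $_ }

# Group-based grants (Domain Admins, Enterprise Domain Controllers, ...) are expected on the domain root;
# a direct grant to a user account is the pattern the talk names a Shadow Admin.
$findings | Where-Object Direct | Format-Table Object, Trustee, Right, Inherited -AutoSize
```

Run it as an account that can read the domain root's security descriptor; drop the `Where-Object Direct` filter to see the group-based grants as well and compare the two lists.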
The Red Side Scenarios: Privilege Escalation, Persistence
User Rights - Local Privileged Accounts
C:\> NET LOCALGROUP
* Administrators
  ** Load and unload device drivers
  ** Manage Auditing and security logs
* Remote Desktop Users
  ** Allow logon through remote desktop services
WATCH THE USER RIGHTS
Local User Rights
User Rights Attack
Our Free Tool - ACLight - Shadow Admin Scanner
PowerShell, on GitHub, automatic
Privilege ACL Scanner - Results
Full CSV output – every account and its privileged permission:
Light In The Shadows
[Diagram: Domain Groups, Shadow Admins, Local Groups]
Download & Run Free:
https://github.com/CyberArkLabs/ACLight
Lavi.Lazarovitz@cyberark.com, @LaviLazarovitz
Asaf.Hecht@cyberark.com, @Hechtov
Actionable Takeaways
KNOW all your privileged accounts in the network:
• By group assignments
• By ACL analysis of the Active Directory
HOW:
• Scan your network for Shadow Admins - accounts that hold sensitive direct permissions
• Use our free privileged ACL scanning tool:
https://github.com/CyberArkLabs/ACLight
SECURE those newly detected privileged accounts!