Shadow Admins: Underground Accounts That Undermine The Network

Industry Standards

Privileged account: An information system account with authorizations of a privileged user. [CNSSI 4009]

Privileged user: A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. [CNSSI 4009]
Discovering Privileged Accounts

Built-in admin groups in Active Directory:

C:\> net group /domain
-------------------------------------------------------------------------------
* Enterprise Admins
* Domain Admins
* Account Operators
* Schema Admins

Organization-defined admin groups:

C:\> net group /domain
-------------------------------------------------------------------------------
* Administrators_Global
* A_Admins_UK
* Server_Admins_Local
* WS_Admins_Local

Shadow Admins: privileged accounts that appear in neither list.
Shadow Admins

IDENTIFICATION CARD
Name: Shadow Admin
D.O.B.: Not part of any privilege group
ID #: S-1-5-21-3623812015-3361044358-30301820-1014
Issued: 08/06/2017
Expires: NEVER

Shadow Admin has direct privileged permissions!
Permissions and ACLs - on directories

[Figure: the ACL of a file-system directory. Trustees shown: SYSTEM, Administrators, User1, Guest. Access levels shown: Full Control, Read & Write, Read Only.]
Permissions and ACLs - in Active Directory

[Figure: the ACL of an AD object (groups, the domain root, containers, GPOs) works like a directory ACL, but the rights are directory-specific. Trustees shown: SYSTEM, Enterprise Admins, Domain Admins, Authenticated Users, User1, User2. Rights shown: Full Control, Create Child Objects, Delete Child Objects, Change Password, Read Only.]
Direct vs Group ACL Assignment

Group assignment: the permission is granted to a group, and the account holds it only through its membership in that group.
Direct assignment: the permission is granted to the account itself, so it never shows up in any group listing.

Example of direct assignment:
Account Emily has the DCSync permission on the domain, and so can steal all the passwords (replicate every account's password hashes from a DC).
Account Emily has the Reset Password permission on the Administrator account.
The Red Side Scenarios

• Privilege Escalation
• Persistence
Privilege ACL Scanner - Results

Full CSV output: every account and its privileged permission.
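The slides above describe the rights that matter in an AD ACL (full control on an object, DCSync on the domain root, reset password on the Administrator account), the difference between holding them through a group and holding them directly, and a scanner that writes every privileged permission to CSV. The following PowerShell is an added example, not code from the deck or from the ACLight project: it walks the DACLs of the domain root, the built-in admin groups and the built-in Administrator account, keeps only control-equivalent rights, and labels each trustee as privileged by group membership or by a direct ACE (a Shadow Admin). It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the directory, and the module's default AD: drive; the group list, the target set and the output file name are choices made here.

```powershell
# Added example (not the deck's or ACLight's code). Finds trustees that hold
# control-equivalent rights on sensitive AD objects and separates group-based
# assignment from direct (shadow admin) assignment.
# Assumes: RSAT ActiveDirectory module, domain-joined session with read access,
# and the AD: PSDrive the module creates by default.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Baseline: who is privileged by group assignment. The matching-rule OID
#    1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC expand
#    nested membership server-side, so one query per group is enough.
$builtInAdminGroups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins',
                      'Administrators', 'Account Operators'
$knownPrivileged = @{ 'S-1-5-18' = 'SYSTEM'; 'S-1-5-9' = 'Enterprise Domain Controllers' }
$adminGroupDNs   = @()
foreach ($name in $builtInAdminGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # e.g. Enterprise Admins exists only in the forest root
    $adminGroupDNs += $group.DistinguishedName
    $knownPrivileged[$group.SID.Value] = $name
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" -Properties objectSid |
        Where-Object { $_.objectSid } |
        ForEach-Object { $knownPrivileged[$_.objectSid.Value] = "member of $name" }
}

# 2. Rights that amount to control of the target. Extended rights are matched on
#    the rightsGuid carried in the ACE's ObjectType (well-known schema values).
$controlMask = [int]([System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl  -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)
$extendedRightNames = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'      # DCSync needs this...
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'  # ...and this
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'      # reset password
    '00000000-0000-0000-0000-000000000000' = 'All-Extended-Rights'             # empty GUID = every extended right
}

# 3. Targets: the domain root (where DCSync rights live), the admin groups
#    themselves, and the built-in Administrator account (RID 500).
$adminDN = (Get-ADUser -Identity "$($domain.DomainSID.Value)-500").DistinguishedName
$targets = @($domainDN) + $adminGroupDNs + $adminDN

# 4. Walk each DACL and classify every privileged Allow ACE.
$results = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights  = [int]$ace.ActiveDirectoryRights
        $extName = $null
        if ($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
            $extName = $extendedRightNames[$ace.ObjectType.ToString()]
        }
        if (-not $extName -and (($rights -band $controlMask) -eq 0)) { continue }

        # Resolve the trustee to a SID so it can be compared with the baseline.
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $null }

        [pscustomobject]@{
            Object     = $dn
            Trustee    = $ace.IdentityReference.Value
            Right      = if ($extName) { $extName } else { $ace.ActiveDirectoryRights.ToString() }
            Inherited  = $ace.IsInherited
            Assignment = if ($sid -and $knownPrivileged.ContainsKey($sid)) { $knownPrivileged[$sid] }
                         else { 'DIRECT (Shadow Admin)' }
        }
    }
}

# 5. Every privileged ACE goes to CSV; trustees outside the admin groups to the console.
$results | Export-Csv -Path .\privileged-aces.csv -NoTypeInformation
$results | Where-Object { $_.Assignment -like 'DIRECT*' } | Sort-Object Trustee |
    Format-Table Trustee, Right, Object, Inherited -AutoSize
```

Two points to keep in mind when reading the output. A trustee is only reported as DIRECT when it is not already inside the built-in admin population, so an account that is a Domain Admin and also carries its own ACE is left to the group enumeration; an account like the Emily of the slide, which is in no admin group, is flagged. DCSync requires both replication rights on the domain root, so a trustee that shows up with only one of the two GUIDs cannot replicate secrets on its own, but the missing half is a single ACE away and the finding is still worth removing. Extending the target set to every user, group and OU is what turns this into a full scan; expect the ACL walk to take minutes rather than seconds on a large directory.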
Light In The Shadows

[Figure: the privileged population is made up of Domain Groups, Local Groups, and the Shadow Admins that belong to neither.]
Download & Run Free:
https://github.com/CyberArkLabs/ACLight
Lavi.Lazarovitz@cyberark.com, @LaviLazarovitz
Asaf.Hecht@cyberark.com, @Hechtov
Actionable Takeaways
KNOW all your privileged accounts in the network:
• By group assignments
• By ACLs analysis of the Active Directory
HOW:
• Scan your network for Shadow Admins - who have sensitive direct permissions
• Use our free privileged ACLs scanning tool:
https://github.com/CyberArkLabs/ACLight
SECURE those newly detected privileged accounts!