Dude, Where’s My Domain Admins?

OVERVIEW

*Attacker pops a workstation on your domain*
*Attacker establishes her foothold and local persistence*
*Attacker begins recon of AD, starting with Domain Admins*

ERROR: The group name could not be found.

Attacker, with a disconcerted look on her face: “Dude, where’s my Domain Admins?”

Killchains that involve AD usually involve enumeration of highly-privileged accounts: members of Domain/Enterprise/Builtin Admins, Server Operators, etc. Those groups and their members can be enumerated in AD by default, exposing members as targets of exploitation to obtain those privileges. However, there’s a way to use in-the-box AD capabilities to thwart these attempts. Using List Object mode, implicit deny, and AdminSDHolder/SDProp, AD defenders can hide these principals from unprivileged users. In this talk, I’ll walk you through the principles, process, and pitfalls, so you can raise the bar on your AD defenses without blowing things up.