- Recorded Date:Mar. 10, 2022
- Event:On Demand
When you analyze major breaches, it invariably comes down to a single vulnerability that was the major break the attacker needed to really bring off the attack. Often that break is about obtaining access to a single account and then elevating access to an account with more access. In a typical AD environment that has accreted objects, accounts, entitlements, and other complexity over decades it turns out that many accounts have been delegated privileged access in Active Directory and attackers can take advantage of those permissions.
This opens an abundance of attack paths in AD, but in this on-demand webcast, AD and Windows security expert Randy Franklin Smith will zero in on one example: Edit permissions on a group policy object. If that doesn’t sound like a powerful sort of privileged access, you need to understand this: Having edit access to a GPO effectively gives you administrator authority to all the computers that apply that GPO. This session demonstrates more than one way to prove that claim.
Then the session will explore the security controls available in Windows and Active Directory that control who can make changes to group policy objects, as well as group policy related attributes on other objects like Organizational Units and Domain roots. The latter is an important point because changing the gpLink or gpOptions attribution on an OU can be just as disruptive as editing an actual GPO.
So, it’s important to carefully manage the security of:
• Group Policy Creator Owners group
• The GPO itself
• The System/Policies folder in AD
• The sysvol folder on domain controllers
• The gpLink and gpOptions attributes on the domain root and organizational units
After an introduction to group policy access control and why it’s so important, Quest’s Bryan Patton will demonstrate a very realistic attack path involving one account that was delegated access to group policy and how practically the whole domain can be taken over by compromising that one account.
In addition, we’ll hear from Andy Robbins, whose background is in red teaming, where he performed numerous red team operations and penetration tests against banks, credit unions, health-care providers, defense companies, and other Fortune 500 companies across the world. He has presented at DEF CON, BSides Las Vegas, DerbyCon, ekoparty, and actively researches Active Directory and Azure security. He is also co-creator of SpecterOps BloodHound and he will briefly show you how Attack Path Management technology continuously maps and quantifies Active Directory Attack Paths – millions of them.