Identify Managed AD Security Groups #119

Merged

@stufus
Contributor

commented Dec 24, 2015

Overview

This function identifies AD groups which have the 'managedBy' attribute set (which will be the DN of a user who is allowed to manage the group) and is based on my initial msf module (rapid7/metasploit-framework#6375).

AD groups can be managed by otherwise low privileged users by setting the 'Managed By' attribute:

managed_by_tab

This is routinely used for distribution groups, but it turns out that security groups also support this option. If the 'manager can update membership list' option is set, it allows that user to add members to the group. This has two implications:

  1. If your user happens to be the manager of a group with this option set, you can add yourself or any other user to the group.
  2. You could maintain Domain Admins persistence by setting the Domain Admins group (or any group which is also a member of the Domain Admins group) to be managed by your user. You would then have the ability to gain domain administrator privileges whenever you wished to acquire them.

This module is concerned with Implication 1: identifying AD groups which have a manager set.

Explanation of Impact

On a test domain (goat.stu), an unprivileged user has been created with default privileges. As can be seen, this user does not have sufficient privileges to manipulate the domain admins group.

unprivileged_user

However, if a domain admin user sets the unprivileged user to be the manager of the Domain Admins group and sets the 'Manager can update membership list' option:

domain_admin_set_managed

The function now returns an object showing the presence of a managed group:

PS C:\> Invoke-FindManagedSecurityGroups 

GroupDN         : CN=Domain Admins,CN=Users,DC=goat,DC=stu
ManagerDN       : CN=Unprivileged User,CN=Users,DC=goat,DC=stu
CanManagerWrite : True
ManagerCN       : Unprivileged User
ManagerType     : User
GroupCN         : Domain Admins
ManagerSAN      : unprivileged.user

manipulated_groups

Returned Object

| Name | Description |
| --- | --- |
| GroupDN | The distinguished name of the group |
| ManagerDN | The distinguished name of the manager of the group |
| CanManagerWrite | Either TRUE or FALSE; if the 'Manager can update membership list' option is set, it will be TRUE. |
| GroupCN | The common name of the group |
| ManagerSAN | The sAMAccountName (i.e. username) of the manager of the group |

This then allows the unprivileged.user to add themselves (or any other user) to the Domain Admins group.

Conclusion

This function is not likely to be regularly used, but could reveal an otherwise hidden horizontal privilege escalation vulnerability. It is unusual for groups to be managed by non-domain admins but is not unheard of.
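
A defender-side audit of the condition described above, as an added example that is not part of this pull request or of PowerView. It assumes the RSAT ActiveDirectory module and read access to the directory, reuses the PR's output property names for readability, and only detects write access granted directly to the manager (not via the manager's own group memberships).

```powershell
# Added audit example (not PowerView code). Lists security groups that have
# managedBy set and flags those whose manager can change the member list.
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute; an ACE scoped to it controls membership.
$MemberAttr = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$WriteProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Security-enabled groups (groupType bit 0x80000000) with a manager assigned.
$filter = '(&(objectCategory=group)(managedBy=*)(groupType:1.2.840.113556.1.4.803:=2147483648))'

Get-ADGroup -LDAPFilter $filter -Properties managedBy, nTSecurityDescriptor | ForEach-Object {
    $group   = $_
    $manager = Get-ADObject -Identity $group.managedBy -Properties objectSid, sAMAccountName

    # Explicit and inherited ACEs, with trustees returned as SIDs so they can be
    # compared to the manager's objectSid without name translation.
    $aces = $group.nTSecurityDescriptor.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $canWrite = $false
    foreach ($ace in $aces) {
        # Allow ACE for the manager that includes WriteProperty (GenericAll and
        # GenericWrite contain that bit), scoped to 'member' or to all properties.
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $manager.objectSid.Value -and
            ($ace.ActiveDirectoryRights -band $WriteProp) -and
            ($ace.ObjectType -eq $MemberAttr -or $ace.ObjectType -eq [Guid]::Empty)) {
            $canWrite = $true
            break
        }
    }

    [PSCustomObject]@{
        GroupDN         = $group.DistinguishedName
        ManagerDN       = $group.managedBy
        ManagerSAN      = $manager.sAMAccountName
        ManagerType     = $manager.ObjectClass
        CanManagerWrite = $canWrite
    }
} | Sort-Object -Property CanManagerWrite -Descending
```

Rows with CanManagerWrite set to True on privileged groups are the ones to review first; clearing managedBy alone does not remove the ACE, so the group's ACL needs to be checked as well.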

@HarmJ0y

Contributor

commented Dec 26, 2015

Awesome! Tested the code and it appears to work well. One request: can you rename "Invoke-FindManagedSecurityGroups" to "Find-ManagedSecurityGroup"? After that we'll land it.

HarmJ0y added a commit that referenced this pull request Dec 28, 2015
@HarmJ0y HarmJ0y merged commit d152e71 into EmpireProject:master Dec 28, 2015
@HarmJ0y

Contributor

commented Dec 28, 2015

Landed \m/

I'll roll this into a module at situational_awareness/network/powerview/find_managed_security_groups shortly with proper author citation.
