Identify Managed AD Security Groups #119
This function identifies AD groups which have the 'managedBy' attribute set (which will be the DN of a user who is allowed to manage the group) and is based on my initial msf module (rapid7/metasploit-framework#6375).
AD groups can be managed by otherwise low privileged users by setting the 'Managed By' attribute:
This is routinely used for distribution groups, but it turns out that security groups also support this option. If the 'manager can update membership list' option is set, it allows that user to add members to the group. This has two implications:
This module is concerned with Implication 1: identifying AD groups which have a manager set.
Explanation of Impact
On a test domain (goat.stu), an unprivileged user has been created with default privileges. As can be seen, this user does not have sufficient privileges to manipulate the domain admins group.
However, if a domain admin user sets the unprivileged user to be the manager of the Domain Admins group and sets the 'Manager can update membership list' option:
The function now returns an object showing the presence of a managed group:
This then allows the unprivileged.user to add themselves (or any other user) to the Domain Admins group.
This function is not likely to be regularly used, but could reveal an otherwise hidden horizontal privilege escalation vulnerability. It is unusual for groups to be managed by non-domain admins but is not unheard of.
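An added defender-side audit example for the condition the PR describes, written here and not part of the PR or of the project's own code. It uses the RSAT ActiveDirectory module rather than PowerView, and relies on the fact that the ADUC 'Manager can update membership list' checkbox is implemented as an ACE granting the manager WriteProperty on the group's `member` attribute (schemaIDGUID bf9679c0-0de6-11d0-a285-00aa003049e2); the function name and output fields are my own.

```powershell
# Audit: list security groups with managedBy set and flag those where the manager
# also holds write access to 'member' (i.e. the 'Manager can update membership list' ACE).
# Assumes the RSAT ActiveDirectory module; run as a domain user that can read group ACLs.
Import-Module ActiveDirectory

$MemberAttrGuid   = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # 'member' attribute
$SecurityGroupBit = 0x80000000                                      # groupType: security-enabled
$WriteLikeRights  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                    [int][System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                    [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-ManagedSecurityGroupAudit {
    [CmdletBinding()]
    param([string]$SearchBase)   # optional OU/domain DN to scope the search

    $query = @{ LDAPFilter = '(managedBy=*)'
                Properties = 'managedBy','groupType','adminCount','nTSecurityDescriptor' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($group in Get-ADGroup @query) {
        # Distribution groups are the normal case for managedBy; only security groups matter here
        if (-not ($group.groupType -band $SecurityGroupBit)) { continue }

        $manager    = Get-ADObject -Identity $group.managedBy -Properties objectSid, adminCount
        $managerSid = $manager.objectSid

        # Any Allow ACE for the manager that covers the 'member' attribute (or the whole object)
        $memberAce = $group.nTSecurityDescriptor.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $WriteLikeRights) -ne 0) -and
            ($_.ObjectType -eq $MemberAttrGuid -or $_.ObjectType -eq [Guid]::Empty) -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $managerSid
        }

        [PSCustomObject]@{
            Group                   = $group.DistinguishedName
            GroupIsProtected        = [bool]$group.adminCount      # AdminSDHolder-protected (e.g. Domain Admins)
            Manager                 = $manager.DistinguishedName
            ManagerIsProtected      = [bool]$manager.adminCount
            ManagerCanUpdateMembers = [bool]$memberAce
        }
    }
}

# Typical triage: protected groups whose manager is an unprotected account and can write members
Get-ManagedSecurityGroupAudit |
    Where-Object { $_.GroupIsProtected -and -not $_.ManagerIsProtected -and $_.ManagerCanUpdateMembers } |
    Format-Table -AutoSize
```

Rows where `ManagerCanUpdateMembers` is true for an AdminSDHolder-protected group are the horizontal escalation path the PR describes; a manager ACE without the member-write right is the benign case of the attribute being purely informational.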