An ACE Up the Sleeve - Designing Active Directory DACL Backdoors
AI, Data Science & Cloud Certificates from Google, IBM & Meta
Pass the PMP® Exam on Your First Try — Expert-Led Training
Overview
Google, IBM & Meta Certificates – 40% Off
One plan covers every Professional Certificate on Coursera.
Unlock All Certificates
Explore the untapped offensive landscape of Active Directory (AD) object discretionary access control lists (DACLs) in this Black Hat conference talk. Delve into how control relationships between AD objects align with the "attackers think in graphs" philosophy, exposing a new class of control edges that expand paths to domain compromise. Learn about elevation vs. persistence techniques, targeting various AD objects, and understanding AD generic and control rights. Discover stealthy primitives, hidden DCSync backdoors, and the implications for tools like LAPS. Examine the impact on event logs, replication metadata, and potential future developments in this critical area of cybersecurity.
Syllabus
Intro
Disclaimer
Why Care?
Previous Work
DS_CONTROL_ACCESS
SRM and Canonical ACE Order
Elevation vs. Persistence
Target: User Objects
Target: Group Objects
Target: Computer Objects
Target: Domain Objects
AD Generic Rights
AD Control Rights
BloodHound Analysis
Objective
Stealth Primitive
Primitives: Summary
A Hidden DCSync Backdoor
Admin SDHolder
Domain user can access AdmPwd! LAPS cmdlet doesn't detect it!
Exchange Strikes Back
Event Logs
Replication Metadata
Future Work
Taught by
Black Hat