“This makes operational sense, but if you’ve ever thought about it from an attacker’s perspective, the implications are significant: if your domain controllers run as VMs on ESXi, then anyone with administrative access to the hypervisor has implicit access to the DC guest. A …”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1003.006 DCSync (53%)
“Tier 0. Consider migrating to Azure AD Cloud Sync, which avoids provisioning a domain-level DCSync account. Understanding shadow admin levels and detection: what makes this especially concerning is that the Azure AD Connect server is often treated as a mid-tier application ser…”
T1003.006 DCSync (37%)
“AD Connect for directory synchronization, you’ve almost certainly seen the MSOL_-prefixed service accounts that it provides. These accounts require DCSync rights by design, the exact permissions needed to replicate every password hash in the domain. On a recent engagement, gua…”
T1558.003 Kerberoasting (36%)
“delegation (RBCD). An attacker who compromises a helpdesk account can configure any writable computer object to trust an attacker-controlled account for delegation, then use S4U2Self and S4U2Proxy to impersonate a domain admin on that machine. If the writable computer object …”
T1098 Account Manipulation (34%)
“hypervisor admin can compromise it, extract the token-signing certificate, and forge SAML tokens into your cloud environment, all without ever authenticating to Active Directory. That’s a shadow admin chain spanning three distinct administrative domains (VMware, AD, AWS), a…”
Summary
What Are Shadow Admins in AD? A common problem we encounter within many customer Active Directory environments is accounts that, at first glance, may appear innocuous, but that actually have hidden administrative privileges or unrolled privileges equivalent to those of a domain administrator account. We call these accounts shadow domain admins. These accounts don’t show […]