Carlos García, Security Penetration Testing Lead in the Cyber Risk practice at Kroll, presented “Pentesting Active Directory Forests” last month at RootedCON 2019, one of the most important cybersecurity conferences in Spain. Carlos addressed the lack of knowledge about trust relationships between domains and forests and highlighted the often-unrecognized risks that different trust relationships present for organizations.
Watch the full presentation below (in Spanish).
Active Directory (AD) is a critical software for most organizations. The backbone of the organization, it is the single centralized point that handles authentication and authorization control access to all critical resources within an organization. However, AD deployments must be constantly adapted, evolved and restructured as employee and business needs change. As a result, they become hard to maintain over time. This is particularly relevant for large organizations with complex infrastructures supporting complex business processes.
In the presentation, Carlos investigated how attackers take advantage of AD trust relationships to compromise the domains and forests involved, especially when the target is in a different domain.
He showed how to carry out an in-depth reconnaissance phase, how authentication protocols across domains and forests work and the attacks and techniques to leverage to move laterally and vertically across domains and forests – in short, a methodology to penetration test AD forests.
- Domain trust boundaries are not security boundaries.
- Trusts can introduce unintended access paths. There should be a business justification for each trust and they need to be constantly managed and reviewed.
- Losing control of the Key Distribution Center Service Account responsible to grant Kerberos Authentication Ticket (KRBTGT) password hash of any domain could equate to losing control of the entire forest. You must reset KRBTGT twice in every domain in the forest.
Compromise of just one Domain Admin account in the AD forest exposes the entire organization to risk. The attacker would have unrestricted access to all resources managed by all domains, users, servers, workstations and data. Moreover, the attacker could instantly establish persistence in the AD environment, and this is difficult to notice and cannot be efficiently remediated with guarantees.
The video of the talk has not been published yet by RootedCON, however the slides are available for download on this page in PDF format.
Assessing Active Directory Security
Our Cyber Risk team observed that many companies face challenges around the security and integrity of their AD. We help assess the security maturity of your AD deployment and improve its resilience to meet the appropriate security level for your business in the threat environment you operate in.