
In this blog post I want to show a simulation of a real-world Resource Based Constrained Delegation attack scenario that could be used to escalate privileges on an Active Directory domain.

I recently faced a network that had had several assessments done before. Luckily for me, before this engagement I had used some of my research time to understand more advanced Active Directory attack concepts.

This blog post isn’t new and I used lots of existing tools to perform the attack. Worse, there are easier ways to do it as well. But, this assessment required different approaches and I wanted to show defenders and attackers that if you understand the concepts you can take more than one path.

The core of the attack is about abusing resource-based constrained delegation (RBCD) in Active Directory (AD). Last year, Elad Shamir wrote a great blog post explaining how the attack works and how it can result in a Discretionary Access Control List (DACL)-based computer object takeover primitive. In line with this research, Andrew Robbins and Will Schroeder presented DACL-based attacks at Black Hat back in 2017 that you can read here.

To test the attacks I created a typical client network using an AWS Domain Controller (DC) with some supporting infrastructure. This also served as a nice addition to our Infrastructure Training at SensePost by expanding the modern AD attack section and practicals.

After some time on the network, I was able to collect local and domain credentials that I used in further lateral movement. The attack is demonstrated against my practice environment.
