Top 3 Microsoft AD Security Horror Stories of 2021

This guest blog was contributed by Andy Robbins, Technical Architect at SpecterOps.



At SpecterOps, our experts bring extensive technical and operational backgrounds that provide a unique adversarial perspective into customers’ systems and Active Directory environments. As one of those experts, I’ve performed numerous red team operations and penetration tests against banks, credit unions, health-care providers, defense companies, and other Fortune 500 companies across the world to evaluate how well they can protect their most critical assets against the most skilled adversaries.


You know Blade Runner, “I’ve seen things you people wouldn’t believe”? Here are a few horror stories about real life security risks we’ve seen this year involving Microsoft Active Directory (AD).

  1. From zero to Domain Admin in 60 seconds or less. In an environment locked down against well-known attack primitives, we were able to escalate to Domain Admin from *any* user in the domain because the “Everyone” principal had been granted “Full Control” of the domain head object. With new attack research and primitives emerging all the time, defenders must stay on top of all attack possibilities: both new and old.

  2. Remote Desktop Protocol (RDP) exposed on the perimeter and forwarded internally to a Domain Controller, where the admin username was “Administrator” and the password was “Password1” – meaning anybody on the internet could just RDP to their domain controller with super-generic credentials (and probably already had). This example, while seemingly egregious, is actually more common than you might think.

  3. Focusing on the exotic at the cost of missing the basics. An organization had very finely tuned detection and response capabilities for very advanced and exotic attack techniques, including techniques our team developed during our engagement with them. The rock star defenders easily detected and responded to domain fronting when that was a new technique, and they had no trouble seeing our lateral movement via remote COM object instantiation. With all this focus on the new and exotic, however, they were blind to one of the most common lateral movement techniques: PsExec. A simple error in collecting the wrong Windows event ID left them blind for several years to this most basic attack primitive.
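Stories 1 and 3 both come down to a basic check that nobody ran. The PowerShell below is an added example written for this post, not code from the author or from SpecterOps, that performs those two checks: it lists ACEs on the domain head object granted to broad principals such as “Everyone”, and it looks for PsExec-style service installs in the System event log. It assumes the ActiveDirectory RSAT module is installed and that the caller can read the domain ACL and the System log; the function names, the list of “broad” principals and the rights considered dangerous are my own choices. The post does not say which event ID the organization in story 3 was missing; the example uses System event 7045 (“A service was installed in the system”), the standard event a default PsExec run produces on the target.

```powershell
Import-Module ActiveDirectory

function Get-DomainHeadRiskyAces {
    <#
      Story 1 check: who holds powerful rights on the domain head object?
      Returns Allow ACEs where a broadly scoped principal (Everyone, Authenticated
      Users, Domain Users, ...) has GenericAll / WriteDacl / WriteOwner / GenericWrite.
      Any result here is a domain-wide escalation path and should be reviewed.
    #>
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"

    # Assumed list of principals that effectively mean "every user"; tune for your domain.
    $broadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Users')
    $dangerousRights = 'GenericAll|WriteDacl|WriteOwner|GenericWrite'

    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        # Strip "DOMAIN\" or "NT AUTHORITY\" so the name compares cleanly.
        ($broadPrincipals -contains ($_.IdentityReference.Value -replace '^.*\\', '')) -and
        ($_.ActiveDirectoryRights -match $dangerousRights)
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType
}

function Find-PsExecServiceInstall {
    <#
      Story 3 check: is the basic service-install telemetry present, and does it show PsExec?
      System event 7045 is written whenever a service is installed; a default PsExec run
      installs a service named PSEXESVC with image %SystemRoot%\PSEXESVC.exe.
      Name matching is only a baseline (the service can be renamed); the point of this
      check is that 7045 is collected at all, and that it fires during normal use.
    #>
    param([int]$Days = 30)

    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No 7045 events found in the last $Days days. Either no services were installed, or this log is not being kept/collected - confirm before trusting any PsExec detection built on it."
        return
    }

    foreach ($e in $events) {
        # 7045 event data layout: [0] ServiceName, [1] ImagePath, [2] ServiceType, [3] StartType, [4] AccountName
        $svcName   = $e.Properties[0].Value
        $imagePath = $e.Properties[1].Value

        if ($svcName -match 'PSEXESVC' -or $imagePath -match 'PSEXESVC') {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Computer    = $e.MachineName
                ServiceName = $svcName
                ImagePath   = $imagePath
                Account     = $e.Properties[4].Value
            }
        }
    }
}

# Usage: run on a domain-joined admin workstation (ACL check) and on a server whose
# System log you want to validate (service-install check).
Get-DomainHeadRiskyAces | Format-Table -AutoSize
Find-PsExecServiceInstall -Days 90 | Format-Table -AutoSize
```

The ACL check is deliberately narrow: it only flags explicit Allow ACEs to broad groups, which is exactly the misconfiguration in story 1, so a clean result does not mean the domain is safe. The service-install check fails loudly when the log is empty, because story 3 is a story about telemetry that was never collected, not about an alert that misfired.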

