Active Directory Domain Services (or simply Active Directory) form the foundation of identity and access management in many organisations. They determine who is allowed to log in, which resources can be accessed and which administrative actions are permitted. This makes Active Directory not only a technical service, but also a central element of modern IT infrastructures. The security relevance of the authorisation structures mapped therein is correspondingly high.

This central role also makes the directory service a preferred target for attacks. While classic attack scenarios often target vulnerabilities in individual applications or operating systems, the focus here is on manipulating this central instance and thus also its authorisation structures. Access control via so-called access control lists (ACLs) in particular represents an effective point of attack here. They define which subjects within the directory service have which rights. Their targeted modification allows far-reaching privileges to be obtained without leaving any obvious administrative traces.

Access control as a structural principle

In order to understand the authorisation structure of Active Directory, the authorisation model itself must first be explained.

Access control in Active Directory follows a discretionary access control model: authorised security principals decide for themselves how access rights are allocated. Security principals are uniquely identifiable entities such as user, group or computer accounts, each with a clearly defined identity and role within the system. Technically, this model is implemented using security descriptors, which are attached to each security-relevant object (security principal). These formally describe the applicable access rights and the configuration of the associated logging.

A security descriptor consists of several components: the owner of the object, an optional group assignment (for historical compatibility reasons), a System Access Control List (SACL) and a Discretionary Access Control List (DACL). While the SACL determines which access attempts are logged, the DACL is crucial for the actual access control itself. It determines which actions are allowed or explicitly denied.

Figure 1: Structure of security descriptors


When access to an object is requested, this security descriptor is consulted to see, with the help of the ACL, whether the subject is allowed access in the first place and, secondly, what type of access is permitted and what is logged.

From a forensic point of view, the DACL is particularly important, as manipulation at this point has a direct impact on the effective permissions of an object and can often be used specifically to extend rights.

Permissions as semantic infrastructure

The DACL consists of an ordered list of individual access control entries (ACEs). Each ACE describes a specific access rule. It defines which subject – identified by a security identifier (SID) – is granted or denied certain rights. It is crucial that not only "access" in general is regulated, but also very precise operations, such as reading individual attributes, changing group memberships, deleting objects or taking ownership.

These rights are mapped using an access mask, a 32-bit bit field in which each set bit represents a specific authorisation. Several set bits together form a combination of rights, whose effect is the union (bitwise OR) of the individual authorisations.

Figure 2: Access mask structure (source: https://learn.microsoft.com/de-de/windows/win32/secauthz/access-mask-format?source=recommendations)


The so-called standard rights are particularly critical. They are object-independent and allow basic administrative operations. These include deleting objects, reading security-relevant information, and changing ownership or the access control lists themselves.

From a security and forensic perspective, the WRITE_DAC and WRITE_OWNER rights are particularly critical. WRITE_DAC allows the DACL of an object to be changed directly. A subject with this right can grant additional permissions to itself or others. WRITE_OWNER allows the owner of an object to be changed, thereby indirectly gaining control over its permissions.

These rights are more widespread than assumed. They are delegated, inherited or implicitly assigned via group memberships. Their effect is often not apparent, but their misuse is a central mechanism of ACL-based rights escalations.

In addition to standard rights, there are also object-specific rights. These are more closely linked to the function of an object and enable targeted, less conspicuous interventions in the structure of the directory service, making them particularly attractive to cybercriminals. In the case of group objects, they relate to adding or removing members, and in the case of user objects, to changing sensitive attributes. 

So-called extended rights play a special role here. They allow special operations that go beyond simple read or write access. Technically, they are referenced via GUIDs and are often difficult for administrators to track. Certain extended rights, for example, enable the replication of directory data and thus potentially access to password hashes or other highly sensitive information. Anyone who specifically assigns or receives them can therefore intervene deeply in the functioning of the directory service – up to and including reading the entire Active Directory database.

To make the complexity of permissions described above manageable, Windows also has generic rights such as GENERIC_READ, GENERIC_WRITE, and GENERIC_ALL. These are intended as shorthand: each occupies a single bit in the access mask, but that bit is mapped internally to a combination of standard and object-specific rights, so, unlike all the rights mentioned above, a generic bit does not stand for one specific operation. Which permissions a generic right actually expands to depends on the respective object type.

GENERIC_ALL in particular is attractive as an attack vector. It stands for complete access to an object and includes, among other things, the ability to change its DACL or take ownership. In practice, granting such a right may be sufficient to enable complete privilege escalation.
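To make the access-mask semantics of this section concrete, here is an added example in Python; it is not code from the article. It decodes a DACL written in SDDL, the text form in which Windows tools export security descriptors, expands the generic bits into the specific rights they stand for on directory objects, and flags exactly the ACEs the text singles out: WRITE_DAC, WRITE_OWNER, GENERIC_ALL, and CONTROL_ACCESS on an extended right such as directory replication. The bit values and the generic-to-specific mapping are the ones Microsoft documents for Active Directory; the three extended-right GUIDs are the well-known values for the replication and password-reset rights. The DACL itself, including its domain SID and RIDs, is constructed for the example.

```python
"""Decode a DACL given as an SDDL string and flag ACEs that confer control
over the object itself (WRITE_DAC, WRITE_OWNER, GENERIC_ALL) or grant a
sensitive extended right.  Added example code, not part of the article;
the DACL at the bottom is constructed, not taken from a real directory."""
import re

# SDDL two-letter code -> access-mask bit for directory objects
# (MS-DTYP 2.4.3 / MS-ADTS 5.1.3.2).
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8,        # create/delete child, list, validated write
    "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80,    # read/write property, delete tree, list object
    "CR": 0x100,                                       # DS_CONTROL_ACCESS: the extended-rights bit
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,  # standard rights: DELETE,
                                                       # READ_CONTROL, WRITE_DAC, WRITE_OWNER
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,  # generic rights
}
CODE_OF_BIT = {bit: code for code, bit in RIGHTS.items() if not code.startswith("G")}

# A generic right is a single bit that the directory service maps to a
# combination of standard and object-specific rights (MS-ADTS 5.1.3.2).
GENERIC_MAPPING = {
    RIGHTS["GR"]: 0x00020094,  # RC | LC | RP | LO
    RIGHTS["GW"]: 0x00020028,  # RC | SW | WP
    RIGHTS["GX"]: 0x00020004,  # RC | LC
    RIGHTS["GA"]: 0x000F01FF,  # all four standard rights + all DS rights
}

# Well-known extended-right GUIDs (rightsGuid of the controlAccessRight
# objects under CN=Extended-Rights in the configuration partition).
EXTENDED_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
}

ACE_RE = re.compile(r"\(([^)]*)\)")

def expand_generic(mask):
    """Replace each generic bit by the specific rights it stands for."""
    for generic, specific in GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & (0xFFFFFFFF ^ generic)) | specific
    return mask

def parse_rights(token):
    """SDDL rights field: a hex mask ("0x...") or concatenated 2-letter codes."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    return sum(RIGHTS[token[i:i + 2]] for i in range(0, len(token), 2))

def mask_codes(mask):
    """Codes of the specific bits set in an (already expanded) mask, for reports."""
    return sorted(code for bit, code in CODE_OF_BIT.items() if mask & bit)

def parse_dacl(sddl):
    """Split "D:[flags](ace)(ace)..." into ACE dicts; DACL order is preserved."""
    aces = []
    for body in ACE_RE.findall(sddl):
        ace_type, flags, rights, obj_guid, _inh_guid, sid = body.split(";")
        aces.append({"type": ace_type, "flags": flags, "mask": parse_rights(rights),
                     "object_type": obj_guid.lower(), "sid": sid})
    return aces

def assess(ace):
    """Reasons why an ACE deserves review; empty list for unremarkable ACEs."""
    findings = []
    if ace["type"] not in ("A", "OA"):   # deny and audit ACEs grant nothing
        return findings
    mask = expand_generic(ace["mask"])
    if mask & RIGHTS["WD"]:
        findings.append("WRITE_DAC: may rewrite this object's DACL")
    if mask & RIGHTS["WO"]:
        findings.append("WRITE_OWNER: may take ownership of the object")
    if mask & RIGHTS["CR"]:
        if not ace["object_type"]:      # no GUID: the ACE covers every extended right
            findings.append("CONTROL_ACCESS: all extended rights")
        else:
            name = EXTENDED_RIGHTS.get(ace["object_type"], "extended right not in table")
            findings.append(f"CONTROL_ACCESS: {name} ({ace['object_type']})")
    return findings

def report(sddl):
    """Map trustee SID -> findings for every ACE that has any."""
    return {ace["sid"]: f for ace in parse_dacl(sddl) if (f := assess(ace))}

# Constructed sample DACL (domain SID and RIDs are made up for the example).
SAMPLE_DACL = (
    "D:AI"
    "(A;;RPLCLORC;;;AU)"                              # Authenticated Users: read only
    "(A;;GA;;;S-1-5-21-1111-2222-3333-512)"           # Domain Admins: GENERIC_ALL
    "(A;;WDWO;;;S-1-5-21-1111-2222-3333-1105)"        # a delegated group: WRITE_DAC + WRITE_OWNER
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;"  # a service account:
    "S-1-5-21-1111-2222-3333-1106)"                   # DS-Replication-Get-Changes-All
)

if __name__ == "__main__":
    for sid, reasons in report(SAMPLE_DACL).items():
        print(sid, "->", "; ".join(reasons))
```

The Domain Admins entry is reported although its SDDL says only "GA": after expansion the generic bit resolves to WRITE_DAC, WRITE_OWNER and CONTROL_ACCESS with no GUID, which is exactly the point the section makes about GENERIC_ALL. The read-only entry for Authenticated Users produces no finding, and a deny ACE with the same mask would produce none either, because only allow ACEs grant anything.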

Summary: Complexity as a security risk

Active Directory has different levels of rights. There are standard rights that apply to almost every object. There are object-specific rights that deeply affect the functionality of individual object types. And there are generic rights that act as shortcuts.

Permissions in Active Directory are not simple switches based on the principle of "allowed" or "prohibited". Rather, they form a semantic infrastructure in which individual rights are combined, inherited, overridden or implicitly extended. What a user is actually allowed to do rarely results from a single assignment, but from the sum of many small decisions that have often been made over many years.

This complexity is intentional. It enables administration to be delegated in a targeted manner, responsibilities to be separated and organisational structures to be mapped technically. However, it also means that hardly anyone is able to fully understand the resulting authorisation model. This is precisely what makes Active Directory an attractive attack vector.

Manipulation of access control lists usually takes place via legitimate mechanisms of the system. It does not violate any technical rules and therefore often does not generate any noticeable error messages. The traces left behind are formally correct and are also distributed across various data sources.

This is tempting for attackers. ACL manipulations use legitimate functions of the system. They operate within the intended mechanisms. They resemble administrative activities and are therefore difficult to distinguish from regular operations. In many environments, they are not even logged – or at least not in such a way that they would be noticeable without a targeted search.

This poses a dilemma for digital forensics. The traces exist, but they are scattered, fragmented and technically challenging to interpret. The key question is therefore not whether traces exist, but how reliably they can be found and interpreted.
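One practical way to make such scattered traces findable is to keep a baseline export of the DACLs of sensitive objects (the domain object, privileged groups and the like) and compare it with the current state, since a manipulated DACL is formally valid and will not announce itself otherwise. The following Python is an added example, not code from the article: it compares two SDDL DACL strings, both constructed here, and reports ACEs that were added, removed or merely re-ordered, marking added allow ACEs that carry a control right (WRITE_DAC, WRITE_OWNER, GENERIC_ALL or CONTROL_ACCESS) for review first.

```python
"""Compare a baseline DACL export with the current DACL of the same object
and report what changed.  Added example code, not part of the article; both
SDDL strings below are constructed."""
import re

ACE_RE = re.compile(r"\([^)]*\)")
# Rights codes / bits that give control over the object or its extended rights:
# WRITE_DAC, WRITE_OWNER, GENERIC_ALL, DS_CONTROL_ACCESS.
CONTROL_CODES = {"WD", "WO", "GA", "CR"}
CONTROL_MASK = 0x00040000 | 0x00080000 | 0x10000000 | 0x00000100

def aces(sddl):
    """ACE strings in DACL order (order matters: the first matching ACE decides)."""
    return ACE_RE.findall(sddl)

def grants_control(ace):
    """True for an allow ACE whose rights field contains a control right."""
    ace_type, _flags, rights, *_ = ace.strip("()").split(";")
    if ace_type not in ("A", "OA"):          # deny / audit ACEs grant nothing
        return False
    if rights.lower().startswith("0x"):      # rights may be given as a hex mask
        return bool(int(rights, 16) & CONTROL_MASK)
    return any(rights[i:i + 2] in CONTROL_CODES for i in range(0, len(rights), 2))

def compare(baseline, current):
    """Added / removed ACEs, a flag for pure re-ordering, and the subset of
    added ACEs that should be reviewed first."""
    base, cur = aces(baseline), aces(current)
    added = [a for a in cur if a not in base]
    removed = [a for a in base if a not in cur]
    # Same ACEs in a different order is still a change: a deny ACE moved
    # behind a matching allow ACE no longer takes effect.
    reordered = not added and not removed and base != cur
    return {"added": added, "removed": removed, "reordered": reordered,
            "review": [a for a in added if grants_control(a)]}

# Constructed sample: a baseline export and a later export of the same object.
BASELINE = ("D:AI(A;;RPLCLORC;;;AU)"
            "(A;;GA;;;S-1-5-21-1111-2222-3333-512)"
            "(D;;WP;;;S-1-5-21-1111-2222-3333-1107)")
CURRENT = ("D:AI(A;;RPLCLORC;;;AU)"
           "(A;;GA;;;S-1-5-21-1111-2222-3333-512)"
           "(A;;WDWO;;;S-1-5-21-1111-2222-3333-1105)")

if __name__ == "__main__":
    result = compare(BASELINE, CURRENT)
    for key in ("added", "removed", "review"):
        for ace in result[key]:
            print(f"{key:8} {ace}")
    print("reordered:", result["reordered"])
```

Run against the sample, the comparison shows one removed deny ACE and one added allow ACE granting WRITE_DAC and WRITE_OWNER to a non-administrative RID; only the latter lands in the review list. The baseline itself carries no timestamp or actor, so the comparison tells you what changed and where to look, not who did it; that still has to come from the directory's own change logs.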

Outlook

In the next part of this series, we will use a realistic attack scenario to show exactly how such combinations of rights are exploited, how seemingly harmless delegations add up to complete control – and what forensic traces are actually created in the process.

For individual advice on hardening Active Directory environments, please contact us at or our Technical Consulting team will help you to secure your AD environment in a targeted manner and ensure that potential risks and security-related aspects are identified and taken into account in good time.

