Full Report
Background
Are you tired of working from home due to COVID? While this is quite a unique situation we find ourselves in, it also provides some fresh opportunities. Lately we have assessed several environments that were meant to provide a secure way of working from home. For one specific engagement, a client delivered one of their laptops that was domain joined. The laptop was accompanied by credentials of a low-privilege domain user. The secure connection to their office was provided using DirectAccess.
Analysis Summary
# Tool/Technique: Rubeus
## Overview
Rubeus is a C# (.NET) toolkit for raw Kerberos interaction and abuse in Active Directory environments. In the context described it carried out the S4U2Self/S4U2Proxy requests of a Resource-Based Constrained Delegation (RBCD) attack after a privilege misconfiguration had been identified. The article specifically notes a contribution to Rubeus adding IPv6 support.
## Technical Details
- Type: Tool
- Platform: Microsoft Windows (.NET assembly; typically run as `Rubeus.exe` or loaded reflectively from PowerShell)
- Capabilities: Kerberos operations, manipulation of Active Directory attributes related to delegation, ticket manipulation, and exploitation of delegation misconfigurations like RBCD.
- First Seen: N/A (Rubeus has been evolving for some time, but the specific context is August 2020)
## MITRE ATT&CK Mapping
This tool is instrumental in achieving the following:
- **T1558 - Steal or Forge Kerberos Tickets** (service tickets for a privileged user obtained through S4U2Self/S4U2Proxy)
- **T1558.003 - Kerberoasting** (a common Rubeus use, though not the focus of this chain)
- **T1098 - Account Manipulation** (writing `msDS-AllowedToActOnBehalfOfOtherIdentity` on the target computer object)
- **T1136.002 - Create Account: Domain Account** (adding the sacrificial machine account under the machine account quota)
- **T1550.003 - Use Alternate Authentication Material: Pass the Ticket** (using the resulting service ticket against the target)
*Note: the attack flow described is privilege escalation through a misconfigured delegation. The attacker's existing rights over the computer object are used to modify AD attributes; no remote service is exploited, so T1210/T1190 do not apply.*
## Functionality
### Core Capabilities
- Performing Kerberos-related attacks and reconnaissance.
- Modifying AD computer object attributes, specifically `msDS-AllowedToActOnBehalfOfOtherIdentity`, to enable Resource-Based Constrained Delegation.
- Used to execute the RBCD attack chain outlined by Will Schroeder (harmj0y).
### Advanced Features
- Support for the full S4U exchange (S4U2Self and S4U2Proxy), including the author's adaptation to build SPNs from IPv6 hostnames for the delegation request, which was not default functionality.
## Indicators of Compromise
- File Hashes: N/A (Tool, depends on the specific downloaded version/script)
- File Names: `rbcd_demo.ps1`, `powerview.ps1`, `powermad.ps1` (Scripts used alongside Rubeus functionality)
- Registry Keys: N/A
- Network Indicators: N/A (The tool interacts with domain controllers for Kerberos operations)
- Behavioral Indicators: Modification of `msDS-AllowedToActOnBehalfOfOtherIdentity` on a computer object; creation of a machine account (`ocd$`) by a non-admin user; S4U2Self/S4U2Proxy service ticket requests made by `ocd$` that impersonate a privileged user to the target.
## Associated Threat Actors
Rubeus is a widely adopted tool used by penetration testers, red teams, and various sophisticated threat actors targeting Windows Active Directory environments.
## Detection Methods
- **Behavioral detection:** Monitor creation of computer objects by low-privileged users (Event ID 4741 where the subject is an ordinary user, which `ms-DS-MachineAccountQuota` permits by default) and directory writes to `msDS-AllowedToActOnBehalfOfOtherIdentity` on high-value computer objects (Event ID 5136, which requires Directory Service Changes auditing). Correlate both with service ticket requests (Event ID 4769) whose Transited Services field names the newly created account.
- **Signature-based detection:** Detection of the Rubeus executable/PowerShell module based on known hashes or embedded strings/APIs used by the tool.
## Mitigation Strategies
- **Restrict Attribute Modification:** Implement strict Access Control Lists (ACLs) on high-value computer objects to prevent low-privileged users from modifying delegation attributes (`msDS-AllowedToActOnBehalfOfOtherIdentity`).
- **Principle of Least Privilege (PoLP):** Ensure the low-privileged user has only the necessary permissions, preventing **GenericAll** rights over critical assets.
- **ACL Auditing:** Regularly audit Active Directory ACLs, especially on computer and user objects, for unintended permissions granted to Authenticated Users or specific low-privileged groups.
## Related Tools/Techniques
- **BloodHound / SharpHound:** Used for reconnaissance to map attack paths and identify the user possessing the required **GenericAll** rights.
- **Kerberos Resource-Based Constrained Delegation (RBCD):** The specific technique being abused.
- **Group Policy Preferences password (`cpassword`) decryption:** Mentioned as an initial privilege-escalation attempt that did not pan out in this engagement (the `cpassword` value in Group Policy Preferences is decryptable with a published AES key).
***
# Tool/Technique: BloodHound / SharpHound
## Overview
BloodHound is an analysis tool that uses graph theory to reveal complex, unintended relationships in an Active Directory environment. SharpHound is its accompanying ingestor tool, which gathers necessary data (like objects, ACLs, SIDs, and group memberships) from AD services (LDAP/LDAPS) to populate the BloodHound database.
## Technical Details
- Type: Tool
- Platform: Windows (SharpHound execution), Cross-platform (BloodHound visualization)
- Capabilities: Active Directory reconnaissance, privilege path mapping, security posture visualization, discovering relationships that lead to privilege escalation.
- First Seen: N/A (BloodHound was publicly released in 2016)
## MITRE ATT&CK Mapping
- **T1482 - Domain Trust Discovery** (Indirectly, by mapping relationships)
- **T1087.002 - Account Discovery: Domain Account**
- **T1069.002 - Permission Groups Discovery: Domain Groups**
## Functionality
### Core Capabilities
- Collecting data on users, groups, computers, ACLs, and trust relationships.
- Identifying the shortest path to high-value targets (e.g., Domain Admins).
- Highlighting misconfigurations such as excessive permissions (like **GenericAll**).
### Advanced Features
- Graph-based analysis allowing for the identification of multi-hop attack paths that would be difficult to spot manually.
- Identifying specific AD primitives like the ability to modify ACLs (`GenericAll`).
## Indicators of Compromise
- File Hashes: N/A (Depends on the downloaded version of SharpHound)
- File Names: `SharpHound.exe`
- Behavioral Indicators: High volume LDAP queries targeting domain controllers shortly after initial network access.
## Associated Threat Actors
BloodHound/SharpHound is standard operational technology for penetration testers and is frequently utilized by advanced threat actors due to its effectiveness in Active Directory enumeration.
## Detection Methods
- **Network Monitoring:** Detecting abnormal LDAP query volumes directed towards Domain Controllers originating from low-privilege endpoints.
- **Endpoint Monitoring:** Signature-based detection for SharpHound executables or scripts utilizing suspicious PowerShell commands related to AD querying.
## Mitigation Strategies
- **Restrict Data Exposure:** Limit what information can be queried by Authenticated Users via LDAP (though this is often difficult to enforce comprehensively).
- **Monitor SharpHound Activity:** Implement robust endpoint detection and response (EDR) to flag known SharpHound signatures or rapid credential enumeration activity.
- **Least Privilege:** By adhering to PoLP, the number of relationships mapped by BloodHound that originate from a compromised user will be significantly reduced.
## Related Tools/Techniques
- **Rubeus:** Used subsequent to BloodHound findings to exploit delegation weaknesses.
- **PowerView / PowerMad:** PowerShell tooling used alongside Rubeus. PowerView enumerates and modifies AD objects (here the delegation attribute); PowerMad adds machine accounts over LDAP using the machine account quota. Their enumeration overlaps with the data SharpHound ingests.
***
# Technique: Kerberos Resource-based Constrained Delegation (RBCD) Abuse
## Overview
RBCD is a delegation model in which the back-end resource (the computer or service account being accessed) decides which front-end accounts may obtain service tickets to it on behalf of other users. That list lives in the resource's `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute as a security descriptor, so whoever can write that attribute controls the delegation. Attackers abuse this when a low-privileged user holds **GenericAll** (or write access to the attribute) over a target computer object: they add an account they control (here a freshly created machine account) to the target's list, then use S4U2Self and S4U2Proxy to obtain a service ticket to the target as a privileged user such as a Domain Admin.
## Technical Details
- Type: Technique
- Platform: Active Directory Domain Services
- Capabilities: Privilege escalation via KDC-issued Kerberos service tickets (STs) obtained through S4U2Self/S4U2Proxy under a delegation right written onto a computer object; the tickets are legitimately issued, not forged.
- First Seen: RBCD was introduced in Windows Server 2012.
## MITRE ATT&CK Mapping
- **T1558 - Steal or Forge Kerberos Tickets** (service tickets for a privileged user via S4U2Proxy)
- **T1098 - Account Manipulation** (writing `msDS-AllowedToActOnBehalfOfOtherIdentity`)
- **T1136.002 - Create Account: Domain Account** (the sacrificial machine account)
- **T1550.003 - Use Alternate Authentication Material: Pass the Ticket**
## Functionality
### Core Capabilities
1. Obtain **GenericAll** (or at least write access to `msDS-AllowedToActOnBehalfOfOtherIdentity`) over a target computer object (`System_X`).
2. Create a sacrificial computer object (`ocd$`) whose password the attacker knows; by default any authenticated user may add up to ten (`ms-DS-MachineAccountQuota`).
3. Write a security descriptor that grants `ocd$` into `System_X`'s `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute.
4. Authenticate as `ocd$` (TGT), use S4U2Self to obtain a ticket to `ocd$` for a Domain Admin, then use S4U2Proxy to exchange it for a service ticket to a service on `System_X` (e.g. `cifs/System_X`) as that user; the KDC accepts because `ocd$` is now in the target's allowed-to-act list.
### Advanced Features
- The article highlights a complication specific to this engagement: the target was addressed by an IPv6 literal, so the SPN handed to the S4U2Proxy request had to be built from the Windows `ipv6-literal.net` hostname form. Rubeus did not do this out of the box, and the author's contribution added that support.
## Indicators of Compromise
- **Behavioral Indicators:** Unauthorized modification of `msDS-AllowedToActOnBehalfOfOtherIdentity` on computer or service account objects.
- **Behavioral Indicators:** Service ticket requests whose SPN host part is an IPv6 literal in Windows `ipv6-literal.net` form (e.g. `fd00-517a-c816-8888--ac01-2135.ipv6-literal.net`, where `--` stands for `::`) targeting high-privilege services.
- **Error Code:** `0x7 (KDC_ERR_S_PRINCIPAL_UNKNOWN)`, returned when the KDC cannot map the requested SPN to any account; the article observed it for IPv6-literal SPNs, which is what happens when no account has a matching `servicePrincipalName` registered.
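To make the indicator above concrete, here is an added helper (not from the article) that converts between textual IPv6 addresses and the `ipv6-literal.net` hostname form Windows uses as the host part of an SPN, plus a predicate a detection rule can apply to SPNs seen in ticket requests. The addresses and SPNs in the usage lines are constructed examples.

```powershell
# Added helper; not from the article. Windows names an IPv6 literal as a hostname by
# replacing ':' with '-' (so '::' becomes '--') and a '%zone' suffix with 's<zone>',
# then appending '.ipv6-literal.net'. Sample addresses and SPNs below are constructed.
function ConvertTo-Ipv6LiteralName {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)          # rejects malformed input
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $Address"
    }
    # .NET renders the canonical compressed, lowercase form; zone id stays as %<zone>
    (($ip.ToString() -replace '%', 's') -replace ':', '-') + '.ipv6-literal.net'
}

function ConvertFrom-Ipv6LiteralName {
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -notmatch '^(?<body>[0-9a-f-]+(s[0-9a-z]+)?)\.ipv6-literal\.net$') {
        throw "Not an ipv6-literal.net name: $Name"
    }
    $text = ($Matches.body -replace 's', '%') -replace '-', ':'
    [System.Net.IPAddress]::Parse($text).ToString()          # re-validates the result
}

function Test-Ipv6LiteralSpn {
    # SPN syntax is service/host[:port][/instance]; true when host is an IPv6 literal name
    param([Parameter(Mandatory)][string]$Spn)
    $parts = $Spn -split '/'
    if ($parts.Count -lt 2) { return $false }
    $hostPart = ($parts[1] -split ':')[0]
    [bool]($hostPart -match '\.ipv6-literal\.net$')
}

ConvertTo-Ipv6LiteralName   'fd00:517a:c816:8888::ac01:2135'
ConvertTo-Ipv6LiteralName   'fe80::1%12'
ConvertFrom-Ipv6LiteralName 'fd00-517a-c816-8888--ac01-2135.ipv6-literal.net'
Test-Ipv6LiteralSpn         'cifs/fd00-517a-c816-8888--ac01-2135.ipv6-literal.net'
Test-Ipv6LiteralSpn         'cifs/system_x.corp.local'
```

The first call reproduces the hostname quoted in the indicators above, and `Test-Ipv6LiteralSpn` is the check to run over the Service Name field of Event ID 4769 when hunting for literal-address SPNs.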
## Associated Threat Actors
Threat actors leveraging post-exploitation offensive tools like Rubeus and BloodHound, often seen in advanced persistent threat (APT) groups or mature red team engagements upon discovering this specific misconfiguration.
## Detection Methods
- **LDAP Auditing:** Monitoring for changes to the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute on computer objects.
- **Kerberos Monitoring:** Baseline normal Kerberos traffic, then flag service ticket requests (Event ID 4769) where the account the ticket is issued for is highly privileged (Domain Admins and similar), the Transited Services field is populated (S4U2Proxy was used), and the front-end account named there is newly created or otherwise unusual.
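The two detection methods above combined into one correlation, added here as an example and not taken from the article. Field names mirror the Windows Security event XML (4741 computer account created, 5136 directory object modified, 4769 service ticket requested); the sample records are constructed, and with live data you would feed the function objects built from `(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4741,5136,4769}).ToXml()`. The correlation window is an assumed value.

```powershell
# Added detection logic; not from the article. Field names follow the Security event
# XML; the sample records below are constructed for illustration.
function Find-RbcdAbuse {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMinutes = 120           # assumed: how far back to tie account creation
    )
    $created = @($Events | Where-Object { $_.Id -eq 4741 })
    $tickets = @($Events | Where-Object {
        $_.Id -eq 4769 -and $_.TransitedServices -and $_.TransitedServices -ne '-' })

    foreach ($w in $Events | Where-Object {
            $_.Id -eq 5136 -and
            $_.AttributeLDAPDisplayName -eq 'msDS-AllowedToActOnBehalfOfOtherIdentity' -and
            $_.OperationType -eq '%%14674' }) {             # %%14674 = value added

        # CN of the resource whose RBCD list was written, e.g. SYSTEM_X from CN=SYSTEM_X,OU=...
        $resource = (($w.ObjectDN -split ',')[0] -replace '^CN=', '').ToUpper()
        $reasons  = @("RBCD attribute written on $resource by $($w.SubjectUserName)")
        $severity = 'Medium'

        # Same actor created a machine account shortly before: MachineAccountQuota abuse pattern
        $own = $created | Where-Object {
            $_.SubjectUserName -eq $w.SubjectUserName -and
            $_.TimeCreated -le $w.TimeCreated -and
            ($w.TimeCreated - $_.TimeCreated).TotalMinutes -le $WindowMinutes }
        if ($own) {
            $severity = 'High'
            $reasons += "actor created machine account(s): $(@($own.TargetUserName) -join ', ')"
        }

        # S4U2Proxy tickets to that resource after the write: the delegation was exercised
        $used = $tickets | Where-Object {
            $_.TimeCreated -ge $w.TimeCreated -and
            ($_.ServiceName -replace '\$$', '').ToUpper() -eq $resource }
        if ($used) {
            $severity = 'Critical'
            $who = @($used.TargetUserName | Select-Object -Unique) -join ', '
            $via = @($used.TransitedServices | Select-Object -Unique) -join ', '
            $reasons += "delegated ticket(s) to $resource as $who via $via"
        }

        [pscustomobject]@{
            Time     = $w.TimeCreated
            Actor    = $w.SubjectUserName
            Resource = $resource
            Severity = $severity
            Reason   = $reasons -join '; '
        }
    }
}

# Constructed sample: one abuse sequence and one benign RBCD configuration by an admin
$t0 = Get-Date '2020-08-18T10:00:00'
$SampleEvents = @(
    [pscustomobject]@{ Id = 4741; TimeCreated = $t0; SubjectUserName = 'jdoe'; TargetUserName = 'OCD$' }
    [pscustomobject]@{ Id = 5136; TimeCreated = $t0.AddMinutes(2); SubjectUserName = 'jdoe'
                       ObjectDN = 'CN=SYSTEM_X,OU=Servers,DC=corp,DC=local'
                       AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
                       OperationType = '%%14674' }
    [pscustomobject]@{ Id = 4769; TimeCreated = $t0.AddMinutes(5); TargetUserName = 'Administrator@CORP.LOCAL'
                       ServiceName = 'SYSTEM_X$'; TransitedServices = 'ocd$@CORP.LOCAL'; IpAddress = '::ffff:10.0.0.25' }
    [pscustomobject]@{ Id = 5136; TimeCreated = $t0.AddHours(3); SubjectUserName = 'svc_adadmin'
                       ObjectDN = 'CN=SQL01,OU=Servers,DC=corp,DC=local'
                       AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
                       OperationType = '%%14674' }
)
Find-RbcdAbuse -Events $SampleEvents | Format-Table -AutoSize
```

On the sample, the `SYSTEM_X` write is rated Critical (creator of `OCD$` wrote the attribute and a delegated ticket followed), while the `SQL01` write by the admin account stays at Medium, which is the triage split a SOC wants: every RBCD write is reviewed, but only the ones tied to a fresh account or an actual S4U2Proxy ticket page someone out.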
## Mitigation Strategies
- **Restrict Write Permissions:** Remove unnecessary write permissions (especially **GenericAll**) from low-privileged users or groups on domain-joined computer objects.
- **Review SIDs:** Regularly enumerate which SIDs appear in `msDS-AllowedToActOnBehalfOfOtherIdentity` on computer and service account objects, and treat entries for recently created machine accounts or SIDs that no longer resolve as findings.
- **IPv6 Configuration:** Where IPv6 is in use, make sure the SPNs that clients actually build when reaching services over IPv6 are handled correctly by the Kerberos infrastructure; where it is not required, avoid IPv6 literal addresses in service principals altogether.
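An added audit script for the "Review SIDs" item, not part of the article. It requires the RSAT ActiveDirectory module and read access to the domain, and writes nothing; the "recently created" threshold is an assumed value.

```powershell
# Added audit; not from the article. Read-only. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RbcdDelegationReport {
    param([int]$RecentDays = 30)                # assumed threshold for "recently created"
    $recent  = (Get-Date).AddDays(-$RecentDays)
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Presence filter: only computers whose RBCD attribute is populated
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                   -Properties msDS-AllowedToActOnBehalfOfOtherIdentity, whenChanged |
    ForEach-Object {
        $resource = $_
        # The AD module exposes the attribute as an ActiveDirectorySecurity object;
        # each ACE names one account allowed to delegate to this resource
        $sd = $resource.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        foreach ($ace in $sd.GetAccessRules($true, $true, $sidType)) {
            $sid   = $ace.IdentityReference.Value
            $front = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties whenCreated

            $flag = if (-not $front)                     { 'orphaned SID' }
                    elseif ($front.whenCreated -gt $recent) { "front-end created in last $RecentDays days" }
                    else                                 { '' }

            [pscustomobject]@{
                Resource            = $resource.Name
                ResourceLastChanged = $resource.whenChanged
                AllowedToAct        = if ($front) { $front.Name } else { "<unresolved $sid>" }
                ObjectClass         = $front.ObjectClass
                FrontEndCreated     = $front.whenCreated
                Flag                = $flag
            }
        }
    }
}

Get-RbcdDelegationReport | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Rows carrying a flag are the ones to chase: a front-end machine account younger than the threshold matches the `ocd$` pattern from the attack chain, and an unresolvable SID means an account that once held delegation rights was deleted without the descriptor being cleaned up.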
## Related Tools/Techniques
- **GenericAll over the target computer object:** The primary prerequisite for this attack (GenericAll or equivalent write access to the delegation attribute), typically surfaced by BloodHound as an edge from the compromised user to the computer.
- **Rubeus:** The tool used to craft and execute the complex Kerberos requests needed for the delegation abuse.