![]() This post shows how an attacker can recon the Active Directory environment with just domain user rights. Once the attacker has their code running inside the enterprise, the first step is performing reconnaissance to discover useful resources to escalate permissions, persist, and of course, plunder information (often the “crown jewels” of an organization). It’s important for defenders to understand the different types of data accessible in AD with a regular user account.Īttacks frequently start with a spear-phishing email to one or more users enabling the attacker to get their code running on a computer inside the target network. There is a lot of data that can be gathered from Active Directory which can be used to update documentation or to recon the environment for the next attack stages. This often leads to password data being placed in user object attributes or in SYSVOL. ![]() The challenge is that admins may think that since this data is most easily accessible via admin tools such as “Active Directory User and Computers” (dsa.msc) or “Active Directory Administrative Center” (dsac.msc), that others can’t see user data (beyond what is exposed in Outlook’s GAL). A fact that is often forgotten (or misunderstood), is that most objects and their attributes can be viewed (read) by authenticated users (most often, domain users).
0 Comments
Leave a Reply. |