An ACE Up The Sleeve: Designing Security Descriptor Based Backdoors

Slide download coming soon.


Active Directory (AD) and host-based security descriptors are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD and host objects align perfectly with the “attackers think in graphs” philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise.

While security descriptor misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy persistence in an Active Directory environment. It’s often difficult to determine whether a specific security descriptor misconfiguration was set intentionally or implemented by accident, and modifications to specific host security descriptors can have far-reaching and unintended consequences in the domain as a whole. This makes security descriptor-based backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability.

This talk will cover Active Directory and host security descriptors in depth, including our “misconfiguration taxonomy” and enumeration/analysis with BloodHound’s ever-expanding feature set. We will cover how specific host-based security descriptor modifications can affect the security of the system as a whole, filling in the gaps left by a pure Active Directory approach. We will then cover methods to design chains of these backdoors, producing novel Active Directory persistence paths that evade most current detections.
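As an added, defender-side illustration of the kind of security descriptor review the talk describes (this is example code written for this page, not BloodHound's code or the speakers' tooling): a small auditor that parses the DACL of an SDDL string and flags allow ACEs granting control rights (GenericAll, WriteDacl, WriteOwner, unscoped WriteProperty) to trustees outside an expected set of privileged principals. The expected-principal set and the sample SDDL are assumptions constructed for the example.

```python
import re

# SDDL rights codes and hex mask bits that grant control over an object.
CONTROL_RIGHTS = {"GA": "GenericAll", "WD": "WriteDacl", "WO": "WriteOwner",
                  "WP": "WriteProperty (all properties)"}
CONTROL_MASK_BITS = {0x10000000: "GenericAll", 0x00040000: "WriteDacl",
                     0x00080000: "WriteOwner", 0x00000020: "WriteProperty (all properties)"}
# Trustees expected to hold control rights (assumption; tune per domain).
EXPECTED_PRIVILEGED = {"BA", "DA", "EA", "SY", "CO"}

def parse_sddl_dacl(sddl):
    """Return (type, flags, rights, object_guid, inherit_guid, trustee) per DACL ACE."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) >= 6:
            aces.append(tuple(fields[:6]))
    return aces

def control_rights(rights, obj_guid):
    """Map an ACE rights field (two-letter codes or hex mask) to control rights."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        found = [n for bit, n in CONTROL_MASK_BITS.items() if mask & bit]
    else:
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        found = [CONTROL_RIGHTS[c] for c in codes if c in CONTROL_RIGHTS]
    # WriteProperty scoped to one attribute by an object GUID is not full control.
    if obj_guid:
        found = [f for f in found if not f.startswith("WriteProperty")]
    return found

def find_suspicious_aces(sddl):
    """Allow ACEs that grant control rights to trustees outside the expected set."""
    findings = []
    for ace_type, _flags, rights, obj_guid, _inh, trustee in parse_sddl_dacl(sddl):
        if ace_type in ("A", "OA") and trustee not in EXPECTED_PRIVILEGED:
            findings += [(trustee, r) for r in control_rights(rights, obj_guid)]
    return findings

# Constructed sample: Domain Admins has GenericAll (expected), a user SID has
# WriteDacl (flagged), Authenticated Users has WriteProperty on one attribute only.
SAMPLE = ("O:DAG:DAD:(A;;GA;;;DA)"
          "(A;;WDRP;;;S-1-5-21-1004336348-1177238915-682003330-1105)"
          "(OA;;WP;bf967a7f-0de6-11d0-a285-00aa003049e2;;AU)(D;;GA;;;WD)")
if __name__ == "__main__":
    for trustee, right in find_suspicious_aces(SAMPLE):
        print(f"{trustee}: {right}")
```

In practice the SDDL strings would come from an export of AD object security descriptors, and the findings are a starting point for deciding whether each ACE is intentional.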

About the Speakers