Abusing the DHCP Administrators Group to Escalate Privileges in Windows Domains

  • πŸ•΅οΈ Akamai researchers discovered a new privilege escalation technique in Active Directory environments using the DHCP administrators group.
  • πŸ›‘οΈ The technique leverages legitimate features and doesn’t rely on any vulnerability, making it challenging to fix.
  • πŸ”„ It can be used not only for privilege escalation but also as a domain persistence mechanism.
  • πŸ“Š Microsoft DHCP servers are popular, running in 40% of monitored networks, potentially exposing them to this technique.
  • πŸ› οΈ Mitigation steps are provided in the blog post to reduce the risk from this technique.
  • πŸ”’ “Just enough access” is critical for minimizing risks in access management, especially in large organizations.
  • πŸšͺ Managing access based on job function through user access groups is common, but vulnerabilities can still arise, as demonstrated in the “DNS Admins” group case.
  • πŸ–₯️ The DHCP administrators group manages DHCP servers but has no permissions over the server machine itself.
  • 🚨 Attackers can abuse DHCP options to inject malicious configurations, like impersonating a WPAD server for credential theft.
  • πŸ›‘οΈ DHCP Coerce technique can lead to Kerberos relay attacks, potentially compromising the entire domain.
  • πŸ”„ Attackers can establish a DHCP backdoor for domain persistence, utilizing DHCP scopes and relay agents.
  • πŸš‘ Removing the DNS credential from the DHCP server can nullify some of the attack vectors.
  • πŸ“ The DHCP relay agent feature allows an attacker to request an IP address from any scope, bypassing server interface restrictions.
  • 🚧 To prevent rogue clients, the relay server’s IP address must be part of an existing scope on the server.
  • ⚠️ An attacker can create a backdoor by setting up two scopes: an authorization scope and a coercion scope.
  • πŸ’» PowerShell code can be used to create these scopes and trigger the backdoor.
  • πŸ” Defensive measures include identifying risky DHCP configurations, mitigating relay attacks against AD CS, practicing DHCP administrators group hygiene, using segmentation to reduce the attack surface, and identifying DNS anomalies.
  • πŸ”’ For mitigation, avoid installing DHCP servers on DCs, enable Extended Protection for Authentication on AD CS servers, and limit membership in the DHCP administrators group.
  • πŸ“‘ Network segmentation can further mitigate the attack and reduce the attack surface.
  • πŸ”Ž Anomalies in DNS traffic can be a detection opportunity for this attack.
  • πŸ›‘οΈ Malicious privilege escalation leveraging legitimate processes poses a significant risk.

Full post:
https://www.akamai.com/blog/security-research/abusing-dhcp-administrators-group-for-privilege-escalation-in-windows-domains