- Akamai researchers discovered a new privilege escalation technique in Active Directory environments that abuses the DHCP Administrators group.
- The technique leverages legitimate features and doesn't rely on any vulnerability, making it hard to fix.
- It can be used not only for privilege escalation but also as a domain persistence mechanism.
- Microsoft DHCP servers are popular, running in 40% of monitored networks, which potentially exposes those networks to this technique.
- Mitigation steps are provided in the blog post to reduce the risk from this technique.
- "Just enough access" is critical for minimizing risk in access management, especially in large organizations.
- Managing access by job function through user access groups is common, but vulnerabilities can still arise, as the "DNS Admins" group case demonstrated.
- The DHCP Administrators group manages DHCP servers but has no permissions over the server machine itself.
- Attackers can abuse DHCP options to inject malicious configurations, such as impersonating a WPAD server for credential theft.
- The DHCP Coerce technique can lead to Kerberos relay attacks, potentially compromising the entire domain.
- Attackers can establish a DHCP backdoor for domain persistence using DHCP scopes and relay agents.
- Removing the DNS credential from the DHCP server can nullify some of the attack vectors.
- The DHCP relay agent feature allows an attacker to request an IP address from any scope, bypassing server interface restrictions.
- To prevent rogue clients, the relay server's IP address must be part of an existing scope on the server.
- An attacker can create a backdoor by setting up two scopes: an authorization scope and a coercion scope.
- PowerShell code can be used to create these scopes and trigger the backdoor.
- Defensive measures include identifying risky DHCP configurations, mitigating relay attacks against AD CS, practicing DHCP Administrators group hygiene, using segmentation to reduce the attack surface, and identifying DNS anomalies.
- For mitigation, avoid installing DHCP servers on DCs, enable Extended Protection for Authentication on AD CS servers, and limit membership in the DHCP Administrators group.
- Network segmentation can further mitigate the attack and reduce the attack surface.
- Anomalies in DNS traffic can be a detection opportunity for this attack.
- Malicious privilege escalation leveraging legitimate processes poses a significant risk.
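An added audit script, not part of the Akamai post, that checks a domain for the risky DHCP configurations the summary lists: DHCP co-located on domain controllers, a DNS dynamic update credential stored on the DHCP server, the WPAD option (option 252) configured at server or scope level, and the size of the DHCP Administrators group. It assumes the DhcpServer and ActiveDirectory RSAT modules are installed and that the caller can read DHCP configuration and AD group membership.

```powershell
# Added audit script (not from the Akamai post). Assumes the DhcpServer and
# ActiveDirectory RSAT modules are installed and the caller can read DHCP
# configuration and AD group membership in the current domain.
Import-Module DhcpServer
Import-Module ActiveDirectory

$findings = @()

# Domain controllers, lower-cased for comparison with DHCP server DNS names.
$dcs = (Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() }

# Every DHCP server authorized in Active Directory.
foreach ($srv in Get-DhcpServerInDC) {
    $name = $srv.DnsName.ToLower()

    # 1. DHCP role co-located on a domain controller.
    if ($dcs -contains $name) {
        $findings += "$name is a domain controller running DHCP"
    }

    # 2. DNS dynamic update credential configured on the server.
    $cred = Get-DhcpServerDnsCredential -ComputerName $srv.DnsName
    if ($cred.UserName) {
        $findings += "$name uses DNS credential $($cred.DomainName)\$($cred.UserName)"
    }

    # 3. Option 252 (WPAD URL) set at server level or in any scope.
    $serverOpts = Get-DhcpServerv4OptionValue -ComputerName $srv.DnsName -All
    if ($serverOpts | Where-Object { $_.OptionId -eq 252 }) {
        $findings += "$name has server-level option 252 (WPAD) configured"
    }
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $srv.DnsName) {
        $opts = Get-DhcpServerv4OptionValue -ComputerName $srv.DnsName -ScopeId $scope.ScopeId -All
        if ($opts | Where-Object { $_.OptionId -eq 252 }) {
            $findings += "$name scope $($scope.ScopeId) has option 252 (WPAD) configured"
        }
    }
}

# 4. DHCP Administrators membership, flattened through nested groups.
$members = Get-ADGroupMember -Identity 'DHCP Administrators' -Recursive
$findings += "DHCP Administrators has $(@($members).Count) member(s): $(($members.SamAccountName) -join ', ')"

$findings
```

Each line of output is one item to review against the mitigations above; an empty result for items 1 to 3 and a short, expected member list for item 4 is the target state.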
Full post:
https://www.akamai.com/blog/security-research/abusing-dhcp-administrators-group-for-privilege-escalation-in-windows-domains