Akamai researchers discovered a new privilege escalation technique in Active Directory environments using the DHCP administrators group.
The technique leverages legitimate features and doesn't rely on any vulnerability, making it challenging to fix.
It can be used not only for privilege escalation but also as a domain persistence mechanism.
Microsoft DHCP servers are popular, running in 40% of monitored networks, potentially exposing them to this technique.
Mitigation steps are provided in the blog post to reduce the risk from this technique.
"Just enough access" is critical for minimizing risks in access management, especially in large organizations.
Managing access based on job function through user access groups is common, but vulnerabilities can still arise, as demonstrated in the "DNS Admins" group case.
The DHCP administrators group manages DHCP servers but has no permissions over the server machine itself.
Attackers can abuse DHCP options to inject malicious configurations, like impersonating a WPAD server for credential theft.
The DHCP Coerce technique can lead to Kerberos relay attacks, potentially compromising the entire domain.
Attackers can establish a DHCP backdoor for domain persistence, utilizing DHCP scopes and relay agents.
Removing the DNS credential from the DHCP server can nullify some of the attack vectors.
The DHCP relay agent feature allows an attacker to request an IP address from any scope, bypassing server interface restrictions.
To prevent rogue clients, the relay server's IP address must be part of an existing scope on the server.
An attacker can create a backdoor by setting up two scopes: an authorization scope and a coercion scope.
PowerShell code can be used to create these scopes and trigger the backdoor.
Defensive measures include identifying risky DHCP configurations, mitigating relay attacks against AD CS, practicing DHCP administrators group hygiene, using segmentation to reduce the attack surface, and identifying DNS anomalies.
For mitigation, avoid installing DHCP servers on DCs, enable Extended Protection for Authentication on AD CS servers, and limit membership in the DHCP administrators group.
Network segmentation can further mitigate the attack and reduce the attack surface.
Anomalies in DNS traffic can be a detection opportunity for this attack.
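The following PowerShell audit is an added example, not code from the Akamai post. It checks the configuration points the mitigations above call out: DHCP Administrators membership, DHCP servers co-located with domain controllers, a configured DNS dynamic-update credential, and scopes pushing the WPAD option (DHCP option 252) to clients. It assumes the DhcpServer and ActiveDirectory RSAT modules are installed and that the caller can read the DHCP servers' configuration.

```powershell
# Added defensive audit (assumes RSAT DhcpServer + ActiveDirectory modules are present)
Import-Module DhcpServer -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$findings = @()

# 1. Group hygiene: who is (transitively) a DHCP administrator in the domain
$members = Get-ADGroupMember -Identity 'DHCP Administrators' -Recursive -ErrorAction SilentlyContinue
foreach ($m in $members) {
    $findings += "[review] DHCP Administrators member: $($m.SamAccountName) ($($m.objectClass))"
}

# 2. DHCP role running on a domain controller (authorized DHCP servers vs. DC list)
$dcNames = (Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() }
foreach ($srv in (Get-DhcpServerInDC)) {
    $name = $srv.DnsName.ToLower()
    if ($dcNames -contains $name) {
        $findings += "[high] DHCP role is installed on domain controller $name"
    }

    # 3. DNS dynamic-update credential configured on the DHCP server
    $cred = Get-DhcpServerDnsCredential -ComputerName $name -ErrorAction SilentlyContinue
    if ($cred -and $cred.UserName) {
        $findings += "[medium] $name registers DNS records as $($cred.DomainName)\$($cred.UserName); review or remove this credential"
    }

    # 4. WPAD option (252) served from any scope: legitimate uses exist, but each one should be known
    foreach ($scope in (Get-DhcpServerv4Scope -ComputerName $name -ErrorAction SilentlyContinue)) {
        $wpad = Get-DhcpServerv4OptionValue -ComputerName $name -ScopeId $scope.ScopeId -OptionId 252 -ErrorAction SilentlyContinue
        if ($wpad) {
            $findings += "[review] scope $($scope.ScopeId) on $name sets WPAD option 252 -> $($wpad.Value -join ',')"
        }
    }
}

if ($findings.Count -eq 0) { "No findings" } else { $findings }
```

Run it from a host with RSAT as an account that can read DHCP configuration; review any "[review]" line against the change history for that server, since an unexpected WPAD option or credential change is the kind of anomaly the post describes.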
Malicious privilege escalation leveraging legitimate processes poses a significant risk.