Abusing The Dhcp Administrators Group To Escalate Privileges In Windows Domains
Category
  • ๐Ÿ•ต๏ธ Akamai researchers discovered a new privilege escalation technique in Active Directory environments using the DHCP administrators group.
  • ๐Ÿ›ก๏ธ The technique leverages legitimate features and doesnโ€™t rely on any vulnerability, making it challenging to fix.
  • ๐Ÿ”„ It can be used not only for privilege escalation but also as a domain persistence mechanism.
  • ๐Ÿ“Š Microsoft DHCP servers are popular, running in 40% of monitored networks, potentially exposing them to this technique.
  • ๐Ÿ› ๏ธ Mitigation steps are provided in the blog post to reduce the risk from this technique.
  • ๐Ÿ”’ โ€œJust enough accessโ€ is critical for minimizing risks in access management, especially in large organizations.
  • ๐Ÿšช Managing access based on job function through user access groups is common, but vulnerabilities can still arise, as demonstrated in the โ€œDNS Adminsโ€ group case.
  • ๐Ÿ–ฅ๏ธ The DHCP administrators group manages DHCP servers but has no permissions over the server machine itself.
  • ๐Ÿšจ Attackers can abuse DHCP options to inject malicious configurations, like impersonating a WPAD server for credential theft.
  • ๐Ÿ›ก๏ธ DHCP Coerce technique can lead to Kerberos relay attacks, potentially compromising the entire domain.
  • ๐Ÿ”„ Attackers can establish a DHCP backdoor for domain persistence, utilizing DHCP scopes and relay agents.
  • ๐Ÿš‘ Removing the DNS credential from the DHCP server can nullify some of the attack vectors.
  • ๐Ÿ“ The DHCP relay agent feature allows an attacker to request an IP address from any scope, bypassing server interface restrictions.
  • ๐Ÿšง To prevent rogue clients, the relay serverโ€™s IP address must be part of an existing scope on the server.
  • โš ๏ธ An attacker can create a backdoor by setting up two scopes: an authorization scope and a coercion scope.
  • ๐Ÿ’ป PowerShell code can be used to create these scopes and trigger the backdoor.
  • ๐Ÿ” Defensive measures include identifying risky DHCP configurations, mitigating relay attacks against AD CS, practicing DHCP administrators group hygiene, using segmentation to reduce the attack surface, and identifying DNS anomalies.
  • ๐Ÿ”’ For mitigation, avoid installing DHCP servers on DCs, enable Extended Protection for Authentication on AD CS servers, and limit membership in the DHCP administrators group.
  • ๐Ÿ“ก Network segmentation can further mitigate the attack and reduce the attack surface.
  • ๐Ÿ”Ž Anomalies in DNS traffic can be a detection opportunity for this attack.
  • ๐Ÿ›ก๏ธ Malicious privilege escalation leveraging legitimate processes poses a significant risk.

Full Post :
https://www.akamai.com/blog/security-research/abusing-dhcp-administrators-group-for-privilege-escalation-in-windows-domains