Privilege Management: An Advanced Guide to Available Tools
Privilege Management, often referred to as authorization, is a method by which users’ access to resources is allowed or denied. In the OWASP Top 10, vulnerabilities related to privilege management fall under the heading of Broken Access Control. In the most recent iteration of the Top 10 it is at the top of the list, meaning it has a higher occurrence in tested applications than any other vulnerability type.
Privilege management is not unique to technology systems: confidential and secret information has long been passed around government offices in hard copy, only to people with the relevant clearances. It is, however, a large part of ensuring the security of a computer system or application, especially as the world becomes more connected and physical access to a terminal is no longer needed to interact with it; in fact, that interaction can come from anywhere in the world with an internet connection.
When working with a computer system or web application, the best option is to create a secure privilege management system from the very beginning; following best practices around groups and users in Active Directory to allow efficient revocation of accounts’ access privileges, for example. Unfortunately, it is often the case that someone will inherit a system from someone less security-minded than themselves. In this case it is important to perform an audit of permissions to discover whether there are any gaps that could be exploited by a malicious user, or even stumbled across by a legitimate user accidentally.
In this situation, there are numerous tools at your disposal, many of which are predominantly used by penetration testers or red teamers but can legitimately be used by an internal administrator to receive very similar results.
BloodHound is very well known in the Active Directory security world. It requires a little bit of setting up to get it running in the first instance, such as a neo4j database being installed. Once set up though, running it and keeping it updated with changes to the network is quite simple, as you simply run a small ingestor program and then drag the JSON/zip output from those into BloodHound.
It then displays a graphical representation of all the users, computers and current sessions on the network (who is logged in where), as well as the privileges each of those items has relative to the others. There are also queries that can be run, such as checking whether there are ways for a low-level user to escalate their privileges to domain admin. It is not uncommon for BloodHound to show strange and unexpected privilege relationships that the system admins were not aware of beforehand, due to legacy changes and misconfigurations that have been carried over year after year.
After initial setup, this is probably the easiest tool to use for a simple audit, as it has a GUI rather than relying on a command line interface like the others listed here, which all run in PowerShell.
Below is an example network shown in the BloodHound GUI, taken from https://bloodhound.readthedocs.io/en/latest/data-analysis/bloodhound-gui.html
BloodHound is open-source and free, though there is a paid Enterprise version available which provides more in-depth risk prioritisation and automation than the free version.
PowerView is a very powerful tool for an Active Directory audit. It can pull back information on devices, users, GPOs, domains/forests and their trusts, and many other things. Many of these act as replacements for the Windows “net” commands, but some of the more obscure functionality is implemented through custom scripts inside PowerView. Carrying out a full Active Directory audit with PowerView would be a long process, but a very thorough one. Using BloodHound for an initial assessment and then digging deeper with PowerView afterwards would make for an in-depth audit that should pick up any misconfigurations.
PowerUp’s sole purpose is to find local privilege escalation vulnerabilities. Individual types of vulnerability can be looked for, but the command “Invoke-AllChecks” can be run and it will return any available misconfiguration-based privilege escalation vulnerabilities for that system, from unquoted service paths to modifiable scheduled tasks. For each finding, the tool returns the path involved and the user it will run as, along with a command that would exploit the finding to elevate privileges on the system, which of course isn’t required for auditing.
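To show what the unquoted-service-path check actually tests for, here is an audit-only reproduction of it in plain PowerShell. This is an added example, not PowerUp's own code; it assumes it is run as a local administrator on the Windows host being audited, reports findings without changing anything, and prints the quoting fix an admin would apply.

```powershell
# Added example (not PowerUp's own code): audit-only unquoted-service-path check.
# Assumes a local administrator session on the host being audited.
function Get-UnquotedServicePath {
    # Principals any authenticated user falls under; an Allow ACE giving them write
    # rights on a searched directory is what turns a quoting slip into a real finding.
    $broad = 'Everyone|Authenticated Users|BUILTIN\\Users|INTERACTIVE'

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
        ForEach-Object {
            $svc = $_
            # Keep only the executable; arguments after .exe play no part in the lookup
            $m = [regex]::Match($svc.PathName, '^(.*?\.exe)', 'IgnoreCase')
            if (-not $m.Success) { return }
            $exe = $m.Groups[1].Value
            # No space in the executable path, or under %SystemRoot% (tightly ACLed): skip
            if ($exe -notmatch ' ' -or $exe -match '^[A-Za-z]:\\Windows\\') { return }

            # Windows tries each space-separated prefix as "<prefix>.exe" in turn, so the
            # directories that would hold those candidates are the ones that must not be writable
            $parts = $exe -split ' '
            $searchDirs = for ($i = 1; $i -lt $parts.Count; $i++) {
                Split-Path -Parent (($parts[0..($i - 1)] -join ' ') + '.exe')
            }
            $searchDirs = $searchDirs | Sort-Object -Unique

            # Generic (numeric) rights are not decoded here; named rights cover the common cases
            $writable = foreach ($dir in $searchDirs) {
                if (-not (Test-Path -LiteralPath $dir)) { continue }
                (Get-Acl -LiteralPath $dir).Access |
                    Where-Object {
                        $_.AccessControlType -eq 'Allow' -and
                        $_.IdentityReference.Value -match $broad -and
                        $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles|AppendData'
                    } |
                    ForEach-Object { "$dir ($($_.IdentityReference): $($_.FileSystemRights))" }
            }

            $rest = $svc.PathName.Substring($exe.Length)   # original arguments, if any
            [pscustomobject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName                # account the service runs as
                Path        = $svc.PathName
                SearchDirs  = $searchDirs -join '; '
                WritableBy  = $writable -join '; '          # empty: sloppy quoting, but not abusable
                Remediation = "sc.exe config `"$($svc.Name)`" binPath= `"\`"$exe\`"$rest`""
            }
        }
}
Get-UnquotedServicePath | Where-Object WritableBy | Format-List
```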
PowerUpSQL is used to audit SQL Server permissions and find out whether they can be abused to elevate the privileges of a user. Among the myriad other commands available, PowerUpSQL can do a reasonably thorough audit with two commands: one outputs database and privilege details etc. as .csv files, and the other checks for misconfigurations and vulnerabilities. The latter will tell you which server and database each finding relates to, what the vulnerability is, whether it is exploitable, and how to remediate it.
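As an added example of the kind of server-level permission checks such an audit runs (this is not PowerUpSQL's own code), the function below queries one instance over integrated security for sysadmin members, explicit IMPERSONATE grants between logins, and TRUSTWORTHY databases. It assumes the caller's Windows account can connect and read the catalog views (sysadmin members can), and the instance name is a placeholder.

```powershell
# Added example (not PowerUpSQL's own code): three server-level privilege checks.
# Assumes integrated security and rights to read the catalog views; placeholder instance name.
function Invoke-SqlPrivilegeAudit {
    param([string]$Instance = 'SQLSERVER01\INSTANCE01')   # placeholder, not a real host

    $queries = [ordered]@{
        # Members of the sysadmin fixed server role: effectively full control of the instance
        SysadminMembers = @"
SELECT m.name AS principal_name, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
"@
        # Explicit IMPERSONATE on a login lets the grantee execute as that login
        ImpersonateGrants = @"
SELECT g.name AS grantee, t.name AS can_impersonate, p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals g ON g.principal_id = p.grantee_principal_id
JOIN sys.server_principals t ON t.principal_id = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL' AND p.permission_name = 'IMPERSONATE'
"@
        # TRUSTWORTHY databases owned by a sysadmin login let db_owner reach server scope;
        # msdb is trustworthy by design, so it is excluded from the listing
        TrustworthyDatabases = @"
SELECT name, SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE is_trustworthy_on = 1 AND name <> 'msdb'
"@
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Integrated Security=True;Encrypt=True;TrustServerCertificate=True")
    $conn.Open()
    try {
        foreach ($check in $queries.Keys) {
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = $queries[$check]
            $table = New-Object System.Data.DataTable
            $table.Load($cmd.ExecuteReader())
            # One object per row so the result can be filtered or exported to CSV
            foreach ($row in $table.Rows) {
                [pscustomobject]@{ Check = $check; Finding = ($row.ItemArray -join ' | ') }
            }
        }
    } finally { $conn.Close() }
}
Invoke-SqlPrivilegeAudit | Format-Table -AutoSize
```

Any row under ImpersonateGrants or TrustworthyDatabases is worth reviewing with the database owner, since both are the kind of setting that is rarely needed and easy to leave behind.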
There are numerous other tools available, some paid and some free, but using the above would go a long way towards improving the security posture of an Active Directory network, or towards giving peace of mind that a network is as secure as it has been thought to be.