An ACE Up The Sleeve: Designing Security Descriptor Based Backdoors

Presented at TROOPERS18 (2018), March 15, 2018, 1:30 p.m.

Active Directory (AD) and host-based security descriptors are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD and host objects align perfectly with the "attackers think in graphs" philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise. While security descriptor misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy persistence in an Active Directory environment. It's often difficult to determine whether a specific security descriptor misconfiguration was set intentionally or implemented by accident, and modifications to specific host security descriptors can have far-reaching and unintended consequences in the domain as a whole. This makes security descriptor-based backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability. This talk will cover Active Directory and host security descriptors in depth, including our "misconfiguration taxonomy" and enumeration/analysis with BloodHound's ever-expanding released feature set. We will cover how specific host-based security descriptor modifications can affect the security of the system as a whole, filling in the gaps from the pure Active Directory approach. We will then cover methods to design chains of these backdoors, producing novel Active Directory persistence paths that evade most current detections.


  • Andy Robbins (@_wald0)
    Andy Robbins is the Adversary Resilience Lead at SpecterOps, an active red teamer, and co-author of the BloodHound project, a tool designed to reveal the hidden and unintended permission relationships in Active Directory domains. He has presented at DEF CON, Black Hat, BSides Las Vegas, DerbyCon, ekoparty, and actively researches Active Directory security.
  • Will Schroeder (@harmj0y)
    Will Schroeder is an offensive engineer and red teamer for SpecterOps. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has presented at a number of conferences on a variety of topics, including DEF CON, Black Hat, ShmooCon, DerbyCon, Troopers, BlueHat Israel, and various Security BSides conferences.