Attack and defend Microsoft Enhanced Security Administrative Environment

Presented at TROOPERS18 (2018), March 15, 2018, 4 p.m. (Unknown duration)

Microsoft Enhanced Security Administrative Environment (ESAE), also known as "Red Forest", has become a very popular architecture for enhancing the security of Active Directory. Can ESAE be used to completely prevent cyber attackers from compromising Active Directory? In this talk, we will demonstrate the commonly overlooked techniques that can be used to obtain domain dominance within ESAE.

With the hardened admin environment and credential partitioning built into Microsoft Enhanced Security Administrative Environment (ESAE), it can be extremely hard to compromise critical components of Active Directory such as domain controllers, even after obtaining complete control of servers and workstations. However, we found that there are multiple security controls that enterprises consistently overlook when implementing ESAE, which potentially allow cyber attackers to compromise Active Directory within a short period of time. During this presentation, we will focus on the commonly overlooked tools and techniques that can be used to compromise ESAE. First, we will demonstrate the approach used to identify and compromise shadow admin accounts with special delegated permissions, which are typically overlooked because they are not members of a privileged Active Directory group. Our research found that some domain accounts created to run Microsoft Exchange and SharePoint servers are always configured with special delegated permissions which can potentially be used to replicate password hashes directly from a domain controller, add any domain account to the Domain Admins or Enterprise Admins group, and reset the passwords of privileged domain accounts within ESAE. Second, we will demonstrate how to compromise an enterprise virtualization platform such as VMware vCenter, which is used to host critical components of ESAE such as domain controllers. Secrets, including all domain users' password hashes, can potentially be extracted from the virtualized image of a domain controller via a hot clone approach we discovered. Third, we will talk about how to attack enterprise security solutions, such as System Center Configuration Manager (SCCM), Multi-Factor Authentication (MFA), and other endpoint monitoring technologies, which are implemented across ESAE.

A number of enterprise security solutions are always granted privileged access to endpoints, including remote command execution capability, but are not well protected. We will introduce a few creative approaches to compromise ESAE and demonstrate how to bypass Multi-Factor Authentication (MFA) implemented within ESAE. We will conclude the presentation with some recommended strategic countermeasures. We hope that this talk helps to educate and arm enterprise defenders with the knowledge to enhance the security controls of ESAE.
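The shadow admin accounts described above hold delegated rights on the domain object rather than privileged group membership. The following audit script is an added defender-side check, not part of the talk: it lists principals on the domain head that hold the replication extended rights (the permission behind replicating password hashes) or rights that would let them grant those to themselves, excluding an expected allow-list. It assumes the ActiveDirectory RSAT module on a domain-joined host; the allow-list and the well-known GUIDs are the only assumptions beyond the page.

```powershell
# Added defender-side check, not part of the talk: flag principals holding
# replication extended rights (or rights that let them rewrite the ACL) on
# the domain object that fall outside an expected allow-list.
# Assumes the ActiveDirectory RSAT module on a domain-joined host.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs used for directory replication.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllExtended = '00000000-0000-0000-0000-000000000000'   # ExtendedRight with no ObjectType = every extended right
# Rights that allow a principal to rewrite the ACL and add themselves later.
$EscalationRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'

$Domain = Get-ADDomain
$Nb = $Domain.NetBIOSName
# Principals expected to hold these rights on the domain object (assumed
# baseline; adjust for child domains, where forest-root groups use another prefix).
$Expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators', "$Nb\Domain Controllers", "$Nb\Domain Admins",
    "$Nb\Enterprise Admins", "$Nb\Enterprise Read-only Domain Controllers")

$Acl = Get-Acl -Path ("AD:\" + $Domain.DistinguishedName)
$Findings = foreach ($Ace in $Acl.Access) {
    if ($Ace.AccessControlType -ne 'Allow') { continue }
    if ($Expected -contains $Ace.IdentityReference.Value) { continue }
    $Guid   = $Ace.ObjectType.ToString().ToLower()
    $Rights = $Ace.ActiveDirectoryRights
    $Reason = $null
    if ($Rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
        if ($ReplicationRights.ContainsKey($Guid)) { $Reason = $ReplicationRights[$Guid] }
        elseif ($Guid -eq $AllExtended)            { $Reason = 'All extended rights (includes replication)' }
    }
    if (-not $Reason -and ([int]($Rights -band $EscalationRights) -ne 0)) {
        $Reason = 'Can modify ACL: ' + ($Rights -band $EscalationRights)
    }
    if ($Reason) {
        [pscustomobject]@{ Principal = $Ace.IdentityReference.Value
                           Reason    = $Reason
                           Inherited = $Ace.IsInherited }
    }
}
if ($Findings) { $Findings | Sort-Object Principal | Format-Table -AutoSize }
else { 'No unexpected replication or ACL-modification rights on the domain object.' }
```

Every principal listed should be traced to a documented delegation and treated as a privileged account (tiered, monitored, and excluded from Tier 1/2 logons); the script covers only the domain head, so the group-membership and password-reset delegations the talk mentions need the same review on the relevant OUs and on AdminSDHolder.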


  • Yothin Rodanant
    Yothin Rodanant is a Manager in Ernst & Young LLP's Advanced Security Center. Yothin has eight years of hands-on experience performing penetration testing, security research and cyber investigations. Yothin is currently responsible for overseeing the development of various assessment methodologies, including red team, external and internal penetration testing, web application security assessments, physical security assessments, wireless assessments and social engineering tests. In this role, he regularly contributes cutting-edge hacking techniques to the team members. His areas of research include Active Directory security and accelerated password cracking.
  • Hao Wang
    Hao Wang is a Manager in Ernst & Young's Advanced Security Center. Hao has more than six years of attack and penetration testing and cyber investigation experience. Hao is currently responsible for leading attack and penetration assessments for Fortune 500 companies. Hao has utilized his experience as a lead tester on a wide array of red team and purple team assessments. Hao serves as a core technical team member for the ASC, regularly contributing new hacking techniques to the team. His areas of research include advanced Active Directory attacks against Microsoft ESAE, exploit development for both point-of-sale systems and gaming systems, and cyber threat hunting.