Microsoft Enhanced Security Administrative Environment (ESAE), known as "Red Forest", has become a very popular architecture for enhancing the security of Active Directory. Can ESAE be used to completely prevent cyber attackers from compromising Active Directory? In this talk, we will demonstrate the commonly overlooked techniques that can be used to obtain domain dominance within ESAE.
With the hardened admin environment and credential partitioning built into Microsoft Enhanced Security Administrative Environment (ESAE), it can be extremely hard to compromise critical components of Active Directory, such as domain controllers, even after obtaining complete control of servers and workstations. However, we found that there are multiple security controls that enterprises always overlook when implementing ESAE, which potentially allow cyber attackers to compromise Active Directory within a short period of time. During this presentation, we will focus on the commonly overlooked tools and techniques that can be used to compromise ESAE.

First, we will demonstrate the approach used to identify and compromise shadow admin accounts: accounts with special delegated permissions that are typically overlooked because they are not members of a privileged Active Directory group. Our research disclosed that some domain accounts designed to run Microsoft Exchange and SharePoint servers are always configured with special delegated permissions, which can potentially be used to replicate password hashes directly from a domain controller, add any domain account to the Domain Admins or Enterprise Admins group, and reset the passwords of privileged domain accounts within ESAE. Second, we will demonstrate how to compromise an enterprise virtualization platform such as VMware vCenter, which is used to host critical components of ESAE such as domain controllers. Secrets, including all domain users' password hashes, can potentially be extracted from the virtualized image of a domain controller via a hot clone approach we discovered. Third, we will talk about how to attack enterprise security solutions, such as System Center Configuration Manager (SCCM), Multi-Factor Authentication (MFA), and other endpoint monitoring technologies, which are implemented across ESAE. A number of enterprise security solutions are always granted privileged access to endpoints, including remote command execution capability, but are not well protected. We will introduce a few creative approaches to compromise ESAE and demonstrate how to bypass Multi-Factor Authentication (MFA) implemented within ESAE.

We will conclude the presentation with some recommended strategic countermeasures. We hope that this talk helps to educate and arm enterprise defenders with the knowledge to enhance the security controls of ESAE.
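As an added illustration of the first point (audit code written for this page, not from the talk or from Microsoft), the following script lists the "shadow admin" condition the abstract describes: principals that hold replication or full-control rights on the domain root without being one of the principals expected to hold them. It assumes the RSAT ActiveDirectory module is installed and the caller can read the domain object's security descriptor; the list of expected principals is an assumption and should be adjusted to the environment.

```powershell
# Audit the domain naming-context ACL for principals that can replicate
# password hashes (DCSync-style rights) or rewrite the ACL itself, but are
# not in the set of principals expected to hold those rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$rootDn = $domain.DistinguishedName
$nb     = $domain.NetBIOSName

# Well-known extended-right GUIDs relevant to directory replication.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

# Principals expected to hold these rights (assumption; tune per environment).
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    "$nb\Domain Controllers",
    "$nb\Enterprise Read-only Domain Controllers",
    "$nb\Domain Admins",
    "$nb\Enterprise Admins"
)

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$acl = Get-Acl -Path "AD:\$rootDn"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $principal = $ace.IdentityReference.Value
    if ($expected -contains $principal) { continue }

    $guid  = $ace.ObjectType.ToString()
    $right = $null
    if ((($ace.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        $replicationRights.ContainsKey($guid)) {
        $right = $replicationRights[$guid]
    }
    elseif ($ace.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') {
        # Full control or ACL rewrite lets a principal grant itself the rights above.
        $right = $ace.ActiveDirectoryRights.ToString()
    }
    if ($right) {
        [pscustomobject]@{ Principal = $principal; Right = $right; Inherited = $ace.IsInherited }
    }
}

$findings | Sort-Object Principal, Right | Format-Table -AutoSize
```

Any service or application account that appears in the output holds domain-controller-equivalent power and should be treated as a Tier 0 asset, or have the delegation removed.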