Another Look At Active Directory Security

Carl L
3 min read · Jan 8, 2022

Active Directory is the backbone of most organizations, and compromising this tool is the Holy Grail for most attackers. Any organization that has been around for a while has likely been through many iterations of Active Directory.

Over the years they may have seen hundreds or thousands of different recommendations, upgrades, administrators, applications, systems, and staff. The volume of changes that occur organically over time, or through different management styles, domain trusts, mergers and acquisitions, vendors, and contracted staff can lead to forgotten accounts, systems, and “fixes”; overly permissive roles; and “improper” service or resource accounts unless the organization has been meticulous in managing this behemoth of a system.

More often than not, there is a skeleton in everyone’s closet just waiting to be found. Having worked with many organizations, Soteria realizes this and is looking to help our clients, and the community at large, discover and mitigate these issues.

Whether it is a Service Account that was created during the reign of Server 2008, or simply “bad” practices carried over from years of doing things ‘this way,’ our aim is to highlight a better way, bring attention to newer, safer methodologies, and help guide you towards a more secure, safe, and controlled AD environment.

For the last seven months, Soteria has offered the 365Inspect tool on our GitHub page to help organizations boost their Office 365 security posture. The tool evaluates the Office 365 environment for best practices and misconfigurations, and provides configuration guidance. We are pleased that 365Inspect has been met by the community and our clients with great success.

As such, the team at Soteria has taken the inspect tool concept and applied it to On-Premises Active Directory environments, offering similar benefits. Leveraging our team’s experience, industry best practices, and community shared information, we have created a tool that will take a deep dive into your environment and surface commonly seen misconfigurations, accounts vulnerable to privilege escalation, and some general information about the environment as a whole.

Currently, the tool performs the following checks:

Forest information:

  • Forest functional level

Domain information:

  • Domain Functional Level
  • Password Policy
  • Fine-Grained Password Policy
  • Lockout Policy
  • Schema version
  • Domain Trusts
  • List of Domain Controllers
  • Software installed on DCs
  • Services and their state on DCs
  • Scheduled Tasks on DCs
  • Get ms-DS-MachineAccountQuota value

GPO inspection:

  • Full report on all GPOs (HTML format)
  • Check for UAC policy
  • Policy to Prevent Accidental Script Execution

AD Rights and Permissions:

  • List users and groups with delegated rights on OUs
  • List ACLs on all Security Groups
  • List ACLs on all User Objects
  • List ACLs on all Computer Objects
  • List all Objects with GenericAll or Write permissions

User Enumeration:

  • Check for adminCount attribute
  • List High Value Targets: enumerate all members of admin groups whose group SID starts with “S-1-5-32”
  • Find all Admins who are Not marked as “Sensitive and cannot be delegated”
  • Find all AD Objects vulnerable to Kerberoasting
  • Find all AD Objects vulnerable to AS-REP Roasting
  • Get all users with access (direct or unintended) to read LAPS information (passwords and password expiration)
  • Find all users with non-expiring passwords
  • Find all users with blank or empty passwords, or marked as not requiring a password
  • Find all accounts with unchanged passwords (creation date and password last set date match)
  • Find all users with passwords stored with reversible encryption
  • Find all users with long-lived passwords (passwords that have outlived the password policy or users exempted from the policy)
  • Find all stale accounts (unused for 120+ days)
  • Inspect the description field for sensitive information (passwords, IP addresses, SSNs, phone numbers, UNC paths)
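To make the user-enumeration checks above concrete, here is a read-only audit script that reproduces several of them (Kerberoastable SPN accounts, accounts with Kerberos pre-authentication disabled, reversible encryption, password-not-required, non-expiring passwords, admins lacking the “sensitive, cannot be delegated” flag, passwords unchanged since creation, stale accounts, sensitive text in description fields) and reads the ms-DS-MachineAccountQuota value. This is an added example, not ADInspect’s own code; it assumes the ActiveDirectory PowerShell module is installed, that it runs on a domain-joined host as an account that can read user objects, and that the hypothetical 120-day staleness window and description regex are the ones you want.

```powershell
# Added example (not ADInspect's own code): a read-only audit reproducing several of the
# user-enumeration checks listed above. Assumes the ActiveDirectory module is installed and the
# caller can read user objects in the domain.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# userAccountControl bit values (Microsoft's UF_* constants)
$UF_ACCOUNTDISABLE             = 0x0002
$UF_PASSWD_NOTREQD             = 0x0020
$UF_ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
$UF_DONT_EXPIRE_PASSWD         = 0x10000
$UF_NOT_DELEGATED              = 0x100000
$UF_DONT_REQ_PREAUTH           = 0x400000

function Test-Flag([int]$uac, [int]$flag) { ($uac -band $flag) -ne 0 }

$props = 'userAccountControl', 'servicePrincipalName', 'adminCount', 'whenCreated',
         'PasswordLastSet', 'lastLogonTimestamp', 'description'
$users = Get-ADUser -Filter * -Properties $props
$staleCutoff = (Get-Date).AddDays(-120)   # assumed staleness window, matching the check above

$findings = foreach ($u in $users) {
    $uac     = [int]$u.userAccountControl
    $enabled = -not (Test-Flag $uac $UF_ACCOUNTDISABLE)
    $issues  = @()

    # Kerberoasting exposure: an enabled user account carrying an SPN (krbtgt is expected to have one).
    if ($enabled -and $u.servicePrincipalName.Count -gt 0 -and $u.SamAccountName -ne 'krbtgt') {
        $issues += 'SPN on user account (Kerberoastable): prefer a gMSA or a long random password'
    }
    # AS-REP roasting exposure: Kerberos pre-authentication disabled.
    if ($enabled -and (Test-Flag $uac $UF_DONT_REQ_PREAUTH)) { $issues += 'Kerberos pre-auth not required' }
    if (Test-Flag $uac $UF_ENCRYPTED_TEXT_PWD_ALLOWED) { $issues += 'Password stored with reversible encryption' }
    if (Test-Flag $uac $UF_PASSWD_NOTREQD)             { $issues += 'Password not required' }
    if (Test-Flag $uac $UF_DONT_EXPIRE_PASSWD)         { $issues += 'Password never expires' }
    # Privileged accounts (adminCount=1) should be marked "sensitive and cannot be delegated".
    if ($u.adminCount -eq 1 -and -not (Test-Flag $uac $UF_NOT_DELEGATED)) {
        $issues += 'Admin not marked "sensitive, cannot be delegated"'
    }
    # Unchanged password: password-last-set within a minute of the object's creation time.
    if ($u.PasswordLastSet -and [math]::Abs(($u.PasswordLastSet - $u.whenCreated).TotalMinutes) -lt 1) {
        $issues += 'Password unchanged since creation'
    }
    # Stale account: never logged on, or no logon within the window. lastLogonTimestamp is replicated
    # domain-wide but can lag the true last logon by up to 14 days.
    $lastLogon = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    if ($enabled -and (-not $lastLogon -or $lastLogon -lt $staleCutoff)) { $issues += 'Stale (no logon in 120+ days)' }
    # Description field: password-like words, IPv4 addresses, US SSN patterns, UNC paths (assumed patterns).
    if ($u.description -match '(?i)\bpass(word|wd)?\b|\b\d{1,3}(\.\d{1,3}){3}\b|\b\d{3}-\d{2}-\d{4}\b|\\\\[^\\\s]+\\') {
        $issues += 'Description may contain sensitive data'
    }

    if ($issues) {
        [pscustomobject]@{ Account = $u.SamAccountName; Enabled = $enabled; Findings = ($issues -join '; ') }
    }
}

# ms-DS-MachineAccountQuota: the default of 10 lets any authenticated user join machines to the domain;
# setting it to 0 and delegating computer-join rights explicitly is the usual hardening.
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota"

$findings | Sort-Object Account | Format-Table -AutoSize
```

The script only reads directory data; `Get-ADUser -Filter *` pulls every user, so on a large domain expect it to take a while and consider scoping it with `-SearchBase`. Treat the “stale” and “description” findings as leads to review rather than verdicts: lastLogonTimestamp lags by design, and the regex is deliberately broad.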

The tool can be found on our GitHub page, Soteria-security/ADInspect, and is under active development.

Issues and bugs can be reported and feature requests submitted via the templates in our GitHub repository. We want to thank you all, and encourage community feedback so that we can continue to add value to the tool and the community that has bolstered and supported our sustained growth!
