Active Directory OU Control to Domain Admin

TL;DR

If an attacker gains control of an Organizational Unit (OU) in Active Directory and has the permissions to modify group membership within that OU, they can add themselves (or a compromised account) to privileged groups like Domain Admins. This guide explains how this is possible and what steps you can take to prevent it.

How It Works

Active Directory uses OUs to organize users, computers, and other objects. Permissions are often delegated at the OU level for easier management. If an attacker compromises an account with sufficient permissions on an OU containing accounts that *are members* of privileged groups (like Domain Admins), they can manipulate group membership to gain domain-wide control.

Steps to Prevent OU Control Leading to Domain Admin Access

  1. Review OU Permissions Regularly:
    • Use the dsacls command or Active Directory Users and Computers (ADUC) to audit permissions on all OUs, especially those containing critical accounts.
    • Look for excessive permissions granted to non-administrative accounts. Specifically, check for ‘Write’ access to properties that control group membership.
    • dsacls "OU=CriticalOU,DC=example,DC=com"
      (dsacls prints the full ACL of the named object, including inherited entries; run it against each OU that holds privileged accounts.)
  2. Least Privilege Principle:
    • Grant users only the minimum permissions necessary to perform their tasks. Avoid delegating broad ‘Write’ access to OUs.
    • Use predefined Active Directory roles where possible instead of custom permission configurations.
  3. Protected Groups:
    • Keep the built-in protection in place for highly sensitive groups like Domain Admins, Enterprise Admins, and Schema Admins. These groups are protected by the AdminSDHolder mechanism (adminCount = 1), and the SDProp process resets their permissions on a schedule so that delegated permissions do not carry over to them. This prevents accidental or malicious permission changes that would allow modifications to group membership.
    • You can verify that a group carries the protection flag, and additionally protect it from accidental deletion, using PowerShell:
      Get-ADGroup -Identity "Domain Admins" -Properties adminCount | Select-Object Name, adminCount
      Set-ADObject -Identity (Get-ADGroup -Identity "Domain Admins").DistinguishedName -ProtectedFromAccidentalDeletion $true
  4. Monitor Group Membership Changes:
    • Implement auditing to track changes to privileged group membership. Configure Windows Event Collection to capture events related to group modifications (Event ID 4728, 4729, 4730 for global groups such as Domain Admins; Enterprise Admins and Schema Admins are universal groups, so also collect 4756 and 4757).
    • Use a SIEM (Security Information and Event Management) system to alert on suspicious activity, such as unexpected additions to Domain Admins.
  5. Implement Privileged Access Management (PAM):
    • Consider using a PAM solution to control access to privileged accounts and groups. PAM solutions often provide features like just-in-time access and session recording.
  6. Regular Security Audits:
    • Conduct regular security audits of your Active Directory environment to identify potential vulnerabilities and misconfigurations.
    • Use tools like BloodHound to visualize attack paths within your AD forest, including those originating from OU control.
  7. Restrict Group Policy Object (GPO) Editing:
    • Limit who can edit GPOs that apply to OUs containing critical accounts or privileged groups. Attackers could use malicious GPOs to modify group membership indirectly.
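The permission review in steps 1 and 2 above, as an added PowerShell example that is not part of the original post: it walks up from every Domain Admins member to the OUs that contain it and reports allow-ACEs on those OUs that grant write-level rights to principals outside an expected administrator list. The $ExpectedPrincipals list and the $WriteRights pattern are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): audit OU ACLs for write-level rights
# granted to principals outside the expected admin set, limited to OUs that hold
# at least one member of Domain Admins. Assumes the ActiveDirectory module and a
# domain-joined session with read access to the directory.
Import-Module ActiveDirectory

# Principals expected to hold write rights on OUs (assumed list); anything else is flagged.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins",
    'BUILTIN\Administrators'
)

# Rights that let a holder change objects, the ACL, or reset passwords under the OU.
$WriteRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild|DeleteChild|ExtendedRight'

# DNs of Domain Admins members (recursive, so members of nested groups count too).
$DaMembers = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName

function Get-ParentOUs([string]$Dn) {
    # Yield every OU in the DN chain above the object, e.g. "OU=Tier0,OU=Admins,DC=example,DC=com".
    $parts = $Dn -split '(?<!\\),'          # split on commas that are not escaped
    for ($i = 1; $i -lt $parts.Count; $i++) {
        if ($parts[$i] -like 'OU=*') { $parts[$i..($parts.Count - 1)] -join ',' }
    }
}

$SensitiveOUs = $DaMembers | ForEach-Object { Get-ParentOUs $_ } | Sort-Object -Unique

foreach ($ou in $SensitiveOUs) {
    $acl = Get-Acl -Path "AD:\$ou"         # AD: drive is provided by the ActiveDirectory module
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights -notmatch $WriteRights) { continue }
        if ($ExpectedPrincipals -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            OU        = $ou
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}
```

Members that live in the default CN=Users container rather than an OU produce no rows, because no OU ACL applies to them; review that container's ACL separately.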

Detecting an Active Attack

  1. Review Event Logs: Look for events indicating unauthorized changes to group memberships, particularly in the Domain Admins group.
  2. Check Group Membership: Regularly verify the membership of privileged groups using PowerShell (-Recursive expands nested groups so indirect members are listed too):
    Get-ADGroupMember -Identity "Domain Admins" -Recursive
  3. Monitor for New Accounts: Be alert for newly created accounts with administrative privileges, especially if they are not part of your standard onboarding process.