Before allowing junior administrators to take on solo projects of their own, some organizations hand them significant responsibilities so they can gain on-the-job experience. Specific administrative access is delegated to their user accounts so they can carry out a particular privileged task, and everyone promptly forgets about it. Such accounts are called “Shadow Admins”: they are often forgotten and ignored by everyone, only to be discovered and exploited by threat actors.
Since shadow admins have privileged access to perform limited administrative functions on Active Directory objects, they pose a major threat to organizations. AD administrators can delegate privileges to reset passwords, create and delete accounts, or perform other tasks.
The danger of these accounts operating without the security team’s full scrutiny is very high. If threat actors gain access to and take control of one of these accounts, they can extend their attack in numerous ways, including lateral movement or privilege escalation, whilst staying incognito.
There is no straightforward way of discovering such accounts other than conducting an exhaustive audit, which means they pose a threat that is often not fully quantified.
The million-dollar question here is: if one can’t identify the problem and gauge its extent, how can anyone prepare for it?
Veiled within the Darkness
Attackers are constantly on the lookout for shadow admin accounts because of the privilege and stealth they bestow. The activities of these accounts can go unnoticed since they are not members of a privileged group. AD admins can monitor accounts that belong to an Active Directory (AD) group, so unusual behavior by those accounts is relatively straightforward to pinpoint.
Since shadow admins gain a particular privilege by direct assignment, they are not members of a group. If attackers seize control of one of these accounts, they immediately have a degree of privileged access. Using the already assigned privileges, attackers can try to advance their attack subtly and seek further privileges and permissions while escaping defender scrutiny.
Leaving forgotten shadow admin accounts in an organization’s AD for malicious outsiders to exploit is a considerable risk. AD admin groups, by contrast, help defenders understand exactly which users have privileged access to the network.
Conversely, the presence of shadow admin accounts could be a sign that an attack is underway. If an attacker can create shadow admins by granting themselves permissions and then assigning those accounts higher privileges, they can extend their attack in many directions.
What is a Shadow Admin?
Shadow admins are accounts that are not members of a privileged AD group but have gained privileges through permissions assigned using an access control list (ACL) applied to an object in AD. These objects can be anything with a security descriptor, ranging from files and events to processes.
Active Directory consists of a tree of objects that define the network and everything on it. Each object in AD has its own list of permissions, the ACEs (Access Control Entries) that make up its ACL; an object’s ACL defines who has permissions on that specific object and what actions they can perform on it. The list of permissions includes both general and individual permissions such as “Full Control”, “Write”, “Delete” and “Read”, as well as “Extended Rights” such as “User-Force-Change-Password”.
The privileged accounts are classified under four main categories:
- Privileged business accounts, such as finance users or corporate social media accounts
- Application and services accounts such as DB or SharePoint admins
- Local privileged accounts such as local admins on endpoints and servers or “root” on Unix and Linux systems
- Domain privileged accounts such as a domain admin user or DHCP (Dynamic Host Configuration Protocol) admin
Finding Shadow Admins
Finding shadow admins is not an easy task. Prevention is the best cure, which is fine if one is working with a newly installed AD. However, things get tricky if the AD has been around for a while and carries complications accumulated from past issues, including the disruption a network suffers during mergers and acquisitions.
Conducting an exhaustive audit of all ACL entries within AD is the native way of identifying shadow admin accounts. Along with being time-consuming, this process can also be ineffective: because it is manual, there is an inevitable chance that these dangerous accounts will be overlooked.
Newer tooling lets security teams identify shadow admin accounts at the domain controller level as excess-privilege exposures. Organizations that adopt such tools gain early and valuable insight that improves visibility, and security teams can additionally detect exposed API keys, credentials and secrets that reveal shadow admins, access to domain controllers, and other risks.
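As an added example that is not part of the original post (nor eScan’s own tooling), the following PowerShell script performs the ACL audit described in the two sections above using the RSAT ActiveDirectory module: it walks user, group, computer and OU objects, reads each object’s ACEs, and reports non-inherited Allow entries that grant control rights (GenericAll, WriteDacl, WriteOwner, unrestricted WriteProperty, all Extended Rights, or the User-Force-Change-Password right) to any principal outside an expected list. The expected-principal list, the search scope and the single-domain naming assumption are this example’s choices, not the post’s.

```powershell
# Added example (not from the original post): audit direct ACEs on AD objects that grant
# control rights to principals outside the expected privileged groups.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read object ACLs.
Import-Module ActiveDirectory

# Extended-right GUID for User-Force-Change-Password (from the AD schema)
$ForceChangePasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# Principals expected to hold control rights; anything else is a candidate shadow admin.
# Short names are matched after stripping the DOMAIN\ prefix (assumption: single domain).
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    'Domain Admins', 'Enterprise Admins', 'Administrators', 'Enterprise Domain Controllers'
)

function Get-ControlRights {
    # Returns the subset of an ACE's rights that confer control over the object.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $rights = $Ace.ActiveDirectoryRights
    if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]'GenericAll')) {
        return @('GenericAll')   # GenericAll already implies every other right below
    }
    $found = @()
    foreach ($r in 'WriteDacl', 'WriteOwner') {
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]$r)) { $found += $r }
    }
    # WriteProperty with an empty ObjectType means "write every attribute"
    if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]'WriteProperty') -and
        $Ace.ObjectType -eq [guid]::Empty) { $found += 'WriteProperty(all)' }
    # ExtendedRight with an empty ObjectType means "all extended rights"; otherwise look for
    # the password-reset right the post mentions
    if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight')) {
        if ($Ace.ObjectType -eq [guid]::Empty) { $found += 'ExtendedRight(all)' }
        elseif ($Ace.ObjectType -eq $ForceChangePasswordGuid) { $found += 'User-Force-Change-Password' }
    }
    return $found
}

function Find-ShadowAdminAce {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$IncludeInherited   # OU-level ACEs inherited downwards also grant effective control
    )
    # objectClass=user also matches computer objects
    $objects = Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=organizationalUnit))'
    foreach ($obj in $objects) {
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            $principal = $ace.IdentityReference.Value
            $short     = ($principal -split '\\')[-1]
            if ($ExpectedPrincipals -contains $principal -or $ExpectedPrincipals -contains $short) { continue }
            $rights = Get-ControlRights -Ace $ace
            if ($rights.Count -eq 0) { continue }
            [pscustomobject]@{
                Object    = $obj.DistinguishedName
                Principal = $principal
                Rights    = ($rights -join ',')
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: list findings, then expand any group principal into its recursive membership,
# since the shadow admin is the person who ends up holding the right
$findings = @(Find-ShadowAdminAce)
$findings | Format-Table -AutoSize
foreach ($p in ($findings.Principal | Sort-Object -Unique)) {
    $name = ($p -split '\\')[-1]
    $grp  = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if ($grp) {
        $members = Get-ADGroupMember -Identity $grp -Recursive | Select-Object -ExpandProperty SamAccountName
        "$p expands to: " + ($members -join ', ')
    }
}
```

Two things worth knowing when reading the output: a principal shown as a raw SID (S-1-5-…) is an ACE left behind by a deleted account and should simply be removed, and rerunning with -IncludeInherited surfaces rights delegated at the OU level, which is where most long-forgotten delegations live.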
Deceptively Turning the Tables
Forward-looking organizations can take advantage of the fact that shadow admins are attractive to adversaries by using fake accounts to detect attackers and redirect them to decoys.
Deception and concealment technologies can hide privileged accounts, such as domain or shadow admin accounts, and deny access to them.
Decoy accounts can be placed in the position of a shadow admin account; an attempt to take over the decoy triggers an alert and can even misdirect the attacker away from production assets and into a decoy environment.
By deploying decoys at other stages of the kill chain, organizations can snare attackers in a hall of mirrors and limit their damage. Meanwhile, defenders can study the attackers’ techniques and gather more information about system vulnerabilities or novel exploits the adversaries used.
If threat actors access a decoy, security teams and systems can closely analyze the attacker’s behavior and amass valuable threat intelligence that helps fend off future attacks.
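As an added example (not part of the original post, and not eScan’s tooling), the following PowerShell script implements the alerting side of the decoy accounts described above: it reads the Security event log on a domain controller for authentication events that name the decoy accounts and writes an alert event for a SIEM to collect. The decoy account names and the event-log source name are placeholders chosen for this example; the underlying assumption is that decoys are never used legitimately, so any event naming one deserves an alert.

```powershell
# Added example (not from the original post): alert on any authentication activity against
# decoy accounts. Assumes it runs on a domain controller (or a server receiving forwarded
# Security events) with rights to read the Security log, and that the decoy accounts are
# never used legitimately, so any event naming them is suspicious.

# Placeholder decoy account names (constructed for this example; replace with your own)
$DecoyAccounts = @('svc-backup-legacy', 'helpdesk-admin2')

# Security log event IDs whose TargetUserName field names the account being authenticated:
# 4768 Kerberos TGT requested, 4771 Kerberos pre-authentication failed,
# 4776 NTLM credential validation, 4624 successful logon, 4625 failed logon
$EventIds = 4768, 4771, 4776, 4624, 4625

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of a Security event into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    return $data
}

function Get-DecoyAccountActivity {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = $EventIds
        StartTime = $Since
    }
    foreach ($e in $events) {
        $d      = ConvertFrom-EventData -Event $e
        $target = $d['TargetUserName']
        # -contains is case-insensitive, matching how AD treats account names
        if (-not $target -or -not ($DecoyAccounts -contains $target)) { continue }
        # Kerberos and logon events carry IpAddress; NTLM validation (4776) carries Workstation
        $source = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['Workstation'] }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Account = $target
            Source  = $source
            Status  = $d['Status']   # failure code on 4625/4771/4776; empty on success events
        }
    }
}

# Usage: any hit is an alert. Write it to the Application log so SIEM collection picks it up;
# the source name 'DecoyAccountMonitor' is an assumption and only needs registering once per host.
$hits = @(Get-DecoyAccountActivity)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    if (-not [System.Diagnostics.EventLog]::SourceExists('DecoyAccountMonitor')) {
        New-EventLog -LogName Application -Source 'DecoyAccountMonitor'
    }
    Write-EventLog -LogName Application -Source 'DecoyAccountMonitor' -EntryType Warning -EventId 1000 `
        -Message ("Decoy account activity detected:`n" + ($hits | Out-String))
}
```

Because the decoy name is the only condition, a single failed pre-authentication (4771) or NTLM validation (4776) is enough to fire, which is the point: there is no legitimate baseline to tune against, so the rule has essentially no false positives, and the Source column gives the responder the host to isolate.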
Organizations mature enough to understand the possible dangers know that shadow admins may be lurking in their network. They understand that it’s time to identify these loopholes and turn them to their advantage by using attack path visibility tools along with deception and concealment technologies.
To read more, please check eScan Blog