3. Elimination of Attack Paths
After determining the risk score of the Tier0 objects, the elimination of attack paths should start with prioritization. The sum_member_count metric can be used for this. The following Neo4j query lists the 5 most risky groups related to Tier0, i.e. the ones with the most members.
Identifying the 5 most risky groups that have a relation to Tier0
To interpret the output: once the relationship between Group8 and Tier0 is decoupled, the 1072 attack paths to Tier0 that run through it are mitigated.
The following Neo4j query can also be used to determine the members of these groups and which relations these members have over Tier0. We call objects that are not members of Tier0 but still hold privileges over Tier0 "Stealth Admins".
Identifying risky objects and their relations to Tier0 objects
As seen in this output, SOLOMON_GOFF has the ExecuteDCOM privilege on the DC. With this privilege, the account can obtain admin privileges by running a command on the DC.
The output also shows that the Enterprise Read-only Domain Controllers group has the GetChanges privilege on the domain object. This privilege is normal and present by default in Active Directory. Therefore, the Enterprise Read-only Domain Controllers group should also be marked as highvalue. Objects identified as privileged during the analysis, like this group, should be noted and marked as highvalue in the next iteration.
To analyze this output more easily, we can obtain a unique list of the affected Tier0 objects with the query below.
Identifying affected Tier0 objects
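The three analysis steps above (prioritizing groups, listing their members' privileges over Tier0, and the unique list of affected Tier0 objects), written out as an added example rather than the post's own queries. They assume the BloodHound schema (nodes with a `highvalue` property marking Tier0, `MemberOf` edges for group membership) and that the scoring step stored a numeric `sum_member_count` property on each Group node; both are assumptions, so adjust the names to your database.

```cypher
// Query 1: the 5 most risky groups related to Tier0, ranked by member count.
// Assumes Tier0 nodes carry highvalue = true and every Group node carries the
// sum_member_count property computed in the scoring step (both assumptions).
MATCH (g:Group)-[r]->(t {highvalue: true})
WHERE g.sum_member_count IS NOT NULL
WITH g, count(DISTINCT t) AS tier0_targets, collect(DISTINCT type(r)) AS edge_types
RETURN g.name AS group_name, g.sum_member_count AS members, tier0_targets, edge_types
ORDER BY members DESC
LIMIT 5;

// Query 2: "Stealth Admins" reachable through those 5 groups. A member (direct
// or nested) that is not itself in a Tier0 group is listed together with the
// non-membership edge it can use against a Tier0 object (GenericAll, ExecuteDCOM,
// GetChanges, ...) and the node that actually holds that edge ("holder"),
// i.e. the object whose ACE or group membership has to be fixed.
MATCH (g:Group)-->({highvalue: true})
WITH DISTINCT g, g.sum_member_count AS members
ORDER BY members DESC
LIMIT 5
MATCH (m)-[:MemberOf*1..]->(g)
WHERE NOT (m)-[:MemberOf*1..]->(:Group {highvalue: true})
  AND coalesce(m.highvalue, false) = false
MATCH (m)-[:MemberOf*0..]->(holder)-[p]->(t {highvalue: true})
WHERE type(p) <> 'MemberOf'
RETURN DISTINCT g.name AS via_group, m.name AS stealth_admin,
       holder.name AS holder, type(p) AS privilege, t.name AS tier0_object
ORDER BY via_group, stealth_admin, tier0_object;

// Query 3: unique list of Tier0 objects that non-Tier0 principals hold
// privileges over, with a count of how many principals expose each one.
MATCH (x)-[p]->(t {highvalue: true})
WHERE type(p) <> 'MemberOf'
  AND coalesce(x.highvalue, false) = false
RETURN t.name AS tier0_object, count(DISTINCT x) AS exposing_principals
ORDER BY exposing_principals DESC;
```

The `holder` column of Query 2 tells you where to remediate: when it is a group, the fix is group membership or the group's ACE; when it is the member itself, the fix is the ACE on the Tier0 object or, as in the inheritance case later in this section, on the OU it comes from.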
After the list is obtained, dangerous or improper privileges over the Tier0 objects should be examined and mitigated step by step.
For example, when the Security tab of the fslab.local domain object is opened, the ACL entries on this object can be seen. Unnecessary, overly broad, or suspicious entries should be removed or restricted. In this interface, we can see that the group CO-blackgirl-admingroup has FullControl (GenericAll) over the domain and all objects under it. This is a very broad privilege that should exist only for specific admin objects, so this and similar entries should be removed.
Dangerous access control entries on the fslab.local domain object
In another case, three users with the ExecuteDCOM privilege over the DC were identified. The privilege comes from membership in the Distributed COM Users group, so users who do not need it should be removed from that group.
Members of the Distributed COM Users group
In our last example, we look at the ACL on the BARBARA_CLINE object. The key point is that the JO-teamojavi-admingroup group has FullControl (GenericAll) over BARBARA_CLINE not directly but through inheritance: the ACE was actually applied to the FSR OU that contains BARBARA_CLINE, and it propagates to BARBARA_CLINE because of ACL inheritance.
Therefore, this ACE should be removed from the FSR OU, not from the BARBARA_CLINE object itself.
Inherited Access Control Entries