Overview#
Active Directory RISK Related Searches shows some rather simple LDAP SearchRequests which may reveal risk issues that should be of concern. Many of these use the Microsoft Active Directory LDAP_MATCHING_RULE_BIT_AND extensible matching rule (1.2.840.113556.1.4.803) to evaluate the userAccountControl attribute for various User-Account-Control Attribute Values.
Risk: PASSWD_NOTREQD (32)#
PASSWD_NOTREQD implies the user may have no password at all, so anyone could authenticate as the entry and then set their own password.
ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))" "userAccountControl" "EmployeeStatus" "employeeType" "pwdLastSet" "sAMAccountName" "objectClass"
Ldapwiki was advised that this search also returns entries with userAccountControl=2080 (2048 + 32), which are INTERDOMAIN_TRUST_ACCOUNT entries whose passwords you should not mess with: they do not use passwords but non-password authentication. Here is a search that excludes those accounts (it also limits the results to entries whose pwdLastSet is 0):
ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2048))(pwdLastSet=0))" "sAMAccountName" "userAccountControl" "employeeStatus" "employeeType" "pwdLastSet" "lastLogonTimestamp" "createTimeStamp" "objectClass"
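The bit tests the searches above express in LDAP can be reproduced offline to check which entries a filter would return and why. The following Python is an added example, not part of Ldapwiki or any Microsoft tool; the flag constants are the documented userAccountControl bit values, the risk labels and sample entries are constructed here, and the PASSWD_NOTREQD check mirrors the second search (flag 32 set, flag 2048 clear, pwdLastSet=0).

```python
"""Added example (not from Ldapwiki): decode userAccountControl bit flags and
evaluate the same conditions the LDAP_MATCHING_RULE_BIT_AND filters on this
page express, over constructed sample entries instead of a live directory."""

# User-Account-Control attribute values (Microsoft-documented bit flags).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020              # 32
NORMAL_ACCOUNT = 0x0200              # 512
INTERDOMAIN_TRUST_ACCOUNT = 0x0800   # 2048
DONT_EXPIRE_PASSWORD = 0x10000       # 65536
NOT_DELEGATED = 0x100000             # 1048576
USE_DES_KEY_ONLY = 0x200000          # 2097152
DONT_REQ_PREAUTH = 0x400000          # 4194304

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    INTERDOMAIN_TRUST_ACCOUNT: "INTERDOMAIN_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    NOT_DELEGATED: "NOT_DELEGATED",
    USE_DES_KEY_ONLY: "USE_DES_KEY_ONLY",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

# Risk conditions from this page, keyed by the flag each filter tests
# (labels are constructed for this example).
RISK_LABELS = {
    PASSWD_NOTREQD: "password not required",
    DONT_EXPIRE_PASSWORD: "password never expires",
    DONT_REQ_PREAUTH: "Kerberos pre-authentication not required",
    NOT_DELEGATED: "sensitive and not trusted for delegation",
    USE_DES_KEY_ONLY: "DES-only Kerberos keys",
}


def bit_and(value, mask):
    """Semantics of matching rule 1.2.840.113556.1.4.803: true only when
    every bit in `mask` is set in `value`."""
    return value & mask == mask


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if bit_and(value, bit)]


def passwd_not_required(entries):
    """Mirror of the second PASSWD_NOTREQD search: flag 32 set, flag 2048
    (INTERDOMAIN_TRUST_ACCOUNT) not set, and pwdLastSet=0."""
    return [e["sAMAccountName"] for e in entries
            if bit_and(e["userAccountControl"], PASSWD_NOTREQD)
            and not bit_and(e["userAccountControl"], INTERDOMAIN_TRUST_ACCOUNT)
            and e["pwdLastSet"] == 0]


def risk_report(entries):
    """Map each sAMAccountName to the list of risk labels whose flag is set."""
    report = {}
    for e in entries:
        uac = e["userAccountControl"]
        hits = [label for bit, label in RISK_LABELS.items() if bit_and(uac, bit)]
        if hits:
            report[e["sAMAccountName"]] = hits
    return report


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_legacy", "userAccountControl": 66080, "pwdLastSet": 0},   # 65536 + 512 + 32
    {"sAMAccountName": "PARTNER$", "userAccountControl": 2080, "pwdLastSet": 0},      # 2048 + 32: trust account
    {"sAMAccountName": "jdoe", "userAccountControl": 512, "pwdLastSet": 131707986436733938},
    {"sAMAccountName": "oldapp", "userAccountControl": 4194816, "pwdLastSet": 131000000000000000},   # 512 + 4194304
    {"sAMAccountName": "desonly", "userAccountControl": 2097664, "pwdLastSet": 131000000000000000},  # 512 + 2097152
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e["sAMAccountName"], e["userAccountControl"], decode_uac(e["userAccountControl"]))
    print("password not required (trust accounts excluded):", passwd_not_required(SAMPLE_ENTRIES))
    for name, hits in risk_report(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(hits))
```

Running it shows why the exclusion matters: the plain 32 test flags both svc_legacy and the PARTNER$ trust account, while passwd_not_required() returns only svc_legacy. The same bit_and() check applies to every other flag-based search on this page.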
Risk: DONT_EXPIRE_PASSWORD (65536)#
The DONT_EXPIRE_PASSWORD flag overrides the Password Policy assigned to the user.
searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
Risk: Users with accounts that do not expire (accountExpires)#
Odd, but this is different from DONT_EXPIRE_PASSWORD: it addresses accounts that never expire rather than passwords. Read about accountExpires to learn why.
searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=9223372036854775807)))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
Risk: Kerberos Pre-Authentication NOT required (4194304)#
searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
Risk: Sensitive and not trusted#
These are entries which have been assigned a "Sensitive Privilege" but are not "Trusted" for delegation. This has been observed during some attacks where an Attacker obtains the privilege but is not "Trusted".
searchBase="DC=EXAMPLE,DC=COM" filter="(userAccountControl:1.2.840.113556.1.4.803:=1048576)" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
Risk: NO Password Change since 2018#
Often you will find that some entries have NEVER performed a logon; evaluating the pwdLastSet attribute reveals them. The value below is a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC) that falls in 2018.
searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(pwdLastSet<=131707986436733938))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
And a slightly more specific search using (sAMAccountType=805306368) and lastLogonTimestamp:
ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(sAMAccountType=805306368)(lastLogonTimestamp<=131592420610000000))" "userAccountControl" "employeeType" "lastLogonTimestamp" "objectClass"
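Both the accountExpires search earlier on this page and the pwdLastSet / lastLogonTimestamp cutoff searches above depend on Windows FILETIME values, which are awkward to produce by hand. The following Python is an added example, not from Ldapwiki or Microsoft: it converts between FILETIME and UTC datetimes, builds the cutoff filter for a chosen date, recognises the two accountExpires sentinel values, and applies the cutoff to constructed sample entries.

```python
"""Added example (not from Ldapwiki): convert between Active Directory
FILETIME values (100-ns ticks since 1601-01-01 UTC) and datetimes, build the
cutoff filters used on this page, and apply them to constructed entries."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# accountExpires values that both mean "account never expires".
ACCOUNT_NEVER_EXPIRES = {0, 9223372036854775807}


def filetime_to_datetime(ft):
    """FILETIME -> aware UTC datetime; None for the 0 / max sentinels."""
    if ft in ACCOUNT_NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME (integer 100-ns ticks)."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def filetime_for(year, month, day, hour=0, minute=0, second=0):
    """Convenience: FILETIME for a UTC calendar date/time."""
    return datetime_to_filetime(datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc))


def cutoff_filter(attribute, cutoff):
    """LDAP filter matching user entries whose `attribute` is at or before `cutoff`,
    in the same shape as the pwdLastSet search on this page."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"({attribute}<={datetime_to_filetime(cutoff)}))")


def never_expiring(entries):
    """Names whose accountExpires carries either 'never expires' sentinel."""
    return [e["sAMAccountName"] for e in entries if e["accountExpires"] in ACCOUNT_NEVER_EXPIRES]


def older_than(entries, attribute, cutoff):
    """Names whose `attribute` is <= cutoff, exactly as the LDAP `<=` filter
    matches. Note that a value of 0 ('never set') also satisfies the filter."""
    threshold = datetime_to_filetime(cutoff)
    return [e["sAMAccountName"] for e in entries if e[attribute] <= threshold]


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "accountExpires": 9223372036854775807,
     "pwdLastSet": 132000000000000000, "lastLogonTimestamp": 132000000000000000},   # 2019
    {"sAMAccountName": "oldapp", "accountExpires": 0,
     "pwdLastSet": 131000000000000000, "lastLogonTimestamp": 131000000000000000},   # 2016
    {"sAMAccountName": "contractor", "accountExpires": 131900000000000000,
     "pwdLastSet": 0, "lastLogonTimestamp": 0},                                      # never set
]

if __name__ == "__main__":
    cutoff = datetime(2018, 1, 1, tzinfo=timezone.utc)
    print(cutoff_filter("pwdLastSet", cutoff))
    print("page's pwdLastSet cutoff =", filetime_to_datetime(131707986436733938))
    print("never expiring:", never_expiring(SAMPLE_ENTRIES))
    print("pwdLastSet before 2018:", older_than(SAMPLE_ENTRIES, "pwdLastSet", cutoff))
```

Because the `<=` comparison also matches a value of 0, the stale-password result includes entries whose password was never set; when reviewing results, look at the pwdLastSet value itself rather than treating every hit as an old password.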
Risk: foreignSecurityPrincipal#
ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 10000 "(objectClass=foreignSecurityPrincipal)" "memberOf" "sAMAccountName" "sAMAccountType" "objectClass"
Risk: USE_DES_KEY_ONLY (2097152)#
ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2097152))" "userAccountControl" "employeeType" "createTimeStamp" "objectClass"