diff --git a/TierZeroTable.csv b/TierZeroTable.csv index c135ef5..02329b7 100644 --- a/TierZeroTable.csv +++ b/TierZeroTable.csv 
@@ -60,8 +60,10 @@ Domain Controllers (OU);AD OU;Active Directory;DistinguishedName: OU=Domain Cont Domain root object;AD domain;Active Directory;Top object in the Default Naming Context;A Domain root object represents the AD domain. It contains all AD objects in the Default Naming Context.;YES - Takeover;N/A - Compromise by default;YES;An attacker with control over the domain root object can compromise the domain in multiple ways, for example by a DCSync attack (see reference). The domain root object is therefore Tier Zero.;NO;NO;2;https://adsecurity.org/?p=1729 DnsAdmins;AD group;Active Directory;S-1-5-21--;"Members of the DnsAdmins group have access to network DNS information. The default permissions are Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain. -For more information about security and DNS, see DNSSEC in Windows Server 2012.";YES - Takeover;N/A - Compromise by default;YES;Users from the DnsAdmins group could use a “feature” in the Microsoft DNS management protocol to make the DNS service load any DLL. This service runs on Domain Controllers as NT AuthoritySystem, allowing DnsAdmins to escalate privileges to SYSTEM on DC (with permissions equal at least to Domain Admins).;NO;NO;Community contribution;"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#dnsadmins -https://www.semperis.com/blog/dnsadmins-revisited/" +For more information about security and DNS, see DNSSEC in Windows Server 2012.";YES - Takeover;N/A - Compromise by default;YES;"DnsAdmins controls DNS which enables an attacker to trick a privileged victim to authenticate against an attacker-controlled host as it was another host. This enables a Kerberos relay attack. Also, control over DNS enables disruption of Tier Zero since Kerberos depends on DNS by default. 
+ +The group could previously use a feature in the Microsoft DNS management protocol to make the DNS service load any DLL and thereby obtain a session as SYSTEM on the DNS server. This vulnerability was patched in Dec 2021.";NO;NO;Community contribution;"https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html +https://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html" Enterprise Admins;AD group;Active Directory;SID: S-1-5-21--519;"The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. The group is a Universal group if the domain is in native mode. The group is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, like adding child domains. By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access to configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Members of the default service administrator groups in the root domain can modify Enterprise Admins membership. This group is considered a service administrator account.
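Review bot: The new DnsAdmins rationale keeps "YES - Takeover" but no longer states a direct takeover path; it describes a Kerberos relay that needs a privileged victim to authenticate to a spoofed host, plus disruption, so the text should spell out how that relay lands on a Tier Zero asset (the Project Zero post it cites covers the relay, not the DnsAdmins-to-Tier-Zero step), or the classification should be reconsidered. Two smaller points in the same hunk: the sentence "This vulnerability was patched in Dec 2021" carries no reference, so either cite the fix it refers to or drop the date; and the removed `https://learn.microsoft.com/...#dnsadmins` link is the source of the unchanged description text ("Members of the DnsAdmins group have access to network DNS information..."), so it should stay in the references column. Wording: "authenticate against an attacker-controlled host as it was another host" should read "as if it were another host".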