I gave a presentation at Defcon 21 on gaining domain admin by abusing commonly used management software:
The talk discussed domain controller isolation principles and how commonly used management software like System Center Operations Manager (SCOM), Out-of-band management devices (ex. HP iLO), Hyper-V, and security scanners can be abused in order to gain access to domain controllers.
Here are the slides and videos from the talk:
So You Think Your Domain Controller Is Secure
Twitter - @Script_happens
Basic domain controller isolation principles.
Recommendations for securely configuring software used to manage domain controllers (SCOM, HP iLO, Hyper-V, security scanners).
No vulnerabilities are
on how features could be abused if not configured properly.
of domain accounts in Windows.
Stores password hashes for all domain accounts.
The crown jewels of the
Recommendations for securing domains focus on pass-the-hash and account segmentation.
Software used to manage DCs is often overlooked.
System Center Operations Manager (SCOM)
Software used to monitor servers.
Great SCOM security guide
Used to monitor and manage servers over the network regardless of the server state.
Guidance on securing OOB devices.
Windows Server Virtualization
Running domain controllers
System Center Operations Manager (SCOM) is used for monitoring and alerting of server health.
The SCOM management server hosts the SCOM SDK service on ports 5723 and 5724.
These ports are required to be open in order to pull data across environment boundaries, so firewalls are often configured to allow them.
A default Nmap scan does not check these ports.
The SCOM agent, which runs on monitored servers, typically runs as SYSTEM.
SCOM “tasks” allow you to run VBScript on monitored servers.
Any account in the SCOM ‘Administrators’ or ‘Authors’ roles can run VBScript on any monitored server.
Code runs under the SCOM agent, which is configured to run as SYSTEM by default.
SCOM servers that monitor domain controllers should be treated as domain controllers.
SCOM SDK Architecture
Default SCOM Agent Credentials
Many existing articles warn users of the dangers of running tasks under high-privileged accounts:
Creating SCOM tasks to run arbitrary code.
Segregate SCOM servers used to monitor domain controllers.
Close off SCOM SDK ports (5723 and 5724).
Reduce SCOM ‘Administrators’ and ‘Authors’ roles to only domain admins.
Move support and engineers to ‘Read-Only’ or ‘Operator’ SCOM roles.
Reduce SCOM agent privileges.
Follow the official SCOM
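As an added illustration of the role-reduction recommendation above (this is not code from the talk), the following PowerShell audit lists every account that reaches the SCOM Administrators or Authors roles, expanding nested AD groups, but is not a member of Domain Admins. It assumes the OperationsManager and ActiveDirectory modules are installed, that the built-in role display names still contain "Administrators" / "Authors", and that the role objects expose DisplayName and Users properties.

```powershell
# Added audit script (not from the talk). Assumes the OperationsManager and
# ActiveDirectory modules and the built-in SCOM role display names.
Import-Module OperationsManager
Import-Module ActiveDirectory

# Approved principals: every member of Domain Admins, expanded through nested groups.
$approved = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# Expand one SCOM role member ("DOMAIN\name") to the individual accounts it grants access to.
function Expand-RoleMember {
    param([string]$Member)
    $sam = ($Member -split '\\')[-1]            # strip the DOMAIN\ prefix
    $obj = Get-ADObject -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if ($obj -and $obj.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $sam -Recursive | Select-Object -ExpandProperty SamAccountName
    } else {
        $sam
    }
}

# Only the Administrators and Authors roles can create and run tasks on monitored servers
# (the agent executes them as SYSTEM), so these are the roles worth auditing.
$privilegedRoles = Get-SCOMUserRole | Where-Object {
    $_.DisplayName -like '*Administrators*' -or $_.DisplayName -like '*Authors*'
}

$findings = foreach ($role in $privilegedRoles) {
    foreach ($member in $role.Users) {
        foreach ($account in Expand-RoleMember -Member $member) {
            if ($approved -notcontains $account) {
                [pscustomobject]@{
                    Role      = $role.DisplayName
                    GrantedTo = $member      # the entry as it appears in the SCOM role
                    Account   = $account     # the effective account after group expansion
                }
            }
        }
    }
}

if ($findings) {
    Write-Warning "Accounts outside Domain Admins can run SCOM tasks as SYSTEM on monitored servers:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "SCOM Administrators/Authors roles are limited to Domain Admins."
}
```

Run it on the management server that monitors the domain controllers; every row it prints is an account that should be moved to the Read-Only or Operator role.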
Detection and Evasion
SCOM tasks should be audited to detect hidden malicious tasks.
SCOM stores task execution logs in the SCOM database.
Default retention is 7 days, but can be changed.
SCOM SDK connections are logged in the “Operations Manager” event log.
SCOM Task History
Out-Of-Band Management Devices
Servers usually have OOB management hardware used for server monitoring and maintenance.
HP Integrated Lights Out (iLO), Dell DRAC, IBM Integrated Management Module (IMM), etc.
Equivalent to physical access to a server.
Admin interface accessed over HTTP/HTTPS, SSH, IPMI.
Commonly have default passwords.
Remote root vulnerabilities: difficult to patch.
HP ILO Security Override Switch
OOB Device Default Passwords:
Remote Access Card (DRAC)
Integrated Management Module (IMM): USERID / PASSW0RD
Integrated Lights Out (iLO): <8 char string>
Integrated Remote Management Controller
Integrated Lights Out Manager (ILOM)
Using HP iLO to mount a Linux live disc.
Change default passwords.
Have a regular patching process for OOB devices.
Monitor audit logs for
Configure 2FA when possible.
Set up a separate management VLAN for OOB devices.
SANS paper on securing
Hyper-V: software that hosts virtual machines.
Administrator on the host is equivalent to admin rights on all guest virtual machines.
Can boot into a Linux live disc or steal the VHD file to compromise a domain controller VM.
Booting Into Linux Live Disc
Stealing NTDS.DIT and SYSTEM hive
Segregate Hyper-V servers that host domain controllers.
Only domain admins should have access to:
Hyper-V servers hosting domain controllers.
Domain controller VHDs.
The host should be in a separate management network when possible.
perform authenticated vulnerability scanning.
The account used is typically very high privileged and has admin access to domain controllers.
These servers should be treated as a domain controller if they use domain admin credentials.
Management software and hardware is often highly privileged and can be abused if not properly configured.
Segregate management of domain controllers from other categories of servers.
Using System Center Operations Manager To Start a Reverse Shell and Dump Domain Hashes:
Using HP Integrated Lights Out To Boot Into a Linux Live Disc and “Sticky Key” the Server:
Using System Center Operations Manager To Run Executable On Monitored Server To Dump Hashes:
Using System Center Operations Manager SDK to Run Arbitrary Commands On Monitored Servers: