A frequently overlooked vulnerability in Active Directory (AD) infrastructures is the machine account quota attribute. While this feature can be used for legitimate work by trusted domain administrators, malicious individuals can leverage it to bypass security measures. By default each standard user of a Windows enterprise network can enable up to 10 machine accounts. This default quota is much higher than necessary for a standard user in the environment. By decreasing the default machine account quota or configuring machine accounts to have fewer privileges, businesses can improve their security posture with minimal effort.
Default Machine Account Quota configuration can be leveraged for a few different attacks that may lead to unauthorized domain administrator privileges. The Networks Group Ethical Hacking team recently exploited this misconfiguration as part of a resource based constrained delegation attack (RBCD). The first step was to capture the certificate of a domain controller through coerced authentication using the Petitpotam exploit. After obtaining the cert, the team was able to leverage the default machine account quota configuration to add a new machine account to the domain. This is a critical step because machine accounts are able to modify a particular attribute that allows us to act on the behalf of another identity in the domain. The act of modifying this attribute is the essence of the RBCD attack. Once that was completed, the team used their newly created machine account to impersonate the domain administrator and grant access to the entire domain's database of usernames and hashes.
By adding a machine account, The Networks Group Ethical Hacking Team leveraged standard user privileges into unauthorized domain administrator control. This attack path can be blocked by simply reducing machine account quotas for standard users to zero. While reducing the quota does not ensure complete security, it can significantly increase the time required for an attacker to escalate privileges and provide an opportunity for defenders to respond.
If you have questions or want further information on how we can help you better understand and remediate security issues, please reach out. NetWorks Group has been helping customers secure their environments for over 25 years.
Published By: Rachel Park and Taylor Craig, Junior Penetration Testers, NetWorks Group
Publish Date: March 7, 2023
Security news, tips, webinars, and more straight to your inbox.