Few organizations would purposefully hand a huge responsibility to a junior staff member before letting them fly solo on their own personal projects, but that’s effectively what happens inside too many corporate networks: organizations delegate specific administrative access to user accounts so they can do a particular privileged task, and they promptly forget about it. These “shadow admin” accounts often get ignored by everyone except attackers and threat actors, for whom they are valuable targets.
Shadow admins pose a threat to organizations because these accounts have privileged access to perform limited administrative functions on Active Directory objects. AD administrators can delegate administrative privileges to reset passwords, create and delete accounts, or other tasks.
The danger is that these can slip off the radar, meaning they often operate without the security team’s full scrutiny. If threat actors take control of one of these accounts, they can extend their attack in many ways, perhaps seeking opportunities for lateral movement or privilege escalation whilst staying incognito.
Typically, there is no straightforward way of finding these delegated administrator accounts except to conduct an exhaustive audit, meaning they can pose a threat that is often not fully quantified. If one can’t see a problem and gauge its extent, how can one prepare for it?
Into the darkness
Threat actors seek shadow admin accounts because of their privilege and the stealthiness they can bestow upon attackers. These accounts are not part of a group of privileged users, meaning their activities can go unnoticed. If an account is part of an Active Directory (AD) group, AD admins can monitor it, and unusual behaviour is therefore relatively straightforward to pinpoint.
However, shadow admins are not members of a group since they gain a particular privilege by a direct assignment. If a threat actor seizes control of one of these accounts, they immediately have a degree of privileged access. This access allows them to advance their attack subtly and craftily seek further privileges and permissions while escaping defender scrutiny.
Leaving shadow admin accounts on an organization’s AD is a considerable risk that’s best compared to handing over the keys to one’s kingdom to do a particular task and then forgetting to track who has the keys and when to ask for it back. It pays to know who exactly has privileged access, which is where AD admin groups help.
Conversely, the presence of shadow admin accounts could be a sign that an attack is underway. If a threat actor can grant themselves permissions to create these accounts and then assign them with higher privileges, they can extend their attack in many directions.
What is a shadow admin?
Shadow admins gain privileges through permission assigned using an access control list (ACL) applied to an object located on the AD. These objects can be files, events, processes, or anything else which has a security descriptor. Crucially, shadow admins are accounts that are not members of a privileged AD group.
AD is composed of a tree of objects that define the network and all its accounts, assets, groups, system, GPOs, and more. Each AD object has its separate list of permissions called ACEs (Access Control Entries) that make up the ACL, with an object’s ACL defining who has permissions on that specific object and what actions they can perform on it. There are general permissions like “Full Control”, and individual permissions like “Write”, ”Delete”, “Read” and even some “Extended Rights” such as “User-Force-Change-Password”.
There are four main categories of privileged accounts:
- Domain privileged accounts such as a domain admin user or DCHP (Dynamic Host Configuration Protocol) admin
- Local privileged accounts such as local admins on endpoints and servers or “root” on Unix and Linux systems
- Application and services accounts such as DB or SharePoint admins
- Privileged business accounts such as finance users or the corporate social media account.
How to find shadow admins
Unfortunately, the nature of shadow admin accounts means that finding them is often easier said than done. The best cure, in this case, is prevention, which is fine if one is working with a newly installed AD, but tricky if the AD has been around for a while and carries the scars, knots, and gnarls accumulated over its lifetime – not to mention the increased havoc seen with mergers and acquisitions.
The native way to identify shadow admin accounts is to conduct an exhaustive audit of all ACL entries within AD. This process takes time and is also inefficient because its manual nature means an inevitable chance to overlook these dangerous accounts.
The security community is now seeing the advent of innovations that can identify shadow admin accounts at the AD controller level as excess privilege exposures. If an organization uses these new tools they can gain early and valuable insights to improve visibility and provide detection of exposed API keys, credentials, and secrets that will show shadow admins, access to domain controllers, and other risks.
Turning the tables with deception
Forward-looking organizations could also take advantage of the fact that shadow admins are attractive to adversaries by using fake accounts to detect and redirect them to decoys. Deception and concealment technologies can hide and deny access to accounts with privileges, such as domain or shadow admin accounts.
Defenders can then put decoy accounts in their place, which will trigger an alert if threat actors access them or even misdirect them away from production assets and into a decoy environment.
If the organization deploys decoys at other stages of the kill chain, they can snare attackers in a hall of mirrors to limit their damage. Meanwhile, the defenders can study their techniques and amass yet more information about system vulnerabilities or novel exploits the adversaries used. If threat actors access a decoy, security teams and systems can closely analyze their behaviour, amassing valuable threat intelligence, which helps fend off future attacks.
It’s a fair bet that mature organizations have shadow admins lurking in their networks. Perhaps it’s time to find them and even make them work to one’s advantage by using attack path visibility tools along with deception and concealment technologies.