Let’s take, for example, a well-known Active Directory group: Administrators.
Every user, group or computer that is a member of this group inherits all the Administrators group’s permissions.
Every group that is a member of this main group is called a “nested group”.
In addition, every child group of these nested groups is a nested group as well.
Use Case: What If a Group is Added as a Member of a Child Group of a Sensitive group, Such as Administrators?
Usually, we monitor only the main groups.
If someone adds a user as a member of one of these sensitive groups, we would know.
If someone adds a group as a member of one of these sensitive groups, we would also know.
But what if someone adds a user to one of these nested groups? Would we know?
Would we know if someone adds a group that contains dozens of users to one of these nested groups?
Therefore, we should pay attention to each and every nested group that is a member of our sensitive groups, to ensure that we know about every user who inherits these kinds of permissions.
There are various ways to identify an attacker’s behavior when it comes to exploiting nested groups.
For security reasons, we don’t publish our specific ways of identifying these indicators, but this is one of the scenarios that we do make available to our customers.
We developed a PowerShell script that outputs a CEF file containing the main groups of your choice and all of their nested groups, under a forest/domain of your choice.
The CEF file contains the following properties about these groups:
- The group name and DN.
- The main group name and DN.
- Whether the group is the main group or a nested group.
- The group’s forest and domain.
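The following is an added example of how such an inventory can be produced, not the script described in this post: it walks the direct members of each chosen sensitive group, reports every intermediate group it finds, and writes one CEF event per group carrying the properties listed above. It assumes the ActiveDirectory RSAT module is installed; the default group names, the CEF vendor/product/signature fields and the cs1..cs6 label choices are this example's own assumptions.

```powershell
Import-Module ActiveDirectory
function Get-NestedGroupCef {
    param(
        [string[]]$SensitiveGroups = @('Administrators', 'Domain Admins'),  # assumed defaults
        [string]$Server = (Get-ADDomain).DNSRoot,
        [string]$OutFile = '.\nested-groups.cef'
    )
    $domain = Get-ADDomain -Server $Server
    $lines  = New-Object System.Collections.Generic.List[string]
    function ConvertTo-CefValue([string]$v) {
        # CEF extension values must escape backslash, '=' and line breaks.
        return $v -replace '\\', '\\' -replace '=', '\=' -replace "`r?`n", '\n'
    }
    function Add-GroupLine($Group, $MainGroup, $Role) {
        # One CEF event per group; the cs1..cs6 labels are this example's choice.
        $ext = @(
            "cs1=$(ConvertTo-CefValue $Group.Name)", 'cs1Label=GroupName',
            "cs2=$(ConvertTo-CefValue $Group.DistinguishedName)", 'cs2Label=GroupDN',
            "cs3=$(ConvertTo-CefValue $MainGroup.Name)", 'cs3Label=MainGroupName',
            "cs4=$(ConvertTo-CefValue $MainGroup.DistinguishedName)", 'cs4Label=MainGroupDN',
            "cs5=$Role", 'cs5Label=GroupRole',
            "cs6=$($domain.Forest)", 'cs6Label=Forest',
            "dntdom=$($domain.NetBIOSName)"
        ) -join ' '
        $lines.Add("CEF:0|CyberSIEM|NestedGroups|1.0|100|Nested group inventory|3|$ext")
    }
    function Walk-Group($Group, $MainGroup, $Seen) {
        # Read direct members and recurse ourselves: Get-ADGroupMember -Recursive
        # flattens to leaf objects and would hide the intermediate groups.
        $members = (Get-ADGroup -Identity $Group.DistinguishedName -Properties Members -Server $Server).Members
        foreach ($dn in $members) {
            # Members that cannot be resolved against this domain (e.g. foreign principals) are skipped.
            $obj = Get-ADObject -Identity $dn -Server $Server -ErrorAction SilentlyContinue
            if (-not $obj -or $obj.ObjectClass -ne 'group') { continue }
            # $Seen stops infinite recursion on circular nesting (A in B, B in A).
            if (-not $Seen.Add($dn)) { continue }
            $child = Get-ADGroup -Identity $dn -Server $Server
            Add-GroupLine $child $MainGroup 'Nested'
            Walk-Group $child $MainGroup $Seen
        }
    }
    foreach ($name in $SensitiveGroups) {
        $main = Get-ADGroup -Identity $name -Server $Server
        Add-GroupLine $main $main 'Main'
        $seen = New-Object 'System.Collections.Generic.HashSet[string]'
        [void]$seen.Add($main.DistinguishedName)
        Walk-Group $main $main $seen
    }
    $lines | Set-Content -Path $OutFile -Encoding UTF8
    return $lines
}
```

Running `Get-NestedGroupCef` on a schedule and diffing the resulting file against the previous run surfaces any group that newly appears under a sensitive group, which is exactly the change the monitoring described above would otherwise miss.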
For ArcSight users, CyberSIEM also developed a “Nested Groups” package that contains the following resources:
- A master filter and a fieldset.
- Active lists with all the relevant columns.
- A lightweight rule that adds the group entries to the active list.
- Use Case Page with relevant resources.
The PowerShell script has been tested in a few environments and works without errors. If you run into problems or get errors, please send me an email with a short description, and we will do our best to improve the script and update it here.
Ben Aviv, ArcSight Expert – [email protected]
For any questions about this blog, premium “Nested Group” package, and more products, please contact us at [email protected].