Feature request: Impact report

[ruppde]

So far most metrics show how difficult it would be to attack an AD but pingcastle also has already a lot of data, which can show the impact of that actually happening. It would be useful to show the management, how many eggs actually are in the same basket and what would happen, if it gets broken in a short section:

• number of servers, desktops, users, services, non-windows-systems, ... (from the operating systems list)
• trusts which could be abused to break even more baskets
• cloud
• exchange servers
• this would make a bit of work: check if the backup servers are also attached to the AD and therefor could be wiped by a ransomware gang in one go. could be done by checking for strings like backup, veritas, netbackup, ... in the names of servers and accounts.

[vletoux]

The information you described are already in the report (which contains a lot of data) For the backup servers, I’ll be happy if you can share some algorithm, at least for a few brands

[ruppde]

It would be great to have all of that in one screenshotable area with the title "Impact of a theoretical compromise of domain ..." because lots of management (and security) people don't understand the importance of an AD. hey, it's 2h of work and will increase your sales like "wow, what are we doing to prevent this?" :)

searching should be done in names and description of users, groups, ou, services. title maybe "Potential AD-joined backup servers".

here's a list of backup software. included some regexish .? in places, where somebody might include a dash or underscore. also included some generic terms like restore and tape. with backup it might hit on stuff like a fallback-server or a backup-connection, so including that is a decision between missing stuff and false positives. maybe leave it out in the first run?

(backup ??)
Acronis
CyberProtect
BackupExec
CloudBerry 
MSP360
Commvault
Crashplan
NetWorker
Data.?Protector
Spectrum.?Protect 
Tivoli.?Storage 
Storage.?Manager
NetVault 
Retrospect
Rubrik
SpiderOak
Syncovery
Tonido 
Veeam 
Bacula
Duplicati
Restore
Cohesity
Druva
Nakivo
Zerto
StorageCraft
Backupify
Datto
NearStore
Tape

would be happy to test drive it.

have some memes :)

[vletoux]

it's not that simple. For each backup software, an algorithm has to be design to do the match (special schema extension ? service point ?) There is also some edge cases : if backup of tier 0 done offline, tier 1 may be connected

Looking for keywords is not effective: Imagine word matching partially any regular expression

Comments are even worse

[ruppde]

yes, would be really lots of work to make it perfect. but why not start with an informational rule titled "Potential AD-joined backup servers" ? if that shows a bunch of entries the pentester/ISO can ask his backup-team(s) on the details.

[An-dir]

I can't think of any algorithm that could get this data in a way that would fit into PingCastle. There are a lot of possible false positives if you focus on getting the data from Active Directory.

• Computer objects of old backup servers may be there, but no longer be used for backup.
• some vendors have other software. Not all of them are related to backup.

It is a BAD idea to have backup servers (and anything that can control them and the backup data) in the AD. This information should be in the area "Anomalies" -> "Backup" area, and it could also include more details about what was backed up (each NC) like Repadmin.exe /showbackup does. It would be great to have information like the useful life of a backup is the same as the "tombstone lifetime" setting for the enterprise or something helpful like that.

So i can only imagine improving the backup section with more details, and maybe a tiny statistical data area at the Active Directory Indicators area that tells you in a few lines something about that domain. The following table is just an idea of what i think that is possible.

Text	Value	Info
User (total)	31415
User (enabled and inactive for at least X days)	3141	Relatively much - keep it as low as possible
User (disabled)	314	Average amount - keep it as low as possible
Computer (total)	124816
Computer (enabled and inactive for at least X day)	12481	Average - keep it as low as possible
Computer (disabled)	4816	a lot - keep it as small as possible
Domain Controller (RWDC)	4	Have at least 2 for redundancy but not more than you can handle ....
Domain Controller (RODC)	41	...
Last full AD backup	01.02.2023 (oldest NC backup date)	should not be older than you require it
Trusts detected	4	be aware that trusting can bring more security risks and you should remove unnecessary/risky trusts
Domain Functional Level	2003 (Not OK)	Some security features require a newer functional level
Forest Functional Level	2003 (Not OK)	Some security features require a newer functional level
Recycle Bin	disabled (Not OK)	Can help a lot
Microsoft or Windows LAPS	Schema is extended (OK)	Using LAPS can help to reduce fraudulent lateral movement
Total Findings	49	Reduce your security risk by working continuously...

@ruppde Using PowerShell and the adhc*.xml created by PingCastle, you could create a copy&paste or screenshot of the PowerShell or a HTML file like this yourself. Here is a tiny example

([xml](gc .\ad_hc_yourcustomer_domain.xml)).HealthcheckData | select DomainFQDN,DomainCreation,LastADBackup,IsRecycleBinEnabled,LAPSInstalled,
@{Name="Findings count";Expression={$_.RiskRules.HealthcheckRiskRule.Count}},
@{Name="Trusts count";Expression={$_.Trusts.HealthCheckTrustData.Count}},
@{Name="DomainController count";Expression={$_.DomainControllers.HealthcheckDomainController.count}}  |
ConvertTo-Html -As List | Out-File NeedsMoreCSS.html

The result may look like this, but it can easily be improved and extended.

DomainFQDN             : yourcustomer_domain
DomainCreation         : 2022-07-16T09:4:23
LastADBackup           : 2023-05-23T23:28:15+02:00
IsRecycleBinEnabled    : true
LAPSInstalled          : 9999-12-31T23:59:59.9999999
Findings count         : 44
Trusts count           : 2
DomainController count : 3

The ConvertTo-Html accepts more parameter to add header and CSS so you get a great look if you woul like it that way.

[ruppde]

Thanks for the ideas. I would image the table like this:

Potential Ransomware Impact

Object	Value	Info
Users (active)	31415
Computers (active)	124816	Servers and desktop systems
Trusts detected	4	be aware that trusting can bring more security risks and you should remove unnecessary/risky trusts
Exploitable Trusts	2	Trust that could be exploited to compromise further domains
Potential file backup systems	42	It is a BAD idea to have backup servers (and anything that can control them and the backup data) in the AD, as it will end up encrypted in a domain compromise by a ransomware actor.