Shedding light on the threat posed by shadow admins

Few organizations would hand a junior staff member a sweeping responsibility and then forget they had done so, yet that is effectively what happens inside too many corporate networks: an administrator grants a user account specific administrative rights so it can carry out one privileged task, and the delegation is promptly forgotten. These “shadow admin” accounts are ignored by everyone except attackers and threat actors, for whom they are valuable targets.



Shadow admins pose a threat to organizations because these accounts hold privileged access to perform a limited set of administrative functions on Active Directory objects. AD administrators can delegate rights such as resetting passwords or creating and deleting accounts by adding access control entries (ACEs) to the security descriptors of users, groups, organizational units or the domain object itself, without ever adding the grantee to an administrative group.


The danger is that these accounts slip off the radar and operate without the security team’s full scrutiny. If a threat actor takes control of one, they can extend the attack in many ways, using the delegated rights for lateral movement or privilege escalation whilst staying incognito. The rights themselves are rarely as “limited” as they look: permission to reset passwords on an OU that contains administrators is, in practice, full control of those administrators.


Typically, there is no straightforward way of finding these delegated administrator accounts other than an exhaustive audit of the access control lists on AD objects, so the threat they pose is often never quantified. If one can’t see a problem and gauge its extent, how can one prepare for it?
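That audit is mechanical once you know what to look for: walk the security descriptor of every AD object in scope and flag allow ACEs that grant takeover-grade rights (GenericAll, WriteDacl, WriteOwner, write to the member attribute, password reset, replication) to any principal outside the built-in administrative groups. The script below is an added example and not code from the original article. It assumes the RSAT ActiveDirectory PowerShell module, an account allowed to read nTSecurityDescriptor, and that the allowlist of expected SIDs, the set of rights it labels and the output file name are this example’s own choices rather than any standard.

```powershell
# Added example (not from the original article): list candidate shadow admins by reporting
# high-impact, explicitly set allow ACEs whose grantee is not an expected built-in principal.
# Assumes the RSAT ActiveDirectory module and read access to nTSecurityDescriptor. Read-only.
Import-Module ActiveDirectory

$Domain     = Get-ADDomain
$SearchBase = $Domain.DistinguishedName            # narrow to an OU DN to speed up a large domain
$DomainSid  = $Domain.DomainSID.Value
$RootSid    = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

# Principals expected to hold these rights (this example's allowlist). Anything else is a finding.
$ExpectedSids = @(
    'S-1-3-0',             # CREATOR OWNER (default ACE template)
    'S-1-5-9',             # ENTERPRISE DOMAIN CONTROLLERS
    'S-1-5-10',            # SELF
    'S-1-5-18',            # SYSTEM
    'S-1-5-32-544',        # BUILTIN\Administrators
    'S-1-5-32-548',        # Account Operators: built in, but review its membership separately
    "$DomainSid-512",      # Domain Admins
    "$DomainSid-516",      # Domain Controllers
    "$DomainSid-521",      # Read-only Domain Controllers
    "$RootSid-519"         # Enterprise Admins (its SID is rooted in the forest root domain)
)

# Schema GUIDs of the control-access rights and attribute that matter most.
$Rights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'     # reset password
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'     # one half of DCSync
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All' # the other half
}
$MemberAttr = 'bf9679c0-0de6-11d0-a285-00aa003049e2'   # 'member' attribute: add yourself to the group
$AllObjects = '00000000-0000-0000-0000-000000000000'   # ObjectType of an ACE that is not object-specific

function Get-AceLabel {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $r = $Ace.ActiveDirectoryRights
    $t = $Ace.ObjectType.ToString()
    # Ordered from most to least powerful; the first match wins (GenericAll implies the rest).
    if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll))    { return 'GenericAll' }
    if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl))     { return 'WriteDacl' }
    if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner))    { return 'WriteOwner' }
    if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericWrite))  { return 'GenericWrite' }
    if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)) {
        if ($t -eq $AllObjects) { return 'WriteProperty(all attributes)' }
        if ($t -eq $MemberAttr) { return 'WriteProperty(member)' }
    }
    if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
        if ($t -eq $AllObjects)      { return 'AllExtendedRights' }
        if ($Rights.ContainsKey($t)) { return $Rights[$t] }
    }
    return $null   # read-only or low-impact right: not reported
}

$Findings = foreach ($obj in Get-ADObject -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor) {
    foreach ($ace in $obj.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IsInherited) { continue }            # report each delegation once, where it was set
        $label = Get-AceLabel $ace
        if (-not $label) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value } # orphaned SID: keep it, it is still a finding
        if ($ExpectedSids -contains $sid) { continue }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $label
            Object    = $obj.DistinguishedName
            Inherits  = $ace.InheritanceType         # All/Descendents: every child object is affected too
        }
    }
}

$Findings | Sort-Object Principal, Object | Format-Table -AutoSize
$Findings | Export-Csv -NoTypeInformation -Path .\shadow-admins.csv   # file name is this example's choice
```

Expect noise on a real domain: service groups from Exchange or similar products routinely hold WriteDacl on the domain head, and helpdesk groups legitimately hold User-Force-Change-Password on user OUs. Every row must be either a delegation someone can account for or a shadow admin; the accounts nobody can explain are the ones to remove. Inherited ACEs are skipped so each delegation appears once at the object where it was set; the Inherits column tells you how far down the tree it reaches.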


Into the darkness


Threat actors seek out shadow admin accounts because of their privilege and the stealth they bestow upon an attacker. These accounts are not members of a privileged group such as Domain Admins; their rights come from ACEs on individual objects, so monitoring built around group membership never sees them and their activities can go unnoticed. If an account is a member of a privileged Active Directory (AD) group, AD admins can monitor that membership and its use, and unusual behaviour is therefore relatively straightforward to pinpoint.


Howe ..