Site Unseen: Enumerating and Attacking Active Directory Sites

Active Directory Sites are a feature allowing to optimize network performance and bandwidth usage in AD internal environments. They are commonly implemented by large, geographically dispersed organizations spanning across multiple countries or continents. Sites did not receive much attention by the Active Directory offensive research community, comparatively to other ACL-based attack vectors. This article aims to demonstrate that not only do attack vectors targeting Active Directory sites exist, but that they can lead to impactful privilege escalation scenarios and to domain(s) compromise. We will describe a pull request that we submitted to the BloodHound project in order to enumerate Site ACL attack paths, and how to exploit those paths in an efficient way with the tools that we recently released, related to GPO-based exploit vectors. Said compromise scenarios may allow attackers to elevate their privileges, as well as move laterally within an Active Directory forest.