DHCP Administrators group part of Tier 0?

[chryzsh]

DHCP Administrators can escalate to Tier 0 when DHCP runs on a DC or Tier 0 system. This Akamai research demonstrates privilege escalation via DHCP option abuse → Kerberos coercion → AD CS relay → DHCP machine account compromise / potential DC compromise.

But, the context matters. If DHCP is on network appliances only, it's likely only Tier 1. If DHCP is on DCs or systems controlling AD infrastructure, it's Tier 0. Akamai claims "57% have a DHCP server installed on a DC." Its not clear cut if this fulfils your criteria of "The abuse technique must work in an environment with default configurations" as its not clear if 57 % is enough to be considered default.

I propose including DHCP Administrators with notation that classification depends on where DHCP service runs. What do you think?

[JonasBK]

Hey!

You are absolutely right, thanks for pointing it out. It should definitely be added to the table.

How about like this:

• Compromise by default: NO
• Compromise by configuration: YES - Takeover
• Is Tier Zero: IT DEPENDS

What do you think?

[chryzsh]

I agree. Do you prefer a PR or to just add it yourself?

[JonasBK]

PR would be awesome!

[chryzsh]

I've submitted a PR now.