SlideShare a Scribd company logo

Exploiting Active Directory Administrator Insecurities

Priyanka Aash
Priyanka Aash

"Defenders have been slowly adapting to the new reality: Any organization is a target. They bought boxes that blink and software that floods the SOC with alerts. None of this matters as much as how administration is performed: Pop an admin, own the system. Admins are being dragged into a new paradigm where they have to more securely administer the environment. What does this mean for the pentester or Red Teamer? Admins are gradually using better methods like two-factor and more secure administrative channels. Security is improving at many organizations, often quite rapidly. If we can quickly identify the way that administration is being performed, we can better highlight the flaws in the admin process. This talk explores some common methods Active Directory administrators (and others) use to protect their admin credentials and the flaws with these approaches. New recon methods will be provided on how to identify if the org uses an AD Red Forest (aka Admin Forest) and what that means for one hired to test the organization's defenses, as well as how to successfully avoid the Red Forest and still be successful on an engagement. Some of the areas explored in this talk: Current methods organizations use to administer Active Directory and the weaknesses around them. Using RODCs in the environment in ways the organization didn't plan for (including persistence). Exploiting access to agents typically installed on Domain Controllers and other highly privileged systems to run/install code when that's not their typical purpose. Discovering and exploiting an AD forest that leverages an AD Admin Forest (aka Red Forest) without touching the Admin Forest. If you are wondering how to pentest/red team against organizations that are improving their defenses, this talk is for you. If you are a blue team looking for inspiration on effective defenses, this talk is also for you to gain better insight into how you can be attacked."

Technology
1 of 27
Download to read offline
Exploiting Active Directory Administrator Insecurities Sean Metcalf @Pyrotek3
ABOUT • Founder Trimarc (Trimarc.io), a professional services company that helps organizations better secure their Microsoft platform, including the Microsoft Cloud. • Microsoft Certified Master (MCM) Directory Services • Speaker: Black Hat, Blue Hat, BSides, DEF CON, DerbyCon, Shakacon, Sp4rkCon • Security Consultant / Researcher • Active Directory Enthusiast - Own & Operate ADSecurity.org (Microsoft platform security info)
AGENDA • Where We Were & Where We Are Now • Blue Sharpens Red • Old-School AD Admin Methods • The New School Methods • Exploiting Administrative Assumptions • The Latest “Best Way” to Admin AD (& How to Bypass It) • Conclusion
Where We Were • In the beginning, there were admins everywhere. • Some environments actually had almost as many Domain Admins as users. • This resulted in a target rich environment with multiple paths to exploit. • Traditional methods of administration are trivial to attack and compromise due to admin credentials being available on the workstation.
Where We Are Now • Organizations are slowly & gradually improving defenses. • Limit privileged rights • Reduce admin group membership • Reduce rights down to what's actually required • Limit Admin logon capability & location • Group Policy or user logon controls • This is definitely a step in the right direction, but still does not *solve* the issues with how administration is typically done • Mostly still performed from a regular workstation
Blue Sharpens Red (& vice versa) • if you were used to running your standard playbook and never made it past Chapter 1, know that this will change (if it hasn't already). • There will always be weaknesses to exploit, but defenders are getting better. Red needs to adapt. • What do you do when the standard playbook doesn’t work?
Old-School AD Administration • Logon to workstation as an admin • RunAs on workstation and run standard Microsoft MMC admin tools ("Active Directory Users & Computers“) • RDP to Domain Controllers to manage them
Old-School AD Administration • Logon to workstation as an admin • Credentials in LSASS • RunAs on workstation and run standard Microsoft MMC admin tools ("Active Directory Users & Computers“) • Credentials in LSASS. • RDP to Domain Controllers to manage them • Credentials in LSASS on remote server & keylog locally for creds.
The New School of Administration • No RunAs on workstations with admin rights. • RDP to Admin/Jump Server which may require two-factor/multi- factor auth. • AD Admin credential authentication may be limited to specific admin servers and DCs.
Demo: Bloodhound
Exploiting Administrative Assumptions • Read-Only Domain Controllers (RODCs) are often deployed and misconfigured. • Sometimes attributes contain passwords (or other sensitive info).
DEMO: How to determine what systems the Admins are authorized to logon to (using LDAP calls to AD) and probe those systems for enabled protocols (WMI, WSMan/PowerShell Remoting, etc).
Attacking the Password Vault
Attacking Password Vaults • Companies are frequently turning to password vault technology to help improve administrative security. • Tend to be either CyberArk or Thycotic SecretServer. • PV often has a “reconciliation” account which is a DA to bring accounts back into compliance.
Password Vault Management • Password vault maintains DA account(s) • Admin connects to website & authenticates to the PV. • Admin gets a password to use with the DA account • Admin is proxied via the webserver through a RDP session to an Admin server or DC
Password Vault Weaknesses • Authentication to the PV webserver is typically performed with the admin’s user account. • Connection to the PV webserver doesn’t always require 2FA/MFA. • The PV servers are often administered like any other server. • Anyone on the network can send traffic to the PV server(s).
Admin Servers
Jump (Admin) Servers • If Admins are not using Admin workstations, keylog for creds on admin’s workstation. • Discover all potential remoting services. • RDP (2FA?) • WMI • WinRM/PowerShell Remoting • PSExec • NamedPipe • Compromise a Jump Server, 0wn the domain! Sean Metcalf (@PyroTek3) TrimarcSecurity.com
Hijacking the Admin/Jump Server • Get Admin on the server • Get SYSTEM • Run tscon.exe as SYSTEM ”if you run tscon.exe as the SYSTEM user, you can connect to any session without a password” https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to- move-through-an-da2a1e73a5f6 Sean Metcalf (@PyroTek3) TrimarcSecurity.com
Sean Metcalf (@PyroTek3) TrimarcSecurity.com
Alexander Korznikov demonstrates using Sticky Keys and tscon to access an administrator RDP session — without even logging into the server. https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to- move-through-an-da2a1e73a5f6 Sean Metcalf (@PyroTek3) TrimarcSecurity.com
Red Forest
Red/Admin Forest Discovery • Check trusts for 1-way trust where the production AD trusts another AD forest and Selective Authentication is enabled. • Enumerate group membership of the domain Administrators group for a group or groups that are in this other forest.
The Latest “Best” Way to Admin AD & How to Get Around It • Several organizations have deployed an Admin Forest and often ignore the primary production AD since all administrators of the AD forest are in the Red Forest. • They often don't fix all the issues in the prod AD. • They often forget about service accounts. • Target agents on Domain Controllers. • Identify systems that connect to DCs with privileged credentials on DCs (backup accounts).
Recommendations
Conclusion • Most organizations have done "something" to better secure their environment • It's often not enough, though some are successfully detecting pentest/red team engagements. https://twitter.com/HackingDave/status/959131987264057345 https://twitter.com/malcomvetter/status/959913399592239104 • Summarize how to better operate in these "more secure" environments and what is needed. • Recommendations you can pass on to customers to help them improve their admin hygiene and security.

Recommended

Designing a Highly Available Management Cluster for the Cloud
Designing a Highly Available Management Cluster for the CloudDesigning a Highly Available Management Cluster for the Cloud
Designing a Highly Available Management Cluster for the CloudArron Stebbing
 
Planning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPMPlanning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPMWASdev Community
 
3 migration
3 migration3 migration
3 migrationROSHNI PRADHAN
 
PSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS PresentationPSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS PresentationDan Barr
 
Configuration management comes to Windows
Configuration management comes to WindowsConfiguration management comes to Windows
Configuration management comes to WindowsRavikanth Chaganti
 
eSynergy Dave Sayers - Applying DevOps principles in established corporate or...
eSynergy Dave Sayers - Applying DevOps principles in established corporate or...eSynergy Dave Sayers - Applying DevOps principles in established corporate or...
eSynergy Dave Sayers - Applying DevOps principles in established corporate or...PatrickCrompton
 
Architecting for Failures in micro services: patterns and lessons learned
Architecting for Failures in micro services: patterns and lessons learnedArchitecting for Failures in micro services: patterns and lessons learned
Architecting for Failures in micro services: patterns and lessons learnedBhakti Mehta
 
ECMDay2015 - Kent Agerlund – Configuration Manager 2012 – A Site Review
ECMDay2015 - Kent Agerlund – Configuration Manager 2012 – A Site ReviewECMDay2015 - Kent Agerlund – Configuration Manager 2012 – A Site Review
ECMDay2015 - Kent Agerlund – Configuration Manager 2012 – A Site ReviewKenny Buntinx
 

Recommended

Designing a Highly Available Management Cluster for the Cloud
Designing a Highly Available Management Cluster for the CloudDesigning a Highly Available Management Cluster for the Cloud
Designing a Highly Available Management Cluster for the CloudArron Stebbing
 
Planning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPMPlanning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPMWASdev Community
 
3 migration
3 migration3 migration
3 migrationROSHNI PRADHAN
 
PSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS PresentationPSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS PresentationDan Barr
 
Configuration management comes to Windows
Configuration management comes to WindowsConfiguration management comes to Windows
Configuration management comes to WindowsRavikanth Chaganti
 
eSynergy Dave Sayers - Applying DevOps principles in established corporate or...
eSynergy Dave Sayers - Applying DevOps principles in established corporate or...eSynergy Dave Sayers - Applying DevOps principles in established corporate or...
eSynergy Dave Sayers - Applying DevOps principles in established corporate or...PatrickCrompton
 
Architecting for Failures in micro services: patterns and lessons learned
Architecting for Failures in micro services: patterns and lessons learnedArchitecting for Failures in micro services: patterns and lessons learned
Architecting for Failures in micro services: patterns and lessons learnedBhakti Mehta
 
ECMDay2015 - Kent Agerlund – Configuration Manager 2012 – A Site Review
ECMDay2015 - Kent Agerlund – Configuration Manager 2012 – A Site ReviewECMDay2015 - Kent Agerlund – Configuration Manager 2012 – A Site Review
ECMDay2015 - Kent Agerlund – Configuration Manager 2012 – A Site ReviewKenny Buntinx
 
Managing Websphere Application Server certificates
Managing Websphere Application Server certificatesManaging Websphere Application Server certificates
Managing Websphere Application Server certificatesPiyush Chordia
 
Scaling Confluence Architecture: A Sneak Peek Under the Hood
Scaling Confluence Architecture: A Sneak Peek Under the HoodScaling Confluence Architecture: A Sneak Peek Under the Hood
Scaling Confluence Architecture: A Sneak Peek Under the HoodBhakti Mehta
 
Devoxx2017
Devoxx2017Devoxx2017
Devoxx2017Bhakti Mehta
 
From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...
From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...
From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...Priyanka Aash
 
Webinar: Best Practices for Upgrading to MongoDB 3.0
Webinar: Best Practices for Upgrading to MongoDB 3.0Webinar: Best Practices for Upgrading to MongoDB 3.0
Webinar: Best Practices for Upgrading to MongoDB 3.0MongoDB
 
PHDVirtual Backups for VMware
PHDVirtual Backups for VMwarePHDVirtual Backups for VMware
PHDVirtual Backups for VMwareDevansh Chowdhary
 
VMware Log Insight
VMware Log Insight VMware Log Insight
VMware Log Insight Iwan Rahabok
 
vCenter Site Recovery Manager: Architecting a DR Solution
vCenter Site Recovery Manager: Architecting a DR SolutionvCenter Site Recovery Manager: Architecting a DR Solution
vCenter Site Recovery Manager: Architecting a DR SolutionRackspace
 
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...WASdev Community
 
Censum - Garbage Collection Log Analyser
Censum - Garbage Collection Log AnalyserCensum - Garbage Collection Log Analyser
Censum - Garbage Collection Log AnalyserjClarity
 
Simple cloud computing for office workers
Simple cloud computing for office workersSimple cloud computing for office workers
Simple cloud computing for office workersChris Sparshott
 
VMworld 2013: Virtualize Active Directory ‒ The Right Way!
VMworld 2013: Virtualize Active Directory ‒ The Right Way!VMworld 2013: Virtualize Active Directory ‒ The Right Way!
VMworld 2013: Virtualize Active Directory ‒ The Right Way!VMworld
 
VMworld 2014: Virtualize Active Directory, the Right Way!
VMworld 2014: Virtualize Active Directory, the Right Way!VMworld 2014: Virtualize Active Directory, the Right Way!
VMworld 2014: Virtualize Active Directory, the Right Way!VMworld
 
Performance testing virtualized systems v5
Performance testing virtualized systems v5Performance testing virtualized systems v5
Performance testing virtualized systems v5Mentora
 
VMworld Europe 2014: Advanced SQL Server on vSphere Techniques and Best Pract...
VMworld Europe 2014: Advanced SQL Server on vSphere Techniques and Best Pract...VMworld Europe 2014: Advanced SQL Server on vSphere Techniques and Best Pract...
VMworld Europe 2014: Advanced SQL Server on vSphere Techniques and Best Pract...VMworld
 
Illuminate - Performance Analystics driven by Machine Learning
Illuminate - Performance Analystics driven by Machine LearningIlluminate - Performance Analystics driven by Machine Learning
Illuminate - Performance Analystics driven by Machine LearningjClarity
 
Cloudezz - Platform-as-Infrastructure via Turnkey Private Cloud
Cloudezz - Platform-as-Infrastructure via Turnkey Private CloudCloudezz - Platform-as-Infrastructure via Turnkey Private Cloud
Cloudezz - Platform-as-Infrastructure via Turnkey Private Cloudcloudezz
 
Cloud computing-2 (1)
Cloud computing-2 (1)Cloud computing-2 (1)
Cloud computing-2 (1)JUDYFLAVIAB
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
SQL Server 2005 Licensing Unplugged
SQL Server 2005 Licensing UnpluggedSQL Server 2005 Licensing Unplugged
SQL Server 2005 Licensing Unpluggedwebhostingguy
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environmentDavid Rowe
 

More Related Content

What's hot

Managing Websphere Application Server certificates
Managing Websphere Application Server certificatesManaging Websphere Application Server certificates
Managing Websphere Application Server certificatesPiyush Chordia
 
Scaling Confluence Architecture: A Sneak Peek Under the Hood
Scaling Confluence Architecture: A Sneak Peek Under the HoodScaling Confluence Architecture: A Sneak Peek Under the Hood
Scaling Confluence Architecture: A Sneak Peek Under the HoodBhakti Mehta
 
From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...
From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...
From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...Priyanka Aash
 
Webinar: Best Practices for Upgrading to MongoDB 3.0
Webinar: Best Practices for Upgrading to MongoDB 3.0Webinar: Best Practices for Upgrading to MongoDB 3.0
Webinar: Best Practices for Upgrading to MongoDB 3.0MongoDB
 
PHDVirtual Backups for VMware
PHDVirtual Backups for VMwarePHDVirtual Backups for VMware
PHDVirtual Backups for VMwareDevansh Chowdhary
 
VMware Log Insight
VMware Log Insight VMware Log Insight
VMware Log Insight Iwan Rahabok
 
vCenter Site Recovery Manager: Architecting a DR Solution
vCenter Site Recovery Manager: Architecting a DR SolutionvCenter Site Recovery Manager: Architecting a DR Solution
vCenter Site Recovery Manager: Architecting a DR SolutionRackspace
 
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...WASdev Community
 
Censum - Garbage Collection Log Analyser
Censum - Garbage Collection Log AnalyserCensum - Garbage Collection Log Analyser
Censum - Garbage Collection Log AnalyserjClarity
 
Simple cloud computing for office workers
Simple cloud computing for office workersSimple cloud computing for office workers
Simple cloud computing for office workersChris Sparshott
 
VMworld 2013: Virtualize Active Directory ‒ The Right Way!
VMworld 2013: Virtualize Active Directory ‒ The Right Way!VMworld 2013: Virtualize Active Directory ‒ The Right Way!
VMworld 2013: Virtualize Active Directory ‒ The Right Way!VMworld
 
VMworld 2014: Virtualize Active Directory, the Right Way!
VMworld 2014: Virtualize Active Directory, the Right Way!VMworld 2014: Virtualize Active Directory, the Right Way!
VMworld 2014: Virtualize Active Directory, the Right Way!VMworld
 
Performance testing virtualized systems v5
Performance testing virtualized systems v5Performance testing virtualized systems v5
Performance testing virtualized systems v5Mentora
 
VMworld Europe 2014: Advanced SQL Server on vSphere Techniques and Best Pract...
VMworld Europe 2014: Advanced SQL Server on vSphere Techniques and Best Pract...VMworld Europe 2014: Advanced SQL Server on vSphere Techniques and Best Pract...
VMworld Europe 2014: Advanced SQL Server on vSphere Techniques and Best Pract...VMworld
 
Illuminate - Performance Analystics driven by Machine Learning
Illuminate - Performance Analystics driven by Machine LearningIlluminate - Performance Analystics driven by Machine Learning
Illuminate - Performance Analystics driven by Machine LearningjClarity
 
Cloudezz - Platform-as-Infrastructure via Turnkey Private Cloud
Cloudezz - Platform-as-Infrastructure via Turnkey Private CloudCloudezz - Platform-as-Infrastructure via Turnkey Private Cloud
Cloudezz - Platform-as-Infrastructure via Turnkey Private Cloudcloudezz
 
Cloud computing-2 (1)
Cloud computing-2 (1)Cloud computing-2 (1)
Cloud computing-2 (1)JUDYFLAVIAB
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
SQL Server 2005 Licensing Unplugged
SQL Server 2005 Licensing UnpluggedSQL Server 2005 Licensing Unplugged
SQL Server 2005 Licensing Unpluggedwebhostingguy
 

What's hot (20)

Managing Websphere Application Server certificates
Managing Websphere Application Server certificatesManaging Websphere Application Server certificates
Managing Websphere Application Server certificates
 
Scaling Confluence Architecture: A Sneak Peek Under the Hood
Scaling Confluence Architecture: A Sneak Peek Under the HoodScaling Confluence Architecture: A Sneak Peek Under the Hood
Scaling Confluence Architecture: A Sneak Peek Under the Hood
 
Devoxx2017
Devoxx2017Devoxx2017
Devoxx2017
 
From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...
From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...
From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...
 
Webinar: Best Practices for Upgrading to MongoDB 3.0
Webinar: Best Practices for Upgrading to MongoDB 3.0Webinar: Best Practices for Upgrading to MongoDB 3.0
Webinar: Best Practices for Upgrading to MongoDB 3.0
 
PHDVirtual Backups for VMware
PHDVirtual Backups for VMwarePHDVirtual Backups for VMware
PHDVirtual Backups for VMware
 
VMware Log Insight
VMware Log Insight VMware Log Insight
VMware Log Insight
 
vCenter Site Recovery Manager: Architecting a DR Solution
vCenter Site Recovery Manager: Architecting a DR SolutionvCenter Site Recovery Manager: Architecting a DR Solution
vCenter Site Recovery Manager: Architecting a DR Solution
 
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...
 
Censum - Garbage Collection Log Analyser
Censum - Garbage Collection Log AnalyserCensum - Garbage Collection Log Analyser
Censum - Garbage Collection Log Analyser
 
Simple cloud computing for office workers
Simple cloud computing for office workersSimple cloud computing for office workers
Simple cloud computing for office workers
 
VMworld 2013: Virtualize Active Directory ‒ The Right Way!
VMworld 2013: Virtualize Active Directory ‒ The Right Way!VMworld 2013: Virtualize Active Directory ‒ The Right Way!
VMworld 2013: Virtualize Active Directory ‒ The Right Way!
 
VMworld 2014: Virtualize Active Directory, the Right Way!
VMworld 2014: Virtualize Active Directory, the Right Way!VMworld 2014: Virtualize Active Directory, the Right Way!
VMworld 2014: Virtualize Active Directory, the Right Way!
 
Performance testing virtualized systems v5
Performance testing virtualized systems v5Performance testing virtualized systems v5
Performance testing virtualized systems v5
 
VMworld Europe 2014: Advanced SQL Server on vSphere Techniques and Best Pract...
VMworld Europe 2014: Advanced SQL Server on vSphere Techniques and Best Pract...VMworld Europe 2014: Advanced SQL Server on vSphere Techniques and Best Pract...
VMworld Europe 2014: Advanced SQL Server on vSphere Techniques and Best Pract...
 
Illuminate - Performance Analystics driven by Machine Learning
Illuminate - Performance Analystics driven by Machine LearningIlluminate - Performance Analystics driven by Machine Learning
Illuminate - Performance Analystics driven by Machine Learning
 
Cloudezz - Platform-as-Infrastructure via Turnkey Private Cloud
Cloudezz - Platform-as-Infrastructure via Turnkey Private CloudCloudezz - Platform-as-Infrastructure via Turnkey Private Cloud
Cloudezz - Platform-as-Infrastructure via Turnkey Private Cloud
 
Cloud computing-2 (1)
Cloud computing-2 (1)Cloud computing-2 (1)
Cloud computing-2 (1)
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
SQL Server 2005 Licensing Unplugged
SQL Server 2005 Licensing UnpluggedSQL Server 2005 Licensing Unplugged
SQL Server 2005 Licensing Unplugged
 

Similar to Exploiting Active Directory Administrator Insecurities

BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environmentDavid Rowe
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise MongoDB
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and ResponseAlert Logic
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Andrejs Prokopjevs
 
SQL Server 2016: Just a Few of Our DBA's Favorite Things
SQL Server 2016: Just a Few of Our DBA's Favorite ThingsSQL Server 2016: Just a Few of Our DBA's Favorite Things
SQL Server 2016: Just a Few of Our DBA's Favorite ThingsHostway|HOSTING
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyAmazon Web Services
 
Secure active directory in one day without spending a single dollar
Secure active directory in one day without spending a single dollarSecure active directory in one day without spending a single dollar
Secure active directory in one day without spending a single dollarDavid Rowe
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 
How HashiCorp platform tools can make the difference in development and deplo...
How HashiCorp platform tools can make the difference in development and deplo...How HashiCorp platform tools can make the difference in development and deplo...
How HashiCorp platform tools can make the difference in development and deplo...Dmytro Mykhailov
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
 
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and VormetricProtecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and Vormetricconfluent
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access darkRoyce Davis
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 

Similar to Exploiting Active Directory Administrator Insecurities (20)

BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environment
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
 
SQL Server 2016: Just a Few of Our DBA's Favorite Things
SQL Server 2016: Just a Few of Our DBA's Favorite ThingsSQL Server 2016: Just a Few of Our DBA's Favorite Things
SQL Server 2016: Just a Few of Our DBA's Favorite Things
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the Cloud
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud Security
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
 
Operations: Security
Operations: SecurityOperations: Security
Operations: Security
 
Secure active directory in one day without spending a single dollar
Secure active directory in one day without spending a single dollarSecure active directory in one day without spending a single dollar
Secure active directory in one day without spending a single dollar
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
How HashiCorp platform tools can make the difference in development and deplo...
How HashiCorp platform tools can make the difference in development and deplo...How HashiCorp platform tools can make the difference in development and deplo...
How HashiCorp platform tools can make the difference in development and deplo...
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
 
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and VormetricProtecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Dakotacon 2017
Dakotacon 2017Dakotacon 2017
Dakotacon 2017
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Recently uploaded (20)

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Exploiting Active Directory Administrator Insecurities

  • 1. Exploiting Active Directory Administrator Insecurities Sean Metcalf @Pyrotek3
  • 2. ABOUT • Founder Trimarc (Trimarc.io), a professional services company that helps organizations better secure their Microsoft platform, including the Microsoft Cloud. • Microsoft Certified Master (MCM) Directory Services • Speaker: Black Hat, Blue Hat, BSides, DEF CON, DerbyCon, Shakacon, Sp4rkCon • Security Consultant / Researcher • Active Directory Enthusiast - Own & Operate ADSecurity.org (Microsoft platform security info)
  • 3. AGENDA • Where We Were & Where We Are Now • Blue Sharpens Red • Old-School AD Admin Methods • The New School Methods • Exploiting Administrative Assumptions • The Latest “Best Way” to Admin AD (& How to Bypass It) • Conclusion
  • 4. Where We Were • In the beginning, there were admins everywhere. • Some environments actually had almost as many Domain Admins as users. • This resulted in a target rich environment with multiple paths to exploit. • Traditional methods of administration are trivial to attack and compromise due to admin credentials being available on the workstation.
  • 5. Where We Are Now • Organizations are slowly & gradually improving defenses. • Limit privileged rights • Reduce admin group membership • Reduce rights down to what's actually required • Limit Admin logon capability & location • Group Policy or user logon controls • This is definitely a step in the right direction, but still does not *solve* the issues with how administration is typically done • Mostly still performed from a regular workstation
  • 6. Blue Sharpens Red (& vice versa) • if you were used to running your standard playbook and never made it past Chapter 1, know that this will change (if it hasn't already). • There will always be weaknesses to exploit, but defenders are getting better. Red needs to adapt. • What do you do when the standard playbook doesn’t work?
  • 7. Old-School AD Administration • Logon to workstation as an admin • RunAs on workstation and run standard Microsoft MMC admin tools ("Active Directory Users & Computers“) • RDP to Domain Controllers to manage them
  • 8. Old-School AD Administration • Logon to workstation as an admin • Credentials in LSASS • RunAs on workstation and run standard Microsoft MMC admin tools ("Active Directory Users & Computers“) • Credentials in LSASS. • RDP to Domain Controllers to manage them • Credentials in LSASS on remote server & keylog locally for creds.
  • 9.
  • 10. The New School of Administration • No RunAs on workstations with admin rights. • RDP to Admin/Jump Server which may require two-factor/multi- factor auth. • AD Admin credential authentication may be limited to specific admin servers and DCs.
  • 12. Exploiting Administrative Assumptions • Read-Only Domain Controllers (RODCs) are often deployed and misconfigured. • Sometimes attributes contain passwords (or other sensitive info).
  • 13. DEMO: How to determine what systems the Admins are authorized to logon to (using LDAP calls to AD) and probe those systems for enabled protocols (WMI, WSMan/PowerShell Remoting, etc).
  • 15. Attacking Password Vaults • Companies are frequently turning to password vault technology to help improve administrative security. • Tend to be either CyberArk or Thycotic SecretServer. • PV often has a “reconciliation” account which is a DA to bring accounts back into compliance.
  • 16. Password Vault Management • Password vault maintains DA account(s) • Admin connects to website & authenticates to the PV. • Admin gets a password to use with the DA account • Admin is proxied via the webserver through a RDP session to an Admin server or DC
  • 17. Password Vault Weaknesses • Authentication to the PV webserver is typically performed with the admin’s user account. • Connection to the PV webserver doesn’t always require 2FA/MFA. • The PV servers are often administered like any other server. • Anyone on the network can send traffic to the PV server(s).
  • 19. Jump (Admin) Servers • If Admins are not using Admin workstations, keylog for creds on admin’s workstation. • Discover all potential remoting services. • RDP (2FA?) • WMI • WinRM/PowerShell Remoting • PSExec • NamedPipe • Compromise a Jump Server, 0wn the domain! Sean Metcalf (@PyroTek3) TrimarcSecurity.com
  • 20. Hijacking the Admin/Jump Server • Get Admin on the server • Get SYSTEM • Run tscon.exe as SYSTEM ”if you run tscon.exe as the SYSTEM user, you can connect to any session without a password” https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to- move-through-an-da2a1e73a5f6 Sean Metcalf (@PyroTek3) TrimarcSecurity.com
  • 21. Sean Metcalf (@PyroTek3) TrimarcSecurity.com
  • 22. Alexander Korznikov demonstrates using Sticky Keys and tscon to access an administrator RDP session — without even logging into the server. https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to- move-through-an-da2a1e73a5f6 Sean Metcalf (@PyroTek3) TrimarcSecurity.com
  • 24. Red/Admin Forest Discovery • Check trusts for 1-way trust where the production AD trusts another AD forest and Selective Authentication is enabled. • Enumerate group membership of the domain Administrators group for a group or groups that are in this other forest.
  • 25. The Latest “Best” Way to Admin AD & How to Get Around It • Several organizations have deployed an Admin Forest and often ignore the primary production AD since all administrators of the AD forest are in the Red Forest. • They often don't fix all the issues in the prod AD. • They often forget about service accounts. • Target agents on Domain Controllers. • Identify systems that connect to DCs with privileged credentials on DCs (backup accounts).
  • 27. Conclusion • Most organizations have done "something" to better secure their environment • It's often not enough, though some are successfully detecting pentest/red team engagements. https://twitter.com/HackingDave/status/959131987264057345 https://twitter.com/malcomvetter/status/959913399592239104 • Summarize how to better operate in these "more secure" environments and what is needed. • Recommendations you can pass on to customers to help them improve their admin hygiene and security.