Walking through a series of three common attacks on Active Directory, I guide you on deploying three very simple solutions to prevent the escalation of the bad actors privileges.

1. Escalation
Defenses
A D G u a r d R a i l s E v e r y
C o m p a n y S h o u l d D e p l o y.
© 2 0 2 0 : : D a v i d Ro w e : : S e c f ra m e . c o m

2. David Rowe, CISSP
Cloud Security at Boston Children's Hospital.
IR advisor for multiple incident response teams
responding to Advanced Persistent Threat (Nation
State) attacks.
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

3. David Rowe, CISSP
Secframe.com
/in/davidprowe
@davidprowe
david@secframe.com
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

4. Today:
 What is Active Directory?
 Why is Access Important?
 Do you swear to talk about Active Directory, the
whole Active Directory and nothing but Active
Directory?
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

5. What is Active
Directory?
1
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

6. Object Information Store
A.D. stores information about OBJECTS
on a computer network
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

7. Object Information Store
Hierarchy: Parent/Child
Common Object Types:
Users
Computers
Groups
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

8. Security Defined Through:
Via ACLs; Ownership, & Membership
Objects authorized to perform actions
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

9. Ex A.D. Hierarchy:
So urce:
https://www.secframe.com/blog/account-operators-what-can-they-control
Ex: Account Operators
Top down access to
all these objects
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

10. AD
Administrative
Model
2
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

11. Microsoft’s Solution ESAE
Enhanced
Security
Administrative
Environment
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

12. ESAE Purpose
Protect identity systems using a set of
buffer zones between full control of
the Environment (Tier 0) and the high
risk workstation assets that attackers
frequently compromise.
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m
https://docs.microsoft.com/en-us/windows-
server/identity/securing-privileged-access/securing-privileged-
access-reference-material

13. Microsoft’s Solution ESAE
ESAE’s first presentation:
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

14. ESAE: 3 Stages, 14 Steps
Stage 1:
Separate Admin accounts for
Wo rks ta tio ns
Sepa ra te Admin a cco unts fo r Servers
Sepa ra te Admin a cco unts fo r Do ma in
Co ntro llers
Stage 2:
Privileged Acces s Wo rks ta tio ns fo r
Admins
U nique Lo ca l Pa s s wo rds fo r
Servers & Wo rks ta tio ns
T ime B o und Privileges
J us t E no ugh Adminis tra tio n
Lower Attack Surfaces
o f DCs : Limit Admins
Atta ck Detectio n
Stage 3
Mo dernize ro les a nd delega tio n
mo del to be co mplia nt with the tiers
Sma rtca rd a uthentica tio n fo r a ll
a dmins
Admin Fo res t fo r AD a dmins
W indo ws Defender Device Gua rd
Shielded V Ms
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

15. Today’s Topic
Stage 1:
Separate Admin accounts for
Wo rks ta tio ns
Sepa ra te Admin a cco unts fo r Servers
Sepa ra te Admin a cco unts fo r Do ma in
Co ntro llers
Stage 2:
Privileged Acces s Wo rks ta tio ns fo r
Admins
U nique Lo ca l Pa s s wo rds fo r
Servers & Wo rks ta tio ns
T ime B o und Privileges
J us t E no ugh Adminis tra tio n
Lower Attack Surfaces
o f DCs : Limit Admins
Atta ck Detectio n
Stage 3
Mo dernize ro les a nd delega tio n
mo del to be co mplia nt with the tiers
Sma rtca rd a uthentica tio n fo r a ll
a dmins
Admin Fo res t fo r AD a dmins
W indo ws Defender Device Gua rd
Shielded V Ms
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

16. Active Directory Tier Model
The highest level of privilege. Accounts which have administrative control
over the entire environment through the ability to manage identity and
permissions enterprise-wide.
Objects: Domain Controllers; Systems that manage DCs; Accounts with access to these systems
Tier 0
Domain &
Enterprise
Admins
Tier 1
Server
Admins
Accounts which have administrative control over enterprise resources
that serve many users or manage business-critical data and
applications. Cannot control Tier 0 resources.
Objects: Servers and Srv admins; Enterprise apps & admins; Cloud service administrators
Tier 2
Workstation
Admins
Accounts with administrative privileges over only standard user
accounts and single-user devices. Cannot control Tier 1 or Tier 0
resources.
Objects: Helpdesk support; Device support; User support
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

17. Attacker’s
Access Path
3
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

18. What is an Access Path?
An access path, also called a compromise
path, is an indirect path to compromising
critical resources on a domain.
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

19. How can the Tiers help?
By limiting the use of administrators’
credentials, the exposure factor of the
credentials is decreased.
ELI5: If admins don’t log in everywhere,
passwords are harder to locate and crack
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

20. Access Path Example 1
Attacker compromises desktop computer
Breaks MS Word
Steals Field Tech account when they log in
Finds server where stolen creds work
Dumps cached server admin creds
Jumps to other available servers dumping
creds
Finds server with DA creds
Dumps and decrypts AD Password Database
NTDS.DIT
Traverses and attack other trusted domains
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

21. Access Path Example 2
Attacker compromises office printer
Printer interfaces with AD using LDAP
Attacker steals printer’s AD service account
Attacker uses creds to traverse desktops &
servers
Finds SCCM/Landesk/Ansible admin desktop
computer
Uses tool to add local admin privileges to
Jump Server
Harvests DA creds off Jump Server
Dump and decrypt AD Password Database
NTDS.DIT
Traverse and attack other trusted domains
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

22. Access Path Example 3
Attacker compromises desktop computer
Requests Kerberos Tickets to any account
with an SPN - Kerberoasting
Cracks cached creds into plaintext
Jumps to other available servers dumping
other cached credentials
Harvests DA creds off Server
Dump and decrypt AD Password Database
NTDS.DIT
Traverse and attack other trusted domains
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

23. • An unpatched public facing web server was compromised
• An attacker exploited a vulnerability, granting admin access
to the server
• The attacker dumped the cached credentials on the server
• Finds a local administrator password identical across
machines
• Attacker moved laterally across the domain probing servers
until he/she finds a computer where a domain administrator
(DA) credential was stored
• Attacker dumps DA hash from machine and cracks it
• The attacker now has full administrative access on the
domain
The Breach & Prevention
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

24. • An unpatched public facing web server was compromised
• An attacker exploited a vulnerability, granting admin access
to the server
• The attacker dumped the cached credentials on the server
• Finds a local administrator password identical across
machines
• Attacker moved laterally across the domain probing servers
until he/she finds a computer where a domain administrator
(DA) credential was stored
• Attacker dumps DA hash from machine and cracks it
• The attacker now has full administrative access on the
domain
The Breach & PreventionThis will eventually happen
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

25. • An unpatched public facing web server was compromised
• An attacker exploited a vulnerability, granting admin access
to the server
• The attacker dumped the cached credentials on the server
• Finds a local administrator password identical across
machines
• Attacker moved laterally across the domain probing servers
until he/she finds a computer where a domain administrator
(DA) credential was stored
• Attacker dumps DA hash from machine and cracks it
• The attacker now has full administrative access on the
domain
The Breach & PreventionThis will eventually happen
Patch
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

26. • An unpatched public facing web server was compromised
• An attacker exploited a vulnerability, granting admin access
to the server
• Finds a local administrator password identical across
machines
• Attacker moved laterally across the domain probing servers
until he/she finds a computer where a domain administrator
(DA) credential was stored
• Attacker dumps DA hash from machine and cracks it
• The attacker now has full administrative access on the
domain
The Breach & PreventionThis will eventually happen
Patch
Cached
cred GPO
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

27. • An unpatched public facing web server was compromised
• An attacker exploited a vulnerability, granting admin access
to the server
• Attacker moved laterally across the domain probing servers
until he/she finds a computer where a domain administrator
(DA) credential was stored
• Attacker dumps DA hash from machine and cracks it
• The attacker now has full administrative access on the
domain
The Breach & PreventionThis will eventually happen
Patch
Cached
cred GPO
LAPS or PWD Script
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

28. • An unpatched public facing web server was compromised
• An attacker exploited a vulnerability, granting admin access
to the server
• Attacker dumps DA hash from machine and cracks it
• The attacker now has full administrative access on the
domain
The Breach & PreventionThis will eventually happen
Patch
Cached
cred GPO
LAPS or PWD Script
Block DA
login GPO
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

29. • An unpatched public facing web server was compromised
• An attacker exploited a vulnerability, granting admin access
to the server
• The attacker now has full administrative access on the
domain
The Breach & PreventionThis will eventually happen
Patch
Cached
cred GPO
LAPS or PWD Script
Block DA
login GPO
Cached
cred GPO
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

30. • An unpatched public facing web server was compromised
• An attacker exploited a vulnerability, granting admin access
to the server
• The attacker now has full administrative access on the
domain
The Breach & Prevention
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
This will eventually happen
Patch
Cached
cred GPO
LAPS or PWD Script
Block DA
login GPO
Cached
cred GPO
Bad Actor Has No Direct
Path to DA
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

31. GPOS needed
4
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

32. Block logins across tiers
 Start by blocking Domain Admins (DAs)
logins
 They should not be able to log into
workstations or servers
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

33. Block logins across tiers
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

34. Cached Creds GPO
Create GPOs to remove the cached credentials from
computers
…then reboot
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

35. Cached Credentials?
 Computer level setting
 Interactive logon: Number of previous
logons to cache [store in memory] (in
case domain controller is not
available)
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

36. Cached Credentials Defaults
 Value indicates stored users
credentials on device –
 Windows Operating Systems default to
10
 Default stored as RC4 hash on system
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

37. Vulnerabilities
 Targeted Pass-the-hash -If you can’t
crack it, encapsulate and pass it
 RC4 Nomore – one type of RC4 Exploit
– 52 Hrs to crack
 One incident I observed evidence a
plaintext password 9 minutes after the
hash was compromised
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

38. Playground: Exploit Tools
Mimikatz, Impacket, JtR, Hashcat,
Ophcrack, Taskmanager… + lsass.exe,
Pwdumpx + passwordPro
Google for more!
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

39. Cached Creds: GPO Servers
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

40. Cached Creds: GPO Workstations
© 2 0 2 0 : : D a v i d R o w e : : S e c f r a m e . c o m

41. Now what do I do?
D e p l o y t h e G P O s t o r e m o v e v u l n e ra b i l i t i e s
G u i d a n c e o n F ra m e w o r k s a n d To o l s
S e c u r i t y A u d i t s & Ro a d m a p s
Secframe.com/about

42. Slides available for
download at:
Secframe.com/presentations