
Active Directory Security - AD Attacks & Mitigation


This presentation is supposed to be for IT Managers and CIO/CISO's to understand the common attacks on Active Directory.

Published in: Technology


  1. “Active Directory – AD Attacks & Mitigation” @_HuyKha – Presentation for IT Managers & CIOs to understand attacks on AD
  2. Who am I?
     ● Huy Kha – Information Security @ International Law Firm
     ● Security wizard with a focus on IT, Security and Privacy
     ● Interested in topics such as Governance, Risk and Compliance
     ● The right hand of the CISO
  3. What are we going to cover?
     ● The importance of Active Directory Security
     ● Insecure permissions in Active Directory & modern AD attacks
     ● Basic pentest methods that still work to get Domain Admin
     ● How to mitigate AD attacks
  4. (1) The importance of Active Directory
     ● Active Directory is a system that connects all of the individual machines on a network.
     ● It’s like a central database system that manages computers, applications and services on a network, which can contain the finance or HR system for example.
     ● AD is often a first target for hackers to prepare the steps of the (Cyber) Kill Chain.
     ● Compromising AD is like having full access to the crown jewels of Disneyland.
     ● The key to the kingdom.
  5. (2) The importance of Active Directory
  6. Active Directory: The crown jewels for insider attacks
  7. Permissions
  8. Full control – Everyone has Full Control
  9. Random user with edit rights on GPOs (: User1 can modify the entire GPO
  10. AD Attacks & Mitigation
  11. How easy is it to get Domain Admin in a pentest or red team?
  12. (1) DCSync Attack – Retrieve password hashes from the AD database & impersonate users on the domain
     ● Those two rights (the replication rights listed on the next slide) allow the attacker to perform a so-called ‘’DCSync’’ attack.
     ● DCSync is a method that allows the attacker to impersonate a DC to synchronize all the credentials of users on the domain.
     ● The DRS protocol is a necessary functionality in AD that is used in a DCSync attack. Domain Controllers use DRS to replicate the configuration, schema and domain naming contexts to other DCs.
     ● The attacker does not need to be on the DC to synchronize account credentials from the AD database. Read access to the AD database ;-)
     ● The attacker can also get every account’s information on the domain, including username and hash (history).
  13. (2) DCSync Attack – Information
     ● Default groups that can perform DCSync: Administrators, Domain Admins, Enterprise Admins, Domain Controllers
     ● The impact of DCSync: retrieving the NTLM hashes of all accounts; the attacker can use the obtained NTLM hashes for further actions.
     ● DCSync is a less noisy attack, because it does not require running any malicious code on the DC itself.
     ● Request the account information of the krbtgt account to get the hash or key to create a Golden Ticket for persistent access.
     ● DCSync is also possible for non-privileged users with the following rights: Replicating Directory Changes and Replicating Directory Changes All
  14. (3) DCSync Attack – Mitigation
     ● Limit access to high privileged AD groups by removing users from: Administrators, Domain Admins, Enterprise Admins, Domain Controllers
     ● Find all non-privileged accounts with DCSync rights and take them away. Script: riptcenter/Get-DCSyncRights-0e2ebbfe
     ● Way too many DAs.
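Added example, not from the deck or from the script it links: a PowerShell check that lists every principal holding a replication extended right on the domain naming context and flags the ones outside the default DCSync-capable groups from the previous slide. The GUIDs are the fixed rightsGuid values; the list of expected holders assumes a single-domain forest.

```powershell
# Added example, not from the deck: who can DCSync this domain?
Import-Module ActiveDirectory

# rightsGuid values of the replication extended rights (fixed in every forest).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Principals that hold these rights out of the box (assumption: single-domain forest,
# so Enterprise Admins and Domain Controllers belong to this domain).
$ExpectedHolders = @('Administrators', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS',
                     'ENTERPRISE READ-ONLY DOMAIN CONTROLLERS', 'Domain Controllers',
                     'Enterprise Admins', 'Domain Admins')

function Get-DcSyncRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$DomainDN"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }

        $guid = $ace.ObjectType.ToString()
        if ($guid -eq '00000000-0000-0000-0000-000000000000') {
            # An ACE with an empty ObjectType grants every extended right
            # (a GenericAll ACE looks like this too), so replication is included.
            $rightName = 'All extended rights'
        } elseif ($ReplicationRights.ContainsKey($guid)) {
            $rightName = $ReplicationRights[$guid]
        } else {
            continue   # some other extended right, not replication
        }

        $principal = $ace.IdentityReference.Value
        [pscustomobject]@{
            Principal  = $principal
            Right      = $rightName
            Inherited  = $ace.IsInherited
            IsExpected = $ExpectedHolders -contains $principal.Split('\')[-1]
        }
    }
}

# Everything that is not expected is a DCSync finding to review before removing it.
Get-DcSyncRightHolders | Where-Object { -not $_.IsExpected } | Format-Table -AutoSize
```

Check what each unexpected holder is for before removing the right: the synchronization account of Azure AD Connect, for example, legitimately needs it.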
  15. “The art is not about getting Domain Admin, but finding a way to keep persistence.” – H.K
  16. (1) Golden Ticket – Persistence
     ● Let’s assume the attacker has obtained AD Admin credentials and wants to remain persistent inside the network. All he has to do is create a Golden Ticket to achieve this.
     ● A Golden Ticket allows the attacker to have unlimited access to the targeted domain in the environment, which means that the attacker has complete access to everything and can swim around the network unnoticed.
     ● When a TGT is generated with the hash or key of the krbtgt account, Kerberos will automatically trust the ticket by default and give the attacker unlimited access.
     ● Golden Ticket = Enterprise Admin. The krbtgt account provides the hash that is needed to perform a Golden Ticket.
  17. (2) Golden Ticket – Persistence
     ● The krbtgt account is like the Queen in Active Directory.
     ● The account has been there since the beginning of 2000, but we barely know the functionality of it!!
     ● Krbtgt is responsible for encrypting the authentication tokens for the DC and giving the golden key to the kingdom.
  18. “But, we scan our network 24/7”
  19. (image-only slide)
  20. (3) Golden Ticket – Reset the krbtgt password 2x
     ● If an organization has been compromised it is suggested to reset the password of the krbtgt twice to remove the persistent access of the intruder.
     ● 99% of all organizations have never heard of the krbtgt account and have never changed the password twice.
  21. (4) Golden Ticket – Mitigation
     ● Limit access to the DC. The Default Domain Controllers Policy gives access to: Administrators, Account Operators, Backup Operators, Print Operators, Server Operators. Not sure if Print, Account and Server Operators need access...
     ● Why do you need to change the password of krbtgt twice? It removes the persistent access of the intruder by cleaning the current and previous password history, and makes the Golden Ticket that was previously generated invalid.
     ● Reset the password twice when an AD admin leaves, or do it every 3-6-12 months.
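Added example, not from the deck: the "reset krbtgt twice" procedure from slides 20 and 21 as a PowerShell function that refuses the second reset until the first one has replicated to every writable DC and the old key has aged out. The 10-hour minimum interval is an assumption taken from the default maximum TGT lifetime.

```powershell
# Added example, not from the deck: reset krbtgt with the checks that keep it from locking users out.
Import-Module ActiveDirectory

function New-KrbtgtPassword {
    # 32 random bytes as base64; nobody ever needs to type this password.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Get-KrbtgtState {
    # Ask every writable DC for its own copy of the krbtgt object.
    foreach ($dc in (Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly })) {
        $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet, 'msDS-KeyVersionNumber'
        [pscustomobject]@{
            DC         = $dc.HostName
            PwdLastSet = [DateTime]::FromFileTimeUtc($k.pwdLastSet)
            KeyVersion = $k.'msDS-KeyVersionNumber'
        }
    }
}

function Reset-KrbtgtPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: default maximum TGT lifetime of 10 hours. Tickets issued under the
        # previous key stay valid that long, so the second reset must wait at least this.
        [TimeSpan]$MinimumInterval = (New-TimeSpan -Hours 10)
    )
    $state = Get-KrbtgtState
    $versions = @($state.KeyVersion | Sort-Object -Unique)
    if ($versions.Count -ne 1) {
        throw "krbtgt key version differs between DCs ($($versions -join ', ')): the previous reset has not replicated yet."
    }
    $lastReset = ($state | Sort-Object PwdLastSet -Descending | Select-Object -First 1).PwdLastSet
    $age = (Get-Date).ToUniversalTime() - $lastReset
    if ($age -lt $MinimumInterval) {
        throw "krbtgt was reset $([int]$age.TotalMinutes) minutes ago; wait $($MinimumInterval.TotalHours) hours before resetting again."
    }
    if ($PSCmdlet.ShouldProcess('krbtgt', "Reset password (current key version $($versions[0]))")) {
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-KrbtgtPassword)
        # Push the change to all DCs now instead of waiting for the replication schedule.
        repadmin /syncall /AdeP | Out-Null
        Get-KrbtgtState
    }
}

# Procedure from the slide: run once, wait, run again. -WhatIf shows what would happen.
Reset-KrbtgtPassword -WhatIf
```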
  22. (1) Kerberoasting – SPN Bruteforce
     ● Kerberoasting is a bruteforce attack that is used on service accounts that are associated with Kerberos authentication.
     ● A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer.
     ● A service account is a special domain user account that an application or service uses to interact with the operating system. You can recognize it through the servicePrincipalName attribute (e.g. SQL Server, IIS Webserver, File share, SharePoint, Exchange etc.).
     ● Compromising a service account can lead to full access to a SQL server for example.
  23. (2) Kerberoasting – Mitigation
     ● Service accounts need to have a strong password with a length of 25+ characters.
     ● Make sure that those service account passwords periodically expire (3-6-12 months).
     ● Use Group Managed Service Accounts: 12/12/16/windows-server-2012-group-managed-service-accounts/
     ● Why do service accounts need to have a 25+ password length? Every domain user can launch a brute force attack without getting locked out. If someone is able to crack a service account password, he would be able to create Silver Tickets to get persistent access to that specific service (e.g. SQL Server). Service account passwords are barely changed in an organization.
     ● How to execute this plan? Get a list of all service accounts with the SPN value; remove service accounts if not needed anymore; do NOT allow service accounts to have Domain Admin rights; make sure that all service accounts have a 25+ password length to reduce Kerberoasting.
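Added example, not from the deck: the "get a list of all service accounts with the SPN value" step of the plan above as a PowerShell report that also checks the other items on the slide (privileged membership, password age, never-expiring passwords) and, going one step beyond the slide, whether the account supports AES. The thresholds and group list are assumptions.

```powershell
# Added example, not from the deck: inventory the Kerberoast candidates (user accounts with an SPN).
Import-Module ActiveDirectory

function Get-KerberoastExposure {
    param(
        [int]$MaxPasswordAgeDays = 180,   # slide says 3-6-12 months; 6 months assumed here
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
    )
    $now = Get-Date
    $accounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, Enabled, MemberOf, 'msDS-SupportedEncryptionTypes'

    foreach ($a in $accounts) {
        if ($a.SamAccountName -eq 'krbtgt') { continue }   # has an SPN too; covered by the Golden Ticket slides
        # Direct memberships only; nested membership needs Get-ADPrincipalGroupMembership or a recursive query.
        $groups = foreach ($dn in $a.MemberOf) { (Get-ADGroup -Identity $dn).Name }
        $privileged = [bool]($groups | Where-Object { $PrivilegedGroups -contains $_ })
        $ageDays = if ($a.PasswordLastSet) { [int]($now - $a.PasswordLastSet).TotalDays } else { -1 }
        # msDS-SupportedEncryptionTypes: 0x08 = AES128, 0x10 = AES256. Unset or RC4-only means the
        # service ticket comes back RC4-encrypted, which is the cheapest case for offline cracking.
        $etypes = $a.'msDS-SupportedEncryptionTypes'
        $aes = ($null -ne $etypes) -and (($etypes -band 0x18) -ne 0)

        $findings = @()
        if ($privileged) { $findings += 'member of a privileged group' }
        if ($a.PasswordNeverExpires) { $findings += 'password never expires' }
        if ($ageDays -lt 0 -or $ageDays -gt $MaxPasswordAgeDays) { $findings += "password age $ageDays days" }
        if (-not $aes) { $findings += 'no AES encryption types' }

        [pscustomobject]@{
            Account    = $a.SamAccountName
            Enabled    = $a.Enabled
            Privileged = $privileged
            PwdAgeDays = $ageDays
            AES        = $aes
            SPNs       = ($a.ServicePrincipalName -join '; ')
            Findings   = ($findings -join ', ')
        }
    }
}

# Password length cannot be read from AD, so enforce the 25+ rule with a fine-grained
# password policy and use this report to find the accounts it must apply to.
Get-KerberoastExposure | Where-Object Findings | Sort-Object Privileged -Descending | Format-Table -AutoSize
```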
  24. (1) Silver Ticket – Explanation
     ● A Silver Ticket is a method that allows the attacker to create a forged service ticket for the compromised ‘’service’’ that runs for example the SQL server or SharePoint.
     ● This is usually done through Kerberoasting: the plain-text password is converted into an NTLM hash to create a Silver Ticket.
     ● With a Silver Ticket, the attacker has full access to that specific service until the sysadmin decides to change the password for that targeted service account (which never happens, FYI).
     ● Scenario when a Silver Ticket can turn into getting a Golden Ticket: the attacker was able to get Domain Admin credentials; the attacker dumps the entire AD database; the organization is on fire; the sysadmin needs to do an AD recovery and change all the passwords for the user and service accounts, including the 2x password reset of the krbtgt account; the attacker still has the NTLM hash of the Domain Controller computer account (usually the ones with a dollar sign).
     ● The impact of a Silver Ticket: the attacker has full access to a specific resource, which may contain private information.
     ● Other scenario: if the attacker compromised the entire domain and still has access to one DC computer account (hash), he can create Silver Tickets to get the hash of the krbtgt and create a Golden Ticket.
     ● Hard to detect, because there is no communication between the service & DC. Event logs won’t be on the DC.
     ● AD computer accounts with a $ sign. NTLM hash.
  25. (2) Silver Ticket – Exploitation with remote PowersHELL
     ● The attacker has obtained the hash of the DC’s computer account in a previous dump and can now start his further attack to get the Golden Ticket.
     ● The attacker creates a Silver Ticket for the HTTP service. Using the HTTP service allows the attacker to leverage remote PowerShell.
     ● The attacker will use an exploitation tool to inject the Silver Ticket into memory.
     ● The attacker starts the Enter-PSSession cmdlet and starts an interactive session with a single remote computer (in this case the DC). During the session, the commands that are typed run on the remote computer, just as if you were typing directly on the remote computer. Works if remote PowerShell is enabled as well.
     ● The exploitation tool (mimikatz) will be launched.
     ● The hash of krbtgt will be extracted and a Golden Ticket can be created!
     ● Mitigation: disable/restrict the WinRM service to help prevent the use of PowerShell for remote execution, if you don’t need it.
  26. (3) Silver Ticket with Service:LDAP = DCSync
     ● The attacker can create a Silver Ticket with the DC computer account password hash for the LDAP service to leverage DCSync.
     ● LDAP is a client/server protocol used to access and manage directory information.
     ● SOC/SIEM might struggle to detect this.
  27. “Buy this Magic Box and you are secure”
  28. The FUD stops here!
  29. Basic attacks still work
     ● You should not think about buying fancy IDS systems or having a SOC/SIEM if you don’t have the basics in the right place.
     ● Most organizations are still getting pwned through: LLMNR/NBT-NS Poisoning, SMB Relay Attacks, MS17-010, Password Spraying, WDigest, Kerberoasting. Read blog here.
  30. EternalBlue (MS17-010) & NBT-NS Poisoning – FireEye report from 2017
  31. (1) What is LLMNR & NBT-NS Poisoning?
     ● LLMNR is a protocol based on the DNS protocol that allows computers to perform name resolution for addresses on the same local network without the need for a centrally coordinating DNS server.
     ● Let’s say someone tries to reach out to domain.local, but that domain is not even on the network. The first request will go to the DNS server, and if the DNS server can’t resolve it, the request falls back to LLMNR.
     ● The LLMNR protocol is used after the request to the DNS server is unsuccessful.
     ● NBT-NS provides communication services on the local network. NetBIOS allows computers on a LAN to communicate with the network hardware and to transmit data across the network.
     ● NetBIOS is an API, not a network protocol.
     ● The image is from …, which explains LLMNR Poisoning very well.
  32. (2) – LLMNR Poisoning
     ● LLMNR Poisoning in eazy-peazy language:
     ● Bob wants to access a file share on the network, but accidentally types the wrong address. He types fielshare instead of fileshare.
     ● The DNS server will respond that the request could not be found.
     ● Since the DNS request was unsuccessful, LLMNR & NBT-NS will broadcast ‘’WHO IS fielshare?’’
     ● The evil guy tells Bob that he is fielshare and accepts Bob’s Challenge/Response hash.
     ● The evil guy sends an error back to the client to tell him that it is a wrong share name or something.
     ● And the hash of the user is captured in the box of the attacker.
     ● The attacker will crack the hash(es) offline to try to escalate his privileges.
  33. (3) Disable LLMNR & NBT-NS for everyone – It’s legacy and insecure
  34. (1) SMB Relay Attack – What is SMB?
     ● SMB is a Microsoft client-server communication protocol that is used for sharing access to files, printers, serial ports and other resources on a network.
     ● SMB enables an application or the user of that application to access files on a remote server, as well as other resources, including printers, etc.
     ● SMB operates on the Application Layer of the OSI model and can be used over TCP/IP on port 445 for transport.
     ● SMB was invented by IBM and has been around since the mid-eighties.
  35. (2) – SMB Relay Attack
     ● An SMB Relay Attack allows the attacker to relay SMB authentication requests to another host and get access to an authenticated SMB session, but only if the user has access and network logons are granted on the target host. If the user has administrator access on the target host, the attacker could execute arbitrary commands.
     ● An attacker can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the attacker, or place a specially crafted file on a navigation path for privileged accounts or on a publicly accessible share to be accessed by the victim.
     ● Impact of SMB Relay: when the user's system accesses the untrusted resource it will attempt authentication and send information including the user's hashed credentials over SMB to the adversary-controlled server.
     ● Attackers can try to crack those hash(es) with a brute force attack to get the plain-text password, or re-use them for a Pass the Hash attack.
     ● Source: ATT&CK – T1187
  36. SMB Relay
     ● “The injected link is used to request an image on a remote server over the SMB protocol, with this trick attackers are able to extract victims’ user IP, username, domain name, and NTLM hash of the user’s password.” – …
     ● US-CERT has covered this attack. See here.
  37. (3) – How to mitigate SMB Relay Attacks?
     ● The reason that SMB Relay Attacks work most of the time is because SMB signing is not enabled by default. This could break legacy stuff, so that’s why. Test this first!
     ● By default this setting is enabled for domain controllers, but disabled for other member servers within the domain.
     ● Network segmentation is an option as well.
     ● “I can’t turn SMB Signing on, because it would break things”
     ● If this is the case, you need to rely on detection, which is possible if you are collecting event logs to your SIEM.
  38. MS17-010
     ● Security update MS17-010 addresses several vulnerabilities in Windows Server Message Block (SMB) v1. The WannaCrypt ransomware is exploiting one of the vulnerabilities that is part of the MS17-010 update. Computers that do not have MS17-010 installed are at heightened risk because of several strains of malware.
     ● How to verify if MS17-010 is installed? us/help/4023262/how-to-verify-that-ms17-010-is-installed
  39. (1) – Password Spraying
  40. (2) – What is Password Spraying and what to do about it?
     ● Password spraying is an attack that will, usually, feed a large number of usernames into a program that loops through those usernames and tries a number of passwords, like Spring2018 for example.
     ● The default password policy is not ‘’secure’’.
     ● Use strong passwords with different characters etc.
     ● Use at least 14 characters (Microsoft advice).
     ● Account lockout threshold: 1-4, maybe 5.
     ● Changing passwords every 3 months is a pain, and it is making your users’ passwords weaker. Consider doing it every half year or year, but force them to use a strong password.
  41. Disable WDigest – Exposes plain-text passwords
     ● An SSO mechanism for Windows that was developed by Microsoft in 2003, mainly for Windows XP machines.
     ● Due to its design it is required to store plain-text passwords in memory.
     ● Disable WDigest if you haven’t yet. (Mimikatz)
  42. What tools are used in cyber attacks?
     ● Mimikatz is mainly used by attackers to collect the credentials of other users who are logged into a targeted Windows machine. It does this by accessing the credentials in memory within a Windows process called Local Security Authority Subsystem Service (LSASS).
     ● These credentials, either in plain text or in hashed form, can be reused to give access to other machines on a network.
     ● Since Mimikatz can only capture the accounts of those users logged into a compromised machine, privileged users (e.g., domain administrators) should avoid logging into machines with their privileged credentials.
     ● It’s not only a credential stealer, but also a tool that can be used for post-exploitation. Source: US-CERT
  43. Mimikatz <3 LSASS – Source: Microsoft
  44. Credentials in LSASS
     ● Once an attacker has gained local administrator privileges on a host, Mimikatz provides the ability to obtain the hashes and clear-text credentials of other users, enabling the attacker to escalate privileges within a domain and perform many other post-exploitation and lateral movement tasks.
     ● Local Admin is one of your biggest risks.
  45. Strategy to secure Active Directory
  46. Protect Rights & Permissions – Limit Local Admin rights
     ● Local Admins can perform any action on their ‘’local’’ system.
     ● The problem with ‘’Local Admin’’ is usually because of legacy.
     ● A lot of organizations are still running on outdated OSes etc., and old software requires ‘’Local Admin’’ to be able to run.
     ● ‘’We always had Local Admin, so why remove it?’’
     ● Impact of Local Admin rights: install their own backdoor; remove security patches; change configuration settings (e.g. enabling WDigest or removing LSA protection); turn off services.
  47. Protect Rights & Permissions – Find all Local Admin users
     ● Make sure that you are ‘’in control’’ of who has Local Admin rights.
     ● Remove Local Admin rights from users that really don’t need them. People from HR are a usual example.
     ● Get support from the management to cut through the bullshit that people use as an excuse to have Local Admin rights.
     ● PowerShell script that is used to find all Local Admins in your environment: uery-members-of-Local-d0f393a6
  48. Protect Rights & Permissions – Limit Domain Admin rights
     ● Find all Domain Admins and start to discuss if they really need DA rights. (Most of the time, not.)
     ● There are cases where I’ve seen that Help desk employees had Domain Admin. Their only task was to add a new workstation to the domain and to reset passwords.
     ● The best solution for this was to give those Help desk employees ‘’delegated rights’’ so they could perform their daily duties, instead of having wide permissions. Delegation of Control Wizard.
     ● PowerShell commands to find Domain, Enterprise and Schema Admins:
       get-adgroupmember 'domain admins' | select name,samaccountname
       get-adgroupmember 'enterprise admins' | select name,samaccountname
       get-adgroupmember 'schema admins' | select name,samaccountname
  49. Protect Rights & Permissions – Delegation of Control instead of random DA rights
  50. Protect Rights & Permissions – Try to avoid giving DA, because most of the time it’s not needed
     ● Best solution: Delegation of Control Wizard.
     ● Instead of giving Domain Admin rights, ask what their daily tasks are and what they need to do to perform their duties.
     ● Start a plan with the CISO, CIO & IT Managers to delegate rights for your 100 Domain Admins. 95 of them don’t need DA.
     ● Helpdesk, sysadmins, technical support, etc. do not need to have Domain Admin, but they should have delegated rights.
     ● Create different groups like Helpdesk, Sysadmins, Support etc. Add users to the group they belong to, and delegate their rights instead of giving DA.
     ● Same goes for vendors: don’t give them DA.
  51. Protect Rights & Permissions – Common mistake
     ● “Helpdesk employee only needs to add a workstation to a domain, and reset someone’s password” – DOES NOT NEED TO HAVE DOMAIN ADMIN
     ● “Support guy needs to add someone to an OU (Department) and modify or give permission to the AD groups that he needs” – DOES NOT NEED TO HAVE DOMAIN ADMIN
     ● “Random guy in your organization needs to create, delete and manage users.” – DOES NOT NEED TO HAVE DOMAIN ADMIN
     ● “Vendor is asking for random Domain Admin rights.” – SAY NO!
     ● Delegation of Control Wizard FTW!!! Impact: Domain Admin gets compromised = organization on fire ;-)
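Added example, not from the deck: the helpdesk case from slides 48 to 51 (reset passwords, force a change at next logon, unlock accounts) delegated to a group with PowerShell instead of the Delegation of Control Wizard, so the grant is reviewable and repeatable. The GUIDs are schema constants; the OU and group names are constructed.

```powershell
# Added example, not from the deck: delegate password reset and unlock on one OU to a Helpdesk group.
Import-Module ActiveDirectory

$UserClassGuid      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class: user
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute: pwdLastSet ("must change at next logon")
$LockoutTimeAttr    = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # attribute: lockoutTime (unlock)

function Grant-HelpdeskPasswordReset {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupSamAccountName
    )
    $sid     = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $path    = "AD:\$OuDistinguishedName"
    $acl     = Get-Acl -Path $path
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $rw      = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $ext     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # Each ACE applies only to user objects below the OU (inheritedObjectType = user class),
    # which is what keeps this far narrower than Domain Admin.
    $rules = @(
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, $ext, $allow, $ResetPasswordRight, $inherit, $UserClassGuid),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, $rw,  $allow, $PwdLastSetAttr,     $inherit, $UserClassGuid),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, $rw,  $allow, $LockoutTimeAttr,    $inherit, $UserClassGuid)
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }

    if ($PSCmdlet.ShouldProcess($OuDistinguishedName, "Delegate password reset / unlock to $GroupSamAccountName")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

function Get-DelegatedRights {
    # The explicit (non-inherited) ACEs on an OU: the periodic review from slide 52.
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType
}

# Constructed names: adjust to your own OU and group. -WhatIf prints the change without applying it.
Grant-HelpdeskPasswordReset -OuDistinguishedName 'OU=Users,OU=Corp,DC=example,DC=local' -GroupSamAccountName 'Helpdesk' -WhatIf
Get-DelegatedRights -OuDistinguishedName 'OU=Users,OU=Corp,DC=example,DC=local'
```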
  52. Protect Rights & Permissions – Check OU & GPO permissions
     ● Periodically check all the OU permissions to see if someone added himself, for example in the AdminSDHolder OU, or granted a random user some permissions that weren’t allowed. PowerShell script to do so: e-Directory-OU-1d09f989
     ● Periodically check all the GPO permissions. Are there any (inactive) users that have edit rights on GPOs that weren’t supposed to? See here: Get-GPPermission
     ● Delegate GPO permissions. Don’t give them more rights than they need.
  53. Protect Rights & Permissions – Delegate GPO permissions
     ● Default G
PO permissions: Edit settings, delete, modify security
  54. Protect Rights & Permissions – User Rights Assignment
     ● User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain.
     ● Best practices for User Rights Assignment: See here
  55. Protect Credentials – Protected Users Group
     ● Protected Users is a global security group and its primary function is to prevent users' credentials being abused on the devices where they log in.
     ● READ ME FIRST: add (only) high privileged accounts, for example those with Domain Admin rights, to this group, but test this first. Don’t randomly add all the DAs to the group. Step by step first!
     ● Members of the Protected Users group can no longer use:
     ● Default credential delegation (CredSSP) – plaintext credentials are not cached even when the Allow delegating default credentials policy is enabled
     ● Windows Digest – plaintext credentials are not cached even when they are enabled
     ● NTLM – NTOWF is not cached
     ● Kerberos long term keys – the Kerberos ticket-granting ticket (TGT) is acquired at logon and cannot be re-acquired automatically
     ● Sign-on offline – the cached logon verifier is not created
     ● Add Domain Admins to this group. And you are compliant!! More info? See the Microsoft page.
  56. Protect Credentials – Account is sensitive and cannot be delegated
     ● “Account is sensitive and cannot be delegated” ensures that an account’s credentials cannot be forwarded to other computers or services on the network by a trusted application.
     ● If the checkbox is ✓ then its credentials cannot be re-used by a trusted service.
     ● Make sure that your high privileged accounts have this checkbox on.
     ● Impact: if a trusted computer is compromised, the trusted application could act on behalf of any user that has presented itself to the service to perform malicious activity.
     ● It’s described much better here: Microsoft blog
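Added example, not from the deck: the "step by step, test first" onboarding from slides 55 and 56 as a PowerShell routine that sets "Account is sensitive and cannot be delegated" and adds one account at a time to Protected Users, refusing the cases where Protected Users is known to break things (accounts with an SPN, RC4-only accounts, a domain functional level below 2012 R2). The account name at the bottom is constructed.

```powershell
# Added example, not from the deck: stage privileged accounts into Protected Users safely.
Import-Module ActiveDirectory

function Test-ProtectedUsersCandidate {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties ServicePrincipalName, AccountNotDelegated,
            'msDS-SupportedEncryptionTypes', MemberOf
    $reasons = @()
    if ($u.ServicePrincipalName) {
        $reasons += 'has an SPN: a service account; Protected Users would break its Kerberos service tickets'
    }
    $etypes = $u.'msDS-SupportedEncryptionTypes'
    if ($etypes -and (($etypes -band 0x18) -eq 0)) {
        $reasons += 'RC4-only encryption types; Protected Users allows only AES'
    }
    $mode = (Get-ADDomain).DomainMode
    if ($mode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain) {
        $reasons += "domain functional level $mode is below 2012 R2; the DC-side protections would not apply"
    }
    [pscustomobject]@{
        Account          = $u.SamAccountName
        AlreadyProtected = [bool]($u.MemberOf | Where-Object { $_ -like 'CN=Protected Users,*' })
        NotDelegated     = $u.AccountNotDelegated
        Eligible         = ($reasons.Count -eq 0)
        Reasons          = $reasons
    }
}

function Protect-PrivilegedAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    $check = Test-ProtectedUsersCandidate -SamAccountName $SamAccountName
    if (-not $check.Eligible) {
        Write-Warning "$SamAccountName skipped: $($check.Reasons -join '; ')"
        return $check
    }
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Set AccountNotDelegated and add to Protected Users')) {
        # Slide 56: "Account is sensitive and cannot be delegated"
        Set-ADUser -Identity $SamAccountName -AccountNotDelegated $true
        # Slide 55: Protected Users membership
        if (-not $check.AlreadyProtected) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
        }
    }
    Test-ProtectedUsersCandidate -SamAccountName $SamAccountName
}

# One Domain Admin at a time, -WhatIf first, then log in with that account and verify
# everything it needs still works. 'da-huy' is a constructed name.
Protect-PrivilegedAccount -SamAccountName 'da-huy' -WhatIf
```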
  57. Protect Credentials – Restricted Admin Mode → RDP
     ● Restricted Admin Mode was developed by Microsoft to help protect administrator accounts by ensuring that reusable credentials are not stored in the memory of the remote devices that they connect to. The purpose of this feature is to reduce the chance that your account gets compromised.
     ● Restricted Admin Mode changes the Remote Desktop protocol so it uses a network logon rather than an interactive logon for authentication.
     ● Impact: Bob the Domain Admin logs in with RDP to a client workstation; the client workstation gets compromised and the attacker runs mimikatz; the attacker retrieves the client’s credentials, but also the creds of Bob in memory. Game over!!
  58. Protect Credentials – Restricted Admin Mode → RDP
     ● By default Restricted Admin Mode is not enabled, but if you want to enable it, create a registry value at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa: REG_DWORD DisableRestrictedAdmin, with the value set to 0.
     ● Test plan: first enable Restricted Admin Mode for RDP on workstations; second, enable it on DCs and servers.
     ● Don’t force Restricted Admin Mode yet, but let your employees get the ‘’feeling’’ of using it and know what the risks are!
     ● READ ME: all destination systems must have Restricted Admin mode enabled or the Remote Desktop connection request will fail.
  59. Protect Credentials – LAPS
     ● Local Administrator Password Solution (LAPS) is a Microsoft product that manages the local administrator password and stores it in Active Directory.
     ● LAPS automatically updates the built-in local administrator password on a routine basis across the domain.
     ● Why do you need LAPS? Built-in local administrator accounts are 90% configured with the same password across all workstations in a corporate environment, which makes it easy for attackers to compromise every workstation on the domain by just compromising one.
     ● Download LAPS here and use it if you haven’t yet: us/download/details.aspx?id=46899
     ● The default local Administrator account is a user account for the system administrator. It is stored in the local SAM and it’s the first thing attackers will go after. By default the password for the built-in local admin account is the same across the network, which is why Pass the Hash still works. Use LAPS to make sure that those passwords are different on each device.
  60. Protect Credentials – Please use LAPS
     ● Download LAPS here: us/download/details.aspx?id=46899
     ● Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled.
     ● 99% of pentesters are using the Pass the Hash technique to get into an environment, because no one changes the local administrator account password.
     ● Use LAPS to mitigate this risk.
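Added example, not from the deck or from LAPS itself: once LAPS is deployed, the question becomes which computers it actually covers. This PowerShell report reads the expiration attribute LAPS adds to the schema and sorts computers into covered, never covered, expired, and "expiry pushed beyond policy" (a manual write that stops rotation). The 30-day policy age is an assumption.

```powershell
# Added example, not from the deck: which computers does LAPS actually cover?
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param(
        [int]$PolicyMaxAgeDays = 30,   # assumption: the password age configured in the LAPS GPO
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $nowFt = (Get-Date).ToFileTimeUtc()
    # An expiry further out than policy allows means someone wrote the attribute by hand.
    $maxAllowedFt = (Get-Date).AddDays($PolicyMaxAgeDays).ToFileTimeUtc()

    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem, LastLogonDate |
    ForEach-Object {
        $exp = $_.'ms-Mcs-AdmPwdExpirationTime'
        $state = if (-not $exp) {
                     'NoLapsPassword'        # client extension never ran: GPO not applied or LAPS not installed
                 } elseif ([int64]$exp -lt $nowFt) {
                     'Expired'               # machine offline for a long time, or the extension stopped running
                 } elseif ([int64]$exp -gt $maxAllowedFt) {
                     'ExpiryBeyondPolicy'    # rotation blocked by a manual write to the attribute
                 } else {
                     'OK'
                 }
        [pscustomobject]@{
            Computer  = $_.Name
            OS        = $_.OperatingSystem
            LastLogon = $_.LastLogonDate
            LapsState = $state
            Expires   = if ($exp) { [DateTime]::FromFileTimeUtc([int64]$exp) } else { $null }
        }
    }
}

# Summary first, then the problem machines with the most recently active ones on top.
$coverage = Get-LapsCoverage
$coverage | Group-Object LapsState | Select-Object Name, Count
$coverage | Where-Object LapsState -ne 'OK' | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

The expiration attribute is readable by every authenticated user by default; the password attribute itself (ms-Mcs-AdmPwd) is not, and who can read it is the other thing to review after deploying LAPS.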
  61. (Optional) → Protect Credentials – Credential Guard
     ● Microsoft Windows Defender Credential Guard is a security feature that isolates users' login information from the rest of the operating system to prevent theft.
     ● Best way to prevent mimikatz from injecting into LSASS.
     ● Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
     ● Only works for Windows Server 2016 and Windows 10.
     ● If you can enable it, go for it.
     ● See link for more information: us/windows/security/identity-protection/credential-guard/credential-guard-manage
  62. Protect Credentials – LSA Protection
     ● LSA protection mitigates an attacker injecting code into LSASS memory, but this can easily be bypassed. Nevertheless it’s still a good choice to enable it, because it means that the attacker has to do more steps to achieve his goals, namely modifying the registry key.
     ● HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
     ● REG_DWORD = RunAsPPL
     ● Value = 00000001
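Added example, not from the deck: the registry settings behind slides 33 (LLMNR and NBT-NS off), 37 (SMB signing required), 41 (WDigest off), 58 (Restricted Admin mode) and 62 (LSA protection) in one PowerShell audit that reports each host's state and, with -Remediate, sets the values. In a domain these belong in a GPO; this is the "test this first" step on a handful of machines, and it assumes WinRM for remote hosts.

```powershell
# Added example, not from the deck: audit (and optionally set) the legacy-protocol and LSA hardening values.
function Get-LegacyHardeningState {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME, [switch]$Remediate)

    $work = {
        param([bool]$fix)
        $settings = @(
            @{ Slide=33; Name='LLMNR disabled';               Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';              Value='EnableMulticast';          Want=0 }
            @{ Slide=37; Name='SMB server signing required';  Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value='RequireSecuritySignature'; Want=1 }
            @{ Slide=37; Name='SMB client signing required';  Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value='RequireSecuritySignature'; Want=1 }
            @{ Slide=41; Name='WDigest plaintext caching off'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';    Value='UseLogonCredential';       Want=0 }
            @{ Slide=58; Name='Restricted Admin mode enabled'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                          Value='DisableRestrictedAdmin';   Want=0 }
            @{ Slide=62; Name='LSA protection (RunAsPPL)';    Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                          Value='RunAsPPL';                 Want=1 }
        )
        # NBT-NS (slide 33) is per interface: NetbiosOptions 2 = disabled under each Tcpip_{GUID} key.
        $nbtBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
        foreach ($iface in Get-ChildItem -Path $nbtBase) {
            $settings += @{ Slide=33; Name="NBT-NS disabled on $($iface.PSChildName)"; Path=$iface.PSPath; Value='NetbiosOptions'; Want=2 }
        }

        foreach ($s in $settings) {
            $current = (Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue).($s.Value)
            $ok = ($null -ne $current) -and ($current -eq $s.Want)   # an absent value counts as not hardened
            $changed = $false
            if ($fix -and -not $ok) {
                if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
                Set-ItemProperty -Path $s.Path -Name $s.Value -Value $s.Want -Type DWord
                $changed = $true
            }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; Slide = $s.Slide; Setting = $s.Name
                Current = $current; Wanted = $s.Want; Compliant = $ok; Changed = $changed
            }
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) { & $work $Remediate.IsPresent }
        else { Invoke-Command -ComputerName $c -ScriptBlock $work -ArgumentList $Remediate.IsPresent }
    }
}

# Audit only. WDigest, RunAsPPL and the server-side SMB setting take effect after a reboot / service restart.
Get-LegacyHardeningState | Where-Object { -not $_.Compliant } | Format-Table Computer, Slide, Setting, Current, Wanted -AutoSize
```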
  63. AD Security Logging – Event logs
     ● Start forwarding Windows Event Viewer logs to your SOC/SIEM. Usually most companies don’t do that.
     ● Make sure that you have visibility into all of the activities happening in AD.
     ● Large enterprises usually have a lot of IT employees who are making tons of changes in Active Directory every day. You clearly need to be sure that there are no bad guys in there, right?
     ● If you don’t monitor all the activities of Active Directory, then you might have a hard time finding the intruder.
     ● Event logs from workstations, servers and domain controllers should be collected in a SIEM.
  64. AD Security Logging – Example
     ● Event 1102 – “The audit log was cleared”
     ● This is a sign of malicious behavior: someone trying to cover his tracks by clearing the logs.
     ● Without visibility into your environment it is hard to discover the intruder.
     ● Most attacks start on the workstation via a spear-phishing attack.
     ● Collecting event logs from workstations should be a crucial point of your SOC/SIEM.
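Added example, not from the deck: a PowerShell detection that reads a DC's Security log (or the forwarded copy on a collector) for the 1102 event from this slide and, going one step further, for 4662 events in which a replication extended right is exercised by something other than a domain controller, which is the trace DCSync (slide 12) leaves on the DC. It assumes the "Audit Directory Service Access" subcategory is enabled and that the machine running it has the AD module.

```powershell
# Added example, not from the deck: two Security-log signals, audit log cleared and DCSync-style replication.
Import-Module ActiveDirectory

function Get-AdSuspiciousEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a DC, or the WEF collector holding the forwarded log
        [string]$LogName = 'Security',
        [int]$Hours = 24
    )
    $replicationGuids = @(
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
        '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
    )
    # DCs replicate from each other legitimately; their computer accounts end in '$'.
    $dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }

    $filter = @{ LogName = $LogName; Id = @(1102, 4662); StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev = $_
        $xml = [xml]$ev.ToXml()
        # 4662 carries its fields in EventData/Data; 1102 uses UserData/LogFileCleared.
        $f = @{}
        foreach ($n in @($xml.Event.EventData.Data)) { if ($n) { $f[$n.Name] = $n.'#text' } }
        if ($xml.Event.UserData) {
            foreach ($n in $xml.Event.UserData.FirstChild.ChildNodes) { $f[$n.LocalName] = $n.InnerText }
        }

        switch ($ev.Id) {
            1102 {
                [pscustomobject]@{ Time = $ev.TimeCreated; Id = 1102; Signal = 'Audit log cleared'
                                   Subject = "$($f.SubjectDomainName)\$($f.SubjectUserName)"; Detail = $ev.MachineName }
            }
            4662 {
                # Properties lists the access mask and the GUIDs of the rights/attributes requested.
                $used = $replicationGuids | Where-Object { $f.Properties -match $_ }
                if ($used -and ($dcAccounts -notcontains $f.SubjectUserName)) {
                    [pscustomobject]@{ Time = $ev.TimeCreated; Id = 4662; Signal = 'Replication right used by non-DC (DCSync?)'
                                       Subject = "$($f.SubjectDomainName)\$($f.SubjectUserName)"; Detail = ($used -join ', ') }
                }
            }
        }
    }
}

Get-AdSuspiciousEvents | Sort-Object Time | Format-Table -AutoSize
```

Expect the 4662 rule to fire for legitimate replication clients such as the Azure AD Connect synchronization account; put those on an allowlist rather than loosening the rule.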
  65. Attackers love PowersHELL
  66. PowerShell logs are important as well
     ● Attackers love PowerShell.
     ● A lot of (hacker) tools are based on PowerShell.
     ● Collecting PowerShell logs could help organizations identify the steps that the intruder is taking.
     ● In Active Directory it is possible to create a GPO to log the PowerShell activities of users.
     ● Deploy PowerShell logging with WEF and forward it to your SOC/SIEM.
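Added example, not from the deck: the registry values that the "Turn on Module Logging", "Turn on PowerShell Script Block Logging" and "Turn on PowerShell Transcription" GPO settings write, applied locally so the logging can be tested on one machine before the GPO goes out, plus a check that 4104 script block events really arrive. The transcript path is an assumption.

```powershell
# Added example, not from the deck: enable PowerShell logging locally and verify it.
function Enable-PowerShellLogging {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$TranscriptPath = 'C:\PSTranscripts')  # assumption; use a write-only share in production

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $settings = @(
        @{ Key = "$base\ScriptBlockLogging";        Name = 'EnableScriptBlockLogging'; Value = 1;               Type = 'DWord'  }
        @{ Key = "$base\ModuleLogging";             Name = 'EnableModuleLogging';      Value = 1;               Type = 'DWord'  }
        @{ Key = "$base\ModuleLogging\ModuleNames"; Name = '*';                        Value = '*';             Type = 'String' }  # log every module
        @{ Key = "$base\Transcription";             Name = 'EnableTranscripting';      Value = 1;               Type = 'DWord'  }
        @{ Key = "$base\Transcription";             Name = 'EnableInvocationHeader';   Value = 1;               Type = 'DWord'  }
        @{ Key = "$base\Transcription";             Name = 'OutputDirectory';          Value = $TranscriptPath; Type = 'String' }
    )
    foreach ($s in $settings) {
        if ($PSCmdlet.ShouldProcess("$($s.Key) [$($s.Name)]", "set to $($s.Value)")) {
            if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
            New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
        }
    }
}

function Test-ScriptBlockLogging {
    # Execute a script block carrying a unique marker, then look for it in event 4104 of the
    # PowerShell operational log (the log WEF should forward). Run from a NEW session after
    # enabling: the policy is read when the session starts.
    $marker = "sbl-probe-$([guid]::NewGuid().ToString('N'))"
    $null = [scriptblock]::Create("'$marker'").Invoke()
    Start-Sleep -Seconds 2
    $hits = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                                             StartTime = (Get-Date).AddMinutes(-2) } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$marker*" }
    [bool]$hits
}

Enable-PowerShellLogging -WhatIf
```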
  67. Conclusion
     ● Local Admin in an organization is a risk.
     ● Domain Admin is often not needed in AD.
     ● Domain Admins and all high privileged accounts need to have a separate account.
     ● High privileged accounts should not log into workstations or servers and expose their credentials. Only the DC imo.
     ● Delegating rights is the best solution for giving someone the rights that he/she needs.
     ● Basic pentest techniques like LLMNR Poisoning and Password Spraying still work.
     ● You can’t only rely on prevention; you also need detection.
     ● Periodically check all the permissions on the OUs & GPOs.
     ● Deploy LAPS please.
     ● Start a plan to collect event logs from workstations, servers and Domain Controllers in your SIEM if you haven’t yet.
     ● Attackers love PowerShell, so it’s also good to deploy PowerShell logging (if possible).
  68. Credits to
     ● Sean Metcalf – adsecurity (explained Silver Tickets very well, which made me dive into this technique)
     ● Benjamin Delpy & Vincent Le Toux – authors of Mimikatz
     ● Bankinfosecurity, ZDNet, SCMagazine, Varonis
     ● Microsoft and all the people who share their PS scripts
     ● Pentestlab
     ● US-CERT
     ● Insider Threat Security Blog aka Stealthbits
     ● Google for all those (funny) images
     ● ATT&CK MITRE
     ● And everyone who I forgot.
  69. Questions?