Active Directory Security - AD Attacks & Mitigation
“Active Directory – AD Attacks & Mitigation”
@_HuyKha – Presentation for IT Managers & CIOs to understand attacks on AD
Who am I?
● About me:
● Huy Kha – Information Security @ International Law Firm
● Security wizard with a focus on IT, Security and Privacy
● Interested in topics such as Governance, Risk and Compliance.
● The right hand of the CISO.
What are we going to cover?
● The importance of Active Directory
● Insecure permissions in Active Directory & modern AD attacks
● Basic pentest methods that still work to get Domain Admin
● How to mitigate AD attacks
(1) The importance of Active Directory
● Active Directory is the system that connects all of the individual machines on a network.
● It’s like a central database that manages the computers, applications and services on a network, which can include the finance or HR systems, for example.
● AD is often an early target for attackers preparing the later steps of the (Cyber) Kill Chain: whoever controls AD controls authentication for everything joined to it.
● Compromising AD is like having full access to the crown jewels of the organization.
● The key to the kingdom.
How easy is it to get Domain Admin in a pentest or red team?
(1) DCSync Attack – Retrieve password hashes from the AD database & impersonate users on the domain
● Two replication rights on the domain object, ‘’Replicating Directory Changes’’ and ‘’Replicating Directory Changes All’’, allow the attacker to perform a so-called ‘’DCSync’’ attack.
● DCSync is a method that lets the attacker impersonate a Domain Controller and ask a real DC to replicate the credentials of every user in the domain.
● The DRS protocol (Directory Replication Service, MS-DRSR) is a necessary part of AD that is abused in a DCSync attack. Domain Controllers use DRS to replicate the configuration, schema and domain naming contexts to other DCs.
● The attacker does not need to be on the DC, or run anything on it, to synchronize account credentials from the AD database. Replication rights on the domain are all it takes ;-)
● The attacker can also get every account’s information on the domain, including the username and the password hashes (NTLM hash and Kerberos keys).
(2) DCSync Attack - Information
● Default groups that can perform DCSync:
● Domain Admins
● Enterprise Admins
● Domain Controllers
● (and the built-in Administrators group)
● The impact of DCSync:
● Retrieving the NTLM hashes (and Kerberos keys) of all accounts in the domain
● The attacker can use the obtained NTLM hashes for further actions (Pass the Hash, offline cracking)
● DCSync is a less noisy attack, because it does not require running any malicious code on the DC itself. It is not invisible: the DC logs event 4662 with the replication GUIDs, and a replication request coming from anything that is not a DC is what to alert on.
● Request the account information of the krbtgt account to get its hash or key and create a Golden Ticket for persistence
● DCSync is also possible for non-privileged users that have been granted the following rights on the domain object:
● Replicating Directory Changes
● Replicating Directory Changes All
● Both rights are needed to pull secrets. GenericAll or WriteDacl on the domain object is just as good, because the attacker can grant the rights to himself.
(3) DCSync Attack - Mitigation
● Limit membership of the high privileged AD groups by removing users who don’t need to be in:
● Domain Admins
● Enterprise Admins
● Domain Controllers (only real DCs belong in here)
● Find all non-privileged accounts with DCSync rights on the domain object and take those rights away
● Way too many DAs is the usual finding
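To find the non-default principals that can DCSync, as an added example (not from the original slides): the script reads the ACL of the domain object and reports every trustee that holds both replication rights (or GenericAll, which implies them) and is not one of the groups that has them by default. The replication extended-right GUIDs are the fixed schema values; the list of expected trustees is an assumption you should adjust for your forest (Exchange or Azure AD Connect accounts, for instance).

```powershell
# Added example: who can DCSync this domain? Not from the original slides.
Import-Module ActiveDirectory

# Extended-right GUIDs for the replication control-access rights (fixed schema values)
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Trustees expected to hold these rights (assumption: extend for your environment)
$Expected = 'Domain Controllers', 'Enterprise Domain Controllers', 'Enterprise Read-only Domain Controllers',
            'Administrators', 'Domain Admins', 'Enterprise Admins', 'SYSTEM'

function Get-DcSyncPrincipals {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    $aces = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' } | ForEach-Object {
        $guid = $_.ObjectType.ToString()
        $right = $null
        if (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) { $right = 'GenericAll' }
        elseif ($ReplRights.ContainsKey($guid))                           { $right = $ReplRights[$guid] }
        if ($right) {
            [pscustomobject]@{ Trustee = $_.IdentityReference.Value; Right = $right; Inherited = $_.IsInherited }
        }
    }

    # Secrets need Get-Changes AND Get-Changes-All; GenericAll covers both.
    $aces | Group-Object Trustee | ForEach-Object {
        $rights = @($_.Group.Right | Sort-Object -Unique)
        $short  = $_.Name -replace '^.*\\', ''
        [pscustomobject]@{
            Trustee   = $_.Name
            CanDCSync = ($rights -contains 'GenericAll') -or
                        (($rights -contains 'DS-Replication-Get-Changes') -and ($rights -contains 'DS-Replication-Get-Changes-All'))
            Expected  = $Expected -contains $short
            Rights    = $rights -join ', '
        }
    }
}

# Everything that can DCSync and is not on the expected list is a finding.
Get-DcSyncPrincipals | Where-Object { $_.CanDCSync -and -not $_.Expected } | Format-Table -AutoSize
```

To remove a right you found, fetch the ACL again, call `$acl.RemoveAccessRule($ace)` with the matching rule from `$acl.Access`, and write it back with `Set-Acl -Path "AD:\$DomainDN" -AclObject $acl`; do that for the Get-Changes-All ACE first, because without it the account can no longer read secrets even if plain Get-Changes stays.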
“The art is not about getting Domain Admin, but
finding a way to keep persistence.” - H.K
(1) Golden Ticket - Persistence
● Let’s assume the attacker has obtained AD admin credentials and wants to remain persistent inside the network. All he has to do is DCSync the krbtgt hash and create a Golden Ticket to come back whenever he likes.
● A Golden Ticket gives the attacker unlimited access to the targeted domain. Which means that the attacker has complete access to everything and can swim around the network as any user he wants.
● When a TGT is forged with the hash or key of the krbtgt account, Kerberos will trust the ticket by default, because the KDC cannot tell a forged TGT from one it issued itself, and gives the attacker unlimited access.
● Golden Ticket = Domain Admin (or Enterprise Admin, when the forged ticket carries the Enterprise Admins SID in its SID history)
(2) Golden Ticket - Persistence
● The krbtgt account is like the Queen in chess: the most powerful piece on the board.
● The account has been there since Windows 2000, but we barely know its functionality.
● The key of krbtgt is what the KDC uses to encrypt and sign every TGT it issues. Whoever has that key holds the golden key to the kingdom.
(3) Golden Ticket – Reset the krbtgt password 2x
If an organization has been compromised, it is suggested to reset the password of the krbtgt account twice to remove the persistent access of the intruder: the KDC keeps the current and the previous krbtgt key, so after a single reset a Golden Ticket forged with the old key is still accepted.
In a planned rotation, leave at least the maximum TGT lifetime (10 hours by default) between the two resets so that tickets issued with the old key expire naturally. During an active incident, do the second reset as soon as the first one has replicated, and accept that every user and service has to re-authenticate.
Many organizations have never heard of the krbtgt account and have never reset its password, let alone twice.
(4) Golden Ticket – Mitigation
● Limit who can log on to the DCs. Default domain groups that are allowed to log on to a DC, and are often forgotten, include:
● Print Operators
● Server Operators
● Account Operators and Backup Operators
● Why you need to change the password of krbtgt:
● Removes the persistent access of the intruder by replacing both the current and the previous key
● Makes the Golden Ticket that was previously forged invalid
● Reset the password twice when an AD admin leaves, or do it every 3-6-12 months
● Not sure if Print, Account and Server Operators are really used? Check their membership; these groups are usually empty and should stay that way.
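The check and the double reset described above, as an added example (not from the original slides). `Get-KrbtgtStatus` reports the age of the krbtgt password; `Reset-KrbtgtPassword` sets a random password on the PDC emulator and pushes the change to every other DC with `Sync-ADObject` so the second reset is not done against a DC that still has the old key. The password value itself does not matter, the KDC derives the Kerberos keys from it. The 10-hour wait between resets is the default maximum TGT lifetime; the "never reset" heuristic (password set within minutes of the account's creation) is an assumption.

```powershell
# Added example: krbtgt password age and a replication-aware double reset.
# Not from the original slides.
Import-Module ActiveDirectory

function Get-KrbtgtStatus {
    $k = Get-ADUser krbtgt -Properties PasswordLastSet, whenCreated
    [pscustomobject]@{
        PasswordLastSet = $k.PasswordLastSet
        AgeDays         = [int]((Get-Date) - $k.PasswordLastSet).TotalDays
        # Heuristic (assumption): a password set within 5 minutes of the account's
        # creation means nobody has ever rotated it.
        NeverReset      = $k.PasswordLastSet -le $k.whenCreated.AddMinutes(5)
    }
}

function New-RandomPassword {
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtPassword {
    $domain = Get-ADDomain
    $pdc    = $domain.PDCEmulator
    $krbtgt = Get-ADUser krbtgt -Server $pdc

    Set-ADAccountPassword -Identity $krbtgt -Reset -NewPassword (New-RandomPassword) -Server $pdc

    # Replicate the krbtgt object from the PDC to every other writable DC right away,
    # so the second reset cannot race an unreplicated first one.
    Get-ADDomainController -Filter { IsReadOnly -eq $false } |
        Where-Object { $_.HostName -ne $pdc } |
        ForEach-Object { Sync-ADObject -Object $krbtgt.DistinguishedName -Source $pdc -Destination $_.HostName }

    (Get-ADUser krbtgt -Server $pdc -Properties PasswordLastSet).PasswordLastSet
}

Get-KrbtgtStatus

# Planned rotation: first reset, then wait at least the max TGT lifetime (10 h by
# default) before the second one, otherwise every TGT issued under the old key
# dies at once. During an active incident run the second reset straight after the
# first has replicated and plan for the re-authentication storm.
# Reset-KrbtgtPassword
# Start-Sleep -Seconds (10 * 3600)    # or schedule the second run
# Reset-KrbtgtPassword
```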
(1) Kerberoasting – SPN Bruteforce
● Kerberoasting is an offline brute force attack against the passwords of service accounts that are associated with Kerberos authentication through an SPN.
● A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer.
● A service account is a domain user account that an application or service uses to interact with the operating system. You can recognize it through the SPN set on the account.
● (e.g.) SQL Server, IIS Webserver, File share, SharePoint, Exchange etc.
● Any domain user can request a service ticket (TGS) for any SPN. That ticket is encrypted with the service account’s password hash, so it can be cracked offline without ever touching the service itself.
● Compromising a service account can lead to full access to a SQL server, for example.
(2) Kerberoasting - Mitigation
● Kerberoasting mitigation:
● Service accounts need to have a strong password with a length of 25+ characters
● Make sure that those service account passwords expire and are rotated periodically (3-6-12 months)
● Use Group Managed Service Accounts (gMSA): 240-character passwords that AD rotates automatically every 30 days
● Allow only AES encryption types on service accounts; RC4-encrypted tickets crack much faster
● Why do service accounts need a 25+ character password?
● Every domain user can launch the brute force attack offline, without lockouts and without any event on the service
● If someone is able to crack a service account password, he would be able to create Silver Tickets to get persistent access to that specific service (e.g. SQL Server)
● Service account passwords are barely ever changed in an organization
● How to execute this plan?
● Get a list of all service accounts with an SPN value
● Remove service accounts that are not needed anymore
● Do NOT allow service accounts to have Domain Admin
● Make sure that all service accounts have a 25+ character password to reduce the risk of Kerberoasting
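The inventory step of that plan, as an added example (not from the original slides): every enabled user account with an SPN is listed together with the signals that decide which one to fix first, i.e. membership of Domain Admins, password age, and whether the account still allows RC4 (`msDS-SupportedEncryptionTypes` unset or with the DES/RC4 bits). The 365-day threshold is an assumption.

```powershell
# Added example: list the Kerberoastable accounts and rank them. Not from the original slides.
Import-Module ActiveDirectory

function Get-KerberoastableAccounts {
    param([int]$MaxPasswordAgeDays = 365)   # assumption: tune to your policy

    $domainAdmins = (Get-ADGroupMember 'Domain Admins' -Recursive).DistinguishedName

    # Enabled user objects with at least one SPN (bit 2 of userAccountControl = disabled)
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
               -Properties ServicePrincipalName, PasswordLastSet, AdminCount, msDS-SupportedEncryptionTypes |
      Where-Object { $_.SamAccountName -ne 'krbtgt' } |
      ForEach-Object {
        $enc = [int]$_.'msDS-SupportedEncryptionTypes'
        $age = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
        [pscustomobject]@{
            Account         = $_.SamAccountName
            IsDomainAdmin   = $domainAdmins -contains $_.DistinguishedName
            AdminCount      = $_.AdminCount
            PasswordAgeDays = $age
            PasswordTooOld  = ($age -eq $null) -or ($age -gt $MaxPasswordAgeDays)
            # 0x1 DES-CRC, 0x2 DES-MD5, 0x4 RC4, 0x8 AES128, 0x10 AES256.
            # Unset (0) means the KDC falls back to RC4 for the service ticket.
            AesOnly         = (($enc -band 0x18) -ne 0) -and (($enc -band 0x7) -eq 0)
            SPNs            = $_.ServicePrincipalName -join '; '
        }
      }
}

Get-KerberoastableAccounts |
    Sort-Object IsDomainAdmin, PasswordTooOld, PasswordAgeDays -Descending |
    Format-Table Account, IsDomainAdmin, PasswordAgeDays, AesOnly, SPNs -AutoSize
```

Accounts that come out with `IsDomainAdmin = True` are the ones a red team will crack first: one weak service password there is Domain Admin. For those, move the service to a gMSA or at least set a long random password and `Set-ADUser -KerberosEncryptionType AES128,AES256`.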
(1) Silver Ticket - Explanation
● A Silver Ticket is a forged service ticket (TGS) for a compromised ‘’service’’, for example the SQL server or the CIFS share on a host.
● The key is usually obtained through Kerberoasting: the cracked plain-text password is converted into an NTLM hash (or the hash is dumped directly from the AD database) and used to create the ticket.
● With a Silver Ticket, the attacker has full access to that specific service until the sysadmin decides to change the password of the targeted service account. (Which never happens FYI)
● Scenario when a Silver Ticket can turn into a Golden Ticket:
● Attacker was able to get Domain Admin
● Attacker dumps the entire AD database
● Organization is on fire
● Sysadmin needs to do an AD recovery and change all the passwords of the user and service accounts, including the 2x reset of the krbtgt password
● Attacker still has the NTLM hash of a Domain Controller’s computer account. Usually the ones with a dollar sign at the end (DC01$).
● The impact of a Silver Ticket:
● Attacker has full access to a specific resource, which may contain private information.
● Other scenario: if the attacker compromised the entire domain and still has the hash of one DC computer account, he can create Silver Tickets for that DC’s own services, use them to DCSync the hash of krbtgt, and create a fresh Golden Ticket.
● Hard to detect, because there is no communication between the service and the DC. Event logs won’t be on the DC: the service host sees a logon (4624) for which no DC ever logged a ticket request (4769).
● Computer accounts rotate their password every 30 days by default, so this window closes on its own unless that rotation has been disabled.
(2) Silver Ticket – Exploitation with remote PowerShell
Attacker has obtained the hash of the DC’s computer account in a previous dump and can now start his further attack to get the krbtgt hash back.
Attacker creates a Silver Ticket for the HTTP service of the DC. The HTTP SPN is the one WinRM uses, so it allows the attacker to leverage remote PowerShell.
Attacker uses an exploitation tool to inject the Silver Ticket into memory.
Attacker starts the Enter-PSSession cmdlet and gets an interactive session with a single remote computer (in this case the DC). During the session, the commands that are typed run on the remote computer, just as if you were typing directly on it. Works only if remote PowerShell (WinRM) is enabled on the DC.
● The exploitation tool (mimikatz) is launched on the DC. The hash of krbtgt is extracted and a Golden Ticket can be created!
Disable or restrict the WinRM service to help prevent the use of PowerShell for remote execution, if you don’t need it. Where you do need it, restrict WinRM with the firewall to dedicated management hosts.
(3) Silver Ticket with Service:LDAP = DCSync
● The attacker can create a Silver Ticket for the LDAP service of a DC with that DC’s computer account password hash and leverage it to DCSync, because Domain Controllers hold the replication rights by default.
● LDAP is the client/server protocol used to access and manage directory information.
● SOC/SIEM might struggle to detect this: the forged ticket never passes a KDC, so the only trace is the replication itself (event 4662 on the DC with the DS-Replication-Get-Changes GUIDs, from a source address that is not a DC).
Basic attacks still work
● You should not think about buying fancy IDS systems or having a SOC/SIEM if you don’t have the basics in the right place.
● Most organizations are still getting compromised through:
● LLMNR/NBT-NS Poisoning
● SMB Relay Attacks
● Password Spraying
(1) What is LLMNR & NBT-NS Poisoning?
● LLMNR is a protocol based on the DNS packet format that allows computers to perform name resolution for hosts on the same local network without the need for a centrally coordinating DNS server.
● Let’s say someone tries to reach domain.local, but that name does not exist on the network. The first request goes to the DNS server, and if the DNS server can’t resolve it, the client falls back to LLMNR.
● The LLMNR protocol is used after the request to DNS has failed, and NBT-NS after LLMNR has failed as well.
● NBT-NS (NetBIOS Name Service) provides the same kind of name resolution for NetBIOS names on the local network, by broadcast.
● NetBIOS itself is an API, not a network protocol.
Image is from aptive.co.uk, which explains LLMNR poisoning very well.
(2) – LLMNR Poisoning
● LLMNR poisoning in easy-peasy language
● Bob wants to access a file share on the network, but accidentally types the wrong address. He types fielshare instead of fileshare
● The DNS server responds that the name could not be found
● Since the DNS request was unsuccessful, LLMNR & NBT-NS will broadcast: ‘’WHO IS fielshare?’’
● The evil guy tells Bob that he is fielshare, Bob’s machine authenticates to him, and he captures Bob’s NTLMv2 challenge/response
● The evil guy sends an error back to the client, telling him that it is a wrong share name or something
● And the hash of the user is captured in the box of the attacker
● The attacker will crack the hash(es) offline, or relay them straight away (see SMB Relay), to try to escalate his privileges
(3) Disable LLMNR & NBT-NS for everyone – it’s legacy and insecure
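Disabling both protocols, as an added example (not from the original slides): `Get-NameResolutionStatus` shows whether LLMNR is turned off by policy and which adapters still have NetBIOS over TCP/IP enabled; `Disable-LlmnrAndNetbios` fixes the local machine, and `Set-LlmnrDisabledGpo` creates the same LLMNR policy value in a GPO for the domain (the GPO name is an assumption, and you still link it yourself). The registry value and the WMI method are the documented ones.

```powershell
# Added example: audit and disable LLMNR and NBT-NS. Not from the original slides.

$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-NameResolutionStatus {
    $llmnr = Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    $nics  = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    [pscustomobject]@{
        LlmnrDisabled    = ($llmnr.EnableMulticast -eq 0)
        # TcpipNetbiosOptions: 0 = default from DHCP (usually on), 1 = enabled, 2 = disabled
        NetbiosEnabledOn = @($nics | Where-Object TcpipNetbiosOptions -ne 2 | Select-Object -ExpandProperty Description)
    }
}

function Disable-LlmnrAndNetbios {
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    # EnableMulticast = 0 is the "Turn off multicast name resolution" policy setting
    Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Type DWord -Value 0

    # NetBIOS over TCP/IP is configured per adapter; 2 = disable
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
    }
}

# Domain-wide version of the LLMNR setting (needs the GroupPolicy module, RSAT)
function Set-LlmnrDisabledGpo {
    param([string]$GpoName = 'Disable LLMNR')   # assumed GPO name
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                        -ValueName EnableMulticast -Type DWord -Value 0 | Out-Null
    # Link it to the OUs with your workstations and servers: New-GPLink -Name $GpoName -Target "OU=..."
}

Get-NameResolutionStatus
```

NetBIOS set by DHCP (option 0) still counts as enabled; the WMI call overrides that per adapter, but a new adapter or a re-imaged machine starts at the default again, so keep the check in your compliance scans. Poisoning tools also answer mDNS and WPAD requests, so disable mDNS where your clients support the policy and push an explicit proxy configuration instead of relying on WPAD.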
(1) SMB Relay Attack – What is SMB?
● SMB is a Microsoft client-server communication protocol that is used for sharing access to files, printers, serial ports and other resources on a network.
● SMB enables an application, or the user of that application, to access files on a remote server, as well as other resources, including printers, etc.
● SMB operates on the Application Layer of the OSI model and runs directly over TCP/IP on port 445 (older versions over NetBIOS on port 139).
SMB was invented by IBM and has been around since the mid-eighties.
(2) – SMB Relay Attack
● An SMB Relay Attack allows the attacker to relay an NTLM authentication request to another host and get an authenticated SMB session on that host, but only if the relayed user has access there and network logons are allowed on the target host. If the user has administrator access on the target host, the attacker can execute arbitrary commands.
● Nothing has to be cracked: the attacker forwards the challenge/response while it is still valid. An attacker can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the attacker, or place a specially crafted file in the navigation path of privileged accounts or on a publicly accessible share, to be accessed by the victim.
● Impact of SMB Relay:
● When the user's system accesses the untrusted resource it will attempt authentication and send information including the user's hashed credentials over SMB to the adversary controlled system
● Attackers can try to crack those hash(es) with a brute force attack to get the plain-text password, or relay them straight to another host. (A captured NTLMv2 response cannot be replayed as Pass the Hash; relaying it live is what makes the attack work without cracking.)
ATT&CK - T1187
● “The injected link is used to request an image on a remote server over the SMB protocol, with this trick attackers are able to extract victims’ user IP, username, domain name, and NTLM hash of the user’s password.” - US-CERT has covered this attack
(3) – How to mitigate SMB Relay Attack?
● The reason that SMB Relay Attacks work most of the time is that SMB signing is not required by default. Requiring it could break legacy stuff, so test this first!
● By default, required signing is enabled on domain controllers, but disabled on the other member servers and workstations within the domain.
● The same relay works against any other service that accepts NTLM without signing or channel binding (LDAP, HTTP/EWS, MSSQL), so hardening only SMB moves the problem rather than solving it.
● Network segmentation is an option as well.
● “I can’t turn SMB Signing on, because it would break things”
● If this is the case, you need to rely on detection, which is possible if you are collecting event logs to your SIEM: network logons (4624, type 3) for a user coming from a workstation address instead of his own machine, and NTLM where Kerberos was expected.
● Security update MS17-010 addresses several vulnerabilities in Windows Server Message Block (SMB) v1. The WannaCrypt ransomware exploits one of the vulnerabilities that is part of the MS17-010 update. Computers that do not have MS17-010 installed are at heightened risk because of several strains of malware.
● How to verify if MS17-010 is installed: the KB number differs per OS version, so check whether SMBv1 is disabled instead; if SMBv1 is gone, EternalBlue has nothing to talk to.
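The signing and SMBv1 checks, as an added example (not from the original slides). `Get-SmbHardeningStatus` reads the server-side and client-side signing settings and the SMBv1 state with the built-in SMB cmdlets; `Enable-SmbSigningAndDisableSmb1` enforces them and accepts `-WhatIf` so you can see what would change on a box that still has legacy dependencies.

```powershell
# Added example: SMB signing and SMBv1 state on the local host. Not from the original slides.

function Get-SmbHardeningStatus {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    # DISM feature name on client and server SKUs; on Windows Server you can also use Get-WindowsFeature FS-SMB1
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # "Microsoft network server: Digitally sign communications (always)"
        ServerRequiresSigning = $srv.RequireSecuritySignature
        # "... (if client agrees)"
        ServerOffersSigning   = $srv.EnableSecuritySignature
        # "Microsoft network client: Digitally sign communications (always)"
        ClientRequiresSigning = $cli.RequireSecuritySignature
        Smb1Enabled           = $srv.EnableSMB1Protocol
        Smb1FeatureInstalled  = ($feature.State -eq 'Enabled')
        RelayTarget           = -not $srv.RequireSecuritySignature   # unsigned server = relay target
    }
}

function Enable-SmbSigningAndDisableSmb1 {
    param([switch]$WhatIf)
    # Require signing as server: stops this host from accepting relayed sessions
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force -WhatIf:$WhatIf
    # Require signing as client: stops this host's sessions from being relayed elsewhere
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force -WhatIf:$WhatIf
    # SMBv1 is what MS17-010 / EternalBlue targets; removing it beats only patching it
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -WhatIf:$WhatIf
}

Get-SmbHardeningStatus
```

Run the status function across your servers (`Invoke-Command -ComputerName ... -ScriptBlock ${function:Get-SmbHardeningStatus}`) before enforcing anything: the hosts where `RelayTarget` is true and an admin logs on interactively are the ones a relay turns into code execution.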
(2) – What is Password Spraying and what to do about it?
● Password spraying is an attack that feeds a large number of usernames into a program that loops through those usernames and tries one, or a small number of, passwords against every account. Like Spring2018 for example. One attempt per account stays under the lockout threshold, so lockout alone does not stop it.
● The default password policy is not ‘’secure’’
● Use strong passwords with different characters etc.
● Use at least 14 characters (Microsoft advice)
● Account lockout threshold: 1-4, maybe 5. Keep in mind that a very low threshold lets an attacker lock out every user on purpose, so pair it with a lockout observation window long enough that a slow spray still trips it.
● Changing passwords every 3 months is a pain, and it makes your users’ passwords weaker. Consider doing it every half year or year, but force them to use a strong password, and ban the obvious ones (season + year, company name).
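Detecting a spray from the DC security log, as an added example (not from the original slides): failed NTLM logons (4625) and Kerberos pre-authentication failures (4771) are grouped by source address, and a source that fails against many different accounts inside a short window is reported. The window (10 minutes) and the threshold (20 distinct users) are assumptions to tune per environment; the event field names come from the event XML. The policy query at the end shows the settings that decide how easy a spray is.

```powershell
# Added example: password-spray detection from 4625/4771 plus the policy that matters.
# Not from the original slides.
Import-Module ActiveDirectory

function Get-PasswordSprayCandidates {
    param(
        [int]$Minutes = 10,            # assumption: sliding window
        [int]$MinDistinctUsers = 20,   # assumption: distinct accounts from one source
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    # 4625 = logon failure (NTLM/interactive), 4771 = Kerberos pre-auth failed. 4776 has no IP, so it is left out.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771; StartTime = $Since } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            User   = $data['TargetUserName']
            Source = ($data['IpAddress'] -replace '^::ffff:', '')
        }
    }

    $rows | Where-Object { $_.Source -and $_.Source -ne '-' } | Group-Object Source | ForEach-Object {
        $source = $_.Name
        $g = @($_.Group | Sort-Object Time)
        foreach ($start in $g) {
            $end    = $start.Time.AddMinutes($Minutes)
            $window = @($g | Where-Object { $_.Time -ge $start.Time -and $_.Time -lt $end })
            $users  = @($window.User | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers) {
                [pscustomobject]@{ Source = $source; WindowStart = $start.Time; DistinctUsers = $users.Count; Attempts = $window.Count }
                break   # one hit per source is enough for triage
            }
        }
    }
}

# Short minimum length, no lockout, or a tiny observation window is what makes a spray cheap.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutObservationWindow, LockoutDuration

Get-PasswordSprayCandidates | Format-Table -AutoSize
```

A legitimate source that trips this is usually a proxy, a VPN concentrator or a misconfigured application with a stale credential; whitelist those addresses rather than raising the threshold, because a real spray from inside the network comes from exactly one compromised workstation.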
Disable WDigest – Exposes plain-text passwords in memory
● WDigest is an SSO mechanism for Windows that was developed by Microsoft in 2003, mainly for Windows XP and HTTP/LDAP digest authentication
● Due to its design it is required to store plain-text passwords in LSASS memory, which is exactly what mimikatz reads out
● Disable WDigest if you haven’t yet (UseLogonCredential = 0; it is off by default since Windows 8.1 / Server 2012 R2, and on older systems after KB2871997), and alert when someone turns it back on.
What tools are used in Cyber attacks?
● Mimikatz is mainly used by attackers to collect the credentials of other users who are logged into a targeted Windows machine. It does this by accessing the credentials in memory within a Windows process called Local Security Authority Subsystem Service (LSASS).
● These credentials, either in plain text or in hashed form, can be reused to give access to other machines on the network.
● Since Mimikatz can only capture the accounts of those users logged into a compromised machine, privileged users (e.g., domain administrators) should avoid logging into machines with their privileged credentials.
● It’s not only a credential stealer, but also a tool that can be used for post-exploitation (DCSync, Golden and Silver Tickets, Pass the Hash).
Credentials in LSASS
● Once an attacker has gained local administrator privileges on a host, Mimikatz provides the ability to obtain the hashes and clear-text credentials of other users, enabling the attacker to escalate privileges within a domain and perform many other post-exploitation and lateral movement activities.
Local Admin is one of your biggest risks.
Protect Rights & Permissions – Limit Local Admin
● Local Admins can perform any action on their own machine, including reading LSASS memory.
● The problem with ‘’Local Admin’’ is usually legacy.
● A lot of organizations are still running outdated OS versions etc., and old software requires ‘’Local Admin’’ to be able to run.
● ‘’We always had Local Admin, so why remove it?’’
● Impact of Local Admin rights:
● Install their own backdoor
● Remove security patches
● Change configuration settings (e.g. enabling WDigest or removing LSA protection)
● Turn off services
● Dump the credentials of everyone else who logged on to that machine
Protect Rights & Permissions – Find all Local Admins
● Make sure that you are ‘’in control’’ of who has Local Admin rights
● Remove Local Admin rights from users that really don’t need them. People from HR are the usual example.
● Get support from the management to cut through the bullshit that people use as an excuse to have Local Admin rights.
● A PowerShell script can be used to find all Local Admins in your environment.
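Such a script, as an added example (not from the original slides): it asks every enabled Windows computer in AD for the members of its local Administrators group over WinRM, using the well-known SID S-1-5-32-544 so that localized group names do not matter, and then summarizes which principals show up where. It assumes WinRM is reachable and that you run it as an account that can read local groups on the targets; unreachable hosts are skipped silently, so compare the number of answers with the number of computers.

```powershell
# Added example: inventory of local Administrators across the domain. Not from the original slides.
Import-Module ActiveDirectory

function Get-LocalAdminInventory {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Enabled Windows computers (bit 2 of userAccountControl = disabled)
    $computers = (Get-ADComputer -SearchBase $SearchBase `
                    -LDAPFilter '(&(operatingSystem=*Windows*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))').DNSHostName

    Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
        # Get-LocalGroupMember needs WMF 5.1; S-1-5-32-544 is Administrators in every language
        Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $_.Name
                Type     = $_.ObjectClass
                Source   = $_.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount
            }
        }
    } | Select-Object Computer, Member, Type, Source
}

function Get-UnexpectedLocalAdmins {
    param([object[]]$Inventory)
    # Expected on every workstation: the built-in Administrator (LAPS-managed) and Domain Admins.
    # Assumption: adjust the pattern to your own admin tier groups.
    $Inventory | Where-Object { $_.Member -notmatch '\\(Administrator|Domain Admins)$' } |
        Group-Object Member | Sort-Object Count -Descending |
        Select-Object @{ n = 'Member'; e = { $_.Name } }, Count,
                      @{ n = 'Computers'; e = { ($_.Group.Computer | Sort-Object -Unique) -join ', ' } }
}

$inventory = Get-LocalAdminInventory
"$(@($inventory.Computer | Sort-Object -Unique).Count) computers answered"
Get-UnexpectedLocalAdmins -Inventory $inventory | Format-Table -AutoSize
```

Pay attention to `Type = Group` entries with `Source = ActiveDirectory`: a domain group such as "Domain Users" or a sprawling "IT" group in the local Administrators is the finding that matters most, because one membership change grants admin on every machine where it appears.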
Protect Rights & Permissions – Limit Domain Admins
● Find all Domain Admins and start to discuss if they really need DA rights. (Most of the time, not)
● There are cases where I’ve seen that Help desk employees had Domain Admin.
● Their only task was to add a new workstation to the domain and to reset passwords
● The best solution for this was to give those Help desk employees ‘’delegated rights’’ so they could perform their daily duties, instead of having wide permissions.
● Delegation of Control Wizard
Commands to find the members, including nested groups, of the three most sensitive groups:
Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object Name, SamAccountName, ObjectClass
Get-ADGroupMember 'Enterprise Admins' -Recursive | Select-Object Name, SamAccountName, ObjectClass
Get-ADGroupMember 'Schema Admins' -Recursive | Select-Object Name, SamAccountName, ObjectClass
Protect Rights & Permissions – Delegation of Control instead of random DA rights.
Protect Rights & Permissions – Try to avoid giving DA, because most of the time it is not needed.
● Best solution: Delegation of Control
● Instead of giving Domain Admin rights, ask what their daily tasks are and what they need to perform their duties.
● Start a plan with the CISO, CIO & IT managers to delegate rights for your 100 Domain Admins. 95 of them don’t need DA.
● Helpdesk, sysadmins, technical support, etc. do not need to have Domain Admin, but they should have delegated rights.
● Create different groups like Helpdesk, Sysadmins, Support etc. Add users to the group they belong to, and delegate the rights to that group instead of giving DA.
● Same goes for vendors, don’t give them DA.
Protect Rights & Permissions – Common excuses
● “Helpdesk employee only needs to add a workstation to the domain and reset someone’s password” - DOES NOT NEED DOMAIN ADMIN
● “Support guy needs to add someone to an OU (department) and modify or give permission to the AD groups that he needs” - DOES NOT NEED DOMAIN ADMIN
● “Random guy in your organization needs to create, delete and manage users.” - DOES NOT NEED DOMAIN ADMIN
● “Vendor is asking for random Domain Admin rights.” - SAY NO!
● Delegation of Control Wizard FTW!!!
Impact: Domain Admin gets compromised = Organization on fire ;-)
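What the Delegation of Control Wizard does for the helpdesk case, done in code so it can be reviewed and repeated, as an added example (not from the original slides): the function grants a group the "Reset Password" extended right plus write access to `lockoutTime` (unlock) and `pwdLastSet` ("must change password at next logon") on user objects below one OU, and nothing else. The GUIDs are looked up from the schema and the Extended-Rights container at run time rather than hard-coded. The group name `Helpdesk` and the OU path are assumptions.

```powershell
# Added example: delegate password reset + unlock on one OU instead of handing out DA.
# Not from the original slides.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # schemaIDGUID of an attribute or class, by its LDAP display name
    param([string]$LdapDisplayName)
    $schema = (Get-ADRootDSE).SchemaNamingContext
    [guid](Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID).schemaIDGUID
}

function Get-ExtendedRightGuid {
    # rightsGuid of a control-access right, by its display name
    param([string]$DisplayName)
    $config = (Get-ADRootDSE).ConfigurationNamingContext
    [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$config" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid).rightsGuid
}

function Grant-HelpdeskPasswordReset {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$TargetOU
    )
    $sid       = (Get-ADGroup $GroupName).SID
    $userClass = Get-SchemaGuid 'user'
    $resetPwd  = Get-ExtendedRightGuid 'Reset Password'
    $lockout   = Get-SchemaGuid 'lockoutTime'
    $pwdLast   = Get-SchemaGuid 'pwdLastSet'

    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # child objects only
    $ext     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rw      = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $acl = Get-Acl -Path "AD:\$TargetOU"
    # (trustee, rights, allow/deny, object type, inheritance, inherited object class)
    foreach ($rule in @(
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $ext, $allow, $resetPwd, $inherit, $userClass),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rw,  $allow, $lockout,  $inherit, $userClass),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rw,  $allow, $pwdLast,  $inherit, $userClass)
    )) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
}

function Get-DelegatedRights {
    param([string]$TargetOU, [string]$GroupName)
    (Get-Acl -Path "AD:\$TargetOU").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# Assumed group and OU
Grant-HelpdeskPasswordReset -GroupName 'Helpdesk' -TargetOU 'OU=Users,OU=Corp,DC=corp,DC=local'
Get-DelegatedRights -TargetOU 'OU=Users,OU=Corp,DC=corp,DC=local' -GroupName 'Helpdesk'
```

Scope the OU so that no admin accounts live under it: a helpdesk that can reset the password of a Domain Admin account is a Domain Admin. Protected accounts (AdminCount = 1) get their ACL overwritten from AdminSDHolder anyway, which is the safety net, but keep the tiers physically separate in the OU tree.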
Protect Rights & Permissions – Check OU & GPO permissions
● Check all OU permissions periodically to see if someone added himself, for example on the AdminSDHolder object (its ACL is copied onto every protected account every 60 minutes), or granted a random user permissions that weren’t allowed.
● A PowerShell script can do this for you.
● Check all GPO permissions periodically. Are there any (inactive) users that have edit rights on GPOs they weren’t supposed to have? Edit rights on a GPO linked to the Domain Controllers OU are Domain Admin in disguise.
● Delegate GPO permissions. Don’t give them more rights than they need.
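The periodic check, as an added example (not from the original slides): `Get-SuspiciousAdAcl` walks every OU plus the AdminSDHolder object and reports explicit (non-inherited) allow ACEs that grant write-class rights to a trustee outside a known-good list; `Get-GpoEditors` lists who can edit each GPO. The trusted-trustee pattern is an assumption to extend with your own admin groups and service accounts (Exchange, SCCM, Azure AD Connect).

```powershell
# Added example: OU / AdminSDHolder / GPO permission review. Not from the original slides.
Import-Module ActiveDirectory, GroupPolicy

# Rights that let the holder change the object or its security (regex over the enum names)
$DangerousRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild|DeleteChild|Delete|ExtendedRight'
# Trustees that are expected to have such rights (assumption: extend for your environment)
$TrustedTrustee  = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.*\\(Domain Admins|Enterprise Admins|Domain Controllers|Enterprise Domain Controllers|Administrators))$'

function Get-SuspiciousAdAcl {
    $domainDN = (Get-ADDomain).DistinguishedName
    $targets  = @("CN=AdminSDHolder,CN=System,$domainDN") + (Get-ADOrganizationalUnit -Filter *).DistinguishedName
    foreach ($dn in $targets) {
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
                           $_.IdentityReference.Value -notmatch $TrustedTrustee -and
                           $_.ActiveDirectoryRights.ToString() -match $DangerousRights } |
            ForEach-Object {
                [pscustomobject]@{
                    Object     = $dn
                    Trustee    = $_.IdentityReference.Value
                    Rights     = $_.ActiveDirectoryRights
                    ObjectType = $_.ObjectType   # empty GUID = applies to the whole object
                }
            }
    }
}

function Get-GpoEditors {
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' -and
                           $_.Trustee.Name -notin 'Domain Admins', 'Enterprise Admins', 'SYSTEM' } |
            ForEach-Object {
                [pscustomobject]@{
                    GPO        = $gpo.DisplayName
                    Trustee    = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
                    Permission = $_.Permission
                }
            }
    }
}

Get-SuspiciousAdAcl | Format-Table -AutoSize
Get-GpoEditors      | Format-Table -AutoSize
```

Run it from a scheduled task and diff the output against last week's: the value is in the delta, not in the first (long) list. A new explicit ACE on AdminSDHolder for an unknown trustee is an incident, not a finding.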
Protect Rights & Permissions – User Rights Assignment
● User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain.
● Best practices for User Rights Assignment: on DCs, restrict ‘’Allow log on locally’’, ‘’Allow log on through Remote Desktop Services’’ and ‘’Access this computer from the network’’ to your admin groups; on workstations and member servers, add Domain Admins to the matching ‘’Deny’’ rights so their credentials can never land on a lower-tier machine.
Protect Credentials – Protected Users Group
● Protected Users is a global security group and its primary function is to prevent users’ credentials from being abused on the devices where they log in.
● READ ME FIRST:
● Add (only) high privileged accounts, Domain Admins for example, to this group, but test it first. Don’t randomly add all the DAs to the group. Step by step first! Service accounts and computer accounts never belong in it.
Members of the Protected Users group can no longer use:
● Default credential delegation (CredSSP) - plaintext credentials are not cached even when the Allow delegating default credentials policy is enabled
● Windows Digest - plaintext credentials are not cached even when it is enabled
● NTLM - the NTOWF (NT hash) is not cached
● Kerberos long term keys - the Kerberos ticket-granting ticket (TGT) is acquired at logon and cannot be re-acquired automatically
● Sign-on offline - the cached logon verifier is not created
On the domain side, members can only authenticate with Kerberos using AES, cannot be delegated, and get a 4-hour non-renewable TGT.
More info?: See the Microsoft page on Protected Users
Protect Credentials – Account is sensitive and cannot be delegated
● “Account is sensitive and cannot be delegated” ensures that an account’s credentials cannot be forwarded to other computers or services on the network by a trusted application.
● If the checkbox is ✓ then its credentials cannot be re-used by a trusted service
● Make sure that your high privileged accounts have this checkbox on
● If a trusted computer is compromised, the trusted application could act on behalf of any user that has presented itself to the service to perform malicious activity. This is exactly what unconstrained delegation abuse does: a DA who touches a host with unconstrained delegation leaves a forwardable TGT there for the attacker to reuse.
● It’s described much better in the Microsoft documentation on Kerberos delegation.
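An audit that covers both this checkbox and the Protected Users group from the previous section, as an added example (not from the original slides): every user in the high-privilege groups is reported with its Protected Users membership, the `AccountNotDelegated` flag, whether it is itself trusted for delegation, and whether it carries an SPN (an account with an SPN is a service account and would break inside Protected Users). The delegation flag is then set everywhere it is missing; adding to Protected Users stays commented out on purpose so it is done per account after testing.

```powershell
# Added example: privileged-account hardening audit. Not from the original slides.
Import-Module ActiveDirectory

function Get-PrivilegedAccountHardening {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))

    $protected = @((Get-ADGroupMember 'Protected Users' -Recursive -ErrorAction SilentlyContinue).DistinguishedName)

    $Groups | ForEach-Object { Get-ADGroupMember $_ -Recursive } |
        Where-Object objectClass -eq 'user' |
        Sort-Object DistinguishedName -Unique |
        ForEach-Object {
            $u = Get-ADUser $_.DistinguishedName -Properties AccountNotDelegated, TrustedForDelegation, ServicePrincipalName, PasswordLastSet
            [pscustomobject]@{
                Account              = $u.SamAccountName
                InProtectedUsers     = $protected -contains $u.DistinguishedName
                AccountNotDelegated  = $u.AccountNotDelegated    # the "sensitive" checkbox
                TrustedForDelegation = $u.TrustedForDelegation   # should be false for a user
                HasSpn               = [bool]$u.ServicePrincipalName
                PasswordAgeDays      = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
            }
        }
}

$report = Get-PrivilegedAccountHardening
$report | Format-Table -AutoSize

# Safe to apply broadly: the flag only matters when the account is used through a delegating service.
$report | Where-Object { -not $_.AccountNotDelegated } |
    ForEach-Object { Set-ADAccountControl -Identity $_.Account -AccountNotDelegated $true }

# Protected Users: never service accounts (SPN), and keep one break-glass admin out of the
# group so you can still log on if Kerberos/AES is broken somewhere. Add the rest one by one.
# $report | Where-Object { -not $_.InProtectedUsers -and -not $_.HasSpn -and $_.Account -ne 'Administrator' } |
#     ForEach-Object { Add-ADGroupMember -Identity 'Protected Users' -Members $_.Account }
```

`TrustedForDelegation = True` on a user account in this list means a privileged account is itself configured for unconstrained delegation, which is worse than a missing checkbox and should be removed first.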
Protect Credentials – Restricted Admin Mode → why
● Restricted Admin Mode was developed by Microsoft to help protect administrator accounts by ensuring that reusable credentials are not stored in the memory of the remote devices they connect to. The purpose of this feature is to reduce the chance that your account gets compromised.
● Restricted Admin Mode changes the Remote Desktop protocol so it uses a network logon rather than an interactive logon for authentication.
● Without it: Bob the Domain Admin logs in with RDP into a workstation
● The workstation gets compromised and the attacker runs mimikatz
● The attacker retrieves the local user’s credentials, but also the creds of Bob that are sitting in memory.
● Trade-off: because it is a network logon, Restricted Admin also lets an attacker who only has Bob’s NTLM hash RDP to that host (Pass the Hash over RDP), so combine it with LAPS and tiered admin accounts instead of treating it as a silver bullet.
Protect Credentials – Restricted Admin Mode → how
● By default Restricted Admin Mode is not enabled, but if you want to enable it:
● Create a registry value on the destination host: REG_DWORD DisableRestrictedAdmin with the value set to 0, and connect with mstsc /restrictedAdmin
● Test plan
● First enable RDP Restricted Admin mode on workstations
● Second, enable it on DCs and servers.
● Don’t force RDP Restricted Admin mode yet, but let your employees get the ‘’feeling’’ of using it and know what the risks are!
All destination systems must have Restricted Admin mode enabled or the Remote Desktop connection request will fail.
Protect Credentials – LAPS
● Local Administrator Password Solution (LAPS) is a Microsoft product that manages the local administrator password of each domain-joined computer and stores it in Active Directory.
● LAPS automatically sets a random password for the built-in local administrator account on every managed computer in the domain and rotates it on a schedule (30 days by default).
● Why do you need LAPS?
● Built-in local administrator accounts are very often configured with the same password across all workstations in a corporate environment, which makes it easy for attackers to compromise every workstation on the domain by just compromising one.
Download LAPS and use it if you haven’t yet (newer Windows builds ship Windows LAPS natively).
The default local Administrator account is a user account for the system administrator.
It is stored in the local SAM and it’s the first thing attackers will go after. By default the password for the built-in local admin account is the same across the network, which is why Pass the Hash works so well between workstations.
Use LAPS to make sure that those passwords are different on each device, and restrict who can read the stored passwords in AD: that read right is itself local admin everywhere.
Protect Credentials – Please use LAPS
● Download LAPS from the Microsoft Download Center.
Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled.
● Most pentesters use the Pass the Hash technique to move through an environment, because no one changes the local administrator account password.
● Use LAPS to mitigate this risk
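Two checks to run once LAPS is deployed, as an added example (not from the original slides): `Get-LapsCoverage` lists every enabled Windows computer and whether it has an `ms-Mcs-AdmPwdExpirationTime` (the legacy LAPS schema attribute; Windows LAPS uses `msLAPS-PasswordExpirationTime` instead), flagging machines that are unmanaged or whose client has stopped rotating; `Get-LapsPasswordReaders` shows which trustees can read the password attribute below an OU, because `ms-Mcs-AdmPwd` is a confidential attribute that needs the control-access (extended) right, not plain read. The OU path is an assumption.

```powershell
# Added example: LAPS coverage and who can read the passwords. Not from the original slides.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    $nowFileTime = (Get-Date).ToFileTimeUtc()
    Get-ADComputer -LDAPFilter '(&(operatingSystem=*Windows*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
                   -Properties ms-Mcs-AdmPwdExpirationTime, OperatingSystem |
      ForEach-Object {
        $exp = $_.'ms-Mcs-AdmPwdExpirationTime'    # FILETIME (Int64) written by the LAPS client
        [pscustomobject]@{
            Computer    = $_.Name
            OS          = $_.OperatingSystem
            LapsManaged = [bool]$exp
            # expiration in the past = the client has not rotated on schedule (agent missing/broken)
            Expired     = [bool]$exp -and ([int64]$exp -lt $nowFileTime)
        }
      }
}

function Get-LapsPasswordReaders {
    param([Parameter(Mandatory)][string]$OU)
    $schema   = (Get-ADRootDSE).SchemaNamingContext
    $attrGuid = [guid](Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID).schemaIDGUID
    (Get-Acl -Path "AD:\$OU").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            # control-access right on the attribute itself
            ($_.ObjectType -eq $attrGuid -and $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll') -or
            # "all extended rights" / full control on the whole object also reads it
            ($_.ObjectType -eq [guid]::Empty -and $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll')
        )
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

$coverage = Get-LapsCoverage
$coverage | Group-Object LapsManaged | Select-Object @{ n = 'LapsManaged'; e = { $_.Name } }, Count
$coverage | Where-Object { -not $_.LapsManaged -or $_.Expired } | Format-Table -AutoSize

# Assumed OU; repeat for every OU that holds computers
Get-LapsPasswordReaders -OU 'OU=Workstations,DC=corp,DC=local' | Format-Table -AutoSize
```

The reader list usually contains more than Domain Admins: groups that were once given full control of a computer OU inherit the right without anyone having decided that. Each of them is, in effect, local admin on every machine below that OU.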
(Optional) -> Protect Credentials – Credential Guard
● Microsoft Windows Defender Credential Guard is a security feature that isolates users’ login secrets from the rest of the operating system to prevent theft.
● Best way to prevent mimikatz from reading secrets out of LSASS.
● Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Only works on Windows 10 (Enterprise/Education) and Windows Server 2016 and later, and needs UEFI, Secure Boot and hardware virtualization support.
● If you can enable it, go for it.
● See the Microsoft documentation for more information.
Protect Credentials – LSA Protection
● LSA Protection (running LSASS as a Protected Process Light) prevents an attacker from opening and injecting code into the LSASS process from user mode. It can be bypassed, for example by an attacker with admin rights who loads a signed driver (mimikatz ships one) or who flips the registry value back and waits for a reboot. Nevertheless it’s still a good choice to enable it, because the attacker has to take more steps, and each of them is loud: driver loads and changes to this registry value are things you can alert on.
● REG_DWORD = RunAsPPL
● Value = 00000001
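One script that audits and sets the host-side credential protections from the WDigest, Restricted Admin, Credential Guard and LSA Protection sections, as an added example (not from the original slides). The registry paths are the documented ones for these values; Credential Guard can only be read here (it is enabled through firmware prerequisites and GPO), and `RunAsPPL` takes effect after a reboot. Run the status function through `Invoke-Command` to compare a fleet.

```powershell
# Added example: credential-protection settings audit and remediation. Not from the original slides.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name   # $null if absent
}

function Get-CredentialProtectionStatus {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $wdigest = Get-RegValue $WDigestKey 'UseLogonCredential'
    $ppl     = Get-RegValue $LsaKey 'RunAsPPL'
    $ra      = Get-RegValue $LsaKey 'DisableRestrictedAdmin'
    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        # 1 = plaintext cached in LSASS. Absent means the OS default: on for 2008 R2/2012 (pre-KB2871997), off from 8.1/2012 R2 on.
        WDigestUseLogonCredential = $wdigest
        WDigestSafe              = ($wdigest -eq 0)
        # 1 = LSASS runs as PPL (after reboot)
        LsaRunAsPPL              = $ppl
        # 0 = Restricted Admin RDP accepted on this host; absent or 1 = not available
        RestrictedAdminEnabled   = ($ra -eq 0)
        # SecurityServicesRunning contains 1 when Credential Guard is running, 2 for HVCI
        CredentialGuardRunning   = ($dg.SecurityServicesRunning -contains 1)
    }
}

function Set-CredentialProtection {
    param([switch]$EnableRestrictedAdmin)
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Type DWord -Value 0

    # LSA Protection; an attacker with admin rights will try to set this back to 0, so monitor the value
    Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Type DWord -Value 1

    if ($EnableRestrictedAdmin) {
        Set-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -Type DWord -Value 0
    }
}

Get-CredentialProtectionStatus
```

A host that reports `WDigestSafe = False` with the value explicitly set to 1 on a current OS is worth a closer look before you fix it: nobody sets that by accident, and it is a favourite first move after an attacker gets local admin.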
AD Security Logging – Event logs
● Start forwarding Windows Event logs to your SOC/SIEM. Most companies still don’t.
● Make sure that you have visibility into all of the activities happening in AD.
● Large enterprises usually have a lot of IT employees who are making tons of changes in Active Directory every day. You clearly need to be sure that there are no bad guys among them, right?
● If you don’t monitor all the activities in Active Directory, you will have a hard time finding the intruder.
● Event logs from workstations, servers and domain controllers should be collected in the SIEM.
AD Security Logging – Example
● Event: 1102 - “The audit log was cleared”
● This is a sign of malicious behavior: someone is trying to cover his tracks. With central collection, clearing the local log no longer helps him.
● Without visibility in your environment it is hard to discover the intruder
● Most attacks start on the workstation via a spear-phishing attack.
● Collecting event logs from workstations should be a crucial part of your monitoring.
PowerShell logs are important as well
● Attackers love PowerShell
● A lot of (hacker) tools are based on PowerShell
● Collecting PowerShell logs can help organizations identify the steps that the intruder is taking.
● In Active Directory it is possible to create a GPO to log the PowerShell activities of users (Script Block Logging, event 4104, and Module Logging, event 4103).
● Deploy PowerShell logging with WEF (Windows Event Forwarding) and forward it to your SOC/SIEM
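The GPO and a first use of the data, as an added example (not from the original slides): `Enable-PowerShellLoggingGpo` writes the Script Block Logging and Module Logging policy values into a GPO (name assumed; link it yourself), and `Get-SuspiciousPowerShellAndLogClears` pulls the two events the slides call out from a host: 1102 from the Security log and 4104 script blocks from the PowerShell operational log whose text matches a small keyword list. The keywords are an assumption; the registry paths are the documented policy locations and `ScriptBlockText` is the third property of a 4104 event.

```powershell
# Added example: enable PowerShell logging by GPO and query 1102 / 4104. Not from the original slides.
Import-Module GroupPolicy

function Enable-PowerShellLoggingGpo {
    param([string]$GpoName = 'PowerShell Logging')   # assumed GPO name
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
    $base = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    # Script Block Logging -> event 4104 in Microsoft-Windows-PowerShell/Operational
    Set-GPRegistryValue -Name $GpoName -Key "$base\ScriptBlockLogging" -ValueName EnableScriptBlockLogging -Type DWord -Value 1 | Out-Null
    # Module Logging for every module -> event 4103
    Set-GPRegistryValue -Name $GpoName -Key "$base\ModuleLogging" -ValueName EnableModuleLogging -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$base\ModuleLogging\ModuleNames" -ValueName '*' -Type String -Value '*' | Out-Null
    # Link it: New-GPLink -Name $GpoName -Target "OU=Workstations,DC=..."
}

function Get-SuspiciousPowerShellAndLogClears {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        # assumption: extend with your own indicators
        [string[]]$Keywords = @('mimikatz', 'sekurlsa', 'lsadump', 'Invoke-Mimikatz', 'DCSync', 'kerberoast', 'FromBase64String', 'Invoke-Expression')
    )
    $pattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

    $clears = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Type = 'AuditLogCleared'; Detail = ($_.Message -split "`n")[0] }
        }

    $blocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value      # ScriptBlockText
            if ($text -match $pattern) {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Type   = 'ScriptBlock'
                    Detail = $text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' '
                }
            }
        }

    @($clears) + @($blocks) | Sort-Object Time
}

Get-SuspiciousPowerShellAndLogClears | Format-Table -AutoSize -Wrap
```

Keyword matching on 4104 is a starting point, not a detection strategy; attackers obfuscate. The durable signal is volume and origin: script blocks on hosts and from users that never run PowerShell, and a 1102 anywhere that is not a documented log rotation.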
● Local Admin in an organization is a risk.
● Domain Admin is often not needed in AD.
● Domain Admins and all high privileged users need a separate admin account.
● High privileged accounts should not log into workstations or servers and expose their credentials. Only the DC imo.
● Delegated rights are the best solution for giving someone the rights that he/she needs.
● Basic pentest techniques like LLMNR poisoning and password spraying still work.
● You can’t only rely on prevention, you also need detection.
● Check all the permissions on OUs & GPOs periodically.
● Deploy LAPS please
● Start a plan to collect event logs from workstations, servers and Domain Controllers in your SIEM if you haven’t yet.
● Attackers love PowerShell, so it’s also good to deploy PowerShell logging (if possible)
● Sean Metcalf – adsecurity (explained Silver Tickets very well, which made me dive into this technique)
● Benjamin Delpy & Vincent Le Toux – authors of Mimikatz
● Bankinfosecurity, ZDNet, SCMagazine, Varonis
● Microsoft and all the people who share their PS scripts
● Insider Threat Security Blog aka Stealthbits
● Google for all those (funny) images
● MITRE ATT&CK
● And everyone I forgot.