SlideShare a Scribd company logo

Forging Trusts for Deception in Active Directory

Download as PPTX, PDF
Nikhil Mittal
Nikhil Mittal

The talk I gave at BruCON 2018 on using decoy objects for deception in Active Directory.

Technology
1 of 36
Forging Trusts for Deception in Active Directory Nikhil Mittal
About Me • Hacker, Red Teamer, Trainer, Speaker at PentesterAcademy • Twitter - @nikhil_mitt • Blog – https://labofapenetrationtester.com • Github - https://github.com/samratashok/ • Creator of Kautilya and Nishang • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Previous Talks and/or Trainings − DefCon, BlackHat, CanSecWest, BruCON, 44CON and more. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 2
"Never attempt to win by force what can be won by deception. " - Niccolo Machiavelli* Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 3 Nikhil is the brightest scholar I have ever read - Niccolo Machiavelli*
Deception • Deception targets with psychology of an adversary. • Adversaries have been using deception for a long time: − Crafted emails tricking users to open attachments and ignoring warnings. − Phishing pages mimicking actual login pages. − Using credentials of legit users to access critical information. − Human Interface Devices disguised as thumb drives or other USB devices. • Defenders and Blue Teams have used: − Honeypots/HoneyTokens/HoneyCreds Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 4
Deception - Attacker Psychology • Attackers have illusory superiority over defenders - a mental state where they think of defenders as idiots who cannot take care of their own backyard. • Couple this with the long preached technique of "go for the lowest hanging fruit" and the urge to get Domain Admin privileges as quickly as possible and the defenders have it all set for deploying deception. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 5 Source: https://80000hours.org/2012/11/do-you-think-you-re- better-than-average/
Deception in Active Directory • In AD, adversaries mostly implement deception by pivoting and replaying credentials so as to appear legit in logs etc. • Defenders, try to counter this by injecting fake or decoy credentials which when used, result in alerts. • But, this is where deception in AD is mostly limited to. What if we want to catch an adversary before they use credentials? - We must target the enumeration phase of an attack! • We will also look at some techniques which can be used in the both the enumeration and lateral movement or post exploitation phase of an attack. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 6 Recon Exploitation / Foothold
Deception in Active Directory • Desired properties for a decoy: 1. Should be desirable enough so that an attacker enumerates the object. 2. Should be easily configurable. 3. No configuration changes required on endpoints. 4. Should not be triggered for normal admin activity. • Point 4 above is the hardest part. We must look for such an attribute for each type of objet which is not read by-default in system activity and possibly not by normal administrator enumeration like listing objects. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 7
Deception in Active Directory - Enumeration • We can trick an adversary to enumerate decoy AD objects like users, groups, OUs and computers which have aggressive logging turned on. • This not only increases the costs to an adversary in terms of time, it also increases detection rates. • We can use built-in tools like Group Policy, Windows Event Logging and PowerShell AD module to set it up. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 8
Deception in Active Directory - Enumeration - User Objects • Some of the attributes of a user object that are interesting for an adversary: − Password does not expire − Trusted for Delegation − Users with SPN − Password in description − Users who are members of high privilege groups − Users with ACL rights over other users, groups or containers Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 9
Deception in Active Directory - Enumeration - User Objects • We can turn on Audit for Directory Service Access using Group Policy: Windows Settings -> Security Settings - > Advanced Audit Policy Configuration -> DS Access - Audit Directory Service Access. • This setting generates a 4662 for every access to the object which has auditing turned on whenever the object is accessed. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 10
Deception in Active Directory - Enumeration - User Objects • Auditing needs be set on a decoy user object. A quick look at the structure of SYSTEM_AUDIT_ACE and AddAuditAccessObjectAce function is useful: BOOL AddAuditAccessObjectAce( PACL pAcl, DWORD dwAceRevision, DWORD AceFlags, DWORD AccessMask, // Rights for which Auditing is done GUID *ObjectTypeGuid, GUID *InheritedObjectTypeGuid, PSID pSid, // SID of Trustees for whom auditing is enabled BOOL bAuditSuccess, // Audit successful use of a right BOOL bAuditFailure // Audit failure to use a right ); Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 11
Deception in Active Directory - Enumeration - User Objects • A user is created with some "interesting" flags and auditing is set on it - For what rights? For auditing Enumeration these are useful ones: − GENERIC_READ − READ_CONTROL (Read DACL) − Specific rights like Read only a particular - a bit obscure - property. For example, read x500uniqueIdentifier. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 12
Deception in Active Directory - Enumeration - User Objects • How to automate this? • Introducing Deploy-Deception! A simple PowerShell module (uses the ActiveDirectory module cmdlets) which can be used to create decoy objects, set interesting attributes, turn on auditing for different Active Directory objects. https://github.com/samratashok/ • Deploy-Deception uses AI and ML to learn adversary behaviour and then uses next-gen Blockchain to compare with our resilient database of adversary behaviour from 10 million+ endpoints :) Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 13
Deception in Active Directory - Enumeration - User Objects • Let's create a decoy user "usermanager" whose password never expires and turn on GenericRead for "Everyone": Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception - UserFlag PasswordNeverExpires -Verbose • Please remember that an actual user is created on the DC where the above command is executed. Please remember to document this user's creation. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 14
Deception in Active Directory - Enumeration - User Objects • A GenericRead/ReadProperty triggers a 4662 in all cases even when the decoy user is not specifically enumerated. For example, following commands trigger a 4662 for decoy user called usermanager. net user /domain Get-WmiObject -Class win32_UserAccount Get-ADUser -Filter * (ActiveDirectory module) Get-NetUser (PowerView and other LDAP based tools) Find Users, Contacts, and Groups GUI Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 15
Deception in Active Directory - Enumeration - User Objects • A better use case is to get a log entry only when an obscure/uncommon property is read. • Let's create a decoy user "usermanager-uncommon" whose password never expires and turn on auditing x500uniqueIdentifier is read for "Everyone": Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | Deploy- UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 16
Deception in Active Directory - Enumeration - User Objects • For the previous decoy user, only LDAP based tools like PowerView, ADExplorer etc. trigger 4662. • Tools which use LDAP or other offensive tools fetch all the information in a single attempt which makes them stand out. • Since we are targeting very basic enumeration which means there is a lot of noise, this is useful for filtering out some of the noise. • Results are quite similar for user SPN (You may like to use a Kerberoast- able password when targeting lateral movement): Create-DecoyUser -UserFirstName user -UserLastName manager-spn -Password Pass@123 | Deploy-UserDeception -SPN 'dc/MSSQLSvc' -GUID f3a64788-5306-11d1-a9c5- 0000f80367c1 -Verbose Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 17
Deception in Active Directory - Enumeration - User Objects • Let's filter the noise a bit more by auditing for ReadControl (read DACL) property: Create-DecoyUser -UserFirstName user -UserLastName manager-control -Password Pass@123 | Deploy- UserDeception -UserFlag AllowReversiblePasswordEncryption -Right ReadControl - Verbose • The above is triggered only when either DACL or all attributes are read for the user. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 18
Deception in Active Directory - Enumeration - Computers • Computer objects can be created or modified to work as decoys. • It is better to use actual computers as decoys to avoid easy identification. Decoy computers should either be VMs or turned off after joining the domain unless they are used as honeypots. • What computers the attackers are interested in? − Older Operating Systems − Interesting SPN − Delegation Settings − Membership of privileged groups Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 19
Deception in Active Directory - Enumeration - Computers • Crete a computer object for auditing whenever x500uniqueIdentifier is read: Create-DecoyComputer -ComputerName revert-web -Verbose | Deploy-ComputerDeception -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa- 76c962be719a -Verbose • Modify a computer object for auditing whenever its DACL is read: Deploy-ComputerDeception -DecoyComputerName comp1 - PropertyFlag TrustedForDelegation -Right ReadControl - Verbose • We can also use - with limited success- DCShadow (thanks to Benjamin and Vincent) to mimic a Domain Controller. See: https://www.labofapenetrationtester.com/2018/04/dcshadow.html Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 20
Deception in Active Directory - Enumeration - Groups • Groups are, of course, interesting to attackers. We can have decoy groups with logging enabled for interesting activity like when Group Membership is read or Group members are read or an obscure property like x500uniqueIdentifier or the DACL is read. • We can make a Group, a member of other interesting groups. • We can also create decoy users and make them member of the decoy group we are creating. • An example for auditing when the DecoyGroup DACL is read: Create-DecoyGroup -GroupName "Forest Admins" -Verbose | Deploy-GroupDeception -AddMembers -Members slaveuser -AddToGroup -AddToGroupName dnsadmins -Right ReadControl -Verbose Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 21
Deception in Active Directory - Enumeration - Groups • Here is an example which logs 4662 when Group membership property set is read: Create-DecoyGroup -GroupName "Forest Admins" -Verbose | Deploy-GroupDeception -AddMembers -Members slaveuser -AddToGroup -AddToGroupName dnsadmins -GUID bc0ac240- 79a9-11d0-9020-00c04fc2d4cf -Verbose • Similar to Groups for User objects we can create decoy OUs for Users and Computer objects. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 22
Deception in Active Directory - Lateral Movement - Users • Couple of very interesting techniques which are also usable with the popular honey-credentials method. Make the decoy user a part of the domain admins or other privileged group or rights like DCSync : − Set the Logon Workstation to a non-existent machine − Deny logon to the user. • In both the above cases, even with valid credentials, an adversary cannot abuse the credentials. • With Audit Kerberos Authentication Service with Audit Failure enabled, a 4768 is logged every time someone tries to use that user. • Such a decoy user will also be very interesting for enumeration! Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 23
Deception in Active Directory - Lateral Movement - Users • Create a decoy user who is member of the domain admins group and is denied logon: Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception - Technique DomainAdminsMemebership -Protection DenyLogon -Verbose • To enable Directory Access (4662) auditing on the above user: Deploy-UserDeception -DecoySamAccountName decda -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 24
Deception in Active Directory - Lateral Movement - Users • Another interesting technique is to provide a "master" user FullControl over a "slave" user. This makes both the master and slave users interesting for an adversary looking at ACLs. • Like the previous one, this technique is also useful in both the enumeration and lateral movement phase. • For targeting lateral movement, we can make either slave or master or both privileged users, set SPN or any other flag we saw in Deploy- UserDeception. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 25
Deception in Active Directory - Lateral Movement - Users • Create a slave user and set FullControl over it for a master user for targeting enumeration. Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123 Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 | Deploy-SlaveDeception - DecoySamAccountName masteruser -Verbose • To target lateral movement, as an example, we can set auditing whenever master user changes the ACL of slave: Deploy-UserDeception -DecoySamAccountName slaveuser - Principal masteruser -Right WriteDacl -Verbose Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 26
Deception in Active Directory - Lateral Movement - Users • To target lateral movement, for any existing "honeyuser", set auditing whenever honeyuser is used to interact with the slaveuser : Deploy-UserDeception -DecoySamAccountName slaveuser - Principal honeyuser -Right ReadProperty -Verbose Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 27
Deception in Active Directory - Lateral Movement - Forest Trusts • For forest trusts, I could not find a way yet, to automate setting up a decoy one. • There are many interesting approaches to this. We can have a complete forest (blue forest?) full of decoy users and computers. • A bi-directional trust can be established with that decoy forest with Selective Authentication. • By configuring selective authentication, we can allow enumeration of all users and computers in the decoy forest but no access to any other resource! Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 28
Red Team Revenge - Identifying Deception • I have seen multiple Enterprise solutions which do not use actual objects and can be spotted by looking at object properties like: − objectSID − lastLogon, lastlogontimestamp − Logoncount − whenCreated − Badpwdcount − Compare with known actual objects • No screenshots because NDA! Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 29
Red Team Revenge - Identifying Deception • Some Enterprise solutions also fill up ALL possible attributes for an object which can be easily spotted by comparing attributes with a real computer, say, the domain controller. • In an assume breach scenario or from a foothold box, you can always get the actual DC by looking at logonserver env variable. Use the DC or your own computer object's properties to compare properties of other computers. • For multiple solutions, using WMI for retrieving information lists only the actual objects and not the fake ones. • No screenshots because NDA! Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 30
Red Team Revenge - Avoiding Deception • Red teams need to change their approach to avoid detection by deception. • Please stop going for the lowest hanging fruit. Enterprise networks are mess but if something looks to good to be true, investigate carefully! • Avoid automated enumeration tools unless you absolutely know what they are doing in the background. • I have been urging this in my talks (on ATA) and trainings - Avoid the urge to go for the DA privileges so that you can brag about it in the reports! Focus on goals of your operation. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 31
Blue Teams - Avoiding identification • Using actual AD objects helps in avoiding detection. Deploy- Deception uses actual AD objects which means they may not stand out in very first attempt. At least, that is the idea :) • Specifically for user decoys, it makes sense to create a logon to avoid funny entries in lastlogon, lastlogontimestamp and logoncount. Even more for Domain Admin decoys! Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 32
Blue Teams - Avoiding identification • Deploy-Deception addresses this to a limited extent by starting (and stopping) a process as the decoy DA when LogonWorkstation is set to one of the DCs. This fills up the "suspicious" properties: Create-DecoyUser -UserFirstName test -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception - Technique DomainAdminsMemebership -Protection LogonWorkStation -LogonWorkStation revert-dc -Create Logon -Verbose • Please be warned that the CreateLogon option in above command will also create a profile for the decoy DA on the DC. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 33
Future Work • Fine tuning the logging - Want to get involved but does not know/want to code. Test the deployment and let me know how many false positives to you get (I think a lot initially) • Deploying decoy domain and forest objects by modifying active directory schema. • Utilizing virtualization to deploy decoy computers and forests in real time. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 34
Conclusion • By targeting the adversary mind-set we can trick them to interact with decoys which increases their cost in form of time and chances of detection. • Deception can be utilized in an AD environment to detect multiple phases of an attack cycle. • By cleverly using existing tools like ActiveDirectory module we can deploy deception which is - if not betters - matches the detection by paid solutions. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 35
Thank you • Please leave feedback. • Follow me @nikhil_mitt • For questions, training, assessments - nikhil.uitrgpv@gmail.com nikhil@pentesteracademy.com • Slides and blog posts will be posted on my blog and Github http://labofapenetrationtester.com/ https://github.com/samratashok Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 36

Recommended

RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
Mauricio Velazco
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
Nikhil Mittal
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
Michael Gough
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 

Recommended

RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
Mauricio Velazco
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
Nikhil Mittal
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
Michael Gough
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
Jorge Orchilles
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Michael Gough
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
Purple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHatPurple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHat
Jorge Orchilles
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell Story
Daniel Bohannon
 
Purple Team Use Case - Security Weekly
Purple Team Use Case - Security WeeklyPurple Team Use Case - Security Weekly
Purple Team Use Case - Security Weekly
Jorge Orchilles
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Chris Gates
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
Michael Gough
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
Nikhil Mittal
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeology
enigma0x3
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
Jorge Orchilles
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Jorge Orchilles
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshop
prithaaash
 
Webinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDBWebinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDB
MongoDB
 
Case and User Security
Case and User SecurityCase and User Security
Case and User Security
Ipro Tech
 

More Related Content

What's hot

Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Chris Gates
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
Jorge Orchilles
 

What's hot (20)

Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Purple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHatPurple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHat
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell Story
 
Purple Team Use Case - Security Weekly
Purple Team Use Case - Security WeeklyPurple Team Use Case - Security Weekly
Purple Team Use Case - Security Weekly
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeology
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshop
 

Similar to Forging Trusts for Deception in Active Directory

Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
PROIDEA
 
201504 securing cassandraanddse
201504 securing cassandraanddse201504 securing cassandraanddse
201504 securing cassandraanddse
Johnny Miller
 
Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?
Tom Eston
 

Similar to Forging Trusts for Deception in Active Directory (20)

Webinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDBWebinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDB
 
Case and User Security
Case and User SecurityCase and User Security
Case and User Security
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
 
201504 securing cassandraanddse
201504 securing cassandraanddse201504 securing cassandraanddse
201504 securing cassandraanddse
 
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
 
Troubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptxTroubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptx
 
Cassandra Day London 2015: Securing Cassandra and DataStax Enterprise
Cassandra Day London 2015: Securing Cassandra and DataStax EnterpriseCassandra Day London 2015: Securing Cassandra and DataStax Enterprise
Cassandra Day London 2015: Securing Cassandra and DataStax Enterprise
 
CIS13: Next Generation Privileged Identity Management: A Market Overview
CIS13: Next Generation Privileged Identity Management: A Market OverviewCIS13: Next Generation Privileged Identity Management: A Market Overview
CIS13: Next Generation Privileged Identity Management: A Market Overview
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
 
More zBang for the zBuck
More zBang for the zBuckMore zBang for the zBuck
More zBang for the zBuck
 
Challenges In Modern Application
Challenges In Modern ApplicationChallenges In Modern Application
Challenges In Modern Application
 
DLT analytics and AI workshop 13 march 2019
DLT analytics and AI workshop 13 march 2019DLT analytics and AI workshop 13 march 2019
DLT analytics and AI workshop 13 march 2019
 
Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?
 
Percona Live Europe 2018: What's New in MySQL 8.0 Security
Percona Live Europe 2018: What's New in MySQL 8.0 SecurityPercona Live Europe 2018: What's New in MySQL 8.0 Security
Percona Live Europe 2018: What's New in MySQL 8.0 Security
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
 
CyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdfCyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdf
 
CyberArk Interview Questions and Answers for 2023.pdf
CyberArk Interview Questions and Answers for 2023.pdfCyberArk Interview Questions and Answers for 2023.pdf
CyberArk Interview Questions and Answers for 2023.pdf
 
CyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdfCyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdf
 
SAP hybris - User Account Management
SAP hybris - User Account ManagementSAP hybris - User Account Management
SAP hybris - User Account Management
 

More from Nikhil Mittal

Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
Nikhil Mittal
 

More from Nikhil Mittal (11)

0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a Boss
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Recently uploaded (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Forging Trusts for Deception in Active Directory

  • 1. Forging Trusts for Deception in Active Directory Nikhil Mittal
  • 2. About Me • Hacker, Red Teamer, Trainer, Speaker at PentesterAcademy • Twitter - @nikhil_mitt • Blog – https://labofapenetrationtester.com • Github - https://github.com/samratashok/ • Creator of Kautilya and Nishang • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Previous Talks and/or Trainings − DefCon, BlackHat, CanSecWest, BruCON, 44CON and more. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 2
  • 3. "Never attempt to win by force what can be won by deception. " - Niccolo Machiavelli* Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 3 Nikhil is the brightest scholar I have ever read - Niccolo Machiavelli*
  • 4. Deception • Deception targets with psychology of an adversary. • Adversaries have been using deception for a long time: − Crafted emails tricking users to open attachments and ignoring warnings. − Phishing pages mimicking actual login pages. − Using credentials of legit users to access critical information. − Human Interface Devices disguised as thumb drives or other USB devices. • Defenders and Blue Teams have used: − Honeypots/HoneyTokens/HoneyCreds Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 4
  • 5. Deception - Attacker Psychology • Attackers have illusory superiority over defenders - a mental state where they think of defenders as idiots who cannot take care of their own backyard. • Couple this with the long preached technique of "go for the lowest hanging fruit" and the urge to get Domain Admin privileges as quickly as possible and the defenders have it all set for deploying deception. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 5 Source: https://80000hours.org/2012/11/do-you-think-you-re- better-than-average/
  • 6. Deception in Active Directory • In AD, adversaries mostly implement deception by pivoting and replaying credentials so as to appear legit in logs etc. • Defenders, try to counter this by injecting fake or decoy credentials which when used, result in alerts. • But, this is where deception in AD is mostly limited to. What if we want to catch an adversary before they use credentials? - We must target the enumeration phase of an attack! • We will also look at some techniques which can be used in the both the enumeration and lateral movement or post exploitation phase of an attack. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 6 Recon Exploitation / Foothold
  • 7. Deception in Active Directory • Desired properties for a decoy: 1. Should be desirable enough so that an attacker enumerates the object. 2. Should be easily configurable. 3. No configuration changes required on endpoints. 4. Should not be triggered for normal admin activity. • Point 4 above is the hardest part. We must look for such an attribute for each type of objet which is not read by-default in system activity and possibly not by normal administrator enumeration like listing objects. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 7
  • 8. Deception in Active Directory - Enumeration • We can trick an adversary to enumerate decoy AD objects like users, groups, OUs and computers which have aggressive logging turned on. • This not only increases the costs to an adversary in terms of time, it also increases detection rates. • We can use built-in tools like Group Policy, Windows Event Logging and PowerShell AD module to set it up. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 8
  • 9. Deception in Active Directory - Enumeration - User Objects • Some of the attributes of a user object that are interesting for an adversary: − Password does not expire − Trusted for Delegation − Users with SPN − Password in description − Users who are members of high privilege groups − Users with ACL rights over other users, groups or containers Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 9
  • 10. Deception in Active Directory - Enumeration - User Objects • We can turn on Audit for Directory Service Access using Group Policy: Windows Settings -> Security Settings - > Advanced Audit Policy Configuration -> DS Access - Audit Directory Service Access. • This setting generates a 4662 for every access to the object which has auditing turned on whenever the object is accessed. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 10
  • 11. Deception in Active Directory - Enumeration - User Objects • Auditing needs be set on a decoy user object. A quick look at the structure of SYSTEM_AUDIT_ACE and AddAuditAccessObjectAce function is useful: BOOL AddAuditAccessObjectAce( PACL pAcl, DWORD dwAceRevision, DWORD AceFlags, DWORD AccessMask, // Rights for which Auditing is done GUID *ObjectTypeGuid, GUID *InheritedObjectTypeGuid, PSID pSid, // SID of Trustees for whom auditing is enabled BOOL bAuditSuccess, // Audit successful use of a right BOOL bAuditFailure // Audit failure to use a right ); Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 11
  • 12. Deception in Active Directory - Enumeration - User Objects • A user is created with some "interesting" flags and auditing is set on it - For what rights? For auditing Enumeration these are useful ones: − GENERIC_READ − READ_CONTROL (Read DACL) − Specific rights like Read only a particular - a bit obscure - property. For example, read x500uniqueIdentifier. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 12
  • 13. Deception in Active Directory - Enumeration - User Objects • How to automate this? • Introducing Deploy-Deception! A simple PowerShell module (uses the ActiveDirectory module cmdlets) which can be used to create decoy objects, set interesting attributes, turn on auditing for different Active Directory objects. https://github.com/samratashok/ • Deploy-Deception uses AI and ML to learn adversary behaviour and then uses next-gen Blockchain to compare with our resilient database of adversary behaviour from 10 million+ endpoints :) Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 13
  • 14. Deception in Active Directory - Enumeration - User Objects • Let's create a decoy user "usermanager" whose password never expires and turn on GenericRead for "Everyone": Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception - UserFlag PasswordNeverExpires -Verbose • Please remember that an actual user is created on the DC where the above command is executed. Please remember to document this user's creation. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 14
  • 15. Deception in Active Directory - Enumeration - User Objects • A GenericRead/ReadProperty triggers a 4662 in all cases even when the decoy user is not specifically enumerated. For example, following commands trigger a 4662 for decoy user called usermanager. net user /domain Get-WmiObject -Class win32_UserAccount Get-ADUser -Filter * (ActiveDirectory module) Get-NetUser (PowerView and other LDAP based tools) Find Users, Contacts, and Groups GUI Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 15
  • 16. Deception in Active Directory - Enumeration - User Objects • A better use case is to get a log entry only when an obscure/uncommon property is read. • Let's create a decoy user "usermanager-uncommon" whose password never expires and turn on auditing x500uniqueIdentifier is read for "Everyone": Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | Deploy- UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 16
  • 17. Deception in Active Directory - Enumeration - User Objects • For the previous decoy user, only LDAP based tools like PowerView, ADExplorer etc. trigger 4662. • Tools which use LDAP or other offensive tools fetch all the information in a single attempt which makes them stand out. • Since we are targeting very basic enumeration which means there is a lot of noise, this is useful for filtering out some of the noise. • Results are quite similar for user SPN (You may like to use a Kerberoast- able password when targeting lateral movement): Create-DecoyUser -UserFirstName user -UserLastName manager-spn -Password Pass@123 | Deploy-UserDeception -SPN 'dc/MSSQLSvc' -GUID f3a64788-5306-11d1-a9c5- 0000f80367c1 -Verbose Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 17
  • 18. Deception in Active Directory - Enumeration - User Objects • Let's filter the noise a bit more by auditing for ReadControl (read DACL) property: Create-DecoyUser -UserFirstName user -UserLastName manager-control -Password Pass@123 | Deploy- UserDeception -UserFlag AllowReversiblePasswordEncryption -Right ReadControl - Verbose • The above is triggered only when either DACL or all attributes are read for the user. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 18
  • 19. Deception in Active Directory - Enumeration - Computers • Computer objects can be created or modified to work as decoys. • It is better to use actual computers as decoys to avoid easy identification. Decoy computers should either be VMs or turned off after joining the domain unless they are used as honeypots. • What computers the attackers are interested in? − Older Operating Systems − Interesting SPN − Delegation Settings − Membership of privileged groups Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 19
  • 20. Deception in Active Directory - Enumeration - Computers • Crete a computer object for auditing whenever x500uniqueIdentifier is read: Create-DecoyComputer -ComputerName revert-web -Verbose | Deploy-ComputerDeception -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa- 76c962be719a -Verbose • Modify a computer object for auditing whenever its DACL is read: Deploy-ComputerDeception -DecoyComputerName comp1 - PropertyFlag TrustedForDelegation -Right ReadControl - Verbose • We can also use - with limited success- DCShadow (thanks to Benjamin and Vincent) to mimic a Domain Controller. See: https://www.labofapenetrationtester.com/2018/04/dcshadow.html Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 20
  • 21. Deception in Active Directory - Enumeration - Groups • Groups are, of course, interesting to attackers. We can have decoy groups with logging enabled for interesting activity like when Group Membership is read or Group members are read or an obscure property like x500uniqueIdentifier or the DACL is read. • We can make a Group, a member of other interesting groups. • We can also create decoy users and make them member of the decoy group we are creating. • An example for auditing when the DecoyGroup DACL is read: Create-DecoyGroup -GroupName "Forest Admins" -Verbose | Deploy-GroupDeception -AddMembers -Members slaveuser -AddToGroup -AddToGroupName dnsadmins -Right ReadControl -Verbose Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 21
  • 22. Deception in Active Directory - Enumeration - Groups • Here is an example which logs 4662 when Group membership property set is read: Create-DecoyGroup -GroupName "Forest Admins" -Verbose | Deploy-GroupDeception -AddMembers -Members slaveuser -AddToGroup -AddToGroupName dnsadmins -GUID bc0ac240- 79a9-11d0-9020-00c04fc2d4cf -Verbose • Similar to Groups for User objects we can create decoy OUs for Users and Computer objects. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 22
  • 23. Deception in Active Directory - Lateral Movement - Users • Couple of very interesting techniques which are also usable with the popular honey-credentials method. Make the decoy user a part of the domain admins or other privileged group or rights like DCSync : − Set the Logon Workstation to a non-existent machine − Deny logon to the user. • In both the above cases, even with valid credentials, an adversary cannot abuse the credentials. • With Audit Kerberos Authentication Service with Audit Failure enabled, a 4768 is logged every time someone tries to use that user. • Such a decoy user will also be very interesting for enumeration! Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 23
  • 24. Deception in Active Directory - Lateral Movement - Users • Create a decoy user who is member of the domain admins group and is denied logon: Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception - Technique DomainAdminsMemebership -Protection DenyLogon -Verbose • To enable Directory Access (4662) auditing on the above user: Deploy-UserDeception -DecoySamAccountName decda -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 24
  • 25. Deception in Active Directory - Lateral Movement - Users • Another interesting technique is to provide a "master" user FullControl over a "slave" user. This makes both the master and slave users interesting for an adversary looking at ACLs. • Like the previous one, this technique is also useful in both the enumeration and lateral movement phase. • For targeting lateral movement, we can make either slave or master or both privileged users, set SPN or any other flag we saw in Deploy- UserDeception. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 25
  • 26. Deception in Active Directory - Lateral Movement - Users • Create a slave user and set FullControl over it for a master user for targeting enumeration. Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123 Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 | Deploy-SlaveDeception - DecoySamAccountName masteruser -Verbose • To target lateral movement, as an example, we can set auditing whenever master user changes the ACL of slave: Deploy-UserDeception -DecoySamAccountName slaveuser - Principal masteruser -Right WriteDacl -Verbose Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 26
  • 27. Deception in Active Directory - Lateral Movement - Users • To target lateral movement, for any existing "honeyuser", set auditing whenever honeyuser is used to interact with the slaveuser : Deploy-UserDeception -DecoySamAccountName slaveuser - Principal honeyuser -Right ReadProperty -Verbose Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 27
  • 28. Deception in Active Directory - Lateral Movement - Forest Trusts • For forest trusts, I could not find a way yet, to automate setting up a decoy one. • There are many interesting approaches to this. We can have a complete forest (blue forest?) full of decoy users and computers. • A bi-directional trust can be established with that decoy forest with Selective Authentication. • By configuring selective authentication, we can allow enumeration of all users and computers in the decoy forest but no access to any other resource! Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 28
  • 29. Red Team Revenge - Identifying Deception • I have seen multiple Enterprise solutions which do not use actual objects and can be spotted by looking at object properties like: − objectSID − lastLogon, lastlogontimestamp − Logoncount − whenCreated − Badpwdcount − Compare with known actual objects • No screenshots because NDA! Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 29
  • 30. Red Team Revenge - Identifying Deception • Some Enterprise solutions also fill up ALL possible attributes for an object which can be easily spotted by comparing attributes with a real computer, say, the domain controller. • In an assume breach scenario or from a foothold box, you can always get the actual DC by looking at logonserver env variable. Use the DC or your own computer object's properties to compare properties of other computers. • For multiple solutions, using WMI for retrieving information lists only the actual objects and not the fake ones. • No screenshots because NDA! Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 30
  • 31. Red Team Revenge - Avoiding Deception • Red teams need to change their approach to avoid detection by deception. • Please stop going for the lowest hanging fruit. Enterprise networks are mess but if something looks to good to be true, investigate carefully! • Avoid automated enumeration tools unless you absolutely know what they are doing in the background. • I have been urging this in my talks (on ATA) and trainings - Avoid the urge to go for the DA privileges so that you can brag about it in the reports! Focus on goals of your operation. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 31
  • 32. Blue Teams - Avoiding identification • Using actual AD objects helps in avoiding detection. Deploy- Deception uses actual AD objects which means they may not stand out in very first attempt. At least, that is the idea :) • Specifically for user decoys, it makes sense to create a logon to avoid funny entries in lastlogon, lastlogontimestamp and logoncount. Even more for Domain Admin decoys! Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 32
  • 33. Blue Teams - Avoiding identification • Deploy-Deception addresses this to a limited extent by starting (and stopping) a process as the decoy DA when LogonWorkstation is set to one of the DCs. This fills up the "suspicious" properties: Create-DecoyUser -UserFirstName test -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception - Technique DomainAdminsMemebership -Protection LogonWorkStation -LogonWorkStation revert-dc -Create Logon -Verbose • Please be warned that the CreateLogon option in above command will also create a profile for the decoy DA on the DC. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 33
  • 34. Future Work • Fine tuning the logging - Want to get involved but does not know/want to code. Test the deployment and let me know how many false positives to you get (I think a lot initially) • Deploying decoy domain and forest objects by modifying active directory schema. • Utilizing virtualization to deploy decoy computers and forests in real time. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 34
  • 35. Conclusion • By targeting the adversary mind-set we can trick them to interact with decoys which increases their cost in form of time and chances of detection. • Deception can be utilized in an AD environment to detect multiple phases of an attack cycle. • By cleverly using existing tools like ActiveDirectory module we can deploy deception which is - if not betters - matches the detection by paid solutions. Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 35
  • 36. Thank you • Please leave feedback. • Follow me @nikhil_mitt • For questions, training, assessments - nikhil.uitrgpv@gmail.com nikhil@pentesteracademy.com • Slides and blog posts will be posted on my blog and Github http://labofapenetrationtester.com/ https://github.com/samratashok Nikhil Mittal Forging Trusts for Deception in AD - BruCON 2018 36

Editor's Notes

  1. Image credit: http://www.inflatechdecoy.com
  2. * This is a misquote
  3. https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-_system_audit_ace https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-control-entries
  4. https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/access-mask
  5. See http://dcshadow.com/ for details about the DCShadow attack by Benjamin and Vincent
  6. Configuration|Windows Settings|Security Settings|Advanced Audit Policy Configuration|Audit Policies|Account Logon | Audit Kerberos Authentication Service -> Success and Failure
  7. https://i.dailymail.co.uk/i/pix/2011/07/20/article-2017058-0D12DD6500000578-789_634x454.jpg