This document summarizes a presentation on designing Active Directory DACL backdoors for persistence after gaining initial domain elevation. It discusses how DACL misconfigurations can provide stealthy, long-term access. Specific techniques covered include hiding DACLs and principals from easy enumeration, as well as case studies on backdoors involving DCSync rights, AdminSDHolder, LAPS passwords, Exchange objects, and abusing GPOs. Defenses discussed include proper event log collection and SACL auditing. The document provides an overview of how DACLs can be stealthily misconfigured to maintain access without immediate detection.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
The talk I gave at Black Hat USA 2017 on bypassing Microsoft Advanced Threat Analytics (ATA). I demonstrate techniques to bypass, avoid and attack ATA in this talk.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
The talk I gave at Black Hat USA 2017 on bypassing Microsoft Advanced Threat Analytics (ATA). I demonstrate techniques to bypass, avoid and attack ATA in this talk.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Hashicorp Vault: Open Source Secrets Management at #OPEN18Kangaroot
HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. We'll show how this works.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Hashicorp Vault: Open Source Secrets Management at #OPEN18Kangaroot
HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. We'll show how this works.
Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.
Slides for Building Better Backdoors with WMI - DerbyCon 2017 - Legacy
Code:
https://github.com/0xbadjuju/PowerProvider/
https://github.com/0xbadjuju/WheresMyImplant
The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every Windows system. This allows us as attackers to “”live off the land””. It also has built-in functionality to run in memory bypassing most security products.
I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...Puppet
Adding Windows servers to a Puppet instance can feel like a daunting task, even more so when you already have a large number of Linux servers in Puppet already. Learn how Walmart integrated their Windows servers into Puppet Enterprise. We’ll discuss not only why we chose Puppet over other tools, but why and how we still use tools like DSC, SCCM and GPOs. We’ll also go over the successes and pitfalls we had along the way in using Puppet on Windows, onboarding other teams, and evangelizing our team’s vision to others.
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
This presentation is about how you can structure your analysis to increase the chances of success when attempting to evict an advanced attacker. It's my thoughts on how to think when deciding how and when to respond and attempt to evict a mission driven attacker from your infrastructure. This is a continuation of my previous work on the Cyber Threat Intelligence Matrix.
P.S. The concepts are still work in progress, and the slide deck is a bit rough around the edges, but I hope it can spark some ideas and help you out. If you have feedback I would also greatly appreciate hearing from you, e.g. on Twitter (@FrodeHommedal).
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...Chris Thompson
"Windows Defender Advanced Threat Protection will soon be available for all Blue Teams to utilize within Windows 10 Enterprise, which includes detection of post breach tools, tactics and techniques commonly used by Red Teams, as well as behavior analytics. Combined with Microsoft Advanced Threat Analytics for user behavior analytics across the Domain, Red Teamers will soon face a significantly more challenging time maintaining stealth while performing internal recon, lateral movement, and privilege escalation in Windows 10/Active Directory environments.
This talk highlights challenges to red teams posed by Microsoft's new tools based on common hacking tools/techniques, and covers techniques which can be used to bypass, disable, or avoid high severity alerts within Windows Defender ATP and Microsoft ATA, as well as TTP used against mature organizations that may have additional controls in place such as Event Log Forwarding and Sysmon."
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamPriyanka Aash
With advanced cyber-actors evolving quickly and becoming more stealthy, it has become imperative to question the status quo of our existing cyber-operations. This session will outline how a case study and incident response led to changes in focus and philosophy and how that changed the structure of Defensive Cyber Operations.
(Source: RSA Conference USA 2017)
There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)
Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)
In this presentation I have explained about difference between regular malware attack and fileless attack. Also added ways to capture it using EventTracker.
The Unintended Risks of Trusting Active DirectoryWill Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
In this talk we’ll see how Authentication and Secrets delivery work in distributed containerized applications from the inside. We’ll start from the theory of security and will go through the topics like Container Auth Role, Static & Dynamic secrets, Env vars/volumes for secret delivery, Vault & K8S secrets. After this talk you’ll get an understanding how to securely deploy your containerized workloads.
Oracle Database Vault has been on the market for a few years now. The product has been constantly improved over the years. But where is it worthwhile to use it? Which security measures can be implemented with it? And from whom does DB Vault protect me at all? In this presentation, the technical possibilities of Database Vault 19c / 21c will be explained in addition to the experiences from two customer projects. We will try to show where the use of Database Vault is worthwhile under certain circumstances and under which conditions it is not. This also includes whether protection against snakes and thieves is ensured. PS: I asked my children what kind of presentation I should submit.The answers were snakes, thieves and cheetahs…
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot
The webinar will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data.
Using the popular AAA (Authentication, Authorisation, Auditing) framework EnterpriseDB will cover:
- Best practices for authentication (trust, certificate, MD5, Scram, etc).
- Advanced approaches, such as password profiles.
- Deep dive of authorisation and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction.
- Auditing, encryption, and SQL injection attack prevention
In Cassandra Lunch #92, CEO of Anant, Rahul Singh, will discuss how to design and manage roles and permissions in Apache Cassandra to secure multiple applications and users for a growing platform with new use cases.
Accompanying YouTube: https://youtu.be/r5J9S0yGzfY
Sign Up For Our Newsletter: http://eepurl.com/grdMkn
Join Cassandra Lunch Weekly at 12 PM EST Every Wednesday: https://www.meetup.com/Cassandra-DataStax-DC/events/
Cassandra.Link:
https://cassandra.link/
Follow Us and Reach Us At:
Anant:
https://www.anant.us/
Awesome Cassandra:
https://github.com/Anant/awesome-cassandra
Cassandra.Lunch:
https://github.com/Anant/Cassandra.Lunch
Email:
solutions@anant.us
LinkedIn:
https://www.linkedin.com/company/anant/
Twitter:
https://twitter.com/anantcorp
Eventbrite:
https://www.eventbrite.com/o/anant-1072927283
Facebook:
https://www.facebook.com/AnantCorp/
Join The Anant Team:
https://www.careers.anant.us
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally we?ll show how PowerShell automation can be used to execute the SQL Server attacks on scale. All scripts created and demonstrated during the presentation will be open sourced. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
Your MongoDB Community Edition database can probably be a lot more secure than it is today, since Community Edition provides a wide range of capabilities for securing your system, and you are probably not using them all. If you are worried about cyber-threats, take action reduce your anxiety!
This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.
PowerUp - Automating Windows Privilege EscalationWill Schroeder
This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
1. An ACE Up the Sleeve
Designing Active Directory DACL Backdoors
Andy Robbins and Will Schroeder
SpecterOps
2. @_wald0
▪ Job: Adversary Resilience Lead at SpecterOps
▪ Co-founder/developer: BloodHound
▪ Trainer: BlackHat 2016
▪ Presenter: DEF CON, DerbyCon, ekoparty,
Paranoia, ISSA Intl, ISC2 World Congress, various
Security BSides
▪ Other: ask me about ACH
3. @harmj0y
▪ Job: Offensive Engineer at SpecterOps
▪ Co-founder/developer: Veil-Framework,
Empire/EmPyre, PowerView/PowerUp, BloodHound,
KeeThief
▪ Trainer: BlackHat 2014-2016
▪ Presenter: DEF CON, DerbyCon, ShmooCon,
Troopers, BlueHat Israel, various BSides
▪ Other: PowerSploit developer and Microsoft
PowerShell MVP
4. tl;dr
▪ DACL/ACE Background
▪ DACL Misconfiguration and Abuse
▪ Analysis with BloodHound
▪ Designing ACL Based Backdoors
▪ Case Studies and Demos
▪ Defenses
5. Disclaimer
▪ There is no exploit/CVE/whatnot here, just
ways to purposely implement Active Directory
DACL misconfigurations
▪ These backdoors are post-elevation
techniques that require some type of
elevated access to the objects you’re
manipulating
6. Why Care?
▪ It’s often difficult to determine whether a specific AD
DACL misconfiguration was set maliciously or
configured by accident
▪ These changes also have a minimal forensic footprint
and often survive OS and domain functional level
upgrades
□ This makes them a great chance for subtle, long-term
domain persistence!
▪ These may have been in your environment for YEARS!
7. “As an offensive researcher, if
you can dream it, someone has
likely already done it...and that
someone isn’t the kind of
person who speaks at security
cons” Matt Graeber
“Abusing Windows Management Instrumentation
(WMI) to Build a Persistent, Asynchronous, and
Fileless Backdoor” - BlackHat 2015
14. ACLs, DACLs, and SACLs
▪ Access Control List (ACL) is basically shorthand for
the DACL/SACL superset
▪ An object’s Discretionary Access Control List
(DACL) and System Access Control List (SACL) are
ordered collections of Access Control Entries (ACEs)
□ The DACL specifies what principals/trustees have what
rights over the object
□ The SACL allows for auditing of access attempts to the
object
16. DS_CONTROL_ACCESS
▪ AD access mask bit that grants privileges that aren’t
easily expressed in the access mask
▪ Interpreted a few different ways...
▪ If the ObjectAceType of an ACE with
CONTROL_ACCESS set is the GUID of a confidential
property or property set, this bit controls read
access to that property
□ E.g. in the case of the Local Administrator Password
Soltution (LAPS)
17. DS_CONTROL_ACCESS
and Extended Rights
▪ If the ObjectAceType GUID matches a registered
extended-right GUID in the schema, then
control_access grants that particular “control access
right”
□ User-Force-Change-Password on user objects
□ DS-Replication-Get-Changes and DS-Replication-Get-
Changes-All on the domain object itself
20. Elevation vs. Persistence
▪ Our work in this area was first motivated by a desire
to find AD misconfigurations for the purposes of
domain privilege escalation
□ I.e. searching for specific ACE relationships that result in a
lesser-privileged object modifying a higher-privileged one
▪ This presentation is about modifying/adding ACEs
(or chains of ACEs) in order to provide persistence in
a domain environment
21. ▪ The two takeover primitives are forcing a password
reset, and targeted Kerberoasting through SPN
modification (to recover creds)
▪ So the additional rights we care about are:
□ WriteProperty to all properties
□ WriteProperty to servicePrincipalName
□ All extended rights
□ User-Force-Change-Password (extended)
▪ Abusable through Set-DomainObjectOwner and Set-
DomainUserPassword
Target: User Objects
22. ▪ The main takeover primitive involves adding a
user to the target group
▪ So the additional rights we care about are:
□ WriteProperty to all properties
□ WriteProperty to the member property
▪ Abusable through Add-DomainGroupMember
Target: Group Objects
23. ▪ If LAPS is enabled:
□ We care about DS_CONTROL_ACCESS or GenericAll to
the ms-MCS-AdmPwd (plaintext password) property
▪ Otherwise, we don’t know of a practical way to
abuse a control relationship to computer
objects :(
□ If you have any ideas, please let us know!
Target: Computer Objects
24. ▪ The main takeover primitive involves granting a
user domain replications rights (for DCSync)
□ Or someone who currently has DCSync rights
▪ So the main effective right we care about is
WriteDacl, so we can grant a principal DCSync
rights with Add-DomainObjectAcl
□ Or explicit DS-Replication-Get-Changes/ DS-
Replication-Get-Changes-All
Target: Domain Objects
25. ▪ The main takeover primitive involves the right to edit
the group policy (that’s then linked to an
OU/site/domain)
□ This gives the ability to compromise users/computers in
these containers
▪ So the additional rights we care about are:
□ WriteProperty to all properties
□ WriteProperty to GPC-File-Sys-Path
▪ GPOs can be edited on SYSVOL
Target: GPOs
26. AD Generic Rights
▪ GenericAll
□ Allows ALL generic rights to the specified object
□ Also grants “control rights” (see next slide)
▪ GenericWrite
□ Allows for the modification of (almost) all properties on a
specified object
▪ Both are abusable with PowerView’s Set-
DomainObject, and these two rights generally apply
to most objects for takeover
27. AD Control Rights
▪ Rights that allow a trustee/principal to take control of
the object in some way
▪ WriteDacl grants the ability to modify the DACL in the
object security descriptor
□ Abusable with PowerView: Add-DomainObjectAcl
▪ WriteOwner grants the ability to take ownership of the
object
□ Object owners implicitly have full rights!
□ Abusable with PowerView: Set-DomainObjectOwner
29. BloodHound Analysis
▪ BloodHound enables simple, graphical analysis of
control relationships in AD
▪ Defenders can use this for:
□ least privilege enforcement
□ identifying misconfigured ACLs
□ detecting “non-stealthy” ACL-enabled backdoors
▪ Attackers can use this to:
□ identify ACL-enabled escalation paths
□ select targets for highly stealthy backdoors
□ understand privilege relationships in the target domain
32. Objective
▪ We want to implement an Active Directory
DACL-based backdoor that:
□ Facilitates the regaining of elevated control in the AD
environment
□ Blends in with normal ACL configurations (“hiding in
plain sight”), or is otherwise hidden from easy
enumeration by defenders
▪ Let’s see what we can come up with!
33. Stealth Primitive:
Hiding the DACL
▪ Effectively hiding DACLs from defenders
requires two steps
▪ Change the object owner from “Domain
Admins” to the attacker account.
▪ Add a new explicit ACE, denying the
“Everyone” principal the “Read Permissions”
privilege.
35. ▪ Hiding a principal from defenders requires
three steps:
a.Change the principal owner to itself, or another
controlled principal
b.Grant explicit control of the principal to either itself,
or another controlled principal
c.On the OU containing your hidden principal, deny
the “List Contents” privilege to “Everyone”
Stealth Primitive:
Hiding the Principal
37. Primitives: Summary
▪ We know which ACEs result in object takeover
▪ We can control who can enumerate the DACL
▪ We can hide principals/trustees that are
present in a specific ACE
39. A Hidden DCSync
Backdoor
▪ Backdoor:
□ Add DS-Replication-Get-Changes and DS-Replication-
Get-Changes-All on the domain object itself where the
principal is a user/computer account the attacker controls
□ The user/computer doesn’t have to be in any special
groups or have any other special privileges!
▪ Execution:
□ DCSync whoever you want!
40.
41. AdminSDHolder
▪ Backdoor:
□ Attacker grants themselves the User-Force-Change-
Password (or GenericAll) right on
CN=AdminSDHolder,CN=System,DC=domain,…
□ Every 60 minutes, this permission is cloned to every
sensitive/protected AD object through SDProp
□ Attacker “hides” their account using methods described
▪ Execution:
□ Attacker force resets the password for any adminCount=1
account
42.
43. LAPS
▪ Microsoft’s “Local Administrator Password
Solution”
▪ Randomizes the a machine’s local admin password
every 30 days
□ The password is stored in the confidential ms-Mcs-
AdmPwd attribute on computer objects
▪ Administered with the AdmPwd.PS cmdlets
□ Find-AdmPwdExtendedRights “Audits” who can read
ms-Mcs-AdmPwd
https://technet.microsoft.com/en-us/mt227395.aspx
44. Who can read AdmPwd?*
▪ DS_CONTROL_ACCESSS where the ACE
□ applies to AdmPwd and all descendant computers
□ applies to AdmPwd and all descendant objects
□ applies to any object and all descendant objects
□ applies to any object and all descendant computers
▪ Above checks are also necessary for GENERIC_ALL
▪ Object control == Ability to grant the above rights
□ You are the owner
□ You can become the owner:
□ WriteDACL, WriteOwner
* See the whitepaper for more details - the list here is not comprehensive
45. Shortcomings of Find-
AdmPwdExtendedRights
▪ DS_CONTROL_ACCESSS where the ACE
□ applies to AdmPwd and all descendant computers
□ applies to AdmPwd and all descendant objects
□ applies to any object and all descendant objects
□ applies to any object and all descendant computers
▪ Above checks are also necessary for GENERIC_ALL
▪ Object control == Ability to grant the above rights
□ You are the owner
□ You can become the owner
□ WriteDACL, WriteOwner
▪ Only analyzes OUs and (optionally) computers
48. Domain user can access
AdmPwd! LAPS cmdlet doesn’t
detect it!
49. Exchange Strikes Back
▪ Exchange Server introduces several schema changes,
new nested security groups, and MANY control
relationships to Active Directory, making it a perfect
spot to blend in amongst the noise.
▪ Pre Exchange Server 2007 SP1, this included the
“WriteDACL” privilege against the domain object
itself, which was distributed down to ALL securable
objects!
50. Exchange Strikes Back
▪ Backdoor:
□ Identify a non-protected security group with local
admin rights on one or more Exchange servers
□ Grant “Authenticated Users” full control over this
security group
□ Change the owner of the group to an Exchange server
□ Deny “Read Permissions” on this group to the
“Everyone” principal
51. ▪ Execution:
□ Regain access to the Active Directory domain as any user
□ Add your current user to the back-doored security group
□ Use your new local admin rights on an Exchange server to
execute commands as the SYSTEM user on that
computer.
□ Exchange Trusted Subsystem often has full control of the
domain, so this may include DCSync!
Exchange Strikes Back
52.
53. Abusing GPOs
▪ Backdoor:
□ Attacker grants herself GenericAll to any user object with the attacker as
the trustee
□ Grant that “patsy” user WriteDacl to the default domain controllers GPO
▪ Execution:
□ Force resets the “patsy” account password
□ Adds a DACL to the GPO that allows write access for the patsy to GPC-
File-Sys-Path of the GPO
□ Grants the attack SeEnableDelegationPrivilege rights in GptTmpl.inf
□ Executes a constrained delegation attack using the patsy account’s
credentials
55. Event Logs
▪ Proper event log tuning and monitoring is pretty
much your only hope for performing real “forensics”
on these actions
□ But if you weren’t collecting event logs when the
backdoor was implemented, you might not ever know
who the perpetrator was :(
▪ For example:
□ Event log 4738 (“A user account was changed”), filtered by
the property modified
56. Replication Metadata
▪ Metadata remnants from domain controller
replication can grant a few clues
□ Specifically, when a given attribute was modified, and
from what domain controller the modification event
occurred on
▪ This points you in the right direction, but needs to be
used with event logs to get the full picture
□ More information in a post soon on
http://blog.harmj0y.net
57. SACLs
▪ SACLs contain ACEs that, “specify the types of
access attempts that generate audit records in the
security event log of a domain controller”
▪ You don’t have to SACL every success/failure action
on every object type and property:
□ A great start- build SACLs for all of the attack primitives
we’ve talked about on the specific target objects we’ve
outlined
□ More information: http://bit.ly/2tOAGn7
58. ▪ We were not able to utilize NULL DACLs or otherwise
manipulate the header control bits (i.e.
SE_DACL_PRESENT)
□ Any attempts to set ntSecurityDescriptor on an object
remotely ignores any header bits, however this warrants
another look
▪ Research additional control relationships
□ Particularly any relationship that allows for computer
object takeover
Future Work
59. Credits
Special thanks to all the people who helped us
with this research and slide deck:
▪ Lee Christensen (@tifkin_)
▪ Jeff Dimmock (@bluscreenofjeff)
▪ Everyone else at SpecterOps!
▪ Matt Graeber (@mattifestation)