This document provides an overview of attack methodologies from an attacker's perspective when targeting Active Directory environments. It discusses initial access techniques, privilege escalation to domain admin rights, maintaining situational awareness through techniques like password spraying and Kerberoasting, and lateral movement tactics like pass the hash and pass the ticket. It also provides mitigation strategies and detection opportunities for defenders.
2. whoami
• Penetration Tester
• Disclaimer: All opinions are mine, not a representation of the company I work for or the organizations I am affiliated with
• None of these materials are original. They are just a compilation of research done by awesome people
• Test all recommendations first, before implementing them. I take no liability if they mess up your environment
3. Shout Out
• Sean Metcalf (@PyroTek3) for running https://adsecurity.org
• Will Schroeder (@harmj0y) for developing and releasing tools for modern red teaming (Empire, PowerSploit, Veil-Framework, BloodHound)
• Benjamin Delpy (@gentilkiwi) for mimikatz and continuously improving it
• And everyone else who contributed!
5. Attacker's Dilemma
• The new cliché
• Attackers need to evade all detection
• Defenders need just one alarm/trigger to know attackers are in
• "Defender's Dilemma vs Intruder's Dilemma" – TaoSecurity (2009)
6. Assume Breach Mentality
• Prepare for threats beyond the WALL (Defence in Depth / Layered Defence) – CYBER RESILIENCE
• Contain threats (limit the attacker's movement)
• Detect & respond to threats (Threat Hunting / IOCs) – CYBER AGILITY
• Prevention is still important, but it is critical to move beyond it
7. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™)
Source: https://attack.mitre.org/wiki/Main_Page
Red Team's Tactics, Techniques and Procedures (TTPs)
8. Active Directory
• Microsoft's Directory Service (AD DS) – A set of services to manage network resources
• Domain Controller (DC) – Server running AD DS
• Domain Admins (DA) – The user group that has full control of network resources in the domain
• Local Administrators – The user group that has full control of a local/specific machine
12. Kerberos Authentication
• The Ticket Granting Ticket (TGT) contains a Privilege Attribute Certificate (PAC), which stores:
  • Account name
  • Security Identifiers (SIDs)
  • Group membership
• The user requests a TGT by sending a timestamp encrypted with their secret key (for the RC4 cipher, that key is the account's NTLM hash)
• The TGT is encrypted, and its PAC signed, with the domain KRBTGT account's secret key (NTLM hash) – only readable by a Domain Controller (DC)
• A service ticket issued by the Ticket Granting Service (TGS) is encrypted with the service account's secret key (NTLM hash)
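Worked example of the point above, added here and not part of the deck: the NT hash (MD4 of the UTF-16LE password) is used directly as the RC4-HMAC (Kerberos etype 23) key to encrypt the AS-REQ pre-authentication timestamp the way a client does, and the KDC side recovers it knowing only the stored hash, which is why possessing the hash is as good as the password (over-pass-the-hash). MD4 and RC4 are written out because hashlib's MD4 is often disabled; the password, the timestamp string and the simplified plaintext (a real client DER-encodes PA-ENC-TS-ENC) are constructed for the example.

```python
import hashlib
import hmac
import os
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, inline because hashlib's md4 is often unavailable."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = [  # (function, additive constant, X[] index order, rotation amounts)
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = r
                a = _rotl((a + func(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                r = [d, a, b, c]  # register rotation gives the a/d/c/b step order
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is the Kerberos RC4-HMAC long-term key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


PA_ENC_TIMESTAMP_USAGE = 1  # RFC 4120 key usage for the AS-REQ pre-auth timestamp


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 etype 23: checksum || RC4(K3, confounder || plaintext)."""
    confounder = confounder or os.urandom(8)
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)  # K2 == K1 for the non-export variant
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> bytes:
    """Inverse of rc4_hmac_encrypt; raises ValueError on a wrong key (checksum mismatch)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum, body = ciphertext[:16], ciphertext[16:]
    data = rc4(_hmac_md5(k1, checksum), body)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return data[8:]  # strip the 8-byte confounder


def as_req_preauth(password: str, timestamp: bytes) -> bytes:
    """Client side: the timestamp is encrypted under the NT hash derived from the password."""
    return rc4_hmac_encrypt(nt_hash(password), PA_ENC_TIMESTAMP_USAGE, timestamp)


def kdc_verify_preauth(stored_nt_hash: bytes, blob: bytes) -> bytes:
    """KDC side: the DC never needs the password, only the stored NT hash."""
    return rc4_hmac_decrypt(stored_nt_hash, PA_ENC_TIMESTAMP_USAGE, blob)


if __name__ == "__main__":
    ts = b"20170101120000Z"  # constructed; a real AS-REQ carries DER-encoded PA-ENC-TS-ENC
    blob = as_req_preauth("password", ts)
    print("NT hash:", nt_hash("password").hex())
    print("pre-auth blob:", blob.hex())
    print("KDC recovers:", kdc_verify_preauth(nt_hash("password"), blob))
```

The same `rc4_hmac_encrypt` with the KRBTGT account's NT hash is what seals a TGT, and with a service account's NT hash what seals a service ticket, which is the whole reason the slide keeps pointing at NTLM hashes.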
15. Privilege Escalation: User to Local Admin
• Unpatched vulnerabilities
• System misconfigurations
  • Passwords stored in SYSVOL or Group Policy Preferences (GPP)
• Check out Paul Craig's talk on local privilege escalation: http://www.vantagepoint.sg/news/48-security-wednesdays-9-local-privilege-escalation-nus-greyhats or https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
16. Passwords stored in SYSVOL
• SYSVOL
  • Domain-wide shared folder
  • Stores logon scripts and domain group policies
  • Any authenticated user on the domain can read it
• Scripts with cleartext admin credentials stored in SYSVOL
17. Passwords stored in SYSVOL
• Group Policy Preferences with a password defined for the local Administrator account (stored as the cpassword attribute in the preference XML)
18. Passwords stored in SYSVOL
• The encryption key is well known: the AES key is published in the MS-GPPREF specification
Source: https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
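As an added example for slides 16 to 18 (not from the deck): a scanner that walks a SYSVOL Policies tree, or a local copy of it, for the Group Policy Preference XML files that can carry a cpassword, and reports the account, the preference element and the ciphertext. GPP strips the base64 padding from cpassword, so the helper restores it before decoding and checks the result is whole AES blocks. The directory layout, GPO GUID folder and the Groups.xml content below are constructed (the cpassword value is made up), and decryption itself is not done here because the standard library has no AES.

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files that can carry a cpassword (MS-GPPREF), as written under
# Policies\{GPO-GUID}\{Machine,User}\Preferences\<type>\
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# The attribute naming the account differs per preference type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def normalise_cpassword(cpassword: str) -> bytes:
    """GPP strips the '=' padding from the base64 cpassword; restore it, return the AES-CBC ciphertext."""
    padded = cpassword + "=" * (-len(cpassword) % 4)
    raw = base64.b64decode(padded)
    if not raw or len(raw) % 16:
        raise ValueError("cpassword is not a whole number of 16-byte AES blocks")
    return raw


def find_cpasswords(xml_bytes: bytes, path: str = "<inline>"):
    """Parse one GPP XML document; return every element whose Properties carry a cpassword."""
    findings = []
    for elem in ET.fromstring(xml_bytes).iter():
        props = elem.find("Properties")
        if props is None or "cpassword" not in props.attrib:
            continue
        account = next((props.attrib[a] for a in ACCOUNT_ATTRS if a in props.attrib), None)
        findings.append({
            "file": path,
            "element": elem.tag,  # User, NTService, Task, DataSource, Drive, SharedPrinter, ...
            "account": account,
            "changed": elem.attrib.get("changed"),
            "ciphertext": normalise_cpassword(props.attrib["cpassword"]),
        })
    return findings


def scan_sysvol(root_dir: str):
    """Walk a Policies tree (e.g. \\\\dc\\SYSVOL\\<domain>\\Policies mounted locally)."""
    results = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                try:
                    results.extend(find_cpasswords(fh.read(), path))
                except ET.ParseError:
                    continue  # malformed file: skip it rather than abort the sweep
    return results


# Constructed sample Groups.xml in the shape GPP writes; the cpassword is a made-up
# 32-byte value with its base64 padding stripped, exactly as GPP stores real ones.
SAMPLE_GROUPS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
        image="2" changed="2017-03-01 10:15:22" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        userName="Administrator (built-in)"/>
  </User>
</Groups>
"""


def demo_scan():
    """Build a throw-away SYSVOL-like tree holding the sample (under the Default Domain Policy GUID) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo = os.path.join(tmp, "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                           "Machine", "Preferences", "Groups")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "wb") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for hit in demo_scan():
        print(f"{hit['file']}: {hit['element']} {hit['account']!r} changed {hit['changed']}, "
              f"{len(hit['ciphertext'])} bytes of AES-256-CBC ciphertext")
```

To recover the password, decrypt `ciphertext` with AES-256-CBC, a zero IV and the 32-byte key printed on the MSDN page the slide cites, then decode the UTF-16LE result; any AES library will do. Run against a real SYSVOL the same function also finds the cpassword entries that remain after the MS14-025 patch, since the patch stops new ones being written but does not remove existing ones.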
20. Passwords stored in SYSVOL: Mitigation & Detection
• Install KB2962486 (MS14-025) to stop new credentials from being stored in GPP, and delete the existing XMLs/Group Policies that contain a cpassword (the patch does not remove them)
• Plant an XML with a "Password" in SYSVOL as a honey file
• Configure a SACL on that XML to audit access to it
22. Why do we need to Privilege Escalate?
• Gain access to implicit trust relationship artifacts
• Assume artifacts found on one machine can be used to access other machines
• More information: http://foofus.net/goons/hinge/presos/insidious-implicit-windows-trust-relationships.pdf
25. Dump Credentials Mitigation
• Audit for misconfigurations that can lead to privilege escalation with windows-privesc-check (https://github.com/pentestmonkey/windows-privesc-check) or PowerUp (https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc)
• Install KB2871997 on Windows 7, 8, Server 2008 and 2012 (back-ports the Windows 8.1 credential protections, including support for disabling WDigest cleartext caching)
• Deploy application whitelisting (AppLocker & Device Guard)
• Get rid of Windows Server 2003
• Have different trust levels for machines – Domain Admins should not log on to machines with a lower trust level
26. Dump Credentials Detection
• Monitor the registry value "UseLogonCredential" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
• A value of "1" enables cleartext passwords to be stored in LSASS again; attackers set it and wait for the next logon, so the value should stay absent or "0"
• Honey credentials
27. Dump Credentials Detection (Not a good idea)
● Detect mimikatz in memory using Sysmon (be careful of the performance impact)
● Look for loading of
○ C:\Windows\System32\WinSCard.dll
○ C:\Windows\System32\cryptdll.dll
○ C:\Windows\System32\hid.dll
○ C:\Windows\System32\samlib.dll
○ C:\Windows\System32\vaultcli.dll
● LSA Protection Enabled - mimidrv.sys (mimikatz’s driver to turn off LSA Protection)
● More information:
https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow ← Sysmon Tutorial
https://medium.com/@lennartkoopmann/explaining-and-adapting-tays-sysmon-configuration-27d9719a89a8#.c8sokq3nj
https://cyberwardog.blogspot.sg/2017/03/chronicles-of-threat-hunter-hunting-for.html
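The per-process correlation this slide describes, as an added Python example (not the deck's code and not taken from the linked Sysmon tutorial): Sysmon Event ID 7 (Image loaded) records are grouped by ProcessGuid and a process is reported only once it has loaded the whole DLL set listed above. The records are constructed; in production the rule would also bound the time window and carry an allow-list, because several of these DLLs are loaded by legitimate software, which is the performance and false-positive cost the slide warns about.

```python
"""Correlate Sysmon Event ID 7 (Image loaded) records per process against the DLL set on slide 27."""
from collections import defaultdict

# DLL set from the slide, lower-cased for case-insensitive comparison with ImageLoaded.
MIMIKATZ_DLL_SET = {
    r"c:\windows\system32\winscard.dll",
    r"c:\windows\system32\cryptdll.dll",
    r"c:\windows\system32\hid.dll",
    r"c:\windows\system32\samlib.dll",
    r"c:\windows\system32\vaultcli.dll",
}


def _load(guid, image, dll):
    """Build one constructed Sysmon Event ID 7 record (field names follow Sysmon's schema)."""
    return {"EventID": 7, "ProcessGuid": guid, "Image": image, "ImageLoaded": dll}


# Constructed telemetry, not real logs: P-1 loads the full set, P-2 only two of them.
SAMPLE_SYSMON = [
    _load("{P-1}", r"C:\Users\alice\Downloads\tool.exe", r"C:\Windows\System32\WinSCard.dll"),
    _load("{P-1}", r"C:\Users\alice\Downloads\tool.exe", r"C:\Windows\System32\cryptdll.dll"),
    _load("{P-1}", r"C:\Users\alice\Downloads\tool.exe", r"C:\Windows\System32\hid.dll"),
    _load("{P-1}", r"C:\Users\alice\Downloads\tool.exe", r"C:\Windows\System32\samlib.dll"),
    _load("{P-1}", r"C:\Users\alice\Downloads\tool.exe", r"C:\Windows\System32\vaultcli.dll"),
    _load("{P-2}", r"C:\Windows\System32\LogonUI.exe", r"C:\Windows\System32\WinSCard.dll"),
    _load("{P-2}", r"C:\Windows\System32\LogonUI.exe", r"C:\Windows\System32\hid.dll"),
    {"EventID": 1, "ProcessGuid": "{P-3}", "Image": r"C:\Windows\System32\cmd.exe"},  # ignored
]


def processes_loading_dll_set(events, required=MIMIKATZ_DLL_SET):
    """Return sorted (ProcessGuid, Image) for every process whose Event 7 records cover
    the whole required DLL set. Events other than ID 7 are ignored."""
    loaded = defaultdict(set)
    image_of = {}
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        guid = ev["ProcessGuid"]
        image_of[guid] = ev["Image"]
        loaded[guid].add(ev["ImageLoaded"].lower())
    return sorted((guid, image_of[guid]) for guid, dlls in loaded.items() if required <= dlls)


def missing_dlls(events, guid, required=MIMIKATZ_DLL_SET):
    """Which of the required DLLs a given process has not loaded; handy when tuning
    the rule against a noisy but benign process."""
    seen = {ev["ImageLoaded"].lower() for ev in events
            if ev.get("EventID") == 7 and ev["ProcessGuid"] == guid}
    return sorted(required - seen)


if __name__ == "__main__":
    for guid, image in processes_loading_dll_set(SAMPLE_SYSMON):
        print(f"full DLL set loaded by {image} ({guid})")
```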
30. User Account Control (UAC) is Enabled!
• UAC was introduced in Windows Vista
• Runs processes with standard user rights even if the user is in the Administrators group, unless explicit permission is given
31. UAC Bypass
• Old School
• Privileged File Copy (IFileOperation COM)
• DLL Hijacking
• Auto-elevation
• New School
• Fileless UAC Bypass via Registry Hijacking
• Write to HKCU\Software\Classes\mscfile\shell\open\command
• Launch eventvwr.exe
• More information:
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
https://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/
32. UAC Bypass Mitigation & Detection
• Reduce the number of users with Administrator privileges
• Set the UAC level to “Always Notify” instead of the default configuration (the default can be bypassed with Disk Cleanup)
• Monitor the Registry entry “HKCU\Software\Classes\mscfile\shell\open\command”
• More information:
https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
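Monitoring the registry entry named on this slide with Sysmon, as an added Python example that is not from the deck. Sysmon reports writes to HKCU under the user's SID hive (HKU\S-1-5-21-...\Software\...), so the match has to be on that form rather than on the literal HKCU path; the SID, user name, process image and value contents in the sample records are constructed.

```python
"""Flag Sysmon registry events (IDs 12/13) that touch the mscfile handler key from slide 32."""
import re

# Sysmon logs HKCU paths as HKU\<user SID>\..., so match the hive-qualified form.
# Group 1 captures the SID so the alert can say whose hive was modified.
MSCFILE_COMMAND_RE = re.compile(
    r"^HKU\\(S-1-5-21-[\d-]+)\\Software\\Classes\\mscfile\\shell\\open\\command(?:\\.*)?$",
    re.IGNORECASE,
)

# Constructed Sysmon registry records (field names follow Sysmon's schema; values are made up).
_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
_HIJACK_KEY = rf"HKU\{_SID}\Software\Classes\mscfile\shell\open\command"
SAMPLE_REGISTRY_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey", "User": r"LAB\alice", "ProcessId": 4242,
     "Image": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "TargetObject": _HIJACK_KEY},
    {"EventID": 13, "EventType": "SetValue", "User": r"LAB\alice", "ProcessId": 4242,
     "Image": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "TargetObject": _HIJACK_KEY + r"\(Default)", "Details": "CONSTRUCTED-COMMAND-LINE"},
    {"EventID": 13, "EventType": "SetValue", "User": r"LAB\alice", "ProcessId": 1337,
     "Image": r"C:\Windows\explorer.exe",                     # benign shell activity
     "TargetObject": rf"HKU\{_SID}\Software\Classes\Local Settings\MuiCache\1\52C64B7E\LanguageList",
     "Details": "en-US"},
]


def to_hkcu(target_object):
    """Rewrite HKU\\<SID>\\... to HKCU\\... so reports use the path the slide names."""
    return re.sub(r"^HKU\\S-1-5-21-[\d-]+\\", r"HKCU\\", target_object, flags=re.IGNORECASE)


def detect_mscfile_hijack(events):
    """Return one alert dict per key-creation or value-set event under the mscfile
    command key. Other event IDs and other keys are ignored."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in (12, 13):
            continue
        match = MSCFILE_COMMAND_RE.match(ev.get("TargetObject", ""))
        if not match:
            continue
        alerts.append({
            "sid": match.group(1),
            "user": ev.get("User"),
            "image": ev.get("Image"),
            "event_type": ev.get("EventType"),
            "key": to_hkcu(ev["TargetObject"]),
            "details": ev.get("Details"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mscfile_hijack(SAMPLE_REGISTRY_EVENTS):
        print(f"{alert['event_type']} on {alert['key']} by {alert['image']} ({alert['user']})")
```

The key does not exist on a default Windows install, so its creation alone (Event ID 12) is already worth an alert; the value-set event adds the command that would be run, which is what the responder needs to triage.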
33. Situational Awareness
• Port Scan
• DNS Enumeration (SRV records, *._tcp.domain.com)
• Password / Hash Spray
• Service Principal Name (SPN) Scanning
• Domain Enumeration & Admin Hunting
• BloodHound
34. Password / Hash Spray
• Quick and dirty way to identify access across the network
• Good for a pen test that doesn’t require stealth
35. Service Principal Name (SPN) Scanning
• An SPN uniquely identifies a service instance for Kerberos authentication
• Gather services across the domain (without a single port scanned!)
36. Service Principal Name (SPN) Scanning
• PowerShell scripts from Sean Metcalf
https://github.com/PyroTek3/PowerShell-AD-Recon
• Comprehensive list of SPNs
http://adsecurity.org/?page_id=183
• How SPNs are used by Kerberos
http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
39. Domain Enumeration with PowerView
• PowerView
• Based on PowerShell
• Capitalizes on PowerShell alternatives for the “NET” command
• Capitalizes on the Win32 API
• Gains network situational awareness
• More Information:
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
44. Admin Hunting with PowerView
• Implicit trust relationship
• Look at where the current user has Local Administrators rights
• Look for where privileged users are logged on
• Target machines with privileged users
• Steal their tokens / credentials
• Profit!
45. Admin Hunting with PowerView
• Invoke-UserHunter
• Get a list of hosts from AD
• Get a list of users of a specific Domain Group (Domain Admins/Local Administrators)
• Run NetSessionEnum (User Sessions) and NetWkstaUserEnum (Logged On Users) with the information gathered
• (Optionally) Check if the current user has Local Administrators rights on each host
• More Information
http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20
http://www.slideshare.net/harmj0y/i-have-the-powerview
46. Admin Hunting with PowerView
Source: http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20
48. BloodHound
• Provides a graphical representation of attack paths based on information gathered via a customized PowerView
• Simplifies Admin Hunting across the network to achieve Derivative Local Admin
• More information
https://wald0.com/?p=14
http://www.slideshare.net/AndyRobbins3/six-degrees-of-domain-admin-bloodhound-at-def-con-24
https://github.com/BloodHoundAD/BloodHound/wiki
50. Domain Enumeration Mitigation
• Use Net Cease to modify the NetSessionEnum default permissions
https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
• Upgrade to Windows 10 and Windows Server 2016
• Use SAMRi10 to restrict Remote SAM Queries (>= Win 10 & Server 2016)
https://www.bleepingcomputer.com/news/security/microsoft-researchers-release-anti-reconnaissance-tool-named-samri10/
51. Lateral Movement
• Reuse cleartext credentials (Not working well after KB2871997)
• Pass the Hash (Not working well after KB2871997)
• Pass the Key (Overpass-the-hash)
• Impersonate Tokens
• Pass the Ticket
• Kerberoasting
52. Pass the Hash (PtH)
Source: http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
53. Pass the Hash (PtH)
• Not working well after KB2871997
• Local accounts cannot log in remotely
• PtH is still possible for
• Default Local Administrator (RID 500) hash
• Domain hashes
54. Pass the Key (Overpass the Hash)
• KB2871997 stops Windows from storing cleartext credentials in memory (LSASS)
• NTLM Hashes/(e)Keys are still stored in memory (SSO)
• Remember how a Kerberos ticket request is done?
57. Pass the Key (Overpass the Hash)
• The user’s secret key depends on the cipher used
• Exploit Steps
• Escalate privileges to Local Admin
• Dump Hashes/(e)Keys
• Create a new process and inject the stolen hash/(e)key into memory
• SSO will refer to the injected secret key in memory
• Impersonate the token of the newly created process
• Win!
58. Pass the Key (Overpass the Hash)
• User “labgg” is a Domain Admin logged in on the compromised machine
60. Pass the Key (Overpass the Hash)
• Some bug with Empire’s “shell” command, so switched it to Meterpreter
61. Pass the Key (Overpass the Hash)
More Information:
http://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/
http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
62. Pass the Ticket
• Export the Ticket-Granting-Ticket (TGT) from the memory of a compromised host
• Import the TGT into the attacker’s machine
• Profit!
63. Pass the Ticket with MS14-068
• MS14-068
• Privilege escalation from Authenticated Domain User to Domain Admin by forging the PAC
• The PAC stores Authorization Data (Group Membership, Security Identifier)
• Improper validation of the Privilege Attribute Certificate (PAC) signature
64. Pass the Ticket with MS14-068
More Information:
https://labs.mwrinfosecurity.com/blog/digging-into-ms14-068-exploitation-and-defence/
https://www.trustedsec.com/december-2014/ms14-068-full-compromise-step-step/
https://github.com/bidord/pykek/
66. Kerberoasting
• A Service Ticket can be obtained without actually using it
• The Service Ticket issued by the TGS is encrypted with the target service account’s secret key
• Service Accounts are usually privileged accounts on the domain
67. Kerberoasting
• Why not just crack it?
• Offline attack without contacting the target service’s machine
Source: https://adsecurity.org/?p=2293
70. Kerberoasting Mitigation
• Use passwords with >=25 characters for Service Accounts
• Use Managed Service Accounts
• More Information:
https://adsecurity.org/?p=2293
https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx
71. Kerberoasting Detection
• Enable “Audit Kerberos Service Ticket Operations” for Success
• Look for Event 4769 with Ticket Options 0x40810000 and Ticket Encryption Type RC4 (0x17/0x18)
• Create a Honey Service ☺
• More information:
https://adsecurity.org/?p=3458
https://adsecurity.org/?p=3513
72. Lateral Movement Mitigation
• Deploy Microsoft LAPS on servers and workstations to manage Local Administrator passwords
• Deploy Group Policy: “Deny access to this computer from the network” & “Deny log on through Remote Desktop Services” for “Local account and member of Administrators group” or “*S-1-5-114” [blocks RID 500 accounts]
• Add users with high privileges to the “Protected Users” group if possible
• Network Segmentation – It’s always about the Trust Path
• Restrict workstation-to-workstation communication with GPO – Windows Firewall
• More Information:
https://adsecurity.org/?p=3299
https://adsecurity.org/?p=3377
https://technet.microsoft.com/en-us/library/dn466518.aspx
73. Lateral Movement Mitigation
• Different tiers of administrators for different tiers of servers & workstations
More Information:
https://technet.microsoft.com/en-us/library/mt631193.aspx
74. Lateral Movement Detection
• Turn on auditing for Local Account Logon
• Turn on auditing for Kerberos
• Look out for domain names in lower case / non-standard form (not comprehensive)
• Look out for Ticket Encryption Type 0x17/0x18 for RC4 (not comprehensive)
• More Information:
https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
https://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/
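Detection logic for the Event 4769 indicators on slides 71 and 74 (RC4 service tickets requested with Ticket Options 0x40810000, and realm names that are not in the canonical upper-case form), as an added Python example that is not part of the deck. The event records, account names and the realm name LAB.LOCAL are constructed; the distinct-service threshold is a tuning assumption, and computer accounts and krbtgt are left out of the Kerberoast count because their RC4 tickets are routine rather than crackable service-account material.

```python
"""Detections over Security Event ID 4769 (Kerberos service ticket requested): slides 71 and 74."""
from collections import defaultdict

EXPECTED_REALM = "LAB.LOCAL"      # assumption: canonical upper-case realm of the monitored domain
RC4_ETYPES = {0x17, 0x18}         # RC4-HMAC / RC4-HMAC-EXP ticket encryption types
KERBEROAST_OPTIONS = 0x40810000   # ticket options the slide pairs with Kerberoast requests


def _ev(user, domain, service, etype, options="0x40810000", status="0x0"):
    """Build one constructed 4769 record; field names follow the Windows event XML."""
    return {"EventID": 4769, "TargetUserName": user, "TargetDomainName": domain,
            "ServiceName": service, "TicketOptions": options,
            "TicketEncryptionType": etype, "Status": status}


# Constructed log data, not real events.
SAMPLE_4769 = [
    _ev("alice@LAB.LOCAL", "LAB.LOCAL", "svc_sql", "0x17"),
    _ev("alice@LAB.LOCAL", "LAB.LOCAL", "svc_web", "0x17"),
    _ev("alice@LAB.LOCAL", "LAB.LOCAL", "svc_backup", "0x17"),
    _ev("alice@LAB.LOCAL", "LAB.LOCAL", "krbtgt", "0x17"),             # TGT renewal: excluded
    _ev("alice@LAB.LOCAL", "LAB.LOCAL", "FILE01$", "0x17"),            # computer account: excluded
    _ev("bob@LAB.LOCAL", "LAB.LOCAL", "svc_sql", "0x12"),              # AES256: ordinary SSO
    _ev("bob@LAB.LOCAL", "LAB.LOCAL", "svc_web", "0x17", status="0x1b"),  # failed request: excluded
    _ev("mallory@lab.local", "lab.local", "DC01$", "0x17"),            # lower-case realm (slide 74)
]


def _hex(value):
    return int(value, 16)


def is_rc4_service_ticket(ev):
    """Slide 71 filter: successful 4769 with the Kerberoast ticket options, an RC4 etype,
    and a user (not computer, not krbtgt) service account."""
    service = ev["ServiceName"]
    return (
        ev.get("Status", "0x0") == "0x0"
        and _hex(ev["TicketOptions"]) == KERBEROAST_OPTIONS
        and _hex(ev["TicketEncryptionType"]) in RC4_ETYPES
        and service.lower() != "krbtgt"
        and not service.endswith("$")
    )


def kerberoast_candidates(events, min_distinct_services=3):
    """Requesters that pulled RC4 tickets for at least min_distinct_services distinct
    service accounts (threshold is a constructed tuning value)."""
    per_user = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 4769 and is_rc4_service_ticket(ev):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= min_distinct_services}


def rc4_ticket_events(events):
    """Slide 74 filter: every successful service ticket issued with an RC4 etype, whoever
    requested it. Noisy on its own; use it as the domain's RC4 baseline."""
    return [(ev["TargetUserName"], ev["ServiceName"]) for ev in events
            if ev.get("EventID") == 4769 and ev.get("Status") == "0x0"
            and _hex(ev["TicketEncryptionType"]) in RC4_ETYPES]


def nonstandard_domain_events(events, expected_realm=EXPECTED_REALM):
    """Slide 74 filter: realm name that is not the canonical form (e.g. lower case),
    compared case-sensitively on purpose."""
    return [(ev["TargetUserName"], ev["TargetDomainName"]) for ev in events
            if ev.get("EventID") == 4769 and ev["TargetDomainName"] != expected_realm]


if __name__ == "__main__":
    print("kerberoast candidates:", kerberoast_candidates(SAMPLE_4769))
    print("rc4 tickets:", rc4_ticket_events(SAMPLE_4769))
    print("non-standard realm:", nonstandard_domain_events(SAMPLE_4769))
```

Feed these functions the 4769 records exported from the domain controllers (the second dfir-blog link above covers parsing the event log); the honey service from slide 71 then becomes a single ServiceName that should never appear in `rc4_ticket_events` at all.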
76. Hash Dump & Crack The Hashes
• Old School
• Get the NTDS.dit file
• Backup
• Virtual Machine Disk
• Shadow Volume
• Process NTDS.dit for hashes
• New School
• DCSync (no need for direct access to NTDS.dit)
77. DCSync
• Impersonate a Domain Controller
• Replicate user credentials via the Directory Replication Service (DRS) Remote Protocol
• No code execution required, however “Domain Admins” privilege is needed
• If used with “Domain Controllers” privilege, it will not be logged
79. Golden Ticket
• Forged TGT with Admin privilege, then PTT
• TGT is encrypted & signed by the Domain KRBTGT’s secret key
• Important to note that the KRBTGT’s password is almost never changed
• Information required to create a Golden Ticket
• Domain Name
• Domain SID
• Domain KRBTGT NTLM Hash/(e)Keys
• User ID for impersonation
83. Silver Ticket
• Forged Service Ticket
• Requires only the service account key instead of KRBTGT
• Access is restricted to the specific service
• More Information:
https://adsecurity.org/?p=2011
86. Persistence Mitigation and Detection
• Change KRBTGT’s password twice (to purge the password history) and regularly
• Look out for RC4 Kerberos traffic – from Vista onwards the default cipher for Kerberos is AES (not comprehensive)
• Use Group Managed Service Accounts
• More information:
https://adsecurity.org/?p=1515
87. Mitigations for PowerShell Activities
● Lock down PowerShell.exe, PowerShell_ISE.exe (not ideal)
● Uninstall PowerShell v2
● Use PowerShell v5 with
○ Constrained Language Mode with AppLocker / Device Guard
○ Log all PowerShell activities (Module Logging, Script Block Logging, system-wide Transcript Logging)
● More information:
https://adsecurity.org/?p=2604
88. Microsoft Advanced Threat Analytics (ATA)
• Machine Learning platform to detect quite a number of the things we have discussed
• Receives logs and events from SIEM and Windows Event Forwarding (WEF)
• More information:
https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats
https://adsecurity.org/?p=1583
https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-8b0a86bc/file/169608/1/ATA%20Playbook.pdf
89. Microsoft Advanced Threat Analytics
Source: https://blogs.technet.microsoft.com/enterprisemobility/2015/05/04/microsoft-advanced-threat-analytics-public-preview-release-is-now-available/
91. Reference
• Adversarial Tactics, Techniques & Common Knowledge
https://attack.mitre.org/wiki/Main_Page
• Attack Methods for Gaining Domain Admin Rights in Active Directory
https://adsecurity.org/?p=2362
• Protecting Windows Networks – Kerberos Attacks
https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
• The Most Common Active Directory Security Issues and What You Can Do to Fix Them
https://adsecurity.org/?p=1684
• Building an Empire with PowerShell
http://www.slideshare.net/harmj0y/building-an-empire-with-powershell
92. Reference
• Mimikatz and DCSync and ExtraSids, Oh My
http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
• Make PowerView Great Again
http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
• Six Degrees of Domain Admin
https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Robbins-Vazarkar-Schroeder-Six-Degrees-of-Domain-Admin.pdf
• Kerberos, Kerberoast and Golden Tickets
https://leonjza.github.io/blog/2016/01/09/kerberos-kerberoast-and-golden-tickets/
• Mimikatz 2.0 - Silver Ticket Walkthrough
https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html#Why