Enumerating Active Directory: Lateral Movement and Privilege Escalation

•

0 likes•167 views

Attackers first gain access to an endpoint, then use enumeration tools to learn about the Active Directory environment and discover privileged accounts and configurations that can enable lateral movement and privilege escalation. They analyze the directory to find the easiest points of access, leveraging outdated, unknown, or improperly secured settings and delegations. Their goal is to spread ransomware or steal data with actions that may not log or can bypass logging.

Software

© A L S I D C O P Y R I G H T 2 0 2 1
Enumerating Active Directory:
Lateral Movement and Privilege Escalation
Security Evangelist & Microsoft MVP

AtTACK structure
© A L S I D C O P Y R I G H T 2 0 2 1
The attackers are looking for the easiest path into the network, then they
want to move laterally and gain privileges. Once obtained, they can spread
ransomware, steal data, and more.
1 2 3 4 5 6
Infect endpoint with
phishing or e-mail
attack, and gain local
admin privileges
Install payload, disable
local defense, start to
enumerate AD and the
network topology
Attempt to move
laterally, to other
endpoints, servers,
and devices
Exploit known
configurations to gain
privileges on different
servers using AD
Create backdoors and
persistence within AD
and other network
devices
Collect data and/or
encrypt data - Steal
data for economic
intelligence
Attack
Steps

Enumeration tools
© A L S I D C O P Y R I G H T 2 0 2 1
Bloodhound
PowerView
Ldapdomaindump
Adidnsdump
ACLight
ADRecon
Domains and trusts
Domain SID
Password Policy
DCs
Domain Users and attributes
Domain computers
Domain Groups and
Members
Shared folders
Group Policies
OUs
ACLs
Sessions
Local Admin Rights
…
AdminTo
MemberOf
HasSession
ForceChangePassword
AddMembers
CanRDP
CanPSRemote
ExecuteDCOM
SQLAdmin
AllowedToDelegate
GetChangesAll
GenericAll
WriteDacl
Owns
…
Sources:
https://bloodhound.readthedocs.io/en/latest/data-analysis/nodes.html
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#useful-enumeration-tools
https://mcpmag.com/articles/2019/11/13/bloodhound-active-directory-domain-admin.aspx
Tools Objects/settings Actions/privileges

Analyzing the enumeration
© A L S I D C O P Y R I G H T 2 0 2 1
Leverage Unknown
Settings
- Kerberos
Delegations
- adminSDHolder
- adminCount
- SYSVOL
permissions
Leverage Cloud
Settings
- AAD Connect
permissions
- AAD Sync
- AAD SSO
- Bounce to Azure AD
Leverage Old
Settings
- Service Principal
Names
- Primary Group ID
- SIDHistory
- AD Delegations
- GP Delegations

ATTACKER strategy
© A L S I D C O P Y R I G H T 2 0 2 1
Enumeration of
Active Directory and
all settings
▪ AD is « old »
▪ AD installation was made
10+ years ago
▪ AD is changing every day
Analysis of AD to find
easiest target
▪ Attackers don’t analyze the
« world » with lines &
columns but with graphs
▪ Remember, every user has a
read access to AD
Leverage actions
which don’t log
▪ Security logs are not really
useful
▪ Attackers can bypass the
logs
▪ Attackers implement
backdoors under the SIEM
radar

In a nutshell
© A L S I D C O P Y R I G H T 2 0 2 1
▪ No users with
local admin rights
▪ Encrypt local disk
▪ Use LAPS (free)
▪ Implement EDR
▪ Harden your
endpoint
configuration
▪ Do not base your
security strategy
only on logs
▪ Implement
Microsoft Tier-
model
▪ Detect in real-
time AD security
deviances &
Attack paths
▪ Detect in real-
time AD attacks
Final advice: Doubt about yourself ! Too much self-
confidence is the first enemy of cybersecurity…

© A L S I D C O P Y R I G H T 2 0 2 0
alsid.com
you.

The document discusses the importance of server security and highlights key cloud security risks. It begins by establishing that servers are critical for storing customer data and content. The main sections cover the role of servers, cloud computing models, and the top 4 OWASP cloud security risks: accountability and data risks, issues with managing user identities across providers, challenges with regulatory compliance given data locations, and ensuring business continuity during outages. The document emphasizes that both data owners and cloud providers share responsibility for security and compliance.

Privacy Preserving Searchable Encryption with Fine-grained Access Control

JAYAPRAKASH JPINFOTECH

Présentation ELK/SIEM et démo Wazuh

Aurélie Henriot

CipherCloud for Any App

CipherCloud

CipherCloud for Any App uses a gateway architecture to provide transparent access to cloud applications while enforcing security controls on a field-by-field basis. Encryption keys remain on-premises so that unauthorized users cannot access decrypted data in the cloud. CipherCloud retains application functionality like search and sorting even on encrypted data, and provides activity monitoring and auditing of cloud usage.

Q radar pci-v2-matrix

CMR WORLD TECH

The QRadar Security Intelligence Platform is a family of security solutions that provides risk management, log management, network behavior analytics, and security event management through a single integrated console. More than 1700 customers worldwide use QRadar as the most intelligent, integrated and automated security intelligence solution available. QRadar helps address PCI DSS 2.0 requirements through log management, security information and event management (SIEM), and risk management capabilities.

Network ssecurity toolkit

أحلام انصارى

This document discusses network security and introduces several common network security tools. It begins by defining network security and explaining the importance of securing a network. It then profiles six security tools: Snort is an open-source network intrusion detection and prevention system that can detect attacks and probes. Ettercap is used for network protocol analysis and can intercept traffic, capture passwords, and conduct eavesdropping. Sam Spade is a network tool suite that finds public information about IP and DNS addresses. BackTrack is a Linux distribution focused on penetration testing. Hydra performs rapid dictionary attacks against network protocols. Deep Freeze makes computer configurations indestructible by wiping out any changes made during a session.

NuCypher - A Security and Encryption Platform for Big Data

MacLane Wilkison

Sécurité Active Directory : 10 ans d’échec, mais beaucoup d’espoir ! - Par Ro...

Identity Days

Pierre angulaire du système de sécurité de nos infrastructures, Active Directory (AD) est aussi, malheureusement, l’un de ses maillons les plus faibles. Depuis le début des années 2000, il est le dénominateur commun de toutes les attaques de grande ampleur visant les ordinateurs et les systèmes d’information des entreprises. La récente annonce de la compromission de 3 grands éditeurs d’anti-virus en raison de la vulnérabilité de leur infrastructure AD est un exemple révélateur, quoi qu’ironique. Et étonnamment, la cause première de ces attaques n’est pas toujours une vulnérabilité logicielle ou une faiblesse architecturale. Bien plus souvent que vous pourriez le penser, il arrive qu’elles soient dues à des mesures de sécurité mal implémentées, voire franchement contre productives, qui causent plus de problèmes qu’elles n’en règlent. Durant cette conférence, nous ferons la lumière sur les échecs les plus cuisants qu’il nous a été donné de voir lors de réponses à des attaques réelles. Nous présenterons en détail des scénarios d’attaque déployés par des hackers pour s’introduire dans l’AD de leurs victimes et pour semer le chaos dans leurs données. En prenant en compte ce que nous savons des menaces les plus récentes, nous présenterons ensuite des stratégies pragmatiques permettant de reprendre le contrôle de nos infrastructures AD.

1. Create a diagram of the relevant processes, data stores, data flows, and external entities. 2. Apply the STRIDE methodology to systematically identify potential threats to each element in the diagram. 3. Mitigate the identified threats through techniques like redesigning to eliminate threats, applying standard security controls, or inventing new controls. 4. Validate that the threat modeling process was comprehensive by ensuring all elements and potential threats were considered, and that the proposed mitigations adequately address the threats.

Will your cloud be compliant

Evgeniya Shumakher

Get to know which security standards are applicable to OpenStack clouds Evgeniya Shumakher, Mirantis Compliance with critical industry and regulatory standards used to be mostly the concern of application makers and customers integrating their solutions. Cloud computing – especially IaaS – has made things a lot more complicated. Meanwhile, emerging cloud-specific standards, like FedRAMP or CSA cloud security guidelines, are suggesting new, complex and stringent requirements – while also offering critical guidance. The presentation offers an inside look at the process: The most important compliance and security standards for cloud builders, Where existing OpenStack resources can fully or partially solve common compliance problems Where standards support within OpenStack is currently thin The common workflow for architecting standards-compliant clouds, Common risks and emerging opportunities. Take a closer look at PCI Compliance for private OpenStack clouds Scott Carlson, PayPal PCI Compliance is very important for large financial institutions. As one of the larger installations of OpenStack within the Financial space, PayPal has driven forward the PCI conversation and will be sharing the technical perspective on the following related to PCI and OpenStack Private Clouds: How does OpenStack fit into an existing PCI-Compliant Environment When there is not an external Cloud Service Provider, how does your team need to compensate What are the design choices required to continue to be PCI-Compliant Physical versus Logical devices Hypervisor versus Guest compliance Management Networks for PCI and non-PCI Zones The case study won’t give a fully prescriptive talk on how to obtain PCI compliance, because there is a lot more to gaining compliance than just making your cloud compliant, but will help to understand: Where existing OpenStack resources can fully or partially solve PCI compliance problems, Where OpenStack community needs to join together to solve in order to continue growth into PCI-compliant spaces.

DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...

DataStax

This talk will review the advanced security features in DataStax Enterprise and discuss best practices for secure deployments. In particular, topics reviewed will cover: Authentication with Kerberos & LDAP/Active Directory, Role-based Authorization and LDAP role assignment, Auditing, Securing network communication, Encrypting data files and using the Key-Management Interoperability Protocol (KMIP) for secure off-host key management. The talk will also suggest strategies for addressing security needs not met directly by the built-in features of the database such as how to address applications that require Attribute Based Access Control (ABAC). About the Speaker Matt Kennedy Sr. Product Manager, DataStax Matt Kennedy works at DataStax as the product manager for DataStax Enterprise Core. Matt has been a Cassandra user and occasional contributor since version 0.7 and was named a Cassandra MVP in 2013 shortly before joining DataStax. Unlike Cassandra, Matt is not partition tolerant.

CIS13: Next Generation Privileged Identity Management: A Market Overview

CloudIDSummit

The document discusses next generation privileged identity management. It describes how enterprises are moving to hybrid cloud environments which increase security risks and complexity for managing privileged access. Next generation PIM solutions need to provide comprehensive control across on-premise, virtualized and cloud systems through features like credential vaulting, access control, session monitoring and attribution. The document promotes Xceedium's Xsuite product as a solution that uniquely addresses requirements for controlling and auditing privileged access in highly dynamic cloud environments.

Get started with Cloudera's cyber solution

Cloudera, Inc.

Cloudera empowers cybersecurity innovators to proactively secure the enterprise by accelerating threat detection, investigation, and response through machine learning and complete enterprise visibility. Cloudera’s cybersecurity solution, based on Apache Spot, enables anomaly detection, behavior analytics, and comprehensive access across all enterprise data using an open, scalable platform. But what’s the easiest way to get started?

Multi-Cloud, Multi-Network Cyber Awareness, Monitoring and Management by Fran...

TheAnfieldGroup

This document describes a partnership between SolarWinds and BlueSpace to provide cross-domain cyber situational awareness, monitoring, and management. It summarizes SolarWinds' network monitoring software capabilities and introduces BlueSpace's Sentinel product, which uses BlueSpace's SmartXD technology to enable cross-domain access to SolarWinds' Enterprise Operations Console for improved cyber monitoring across isolated networks and clouds in a secure manner. The solution aims to increase visibility and efficiency while simplifying certification.

Kripta Key Product Key Management System.pdf

langkahgontay88

Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...

AWS Chicago

Snowflake Data Science and AI/ML at Scale

Adam Doyle

Creating a Multi-Layered Secured Postgres Database

EDB

The Hacking Games - Security vs Productivity and Operational Efficiency 20230119

lior mazor

Day 2 Dns Cert 4b Name Server Redirection

vngundi

- The document discusses nameserver redirection attacks and SQL injection attacks against domain name registry systems. - It provides examples of how attackers can change domain name registrations through SQL injection or by directly modifying registry databases to redirect traffic to malicious sites. - A live demonstration shows how SQL injection can be used to enumerate and modify a registry database, redirecting a domain to a rogue IP address and server. - Mitigation strategies include securing web applications, validating input, using authentication for changes, and information sharing about attacks.

SDX Pitch Deck (201) - Apresentação SDP 2024

PauloEduardoBitarJun

DDS-Security 1.2 - What's New? Stronger security for long-running systems

Gerardo Pardo-Castellote

F5 TLS & SSL Practices

Brian A. McHenry

The document discusses SSL/TLS trends, practices, and futures. It covers global SSL encryption trends and drivers like increased spending on security and regulatory pressure. It discusses SSL best practices like enabling TLS 1.2, disabling weak protocols, using strong cipher strings, and enabling HTTP Strict Transport Security. The document also looks at solutions from F5 like hardware security modules, advanced key and certificate management, and market leading encryption support. It explores emerging standards like TLS 1.3 and topics like elliptic curve cryptography. Finally, it discusses what's next such as OCSP stapling and F5's SSL everywhere architecture.

Escalation defenses ad guardrails every company should deploy

David Rowe

Webinar: Cloud Data Masking - Tips to Test Software Securely

Skytap Cloud

Cloud Security Top Threats

Tiago de Almeida

The document discusses the top threats to cloud computing as identified by the Cloud Security Alliance. The threats are: 1) abuse and nefarious use of cloud computing due to ease of access, 2) insecure interfaces and APIs that cloud services rely on, 3) malicious insiders such as employees with access to physical and virtual assets, 4) shared technology issues where one customer can impact others due to lack of isolation, 5) data loss or leakage through deletion or access of sensitive data, 6) account or service hijacking like credential theft, and 7) unknown risk profiles when companies do not track or disclose security information. Remediations are provided for each threat.

Vue d'ensemble Dremio

Modern Data Stack France

Dremio, une architecture simple et performance pour votre data lakehouse. Dans le monde de la donnée, Dremio, est inclassable ! C’est à la fois une plateforme de diffusion des données, un moteur SQL puissant basé sur Apache Arrow, Apache Calcite, Apache Parquet, un catalogue de données actif et aussi un Data Lakehouse ouvert ! Après avoir fait connaissance avec cette plateforme, il s’agira de préciser comment Dremio aide les organisations à relever les défis qui sont les leurs en matière de gestion et gouvernance des données facilitant l’exécution de leurs analyses dans le cloud (et/ou sur site) sans le coût, la complexité et le verrouillage des entrepôts de données.

Cybersécurité et Jeux d'Arcade

Sylvain Cortes

This document discusses cybersecurity lessons that can be learned from classic arcade games. It begins by thanking sponsors and introducing the speaker. Then each of 10 "rules" is presented, pairing a classic arcade game like Space Invaders or Donkey Kong with an analogous cybersecurity principle. For example, it notes that in Space Invaders hiding behind a wall is not enough for defense, just as passive defenses are not sufficient in cybersecurity. The document concludes by recommending a video of arcade games and mentioning additional resources.

Spraykatz installation & basic usage

Sylvain Cortes

Similar to Enumerating Active Directory: Lateral Movement and Privilege Escalation

Derbycon - The Unintended Risks of Trusting Active Directory

Will Schroeder

Introduction to threat_modeling

Prabath Siriwardena

Will your cloud be compliant

Evgeniya Shumakher

DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...

DataStax

CIS13: Next Generation Privileged Identity Management: A Market Overview

CloudIDSummit

Get started with Cloudera's cyber solution

Cloudera, Inc.

Multi-Cloud, Multi-Network Cyber Awareness, Monitoring and Management by Fran...

TheAnfieldGroup

Kripta Key Product Key Management System.pdf

langkahgontay88

Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...

AWS Chicago

Snowflake Data Science and AI/ML at Scale

Adam Doyle

Creating a Multi-Layered Secured Postgres Database

EDB

The Hacking Games - Security vs Productivity and Operational Efficiency 20230119

lior mazor

Day 2 Dns Cert 4b Name Server Redirection

vngundi

SDX Pitch Deck (201) - Apresentação SDP 2024

PauloEduardoBitarJun

DDS-Security 1.2 - What's New? Stronger security for long-running systems

Gerardo Pardo-Castellote

F5 TLS & SSL Practices

Brian A. McHenry

Escalation defenses ad guardrails every company should deploy

David Rowe

Webinar: Cloud Data Masking - Tips to Test Software Securely

Skytap Cloud

Cloud Security Top Threats

Tiago de Almeida

Vue d'ensemble Dremio

Modern Data Stack France

Similar to Enumerating Active Directory: Lateral Movement and Privilege Escalation (20)

Derbycon - The Unintended Risks of Trusting Active Directory

Introduction to threat_modeling

Will your cloud be compliant

DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...

CIS13: Next Generation Privileged Identity Management: A Market Overview

Get started with Cloudera's cyber solution

Multi-Cloud, Multi-Network Cyber Awareness, Monitoring and Management by Fran...

Kripta Key Product Key Management System.pdf

Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...

Snowflake Data Science and AI/ML at Scale

Creating a Multi-Layered Secured Postgres Database

The Hacking Games - Security vs Productivity and Operational Efficiency 20230119

Day 2 Dns Cert 4b Name Server Redirection

SDX Pitch Deck (201) - Apresentação SDP 2024

DDS-Security 1.2 - What's New? Stronger security for long-running systems

F5 TLS & SSL Practices

Escalation defenses ad guardrails every company should deploy

Webinar: Cloud Data Masking - Tips to Test Software Securely

Cloud Security Top Threats

Vue d'ensemble Dremio

Recently uploaded

GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)

Alina Yurenko

Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx

rickgrimesss22

GraphSummit Paris - The art of the possible with Graph Technology

Neo4j

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions

Peter Muessig

The UI5 tooling is the development and build tooling of UI5. It is built in a modular and extensible way so that it can be easily extended by your needs. This session will showcase various tooling extensions which can boost your development experience by far so that you can really work offline, transpile your code in your project to use even newer versions of EcmaScript (than 2022 which is supported right now by the UI5 tooling), consume any npm package of your choice in your project, using different kind of proxies, and even stitching UI5 projects during development together to mimic your target environment.

Vitthal Shirke Java Microservices Resume.pdf

Vitthal Shirke

Using Xen Hypervisor for Functional Safety

Ayan Halder

How to write a program in any programming language

Rakesh Kumar R

SWEBOK and Education at FUSE Okinawa 2024

Hironori Washizaki

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Neo4j

Fundamentals of Programming and Language Processors

Rakesh Kumar R

LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM

lorraineandreiamcidl

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App

Google

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App 👉👉 Click Here To Get More Info 👇👇 https://sumonreview.com/ai-fusion-buddy-review AI Fusion Buddy Review: Key Features ✅Create Stunning AI App Suite Fully Powered By Google's Latest AI technology, Gemini ✅Use Gemini to Build high-converting Converting Sales Video Scripts, ad copies, Trending Articles, blogs, etc.100% unique! ✅Create Ultra-HD graphics with a single keyword or phrase that commands 10x eyeballs! ✅Fully automated AI articles bulk generation! ✅Auto-post or schedule stunning AI content across all your accounts at once—WordPress, Facebook, LinkedIn, Blogger, and more. ✅With one keyword or URL, generate complete websites, landing pages, and more… ✅Automatically create & sell AI content, graphics, websites, landing pages, & all that gets you paid non-stop 24*7. ✅Pre-built High-Converting 100+ website Templates and 2000+ graphic templates logos, banners, and thumbnail images in Trending Niches. ✅Say goodbye to wasting time logging into multiple Chat GPT & AI Apps once & for all! ✅Save over $5000 per year and kick out dependency on third parties completely! ✅Brand New App: Not available anywhere else! ✅ Beginner-friendly! ✅ZERO upfront cost or any extra expenses ✅Risk-Free: 30-Day Money-Back Guarantee! ✅Commercial License included! See My Other Reviews Article: (1) AI Genie Review: https://sumonreview.com/ai-genie-review (2) SocioWave Review: https://sumonreview.com/sociowave-review (3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review (4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review #AIFusionBuddyReview, #AIFusionBuddyFeatures, #AIFusionBuddyPricing, #AIFusionBuddyProsandCons, #AIFusionBuddyTutorial, #AIFusionBuddyUserExperience #AIFusionBuddyforBeginners, #AIFusionBuddyBenefits, #AIFusionBuddyComparison, #AIFusionBuddyInstallation, #AIFusionBuddyRefundPolicy, #AIFusionBuddyDemo, #AIFusionBuddyMaintenanceFees, #AIFusionBuddyNewbieFriendly, #WhatIsAIFusionBuddy?, #HowDoesAIFusionBuddyWorks

Need for Speed: Removing speed bumps from your Symfony projects ⚡️

Łukasz Chruściel

No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception. In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed. We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.

Mobile App Development Company In Noida | Drona Infotech

Drona Infotech

ALGIT - Assembly Line for Green IT - Numbers, Data, Facts

Green Software Development

Energy consumption of Database Management - Florina Jonuzi

Green Software Development

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

rodomar2

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Neo4j

Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...

kalichargn70th171

A dynamic process unfolds in the intricate realm of software development, dedicated to crafting and sustaining products that effortlessly address user needs. Amidst vital stages like market analysis and requirement assessments, the heart of software development lies in the meticulous creation and upkeep of source code. Code alterations are inherent, challenging code quality, particularly under stringent deadlines.

What is Augmented Reality Image Tracking

pavan998932

Recently uploaded (20)

GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)

Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx

GraphSummit Paris - The art of the possible with Graph Technology

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions

Vitthal Shirke Java Microservices Resume.pdf

Using Xen Hypervisor for Functional Safety

How to write a program in any programming language

SWEBOK and Education at FUSE Okinawa 2024

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Fundamentals of Programming and Language Processors

LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App

Need for Speed: Removing speed bumps from your Symfony projects ⚡️

Mobile App Development Company In Noida | Drona Infotech

ALGIT - Assembly Line for Green IT - Numbers, Data, Facts

Energy consumption of Database Management - Florina Jonuzi

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...

What is Augmented Reality Image Tracking

Enumerating Active Directory: Lateral Movement and Privilege Escalation

1. © A L S I D C O P Y R I G H T 2 0 2 1 Enumerating Active Directory: Lateral Movement and Privilege Escalation Security Evangelist & Microsoft MVP

2. AtTACK structure © A L S I D C O P Y R I G H T 2 0 2 1 The attackers are looking for the easiest path into the network, then they want to move laterally and gain privileges. Once obtained, they can spread ransomware, steal data, and more. 1 2 3 4 5 6 Infect endpoint with phishing or e-mail attack, and gain local admin privileges Install payload, disable local defense, start to enumerate AD and the network topology Attempt to move laterally, to other endpoints, servers, and devices Exploit known configurations to gain privileges on different servers using AD Create backdoors and persistence within AD and other network devices Collect data and/or encrypt data - Steal data for economic intelligence Attack Steps

3. Enumeration tools © A L S I D C O P Y R I G H T 2 0 2 1 Bloodhound PowerView Ldapdomaindump Adidnsdump ACLight ADRecon Domains and trusts Domain SID Password Policy DCs Domain Users and attributes Domain computers Domain Groups and Members Shared folders Group Policies OUs ACLs Sessions Local Admin Rights … AdminTo MemberOf HasSession ForceChangePassword AddMembers CanRDP CanPSRemote ExecuteDCOM SQLAdmin AllowedToDelegate GetChangesAll GenericAll WriteDacl Owns … Sources: https://bloodhound.readthedocs.io/en/latest/data-analysis/nodes.html https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#useful-enumeration-tools https://mcpmag.com/articles/2019/11/13/bloodhound-active-directory-domain-admin.aspx Tools Objects/settings Actions/privileges

4. Analyzing the enumeration © A L S I D C O P Y R I G H T 2 0 2 1 Leverage Unknown Settings - Kerberos Delegations - adminSDHolder - adminCount - SYSVOL permissions Leverage Cloud Settings - AAD Connect permissions - AAD Sync - AAD SSO - Bounce to Azure AD Leverage Old Settings - Service Principal Names - Primary Group ID - SIDHistory - AD Delegations - GP Delegations

5. ATTACKER strategy © A L S I D C O P Y R I G H T 2 0 2 1 Enumeration of Active Directory and all settings ▪ AD is « old » ▪ AD installation was made 10+ years ago ▪ AD is changing every day Analysis of AD to find easiest target ▪ Attackers don’t analyze the « world » with lines & columns but with graphs ▪ Remember, every user has a read access to AD Leverage actions which don’t log ▪ Security logs are not really useful ▪ Attackers can bypass the logs ▪ Attackers implement backdoors under the SIEM radar

6. In a nutshell © A L S I D C O P Y R I G H T 2 0 2 1 ▪ No users with local admin rights ▪ Encrypt local disk ▪ Use LAPS (free) ▪ Implement EDR ▪ Harden your endpoint configuration ▪ Do not base your security strategy only on logs ▪ Implement Microsoft Tier- model ▪ Detect in real- time AD security deviances & Attack paths ▪ Detect in real- time AD attacks Final advice: Doubt about yourself ! Too much self- confidence is the first enemy of cybersecurity…

Enumerating Active Directory: Lateral Movement and Privilege Escalation

Recommended

Recommended

More Related Content

Similar to Enumerating Active Directory: Lateral Movement and Privilege Escalation

Similar to Enumerating Active Directory: Lateral Movement and Privilege Escalation (20)

More from Sylvain Cortes

More from Sylvain Cortes (8)

Recently uploaded

Recently uploaded (20)

Enumerating Active Directory: Lateral Movement and Privilege Escalation