Mauricio Velazco, profile picture
Uploaded byMauricio Velazco
930 views

SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks

The document outlines the concept and methodologies of a Purple Team approach to enhance Active Directory security through adversary simulations and collaborative exercises. It introduces the use of the PurpleSharp tool to execute simulations of various attacks, such as Kerberoasting and password spraying, to test detection capabilities and improve incident response. Additionally, it presents a library of playbooks for Blue Teams to conduct internal exercises at no cost, enhancing their defensive strategies against common Active Directory vulnerabilities.

Embed presentation

Downloaded 25 times
Active Directory Purple Team playbooks Mauricio Velazco @mvelazco
✘ Threat Research @ Splunk ✘ @mvelazco ✘ Bsides, Derbycon, Defcon, BlackHat ✘ github.com/mvelazc0 #whoami
Purple in my mind
Purple Teaming / Adversary simulation Goal: Identify gaps in visibility & detection capabilities ✘ Collaborative exercise / knowledge transfer ✘ Allows blue to identify and understand TTPs ✘ Allows red to identify evasion paths
(Our) Purple Team Process
Simulation Scenarios Simulating the same TTP under different scenarios will test detection resilience ✘ Example: Kerberoasting Simulation 1: Invoke-Kerberoast –Domain domain.com Simulation 2: GetUserSPNs.py -dc-ip X.X.X.X domain.com/user vs Simulation 3: PowerView / SharpView recon to identify target Rubeus.exe kerberoast /user:secureservice
Active Directory ✘ 90% of the Fortune 1000 use Active Directory for AA Frost & Sullivan - March 2020 https://ww2.frost.com/frost-perspectives/active-directory-holds-the-keys-to-your-kingdom-but-is-it-secure/ ✘ Adversaries will use and abuse Active Directory across the attack lifecycle to achieve operational success ✘ Recent ransomware cases (Ryuk, Conti, Revil) rely heavily on AD attacks
The DFIR Report
PurpleSharp ✘ Executes adversary techniques within Windows AD environments following the MITRE ATT&CK Framework (47 supported). ✘ Goal: Generate telemetry to build, test & enhance detection controls https://github.com/mvelazc0/PurpleSharp
Local Simulations ✘ Execute the simulation locally from fixed infrastructure ✘ Runs under the context of the operator ✘ Interactive or scheduled
Remote Simulations ✘ Deploy simulations on a remote endpoint in the network (arbitrary or random) ✘ The simulation runs under the context of the logged user from a user path as an exe ✘ Uses Windows native features: wmi, smb, namedpipes, etc.
✘ Orchestrator Runs on the operator’s endpoint and is responsible for orchestrating the simulation deployment ✘ Scout Runs on the simulation target and performs recon tasks to identify logged users and suitable processes. ✘ Simulator Runs on the simulation target and is responsible for running the specified techniques/
Demo 1 Active Directory Discovery AD Discovery Scenario #2 - PowerShell T1087.001 - Local Account Discovery T1087.002 - Domain Account Discovery T1069.002 - Domain Group Discovery T1018 - Remote System Discovery AD Discovery Scenario #3 - LDAP T1087.002 - Domain Account Discovery T1069.002 - Domain Group Discovery AD Discovery Scenario #1 - Cmdline T1033 - User Discovery T1018 - Remote System Discovery T1482 - Domain Trust Discovery T1087.001 - Local Account Discovery T1069.001 - Domain Group Discovery
https://youtu.be/8jRsitZb1UE
Detection Takeaways ✘ 4688 + Command line, Sysmon or your favorite EDR Identify most common enumeration techniques Should deploy the capability to decode base64 encoded commands ✘ PowerShell visibility Script Block Logging - Event Id 4104 Module Logging Transcription Logging ✘ Network visibility Zeek or favorite comercial NTA vendor
Password Spraying ✘ Iterate through a list of users with a commonly used password ( Summer2021 ) ✘ Used to obtain initial access / situational awareness / privilege escalation ✘ https://attack.mitre.org/techniques/T1110/003 https://us-cert.cisa.gov/ncas/alerts/aa21-116a APT 29
Demo 2 Password Spraying Scenario #2 A domain joined device has been compromised and is being controlled by a trojan. With this access, an adversary executes a Password Spraying attack using the Kerberos protocol. Scenario #3 A domain joined device has been compromised and is being controlled by a trojan. With this access, an adversary executes a Password Spraying attack using the NTLM protocol. Scenario #1 An adversary has obtained physical access to the target network and performs a password spray attack against one host using the SMB protocol.
https://youtu.be/HGDUxKQx-_E
Detection Takeaways ✘ For full visibility, we need to log both Domain Controller and Domain Member endpoints ✘ ✘ Events Seen 4771 - Kerberos Authentication Service 4776 - Credential Validation 4625 - Logon 4648 - Logon
Enterprise Security Content Update v3.21 ✘ Active Directory Password Spraying Analytic Story Uses standard deviation to detect outliers ✘ 8 detections for different password spraying scenarios ✘ You don't need be a Splunk user to leverage the logic https://github.com/splunk/security_content https://splunkbase.splunk.com/app/3449/ https://docs.splunk.com/Documentation/ESSOC/3.21.0/stories/
The Active Directory Purple Team Playbook ( BETA ) ✘ Library of ready-to-use playbooks designed to be used with PurpleSharp ✘ Allows blue teams to run internal Purple Team exercises against Active Directory in an easy way at 0 cost ! https://github.com/mvelazc0/PurpleAD/
Thank You ! https://twitter.com/mvelazco https://github.com/mvelazc0/PurpleSharp https://github.com/mvelazc0/PurpleAD
Active Directory Purple Team playbooks SANS Purple Team Summit 2021 Mauricio Velazco @mvelazco

More Related Content

PDF
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
PDF
Windows Threat Hunting
byGIBIN JOHN
 
PPTX
PowerShell for Practical Purple Teaming
byNikhil Mittal
 
PDF
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
PDF
How to Plan Purple Team Exercises
byHaydn Johnson
 
PDF
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
byJorge Orchilles
 
PDF
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
Windows Threat Hunting
byGIBIN JOHN
 
PowerShell for Practical Purple Teaming
byNikhil Mittal
 
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
How to Plan Purple Team Exercises
byHaydn Johnson
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
byJorge Orchilles
 
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 

What's hot

PDF
Windows attacks - AT is the new black
byChris Gates
 
PDF
Adversary Emulation and Red Team Exercises - EDUCAUSE
byJorge Orchilles
 
PDF
Windows logging cheat sheet
byMichael Gough
 
PDF
A Threat Hunter Himself
bySergey Soldatov
 
PDF
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
PDF
Introduction to red team operations
bySunny Neo
 
PDF
Breach and attack simulation tools
byBangladesh Network Operators Group
 
PDF
Cyber Threat hunting workshop
byArpan Raval
 
PDF
Threat Hunting with Splunk
bySplunk
 
PDF
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
PDF
ATT&CK Updates- Defensive ATT&CK
byMITRE ATT&CK
 
PPTX
WTF is Penetration Testing v.2
byScott Sutherland
 
PPTX
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
PPTX
Detection Rules Coverage
bySunny Neo
 
PPTX
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
byJorge Orchilles
 
PDF
Penetration testing
byAmmar WK
 
PPTX
Threat hunting - Every day is hunting season
byBen Boyd
 
PDF
Physical Penetration Testing (RootedCON 2015)
byEduardo Arriols Nuñez
 
PPTX
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
PDF
So you want to be a red teamer
byJorge Orchilles
 
Windows attacks - AT is the new black
byChris Gates
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
byJorge Orchilles
 
Windows logging cheat sheet
byMichael Gough
 
A Threat Hunter Himself
bySergey Soldatov
 
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
Introduction to red team operations
bySunny Neo
 
Breach and attack simulation tools
byBangladesh Network Operators Group
 
Cyber Threat hunting workshop
byArpan Raval
 
Threat Hunting with Splunk
bySplunk
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
ATT&CK Updates- Defensive ATT&CK
byMITRE ATT&CK
 
WTF is Penetration Testing v.2
byScott Sutherland
 
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
Detection Rules Coverage
bySunny Neo
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
byJorge Orchilles
 
Penetration testing
byAmmar WK
 
Threat hunting - Every day is hunting season
byBen Boyd
 
Physical Penetration Testing (RootedCON 2015)
byEduardo Arriols Nuñez
 
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
So you want to be a red teamer
byJorge Orchilles
 

Similar to SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks

PDF
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
byMauricio Velazco
 
PDF
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
byMauricio Velazco
 
PDF
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
byMauricio Velazco
 
PDF
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
byMauricio Velazco
 
PDF
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PDF
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
byMauricio Velazco
 
PDF
Attacker's Perspective of Active Directory
bySunny Neo
 
PPTX
BSides SG Practical Red Teaming Workshop
byAjay Choudhary
 
PDF
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PDF
Beyond the mcse red teaming active directory
byPriyanka Aash
 
PDF
Hacktive Directory Forensics - HackCon18, Oslo
byYossi Sassi
 
PDF
Get Active Directory Security Guide 1st Edition Picussecurity free all chapters
bywesxhalink
 
PDF
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
byFelipe Prado
 
PDF
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
byGabriel Mathenge
 
PPTX
Implementing Active Directory and Information Security Audit also VAPT in Fin...
byKajolPatel17
 
PDF
Active Directory Security Guide 1st Edition Picussecurity
bylautjeoghina
 
PDF
Purple Team Use Case - Security Weekly
byJorge Orchilles
 
PDF
Carlos García - Pentesting Active Directory [rooted2018]
byRootedCON
 
PDF
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
byAlex Pinto
 
PDF
Hacking our chairmans inbox - Charl van der Walt - SensePost
byHarry Gunns
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
byMauricio Velazco
 
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
byMauricio Velazco
 
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
byMauricio Velazco
 
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
byMauricio Velazco
 
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
byMauricio Velazco
 
Attacker's Perspective of Active Directory
bySunny Neo
 
BSides SG Practical Red Teaming Workshop
byAjay Choudhary
 
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
Beyond the mcse red teaming active directory
byPriyanka Aash
 
Hacktive Directory Forensics - HackCon18, Oslo
byYossi Sassi
 
Get Active Directory Security Guide 1st Edition Picussecurity free all chapters
bywesxhalink
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
byFelipe Prado
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
byGabriel Mathenge
 
Implementing Active Directory and Information Security Audit also VAPT in Fin...
byKajolPatel17
 
Active Directory Security Guide 1st Edition Picussecurity
bylautjeoghina
 
Purple Team Use Case - Security Weekly
byJorge Orchilles
 
Carlos García - Pentesting Active Directory [rooted2018]
byRootedCON
 
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
byAlex Pinto
 
Hacking our chairmans inbox - Charl van der Walt - SensePost
byHarry Gunns
 

More from Mauricio Velazco

PDF
BlackHat Arsenal 2025 - msInvader : Automating Adversary Simulation in M365 a...
byMauricio Velazco
 
PDF
BSides NYC 2025: Inside Cloud Attack Paths End-to-End Adversary Simulation
byMauricio Velazco
 
PDF
BlackHat Europe Arsenal 2024 - msInvader : Simulating Adversary Techniques in...
byMauricio Velazco
 
PDF
BlackHat Arsenal USA 2024 : Simulating and Exploring Entra ID Attack Paths
byMauricio Velazco
 
PPTX
PurpleSharp BlackHat Arsenal Asia
byMauricio Velazco
 
PDF
Detection-as-Code: Test Driven Detection Development.pdf
byMauricio Velazco
 
PDF
BSides Panama 2022
byMauricio Velazco
 
PDF
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
byMauricio Velazco
 
PDF
Bsides NYC 2018 - Hunting for Lateral Movement
byMauricio Velazco
 
PDF
LimaHack 2011 - Stuxnet : El arma del futuro
byMauricio Velazco
 
PDF
Peruhack 2015 - Cyberespionaje de Naciones
byMauricio Velazco
 
PDF
PeruHack 2014 - Post Explotacion en Entornos Windows
byMauricio Velazco
 
PDF
Limahack 2010 - Creando exploits para GNU/Linux
byMauricio Velazco
 
PDF
Limahack 2009 - SSL no esta roto ... o si ?
byMauricio Velazco
 
PDF
Bsides Latam 2019
byMauricio Velazco
 
PDF
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
byMauricio Velazco
 
PDF
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
byMauricio Velazco
 
PDF
Defcon 27 - Writing custom backdoor payloads with C#
byMauricio Velazco
 
PDF
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
byMauricio Velazco
 
PDF
Bsides Long Island 2019
byMauricio Velazco
 
BlackHat Arsenal 2025 - msInvader : Automating Adversary Simulation in M365 a...
byMauricio Velazco
 
BSides NYC 2025: Inside Cloud Attack Paths End-to-End Adversary Simulation
byMauricio Velazco
 
BlackHat Europe Arsenal 2024 - msInvader : Simulating Adversary Techniques in...
byMauricio Velazco
 
BlackHat Arsenal USA 2024 : Simulating and Exploring Entra ID Attack Paths
byMauricio Velazco
 
PurpleSharp BlackHat Arsenal Asia
byMauricio Velazco
 
Detection-as-Code: Test Driven Detection Development.pdf
byMauricio Velazco
 
BSides Panama 2022
byMauricio Velazco
 
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
byMauricio Velazco
 
Bsides NYC 2018 - Hunting for Lateral Movement
byMauricio Velazco
 
LimaHack 2011 - Stuxnet : El arma del futuro
byMauricio Velazco
 
Peruhack 2015 - Cyberespionaje de Naciones
byMauricio Velazco
 
PeruHack 2014 - Post Explotacion en Entornos Windows
byMauricio Velazco
 
Limahack 2010 - Creando exploits para GNU/Linux
byMauricio Velazco
 
Limahack 2009 - SSL no esta roto ... o si ?
byMauricio Velazco
 
Bsides Latam 2019
byMauricio Velazco
 
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
byMauricio Velazco
 
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
byMauricio Velazco
 
Defcon 27 - Writing custom backdoor payloads with C#
byMauricio Velazco
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
byMauricio Velazco
 
Bsides Long Island 2019
byMauricio Velazco
 

Recently uploaded

PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Workflow and decision Automation with Flowable
bychakib ch
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 

SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks

  • 2.
    Active Directory Purple Teamplaybooks Mauricio Velazco @mvelazco
  • 3.
    ✘ Threat Research@ Splunk ✘ @mvelazco ✘ Bsides, Derbycon, Defcon, BlackHat ✘ github.com/mvelazc0 #whoami
  • 4.
  • 5.
    Purple Teaming /Adversary simulation Goal: Identify gaps in visibility & detection capabilities ✘ Collaborative exercise / knowledge transfer ✘ Allows blue to identify and understand TTPs ✘ Allows red to identify evasion paths
  • 6.
  • 7.
    Simulation Scenarios Simulating thesame TTP under different scenarios will test detection resilience ✘ Example: Kerberoasting Simulation 1: Invoke-Kerberoast –Domain domain.com Simulation 2: GetUserSPNs.py -dc-ip X.X.X.X domain.com/user vs Simulation 3: PowerView / SharpView recon to identify target Rubeus.exe kerberoast /user:secureservice
  • 8.
    Active Directory ✘ 90%of the Fortune 1000 use Active Directory for AA Frost & Sullivan - March 2020 https://ww2.frost.com/frost-perspectives/active-directory-holds-the-keys-to-your-kingdom-but-is-it-secure/ ✘ Adversaries will use and abuse Active Directory across the attack lifecycle to achieve operational success ✘ Recent ransomware cases (Ryuk, Conti, Revil) rely heavily on AD attacks
  • 9.
  • 10.
    PurpleSharp ✘ Executes adversarytechniques within Windows AD environments following the MITRE ATT&CK Framework (47 supported). ✘ Goal: Generate telemetry to build, test & enhance detection controls https://github.com/mvelazc0/PurpleSharp
  • 11.
    Local Simulations ✘ Executethe simulation locally from fixed infrastructure ✘ Runs under the context of the operator ✘ Interactive or scheduled
  • 12.
    Remote Simulations ✘ Deploysimulations on a remote endpoint in the network (arbitrary or random) ✘ The simulation runs under the context of the logged user from a user path as an exe ✘ Uses Windows native features: wmi, smb, namedpipes, etc.
  • 13.
    ✘ Orchestrator Runs onthe operator’s endpoint and is responsible for orchestrating the simulation deployment ✘ Scout Runs on the simulation target and performs recon tasks to identify logged users and suitable processes. ✘ Simulator Runs on the simulation target and is responsible for running the specified techniques/
  • 14.
    Demo 1 Active DirectoryDiscovery AD Discovery Scenario #2 - PowerShell T1087.001 - Local Account Discovery T1087.002 - Domain Account Discovery T1069.002 - Domain Group Discovery T1018 - Remote System Discovery AD Discovery Scenario #3 - LDAP T1087.002 - Domain Account Discovery T1069.002 - Domain Group Discovery AD Discovery Scenario #1 - Cmdline T1033 - User Discovery T1018 - Remote System Discovery T1482 - Domain Trust Discovery T1087.001 - Local Account Discovery T1069.001 - Domain Group Discovery
  • 15.
  • 16.
    Detection Takeaways ✘ 4688+ Command line, Sysmon or your favorite EDR Identify most common enumeration techniques Should deploy the capability to decode base64 encoded commands ✘ PowerShell visibility Script Block Logging - Event Id 4104 Module Logging Transcription Logging ✘ Network visibility Zeek or favorite comercial NTA vendor
  • 17.
    Password Spraying ✘ Iteratethrough a list of users with a commonly used password ( Summer2021 ) ✘ Used to obtain initial access / situational awareness / privilege escalation ✘ https://attack.mitre.org/techniques/T1110/003 https://us-cert.cisa.gov/ncas/alerts/aa21-116a APT 29
  • 18.
    Demo 2 Password Spraying Scenario#2 A domain joined device has been compromised and is being controlled by a trojan. With this access, an adversary executes a Password Spraying attack using the Kerberos protocol. Scenario #3 A domain joined device has been compromised and is being controlled by a trojan. With this access, an adversary executes a Password Spraying attack using the NTLM protocol. Scenario #1 An adversary has obtained physical access to the target network and performs a password spray attack against one host using the SMB protocol.
  • 19.
  • 20.
    Detection Takeaways ✘ Forfull visibility, we need to log both Domain Controller and Domain Member endpoints ✘ ✘ Events Seen 4771 - Kerberos Authentication Service 4776 - Credential Validation 4625 - Logon 4648 - Logon
  • 21.
    Enterprise Security ContentUpdate v3.21 ✘ Active Directory Password Spraying Analytic Story Uses standard deviation to detect outliers ✘ 8 detections for different password spraying scenarios ✘ You don't need be a Splunk user to leverage the logic https://github.com/splunk/security_content https://splunkbase.splunk.com/app/3449/ https://docs.splunk.com/Documentation/ESSOC/3.21.0/stories/
  • 22.
    The Active DirectoryPurple Team Playbook ( BETA ) ✘ Library of ready-to-use playbooks designed to be used with PurpleSharp ✘ Allows blue teams to run internal Purple Team exercises against Active Directory in an easy way at 0 cost ! https://github.com/mvelazc0/PurpleAD/
  • 23.
  • 24.
    Active Directory Purple Teamplaybooks SANS Purple Team Summit 2021 Mauricio Velazco @mvelazco