This document provides an overview of attack methodologies from an attacker's perspective when targeting Active Directory environments. It discusses initial access techniques, privilege escalation to domain admin rights, maintaining situational awareness through techniques like password spraying and Kerberoasting, and lateral movement tactics like pass the hash and pass the ticket. It also provides mitigation strategies and detection opportunities for defenders.
2. whoami
• Penetration Tester
• Disclaimer: All opinions are mine alone, not a representation of the company I work for or organizations I am affiliated with
• None of these materials are original. They are just a compilation of research done by awesome people
• Test all recommendations first, before implementing them. I take no liability if they mess up your environment
3. Shout Out
• Sean Metcalf (@PyroTek3) for running https://adsecurity.org
• Will Schroeder (@harmj0y) for developing and releasing tools for Modern Red Teaming (Empire, PowerSploit, Veil-Framework, BloodHound)
• Benjamin Delpy (@gentilkiwi) for mimikatz and continuously improving it
• And everyone else who contributed!
5. Attacker’s Dilemma
• The new cliché
• Attackers need to evade all detection
• Defenders just need one alarm/trigger to know attackers are in
• “Defender's Dilemma vs Intruder's Dilemma” – TaoSecurity (2009)
6. Assume Breach Mentality
• Prepare for threats beyond the WALL (Defence in Depth / Layered Defence) – CYBER RESILIENCE
• Contain threats (limit the attacker’s movement)
• Detect & respond to threats (Threat Hunting / IOC) – CYBER AGILITY
• Prevention is still important, but it is critical to move beyond it
7. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™)
Source: https://attack.mitre.org/wiki/Main_Page
Red Team’s Tactics, Techniques and Procedures (TTPs)
8. Active Directory
• Microsoft’s Directory Service (AD DS) – A set of services to manage network resources
• Domain Controller (DC) – Server running AD DS
• Domain Admins (DA) – The user group that has full control of network resources in the Domain
• Local Administrators – The user group that has full control of a local/specific machine
12. Kerberos Authentication
• Ticket Granting Ticket (TGT) contains a Privilege Attribute Certificate (PAC), which stores
  • Account Name
  • Security Identifiers
  • Group Membership
• User requests a TGT by sending a timestamp encrypted with their secret key (NTLM hash for the RC4 cipher)
• TGT is encrypted and its PAC is signed with the domain KRBTGT account’s secret key (NTLM hash) – only readable by a Domain Controller (DC)
• Service ticket issued by the Ticket Granting Service (TGS) is encrypted with the service account’s secret key (NTLM hash)
15. Privilege Escalation: User to Local Admin
• Unpatched Vulnerabilities
• System Misconfigurations
  • Passwords stored in SYSVOL or Group Policy Preferences (GPP)
• Check out Paul Craig’s talk on Local Privilege Escalation
http://www.vantagepoint.sg/news/48-security-wednesdays-9-local-privilege-escalation-nus-greyhats or
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
16. Passwords stored in SYSVOL
• SYSVOL
  • Domain-wide shared folder
  • Stores logon scripts and domain group policies
  • Any authenticated user on the domain can access it
• Scripts with cleartext admin credentials stored in SYSVOL
17. Passwords stored in SYSVOL
• Group Policy with a password defined for the Local Administrator account
18. Passwords stored in SYSVOL
• The encryption key is well known
Source: https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
20. Passwords stored in SYSVOL Mitigation & Detection
• Install KB2962486 to stop new credentials from being stored in GPP, and delete the existing XMLs/Group Policies
• Plant an XML containing “Password” in SYSVOL
• Configure a SACL on that XML to audit for access
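As an added example (not part of the original deck, and not a tool from any project it cites), the Python below scans a SYSVOL tree for Group Policy Preference XML files that still carry a cpassword attribute, which is what the KB2962486 clean-up step has to find. It only reports where stored passwords exist and does not decrypt them. It builds a constructed SYSVOL-like directory in a temporary folder so it runs offline; the domain name example.local, the all-zero GPO GUID and the account names are sample values.

```python
"""Find Group Policy Preference XML files under SYSVOL that carry a cpassword
attribute. Added example: it reports where GPP-stored passwords exist and
does not decrypt them."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference item files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

def find_cpassword(xml_path):
    """Return (item tag, account, file path) for every item in one GPP XML
    file whose <Properties> element carries a non-empty cpassword."""
    findings = []
    try:
        root = ET.parse(xml_path).getroot()
    except ET.ParseError:
        return findings              # malformed file: skip it, do not abort the audit
    for item in root:
        props = item.find("Properties")
        if props is None or not props.get("cpassword"):
            continue                 # no stored password (an empty cpassword means cleared)
        account = (props.get("userName") or props.get("accountName")
                   or props.get("runAs") or item.get("name", "?"))
        findings.append((item.tag, account, xml_path))
    return findings

def scan_sysvol(sysvol_root):
    """Walk a SYSVOL tree and collect every GPP item that stores a password."""
    results = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname in GPP_FILES:
                results.extend(find_cpassword(os.path.join(dirpath, fname)))
    return results

# --- constructed sample data (not taken from a real domain) ----------------
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" userName="Administrator (built-in)"
                cpassword="CONSTRUCTED_BASE64_BLOB" changeLogon="0" noChange="1"/>
  </User>
  <User name="helpdesk">
    <Properties action="C" userName="helpdesk" cpassword=""/>
  </User>
</Groups>
"""
SAMPLE_SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="backupsvc">
    <Properties startupType="AUTOMATIC" serviceName="backupsvc"
                accountName="EXAMPLE\\svc_backup" cpassword="CONSTRUCTED_BASE64_BLOB"/>
  </NTService>
</NTServices>
"""

def build_sample_sysvol():
    """Create a SYSVOL-like tree (sample domain example.local, placeholder GPO
    GUID) in a temp directory and return its root path."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    prefs = os.path.join(root, "example.local", "Policies",
                         "{00000000-0000-0000-0000-000000000001}",
                         "Machine", "Preferences")
    for sub, content in (("Groups", SAMPLE_GROUPS_XML), ("Services", SAMPLE_SERVICES_XML)):
        os.makedirs(os.path.join(prefs, sub))
        with open(os.path.join(prefs, sub, sub + ".xml"), "w", encoding="utf-8") as f:
            f.write(content)
    return root

def demo():
    """Scan the constructed tree; returns the list of findings."""
    return scan_sysvol(build_sample_sysvol())

if __name__ == "__main__":
    for tag, account, path in demo():
        print(f"[GPP password] {tag} item for {account}: {path}")
```

Point `scan_sysvol` at a real `\\domain\SYSVOL\domain\Policies` share (read-only access as any domain user is enough) to get the list of GPOs that still need to be cleaned up after the patch.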
22. Why do we need to escalate privileges?
• Gain access to implicit trust relationship artifacts
• Assume artifacts found on one machine could be used to access other machines
• More Information:
http://foofus.net/goons/hinge/presos/insidious-implicit-windows-trust-relationships.pdf
25. Dump Credentials Mitigation
• Audit for misconfigurations that can lead to privilege escalation with windows-privesc-check (https://github.com/pentestmonkey/windows-privesc-check) or PowerUp (https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc)
• Install KB2871997 on Windows 7, 8, Server 2008 and 2012
• Deploy Application Whitelisting (AppLocker & Device Guard)
• Get rid of Windows Server 2003
• Have different trust levels for machines – Domain Admins should not log on to machines with a lower trust level
26. Dump Credentials Detection
• Monitor the registry value “UseLogonCredential” at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
• Value “1” enables cleartext passwords to be stored in LSASS
• Honey Credentials
27. Dump Credentials Detection (Not a good idea)
● Detect mimikatz in memory using Sysmon (be careful of the performance impact)
● Look for loading of
  ○ C:\Windows\System32\WinSCard.dll
  ○ C:\Windows\System32\cryptdll.dll
  ○ C:\Windows\System32\hid.dll
  ○ C:\Windows\System32\samlib.dll
  ○ C:\Windows\System32\vaultcli.dll
● LSA Protection enabled – look for mimidrv.sys (mimikatz’s driver to turn off LSA Protection)
● More information:
https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow ← Sysmon Tutorial
https://medium.com/@lennartkoopmann/explaining-and-adapting-tays-sysmon-configuration-27d9719a89a8#.c8sokq3nj
https://cyberwardog.blogspot.sg/2017/03/chronicles-of-threat-hunter-hunting-for.html
30. User Account Control (UAC) is Enabled!
• UAC was introduced in Windows Vista
• Processes run with standard user rights, even if the user is in the Administrators group, unless explicit permission is given
31. UAC Bypass
• Old School
  • Privileged File Copy (IFileOperation COM)
  • DLL Hijacking
  • Auto-elevation
• New School
  • Fileless UAC Bypass via Registry Hijacking
    • Write to HKCU\Software\Classes\mscfile\shell\open\command
    • Launch eventvwr.exe
• More information:
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
https://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/
32. UAC Bypass Mitigation & Detection
• Reduce the number of users with Administrator privileges
• Set the UAC level to “Always Notify” instead of the default configuration (the default can be bypassed with Disk Cleanup)
• Monitor the registry entry “HKCU\Software\Classes\mscfile\shell\open\command”
• More information:
https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
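The three host indicators named in the credential-dumping detection slides and the UAC bypass slide above (WDigest UseLogonCredential set to 1, a write under the mscfile\shell\open\command key, and one process loading all five listed DLLs) can be checked with the same Sysmon-based logic. The Python below is an added example, not code from the deck or from the Sysmon configurations it links to. The event records are constructed in the shape of Sysmon Event 13 (RegistryEvent, value set) and Event 7 (ImageLoad) XML; the process GUIDs, user SID and file paths in them are sample values, and the `DWORD (0x00000001)` Details format is assumed to match what Sysmon writes for a REG_DWORD.

```python
"""Detection logic for the registry and image-load indicators in the slides:
WDigest UseLogonCredential = 1 (Sysmon Event 13), a write under
HKCU\\Software\\Classes\\mscfile\\shell\\open\\command (Event 13), and one
process loading all five mimikatz-associated DLLs (Event 7). Added example;
the events below are constructed in the shape of Sysmon's XML records."""
import re
import xml.etree.ElementTree as ET

MIMIKATZ_DLLS = {"winscard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll"}
WDIGEST_VALUE = re.compile(r"\\SecurityProviders\\WDigest\\UseLogonCredential$", re.I)
MSCFILE_KEY = re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command", re.I)

def _local(tag):
    """Drop the XML namespace prefix ('{ns}EventID' -> 'EventID')."""
    return tag.rsplit("}", 1)[-1]

def parse_event(xml_text):
    """Flatten one event record into {'EventID': int, <Data Name>: text}."""
    ev = {}
    for node in ET.fromstring(xml_text).iter():
        name = _local(node.tag)
        if name == "EventID":
            ev["EventID"] = int(node.text)
        elif name == "Data" and node.get("Name"):
            ev[node.get("Name")] = node.text or ""
    return ev

def detect(events):
    """Return (rule, image, detail) alerts for the parsed events."""
    alerts = []
    loads = {}   # ProcessGuid -> (image path, set of DLL base names it loaded)
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:  # RegistryEvent (value set)
            target = ev.get("TargetObject", "")
            if WDIGEST_VALUE.search(target) and "0x00000001" in ev.get("Details", ""):
                alerts.append(("wdigest_cleartext_enabled", ev.get("Image", "?"), target))
            elif MSCFILE_KEY.search(target):
                alerts.append(("eventvwr_uac_bypass_key", ev.get("Image", "?"), target))
        elif eid == 7:  # ImageLoad
            _image, seen = loads.setdefault(ev.get("ProcessGuid"), (ev.get("Image", "?"), set()))
            seen.add(ev.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower())
    for image, seen in loads.values():
        if MIMIKATZ_DLLS <= seen:  # all five loaded by one process: validate before acting
            alerts.append(("mimikatz_like_dll_set", image, ", ".join(sorted(MIMIKATZ_DLLS))))
    return alerts

# --- constructed sample events (not captured from a real host) --------------
def _ev(event_id, **data):
    """Build a minimal Windows-event XML record with the given EventData."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

_SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    _ev(13, EventType="SetValue", ProcessGuid="{proc-A}", Image=_SYS32 + "reg.exe",
        TargetObject="HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
        Details="DWORD (0x00000001)"),
    _ev(13, EventType="SetValue", ProcessGuid="{proc-B}",
        Image=_SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
        TargetObject="HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)",
        Details="CONSTRUCTED_COMMAND_LINE"),
    _ev(13, EventType="SetValue", ProcessGuid="{proc-C}", Image=_SYS32 + "svchost.exe",
        TargetObject="HKLM\\Software\\Policies\\Microsoft\\Windows\\Example",
        Details="DWORD (0x00000000)"),                      # benign: no alert
] + [
    _ev(7, ProcessGuid="{proc-D}", Image="C:\\Users\\alice\\Downloads\\tool.exe",
        ImageLoaded=_SYS32 + dll)
    for dll in ("WinSCard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll")
] + [
    _ev(7, ProcessGuid="{proc-E}", Image=_SYS32 + "lsass.exe", ImageLoaded=_SYS32 + dll)
    for dll in ("cryptdll.dll", "samlib.dll")               # partial set: no alert
]

def demo():
    """Run the detector over the constructed events; returns the alerts."""
    return detect(parse_event(x) for x in SAMPLE_EVENTS)

if __name__ == "__main__":
    for rule, image, detail in demo():
        print(f"{rule}: {image} -> {detail}")
```

The DLL rule only fires when a single process has loaded the whole set, which is why it tracks loads per ProcessGuid rather than alerting on each Event 7; that keeps the noise down on hosts where Sysmon image-load logging is enabled, but it is still the check the slide title calls "not a good idea" to rely on alone.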
33. Situational Awareness
• Port Scan
• DNS Enumeration (SRV records, *._tcp.domain.com)
• Password / Hash Spray
• Service Principal Name (SPN) Scanning
• Domain Enumeration & Admin Hunting
• BloodHound
34. Password / Hash Spray
• Quick and dirty way to identify access across the network
• Good for pen tests that don’t require stealth
35. Service Principal Name (SPN) Scanning
• An SPN uniquely identifies a service instance for Kerberos authentication
• Gather services across the domain (without a single port scanned!)
36. Service Principal Name (SPN) Scanning
• PowerShell scripts from Sean Metcalf
https://github.com/PyroTek3/PowerShell-AD-Recon
• Comprehensive list of SPNs
http://adsecurity.org/?page_id=183
• How SPNs are used by Kerberos
http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
39. Domain Enumeration with PowerView
• PowerView
  • Based on PowerShell
  • Capitalizes on PowerShell alternatives to the “net” command
  • Capitalizes on the Win32 API
  • Gains network situational awareness
• More Information:
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
44. Admin Hunting with PowerView
• Implicit trust relationships
• Look at where the current user has Local Administrator rights
• Look for where privileged users are logged on
• Target machines with privileged users
• Steal their tokens / credentials
• Profit!
45. Admin Hunting with PowerView
• Invoke-UserHunter
  • Get a list of hosts from AD
  • Get a list of users of a specific domain group (Domain Admins/Local Administrators)
  • Run NetSessionEnum (user sessions) and NetWkstaUserEnum (logged-on users) with the information gathered
  • (Optionally) check if the current user has Local Administrator rights on each host
• More Information
http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20
http://www.slideshare.net/harmj0y/i-have-the-powerview
46. Admin Hunting with PowerView
Source: http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20
48. BloodHound
• Provides a graphical representation of attack paths based on information gathered via a customized PowerView
• Simplifies Admin Hunting across the network to achieve Derivative Local Admin
• More information
https://wald0.com/?p=14
http://www.slideshare.net/AndyRobbins3/six-degrees-of-domain-admin-bloodhound-at-def-con-24
https://github.com/BloodHoundAD/BloodHound/wiki
50. Domain Enumeration Mitigation
• Use Net Cease to modify the default NetSessionEnum permissions
https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
• Upgrade to Windows 10 and Windows Server 2016
• Use SAMRi10 to restrict remote SAM queries (Windows 10 and Server 2016 or later)
https://www.bleepingcomputer.com/news/security/microsoft-researchers-release-anti-reconnaissance-tool-named-samri10/
51. Lateral Movement
• Reuse cleartext credentials (not working well after KB2871997)
• Pass the Hash (not working well after KB2871997)
• Pass the Key (Overpass-the-Hash)
• Impersonate Tokens
• Pass the Ticket
• Kerberoasting
52. Pass the Hash (PtH)
Source: http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
53. Pass the Hash (PtH)
• Not working well after KB2871997
• Local accounts cannot log in remotely
• PtH is still possible for
  • the default Local Administrator (RID 500) hash
  • domain hashes
54. Pass the Key (Overpass the Hash)
• KB2871997 stops Windows from storing cleartext credentials in memory (LSASS)
• NTLM hashes/(e)keys are still stored in memory (for SSO)
• Remember how the Kerberos ticket request is done?
57. Pass the Key (Overpass the Hash)
• The user’s secret key depends on the cipher used
• Exploit steps
  • Escalate privileges to Local Admin
  • Dump hashes/(e)keys
  • Create a new process and inject the stolen hash/(e)key into its memory
  • SSO will refer to the injected secret key in memory
  • Impersonate the token of the newly created process
  • Win!
58. Pass the Key (Overpass the Hash)
• User “labgg” is a Domain Admin logged in on the compromised machine
60. Pass the Key (Overpass the Hash)
• Some bug with Empire’s “shell” command, so switched it to Meterpreter
61. Pass the Key (Overpass the Hash)
More Information:
http://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/
http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
62. Pass the Ticket
• Export the Ticket-Granting-Ticket (TGT) from the memory of a compromised host
• Import the TGT into the attacker’s machine
• Profit!
63. Pass the Ticket with MS14-068
• MS14-068
  • Privilege escalation from authenticated domain user to Domain Admin by forging the PAC
  • The PAC stores authorization data (group membership, security identifiers)
  • Improper validation of the Privilege Attribute Certificate (PAC) signature
64. Pass the Ticket with MS14-068
More Information:
https://labs.mwrinfosecurity.com/blog/digging-into-ms14-068-exploitation-and-defence/
https://www.trustedsec.com/december-2014/ms14-068-full-compromise-step-step/
https://github.com/bidord/pykek/
66. Kerberoasting
• A service ticket can be obtained without actually using it
• A service ticket issued by the TGS is encrypted with the target service account’s secret key
• Service accounts are usually privileged accounts on the domain
67. Kerberoasting
• Why not just crack it?
  • Offline attack without contacting the target service’s machine
Source: https://adsecurity.org/?p=2293
70. Kerberoasting Mitigation
• Use passwords of 25 or more characters for service accounts
• Use Managed Service Accounts
• More Information:
https://adsecurity.org/?p=2293
https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx
71. Kerberoasting Detection
• Enable “Audit Kerberos Service Ticket Operations” for Success
• Look for Event 4769 with Ticket Options 0x40810000 and Ticket Encryption Type RC4 (0x17/0x18)
• Create a honey service ☺
• More information:
https://adsecurity.org/?p=3458
https://adsecurity.org/?p=3513
72. Lateral Movement Mitigation
• Deploy Microsoft LAPS on servers and workstations to manage Local Administrator passwords
• Deploy Group Policy: “Deny access to this computer from the network” & “Deny log on through Remote Desktop Services” for “Local account and member of Administrators group” or “*S-1-5-114” [blocks RID 500 accounts]
• Add users with high privileges to the “Protected Users” group if possible
• Network segmentation – it’s always about the trust path
• Restrict workstation-to-workstation communication with GPO – Windows Firewall
• More Information:
https://adsecurity.org/?p=3299
https://adsecurity.org/?p=3377
https://technet.microsoft.com/en-us/library/dn466518.aspx
73. Lateral Movement Mitigation
• Different tiers of administrators for different tiers of servers & workstations
More Information:
https://technet.microsoft.com/en-us/library/mt631193.aspx
74. Lateral Movement Detection
• Turn on auditing for local account logon
• Turn on auditing for Kerberos
  • Look out for domain names in lower case or in a non-standard form (not comprehensive)
  • Look out for Ticket Encryption Type 0x17/0x18 (RC4) (not comprehensive)
• More Information:
https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
https://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/
76. Hash Dump & Crack The Hashes
• Old School
  • Get the NTDS.dit file
    • Backup
    • Virtual Machine Disk
    • Shadow Volume
  • Process NTDS.dit for hashes
• New School
  • DCSync (no need for direct access to NTDS.dit)
77. DCSync
• Impersonate a Domain Controller
• Replicate user credentials via the Directory Replication Service (DRS) Remote Protocol
• No code execution required, but “Domain Admins” privileges are needed
• If used with “Domain Controllers” privilege, it will not be logged
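On the defender's side, a DCSync replication request made with Domain Admin rights does leave a trace when directory service access auditing is enabled: Event 4662 records a Control Access (0x100) operation whose Properties field names a replication control-access right. The Python below is an added example, not code from the deck, that flags such requests from any account that is not a known domain controller; the DC account names and the 4662 records are constructed sample data, and the allow-list is the limit of the check (as the slide notes, replication by an account holding Domain Controller privilege looks like normal DC-to-DC traffic).

```python
"""Flag DCSync-style replication requests in Event 4662 records: a Control
Access (0x100) operation whose Properties reference a directory replication
right, issued by an account that is not a domain controller. Added example;
the records below are constructed dicts in the shape of 4662's EventData."""

# Control access rights that grant directory replication (schema GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100

# Assumption: the domain's domain controller computer accounts (sample names).
DC_ACCOUNTS = {"DC01$", "DC02$"}

def replication_rights(properties):
    """Return the replication right names referenced in a 4662 Properties field."""
    text = properties.lower()
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in text)

def detect_dcsync(events):
    """Return (subject account, rights) for replication requests by non-DC accounts."""
    alerts = []
    for ev in events:
        if int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
            continue                              # not a control-access operation
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue                              # some other extended right
        subject = ev.get("SubjectUserName", "?")
        if subject in DC_ACCOUNTS:
            continue                              # expected DC-to-DC replication
        alerts.append((subject, rights))
    return alerts

# --- constructed sample 4662 records (not from a real DC) -------------------
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},     # normal replication
    {"SubjectUserName": "alice", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},     # user account: alert
    {"SubjectUserName": "svc_backup", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{00000000-0000-0000-0000-0000000000ab}"},     # unrelated right
    {"SubjectUserName": "bob", "AccessMask": "0x10",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},     # not control access
]

if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_4662):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```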
79. Golden Ticket
• Forged TGT with admin privileges, then PTT
• The TGT is encrypted & signed with the domain KRBTGT account’s secret key
• Important to note that the KRBTGT password is almost never changed
• Information required to create a Golden Ticket
  • Domain Name
  • Domain SID
  • Domain KRBTGT NTLM hash/(e)keys
  • User ID to impersonate
83. Silver Ticket
• Forged service ticket
• Requires only the service account key instead of the KRBTGT key
• Access is restricted to that specific service
• More Information:
https://adsecurity.org/?p=2011
86. Persistence Mitigation and Detection
• Change the KRBTGT password twice (to purge the password history), and do so regularly
• Look out for RC4 Kerberos traffic – from Vista onwards the default Kerberos cipher is AES (not comprehensive)
• Use Group Managed Service Accounts
• More information:
https://adsecurity.org/?p=1515
87. Mitigations for PowerShell Activities
● Lock down PowerShell.exe and PowerShell_ISE.exe (not ideal)
● Uninstall PowerShell v2
● Use PowerShell v5 with
  ○ Constrained Language Mode with AppLocker / Device Guard
  ○ Logging of all PowerShell activity (Module Logging, Script Block Logging, system-wide Transcript Logging)
● More information:
https://adsecurity.org/?p=2604
88. Microsoft Advanced Threat Analytics (ATA)
• Machine learning platform that detects quite a number of the things we have discussed
• Receives logs and events from SIEM and Windows Event Forwarding (WEF)
• More information:
https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats
https://adsecurity.org/?p=1583
https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-8b0a86bc/file/169608/1/ATA%20Playbook.pdf
89. Microsoft Advanced Threat Analytics
Source:
https://blogs.technet.microsoft.com/enterprisemobility/2015/05/04/microsoft-advanced-threat-analytics-public-preview-release-is-now-available/
91. Reference
• Adversarial Tactics, Techniques & Common Knowledge
https://attack.mitre.org/wiki/Main_Page
• Attack Methods for Gaining Domain Admin Rights in Active Directory
https://adsecurity.org/?p=2362
• Protecting Windows Networks – Kerberos Attacks
https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
• The Most Common Active Directory Security Issues and What You Can Do to Fix Them
https://adsecurity.org/?p=1684
• Building an Empire with PowerShell
http://www.slideshare.net/harmj0y/building-an-empire-with-powershell
92. Reference
• Mimikatz and DCSync and ExtraSids, Oh My
http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
• Make PowerView Great Again
http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
• Six Degrees of Domain Admin
https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Robbins-Vazarkar-Schroeder-Six-Degrees-of-Domain-Admin.pdf
• Kerberos, Kerberoast and Golden Tickets
https://leonjza.github.io/blog/2016/01/09/kerberos-kerberoast-and-golden-tickets/
• Mimikatz 2.0 - Silver Ticket Walkthrough
https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html#Why