Attacker’s Perspective of Active Directory
Sunny Neo
whoami
• Penetration Tester
• Disclaimer: All opinions are mine alone, not a representation of the company I work for or organizations I am affiliated with
• None of these materials are original. They are just a compilation of research done by awesome people
• Test all recommendations first, before implementing them. I take no liability if they mess up your environment
Shout Out
• Sean Metcalf (@PyroTek3) for running https://adsecurity.org
• Will Schroeder (@harmj0y) for developing and releasing tools for Modern Red Teaming (Empire, PowerSploit, Veil-Framework, BloodHound)
• Benjamin Delpy (@gentilkiwi) for mimikatz and continuously improving it
• And everyone else who contributed!
Defender’s Dilemma
• Cliché
• Attackers just need to win once
• Defenders need to win all the time
Attacker’s Dilemma
• The new cliché
• Attackers need to evade all detection
• Defenders just need one alarm/trigger to know attackers are in
• “Defender's Dilemma vs Intruder's Dilemma” – TaoSecurity (2009)
Assume Breach Mentality
• Prepare for threats beyond the WALL (Defence in Depth / Layered Defence) – CYBER RESILIENCE
• Contain threats (limit the attacker’s movement)
• Detect & Respond to threats (Threat Hunting / IOC) – CYBER AGILITY
• Prevention is still important, but it is critical to move beyond it
Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™)
Source: https://attack.mitre.org/wiki/Main_Page
Red Team’s Tactics, Techniques and Procedures (TTPs)
Active Directory
• Microsoft’s Directory Service (AD DS) – A set of services to manage network resources
• Domain Controller (DC) – Server running AD DS
• Domain Admin (DA) – The user group that has full control of network resources in the domain
• Local Administrators – The user group that has full control of a local/specific machine
Windows Authentications
• NTLM Authentication
  • Challenge-Response Protocol
• Kerberos
• Single Sign On (SSO)
NTLM Authentication
Source: https://msdn.microsoft.com/en-us/library/ff647076.aspx
Kerberos Authentication
Source: https://msdn.microsoft.com/en-us/library/ff647076.aspx
Kerberos Authentication
• Ticket Granting Ticket (TGT) contains
  • Privilege Attribute Certificate (PAC), which stores
    • Account Name
    • Security Identifiers
    • Group Membership
• User requests a TGT by sending a timestamp encrypted with his secret key (NTLM hash for the RC4 cipher)
• TGT is encrypted and its PAC is signed with the domain KRBTGT’s secret key (NTLM hash) – only readable by the Domain Controller (DC)
• Service ticket issued by the Ticket Granting Service (TGS) is encrypted with the service account’s secret key (NTLM hash)
High Level Methodology
Initial Foothold → Privilege Escalation → Situational Awareness → Lateral Movement → Persistence
*Missing Data Exfiltration
Initial Foothold
• Unpatched Vulnerabilities
• Spear Phishing
• Weak Credentials
Privilege Escalation: User to Local Admin
• Unpatched Vulnerabilities
• System Misconfigurations
  • Passwords stored in SYSVOL or Group Policy Preferences (GPP)
• Check out Paul Craig’s talk on Local Privilege Escalation
http://www.vantagepoint.sg/news/48-security-wednesdays-9-local-privilege-escalation-nus-greyhats or
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
Passwords stored in SYSVOL
• SYSVOL
  • Domain-wide shared folder
  • Stores logon scripts, domain group policies
  • Any authenticated user on the domain can access it
• Scripts with cleartext admin credentials stored in SYSVOL
Passwords stored in SYSVOL
• Group Policy with Password defined for Local Administrator account
• Encryption key is well known
Source: https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
Passwords stored in SYSVOL Mitigation & Detection
• Install KB2962486 to stop new credentials from being stored in GPP, and delete the existing XMLs/Group Policies
• Plant an XML with “Password” in SYSVOL
• Configure a SACL on the XML to audit for access
Why do we need Local Privilege Escalation?
• Gain access to implicit trust relationship artifacts
• Assume artifacts found on one machine could be used to access other machines
• More Information:
http://foofus.net/goons/hinge/presos/insidious-implicit-windows-trust-relationships.pdf
Dump Implicit Trust Relationship Artifacts
• Dump & crack local accounts’ hashes (Hashes == Passwords)
• Dump credentials in memory
• Dump Kerberos tickets
• Dump access tokens
Dump Credentials in memory (mimikatz)
• Single Sign On experience ☺
Dump Credentials Mitigation
• Audit for misconfigurations that can lead to privilege escalation with windows-privesc-check (https://github.com/pentestmonkey/windows-privesc-check) or PowerUp (https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc)
• Install KB2871997 on Windows 7, 8, Server 2008 and 2012
• Deploy Application Whitelisting (AppLocker & Device Guard)
• Get rid of Windows Server 2003
• Have different trust levels for machines – a Domain Admin should not log on to machines with a lower trust level
Dump Credentials Detection
• Monitor the registry value “UseLogonCredential” at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
• Value “1” enables cleartext passwords to be stored in LSASS
• Honey Credentials
Dump Credentials Detection (Not a good idea)
● Detect mimikatz in memory using Sysmon (be careful of the performance impact)
● Look for loading of
  ○ C:\Windows\System32\WinSCard.dll
  ○ C:\Windows\System32\cryptdll.dll
  ○ C:\Windows\System32\hid.dll
  ○ C:\Windows\System32\samlib.dll
  ○ C:\Windows\System32\vaultcli.dll
● LSA Protection enabled – look for mimidrv.sys (mimikatz’s driver to turn off LSA Protection)
● More information:
https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow ← Sysmon Tutorial
https://medium.com/@lennartkoopmann/explaining-and-adapting-tays-sysmon-configuration-27d9719a89a8#.c8sokq3nj
https://cyberwardog.blogspot.sg/2017/03/chronicles-of-threat-hunter-hunting-for.html
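The DLL-load idea above is a correlation, not a single-event match: one process loading all five modules within a short window is the signal, while any one of them on its own is noise. The following is an added example (not from the slides or from any Sysmon configuration) that applies that correlation to Sysmon Event ID 7 (ImageLoad) records already parsed into dicts using Sysmon's field names; the process images, GUIDs and timestamps are constructed.

```python
"""Correlate Sysmon Event ID 7 (ImageLoad) records per process and flag any
process that loads the whole watched DLL set within a short window.
Constructed example with sample records built inline."""
from collections import defaultdict
from datetime import datetime, timedelta

# DLLs from the slide, compared case-insensitively on the file name only.
WATCHED_DLLS = {"winscard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll"}
WINDOW = timedelta(seconds=60)


def flag_suspicious_loads(events, watched=WATCHED_DLLS, window=WINDOW):
    """events: iterable of dicts with UtcTime, ProcessGuid, Image, ImageLoaded.
    Returns (ProcessGuid, Image, first_load, last_load) for every process that
    loaded all watched DLLs within `window`."""
    per_process = defaultdict(dict)  # ProcessGuid -> {dll name: first load time}
    images = {}
    for ev in events:
        dll = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
        if dll not in watched:
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        per_process[ev["ProcessGuid"]].setdefault(dll, ts)
        images[ev["ProcessGuid"]] = ev["Image"]
    hits = []
    for guid, loads in per_process.items():
        if set(loads) != set(watched):
            continue  # incomplete set: a single smart-card or HID load is normal
        first, last = min(loads.values()), max(loads.values())
        if last - first <= window:
            hits.append((guid, images[guid], first, last))
    return hits


def _ev(ts, guid, image, dll):
    """Build one constructed Event ID 7 record with the Sysmon field names."""
    return {"UtcTime": ts, "ProcessGuid": guid, "Image": image,
            "ImageLoaded": "C:\\Windows\\System32\\" + dll}


DLLS = ["WinSCard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll"]


def build_sample_events():
    events = []
    # Constructed: a binary in a user temp directory loads all five within 4 s.
    for i, dll in enumerate(DLLS):
        events.append(_ev(f"2017-03-15 10:22:3{i}.000", "{A1}",
                          "C:\\Users\\labgg\\AppData\\Local\\Temp\\update.exe", dll))
    # Constructed: explorer.exe touches two of them, which is normal.
    events.append(_ev("2017-03-15 10:25:00.000", "{B2}", "C:\\Windows\\explorer.exe", "hid.dll"))
    events.append(_ev("2017-03-15 10:25:01.000", "{B2}", "C:\\Windows\\explorer.exe", "vaultcli.dll"))
    # Constructed: a long-lived service loads all five, but spread over hours.
    for i, dll in enumerate(DLLS):
        events.append(_ev(f"2017-03-15 1{i}:00:00.000", "{C3}",
                          "C:\\Windows\\System32\\svchost.exe", dll))
    return events


if __name__ == "__main__":
    for guid, image, first, last in flag_suspicious_loads(build_sample_events()):
        print(f"ALERT {guid} {image}: all DLLs loaded between {first} and {last}")
```

The window is the tunable: the slide's warning that this is "not a good idea" comes from the volume of ImageLoad events and from legitimate processes that load these modules over their lifetime, which is why the example only fires on the complete set inside one minute and should additionally exclude signed Microsoft images in production.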
Dump Credentials Detection
Source: https://twitter.com/markrussinovich/status/830997478182785024
Dump Credentials Detection Bypass
Source: https://twitter.com/raka_baraka/status/831040028436525056
User Account Control (UAC) is Enabled!
• UAC was introduced in Windows Vista
• Runs processes with standard user rights even if the user is in the Administrators group, unless explicit permission is given
UAC Bypass
• Old School
  • Privileged file copy (IFileOperation COM)
  • DLL Hijacking
  • Auto-elevation
• New School
  • Fileless UAC bypass via registry hijacking
    • Write to HKCU\Software\Classes\mscfile\shell\open\command
    • Launch eventvwr.exe
• More information:
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
https://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/
UAC Bypass Mitigation & Detection
• Reduce the number of users with Administrator privilege
• Set the UAC level to “Always Notify” instead of the default configuration (the default can be bypassed with Disk Cleanup)
• Monitor the registry entry “HKCU\Software\Classes\mscfile\shell\open\command”
• More information:
https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
Situational Awareness
• Port Scan
• DNS Enumeration (SRV records, *._tcp.domain.com)
• Password / Hash Spray
• Service Principal Name (SPN) Scanning
• Domain Enumeration & Admin Hunting
• BloodHound
Password / Hash Spray
• Quick and dirty way to identify access across the network
• Good for a pen test that doesn’t require stealth
Service Principal Name (SPN) Scanning
• An SPN uniquely identifies a service instance for Kerberos authentication
• Gather services across the domain (without a single port scanned!)
Service Principal Name (SPN) Scanning
• PowerShell scripts from Sean Metcalf
https://github.com/PyroTek3/PowerShell-AD-Recon
• Comprehensive list of SPNs
http://adsecurity.org/?page_id=183
• How SPNs are used by Kerberos
http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
Domain Enumeration
Domain Enumeration with PowerView
• PowerView
  • Based on PowerShell
  • Capitalizes on PowerShell alternatives for the “NET” command
  • Capitalizes on the Win32 API
  • Gains network situational awareness
• More Information:
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
Admin Hunting with PowerView
• Implicit trust relationship
  • Look at where the current user has Local Administrator rights
  • Look for where privileged users are logged on
  • Target machines with privileged users
  • Steal their tokens / credentials
  • Profit!
Admin Hunting with PowerView
• Invoke-UserHunter
  • Get a list of hosts from AD
  • Get a list of users of a specific domain group (Domain Admins/Local Administrators)
  • Run NetSessionEnum (user sessions) and NetWkstaUserEnum (logged-on users) with the information gathered
  • (Optionally) Check if the current user has Local Administrator rights on each host
• More Information
http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20
http://www.slideshare.net/harmj0y/i-have-the-powerview
Admin Hunting with PowerView
Source: http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20
BloodHound
• Provides a graphical representation of attack paths based on information gathered via a customized PowerView
• Simplifies admin hunting across the network to achieve Derivative Local Admin
• More information
https://wald0.com/?p=14
http://www.slideshare.net/AndyRobbins3/six-degrees-of-domain-admin-bloodhound-at-def-con-24
https://github.com/BloodHoundAD/BloodHound/wiki
BloodHound
Source: Raphael Mudge – BloodHound - Analyzing Active Directory Trust Relationships, https://www.youtube.com/watch?v=gOpsLiJFI1o
Domain Enumeration Mitigation
• Use Net Cease to modify the default NetSessionEnum permissions
https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
• Upgrade to Windows 10 and Windows Server 2016
• Use SAMRi10 to restrict remote SAM queries (>= Win 10 & Server 2016)
https://www.bleepingcomputer.com/news/security/microsoft-researchers-release-anti-reconnaissance-tool-named-samri10/
Lateral Movement
• Reuse cleartext credentials (not working well after KB2871997)
• Pass the Hash (not working well after KB2871997)
• Pass the Key (Overpass-the-Hash)
• Impersonate Tokens
• Pass the Ticket
• Kerberoasting
Pass the Hash (PtH)
Source: http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
Pass the Hash (PtH)
• Not working well after KB2871997
• Local accounts cannot log in remotely
• PtH is still possible for
  • The default Local Administrator (RID 500) hash
  • Domain hashes
Pass the Key (Overpass the Hash)
• KB2871997 stops Windows from storing cleartext credentials in memory (LSASS)
• NTLM hashes/(e)keys are still stored in memory (SSO)
• Remember how a Kerberos ticket request is done?
Kerberos Authentication Recap
Source: http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
Pass the Key (Overpass the Hash)
• The user’s secret key depends on the cipher used
• Exploit Steps
  • Privilege escalate to Local Admin
  • Dump hashes/(e)keys
  • Create a new process and inject the stolen hash/(e)key into memory
  • SSO will refer to the injected secret key in memory
  • Impersonate the token of the newly created process
  • Win!
Pass the Key (Overpass the Hash)
• User “labgg” is a Domain Admin logged in on the compromised machine
• Some bug with Empire’s “shell” command, so switched it to Meterpreter
More Information:
http://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/
http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
Pass the Ticket
• Export the Ticket-Granting-Ticket (TGT) from the memory of a compromised host
• Import the TGT on the attacker’s machine
• Profit!
Pass the Ticket with MS14-068
• MS14-068
  • Privilege escalation from Authenticated Domain User to Domain Admin by forging the PAC
  • The PAC stores authorization data (group membership, security identifier)
  • Improper validation of the Privilege Attribute Certificate (PAC) signature
Pass the Ticket with MS14-068
More Information:
https://labs.mwrinfosecurity.com/blog/digging-into-ms14-068-exploitation-and-defence/
https://www.trustedsec.com/december-2014/ms14-068-full-compromise-step-step/
https://github.com/bidord/pykek/
Kerberoasting
• A service ticket can be obtained without actually using it
• A service ticket issued by the TGS is encrypted with the target service account’s secret key
• Service accounts are usually privileged accounts on the domain
Kerberoasting
• Why not just crack it?
  • Offline attack without contacting the target service’s machine
Source: https://adsecurity.org/?p=2293
Kerberoasting
More Information:
http://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
https://room362.com/post/2016/kerberoast-pt3/
Kerberoasting Mitigation
• Use passwords with >= 25 characters for service accounts
• Use Managed Service Accounts
• More Information:
https://adsecurity.org/?p=2293
https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx
Kerberoasting Detection
• Enable “Audit Kerberos Service Ticket Operations” for Success
• Look for Event ID 4769 with Ticket Options 0x40810000 and Ticket Encryption Type RC4 (0x17/0x18)
• Create a Honey Service ☺
• More information:
https://adsecurity.org/?p=3458
https://adsecurity.org/?p=3513
Lateral Movement Mitigation
• Deploy Microsoft LAPS on servers and workstations to manage Local Administrator passwords
• Deploy Group Policy: “Deny access to this computer from the network” & “Deny log on through Remote Desktop Services” for “Local account and member of Administrators group” (S-1-5-114) [blocks RID 500 accounts]
• Add users with high privileges to the “Protected Users” group if possible
• Network Segmentation – it’s always about the trust path
• Restrict workstation-to-workstation communication with GPO – Windows Firewall
• More Information:
https://adsecurity.org/?p=3299
https://adsecurity.org/?p=3377
https://technet.microsoft.com/en-us/library/dn466518.aspx
Lateral Movement Mitigation
• Different tiers of administrators for different tiers of servers & workstations
More Information:
https://technet.microsoft.com/en-us/library/mt631193.aspx
Lateral Movement Detection
• Turn on auditing for local account logon
• Turn on auditing for Kerberos
  • Look out for domain names in lower case/non-standard form (not comprehensive)
  • Look out for Ticket Encryption Type 0x17/0x18 (RC4) (not comprehensive)
• More Information:
https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
https://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/
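The Kerberoasting detection (Event 4769 with ticket option 0x40810000 and RC4 encryption, plus a honey service) and the Kerberos lateral movement indicators just above (lower-case or non-standard domain names, RC4 ticket encryption) can be triaged by one piece of logic over 4768/4769 events. The following is an added example, not part of the slides or of the referenced blogs; it assumes the events have already been parsed into dicts keyed by the Windows EventData field names, that the DC writes the domain as CORP.LOCAL, and that svc_honeypot is a decoy service account nothing legitimate ever requests a ticket for. All of those values, and the sample events, are constructed.

```python
"""Triage Kerberos audit events (4768 TGT requests, 4769 service ticket
requests) for the indicators discussed in the slides. Constructed example."""

EXPECTED_DOMAIN = "CORP.LOCAL"       # how the DC writes TargetDomainName (assumed)
HONEY_SERVICES = {"svc_honeypot"}     # decoy SPN accounts (assumed)
RC4_TYPES = {"0x17", "0x18"}          # RC4-HMAC and RC4-HMAC-EXP
KERBEROAST_OPTIONS = "0x40810000"     # forwardable, renewable, canonicalize


def triage_kerberos_events(events, expected_domain=EXPECTED_DOMAIN, honey=HONEY_SERVICES):
    """Return a list of (severity, reason, requester) findings, in event order."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        enc = ev.get("TicketEncryptionType", "").lower()
        dom = ev.get("TargetDomainName", "")
        svc = ev.get("ServiceName", "")
        who = f"{ev.get('TargetUserName')} from {ev.get('IpAddress')}"
        if eid == 4769:
            if svc in honey:
                # Any ticket for the decoy is suspicious regardless of cipher.
                findings.append(("high", f"service ticket requested for decoy SPN account {svc}", who))
            elif (ev.get("TicketOptions", "").lower() == KERBEROAST_OPTIONS
                  and enc in RC4_TYPES
                  and not svc.endswith("$")        # machine accounts: random passwords
                  and svc.lower() != "krbtgt"):
                findings.append(("medium", f"RC4 service ticket for {svc} (possible Kerberoasting)", who))
        if eid in (4768, 4769) and dom.upper() == expected_domain and dom != expected_domain:
            # Genuine tickets carry the realm as the DC writes it.
            findings.append(("medium", f"non-standard domain name casing {dom!r}", who))
        if eid == 4768 and enc in RC4_TYPES:
            findings.append(("low", "RC4-encrypted TGT in an AES-default domain", who))
    return findings


def _k(eid, user, svc, opts, enc, dom=EXPECTED_DOMAIN, ip="10.0.0.25"):
    """Build one constructed event record with the EventData field names."""
    return {"EventID": eid, "TargetUserName": user, "TargetDomainName": dom,
            "ServiceName": svc, "TicketOptions": opts, "TicketEncryptionType": enc,
            "IpAddress": ip}


# Constructed sample events, in the order a collector would deliver them.
SAMPLE_EVENTS = [
    _k(4769, "jdoe@CORP.LOCAL", "WEB01$", "0x40810000", "0x12"),        # AES ticket to a machine account: normal
    _k(4769, "jdoe@CORP.LOCAL", "svc_sql", "0x40810000", "0x17"),       # RC4 ticket for a user SPN account
    _k(4769, "jdoe@CORP.LOCAL", "svc_honeypot", "0x40810000", "0x12"),  # ticket for the decoy service
    _k(4768, "labgg", "krbtgt", "0x40810010", "0x17", dom="corp.local"),  # RC4 TGT, lower-case realm
]


if __name__ == "__main__":
    for severity, reason, who in triage_kerberos_events(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}: {who}")
```

Both the casing rule and the RC4 rule are the "not comprehensive" checks the slide labels them as: a domain with legacy systems will legitimately issue RC4 tickets, so the low-severity finding is for baselining, while the honey service and the decoy-free Kerberoast pattern are the ones worth paging on.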
Persistence
• Hash Dump & Crack the Hashes
• Golden Ticket
• Silver Ticket
Hash Dump & Crack The Hashes
• Old School
  • Get the NTDS.dit file
    • Backup
    • Virtual Machine Disk
    • Shadow Volume
  • Process NTDS.dit for hashes
• New School
  • DCSync (no need for direct access to NTDS.dit)
DCSync
• Impersonate a Domain Controller
• Replicate user credentials via the Directory Replication Service (DRS) Remote Protocol
• No code execution required, however “Domain Admins” privilege is needed
• If used with “Domain Controllers” privilege, it will not be logged
Golden Ticket
• Forged TGT with admin privilege, then Pass the Ticket (PtT)
• TGT is encrypted & signed with
  • The domain KRBTGT’s secret key
• Important to note that KRBTGT’s password is almost never changed
• Information required to create a Golden Ticket
  • Domain Name
  • Domain SID
  • Domain KRBTGT NTLM hash/(e)keys
  • User ID for impersonation
More Information:
https://blog.didierstevens.com/2016/08/12/mimikatz-golden-ticket-dcsync/
http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
Silver Ticket
• Forged service ticket
• Requires only the service account’s key instead of KRBTGT’s
• Access is restricted to the specific service
• More Information:
https://adsecurity.org/?p=2011
Persistence Mitigation and Detection
• Change KRBTGT’s password twice (to purge the password history) and regularly
• Look out for RC4 Kerberos traffic – from Vista onwards the default cipher for Kerberos is AES (not comprehensive)
• Use Group Managed Service Accounts
• More information:
https://adsecurity.org/?p=1515
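Why "twice": the KDC keeps the previous KRBTGT key alongside the current one so that tickets issued before a rotation keep working, which also means a ticket minted under a leaked key survives one reset. The toy model below is an added illustration, not the slides' content or real Kerberos code: it replaces Kerberos encryption with an HMAC over the ticket body and keeps exactly one generation of key history, which is the behaviour the slide's advice depends on. Principal and key values are constructed.

```python
"""Toy model of KRBTGT key history: the KDC accepts tickets under the current
or the previous key, so only two rotations invalidate a ticket minted under
an old key. Constructed illustration, not Kerberos itself."""
import hashlib
import hmac
import json
import os


class ToyKDC:
    def __init__(self):
        self.current_key = os.urandom(32)
        self.previous_key = None  # one generation of KRBTGT history, as in AD

    def rotate_krbtgt(self):
        """Model a KRBTGT password change: old key moves into history."""
        self.previous_key, self.current_key = self.current_key, os.urandom(32)

    @staticmethod
    def mint_tgt(key, principal):
        """A TGT is a body plus a MAC under the KRBTGT key (stand-in for
        encryption and the PAC signature)."""
        body = json.dumps({"cname": principal}).encode()
        return body, hmac.new(key, body, hashlib.sha256).digest()

    def issue_tgt(self, principal):
        return self.mint_tgt(self.current_key, principal)

    def accept_tgt(self, tgt):
        """The KDC tries the current key, then the previous one."""
        body, mac = tgt
        for key in (self.current_key, self.previous_key):
            if key is None:
                continue
            if hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
                return True
        return False


def rotation_effect(rotations):
    """Issue a TGT, rotate KRBTGT `rotations` times, report whether the old
    ticket is still accepted."""
    kdc = ToyKDC()
    tgt = kdc.issue_tgt("administrator@CORP.LOCAL")  # constructed principal
    for _ in range(rotations):
        kdc.rotate_krbtgt()
    return kdc.accept_tgt(tgt)


if __name__ == "__main__":
    for n in range(3):
        print(f"after {n} rotation(s): old TGT accepted = {rotation_effect(n)}")
```

In a real domain the two resets must be separated by at least the replication interval (and a full ticket lifetime if you want no user disruption), because a DC that has not yet received the new key would otherwise start rejecting legitimate tickets; the model ignores replication entirely.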
Mitigations for PowerShell Activities
● Lock down PowerShell.exe, PowerShell_ISE.exe (not ideal)
● Uninstall PowerShell v2
● Use PowerShell v5 with
  ○ Constrained Language Mode with AppLocker / Device Guard
  ○ Logging of all PowerShell activity (Module Logging, Script Block Logging, system-wide Transcript Logging)
● More information:
https://adsecurity.org/?p=2604
Microsoft Advanced Threat Analytics (ATA)
• Machine learning platform that detects quite a number of the things we have discussed
• Receives logs and events from SIEM and Windows Event Forwarding (WEF)
• More information:
https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats
https://adsecurity.org/?p=1583
https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-8b0a86bc/file/169608/1/ATA%20Playbook.pdf
Microsoft Advanced Threat Analytics
Source: https://blogs.technet.microsoft.com/enterprisemobility/2015/05/04/microsoft-advanced-threat-analytics-public-preview-release-is-now-available/
Q & A?
Reference
• Adversarial Tactics, Techniques & Common Knowledge
https://attack.mitre.org/wiki/Main_Page
• Attack Methods for Gaining Domain Admin Rights in Active Directory
https://adsecurity.org/?p=2362
• Protecting Windows Networks – Kerberos Attacks
https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
• The Most Common Active Directory Security Issues and What You Can Do to Fix Them
https://adsecurity.org/?p=1684
• Building an Empire with PowerShell
http://www.slideshare.net/harmj0y/building-an-empire-with-powershell
• Mimikatz and DCSync and ExtraSids, Oh My
http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
• Make PowerView Great Again
http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
• Six Degrees of Domain Admin
https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Robbins-Vazarkar-Schroeder-Six-Degrees-of-Domain-Admin.pdf
• kerberos, kerberoast and golden tickets
https://leonjza.github.io/blog/2016/01/09/kerberos-kerberoast-and-golden-tickets/
• Mimikatz 2.0 - Silver Ticket Walkthrough
https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html#Why

 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Recently uploaded (20)

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

Attacker's Perspective of Active Directory

1. Attacker’s Perspective of Active Directory
Sunny Neo

2. whoami
• Penetration Tester
• Disclaimer: All opinions are mine alone, not a representation of the company I work for or organizations I am affiliated with
• None of these materials are original. They are just a compilation of research done by awesome people
• Test all recommendations first, before implementing them. I take no liability if they mess up your environment

3. Shout Out
• Sean Metcalf (@PyroTek3) for running https://adsecurity.org
• Will Schroeder (@harmj0y) for developing and releasing tools for Modern Red Teaming (Empire, PowerSploit, Veil-Framework, BloodHound)
• Benjamin Delpy (@gentilkiwi) for mimikatz and continuously improving it
• And everyone else who contributed!

4. Defender’s Dilemma
• Cliché
• Attackers just need to win once
• Defenders need to win all the time

5. Attacker’s Dilemma
• The new cliché
• Attackers need to evade all detection
• Defenders just need one alarm/trigger to know attackers are in
• “Defender's Dilemma vs Intruder's Dilemma” – TaoSecurity (2009)

6. Assume Breach Mentality
• Prepare for threats beyond the WALL (Defence in Depth / Layered Defence) – CYBER RESILIENCE
• Contain threats (limit the attacker’s movement)
• Detect & Respond to threats (Threat Hunting / IOC) – CYBER AGILITY
• Prevention is still important, but it is critical to move beyond it

7. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™)
Source: https://attack.mitre.org/wiki/Main_Page
Red Team’s Tactics, Techniques and Procedures (TTPs)

8. Active Directory
• Microsoft’s Directory Service (AD DS) – A set of services to manage network resources
• Domain Controller (DC) – Server running AD DS
• Domain Admin (DA) – The user group that has full control of network resources in the Domain
• Local Administrators – The user group that has full control of a local/specific machine

9. Windows Authentications
• NTLM Authentication
  • Challenge-Response Protocol
• Kerberos
• Single Sign On (SSO)
12. Kerberos Authentication
• Ticket Granting Ticket (TGT) contains
  • Privilege Attribute Certificate (PAC), which stores
    • Account Name
    • Security Identifiers
    • Group Membership
• The user requests a TGT by sending a timestamp encrypted with his secret key (the NTLM hash, for the RC4 cipher)
• The TGT is encrypted and its PAC is signed with the domain KRBTGT account’s secret key (NTLM hash) – only readable by a Domain Controller (DC)
• A service ticket issued by the Ticket Granting Service (TGS) is encrypted with the service account’s secret key (NTLM hash)

15. Privilege Escalation: User to Local Admin
• Unpatched Vulnerabilities
• System Misconfigurations
  • Passwords stored in SYSVOL or Group Policy Preferences (GPP)
• Check out Paul Craig’s talk on Local Privilege Escalation
  http://www.vantagepoint.sg/news/48-security-wednesdays-9-local-privilege-escalation-nus-greyhats
  or https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
16. Passwords stored in SYSVOL
• SYSVOL
  • Domain-wide shared folder
  • Stores logon scripts and domain group policies
  • Any authenticated user on the domain can access it
• Scripts with cleartext admin credentials stored in SYSVOL

17. Passwords stored in SYSVOL
• Group Policy with a password defined for the Local Administrator account

18. Passwords stored in SYSVOL
• The encryption key is well known
Source: https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx

19. Passwords stored in SYSVOL

20. Passwords stored in SYSVOL – Mitigation & Detection
• Install KB2962486 to stop new credentials from being stored in GPP, and delete the existing XMLs/Group Policies
• Plant an XML with “Password” in SYSVOL
• Configure a SACL on the XML to audit access to it
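One way to find the existing policies the mitigation slide says to delete is to scan the GPP XML files under SYSVOL for a cpassword attribute. The Python below is an added example, not part of the deck: the XML it parses is a constructed sample, and the policy GUID, uid and cpassword value in it are placeholders.

```python
"""Audit Group Policy Preference XML for stored credentials.

Added example (not from the slide deck). GPP files such as Groups.xml,
Services.xml, ScheduledTasks.xml, DataSources.xml and Drives.xml live under
\\<domain>\SYSVOL\<domain>\Policies\<GUID>\...\Preferences\ and, when a
password was set, carry it as a 'cpassword' attribute on the Properties
element. The scan reports every such element so the policy can be removed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Attribute naming the account the stored password belongs to, by file type:
# Groups.xml/Drives.xml use userName, Services.xml uses accountName,
# ScheduledTasks.xml uses runAs, DataSources.xml uses username.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


@dataclass
class Finding:
    path: str      # SYSVOL-relative path of the XML file
    element: str   # wrapper element: User, NTService, Task, DataSource, Drive
    account: str
    changed: str   # 'changed' timestamp of the wrapper element, if present
    empty: bool    # True when cpassword="" (password explicitly blank)


def scan_gpp_xml(path: str, xml_text: str) -> List[Finding]:
    """Return one Finding per Properties element carrying cpassword."""
    findings: List[Finding] = []
    root = ET.fromstring(xml_text)
    # The account and cpassword sit on the Properties child; the 'changed'
    # timestamp sits on its parent (User, NTService, Task, ...).
    for parent in root.iter():
        for child in parent:
            if child.tag != "Properties" or "cpassword" not in child.attrib:
                continue
            account = next((child.attrib[a] for a in ACCOUNT_ATTRS
                            if a in child.attrib), "<unknown>")
            findings.append(Finding(
                path=path,
                element=parent.tag,
                account=account,
                changed=parent.attrib.get("changed", ""),
                empty=child.attrib["cpassword"] == "",
            ))
    return findings


def scan_sysvol(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of {relative path: XML text}. On a real share you would
    build it by walking the Policies tree for *.xml below Preferences."""
    out: List[Finding] = []
    for path, text in files.items():
        try:
            out.extend(scan_gpp_xml(path, text))
        except ET.ParseError:
            pass   # a malformed file deserves a log line, not a crash
    return out


# Constructed sample: one policy that sets the local Administrator password
# (placeholder cpassword, not a real blob) and one that only edits a group.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator"
        changed="2017-03-10 08:15:22" uid="{PLACEHOLDER-UID}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CPASSWORD_BLOB=" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="Administrator"/>
  </User>
  <Group clsid="{PLACEHOLDER-CLSID}" name="Remote Desktop Users"
         changed="2017-03-10 08:16:00">
    <Properties action="U" groupName="Remote Desktop Users"/>
  </Group>
</Groups>
"""

SAMPLE_FILES = {
    "Policies/{PLACEHOLDER-GPO-GUID}/Machine/Preferences/Groups/Groups.xml":
        SAMPLE_GROUPS_XML,
}

if __name__ == "__main__":
    for f in scan_sysvol(SAMPLE_FILES):
        print(f"{f.path}: <{f.element}> account={f.account} "
              f"changed={f.changed!r} empty_password={f.empty}")
```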
21. Why do we need Local Privilege Escalation?

22. Why do we need to Privilege Escalate?
• Gain access to implicit trust relationship artifacts
• Assume artifacts found on one machine could be used to access other machines
• More Information: http://foofus.net/goons/hinge/presos/insidious-implicit-windows-trust-relationships.pdf

23. Dump Implicit Trust Relationship Artifacts
• Dump & Crack Local Accounts’ Hashes (Hashes == Passwords)
• Dump Credentials in memory
• Dump Kerberos Tickets
• Dump Access Tokens

24. Dump Credentials in memory (mimikatz)
• Single Sign On experience ☺

25. Dump Credentials Mitigation
• Audit for misconfigurations that can lead to privilege escalation with windows-privesc-check (https://github.com/pentestmonkey/windows-privesc-check) or PowerUp (https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc)
• Install KB2871997 on Windows 7, 8, Server 2008 and 2012
• Deploy Application Whitelisting (AppLocker & Device Guard)
• Get rid of Windows Server 2003
• Have different trust levels for machines – a Domain Admin should not log on to machines with a lower Trust Level

26. Dump Credentials Detection
• Monitor the registry value “UseLogonCredential” at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
• Value “1” enables cleartext passwords to be stored in LSASS
• Honey Credentials
27. Dump Credentials Detection (Not a good idea)
• Detect mimikatz in memory using Sysmon (be careful of the performance impact)
• Look for loading of
  • C:\Windows\System32\WinSCard.dll
  • C:\Windows\System32\cryptdll.dll
  • C:\Windows\System32\hid.dll
  • C:\Windows\System32\samlib.dll
  • C:\Windows\System32\vaultcli.dll
• LSA Protection enabled – mimidrv.sys (mimikatz’s driver to turn off LSA Protection)
• More information:
  https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow ← Sysmon Tutorial
  https://medium.com/@lennartkoopmann/explaining-and-adapting-tays-sysmon-configuration-27d9719a89a8#.c8sokq3nj
  https://cyberwardog.blogspot.sg/2017/03/chronicles-of-threat-hunter-hunting-for.html
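The Sysmon rule on this slide only means something when one process loads the whole set of DLLs, so the correlation has to be per process. The script below is an added example, not from the deck or Sysmon itself: it walks Sysmon Event ID 7 records (constructed here, with placeholder process GUIDs and image paths) and reports processes that load all five within a short window.

```python
"""Correlate Sysmon Event ID 7 (Image loaded) records per process.

Added example, not from the slide deck. The slide's rule fires when one
process loads all five DLLs it lists; any one of them on its own is routine
(smart-card, HID and Credential Manager code use them), so the match is per
process and must complete within a short window. As the slide warns, this
is a noisy and bypassable signal: treat a hit as a lead to check the image
path and signer, not as a verdict. Events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable

WATCHED_DLLS = {
    r"c:\windows\system32\winscard.dll",
    r"c:\windows\system32\cryptdll.dll",
    r"c:\windows\system32\hid.dll",
    r"c:\windows\system32\samlib.dll",
    r"c:\windows\system32\vaultcli.dll",
}
WINDOW = timedelta(seconds=30)   # all five loads must fall inside this


def _parse_utc(s: str) -> datetime:
    # Sysmon UtcTime looks like "2017-03-10 09:15:00.123"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def find_full_loaders(events: Iterable[dict]) -> Dict[str, str]:
    """Return {ProcessGuid: Image} for every process whose event-7 records
    cover the whole WATCHED_DLLS set within WINDOW."""
    first_seen = defaultdict(dict)   # guid -> {dll: time of first load}
    image_of: Dict[str, str] = {}
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        dll = ev["ImageLoaded"].lower()
        if dll not in WATCHED_DLLS:
            continue
        guid = ev["ProcessGuid"]
        image_of[guid] = ev["Image"]
        first_seen[guid].setdefault(dll, _parse_utc(ev["UtcTime"]))
    hits: Dict[str, str] = {}
    for guid, loads in first_seen.items():
        if len(loads) == len(WATCHED_DLLS):
            if max(loads.values()) - min(loads.values()) <= WINDOW:
                hits[guid] = image_of[guid]
    return hits


def _ev(guid: str, image: str, dll: str, utc: str) -> dict:
    return {"EventID": 7, "ProcessGuid": guid, "Image": image,
            "ImageLoaded": dll, "UtcTime": utc}


_SYS32 = r"C:\Windows\System32"
_ALL_FIVE = ["WinSCard.dll", "cryptdll.dll", "hid.dll", "samlib.dll",
             "vaultcli.dll"]

# Constructed sample log: explorer.exe touching two of the DLLs (benign),
# an unknown binary pulling in all five within a few milliseconds, and a
# process that loads all five but spread over twenty minutes (outside the
# window, so not reported).
SAMPLE_EVENTS = [
    _ev("{B}", r"C:\Windows\explorer.exe", rf"{_SYS32}\vaultcli.dll",
        "2017-03-10 09:00:00.101"),
    _ev("{B}", r"C:\Windows\explorer.exe", rf"{_SYS32}\WinSCard.dll",
        "2017-03-10 09:00:00.230"),
    *[_ev("{A}", r"C:\Tools\unknown.exe", rf"{_SYS32}\{d}",
          f"2017-03-10 09:15:00.{100 + i:03d}")
      for i, d in enumerate(_ALL_FIVE)],
    *[_ev("{C}", r"C:\Program Files\Vendor\agent.exe", rf"{_SYS32}\{d}",
          f"2017-03-10 09:{20 + 5 * i:02d}:00.000")
      for i, d in enumerate(_ALL_FIVE)],
]

if __name__ == "__main__":
    for guid, image in find_full_loaders(SAMPLE_EVENTS).items():
        print(f"process {guid} ({image}) loaded all watched DLLs")
```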
28. Dump Credentials Detection
Source: https://twitter.com/markrussinovich/status/830997478182785024

29. Dump Credentials Detection Bypass
Source: https://twitter.com/raka_baraka/status/831040028436525056

30. User Account Control (UAC) is Enabled!
• UAC has been present since Windows Vista
• Processes run with standard user rights even if the user is in the Administrators group, unless explicit permission is given

31. UAC Bypass
• Old School
  • Privileged File Copy (IFileOperation COM)
  • DLL Hijacking
  • Auto-elevation
• New School
  • Fileless UAC Bypass via Registry Hijacking
  • Write to HKCU\Software\Classes\mscfile\shell\open\command
  • Launch eventvwr.exe
• More information:
  https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
  https://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/

32. UAC Bypass Mitigation & Detection
• Reduce the number of users with Administrator privilege
• Set the UAC level to “Always Notify” instead of the default configuration (the default can be bypassed with Disk Cleanup)
• Monitor the registry entry “HKCU\Software\Classes\mscfile\shell\open\command”
• More information: https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
33. Situational Awareness
• Port Scan
• DNS Enumeration (SRV records, *._tcp.domain.com)
• Password / Hash Spray
• Service Principal Name (SPN) Scanning
• Domain Enumeration & Admin Hunting
• BloodHound

34. Password / Hash Spray
• Quick and dirty way to identify access across the network
• Good for a pen test that doesn’t require stealth

35. Service Principal Name (SPN) Scanning
• An SPN uniquely identifies a service instance for Kerberos Authentication
• Gather services across the domain (without a single port scanned!)

36. Service Principal Name (SPN) Scanning
• PowerShell scripts from Sean Metcalf: https://github.com/PyroTek3/PowerShell-AD-Recon
• Comprehensive list of SPNs: http://adsecurity.org/?page_id=183
• How SPNs are used by Kerberos: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx

39. Domain Enumeration with PowerView
• PowerView
  • Based on PowerShell
  • Capitalizes on PowerShell alternatives to the “NET” command
  • Capitalizes on the Win32 API
  • Gains network situational awareness
• More Information: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

40. Domain Enumeration with PowerView

41. Domain Enumeration with PowerView

42. Domain Enumeration with PowerView

43. Domain Enumeration with PowerView
44. Admin Hunting with PowerView
• Implicit trust relationship
• Look at where the current user has Local Administrators rights
• Look for where privileged users are logged on
• Target machines with privileged users
• Steal their tokens / credentials
• Profit!

45. Admin Hunting with PowerView
• Invoke-UserHunter
  • Get a list of hosts from AD
  • Get a list of users of a specific Domain Group (Domain Admins/Local Administrators)
  • Run NetSessionEnum (user sessions) and NetWkstaUserEnum (logged-on users) with the information gathered
  • (Optionally) Check if the current user has Local Administrators rights on each host
• More Information
  http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20
  http://www.slideshare.net/harmj0y/i-have-the-powerview

46. Admin Hunting with PowerView
Source: http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20

47. Admin Hunting with PowerView

48. BloodHound
• Provides a graphical representation of attack paths based on information gathered via a customized PowerView
• Simplifies Admin Hunting across the network to achieve Derivative Local Admin
• More information
  https://wald0.com/?p=14
  http://www.slideshare.net/AndyRobbins3/six-degrees-of-domain-admin-bloodhound-at-def-con-24
  https://github.com/BloodHoundAD/BloodHound/wiki

49. BloodHound
Source: Raphael Mudge – BloodHound - Analyzing Active Directory Trust Relationships https://www.youtube.com/watch?v=gOpsLiJFI1o

50. Domain Enumeration Mitigation
• Use Net Cease to modify the default NetSessionEnum permissions: https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
• Upgrade to Windows 10 and Windows Server 2016
• Use SAMRi10 to restrict remote SAM queries (>= Win 10 & Server 2016): https://www.bleepingcomputer.com/news/security/microsoft-researchers-release-anti-reconnaissance-tool-named-samri10/
51. Lateral Movement
• Reuse cleartext credentials (not working well after KB2871997)
• Pass the Hash (not working well after KB2871997)
• Pass the Key (Overpass-the-Hash)
• Impersonate Tokens
• Pass the Ticket
• Kerberoasting

52. Pass the Hash (PtH)
Source: http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it

53. Pass the Hash (PtH)
• Not working well after KB2871997
• Local accounts cannot log in remotely
• PtH still possible for
  • Default Local Administrator (RID 500) hash
  • Domain hashes

54. Pass the Key (Overpass the Hash)
• KB2871997 stops Windows from storing cleartext credentials in memory (LSASS)
• NTLM hashes/(e)keys are still stored in memory (SSO)
• Remember how a Kerberos ticket request is done?

55. Kerberos Authentication Recap
Source: http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it

57. Pass the Key (Overpass the Hash)
• The user’s secret key depends on the cipher used
• Exploit Steps
  • Privilege escalate to Local Admin
  • Dump hashes/(e)keys
  • Create a new process and inject the stolen hash/(e)key into memory
  • SSO will refer to the injected secret key in memory
  • Impersonate the token of the newly created process
  • Win!

58. Pass the Key (Overpass the Hash)
• User “labgg” is a Domain Admin logged in on the compromised machine

59. Pass the Key (Overpass the Hash)

60. Pass the Key (Overpass the Hash)
• Some bug with Empire’s “shell” command, so switched to Meterpreter

61. Pass the Key (Overpass the Hash)
More Information:
http://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/
http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
62. Pass the Ticket
• Export the Ticket-Granting-Ticket (TGT) from the memory of a compromised host
• Import the TGT into the attacker’s machine
• Profit!

63. Pass the Ticket with MS14-068
• MS14-068
  • Privilege escalation from Authenticated Domain User to Domain Admin by forging the PAC
  • The PAC stores Authorization Data (Group Membership, Security Identifier)
  • Improper validation of the Privilege Attribute Certificate (PAC) signature

64. Pass the Ticket with MS14-068
More Information:
https://labs.mwrinfosecurity.com/blog/digging-into-ms14-068-exploitation-and-defence/
https://www.trustedsec.com/december-2014/ms14-068-full-compromise-step-step/
https://github.com/bidord/pykek/

65. Pass the Ticket with MS14-068

66. Kerberoasting
• A service ticket can be obtained without actually using it
• A service ticket issued by the TGS is encrypted with the target service account’s secret key
• Service accounts are usually privileged accounts on the domain

67. Kerberoasting
• Why not just crack it?
  • Offline attack without contacting the target service’s machine
Source: https://adsecurity.org/?p=2293
70. Kerberoasting Mitigation
• Use passwords with >= 25 characters for Service Accounts
• Use Managed Service Accounts
• More Information:
  https://adsecurity.org/?p=2293
  https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx

71. Kerberoasting Detection
• Enable “Audit Kerberos Service Ticket Operations” for Success
• Look for Event 4769 with Ticket Options 0x40810000 and Ticket Encryption Type RC4 (0x17/0x18)
• Create a Honey Service ☺
• More information:
  https://adsecurity.org/?p=3458
  https://adsecurity.org/?p=3513

72. Lateral Movement Mitigation
• Deploy Microsoft LAPS on servers and workstations to manage Local Administrator passwords
• Deploy Group Policy: “Deny access to this computer from the network” & “Deny log on through Remote Desktop Services” for “Local account and member of Administrators group” or “*S-1-5-114” [blocks RID 500 accounts]
• Add users with high privileges to the “Protected Users” group if possible
• Network Segmentation – it’s always about the Trust Path
• Restrict workstation-to-workstation communication with GPO – Windows Firewall
• More Information:
  https://adsecurity.org/?p=3299
  https://adsecurity.org/?p=3377
  https://technet.microsoft.com/en-us/library/dn466518.aspx

73. Lateral Movement Mitigation
• Different tiers of administrators for different tiers of servers & workstations
More Information: https://technet.microsoft.com/en-us/library/mt631193.aspx

74. Lateral Movement Detection
• Turn on auditing for Local Account Logon
• Turn on auditing for Kerberos
  • Look out for domain names in lower case/non-standard form (not comprehensive)
  • Look out for Ticket Encryption Type 0x17/0x18 for RC4 (not comprehensive)
• More Information:
  https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
  https://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/
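The Kerberoasting Detection (slide 71) and Lateral Movement Detection (slide 74) checks both come down to reading Event ID 4769. The script below is an added example, not from the deck: it runs those checks over constructed 4769 records (the realm CORP.EXAMPLE.COM, the account names and the SPNs are placeholders) and adds a burst rule, since a legitimate legacy application tends to ask for one RC4 ticket, not a dozen different ones in a minute.

```python
"""Hunt in Event ID 4769 (Kerberos service ticket requested) records.

Added example, not from the slide deck. It implements the checks the
Kerberoasting Detection and Lateral Movement Detection slides describe:
RC4 service tickets (encryption type 0x17/0x18) requested with ticket
options 0x40810000, a burst of such requests for many distinct SPNs from one
account, and a realm that is not the expected upper-case domain name.
Records are constructed dicts keyed by the EventData field names Windows
uses (TimeCreated is taken from the event's System section);
CORP.EXAMPLE.COM and the account names are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

EXPECTED_REALM = "CORP.EXAMPLE.COM"   # placeholder: your domain, upper case
RC4_TYPES = {0x17, 0x18}
ROAST_OPTIONS = 0x40810000            # forwardable | renewable | canonicalize
BURST_WINDOW = timedelta(minutes=5)
BURST_SPNS = 5                        # distinct services in one window

Alert = Tuple[str, str, str]          # (account, rule, detail)


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def analyze_4769(events: Iterable[dict]) -> List[Alert]:
    alerts: List[Alert] = []
    rc4_requests: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("Status", "0x0") != "0x0":
            continue                     # only successful TGS requests
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue                     # computer accounts / the TGS itself: noise here
        user = ev["TargetUserName"]
        enc = int(ev["TicketEncryptionType"], 16)
        opts = int(ev["TicketOptions"], 16)
        if enc in RC4_TYPES and opts == ROAST_OPTIONS:
            alerts.append((user, "rc4-service-ticket", svc))
            rc4_requests[user].append((_t(ev["TimeCreated"]), svc))
        realm = ev["TargetDomainName"]
        if realm != EXPECTED_REALM:      # lower-case / non-standard realm
            alerts.append((user, "unexpected-realm", realm))
    # Burst rule: many distinct SPNs as RC4 tickets from one account in a
    # short window looks like a sweep rather than a single legacy service.
    for user, reqs in rc4_requests.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - t0 <= BURST_WINDOW}
            if len(spns) >= BURST_SPNS:
                alerts.append((user, "kerberoast-burst", f"{len(spns)} SPNs"))
                break
    return alerts


def _ev(time: str, user: str, svc: str, enc: str,
        realm: str = EXPECTED_REALM, opts: str = "0x40810000") -> dict:
    return {"EventID": 4769, "TimeCreated": time, "TargetUserName": user,
            "TargetDomainName": realm, "ServiceName": svc,
            "TicketOptions": opts, "TicketEncryptionType": enc,
            "Status": "0x0"}


# Constructed sample: normal AES requests, one account sweeping six SPNs
# with RC4 in seconds, and one request carrying a lower-case realm.
SAMPLE_EVENTS = [
    _ev("2017-03-10T09:00:01", "alice@CORP.EXAMPLE.COM", "FILESRV01$", "0x12"),
    _ev("2017-03-10T09:00:05", "alice@CORP.EXAMPLE.COM", "sqlsvc", "0x12"),
    *[_ev(f"2017-03-10T09:12:{i:02d}", "bob@CORP.EXAMPLE.COM", s, "0x17")
      for i, s in enumerate(["sqlsvc", "httpsvc", "mssqlsvc2", "backupsvc",
                             "sccmsvc", "exchsvc"])],
    _ev("2017-03-10T09:30:00", "carol@CORP.EXAMPLE.COM", "sqlsvc", "0x12",
        realm="corp.example.com"),
]

if __name__ == "__main__":
    for account, rule, detail in analyze_4769(SAMPLE_EVENTS):
        print(f"{rule:20} {account:30} {detail}")
```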
75. Persistence
• Hash Dump & Crack the Hashes
• Golden Ticket
• Silver Ticket

76. Hash Dump & Crack The Hashes
• Old School
  • Get the NTDS.dit file
    • Backup
    • Virtual Machine Disk
    • Shadow Volume
  • Process NTDS.dit for hashes
• New School
  • DCSync (no need for direct access to NTDS.dit)

77. DCSync
• Impersonate a Domain Controller
• Replicate user credentials via the Directory Replication Service (DRS) Remote Protocol
• No code execution required; however, “Domain Admins” privilege is needed
• If used with “Domain Controllers” privilege, it will not be logged

79. Golden Ticket
• Forged TGT with Admin privilege, then PTT
• The TGT is encrypted & signed by
  • the domain KRBTGT account’s secret key
  • Important to note that KRBTGT’s password is almost never changed
• Information required to create a Golden Ticket
  • Domain Name
  • Domain SID
  • Domain KRBTGT NTLM hash/(e)keys
  • UserID for impersonation

83. Silver Ticket
• Forged Service Ticket
• Requires only the service account key instead of KRBTGT’s
• Access is restricted to the specific service
• More Information: https://adsecurity.org/?p=2011

86. Persistence Mitigation and Detection
• Change KRBTGT’s password twice (to purge the password history) and regularly
• Look out for RC4 Kerberos traffic – from Vista onwards the default cipher for Kerberos is AES (not comprehensive)
• Use Group Managed Service Accounts
• More information: https://adsecurity.org/?p=1515
87. Mitigations for PowerShell Activities
• Lock down PowerShell.exe and PowerShell_ISE.exe (not ideal)
• Uninstall PowerShell v2
• Use PowerShell v5 with
  • Constrained Language Mode with AppLocker / Device Guard
  • Logging of all PowerShell activities (Module Logging, Script Block Logging, System-wide Transcript Logging)
• More information: https://adsecurity.org/?p=2604

88. Microsoft Advanced Threat Analytics (ATA)
• Machine Learning platform to detect quite a number of the things we have discussed
• Receives logs and events from SIEM and Windows Event Forwarding (WEF)
• More information:
  https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats
  https://adsecurity.org/?p=1583
  https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-8b0a86bc/file/169608/1/ATA%20Playbook.pdf

89. Microsoft Advanced Threat Analytics
Source: https://blogs.technet.microsoft.com/enterprisemobility/2015/05/04/microsoft-advanced-threat-analytics-public-preview-release-is-now-available/
91. Reference
• Adversarial Tactics, Techniques & Common Knowledge – https://attack.mitre.org/wiki/Main_Page
• Attack Methods for Gaining Domain Admin Rights in Active Directory – https://adsecurity.org/?p=2362
• Protecting Windows Networks – Kerberos Attacks – https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
• The Most Common Active Directory Security Issues and What You Can Do to Fix Them – https://adsecurity.org/?p=1684
• Building an Empire with PowerShell – http://www.slideshare.net/harmj0y/building-an-empire-with-powershell

92. Reference
• Mimikatz and DCSync and ExtraSids, Oh My – http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
• Make PowerView Great Again – http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
• Six Degrees of Domain Admin – https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Robbins-Vazarkar-Schroeder-Six-Degrees-of-Domain-Admin.pdf
• kerberos, kerberoast and golden tickets – https://leonjza.github.io/blog/2016/01/09/kerberos-kerberoast-and-golden-tickets/
• Mimikatz 2.0 - Silver Ticket Walkthrough – https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html#Why