Enumerating Active Directory: Lateral Movement and Privilege Escalation
Sylvain Cortes
FS-ISAC - Enumerating Active Directory: Lateral Movement and Privilege Escalation
1.
Enumerating Active Directory: Lateral Movement and Privilege Escalation
Security Evangelist & Microsoft MVP
© ALSID COPYRIGHT 2021
2.
Attack structure
The attackers are looking for the easiest path into the network, then they want to move laterally and gain privileges. Once obtained, they can spread ransomware, steal data, and more.
Attack steps:
1. Infect endpoint with phishing or e-mail attack, and gain local admin privileges
2. Install payload, disable local defense, start to enumerate AD and the network topology
3. Attempt to move laterally, to other endpoints, servers, and devices
4. Exploit known configurations to gain privileges on different servers using AD
5. Create backdoors and persistence within AD and other network devices
6. Collect data and/or encrypt data - Steal data for economic intelligence
3.
Enumeration tools
Tools: Bloodhound, PowerView, Ldapdomaindump, Adidnsdump, ACLight, ADRecon
Objects/settings: Domains and trusts, Domain SID, Password Policy, DCs, Domain Users and attributes, Domain computers, Domain Groups and Members, Shared folders, Group Policies, OUs, ACLs, Sessions, Local Admin Rights, …
Actions/privileges: AdminTo, MemberOf, HasSession, ForceChangePassword, AddMembers, CanRDP, CanPSRemote, ExecuteDCOM, SQLAdmin, AllowedToDelegate, GetChangesAll, GenericAll, WriteDacl, Owns, …
Sources:
https://bloodhound.readthedocs.io/en/latest/data-analysis/nodes.html
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#useful-enumeration-tools
https://mcpmag.com/articles/2019/11/13/bloodhound-active-directory-domain-admin.aspx
4.
Analyzing the enumeration
Leverage Unknown Settings
- Kerberos Delegations
- adminSDHolder
- adminCount
- SYSVOL permissions
Leverage Cloud Settings
- AAD Connect permissions
- AAD Sync
- AAD SSO
- Bounce to Azure AD
Leverage Old Settings
- Service Principal Names
- Primary Group ID
- SIDHistory
- AD Delegations
- GP Delegations
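The "unknown" and "old" settings on this slide are exactly the attributes a defender should audit before anyone else enumerates them. The Python script below is an added example, not part of this deck or of Alsid's tooling: it runs those checks over constructed user records shaped like LDAP attributes (in a real audit the records would come from an LDAP search or Get-ADUser -Properties, with nested group membership expanded), flagging a stale adminCount, a populated SIDHistory, a non-default primaryGroupID, an SPN on a user account and unconstrained Kerberos delegation. The cloud settings and the SYSVOL/GP permissions on the slide are outside this example.

```python
"""Audit AD user records for the settings the slide lists as leverageable.

Added example; the records below are constructed to look like LDAP attributes
and are not real directory data. A production audit would feed in the output
of an LDAP search (or Get-ADUser -Properties *) and expand nested groups.
"""

# userAccountControl bit meaning the account is trusted for unconstrained
# Kerberos delegation (TRUSTED_FOR_DELEGATION).
UAC_TRUSTED_FOR_DELEGATION = 0x80000
# Default primaryGroupID of a user object: RID 513 = Domain Users.
DOMAIN_USERS_RID = 513
# Groups whose members are protected by AdminSDHolder; AD sets adminCount=1
# on them and never clears it again when they leave the group.
PROTECTED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators", "Print Operators",
}

# Constructed sample records (attribute names follow the AD schema).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "adminCount": 1, "memberOf": ["Domain Admins"],
     "sIDHistory": [], "primaryGroupID": 513, "servicePrincipalName": [],
     "userAccountControl": 0x200},
    {"sAMAccountName": "bob", "adminCount": 1, "memberOf": ["Helpdesk"],  # left Domain Admins
     "sIDHistory": [], "primaryGroupID": 513, "servicePrincipalName": [],
     "userAccountControl": 0x200},
    {"sAMAccountName": "carol", "adminCount": 0, "memberOf": [],
     "sIDHistory": ["S-1-5-21-1-2-3-512"],  # constructed SID from a migrated domain
     "primaryGroupID": 513, "servicePrincipalName": [], "userAccountControl": 0x200},
    {"sAMAccountName": "dave", "adminCount": 0, "memberOf": [],
     "sIDHistory": [], "primaryGroupID": 512,  # Domain Admins via primary group only
     "servicePrincipalName": [], "userAccountControl": 0x200},
    {"sAMAccountName": "svc_sql", "adminCount": 0, "memberOf": [],
     "sIDHistory": [], "primaryGroupID": 513,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "userAccountControl": 0x200 | UAC_TRUSTED_FOR_DELEGATION},
]


def audit_user(user):
    """Return a list of finding strings for one user record (empty = clean)."""
    findings = []
    groups = set(user.get("memberOf", []))  # flattened here; expand nesting in production
    if user.get("adminCount") == 1 and not groups & PROTECTED_GROUPS:
        findings.append("adminCount=1 without protected-group membership "
                        "(stale flag; ACL inheritance stays disabled)")
    if user.get("sIDHistory"):
        findings.append("sIDHistory populated (access via old SIDs, invisible in memberOf)")
    pgid = user.get("primaryGroupID", DOMAIN_USERS_RID)
    if pgid != DOMAIN_USERS_RID:
        findings.append(f"primaryGroupID={pgid} (membership not listed in memberOf)")
    if user.get("servicePrincipalName"):
        findings.append("SPN on a user account (service account; check password "
                        "length and rotation)")
    if user.get("userAccountControl", 0) & UAC_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained Kerberos delegation (TRUSTED_FOR_DELEGATION)")
    return findings


def audit_users(users):
    """Map sAMAccountName -> findings, keeping only accounts with at least one."""
    report = {}
    for user in users:
        findings = audit_user(user)
        if findings:
            report[user["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_users(SAMPLE_USERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On the constructed data, alice is clean (adminCount=1 is expected for a current Domain Admin), bob is flagged for a stale adminCount, carol for SIDHistory, dave for a primary group that hides a Domain Admins membership, and svc_sql twice, for its SPN and for unconstrained delegation.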
5.
Attacker strategy
Enumeration of Active Directory and all settings
▪ AD is « old »
▪ AD installation was made 10+ years ago
▪ AD is changing every day
Analysis of AD to find the easiest target
▪ Attackers don't analyze the « world » with lines & columns but with graphs
▪ Remember, every user has read access to AD
Leverage actions which don't log
▪ Security logs are not really useful
▪ Attackers can bypass the logs
▪ Attackers implement backdoors under the SIEM radar
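The point on this slide that attackers reason about AD as a graph, built from the relationship edges listed on slide 3, is also how a defender finds the paths worth cutting. The Python below is an added example, not part of the deck or of BloodHound: it builds a small directed graph from a constructed edge list using the deck's edge names (MemberOf, AdminTo, HasSession, CanRDP), finds the shortest path from a low-privilege user to Domain Admins, lists every principal that can reach that group (the exposure a real-time path detector would track), and shows that removing a single session edge breaks the path.

```python
"""Attack-path analysis over a constructed BloodHound-style edge list.

Added example; the edges are constructed, not collected from a real domain.
Edge direction follows the BloodHound convention: principal -MemberOf-> group,
principal -AdminTo-> computer, computer -HasSession-> user.
"""
from collections import deque

EDGES = [  # (source, relation, target), constructed
    ("bob", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("WS01", "HasSession", "carol"),      # carol's credentials are on WS01
    ("carol", "MemberOf", "ServerOps"),
    ("ServerOps", "AdminTo", "SRV01"),
    ("SRV01", "HasSession", "da_admin"),  # a Domain Admin logged on to a member server
    ("da_admin", "MemberOf", "Domain Admins"),
    ("bob", "CanRDP", "WS02"),            # dead end: nothing interesting on WS02
]


def build_graph(edges):
    """Adjacency list: node -> [(relation, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(edges, start, goal):
    """Breadth-first search; returns the path as [(src, rel, dst), ...] or None."""
    graph = build_graph(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            steps = []
            while parent[node] is not None:
                prev, rel = parent[node]
                steps.append((prev, rel, node))
                node = prev
            return steps[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def principals_reaching(edges, goal):
    """Every node with some path to goal (reverse BFS): the group's exposure."""
    reverse = {}
    for src, _rel, dst in edges:
        reverse.setdefault(dst, []).append(src)
    seen = {goal}
    queue = deque([goal])
    while queue:
        node = queue.popleft()
        for prev in reverse.get(node, []):
            if prev not in seen:
                seen.add(prev)
                queue.append(prev)
    seen.discard(goal)
    return seen


def without_edge(edges, edge):
    """What-if: the graph after one relationship is removed (e.g. a session ends)."""
    return [e for e in edges if e != edge]


if __name__ == "__main__":
    for src, rel, dst in shortest_path(EDGES, "bob", "Domain Admins"):
        print(f"{src} -{rel}-> {dst}")
    print("exposed:", sorted(principals_reaching(EDGES, "Domain Admins")))
    fixed = without_edge(EDGES, ("WS01", "HasSession", "carol"))
    print("path after fix:", shortest_path(fixed, "bob", "Domain Admins"))
```

The same reverse traversal is what a real-time deviation monitor needs: recompute the exposure set after every collection, and alert when a new low-privilege principal appears in it, not only when Domain Admins itself changes.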
6.
In a nutshell
▪ No users with local admin rights
▪ Encrypt local disk
▪ Use LAPS (free)
▪ Implement EDR
▪ Harden your endpoint configuration
▪ Do not base your security strategy only on logs
▪ Implement the Microsoft Tier model
▪ Detect in real time AD security deviances & attack paths
▪ Detect in real time AD attacks
Final advice: Doubt yourself! Too much self-confidence is the first enemy of cybersecurity…
7.
© ALSID COPYRIGHT 2020
alsid.com
you.