© A L S I D C O P Y R I G H T 2 0 2 1
Enumerating Active Directory:
Lateral Movement and Privilege Escalation
Security Evangelist & Microsoft MVP
Attack structure
Attackers look for the easiest path into the network, then move laterally and gain privileges. Once these are obtained, they can spread ransomware, steal data, and more.

Attack steps:
1. Infect an endpoint with a phishing or e-mail attack, and gain local admin privileges
2. Install a payload, disable local defenses, and start to enumerate AD and the network topology
3. Attempt to move laterally to other endpoints, servers, and devices
4. Exploit known configurations to gain privileges on different servers using AD
5. Create backdoors and persistence within AD and other network devices
6. Collect and/or encrypt data; steal data for economic intelligence
Enumeration tools
Tools:
- Bloodhound
- PowerView
- Ldapdomaindump
- Adidnsdump
- ACLight
- ADRecon

Objects/settings:
- Domains and trusts
- Domain SID
- Password policy
- DCs
- Domain users and attributes
- Domain computers
- Domain groups and members
- Shared folders
- Group Policies
- OUs
- ACLs
- Sessions
- Local admin rights
- …

Actions/privileges:
- AdminTo
- MemberOf
- HasSession
- ForceChangePassword
- AddMembers
- CanRDP
- CanPSRemote
- ExecuteDCOM
- SQLAdmin
- AllowedToDelegate
- GetChangesAll
- GenericAll
- WriteDacl
- Owns
- …

Sources:
- https://bloodhound.readthedocs.io/en/latest/data-analysis/nodes.html
- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#useful-enumeration-tools
- https://mcpmag.com/articles/2019/11/13/bloodhound-active-directory-domain-admin.aspx
Analyzing the enumeration
Leverage unknown settings:
- Kerberos delegations
- adminSDHolder
- adminCount
- SYSVOL permissions

Leverage cloud settings:
- AAD Connect permissions
- AAD Sync
- AAD SSO
- Bounce to Azure AD

Leverage old settings:
- Service Principal Names
- Primary Group ID
- SIDHistory
- AD delegations
- GP delegations
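The settings listed above are attributes a defender can audit directly. The following added example (not part of the deck) flags the on-premises ones from constructed LDAP-style records: an adminCount left at 1 on an account no longer in a protected group, a populated sIDHistory, a primaryGroupID other than Domain Users, unconstrained Kerberos delegation, and an SPN on a user account. The record layout, the `Account` class and the sample data are assumptions for illustration.

```python
"""Flag AD account settings that the deck lists under "Analyzing the enumeration":
adminCount/adminSDHolder drift, SIDHistory, non-default Primary Group ID,
Kerberos delegation and SPNs on user accounts.

The records below are constructed for this example; in practice they would come
from an LDAP export (e.g. an ldapdomaindump JSON file) carrying these attributes.
"""
from dataclasses import dataclass, field

# userAccountControl bit for unconstrained Kerberos delegation
# (ADS_UF_TRUSTED_FOR_DELEGATION).
UF_TRUSTED_FOR_DELEGATION = 0x80000

# RID of "Domain Users", the default primaryGroupID of a user object.
DOMAIN_USERS_RID = 513

# Groups whose members adminSDHolder protects (SDProp sets adminCount=1 on them).
# Assumption: limited to the well-known default protected groups.
PROTECTED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Server Operators", "Print Operators",
    "Backup Operators", "Replicator",
}


@dataclass
class Account:
    """Subset of a user object's LDAP attributes, as an enumeration tool dumps them."""
    sam: str
    member_of: set = field(default_factory=set)       # memberOf (group names)
    admin_count: int = 0                              # adminCount
    sid_history: list = field(default_factory=list)  # sIDHistory
    primary_group_id: int = DOMAIN_USERS_RID          # primaryGroupID
    uac: int = 0x200                                  # userAccountControl (0x200 = NORMAL_ACCOUNT)
    spns: list = field(default_factory=list)         # servicePrincipalName


def audit_account(acct: Account) -> list:
    """Return the deviance labels that apply to one account, in check order."""
    findings = []
    protected = bool(acct.member_of & PROTECTED_GROUPS)
    if acct.admin_count == 1 and not protected:
        # SDProp never clears adminCount: a stale 1 means the account was once
        # privileged and still carries the protected ACL, which also blocks
        # ACL inheritance from its OU.
        findings.append("orphaned-adminCount")
    if acct.sid_history:
        # Legitimate only around a migration; otherwise a privilege source
        # that group enumeration does not show.
        findings.append("sidHistory-present")
    if acct.primary_group_id != DOMAIN_USERS_RID:
        # Membership via primaryGroupID is absent from the group's member
        # attribute, so a primary group of 512 hides a Domain Admin.
        findings.append("non-default-primaryGroupID")
    if acct.uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained-delegation")
    if acct.spns:
        # A user account with an SPN is a service account; its password policy
        # and rotation need reviewing (the "old setting" the deck lists).
        findings.append("spn-on-user")
    return findings


def audit(accounts) -> dict:
    """Map sAMAccountName -> findings for every account with at least one."""
    result = {}
    for acct in accounts:
        found = audit_account(acct)
        if found:
            result[acct.sam] = found
    return result


# Constructed sample data (not real accounts or SIDs).
SAMPLE = [
    Account("alice", member_of={"Domain Admins"}, admin_count=1),
    Account("bob", admin_count=1),  # removed from Domain Admins, flag never reset
    Account("svc_sql", spns=["MSSQLSvc/sql01.corp.example:1433"],
            uac=0x200 | UF_TRUSTED_FOR_DELEGATION),
    Account("carol", primary_group_id=512, sid_history=["S-1-5-21-1-2-3-1105"]),
    Account("dave"),
]

if __name__ == "__main__":
    for sam, findings in audit(SAMPLE).items():
        print(f"{sam}: {', '.join(findings)}")
```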
ATTACKER strategy
Enumeration of Active Directory and all its settings:
▪ AD is "old"
▪ The AD installation was made 10+ years ago
▪ AD is changing every day

Analysis of AD to find the easiest target:
▪ Attackers don't analyze the "world" with lines and columns but with graphs
▪ Remember, every user has read access to AD

Leverage actions that don't log:
▪ Security logs are not really useful
▪ Attackers can bypass the logs
▪ Attackers implement backdoors under the SIEM radar
In a nutshell
▪ No users with local admin rights
▪ Encrypt the local disk
▪ Use LAPS (free)
▪ Implement EDR
▪ Harden your endpoint configuration
▪ Do not base your security strategy only on logs
▪ Implement the Microsoft Tier model
▪ Detect AD security deviances and attack paths in real time
▪ Detect AD attacks in real time

Final advice: doubt yourself! Too much self-confidence is the first enemy of cybersecurity…

alsid.com
Thank you.