Attacking and Defending Active Directory in 2018
DEF CON 26
August, 2018
About: Adam Steed - @aBoy
Associate Director, Protiviti
Security and Privacy Practice
Identity and Access Management
20 years of experience in IAM, working for financial, websites, and healthcare organizations
About: James Albany
Senior Consultant, Protiviti
Security and Privacy Practice
Penetration Testing
Specialize in Social Engineering, Network Pen testing, and Red Teaming.
Credits
• https://blog.harmj0y.net/ - Will Schroeder (@harmj0y)
• http://adsecurity.org/ - Sean Metcalf (@PyroTek3)
• http://blog.gentilkiwi.com/mimikatz - Benjamin Delpy (@gentilkiwi)
• http://dsinternals.com - Michael Grafnetter (@Mgrafnetter)
• https://blogs.technet.microsoft.com/pfesweplat/ - Robin Granberg (@ipcdollar1)
• https://github.com/byt3bl33d3r - Marcello Salvati (@Byt3bl33d3r)
• https://hashcat.net/hashcat/
• http://hashsuite.openwall.net/
• http://ophcrack.sourceforge.net/
• https://github.com/PowerShellMafia/PowerSploit
Today's Attacks (Time Permitting)
• Lab 1
  • LM Hash Cracking
• Lab 2
  • Enumeration Of AD/Endpoint
• Lab 3
  • Kerberoast
  • Excessive Permissions (ACL/Delegated)
• Lab 4
  • Group Policy Preferences (GPP) in SYSVOL
  • Shared Local Admin
  • Credential Theft From LSASS
  • NTDS.DIT (Domain Hashdump)
• Lab 5
  • Scripts In SYSVOL
  • DCSync
  • Golden Tickets
Today's Goal
1. Don’t get yelled at by your boss because you got hacked.
2. Don’t get yelled at because you failed a Pen Test.
Let's Start With A Demo
Intro to Windows Password Hashes
Passwords are not stored in Active Directory
Windows Password Hashes Contain No Salt
There Are Many Places To Steal the Hash
Attacker: Why Not Just Steal A Copy Of NTDS.DIT?
NTDS.DIT File Contains All Of The Password Hashes For The Domain
What does it mean when you see users with the same password hash?
Defender: Making A Copy Of NTDS.DIT Is Hard
• NTDS.DIT is locked by the LSASS process, so you can't just copy it
• If you tamper with the LSASS process on a domain controller you could crash it
• NTDS.DIT is encrypted, so you can't just open it
Attacker: Volume Shadow Copy…FTW!
Defender: I Hate You!!
Volume Shadow Copy
NTDS.DIT Is “Protected” With Encryption
Thank you Microsoft for storing the encryption key in the registry
Why we don’t need to guess passwords
Abusing the LSASS Process
Lab 1
Attacking the NTDS.DIT
Lab 1 Remediation
• Stopping LAN Manager
• Password Quality Report
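Both remediation items can be checked from the defender's side: which accounts still have an LM hash stored, and which accounts share an NT hash (with no salt, an identical hash means an identical password). The report below is an added example, not code from the talk; it assumes a pwdump-style export (`user:rid:lm:nt:::`) taken during an authorised audit, and the sample accounts and hash values are constructed.

```python
"""Password-quality report over a pwdump-style hash export (added example)."""
import re
from collections import defaultdict

# Well-known hashes of the empty string. An LM field equal to EMPTY_LM means
# no LM hash is stored; an NT field equal to EMPTY_NT means a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample data (user:rid:lm:nt:::). Apart from the two empty-string
# constants above, the hash values are made up and match no real password.
SAMPLE_EXPORT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
svc_backup:1104:22222222222222222222222222222222:33333333333333333333333333333333:::
alice:1105:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
bob:1106:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
helpdesk-adm:1107:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_export(text):
    """Return (records, rejected): (user, lm, nt) tuples and bad line numbers."""
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        # A usable line needs user, rid, lm, nt and a well-formed NT hash.
        if len(fields) < 4 or not HEX32.match(fields[3]):
            rejected.append(lineno)
            continue
        records.append((fields[0], fields[2].lower(), fields[3].lower()))
    return records, rejected


def quality_report(records):
    """Summarise findings by account name only; hashes never leave this function."""
    by_nt = defaultdict(list)
    lm_stored, blank = [], []
    for user, lm, nt in records:
        if HEX32.match(lm) and lm != EMPTY_LM:
            lm_stored.append(user)      # LAN Manager hash still being stored
        if nt == EMPTY_NT:
            blank.append(user)          # account has an empty password
        else:
            by_nt[nt].append(user)
    # Unsalted hashes: accounts in the same bucket have the same password.
    shared = sorted(sorted(users) for users in by_nt.values() if len(users) > 1)
    return {
        "lm_stored": sorted(lm_stored),
        "blank_password": sorted(blank),
        "shared_hash_groups": shared,
    }


if __name__ == "__main__":
    recs, bad = parse_export(SAMPLE_EXPORT)
    report = quality_report(recs)
    print("LM hash still stored :", report["lm_stored"])
    print("Blank password       :", report["blank_password"])
    for group in report["shared_hash_groups"]:
        print("Same password        :", ", ".join(group))
    print("Unparseable lines    :", bad)
```

A privileged account sharing a bucket with an ordinary one (here `Administrator` and `helpdesk-adm`) is the finding to act on first, since compromising either password yields both.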
• The more you know the quieter you can be
Attacker: You know why I like to drive through brand new expensive neighborhoods?
Defender: No Idea
Attacker: Because no one can afford blinds or curtains so I can see inside everything
Active Directory Enumeration (The GUI Method)
PowerShell Active Directory Module Cmdlet (System Admin Method)
Requires install of AD PowerShell modules https://technet.microsoft.com/en-us/library/ee617195.aspx
PowerView (@harmj0y) (Hacker Method)
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
PowEnum (Lazy Hacker Method)
https://github.com/whitehat-zero/PowEnum
Lab 2 - Recap
• Enumeration
  • Active Directory Users and Computers
  • PowerShell
  • PowerView
  • PowEnum
• Overall Takeaway
  • Live off the land
  • The more you know, the quieter you become
Defender: I feel a little violated … but your information is more detailed than my documentation. Can I get a copy?
Remediation For Lab 2
• Does every user need to know every object in Active Directory?
• Does everyone need to know who is a member of Domain Admins?
• Controlling who has the ability to discover sessions running on a host
Lab 3
• Kerberoasting: Beating the three headed dog
Kerberoast Agenda
• What is Kerberos
• Invoke-Kerberoast / PowEnum Roasting
• Cracking with Hashcat
What is Kerberos?
• 3 Heads
  1. Client
  2. Server
  3. Key Distribution Center (KDC)
https://redmondmag.com/articles/2012/02/01/understanding-the-essentials-of-the-kerberos-protocol.aspx
Kerberos
• 3 Exchanges
  1. Authentication Service (AS) Exchange
  2. Ticket Granting Service (TGS) Exchange
  3. Client/Server (CS) Exchange
https://redmondmag.com/articles/2012/02/01/understanding-the-essentials-of-the-kerberos-protocol.aspx
Ticket Granting Ticket (TGT)
Portion is encrypted with User Account Password Hash
Kerberos
• 3 Exchanges
  1. Authentication Service (AS) Exchange
  2. Ticket Granting Service (TGS) Exchange
  3. Client/Server (CS) Exchange
https://redmondmag.com/articles/2012/02/01/understanding-the-essentials-of-the-kerberos-protocol.aspx
Service Ticket (ST)
Portion is encrypted with the Service Account Password Hash
Kerberoast
Service Ticket (ST)
Portion is encrypted with the Service Account Password Hash
https://redmondmag.com/articles/2012/02/01/understanding-the-essentials-of-the-kerberos-protocol.aspx
Kerberos Attacks
Kerberoast
ASREPRoast
Golden Ticket
Silver Ticket
Kerberoast (PowerView)
Kerberoast – Downloading PowEnum
Kerberoast – Requesting a TGS (PowEnum)
What do you see?
Cracking with Hashcat
Part of the service ticket is encrypted with the NTLM hash of the target service instance
https://hashcat.net/wiki/doku.php?id=oclhashcat
Abusing Insecure ACLs Agenda
• What is an ACL
  • Object access vs. system access
• How To Identify Insecure ACLs
• Attacking an Insecure ACL
Abusing Insecure ACLs – What is an ACL
• An access control list (ACL) is a list of access control entries (ACE).
• 2 types of ACLs:
  • Discretionary access control list (DACL)
  • System access control list (SACL)
Abusing Insecure ACLs - How To Identify Insecure ACLs
• What Do You See?
Abusing Insecure ACLs - How To Identify Insecure ACLs
Is this a problem?
What other issues?
Abusing Insecure ACLs - How To Identify Insecure ACLs
• Normal?
Abusing Insecure ACLs - Attacking an Insecure ACL
• How can this be leveraged?
Lab 3 - Recap
• Kerberoasted Elliott.Alderson
• Cracked the password for Elliott.Alderson
• Used Elliott.Alderson's full control of the DA object to add Elliott to the DA group
• DOMAIN ADMIN!
Kerberoast + Weak Service Account Password + Abusing Insecure ACLs =
Remediation For Attack Path 3
Kerberoast Weak Service Account Password Abusing Insecure ACLs
Fine Grained Password Policies
• Policies to require Service Account Passwords to be rotated at least on a yearly basis, and Fine Grained Password Policies
• Manage Service Accounts: The Good and The Bad
Kerberoast Weak Service Account Password Abusing Insecure ACLs
Lab 4
• When Microsoft gives you the keys
GPP Password Decryption Agenda
• What Is Group Policy
• Group Policy Preferences Files
• Get-GPPPassword (PowerSploit) / PowEnum
GPP Password Decryption - What Is Group Policy
GPP Password Decryption - Group Policy Preferences Files
• Map drives (Drives.xml)
• Create Local Users (Groups.xml)
• Data Sources (DataSources.xml)
• Printer configuration (Printers.xml)
• Create/Update Services (Services.xml)
• Scheduled Tasks (ScheduledTasks.xml)
• https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati
GPP Password Decryption – Downloading PowEnum
GPP Password Decryption – SYSVOL
What do you see?
GPP Password Decryption - PowerSploit
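For cleanup, a defender can inventory which of the preference files listed above still embed a password, without decrypting anything. The audit below is an added example, not code from the talk or from PowerSploit; it assumes a local read-only copy of SYSVOL, relies on the `cpassword` attribute these files use for embedded passwords, and treats the account attribute names it looks for as an assumption. The sample XML is constructed.

```python
"""Audit a SYSVOL copy for GPP files that embed a cpassword (added example)."""
import os
import xml.etree.ElementTree as ET

# Preference file names from the slide above, compared case-insensitively.
GPP_FILES = {"drives.xml", "groups.xml", "datasources.xml",
             "printers.xml", "services.xml", "scheduledtasks.xml"}

# Assumption: attribute names that carry the account the password belongs to.
ACCOUNT_ATTRS = ("username", "accountname", "runas")

# Constructed sample; the cpassword value is a placeholder, not real data.
SAMPLE_GROUPS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2013-05-01 10:00:00">
    <Properties action="U" userName="LocalAdmin"
                cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
  <User name="Kiosk" changed="2017-02-01 09:30:00">
    <Properties action="U" userName="Kiosk" cpassword=""/>
  </User>
</Groups>
"""


def find_cpassword(xml_bytes):
    """Return one finding per element with a non-empty cpassword attribute.

    The value itself is never returned, so the report is safe to circulate.
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []  # damaged or non-XML file: nothing to report
    # ElementTree has no parent pointers, so build a child -> parent map;
    # the 'changed' timestamp sits on the element that wraps Properties.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if not elem.get("cpassword"):
            continue
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        account = next((attrs[a] for a in ACCOUNT_ATTRS if attrs.get(a)), "")
        parent = parent_of.get(elem)
        changed = parent.get("changed", "") if parent is not None else ""
        findings.append({"element": elem.tag, "account": account,
                         "changed": changed})
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy and report every preference file with a cpassword."""
    results = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                for finding in find_cpassword(fh.read()):
                    results.append(dict(finding, path=path))
    return results


if __name__ == "__main__":
    for hit in find_cpassword(SAMPLE_GROUPS_XML):
        print("cpassword present for %(account)s (changed %(changed)s)" % hit)
```

Installing the MS14-025 update does not remove preference files that already exist, so every hit still means deleting the preference and changing that account's password.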
Credential Theft Agenda
• Windows Credential Theft (SAM / LSASS / Credman / LSA Secrets / NTDS.DIT)
• Mimikatz
• Invoke-Mimikatz
• CrackMapExec
• https://technet.microsoft.com/en-us/library/hh994565(v=ws.11).aspx
Credential Theft Agenda - Windows Credential Theft (SAM)
• Security Accounts Manager (SAM) database
• Stores password HASHES for all LOCAL accounts
  • Built-in local admin, local users, guest account, etc.
• NT Hashes (LM on legacy OS)
  • Unsalted MD4 hash of user’s clear text
Credential Theft Agenda - Windows Credential Theft (LSASS)
• LSASS (Local Security Authority Subsystem Service)
  • Stores Creds in-memory
  • Single Sign On
  • Multiple Forms of Storage
• LSA credentials created in memory when…
  • RDP
  • RunAs task started
  • Run active windows service
  • Schedule task or batch job
  • Run task remotely using admin tool (Psexec, etc.)
• https://technet.microsoft.com/en-us/library/hh994565(v=ws.11).aspx
![Page 78: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/78.jpg)
Credential Theft Agenda - Windows Credential Theft (LSA Secrets)
• Secret piece of data that is accessible only to SYSTEM account processes
• May persist through reboot
• LSA Secrets Creds include
  • Computer AD DS account
  • Windows Service configured locally
  • Scheduled task accounts
  • IIS app pools and websites
• https://technet.microsoft.com/en-us/library/hh994565(v=ws.11).aspx
![Page 79: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/79.jpg)
Credential Theft Agenda - Windows Credential Theft (Credman)
• Credential Manager Control Panel (Credman)
• Saved passwords in Windows
• Stored on disk, protected by the Data Protection Application Programming Interface (DPAPI)
• Credman obtains information in two ways
  • Explicit creation
  • System population
• Uses Credential Locker (formerly Windows Vault)
• Dumped at same time as LSASS with mimikatz
![Page 80: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/80.jpg)
AD DS database (NTDS.DIT)
• Store of credentials for all users in the AD DS domain
• The database stores a number of attributes for each account, which include user names, types and the following:
  • LM/NT hash for the current password
  • LM/NT hashes for password history (if configured)
![Page 81: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/81.jpg)
Credential Theft Agenda – Mimikatz / Invoke-Mimikatz
https://github.com/gentilkiwi/mimikatz
https://github.com/PowerShellMafia/PowerSploit/tree/master/Exfiltration
![Page 82: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/82.jpg)
Credential Theft Agenda – CrackMapExec
• Target 2 – Win 2012
• cme 10.0.0.6 -u gpo_LA -p 'HoldTheDoor!' -M mimikatz
![Page 83: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/83.jpg)
Credential Theft Agenda – Dump Domain Creds
ALL DOMAIN CREDS!!!
![Page 84: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/84.jpg)
Lab 4 - Recap
• Decrypted GPO_LA from a GPP file
• Used GPO_LA to perform a local login on LabWin2012.defcon.local as a local admin
• As a local admin dumped account (Domain Admin) creds with mimikatz
• Dump domain creds with NTDS.DIT
• DOMAIN ADMIN!!!!
GPP Password Decryption → Shared Local Admin → Credential Theft (LSASS)
![Page 85: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/85.jpg)
Remediation For Lab 4
Implement 3-Tier Administration Model for Enhanced Security
The Attack Surface of an environment is the sum of the different points from which an unauthorized user can compromise the environment.
The 3-Tier Administration Model reduces the attack surface by isolating the environment into 3 tiers.
Accounts used to log on to the servers/workstations in each tier must be different and can’t be used in the other two.
Tier-0: Domain/Forest level servers (Domain Controllers) and any jump/admin servers used in administration.
Tier-1: Member servers; servers which host internal, monitoring, security, mail & collaboration apps.
Tier-2: User workstations/devices, where users log on to do their regular day-to-day work like checking emails, creating documents/reports, etc.
[Diagram labels: Can Control / Can Control / Effectively: Can Control]
GPP Password Decryption → Shared Local Admin → Credential Theft (LSASS)
![Page 86: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/86.jpg)
Security Recommendations: Admin Boundaries
Define clear administrative boundaries, even within the same tier
[Diagram labels: Tokyo, New York, Database, e-Mail & Collaboration, Tier – 2, Tier – 3]
Example 1. (Tier 3) Helpdesk technicians in Tokyo cannot exercise the same rights on the workstations/desktops at the New York office.
Example 2. (Tier 2) Similarly, DBA groups should not have the same rights on Mail & Collaboration servers.
![Page 87: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/87.jpg)
Security Recommendations: Admin Boundaries
Remediation For Lab 4
1. Computer Configuration\Policies\Windows Settings\Security Settings\Local Settings\User Rights Assignments:
   1. Deny access to this computer from the network
   2. Deny log on as a batch job
   3. Deny log on as a service
   4. Deny log on locally
   5. Deny log on through Remote Desktop Services user rights
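One way to check a GPO for the five deny rights listed above, as an added example that is not from the talk. It assumes the aim is to keep Tier-0 groups (Domain Admins, Enterprise Admins) off lower-tier machines; the domain SID and the GptTmpl.inf content are constructed.

```python
# The five user rights from the slide, keyed by their constant names in GptTmpl.inf.
DENY_RIGHTS = {
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
    "SeDenyBatchLogonRight": "Deny log on as a batch job",
    "SeDenyServiceLogonRight": "Deny log on as a service",
    "SeDenyInteractiveLogonRight": "Deny log on locally",
    "SeDenyRemoteInteractiveLogonRight": "Deny log on through Remote Desktop Services",
}

def parse_privilege_rights(inf_text):
    """Return {right: set of trustees} from the [Privilege Rights] section.
    SIDs are stored with a leading '*'; unresolved account names have none."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def missing_denies(inf_text, required_sids):
    """Map each deny right to the required SIDs it does not list yet."""
    rights = parse_privilege_rights(inf_text)
    gaps = {}
    for right in DENY_RIGHTS:
        missing = sorted(set(required_sids) - rights.get(right, set()))
        if missing:
            gaps[right] = missing
    return gaps

# Constructed sample: domain SID is made up; RID 512 = Domain Admins, 519 = Enterprise Admins.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
TIER0 = [DOMAIN + "-512", DOMAIN + "-519"]
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *{DOMAIN}-512,*{DOMAIN}-519
SeDenyBatchLogonRight = *{DOMAIN}-512,*{DOMAIN}-519
SeDenyServiceLogonRight = *{DOMAIN}-512,*{DOMAIN}-519
SeDenyInteractiveLogonRight = *{DOMAIN}-512
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for right, sids in missing_denies(SAMPLE_INF, TIER0).items():
        print(f"{DENY_RIGHTS[right]}: missing {', '.join(sids)}")
```

A real GptTmpl.inf sits under the GPO's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL and is UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text in.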
![Page 88: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/88.jpg)
Security Recommendations: Remove Workstation To Workstation Communication
Remediation For Lab 4
Implementing Private VLANs or Host Firewall Rules
![Page 89: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/89.jpg)
Lab 5
• More Low Hanging Fruit / Abuse of Core AD functionality
![Page 90: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/90.jpg)
SYSVOL Script - Agenda
• What is the SYSVOL
• How to access the SYSVOL
• PowerView / PowEnum
![Page 91: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/91.jpg)
SYSVOL Scripts - What is the SYSVOL
• SYSVOL is simply a folder which resides on each and every domain controller within the domain.
• It contains the domain's public files that need to be accessed by clients and kept synchronized between domain controllers.
• The SYSVOL folder can be accessed through its share \\domainname.com\sysvol or the local share name on the server \\servername\sysvol.
![Page 92: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/92.jpg)
SYSVOL Scripts - PowerView
![Page 93: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/93.jpg)
SYSVOL Scripts – Downloading PowEnum
![Page 94: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/94.jpg)
SYSVOL Scripts – Downloading PowEnum
What do you see?
![Page 95: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/95.jpg)
SYSVOL Scripts – Downloading PowEnum
![Page 96: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/96.jpg)
SYSVOL Scripts – Reviewing Scripts
• Anything Juicy?
![Page 97: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/97.jpg)
DCSync - Agenda
• What is DCSync
• Who can DCSync
• Mimikatz (lsadump::dcsync)
![Page 98: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/98.jpg)
DCSync - What is DCSync
• Abuse DC Replication Services
• Impersonate a Domain Controller to request account password data
• With appropriate rights (replication rights), extract password hash for ANY account in the FOREST
• Mimikatz
• Pull past and present hashes for any user
• No interactive logon
• No copy of NTDS.DIT
• QUIET Persistence
![Page 99: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/99.jpg)
DCSync - Who can DCSync
• How can we identify who has the correct privileges?
![Page 100: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/100.jpg)
DCSync - Who can DCSync
• How can we identify who has the correct privileges?
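One defensive answer to the question on this slide, as an added example that is not from the talk: audit the domain object's security descriptor for trustees that hold both replication extended rights. The SDDL string, the SIDs and the allow-list are constructed; treating the Get-Changes / Get-Changes-All pair as the rights that matter is an assumption of this sketch.

```python
import re

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
REPL = {GET_CHANGES, GET_CHANGES_ALL}

def _pairs(codes):
    """Split an SDDL flags/rights string into two-letter codes (avoids 'LCRP' matching 'CR')."""
    return {codes[i:i + 2] for i in range(0, len(codes), 2)}

def _control_access(rights):
    """True if the mask includes control access (CR / 0x100) or generic all (GA)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (0x100 | 0x10000000))
    return bool(_pairs(rights) & {"CR", "GA"})

def dcsync_capable(sddl):
    """Trustees whose allow ACEs grant both replication rights on this object.
    Deny ACEs and group membership are not evaluated here."""
    granted = {}
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj, _inherit, trustee = fields[:6]
        if ace_type not in ("A", "OA") or "IO" in _pairs(flags) or not _control_access(rights):
            continue  # skip audit/deny ACEs, inherit-only ACEs, ACEs without control access
        obj = obj.lower()
        got = REPL if not obj else REPL & {obj}  # no object GUID means all extended rights
        granted.setdefault(trustee, set()).update(got)
    return sorted(t for t, g in granted.items() if g == REPL)

def unexpected_replicators(sddl, allowed):
    """Trustees that can replicate secrets but are not on the reviewer's allow-list."""
    return [t for t in dcsync_capable(sddl) if t not in allowed]

# Constructed SDDL for a domain head; the domain SID and RID 1105 are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;;CR;{GET_CHANGES};;ED)(OA;;CR;{GET_CHANGES_ALL};;{DOM}-516)"
    f"(OA;;CR;{GET_CHANGES};;BA)(OA;;CR;{GET_CHANGES_ALL};;BA)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    f"(OA;;CR;{GET_CHANGES};;{DOM}-1105)(OA;;CR;{GET_CHANGES_ALL};;{DOM}-1105)"
    "(A;CIIO;GA;;;CO)"
    f"S:(OU;SA;CR;{GET_CHANGES_ALL};;WD)"
)

if __name__ == "__main__":
    print(unexpected_replicators(SAMPLE_SDDL, {"BA", "DA"}))
```

Feed it the SDDL form of the domain object's nTSecurityDescriptor; any SID it reports that is not a domain controller or administrative group is a candidate for having its replication rights removed.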
![Page 101: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/101.jpg)
DCSync - Mimikatz
![Page 102: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/102.jpg)
Golden Tickets
![Page 103: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/103.jpg)
Lab 5 - Recap
• Identified cleartext credentials for a SharePoint Service Account
• Identified that the SharePoint account has replication rights
• Used DCSync to steal the KRBTGT account hash
• Created a “Golden Ticket” with the KRBTGT account hash
SYSVOL Scripts → DCSync → Golden Ticket
![Page 104: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/104.jpg)
Remediation For Lab 5
• 3 Tier Architecture
• Monitor SYSVOL changes and validate no hard coded creds in script (.bat/.ps1/.cmd…) files
• Lock down replication rights to appropriate users
SYSVOL Scripts → DCSync → Golden Ticket
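A sketch of the "validate no hard coded creds in script files" check, added here and not part of the talk. The rule names, the regular expressions and the .vbs extension are assumptions to tune per environment, and the sample tree is constructed to stand in for a copy of the SYSVOL scripts folder.

```python
import os
import re
import tempfile

# Extensions named on the slide (.bat/.ps1/.cmd); .vbs is an added assumption.
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs"}

# Heuristic rules (assumptions): rule name -> pattern that suggests an inline credential.
RULES = {
    "net use with /user:": re.compile(r"\bnet\s+use\b.*?/user:\S+", re.I),
    "plaintext SecureString": re.compile(r"ConvertTo-SecureString\b.*-AsPlainText", re.I),
    "password assignment": re.compile(
        r"\b(?:password|passwd|pwd)\s*[:=]\s*[\"']?(?!\$|Read-Host)[^\s\"']+", re.I),
    "psexec -p": re.compile(r"\bpsexec(?:\.exe)?\b.*\s-p\s+\S+", re.I),
}

def scan_tree(root):
    """Return sorted (relative path, line number, rule) hits; the secret itself is never copied."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    hits += [(rel, lineno, rule) for rule, rx in RULES.items() if rx.search(line)]
    return sorted(hits)

# Constructed sample tree; host, account and password values are made up.
SAMPLE = {
    "scripts/map_drives.bat": "@echo off\nnet use S: \\\\fs01\\share Example123! /user:LAB\\svc_example\n",
    "scripts/setup.ps1": "$pw = ConvertTo-SecureString 'Example123!' -AsPlainText -Force\n$password = Read-Host\n",
    "scripts/clean.cmd": "del /q %TEMP%\\*.tmp\n",
    "scripts/readme.txt": "password=not-a-script\n",
}

def demo():
    """Write the constructed tree to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run on a schedule against a read-only copy of SYSVOL and diff the hit list between runs, so a newly added script with an inline password stands out as a change.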
![Page 105: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/105.jpg)
Top 5 ways to make pentesters angry
1. 3 Tier Architecture
2. Effective Local Admin Management
3. Workstation Isolation
4. Active Directory Enumeration Hardening
5. Effective Application Whitelisting
![Page 106: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/106.jpg)
Questions
![Page 107: Attacking and Defending Active Directory in2018 CON 26/DEF CON 26... · Can Control Can Control Effectively: Can Control Implement 3-Tier Administration Model for Enhanced Security](https://reader035.vdocuments.site/reader035/viewer/2022062505/5ee0cab9ad6a402d666be629/html5/thumbnails/107.jpg)
The End