#blackalps17 · managing consultant at defendza pen tester/security consulting tweets are welcome...
TRANSCRIPT
![Page 1: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/1.jpg)
Harman Singhwww.defendza.com
@defendzaltd
DEFENDZA LTD. 1
#BLACKALPS17
![Page 2: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/2.jpg)
Managing consultant at Defendza
Pen Tester/Security Consulting
Tweets are welcome @digitalamli #BlackAlps17
Hacktivity, BlackAlps☺, Bsides, BlackHat USA 2015
Sometimes clients listen and fix issues, sometimes they blame me, other times they don’t fix !
2DEFENDZA LTD.
![Page 3: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/3.jpg)
whoami
Active Directory
Fundamentals
Latest Features (2016)
Nuts & Bolts of a DC
Threats
Detections
Q&A
3DEFENDZA LTD.
![Page 4: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/4.jpg)
4DEFENDZA LTD.
![Page 5: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/5.jpg)
No new exploits/CVE/<groundbreaking stuff> being released today, just a few ways to help improve threat detection capabilities
Attack details are stressed to ensure understanding helps the thought process around detection work
These issues have affected or still affect AD environments - yes, you are part of this game!
5DEFENDZA LTD.
![Page 6: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/6.jpg)
AD?
Basic structure Forest
Domain
OU
Sites
6DEFENDZA LTD.
![Page 7: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/7.jpg)
7DEFENDZA LTD.
![Page 8: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/8.jpg)
Domain Services
Certificate Services
Federation Services
Lightweight Directory Services
Rights Management Services
8DEFENDZA LTD.
![Page 9: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/9.jpg)
AD DS?
Role
Benefits Forests
Scalability
Delegation
Security (Authentication + Access Control) – A single network logon = compromise☺
9DEFENDZA LTD.
![Page 10: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/10.jpg)
Features
Schema
Global catalog
A query and index mechanism
Replication
Operations master roles/FSMO
10DEFENDZA LTD.
![Page 11: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/11.jpg)
Since Win Server 2008
RODC
Admin role separation
Secure installation media
Restartable AD DS
Fine-grained Password Policy
a few more…
11DEFENDZA LTD.
![Page 12: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/12.jpg)
AD CS
Benefits of AD CS
Certificate Services CA’s
Web Enrolment
Online Responder
Network Device Enrolment Service
CS Architecture
12DEFENDZA LTD.
![Page 13: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/13.jpg)
13DEFENDZA LTD.
![Page 14: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/14.jpg)
14
Logs
The only directory (by default) in use systemdir\CertLog
Certutil.exe -> systemroot\certutil.log
CA snap-in logs -> windir\certmmc.log
Certs and CRLs
\\Localhost\Certenroll
\\Localhost\Certconfig
SystemCertificates\My folder located at:
C:\Users\<username>\Application Data\Microsoft\SystemCertificates\My
Trusted root CA container HKEY_Local_Machine\Software\Microsoft\SystemCertificates\Root
DEFENDZA LTD.
![Page 15: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/15.jpg)
AD FS?
ADFS Features
ADFS Role Services Federation Services
Proxy
Claims-aware
Windows Token-based
15DEFENDZA LTD.
![Page 16: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/16.jpg)
16DEFENDZA LTD.
![Page 17: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/17.jpg)
AD LDS ( ADAM? ) Much of the same as AD DS Deployment of domains/DC’s not required Multiple instances of LDS on a single computer Can use AD DS for authentication of Windows security
principals.
Why is it a big deal?
Enterprise directory store
Extranet authentication store
…
17DEFENDZA LTD.
![Page 18: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/18.jpg)
AD RMS?
Role description
Benefits? Persistent use policies
Preventing authorized users from unauthorized use
Supports file expiration
Enforce corporate policies
HSM support
What it does not?
18DEFENDZA LTD.
![Page 19: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/19.jpg)
19DEFENDZA LTD.
![Page 20: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/20.jpg)
Security & Cloud !
Major improvements: PAM
Azure AD Join
MS Passport
Other improvements Time synchronisation
Group membership expiration
Forest/domain functional level (2008)
20DEFENDZA LTD.
![Page 21: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/21.jpg)
21DEFENDZA LTD.
![Page 22: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/22.jpg)
Isolation/scoping of privileges
Step up
Additional logging
Customizable workflow
✓Credential Theft, pth, and other credential theft mitigations – stay tuned
22DEFENDZA LTD.
![Page 23: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/23.jpg)
Azure AD Join: Register Join
Benefits:
Single-Sign On (MS & other Apps)
BYOD devices
MDM Integration
Access organizational resources on mobile devices
Modern Settings (Backup and restore, roaming , etc) , Imaging, Dev experience, etc.
23DEFENDZA LTD.
![Page 24: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/24.jpg)
MS Passport Key-based auth Breach, theft and phish-resistant (Microsoft claims that!) Authenticating identities without passwords
Windows Hello for Business
Cert based auth, supports MS and non-MS accounts (using FIDO)
Keys generated on TPM 1.2 or TPM 2.0 (Hardware preferred option)
Complexity and length of the PIN
Support for smart card-like scenarios by using cert based trust
24DEFENDZA LTD.
![Page 25: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/25.jpg)
25DEFENDZA LTD.
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-passport
![Page 26: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/26.jpg)
DSA
26DEFENDZA LTD.
![Page 27: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/27.jpg)
DSA
27DEFENDZA LTD.
![Page 28: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/28.jpg)
Data Store Physical Structure
28DEFENDZA LTD.
![Page 29: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/29.jpg)
29DEFENDZA LTD.
![Page 30: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/30.jpg)
30DEFENDZA LTD. Source: Lockheed Martin
CKC
![Page 31: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/31.jpg)
31DEFENDZA LTD. Source: https://www.nist.gov/sites/default/files/documents/2017/06/08/20131213_charles_alsup_insa_part3.pdf
![Page 32: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/32.jpg)
Building up the ground: Enumeration
Information collection and analysis
Privilege Escalation
Accessing Secrets
Token stealing/impersonation
Hash Dumping
32DEFENDZA LTD.
![Page 33: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/33.jpg)
33DEFENDZA LTD.
![Page 34: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/34.jpg)
OFFENSE
Recon – Identifying targets, gathering thesurrounding info for attack prep.
Escalation – Target exploitation to gain accessand escalate privileges
Persistence – Maintain access
34DEFENDZA LTD.
![Page 35: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/35.jpg)
RID cycling is used to enumerate user accounts through null sessions and the SID to RID enum.
SID (Security Identifier)
✓ Just like AD users refer to accounts by name, OS refers to accounts by SID numbers.
✓ primary key for any object in AD unique to a domain.
✓ No two accounts or groups on the computer ever share the same SID.
RID (Relative Identifier)
✓ unique, and assigned sequentially by domain controller
For eg: A security identifier(SID) is actually SID + RID
✓ S-1-5-21-2000478354-1708537768-1957994488-500
35DEFENDZA LTD.
![Page 36: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/36.jpg)
Well-known RID’s:
✓ Accounts & Groups - 500-999. For eg: 500 - Administrator, 501 - Guest, 502 - Krbtgt.
✓ Users, groups, computers start at 1000.
Well known security identifiers list : https://support.microsoft.com/en-us/kb/243330
RID Cycling over NULL session may not work on Windows 2k8 onwards.
RID Cycling over an authenticated “domain user account” will always work
Attackers run a rid cycling enumeration with valid domain user even if it works over null session asthe former reveals some “extra” juicy information.
The juicy information include domain groups, account description, password policy etc.
36DEFENDZA LTD.
![Page 37: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/37.jpg)
enum4linux example (both auth and unauthattempts)
37DEFENDZA LTD.
![Page 38: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/38.jpg)
Info Gathering Exercises
OS Information ,echo “%username%” or ‘whoami’
Patch levels – “wmic qfe get description,hotfixid,installedon”
KiTrap0D (KB979682), MS11-011 (KB2393802), MS10-059 (KB982799), MS10-021 (KB979683), MS11-080 (KB2592799).
Networking – route print, arp –A, ipconfig /all , netstat –ano
Firewall state – ‘netsh firewall show state’,‘netsh firewall show config’
What is running – ‘schtasks /query /fo LIST /v’
Services under each process ‘tasklist /svc’, Modules - C:\>tasklist /M wind*
Running Services ‘net start’
WMIC info gathering
38DEFENDZA LTD.
![Page 39: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/39.jpg)
Unattended Installation Files (clear text, base 64 , may be encrypted at times)
✓ c:\sysprep.inf
✓ c:\sysprep\sysprep.xml
✓ %WINDIR%\Software\Unattended.xml
Registry settings “AlwaysInstallElevated”
GPP saved passwords
Insecure File/Service Permissions
many more ways …
39DEFENDZA LTD.
![Page 40: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/40.jpg)
These include but not limited:
Insecure Password Storage Practices (clear text credentials in text readable configs, registry)
Write access to System32 Dir (Remember – sticky keys ☺ )
Write access to all users start up folder/Weak file permissions (such as c:\, start-up folder)
Insecure configurations ( Applications running as SYSTEM)
Unquoted Service/Binary Path Enumeration
DLL Hijacking (Insecure Library Loading) Attacks
Install a user-defined service, or replace that as a malicious service ☺ - come back when you want!
Local exploits (MS14-058, MS15-077, MS10-015, Kerberos fake TGT, token kidnapping, etc)
40DEFENDZA LTD.
![Page 41: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/41.jpg)
Your five of five a day Domain Controller ☺
Common ways for DC:
AD Kerberos attacks
PtH/PtT/OPtH
Insecure Service Permissions
Stepping up using other member servers
Nested administration groups
41DEFENDZA LTD.
![Page 42: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/42.jpg)
SPN Scanning
MSSQL, RDP, Exchange Client Access Servers, Hyper-V, Vcenter, WinRM, PS Remoting.
https://github.com/PyroTek3/PowerShell-AD-Recon
Silver and Golden Ticket (forged Kerberos TGS, TGT tickets)
MS14-068 Kerberos Fake TGT Attacks
“Kerberoast” technique?
42DEFENDZA LTD.
![Page 43: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/43.jpg)
SPN Scanning
https://github.com/PyroTek3/PowerShell-AD-Recon
Silver and Golden Ticket (forged Kerberos TGS, TGT tickets)
MS14-068 Kerberos Fake TGT Attacks
“Kerberoast” technique?
43DEFENDZA LTD.
![Page 44: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/44.jpg)
44DEFENDZA LTD.
![Page 45: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/45.jpg)
The date : 04/12/2014
The issue : MS14-068 Request a TGT without a PAC by sending a AS-REQ with PA-PAC-
REQUEST set to false. Forge a PAC claiming membership of DA group. ‘Sign’ it using plain
MD5. Create a TGS-ERQ message with krbtgt as the target. The TGT from the
first step is used along the fake PAC encrypted with a sub-session key. Send this to a vulnerable DC. KDC service will accept the forged and
issue you a new TGT that contains a PAC, injected into memory.
The exploit : PyKEK
The DC : it’s yours☺
45DEFENDZA LTD.
![Page 46: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/46.jpg)
PyKEK ms14-068.py needs:✓ User Principal Name for e.g. [email protected]
✓ User Password : W0rdP@ss987$$
✓ SID (User security identifier): S-1-5-21-2812033177-3903828100-4160366606-1107
✓ DC: pdc.skyfall.local
✓ Don’t’ forget to config synch (/etc/resolv.conf)
46DEFENDZA LTD.
![Page 47: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/47.jpg)
Obtain Kerberos ticket of the user bob from DC
Copy this Kerberos ticket to local cache:
“mv [email protected] /tmp/krb6cc_0”
47DEFENDZA LTD.
![Page 48: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/48.jpg)
Check if it’s valid ticket:
48DEFENDZA LTD.
![Page 49: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/49.jpg)
Mimikatz, related modules ported into PowerShell
PowerShell frameworks for offensive use
PowerView, PowerUp
Empire
Nishang
PowerOPS
…
49DEFENDZA LTD.
![Page 50: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/50.jpg)
Passwords
50DEFENDZA LTD.
![Page 51: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/51.jpg)
Today’s attacks are outsmarting traditional attacks:✓ Utilizing inbuilt/IT tools rather than tools written by security community to avoid
detection. Multiple scenarios include:
✓ Enumeration and discovery exercises using inbuilt tools
✓ Priv escalation work – Info gathering using inbuilt tools
✓ ntds.dit dump using ntdsutil
✓ Kerberoasting
✓ Powershell techniques to evade AV’s and other defences.
Security Analytics
51DEFENDZA LTD.
![Page 52: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/52.jpg)
52DEFENDZA LTD.
Detection for
Known attacks + Security
Analytics = Advanced Threat
Solution
![Page 53: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/53.jpg)
DEFENSE
Detect – Identifying the malicious events inaction (incident and event monitoring)
Mitigate – Mitigating threats to the organization(vulnerability management)
Prevent – Raising the game ( costs/difficulty –purple stuff)
53DEFENDZA LTD.
![Page 54: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/54.jpg)
Detect
Kerberos Attacks Detection Look for Kerberos RC4 stuff!
Ensure forest trusts support and AES is enabled*, otherwise watch out for RC4 usage (0x17 events)
Audit Kerberos Service Ticket Operations via GPO
Advanced Audit Policy Configuration
( If TGS fails, failure events with Failure Code field 0x0 on DC’s)
Trust Properties -AES* : https://technet.microsoft.com/en-us/library/dd145414.aspx
54DEFENDZA LTD.
Event ID Event
4769 A Kerberos service ticket was requested
4770 A Kerberos service ticket was renewed
![Page 55: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/55.jpg)
Detect
Admin logon, logon and logoff events
Golden – DC
Silver - members
55DEFENDZA LTD.
![Page 56: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/56.jpg)
Kerberos Encryption Types
56DEFENDZA LTD.
Source : https://blogs.technet.microsoft.com/askds/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos/
![Page 57: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/57.jpg)
57DEFENDZA LTD.
![Page 58: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/58.jpg)
58DEFENDZA LTD.
![Page 59: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/59.jpg)
Monitoring Recommendations Account Naming Conventions
High Privilege Accounts (EA, DA, BA, DBA, so on)
Outside working hours, external vendors with VPN access, or other anomalies with malicious action probability
Non-active, disabled or guest accounts that should never be used
Restricted Use systems/devices
59DEFENDZA LTD.
![Page 60: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/60.jpg)
Detect
Offensive Powershell PowerShell logging via GPO
Computer Configuration\Policies\Administrative
Template\Windows Components\Windows PowerShell
Modules Logging
Script Block Logging
Transcription Logging
60DEFENDZA LTD.
![Page 61: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/61.jpg)
Detect Automatic Script Block Logging Microsoft-Windows-PowerShell/Operational
Log events – EventId 4104
Invocation logging – EventId 4105
Tools
System.reflection , Token_privileges, Token_impersonate, token_duplicate, token_privileges
4103
61DEFENDZA LTD.
![Page 62: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/62.jpg)
Detect Monitoring AD
62DEFENDZA LTD.
Event ID P. Criticality Event
4618 High A monitored security event pattern
4649 High Replay attack
4719 High System audit policy changed
4765 High SID history was added to an account
4766 High An attempt for SID history change failed
4794 High DS restore mode attempt
4706 High A new trust was created to a domain
1102 Medium to High Audit log was cleared
![Page 63: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/63.jpg)
Detect
Audit Sensitive Privilege Use
https://technet.microsoft.com/en-us/library/dd772724%28v=ws.10%29.aspx
63DEFENDZA LTD.
Event ID P. Criticality Event
4672 High Assigned special privileges to a new
logon
4673 High Called a privilege service
4674 Medium Attempted an operation on a privileged
object
![Page 64: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/64.jpg)
Mitigate - Kerberos Attacks
KerberoastingEnsure that service account passwords are longer than 25
characters
Ensure that passwords aren’t easily guessable
AMSI (Antimalware Scan Interface) Integration
Antimalware, Security and Identity, PowerShell, Jscript,VBScript
64DEFENDZA LTD.
![Page 65: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/65.jpg)
Prevent
Implementing Least-Privilege Administrative Model
Implementing Secure Administrative Hosts
Securing Domain Controllers against an attack
65DEFENDZA LTD.
![Page 66: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/66.jpg)
Everyone knows, NO ONE follows
The Privilege Problem
Overuse of privileges - Permanently granted
Pass the hash attacks
✓ Easily obtained deep privs to be sprayed around
✓ Excessive number of permanent accounts with high priv.
EA, DA, BA are all powerful groups
66DEFENDZA LTD.
![Page 67: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/67.jpg)
Excessive Privilege Problems
Active Directory
Member Server
Workstations
Applications
67DEFENDZA LTD.
![Page 68: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/68.jpg)
Securing Local Administrator Accounts
Disabling local admin
Configuring GPOs to Restrict Administrator Accounts on Domain-Joined Systems (Computer Configuration\Policies\Windows Settings\Security Settings\Local Settings\User Rights Assignments)
Securing Local Privileged Accounts and Groups in AD
Securing built-in accounts in AD
Controls for built-in Administrator Accounts
68DEFENDZA LTD.
![Page 69: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/69.jpg)
Goal is to slow down attacker’s progress and limit the damage
Enable the "Account is sensitive and cannot be delegated" flag on the account
Enable the "Smart card is required for interactive logon" flag on the account
Disable the account
Configuring GPOs to Restrict Domains' Administrator Accounts on Domain-Joined Systems & Domain Controllers
69DEFENDZA LTD.
![Page 70: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/70.jpg)
Principles
Never administer a trusted system from a less-trusted host
Do not rely on a single auth factor when performing privileged tasks. Configuring GPOs to Restrict Domains' Administrator Accounts on Domain-Joined Systems & Domain Controllers
Do not forget physical security when designing and implementing secure administrative hosts
70DEFENDZA LTD.
![Page 71: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/71.jpg)
Account Configuration
Physical Security
AppLocker
RDP Restrictions
Patch and Configuration Management
Blocking Internet Access
Virtualization
Perimeter FW settings
71DEFENDZA LTD.
![Page 72: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/72.jpg)
72
Images Sources – Mostly Technet
Best Practices for Securing AD
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
Events to monitor
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
A very good resource
https://adsecurity.org/
DEFENDZA LTD.
![Page 73: #BLACKALPS17 · Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps ☺, Bsides, BlackHat USA 2015 Sometimes](https://reader033.vdocuments.site/reader033/viewer/2022060610/6060d0b3c8a15a644e3dd8a7/html5/thumbnails/73.jpg)
Further…
Microsoft ATA (formerly Aorato)
Upcoming Players
73DEFENDZA LTD.