Attacker's Perspective of Active Directory
1 like1,893 views
This document provides an overview of attack methodologies from an attacker's perspective when targeting Active Directory environments. It discusses initial access techniques, privilege escalation to domain admin rights, maintaining situational awareness through techniques like password spraying and Kerberoasting, and lateral movement tactics like pass the hash and pass the ticket. It also provides mitigation strategies and detection opportunities for defenders.
![Lateral Movement Mitigation
• Deploy Microsoft LAPS on Servers and Workstations to manage Local Administrator Passwords
• Deploy Group Policy: “Deny access to this computer from the network” & “Deny log on through Remote
Desktop Services” for “Local account and member of Administrators group” or “*S-1-5-114” [Block RID 500
accounts]
• Add Users with High Privileges to “Protected User” Group if possible
• Network Segmentation – It’s always about the Trust Path
• Restrict Workstation to Workstation Communication with GPO – Windows Firewall
• More Information:
https://adsecurity.org/?p=3299
https://adsecurity.org/?p=3377
https://technet.microsoft.com/en-us/library/dn466518.aspx
72](https://image.slidesharecdn.com/attackerperspectiveofactivedirectory-190602143508/85/Attacker-s-Perspective-of-Active-Directory-72-320.jpg)
Attacker's Perspective of Active Directory
- 1. Attacker’s Perspective of Active Directory Sunny Neo 1
- 2. whoami •Penetration Tester •Disclaimer: All opinions are all mine, not representation of the company I work for or organizations I am affiliated with •None of these materials are original. They are just a compilation of researches done by awesome people •Test all recommendations first, before implementing them. I take no liability if they mess up your environment 2
- 3. Shout Out •Sean Metcalf (@PyroTek3) for running https://adsecurity.org •Will Schroeder (@harmj0y) for developing and releasing tools for Modern Red Teaming (Empire, PowerSploit, Veil-Framework, Bloodhound) •Benjamin Delpy (@gentilkiwi) for mimikatz and continuously improving it •And Everyone else who contributed! 3
- 4. Defender’s Dilemma •Cliché •Attackers just need to win once •Defenders need to win all the time 4
- 5. Attacker’s Dilemma •The new cliché •Attackers need to evade all detection •Defenders just need one alarm/trigger to know attackers are in •“Defender's Dilemma vs Intruder's Dilemma” – TaoSecurity (2009) 5
- 6. Assume Breach Mentality •Prepare for threats beyond the WALL (Defence in Depth / Layered Defence) – CYBER RESILIENCE •Contain threats (Limit the attacker’s movement) •Detect & Respond to threats (Threat Hunting / IOC) – CYBER AGILITY •Prevention is still important but critical to move beyond it 6
- 7. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) Source: https://attack.mitre.org/wiki/Main_Page 7 Red Team’s Tactics, Techniques and Procedures (TTPs)
- 8. Active Directory •Microsoft’s Directory Service (AD DS)– A set of services to manage network resources •Domain Controller (DC) – Server running AD DS •Domain Admin (DA) – The User Group that has full control of network resources in the Domain •Local Administrators – The User Group that has full control for Local/Specific Machine 8
- 9. Windows Authentications •NTLM Authentication • Challenge-Response Protocol •Kerberos •Single Sign On (SSO) 9
- 12. Kerberos Authentication • Ticket Granting Ticket (TGT) contains • Privilege Attribute Certificate (PAC) stores • Account Name • Security Identifiers • Group Membership • User requests for TGT by sending timestamp that is encrypted with his secret key (NTLM Hash for RC4 cipher) • TGT is encrypted and its PAC is signed by domainKRBTGT’s secret key (NTLM Hash) – Only readable by Domain Controller (DC) • Service ticket issued by Ticket Granting Service (TGS) is encrypted by service account ’s secret key (NTLM Hash) 12
- 13. High Level Methodology Initial Foothold Privilege Escalation Situational Awareness Lateral Movement Persistence 13 *Missing Data Exfiltration
- 14. Initial Foothold •Unpatched Vulnerabilities •Spear Phishing •Weak Credentials 14
- 15. Privilege Escalation: User to Local Admin •Unpatched Vulnerabilities •System Misconfigurations • Passwords stored in SYSVOL or Group Policy Preference (GPP) •Check out Paul Craig’s talk on Local Privilege Escalation http://www.vantagepoint.sg/news/48-security-wednesdays-9-local-p rivilege-escalation-nus-greyhats or https://pentest.blog/windows-privilege-escalation-methods-for-pent esters/ 15
- 16. Passwords stored in SYSVOL •SYSVOL • Domain-wide shared folder • Stores logon scripts, domain group policies • Any authenticated user on the domain can access it •Scripts with cleartext admin credentials stored in SYSVOL 16
- 17. Passwords stored in SYSVOL •Group Policy with Password defined for Local Administrator account 17
- 18. Passwords stored in SYSVOL •Encryption key is well known 18 Source: https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
- 19. Passwords stored in SYSVOL 19
- 20. Passwords stored in SYSVOL Mitigation & Detection •Install KB2962486 to disable new credentials from being stored in GPP and Delete existing XMLs/Group Policies •Plant a XML with “Password” in SYSVOL •Configure SACL on the XML to audit for access 20
- 21. Why do we need Local Privilege Escalation? 21
- 22. Why do we need to Privilege Escalate? •Gain access to implicit trust relationship artifacts •Assume artifacts found on one machine could be used to access other machines •More Information: http://foofus.net/goons/hinge/presos/insidious-implicit-windows-tru st-relationships.pdf 22
- 23. Dump Implicit Trust Relationship Artifacts •Dump & Crack Local Accounts’ Hashes (Hashes == Passwords) •Dump Credentials in memory •Dump Kerberos Tickets •Dump Access Tokens 23
- 24. Dump Credentials in memory (mimikatz) 24 •Single Sign On experience ☺
- 25. Dump Credentials Mitigation • Audit for misconfigurations that can lead to privilege escalation with windows-privesc-check (https://github.com/pentestmonkey/windows-privesc-check) or Powerup (https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc) • Install KB2871997 on Windows 7, 8, Server 2008 and 2012 • Deploy Application Whitelisting (Applocker & Device Guard) • Get rid of Windows 2003 Server • Have different trust levels for machines – Domain Admin should not log on to machines with lower Trust Level 25
- 26. Dump Credentials Detection •Monitor Registry Value for “UseLogonCredential” at HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurity ProvidersWdigest •Value: “1” to enable cleartext password to be stored in LSASS •Honey Credentials 26
- 27. Dump Credentials Detection (Not a good idea) ● Detect mimikatz in memory using Sysmon (Be careful of performance impact) ● Look for loading of ○ C:WindowsSystem32WinSCard.dll ○ C:WindowsSystem32cryptdll.dll ○ C:WindowsSystem32hid.dll ○ C:WindowsSystem32samlib.dll ○ C:WindowsSystem32vaultcli.dll ● LSA Protection Enabled - mimidrv.sys (mimikatz’s driver to turn off LSA Protection) ● More information: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTK B_V1J5ow ← Sysmon Tutorial https://medium.com/@lennartkoopmann/explaining-and-adapting-tays-sysmon-configuration-27d9719a89a8#.c8sokq3nj https://cyberwardog.blogspot.sg/2017/03/chronicles-of-threat-hunter-hunting-for.html 27
- 28. Dump Credentials Detection 28Source https://twitter.com/markrussinovich/status/830997478182785024
- 29. Dump Credentials Detection Bypass 29 Source: https://twitter.com/raka_baraka/status/831040028436525056
- 30. User Account Control (UAC) is Enabled! •UAC is introduced since Windows Vista •Run processes as standard user rights even if user is in Administrators group unless explicit permission is given 30
- 31. UAC Bypass • Old School • Privilege File Copy (IFile Operation COM) • DLL Hijacking • Auto-elevation • New School • Fileless UAC Bypass via Registry Hijacking • Write to HKCUSoftwareClassesmscfileshell opencommand • Launch eventvwr.exe 31 • More information: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hij acking/ https://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-s hould-know/
- 32. UAC Bypass Mitigation & Detection • Reduce Users with Administrator Privilege • Set UAC level to “Always Notify” instead of Default configuration (can be bypassed with Disk Clean up) • Monitor Registry entry “HKCUSoftwareClassesmscfileshellopencommand” • More information: https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-di sk-cleanup/ 32
- 33. Situational Awareness • Port Scan • DNS Enumeration (SRV records, *._tcp.domain.com) • Password / Hash Spray • Service Principal Name (SPN) Scanning • Domain Enumeration & Admin Hunting • BloodHound 33
- 34. Password / Hash Spray •Quick and dirty way to identify access across the network •Good for pen test that doesn’t require stealth 34
- 35. Service Principal Name (SPN) Scanning •SPN is used to uniquely identify service instances for Kerberos Authentication •Gather services across the domain (Without a Single Port Scanned!) 35
- 36. Service Principal Name (SPN) Scanning •PowerShell scripts from Sean Metacalf https://github.com/PyroTek3/PowerShell-AD-Recon •Comprehensive List of SPN http://adsecurity.org/?page_id=183 •How SPN is used by Kerberos http://social.technet.microsoft.com/wiki/contents/articles/717.servic e-principal-names-spns-setspn-syntax-setspn-exe.aspx 36
- 39. Domain Enumeration with PowerView •PowerView • Based on PowerShell • Capitalize on PowerShell alternatives for “NET” command • Capitalize on Win32 API • Gain network situational awareness •More Information: https://github.com/PowerShellMafia/PowerSploit/tree/master/Reco n 39
- 40. Domain Enumeration with PowerView 40
- 41. Domain Enumeration with PowerView 41
- 42. Domain Enumeration with PowerView 42
- 43. Domain Enumeration with PowerView 43
- 44. Admin Hunting with PowerView • Implicit trust relationship • Look at where the current user has Local Administrators Right • Look for where privilege users are logged on to • Target machines with privilege users • Steal their tokens / credentials • Profit! 44
- 45. Admin Hunting with PowerView 45 • Invoke-UserHunter • Get a list of hosts from AD • Get a list of users of a specific Domain Group (Domain Admins/Local Administrators) • Run NetSessionEnum (User Sessions) and NetWkstaUserNum (Logged On Users) with information gathered • (Optionally) Check if current user has Local Administrators right on each host • More Information http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20 http://www.slideshare.net/harmj0y/i-have-the-powerview
- 46. Admin Hunting with PowerView 46Source: http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20
- 47. Admin Hunting with PowerView 47
- 48. BloodHound • Provide a graphical representation of attack path based on information gathered via customized PowerView • Simplify Admin Hunting across the Network to achieve Derivative Local Admin • More information https://wald0.com/?p=14 http://www.slideshare.net/AndyRobbins3/six-degrees-of-domain-admin-bl oodhound-at-def-con-24 https://github.com/BloodHoundAD/BloodHound/wiki 48
- 49. BloodHound 49Source: Raphael Mudge – BloodHound - Analyzing Active Directory Trust Relationships https://www.youtube.com/watch?v=gOpsLiJFI1o
- 50. Domain Enumeration Mitigation •Use Net Cease to modify NetSessionEnum default permission https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dc b5b •Upgrade to Windows 10 and Windows Server 2016 •Use SAMRi10 to restrict Remote SAM Query(>=Win 10 & Server 2016) https://www.bleepingcomputer.com/news/security/microsoft-resear chers-release-anti-reconnaissance-tool-named-samri10/ 50
- 51. Lateral Movement • Reuse cleartext credentials (Not working well after KB2871997) • Pass the Hash (Not working well after KB2871997) • Pass the Key (Overpass-the-hash) • Impersonate Tokens • Pass the Ticket • Kerberoasting 51
- 52. Pass the Hash (PtH) 52 Source: http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
- 53. Pass the Hash (PtH) •Not working well after KB2871997 •Local accounts cannot login remotely •PtH still possible for • Default Local Administrator (RID 500) hash • Domain hashes 53
- 54. Pass the Key (Overpass the Hash) •KB2871997 stops Windows from storing cleartext credentials in memory (LSASS) •NTLM Hashes/(e)Keys are still stored in memory (SSO) •Remember how Kerberos ticket request is done? 54
- 55. Kerberos Authentication Recap 55 Source: http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
- 57. Pass the Key (Overpass the Hash) •User’s secret key is dependent on the cipher used •Exploit Steps • Privilege Escalate to Local Admin • Dump Hashes/(e)Keys • Create a new process and Inject stolen hash/(e)key into memory • SSO will refer to the Injected secret key in memory • Impersonate Token of newly created Process • Win! 57
- 58. Pass the Key (Overpass the Hash) 58 •User “labgg” is Domain Admin logged in on Compromised Machine
- 59. Pass the Key (Overpass the Hash) 59
- 60. Pass the Key (Overpass the Hash) 60 •Some bug with Empire’s “shell” command so switched it to Meterpreter
- 61. Pass the Key (Overpass the Hash) 61 More Information: http://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/ http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
- 62. Pass the Ticket •Export Ticket-Granting-Ticket (TGT) from memory of a compromised Host •Import the TGT into Attacker’s Machine •Profit! 62
- 63. Pass the Ticket with MS14-068 •MS014-068 • Privilege escalation for Authenticated Domain User to Domain Admin by forging PAC • PAC stores Authorization Data (Group Membership, Security Identifier) • Improper validation of the Privilege Attribute Certificate (PAC) Signature 63
- 64. Pass the Ticket with MS14-068 64 More Information: https://labs.mwrinfosecurity.com/blog/digging-into-ms14-068-exploitation-and-defence/ https://www.trustedsec.com/december-2014/ms14-068-full-compromise-step-step/ https://github.com/bidord/pykek/
- 65. Pass the Ticket with MS14-068 65
- 66. Kerberoasting •Service Ticket can be obtained without actually using it •Service Ticket issued by TGS is encrypted with target service’s account secret key •Service Accounts are usually privilege accounts on the domain 66
- 67. Kerberoasting •Why not just crack it? • Offline Attack without contacting the Target Service’s Machine 67 Source: https://adsecurity.org/?p=2293
- 69. Kerberoasting 69
- 70. Kerberoasting Mitigation •Use password with >=25 characters for Service Accounts •Use Managed Service Accounts •More Information: https://adsecurity.org/?p=2293 https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx 70
- 71. Kerberoasting Detection •Audit “Audit Kerberos Service Ticket Operations” on Success •Look for Event 4769 and Ticket Option: 0x40810000 and Ticket Encryption type: RC4 (0x17/0x18) •Create Honey Service ☺ •More information: https://adsecurity.org/?p=3458 https://adsecurity.org/?p=3513 71
- 72. Lateral Movement Mitigation • Deploy Microsoft LAPS on Servers and Workstations to manage Local Administrator Passwords • Deploy Group Policy: “Deny access to this computer from the network” & “Deny log on through Remote Desktop Services” for “Local account and member of Administrators group” or “*S-1-5-114” [Block RID 500 accounts] • Add Users with High Privileges to “Protected User” Group if possible • Network Segmentation – It’s always about the Trust Path • Restrict Workstation to Workstation Communication with GPO – Windows Firewall • More Information: https://adsecurity.org/?p=3299 https://adsecurity.org/?p=3377 https://technet.microsoft.com/en-us/library/dn466518.aspx 72
- 73. Lateral Movement Mitigation • Different Tiers of Administrators for Different Tiers of Servers & Workstations 73 More Information: https://technet.microsoft.com/en-us/library/mt631193.aspx
- 74. Lateral Movement Detection •Turn on Audit for Local Account Logon •Turn on Audit for Kerberos • Look out for Domain Names in lower case/non-standard (Not comprehensive) • Look out for Ticket Encryption Type 0x17/0x18 for RC4 (Not comprehensive) •More Information: https://dfir-blog.com/2015/12/13/protecting-windows-networks-ker beros-attacks/ https://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/ 74
- 75. Persistence •Hash Dump & Crack the Hashes •Golden Ticket •Silver Ticket 75
- 76. Hash Dump & Crack The Hashes •Old School • Get NTDS.dit file • Backup • Virtual Machine Disk • Shadow Volume • Process NTDS.dit for Hashes •New School • DCSync (No need for direct access to NTDS.dit) 76
- 77. DCSync •Impersonate as a Domain Controller •Replicate User Credentials via Directory Replication Service (DRS) Remote Protocol •No Code Execution required, however “Domain Admins” privilege is needed •If used with “Domain Controllers” privilege, it will not be logged 77
- 78. DCSync 78
- 79. Golden Ticket • Forged TGT with Admin Privilege, then PTT • TGT is encrypted & signed by • Domain KRBTGT’s secret key • Important to note that KRBTGT’s password is almost never changed • Information required to create Golden Ticket • Domain Name • Domain SID • Domain KRBTGT NTLM Hash/(e)Keys • UserID for Impersonation 79
- 80. Golden Ticket 80
- 81. Golden Ticket 81
- 83. Silver Ticket •Forged Service Ticket •Require only the service account key instead of KRBTGT •Access is restricted to the specific Service •More Information: https://adsecurity.org/?p=2011 83
- 84. Silver Ticket 84
- 85. Silver Ticket 85
- 86. Persistence Mitigation and Detection •Change KRBTGT’s password twice (to purge Password History) and regularly •Look out for RC4 Kerberos traffic – Vista and onwards default cipher for Kerberos is AES (Not comprehensive) •Use Group Managed Service Account •More information: https://adsecurity.org/?p=1515 86
- 87. Mitigations for PowerShell Activities ● Lock down PowerShell.exe, PowerShell_ISE.exe (Not Ideal) ● Uninstall PowerShell v2 ● Use PowerShell v5 with ○ Constrained Language Mode with AppLocker / Device Guard ○ Log all PowerShell Activities (Module Logging, Script Block Logging, System-wide Transcript Logging) ● More information: https://adsecurity.org/?p=2604 87
- 88. Microsoft Advanced Threat Analytics (ATA) • Machine Learning Platform to detect quite a number of things we have discussed • Receive logs and events from SIEM and Windows Event Forwarding(WEF) • More information: https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-expl ore/ata-threats https://adsecurity.org/?p=1583 https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-8b0a86bc/fi le/169608/1/ATA%20Playbook.pdf 88
- 89. Microsoft Advanced Threat Analytics 89 Source: https://blogs.technet.microsoft.com/enterprisemobility/2015/05/04/microsoft-advanced-threat-analytics-public-preview-releas e-is-now-available/
- 90. Q & A? 90
- 91. Reference • Adversarial Tactics, Techniques & Common Knowledge https://attack.mitre.org/wiki/Main_Page • Attack Methods for Gaining Domain Admin Rights in Active Directory https://adsecurity.org/?p=2362 • PROTECTING WINDOWS NETWORKS – KERBEROS ATTACKS https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/ • The Most Common Active Directory Security Issues and What You Can Do to Fix Them https://adsecurity.org/?p=1684 • Building an Empire with PowerShell http://www.slideshare.net/harmj0y/building-an-empire-with-powershell 91
- 92. Reference • Mimikatz and DCSync and ExtraSids, Oh My http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/ • Make PowerView Great Again http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ • Six Degree of Domain Admin https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Robbins-Vazarkar-Schroeder-Six- Degrees-of-Domain-Admin.pdf • kerberos, kerberoast and golden tickets https://leonjza.github.io/blog/2016/01/09/kerberos-kerberoast-and-golden-tickets/ • Mimikatz 2.0 - Silver Ticket Walkthrough https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html#Why 92