Get Active Directory Security Guide 1st Edition Picussecurity free all chapters

Get the full ebook with Bonus Features for a Better Reading Experience on ebookmeta.com
Active Directory Security Guide 1st Edition
Picussecurity
https://ebookmeta.com/product/active-directory-security-
guide-1st-edition-picussecurity/
OR CLICK HERE
DOWLOAD NOW
Download more ebook instantly today at https://ebookmeta.com

The Complete Active Directory
Security Handbook
Exploitation, Detection, and Mitigation Strategies
Active Directory Security Guide

2
The Complete Active Directory Security Handbook
03
04
05
16
23
28
32
37
42
47
48
Introduction
Active Directory
Attack Technique 1:
Use of Alternate Authentication Methods (T1550)
Attack Technique 2:
Kerberoasting
Attack Technique 3:
Golden Ticket Attack
Attack Technique 4:
DCShadow Attack
Attack Technique 5:
AS-REP Roasting
Attack Technique 6:
LDAP Injection Attack
Attack Technique 7:
PetitPotam NTLM Relay Attack on a Active Directory
Certificate Services (AD CS)
Conclusion
References
Table of Contents

3
Introduction
Active Directory (AD), introduced with Windows 2000 [1], has become an integral part of
modern organizations, serving as the backbone of identity infrastructure for 90% of Fortune
1000 companies [2]. Active Directory is widely used by organizations for its simplicity and
centralized management approach. It is an attractive solution for businesses as it makes it
easier for employees to access resources and applications with a single set of credentials,
which increases productivity and efficiency [3]. Additionally, its centralized management
structure provides a single point of control for IT administrators, allowing them to manage
users, computers, and access to resources in one place [4].
However, due to its widespread use and architectural limitations, Active Directory becomes
a liability in the event of a security breach and becomes a priority target for adversaries
seeking to elevate privileges, infect multiple systems, and launch devastating attacks such
as data exfiltration, full system compromises, and ransomware.
The biggest challenges in recovery after an AD breach include identifying the source,
determining the extent of damage, and creating a secure new environment. According to
Verizon’s 2022 Data Breach Investigations Report [5], 80% of breaches come from external
agents, and as IBM's 2021 Cost of a Data Breach Report points out that once a domain
admin is hacked, attackers can hide within your network for up to 277 days before
detection, posing a significant threat [6].
The widespread use and ease of access to resources for employees make it challenging for
organizations to retire outdated Active Directory (AD) and adopt more secure alternatives
like Microsoft Azure Active Directory (AAD). The transition to AAD addresses some of AD's
limitations by automating administrative tasks such as user management and group
membership assignment for improved efficiency [7]. However, the same security risks still
apply, as a compromise of the identity infrastructure can have devastating consequences.
Adversaries can also exploit Microsoft Endpoint Manager to move laterally from an Azure
tenant to an on-prem AD domain, creating attack paths between separate identity
management environments [8].
The importance of Active Directory security cannot be overstated, and organizations must
be prepared with disaster recovery plans and vigilant monitoring to stop attacks before the
system is corrupted or becomes irreparable. The choice between AD and AAD will largely
depend on the needs and resources of the organization, but the risk of compromise remains
regardless of choice. The secure and effective use of Active Directory requires a clear
understanding of the potential risks and a commitment to security practices and protocols.

4
Active Directory
Active Directory (AD) is a crucial directory service for managing network resources in
Windows-based networks. It enables the centralization of management for various
network resources, including user and computer accounts, resources, and security
policies. In this way, AD facilitates efficient and secure management of networks in a
hierarchical structure.
AD operates on a hierarchical structure consisting of domains at the top level and various
objects nested within, such as users, computers, and groups. The structure is designed
to provide an organized and efficient way of managing network resources, and it ensures
that security policies are enforced consistently across the network.
AD uses Lightweight Directory Access Protocol (LDAP) for communication between
domains and domain controllers. LDAP is a directory service protocol that enables the
management of distributed directory services over an IP network. Additionally, AD
employs Kerberos, a secure authentication protocol for authentication over a network.
This ensures that only authorized users and computers can access network resources,
thereby enhancing network security.
To manage network resources efficiently, Active Directory uses Group Policy Objects
(GPOs). GPOs are used to control and enforce security policies, software deployment,
and other administrative tasks across the network. AD also provides support for Remote
Procedure Calls (RPCs), allowing for remote management of network resources. This
ensures that network administrators can efficiently manage network resources from a
centralized location, regardless of the location of the resources themselves.
However, Active Directory is not immune to attacks, and attacks on AD can result in
disastrous consequences for the network. Successful Active Directory attacks consist of
three primary steps: discovery, privilege escalation through theft of valid account
credentials, and gaining access to other computers in the network/domain. Once
attackers gain a foothold in the target network, they immediately shift their focus to
gaining elevated access to additional systems that will help them accomplish their final
goal, such as encrypting and exfiltrating organizational data.
In summary, Active Directory is a vital component for managing and securing network
resources in Windows-based networks. Its hierarchical structure and various features,
such as LDAP and Kerberos, GPOs, and RPCs, provide efficient and secure management
of network resources. To keep your network secure, it is critical to protect Active
Directory from attacks by implementing strong security measures and keeping security
protocols up-to-date to prevent unauthorized access to network resources.

5
Pass-the-Hash (T1550.002)
Pass-the-Hash (PtH) is an identity-based attack that is leveraged by attackers to gain
access to additional systems and privileges within a network once they have already
compromised the system.
In a typically Pass-the-Hash scenario, adversaries
● gain initial access to a target network,
● steals/dumps “hashed” user credentials,
● uses dumped credentials
to create a new user session on the compromised host.
Attack Technique 1:
Use of Alternate Authentication
Methods (T1550)
Attack Technique 1: Use of Alternate Authentication Methods (T1550)
Adversarial attacks on a system can often bypass normal access controls by using alternate
authentication materials such as password hashes, Kerberos tickets, and application access
tokens. This technique, known as T1550 in the MITRE ATT&CK framework, enables attackers
to move laterally within an environment and gain unauthorized access.
This section will provide a detailed description of two sub-techniques of the Use Alternate
Authentication Methods (T1150) technique: Pass-the-Hash (T1550.002) and Pass-the-Ticket
(T1550.003).

6
A hash is a unique digested output of a one-way mathematical function that takes an
input of various sizes (could be as long as a classical novel or short as an 8-digits
password) and returns a fixed-size string of characters. As these functions are
designed to be one-way, meaning that having an output, it should be computationally
infeasible for an adversary to reverse the output, i.e., to gain the cleartext input,
password hashing is still a prevalent security practice against data-breach attacks.
As opposed to other attacks, Pass-the-Hash attacks represent a unique form of credential
theft in which an attacker leverages the Windows New Technology LAN Manager (NTLM)
authentication protocol to authenticate to a remote system using the pre-computed hash of
a valid user's password. When a user logs into a Windows system that relies on the NTLM
protocol, the system generates an NTLM hash of the user's password without leveraging a
technique called salting that enhances the security of hashed passwords stored on servers
and domain controllers.
NTLM is a single sign-on method that utilizes a challenge-response system to verify the
user's identity without requiring the user's password. Therefore, this attack technique does
not require adversaries to use any third-party cracking tools, as the plaintext version of the
password is not needed; therefore, it eliminates the need to perform time-consuming
cracking operations.
If an attacker obtains the NTLM hash of a user's password through means such as extracting
it from lsass.exe memory or from the %systemroot%system32configSAM file, capturing it
during network transmissions, or dumping it from a backup or image of a system, they can
utilize the hashed password by passing the hash to a remote system that recognizes the
compromised user's account. Depending on the privileges and level of access of the
compromised user, adversaries may gain full system access and successfully perform lateral
movement attacks.
It is important to note that this is not a vulnerability, but rather a deliberate design
choice aimed at reducing friction and improving the overall user experience.
Tools and Techniques to Perform Pass-the-Hash Attacks
Pass-the-Hash (PtH) attacks can be executed by utilizing various publicly available tools,
such as Mimikatz [9] and evil-winrm [10], as well as built-in PowerShell cmdlets. Attackers
often employ these tools or commands to extract the hash from the memory of a
compromised system and then use it to gain access to other systems on the network.
Tool 1: Mimikatz
The usage of Mimikatz for the Pass-the-Hash attack consists of three main steps.

7
Step 1: Stealing the password hash
To dump a list of recently logged-on users and their OS credentials, adversaries often use
the sekurlsa module in Mimikatz, which leverages a number of different techniques to
extract authentication information from LSASS memory, including parsing memory structures
and using Windows APIs. The "logonpasswords" function of this module specifically extracts
login session data such as saved password hashes and cached credentials. This can include
the current user's logon information, as well as information for other users who have logged
onto the same machine.
Note that before leveraging the sekurlsa::logonpasswords command, attackers need to run
the privilege::debug command so that the Mimikatz can run properly.
By default, LSASS runs with high integrity and is protected from being debugged by
unauthorized processes. However, by enabling the debugger privilege, the attacker can
bypass this protection and access LSASS memory to extract the logon session data.
Below, you will find an example output of step one.
PS> .mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"
Authentication Id : 0 ; 302247 (00000000:00049ca7)
Session : UndefinedLogonType from 0
User Name : Alice
Domain : DOMAIN
Logon Server : DC1
Logon Time : 12/01/2023 15:13:19
SID : S-1-5-21-3501040295-3816137123-30697657-1109
msv :
[00000003] Primary
* Username : Alice
* Domain : DOMAIN
* NTLM : a0c8746a6efc7782c7c19c55185145be
Having this NTLM hash, it is time for adversaries to jump to the second stage.
It is important to note that Mimikatz is not the only way to dump NTLM hashes. Adversaries
often leverage other built-in command-line applications or third-party tools, such as
ProcDump [11] and Gsecdump [12], for credential dumping.

8
Step 2: Authentication through the stolen password hash
This is the main step where the adversary passes the hash to impersonate the user and gain
access to the remote system.
The "sekurlsa::pth" command in Mimikatz is a feature that facilitates "Pass-the-Hash"
attacks. This technique allows an attacker to authenticate to a remote system by using a
captured NTLM hash of a user's password, without the need for the actual password. To
execute this command, the attacker must provide only the following parameters:
● /user: (the username),
● /domain: (the domain name), and
● /ntlm: (the NTLM hash of the user's password).
Note that Windows passwords are not only limited to the NTLM protocol, but may also
use popular block encryption algorithms like AES-128 and AES-256 for password
storage. In such cases, adversaries would need to use the /aes128: or /aes256:
parameters instead of /ntlm:.
PS> .mimikatz.exe "sekurlsa::pth /user:Alice /domain:domain.com
/ntlm:a0c8746a6efc7782c7c19c55185145be"
user : Alice
domain : domain.com
program : cmd.exe
impers. : no
NTLM : a0c8746a6efc7782c7c19c55185145be
. . .
Notice how easily we gained access to a remote system without knowing only the username
and NTLM hash of the victim’s password.
Step 3: Accessing resources through new user account
In the third step, the attacker uses the newly obtained user account to expand their network
access. For instance, the adversary can use a command-line utility called PsExec to perform
remote code execution on another host.
For instance, the attacker can run the following command to run the "cmd.exe" process on
the remote machine with an internal IP address "192.168.52.146":
psexec.exe 192.168.52.146 cmd.exe
Mimikatz is not the only way to perform a Pass-the-Hash attack. Adversaries often use the
PowerShell, too.

9
Tool 2: PowerShell
It is common for adversaries to use the Invoke-WMIExec cmdlet, which allows execution of
arbitrary commands on a remote Windows machine using WMI (Windows Management
Instrumentation), to perform a PtH attack.
Note that Invoke-WMIExec is a built-in PowerShell cmdlet that is present in many
recent Windows systems. This feature enables the execution of arbitrary commands
on a remote Windows machine through Windows Management Instrumentation (WMI).
You can run Invoke-WMIExec directly from a PowerShell prompt or integrate it into a
PowerShell script.
Being a built-in cmdlet makes the attack using Invoke-WMIExec more covert, as it
does not require any additional downloads or installations.
For instance, having a password hash of the user called Alice from our previous scenario,
an adversary can run the following command.
Invoke-WmiExec -target 192.168.52.146 -hash a0c8746a6efc7782c7c19c55185145be
-username Alice -command hostname
In the command above, an adversary is using the Invoke-WmiExec script to run the command
"hostname" on the remote machine with the internal IP address 192.168.52.146.
Tool 3: evil-winrm
The "evil-winrm" tool is a Ruby gem that enables the execution of remote commands on a
Windows machine using the Windows Remote Management (WinRM) protocol. As evil-winrm
is not a built-in tool, adversaries have to install it before the use. Various installation options
are available in the corresponding GitHub repository [10].
In a Pass-the-Hash attack using evil-winrm, the attacker specifies the username, NTLM
hash, and IP address of the target system as parameters in the evil-winrm command [14].
For example, the following command can be used to perform a PtH attack on a Windows
machine with IP address 192.168.52.146, using the username "Alice" and the NTLM hash
"a0c8746a6efc7782c7c19c55185145be":
evil-winrm -u Alice -H a0c8746a6efc7782c7c19c55185145be -i 192.168.52.146
With this information, evil-winrm establishes a remote connection to the target system and
authenticates as the specified user (Alice), allowing the attacker to execute arbitrary
commands on the remote machine.

10
Detection Methods for the Pass the Hash Attack
Below, known Event IDs are added to detect a possible Pass-the-Hash attack [15], [16], [17],
[18]:
Event ID 1 - Process Create.
● Key Description Fields: LogonId, ParentProcessId, ParentImage, CurrentDirectory,
CommandLine, IntegrityLevel, ParentCommandLine, ParentCommandLine, UtcTime,
ProcessId, User, Hashes, Image
Event ID 5 - Process terminated.
● Key Description Fields: UtcTime, ProcessId:, Image
Event ID 10 - Process accessed.
● Key Description Fields: SourceThreadId, TargetProcessId, GrantedAccess,
SourceImage, TargetImage
Event ID 4624 - An account was successfully logged on.
● Key Description Fields: Account Name, Account Domain, Logon ID
Event ID 4663 - An attempt was made to access an object.
● Key Description Fields: Process ID, Access Mask, Account Domain, Object Name,
Process Name, Object Type, Logon ID, Handle ID
Event ID 4672 - Special privileges assigned to new logon.
● Key Description Fields: Security ID, Account Name, Account Domain
Event ID 4688 - A new process has been created.
● Key Description Fields: Required Label, Account Domain, Source Process Name, New
Process Name, Token Escalation Type, New Process ID, Source Process ID
Mitigation Techniques for the Pass the Hash Attack
To mitigate the risk of pass-the-hash attacks, organizations can employ several technical
measures. One such measure is to enable Windows Defender Credential Guard, a feature
that was introduced in Windows 10 and Windows Server 2016. This tool leverages
virtualization to secure credential storage and restrict access to trusted processes only.

11
Randomizing and storing local administrator passwords with a solution like Microsoft's
Local Administrator Password Solution (LAPS) also adds an extra layer of security, as it
reduces an attacker's ability to move laterally with local accounts that share the same
password. It is also recommended to prevent local accounts from authenticating over the
network, which can be achieved through the use of well-known SID's in group policies.
Pass-the-Ticket (T1550.003)
Pass the Ticket (PtT) is a technique that allows an attacker to use a previously acquired
Kerberos Ticket Granting Ticket. The TGT is a crucial component of the Kerberos protocol,
as it enables a user to authenticate to multiple systems without having to enter their
password each time.
The Ticket Granting Ticket (TGT) is a type of ticket issued by the Domain Controller
(DC) to a user upon successful authentication to the domain. It includes crucial
information such as the user's session key, group membership, and privileges, which
are used to request service tickets for specific services on target systems. Kerberos
encrypts the TGT using the user's password hash and employs symmetric encryption
algorithms (such as DES or AES) depending on the configuration of the Kerberos
environment. After encryption, the TGT is sent to the user's computer and stored in
memory.
Having a stolen TGT key, an adversary can request a service ticket from the DC for a
specific service on a target system to gain access to its resources.
When the user wants to access a resource on another system, they use the TGT to
request a service ticket from the DC. The service ticket is also encrypted with the
user's session key, and it contains an encrypted session key that can be used to
authenticate to the target system. The service ticket is then sent to the user's
computer, where it is used to authenticate to the target system.
Tools and Techniques to Perform Pass-the-Ticket Attacks
Pass-the-Ticket (PtH) attacks can be executed by utilizing various publicly available tools,
such as Mimikatz, Kekeo [19], Rubeus [20], Creddump7 [21], etc. Attackers often employ
these tools to extract Kerberos TGTs from the memory of a compromised system and then
use them to gain access to other systems on the network.
Another measure is to revoke administrator privileges from user workstations. This limits an
attacker's ability to execute malware and extract hashes from LSASS.exe. Additionally,
limiting the number of endpoints that users have administrative privileges on and avoiding
administrative privileges across security boundaries reduces the risk of a compromised
credential being used to escalate privileges.

12
Step 1: Capturing Kerberos tickets for valid accounts
An attacker can use the sekurlsa::tickets Mimikatz command with the /export parameter to
extract all the Kerberos tickets from memory and save them as .kirbi files and save them in
the same folder where the Mimikatz executable file is located.
By examining the names of the .kirbi files, it is possible to determine if there are any
Kerberos tickets for a domain administrator, such as DOMAINAlice:
PS> mimikatz.exe "privilege::debug" "sekurlsa::tickets /export"
PS> dir | findet "Alice" | findstr "krbtgt"
...
[0;1e4c7df]-2-0-40e10000-Alice@krbtgt-DOMAIN.COM.kirbi
...
The second command, dir | findet "Alice" | findstr "krbtgt", lists all the files in the current
directory and pipes the output to the findstr command to search for the text "krbtgt". The
purpose of this command is to find the Kerberos ticket file(s) related to the user "Alice",
which may include the "krbtgt" string in the file name.
Step 2: Reusing the ticket
This is the main step of the Pass-the-Ticket attack.
In this step, the attacker employs the Mimikatz command kerberos::ptt to insert the obtained
TGT into their own session, resulting in their session taking on the identity and permissions
of the stolen TGT for future access to resources without knowing the plaintext credentials.
This allows the adversary to access resources that would otherwise be protected by
Kerberos authentication [23].
Note that Mimikatz is not the only tool to obtain Kerberos tickets. Adversaries can
employ the Rubeus [20] tool to generate raw AS-REQ traffic in order to ask for a TGT
with a provided username and password. The advantage of this attack is that the
password supplied to Rubeus can be encrypted in RC4, DES and AES algorithms,
and the attack still would work [22].
Tool 1: Mimikatz
Usage of Mimikatz for the PtT attack consists of four main steps.

13
PS> mimikatz.exe "kerberos::ptt
C:KerberosTickets[0;1e4c7df]-2-0-40e10000-Alice@krbtgt-DOMAIN.COM.kirbi"
* File:
'C:KerberosTickets[0;1e4c7df]-2-0-40e10000-joed@krbtgt-DOMAIN.COM.kirbi': OK
Note that the above command is used to insert the Kerberos Ticket Granting Ticket (TGT)
stored in the corresponding .kirbi file into the current session.
To make sure that the right ticket was injected, an adversary can use the “kerberos::list”
Mimikatz command.
PS> mimikatz.exe "kerberos::list"
[00000000] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 13/01/2022 09:47:44 ; 13/01/2022 09:47:44 ; 13/01/2022
09:47:44
Server Name : krbtgt/DOMAIN.COM @ DOMAIN.COM
Client Name : Alice @ DOMAIN.COM
Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ;
forwardable ;
It is important to mention that the TGT has a finite lifetime, and it will expire after a
certain period of time. The user will need to re-authenticate to the domain to obtain
a new TGT.
Step 3: Discovering privileges of the stolen ticket
Once an obtained ticket is ready for reuse, the attacker needs to identify its capabilities, i.e.,
where it can be utilized. A TGS can only provide access to the specific resource it was issued
for, and the attacker can find out that information by examining the TGS.
To use a TGT, the attacker may have to perform an internal discovery phase to figure out the
access it grants. This can be as simple as checking the user's group memberships and
looking for clear signs.
Numerous tools can be employed to gather information about Active Directory.
However, an attacker can also use built-in commands like "net" to gather such
information without alerting security controls.

14
PS> net user Alice /domain
The request will be processed at a domain controller for domain domain.com.
User name Alice
Full Name Alice Oswell
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
. . .
Local Group Memberships
Global Group memberships *Workstation Administrators *VPNUser
*FileServer1_PublicShare *Domain Users
The command completed successfully.
Step 4: Accessing resources through new user account
Lastly, the attacker can employ built-in OS utilities to move laterally in a stealthy manner so
that they can try and gain access to other resources and further their goals. For instance, the
adversary might leverage the PsExec command-line utility to run the powershell.exe on a
remote workstation.
Detection Methods for the Pass the Ticket Attack
Below, known Event IDs are added to detect a possible Pass-the-Ticket attack [15], [16]:
Event ID 4768 - A Kerberos Authentication Ticket (TGT) was requested.
● Key Description Fields: Account Name, Service Name (always "krbtgt"), Service ID,
Client Address
Event ID 4769 - A Kerberos Service Ticket was requested.
● Key Description Fields: Account Name, Service Name, Client Address
Event ID 4770 - A Kerberos Service Ticket was renewed.
● Key Description Fields: Account Name, User ID, Service Name, Service ID

15
Mitigation Techniques for the Pass the Ticket Attack
Effective measures to counter pass-the-hash attacks concentrate on making tickets more
difficult to steal and limiting the potential impact of a stolen ticket. One such measure is to
utilize Microsoft's Windows Defender Credential Guard. This technology, which was
introduced in Windows 10 and Windows Server 2016, leverages virtualization to secure
credential storage and provide access only to trusted processes.
Another important step is to limit the number of endpoints where users have administrative
privileges. This significantly reduces the risk of an attacker using a stolen ticket for lateral
movement. It is also important to avoid granting administrative privileges across security
boundaries, as this greatly reduces the risk of an attacker using a stolen ticket to escalate
their privileges.

Other documents randomly have
different content

Tuuli on tuima, ankarat aallot,
Ruuhet on rannalla pienoiset;
Ruuhet on aivan pienoiset,
Kultaseni sormet on hienoiset.
Oi, älä lähde aaltojen valtaan!
Aallot ne sun pian pettäisi.
Ei mua murhe heittäisi,
Ennen kuin mun multakin peittäisi.

KULTASENI
(Kansan-laulu)
Minun kultan' kaunis on, sen
suu kun auran kukka;
Silmat on sen siniset
keltanen sen tukka.
Älä sure sorja neitto,
vaikka toisen orja;
Kohta kuluu kuusi vuotta (1),
kyllä sinun korjaan.
(1) Tästä näkyy, että Suomalaisen orjalla oli sama oikeus kun
hebrealaisenkin. Hän sai kuuden palvelus-vuoden perästä lähteä
pois seitsemäntenä, vapaana lunastamata 2 Mos. 21:2.

KULTAANSA SUREWA
(Kansan-laulu)
Itkettää ja surettaa ja
huoleks' tahtoo tulla,
Kuin on muilla kultasensa
eikä ole mulla.
Kultani on kaukana ja
kaukana se kukkuu;
Yksin täytyy maata mennä,
yksin täytyy nukkuu.
Kultani on kaukana, niin
kauas taisi mennä,
Ettei sinne pienet linnut
ijässänsä lennä.
Oi, jos pieni lintunenkin
sanoman nyt toisi,
Suru menis mielestäni,
sydän hyvin voisi.

Lennä, lennä lintu raukka,
puhu kuullakseni! –
Kävitköstä kullan maalla,
näitkö kultaseni?
Sano, kuinka kullan maalla
aamu armas koitti;
Ilossako elettiin, vai
suruko he voitti.
Mitä näit sä muutakin, ja
näitköstä senkin,
Jos ne oli terveena ja
kulta liiatenkin.
Tule kulta tälle maalle,
tule poika kulta,
Ett'ei rientäis turhaan tämä
ikä nuori multa.

TURWATON
(Kansan-laulu) (1)
Onneton olin minä ollessani,
Onneton tähän kylään tullessani;
Onnettomaksi olen minä luotu,
Ei ole minulle ilo-päivää suotu.
Ei ole turvaa siellä eikä täällä,
Enenpää kuin linnulla lentonsa päällä.
Maalima minua nyt paljokin vaivaa,
Kuoppia teilleni eteeni kaivaa.
Ystäväni myöskin on ynsiäksi tullut,
Kuin hän on maailmalta juttuja kuullut.
Kuuleppas kultani, vielä sana yksi:
Kuinkahan näin tulin minä hyljätyksi?
Kuka sinun öksytti rakkauden tiellä?
Tule, tule kertakin luokseni vielä!

Muistakkos muinen kun marjassa käytiin,
Ahosilla istuttiin ja leikkiä lyötiin?
Päivä se paisti, ja pienet kukat loisti;
Kukatkin ne ketosilla iloamme toisti.
Linnut ne laulelivat metsien päällä;
Meistä he lauloivat siellä ja täällä.
Ei ole ajat enää, niinkun olit ennen,
Entiset ajat ovat olleet ja menneet.
Entinen oma kulta ei enää hoida;
Niin se mun heitti kun pienen linnun-pojan.
Toivoni raukesi, meni juuri tyhjään,
Ei ole mulla nyt ilo-päivää yhtään.
Enkä mä itselleni näin luullu käyvän;
Ikäväni kestää nyt kuolema-päivään.
Olen niinkun kyyhkynen vierahalla maalla,
Lentävä lintunen taivahan alla.
Olen niinkuin oksalla varpunen pieni,
En tiedä kuhun otan matkan ja tieni.
Nuoruus-ikä rientää ja aikani kulkee;
Jopa noista vaivoista väsymyskin tulee.
Päiväni päätyy ja elämäni katkee,
Multa se murheeni peittää ja kätkee.
[On enemmiten yhtäläinen kuin Kantelettaressakin.]

SUOSIO
Suosio on soma
Onnen siemen oma,
Josta kasvu kaunis ilmestyy;
Sillä suloisella
Levon laitumella
Kaikki meille hyvin menestyy.
Sydän siivollinen,
Rinta riemullinen
Sulattaavat mielen suosioon;
Mutta viha, vaino,
Kateuskin kaino
Jouduttavat järjen turmioon.
Karhu kontiolla
Woipi vielä olla
Luonto kauhiampi lausuttaa,
Kuin on kulkevalla
Wainon vallan alla,
Joka pahan sisun paisuttaa.

Tunnoton ja tuima,
Päästä hullu, huima
Siis on suotta nurja sovintoon;
Sillä kukin kurja,
Hirmun henki, hurja
Waipunut on itse vahinkoon.
J. Juteini

LEIWOSELLE
Ilon ääni ihanainen
Intohoni ilmestyi,
Kuin tuo lintu laulavainen
Laksohimme lähestyi.
Katsos! kuinka korkialla
Lentelee ja laulelee;
Lempeällä laulamalla
Korkehinta kiittelee.
Koska ensin äänes kuulin,
Wielä varsin nuorena,
Wäinämöisen soitoks' luulin,
Kevähänä kauniina.
Älä väsy veisaamasta!
Korvani sua kaipaavat;
Älä lakkaa laulamasta!
Silmäni sua seuraavat.
Laula, laula lintuseni,
Lennä ylös pilvihin

Kantamahan kiitokseni
Luojan tykö taivaisiin.
Terve sieltä tultuasi
Lohduttamaan luontooni!
Sieltä alas astuissasi
Ilahuttaan intooni!

KIILTO-MATO
Kiilto-mato kukkasissa
Loisti hiljasuudesaan
Yli kedon, tienohissa,
Tietämätön loistostaan.
Sulosesti tätä tähti
Katsoi korkeudestaan.
Kätköstänsä kärme lähti
Myrkkyänsä valamaan.
Sääli madon surkeutta!
Miks’ hän syyttä surmattiin?
Syyttä! sanoi kärme, mutta
Miksikäs hän loisti niin?

LÄHTEELLÄ
Ruotsinkielisestä: "Jag sitter källa vid din rand" (1).
Sua, lähe kaunis, katselen
Likellä vettesi,
Kuin pilven varjot vaeltavat
Kuvastimessasi (2).
Kah tuoll’ on pilvi loistava,
Ihana, kaunoinen;
Jo lähti pois pakenemaan —
Hyvästi varjonen!
Taas tuossa toinen kullallaan
Kuvoaa taivahan;
Se ei pitemp’ – iällinen
Jo lähti matkahan.
Kah vielä muuan (3) hirviä
Hias kulullehen;
Woi siirtyisitkö sievemmin
Jälestä toisien!

Wain näitä katsellessani
Mä muistan mieltäni,
Kuin monta kullan loistoa
Jo siirtyi siltäki.
Kuin pilvet paksut, synkiät,
Sitäi’ pimittivät,
Yhtäkkiähän nousivat,
Hitaasti lähtivät.
Waan jospa kuinkin kulkivat,
Ne eivät outoja:
Ne tyhjiä kuvaamia
Ja pilven varjoja.
Ne mieli raukan kuitenki
Moneksi muuttavat;
Woi koskastapa varjojen
Walehet loppuvat!
E. Lönnrot
(1) Wähän toisellainen on tämä laulu "Maamiehen Ystävässä"
N:o 15, v. 1844.
(2) Peilissäsi.
(3) Muutama, joku, eräs.

JOUTSEN
Ruotsinkielisestä: "Från molnens purpurstänka rand" (1).
Kesäisen illan kullasta
Tuo joutsen tultuaan,
Joen lahelle laskihen,
Ja loihen (2) laulamaan.
Suloa Suomen lauloi hän,
Kesiä pohjolan,
Kuin halkiöisin aurinko
Walaisee maailman.
Kuin varjopuien suojassa
On hetket herttaiset,
Ja aallot uia armahat,
Ja rannat rauhaiset.
Ja kuin suloista siellä on
Syleillä kultoa,
Ja kuinka vilppi, viekkaus,
Siell’ uppo (3) outoja.

Näin souti salmi salmelle
Se joutsen joikuen (4),
Ja kultansa kohattua
Syleili lausuen:
”Wähänpä tuosta, kuinka jo
Ikäni määrän sain –
Olen uinut pohjan aalloilla,
Syleillyt kultoain”.
E. Lönnrot
(1) Toisellainen on tämän laulun käännös "Oulun Wiikko-
Sanomissa"
N:o 5, v. 1834, ja toisellainen "Maamiehen Ystävässä" N:o 33,
v. 1844.
(2) Loi itsensä, rupesi.
(3) Peräti, varsin.
(4) Yksiäänisesti laulaen.

MIES
Mies on maassa oivallinen,
Waivoissakin voimallinen,
Koska konna värisee,
Waaroissaansa vapisee.
Mies on viisas vahingossa,
Tuskan alla, turmioissa;
Onni häntä hyödyttää,
Joka pahan pyörryttää.
Mies ei mieli hoiperella,
Eikä huoli huikennella,
Mutta missä tarvitaan,
Siellä miestä mainitaan.
Tammesta on miehen tahto,
Waan ei höllä, niin kuin vahto,
Walmis töitä täyttämään,
Oikein onnen käyttämään.
Tutkittaissa tuntoansa,
Taikka muuta menoansa,

Miehen tavat tunnetaan,
Joilla arvo ansaitaan.
Miehen jalon, järjellisen,
Retkillänsä rehellisen,
Tie on tietty kunniaan
Avun kautta armiaan.
J. Juteini

TALON-POJAN LAULU
Nuotti: "Ecce novum gaudium" etc.
Talon-poika, taitava
Elon etsinnöissä,
Aina olen alkava
Päivät pellon töissä;
Näissä voiman näytän,
Kaikki hyvin käytän,
Aina työni täytän,
Urhollisena.
Ei omalla pellolla
Aura paljo paina,
Mies on itse ilolla
Ahkera siell’ aina.
Waimo, kuva valon,
Ompi turva talon,
Äiti joukon jalon
Toimellisena.

Tämä sääty suuri on,
Suuri Suomen kansa,
Eikä ole osaton
Perhe pellollansa;
Itse täytän aitan,
Leivän paksun laitan,
Toisellekkin taitan
Riemullisena.
Juhla jalo johdattaa
Kestin keskellemme,
Olu-kannu kuljettaa
Riemun rinnoillemme.
Työ on alku elon,
Itse lähde ilon,
Juotavankin jalon
Herkullisena.
Tavara on tallella
Tämän säädyn tiellä;
Siis on syytä suojella
Wapautta vielä;
Sydämellä, suulla
Esivaltaa kuulla,
Hyvää muista luulla,
Alinomati.
J. Juteini

NUOREN-MIEHEN LAULU
(Ruotsinkielisen johdosta.)
Jos vaikka kaikki järjestänsä
Kerskaisi naima-säädystänsä,
Niin nuoren-miehen elosta,
Sen riemuista ja ilosta,
Nyt laualan ihastuksissani,
Sen aina pitäin muistossani,
Ett' nuoren-miehen paras on.
Kun mies on nuori, naimatonna,
Niin saa hän olla murheetonna
Ja elää huvituksissa,
Waan nainut huokauksissa,
Kateen ja häijyn vaimon kanssa
Hän aina pitää muistossansa,
Ett' nuoren-miehen paras on.
On kyllä naima-sääty kanssa
Myös hohtavainen muodoltansa
Ja loistavasta arvossa,

Get Active Directory Security Guide 1st Edition Picussecurity free all chapters

More Related Content

Similar to Get Active Directory Security Guide 1st Edition Picussecurity free all chapters (20)

Recently uploaded (20)

Get Active Directory Security Guide 1st Edition Picussecurity free all chapters