25 KiB
25 KiB
Active Directory Kill Chain Attack & Defense
Summary
This document was designed to be a useful, informational asset for those looking to understand the specific tactics, techniques, and procedures (TTPs) attackers are leveraging to compromise active directory and guidance to mitigation, detection, and prevention. And understand Active Directory Kill Chain Attack and Modern Post Exploitation Adversary Tradecraft Activity.
Table of Contents
- Discovery
- Privilege Escalation
- Defense Evasion
- Credential Dumping
- Lateral Movement
- Persistence
- Defense & Detection
Discovery
SPN Scanning
Data Mining
User Hunting
- Hidden Administrative Accounts: BloodHound to the Rescue
- Active Directory Recon Without Admin Rights
- Gathering AD Data with the Active Directory PowerShell Module
- Using ActiveDirectory module for Domain Enumeration from PowerShell Constrained Language Mode
- PowerUpSQL Active Directory Recon Functions
- Derivative Local Admin
- Dumping Active Directory Domain Info – with PowerUpSQL!
- Local Group Enumeration
- Attack Mapping With Bloodhound
LAPS
- Microsoft LAPS Security & Active Directory LAPS Configuration Recon
- Running LAPS with PowerView
- RastaMouse LAPS Part 1 & 2
Privilege Escalation
Passwords in SYSVOL & Group Policy Preferences
- Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
- Pentesting in the Real World: Group Policy Pwnage
MS14-068 Kerberos Vulnerability
- MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege
- Digging into MS14-068, Exploitation and Defence
- From MS14-068 to Full Compromise – Step by Step
DNSAdmins
- Abusing DNSAdmins privilege for escalation in Active Directory
- From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration
Unconstrained Delegation
- Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest
- Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)
- Unconstrained Delegation Permissions
- Trust? Years to earn, seconds to break
Constrained Delegation
Insecure Group Policy Object Permission Rights
Insecure ACLs Permission Rights
- Exploiting Weak Active Directory Permissions With Powersploit
- Escalating privileges with ACLs in Active Directory
- Abusing Active Directory Permissions with PowerView
- BloodHound 1.3 – The ACL Attack Path Update
- Scanning for Active Directory Privileges & Privileged Accounts
Domain Trusts
- A Guide to Attacking Domain Trusts
- It's All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts
- Active Directory forest trusts part 1 - How does SID filtering work?
- The Forest Is Under Control. Taking over the entire Active Directory forest
DCShadow
- Privilege Escalation With DCShadow
- DCShadow
- DCShadow explained: A technical deep dive into the latest AD attack technique
- [DCShadow - Silently turn off Active Directory Auditing] (http://www.labofapenetrationtester.com/2018/05/dcshadow-sacl.html)
- DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more
RID
Microsoft SQL Server
- How to get SQL Server Sysadmin Privileges as a Local Admin with PowerUpSQL
- Compromise With Powerupsql – Sql Attacks
Red Forest
Lateral Movement
Microsoft SQL Server Database links
- SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server!
- SQL Server Link Crawling with PowerUpSQL
Pass The Hash
System Center Configuration Manager (SCCM)
WSUS
Password Spraying
- Password Spraying Windows Active Directory Accounts - Tradecraft Security Weekly #5
- Attacking Exchange with MailSniper
Defense Evasion
In-Memory Evasion
- Bypassing Memory Scanners with Cobalt Strike and Gargoyle
- In-Memory Evasions Course
- Bring Your Own Land (BYOL) – A Novel Red Teaming Technique
Endpoint Detection and Response (EDR) Evasion
OPSEC
- Modern Defenses and YOU!
- OPSEC Considerations for Beacon Commands
- Red Team Tradecraft and TTP Guidance
- Fighting the Toolset
Microsoft ATA & ATP Evasion
- Red Team Techniques for Evading, Bypassing, and Disabling MS Advanced Threat Protection and Advanced Threat Analytics
- Red Team Revenge - Attacking Microsoft ATA
- Evading Microsoft ATA for Active Directory Domination
PowerShell ScriptBlock Logging Bypass
PowerShell Anti-Malware Scan Interface (AMSI) Bypass
- How to bypass AMSI and execute ANY malicious Powershell code
- AMSI: How Windows 10 Plans to Stop Script-Based Attacks
- AMSI Bypass: Patching Technique
AppLocker & Device Guard Bypass
Sysmon Evasion
HoneyTokens Evasion
Credential Dumping
NTDS.DIT Password Extraction
- How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller
- Extracting Password Hashes From The Ntds.dit File
Kerberoasting
- Kerberoasting Without Mimikatz
- Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain
- Extracting Service Account Passwords With Kerberoasting
- Cracking Service Account Passwords with Kerberoasting
Kerberos AP-REP Roasting
Windows Credential Manager/Vault
DCSync
LLMNR/NBT-NS Poisoning
Persistence
Golden Ticket
SID History
Silver Ticket
- How Attackers Use Kerberos Silver Tickets to Exploit Systems
- Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets
DCShadow
AdminSDHolder
- Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights
- Persistence Using Adminsdholder And Sdprop
Group Policy Object
Skeleton Keys
- Unlocking All The Doors To Active Directory With The Skeleton Key Attack
- Skeleton Key
- Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest
SeEnableDelegationPrivilege
- The Most Dangerous User Right You (Probably) Have Never Heard Of
- SeEnableDelegationPrivilege Active Directory Backdoor
Security Support Provider
Directory Services Restore Mode
- Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)
- Sneaky Active Directory Persistence #13: DSRM Persistence v2
ACLs & Security Descriptors
- An ACE Up the Sleeve: Designing Active Directory DACL Backdoors
- Shadow Admins – The Stealthy Accounts That You Should Fear The Most
Tools & Scripts
- PowerView - Situational Awareness PowerShell framework
- BloodHound - Six Degrees of Domain Admin
- ADACLScanner - A tool with GUI or command linte used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory
- PowerUpSQL - A PowerShell Toolkit for Attacking SQL Server
- Rubeus - Rubeus is a C# toolset for raw Kerberos interaction and abuses
- Mimikatz - Utility to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory but also perform pass-the-hash, pass-the-ticket or build Golden tickets
- Grouper - A PowerShell script for helping to find vulnerable settings in AD Group Policy.
- Tools Cheat Sheets - Tools (PowerView, PowerUp, Empire, and PowerSploit)
Detect & Defense
Tools & Scripts
- SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016
- Net Cease - Hardening Net Session Enumeration
- PingCastle Active Directory Security Audit
- Aorato Skeleton Key Malware Remote DC Scanner
- Reset the krbtgt account password/keys
- Deploy-Deception - A PowerShell module to deploy active directory decoy objects
- dcept - A tool for deploying and detecting use of Active Directory honeytokens
- LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
Detection
Attack | Event ID |
---|---|
Account and Group Enumeration | 4798: A user's local group membership was enumerated 4799: A security-enabled local group membership was enumerated |
AdminSDHolder | 4780: The ACL was set on accounts which are members of administrators groups |
Kekeo | 4624: Account Logon 4672: Admin Logon 4768: Kerberos TGS Request |
Silver Ticket | 4624: Account Logon 4634: Account Logoff 4672: Admin Logon |
Golden Ticket | 4624: Account Logon 4672: Admin Logon |
PowerShell | 4103: Script Block Logging 400: Engine Lifecycle 403: Engine Lifecycle 4103: Module Logging 600: Provider Lifecycle |
DCShadow | 4742: A computer account was changed 5137: A directory service object was created 5141: A directory service object was deleted 4929: An Active Directory replica source naming context was removed |
Skeleton Keys | 4673: A privileged service was called 4611: A trusted logon process has been registered with the Local Security Authority 4688: A new process has been created 4689: A new process has exited |
PYKEK MS14-068 | 4672: Admin Logon 4624: Account Logon 4768: Kerberos TGS Request |
Kerberoasting | 4769: A Kerberos ticket was requested |
Lateral Movement | 4688: A new process has been created 4689: A process has exited 4624: An account was successfully logged on 4625: An account failed to log on |
Resources
- Reducing the Active Directory Attack Surface
- Securing Domain Controllers to Improve Active Directory Security
- Securing Windows Workstations: Developing a Secure Baseline
- Implementing Secure Administrative Hosts
- Privileged Access Management for Active Directory Domain Services
- Awesome Windows Domain Hardening
- Best Practices for Securing Active Directory
- Introducing the Adversary Resilience Methodology — Part One
- Introducing the Adversary Resilience Methodology — Part Two
- Mitigating Pass-the-Hash and Other Credential Theft, version 2
- Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings
- Monitoring Active Directory for Signs of Compromise
- Detecting Lateral Movement through Tracking Event Logs
- Kerberos Golden Ticket Protection Mitigating Pass-the-Ticket on Active Directory
- Overview of Microsoft's "Best Practices for Securing Active Directory"
- The Keys to the Kingdom: Limiting Active Directory Administrators
- The Most Common Active Directory Security Issues and What You Can Do to Fix Them
- Event Forwarding Guidance
- Planting the Red Forest: Improving AD on the Road to ESAE
- Detecting Kerberoasting Activity
- Security Considerations for Trusts
- Advanced Threat Analytics suspicious activity guide
- Windows 10 Credential Theft Mitigation Guide
- Detecting Pass-The- Ticket and Pass-The- Hash Attack Using Simple WMI Commands
- Step by Step Deploy Microsoft Local Administrator Password Solution
- Active Directory Security Best Practices
- Finally Deploy and Audit LAPS with Project VAST, Part 1 of 2
- Windows Security Log Events
- Talk Transcript BSidesCharm Detecting the Elusive: Active Directory Threat Hunting
- Preventing Mimikatz Attacks
- Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials
- Monitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events
- Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques
- Hunting For In-Memory .NET Attacks
- Mimikatz Overview, Defenses and Detection
- Hunting for Gargoyle Memory Scanning Evasion
- Planning and getting started on the Windows Defender Application Control deployment process
- How to Go from Responding to Hunting with Sysinternals Sysmon
License
To the extent possible under law, Rahmat Nurfauzi "@infosecn1nja" has waived all copyright and related or neighboring rights to this work.