Attacking & Securing Active Directory
Table of Contents
Active Directory
- Looking for Azure? Check the Cloud page
101
- What is Active Directory Domain Services and how does it work?
- The Most Common Active Directory Security Issues and What You Can Do to Fix Them - Sean Metcalf
- What is Active Directory Red Forest Design? - social.technet.ms
- Presentations by Sean Metcalf(ADSecurity.org)
- Top 16 Active Directory Vulnerabilities - InfosecMatter(2020)
- Paid Courses
Articles/Blogposts/Writeups
Beyond Domain Admins – Domain Controller & AD Administration - ADSecurity.org
- This post provides information on how Active Directory is typically administered and the associated roles & rights.
- Setting up Samba as a Domain Member
- DS Restore Mode Password Maintenance - techcommunity.microsoft(2009)
Talks/Videos
Beyond the MCSE: Active Directory for the Security Professional - Sean Metcalf(BHUSA 2016)
- Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities. This means that both Red and Blue teams need to have a better understanding of Active Directory, its security, how it's attacked, and how best to align defenses. This presentation covers key Active Directory components which are critical for security professionals to know in order to defend AD. Properly securing the enterprise means identifying and leveraging appropriate defensive technologies. The provided information is immediately useful and actionable in order to help organizations better secure their enterprise resources against attackers. Highlighted are areas attackers go after including some recently patched vulnerabilities and the exploited weaknesses. This includes the critical Kerberos vulnerability (MS14-068), Group Policy Man-in-the-Middle (MS15-011 & MS15-014) and how they take advantage of AD communication.
Attacking101
Articles/Blogposts/Writeups
Active Directory Security Workshop: A Red and Blue Guide to Popular AD Attacks - @_theViVi(AfricaHackon2019)
Active Directory Kill Chain Attack & Defense - infosecn1nja
- This document was designed to be a useful, informational asset for those looking to understand the specific tactics, techniques, and procedures (TTPs) attackers are leveraging to compromise Active Directory, with guidance on mitigation, detection, and prevention, and to understand the Active Directory kill chain and modern post-exploitation adversary tradecraft.
- Penetration Testing Active Directory, Part I - Hausec
- Active Directory Attacks - PayloadsAllTheThings
- Pen Testing Active Directory Series - Andy Green
Talks/Videos
Abusing Active Directory in Post-Exploitation - Carlos Perez(Derbycon4)
- Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By reverse engineering (and abusing) some of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks using previously unknown persistent and injection techniques. In this talk, we’ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks. To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.
Red vs Blue: Modern Active Directory Attacks & Defense - Sean Metcalf(Defcon23)
- Kerberos “Golden Tickets” were unveiled by Alva “Skip” Duckwall & Benjamin Delpy in 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can’t be detected, right? This talk explores the latest Active Directory attack vectors and describes how Golden Ticket usage can be detected. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage. Skip the fluff and dive right into the technical detail describing the latest methods for gaining and maintaining administrative access in Active Directory, including some sneaky AD persistence methods. Also covered are traditional security measures that work (and ones that don’t) as well as the mitigation strategies that disrupts the attacker’s preferred game-plan. Prepare to go beyond “Pass-the-Hash” and down the rabbit hole.
Red Vs. Blue: Modern Active Directory Attacks, Detection, And Protection - Sean Metcalf(BHUSA15)
- Kerberos "Golden Tickets" were unveiled by Alva "Skip" Duckwall & Benjamin Delpy in 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right? The news is filled with reports of breached companies and government agencies with little detail on the attack vectors and mitigation. This briefing discusses in detail the latest attack methods for gaining and maintaining administrative access in Active Directory. Also covered are traditional defensive security measures that work (and ones that don't) as well as the mitigation strategies that can keep your company's name off the front page. Prepare to go beyond "Pass-the-Hash" and down the rabbit hole. This talk explores the latest Active Directory attack vectors and describes how Golden Ticket usage can be detected. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!
Beyond the MCSE: Red Teaming Active Directory - Sean Metcalf(Defcon24)
- Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn't know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk. Let's go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics.
- Offensive Active Directory with Powershell - harmj0y(Troopers2016)
Hacking without Domain Admin - Tim Medin, Mike Saunders(2019)
- Tim and Mike will show you tools and techniques to find vulnerabilities and demonstrate risk, without using Domain Administrator (DA) access. DA access is the goal for many penetration tests and red teams, but it is misguided. DA is a tool, not a destination. Sometimes, a penetration tester or red team will be unable to obtain this access, but it does not mean that the test is without value.
Active Directory Attributes & Technologies
Active Directory Service Interfaces
- 101
- Articles/Blogposts/Writeups
- Talks/Videos
Tools
AdsiPS
- PowerShell module to interact with Active Directory using ADSI and the System.DirectoryServices namespace (.NET Framework).
AD Permissions/Rights
101
Extended Rights Reference - docs.ms
- This page lists all the extended rights available for delegation in Active Directory. These rights have been categorized according to the object (such as the user account object) that the right applies to; each listing includes the extended right name, a brief description, and the object GUID required when writing a script to delegate that right.
- Groups
Account Logon History
Get All AD Users Logon History with their Logged on Computers (with IPs) & OUs
- This script lists AD users' logon information together with the computers they logged on to, by inspecting Kerberos TGT request events (Event ID 4768) from domain controllers. Not only the user account name is fetched; the user's OU path and the computer accounts are also retrieved. You can also list the history of the last logged-on users. In environments where Exchange servers are used, the Exchange servers' authentication requests on behalf of users will also be logged, since they also use Event ID 4768 for TGT requests. You can also export the result to CSV file format. PowerShell version 3.0 is needed to use the script.
ADFS
101
Active Directory Federation Services - docs.ms
- This document contains a list of all of the documentation areas for AD FS for Windows Server 2016, 2012 R2, and 2012.
- Active Directory Federation Services - Wikipedia
- What is ADFS (Active Directory Federation Services)? - Serverfault.com(2017)
- Articles/Blogposts/Writeups
Talks/Presentations/Videos
Attacking ADFS Endpoints with PowerShell - Karl Fosaaen(Derbycon 2016)
- Active Directory Federation Services (ADFS) has become increasingly popular in the last few years. As a penetration tester, I'm seeing organizations opening themselves up to attacks on ADFS endpoints across the Internet. Manually completing attacks against these endpoints can be tedious. The current native Microsoft management tools are handy, but what if we weaponized them. During this talk, I will show you how to identify domains that support ADFS, confirm email addresses for users of the domain, and help you guess passwords for those users. We'll cover how you can set up your own hosted ADFS domain (on the cheap), and use it to attack other federated domains. On top of that, we'll show you how you can wrap all of the native functionality with PowerShell to automate your attacks. This talk should give penetration testers an overview on how they can start leveraging ADFS endpoints during a penetration test.
AdminSDHolder
- 101
- Articles/Blogposts/Writeups
- ATA
(Discretionary)Access Control Lists
Articles/Blogposts/Writeups
- Here Be Dragons The Unexplored Land of Active Directory ACLs - Andy Robbins, Will Schroeder, Rohan(Derbycon7)
- An ACE Up the Sleeve: Designing Active Directory DACL Backdoors
- Shadow Admins – The Stealthy Accounts That You Should Fear The Most
- The Unintended Risks of Trusting Active Directory
- Exploiting Weak Active Directory Permissions With Powersploit
- Abusing Active Directory Permissions with PowerView
- BloodHound 1.3 – The ACL Attack Path Update
- Scanning for Active Directory Privileges & Privileged Accounts
- Active Directory Access Control List – Attacks and Defense
- Abusing Active Directory ACLs/ACEs - ired.team
Escalating privileges with ACLs in Active Directory - Rindert Kramer and Dirk-jan Mollema(Fox-IT)
- During internal penetration tests, it happens quite often that we manage to obtain Domain Administrative access within a few hours. Contributing to this are insufficient system hardening and the use of insecure Active Directory defaults. In such scenarios publicly available tools help in finding and exploiting these issues and often result in obtaining domain administrative privileges. This blogpost describes a scenario where our standard attack methods did not work and where we had to dig deeper in order to gain high privileges in the domain. We describe more advanced privilege escalation attacks using Access Control Lists and introduce a new tool called Invoke-Aclpwn and an extension to ntlmrelayx that automate the steps for this advanced attack.
- Viewing Service ACLs - rohnspowershellblog(2013)
Modifying Service ACLs - rohnspowershellblog(2014)
- In my last post, I showed an early version of a function to get the Discretionary Access Control List (DACL) of a Windows service. In this post, I’m going to show a newer version of that function, along with a function to change the DACL, and a helper function to create Access Control Entries (ACEs). The source code is quite a bit longer, so I’m not going to walk through each bit of code. What I will do is give a brief overview of each of the three functions, along with some examples of how to use them. I’ll also mention where I plan to take the functions in the future. I’ll include the source code of the functions as they currently stand at the end of the post. Included in the source code is comment based help for each of the three functions.
- AD Privilege Escalation Exploit: The Overlooked ACL - David Rowe
Talks & Presentations
- aclpwn - Active Directory ACL exploitation with BloodHound
Invoke-ACLpwn
- Invoke-ACLpwn is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafely configured.
Tools
Windows DACL Enum Project
- A collection of tools to enumerate and analyse Windows DACLs
DAMP - The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.
- This project contains several files that implement host-based security descriptor "backdoors" that facilitate the abuse of various remotely accessible services for arbitrary trustees/security principals. tl;dr - this grants users/groups (local, domain, or 'well-known' like 'Everyone') of an attacker's choosing the ability to perform specific administrative actions on a modified host without needing membership in the local administrators group. Note: to implement these backdoors, you need the right to change the security descriptor information for the targeted service, which in stock configurations nearly always means membership in the local administrators group.
DNS
Articles/Blogposts/Writeups
- Abusing DNSAdmins privilege for escalation in Active Directory
- From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration
- AD Zone Transfers as a user - mubix
- Feature, not bug: DNSAdmin to DC compromise in one line - Shay Ber
Getting in the Zone: dumping Active Directory DNS using adidnsdump - Dirk-jan Mollema
- Zone transfers are a classical way of performing reconnaissance in networks (or even from the internet). They require an insecurely configured DNS server that allows anonymous users to transfer all records and gather information about hosts in the network. What not many people know, however, is that if Active Directory-integrated DNS is used, any user can query all the DNS records by default. This blog introduces a tool to do this and describes a method to do this even for records normal users don’t have read rights for.
- Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS - Kevin Robertson
Compiling a DLL using MinGW - mubix
- Compiling a DLL using MinGW to pull off the DNSAdmins attack
- Feature, not bug: DNSAdmin to DC compromise in one line - Shay Ber(2017)
- Abusing DNSAdmins privilege for escalation in Active Directory - Nikhil Mittal(2017)
Tools
DnsCache
- This is a reference example for how to call the Windows API to enumerate cached DNS records in the Windows resolver. Proof of concept or pattern only.
adidnsdump
- By default any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similar to a zone transfer. This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks.
- Blogpost
Domain Trusts
- 101
Articles/Blogposts/Writeups
- Domain Trusts: Why You Should Care
- Trusts You Might Have Missed
- A Guide to Attacking Domain Trusts - harmj0y
- Domain Trusts: We’re Not Done Yet - harmj0y
- The Trustpocalypse - harmj0y
- Subverting Trust in Windows - Matt Graeber
- Trust Direction: An Enabler for Active Directory Enumeration and Trust Exploitation - BOHOPS
- Presentations/Talks/Videos
- Tools
Forests
- 101
- Articles/Blogposts/Writeups
- Presentations/Talks/Videos
Group Managed Service Accounts(GMSA)
- 101
- Articles/Blogposts/Writeups
Tools
GMSAPasswordReader
- Reads the password blob from a GMSA account using LDAP, and parses the values into hashes for re-use.
Internal Monologue
101
Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
- In secure environments, where Mimikatz should not be executed, an adversary can perform an Internal Monologue Attack, in which they invoke a local procedure call to the NTLM authentication package (MSV1_0) from a user-mode application through SSPI to calculate a NetNTLM response in the context of the logged on user, after performing an extended NetNTLM downgrade.
- Articles/Blogposts/Writeups
Tools
selfhash
- Selfhash allows you to get password hashes of the current user. This tool doesn't require high privileges (i.e. SYSTEM), but on the other hand it returns an NTLM challenge-response, so you could crack it later.
Groups
101
Active Directory Security Groups - docs.ms
- This reference topic for the IT professional describes the default Active Directory security groups.
- How-to: Understand the different types of Active Directory group. - SS64
- Articles/Blogposts/Writeups
Group Policy
- 101
Articles/Blogposts/Writeups
- Abusing GPO Permissions - harmj0y
- Sneaky Active Directory Persistence #17: Group Policy
- A Red Teamer’s Guide to GPOs and OUs
- File templates for GPO Abuse
- GPO Abuse - Part 1
- Local Group Enumeration - harmj0y
- Where My Admins At? (GPO Edition) - harmj0y
- Bypassing Group Policy Proxy Settings Using The Windows Registry - Scriptmonkey
- Local Admin Access and Group Policy Don't Mix - Oddvar Moe(2019)
Talks & Presentations
Get-GPTrashFire - Mike Loss(BSides Canberra2018)
- Identifying and Abusing Vulnerable Configurations in MS AD Group Policy
- Slides

Tools
Grouper
- Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.
Grouper2
- Grouper2 is a tool for pentesters to help find security-related misconfigurations in Active Directory Group Policy. It might also be useful for other people doing other stuff, but it is explicitly NOT meant to be an audit tool. If you want to check your policy configs against some particular standard, you probably want Microsoft's Security and Compliance Toolkit, not Grouper or Grouper2.
SharpGPO-RemoteAccessPolicies
- A C# tool for enumerating remote access policies through group policy.
Get-GPTrashFire
- Identifying and Abusing Vulnerable Configurations in MS AD Group Policy
SharpGPOAbuse
- SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO. Blogpost
GetVulnerableGPO
- PowerShell script to find 'vulnerable' security-related GPOs that should be hardended
Policy Plus
- Local Group Policy Editor plus more, for all Windows editions.
Kerberos
101
- Kerberos (I): How does Kerberos work? – Theory - Eloy Perez
Kerberos (II): How to attack Kerberos? - Eloy Perez
- In this article about Kerberos, a few attacks against the protocol will be shown. In order to refresh the concepts behind the following attacks, it is recommended to check the first part of this series, which covers Kerberos theory.
- Explain like I’m 5: Kerberos - Lynn Roots
Abusing Microsoft Kerberos: Sorry You Guys Don't Get It - Alva Duckwall, Benjamin Delpy(BHUSA 2015)
- Microsoft Active Directory uses Kerberos to handle authentication requests by default. However, if the domain is compromised, how bad can it really be? With the loss of the right hash, Kerberos can be completely compromised for years after the attacker gained access. Yes, it really is that bad. In this presentation Skip Duckwall, @passingthehash on twitter and Benjamin Delpy, @gentilkiwi on twitter and the author of Mimikatz, will demonstrate just how thoroughly compromised Kerberos can be under real world conditions.
- Kerberos Attacks Questions - social.technet.ms
Kerberos and Attacks 101 - Tim Medin(WWHF2019)
- Want to understand how Kerberos works? Would you like to understand modern Kerberos attacks? If so, then join Tim Medin as he walks you through how to attack Kerberos with ticket attacks and Kerberoasting. We'll cover the basics of Kerberos authentication and then show you how the trust model can be exploited for persistence, pivoting, and privilege escalation.
- Kerberos & Attacks 101 - Tim Medin & BHIS(2020)
Articles/Writeups
- How To Attack Kerberos 101 - m0chan
- Kerberos, Active Directory’s Secret Decoder Ring - Sean Metcalf
- Credential cache - MIT Kerberos Documentation
- Kerberos Authentication problems – Service Principal Name (SPN) issues – Part 1 - blogs.technet
- Security Focus: Analysing 'Account is sensitive and cannot be delegated' for Privileged Accounts - Ian Fann(2015)
Delegating like a boss: Abusing Kerberos Delegation in Active Directory - Kevin Murphy
- I wanted to write a post that could serve as a (relatively) quick reference for how to abuse the various types of Kerberos delegation that you may find in an Active Directory environment during a penetration test or red team engagement.
- Kerberos Tickets on Linux Red Teams - Trevor Haskell(2020)
- Kerberos Double-Hop Workarounds - slayerlabs.com(2020)
Talks & Presentations
Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades
- Kerberos, besides having three heads and guarding the gates of hell, protects services on Microsoft Windows domains. Its use is increasing due to the growing number of attacks targeting NTLM authentication. Attacking Kerberos to access Windows resources represents the next generation of attacks on Windows authentication. In this talk Tim will discuss his research on new attacks against Kerberos, including a way to attack the credentials of a remote service without sending traffic to the service as well as rewriting tickets to access systems. He will also examine potential countermeasures against Kerberos attacks with suggestions for mitigating the most common weaknesses in Windows Kerberos deployments.
Et tu - Kerberos?
- For over a decade we have been told that Kerberos is the answer to Microsoft’s authentication woes, and now we know that isn’t the case. The problems with LM and NTLM are widely known, but the problems with Kerberos have only recently surfaced. In this talk we will look back at previous failures in order to look forward. We will take a look at what recent problems in Kerberos mean to your enterprise and ways you could possibly mitigate them. Attacks such as Spoofed-PAC, Pass-the-Hash, Golden Ticket, Pass-the-Ticket and Over-Pass-the-Ticket will be explained. Unfortunately, we don’t really know what is next, only that what we have now is broken.
- Attacking Kerberos: Kicking the Guard Dog of Hades
- Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws - Exumbraops.com
Abusing Microsoft Kerberos: Sorry You Guys Don't Get It - Alva Duckwall and Benjamin Delpy(BHUSA 2014)
- "Microsoft Active Directory uses Kerberos to handle authentication requests by default. However, if the domain is compromised, how bad can it really be? With the loss of the right hash, Kerberos can be completely compromised for years after the attacker gained access. Yes, it really is that bad. In this presentation Skip Duckwall, @passingthehash on twitter and Benjamin Delpy, @gentilkiwi on twitter and the author of Mimikatz, will demonstrate just how thoroughly compromised Kerberos can be under real world conditions. Prepare to have all your assumptions about Kerberos challenged!"
- Slides
- Return From The Underworld - The Future Of Red Team Kerberos - Jim Shaver & Mitchell Hennigan
- You (dis)liked mimikatz? Wait for kekeo - Benjamin Delpy(BlueHat IL 2019)
Tools
- Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws - Geoffrey Janja
kekeo
- A little toolbox to play with Microsoft Kerberos in C
PyKEK
- PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. (Still in development)
Kerberom
- Kerberom is a tool aimed at retrieving the RC4-HMAC-encrypted Ticket Granting Service (TGS) tickets of accounts having a Service Principal Name (SPN) within an Active Directory.
Kerbrute - ropnop
- A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication
kerbrute - Tarlogic
- A script to perform Kerberos brute-forcing using the Impacket library.
LDAP
- Articles/Writeups
Talks & Presentations
Fun with LDAP and Kerberos: Attacking AD from non-Windows machines - Ronnie Flathers(Troopers19)
- Slides
- You don’t need Windows to talk to Windows. This talk will explain and walk through various techniques to (ab)use LDAP and Kerberos from non-Windows machines to perform reconnaissance, gain footholds, and maintain persistence, with an emphasis on explaining how the attacks and protocols work. This talk will walk through some lesser known tools and techniques for doing reconnaissance and enumeration in AD environments, as well as gaining an initial foothold, and using credentials in different, stealthier ways (i.e. Kerberos). While tools like Bloodhound, CrackMapExec and Deathstar have made footholds and paths to DA very easy and automated, this talk will instead discuss how tools like this work “under-the-hood” and will stress living off the land with default tools and manual recon and exploitation. After discussing some of the technologies and protocols that make up Active Directory Domain Services, I’ll explain how to interact with these using Linux tools and Python. You don’t need a Windows foothold to talk Windows - everything will be done straight from Linux using DNS, LDAP, Heimdal Kerberos, Samba and Python Impacket.
Tools
LDAPDomainDump
- In an Active Directory domain, a lot of interesting information can be retrieved via LDAP by any authenticated user (or machine). This makes LDAP an interesting protocol for gathering information in the recon phase of a pentest of an internal network. A problem is that data from LDAP often is not available in an easy to read format. ldapdomaindump is a tool which aims to solve this problem, by collecting and parsing information available via LDAP and outputting it in a human readable HTML format, as well as machine readable json and csv/tsv/greppable files.
windapsearch
- windapsearch is a Python script to help enumerate users, groups and computers from a Windows domain through LDAP queries. By default, Windows Domain Controllers support basic LDAP operations through port 389/tcp. With any valid domain account (regardless of privileges), it is possible to perform LDAP queries against a domain controller for any AD related information. You can always use a tool like ldapsearch to perform custom LDAP queries against a Domain Controller. I found myself running different LDAP commands over and over again, and it was difficult to memorize all the custom LDAP queries. So this tool was born to help automate some of the most useful LDAP queries a pentester would want to perform in an AD environment.
msldap
- Documentation
- LDAP library for MS AD
LAPS
- 101
Articles/Blogposts/Writeups
- Running LAPS with PowerView - harmj0y
- RastaMouse LAPS Part 1 & 2
- Setting up a LAPS backdoor by modifying the SearchFlags attribute with DCShadow - Gregory Lucand
- Malicious use of Microsoft LAPS - akijos
- Microsoft LAPS Security & Active Directory LAPS Configuration Recon - adsecurity.org
- Running LAPS Around Cleartext Passwords - Karl Fosaaen
Tools
LAPSToolkit
- Tool to audit and attack LAPS environments
Lync
LyncSniper
- A tool for penetration testing Skype for Business and Lync deployments
- Blogpost/Writeup
- LyncSmash
MachineAccountQuota
MS-DS-Machine-Account-Quota attribute - docs.ms
- The number of computer accounts that a user is allowed to create in a domain.
- MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory’s Oddest Settings - Kevin Robertson(2019)
- MachineAccountQuota Transitive Quota: 110 Accounts and Beyond - Kevin Robertson(2019)
PowerMAD
- PowerShell MachineAccountQuota and DNS exploit tools
- Blogpost
- MS SQL Server
NTLM Reflection
- 101
- Articles/Blogposts/Writeups
NTLM Relay
Articles/Blogposts/Writeups
- Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) - byt3bl33d3r
- NTLM Relay - Pixis
- Playing with Relayed Credentials - @agsolino(2018)
- Server Message Block: SMB Relay Attack (Attack That Always Works) - CQURE Academy
- An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit - Jordan Drysdale
- Effective NTLM / SMB Relaying - mubix
- SMB Relay with Snarf - Jeff Dimmock
- Pwning with Responder – A Pentester’s Guide
- Relaying credentials everywhere with ntlmrelayx
- Responder with NTLM relay and Empire - chryzsh
What is old is new again: The Relay Attack - @0xdeaddood, @agsolino(2020)
- The purpose of this blog post is to present a new approach to ntlmrelayx.py allowing multi-relay attacks, that means, using just a single connection to attack several targets. On top of this, we added the capability of relaying connections for specific target users.
Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema
- Earlier this week, Microsoft issued patches for CVE-2019-1040, which is a vulnerability that allows for bypassing of NTLM relay mitigations. The vulnerability was discovered by Marina Simakov and Yaron Zinar (as well as several others credited in the Microsoft advisory), and they published a technical write-up about the vulnerability here. The short version is that this vulnerability allows for bypassing of the Message Integrity Code in NTLM authentication. The impact of this, however, is quite big if combined with the Printer Bug discovered by Lee Christensen and some of my own research that builds on the Kerberos research of Elad Shamir. Using a combination of these vulnerabilities, it is possible to relay SMB authentication to LDAP. This allows for remote code execution as SYSTEM on any unpatched Windows server or workstation (even those that are in different Active Directory forests), and for instant escalation to Domain Admin via any unpatched Exchange server (unless Exchange permissions were reduced in the domain). The most important takeaway of this post is that you should apply the June 2019 patches as soon as possible.
- CVE-2019-1040 scanner
- Mitigation
-
Articles/Blogposts/Writeups
-
Read-Only Domain Controllers
-
101
-
Read-Only DCs and the Active Directory Schema - docs.ms
- Windows Server 2008 introduces a new type of domain controller, the Read-only Domain Controller (RODC). This provides a domain controller for use at branch offices where a full domain controller cannot be placed. The intent is to allow users in the branch offices to logon and perform tasks like file/printer sharing even when there is no network connectivity to hub sites.
- Articles/Blogposts/Writeups
-
101
-
Red Forest
- 101
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
- From Workstation to Domain Admin: Why Secure Administration Isn't Secure and How to Fix It - Sean Metcalf(BHUSA2018)
-
Attack and defend Microsoft Enhanced Security Administrative Environment - Hao Wang, Yothin Rodanant(Troopers2018)
- Slides
- Microsoft Enhanced Security Administrative Environment (ESAE) known as “Red Forest” has become a very popular architecture solution to enhance the security of Active Directory. Can ESAE be used to completely prevent cyber attackers from compromising Active Directory? In this talk, we will demonstrate the commonly overlooked techniques that can be used to obtain domain dominance within ESAE.
- Tiered Administrative Model - ESAE - Active Directory Red Forest Architecture - Russell Smith(2018)
- Understanding “Red Forest”: The 3-Tier Enhanced Security Admin Environment (ESAE) and Alternative Ways to Protect Privileged Credentials - ultimatewindowsecurity.com
-
Service Principal Names
- 101
- Articles/Blogposts/Writeups
- See: Kerberoasting
- System Center Configuration Manager
-
Trusts
- 101
-
Articles/Blogposts/Writeups
- A Guide to Attacking Domain Trusts
- It's All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts
- Active Directory forest trusts part 1 - How does SID filtering work?
- The Forest Is Under Control. Taking over the entire Active Directory forest
- Not a Security Boundary: Breaking Forest Trusts - https://posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d
- Read-Only Domain Controllers
- Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory
- Pentesting Active Directory Forests
- Active Directory forest trusts part 1 - How does SID filtering work? - Dirk-jan Mollema
- The Trustpocalypse
-
WSUS
-
WSUSPect
- WSUSPect - Compromising the Windows Enterprise via Windows Update - Paul Stone, Alex Chapman - BHUS15
-
WSuspect Proxy
- WSUSpect Proxy - a tool for MITM'ing insecure WSUS connections
-
WSUSpendu
-
WSUSpendu: How to Hang WSUS Clients - Romain Coltel & Yves Le Provost(BHUSA2017)
- Slides
- Paper
- SSTIC 2017 Version of the Talk
- We will present a new approach, allowing you to circumvent limitations and control the targeted network from the very WSUS server you own. By extension, this approach may serve as a basis for an air gap attack for disconnected networks.
-
WSUSpendu
- Implement WSUSpendu attack
-
Active Directory Service Interfaces
-
Attack(s/ing)
-
Hunting Users
-
Articles/Blogposts/Writeups
- Derivative Local Admin - sixdub
-
Active Directory Control Paths
- Control paths in Active Directory are an aggregation of "control relations" between entities of the domain (users, computers, groups, GPO, containers, etc.) which can be visualized as graphs (such as above) and whose purpose is to answer questions like "Who can get 'Domain Admins' privileges ?" or "What resources can a user control ?" and even "Who can read the CEO's emails ?".
- 5 Ways to Find Systems Running Domain Admin Processes - Scott Sutherland
- Attack Methods for Gaining Domain Admin Rights in Active Directory
- Nodal Analysis of Domain Trusts – Maximizing the Win!
- Abusing DNSAdmins privilege for escalation in Active Directory
- How Attackers Dump Active Directory Database Credentials
- “I Hunt Sys Admins”
- Gaining Domain Admin from Outside Active Directory - markitzeroday
-
Talks/Videos
- I Hunt Sys Admins - Will Schroeder/@harmj0y(Shmoocon 2015)
-
I Hunt Sysadmins 2.0 - slides
- It covers various ways to hunt for users in Windows domains, including using PowerView.
-
Requiem For An Admin, Walter Legowski (@SadProcessor) - BSides Amsterdam 2017
- Orchestrating BloodHound and Empire for Automated AD Post-Exploitation. Lateral Movement and Privilege Escalation are two of the main steps in the Active Directory attacker kill-chain. Applying the 'assume breach' mentality, more and more companies are asking for red-teaming type of assessments, and security researchers have therefore developed a wide range of open-source tools to assist them during these engagements. Out of these, two have quickly gained a solid reputation: PowerShell Empire and BloodHound (Both by @Harmj0y & ex-ATD Crew). In this Session, I will be presenting DogStrike, a new tool (PowerShell Modules) made to interface Empire & BloodHound, allowing penetration testers to merge their Empire infrastructure into the bloodhound graph database. Doing so allows the operator to request a bloodhound path that is 'Agent Aware', and makes it possible to automate the entire kill chain, from initial foothold to DA - or any desired part of an attacker's routine. Presentation will be demo-driven. Code for the module will be made public after the presentation. Automation of Active Directory post-exploitation is going to happen sooner than you might think. (Other tools are being released with the same goal). Is it a good thing? Is it a bad thing? If I do not run out of time, I would like to finish the presentation by opening the discussion with the audience and see what the consequences of automated post-exploitation could mean, from the red, the blue or any other point of view... : DeathStar by @Byt3Bl33d3r | GoFetch by @TalTheMaor.
-
Tools
-
Check-LocalAdminHash
- Check-LocalAdminHash is a PowerShell tool that attempts to authenticate to multiple hosts over either WMI or SMB using a password hash to determine if the provided credential is a local administrator. It's useful if you obtain a password hash for a user and want to see where they are local admin on a network.
- Blogpost
-
hunter
- (l)user hunter using WinAPI calls only
-
icebreaker
- Automates network attacks against Active Directory to deliver you piping hot plaintext credentials when you're inside the network but outside of the Active Directory environment. Performs 5 different network attacks for plaintext credentials as well as hashes. Autocracks hashes found with JohnTheRipper and the top 10 million most common passwords.
-
Invoke-HostRecon
- This function runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase. It gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection.
-
DeathStar
- DeathStar is a Python script that uses Empire's RESTful API to automate gaining Domain Admin rights in Active Directory environments using a variety of techniques.
-
ANGRYPUPPY
- Bloodhound Attack Path Execution for Cobalt Strike
-
GoFetch
- GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application. GoFetch first loads a path of local admin users and computers generated by BloodHound and converts it to its own attack plan format. Once the attack plan is ready, GoFetch advances towards the destination according to plan step by step, by successively applying remote code execution techniques and compromising credentials with Mimikatz.
- DogWhisperer - BloodHound Cypher Cheat Sheet (v2)
-
DomainTrustExplorer
- Python script for analysis of the "Trust.csv" file generated by Veil PowerView. Provides graph based analysis and output.
-
Articles/Blogposts/Writeups
-
Credential Attacks
-
101
-
Cached and Stored Credentials Technical Overview - docs.ms
- This topic for the IT professional describes how credentials are formed in Windows and how the operating system manages them. Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
-
Credentials Processes in Windows Authentication - docs.ms
- This reference topic for the IT professional describes how Windows authentication processes credentials. Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016
- Cached Credentials: Important Facts That You Cannot Miss - CQURE
-
Security Focus: Analysing 'Account is sensitive and cannot be delegated' for Privileged Accounts - Ian Farr(MSFT2015)
- There are a number of configuration options we recommend for securing high privileged accounts. One of them, enabling 'Account is sensitive and cannot be delegated', ensures that an account’s credentials cannot be forwarded to other computers or services on the network by a trusted application.
- Protected Users Security Group - docs.ms
- AD DS: Fine-Grained Password Policies - docs.ms - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770394(v=ws.10)
- Clearing cached/saved Windows credentials - University of Waterloo
- Protect derived domain credentials with Windows Defender Credential Guard - docs.ms
- KB2871997 and Wdigest - Part 1 - docs.ms
-
Articles/Blogposts/Writeups
- Remotely dump "Active Directory Domain Controller" machine user database using web shell - Indishell
- Auto-Dumping Domain Credentials using SPNs, PowerShell Remoting, and Mimikatz - Scott Sutherland
- How Attackers Dump Active Directory Database Credentials - adsecurity.org
- Playing with Relayed Credentials - SecureAuth
- Using Domain Controller Account Passwords To HashDump Domains - Mubix
-
Password Hunting with Machine Learning in Active Directory - HunniCyber
- tl;dr: Situation: Passwords embedded in files on fileshares lead to compromise. Complication: It is hard to tell what is a password. Resolution: Use SharpML to scan.
-
Credential theft without admin or touching LSASS with Kekeo by abusing CredSSP / TSPKG (RDP SSO) - Clement Notin(2019)
- If you have compromised a Windows host, and cannot, or do not want to, dump clear-text passwords using traditional techniques (e.g. mimikatz’s sekurlsa::logonpasswords, or LSASS dumping), you should check out the credential delegation settings. If enabled, it allows you to obtain clear-text passwords without touching the LSASS process or even without having administrator rights (limited to the current user’s password then)!
-
Offline-based
-
Offline Attacks on Active Directory - Michael Grafnetter
- This lab will guide you through some of the most interesting features of the DSInternals PowerShell Module, which was featured at Black Hat Europe 2019 and is also included in FireEye’s Commando VM. This open-source toolset exposes many internal and undocumented security-related features of Active Directory (AD), but we will primarily focus on its state-of-the-art offline database access capabilities. In the course of this lab, you will learn how to perform Active Directory password audits, offline password resets and group membership changes, or SID history injection.
- Reversible Encryption/Fine Grained Password Policies
-
Presentations/Talks/Videos
-
Credential Assessment: Mapping Privilege Escalation at Scale - Matt Weeks(Hack.lu 2016)
- In countless intrusions from large retail giants to oil companies, attackers have progressed from initial access to complete network compromise. In the aftermath, much ink is spilt and products are sold on how the attackers first obtained access and how the malware they used could or could not have been detected, while little attention is given to the credentials they found that turned their access on a single-system into thousands more. This process, while critical for offensive operations, is often complex, involving many links in the escalation chain composed of obtaining credentials on system A that grant access to system B and credentials later used on system B that grant further access, etc. We’ll show how to identify and combat such credential exposure at scale with the framework we developed. We comprehensively identify exposed credentials and automatically construct the compromise chains to identify maximal access and privileges gained, useful for either offensive or defensive purposes.
- When Everyone's Dog is Named Fluffy: Abusing the Brand New Security Questions in Windows 10 to Gain Domain-Wide Persistence - Magal Baz, Tom Sela(BHEU18)
-
You (dis)liked mimikatz? Wait for kekeo - Benjamin Delpy(BlueHat IL 2019)
- Slides - https://msrnd-cdn-stor.azureedge.net/bluehat/bluehatil/2019/assets/doc/You%20(dis)iked%20mimikatz%20Wait%20for%20kekeo.pdf
- For years, you’ve tried to fight mimikatz, first to understand it, and maybe fight it again. This little kiwi fruit shaped program has given you a hard time, extracted your password, stolen your credentials, played with your nerves and certificates... But our friends in New Zealand know it best: there are many different kiwis... and perhaps the fruit is the most lucrative, but it's not the most sadistic. The kiwi animal may not fly, and it remains complex to build it from source, but its effects are not less devastating... I will introduce "kekeo", the little animal brother of mimikatz. If you enjoyed playing with Kerberos, ASN1, security providers..., then you'll love adopting this furry, sweet animal. From its birth with MS14-068 to cleartext passwords without local administrator rights, you'll know everything about this animal. This talk will embed CredSSP and TSSP with cleartext credential, explore a little bit about PKINITMustiness and the RSA-on-the-fly for Kerberos with PKI!
-
Tools
-
DomainPasswordTest
- Tests AD passwords while respecting Bad Password Count
-
serviceFu
- Automates credential skimming from service accounts in Windows Registry using Mimikatz lsadump::secrets. The use case for this tool is when you have administrative rights across certain computers in a domain but do not have any clear-text credentials. ServiceFu will remotely connect to target computers, check if any credentialed services are present, download the system and security registry hive, and decrypt clear-text credentials for the domain service account.
- Brute-Force Attacks
-
Dumping NTDS.dit
- 101
-
Articles/Blogposts/Writeups
- Dumping Domain Password Hashes - Pentestlab.blog(2018)
- Credential Dumping: NTDS.dit - Yashika Dhir(2020)
- How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller
- Extracting Password Hashes From The Ntds.dit File
- Obtaining NTDS.Dit Using In-Built Windows Commands - Cyberis(2014)
- Volume Shadow Copy NTDS.dit Domain Hashes Remotely - Part 1 - mubix
- Getting Hashes from NTDS.dit File - swordshield.com
- Extracting Hashes and Domain Info From ntds.dit - ropnop
- Practice ntds.dit File Part 2: Extracting Hashes - Didier Stevens
-
Tools
- adXtract
-
DIT Snapshot Viewer
- DIT Snapshot Viewer is an inspection tool for the Active Directory database, ntds.dit. This tool connects to ESE (Extensible Storage Engine) and reads tables/records including hidden objects via the low level C API. The tool can extract the ntds.dit file without stopping lsass.exe. When the Active Directory Service is running, lsass.exe locks the file and does not allow access to it. The snapshot wizard copies ntds.dit using VSS (Volume Shadow Copy Service) even if the file is exclusively locked. As copying ntds.dit may cause data inconsistency in the ESE DB, the wizard automatically runs the esentutil /repair command to fix the inconsistency.
-
NTDSXtract - Active Directory Forensics Framework
- This framework was developed by the author in order to provide the community with a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).
-
NTDSDumpEx
- NTDS.dit offline dumper with non-elevated
-
NTDS-Extraction-Tools
- Automated scripts that use an older version of libesedb (2014-04-06) to extract large NTDS.dit files
-
gosecretsdump
- This is a conversion of the impacket secretsdump module into golang. It's not very good, but it is quite fast. Please let me know if you find bugs, I'll try and fix where I can - bonus points if you can provide sample .dit files for me to bash against.
-
MFA-Related
-
Articles/Blogposts/Writeups
-
Multi-Factor Mixup: Who Were You Again? - Okta
- A weakness in the Microsoft ADFS protocol for integration with MFA products allows a second factor for one account to be used for second-factor authentication to all other accounts in an organization.
-
Articles/Blogposts/Writeups
- Net-NTLM
-
NetNTLMtoSilverTicket
-
SpoolSample -> NetNTLMv1 -> NTLM -> Silver Ticket
- This technique has been alluded to by others, but I haven't seen anything cohesive out there. Below we'll walk through the steps of obtaining NetNTLMv1 Challenge/Response authentication, cracking those to NTLM Hashes, and using that NTLM Hash to sign a Kerberos Silver ticket. This will work on networks where "LAN Manager authentication level" is set to 2 or less. This is a fairly common scenario in older, larger Windows deployments. It should not work on Windows 10 / Server 2016 or newer.
-
Password Spraying
-
Tools
-
ADFSpray
- ADFSpray is a python3 tool to perform password spray attack against Microsoft ADFS. ALWAYS VERIFY THE LOCKOUT POLICY TO PREVENT LOCKING USERS.
-
Tools
-
101
-
DCShadow
-
101
- Active Directory: What can make your million dollar SIEM go blind? - Vincent Le Toux, Benjamin Delpy
-
DCShadow
- DCShadow is a new feature in mimikatz located in the lsadump module. It simulates the behavior of a Domain Controller (using protocols like RPC used only by DC) to inject its own data, bypassing most of the common security controls and including your SIEM. It shares some similarities with the DCSync attack (already present in the lsadump module of mimikatz).
- DCShadow explained: A technical deep dive into the latest AD attack technique - Luc Delsalle
- What is DCShadow? - Stealthbits
- Articles/Blogposts/Writeups
- Tools
-
101
-
DCSync Attack
- 101
-
Articles/Blogposts/Writeups
- DCSync - Yojimbo Security
- DCSync: Dump Password Hashes from Domain Controller - ired.team
- Mimikatz DCSync Usage, Exploitation, and Detection - Sean Metcalf
- Mimikatz and DCSync and ExtraSids, Oh My - harmj0y
- Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync
- Extracting User Password Data with Mimikatz DCSync - Jeff Warren
- Tools
-
Constrained-Delegation
-
101
-
Kerberos Constrained Delegation Overview - docs.ms
- This overview topic for the IT professional describes new capabilities for Kerberos constrained delegation in Windows Server 2012 R2 and Windows Server 2012. Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016
- What is Kerberos Delegation? An Overview of Kerberos Delegation - Kevin Joyce(2020)
- Kerberos Constrained Delegation - AWS
-
Articles/Blogposts/Writeups
- Another Word on Delegation
- From Kekeo to Rubeus
- S4U2Pwnage
- Kerberos Delegation, Spns And More...
- A Case Study in Wagging the Dog: Computer Takeover - harmj0y
-
Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - Elad Shamir
- Back in March 2018, I embarked on an arguably pointless crusade to prove that the TrustedToAuthForDelegation attribute was meaningless, and that “protocol transition” can be achieved without it. I believed that security wise, once constrained delegation was enabled (msDS-AllowedToDelegateTo was not null), it did not matter whether it was configured to use “Kerberos only” or “any authentication protocol”. I started the journey with Benjamin Delpy’s (@gentilkiwi) help modifying Kekeo to support a certain attack that involved invoking S4U2Proxy with a silver ticket without a PAC, and we had partial success, but the final TGS turned out to be unusable. Ever since then, I kept coming back to it, trying to solve the problem with different approaches but did not have much success. Until I finally accepted defeat, and ironically then the solution came up, along with several other interesting abuse cases and new attack techniques.
-
Kerberos Delegation, SPNs and More... - Alberto Solino(2017)
- In this blog post, I will cover some findings (and still remaining open questions) around the Kerberos Constrained Delegation feature in Windows as well as Service Principal Name (SPN) filtering that might be useful when considering using/testing this technology.
-
The worst of both worlds: Combining NTLM Relaying and Kerberos delegation - Dirk-jan Mollema
- After my in-depth post last month about unconstrained delegation, this post will discuss a different type of Kerberos delegation: resource-based constrained delegation. The content in this post is based on Elad Shamir’s Kerberos research and combined with my own NTLM research to present an attack that can get code execution as SYSTEM on any Windows computer in Active Directory without any credentials, if you are in the same network segment. This is another example of insecure Active Directory default abuse, and not any kind of new exploit.
- Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation - Daniel López Jiménez and Simone Salucci
- Talks & Presentations
-
101
-
Unconstrained Delegation
- 101
-
Articles/Blogposts/Writeups
- Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)
- Unconstrained Delegation Permissions
- Trust? Years to earn, seconds to break
- Getting Domain Admin with Kerberos Unconstrained Delegation - Nikhil Mittal
- Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest - adsecurity.org
- Abusing Users Configured with Unconstrained Delegation -
- “Relaying” Kerberos - Having fun with unconstrained delegation - Dirk-jan Mollema(2019)
-
Talks & Presentations
- Red vs Blue: Modern Active Directory Attacks Detection and Protection - Sean Metcalf
-
The Unintended Risks of Trusting Active Directory - Lee Christensen, Will Schroeder, Matt Nelson(Derbycon 2018)
- Your crown jewels are locked in a database, the system is patched, utilizes modern endpoint security software, and permissions are carefully controlled and locked down. Once this system is joined to Active Directory, however, does that static trust model remain the same? Or has the number of attack paths to your data increased by an order of magnitude? We’ve spent the last year exploring the access control model of Active Directory and recently broadened our focus to include security descriptor misconfigurations/backdoor opportunities at the host level. We soon realized that the post-exploitation “attack surface” of Windows hosts spans well beyond what we originally realized, and that host misconfigurations can sometimes have a profound effect on the security of every other host in the forest. This talk will explore a number of lesser-known Active Directory and host-based permission settings that can be abused in concert for remote access, privilege escalation, or persistence. We will show how targeted host modifications (or existing misconfigurations) can facilitate complex Active Directory attack chains with far-reaching effects on other systems and services in the forest, and can allow new AD attack paths to be built without modifying Active Directory itself.
- Slides
-
Tools
-
SpoolSample -> NetNTLMv1 -> NTLM -> Silver Ticket
- This technique has been alluded to by others, but I haven't seen anything cohesive out there. Below we'll walk through the steps of obtaining NetNTLMv1 Challenge/Response authentication, cracking those to NTLM Hashes, and using that NTLM Hash to sign a Kerberos Silver ticket. This will work on networks where "LAN Manager authentication level" is set to 2 or less. This is a fairly common scenario in older, larger Windows deployments. It should not work on Windows 10 / Server 2016 or newer.
-
SpoolerScanner
- Check if the spooler (MS-RPRN) is remotely available with powershell/c#
-
SpoolSample
- PoC tool to coerce Windows hosts to authenticate to other machines via the MS-RPRN RPC interface. This is possible via other protocols as well.
-
krbrelayx
- Kerberos unconstrained delegation abuse toolkit
- Mitigation
-
AS-REP Roasting
- 101
-
Informational
- Roasting AS-REPs - harmj0y
- IOC differences between Kerberoasting and AS-REP Roasting - Jonathan Johnson(2019)
- AS_REP Roasting - hackndo(2020)
-
Roasting your way to DA - Build-Break-Defend-Fix - Andy Gill(2020)
- Dive into both Kerberoasting and ASREP Roasting, looking at how they work, how to introduce them into an environment and how to fix them or where possible monitor and defend against them.
-
How-Tos
- AS-REP Roasting - @spottheplanet
- Kerberos AD Attacks - More Roasting with AS-REP - Adam Chester(2017)
- AS-REP Roasting – Cracking User Account Password - akijos(2018)
- Cracking Active Directory Passwords with AS-REP Roasting - Jeff Warren(2019)
- AS-REP Roasting - Pavandeep Singh(2020)
- ASREP Roasting - AkimboCore(2020)
-
Tools
-
Rubeus
- Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX's MakeMeEnterpriseAdmin project (GPL v3.0 license). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization- without their prior work this project would not exist.
-
Kerberoast(ing)
-
Articles/Blogposts/Writeups
- Kerberoasting - Part 1 - mubix
- Kerberoasting - Part 2 - mubix
- Kerberoasting - Part 3 - mubix
- Kerberoasting - Pixis
- Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain - adsecurity.org
- Kerberoasting Without Mimikatz - Will Schroeder
-
Mimikatz 2.0 - Brute-Forcing Service Account Passwords
- If everything about that ticket-generation operation is valid except for the NTLM hash, then accessing the web application will result in a failure. However, this will not cause a failed logon to appear in the Windows® event log. It will also not increment the count of failed logon attempts for the service account. Therefore, the result is an ability to perform brute-force (or, more realistically, dictionary-based) password checks for such a service account, without locking it out or generating suspicious event log entries.
- kerberos, kerberoast and golden tickets - leonjza
- Extracting Service Account Passwords with Kerberoasting - Jeff Warren
- Cracking Service Account Passwords with Kerberoasting
- Targeted Kerberoasting - harmj0y
- Kerberoast PW list for cracking passwords with complexity requirements
- Kerberoast - pentestlab.blog
- A Toast to Kerberoast - Derek Banks
- Kerberoasting, exploiting unpatched systems – a day in the life of a Red Teamer - Chetan Nayak
- Discovering Service Accounts Without Using Privileges - Jeff Warren
- Kerberoasting and SharpRoast output parsing! - grumpy-sec
-
Talks & Presentations
-
Attacking Kerberos: Kicking the Guard Dog of Hades - Tim Medin
- Kerberos, besides having three heads and guarding the gates of hell, protects services on Microsoft Windows Domains. Its use is increasing due to the growing number of attacks targeting NTLM authentication. Attacking Kerberos to access Windows resources represents the next generation of attacks on Windows authentication. In this talk Tim will discuss his research on new attacks against Kerberos, including a way to attack the credentials of a remote service without sending traffic to the service as well as rewriting tickets to access systems. He will also examine potential countermeasures against Kerberos attacks with suggestions for mitigating the most common weaknesses in Windows Kerberos deployments.
- Demo of kerberoasting on EvilCorp Derbycon6
- Attacking EvilCorp Anatomy of a Corporate Hack - Sean Metcalf, Will Schroeder
-
Kerberos & Attacks 101 - Tim Medin(SANS Webcast)
- Want to understand how Kerberos works? Would you like to understand modern Kerberos attacks? If so, then join Tim Medin as he walks you through how to attack Kerberos with ticket attacks and Kerberoasting. We'll cover the basics of Kerberos authentication and then show you how the trust model can be exploited for persistence, pivoting, and privilege escalation.
-
Kerberoasting Revisited - Will Schroeder(Derbycon2019)
- Kerberoasting has become the red team's best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven't understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we've been missing, and what new tooling and approaches to kerberoasting exist.
-
Tools
-
kerberoast
- Kerberoast is a series of tools for attacking MS Kerberos implementations.
-
tgscrack
- Kerberos TGS_REP cracker written in Golang
-
AS-REP
-
Roasting AS-REPs - harmj0y
- tl;dr – if you can enumerate any accounts in a Windows domain that don’t require Kerberos preauthentication, you can now easily request a piece of encrypted information for said accounts and efficiently crack the material offline, revealing the user’s password.
-
Articles/Blogposts/Writeups
-
Machine-Account Quota
-
101
-
MS-DS-Machine-Account-Quota attribute - docs.ms
- The number of computer accounts that a user is allowed to create in a domain.
- Articles/Blogposts/Writeups
-
101
-
MS-Cache
-
101
-
Interactive logon: Number of previous logons to cache (in case domain controller is not available) - docs.ms
- This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. Applies To: Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
-
(Win10)Interactive logon: Number of previous logons to cache (in case domain controller is not available) - docs.ms
- Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Number of previous logons to cache (in case domain controller is not available) security policy setting. Applies To: Win10
- Cached domain logon information - support.ms
- Articles/Blogposts/Writeups
-
Tools
-
passlib.hash.msdcc2 - Windows’ Domain Cached Credentials v2
- This class implements the DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer to cache and verify remote credentials when the relevant server is unavailable. It is known by a number of other names, including “mscache2” and “mscash2” (Microsoft CAched haSH). It replaces the weaker msdcc v1 hash used by previous releases of Windows. Security wise it is not particularly weak, but due to its use of the username as a salt, it should probably not be used for anything but verifying existing cached credentials.
-
-
101
-
Pass-the-*
- 101
-
Cache
- Tweet by Benjamin Delpy(2014)
-
Pass-the-Cache to Domain Compromise - Jamie Shaw
- This post is going to go over a very quick domain compromise by abusing cached Kerberos tickets discovered on a Linux-based jump-box within a Windows domain environment. In essence, we were able to steal cached credentials from a Linux host and use them on a Windows-based system to escalate our privileges to domain administrator level.
-
Hash
- For this kind of attack and related ones, check out the Network Attacks page, under Pass-the-Hash.
- Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - harmj0y
- Windows Credential Guard & Mimikatz - nviso
- Wendel's Small Hacking Tricks - The Annoying NT_STATUS_INVALID_WORKSTATION
-
Passing the hash with native RDP client (mstsc.exe)
- TL;DR: If the remote server allows Restricted Admin login, it is possible to login via RDP by passing the hash using the native Windows RDP client mstsc.exe. (You’ll need mimikatz or something else to inject the hash into the process)
-
Invoke-TheHash
- Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and SMB services are accessed through .NET TCPClient connections. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side.
- Pass-The-Hash with RDP in 2019 - shellz.club
- Pass the Hash - hackndo
- Pass-the-Hash Web Style - SANS
- Over-Pass-the-Hash
-
Ticket
- How To Pass the Ticket Through SSH Tunnels
- Pass-the-ticket - ldapwiki
- Silver & Golden Tickets - hackndo
- Silver
-
Golden
-
Abusing Microsoft Kerberos: Sorry You Guys Don't Get It - Alva Duckwall, Benjamin Delpy(BHUSA 2015)
- Microsoft Active Directory uses Kerberos to handle authentication requests by default. However, if the domain is compromised, how bad can it really be? With the loss of the right hash, Kerberos can be completely compromised for years after the attacker gained access. Yes, it really is that bad. In this presentation Skip Duckwall, @passingthehash on twitter and Benjamin Delpy, @gentilkiwi on twitter and the author of Mimikatz, will demonstrate just how thoroughly compromised Kerberos can be under real world conditions.
- mimikatz - golden ticket
- Golden Ticket - ldapwiki
- Advanced Targeted Attack. PoC Golden Ticket Attack - BSides Tampa 17
- Complete Domain Compromise with Golden Tickets - stealthbits
- Pass-the-(Golden)-Ticket with WMIC
- Kerberos Golden Tickets are Now More Golden - ADSecurity.org
- Mimikatz 2.0 - Golden Ticket Walkthrough - Ben Lincoln
-
-
Shadow Admins(ACLs)
- Shadow Admins – The Stealthy Accounts That You Should Fear The Most - Asaf Hecht
-
ACLight
- ACLight is a tool for discovering privileged accounts through advanced ACLs analysis (objects’ ACLs - Access Lists, aka DACL\ACEs). It includes the discovery of Shadow Admins in the scanned network.
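An added example of the idea behind ACLight, written here rather than taken from the tool: walk the DACL of a few objects whose control equals domain control and report every non-default principal holding a right that lets it take over the object. It assumes the ActiveDirectory RSAT module (which provides the AD: drive) and a plain domain user; the expected-principal list is an assumption to tune per domain.

```powershell
Import-Module ActiveDirectory
$domain = Get-ADDomain
$nb     = $domain.NetBIOSName

# Objects whose ACL, if writable, hands out domain control.
$targets = @(
    $domain.DistinguishedName,                                   # DCSync rights are granted here
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)",   # template copied onto every protected object
    (Get-ADGroup 'Domain Admins').DistinguishedName
)

# Principals expected to hold strong rights; anything else is a shadow-admin candidate.
$expected = @("BUILTIN\Administrators", "NT AUTHORITY\SYSTEM", "$nb\Domain Admins",
              "$nb\Enterprise Admins", "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS", "$nb\Domain Controllers")

# Extended rights are identified by the ACE's ObjectType GUID.
$controlRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes (DCSync)'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All (DCSync)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Force-Change-Password'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$wholeObject = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite'

foreach ($dn in $targets) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($expected -contains $who) { continue }

        $rights = $ace.ActiveDirectoryRights.ToString()   # e.g. "ReadProperty, WriteProperty, ExtendedRight"
        $reason = $null
        foreach ($r in $wholeObject) { if ($rights -match "\b$r\b") { $reason = $r; break } }
        if (-not $reason -and $rights -match 'ExtendedRight') {
            $reason = $controlRights[$ace.ObjectType.ToString()]   # null for harmless rights such as User-Change-Password
        }
        if (-not $reason -and $rights -match 'WriteProperty' -and $ace.ObjectType -eq [guid]::Empty) {
            $reason = 'WriteProperty on all attributes (includes member)'
        }
        if ($reason) {
            [pscustomobject]@{ Object = $dn; Principal = $who; Why = $reason; Inherited = $ace.IsInherited }
        }
    }
}
```

Anything this prints is an account or group that can become Domain Admin without being in the group, which is the whole point of the "shadow admin" label; the real tools (ACLight, BloodHound) add the transitive part, i.e. who controls the principals found here.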
-
(NTLM)SMB Relay
- See Network_Attacks.md
- Redirect to SMB - Cylance SPEAR
-
Skeleton Key
- Active Directory Domain Controller Skeleton Key Malware & Mimikatz - ADSecurity
- Skeleton Key Malware Analysis - SecureWorks
- Unlocking All The Doors To Active Directory With The Skeleton Key Attack
- Skeleton Key
- Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest
-
Specific Vulnerabilities
-
MS14-068
-
About
- MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege
- MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege - adsecurity.org
- Kerberos Vulnerability in MS14-068 (KB3011780) Explained - adsecurity.org
- Detecting MS14-068 Kerberos Exploit Packets on the Wire aka How the PyKEK Exploit Works - adsecurity.org
- Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) - adsecurity.org
- Digging into MS14-068, Exploitation and Defence - Ben Campbell, Jon Cave
-
Exploiting
- Digging into MS14-068, Exploitation and Defence
- From MS14-068 to Full Compromise - Step by Step - David Kennedy
- Microsoft Security Bulletin MS14-068 - Critical - docs.ms
- Exploiting MS14-068 with PyKEK and Kali - Zach Grace
- Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) - adsecurity.org
-
- MS15-011
-
-
Hunting Users
-
WIP
-
Defense Evasion
-
Evading Microsoft ATA for Active Directory Domination - Nikhil Mittal
- Microsoft Advanced Threat Analytics (ATA) is a defense platform which reads information from multiple sources like traffic for certain protocols to the Domain Controller, Windows Event Logs and SIEM events. The information thus collected is used to detect Reconnaissance, Credentials replay, Lateral movement, Persistence attacks etc. Well known attacks like Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Golden Ticket, Directory services replication, Brute-force, Skeleton key etc. can be detected using ATA.
- Red Team Techniques for Evading, Bypassing & Disabling MS - Chris Thompson
- Windows Defender Advanced Threat Protection is now available for all Blue Teams to utilize within Windows 10 Enterprise and Server 2012/16, which includes detection of post breach tools, tactics and techniques commonly used by Red Teams, as well as behavior analytics.
- Slides
-
-
Collection
- Articles/Blogposts/Writeups
-
Tools
-
SharpML
- SharpML is a C#- and Python-based tool that mines file shares, queries Active Directory for users, drops an ML model and associated rules, and performs Active Directory authentication checks, with a view to automating the hunt for passwords in file shares by feeding the mined data into the ML model.
-
-
Persistence
- Articles/Blogposts/Writeups
-
Presentations/Talks/Videos
-
Catch Me if You Can - Eduardo Arriols(Defcon Safe Mode RTV 2020)
- The presentation shows, from a technical point of view, how to deploy backdoors that guarantee access to an organization. It starts with a brief review of the types of persistence, the locations where they can be deployed and the common aspects to take into account, then describes the details that let a Red Team keep access to the entity without the organization detecting it, or expelling the attacker before the attacker re-enters through an alternative persistence mechanism.
- The Active Directory Botnet - Ty Miller, Paul Kalinin(BHUSA 17)
-
- ACLs & Security Descriptors
- AdminSDHolder
- DCShadow
- Directory Services Restore Mode
- Group Policy Object
- Golden Ticket
- SeEnableDelegationPrivilege
- Security Support Provider
- SID History
- Silver Ticket
- Skeleton Keys
- SPNs/Kerberoast
-
Privilege Escalation
-
ACEs/ACLs/DACLs
-
DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) - Nabeel Ahmed(2019)
- This vulnerability allows low privileged users to hijack file that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file. Successful exploitation results in "Full Control" permissions for the low privileged user.
- Microsoft Exchange – ACL - NetbiosX
- RACE Minimal Rights and ACE for Active Directory Dominance - Nikhil Mittal(Defcon27)
-
-
Aiming for DA
- Post-Exploitation in Windows: From Local Admin To Domain Admin (efficiently) - pentestmonkey
- Scenario-based pen-testing: From zero to domain admin with no missing patches required - Georgia Weidman
- Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher
- Attack Methods for Gaining Domain Admin Rights in Active Directory - adsecurity
- Gaining Domain Admin from Outside Active Directory - markitzeroday.com
- Group Policy
-
Exploits/CVEs
-
Gone to the Dogs - Elad Shamir
- Win10 PrivEsc Domain Joined
-
CVE-2018-8340: Multi-Factor Mixup: Who Were You Again? - Andrew Lee
- A weakness in the Microsoft ADFS protocol for integration with MFA products allows a second factor for one account to be used for second-factor authentication to all other accounts in an organization.
- MS CVE-2018-8340
- CVE-2020-0665 | Active Directory Elevation of Privilege Vulnerability - portal.msrc
-
CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability - msrc
- An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
-
-
Tools
-
ADAPE-Script
- Active Directory Assessment and Privilege Escalation Script
-
-
-
Reconnaissance
-
Articles/Blogposts/Presentations/Talks/Writeups
- Active Directory Firewall Ports – Let’s Try To Make This Simple - Ace Fekay(2011)
- Automating the Empire with the Death Star: getting Domain Admin with a push of a button
- Active Directory Pentest Recon Part 1: SPN Scanning aka Mining Kerberos Service Principal Names
- Active Directory Recon Without Admin Rights - adsecurity
- Using ActiveDirectory module for Domain Enumeration from PowerShell Constrained Language Mode - Nikhil Mittal
- Kerberos Domain Username Enumeration - matt
- adcli info - Fedora documentation
- adcli info forest - Fedora documentation
- AD Zone Transfers as a user - mubix
- Gathering AD Data with the Active Directory PowerShell Module - ADSecurity.com
- Enumerating remote access policies through GPO - William Knowles, Jon Cave
- Getting around Active Directory search size limit via ldapsearch - Fabio Martelli
- Domain Goodness – How I Learned to LOVE AD Explorer - Sally Vandeven
- LDAPFragger: Bypassing network restrictions using LDAP attributes - Rindert Kramer
-
Active Directory Enumeration with PowerShell - Haboob
- Most environments today use Active Directory to manage their networks and resources, and over the past years attackers have focused on abusing Active Directory environments with a range of techniques and methodologies. This research paper uses PowerShell to enumerate Active Directory resources: domains, users, groups, ACLs, GPOs and domain trusts, as well as hunting users and domain admins. With this information the attack surface against AD can be extended to privilege escalation, lateral movement, persistence and so on.
-
Tools
-
BloodHound
- 101
-
BloodHound
- BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
- Articles/Blogposts/Writeups
-
Historical Posts
- Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win. - JohnLaTwC
- Automated Derivative Administrator Search - wald0
- BloodHound 1.3 – The ACL Attack Path Update - wald0
- BloodHound 1.4: The Object Properties Update - CptJesus
- SharpHound: Target Selection and API Usage
- BloodHound 1.5: The Container Update
- A Red Teamer’s Guide to GPOs and OUs - wald0
- BloodHound 2.0 - CptJesus
- BloodHound 2.1: The Fix Broken Stuff Update - Rohan Vazarkar
-
Using
- BloodHound: Intro to Cypher - CptJesus
- The Dog Whisperer's Handbook: A Hacker's Guide to the BloodHound Galaxy - @SadProcessor
- My First Go with BloodHound
- Lay of the Land with BloodHound
-
Bloodhound walkthrough. A Tool for Many Tradecrafts - Andy Gill
- A walkthrough on how to set up and use BloodHound
- BloodHound From Red to Blue - Mathieu Saulnier(BSides Charm2019)
- BloodHound Tips and Tricks - Riccardo Ancarani
- Neo4j
-
Extending Functionality
- Visualizing BloodHound Data with PowerBI — Part 1 - Andy Robbins
- Visualizing BloodHound Data with PowerBI — Part 2 - Andy Robbins
-
Extending BloodHound: Track and Visualize Your Compromise
- Customizing BloodHound's UI and taking advantage of Custom Queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains.
- Extending BloodHound Part 1 - GPOs and User Right Assignment - Riccardo Ancarani
-
Cypheroth
- Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.
-
Plumhound
- Released as Proof of Concept for Blue and Purple teams to more effectively use BloodHoundAD in continual security life-cycles by utilizing the BloodHoundAD pathfinding engine to identify Active Directory security vulnerabilities resulting from business operations, procedures, policies and legacy service operations. PlumHound operates by wrapping BloodHoundAD's powerhouse graphical Neo4J backend cypher queries into operations-consumable reports. Analyzing the output of PlumHound can steer security teams in identifying and hardening common Active Directory configuration vulnerabilities and oversights.
-
Ingestors
-
BloodHound.py
- A Python based ingestor for BloodHound
-
-
API
-
CypherDog
- PowerShell Cmdlets to interact with BloodHound Data via Neo4j REST API
-
-
Domain Reconnaissance
- PowerView.ps1
-
PywerView
- A (partial) Python rewriting of PowerSploit's PowerView.
- The PowerView PowerUsage Series #1 - harmj0y
-
goddi
- goddi (go dump domain info) dumps Active Directory domain information
-
ADRecon
- ADRecon is a tool which extracts and combines various artefacts (as highlighted below) out of an AD environment. The information can be presented in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis and provide a holistic picture of the current state of the target AD environment. The tool is useful to various classes of security professionals like auditors, DFIR, students, administrators, etc. It can also be an invaluable post-exploitation tool for a penetration tester. It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) account. Fine Grained Password Policy, LAPS and BitLocker may require Privileged user accounts. The tool will use Microsoft Remote Server Administration Tools (RSAT) if available, otherwise it will communicate with the Domain Controller using LDAP.
-
AdEnumerator
- Active Directory enumeration from non-domain system. Powershell script
-
Orchard
- Live off the land for macOS. This program allows users to do Active Directory enumeration via macOS' JXA (JavaScript for Automation) code. This is the newest version of AppleScript, and thus has very poor documentation on the web.
-
PowerShell-AD-Recon
- AD PowerShell Recon Scripts
-
ADCollector
- A lightweight tool that enumerates the Active Directory environment to identify possible attack vectors
-
AdsiPS
- PowerShell module to interact with Active Directory using ADSI and the System.DirectoryServices namespace (.NET Framework).
-
jackdaw
- Jackdaw collects all information in your domain, stores it in a SQL database and shows you graphs of how your domain objects interact with each other and how a potential attacker may exploit these interactions. It also comes with a handy feature to help in a password-cracking project by storing/looking up/reporting hashes/passwords/users.
-
LDAP-based
-
go-windapsearch
- windapsearch is a tool to assist in Active Directory Domain enumeration through LDAP queries. It contains several modules to enumerate users, groups, computers, as well as perform searching and unauthenticated information gathering.
-
-
Local Machine
-
HostEnum
- A PowerShell v2.0 compatible script comprised of multiple system enumeration / situational awareness techniques collected over time. If the system is a member of a Windows domain, it can also perform limited domain enumeration with the -Domain switch. However, domain enumeration is significantly limited with the intention that PowerView or BloodHound could also be used.
-
-
Passwords
-
NtdsAudit
- NtdsAudit is an application to assist in auditing Active Directory databases. It provides some useful statistics relating to accounts and passwords. It can also be used to dump password hashes for later cracking.
-
-
Service Principal Name(SPN) Scanning
- Service Principal Names - docs.ms
-
SPNs - adsecurity.org
- This page is a comprehensive reference (as comprehensive as possible) for Active Directory Service Principal Names (SPNs). As I discover more SPNs, they will be added.
- Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe - social.technet.ms.com)
- SPN Discovery - pentestlab.blog
- Discovering Service Accounts Without Using Privileges - Jeff Warren
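An added example of SPN scanning (my own, not from the posts above), which needs nothing but LDAP read access as a domain user. User objects with an SPN are the Kerberoast candidates; the second query shows the other use of SPNs, mapping where a given service runs without touching a single host. Assumes the ActiveDirectory RSAT module.

```powershell
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes: AES128 = 0x8, AES256 = 0x10. A user account with neither
# bit (or with the attribute unset) gets RC4 service tickets, which crack far faster.
function Test-Rc4Only {
    param([int]$SupportedEncryptionTypes)
    return -not ($SupportedEncryptionTypes -band 0x18)
}

# 1. Service accounts: user objects carrying an SPN, excluding krbtgt.
Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, PasswordLastSet, adminCount, 'msDS-SupportedEncryptionTypes' |
    Select-Object SamAccountName, Enabled, PasswordLastSet, adminCount,
        @{ n = 'RC4Only'; e = { Test-Rc4Only ([int]$_.'msDS-SupportedEncryptionTypes') } },
        @{ n = 'SPNs';    e = { $_.servicePrincipalName -join ';' } } |
    Sort-Object adminCount, PasswordLastSet -Descending | Format-Table -AutoSize

# 2. Service landscape: every SQL Server instance registered in the directory, including
#    the ones running under a computer account.
Get-ADObject -LDAPFilter '(servicePrincipalName=MSSQLSvc/*)' -Properties servicePrincipalName |
    ForEach-Object { $_.servicePrincipalName | Where-Object { $_ -like 'MSSQLSvc/*' } } |
    Sort-Object -Unique
```

The triage order in the first query is deliberate: an enabled, privileged (adminCount=1), RC4-only service account with a years-old password is the Kerberoast target an attacker picks first, so it is the one to move to a group Managed Service Account or at least a long random password and AES first.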
-
-
Miscellaneous Tools
-
ActiveReign
- A Network Enumeration and Attack Toolset
-
CrackMapExec
- A swiss army knife for pentesting networks
-
Windows Vault Password Dumper
- The following code shows how to use native undocumented functions of Windows Vault API to enumerate and extract credentials stored by Microsoft Windows Vault. The code has been successfully tested on Windows7 and Windows8 operating systems.
-
knit_brute.sh
- A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'
-
BTA
- BTA is an open-source Active Directory security audit framework.
-
WinPwn
- Automation for internal Windows Penetrationtest / AD-Security
-
Check-LocalAdminHash & Exfiltrating All PowerShell History - Beau Bullock
- Check-LocalAdminHash is a new PowerShell script that can check a password hash against multiple hosts to determine if it’s a valid administrative credential. It also has the ability to exfiltrate all PowerShell PSReadline console history files from every profile on every system that the credential provided is an administrator of.
-
Check-LocalAdminHash
- Check-LocalAdminHash is a PowerShell tool that attempts to authenticate to multiple hosts over either WMI or SMB using a password hash to determine if the provided credential is a local administrator. It's useful if you obtain a password hash for a user and want to see where they are local admin on a network. It is essentially a Frankenstein of two of my favorite tools along with some of my own code. It utilizes Kevin Robertson's (@kevin_robertson) Invoke-TheHash project for the credential checking portion. Additionally, the script utilizes modules from PowerView by Will Schroeder (@harmj0y) and Matt Graeber (@mattifestation) to enumerate domain computers to find targets for testing admin access against.
-
Wireless_Query
- Query Active Directory for Workstations and then Pull their Wireless Network Passwords. This tool is designed to pull a list of machines from AD and then use psexec to pull their wireless network passwords. This should be run with either a DOMAIN or WORKSTATION Admin account.
- Find AD users with empty password using PowerShell
-
ACLight
- The tool queries the Active Directory (AD) for its objects' ACLs and then filters and analyzes the sensitive permissions of each one. The result is a list of domain privileged accounts in the network (from the advanced ACLs perspective of the AD). You can run the scan with just any regular user (could be non-privileged user) and it automatically scans all the domains of the scanned network forest.
-
zBang
- zBang is a special risk assessment tool that detects potential privileged account threats in the scanned network.
- Blogpost
-
-
Articles/Blogposts/Presentations/Talks/Writeups
-
Lateral Movement
- Articles/Blogposts/Writeups
- DCOM
- Internal Phishing
- GPO
- Pass-the-Ticket
- Over-Pass-the-Hash
- RDP
- RPC
- SCCM
- Scheduled Tasks
- Service Creation/Modification
- SMB
- SSH
- WinRM
- WMI
- Tools
-
Defense Evasion
Email/Microsoft Exchange
- Look at the phishing page
- Articles/Blogposts/Writeups
- Privilege Escalation (ab)using
-
Tools
-
Exchange-AD-Privesc
- This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security. This is a side project of AD-Control-Paths, an AD permissions auditing project to which I recently added some Exchange-related modules.
- Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema
-
Exploiting PrivExchange - chryzsh
- expansion and demo of how to use the PrivExchange exploit
-
MailSniper
- MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain. MailSniper also includes additional modules for password spraying, enumerating users/domains, gathering the Global Address List from OWA and EWS, and checking mailbox permissions for every Exchange user at an organization.
-
PowerPriv
- A PowerShell implementation of PrivExchange by @_dirkjan (original code found here: https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py). Useful for environments on which you cannot run python-based applications, have user credentials, or do not want to drop files to disk. Will cause the target Exchange server system account to attempt to authenticate to a system of your choice.
-
exchange_hunter2
- This script uses a valid credential, a DC IP and hostname to log into the DC over LDAP and query it for the whereabouts of the Microsoft Exchange servers in the environment.
-
properly sort out
Hardening & Securing Active Directory
-
101
-
Ping Castle Methodology
- Here are the 4 steps of the PingCastle methodology, designed from our experience putting hundreds of domains under control.
- What would a real hacker do to your Active Directory
- Securing Microsoft Active Directory Federation Server (ADFS)
- Awesome Windows Domain Hardening
- The Most Common Active Directory Security Issues and What You Can Do to Fix Them - adsecurity
-
Beyond Domain Admins – Domain Controller & AD Administration - ADSecurity.org
- This post provides information on how Active Directory is typically administered and the associated roles & rights.
-
- Adversary Resilience Methodology
-
Awareness
-
NtdsAudit
- NtdsAudit is an application to assist in auditing Active Directory databases. It provides some useful statistics relating to accounts and passwords. It can also be used to dump password hashes for later cracking.
-
Grouper
- Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.
-
-
Bloodhound
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
-
Tools
-
Cypheroth
- Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.
-
- Building/Designing Infrastructure
-
Deceiving Attackers
-
Weaponizing Active Directory - David Fletcher
- This webcast covers basic techniques to catch attackers attempting lateral movement and privilege escalation within your environment with the goal of reducing that Mean Time to Detect (MTTD) metric. Using tactical deception, we will lay out strategies to increase the odds that an attacker will give away their presence early after initial compromise.
- Creating Honey Credentials with LSA Secrets - Scot Berner
-
-
Domain Controllers/Admins
- Securing Domain Controllers to Improve Active Directory Security - adsecurity.org
- Protecting Privileged Domain Accounts: Network Authentication In-Depth
-
Active Directory: Real Defense for Domain Admins
- Did your AD recently get owned on a pentest? It’s always fun to see an unknown entry show up in your Domain Admins group (#fail). Come learn how to truly protect your organization’s IT crown jewels from some of the most popular AD attacks. If you’re stuck trying to figure out what to do with null sessions, pass the hash techniques, or protecting your Domain Admins, then you will want to be here.
- Security Watch: Lock Up Your Domain Controllers - Steve Riley - docs.ms
- Securing Active Directory Administrative Groups and Accounts - docs.ms(2009)
- Designing RODCs in the Perimeter Network - docs.ms(2012)
-
Enhanced Security Administrative Environment(ESAE)/Red Forest
- ESAE
- Red Forest
-
AppLocker
-
101
-
AppLocker - docs.ms
- This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
- What Is AppLocker? - docs.ms
- AppLocker design guide - docs.ms
- AppLocker deployment guide - docs.ms
- AppLocker technical reference - docs.ms
- Security considerations for AppLocker - docs.ms
- Requirements to use AppLocker - docs.ms
- Administer AppLocker - docs.ms
- How AppLocker works - docs.ms
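An added example (mine, not from the Microsoft documentation) of the deployment order the guides above recommend: build rules from what is actually installed, deploy in audit mode first, and read what audit mode would have blocked before enforcing. The directory, temp path and function name are assumptions; the cmdlets, event log and event ID are documented.

```powershell
# Inventory installed files and build publisher rules for signed files, hash rules for the rest.
# Repeat for other trusted roots (C:\Windows, 'C:\Program Files (x86)') and merge, or add the
# default rules from the GUI; rules built from one directory alone are not a complete policy.
$info = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll, Script, WindowsInstaller
$policyXml = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User 'Everyone' -Optimize -Xml

# Force every rule collection to AuditOnly: an enforced policy with a gap is a self-inflicted outage.
$xml = [xml]$policyXml
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
$path = Join-Path $env:TEMP 'applocker-audit.xml'
$xml.Save($path)
Set-AppLockerPolicy -XmlPolicy $path

# AppLocker evaluates nothing unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 8003 in the 'EXE and DLL' log = file ran, but would have been blocked under enforcement.
function Get-AppLockerAuditHits {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, UserId, Message
}
Get-AppLockerAuditHits
```

Once the 8003 stream is quiet for a representative period, flip EnforcementMode to Enabled. The script and MSI collections have their own logs (Microsoft-Windows-AppLocker/MSI and Script), so check those too; the oddvar.moe case studies below are the reading for why a path rule on a user-writable directory undoes the whole exercise.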
-
-
Articles/Blogposts/Writeups
- Getting Started With AppLocker - John Strand(2019)
- Script Rules in AppLocker - technet
- DLL Rules in AppLocker
- Application Whitelisting Using Microsoft AppLocker
- Harden Windows with AppLocker – based on Case study Part 1 - oddvar.moe
- Harden Windows with AppLocker – based on Case study part 2 - oddvar.moe
- AppLocker Case study: How insecure is it really? Part 1 oddvar.moe
- AppLocker Case study: How insecure is it really? Part 2 - oddvar.moe
- Talks/Presentations/Videos
-
-
Auditing Account Passwords/Privileges
- Account lockout threshold - technet
- Password Policy - technet
-
AccessChk
- As a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.
-
Guarded Fabric/Shielded VMs
- Guarded fabric and shielded VMs
- Shielded VMs – additional considerations when running a guarded fabric - blogs.technet
- Shielded VMs: A conceptual review of the components and steps necessary to deploy a guarded fabric
- Step-by-step: Quick reference guide to deploying guarded hosts
- Step by Step – Configuring Guarded Hosts with Virtual Machine Manager 2016 - blogs.technet
- Guarded Fabric Deployment Guide for Windows Server 2016
- Step by Step – Configuring Key Protection for the Host Guardian Service in Windows Server 2016
- Why use shielded VMs for your privileged access workstation (PAW) solution?
- Frequently Asked Questions About HGS Certificates
- Join Host Guardian Servers to an existing bastion forest
- Step by Step: Shielding existing VMs without VMM - blogs.technet
- Step by Step – Shielded VM Recovery - blogs.technet
-
Group Policy
- The 10 Windows group policy settings you need to get right
- Group Policy for WSUS - grouppolicy.biz
- GPO Best Policies - grouppolicy.biz
- Securing Windows with Group Policy - Josh Rickard - Derbycon7
- Guidance on Deployment of MS15-011 and MS15-014 - blogs.technet
- MS15-011 & MS15-014: Hardening Group Policy - blogs.technet
-
Hardening
-
Awesome Windows Domain Hardening
- A curated list of awesome Security Hardening techniques for Windows.
- Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7 - technet
- Harden windows IP Stack
-
Secure Host Baseline
- Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. iadgov
- Second section good resource for hardening windows
-
Secure-Host-Baseline
- Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. iadgov
-
Network access: Restrict clients allowed to make remote calls to SAM - docs.ms
- The Network access: Restrict clients allowed to make remote calls to SAM security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and Active Directory. The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the KB articles listed in Applies to section of this topic.
-
SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016
- "SAMRi10" tool is a short PowerShell (PS) script which alters remote SAM access default permissions on Windows 10 & Windows Server 2016. This hardening process prevents attackers from easily getting some valuable recon information to move laterally within their victim's network.
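An added example (mine, not the SAMRi10 script) that reads the policy's backing value and decodes it, so an audit can answer "who may enumerate SAM remotely on this host" rather than eyeballing an SDDL string, and sets it to the hardened default plus an optional allow-list. The registry value and default SDDL are documented; the helper names and the scanner-group SID are assumptions.

```powershell
# 'Network access: Restrict clients allowed to make remote calls to SAM' is an SDDL string
# under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSam.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name = 'RestrictRemoteSam'

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Get-RemoteSamPolicy {
    $sddl = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $sddl) { return $null }   # not configured: pre-1607 behaviour, any authenticated user may enumerate
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        [pscustomobject]@{
            Type       = $ace.AceType
            Principal  = Resolve-SidName $ace.SecurityIdentifier
            AccessMask = '0x{0:X}' -f $ace.AccessMask   # 0x20000 = READ_CONTROL ('RC'), the bit SAM checks
        }
    }
}

function Set-RemoteSamPolicy {
    # Default on Windows 10 1607+/Server 2016 is Administrators only. Add one group for tooling that
    # legitimately needs SAMR (vulnerability scanner, a blue-team BloodHound collector) and nothing else.
    param([string[]]$AllowSid = @())
    $sddl = 'O:BAG:BAD:(A;;RC;;;BA)'
    foreach ($s in $AllowSid) { $sddl += "(A;;RC;;;$s)" }
    Set-ItemProperty -Path $key -Name $name -Value $sddl -Type String
    return $sddl
}

Get-RemoteSamPolicy
# Set-RemoteSamPolicy -AllowSid 'S-1-5-21-...-1105'   # hypothetical scanner group SID
```

Audit event 16962 (Microsoft-Windows-Directory-Services-SAM) is logged for remote SAM calls that the policy denied, which is the fastest way to see which legitimate tooling breaks before rolling the setting out by GPO.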
-
Enable Attack surface reduction - docs.ms
- Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
- Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
-
LogonTracer
- Investigate malicious Windows logon by visualizing and analyzing Windows event log
-
Software Restriction Policies - docs.ms
- This topic for the IT professional describes Software Restriction Policies (SRP) in Windows Server 2012 and Windows 8, and provides links to technical information about SRP beginning with Windows Server 2003.
- Detecting Lateral Movement through Tracking Event Logs - JPCERTCC
- Detecting Lateral Movements in Windows Infrastructure - CERT-EU
-
Designing a Multilayered, In-Depth Defense Approach to AD Security - Quest.com
- There are a number of configuration options we recommend for securing high privileged accounts. One of them, enabling 'Account is sensitive and cannot be delegated', ensures that an account’s credentials cannot be forwarded to other computers or services on the network by a trusted application.
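An added example (mine, not from the Quest article) that finds the privileged accounts still missing that flag and, because the flag only matters where a credential can be captured, the non-DC hosts trusted for unconstrained delegation. It assumes the ActiveDirectory RSAT module; the queries run as any domain user, the remediation line needs rights on the accounts.

```powershell
Import-Module ActiveDirectory

# userAccountControl bits and the LDAP bitwise-AND matching rule.
$NOT_DELEGATED          = 0x100000   # 'Account is sensitive and cannot be delegated'
$TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation on a computer/service account
$band = '1.2.840.113556.1.4.803'

# 1. Privileged accounts (adminCount=1, i.e. under AdminSDHolder) that are still delegatable.
$exposed = Get-ADUser -LDAPFilter "(&(adminCount=1)(!(sAMAccountName=krbtgt))(!(userAccountControl:$band:=$NOT_DELEGATED)))" `
    -Properties AccountNotDelegated, memberOf
"Privileged accounts without the 'cannot be delegated' flag: $(@($exposed).Count)"
$exposed | Select-Object SamAccountName, Enabled, AccountNotDelegated | Format-Table -AutoSize

# 2. Where such a credential would be captured: any host with unconstrained delegation that is
#    not a domain controller (DCs have it by design).
$dcs = (Get-ADDomainController -Filter *).Name
Get-ADComputer -LDAPFilter "(userAccountControl:$band:=$TRUSTED_FOR_DELEGATION)" -Properties TrustedForDelegation, OperatingSystem |
    Where-Object { $dcs -notcontains $_.Name } |
    Select-Object Name, DNSHostName, OperatingSystem | Format-Table -AutoSize

# Remediation for (1). Members of the Protected Users group get the same guarantee
# (no delegation, plus no NTLM and no RC4/DES) without the per-account flag.
# $exposed | Where-Object Enabled | Set-ADAccountControl -AccountNotDelegated $true
```

Both lists together describe the classic unconstrained-delegation compromise: an admin without the flag authenticates to a server from list 2, the server caches a forwardable TGT for that admin, and whoever owns the server owns the domain. Emptying either list breaks the chain; emptying both is the goal.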
- New features in Active Directory Domain Services in Windows Server 2012, Part 11: Kerberos Armoring (FAST) - Sander Berkouwer
- Protect your enterprise data using Windows Information Protection (WIP) - docs.ms
-
-
Just Enough Administration (JEA)
- Just Enough Administration - docs.ms
- Just Enough Administration: Windows PowerShell security controls help protect enterprise data - msdn
- JEA Pre-requisites
- JEA Role Capabilities
- JEA Session Configurations
- Registering JEA Configurations
- Using JEA
- JEA Security Considerations
- Auditing and Reporting on JEA
Just Enough Administration Samples and Resources
- Just Enough Administration (JEA) is a PowerShell security technology that provides a role based access control platform for anything that can be managed with PowerShell. It enables authorized users to run specific commands in an elevated context on a remote machine, complete with full PowerShell transcription and logging. JEA is included in PowerShell version 5 and higher on Windows 10 and Windows Server 2016, and older OSes with the Windows Management Framework updates.
KRBTGT
- Kerberos & KRBTGT: Active Directory’s Domain Kerberos Service Account - adsecurity.org
- KRBTGT Account Password Reset Scripts now available for customers - Tim Rains(Ms.com)
- AD Forest Recovery - Resetting the krbtgt password - docs.ms
- PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs - Jorge
LLMNR/NBNS
Conveigh
- Conveigh is a Windows PowerShell LLMNR/NBNS spoofer detection tool. LLMNR/NBNS requests sent by Conveigh are not legitimate requests to any enabled LLMNR/NBNS services. The requests will not result in name resolution in the event that a spoofer is present.
Respounder
- Respounder sends LLMNR name resolution requests for made-up hostnames that do not exist. In a normal non-adversarial network we do not expect such names to resolve. However, a responder, if present in the network, will resolve such queries and therefore will be forced to reveal itself.
asker
- This tool takes a list of known-bogus local hostnames and sends out LLMNR requests for them every 5-25 legitimate LLMNR requests from other hosts. This is intended for use by a blue team who wants to catch a red team or attacker using Responder, who either does not target-select carefully enough, or falls for the bogus hostnames, which should be tailored to the environment (e.g. if there is a DC named "addc1", you might want to add "adddc1" to the list).
Local Administrator Password Solution
101
Local Administrator Password Solution - technet
- The "Local Administrator Password Solution" (LAPS) provides a centralized storage of secrets/passwords in Active Directory (AD) - without additional computers. Each organization’s domain administrators determine which users, such as helpdesk admins, are authorized to read the passwords.
- Introduction to Microsoft LAPS (Local Administrator Password Solution) - 4sysops
Articles/Blogposts/Writeups
- Auditing Access to LAPS Passwords in Active Directory - Russell Smith
- Microsoft security advisory: Local Administrator Password Solution
- Set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory - 4sysops (https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/)
- FAQs for Microsoft Local Administrator Password Solution (LAPS) - Part 1 - 4sysops
- Talks/Presentations/Videos
- NTLM
Office Documents/Macros/DDE/Flavor-of-the-week
- Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields
- Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016
- New feature in Office 2016 can block macros and help prevent infection (2016)
- Block or unblock external content in Office documents - support.office
CIRCLean
- CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks. The device automatically converts untrusted documents into a readable but disarmed format and stores these clean files on a trusted (user owned) USB key/stick.
- Github
- Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields - docs.ms
Passwords
Articles/Blogposts/Writeups
- Active Directory Password Blacklisting - Leeren Chang(2018)
- Azure AD and ADFS best practices: Defending against password spray attacks
- Detect Password Spraying With Windows Event Log Correlation
- Managing Domain Password Policy in the Active Directory - WindowsOSHub
- Configuring Password Policies with Windows Server 2016 - Mukhatar Jafari
- Password Policy - docs.ms
- Talks/Presentations/Videos
Tools
Domain Password Audit Tool (DPAT)
- This is a Python script that generates password-use statistics from password hashes dumped from a domain controller and a password crack file such as the hashcat.potfile produced by Hashcat during password cracking. The output is an HTML report with clickable links.
- Tutorial Video & Demo
Articles/Blogposts/Writeups
Privileged Access Workstation
What Is
- Privileged Access Workstation (PAW) - blogs.technet
How Microsoft IT used Windows 10 and Windows Server 2016 to implement privileged access workstations
- As part of the security strategy to protect administrative privilege, Microsoft recommends using a dedicated machine, referred to as a PAW (privileged access workstation), for administrative tasks, and using a separate device for the usual productivity tasks such as Outlook and Internet browsing. It can be costly for the company to acquire machines just for server administrative tasks, and inconvenient for the admins to carry multiple machines. In this session, we show you how MSIT uses shielded VMs on the new release of the Windows client to implement a PAW.
- Documentation
- Setup
- Reference
PowerShell
Articles/Blogposts/Writeups
- PowerShell ♥ the Blue Team
- Powershell Security at Enterprise Customers - blogs.msdn
- More Detecting Obfuscated PowerShell
- Detecting and Preventing PowerShell Downgrade Attacks - leeholmes
- Creating a Secure Environment using PowerShell Desired State Configuration - blogs.ms
Securing PowerShell in the Enterprise - Australian Cyber Security Center(2020)
- This document describes a maturity framework for PowerShell in a way that balances the security and business requirements of organisations. This maturity framework will enable organisations to take incremental steps towards securing PowerShell across their environment.
Talks & Presentations
- Hijacking .NET to Defend PowerShell - Amanda Rousseau(BSidesSF 2017)
Automating security with PowerShell - Jaap Brasser (@Jaap_Brasser)
- There is no doubt that security has been in the spotlight over the last few years; recent events have been responsible for the increased demand for better and more secure systems. Security was often treated as an afterthought or something that could be implemented 'later'. In this session, we will go over some best practices, using existing tools and frameworks to help you set up a more secure environment and to get a grasp of what is happening in your environment. We will leverage your existing automation skills to secure and automate these workflows. Expect a session with a lot of demos and resources that can be implemented directly.
Tools
Revoke-Obfuscation - tool
- PowerShell v3.0+ compatible PowerShell obfuscation detection framework.
- Revoke Obfuscation PowerShell Obfuscation Detection And Evasion Using Science Lee Holmes Daniel - Derbycon7 - talk
PSRecon
- PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
Articles/Blogposts/Writeups
- Services
- SMB
- Unwanted Admins
USB Detection
BEAMGUN
- A rogue-USB-device defeat program for Windows.
- How to Analyze USB Device History in Windows - magnetforensics.com
- How to track down USB flash drive usage with Windows 10's Event Viewer - techrepublic
Tools
Artillery
- Artillery is a combination of a honeypot, monitoring tool, and alerting system. Eventually this will evolve into a hardening monitoring platform as well, to detect insecure configurations on *nix systems.
zBang
- zBang is a special risk assessment tool that detects potential privileged account threats in the scanned network.
- Blogpost
Visualization/Tracking/Reporting
- General
Userline
- This tool automates the process of creating logon relations from MS Windows Security Events, showing a graphical relation among users, domains, source and destination logons, as well as session duration.
VOYEUR
- VOYEUR's main purpose is to automate several tasks of an Active Directory build review or security assessment. The tool is also able to create a fast (and pretty) Active Directory report. It is developed entirely in PowerShell without dependencies such as the Microsoft Remote Server Administration Tools (just .NET Framework 2.0, and Office Excel if you want a useful and pretty report). The generated report is a good starting point for forensic and incident response teams, security consultants or security researchers who want to quickly analyze threats in Active Directory Domain Services.
WMI
- General
Tools
Uproot
- Uproot is a Host Based Intrusion Detection System (HIDS) that leverages Permanent Windows Management Instrumentation (WMI) Event Subscriptions to detect malicious activity on a network. For more details on WMI Event Subscriptions please see the WMIEventing Module.
WMIEvent
- A PowerShell module to abstract the complexities of Permanent WMI Event Subscriptions
Advanced Threat Analytics
- 101
Articles/Blogposts/Writeups
Working with Suspicious Activities - docs.ms(2018)
- This article explains the basics of how to work with Advanced Threat Analytics.
- Advanced Threat Analytics suspicious activity guide - docs.ms(2019)
ATA Console: Sensitive Groups
- The following groups are considered Sensitive by ATA. Any entity that is a member of these groups is considered sensitive.
- Best Practices for Securing Advanced Threat Analytics - techcommunity.ms
- Microsoft Advanced Threat Analytics – My best practices - Oddvar Moe
- Talks/Presentations/Videos
Advanced Threat Protection
101
- What's new in Windows Server 2019 - docs.ms
Microsoft Defender Advanced Threat Protection - ms
- Microsoft Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
Articles/Blogposts/Writeups
- Detecting reflective DLL loading with Windows Defender ATP - cloudblogs.ms
- WindowsDefenderATP-Hunting-Queries - MS's Github
- Sample queries for Advanced hunting in Windows Defender ATP
WindowsDefenderATP-Hunting-Queries
- This repo contains sample queries for Advanced hunting on Windows Defender Advanced Threat Protection. With these sample queries, you can start to experience Advanced hunting, including the types of data that it covers and the query language it supports. You can also explore a variety of attack techniques and how they may be surfaced through Advanced hunting.
- Onboard non-Windows machines(ATP) - docs.ms
- Talks/Presentations/Videos
Auditing Processes
- Know your Windows Processes or Die Trying - sysforensics
TaskExplorer
- Explore all the tasks (processes) running on your Mac with TaskExplorer.
Baselining
- Measure Boot Performance with the Windows Assessment and Deployment Toolkit
- Securing Windows Workstations: Developing a Secure Baseline
- Evaluate Fast Startup Using the Assessment Toolkit
- Windows Performance Toolkit Reference
- The Malware Management Framework
- Securing Windows Workstations: Developing a Secure Baseline - adsecurity.org
ADRecon
- ADRecon is a tool which extracts various artifacts out of an AD environment into a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. The report can provide a holistic picture of the current state of the target AD environment. It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) account; Fine Grained Password Policy, LAPS and BitLocker data may require a privileged user account. The tool will use the Microsoft Remote Server Administration Tools (RSAT) if available, otherwise it will communicate with the Domain Controller using LDAP.
CMD.exe Analysis
Invoke-DOSfuscation
- Cmd.exe Command Obfuscation Generator & Detection Test Harness
- Credential Guard
Device Guard
- Device Guard and Credential Guard hardware readiness tool
- Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control - docs.ms
- Requirements and deployment planning guidelines for Windows Defender Device Guard - docs.ms
- Driver compatibility with Device Guard in Windows 10 - docs.ms
Defender Application Control
Planning and getting started on the Windows Defender Application Control deployment process - docs.ms
- This topic provides a roadmap for planning and getting started on the Windows Defender Application Control (WDAC) deployment process, with links to topics that provide additional detail. Planning for WDAC deployment involves looking at both the end-user and the IT pro impact of your choices.
Event Log & Monitoring
- General
Event Forwarding
Windows Event Forwarding Guidance
- Over the past few years, Palantir has maintained an internal Windows Event Forwarding (WEF) pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. Once these events are collected and indexed, alerting and detection strategies (ADS) can be constructed not only on high-fidelity security events (e.g. log deletion), but also on deviations from normalcy, such as unusual service account access, access to sensitive filesystem or registry locations, or installation of malware persistence. The goal of this project is to provide the necessary building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and to centralize public efforts to improve WEF subscriptions and encourage adoption. While WEF has become more popular in recent years, it is still dramatically underrepresented in the community, and it is our hope that this project may encourage others to adopt it for incident detection and response purposes. We acknowledge the efforts that Microsoft, IAD, and other contributors have made to this space and wish to thank them for providing many of the subscriptions, ideas, and techniques that will be covered in this post.
Tools
DCSYNCMonitor
- Monitors for DCSYNC and DCSHADOW attacks and creates custom Windows Events for these events.
EventLogParser
- Parse PowerShell and Security event logs for sensitive information.
Firewall
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
General Hardening
General
Awesome Windows Domain Hardening
- A curated list of awesome Security Hardening techniques for Windows.
- Documentation
Guides
- Enable Attack surface reduction (Win10) - docs.ms
- Harden Windows IP Stack
Secure Host Baseline
- Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings - iadgov
- Windows Server guidance to protect against speculative execution side-channel vulnerabilities
End user device (EUD) security guidance - NCSC.gov.uk
- Guidance for organisations deploying a range of end user device platforms as part of a remote working solution
Educational/Informative
- The Evolution of Protected Processes – Part 1: Pass-the-Hash Mitigations in Windows 8.1
- The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services
- Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Signers, Root Keys, EKUs & Runtime Signers)
- Mitigate threats by using Windows 10 security features
.NET Instrumentation
ClrGuard
- ClrGuard is a proof-of-concept project to explore instrumenting the Common Language Runtime (CLR) for security purposes. ClrGuard leverages a simple AppInit DLL (ClrHook32/64.dll) in order to load into all CLR/.NET processes. From there, it performs an in-line hook of security-critical functions. Currently, the only implemented hook is on the native LoadImage() function. When events are observed, they are sent over a named pipe to a monitoring process for further introspection and mitigation decisions.
- Powershell
Service Accounts
Service Account best practices Part 1: Choosing a Service Account
- In this article you will learn the fundamentals of Windows service accounts. Specifically, it covers the options and best practices for selecting a service account for a particular service application.
Service Account best practices - Part 2: Least Privilege implementation
- In this article you will learn some best-practice suggestions for using service applications according to the IT security rule of least privilege.
- Best Practice: Securing Windows Service Accounts and Privileged Access – Part 1 - SecurIT360
- Best Practice: Securing Windows Service Accounts and Privileged Access – Part 2 - SecurIT360
- Securing Windows Service Accounts (Part 1) - Derek Meiber(2013)