Jan 01

Attack Methods for Gaining Domain Admin Rights in Active Directory

There are many ways an attacker can gain Domain Admin rights in Active Directory. This post is meant to describe some of the more popular ones in current use. The techniques described here “assume breach” where an attacker already has a foothold on an internal system and has gained domain user credentials (aka post-exploitation).

The unfortunate reality for most enterprises, is that it often does not take long from an attacker to go from domain user to domain admin. The question on defenders’ minds is “how does this happen?”.

The attack frequently starts with a spear-phishing email to one or more users enabling the attacker to get their code running on a computer inside the target network. Once the attacker has their code running inside the enterprise, the first step is performing reconnaissance to discover useful resources to escalate permissions, persist, and of course, plunder information (often the “crown jewels” of an organization).

While the overall process detail varies, the overall theme remains:

  • Malware Injection (Spear-Phish, Web Exploits, etc)
  • Reconnaissance (Internal)
  • Credential Theft
  • Exploitation & Privilege Escalation
  • Data Access & Exfiltration
  • Persistence (retaining access)

We start with the attacker having a foothold inside the enterprise, since this is often not difficult in modern networks. Furthermore, it is also typically not difficult for the attacker to escalate from having user rights on the workstation to having local administrator rights. This escalation can occur by either exploiting an unpatched privilege escalation vulnerability on the system or more frequently, finding local admin passwords in SYSVOL, such as Group Policy Preferences.

I spoke about most of these techniques when at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON, & DerbyCon).

I also covered some of these issues in the post “The Most Common Active Directory Security Issues and What You Can Do to Fix Them“.

Read the rest of this entry »

Oct 14

The Most Common Active Directory Security Issues and What You Can Do to Fix Them

The past couple of years of meeting with customers is enlightening since every environment, though unique, often has the same issues. These issues often boil down to legacy management of the enterprise Microsoft platform going back a decade or more.

I spoke about Active Directory attack and defense at several security conferences this year including BSides, Shakacon, Black Hat, DEF CON, and DerbyCon. These talks include information about how to best protect the Active Directory enterprise from the latest, and most successful, attack vectors.

While the threats have changed over the past decade, the way systems and networks are managed often have not. We continue with the same operations and support paradigm despite the fact that internal systems are compromised regularly. We must embrace the new reality of “Assume Breach.”

Assume breach means that we must assume that an attacker has control of a computer on the internal network and can access the same resources the users who have recently logged on to that computer has access to.
Note that when I describe risks and mitigations of Active Directory,this includes overall enterprise configuration.

Here are some of the biggest AD security issues (as I see them). This list is not complete, but reflects common enterprise issues.
I continue to find many of these issues when I perform Active Directory Security Assessments for organizations.

Read the rest of this entry »

Jul 19

Black Hat USA 2016 Talk – Beyond the MCSE: Active Directory for the Security Professional

This summer in Las Vegas, I’m speaking at Black Hat USA 2016 on Active Directory security, “Beyond the MCSE: Active Directory for the Security Professional.” This talk covers the key AD security components with specific focus on the things security professionals should know.

I put this talk together because I have noticed that while Active Directory admins, engineers, and MCSEs typically know what areas of Active Directory are critical security components, others often do not. The presentation covers the core AD components and how they impact enterprise security before diving into the most common AD security issues, new AD security enhancements in recent Windows versions, and AD security best practices.

On Wednesday, August 3rd, 2016, I am speaking at the Mandalay Bay room GH from 10:20am to 11:10am.

BHUSA2016-metcalf

Here’s my talk description from the Black Hat website:

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities. This means that both Red and Blue teams need to have a better understanding of Active Directory, it’s security, how it’s attacked, and how best to align defenses. This presentation covers key Active Directory components which are critical for security professionals to know in order to defend AD. Properly securing the enterprise means identifying and leveraging appropriate defensive technologies. The provided information is immediately useful and actionable in order to help organizations better secure their enterprise resources against attackers. Highlighted are areas attackers go after including some recently patched vulnerabilities and the exploited weaknesses. This includes the critical Kerberos vulnerability (MS14-068), Group Policy Man-in-the-Middle (MS15-011 & MS15-014) and how they take advantages of AD communication.

Some of the content covered:

  • Differing views of Active Directory: admin, attacker, and infosec.
  • The differences between forests and domains, including how multi-domain AD forests affect the security of the forest.
  • Dig into trust relationships and the available security features describing how attack techniques are impacted by implementing these trust security features.
  • AD database format, files, and object storage (including password data).
  • Read-Only Domain Controllers (RODCs), security impact, and potential issues with RODC implementation.
  • Key Domain Controller information and how attackers take advantage.
  • Windows authentication protocols over the years and their weaknesses, including Microsoft’s next-generation credential system, Microsoft Passport, and what it means for credential protection.
  • Security posture differences between AD on-premises and in the cloud (Microsoft Azure AD vs Office 365).
  • Key Active Directory security features in the latest Windows OS versions – the benefits and implementation challenges.

Let’s go beyond the standard MCSE material and dive into how Active Directory works focusing on the key components and how they relate to enterprise security.

For the curious, here’s an outline of my talk at Black Hat next week:

Read the rest of this entry »

Jul 06

DEF CON 24 (2016) Talk – Beyond the MCSE: Red Teaming Active Directory

This August at DEF CON 24, I will be speaking about Active Directory security evaluation in my talk “Beyond the MCSE: Red Teaming Active Directory”. This talk is focused on the Red side of AD security, specifically how to best evaluate the security of AD and quickly identify potential security issues. Whether you perform “Red Teaming” or “Penetration testing”, this presentation covers efficient methods of Active Directory recon which can quickly identify AD privilege escalation methods, several of which aren’t well described or understood. Also discussed are the latest Active Directory defensive measures, what this means to the Red Teamer, and potential bypasses.
Note that this is the 3rd talk at DEF CON and is on Thursday, DEF CON’s opening day.

DEFCON24-2016-BTMCSE-TitleSlide

On Thursday, August 4th, 2016, I have a DEF CON 101 talk from 12:00pm to 12:50pm in the Pacific Ballroom (Bally’s Jubilee Tower, 2nd floor).
DEF CON 24 Floorplan (map)

Here’s my talk description from the DEF CON website:

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn’t know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk.

Let’s go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics.


DEF CON 24 talk outline:

Read the rest of this entry »

Jun 26

So You Want to Speak at a Security Conference Part 2: How to Craft a Great Talk for a Security Conference!

This is a continuation of my earlier “So You Want to Speak at a Security Conference?” post where I cover creating a good submission to speak at a conference. I have spoken a handful of times and am definitely not an expert, though I do want to share some of the best tips I’ve discovered with others. I don’t have all the answers and I’m not an expert speaker. What I do have is some speaking experience at some notable security conferences and the tips and strategy that got me through them. 🙂 Hopefully these posts help you.

 

The Acceptance

After putting together a stellar presentation submission, you receive an email with the words you were hoping for: “your submission is accepted!”
This email arrives weeks if not months after submitting to a conference and typically about 1-3 months before the actual conference date.

After taking some time to celebrate, and you really should since most conferences get more submissions than available slots (often many times that number), it’s time to get down to business. This is also a good time to make travel arrangements (assuming you need to travel). Also review the conference CFP pages and/or speaker section (if available) for speaker logistics.

Before getting started, please read through Speaking.io it’s a great resource and has lots of great tips for speakers.

The important ones:

  • Presentation duration – usually 45 – 50 minutes, though some conferences also have other presentation formats, like 20 or 100 minutes.
  • Milestone dates:
    • Deadline to update abstract/summary and bio.
    • Deadline for slides/whitepaper/other material (typically for conference CD/DVD)
  • Projector: standard or widescreen (this matters for your slide format)
  • Note if there’s a presentation template and/or file type requirement (PDF is typically required).

Also remember that the email address the acceptance was sent to will be the one conference/speaker updates are sent to, if there are any changes (i.e. you switch jobs, etc), make sure the conference contact knows about it.

 

Creating the Presentation

The first thing to do is to review your submission (hopefully you also included an outline) and start mapping out the presentation narrative. This is the time to figure out how you are going to get all the content in the abstract/summary into the presentation slides.

Make sure that the presentation slide material, including demos, can be covered in the time allowed.

Read the rest of this entry »

Apr 24

BSides Charm Presentation Posted: PowerShell Security: Defending the Enterprise from the Latest Attack Platform

This was my second year speaking at BSides Charm in Baltimore. Last year I spoke about Active Directory attack & defense and it was my first time speaking at a conference. 🙂

The presentation slides for my talk “PowerShell Security: Defending the Enterprise from the Latest Attack Platform” are now on the Presentations tab here on ADSecurity.org. The talk was recorded, so follow @BSidesCharm on Twitter for information about video publishing.

AD Security Presentations

Here’s my PowerShell talk description:

PowerShell is a boon to administrators, providing command consistency and the ability to quickly gather system data and set configuration settings. However, what can be used to help, can also be used for less altruistic activities. Attackers have quickly learned over the past few years that leveraging PowerShell provides simple bypass methods for most defenses and a platform for initial compromise, recon, exploitation, privilege escalation, data exfiltration, and persistence.

With the industry shift to an “”Assume Breach”” mentality, it’s important to understand the impact on the defensive paradigm. Simply put, don’t block PowerShell, embrace it. Blocking PowerShell.exe does not stop PowerShell execution and can provide a false sense of security. The key is monitoring PowerShell usage to enable detection of recon and attack activity. As attack tools like the recently released PowerShell Empire become more prevalent, it’s more important than ever to understand the full capabilities of PowerShell as an attack platform as well as how to effectively detect and mitigate standard PowerShell attack methods.

The presentation walks the audience through the evolution of PowerShell as an attack platform and shows why a new approach to PowerShell attack defense is required. Some Active Directory recon & attack techniques are shown as well as potential mitigation. This journey ends showing why PowerShell version 5 should be the new baseline version of PowerShell due to new defensive capability.

This talk is recommended for anyone tasked with defending an organization from attack as well as system administrators/engineers.


BSides Charm talk outline:

  • Brief PowerShell Overview
  • Typical PowerShell defenses (and why they fail)
  • PowerShell as an Attack Platform
  • Real-world PowerShell attacks
  • PowerShell Persistence
  • PowerShell without PowerShell.exe
  • PowerShell Remoting
  • PowerShell Logging & Attack Detection
  • PowerShell Defenses
  • PowerShell v5 Security Enhancements
  • Windows 10 PowerShell Security
  • Securing PowerShell: A Layered Defense
  • Appendix: Microsoft Office Macro Security

Some of this information is in the post titled “Detecting Offensive PowerShell Attack Tools “.

As a follow-up to one of the questions regarding the Invoke-NinjaCopy powershell tool that can copy a locked file from a server (such as NTDS.dit), I refer you to the author’s blog post on his tool.

There was also a question after the talk about managing computers without leaving credentials behind. PowerShell remoting is ideal since it uses a “Network” logon where no credentials are placed on the target system. This has been a problem with RDP since logging into a server via RDP involves entering a username and password. This action usually involves placing the user credentials on the remote system and when connected to a computer via RDP, the user credentials are placed on that system. RDP /RestrictedAdmin is a new feature (now available for Windows 7 / Windows 2008 R2 and newer) which prevents the credentials from being placed on the target RDP server, so they can’t be stolen. This is great for help desk support that needs to RDP to user workstations as a workstation admin. When using standard RDP, these credentials could be stolen. With RDP /RestrictedAdmin, the credentials aren’t on the box to take.

Thanks to the BSides Charm organizers for a great event!

Follow-up note:
Test PowerShell logging levels. Someone reported to me that checking the box “Log script block invocation start / stop events” can generate a large amount of PowerShell log events, so check before deploying.

 

Mar 25

DarkOperator.com: Using PowerShell to Gather Information from Active Directory

Carlos Perez (@DarkOperator) recently posted on DarkOperator.com how to use PowerShell to get data from Active Directory. He is working on an Active Directory audit PowerShell project and is documenting most of the work put into it. He also covers leveraging functions for portability and using Pester to write better PowerShell code  (as well as debug and handle error conditions better). Carlos also walks through how to properly code a PowerShell module as well as create and use a PowerShell project in GitHub (something I need to do better! 🙂 ). Anyone who uses PowerShell to gather Active Directory data should read these posts. The amount of detail he put into these posts is impressive and they are well worth reading!

 

1 Writing a Active Directory Audit Module – Creating the Project

I got in my head this week that I would like to write a Windows PowerShell module for getting information from Active Directory for the purpose of gathering information to aid in detecting miss configurations and also aid in incident response. My idea is to write the module and start publishing blog posts as I go through the process of writing the code and how I go about it. This will be my first experience with Pester also so I think it would be a fun adventure.

Requirements

I start by setting goals for the module, these are:

  • All output from each function will be objects.
  • I will assign each object a custom type so I can create custom views for the output.
  • The module must not depend on the ActiveDirectory module that ships with the different RSAT tools and use .NET and COM so as to leverage the use alternate credentials.
  • Module should be able to pull information as a base for Users, Groups, Computers, Sites, Domains, Forest, OUs and GPOs.
  • Module will be PSv3 or above so as to use new improvements int he latest versions of Windows PowerShell.

2 Writing a Active Directory Audit Module – Getting Forest Info

Carlos covers several scenarios that may arise when attempting to gather Active Directory forest data using PowerShell, including connecting to the current forest as well as others.

In the last blog post we covered setting the goals for the project, general guidelines, how I set up a project in GitHub and the creation of the module manifest. In this blog post we will cover some of the API around Active Directory that we can use in Windows PowerShell to access and query it either from a host already in the domain or with alternate credentials against a specific host.

Currently when working in Windows PowerShell there are 4 main ways to interact with Active Directory:

  • Active Directory module – gets installed with RSAT or when then Domain Controller role is added to a server. Varies per version of Windows.
  • System.DirectoryServices Namespace – it is a .Net wrapper around the ADSI (Active Directory Service Interface) COM object. It represents a specific path or Object in AD allowing for the pulling of information and modification.
  • System.DirectoryServices.ActiveDirectory namespace – It provides several .Net classes that abstract AD services. Provides access to manipulating forest, domain, site, subnet, partition, and schema are part of the object model.
  • System.DirectoryServices.AccountManagement namespace provides uniform access and manipulation of user, computer, and group security principals

Each one of the namespaces have their own peculiarities and uses. The most powerful one is classes under System.DirectoryServices do to the control it provides but with it comes more complexity, this is why it is used for those cases where the other 2 do not fit a specific role or complex searches of AD are required.

 

3 Writing a Active Directory Audit Module – Getting a DirectoryEntry

Extending the information

In the previous blog post when we look at the object returned it has all of the information properly parsed and shown so I do not have to run around parsing fields and converting them but for me a critical piece of information is not shown and that is the SID of the forest domain. If you have played with analysis of some logs and with Mimikatz attacks you know the SID is of great importance. For this we will use the System.DirectoryServices namespace, specifically the DirectoryEntry class that represents a path in AD.

Designing Get-DSDirectoryEntry

We will create a helper function to generate the DirectoryEntry object, by creating the function we ensure we do not duplicate a lot of code unless we have to and will also make it easier to test.

Before we start coding lets define what we want to achieve and this is dictated in part by the APIs we want to use. in this case the Class has several constructors to create an instance of it:

We want to be able to get a DirectoryEntry int he following manners:

  • For a specified path using the current user credentials.
  • For a specified path using alternated credentials.
  • For a specified path by connecting to a server and providing credentials

 

 

Mar 14

Sneaky Active Directory Persistence #17: Group Policy

The content in this post describes a method through which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes.

Complete list of Sneaky Active Directory Persistence Tricks posts

This post explores how an attacker could leverage the built-in Active Directory management capability called Group Policy and how to mitigate potential security issues.

Read the rest of this entry »

Mar 09

Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes.

All posts in my Sneaky Active Directory Persistence Tricks series

This post explores how an attacker could leverage computer account credentials to persist in an enterprise and how to mitigate potential security issues.

Read the rest of this entry »

Mar 02

ADSecurity.org’s Unofficial Guide to Mimikatz & Command Reference Updated for Mimikatz v2.1 alpha 20160229

ADSecurity.org’s Unofficial Guide to Mimikatz & Command Reference page is updated for the new modules/features in Mimikatz v2.1 alpha 20160229.

According to Mimikatz author, Benjamin Delpy, the following updates are included in the most recent Mimikatz version(s):

Mimikatz Release Date: 2/29/2016
2.1 alpha 20160229 (oe.eo) edition
System Environment Variables & other stuff
[new] System Environment Variables user module
[new] System Environment Variables kernel IOCTL for Set
[enhancement] privilege::sysenv
[enhancement] Busylight
[enhancement] misc::skeleton can avoid anti-AES patching for aware clients with /letaes

2.1 alpha 20160217 (oe.eo) edition
[new] crypto::certificates /silent & /nokey flags
[new] crypto::keys /silent flag
[new] kull_m_busylight module now support protocol for new devices

Visit the Unofficial Guide to Mimikatz & Command Reference page

 

Mar 01

ADSecurity.org Now Sponsored by Trimarc!

Sean has founded a new security company called Trimarc focused on providing enterprise security solutions. Launching today, Trimarc’s mission is to identify ways to better protect organizations from modern threats not effectively stopped by traditional security measures.

ADSecurity.org will continue thanks to Trimarc!

Check out Trimarc’s capabilities at TrimarcSecurity.com.

Older posts «