Jan 01

Attack Methods for Gaining Domain Admin Rights in Active Directory

There are many ways an attacker can gain Domain Admin rights in Active Directory. This post is meant to describe some of the more popular ones in current use. The techniques described here “assume breach” where an attacker already has a foothold on an internal system and has gained domain user credentials (aka post-exploitation).

The unfortunate reality for most enterprises, is that it often does not take long from an attacker to go from domain user to domain admin. The question on defenders’ minds is “how does this happen?”.

The attack frequently starts with a spear-phishing email to one or more users enabling the attacker to get their code running on a computer inside the target network. Once the attacker has their code running inside the enterprise, the first step is performing reconnaissance to discover useful resources to escalate permissions, persist, and of course, plunder information (often the “crown jewels” of an organization).

While the overall process detail varies, the overall theme remains:

  • Malware Injection (Spear-Phish, Web Exploits, etc)
  • Reconnaissance (Internal)
  • Credential Theft
  • Exploitation & Privilege Escalation
  • Data Access & Exfiltration
  • Persistence (retaining access)

We start with the attacker having a foothold inside the enterprise, since this is often not difficult in modern networks. Furthermore, it is also typically not difficult for the attacker to escalate from having user rights on the workstation to having local administrator rights. This escalation can occur by either exploiting an unpatched privilege escalation vulnerability on the system or more frequently, finding local admin passwords in SYSVOL, such as Group Policy Preferences.

I spoke about most of these techniques when at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON, & DerbyCon).

I also covered some of these issues in the post “The Most Common Active Directory Security Issues and What You Can Do to Fix Them“.

Read the rest of this entry »

Oct 14

The Most Common Active Directory Security Issues and What You Can Do to Fix Them

The past couple of years of meeting with customers is enlightening since every environment, though unique, often has the same issues. These issues often boil down to legacy management of the enterprise Microsoft platform going back a decade or more.

I spoke about Active Directory attack and defense at several security conferences this year including BSides, Shakacon, Black Hat, DEF CON, and DerbyCon. These talks include information about how to best protect the Active Directory enterprise from the latest, and most successful, attack vectors.

While the threats have changed over the past decade, the way systems and networks are managed often have not. We continue with the same operations and support paradigm despite the fact that internal systems are compromised regularly. We must embrace the new reality of “Assume Breach.”

Assume breach means that we must assume that an attacker has control of a computer on the internal network and can access the same resources the users who have recently logged on to that computer has access to.
Note that when I describe risks and mitigations of Active Directory,this includes overall enterprise configuration.

Here are some of the biggest AD security issues (as I see them). This list is not complete, but reflects common enterprise issues.
I continue to find many of these issues when I perform Active Directory Security Assessments for organizations.

Read the rest of this entry »

Jun 26

So You Want to Speak at a Security Conference Part 2: How to Craft a Great Talk for a Security Conference!

This is a continuation of my earlier “So You Want to Speak at a Security Conference?” post where I cover creating a good submission to speak at a conference. I have spoken a handful of times and am definitely not an expert, though I do want to share some of the best tips I’ve discovered with others. I don’t have all the answers and I’m not an expert speaker. What I do have is some speaking experience at some notable security conferences and the tips and strategy that got me through them. 🙂 Hopefully these posts help you.


The Acceptance

After putting together a stellar presentation submission, you receive an email with the words you were hoping for: “your submission is accepted!”
This email arrives weeks if not months after submitting to a conference and typically about 1-3 months before the actual conference date.

After taking some time to celebrate, and you really should since most conferences get more submissions than available slots (often many times that number), it’s time to get down to business. This is also a good time to make travel arrangements (assuming you need to travel). Also review the conference CFP pages and/or speaker section (if available) for speaker logistics.

Before getting started, please read through Speaking.io it’s a great resource and has lots of great tips for speakers.

The important ones:

  • Presentation duration – usually 45 – 50 minutes, though some conferences also have other presentation formats, like 20 or 100 minutes.
  • Milestone dates:
    • Deadline to update abstract/summary and bio.
    • Deadline for slides/whitepaper/other material (typically for conference CD/DVD)
  • Projector: standard or widescreen (this matters for your slide format)
  • Note if there’s a presentation template and/or file type requirement (PDF is typically required).

Also remember that the email address the acceptance was sent to will be the one conference/speaker updates are sent to, if there are any changes (i.e. you switch jobs, etc), make sure the conference contact knows about it.


Creating the Presentation

The first thing to do is to review your submission (hopefully you also included an outline) and start mapping out the presentation narrative. This is the time to figure out how you are going to get all the content in the abstract/summary into the presentation slides.

Make sure that the presentation slide material, including demos, can be covered in the time allowed.

Sample presentation outline:

  • Begin
    • Title slide – presentation title and contact info
    • About Me slide – keep this short – most likely no one wants to hear about what you’ve done for more than 1 minute, except if your Elon Musk, and in that case most people already know what you’ve done. Keep it shorter than you think.
    • Agenda slide – major topics covered
    • Introduction – why people should care
  • Content
    • Content Section 1
    • Content Section 2
    • Content Section 3
  •  End
    • Key Points
    • Conclusion/Summary
    • Final slide – contact info
    • References

The first section (“Begin”) should take less than 5 minutes then get into the content. I like to break the content component into discrete sections help the presentation flow. Place some URLs in the slides for later reference, though there’s nothing wrong with having “reference” slides at the end of the deck. Provide references so others can find the same resources easily without having to search.

Finally, provide concluding slides. Highlight the key points of what you covered during the presentation and include some important takeaways for the audience. The final slide can include contact info as well. I’ve found that people really appreciate placing your Twitter handle on the bottom of each slide as well.


Key Points on Slide Creation

Remember that slides are supposed to compliment your talk, not be the talk.
Save the detail for your talk and the whitepaper/blog post.

  • Keep information on the slide minimal – don’t include “wall of text” slides that have people reading more than a couple of seconds.
  • 1-2 slides per minute seems to be a good rule of thumb. This will depend on how much time you want to spend on each major topic and you may add more information when presenting live.
  • Your slides should inform and make people smile occasionally.
  • Limit bullets to around 4 to 6 points. If you need more, split into multiple slides or reduce the content down to what’s absolutely necessary.
  • Limit the number of words per bullet – don’t use long sentences.
  • Make the text big – I aim for 36-point font to ensure people in the back have a chance at reading the slides.
  • Screenshots should be big – maximize for text readability. Mark up the graphic to highlight what you want the audience to focus on. Increase the text size in demos so the audience can follow along.
  • Put relevant pictures on as many slides as possible to keep audience interest. I like to insert memes at each new section and at certain points along the way to inject humor and keep the audience engaged (this may/may not be appropriate, so make that call).
  • Plan to talk about material off-slide – either place keywords on the slide and talk in more depth about them or provide some information on the slide and provide additional information about the topic when speaking.
    Never read your slides.

Slides are intended to help the audience remember your information—not to help you remember your own information.”

Keep in mind that before you have started to talk about the content on the slide, most of audience has finished reading it, so don’t read the text on the slide. Reference the information on the slide and expand upon it.


The where & when: Speaker schedule posted

Once the schedule is posted, don’t expect to have your talk moved to a different time slot. For this reason, it’s important to email the conference organizer/speaker contact when you receive the acceptance email to let them know about any potential scheduling conflicts. If you know you won’t be able to fly into the conference on Tuesday afternoon and it starts Tuesday morning, let them know as soon as possible.


The Final Draft

Once you have your presentation slides to a good final draft (trust me they’re never really “done”), it’s time to run through them. Connect your laptop to a projector or external monitor and act like you are presenting to a crowd. The difference here is you want to take notes while going through the presentation. Note what works and what doesn’t. Note required slide changes. Most importantly, keep a stopwatch running (presentation mode usually has this) and note times for each major section as well as the total time to run through the entire presentation, including any demos. I prefer screenshots since it’s easier to walk through what’s on the screen, but live demos do have more impact (typically). It’s often best to record a video of the demo just in case the live demo fails. It’s also highly recommended to video yourself going through the presentation which will highlight any distracting movements (visual) or “umms” or “uhhs” (audio). I have found that when I feel a little bored of going through the talk, I’m ready to give it live. This sense of “boredom” is actually a sign of familiarity and comfort.

Buy a remote for presenting. I like the Logitech Professional Presenter R800 which is usually available around $60 on Amazon (MSRP $79.99).



So, you’ve run through the entire presentation several times (I’ve found around 5 to be a sweet spot) to optimize the slides, flow, and timing. Going through the presentation fully several times before getting on stage has multiple benefits:

  1. Confidence – when you are comfortable with the content and flow, you feel more at ease improving confidence in front of a crowd.
  2. Anxiety – many people, including me, suffer from anxiety before speaking in front of people, especially on stage. Running through the presentation many times reduces some of the anxiety since you feel more confident and comfortable about what you will say and when.
  3. Nerves – obviously related to #2. Most people who present will be really nervous before stepping on stage and likely for the first part of the presentation, if not the entire presentation. Gaining confidence in the presentation helps reduce these nerves, especially when on stage and you forget what you were going to say. When this happens, relax, take a drink of water, breathe, and check where you are in the presentation. Since you have run through it several times already, the next item on the agenda will come to you (it’s on the slide after all 🙂 ) and keep going.


Presentation Day

First piece of advice: relax, it will go fine. Remember that the audience wants you to do well.

Plan to get to the venue a couple hours before your presentation time and bring everything you need: laptop, remote clicker, video adapters (plan for HDMI and VGA), laptop power, and a bottle of water. Most likely the conference will provide water and video adapters, but always better to be safe and by bringing these, it’s one less thing you need to worry about before presenting. Water is the best thing to drink while presenting since it helps with dry mouth and any potential nerves. Use the bathroom about 15 minutes before your scheduled presentation time.

A few tips while presenting:

  • Don’t say you’re nervous.
  • Don’t call yourself out for mistakes. Make a mistake? Keep on moving.
  • Take your time and yet be cognizant of the time allotted – don’t run over.
  • When asked a question, repeat the question so the audience can hear it (and it’s captured if recorded).




Apr 24

BSides Charm Presentation Posted: PowerShell Security: Defending the Enterprise from the Latest Attack Platform

This was my second year speaking at BSides Charm in Baltimore. Last year I spoke about Active Directory attack & defense and it was my first time speaking at a conference. 🙂

The presentation slides for my talk “PowerShell Security: Defending the Enterprise from the Latest Attack Platform” are now on the Presentations tab here on ADSecurity.org. The talk was recorded, so follow @BSidesCharm on Twitter for information about video publishing.

AD Security Presentations

Here’s my PowerShell talk description:

PowerShell is a boon to administrators, providing command consistency and the ability to quickly gather system data and set configuration settings. However, what can be used to help, can also be used for less altruistic activities. Attackers have quickly learned over the past few years that leveraging PowerShell provides simple bypass methods for most defenses and a platform for initial compromise, recon, exploitation, privilege escalation, data exfiltration, and persistence.

With the industry shift to an “”Assume Breach”” mentality, it’s important to understand the impact on the defensive paradigm. Simply put, don’t block PowerShell, embrace it. Blocking PowerShell.exe does not stop PowerShell execution and can provide a false sense of security. The key is monitoring PowerShell usage to enable detection of recon and attack activity. As attack tools like the recently released PowerShell Empire become more prevalent, it’s more important than ever to understand the full capabilities of PowerShell as an attack platform as well as how to effectively detect and mitigate standard PowerShell attack methods.

The presentation walks the audience through the evolution of PowerShell as an attack platform and shows why a new approach to PowerShell attack defense is required. Some Active Directory recon & attack techniques are shown as well as potential mitigation. This journey ends showing why PowerShell version 5 should be the new baseline version of PowerShell due to new defensive capability.

This talk is recommended for anyone tasked with defending an organization from attack as well as system administrators/engineers.

BSides Charm talk outline:

  • Brief PowerShell Overview
  • Typical PowerShell defenses (and why they fail)
  • PowerShell as an Attack Platform
  • Real-world PowerShell attacks
  • PowerShell Persistence
  • PowerShell without PowerShell.exe
  • PowerShell Remoting
  • PowerShell Logging & Attack Detection
  • PowerShell Defenses
  • PowerShell v5 Security Enhancements
  • Windows 10 PowerShell Security
  • Securing PowerShell: A Layered Defense
  • Appendix: Microsoft Office Macro Security

Some of this information is in the post titled “Detecting Offensive PowerShell Attack Tools “.

As a follow-up to one of the questions regarding the Invoke-NinjaCopy powershell tool that can copy a locked file from a server (such as NTDS.dit), I refer you to the author’s blog post on his tool.

There was also a question after the talk about managing computers without leaving credentials behind. PowerShell remoting is ideal since it uses a “Network” logon where no credentials are placed on the target system. This has been a problem with RDP since logging into a server via RDP involves entering a username and password. This action usually involves placing the user credentials on the remote system and when connected to a computer via RDP, the user credentials are placed on that system. RDP /RestrictedAdmin is a new feature (now available for Windows 7 / Windows 2008 R2 and newer) which prevents the credentials from being placed on the target RDP server, so they can’t be stolen. This is great for help desk support that needs to RDP to user workstations as a workstation admin. When using standard RDP, these credentials could be stolen. With RDP /RestrictedAdmin, the credentials aren’t on the box to take.

Thanks to the BSides Charm organizers for a great event!

Follow-up note:
Test PowerShell logging levels. Someone reported to me that checking the box “Log script block invocation start / stop events” can generate a large amount of PowerShell log events, so check before deploying.


Mar 25

DarkOperator.com: Using PowerShell to Gather Information from Active Directory

Carlos Perez (@DarkOperator) recently posted on DarkOperator.com how to use PowerShell to get data from Active Directory. He is working on an Active Directory audit PowerShell project and is documenting most of the work put into it. He also covers leveraging functions for portability and using Pester to write better PowerShell code  (as well as debug and handle error conditions better). Carlos also walks through how to properly code a PowerShell module as well as create and use a PowerShell project in GitHub (something I need to do better! 🙂 ). Anyone who uses PowerShell to gather Active Directory data should read these posts. The amount of detail he put into these posts is impressive and they are well worth reading!


1 Writing a Active Directory Audit Module – Creating the Project

I got in my head this week that I would like to write a Windows PowerShell module for getting information from Active Directory for the purpose of gathering information to aid in detecting miss configurations and also aid in incident response. My idea is to write the module and start publishing blog posts as I go through the process of writing the code and how I go about it. This will be my first experience with Pester also so I think it would be a fun adventure.


I start by setting goals for the module, these are:

  • All output from each function will be objects.
  • I will assign each object a custom type so I can create custom views for the output.
  • The module must not depend on the ActiveDirectory module that ships with the different RSAT tools and use .NET and COM so as to leverage the use alternate credentials.
  • Module should be able to pull information as a base for Users, Groups, Computers, Sites, Domains, Forest, OUs and GPOs.
  • Module will be PSv3 or above so as to use new improvements int he latest versions of Windows PowerShell.

2 Writing a Active Directory Audit Module – Getting Forest Info

Carlos covers several scenarios that may arise when attempting to gather Active Directory forest data using PowerShell, including connecting to the current forest as well as others.

In the last blog post we covered setting the goals for the project, general guidelines, how I set up a project in GitHub and the creation of the module manifest. In this blog post we will cover some of the API around Active Directory that we can use in Windows PowerShell to access and query it either from a host already in the domain or with alternate credentials against a specific host.

Currently when working in Windows PowerShell there are 4 main ways to interact with Active Directory:

  • Active Directory module – gets installed with RSAT or when then Domain Controller role is added to a server. Varies per version of Windows.
  • System.DirectoryServices Namespace – it is a .Net wrapper around the ADSI (Active Directory Service Interface) COM object. It represents a specific path or Object in AD allowing for the pulling of information and modification.
  • System.DirectoryServices.ActiveDirectory namespace – It provides several .Net classes that abstract AD services. Provides access to manipulating forest, domain, site, subnet, partition, and schema are part of the object model.
  • System.DirectoryServices.AccountManagement namespace provides uniform access and manipulation of user, computer, and group security principals

Each one of the namespaces have their own peculiarities and uses. The most powerful one is classes under System.DirectoryServices do to the control it provides but with it comes more complexity, this is why it is used for those cases where the other 2 do not fit a specific role or complex searches of AD are required.


3 Writing a Active Directory Audit Module – Getting a DirectoryEntry

Extending the information

In the previous blog post when we look at the object returned it has all of the information properly parsed and shown so I do not have to run around parsing fields and converting them but for me a critical piece of information is not shown and that is the SID of the forest domain. If you have played with analysis of some logs and with Mimikatz attacks you know the SID is of great importance. For this we will use the System.DirectoryServices namespace, specifically the DirectoryEntry class that represents a path in AD.

Designing Get-DSDirectoryEntry

We will create a helper function to generate the DirectoryEntry object, by creating the function we ensure we do not duplicate a lot of code unless we have to and will also make it easier to test.

Before we start coding lets define what we want to achieve and this is dictated in part by the APIs we want to use. in this case the Class has several constructors to create an instance of it:

We want to be able to get a DirectoryEntry int he following manners:

  • For a specified path using the current user credentials.
  • For a specified path using alternated credentials.
  • For a specified path by connecting to a server and providing credentials



Mar 14

Sneaky Active Directory Persistence #17: Group Policy

The content in this post describes a method through which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes.

Complete list of Sneaky Active Directory Persistence Tricks posts

This post explores how an attacker could leverage the built-in Active Directory management capability called Group Policy and how to mitigate potential security issues.

Read the rest of this entry »

Mar 09

Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes.

All posts in my Sneaky Active Directory Persistence Tricks series

This post explores how an attacker could leverage computer account credentials to persist in an enterprise and how to mitigate potential security issues.

Read the rest of this entry »

Mar 02

ADSecurity.org’s Unofficial Guide to Mimikatz & Command Reference Updated for Mimikatz v2.1 alpha 20160229

ADSecurity.org’s Unofficial Guide to Mimikatz & Command Reference page is updated for the new modules/features in Mimikatz v2.1 alpha 20160229.

According to Mimikatz author, Benjamin Delpy, the following updates are included in the most recent Mimikatz version(s):

Mimikatz Release Date: 2/29/2016
2.1 alpha 20160229 (oe.eo) edition
System Environment Variables & other stuff
[new] System Environment Variables user module
[new] System Environment Variables kernel IOCTL for Set
[enhancement] privilege::sysenv
[enhancement] Busylight
[enhancement] misc::skeleton can avoid anti-AES patching for aware clients with /letaes

2.1 alpha 20160217 (oe.eo) edition
[new] crypto::certificates /silent & /nokey flags
[new] crypto::keys /silent flag
[new] kull_m_busylight module now support protocol for new devices

Visit the Unofficial Guide to Mimikatz & Command Reference page


Mar 01

ADSecurity.org Now Sponsored by Trimarc!

Sean has founded a new security company called Trimarc focused on providing enterprise security solutions. Launching today, Trimarc’s mission is to identify ways to better protect organizations from modern threats not effectively stopped by traditional security measures.

ADSecurity.org will continue thanks to Trimarc!

Check out Trimarc’s capabilities at TrimarcSecurity.com.

Feb 24

PowerShell Version 5 is Available for Download (again)

After about two months of Microsoft PowerShell developers working around the clock (probably), the bug that wound up causing the WMF 5.0 RTM installer to be pulled is now fixed. There was an issue with the original release dealing with PSModulePath ($Env:PSModulePath) which was reset to default after installation of the original PowerShell v5 installer.

The Windows Management Framework (WMF) 5.0 RTM packages for Windows 2008 R2 SP1/2012 R2/2012 and Windows 7 SP1/8.1 are available for download in the Microsoft Download Center.

As I’ve stated before, due to the security enhancements including logging, updating to PowerShell v5 is highly recommended. More details on the advantages of enabling PowerShell logging and attack detection, including PowerShell v5 security enhancements are in two posts:

Download PowerShell version 5 aka “Windows Management Framework (WMF) 5.0 RTM”

Read the rest of this entry »

Feb 23

Building an Effective Active Directory Lab Environment for Testing

This post is not meant to describe the ultimate lab configuration. Instead the focus is on a lab environment that can be stood up quickly and easily as a learning tool. The best way to learn about computer networking and security is to have a home lab. The great thing is that a home lab no longer requires several physical computers as it did in the past. Virtualization enables anyone to take a computer with a decent processor and enough RAM to create a lab environment without being overly complex. Furthermore, it’s possible to build a Windows environment at minimal cost for testing.

Hosting The Lab

The Cloud:

Amazon AWS, Microsoft Azure, and others provide capability to install and configure VMs in the cloud which is helpful when traveling since the lab is available and accessible from anywhere (perhaps saving power at home).

The Server:

I have friends that buy older servers from various internet sources (ebay, etc) at a tremendous discount and run those with (potentially) massive hard drive arrays. The big drawback is the power consumption (and associated power bill). The associated components are usually more expensive, though they do last longer.

The Workstation:

This is my preference – build/buy a hefty workstation-class system with a Core i7 processor. I highly recommend using an SSD as the primary OS drive. Also highly recommended is using a separate SSD for the Virtual Machine files. SSDs are exponentially faster than traditional hard drives and the difference is obvious when running a lab on them. For example, my lab computer has 2 SSDs: a C: drive and a D: drive. I can build a new VM in ~7 minutes. Installing a new Windows Server from an ISO file on the C: drive (SSD) takes ~12 minutes. Also, the server VMs boot almost instantly! It’s extremely fast! 🙂

The key is to outfit the lab computer with as much RAM as possible. My recommendation is 16GB at a minimum, 32GB preferred, with more than that even better!
What matters in the system:

  • Processor: Does the work for the virtualization host as well as all VMs. Core i7 (or better) preferred.
  • Hard Drive: SSD all the way! Recommend at least 128GB for system drive and at least 256GB for the drive holding the VM files (preferably more!). I also use a traditional hard drive 1-3TBs in size for VM backups. I really like the Samsung EVO SSDs since they are fast and reliable. A 500GB Samsung EVO SSD runs around $300 online (possibly cheaper by the time you read this).
  • Memory: This is the one you want to put your money into. Personally, I would rather spend a little bit more upfront and have the ability to put 64GB (or more) into a system, then go cheap and have the computer max out at 16GB. The more memory you have, the more VMs you can run which means you can run more involved (& interesting!) scenarios.

I also attach external traditional hard drives (1.5TB and larger) for lab VM backups, though I tend to keep the operating system ISO files and OS template VM files (Sysprep’d operating system VMs) on a SSD for maximum install speed.

Read the rest of this entry »

Older posts «