Jan 01

Attack Methods for Gaining Domain Admin Rights in Active Directory

There are many ways an attacker can gain Domain Admin rights in Active Directory. This post is meant to describe some of the more popular ones in current use. The techniques described here “assume breach” where an attacker already has a foothold on an internal system and has gained domain user credentials (aka post-exploitation).

The unfortunate reality for most enterprises is that it often does not take long for an attacker to go from domain user to domain admin. The question on defenders’ minds is “how does this happen?”.

The attack frequently starts with a spear-phishing email to one or more users enabling the attacker to get their code running on a computer inside the target network. Once the attacker has their code running inside the enterprise, the first step is performing reconnaissance to discover useful resources to escalate permissions, persist, and of course, plunder information (often the “crown jewels” of an organization).

While the details of the process vary, the overall theme remains:

  • Malware Injection (Spear-Phish, Web Exploits, etc.)
  • Reconnaissance (Internal)
  • Credential Theft
  • Exploitation & Privilege Escalation
  • Data Access & Exfiltration
  • Persistence (retaining access)

We start with the attacker having a foothold inside the enterprise, since this is often not difficult in modern networks. Furthermore, it is also typically not difficult for the attacker to escalate from having user rights on the workstation to having local administrator rights. This escalation can occur either by exploiting an unpatched privilege escalation vulnerability on the system or, more frequently, by finding local admin passwords in SYSVOL (for example, in Group Policy Preferences).

I spoke about most of these techniques at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON, & DerbyCon).

I also covered some of these issues in the post “The Most Common Active Directory Security Issues and What You Can Do to Fix Them”.


Oct 14

The Most Common Active Directory Security Issues and What You Can Do to Fix Them

The past couple of years of meeting with customers is enlightening since every environment, though unique, often has the same issues. These issues often boil down to legacy management of the enterprise Microsoft platform going back a decade or more.

I spoke about Active Directory attack and defense at several security conferences this year including BSides, Shakacon, Black Hat, DEF CON, and DerbyCon. These talks include information about how to best protect the Active Directory enterprise from the latest, and most successful, attack vectors.

While the threats have changed over the past decade, the way systems and networks are managed often has not. We continue with the same operations and support paradigm despite the fact that internal systems are compromised regularly. We must embrace the new reality of “Assume Breach.”

Assume breach means that we must assume that an attacker has control of a computer on the internal network and can access the same resources that the users who have recently logged on to that computer have access to.
Note that when I describe risks and mitigations of Active Directory, this includes the overall enterprise configuration.

Here are some of the biggest AD security issues (as I see them). This list is not complete, but reflects common enterprise issues.
I continue to find many of these issues when I perform Active Directory Security Assessments for organizations.


Sep 27

Some Favorite DerbyCon 6 Talks (2016)

This post is a collection of my favorite and interesting talks from DerbyCon 6 (2016). There were a lot of great talks and as I discover them, I’ll add them here. My goal is to collect and provide the talk videos and slides together for a single, easy reference. I’m sure I missed a few.
To read about the DerbyCon 6 presentations visit the DerbyCon 6 Schedule page and the DerbyCon 6 presentation videos are on YouTube.


Sep 13

DerbyCon 6 (2016) Talk – Attacking EvilCorp: Anatomy of a Corporate Hack

Next week at DerbyCon 6, Will Schroeder (aka Will Harmjoy, @Harmj0y) & I are presenting on enterprise security, “Attacking EvilCorp: Anatomy of a Corporate Hack.”
We call this one the “How You Got Hacked” presentation.

The company and events are fictional.

The techniques are real.

On Saturday, September 24th, 2016, Will & I are speaking at DerbyCon Track 1 (Break Me) in the Regency North room from 10:00am to 10:50am.

Here’s the talk description from the DerbyCon website:

With the millions of dollars invested in defensive solutions, how are attackers still effective?
Why do defensive techniques seem to rarely stop or slow down even mid-tier adversaries?
And is there anything the underfunded admin can do to stop the carnage?
Join us in a shift to “assume breach” and see how an attacker can easily move from a single machine compromise to a complete domain take over.
Instead of “death by PowerPoint,” see first-hand how a fictional corporation suffers “death by a thousand cuts”. The fictional EvilCorp presents their top defensive tools and practically dares someone to attack the network. The battle of Red vs. Blue unfolds showing EvilCorp’s network submit to the unrelenting attacks by an experienced adversary.
When the dust settles, the Red Team looks victorious. But what, if anything, could have tipped the scales in the other direction?
In this demo-heavy session (several demos are shown to demonstrate modern attack effectiveness), we showcase the latest attack techniques and ineffective defenses still used to protect companies. Defense evasion tools and techniques are detailed as well as attack detection methods. Effective mitigation strategies are highlighted and the Blue Team is provided a roadmap to properly shore up defenses that can stop all but the most determined attacker.

This presentation is not a standard conference talk with lots of slides. In fact, there are only a handful of slides, mostly to highlight how to mitigate the demonstrated attacks. Over the course of the 45 minute presentation, we show several attack demonstrations highlighting typical phases of how a company could be hacked and talk through the issues in the environment and real world mitigations. Instead of walking through the attacks and showing slides, we present this as a “skit”.

During the talk, Sean assumes the role of E Corp CIO who is on stage at a conference presenting about their perfect security. He effectively challenges the world to hack his company.

Will takes up this challenge and explains the problems with E Corp’s security posture by showing several demos of how he can pwn them in about 25 minutes.

After this “skit”, we switch back to a more traditional presentation to cover real-world mitigations.

For the curious, here’s an outline of our talk at DerbyCon next week:


Aug 15

Microsoft LAPS Security & Active Directory LAPS Configuration Recon

Over the years, there have been several methods attempted for managing local Administrator accounts:

  1. Scripted password change – Don’t do this. The password is exposed in SYSVOL.
  2. Group Policy Preferences. The credentials are exposed in SYSVOL.
  3. Password vault/safe product (Thycotic, CyberArk, Lieberman, Quest, Exceedium, etc).
  4. Microsoft Local Administrator Password Solution (LAPS).

LAPS Overview

Microsoft’s LAPS is a useful tool for automatically managing Windows computer local Administrator passwords. It’s important to ensure that every computer changes its local Administrator password regularly, that the password is unique for every computer, that there’s a way to track when it gets changed, and that there’s a way to force password changes. I cover LAPS in an earlier post, including deployment, pros & cons, among other information.

Here’s a quick overview of LAPS:

  • Initial install which includes schema extensions – adds ms-mcs-AdmPwd (clear-text password) & ms-mcs-AdmPwdExpirationTime (date/time when password expires which forces the LAPS client to reset the password) attributes to computer objects.
  • Deploy the LAPS client to all computers to manage their local Administrator account password.
  • Delegate all computers access to update the ms-mcs-AdmPwd & ms-mcs-AdmPwdExpirationTime LAPS attributes on their own computer account (SELF write access).
  • Delegate the LAPS computer attributes so the appropriate users have access to view the LAPS password and/or force a reset of the LAPS password (clearing the value of ms-mcs-AdmPwdExpirationTime forces the LAPS client to change the local Administrator password).
  • Configure a new Group Policy Object (GPO) to enable and configure LAPS management of the local Administrator account password.

Note that the LAPS GPO setting “Do not allow password expiration time longer than required by policy” is set to Enabled. This is important as you’ll see at the end of this post.
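An added example (not code from the post) that audits the LAPS deployment described above from the defender’s side: it flags computers whose ms-Mcs-AdmPwdExpirationTime is missing, already in the past, or further out than the GPO maximum password age, and then lists which principals hold extended rights to read the LAPS password for each OU. It assumes the RSAT ActiveDirectory module and the LAPS AdmPwd.PS management module are installed, that the running account can read the expiration-time attribute, and that the GPO password age is 30 days.

```powershell
# Added example, not from the original post.
# Assumptions: RSAT ActiveDirectory module and the LAPS AdmPwd.PS module are installed;
# the account running this can read ms-Mcs-AdmPwdExpirationTime (reading the expiration
# time, not the clear-text password, is all this audit needs).
Import-Module ActiveDirectory

# Maximum password age configured in the LAPS GPO (assumption: 30 days).
$PolicyMaxAgeDays = 30
$Now = Get-Date

$computers = Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' `
    -SearchBase (Get-ADDomain).DistinguishedName

$report = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) {
        # No expiration time at all: the LAPS client has never written to this object,
        # so this computer is not under LAPS management.
        [pscustomobject]@{ Name = $c.Name; Expires = $null; Status = 'Not managed by LAPS' }
        continue
    }
    # The attribute is a Windows FILETIME (100ns intervals since 1601), stored as Int64.
    $expires = [DateTime]::FromFileTime([int64]$raw)
    $status = if ($expires -lt $Now) {
        # Past due: the client should have rotated the password but has not
        # (computer offline for a long time, or the LAPS GPO is not applying).
        'Expired: password not rotated'
    } elseif ($expires -gt $Now.AddDays($PolicyMaxAgeDays)) {
        # Further out than the policy allows. With "Do not allow password expiration
        # time longer than required by policy" enabled, the client corrects this on
        # its next cycle; without it, the password can stay unchanged indefinitely.
        'Expiration beyond policy maximum'
    } else {
        'OK'
    }
    [pscustomobject]@{ Name = $c.Name; Expires = $expires; Status = $status }
}

# Show only the computers that need attention.
$report | Where-Object Status -ne 'OK' | Sort-Object Status, Name | Format-Table -AutoSize

# Second check: who is delegated to read the clear-text LAPS password?
# Find-AdmPwdExtendedRights (from the AdmPwd.PS module) reports, per OU, the
# principals holding extended rights, which includes the right to read ms-Mcs-AdmPwd.
Import-Module AdmPwd.PS
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    Find-AdmPwdExtendedRights -Identity $_.DistinguishedName
} | Select-Object ObjectDN, ExtendedRightHolders | Format-Table -AutoSize
```

Review the second table against the delegation you intended: any principal listed there beyond the designated workstation admin groups can read every managed local Administrator password in that OU.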


Aug 13

PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection

This post is a follow-up of sorts from my earlier posts on PowerShell, my PowerShell presentation at BSides Baltimore, and my presentation at DEF CON 24.
Hopefully this post provides current information on PowerShell usage for both Blue and Red teams.

The Evolution of PowerShell as an attack tool

PowerShell is a built-in command shell available on every supported version of Microsoft Windows (Windows 7 / Windows 2008 R2 and newer) and provides incredible flexibility and functionality to manage Windows systems. This power makes PowerShell an enticing tool for attackers. Once an attacker can get code to run on a computer, they often invoke PowerShell code since it can be run in memory where antivirus can’t see it. Attackers may also drop PowerShell script files (.ps1) to disk, but since PowerShell can download code from a website and run it in memory, that’s often not necessary.


Dave Kennedy & Josh Kelley presented at DEF CON 18 (2010) on how PowerShell could be leveraged by attackers. Matt Graeber developed PowerSploit and blogged at Exploit-Monday.com on why PowerShell is a great attack platform. Offensive PowerShell usage has been on the rise since the release of “PowerSploit” in 2012, though it wasn’t until Mimikatz was PowerShell-enabled (aka Invoke-Mimikatz) about a year later that PowerShell usage in attacks became more prevalent. PowerShell provides tremendous capability since it can run .NET code and execute dynamic code downloaded from another system (or the internet) in memory without ever touching disk. These features make PowerShell a preferred method for gaining and maintaining access to systems, since attackers can move around using PowerShell without being seen. PowerShell Version 5 (v5) greatly improves the defensive posture of PowerShell, and when run on a Windows 10 system, PowerShell attack capability is greatly reduced.


Aug 04

DEF CON 24 (2016) Talk “Beyond the MCSE: Red Teaming Active Directory” Presentation Slides Posted

On Thursday, August 4th, I presented “Beyond the MCSE: Red Teaming Active Directory” at DEF CON 24 (2016).

Here are the slides for this talk: DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory

Here’s my talk description from the DEF CON website:

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn’t know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk.

Let’s go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics.

Aug 03

Presentation Slides Posted for Black Hat USA 2016 Talk “Beyond the MCSE: Active Directory for the Security Professional”

On Wednesday, August 3rd, I presented “Beyond the MCSE: Active Directory for the Security Professional” at Black Hat USA 2016.

Here are the slides for this talk: US-16-Metcalf-BeyondTheMCSE-ActiveDirectoryForTheSecurityProfessional

Here’s my talk description from the Black Hat website:

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities. This means that both Red and Blue teams need to have a better understanding of Active Directory, its security, how it’s attacked, and how best to align defenses. This presentation covers key Active Directory components which are critical for security professionals to know in order to defend AD. Properly securing the enterprise means identifying and leveraging appropriate defensive technologies. The provided information is immediately useful and actionable in order to help organizations better secure their enterprise resources against attackers. Highlighted are areas attackers go after, including some recently patched vulnerabilities and the exploited weaknesses. This includes the critical Kerberos vulnerability (MS14-068) and Group Policy Man-in-the-Middle (MS15-011 & MS15-014), and how they take advantage of AD communication.

Some of the content covered:

  • Differing views of Active Directory: admin, attacker, and infosec.
  • The differences between forests and domains, including how multi-domain AD forests affect the security of the forest.
  • Dig into trust relationships and the available security features describing how attack techniques are impacted by implementing these trust security features.
  • AD database format, files, and object storage (including password data).
  • Read-Only Domain Controllers (RODCs), security impact, and potential issues with RODC implementation.
  • Key Domain Controller information and how attackers take advantage.
  • Windows authentication protocols over the years and their weaknesses, including Microsoft’s next-generation credential system, Microsoft Passport, and what it means for credential protection.
  • Security posture differences between AD on-premises and in the cloud (Microsoft Azure AD vs Office 365).
  • Key Active Directory security features in the latest Windows OS versions – the benefits and implementation challenges.

Let’s go beyond the standard MCSE material and dive into how Active Directory works focusing on the key components and how they relate to enterprise security.

Jul 19

Black Hat USA 2016 Talk – Beyond the MCSE: Active Directory for the Security Professional

This summer in Las Vegas, I’m speaking at Black Hat USA 2016 on Active Directory security, “Beyond the MCSE: Active Directory for the Security Professional.” This talk covers the key AD security components with specific focus on the things security professionals should know.

I put this talk together because I have noticed that while Active Directory admins, engineers, and MCSEs typically know what areas of Active Directory are critical security components, others often do not. The presentation covers the core AD components and how they impact enterprise security before diving into the most common AD security issues, new AD security enhancements in recent Windows versions, and AD security best practices.

On Wednesday, August 3rd, 2016, I am speaking at the Mandalay Bay room GH from 10:20am to 11:10am.


Here’s my talk description from the Black Hat website:

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities. This means that both Red and Blue teams need to have a better understanding of Active Directory, its security, how it’s attacked, and how best to align defenses. This presentation covers key Active Directory components which are critical for security professionals to know in order to defend AD. Properly securing the enterprise means identifying and leveraging appropriate defensive technologies. The provided information is immediately useful and actionable in order to help organizations better secure their enterprise resources against attackers. Highlighted are areas attackers go after, including some recently patched vulnerabilities and the exploited weaknesses. This includes the critical Kerberos vulnerability (MS14-068) and Group Policy Man-in-the-Middle (MS15-011 & MS15-014), and how they take advantage of AD communication.

Some of the content covered:

  • Differing views of Active Directory: admin, attacker, and infosec.
  • The differences between forests and domains, including how multi-domain AD forests affect the security of the forest.
  • Dig into trust relationships and the available security features describing how attack techniques are impacted by implementing these trust security features.
  • AD database format, files, and object storage (including password data).
  • Read-Only Domain Controllers (RODCs), security impact, and potential issues with RODC implementation.
  • Key Domain Controller information and how attackers take advantage.
  • Windows authentication protocols over the years and their weaknesses, including Microsoft’s next-generation credential system, Microsoft Passport, and what it means for credential protection.
  • Security posture differences between AD on-premises and in the cloud (Microsoft Azure AD vs Office 365).
  • Key Active Directory security features in the latest Windows OS versions – the benefits and implementation challenges.

Let’s go beyond the standard MCSE material and dive into how Active Directory works focusing on the key components and how they relate to enterprise security.

For the curious, here’s an outline of my talk at Black Hat next week:


Jul 06

DEF CON 24 (2016) Talk – Beyond the MCSE: Red Teaming Active Directory

This August at DEF CON 24, I will be speaking about Active Directory security evaluation in my talk “Beyond the MCSE: Red Teaming Active Directory”. This talk is focused on the Red side of AD security, specifically how to best evaluate the security of AD and quickly identify potential security issues. Whether you perform “Red Teaming” or “Penetration testing”, this presentation covers efficient methods of Active Directory recon which can quickly identify AD privilege escalation methods, several of which aren’t well described or understood. Also discussed are the latest Active Directory defensive measures, what this means to the Red Teamer, and potential bypasses.
Note that this is the 3rd talk at DEF CON and is on Thursday, DEF CON’s opening day.


On Thursday, August 4th, 2016, I have a DEF CON 101 talk from 12:00pm to 12:50pm in the Pacific Ballroom (Bally’s Jubilee Tower, 2nd floor).

Here’s my talk description from the DEF CON website:

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn’t know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk.

Let’s go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics.


DEF CON 24 talk outline:


Jun 26

So You Want to Speak at a Security Conference Part 2: How to Craft a Great Talk for a Security Conference!

This is a continuation of my earlier “So You Want to Speak at a Security Conference?” post where I cover creating a good submission to speak at a conference. I have spoken a handful of times and am definitely not an expert, though I do want to share some of the best tips I’ve discovered with others. I don’t have all the answers and I’m not an expert speaker. What I do have is some speaking experience at some notable security conferences and the tips and strategy that got me through them. 🙂 Hopefully these posts help you.

The Acceptance

After putting together a stellar presentation submission, you receive an email with the words you were hoping for: “your submission is accepted!”
This email arrives weeks if not months after submitting to a conference and typically about 1-3 months before the actual conference date.

After taking some time to celebrate, and you really should since most conferences get more submissions than available slots (often many times that number), it’s time to get down to business. This is also a good time to make travel arrangements (assuming you need to travel). Also review the conference CFP pages and/or speaker section (if available) for speaker logistics.

Before getting started, please read through Speaking.io; it’s a great resource and has lots of great tips for speakers.

The important ones:

  • Presentation duration – usually 45–50 minutes, though some conferences also have other presentation formats, like 20 or 100 minutes.
  • Milestone dates:
    • Deadline to update abstract/summary and bio.
    • Deadline for slides/whitepaper/other material (typically for the conference CD/DVD).
  • Projector: standard or widescreen (this matters for your slide format).
  • Note if there’s a presentation template and/or file type requirement (PDF is typically required).

Also remember that the email address the acceptance was sent to will be the one conference/speaker updates are sent to; if anything changes (e.g. you switch jobs), make sure the conference contact knows about it.

Creating the Presentation

The first thing to do is to review your submission (hopefully you also included an outline) and start mapping out the presentation narrative. This is the time to figure out how you are going to get all the content in the abstract/summary into the presentation slides.

Make sure that the presentation slide material, including demos, can be covered in the time allowed.


Apr 24

BSides Charm Presentation Posted: PowerShell Security: Defending the Enterprise from the Latest Attack Platform

This was my second year speaking at BSides Charm in Baltimore. Last year I spoke about Active Directory attack & defense and it was my first time speaking at a conference. 🙂

The presentation slides for my talk “PowerShell Security: Defending the Enterprise from the Latest Attack Platform” are now on the Presentations tab here on ADSecurity.org. The talk was recorded, so follow @BSidesCharm on Twitter for information about video publishing.


Here’s my PowerShell talk description:

PowerShell is a boon to administrators, providing command consistency and the ability to quickly gather system data and set configuration settings. However, what can be used to help, can also be used for less altruistic activities. Attackers have quickly learned over the past few years that leveraging PowerShell provides simple bypass methods for most defenses and a platform for initial compromise, recon, exploitation, privilege escalation, data exfiltration, and persistence.

With the industry shift to an “Assume Breach” mentality, it’s important to understand the impact on the defensive paradigm. Simply put, don’t block PowerShell, embrace it. Blocking PowerShell.exe does not stop PowerShell execution and can provide a false sense of security. The key is monitoring PowerShell usage to enable detection of recon and attack activity. As attack tools like the recently released PowerShell Empire become more prevalent, it’s more important than ever to understand the full capabilities of PowerShell as an attack platform as well as how to effectively detect and mitigate standard PowerShell attack methods.

The presentation walks the audience through the evolution of PowerShell as an attack platform and shows why a new approach to PowerShell attack defense is required. Some Active Directory recon & attack techniques are shown as well as potential mitigation. This journey ends showing why PowerShell version 5 should be the new baseline version of PowerShell due to new defensive capability.

This talk is recommended for anyone tasked with defending an organization from attack as well as system administrators/engineers.


BSides Charm talk outline:

  • Brief PowerShell Overview
  • Typical PowerShell defenses (and why they fail)
  • PowerShell as an Attack Platform
  • Real-world PowerShell attacks
  • PowerShell Persistence
  • PowerShell without PowerShell.exe
  • PowerShell Remoting
  • PowerShell Logging & Attack Detection
  • PowerShell Defenses
  • PowerShell v5 Security Enhancements
  • Windows 10 PowerShell Security
  • Securing PowerShell: A Layered Defense
  • Appendix: Microsoft Office Macro Security

Some of this information is in the post titled “Detecting Offensive PowerShell Attack Tools”.

As a follow-up to one of the questions regarding the Invoke-NinjaCopy PowerShell tool, which can copy a locked file from a server (such as NTDS.dit), I refer you to the author’s blog post on his tool.

There was also a question after the talk about managing computers without leaving credentials behind. PowerShell remoting is ideal since it uses a “Network” logon, so no credentials are placed on the target system. This has been a problem with RDP: logging into a server via RDP involves entering a username and password, and for the duration of the connection the user’s credentials are placed on that remote system. RDP /RestrictedAdmin is a newer feature (now available for Windows 7 / Windows 2008 R2 and newer) which prevents the credentials from being placed on the target RDP server, so they can’t be stolen from it. This is great for help desk support that needs to RDP to user workstations as a workstation admin: with standard RDP, those credentials could be stolen from the workstation; with RDP /RestrictedAdmin, the credentials aren’t on the box to take.

Thanks to the BSides Charm organizers for a great event!

Follow-up note:
Test PowerShell logging levels. Someone reported to me that checking the box “Log script block invocation start / stop events” can generate a large amount of PowerShell log events, so check before deploying.
