Active Directory Security

Scanning for Active Directory Privileges & Privileged Accounts

Active Directory Recon is the new hotness since attackers, Red Teamers, and penetration testers have realized that control of Active Directory provides power over the organization. I covered ways to enumerate permissions in AD using PowerView (written by Will @harmj0y) during my Black Hat & DEF CON talks in 2016 from both a Blue Team …

View full post

AD Reading: Windows Server 2016 Active Directory Features

The following are useful resources for Windows Server 2016 Active Directory Features. Windows 2016 Features What’s New in Windows 2016 Active Directory Windows Server 2016 AD Functional Level Privileged Access Management (PAM) Windows 2016 PAM Shadow Security Principals (temporary group membership) Azure AD Join Windows 2016 Azure AD Join Microsoft Hello …

View full post

BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting

I recently presented my talk “Detecting the Elusive: Active Directory Threat Hunting” at BSides Charm in Baltimore, MD. Slides are now posted in the Presentations section. I cover some of the information I’ve posted here before: PowerShell Security Detecting Kerberoasting: Part 1 and Part 2 On Sunday, April 30th, 2017, I spoke at BSides Charm in …

View full post

Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY

I recently presented my talk “Active Directory Security: The Good, the Bad, & the UGLY” at Sp4rkCon in Bentonville, AR in April 2017. Slides are now posted in the Presentations section. I cover some of the information I’ve posted here before: PowerShell Security Detecting Kerberoasting: Part 1 and Part 2 Here’s the talk description: Active Directory Security:The Good, the …

View full post

Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot

In my previous post, “Detecting Kerberoasting Activity” I explain how Kerberoasting works and describe how to detect potential Kerberoasting activity. The trick to this is understanding what activity is normal in order to filter out the noise and increase the fidelity of the alert. This post describes how to filter from millions of events to …

View full post

Scanning for Active Directory Privileges & Privileged Accounts AD Reading: Windows Server 2016 Active Directory Features BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot

Jan 01

Attack Methods for Gaining Domain Admin Rights in Active Directory

Categories:

ActiveDirectorySecurity, Microsoft Security, Technical Reference

by Sean Metcalf

There are many ways an attacker can gain Domain Admin rights in Active Directory. This post is meant to describe some of the more popular ones in current use. The techniques described here “assume breach” where an attacker already has a foothold on an internal system and has gained domain user credentials (aka post-exploitation).

The unfortunate reality for most enterprises, is that it often does not take long from an attacker to go from domain user to domain admin. The question on defenders’ minds is “how does this happen?”.

The attack frequently starts with a spear-phishing email to one or more users enabling the attacker to get their code running on a computer inside the target network. Once the attacker has their code running inside the enterprise, the first step is performing reconnaissance to discover useful resources to escalate permissions, persist, and of course, plunder information (often the “crown jewels” of an organization).

While the overall process detail varies, the overall theme remains:

Malware Injection (Spear-Phish, Web Exploits, etc)
Reconnaissance (Internal)
Credential Theft
Exploitation & Privilege Escalation
Data Access & Exfiltration
Persistence (retaining access)

We start with the attacker having a foothold inside the enterprise, since this is often not difficult in modern networks. Furthermore, it is also typically not difficult for the attacker to escalate from having user rights on the workstation to having local administrator rights. This escalation can occur by either exploiting an unpatched privilege escalation vulnerability on the system or more frequently, finding local admin passwords in SYSVOL, such as Group Policy Preferences.

I spoke about most of these techniques when at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON, & DerbyCon).

I also covered some of these issues in the post “The Most Common Active Directory Security Issues and What You Can Do to Fix Them“.

Read the rest of this entry »

Tags: ActiveDirectory, administratorpassword, AESprivatekey, AESsharedsecret, cpassword, CredentialTheft, CredentialTheftShuffle, DomainAdmins, DomainController, DumpCredentiasls, DumpLSASS, EnterpriseAdmins, Get-GPPPassword, GoldenTickets, GPP, GroupPolicyPreferences, groups.xml, IFM, InstallFromMedia, KB2962486, KB3011780, Kekeo, Kerberoast, Kerberos, KerberosHacking, LAPS, lateralmovement, localadministratoraccountpassword, LSASS, LSASSDumpFile, MicrosoftLAPS, mimikatz, MS14068, ms14068.exe, MS14068Exploit, MSDN, ntds.dit, PAWS, Persistence, PowerSploit, PyKEK, RC4_HMAC_MD5, RDP, RunAs, scheduledtasks.xml, separateAdminWorkstation, ServicePrincipalName, Services.xml, SPN, systemcompromise, SYSVOL, TGS, TGSCracking, TGT, xml

2 comments

Oct 14

The Most Common Active Directory Security Issues and What You Can Do to Fix Them

Categories:

ActiveDirectorySecurity, Microsoft Security, Technical Reference

by Sean Metcalf

The past couple of years of meeting with customers is enlightening since every environment, though unique, often has the same issues. These issues often boil down to legacy management of the enterprise Microsoft platform going back a decade or more.

I spoke about Active Directory attack and defense at several security conferences this year including BSides, Shakacon, Black Hat, DEF CON, and DerbyCon. These talks include information about how to best protect the Active Directory enterprise from the latest, and most successful, attack vectors.

While the threats have changed over the past decade, the way systems and networks are managed often have not. We continue with the same operations and support paradigm despite the fact that internal systems are compromised regularly. We must embrace the new reality of “Assume Breach.”

Assume breach means that we must assume that an attacker has control of a computer on the internal network and can access the same resources the users who have recently logged on to that computer has access to.
Note that when I describe risks and mitigations of Active Directory,this includes overall enterprise configuration.

Here are some of the biggest AD security issues (as I see them). This list is not complete, but reflects common enterprise issues.
I continue to find many of these issues when I perform Active Directory Security Assessments for organizations.

Read the rest of this entry »

Tags: ActiveDirectoryAttack, ActiveDirectoryDefense, ActiveDirectorySecurity, CommonSecurityIssues, DomainControllerSecurity, EnterpriseSecurity

Jun 14

Scanning for Active Directory Privileges & Privileged Accounts

Categories:

ActiveDirectorySecurity, Microsoft Security

by Sean Metcalf

Active Directory Recon is the new hotness since attackers, Red Teamers, and penetration testers have realized that control of Active Directory provides power over the organization.

I covered ways to enumerate permissions in AD using PowerView (written by Will @harmj0y) during my Black Hat & DEF CON talks in 2016 from both a Blue Team and Red Team perspective.

This post details how privileged access is delegated in Active Directory and how best to discover who has what rights and permissions in AD. When we perform an Active Directory Security Assessment for customers, we review all of the data points listed in this post, including the privileged groups and the rights associated with them by fully interrogating Active Directory and mapping the associated permissions to rights and associating these rights to the appropriate groups (or accounts).

I have had this post in draft for a while and with Bloodhound now supporting AD ACLs (nice work Will @harmj0y & Andy @_Wald0!), it’s time to get more information out about AD permissions. Examples in this post use the PowerView PowerShell cmdlets.

Active Directory Privileged Access

The challenge is often determining what access each group actually has. Often the full impact of what access a group actually has is not fully understood by the organization. Attackers leverage access (though not always privileged access) to compromise Active Directory.

The key point often missed is that rights to Active Directory and key resources is more than just group membership, it is the combined rights the user has which is made up of:

Active Directory group membership.
AD groups with privileged rights on computers
Delegated rights to AD objects by modifying the default permissions (for security principals, both direct and indirect).
Rights assigned to SIDs in SIDHistory to AD objects.
Delegated rights to Group Policy Objects.
User Rights Assignments configured on workstations, servers, and Domain Controllers via Group Policy (or Local Policy) defines elevated rights and permissions on these systems.
Local group membership on a computer or computers (similar to GPO assigned settings).
Delegated rights to shared folders.

Read the rest of this entry »

Tags: Account Operators, Active Directory permissions, Active Directory PRivileged Access, Active Directory Security, AD, AD ACLs, AD Delegation, AD groups in Local Groups, AD Security, AdminSDHolder, Allow logon locally, Allow logon over Remote Desktop Services, Backup Operators, Bloodhound, Create GPO rights, CreateChild, DCSync, DeleteChild, Domain Admins, Enable computer and user accounts to be trusted for delegation, Enterprise Admins, Extended Right, Full Control, GenericAll, GenericWrite, GPO, Greoup Policy Delegation, Group Membership, Group Policy Object, Group Policy Permission, Impersonate a client after authentication, Link GPO rights, Manage auditing and security log, Manage Group Policy link, PowerView, Print Operators, Replicating Directory Changes All, Restricted Groups, S-1-5--512, S-1-5--517, S-1-5--520, S-1-5-21--1102, S-1-5-21--519, S-1-5-21--525, S-1-5-21--571, S-1-5-32--574, S-1-5-32-544, S-1-5-32-548, S-1-5-32-550, S-1-5-32-551, S-1-5-32-554, S-1-5-32-562, S-1-5-32-573, S-1-5-32-578, SACL, Schema Admins, SDDL, SDProp, Self, SeMachineAccountPrivilege, SeNetworkLogonRight, SeTcbPrivilege, SeTrustedCredManAccessPrivilege, SIDHistory, Synchronize directory service data, User Rights Assignments, Validated Write, WriteDACL, WriteOwner, WritePRoperty

2 comments

May 30

AD Reading: Windows Server 2016 Active Directory Features

Categories:

Technical Reference

by Sean Metcalf

The following are useful resources for Windows Server 2016 Active Directory Features.

Windows 2016 Features

Privileged Access Management (PAM)

Azure AD Join

Windows 2016 Azure AD Join

Microsoft Hello for Business (formerly Microsoft Passport)

Windows 2016 – Hello for Business

This post has no tag

May 01

BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting

Categories:

ActiveDirectorySecurity, Security Conference Presentation/Video

by Sean Metcalf

I recently presented my talk “Detecting the Elusive: Active Directory Threat Hunting” at BSides Charm in Baltimore, MD.
Slides are now posted in the Presentations section.

I cover some of the information I’ve posted here before:

PowerShell Security
Detecting Kerberoasting: Part 1 and Part 2

On Sunday, April 30th, 2017, I spoke at BSides Charm in Track 2 at 2pm.

Here’s the talk description from the BSides Charm website:

Detecting the Elusive: Active Directory Threat Hunting
Attacks are rarely detected even after months of activity. What are defenders missing and how could an attack by detected?

This talk covers effective methods to detect attacker activity using the features built into Windows and how to optimize a detection strategy. The primary focus is on what knobs can be turned and what buttons can be pushed to better detect attacks.

One of the latest tools in the offensive toolkit is “”Kerberoast”” which involves cracking service account passwords offline without admin rights. This attack technique is covered at length including the latest methods to extract and crack the passwords. Furthermore, this talk describes a new detection method the presenter developed.

The attacker’s playbook evolves quickly, defenders need to stay up to speed on the latest attack methods and ways to detect them. This presentation will help you better understand what events really matter and how to better leverage Windows features to track, limit, and detect attacks

This presentation covers the type of log data required to properly

For the curious, here’s an outline of the talk:

Read the rest of this entry »

Tags: Active Directory, Command Logging, Domain Controllers, Event logging, Microsoft WEF, PowerShell logging, Presentation, Sp4rkCon, Sysinternals SysMon

May 01

Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY

Categories:

ActiveDirectorySecurity, Security Conference Presentation/Video

by Sean Metcalf

I recently presented my talk “Active Directory Security: The Good, the Bad, & the UGLY” at Sp4rkCon in Bentonville, AR in April 2017.
Slides are now posted in the Presentations section.

I cover some of the information I’ve posted here before:

PowerShell Security
Detecting Kerberoasting: Part 1 and Part 2

Here’s the talk description:

Active Directory Security:The Good, the Bad, & the UGLY

While security of the enterprise has been laid bare for years, exploitation techniques targeting Active Directory were relatively rare. In recent years, attackers have focused on more than passing hashes and getting Domain Admin. From SPN Scanning for services to Kerberoasting for credentials to Golden Tickets for persistence, there are multiple methods for attacking Active Directory. Active Directory is the primary identity and management infrastructure for most enterprises and properly securing the AD forest has never been more important.

Some of the topics covered:

* PowerShell attacks

* Active Directory recon

* Credential theft

* Kerberos delegation

This talk is an update of Sean’s talk from 2015 entitled: “Red vs. Blue:
Modern Active Directory Attacks & Defense” where he covered various attack methods and related mitigation. This update explores the current attack techniques and the latest detection.

The presented Information is useful for both Red & Blue Team members.

This presentation is a remix of talks I did last year with some additional information mixed in. New to this talk is coverage of Kerberos delegation issues (not just unconstrained) and how to detect Kerberoasting.

For the curious, here’s an outline of the talk:

Read the rest of this entry »

Tags: Active Directory recon, AD admin tiers, Credential theft, Kerberoasting detection, Kerberos Delegation, PowerShell logging, Secure AD administration

Feb 08

Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot

Categories:

ActiveDirectorySecurity, Microsoft Security, Technical Reference

by Sean Metcalf

This post describes how to filter from millions of events to a single one to detect Kerberoasting activity.

Read the rest of this entry »

Tags: AP-REQ, Audit Kerberos Service Ticket Operations, Detect Kerberoast Activity, Detecting Kerberoast activity, Event ID 4769, Kerberoast honeypot, Kerberoasting activity, Kerberos RC4 Encryption, Kerberos Service Ticket, Kerberos TGS, Kerberos TGS Ticket, NTLM Password, RC4_HMAC_MD5, service account honeypot, TGS-REP, TGS-REQ

Feb 05

Detecting Kerberoasting Activity

Categories:

ActiveDirectorySecurity, Hacking, Microsoft Security, Technical Reference

by Sean Metcalf

Introduction

Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create poor passwords. The reason why this attack is successful is that most service account passwords are the same length as the domain password minimum (often 10 or 12 characters long) meaning that even brute force cracking doesn’t likely take longer than the password maximum password age (expiration). Most service accounts don’t have passwords set to expire, so it’s likely the same password will be in effect for months if not years. Furthermore, most service accounts are over-permissioned and are often members of Domain Admins providing full admin rights to Active Directory (even when the service account only needs to modify an attribute on certain object types or admin rights on specific servers).

Tim Medin presented on this at DerbyCon 2014 in his “Attacking Microsoft Kerberos Kicking the Guard Dog of Hades” presentation (slides & video) where he released the Kerberoast Python TGS cracker.

This is a topic we have covered in the past in the posts “Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain” & “Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting.”
Also Will Schroeder, aka Will Harmjoy (@harmj0y), and I spoke at DerbyCon 2016 about how to Kerberoast to escalate privileges.

Note: This attack will not be successful when targeting services hosted by the Windows system since these services are mapped to the computer account in Active Directory which has an associated 128 character password which won’t be cracked anytime soon.

Let’s quickly cover how Kerberos authentication works before diving into how Kerberoasting works and how to detect Kerberoast type activity.

Read the rest of this entry »

Tags: AP-REQ, Audit Kerberos Service Ticket Operations, Detect Kerberoast Activity, Detecting Kerberoast activity, Event ID 4769, Kerberoasting Active Directory, Kerberoasting activity, Kerberos RC4 Encryption, Kerberos Service Ticket, Kerberos TGS, Kerberos TGS Ticket, KerberosRequestorSecurityToken, NTLM Password, PowerShell Kerberoast, RC4_HMAC_MD5, TGS-REP, TGS-REQ

Jan 29

Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting

Categories:

ActiveDirectorySecurity, Microsoft Security, Technical Reference

by Sean Metcalf

The content in this post describes a method through which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes.

Complete list of Sneaky Active Directory Persistence Tricks posts

This post explores how an attacker could leverage existing admin rights and/or over-permissive delegation to gain persistence on an admin account or accounts..

Any account with a Service Principal Name can be Kerberoasted. It’s possible with the appropriate rights to add SPNs to accounts, including admin accounts, to discover the password for those accounts in order to gain/re-gain access to the account.

Read the rest of this entry »

Tags: AD Sneaky Persistence, attacking kerberos, Kerberoast, kerberoasting, Kerberos attack, Kerberos Ticket Cracking, KerberosRequestorSecurityToken, PowerShell Kerberoasting, RC4 TGS ticket, service principal name, sneaky persistence tricks, SPN, System.IdentityModel, TGS cracking, Write ServicePrincipalName

Nov 03

Securing Domain Controllers to Improve Active Directory Security

Categories:

ActiveDirectorySecurity, Microsoft Security, Technical Reference

by Sean Metcalf

Active Directory security effectively begins with ensuring Domain Controllers (DCs) are configured securely. At BlackHat USA this past Summer, I spoke about AD for the security professional and provided tips on how to best secure Active Directory. This post focuses on Domain Controller security with some cross-over into Active Directory security. The blog is called ADSecurity after all… 😉

This post covers some of the best methods to secure Active Directory by securing Domain Controllers in the following sections:

Default Domain & Domain Controller Policies
Creating Domain & Domain Controller Security Baseline GPOs
Patching Domain Controllers
Protecting Domain Controllers
Domain Controller Recommended Group Policy Settings
Configuring Domain Controller Auditing (Event Logs)
Domain Controller Events to Monitor (Event Logs)
Key Domain Controller Security Items

As with any major change to infrastructure, please test before deploying changes.

Read the rest of this entry »

Tags: 31B2F340-016D-11D2-945F-00C04FB984F9, 6AC1786C-016F-11D2-945F-00C04FB984F9, Active Directory Best Practices analyzer, Active Directory Security, Active Directory security best practices, Audit: Force audit policy subcategory settings, Configuring Domain Controller Auditing, Default Domain Controllers Policy, Default Domain Policy GPO, Domain Controller security, domain password policy, Enable LSA Protection, Enable NTLM Auditing, Event Logs, Fine-Grained Password Policy, GPMC, Group Policy Management Console, HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential, KB2871997, Key Domain Controller Security Items, LAN Manager authentication level, LSA Protection, Lsass.exe audit mode, Microsoft domain controller auditing, Microsoft SCM Domain Controller Security Compliance Policy, Microsoft SCM Domain Security Compliance Policy, Microsoft Security Compliance Manager, Minimum password age, Patching Domain Controllers, Protecting Domain Controllers, Recommended Group Policy Settings, Require 128-bit encryption, Require NTLMv2 session security, Require strong (Windows 2000 or later) session key, SCM, secure Active Directory, Securing Active Directory, Security Compliance, Send NTLMv2 response only. Refuse LM & NTLM, SYSVOL, User Rights Assignments, WDigest Authentication, Windows Server 2012 R2, Windows Server 2016

4 comments

Oct 21

Securing Windows Workstations: Developing a Secure Baseline

Categories:

Microsoft Security, Security Recommendation, Technical Reference

by Sean Metcalf

Securing workstations against modern threats is challenging. It seems like every week there’s some new method attackers are using to compromise a system and user credentials.

The best way to create a secure Windows workstation is to download the Microsoft Security Compliance Manager (currently at version 4.0) and select “Security Compliance” option under the operating system version for which you want to create the security baseline GPO. Review the options, change as needed, and export as a GPO Backup (folder). Create a new empty GPO and Import the settings from the SCM GPO backup. Then apply this newly created GPO to your workstations. This will improve your workstation security baseline if you have minimal security settings already configured, especially if you have no existing workstation GPO.

scm-workstation

As part of developing your Windows Workstation Security Baseline GPO, there are several large organizations that have spent time and money determining what’s “secure”:

DoD STIG: http://iase.disa.mil/stigs/os/windows
DoD Windows 10 Secure Host Baseline files: https://github.com/iadgov/Secure-Host-Baseline
Australian Information Security Manual: http://www.asd.gov.au/infosec/ism/index.htm
CIS Benchmarks: https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.os.windows

Microsoft Administrative Templates for controlling settings via Group Policy are here:

Windows 7 & Windows Server 2008 R2: https://www.microsoft.com/en-us/download/details.aspx?id=6243
Windows 8.1 & Windows Server 2012 R2: https://www.microsoft.com/en-us/download/details.aspx?id=43413
Windows 10 (v1607) & Windows Server 2016: https://www.microsoft.com/en-us/download/details.aspx?id=53430
Office 2010: https://www.microsoft.com/en-us/download/details.aspx?id=18968
Office 2013: https://www.microsoft.com/en-us/download/details.aspx?id=35554
Office 2016: https://www.microsoft.com/en-us/download/details.aspx?id=49030

Note that these locations are subject to change with further updates.
Group Policy Settings Reference for Windows and Windows Server

Windows 10 (v1607) & Windows Server 2016 security configuration baseline settings: https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/

If you already have a GPO configuring workstation security, you can compare what you have to the SCM generated “Security Compliance” GPO using Microsoft’s Policy Analyzer.

Beyond the standard “Windows security things”, there are legacy and often unused components that linger and are carried forward from earlier Windows versions that are often no longer needed, but kept for compatibility reasons. This post covers many of these as well as other good security practices and configuration.

Obviously, you should move to the most recent version of Windows and rapidly deploy security patches when they are available.
The following items are recommended for deploying a secure Windows workstation baseline, though test first since some of these may break things.

Securing Windows Workstation:

Deploying Free/Near-Free Microsoft Tools to Improve Windows Security
- Deploy Microsoft AppLocker to lock down what can run on the system.
- Deploy current version of EMET with recommended software settings.
- Deploy LAPS to manage the local Administrator (RID 500) password.
- Force Group Policy to reapply settings during “refresh”
Disable Windows Legacy & Typically Unused Features
- Disable Net Session Enumeration (NetCease)
- Disable WPAD
- Disable LLMNR
- Disable Windows Browser Protocol
- Disable NetBIOS
- Disable Windows Scripting Host (WSH) & Control Scripting File Extensions
- Deploy security back-port patch (KB2871997).
- Prevent local Administrator (RID 500) accounts from authenticating over the network
- Ensure WDigest is disabled
- Remove SMB v1 support
Windows 10 & Windows 2016
- Windows 10 & 2016 System Image Configuration
- Block Untrusted Fonts
- Enable Credential Guard
- Configure Device Guard
Application Security Settings
- Disable Microsoft Office Macros
- Disable Microsoft Office OLE
Additional Group Policy Security Settings
- Configure Lanman Authentication to a secure setting
- Configure restrictions for unauthenticated RPC clients
- Configure NTLM session security

Read the rest of this entry »

Tags: AppLocker, block macros, Block macros from running in Office files from the Internet, cmd, Control Local Administrator Account, Control Macros, DHCP option 43 hex 0104.0000.0002, Direct hosting of SMB over TCP/IP, Disable LLMNR, Disable NetBIOS, Disable NetSession Enumeration, Disable PowerShell version 2, Disable SMB 1, Disable Windows Scripting Host (WSH), Disable WPAD, EMET, Group Policy, jscript, KB2871997, KB3177451, Lanman Authentication, LAPS, LLMNR, Microsoft Office Macro Security, Microsoft Office Macros, mimikatz, NetCease, NTLM session security, Office 2013 macro, Office 2016 macro security, Office OLE, OLE, packager.dll, port 445, Responder, RID 500, Secure Windows Workstation, Server Message Block, SMB, Telemetry Dashboard, VBA, VBScript, WDigest, Windows 10 build image, WPAD, wscript

6 comments

Oct 18

BSides DC (2016) Talk – PowerShell Security: Defending the Enterprise from the Latest Attack Platform

Categories:

Microsoft Security

by Sean Metcalf

This Saturday at BSides DC, I am presenting on the current state of PowerShell security in a talk called, “PowerShell Security: Defending the Enterprise from the Latest Attack Platform.”

I cover some of the information I’ve posted here before:

On Saturday, October 21st, 2016, I am speaking at BSides DC in Track 2 (“Grand Central”) at 1:30pm.

Here’s the talk description from the BSides DC website:

PowerShell is a boon to administrators, providing command consistency and the ability to quickly gather system data and set configuration settings. However, what can be used to help, can also be used for less altruistic activities. Attackers have recently learned that leveraging PowerShell provides simple bypass methods for most defenses and a platform for initial compromise, recon, exploitation, privilege escalation, data exfiltration, and persistence.

With the industry shift to an “Assume Breach” mentality, it’s important to understand the impact of defending against an attacker on the internal network since this is a major shift from the traditional defensive paradigm. In its default configuration, there’s minimal PowerShell logging and nothing to slow an attacker’s activities. Many organizations seek to block the PowerShell executable to stop attacks. However, blocking PowerShell.exe does not stop PowerShell execution and can provide a false sense of security. Simply put, don’t block PowerShell, embrace it. The key is monitoring PowerShell usage to enable detection of recon and attack activity. As attack tools like PowerSploit (Invoke-Mimikatz) and the recently released PowerShell Empire become more prevalent (and more commonly used), it’s more important than ever to understand the full capabilities of PowerShell as an attack platform as well as how to effectively detect and mitigate a variety of PowerShell attack methods.

The presentation walks the audience through the evolution of PowerShell as an attack platform and shows why a new approach to PowerShell attack defense is required. PowerShell recon & attack techniques are shown as well as methods of detection & mitigation. Also covered are the latest methods to bypass and subvert PowerShell security measures including PowerShell v5 logging, constrained language mode, and Windows 10’s AMSI anti-malware for scanning PowerShell code in memory.The final part of the presentation explains why PowerShell version 5 should be every organization’s new baseline version of PowerShell due to new and enhanced defensive capability.

This talk is recommended for anyone tasked with defending and testing the defenses for an organization as well as system administrators/engineers.

This presentation outlines that capability of the current PowerShell version and how current attacks are leveraging PowerShell, including how current PowerShell security (& logging) can be bypassed!
The talk wraps up with a summary of the defensive recommendations provided throughout the presentation.

For the curious, here’s an outline of the talk*:

Read the rest of this entry »

Tags: BSidesDC Presentation, Detect PowerShell attacks, PowerShell logging, PowerShell Security, PowerShell v5, Presentation

Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…

Scanning for Active Directory Privileges & Privileged Accounts

AD Reading: Windows Server 2016 Active Directory Features

BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting

Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY

Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot

Attack Methods for Gaining Domain Admin Rights in Active Directory

The Most Common Active Directory Security Issues and What You Can Do to Fix Them

AD Reading: Windows Server 2016 Active Directory Features

BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting

Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY

Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot

Detecting Kerberoasting Activity

Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting

BSides DC (2016) Talk – PowerShell Security: Defending the Enterprise from the Latest Attack Platform

Recent Posts

Trimarc Active Directory Security Services

Popular Posts

Categories

Copyright

Copyright