Active Directory Security

Gathering AD Data with the Active Directory PowerShell Module

Microsoft provided several Active Directory PowerShell cmdlets with Windows Server 2008 R2 (and newer) which greatly simplify tasks which previously required putting together lengthy lines of code involving ADSI. On a Windows client, install the Remote Sever Administration Tools (RSAT) and ensure the Active Directory PowerShell module is installed. On a Windows server (2008 R2 …

View full post

Beyond Domain Admins – Domain Controller & AD Administration

Active Directory has several levels of administration beyond the Domain Admins group. In a previous post, I explored: “Securing Domain Controllers to Improve Active Directory Security” which explores ways to better secure Domain Controllers and by extension, Active Directory. For more information on Active Directory specific rights and permission review my post “Scanning for Active …

View full post

Scanning for Active Directory Privileges & Privileged Accounts

Active Directory Recon is the new hotness since attackers, Red Teamers, and penetration testers have realized that control of Active Directory provides power over the organization. I covered ways to enumerate permissions in AD using PowerView (written by Will @harmj0y) during my Black Hat & DEF CON talks in 2016 from both a Blue Team …

View full post

AD Reading: Windows Server 2016 Active Directory Features

The following are useful resources for Windows Server 2016 Active Directory Features. Windows 2016 Features What’s New in Windows 2016 Active Directory Windows Server 2016 AD Functional Level Privileged Access Management (PAM) Windows 2016 PAM Shadow Security Principals (temporary group membership) Azure AD Join Windows 2016 Azure AD Join Microsoft Hello …

View full post

BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting

I recently presented my talk “Detecting the Elusive: Active Directory Threat Hunting” at BSides Charm in Baltimore, MD. Slides are now posted in the Presentations section. I cover some of the information I’ve posted here before: PowerShell Security Detecting Kerberoasting: Part 1 and Part 2 On Sunday, April 30th, 2017, I spoke at BSides Charm in …

View full post

Gathering AD Data with the Active Directory PowerShell Module Beyond Domain Admins – Domain Controller & AD Administration Scanning for Active Directory Privileges & Privileged Accounts AD Reading: Windows Server 2016 Active Directory Features BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting

Jan 01

Attack Methods for Gaining Domain Admin Rights in Active Directory

Categories:

ActiveDirectorySecurity, Microsoft Security, Technical Reference

by Sean Metcalf

There are many ways an attacker can gain Domain Admin rights in Active Directory. This post is meant to describe some of the more popular ones in current use. The techniques described here “assume breach” where an attacker already has a foothold on an internal system and has gained domain user credentials (aka post-exploitation).

The unfortunate reality for most enterprises, is that it often does not take long from an attacker to go from domain user to domain admin. The question on defenders’ minds is “how does this happen?”.

The attack frequently starts with a spear-phishing email to one or more users enabling the attacker to get their code running on a computer inside the target network. Once the attacker has their code running inside the enterprise, the first step is performing reconnaissance to discover useful resources to escalate permissions, persist, and of course, plunder information (often the “crown jewels” of an organization).

While the overall process detail varies, the overall theme remains:

Malware Injection (Spear-Phish, Web Exploits, etc)
Reconnaissance (Internal)
Credential Theft
Exploitation & Privilege Escalation
Data Access & Exfiltration
Persistence (retaining access)

We start with the attacker having a foothold inside the enterprise, since this is often not difficult in modern networks. Furthermore, it is also typically not difficult for the attacker to escalate from having user rights on the workstation to having local administrator rights. This escalation can occur by either exploiting an unpatched privilege escalation vulnerability on the system or more frequently, finding local admin passwords in SYSVOL, such as Group Policy Preferences.

I spoke about most of these techniques when at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON, & DerbyCon).

I also covered some of these issues in the post “The Most Common Active Directory Security Issues and What You Can Do to Fix Them“.

Read the rest of this entry »

Tags: ActiveDirectory, administratorpassword, AESprivatekey, AESsharedsecret, cpassword, CredentialTheft, CredentialTheftShuffle, DomainAdmins, DomainController, DumpCredentiasls, DumpLSASS, EnterpriseAdmins, Get-GPPPassword, GoldenTickets, GPP, GroupPolicyPreferences, groups.xml, IFM, InstallFromMedia, KB2962486, KB3011780, Kekeo, Kerberoast, Kerberos, KerberosHacking, LAPS, lateralmovement, localadministratoraccountpassword, LSASS, LSASSDumpFile, MicrosoftLAPS, mimikatz, MS14068, ms14068.exe, MS14068Exploit, MSDN, ntds.dit, PAWS, Persistence, PowerSploit, PyKEK, RC4_HMAC_MD5, RDP, RunAs, scheduledtasks.xml, separateAdminWorkstation, ServicePrincipalName, Services.xml, SPN, systemcompromise, SYSVOL, TGS, TGSCracking, TGT, xml

2 comments

Oct 14

The Most Common Active Directory Security Issues and What You Can Do to Fix Them

Categories:

ActiveDirectorySecurity, Microsoft Security, Technical Reference

by Sean Metcalf

The past couple of years of meeting with customers is enlightening since every environment, though unique, often has the same issues. These issues often boil down to legacy management of the enterprise Microsoft platform going back a decade or more.

I spoke about Active Directory attack and defense at several security conferences this year including BSides, Shakacon, Black Hat, DEF CON, and DerbyCon. These talks include information about how to best protect the Active Directory enterprise from the latest, and most successful, attack vectors.

While the threats have changed over the past decade, the way systems and networks are managed often have not. We continue with the same operations and support paradigm despite the fact that internal systems are compromised regularly. We must embrace the new reality of “Assume Breach.”

Assume breach means that we must assume that an attacker has control of a computer on the internal network and can access the same resources the users who have recently logged on to that computer has access to.
Note that when I describe risks and mitigations of Active Directory,this includes overall enterprise configuration.

Here are some of the biggest AD security issues (as I see them). This list is not complete, but reflects common enterprise issues.
I continue to find many of these issues when I perform Active Directory Security Assessments for organizations.

Read the rest of this entry »

Tags: ActiveDirectoryAttack, ActiveDirectoryDefense, ActiveDirectorySecurity, CommonSecurityIssues, DomainControllerSecurity, EnterpriseSecurity

Aug 11

Gathering AD Data with the Active Directory PowerShell Module

Categories:

PowerShell, Technical Reference

by Sean Metcalf

On a Windows client, install the Remote Sever Administration Tools (RSAT) and ensure the Active Directory PowerShell module is installed.

On a Windows server (2008 R2 or newer), run the following commands in a PowerShell console (as an Adminsitrator):

Import-Module ServerManager ; Add-WindowsFeature RSAT-AD-PowerShell

Here’s my (poor) ADSI example:

$UserID = “JoeUser”
$root = [ADSI]''
$searcher = new-object System.DirectoryServices.DirectorySearcher($root)
$searcher.filter = "(&(objectClass=user)(sAMAccountName= $UserID))"
$user = $searcher.findall()
$user

Here’s the same thing with the AD PowerShell cmdlet:

Import-module ActiveDirectory
$UserID = “JoeUser”
Get-ADUser $UserID –property *

Note that with PowerShell version 3 and newer, you don’t need to run the first line since Powershell will identify the necessary module and auto load it.

Once you have the Active Directory PowerShell module loaded, you can do cool stuff like browse AD like a file system

Finding Useful Commands (Cmdlets):

Discover available PowerShell modules: Get-Module -ListAvailable

Discover cmdlets in a PowerShell module: Get-Command -module ActiveDirectory

PowerShell AD Module Cmdlets:

Windows Server 2008 R2: 76 cmdlets
Windows Server 2012: 135 cmdlets
Windows Server 2012 R2: 147 cmdlets
Windows Server 2016: 147 cmdlets

(Get-Command -module ActiveDirectory).count

Finding Active Directory Flexible Master Single Operation (FSMO) Roles:

Active Directory Module:

```
(Get-ADForest).SchemaMaster
```
```
(Get-ADForest).DomainNamingMaster
```
```
(Get-ADDomain).InfrastructureMaster
```
```
(Get-ADDomain).PDCEmulator
```
```
(Get-ADDomain).RIDMaster
```

.NET Calls:

([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).SchemaRoleOwner

([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).NamingRoleOwner

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).InfrastructureRoleOwner

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).RidRoleOwner

Active Directory PowerShell Module Cmdlet Examples:

Read the rest of this entry »

Tags: Active Directory PowerShell Module, Active Directory Trusts, AD cmdlets, AD PowerShell cmdlets, Add-WindowsFeature RSAT-AD-PowerShell, ADSI, Backup domain GPOs, Enumerate Domain Trusts, Find AD Kerberos Service Accounts, Finding Active Directory Flexible Master Single Operation (FSMO) Roles, Get AD site information., Get-ADComputer, Get-ADDomain, Get-ADDomainController, Get-ADForest, Get-ADGroup, Get-ADGroupMember, Get-ADReplicationPartnerFailure, Get-ADReplicationPartnerMetadata, Get-ADReplicationUptodatenessVectorTable, Get-ADUser, Get-Command -module ActiveDirectory, Get-Module -ListAvailable, Get-RootDSE, Import-Module ServerManager, Inventory Domain Controllers, PowerShell, PowerShell Find inactive computers, PowerShell Find inactive users

4 comments

Aug 10

Beyond Domain Admins – Domain Controller & AD Administration

Categories:

ActiveDirectorySecurity, Microsoft Security, Technical Reference

by Sean Metcalf

This post provides information on how Active Directory is typically administered and the associated roles & rights.

Domain Admins is the AD group that most people think of when discussing Active Directory administration. This group has full admin rights by default on all domain-joined servers and workstations, Domain Controllers, and Active Directory. It gains admin rights on domain-joined computers since when these systems are joined to AD, the Domain Admins group is added to the computer’s Administrators group.
Enterprise Admins is a group in the forest root domain that has full AD rights to every domain in the AD forest. It is granted this right through membership in the Administrators group in every domain in the forest.
Administrators in the AD domain, is the group that has default admin rights to Active Directory and Domain Controllers and provides these rights to Domain Admins and Enterprise Admins, as well as any other members.
Schema Admins is a group in the forest root domain that has the ability to modify the Active Directory forest schema.

Since the Administrators group is the domain group that provides full rights to AD and Domain Controllers, it’s important to monitor this group’s membership (including all nested groups). The Active Directory PowerShell cmdlet “Get-ADGroupMember” can provide group membership information.

Default groups in Active Directory often have extensive rights – many more than typically required. For this reason, we don’t recommend using these groups for delegation. Where possible, perform custom delegation to ensure the principle of least privilege is followed. The following groups should have a “DC” prefix added to them since the scope applies to Domain Controllers by default. Furthermore, they have elevated rights on Domain Controllers and should be considered effectively Domain Controller admins.

Backup Operators is granted the ability to logon to, shut down, and perform backup/restore operations on Domain Controllers (assigned via the Default Domain Controllers Policy GPO). This group cannot directly modify AD admin groups, though associated privileges provides a path for escalation to AD admin. Backup Operators have the ability to schedule tasks which may provide an escalation path. They also are able to clear the event logs on Domain Controllers.
Print Operators is granted the ability to manage printers and load/unload device drivers on Domain Controllers as well as manage printer objects in Active Directory. By default, this group can logon to Domain Controllers and shut them down. This group cannot directly modify AD admin groups.
Server Operators is granted the ability to logon to, shut down, and perform backup/restore operations on Domain Controllers (assigned via the Default Domain Controllers Policy GPO). This group cannot directly modify AD admin groups, though associated privileges provides a path for escalation to AD admin.

To a lesser extend, we’ll group Remote Desktop Users into this category as well.

Remote Desktop Users is a domain group designed to easily provide remote access to systems. In many AD domains, this group is added to the “Allow log on through Terminal Services” right in the Default Domain Controllers Policy GPO providing potential remote logon capability to DCs.

We also see that many times the following is configured via GPO linked to the Domain Controllers OU:

Remote Desktop Users: granted “Allow log on through Terminal Services” right via Group Policy linked to the Domain Controllers OU.
Server Operators: granted “Allow log on through Terminal Services” right via Group Policy linked to the Domain Controllers OU.
Server Operators: granted “Log on as a batch job” right via GPO providing the ability to schedule tasks.

Review the GPOs linked to the Domain and the Domain Controllers OU and ensure the GPO settings are appropriate.
We often find that a servers GPO is also linked to the Domain Controllers OU and it adds a “Server Admins” group to the local Administrators group. Since Domain Controllers don’t have a “local” Administrators group, the DC updates the domain Administrators group by adding Server Admins. This scenario makes all members of Server Admins Active Directory admins.

Any group/account granted logon locally rights to Domain Controllers should be scrutinized.

Server Operators & Backup Operators have elevated rights on Domain Controllers and should be monitored. The Active Directory PowerShell cmdlet “Get-ADGroupMember” can provide group membership information.

Other default groups with elevated rights:

Read the rest of this entry »

Tags: Active Directory Admins, Active Directory groups, Active Directory Security, ActiveDirectory, AD Administrators, AD Admins, AD Security, allow log on locally, Back-up files & directories, Backup Operators, Builtin, DC rights, DCSync, Default AD groups, Default Domain Controller Policy, domain Administrators group, Domain Admins, Domain Controller, Domain Controller groups, Domain Controller rights, Enable computer and user accounts to be trusted for delegation, Force shutdown from a remote system, Get-ADGroupMember, Log on as a batch job, Log on as a service, Manage auditing and security log, Print Operators, Remote Desktop users, Restore files & directories, Schema Admins, Server Operators, Synchronize directory service data

1 comment

Jun 14

Scanning for Active Directory Privileges & Privileged Accounts

Categories:

ActiveDirectorySecurity, Microsoft Security

by Sean Metcalf

Active Directory Recon is the new hotness since attackers, Red Teamers, and penetration testers have realized that control of Active Directory provides power over the organization.

I covered ways to enumerate permissions in AD using PowerView (written by Will @harmj0y) during my Black Hat & DEF CON talks in 2016 from both a Blue Team and Red Team perspective.

This post details how privileged access is delegated in Active Directory and how best to discover who has what rights and permissions in AD. When we perform an Active Directory Security Assessment for customers, we review all of the data points listed in this post, including the privileged groups and the rights associated with them by fully interrogating Active Directory and mapping the associated permissions to rights and associating these rights to the appropriate groups (or accounts).

I have had this post in draft for a while and with Bloodhound now supporting AD ACLs (nice work Will @harmj0y & Andy @_Wald0!), it’s time to get more information out about AD permissions. Examples in this post use the PowerView PowerShell cmdlets.

Active Directory Privileged Access

The challenge is often determining what access each group actually has. Often the full impact of what access a group actually has is not fully understood by the organization. Attackers leverage access (though not always privileged access) to compromise Active Directory.

The key point often missed is that rights to Active Directory and key resources is more than just group membership, it is the combined rights the user has which is made up of:

Active Directory group membership.
AD groups with privileged rights on computers
Delegated rights to AD objects by modifying the default permissions (for security principals, both direct and indirect).
Rights assigned to SIDs in SIDHistory to AD objects.
Delegated rights to Group Policy Objects.
User Rights Assignments configured on workstations, servers, and Domain Controllers via Group Policy (or Local Policy) defines elevated rights and permissions on these systems.
Local group membership on a computer or computers (similar to GPO assigned settings).
Delegated rights to shared folders.

Read the rest of this entry »

Tags: Account Operators, Active Directory permissions, Active Directory PRivileged Access, Active Directory Security, AD, AD ACLs, AD Delegation, AD groups in Local Groups, AD Security, AdminSDHolder, Allow logon locally, Allow logon over Remote Desktop Services, Backup Operators, Bloodhound, Create GPO rights, CreateChild, DCSync, DeleteChild, Domain Admins, Enable computer and user accounts to be trusted for delegation, Enterprise Admins, Extended Right, Full Control, GenericAll, GenericWrite, GPO, Greoup Policy Delegation, Group Membership, Group Policy Object, Group Policy Permission, Impersonate a client after authentication, Link GPO rights, Manage auditing and security log, Manage Group Policy link, PowerView, Print Operators, Replicating Directory Changes All, Restricted Groups, S-1-5--512, S-1-5--517, S-1-5--520, S-1-5-21--1102, S-1-5-21--519, S-1-5-21--525, S-1-5-21--571, S-1-5-32--574, S-1-5-32-544, S-1-5-32-548, S-1-5-32-550, S-1-5-32-551, S-1-5-32-554, S-1-5-32-562, S-1-5-32-573, S-1-5-32-578, SACL, Schema Admins, SDDL, SDProp, Self, SeMachineAccountPrivilege, SeNetworkLogonRight, SeTcbPrivilege, SeTrustedCredManAccessPrivilege, SIDHistory, Synchronize directory service data, User Rights Assignments, Validated Write, WriteDACL, WriteOwner, WritePRoperty

2 comments

May 30

AD Reading: Windows Server 2016 Active Directory Features

Categories:

Technical Reference

by Sean Metcalf

The following are useful resources for Windows Server 2016 Active Directory Features.

Windows 2016 Features

Privileged Access Management (PAM)

Azure AD Join

Windows 2016 Azure AD Join

Microsoft Hello for Business (formerly Microsoft Passport)

Windows 2016 – Hello for Business

This post has no tag

May 01

BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting

Categories:

ActiveDirectorySecurity, Security Conference Presentation/Video

by Sean Metcalf

I recently presented my talk “Detecting the Elusive: Active Directory Threat Hunting” at BSides Charm in Baltimore, MD.
Slides are now posted in the Presentations section.

I cover some of the information I’ve posted here before:

PowerShell Security
Detecting Kerberoasting: Part 1 and Part 2

On Sunday, April 30th, 2017, I spoke at BSides Charm in Track 2 at 2pm.

Here’s the talk description from the BSides Charm website:

Detecting the Elusive: Active Directory Threat Hunting
Attacks are rarely detected even after months of activity. What are defenders missing and how could an attack by detected?

This talk covers effective methods to detect attacker activity using the features built into Windows and how to optimize a detection strategy. The primary focus is on what knobs can be turned and what buttons can be pushed to better detect attacks.

One of the latest tools in the offensive toolkit is “”Kerberoast”” which involves cracking service account passwords offline without admin rights. This attack technique is covered at length including the latest methods to extract and crack the passwords. Furthermore, this talk describes a new detection method the presenter developed.

The attacker’s playbook evolves quickly, defenders need to stay up to speed on the latest attack methods and ways to detect them. This presentation will help you better understand what events really matter and how to better leverage Windows features to track, limit, and detect attacks

This presentation covers the type of log data required to properly

For the curious, here’s an outline of the talk:

Read the rest of this entry »

Tags: Active Directory, Command Logging, Domain Controllers, Event logging, Microsoft WEF, PowerShell logging, Presentation, Sp4rkCon, Sysinternals SysMon

May 01

Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY

Categories:

ActiveDirectorySecurity, Security Conference Presentation/Video

by Sean Metcalf

I recently presented my talk “Active Directory Security: The Good, the Bad, & the UGLY” at Sp4rkCon in Bentonville, AR in April 2017.
Slides are now posted in the Presentations section.

I cover some of the information I’ve posted here before:

PowerShell Security
Detecting Kerberoasting: Part 1 and Part 2

Here’s the talk description:

Active Directory Security:The Good, the Bad, & the UGLY

While security of the enterprise has been laid bare for years, exploitation techniques targeting Active Directory were relatively rare. In recent years, attackers have focused on more than passing hashes and getting Domain Admin. From SPN Scanning for services to Kerberoasting for credentials to Golden Tickets for persistence, there are multiple methods for attacking Active Directory. Active Directory is the primary identity and management infrastructure for most enterprises and properly securing the AD forest has never been more important.

Some of the topics covered:

* PowerShell attacks

* Active Directory recon

* Credential theft

* Kerberos delegation

This talk is an update of Sean’s talk from 2015 entitled: “Red vs. Blue:
Modern Active Directory Attacks & Defense” where he covered various attack methods and related mitigation. This update explores the current attack techniques and the latest detection.

The presented Information is useful for both Red & Blue Team members.

This presentation is a remix of talks I did last year with some additional information mixed in. New to this talk is coverage of Kerberos delegation issues (not just unconstrained) and how to detect Kerberoasting.

For the curious, here’s an outline of the talk:

Read the rest of this entry »

Tags: Active Directory recon, AD admin tiers, Credential theft, Kerberoasting detection, Kerberos Delegation, PowerShell logging, Secure AD administration

Feb 08

Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot

Categories:

ActiveDirectorySecurity, Microsoft Security, Technical Reference

by Sean Metcalf

In my previous post, “Detecting Kerberoasting Activity” I explain how Kerberoasting works and describe how to detect potential Kerberoasting activity. The trick to this is understanding what activity is normal in order to filter out the noise and increase the fidelity of the alert.

This post describes how to filter from millions of events to a single one to detect Kerberoasting activity.

Read the rest of this entry »

Tags: AP-REQ, Audit Kerberos Service Ticket Operations, Detect Kerberoast Activity, Detecting Kerberoast activity, Event ID 4769, Kerberoast honeypot, Kerberoasting activity, Kerberos RC4 Encryption, Kerberos Service Ticket, Kerberos TGS, Kerberos TGS Ticket, NTLM Password, RC4_HMAC_MD5, service account honeypot, TGS-REP, TGS-REQ

Feb 05

Detecting Kerberoasting Activity

Categories:

ActiveDirectorySecurity, Hacking, Microsoft Security, Technical Reference

by Sean Metcalf

Introduction

Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create poor passwords. The reason why this attack is successful is that most service account passwords are the same length as the domain password minimum (often 10 or 12 characters long) meaning that even brute force cracking doesn’t likely take longer than the password maximum password age (expiration). Most service accounts don’t have passwords set to expire, so it’s likely the same password will be in effect for months if not years. Furthermore, most service accounts are over-permissioned and are often members of Domain Admins providing full admin rights to Active Directory (even when the service account only needs to modify an attribute on certain object types or admin rights on specific servers).

Tim Medin presented on this at DerbyCon 2014 in his “Attacking Microsoft Kerberos Kicking the Guard Dog of Hades” presentation (slides & video) where he released the Kerberoast Python TGS cracker.

This is a topic we have covered in the past in the posts “Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain” & “Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting.”
Also Will Schroeder, aka Will Harmjoy (@harmj0y), and I spoke at DerbyCon 2016 about how to Kerberoast to escalate privileges.

Note: This attack will not be successful when targeting services hosted by the Windows system since these services are mapped to the computer account in Active Directory which has an associated 128 character password which won’t be cracked anytime soon.

Let’s quickly cover how Kerberos authentication works before diving into how Kerberoasting works and how to detect Kerberoast type activity.

Read the rest of this entry »

Tags: AP-REQ, Audit Kerberos Service Ticket Operations, Detect Kerberoast Activity, Detecting Kerberoast activity, Event ID 4769, Kerberoasting Active Directory, Kerberoasting activity, Kerberos RC4 Encryption, Kerberos Service Ticket, Kerberos TGS, Kerberos TGS Ticket, KerberosRequestorSecurityToken, NTLM Password, PowerShell Kerberoast, RC4_HMAC_MD5, TGS-REP, TGS-REQ

Jan 29

Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting

Categories:

ActiveDirectorySecurity, Microsoft Security, Technical Reference

by Sean Metcalf

The content in this post describes a method through which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes.

Complete list of Sneaky Active Directory Persistence Tricks posts

This post explores how an attacker could leverage existing admin rights and/or over-permissive delegation to gain persistence on an admin account or accounts..

Any account with a Service Principal Name can be Kerberoasted. It’s possible with the appropriate rights to add SPNs to accounts, including admin accounts, to discover the password for those accounts in order to gain/re-gain access to the account.

Read the rest of this entry »

Tags: AD Sneaky Persistence, attacking kerberos, Kerberoast, kerberoasting, Kerberos attack, Kerberos Ticket Cracking, KerberosRequestorSecurityToken, PowerShell Kerberoasting, RC4 TGS ticket, service principal name, sneaky persistence tricks, SPN, System.IdentityModel, TGS cracking, Write ServicePrincipalName

Nov 03

Securing Domain Controllers to Improve Active Directory Security

Categories:

ActiveDirectorySecurity, Microsoft Security, Technical Reference

by Sean Metcalf

Active Directory security effectively begins with ensuring Domain Controllers (DCs) are configured securely. At BlackHat USA this past Summer, I spoke about AD for the security professional and provided tips on how to best secure Active Directory. This post focuses on Domain Controller security with some cross-over into Active Directory security. The blog is called ADSecurity after all… 😉

This post covers some of the best methods to secure Active Directory by securing Domain Controllers in the following sections:

Default Domain & Domain Controller Policies
Creating Domain & Domain Controller Security Baseline GPOs
Patching Domain Controllers
Protecting Domain Controllers
Domain Controller Recommended Group Policy Settings
Configuring Domain Controller Auditing (Event Logs)
Domain Controller Events to Monitor (Event Logs)
Key Domain Controller Security Items

As with any major change to infrastructure, please test before deploying changes.

Read the rest of this entry »

Tags: 31B2F340-016D-11D2-945F-00C04FB984F9, 6AC1786C-016F-11D2-945F-00C04FB984F9, Active Directory Best Practices analyzer, Active Directory Security, Active Directory security best practices, Audit: Force audit policy subcategory settings, Configuring Domain Controller Auditing, Default Domain Controllers Policy, Default Domain Policy GPO, Domain Controller security, domain password policy, Enable LSA Protection, Enable NTLM Auditing, Event Logs, Fine-Grained Password Policy, GPMC, Group Policy Management Console, HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential, KB2871997, Key Domain Controller Security Items, LAN Manager authentication level, LSA Protection, Lsass.exe audit mode, Microsoft domain controller auditing, Microsoft SCM Domain Controller Security Compliance Policy, Microsoft SCM Domain Security Compliance Policy, Microsoft Security Compliance Manager, Minimum password age, Patching Domain Controllers, Protecting Domain Controllers, Recommended Group Policy Settings, Require 128-bit encryption, Require NTLMv2 session security, Require strong (Windows 2000 or later) session key, SCM, secure Active Directory, Securing Active Directory, Security Compliance, Send NTLMv2 response only. Refuse LM & NTLM, SYSVOL, User Rights Assignments, WDigest Authentication, Windows Server 2012 R2, Windows Server 2016

4 comments

Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…

Gathering AD Data with the Active Directory PowerShell Module

Beyond Domain Admins – Domain Controller & AD Administration

Scanning for Active Directory Privileges & Privileged Accounts

AD Reading: Windows Server 2016 Active Directory Features

BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting

Attack Methods for Gaining Domain Admin Rights in Active Directory

The Most Common Active Directory Security Issues and What You Can Do to Fix Them

Gathering AD Data with the Active Directory PowerShell Module

Beyond Domain Admins – Domain Controller & AD Administration

AD Reading: Windows Server 2016 Active Directory Features

BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting

Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY

Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot

Detecting Kerberoasting Activity

Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting

Recent Posts

Trimarc Active Directory Security Services

Popular Posts

Categories

Copyright

Copyright