Category: Technical Reference

There’s Something About Service Accounts

Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges (“just make it work”). We can discover service accounts by looking for user accounts with Kerberos Service Principal Names (SPNs) which I …

Continue reading

Mitigating Exchange Permission Paths to Domain Admins in Active Directory

This article is a cross-post from TrimarcSecurity.comOriginal article: https://www.trimarcsecurity.com/single-post/2019/02/12/Mitigating-Exchange-Permission-Paths-to-Domain-Admins-in-Active-Directory The Issue Recently a blog post was published by Dirk-jan Mollema titled “Abusing Exchange: One API call away from Domain Admin ” (https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/)which highlighted several issues with Exchange permissions and a chained attack which would likely result in a regular user with a mailbox being able to …

Continue reading

From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration

It’s been almost 1.5 years since the Medium post by Shay Ber was published that explained how to execute a DLL as SYSTEM on a Domain Controller provided the account is a member of DNSAdmins. I finally got around to posting here since many I speak with aren’t aware of this issue. Shay describes this …

Continue reading

Securing Microsoft Active Directory Federation Server (ADFS)

Many organizations are moving to the cloud and this often requires some level of federation. Federation, put simply, extends authentication from one system (or organization) to another. Gerald Steere (@Darkpawh) and I spoke about cloud security at DEF CON in July 2017. Presentation slides and video are here: “Hacking the Cloud” One of the key …

Continue reading

Beyond Domain Admins – Domain Controller & AD Administration

Active Directory has several levels of administration beyond the Domain Admins group. In a previous post, I explored: “Securing Domain Controllers to Improve Active Directory Security” which explores ways to better secure Domain Controllers and by extension, Active Directory. For more information on Active Directory specific rights and permission review my post “Scanning for Active …

Continue reading

AD Reading: Windows Server 2016 Active Directory Features

The following are useful resources for Windows Server 2016 Active Directory Features.   Windows 2016 Features What’s New in Windows 2016 Active Directory Windows Server 2016 AD Functional Level   Privileged Access Management (PAM) Windows 2016 PAM Shadow Security Principals (temporary group membership)   Azure AD Join Windows 2016 Azure AD Join   Microsoft Hello …

Continue reading

Detecting Kerberoasting Activity

Introduction Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create poor passwords. The reason why this attack is successful is that most service account passwords are the same length …

Continue reading

Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting

The content in this post describes a method through which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes. Complete list of Sneaky Active Directory Persistence Tricks posts This post explores how an attacker could leverage existing admin rights and/or over-permissive delegation to gain persistence …

Continue reading