Next week at Black Hat USA 2015, I will be speaking about Active Directory attack & defense in my talk “Red vs Blue: Modern Active Directory Attacks Detection and Protection”. This is the 3rd iteration of this talk and includes the latest updates to attack methods and defensive strategies. I’m including lots of updates and now has at least two brand new attack methods and additional defense strategies.
I put this talk together because I saw that the conversation around breaches and compromises focuses on the malware and there seems to be an information gap. This gap exists between what happens after an attacker gains a foothold on a system inside the network (spear-phishing to get malware installed) to when they gain full Domain Admin rights. Approaching the subject from both an attack and defense perspective, I walk through the latest attack methods that the best ways to detect and defend against them. There are ways to mitigate and defend against these attacks which can prevent a full Active Directory compromise.
On Wednesday, August 5th, 2015, I am speaking at the Mandalay Bay room EF from 1:50pm to 2:40pm .
Kerberos “Golden Tickets” were unveiled by Alva “Skip” Duckwall & Benjamin Delpy in 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can’t be detected, right?
The news is filled with reports of breached companies and government agencies with little detail on the attack vectors and mitigation. This briefing discusses in detail the latest attack methods for gaining and maintaining administrative access in Active Directory. Also covered are traditional defensive security measures that work (and ones that don’t) as well as the mitigation strategies that can keep your company’s name off the front page. Prepare to go beyond “Pass-the-Hash” and down the rabbit hole.
This talk explores the latest Active Directory attack vectors and describes how Golden Ticket usage can be detected. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!
Some of the topics covered:
* How attackers go from zero to (Domain) Admin
* MS14-068: the vulnerability, the exploit, and the danger.
* “SPN Scanning” with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.).
* Exploiting weak service account passwords as a regular AD user.
* Mimikatz, the attacker’s multi-tool.
* Using Silver Tickets for stealthy persistence that won’t be detected (until now).
* Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network.
* Detecting offensive PowerShell tools like Invoke-Mimikatz.
* PowerShell v5 security enhancements
* Active Directory attack mitigation.
Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication identifying the areas useful for attack. Information presented is useful for both Red Team & Blue Team members.
For the curious, here’s an outline of my talk at Black Hat next week:
- Latest PowerShell attack tools.
- Current recon techniques.
- Cracking service account passwords as a domain user (with no elevated permissions).
- Group Policy Preferences: the issues.
- Preventing/mitigating lateral movement throughout the network.
- One method for an attacker to compromise an Active Directory domain/forest by compromising a single member server. Hint: it’s Kerberos related…
- Several methods showing how attackers go from domain user to domain admin.
- Different methods for credential theft.
Compromising a Mac (yes, a Mac) to elevate permissions.
- Converting an NTLM password hash to a Kerberos ticket (no need to Pass-the-Hash).
- The one vulnerability to rule them all! (AD domains).
- How my security research made Golden Tickets more powerful.
- Silver Tickets can be more dangerous than Golden Tickets.
- Forging Trust Tickets to expand access.
- Detecting forge tickets.
- Detecting/mitigating PowerShell attacks.
- PowerShell v5 security enhancements
- Active Directory defense and mitigation techniques that work.
- Advanced attack detection – how to detect these current threats without relying on event logs.
- Windows 10 architecture updates that can prevent/mitigate against credential theft
I look forward to speaking with lots of people next week about their challenges and how we can best protect critical data.
Later this week, I expect to have a post describing my DEF CON talk (and how it’s different than Black Hat).
Trimarc helps companies and organizations improve their security to better protect against and detect attacks.
Visit TrimarcSecurity.com for more information.