This week at DEF CON 23, I will be speaking about Active Directory attack & defense in my talk “Red vs Blue: Modern Active Directory Attacks & Defense”. This is the 4th iteration of this talk and includes the latest updates to attack methods and defensive strategies.This DEF CON version has a new segment I call “Sneaky AD Persistence” which covers difficult to detect methods an attacker could retain Domain Admin level access after having admin rights on a Domain Controller for 5 minutes.
Kerberos “Golden Tickets” were unveiled by Alva “Skip” Duckwall & Benjamin Delpy in 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can’t be detected, right?
This talk explores the latest Active Directory attack vectors and describes how Golden Ticket usage can be detected. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage.
Skip the fluff and dive right into the technical detail describing the latest methods for gaining and maintaining administrative access in Active Directory, including some sneaky AD persistence methods. Also covered are traditional security measures that work (and ones that don’t) as well as the mitigation strategies that disrupts the attacker’s preferred game-plan. Prepare to go beyond “Pass-the-Hash” and down the rabbit hole.
Some of the topics covered:
- Sneaky persistence methods attackers use to maintain admin rights.
- How attackers go from zero to (Domain) Admin
- MS14-068: the vulnerability, the exploit, and the danger.
- “SPN Scanning” with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.).
- Exploiting weak service account passwords as a regular AD user.
- Mimikatz, the attacker’s multi-tool.
- Using Silver Tickets for stealthy persistence that won’t be detected (until now).
- Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network.
- Detecting offensive PowerShell tools like Invoke-Mimikatz.
- Active Directory attack mitigation.
Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication identifying the areas useful for attack. Information presented is useful for both Red Team & Blue Team members.
While the primary components of this talk are similar to my Black Hat presentation two days earlier, key differences are in bold.
DEF CON talk outline:
- From PowerSploit to Empire: modern PowerShell attack tools.
- SPN Scanning: service discovery without network port scanning
- Cracking service account passwords as a domain user (with no elevated permissions).
- Group Policy Preferences – detecting credential theft from GPP
- Several methods showing how attackers go from domain user to domain admin.
- Converting an NTLM password hash to a Kerberos ticket (no need to Pass-the-Hash).
- The one vulnerability to rule them all! (AD domains).
- Sneaky AD Persistence Tricks
- How my security research made Golden Tickets more powerful.
- Silver Tickets can be more dangerous than Golden Tickets.
- Forging Trust Tickets to expand access.
- Detecting forged tickets.
- Detecting/mitigating PowerShell attacks.
- PowerShell v5 security enhancements
- Active Directory defense and mitigation techniques that work.
- Advanced attack detection – how to detect these current threats without relying on event logs.
- Windows 10 architecture updates that can prevent/mitigate against credential theft
Trimarc helps companies and organizations improve their security to better protect against and detect attacks.
Visit TrimarcSecurity.com for more information.