This page is a reference with security documents, posts, videos and presentations I find useful for staying up to date on current security issues and exploits.
Last Updated: May 2016
Note that this page isn’t actively updated. Visit the Attack, Defense, & Detection page for updated content.
Microsoft Enterprise & Active Directory Security Documents (& Blog Posts):
- Best Practices for Securing Active Directory (Microsoft IT) Published April 2013. (Microsoft Word document download).
- Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2 (Microsoft) (PDF document download).
- Best Practices for Delegating Active Directory Administration (Microsoft) Published November 2003. (Microsoft Word document download).
- Active Directory Domain Controller Operations Guide (Microsoft) Published September 2008. (Microsoft Word document download).
- “Admin Free” Active Directory and Windows, Part 1- Understanding Privileged Groups in AD (Blog post by Laura Robinson)
- “Admin Free” Active Directory and Windows, Part 2- Protected Accounts and Groups in Active Directory (Blog post by Laura Robinson)
- LSA (LSASS) Protection Option in Windows 8.1 & Windows Server 2012 R2 (technical article)
- Microsoft Security Compliance Manager (SCM) – Build configuration files and GPOs containing Microsoft-recommended enterprise security settings based on Microsoft security guidelines.
- Microsoft Local Administrator Password Solution (LAPS) for randomizing the local Administrator account password on all enterprise computers.
- Securing Privileged Access – protecting administrative credentials with a “Privileged Access Workstation” to mitigate Pass-the-Hash (PTH).
- Privileged Access Workstations – Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket.
- Securing Privileged Access Reference Material – covers the administrative tiers and admin forest concept.
- Microsoft Enhanced Mitigation Experience Toolkit (EMET) – EMET helps prevent application vulnerabilities from being exploited (including some 0-days). It’s a free product that effectively “wraps” popular applications so when vulnerability exploitation is attempted, the attempt is stopped at the “wrapper” and doesn’t make it to the OS.
- Microsoft AppLocker – AppLocker can be used to limit application execution to specific approved applications. There are several different phases I recommend for AppLocker:
- Phase 1: Audit Mode – audit all execution by users and the path they were run from. This logging mode provides information on what programs are run in the enterprise and this data is logged to the event log.
- Phase 2: “Blacklist Mode” – Configure AppLocker to block execution of any file in a user’s home directory, profile path, and temporary file location the user has write access to, such as c:\temp.
- Phase 3: “Folder Whitelist Mode” – Configure AppLocker to build on Phase 2 by adding new rules to only allow execution of files in specific folders such as c:\Windows and c:\Program Files.
- Phase 4: “Application Whitelisting” – Inventory all applications in use in the enterprise environment and whitelist those applications by path and/or file hash (preferably digital signature). This ensures that only approved organization applications will execute.
NOTE: Application whitelisting is not a panacea and is a journey – it takes time to build a secure enterprise and every defensive layer helps, though each layer on its own may not be enough to stop an attack.
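The following is an added example, not code from the original page or from Microsoft's AppLocker documentation, showing how the four phases above map onto a single AppLocker policy driven from PowerShell. It assumes an elevated PowerShell session on a Windows client with the AppLocker module available and the Application Identity service (AppIDSvc) running; the rule GUIDs and the `C:\Program Files\ContosoApp` inventory folder are constructed placeholders.

```powershell
# Added example (not from the original page): one AppLocker policy that follows
# the four phases above. Assumes an elevated session with the AppLocker module
# and the Application Identity service (AppIDSvc) running, which AppLocker
# requires before it audits or enforces anything.
Import-Module AppLocker

# Phases 1-3 in one policy. EnforcementMode="AuditOnly" is Phase 1: executions
# are logged to the AppLocker event log, nothing is blocked. Switching it to
# "Enabled" after the audit review turns on Phase 2 (Deny rule for the user
# profile path, which the user can write to) and Phase 3 (Allow rules only for
# %WINDIR% and %PROGRAMFILES%). Administrators keep an unrestricted Allow rule
# so a rule mistake cannot lock out remediation.
# The rule GUIDs below are constructed placeholders; they only need to be unique.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Deny execution from user profiles"
                  Description="Phase 2 blacklist" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Allow Windows folder"
                  Description="Phase 3 folder whitelist" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Allow Program Files"
                  Description="Phase 3 folder whitelist" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="44444444-4444-4444-4444-444444444444" Name="Allow Administrators everything"
                  Description="Break-glass rule" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$PolicyPath = Join-Path $env:TEMP 'applocker-phase1.xml'
$PolicyXml | Set-Content -Path $PolicyPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyPath   # local policy; use -Ldap to write into a GPO instead

# Phase 1 review: summarise what the audit log saw, grouped by launch path, so
# the Phase 4 inventory is built from observed usage rather than guesswork.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
    Group-Object -Property Path |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name

# Phase 4: generate publisher rules (falling back to hash rules for unsigned
# files) for an inventoried application folder and merge them into the policy.
# 'C:\Program Files\ContosoApp' is a constructed placeholder path.
$Phase4Path = Join-Path $env:TEMP 'applocker-phase4.xml'
Get-AppLockerFileInformation -Directory 'C:\Program Files\ContosoApp' -Recurse |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $Phase4Path -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $Phase4Path -Merge
```

Keep the collection in AuditOnly until the grouped audit output stops surfacing legitimate launch paths you have not yet covered; AppLocker evaluates Deny rules before Allow rules, so the Phase 2 rule still wins over the folder whitelist once enforcement is enabled, and the Administrators rule is the only thing standing between a bad rule and a locked machine.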
Raphael Mudge (@armitagehacker) has great resources (and videos) describing red team actions and is extremely helpful in understanding how attackers compromise an environment. While much of the content is specific to Cobalt Strike, it’s a treasure trove of red team information. Highly recommended!
http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
ADSecurity.org Active Directory Security Posts:
- The Most Common Active Directory Security Issues and What You Can Do to Fix Them
- Attack Methods for Gaining Domain Admin Rights in Active Directory
- How Attackers Dump Active Directory Database Credentials
- Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain
- Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
- MS14-068 Vulnerability, Exploitation, and Exploit Detection
- Sneaky Active Directory Persistence Tricks
- Kerberos, Active Directory’s Secret Decoder Ring
- Kerberos & KRBTGT: Active Directory’s Domain Kerberos Service Account
- Golden Tickets are Now More Golden
- How Attackers Use Kerberos Silver Tickets to Exploit Systems
- Microsoft Local Administrator Password Solution (LAPS)
- Mimikatz Guide and Command Reference
- Mimikatz DCSync Usage, Exploitation, and Detection
- Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync
- Great Active Directory Attack & Defense Resources
- Active Directory Security Risk #101: Kerberos Unconstrained Delegation
- It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts
- Windows 10 Microsoft Passport (aka Microsoft Next Generation Credential) In Detail
- Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory
- SPN Scanning – Service Discovery without Network Port Scanning
- Active Directory Pentest Recon Part 1: SPN Scanning aka Mining Kerberos Service Principal Names
- Active Directory Domain Controller Skeleton Key Malware & Mimikatz
- Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest
- PowerShell Security: Execution Policy is Not An Effective Security Strategy – How to Bypass the PowerShell Execution Policy
- Interesting Windows Computer & Active Directory Well-Known Security Identifiers (SIDs)
- Using Group Policy Preferences for Password Management = Bad Idea
- Group Policy Preferences Password Vulnerability Now Patched
- Microsoft KB2871997: Back-Porting Windows 8.1/Win2012R2 Enhanced Security & Pass The Hash Mitigation to Windows 7, Windows 8, & Windows 2008R2
- The Ultimate Movie Hacking Tool – Command Shell at Windows Logon Screen (via “StickyKeys”)
- PowerShell for Pentesters
- Black Hat USA 2014 Presentation: Investigating PowerShell Attacks
- Active Directory Domain Trusts & Trust Password Management
- Read-Only Domain Controller (RODC) Information
- Machine Account (AD Computer Object) Password Updates
- PowerShell: Using Active Directory .Net methods in PowerShell Part 1
- PowerShell: Using Active Directory .Net methods in PowerShell Part 2
- Posts on Microsoft Enhanced Mitigation Experience Toolkit (EMET) 5 & Protection Methods
- Active Directory 2012 DCPromo
- PowerShell Code: Get & Set Active Directory Tombstone Lifetime and Active Directory Delete & Recycle Operations
Sean Metcalf’s (ADSecurity.org) Active Directory Security Presentations
- DerbyCon V (2015): Red vs. Blue: Modern Active Directory Attacks & Defense Talk Detail
- DEF CON 23 (2015) Red vs Blue: Modern Active Directory Attacks & Defense Talk Detail
- Black Hat USA 2015 Red vs Blue Active Directory Attack & Defense Talk Detail
Other Great Enterprise & AD Security Resources
- Mitigating Service Account Credential Theft (Rapid 7) Published September 2014.
Microsoft Ignite 2015 Security Sessions
Windows Security Sessions:
How to Protect Your Corporate Resources from Advanced Attacks (Microsoft Advanced Threat Analytics, formerly Aorato)
https://channel9.msdn.com/Events/Ignite/2015/BRK3870
Demi Albuz, Michael Dubinsky, Benny Lakunishok, Idan Plotnik
Slides (view online)
How You Can Hack-Proof Your Clients and Servers in a Day
Hasain Alshakarti, Marcus Murray
https://channel9.msdn.com/Events/Ignite/2015/BRK2346
Hacker Tools for Ethical Hackers to Protect Windows Clients
Raymond Comvalius, Erdal Ozkaya
https://channel9.msdn.com/Events/Ignite/2015/BRK2332
Slides (view online)
Detecting the Undetectable
Roger Grimes
https://channel9.msdn.com/Events/Ignite/2015/BRK2344
Slides (view online)
Adventures in Underland: What Your System Stores on the Disk without Telling You
Paula Januszkiewicz
https://channel9.msdn.com/Events/Ignite/2015/BRK3320
Hidden Talents: Things Administrators Never Expect from Their Users Regarding Security
Paula Januszkiewicz
https://channel9.msdn.com/Events/Ignite/2015/BRK3323
The Ultimate Hardening Guide: What to Do to Make Hackers Pick Someone Else
Paula Januszkiewicz
https://channel9.msdn.com/Events/Ignite/2015/BRK3343
Black Belt Security with Windows 10
Sami Laiho
https://channel9.msdn.com/Events/Ignite/2015/BRK3336
Zero Admins – Zero Problems
Sami Laiho
https://channel9.msdn.com/Events/Ignite/2015/BRK2335
Slides (view online)
Barbarians Inside the Gates: Protecting against Credential Theft and Pass the Hash Today
Aaron Margosis, Mark Simos
https://channel9.msdn.com/Events/Ignite/2015/BRK2334
Slides (view online)
Advanced Windows Defense
Erdal Ozkaya
https://channel9.msdn.com/Events/Ignite/2015/BRK2311
Slides (view online)
Zombies in Social Networks
Erdal Ozkaya
https://channel9.msdn.com/Events/Ignite/2015/BRK2315
Slides (view online)
Modern Hardening: Lessons Learned on Hardening Applications and Services
Shawn Rabourn, Mark Simos
https://channel9.msdn.com/Events/Ignite/2015/BRK3486
Windows 10 Security Sessions:
Dropping the Hammer Down on Malware Threats with Windows 10’s Device Guard
Scott Anderson, Jeffrey Sutherland
https://channel9.msdn.com/Events/Ignite/2015/BRK2336
Slides (view online)
The End Game for Passwords and Credential Theft?
Nelly Porter
https://channel9.msdn.com/Events/Ignite/2015/BRK2333
Slides (view online)
Overview of Windows 10 for Enterprises
Jeremy Chapman, Dustin Ingalls
https://channel9.msdn.com/Events/Ignite/2015/THR0342
Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!
Chris Hallum, Dustin Ingalls
https://channel9.msdn.com/Events/Ignite/2015/BRK2306
Slides (view online)
A New Era of Threat Resistance for the Windows 10 Platform
Chris Hallum, Dustin Ingalls
https://channel9.msdn.com/Events/Ignite/2015/BRK2325
Slides (view online)
Next Generation Malware Detection with Windows Defender
Dustin Ingalls, Deepak Manohar
https://channel9.msdn.com/Events/Ignite/2015/BRK2327
Slides (view online)
Misc:
Sysinternals Primer: Ignite 2015 Edition
Aaron Margosis
https://channel9.msdn.com/Events/Ignite/2015/BRK3337
Active Directory Security Presentations (DerbyCon 2014 Videos):
- Abusing Active Directory in Post Exploitation – Carlos Perez
- Et tu Kerberos – Christopher Campbell
- Active Directory Real Defense for Domain Admins – Jason Lang
- Attacking Microsoft Kerberos Kicking the Guard Dog of Hades – Tim Medin
- DerbyCon 2013: The InfoSec Revival – Scriptjunkie
Active Directory Security Presentations (Black Hat USA 2014 Videos):
- Abusing Microsoft Kerberos Sorry You Guys Don’t Get It (aka the Mimikatz Golden Ticket Presentation) – Skip Duckwall & Benjamin Delpy
- Forensics Investigating: PowerShell Attacks – Ryan Kazanciyan & Whitepaper (PDF download)
Active Directory Security Presentations (TechEd USA 2014 Videos & Presentation files):
- TWC: Pass-the-Hash: How Attackers Spread and How to Stop Them
Date: May 13, 2014 from 1:30PM to 2:45PM
DCIM-B359
Speakers: Nathan Ide, Mark Russinovich
Download Mp4
PPTX Slides
- TWC: Pass-the-Hash and Credential Theft Mitigation Architectures
Date: May 14, 2014 from 1:30PM to 2:45PM
DCIM-B213
Speakers: Nicholas DiCola, Mark Simos
Download Mp4
PPTX Slides
Pass-the-Hash & Kerberos Attack Resources:
- BlueHat 2014 Slides: Reality Bites: The Attacker’s View of Windows Authentication and Post-exploitation – Chris Campbell, Benjamin Delpy, & Skip Duckwall
- BlackHat USA 2013 Slides: Microsoft’s Credential Problem – Skip Duckwall & Chris Campbell
- Abusing Kerberos (aka the Mimikatz Golden Ticket Presentation) BlackHat USA 2014 Presentation Video – Skip Duckwall & Benjamin Delpy
- Mimikatz and Golden Tickets… What’s the BFD? BlackHat USA 2014 Redux part 1
- Why We Don’t Get It and Why We Shouldn’t (blog post)
- Let’s talk about Pass-the-Hash (blog post)
- Pass the Golden Ticket – Protection from Kerberos Golden Ticket: Mitigating Pass the Ticket on Active Directory (CERT-EU Whitepaper)
- NSA whitepaper: Reducing the Effectiveness of Pass-the-Hash (published November 2013)
- RSA Conference 2014 Video: Pass-the-Hash: How Attackers Spread and How to Stop Them (Mark Russinovich & Nathan Ide)
General Hacking Videos:
Advanced Threat Tactics Course and Notes – Great coverage of attack methodology and tactics.
Hacking History:
- History Of Hacking Part 1 (SecurityTube)
- History Of Hacking Part 2 (SecurityTube)
- History Of Hacking Part 3 (SecurityTube)
- History Of Hacking Part 4 (SecurityTube)
- History Of Hacking Part 5 (SecurityTube)
Networking:
- Packet Sniffing Using Wireshark (SecurityTube)
- Wireless Lan Security Megaprimer Part 1: Getting Started (SecurityTube)
- Wireless Lan Security Megaprimer Part 2: Bands, Channels And Sniffing (SecurityTube)
- Wireless Lan Security Megaprimer Part 3: Pwning Beacon Frames (SecurityTube)
- Wireless Lan Security Megaprimer Part 4: Dissecting Ap-Client Connections (SecurityTube)
- Wireless Lan Security Megaprimer Part 6: Pwning Hidden Ssids (SecurityTube)
- Wireless Lan Security Megaprimer Part 8: Hacking Wlan Authentication (SecurityTube)
- Wireless Lan Security Megaprimer Part 9: Hotspot Attacks (SecurityTube)
- Wireless Lan Security Megaprimer Part 11: Alfa Card Kung-Fu (SecurityTube)
- Wireless Lan Security Megaprimer Part 12: Man-In-The-Middle Attack (SecurityTube)
- Cracking Wep And Breaking Into The Wireless Router (SecurityTube)
- Cracking Wpa Psk With Aircrackng (SecurityTube)
- Cracking Wifi Wpa/Wps Easily Using Reaver 1.1 (SecurityTube)
- Router Hacking Part 1 (The Basics) (SecurityTube)
- Router Hacking Part 2 (Service Enumeration, Fingerprinting And Default Accounts) (SecurityTube)
- Router Hacking Part 3 (Bruteforcing And Dictionary Attacks With Hydra) (SecurityTube)
- Router Hacking Part 4 (Snmp Attacks Using Snmpcheck) (SecurityTube)
- Router Hacking Part 6 (Dictionary Attack Using Metasploit On Snmp) (SecurityTube)
- Bypass Hotspot Login Page For Accessing Internet (SecurityTube)
MetaSploit:
- Metasploit Megaprimer (Exploitation Basics And Need For Metasploit) Part 1 (SecurityTube)
- Metasploit Megaprimer (Getting Started With Metasploit) Part 2 (SecurityTube)
- Metasploit Megaprimer Part 3 (Meterpreter Basics And Using Stdapi) (SecurityTube)
- Metasploit Meterpreter Reverse Tcp Basics (SecurityTube)
- Hacking Through The Windows Firewall Using Metasploit (SecurityTube)
- Metasploit Framework Expert Part 1 (Exploitation Basics) (SecurityTube)
- Metasploit Framework Expert Part 2 ( Why Metasploit?) (SecurityTube)
- Metasploit Framework Expert Part 3 ( Meterpreter Basics ) (SecurityTube)
- Metasploit Framework Expert ( Armitage ) (SecurityTube)
Services:
- Dns Zone Transfer Using Dig (SecurityTube)
- Ssl Man-IN-The-Middle (MITM) Attack Over Wireless (SecurityTube)
- Defeating Ssl Using Sslstrip (Marlinspike Blackhat) (SecurityTube)
- Sql Injection On Steroids With Sqlmap (SecurityTube)
Programming:
- Python Programming Language Lectures From MIT (SecurityTube)
- Offensive Python For Web Hackers (Blackhat) (SecurityTube)
- Securitytube Python Scripting Expert (Spse) Course And Certification (SecurityTube)
Wireshark:
- Analyze A Bot Infected Host With Wireshark (SecurityTube)
Other:
- Scenario Based Hacking Part 1 (No Patches, No Av, Direct Access) (SecurityTube)
- Buffer Overflow Primer Part 1 (Smashing The Stack) (SecurityTube)
- Ten Cool Things You Did Not Know About Your Hard Drive (SecurityTube)
- Exploit Research Megaprimer Part 1 Topic Introduction By Vivek (SecurityTube)
- How To Make Files Undetectable By Anti Virus (SecurityTube)
Security (Hack) Tools:
- Kali Linux OS with integrated hacking tools
- WireShark Packet Sniffing Tool
- NTDSXtract – A framework for offline forensic analysis of NTDS.DIT
- Windows Credential Editor (WCE)
- Mimikatz – tool to extract password data from LSASS & create silver and golden tickets
- The Social Engineer Toolkit (SE Toolkit) [included in Kali]
- MetaSploit – pentesting tool [included in Kali]
- nmap – best network scanning tool [included in Kali]
- HashCat – password cracker
- Armitage – simple front end for Metasploit
- WiFite – WiFi wireless cracking
Defense Tools:
General Disclaimer:
This information is for educational purposes only. Using this information to attack systems you don’t own may result in law enforcement knocking down your door. Use your own lab for testing and don’t hack your neighbor or your workplace.
1 comment
The link for Best Practices for Securing Active Directory is broken. I did a search, and found the following article. Haven’t had time to read it yet, but hopefully this is an updated version.
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory