Detecting Kerberoasting Activity


Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create poor passwords. The reason the attack succeeds is that most service account passwords are the same length as the domain minimum password length (often 10 or 12 characters), meaning that even brute-force cracking is unlikely to take longer than the maximum password age (expiration). Most service accounts don’t have passwords set to expire, so it’s likely the same password will be in effect for months if not years. Furthermore, most service accounts are over-permissioned and are often members of Domain Admins, providing full admin rights to Active Directory (even when the service account only needs to modify an attribute on certain object types or admin rights on specific servers).

Tim Medin presented on this at DerbyCon 2014 in his “Attacking Microsoft Kerberos Kicking the Guard Dog of Hades” presentation (slides & video) where he released the Kerberoast Python TGS cracker.

This is a topic we have covered in the past in the posts “Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain” & “Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting.”
Also Will Schroeder, aka Will Harmjoy (@harmj0y), and I spoke at DerbyCon 2016 about how to Kerberoast to escalate privileges.

Note: This attack will not be successful when targeting services hosted by the Windows system since these services are mapped to the computer account in Active Directory which has an associated 128 character password which won’t be cracked anytime soon.

Let’s quickly cover how Kerberos authentication works before diving into how Kerberoasting works and how to detect Kerberoast type activity.


Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting

The content in this post describes a method through which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes.

Complete list of Sneaky Active Directory Persistence Tricks posts

This post explores how an attacker could leverage existing admin rights and/or over-permissive delegation to gain persistence on one or more admin accounts.

Any account with a Service Principal Name can be Kerberoasted. It’s possible with the appropriate rights to add SPNs to accounts, including admin accounts, to discover the password for those accounts in order to gain/re-gain access to the account.


Securing Domain Controllers to Improve Active Directory Security

Active Directory security effectively begins with ensuring Domain Controllers (DCs) are configured securely. At BlackHat USA this past Summer, I spoke about AD for the security professional and provided tips on how to best secure Active Directory. This post focuses on Domain Controller security with some cross-over into Active Directory security. The blog is called ADSecurity after all… 😉

This post covers some of the best methods to secure Active Directory by securing Domain Controllers in the following sections:

  • Default Domain & Domain Controller Policies
  • Creating Domain & Domain Controller Security Baseline GPOs
  • Patching Domain Controllers
  • Protecting Domain Controllers
  • Domain Controller Recommended Group Policy Settings
  • Configuring Domain Controller Auditing (Event Logs)
  • Domain Controller Events to Monitor (Event Logs)
  • Key Domain Controller Security Items

As with any major change to infrastructure, please test before deploying changes.


BSides DC (2016) Talk – PowerShell Security: Defending the Enterprise from the Latest Attack Platform

This Saturday at BSides DC, I am presenting on the current state of PowerShell security in a talk called, “PowerShell Security: Defending the Enterprise from the Latest Attack Platform.”

I cover some of the information I’ve posted here before:

On Saturday, October 21st, 2016, I am speaking at BSides DC in Track 2 (“Grand Central”) at 1:30pm.

Here’s the talk description from the BSides DC website:

PowerShell is a boon to administrators, providing command consistency and the ability to quickly gather system data and set configuration settings. However, what can be used to help, can also be used for less altruistic activities. Attackers have recently learned that leveraging PowerShell provides simple bypass methods for most defenses and a platform for initial compromise, recon, exploitation, privilege escalation, data exfiltration, and persistence.

With the industry shift to an “Assume Breach” mentality, it’s important to understand the impact of defending against an attacker on the internal network since this is a major shift from the traditional defensive paradigm. In its default configuration, there’s minimal PowerShell logging and nothing to slow an attacker’s activities. Many organizations seek to block the PowerShell executable to stop attacks. However, blocking PowerShell.exe does not stop PowerShell execution and can provide a false sense of security. Simply put, don’t block PowerShell, embrace it. The key is monitoring PowerShell usage to enable detection of recon and attack activity. As attack tools like PowerSploit (Invoke-Mimikatz) and the recently released PowerShell Empire become more prevalent (and more commonly used), it’s more important than ever to understand the full capabilities of PowerShell as an attack platform as well as how to effectively detect and mitigate a variety of PowerShell attack methods.

The presentation walks the audience through the evolution of PowerShell as an attack platform and shows why a new approach to PowerShell attack defense is required. PowerShell recon & attack techniques are shown as well as methods of detection & mitigation. Also covered are the latest methods to bypass and subvert PowerShell security measures including PowerShell v5 logging, constrained language mode, and Windows 10’s AMSI anti-malware for scanning PowerShell code in memory. The final part of the presentation explains why PowerShell version 5 should be every organization’s new baseline version of PowerShell due to new and enhanced defensive capability.

This talk is recommended for anyone tasked with defending and testing the defenses for an organization as well as system administrators/engineers.

This presentation outlines the capability of the current PowerShell version and how current attacks are leveraging PowerShell, including how current PowerShell security (& logging) can be bypassed!
The talk wraps up with a summary of the defensive recommendations provided throughout the presentation.

For the curious, here’s an outline of the talk*:


Some Favorite DerbyCon 6 Talks (2016)

This post is a collection of my favorite and interesting talks from DerbyCon 6 (2016). There were a lot of great talks and as I discover them, I’ll add them here. My goal is to collect and provide the talk videos and slides together for a single, easy reference. I’m sure I missed a few.
To read about the DerbyCon 6 presentations visit the DerbyCon 6 Schedule page and the DerbyCon 6 presentation videos are on YouTube.


DerbyCon 6 (2016) Talk – Attacking EvilCorp: Anatomy of a Corporate Hack

Next week at DerbyCon 6, Will Schroeder (aka Will Harmjoy, @Harmj0y) & I are presenting on enterprise security, “Attacking EvilCorp: Anatomy of a Corporate Hack.”
We call this one the “How You Got Hacked” presentation.

The company and events are fictional.

The techniques are real.

On Saturday, September 24th, 2016, Will & I are speaking at DerbyCon Track 1 (Break Me) in the Regency North room from 10:00am to 10:50am.

Here’s the talk description from the DerbyCon website:

With the millions of dollars invested in defensive solutions, how are attackers still effective?
Why do defensive techniques seem to rarely stop or slow down even mid-tier adversaries?
And is there anything the underfunded admin can do to stop the carnage?
Join us in a shift to “assume breach” and see how an attacker can easily move from a single machine compromise to a complete domain take over.
Instead of “death by PowerPoint,” see first-hand how a fictional corporation suffers “death by a thousand cuts”. The fictional EvilCorp presents their top defensive tools and practically dares someone to attack the network. The battle of Red vs. Blue unfolds showing EvilCorp’s network submit to the unrelenting attacks by an experienced adversary.
When the dust settles, the Red Team looks victorious. But what, if anything, could have tipped the scales in the other direction?
In this demo-heavy session (several demos are shown to demonstrate modern attack effectiveness), we showcase the latest attack techniques and ineffective defenses still used to protect companies. Defense evasion tools and techniques are detailed as well as attack detection methods. Effective mitigation strategies are highlighted and the Blue Team is provided a roadmap to properly shore up defenses that can stop all but the most determined attacker.

This presentation is not a standard conference talk with lots of slides. In fact, there are only a handful of slides, mostly to highlight how to mitigate the demonstrated attacks. Over the course of the 45 minute presentation, we show several attack demonstrations highlighting typical phases of how a company could be hacked and talk through the issues in the environment and real world mitigations. Instead of walking through the attacks and showing slides, we present this as a “skit”.

During the talk, Sean assumes the role of E Corp CIO who is on stage at a conference presenting about their perfect security. He effectively challenges the world to hack his company.

Will takes up this challenge and explains the problems with E Corp’s security posture by showing several demos of how he can pwn them in about 25 minutes.

After this “skit”, we switch back to a more traditional presentation to cover real-world mitigations.

For the curious, here’s an outline of our talk at DerbyCon next week:


Microsoft LAPS Security & Active Directory LAPS Configuration Recon

Over the years, there have been several methods attempted for managing local Administrator accounts:

  1. Scripted password change – Don’t do this. The password is exposed in SYSVOL.
  2. Group Policy Preferences. The credentials are exposed in SYSVOL.
  3. Password vault/safe product (Thycotic, CyberArk, Lieberman, Quest, Exceedium, etc).
  4. Microsoft Local Administrator Password Solution (LAPS).
LAPS Overview

Microsoft’s LAPS is a useful tool for automatically managing Windows computer local Administrator passwords. It’s important to ensure every computer changes its local Administrator password regularly, that the password is unique for every computer, that there’s a way to track when it gets changed, and that there’s a way to force password changes. I cover LAPS in an earlier post, including deployment, pros & cons, and other information.

Here’s a quick overview of LAPS:

  • Initial install which includes schema extensions – adds ms-mcs-AdmPwd (clear-text password) & ms-mcs-AdmPwdExpirationTime (date/time when password expires which forces the LAPS client to reset the password) attributes to computer objects.
  • Deploy the LAPS client to all computers to manage their local Administrator account password.
  • Delegate all computers access to update the ms-mcs-AdmPwd & ms-mcs-AdmPwdExpirationTime LAPS attributes on their own computer account (SELF write access).
  • Delegate the LAPS computer attributes so the appropriate users have access to view the LAPS password and/or force a reset of the LAPS password (clearing the value of ms-mcs-AdmPwdExpirationTime forces the LAPS client to change the local Administrator password).
  • Configure a new Group Policy Object (GPO) to enable & configure LAPS management of the local Administrator account password.

Note that the LAPS GPO setting “Do not allow password expiration time longer than required by policy” is set to Enabled. This is important as you’ll see at the end of this post.


PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection

This post is a follow-up of sorts from my earlier posts on PowerShell, my PowerShell presentation at BSides Baltimore, and my presentation at DEF CON 24.
Hopefully this post provides current information on PowerShell usage for both Blue and Red teams.

Related posts:

The Evolution of PowerShell as an attack tool

PowerShell is a built-in command shell available on every supported version of Microsoft Windows (Windows 7 / Windows 2008 R2 and newer) and provides incredible flexibility and functionality to manage Windows systems. This power makes PowerShell an enticing tool for attackers. Once an attacker can get code to run on a computer, they often invoke PowerShell code since it can be run in memory where antivirus can’t see it. Attackers may also drop PowerShell script files (.ps1) to disk, but since PowerShell can download code from a website and run it in memory, that’s often not necessary.
Dave Kennedy & Josh Kelley presented at DEF CON 18 (2010) on how PowerShell could be leveraged by attackers. Matt Graeber developed PowerSploit and blogged on why PowerShell is a great attack platform. Offensive PowerShell usage has been on the rise since the release of “PowerSploit” in 2012, though it wasn’t until Mimikatz was PowerShell-enabled (aka Invoke-Mimikatz) about a year later that PowerShell usage in attacks became more prevalent. PowerShell provides tremendous capability since it can run .Net code and execute dynamic code downloaded from another system (or the internet) in memory without ever touching disk. These features make PowerShell a preferred method for gaining and maintaining access to systems since attackers can move around using PowerShell without being seen. PowerShell Version 5 (v5) greatly improves the defensive posture of PowerShell, and when run on a Windows 10 system, PowerShell attack capability is greatly reduced.


DEF CON 24 (2016) Talk “Beyond the MCSE: Red Teaming Active Directory” Presentation Slides Posted

On Thursday, August 4th, I presented “Beyond the MCSE: Red Teaming Active Directory” at DEF CON 24 (2016).

Here are the slides for this talk: DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory

Here’s my talk description from the DEF CON website:

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn’t know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk.

Let’s go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics.