Sneaky Active Directory Persistence #17: Group Policy

The content in this post describes a method through which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes.

Complete list of Sneaky Active Directory Persistence Tricks posts

This post explores how an attacker could leverage the built-in Active Directory management capability called Group Policy and how to mitigate potential security issues.

Continue reading

Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes.

All posts in my Sneaky Active Directory Persistence Tricks series

This post explores how an attacker could leverage computer account credentials to persist in an enterprise and how to mitigate potential security issues.

Continue reading’s Unofficial Guide to Mimikatz & Command Reference Updated for Mimikatz v2.1 alpha 20160229’s Unofficial Guide to Mimikatz & Command Reference page is updated for the new modules/features in Mimikatz v2.1 alpha 20160229.

According to Mimikatz author, Benjamin Delpy, the following updates are included in the most recent Mimikatz version(s):

Mimikatz Release Date: 2/29/2016
2.1 alpha 20160229 (oe.eo) edition
System Environment Variables & other stuff
[new] System Environment Variables user module
[new] System Environment Variables kernel IOCTL for Set
[enhancement] privilege::sysenv
[enhancement] Busylight
[enhancement] misc::skeleton can avoid anti-AES patching for aware clients with /letaes

2.1 alpha 20160217 (oe.eo) edition
[new] crypto::certificates /silent & /nokey flags
[new] crypto::keys /silent flag
[new] kull_m_busylight module now support protocol for new devices

Visit the Unofficial Guide to Mimikatz & Command Reference page Now Sponsored by Trimarc!

Sean has founded a new security company called Trimarc focused on providing enterprise security solutions. Launching today, Trimarc’s mission is to identify ways to better protect organizations from modern threats not effectively stopped by traditional security measures. will continue thanks to Trimarc!

Check out Trimarc’s capabilities at

PowerShell Version 5 is Available for Download (again)

After about two months of Microsoft PowerShell developers working around the clock (probably), the bug that wound up causing the WMF 5.0 RTM installer to be pulled is now fixed. There was an issue with the original release dealing with PSModulePath ($Env:PSModulePath) which was reset to default after installation of the original PowerShell v5 installer.

The Windows Management Framework (WMF) 5.0 RTM packages for Windows 2008 R2 SP1/2012 R2/2012 and Windows 7 SP1/8.1 are available for download in the Microsoft Download Center.

As I’ve stated before, due to the security enhancements including logging, updating to PowerShell v5 is highly recommended. More details on the advantages of enabling PowerShell logging and attack detection, including PowerShell v5 security enhancements are in two posts:

Download PowerShell version 5 aka “Windows Management Framework (WMF) 5.0 RTM”

Continue reading

Building an Effective Active Directory Lab Environment for Testing

This post is not meant to describe the ultimate lab configuration. Instead the focus is on a lab environment that can be stood up quickly and easily as a learning tool. The best way to learn about computer networking and security is to have a home lab. The great thing is that a home lab no longer requires several physical computers as it did in the past. Virtualization enables anyone to take a computer with a decent processor and enough RAM to create a lab environment without being overly complex. Furthermore, it’s possible to build a Windows environment at minimal cost for testing.

Hosting The Lab

The Cloud:

Amazon AWS, Microsoft Azure, and others provide capability to install and configure VMs in the cloud which is helpful when traveling since the lab is available and accessible from anywhere (perhaps saving power at home).

The Server:

I have friends that buy older servers from various internet sources (ebay, etc) at a tremendous discount and run those with (potentially) massive hard drive arrays. The big drawback is the power consumption (and associated power bill). The associated components are usually more expensive, though they do last longer.

The Workstation:

This is my preference – build/buy a hefty workstation-class system with a Core i7 processor. I highly recommend using an SSD as the primary OS drive. Also highly recommended is using a separate SSD for the Virtual Machine files. SSDs are exponentially faster than traditional hard drives and the difference is obvious when running a lab on them. For example, my lab computer has 2 SSDs: a C: drive and a D: drive. I can build a new VM in ~7 minutes. Installing a new Windows Server from an ISO file on the C: drive (SSD) takes ~12 minutes. Also, the server VMs boot almost instantly! It’s extremely fast! 🙂

The key is to outfit the lab computer with as much RAM as possible. My recommendation is 16GB at a minimum, 32GB preferred, with more than that even better!
What matters in the system:

  • Processor: Does the work for the virtualization host as well as all VMs. Core i7 (or better) preferred.
  • Hard Drive: SSD all the way! Recommend at least 128GB for system drive and at least 256GB for the drive holding the VM files (preferably more!). I also use a traditional hard drive 1-3TBs in size for VM backups. I really like the Samsung EVO SSDs since they are fast and reliable. A 500GB Samsung EVO SSD runs around $300 online (possibly cheaper by the time you read this).
  • Memory: This is the one you want to put your money into. Personally, I would rather spend a little bit more upfront and have the ability to put 64GB (or more) into a system, then go cheap and have the computer max out at 16GB. The more memory you have, the more VMs you can run which means you can run more involved (& interesting!) scenarios.

I also attach external traditional hard drives (1.5TB and larger) for lab VM backups, though I tend to keep the operating system ISO files and OS template VM files (Sysprep’d operating system VMs) on a SSD for maximum install speed.

Continue reading

Detecting Offensive PowerShell Attack Tools

At DerbyCon V (2015), I presented on Active Directory Attack & Defense and part of this included how to detect & defend against PowerShell attacks.

Update: I presented at BSides Charm (Baltimore) on PowerShell attack & defense in April 2016.
More information on PowerShell Security: PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection

The most important take-away from this post: you want to log all PowerShell activity and get that data into a central logging system to monitor for suspicious and anomalous activity.

The Evolution of PowerShell as an attack tool

PowerShell is a built-in command shell available on every supported version of Microsoft Windows (Windows 7 / Windows 2008 R2 and newer) and provides incredible flexibility and functionality to manage Windows systems. This power makes PowerShell an enticing tool for attackers. Once an attacker can get code to run on a computer, they often invoke PowerShell code since it can be run in memory where antivirus can’t see it. Attackers may also drop PowerShell script files (.ps1) to disk, but since PowerShell can download code from a website and run it in memory, that’s often not necessary.

Dave Kennedy & Josh Kelley presented at DEF CON 18 (2010) on how PowerShell could be leveraged by attackers. Matt Graeber developed PowerSploit and blogged at on why PowerShell is a great attack platform. Offensive PowerShell usage has been on the rise since the release of “PowerSploit” in 2012, though it wasn’t until Mimikatz was PowerShell-enabled (aka Invoke-Mimikatz) about a year later that PowerShell usage in attacks became more prevalent. PowerShell provides tremendous capability since it can run .Net code and execute dynamic code downloaded from another system (or the internet) and execute it in memory without ever touching disk. These features make PowerShell a preferred method for gaining and maintaining access to systems since they can move around using PowerShell without being seen. PowerShell Version 5 (v5) greatly improves the defensive posture of PowerShell and when run on a Windows 10 system, PowerShell attack capability is greatly reduced.

Continue reading

PowerShell Version 5 Security Enhancements

PowerShell version 5 is RTM (As of 12/18/2015). Prior to this there was a “production preview” available since August which means it was supported, but not final. With the final release of PowerShell v5 now available, I highly recommend you download PowerShell v5 and start testing to prepare for production deployment.

While the PowerShell v5 download was pulled previously due to an issue with PSModule Path, the Windows Management Framework (WMF) 5.0 RTM is available for download once again.

PowerShell provides extensive management capability for administrators, though this capability can also be used by attackers to exploit and persist in an enterprise. There are ways to detect offensive PowerShell attack tools and PowerShell v5 extends this capability further.

Microsoft provides the following PowerShell v5 benefits and updates on the download site:

Windows Management Framework (WMF) 5.0 brings functionality that has been updated from WMF 4.0. WMF 5.0 is available for installation only on Windows Server 2012 R2, Windows Server 2012, Windows 2008 R2, Windows 8.1, and Windows 7 SP1. Some of the new and updated features in this release include:

  • Develop with classes in Windows PowerShell
  • Just Enough Administration (JEA)
  • Extract and parse structured object out of string content
  • More control in Windows PowerShell Remote Debugging
  • PowerShell Information Stream
  • New and updated cmdlets based on community feedback
  • Generate Windows PowerShell cmdlets based on an OData endpoint with ODataUtils
  • Manage .ZIP archives through new cmdlets
  • Interact with symbolic links using improved Item cmdlets
  • DSC authoring improvements in Windows PowerShell ISE
  • 32-bit support for the configuration keyword in DSC
  • Audit Windows PowerShell usage by transcription and logging
  • Configure DSC’s Local Configuration Manager with the meta-configuration attribute
  • Configure piece by piece with partial configurations in DSC
  • Manage with cross-computer dependencies in DSC
  • More control over configurations in DSC
  • Find more detail about configuration status in DSC
  • Support for -? during DSC configuration compilation
  • Support for DSC RunAsCredential
  • Rich information for DSC LCM State
  • Side-by-Side installation of DSC Resources and PowerShell Modules
  • PSDesiredStateConfiguration Module version updated to 1.1
  • Report configuration status from DSC to a central location
  • Discover and install software with PackageManagement
  • Discover PowerShell Modules, PowerShell Scripts and DSC resources with PowerShellGet
  • Network Switch management with Windows PowerShell
  • Software Inventory Logging (SIL)

There are several compelling PowerShell v5 security features that make it a must deploy (IMHO). I presented on several of these at security conferences in 2015.

Continue reading

Microsoft EMET 5.5 Released – Benefits, New Features, Protection, Logging, & GPO Config

Microsoft recently released Enhanced Mitigation Experience Toolkit (EMET) version 5.5 (it jumped from 5.2 to 5.5) which includes Windows 10 compatibility and better GPO support (among others). I’ve included information from a variety of Microsoft sources in this post so that others don’t have to search for the data separately. The resources/references are listed at the bottom of this post.

Update: I have received reports of problems with IE 11 with EMET 5.5.

Continue reading

Active Directory Recon Without Admin Rights

A fact that is often forgotten (or misunderstood), is that most objects and their attributes can be viewed (read) by authenticated users (most often, domain users). The challenge is that admins may think that since this data is most easily accessible via admin tools such as “Active Directory User and Computers” (dsa.msc) or “Active Directory Administrative Center” (dsac.msc), that others can’t see user data (beyond what is exposed in Outlook’s GAL). This often leads to password data being placed in user object attributes or in SYSVOL.

There is a lot of data that can be gathered from Active Directory which can be used to update documentation or to recon the environment for the next attack stages. It’s important for defenders to understand the different types of data accessible in AD with a regular user account.

Attacks frequently start with a spear-phishing email to one or more users enabling the attacker to get their code running on a computer inside the target network. Once the attacker has their code running inside the enterprise, the first step is performing reconnaissance to discover useful resources to escalate permissions, persist, and of course, plunder information (often the “crown jewels” of an organization).

This post shows how an attacker can recon the Active Directory environment with just domain user rights. Many people are surprised when they learn how much information can be gathered from AD without elevated rights.

Note: Most of the examples in this post use the Active Directory PowerShell module cmdlets. A good alternative is HarmJ0y’s PowerView (now part of PowerSploit).

I spoke about some of these techniques at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON, & DerbyCon). I also covered some of these issues in the post “The Most Common Active Directory Security Issues and What You Can Do to Fix Them“.

Continue reading