SlideShare a Scribd company logo

Creating a fortress in your active directory environment

D
David Rowe

The document discusses the importance of securing Active Directory environments, focusing on access control, privilege creep, and cached credentials vulnerabilities. It introduces Microsoft’s Enhanced Security Administrative Environment (ESAE) and outlines steps to limit administrative access and manage shadow admins effectively. Key strategies involve separating admin accounts, using privileged access workstations, and employing robust monitoring and audit practices.

Technology
1 of 47
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Creating a Fortress in Your Active Directory Environment 1 David Rowe @customes david [@] secframe.com #infosec #blueteam #security ©2019
Creating a fortress in your active directory environment
Creating a fortress in your active directory environment
What is Active Directory? Active Directory is a hierarchical structure that stores information about objects on a network • Users • Computers • Groups Dictates security through object ownership and group membership
Why access is important Active directory is set up as a discretionary access control model • Based on the individual • Each person has an account • Accounts have access to objects
Why access is important RBAC • As administrators shift and rotate roles, they create different role groups with different access across the domain(s) • Ex: Helpdesk – reset passwords • Ex: Server Team – log on to servers Privilege creep • Over time accounts gain more and more to objects. • The rights are often overlooked and unknown by owners of AD
Why access is important With users gaining more and more access to objects; computers, groups and other users, attackers have more areas to exploit
For this Presentation - Keep in mind There is a greater number of users on every domain that have privileged access than you can guess User rights, once granted, sit idle and can be used by anyone with access to that account, group, or computer
Cached Creds Defined Computer level setting: Interactive logon: Number of previous logons to cache [store in memory] (in case domain controller is not available) 1 Value indicates stored users credentials on device – (10) Default stored as RC4 hash on system2
Cached Creds Vulnerabilities Targeted Pass-the-hash -If you can’t crack it, encapsulate and pass it RC4 Nomore – one type of RC4 Exploit – 52 Hrs to crack Rainbow tables –When I was in one incident response team I observed evidence a plaintext password 9 minutes after the hash was compromised
Kerberos • Provides the default authentication services and the authorization data • Necessary for a user to access a resource
Kerberos Policy Encryption Type Server 2000 Win XP Server 2003 Vista Server 2008 Windows 7 Server 2008 R2 DES_CBC_C RC O O O O X X X DES_CBC_M D5 O O O O O X X RC4_HMAC_ MD5 O O O O O O O AES128_HM AC_SHA1 X X X O O O O AES256_HM AC_SHA1 X X X O O O O Ref: https://goo.gl/UebQPs
Microsoft’s Solution – ESAE Enhanced Security Administrative Environment • Helps prevent compromise of administrative credentials from cyber-attacks • Thwart attacks by limiting exposure of admin credentials (Cached Credentials) Source: https://goo.gl/UqHTJA
Microsoft’s Solution – 3 Stages, 14 steps Stage # Step Imp. Cost/Ops Maint Cost 1**** Separate Admin accounts for Workstations $/$ 1**** Separate Admin accounts for Servers $/$ 1**** Separate Admin accounts for Domain Controllers $/$ 2 Privileged Access Workstations for Admins $$/$$$ 2**** Unique Local Passwords for Servers & Workstations $/$ 2 Time Bound Privileges $$/$$$ 2 Just Enough Administration $/$$ 2**** Lower Attack Surfaces of DCs – Limit Admin Count $/$ 2**** Attack Detection $$/$$
Microsoft’s Solution – 3 Stages Stage # Step Imp. Cost/Ops Maint Cost 3* Modernize roles and delegation model to be compliant with the tiers $$/$$ 3 Smartcard authentication for all admins $$$/$ 3 Admin Forest for AD admins $$/$$ 3 Windows Defender Device Guard $$/$$ 3 Shielded VMs $$/$$
Creating a fortress in your active directory environment
1 Day Security Solution
The Breach • An unpatched public facing web server was compromised • An attacker exploited a vulnerability, granting admin access to the server (#5!) • The attacker dumped the cached credentials on the server, finding a local administrator password identical across machines (#4! & #3!) • Attacker moved laterally across the domain probing servers until he/she finds a computer where a domain administrator (DA) credential was stored (#2! & #1!) • Attacker dumps DA hash from machine and cracks it • The attacker now as full administrative access on the domain
#1 Limit Admins – Quick Win
Simple Deploy – 1. Boot People
Built-in Groups’ Rights Overview • Account Operators: Read LAPS attribute, administer domain user and group accounts • Administrators: Complete and unrestricted access • Backup Operators: Override security restrictions for the sole purpose of backing up or restoring files. Allow Logon Locally, log on as batch job, shut down the system • Domain Admins: member of every domain-joined computer’s local Admin group • Enterprise Admins: permissions to change forest-wide configuration settings. Member of every domain’s Administrator group • Group Policy Creator Owners: Can create and modify GPOs on the domain
Built-in Groups’ Rights Overview • Schema Admins: make modifications to the AD Schema • Server Operators: can administer domain servers • Remote Desktop Users: Members of this group can remotely log on to domain controllers in the domain. This group has no default members • Organization Management: This is a RBAC group for MS Exchange Server. Members have admin access to the entire Exchange organization, including modifying membership of other exchange groups
What is a Shadow Admin? shadow admin sensitive privileges. granted directly using ACLs on AD objects. • Attacker steals Field Tech’s Groups where stolen credential has access to modify other objects • Attacker hijacks those objects • Attacker continues to elevate privileges to Tier 0
Finding Shadow Admins
Why find and limit # of admins
#2 Admins – Quick Win
Simple Deploy – 2. Block Admins
Tiered Guidelines Accounts which have the ability to manage identity and permissions enterprise-wide. Objects: Domain Controllers and systems that manage DCs Tier 0 Domain Admins Tier 1 Server Admins Accounts with control over resources or that manage critical data and applications. Objects: Servers Tier 2 Workstation Admins Accounts with administrative privileges over standard user accounts and standard-user devices. Objects: Workstations
Block Admins: The GPO: Servers
Simple Deploy – 3. Cached Creds GPO
Cached Creds: The GPO: Servers
Cached Creds: The GPO: Desktops
Common tools to exploit Cached Creds Mimikatz JtR Hashcat Ophcrack Taskmanager… + lsass.exe Pwdumpx + passwordPro
Report on your domain’s cache settings Find machines on the domain that have cached creds enabled *AD_Computer_CachedCredsFind Computers without Cached Cred GPO.ps1
Report on your domain’s cache settings
Simple Deploy – 4. LAPS
LAPS
LAPS: Reqs #1 and #2
LAPS: Reqs #3 and #4
Simple Deploy – 5. Audit and Alert
Audit https://goo.gl/uGUL4a
Alert
Security Tools https://goo.gl/NgWuGK
Groups with ACL permissions on Domain *DOMAINIT USERS *DOMAINHR USER MANAGEMENT *DOMAINIT - HELP DESK *DOMAINACCOUNT MANAGEMENT *DOMAINIT Exchange *DOMAINIT User Password Resets *DOMAINIT SERVER ADMINS *DOMAINEnterprise Services *DOMAINOffice dept Admins *DOMAINBase Admins *DOMAINComp Management *DOMAINEMAIL ADMINS *DOMAINCONTACT CREATOR *DOMAINContactManagement *DOMAINCredit_SUPPORT *DOMAINWeb Administration *DOMAINMAILBOX MGMT *DOMAINService Desk *DOMAINO ADMINS *DOMAINVPN Administrators *DOMAINAD User Cleanup *DOMAINRESEARCH ADMINS *DOMAINEpsilon Admins *DOMAINZone ADMINS *DOMAINADWRITERS Admins *DOMAINFile Share ADMINS *DOMAINR drive ADMINS *DOMAINO drive ADMINS *DOMAINSAN Admins *DOMAINAPPLICATION ADMINS *DOMAINSERVICE NOW ADMINS *DOMAINSERVICE NOW OU ADMINS *DOMAINSERVICE NOW Group ADMINS *DOMAINIT OU ADMINS *DOMAINNetwork Team *DOMAINCluster2 Admins *DOMAINDatabase Disk Admins *DOMAINCluster Admins
Excessive Group Membership Example: Epic Sunflower
More presentations available at secframe.com https://github.com/davidprowe/AD_Sec_Tools @customes david [@] secframe.com
Creating a fortress in your active directory environment

More Related Content

PPTX
Is the door to your active directory wide open and unsecure
David Rowe
 
PPTX
Escalation defenses ad guardrails every company should deploy
David Rowe
 
PPTX
Secure Active Directory in one Day Without Spending a Single Dollar
David Rowe
 
PDF
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
BeyondTrust
 
PPTX
5 Ways To Fight A DDoS Attack
RedZone Technologies
 
PDF
Ddos- distributed denial of service
laxmi chandolia
 
PDF
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Professor Lili Saghafi
 
PDF
DDoS Attacks
Vitor Jesus
 
Is the door to your active directory wide open and unsecure
David Rowe
 
Escalation defenses ad guardrails every company should deploy
David Rowe
 
Secure Active Directory in one Day Without Spending a Single Dollar
David Rowe
 
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
BeyondTrust
 
5 Ways To Fight A DDoS Attack
RedZone Technologies
 
Ddos- distributed denial of service
laxmi chandolia
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Professor Lili Saghafi
 
DDoS Attacks
Vitor Jesus
 

What's hot (19)

PDF
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Jennifer Nichols
 
PPT
DDoS Attacks
Jignesh Patel
 
PDF
2016 state of the internet threat advisory dnssec ddos amplification attacks
Andrey Apuhtin
 
PDF
3. APTs Presentation
isc2-hellenic
 
PDF
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE - ATT&CKcon
 
PDF
Detection of Distributed Denial of Service Attacks
ijdmtaiir
 
PDF
How to measure your security response readiness?
Tomasz Jakubowski
 
PPTX
System hacking
CAS
 
PDF
Addios!
Chong-Kuan Chen
 
PDF
Windows server hardening 1
Frank Avila Zapata
 
PPT
Network security
Greater Noida Institute Of Technology
 
PPT
hacking and crecjing
parth jasani
 
PPTX
Time-based DDoS Detection and Mitigation for SDN Controller
Lippo Group Digital
 
PDF
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
PPT
DNS Security Threats and Solutions
InnoTech
 
PPTX
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PROIDEA
 
PDF
CTM360 adv-0317-01 dns messenger
Migin Vincent
 
PDF
Understanding Windows Lateral Movements
Daniel López Jiménez
 
PDF
DDoS Threat Landscape - Ron Winward CHINOG16
Radware
 
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Jennifer Nichols
 
DDoS Attacks
Jignesh Patel
 
2016 state of the internet threat advisory dnssec ddos amplification attacks
Andrey Apuhtin
 
3. APTs Presentation
isc2-hellenic
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE - ATT&CKcon
 
Detection of Distributed Denial of Service Attacks
ijdmtaiir
 
How to measure your security response readiness?
Tomasz Jakubowski
 
System hacking
CAS
 
Addios!
Chong-Kuan Chen
 
Windows server hardening 1
Frank Avila Zapata
 
Network security
Greater Noida Institute Of Technology
 
hacking and crecjing
parth jasani
 
Time-based DDoS Detection and Mitigation for SDN Controller
Lippo Group Digital
 
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
DNS Security Threats and Solutions
InnoTech
 
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PROIDEA
 
CTM360 adv-0317-01 dns messenger
Migin Vincent
 
Understanding Windows Lateral Movements
Daniel López Jiménez
 
DDoS Threat Landscape - Ron Winward CHINOG16
Radware
 
Ad

Similar to Creating a fortress in your active directory environment (20)

PPTX
Secure active directory in one day without spending a single dollar
David Rowe
 
PPTX
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
PPTX
7 Ways To Cyberattack And Hack Azure
Abdul Khan
 
PPTX
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
Zoho Corporation
 
PDF
Exploiting Active Directory Administrator Insecurities
Priyanka Aash
 
PPTX
Lecture 8 permissions
Wiliam Ferraciolli
 
PDF
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
PPTX
Securing Your MongoDB Deployment
MongoDB
 
PPTX
AZ-801T00A Configuring Windows Server Hybrid Advanced Services.pptx
joolyvivi
 
PDF
Active directory 101
Utkarsh Agrawal
 
PPTX
Lecture 7 naming and structuring objects
Wiliam Ferraciolli
 
PDF
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
Vincent Giersch
 
PDF
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
eightbit
 
PPTX
ORACLE OCI - Identity and Access Management Service
exposie1
 
PDF
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
PPT
Active directoryfinal
Rafał Kucharski
 
PDF
Hive contributors meetup apache sentry
Brock Noland
 
PDF
Ch 8: Desktop and Server OS Vulnerabilites
Sam Bowne
 
PPTX
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax
 
PPTX
Lannguyen-Detecting Cyber Attacks
Security Bootcamp
 
Secure active directory in one day without spending a single dollar
David Rowe
 
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
7 Ways To Cyberattack And Hack Azure
Abdul Khan
 
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
Zoho Corporation
 
Exploiting Active Directory Administrator Insecurities
Priyanka Aash
 
Lecture 8 permissions
Wiliam Ferraciolli
 
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Securing Your MongoDB Deployment
MongoDB
 
AZ-801T00A Configuring Windows Server Hybrid Advanced Services.pptx
joolyvivi
 
Active directory 101
Utkarsh Agrawal
 
Lecture 7 naming and structuring objects
Wiliam Ferraciolli
 
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
Vincent Giersch
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
eightbit
 
ORACLE OCI - Identity and Access Management Service
exposie1
 
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Active directoryfinal
Rafał Kucharski
 
Hive contributors meetup apache sentry
Brock Noland
 
Ch 8: Desktop and Server OS Vulnerabilites
Sam Bowne
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax
 
Lannguyen-Detecting Cyber Attacks
Security Bootcamp
 
Ad

Recently uploaded (20)

PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
PDF
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
PDF
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PDF
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
PPTX
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
PDF
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
PDF
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PDF
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
PPTX
The Future of AI & Machine Learning.pptx
pritsen4700
 
PDF
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
PDF
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
PDF
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
PPTX
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
PDF
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
PDF
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
PDF
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
PDF
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
PPTX
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
Brief History of Internet - Early Days of Internet
sutharharshit158
 
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
The Future of Artificial Intelligence (AI)
Mukul
 
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
The Future of AI & Machine Learning.pptx
pritsen4700
 
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 

Creating a fortress in your active directory environment

  • 1. Creating a Fortress in Your Active Directory Environment 1 David Rowe @customes david [@] secframe.com #infosec #blueteam #security ©2019
  • 4. What is Active Directory? Active Directory is a hierarchical structure that stores information about objects on a network • Users • Computers • Groups Dictates security through object ownership and group membership
  • 5. Why access is important Active directory is set up as a discretionary access control model • Based on the individual • Each person has an account • Accounts have access to objects
  • 6. Why access is important RBAC • As administrators shift and rotate roles, they create different role groups with different access across the domain(s) • Ex: Helpdesk – reset passwords • Ex: Server Team – log on to servers Privilege creep • Over time accounts gain more and more to objects. • The rights are often overlooked and unknown by owners of AD
  • 7. Why access is important With users gaining more and more access to objects; computers, groups and other users, attackers have more areas to exploit
  • 8. For this Presentation - Keep in mind There is a greater number of users on every domain that have privileged access than you can guess User rights, once granted, sit idle and can be used by anyone with access to that account, group, or computer
  • 9. Cached Creds Defined Computer level setting: Interactive logon: Number of previous logons to cache [store in memory] (in case domain controller is not available) 1 Value indicates stored users credentials on device – (10) Default stored as RC4 hash on system2
  • 10. Cached Creds Vulnerabilities Targeted Pass-the-hash -If you can’t crack it, encapsulate and pass it RC4 Nomore – one type of RC4 Exploit – 52 Hrs to crack Rainbow tables –When I was in one incident response team I observed evidence a plaintext password 9 minutes after the hash was compromised
  • 11. Kerberos • Provides the default authentication services and the authorization data • Necessary for a user to access a resource
  • 12. Kerberos Policy Encryption Type Server 2000 Win XP Server 2003 Vista Server 2008 Windows 7 Server 2008 R2 DES_CBC_C RC O O O O X X X DES_CBC_M D5 O O O O O X X RC4_HMAC_ MD5 O O O O O O O AES128_HM AC_SHA1 X X X O O O O AES256_HM AC_SHA1 X X X O O O O Ref: https://goo.gl/UebQPs
  • 13. Microsoft’s Solution – ESAE Enhanced Security Administrative Environment • Helps prevent compromise of administrative credentials from cyber-attacks • Thwart attacks by limiting exposure of admin credentials (Cached Credentials) Source: https://goo.gl/UqHTJA
  • 14. Microsoft’s Solution – 3 Stages, 14 steps Stage # Step Imp. Cost/Ops Maint Cost 1**** Separate Admin accounts for Workstations $/$ 1**** Separate Admin accounts for Servers $/$ 1**** Separate Admin accounts for Domain Controllers $/$ 2 Privileged Access Workstations for Admins $$/$$$ 2**** Unique Local Passwords for Servers & Workstations $/$ 2 Time Bound Privileges $$/$$$ 2 Just Enough Administration $/$$ 2**** Lower Attack Surfaces of DCs – Limit Admin Count $/$ 2**** Attack Detection $$/$$
  • 15. Microsoft’s Solution – 3 Stages Stage # Step Imp. Cost/Ops Maint Cost 3* Modernize roles and delegation model to be compliant with the tiers $$/$$ 3 Smartcard authentication for all admins $$$/$ 3 Admin Forest for AD admins $$/$$ 3 Windows Defender Device Guard $$/$$ 3 Shielded VMs $$/$$
  • 17. 1 Day Security Solution
  • 18. The Breach • An unpatched public facing web server was compromised • An attacker exploited a vulnerability, granting admin access to the server (#5!) • The attacker dumped the cached credentials on the server, finding a local administrator password identical across machines (#4! & #3!) • Attacker moved laterally across the domain probing servers until he/she finds a computer where a domain administrator (DA) credential was stored (#2! & #1!) • Attacker dumps DA hash from machine and cracks it • The attacker now as full administrative access on the domain
  • 19. #1 Limit Admins – Quick Win
  • 20. Simple Deploy – 1. Boot People
  • 21. Built-in Groups’ Rights Overview • Account Operators: Read LAPS attribute, administer domain user and group accounts • Administrators: Complete and unrestricted access • Backup Operators: Override security restrictions for the sole purpose of backing up or restoring files. Allow Logon Locally, log on as batch job, shut down the system • Domain Admins: member of every domain-joined computer’s local Admin group • Enterprise Admins: permissions to change forest-wide configuration settings. Member of every domain’s Administrator group • Group Policy Creator Owners: Can create and modify GPOs on the domain
  • 22. Built-in Groups’ Rights Overview • Schema Admins: make modifications to the AD Schema • Server Operators: can administer domain servers • Remote Desktop Users: Members of this group can remotely log on to domain controllers in the domain. This group has no default members • Organization Management: This is a RBAC group for MS Exchange Server. Members have admin access to the entire Exchange organization, including modifying membership of other exchange groups
  • 23. What is a Shadow Admin? shadow admin sensitive privileges. granted directly using ACLs on AD objects. • Attacker steals Field Tech’s Groups where stolen credential has access to modify other objects • Attacker hijacks those objects • Attacker continues to elevate privileges to Tier 0
  • 25. Why find and limit # of admins
  • 26. #2 Admins – Quick Win
  • 27. Simple Deploy – 2. Block Admins
  • 28. Tiered Guidelines Accounts which have the ability to manage identity and permissions enterprise-wide. Objects: Domain Controllers and systems that manage DCs Tier 0 Domain Admins Tier 1 Server Admins Accounts with control over resources or that manage critical data and applications. Objects: Servers Tier 2 Workstation Admins Accounts with administrative privileges over standard user accounts and standard-user devices. Objects: Workstations
  • 29. Block Admins: The GPO: Servers
  • 30. Simple Deploy – 3. Cached Creds GPO
  • 31. Cached Creds: The GPO: Servers
  • 32. Cached Creds: The GPO: Desktops
  • 33. Common tools to exploit Cached Creds Mimikatz JtR Hashcat Ophcrack Taskmanager… + lsass.exe Pwdumpx + passwordPro
  • 34. Report on your domain’s cache settings Find machines on the domain that have cached creds enabled *AD_Computer_CachedCredsFind Computers without Cached Cred GPO.ps1
  • 35. Report on your domain’s cache settings
  • 36. Simple Deploy – 4. LAPS
  • 37. LAPS
  • 38. LAPS: Reqs #1 and #2
  • 39. LAPS: Reqs #3 and #4
  • 40. Simple Deploy – 5. Audit and Alert
  • 42. Alert
  • 44. Groups with ACL permissions on Domain *DOMAINIT USERS *DOMAINHR USER MANAGEMENT *DOMAINIT - HELP DESK *DOMAINACCOUNT MANAGEMENT *DOMAINIT Exchange *DOMAINIT User Password Resets *DOMAINIT SERVER ADMINS *DOMAINEnterprise Services *DOMAINOffice dept Admins *DOMAINBase Admins *DOMAINComp Management *DOMAINEMAIL ADMINS *DOMAINCONTACT CREATOR *DOMAINContactManagement *DOMAINCredit_SUPPORT *DOMAINWeb Administration *DOMAINMAILBOX MGMT *DOMAINService Desk *DOMAINO ADMINS *DOMAINVPN Administrators *DOMAINAD User Cleanup *DOMAINRESEARCH ADMINS *DOMAINEpsilon Admins *DOMAINZone ADMINS *DOMAINADWRITERS Admins *DOMAINFile Share ADMINS *DOMAINR drive ADMINS *DOMAINO drive ADMINS *DOMAINSAN Admins *DOMAINAPPLICATION ADMINS *DOMAINSERVICE NOW ADMINS *DOMAINSERVICE NOW OU ADMINS *DOMAINSERVICE NOW Group ADMINS *DOMAINIT OU ADMINS *DOMAINNetwork Team *DOMAINCluster2 Admins *DOMAINDatabase Disk Admins *DOMAINCluster Admins
  • 45. Excessive Group Membership Example: Epic Sunflower
  • 46. More presentations available at secframe.com https://github.com/davidprowe/AD_Sec_Tools @customes david [@] secframe.com

Editor's Notes

  • #3: The thing that bothers me, is that I logged into a computer… years ago. It remembered my password. I logged into it with an old password, like really old. The computer wasn’t even on the network. I.T. asked me to log into it because they needed to get something off of it. Who can use this password? Who can pretend to be me?
  • #6: Discretionary access control: Each user has an account. Each User is a member of groups Groups access objects; Computers, Groups and users
  • #7: Discretionary access control: Each user has an account. Each User is a member of groups Groups access objects; Computers, Groups and users
  • #8: Discretionary access control: Each user has an account. Each User is a member of groups Groups access objects; Computers, Groups and users
  • #9: Discretionary access control: Each user has an account. Each User is a member of groups Groups access objects; Computers, Groups and users
  • #12: Add three and label with correct stuff
  • #13: Add three and label with correct stuff
  • #14: Enhanced Security Administrative Environment (ESAE) Attack detection – logging, ATA https://adsecurity.org/wp-content/uploads/2017/11/BlueHat-2017-Metcalf-ActiveDirectorySecurityTheJourney-Final.pdf https://github.com/clong/DetectionLab
  • #15: Enhanced Security Administrative Environment (ESAE) Attack detection – logging, ATA https://adsecurity.org/wp-content/uploads/2017/11/BlueHat-2017-Metcalf-ActiveDirectorySecurityTheJourney-Final.pdf https://github.com/clong/DetectionLab
  • #17: 100% of stage 1 50% of stage 2 Removing cached credentials Separate admin accounts for DA, admins and workstation admins Unique local computer passwords Limit number of administrators Audit and alert! - powershell
  • #19: Add three and label with correct stuff
  • #22: Add three and label with correct stuff
  • #23: Add three and label with correct stuff
  • #24: Add three and label with correct stuff
  • #25: Add three and label with correct stuff
  • #26: Add three and label with correct stuff
  • #32: Implement, REBOOT
  • #33: Implement, REBOOT
  • #34: Dump clear-text passwords from memory using mimikatz and the Windows Task Manager to dump the LSASS process. To do this, dump the lsass.exe process to a file using Windows built-in Task Manager with right-clicking “lsass.exe” then selecting “Create Dump File”
  • #35: Dump clear-text passwords from memory using mimikatz and the Windows Task Manager to dump the LSASS process. To do this, dump the lsass.exe process to a file using Windows built-in Task Manager with right-clicking “lsass.exe” then selecting “Create Dump File”
  • #36: Dump clear-text passwords from memory using mimikatz and the Windows Task Manager to dump the LSASS process. To do this, dump the lsass.exe process to a file using Windows built-in Task Manager with right-clicking “lsass.exe” then selecting “Create Dump File”
  • #41: There are ways around the vss copy, but those methods include another form of elevation on the computer. Typically elevating to system. If you have auditing and alerting turned on for special logons, this should trigger an alert.
  • #43: There are ways around the vss copy, but those methods include another form of elevation on the computer. Typically elevating to system. If you have auditing and alerting turned on for special logons, this should trigger an alert. Event ID 8193 – vss started
  • #44: There are ways around the vss copy, but those methods include another form of elevation on the computer. Typically elevating to system. If you have auditing and alerting turned on for special logons, this should trigger an alert.
  • #46: Add three and label with correct stuff
  • #47: Add three and label with correct stuff