/AD-Attack-Defense

Active Directory Security For Red & Blue Team

Active Directory Kill Chain Attack & Defense

Summary

This document is designed to be a useful informational asset for those looking to understand the specific tactics, techniques, and procedures (TTPs) attackers leverage to compromise Active Directory, together with guidance on mitigation, detection, and prevention. It also covers the Active Directory kill chain and modern post-exploitation adversary tradecraft.

Table of Contents


Discovery

SPN Scanning

Data Mining

User Hunting

LAPS


Privilege Escalation

Passwords in SYSVOL & Group Policy Preferences

MS14-068 Kerberos Vulnerability

DNSAdmins

Unconstrained Delegation

Constrained Delegation

Insecure Group Policy Object Permission Rights

Insecure ACLs Permission Rights

Domain Trusts

DCShadow

RID

Microsoft SQL Server

Red Forest


Lateral Movement

Microsoft SQL Server Database links

Pass The Hash

System Center Configuration Manager (SCCM)

WSUS

Password Spraying


Defense Evasion

In-Memory Evasion

Endpoint Detection and Response (EDR) Evasion

OPSEC

Microsoft ATA & ATP Evasion

PowerShell ScriptBlock Logging Bypass

PowerShell Anti-Malware Scan Interface (AMSI) Bypass

AppLocker & Device Guard Bypass

Sysmon Evasion

HoneyTokens Evasion


Credential Dumping

NTDS.DIT Password Extraction

Kerberoasting

Kerberos AP-REP Roasting

Windows Credential Manager/Vault

DCSync

LLMNR/NBT-NS Poisoning


Persistence

Golden Ticket

SID History

Silver Ticket

DCShadow

AdminSDHolder

Group Policy Object

Skeleton Keys

SeEnableDelegationPrivilege

Security Support Provider

Directory Services Restore Mode

ACLs & Security Descriptors

Tools & Scripts

  • PowerView - Situational Awareness PowerShell framework
  • BloodHound - Six Degrees of Domain Admin
  • CrackMapExec - A Swiss Army knife for pentesting networks
  • ADACLScanner - A tool with a GUI or command line used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory
  • PowerUpSQL - A PowerShell Toolkit for Attacking SQL Server
  • Rubeus - Rubeus is a C# toolset for raw Kerberos interaction and abuses
  • ADRecon - A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
  • Mimikatz - Utility to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory, and also to perform pass-the-hash, pass-the-ticket or build Golden tickets
  • Grouper - A PowerShell script for helping to find vulnerable settings in AD Group Policy.

Ebooks

Cheat Sheets


Defense & Detection

Tools & Scripts

  • SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016
  • Net Cease - Hardening Net Session Enumeration
  • PingCastle - A tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework
  • Aorato Skeleton Key Malware Remote DC Scanner - Remotely scans for the existence of the Skeleton Key Malware
  • Reset the krbtgt account password/keys - This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation
  • Deploy-Deception - A PowerShell module to deploy active directory decoy objects
  • dcept - A tool for deploying and detecting use of Active Directory honeytokens
  • LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
  • DCSYNCMonitor - Monitors for DCSYNC and DCSHADOW attacks and creates custom Windows Events for these events

Detection

| Attack | Event ID |
|---|---|
| Account and Group Enumeration | 4798: A user's local group membership was enumerated |
| | 4799: A security-enabled local group membership was enumerated |
| AdminSDHolder | 4780: The ACL was set on accounts which are members of administrators groups |
| Kekeo | 4624: Account Logon |
| | 4672: Admin Logon |
| | 4768: Kerberos TGS Request |
| Silver Ticket | 4624: Account Logon |
| | 4634: Account Logoff |
| | 4672: Admin Logon |
| Golden Ticket | 4624: Account Logon |
| | 4672: Admin Logon |
| PowerShell | 4103: Script Block Logging |
| | 400: Engine Lifecycle |
| | 403: Engine Lifecycle |
| | 4103: Module Logging |
| | 600: Provider Lifecycle |
| DCShadow | 4742: A computer account was changed |
| | 5137: A directory service object was created |
| | 5141: A directory service object was deleted |
| | 4929: An Active Directory replica source naming context was removed |
| Skeleton Keys | 4673: A privileged service was called |
| | 4611: A trusted logon process has been registered with the Local Security Authority |
| | 4688: A new process has been created |
| | 4689: A new process has exited |
| PYKEK MS14-068 | 4672: Admin Logon |
| | 4624: Account Logon |
| | 4768: Kerberos TGS Request |
| Kerberoasting | 4769: A Kerberos ticket was requested |
| Lateral Movement | 4688: A new process has been created |
| | 4689: A process has exited |
| | 4624: An account was successfully logged on |
| | 4625: An account failed to log on |
| DNSAdmin | 770: DNS Server plugin DLL has been loaded |
| | 541: The setting serverlevelplugindll on scope . has been set to <dll path> |
| | 150: DNS Server could not load or initialize the plug-in DLL |
| DCSync | 4662: An operation was performed on an object |
| Password Spraying | 4625: An account failed to log on |
| | 4771: Kerberos pre-authentication failed |
| | 4648: A logon was attempted using explicit credentials |

Resources

License

CC0

To the extent possible under law, Rahmat Nurfauzi "@infosecn1nja" has waived all copyright and related or neighboring rights to this work.