Beyond the MCSE Red Teaming Active Directory

More documents

Recommendations

Info

Kerberos Au<strong>the</strong>ntication | @PryoTek3 | sean @ adsecurity.org |
Kerberos Key Points • NTLM password hash for Kerberos RC4 encryption. • Logon Ticket (TGT) provides user auth to DC. • Kerberos policy only checked when TGT is created. • DC validates user account when TGT > 20 mins. • Service Ticket (TGS) PAC validation optional & rare. • Server LSASS lsends PAC Validation request to DC’s netlogon service (NRPC). • If it runs as a service, PAC validation is optional (disabled) • If a service runs as System, it performs server signature verification on <strong>the</strong> PAC (computer LTK). | @PryoTek3 | sean @ adsecurity.org |
Page 1 and 2: Beyond the MCSE: Red Teaming Active
Page 3 and 4: Agenda Key AD Security components O
Page 5 and 6: | @PryoTek3 | sean @ adsecurity.org
Page 7 and 8: https://www.carbonblack.com/2016/03
Page 9 and 10: Differing Views of Active Directory
Page 11 and 12: Forests & Domains •Forest • Sin
Page 13 and 14: Trusts • Connection between domai
Page 15 and 16: Sites & Subnets • Map AD to physi
Page 17 and 18: Read-Only Domain Controllers • Re
Page 19 and 20: DC Discovery (ADSI) | @PryoTek3 | s
Page 21 and 22: Group Policy Capability • Configu
Page 23: NTLM Authentication • Most aren
Page 27 and 28: Quick PowerShell Attack History •
Page 33 and 34: Bypassing Windows 10 AMSI • DLL h
Page 37 and 38: PowerShell v5 Security Log Data? |
Page 39 and 40: PowerShell for AD Recon • MS Acti
Page 41 and 42: Active Directory Domain Info | @Pry
Page 43 and 44: Digging for Gold in AD • Default/
Page 45 and 46: Useful AD User Properties • Creat
Page 47 and 48: Fun with User Attributes: SID Histo
Page 49 and 50: Discover Computers & Services witho
Page 51 and 52: SPN Scanning | @PryoTek3 | sean @ a
Page 53 and 54: Discover Admin Accounts: Group Enum
Page 55 and 56: Discover Admin Accounts - AdminCoun
Page 57 and 58: Discover AD Groups with Local Admin
Page 59 and 60: Discover Users with Admin Rights |
Page 61 and 62: Follow the Delegation… | @PryoTek
Page 63 and 64: Discover Admin Accounts: Group Poli
Page 65 and 66: Identify Partner Organizations via
Page 67 and 68: Identify Fine-Grained Password Poli
Page 69 and 70: Identify AppLocker Whitelisting Set
Page 71 and 72: Identify Microsoft LAPS Delegation
Page 73 and 74: AD Defenses & Bypasses | @PryoTek3
Page 75 and 76:
HoneyTokens, HoneyCredentials…
Page 77 and 78:
Network Segmentation • “High Va
Page 79 and 80:
Privileged Admin Workstation (PAW)
Page 81 and 82:
AD Admin Tiers https://technet.micr
Page 83 and 84:
ESAE Admin Forest (aka “Red Fores
Page 85 and 86:
Universal Bypass for Most Defenses
Page 87 and 88:
Interesting AD Facts: •Standard u
Page 89 and 90:
PowerView AD Recon Cheat Sheet •
Page 91 and 92:
Questions? Sean Metcalf (@Pyrotek3)
Page 93 and 94:
References • Mining Active Direct
Page 95 and 96:
| @PryoTek3 | sean @ adsecurity.org
Page 97:
Detecting EXEs Hosting PowerShell
show all

Beyond the MCSE Red Teaming Active Directory

Create successful ePaper yourself

Delete template?

Save as template?