Beyond the MCSE Red Teaming Active Directory
DEFCON-24-Sean-Metcalf-Beyond-The-MCSE-Red-Teaming-Active-Directory
PowerShell as an Attack Platform | @PryoTek3 | sean @ adsecurity.org |
Quick PowerShell Attack History
• Summer 2010 - DEF CON 18: Dave Kennedy & Josh Kelly “PowerShell OMFG!” https://www.youtube.com/watch?v=JKlVONfD53w
  • Describes many of the PowerShell attack techniques still used today (bypassing the execution policy, -Enc, & IE).
  • Released PowerDump to dump the SAM database via PowerShell.
• 2012 – PowerSploit, a GitHub repo started by Matt Graeber, launched with Invoke-Shellcode.
  • “Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.”
• 2013 - Invoke-Mimikatz released by Joe Bialek, which leverages Invoke-ReflectivePEInjection.
- Page 1 and 2: Beyond the MCSE: Red Teaming Active
- Page 3 and 4: Agenda Key AD Security components O
- Page 7 and 8: https://www.carbonblack.com/2016/03
- Page 9 and 10: Differing Views of Active Directory
- Page 11 and 12: Forests & Domains •Forest • Sin
- Page 13 and 14: Trusts • Connection between domai
- Page 15 and 16: Sites & Subnets • Map AD to physi
- Page 17 and 18: Read-Only Domain Controllers • Re
- Page 19 and 20: DC Discovery (ADSI) | @PryoTek3 | s
- Page 21 and 22: Group Policy Capability • Configu
- Page 23 and 24: NTLM Authentication • Most aren
- Page 25: Kerberos Key Points • NTLM passwo
- Page 33 and 34: Bypassing Windows 10 AMSI • DLL h
- Page 37 and 38: PowerShell v5 Security Log Data? |
- Page 39 and 40: PowerShell for AD Recon • MS Acti
- Page 41 and 42: Active Directory Domain Info | @Pry
- Page 43 and 44: Digging for Gold in AD • Default/
- Page 45 and 46: Useful AD User Properties • Creat
- Page 47 and 48: Fun with User Attributes: SID Histo
- Page 49 and 50: Discover Computers & Services witho
- Page 51 and 52: SPN Scanning | @PryoTek3 | sean @ a
- Page 53 and 54: Discover Admin Accounts: Group Enum
- Page 55 and 56: Discover Admin Accounts - AdminCoun
- Page 57 and 58: Discover AD Groups with Local Admin
- Page 59 and 60: Discover Users with Admin Rights |
- Page 61 and 62: Follow the Delegation… | @PryoTek
- Page 63 and 64: Discover Admin Accounts: Group Poli
- Page 65 and 66: Identify Partner Organizations via
- Page 67 and 68: Identify Fine-Grained Password Poli
- Page 69 and 70: Identify AppLocker Whitelisting Set
- Page 71 and 72: Identify Microsoft LAPS Delegation
- Page 73 and 74: AD Defenses & Bypasses | @PryoTek3
- Page 75 and 76: HoneyTokens, HoneyCredentials…