Beyond the MCSE Red Teaming Active Directory

06.08.2016 Views
A Security Pro’s AD Checklist • Identify who has AD admin rights (domain/forest). • Identify DC logon rights. • Identify virtual host admins (virtual DCs). • Scan Active Directory Domains, OUs, AdminSDHolder, & GPOs for inappropriate custom permissions. • Ensure AD admins protect their credentials by not logging into untrusted systems (workstations). • Limit service account rights that are currently DA (or equivalent). | @PryoTek3 | sean @ adsecurity.org |

PowerView AD Recon Cheat Sheet • Get-NetForest • Get-NetDomain • Get-NetForestTrust • Get-NetDomainTrust • Invoke-MapDomainTrust • Get-NetDomainController • Get-DomainPolicy • Get-NetGroup • Get-NetGroupMember • Get-NetGPO • Get-NetGPOGroup • Get-NetUser • Invoke-ACLScanner | @PryoTek3 | sean @ adsecurity.org |

Page 1 and 2: Beyond the MCSE: Red Teaming Active

Page 3 and 4: Agenda Key AD Security components O

Page 5 and 6: | @PryoTek3 | sean @ adsecurity.org

Page 7 and 8: https://www.carbonblack.com/2016/03

Page 9 and 10: Differing Views of Active Directory

Page 11 and 12: Forests & Domains •Forest • Sin

Page 13 and 14: Trusts • Connection between domai

Page 15 and 16: Sites & Subnets • Map AD to physi

Page 17 and 18: Read-Only Domain Controllers • Re

Page 19 and 20: DC Discovery (ADSI) | @PryoTek3 | s

Page 21 and 22: Group Policy Capability • Configu

Page 23 and 24: NTLM Authentication • Most aren

Page 25 and 26: Kerberos Key Points • NTLM passwo

Page 27 and 28: Quick PowerShell Attack History •



Page 33 and 34: Bypassing Windows 10 AMSI • DLL h


Page 37 and 38: PowerShell v5 Security Log Data? |

Page 39 and 40: PowerShell for AD Recon • MS Acti

Page 41 and 42: Active Directory Domain Info | @Pry

Page 43 and 44: Digging for Gold in AD • Default/

Page 45 and 46: Useful AD User Properties • Creat

Page 47 and 48: Fun with User Attributes: SID Histo

Page 49 and 50: Discover Computers & Services witho

Page 51 and 52: SPN Scanning | @PryoTek3 | sean @ a

Page 53 and 54: Discover Admin Accounts: Group Enum

Page 55 and 56: Discover Admin Accounts - AdminCoun

Page 57 and 58: Discover AD Groups with Local Admin

Page 59 and 60: Discover Users with Admin Rights |

Page 61 and 62: Follow the Delegation… | @PryoTek

Page 63 and 64: Discover Admin Accounts: Group Poli

Page 65 and 66: Identify Partner Organizations via

Page 67 and 68: Identify Fine-Grained Password Poli

Page 69 and 70: Identify AppLocker Whitelisting Set

Page 71 and 72: Identify Microsoft LAPS Delegation

Page 73 and 74: AD Defenses & Bypasses | @PryoTek3

Page 75 and 76: HoneyTokens, HoneyCredentials…

Page 77 and 78: Network Segmentation • “High Va

Page 79 and 80: Privileged Admin Workstation (PAW)

Page 81 and 82: AD Admin Tiers https://technet.micr

Page 83 and 84: ESAE Admin Forest (aka “Red Fores

Page 85 and 86: Universal Bypass for Most Defenses

Page 87: Interesting AD Facts: •Standard u

Page 91 and 92: Questions? Sean Metcalf (@Pyrotek3)

Page 93 and 94: References • Mining Active Direct


Page 97: Detecting EXEs Hosting PowerShell

admin

powershell

directory

active

domain

microsoft

admins

kerberos

password

ntlm

mcse

teaming

Beyond the MCSE Red Teaming Active Directory

DEFCON-24-Sean-Metcalf-Beyond-The-MCSE-Red-Teaming-Active-Directory ... View more DEFCON-24-Sean-Metcalf-Beyond-The-MCSE-Red-Teaming-Active-Directory

Delete template?

Save as template ?

DEFCON-24-Sean-Metcalf-Beyond-The-MCSE-Red-Teaming-Active-Directory DEFCON-24-Sean-Metcalf-Beyond-The-MCSE-Red-Teaming-Active-Directory