Beyond the MCSE: Red Teaming Active Directory
A Security Pro's AD Checklist
• Identify who has AD admin rights (domain/forest).
• Identify DC logon rights.
• Identify virtual host admins (virtual DCs).
• Scan Active Directory Domains, OUs, AdminSDHolder, & GPOs for inappropriate custom permissions.
• Ensure AD admins protect their credentials by not logging into untrusted systems (workstations).
• Limit service account rights that are currently DA (or equivalent).
| @PryoTek3 | sean @ adsecurity.org |
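The following PowerShell script is an added example for the first and fourth checklist items (it is not from the slides or from PowerView). It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the domain, and that the `$expectedTrustees` list matches your environment's intended AdminSDHolder grantees.

```powershell
# Added example for the checklist above; not from the slides. Assumes the RSAT
# ActiveDirectory module and read access to the domain (a normal user suffices).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$sid    = $domain.DomainSID.Value

# Item 1: who holds AD admin rights. Resolve the built-in privileged groups by
# well-known RID so renamed groups are still found, then expand nested membership.
$privileged = @{
    'Domain Admins'     = "$sid-512"
    'Enterprise Admins' = "$sid-519"   # only resolves in the forest root domain
    'Administrators'    = 'S-1-5-32-544'
}
$admins = foreach ($name in $privileged.Keys) {
    try { $group = Get-ADGroup -Identity $privileged[$name] -ErrorAction Stop } catch { continue }
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $name; Member = $_.SamAccountName } }
}
$admins | Sort-Object Member, Group -Unique | Format-Table -AutoSize

# Accounts stamped adminCount=1 that are no longer in any privileged group
# still carry the AdminSDHolder ACL and should be reviewed (or cleared) too.
$adminNames = @($admins.Member)
Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $adminNames -notcontains $_.SamAccountName } |
    Select-Object @{ n = 'OrphanedAdminCount'; e = { $_.SamAccountName } }

# Item 4: scan AdminSDHolder for custom permissions. Any explicit ACE that grants
# write-class rights to a trustee outside the expected privileged set is a
# candidate persistence point, because SDProp copies it to every protected object.
$acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$expectedTrustees = @(                      # assumption: tune to your environment
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Enterprise Admins"
)
$writeRights = 'GenericAll|WriteDacl|WriteOwner|WriteProperty|GenericWrite|ExtendedRight'
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
        $_.ActiveDirectoryRights -match $writeRights -and
        $expectedTrustees -notcontains $_.IdentityReference.Value
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize
```

Default ACEs outside the short trustee list (for example the Everyone change-password right) will appear in the last table, so compare the output against a known-good baseline of AdminSDHolder rather than treating every row as a finding.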
PowerView AD Recon Cheat Sheet
• Get-NetForest
• Get-NetDomain
• Get-NetForestTrust
• Get-NetDomainTrust
• Invoke-MapDomainTrust
• Get-NetDomainController
• Get-DomainPolicy
• Get-NetGroup
• Get-NetGroupMember
• Get-NetGPO
• Get-NetGPOGroup
• Get-NetUser
• Invoke-ACLScanner