Home

Awesome

Active Directory Kill Chain Attack & Defense

image

Summary

This document was designed to be a useful, informational asset for those looking to understand the specific tactics, techniques, and procedures (TTPs) attackers are leveraging to compromise active directory and guidance to mitigation, detection, and prevention. And understand Active Directory Kill Chain Attack and Modern Post Exploitation Adversary Tradecraft Activity.

Table of Contents


Discovery

SPN Scanning

Data Mining

User Hunting

LAPS

AppLocker

Active Directory Federation Services


Privilege Escalation

sAMAccountName Spoofing

Abusing Active Directory Certificate Services

PetitPotam

Zerologon

Passwords in SYSVOL & Group Policy Preferences

MS14-068 Kerberos Vulnerability

DNSAdmins

Kerberos Delegation

Unconstrained Delegation

Constrained Delegation

Resource-Based Constrained Delegation

Insecure Group Policy Object Permission Rights

Insecure ACLs Permission Rights

Domain Trusts

DCShadow

RID

Microsoft SQL Server

Red Forest

Exchange

NTLM Relay & LLMNR/NBNS


Lateral Movement

Microsoft SQL Server Database links

Pass The Hash

System Center Configuration Manager (SCCM)

WSUS

Password Spraying

Automated Lateral Movement


Defense Evasion

In-Memory Evasion

Endpoint Detection and Response (EDR) Evasion

OPSEC

Microsoft ATA & ATP Evasion

PowerShell ScriptBlock Logging Bypass

PowerShell Anti-Malware Scan Interface (AMSI) Bypass

Loading .NET Assemblies Anti-Malware Scan Interface (AMSI) Bypass

AppLocker & Device Guard Bypass

Sysmon Evasion

HoneyTokens Evasion

Disabling Security Tools


Credential Dumping

NTDS.DIT Password Extraction

SAM (Security Accounts Manager)

Kerberoasting

Kerberos AP-REP Roasting

Windows Credential Manager/Vault

DCSync

LLMNR/NBT-NS Poisoning

Others


Persistence

Diamond Ticket

Golden Ticket

SID History

Silver Ticket

DCShadow

AdminSDHolder

Group Policy Object

Skeleton Keys

SeEnableDelegationPrivilege

Security Support Provider

Directory Services Restore Mode

ACLs & Security Descriptors

Tools & Scripts

Ebooks

Cheat Sheets

Other Resources

Azure Active Directory


Defense & Detection

Tools & Scripts

Sysmon Configuration

Active Directory Security Checks (by Sean Metcalf - @Pyrotek3)

General Recommendations

Protect Admin Credentials

Protect AD Admin Credentials

Protect Service Account Credentials

Protect Resources

Protect Domain Controllers

Protect Workstations (& Servers)

Logging

Security Pro’s Checks

Important Security Updates

CVETitleDescriptionLink
CVE-2020-1472Netlogon Elevation of Privilege VulnerabilityAn elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
CVE-2019-1040Windows NTLM Tampering VulnerabilityA tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka 'Windows NTLM Tampering Vulnerability'.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1040
CVE-2019-0683Active Directory Elevation of Privilege VulnerabilityAn elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest, aka 'Active Directory Elevation of Privilege Vulnerability'.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0683
CVE-2019-0708Remote Desktop Services Remote Code Execution VulnerabilityA remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
CVE-2018-8581Microsoft Exchange Server Elevation of Privilege VulnerabilityAn elevation of privilege vulnerability exists in Microsoft Exchange Server, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8518
CVE-2017-0143Windows SMB Remote Code Execution VulnerabilityThe SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143
CVE-2016-0128Windows SAM and LSAD Downgrade VulnerabilityThe SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "Windows SAM and LSAD Downgrade Vulnerability" or "BADLOCK."https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0128
CVE-2014-6324Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability."https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068
CVE-2014-1812Vulnerability in Group Policy Preferences could allow elevation of privilegeThe Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati

Detection

AttackEvent ID
Account and Group Enumeration4798: A user's local group membership was enumerated<br>4799: A security-enabled local group membership was enumerated
AdminSDHolder4780: The ACL was set on accounts which are members of administrators groups
Kekeo4624: Account Logon<br>4672: Admin Logon<br>4768: Kerberos TGS Request
Silver Ticket4624: Account Logon<br>4634: Account Logoff<br>4672: Admin Logon
Golden Ticket4624: Account Logon<br>4672: Admin Logon
PowerShell4103: Script Block Logging<br>400: Engine Lifecycle<br>403: Engine Lifecycle<br>4103: Module Logging<br>600: Provider Lifecycle<br>
DCShadow4742: A computer account was changed<br>5137: A directory service object was created<br>5141: A directory service object was deleted<br>4929: An Active Directory replica source naming context was removed
Skeleton Keys4673: A privileged service was called<br>4611: A trusted logon process has been registered with the Local Security Authority<br>4688: A new process has been created<br>4689: A new process has exited
PYKEK MS14-0684672: Admin Logon<br>4624: Account Logon<br>4768: Kerberos TGS Request
Kerberoasting4769: A Kerberos ticket was requested
S4U2Proxy4769: A Kerberos ticket was requested
Lateral Movement4688: A new process has been created<br>4689: A process has exited<br>4624: An account was successfully logged on<br>4625: An account failed to log on
DNSAdmin770: DNS Server plugin DLL has been loaded<br>541: The setting serverlevelplugindll on scope . has been set to <dll path><br>150: DNS Server could not load or initialize the plug-in DLL
DCSync4662: An operation was performed on an object
Password Spraying4625: An account failed to log on<br>4771: Kerberos pre-authentication failed<br>4648: A logon was attempted using explicit credentials

Resources

License

CC0

To the extent possible under law, Rahmat Nurfauzi "@infosecn1nja" has waived all copyright and related or neighboring rights to this work.