1 Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection Sean Metcalf CTO, DAn Solutions sean dansolutions _._com DAnSolutions.com ADSecurity.org
2 ABOUT Chief Technology Officer - DAn Solutions Microsoft Certified Master (MCM) Directory Services Security Researcher / Purple Team Security Info -> ADSecurity.org
3 AGENDA Red Team (Recon, Escalate, Persist) Blue Team (Detect, Mitigate, Prevent)
5 Perimeter Defenses Are Easily Bypassed
6 Source: KrebsonSecurity.com
7 Verizon DBIR: 2014 Breach Statistics 60% ATTACKERS ARE ABLE TO COMPROMISE AN ORGANIZATION WITHIN MINUTES. 23% / 11% OPEN PHISHING MESSAGES / CLICK ON ATTACHMENTS. 50% OPEN S AND CLICK ON PHISHING LINKS WITHIN THE FIRST HOUR. 20% Incidents related to insider threat 99.9% EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED. About half of CVEs had PoCs in <1 month 95% MALWARE TYPES SHOWED UP FOR LESS THAN A MONTH, 70-90% MALWARE SAMPLES ARE UNIQUE TO AN ORGANIZATION. Source: Verizon Data Breach Investigation Report 2015
8 Red Team (Offense)
9 Attacker Goals Data Access Exfiltration Persistence Privilege escalation if needed
10 PowerShell Overview Dave Kennedy: Bash for Windows PowerShell.exe only an entry point into PowerShell PowerShell Desktop OS Server OS Version 2 Windows 7 Windows 2008 R2 Version 3 Windows 8 Windows 2012 Version 4 Windows 8.1 Windows 2012 R2 Version 5 Windows 10 Windows 2016
12 SPN Scanning Service Discovery SQL servers, instances, ports, etc. MSSQLSvc/adsmsSQLAP01.adsecurity.org:1433 Exchange Client Access Servers RDP exchangemdb/adsmsexcas01.adsecurity.org TERMSERV/adsmsEXCAS01.adsecurity.org WSMan/WinRM/PS Remoting WSMAN/adsmsEXCAS01.adsecurity.org Hyper-V Host Microsoft Virtual Console Service/adsmsHV01.adsecurity.org VMWare VCenter STS/adsmsVC01.adsecurity.org
13 SPN Scanning for MS SQL Servers Discover-PSMSSQLServers https://github.com/pyrotek3/powershell-ad-recon/blob/master/discover-psmssqlservers
14 SPN Scanning for Service Accounts Find-PSServiceAccounts https://github.com/pyrotek3/powershell-ad-recon/blob/master/find-psserviceaccounts SPN Directory:
15 Cracking Service Account Passwords (Kerberoast) Request/Save TGS service tickets & crack offline. Kerberoast python-based TGS password cracker. No elevated rights required. No traffic sent to target.
16 Kerberoast: Request TGS Service Ticket
17 Kerberoast: Save & Crack TGS Service Ticket
18 Detection (noisy): Blue Team Response: TGS Password Cracking Event ID 4769: A Kerberos service ticket was requested Mitigation: Service Account passwords >25 characters Use (Group) Managed Service Accounts
19 Group Policy Preferences Credential Storage The private key is publicly available on MSDN https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
20 Exploiting Group Policy Preferences \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\
21 Blue Team Response: Exploiting GPP Detection: XML Permission Denied Checks Place xml file in SYSVOL & set Everyone:Deny Audit Access Denied errors GPO doesn t exist, no legit reason for access Mitigation: Install KB on every computer used to manage GPOs Delete existing GPP xml files in SYSVOL containing passwords
22 Pivoting with Local Admin Using GPP Credentials Connect to other computers using ADSAdmin account Compromise Local Admin creds = Admin rights on all Always RID 500 doesn t matter if renamed. Mimikatz for more credentials!
23 Detection: Blue Team Response: Local Admin Local admin account logon Mitigation: Use Microsoft LAPS (or similar) for automatic local admin password change. Deploy KB on all systems & disallow local account logon across network via GPO. Limit workstation to workstation communication. Implement network segmentation.
24 Mimikatz: The Credential Multi-tool Dump credentials Windows protected memory (LSASS). * Active Directory Domain Controller database. * Dump Kerberos tickets for all users. * for current user. Credential Injection Password hash (pass-the-hash) Kerberos ticket (pass-the-ticket) Generate Silver and/or Golden tickets And so much more!
25 Dump Credentials with Mimikatz User Service Account
26 Kerberos Double Hop Issue
27 Kerberos Unconstrained Delegation
28 Discover Servers Configured with Delegation
29 Kerberos Unconstrained Delegation
31 Exploiting Kerberos Delegation
32 Blue Team Response: Kerberos Delegation Detection: Delegation events Mitigation: Only use Kerberos Constrained Delegation Disable delegation for admin accounts
33 Dumping AD Domain Credentials Get access to the NTDS.dit file & extract data. Copy AD database from remote DC. Grab AD database copy from backup. Get Virtual DC data. Dump credentials on DC (local or remote). Run Mimikatz (WCE, etc) on DC. Invoke-Mimikatz on DC via PS Remoting.
34 Finding NTDS.dit on the Network Are your DC backups properly secured? Domain Controller storage? Who administers the virtual server hosting virtual DCs? Are your VMWare/Hyper-V host admins considered Domain Admins? Hint: They should be.
35 Dump LSASS Process Memory
36 Dump AD Credentials with Mimikatz
38 Dump Password Hashes from NTDS.dit
39 Over Pass the Hash Use the NTLM password hash to get Kerberos ticket(s)
40 Kekeo Tool: DCSync
42 Blue Team Response: Credential Theft Detection: Difficult Mitigation: Protect DC backups & storage Protect admin credentials Admins only logon to specific systems Limit Service Account rights/permissions Set all admin accounts to sensitive & cannot be delegated Separate Admin workstations for administrators (lockeddown & no internet).
43 MS14-068: (Microsoft) Kerberos Vulnerability MS (CVE ) Patch released 11/18/2014 Domain Controller Kerberos Service (KDC) didn t correctly validate the PAC checksum. Effectively re-write user ticket to be a Domain Admin. Own AD in 5 minutes
44 MS (PyKEK 12/5/2014)
45 MS Kekeo Exploit
46 User to Admin in 5 Minutes?
47 Blue Team Response: MS Detection: IDS Signature for Kerberos AS-REQ & TGS-REQ both containing Include PAC: False Mitigation: Patch servers with KB before running DCPromo patch the server build. Check patch status before running DCPromo
48 Golden Ticket (Forged TGT) Communication
49 Golden Ticket Limitation Admin rights limited to current domain. Doesn t work across domains in Forest unless in EA domain.
50 Golden Ticket More Golden! Mimikatz now supports SID History in Golden Tickets
51 Silver Ticket (Forged TGS) Communication
52 Silver Ticket: Domain Controller Exploitation Attacker dumped AD & has all domain creds. Corp IT changed all user, admin, and service account passwords (and KRBTGT pw 2x). Attacker still has Domain Controller computer account password hashes. What is possible with these?
53 Silver Ticket: Domain Controller Exploitation
54 Silver Ticket: Domain Controller Exploitation
55 Silver Ticket: Domain Controller Exploitation
56 Silver Ticket: Domain Controller Exploitation
57 Silver Ticket: Domain Controller Exploitation
58 Forging Kerberos Trust Tickets
59 Blue Team Response: Forged Kerberos Tickets Detection: Difficult Mitigation: Protect AD Admins
60 Detecting Forged Kerberos: Golden & Silver Tickets Normal, valid account logon event data structure: Security ID: DOMAIN\AccountID Account Name: AccountID Account Domain: DOMAIN Golden & Silver Ticket events may have one of these issues: The Account Domain field is blank when it should contain DOMAIN. The Account Domain field is DOMAIN FQDN when it should contain DOMAIN. The Account Domain field contains eo.oe.kiwi :) Event IDs: 4624 (logon), 4672 (admin logon), 4634 (logoff)
67 Windows 10 PowerShell Security: Antimalware Integration
68 Mitigation Level One (Low) Minimize the groups (& users) with DC admin/logon rights Separate user & admin accounts (JoeUser & AdminJoeUser) No user accounts in admin groups Set all admin accounts to sensitive & cannot be delegated Deploy Security Back-port patch (KB ) Set GPO to prevent local accounts from connecting over network to computers (KB ). Use long, complex (>25 characters) passwords for SAs. Delete (or secure) GPP policies and files with creds. Patch server image (and servers) before running DCPromo Implement RDP Restricted Admin mode
69 Mitigation Level Two (Moderate) Microsoft LAPS (or similar) to randomize computer local admin account passwords. Service Accounts (SAs): Leverage (Group) Managed Service Accounts. Implement Fine-Grained Password Policies (DFL >2008). Limit SAs to systems of the same security level, not shared between workstations & servers (for example). Remove Windows 2003 from the network. Separate Admin workstations for administrators (locked-down & no internet). PowerShell logging
70 Mitigation Level Three ( It s Complicated ) New Admin Model Number of Domain Admins = 0 Complete separation of administration ADAs use SmartCard auth w/ rotating pw ADAs never logon to other security tiers. ADAs should only logon to a DC (or admin workstation or server). Time-based, temporary group membership. No Domain Admin service accounts running on non-dcs. Disable default local admin account & delete all other local accounts. Implement network segmentation. CMD Process logging & enhancement (KB ).
71 Credential Theft Protection (Future)
72 Attack Detection Paradigm Shift Microsoft Advanced Threat Analytics (ATA, formerly Aorato) Monitors all network traffic to Domain Controllers Baselines normal activity for each user (computers, resources, etc) Alerts on suspicious activity by user Natively detects recon & attack activity without writing rules ATA Detection Capability: Credential theft & use: Pass the hash, Pass the ticket, Over-Pass the hash, etc MS exploits Golden Ticket usage DNS Reconnaissance Password brute forcing Domain Controller Skeleton Key Malware
73 Microsoft Advanced Threat Analytics (ATA)
74 ATA Detection: Suspicious Activity
75 ATA Detection: Credential Theft Pass the Hash
76 ATA Detection: Credential Theft Pass the Ticket
77 ATA Detection: Credential Theft OverPass the Hash
78 ATA Detection: MS Exploit
79 ATA Detection: Golden Ticket
80 ATA Detection: Skeleton Key
81 Additional Mitigations Monitor scheduled tasks on sensitive systems (DCs, etc) Block internet access to DCs & servers. Monitor security event logs on all servers for known forged Kerberos & backup events. Include computer account password changes as part of domain-wide password change scenario (set to 1 day) Change the KRBTGT account password (twice) every year & when an AD admin leaves. Incorporate Threat Intelligence in your process and model defenses against real, current threats.
82 Summary Attackers will get code running on a target network. The extent of attacker access is based on defensive posture. Advanced attacks with forged tickets can be detected. Protect AD Admins or a full domain compromise is likely! My research into Active Directory attack, defense, & detection is ongoing. This is only the beginning
83 Thanks! Alva Skip Duckwall Benjamin Delpy Casey Smith Chris Campbell Joe Bialek https://clymb3r.wordpress.com Matt Graeber Rob Fuller Will The Microsoft ATA Product Team (Tal, Michael, & Idan) Many others in the security community! My wife & family for putting up with me being on the computer every night! CONTACT: Sean sean dansolutions. com https://www.adsecurity.org
Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques Mitigating the risk of lateral movement and privilege escalation Mitigating Pass-the-Hash (PtH) Attacks and Other Credential
BEST PRACTICES FOR SCSP POCS Best Practices for Critical System Protection Proof of Concepts Version 1.0 1 1. UNDERSTANDING SERVER RISK... 4 1.1. HOW TO PROTECT YOURSELF: DEVELOPING SERVER HARDENING CONFIGURATIONS...
Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...
Best Practice Guide for Securing Active Directory Installations Microsoft Corporation First published: October 2005 Updated and republished: January 2009 Abstract This guide contains recommendations for
PassTest Bessere Qualität, bessere Dienstleistungen! Q&A Exam : 70-640 Title : Windows Server 2008 Active Directory. Configuring Version : Demo 1 / 28 1.You have a single Active Directory domain. All domain
E-mail Filter SurfControl E-mail Filter 5.0 for SMTP Getting Started Guide www.surfcontrol.com The World s #1 Web & E-mail Filtering Company CONTENTS CONTENTS INTRODUCTION About This Document...2 Product
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Windows Firewall with Advanced Security Design Guide and Deployment Guide Microsoft Corporation Published: October 2008 Author: Dave Bishop Editor: Allyson Adley Reviewers: Bilal Aijazi, Boyd Benson, Shalaka
Trend Micro Deep Security Server Security Protecting the Dynamic Datacenter A Trend Micro White Paper August 2009 I. SECURITY IN THE DYNAMIC DATACENTER The purpose of IT security is to enable your business,
Best Practices for Securing Privileged Accounts 2015 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Introduction 1 2 Risk management 2 2.1 Baseline risks............................................
Chapter 3 Controls and Safeguards Solutions in this chapter: Data Security Program Security Controls Technical Safeguards Access Control Activity Logging and Monitoring Software Assurance Change Management
Knowlton Project Analysis Study: Examining Trends in Cyber Security: Merging Network Defense and Analysis March 2013 Security is a journey, not a destination www.praescientanalytics.com INTRODUCTION Somewhere
MCAFEE APPLICATION CONTROL / CHANGE CONTROL BEST PRACTICES GUIDE Version 0.4 20 December 2011 About This Guide The purpose of this guide is to provide best practices for initial usage of the three main
ESET Remote Administrator Installation Manual and User Guide we protect your digital worlds contents Contents 1. Introduction... 4 2. ERA client/server architecture... 5 2.1 ERA Server (ERAS)...5 2.1.1
Splunk and the SANS Top 20 Critical Security Controls Mapping Splunk Software to the SANS Top 20 CSC Version 4.1 Copyright 2014 by Splunk Inc. All rights reserved. Splunk, Splunk>, Listen to Your Data,
A Websense White Paper ADVANCED PERSISTENT THREATS AND OTHER ADVANCED ATTACKS: THREAT ANALYSIS AND DEFENSE STRATEGIES FOR SMB, MID-SIZE, AND ENTERPRISE ORGANIZATIONS REV 2 ADVANCED PERSISTENT THREATS AND
Chapter 5 MCTS/MCITP Exam 648 Maintaining an Active Directory Environment Exam objectives in this chapter: Backup and Recovery Offline Maintenance Monitoring Active Directory Exam objectives review: Summary
About this guide Deep Security provides a single platform for server security to protect physical, virtual, and cloud servers as well as hypervisors and virtual desktops. Tightly integrated modules easily
Sponsored by McAfee Protecting Virtual Endpoints with McAfee Server Security Suite Essentials December 2013 A SANS Analyst Whitepaper Written by Dave Shackleford Capability Sets for Virtualization Security
CDM Software Asset Management (SWAM) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Table of Contents 1 PURPOSE AND SCOPE... 2 2 THREAT
ProfileUnity with FlexApp Technology Help Manual Introduction This guide has been authored by experts at Liquidware Labs in order to provide information and guidance concerning ProfileUnity with FlexApp.
Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations Leveraging Configuration and Vulnerability Analysis for Critical Assets and Infrastructure May 2015 (Revision 2) Table of