ACTIVE DIRECTORY BACKDOORS: Myth or Reality BTA: an open source framework to analyse AD Workshop

Similar documents
ACTIVE DIRECTORY BACKDOORS: Myth or Reality BTA: an open source framework to analyse AD

Microsoft Virtual Labs. Active Directory New User Interface

How to Audit the 5 Most Important Active Directory Changes

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store

CONFIGURING TARGET ACTIVE DIRECTORY DOMAIN FOR AUDIT BY NETWRIX AUDITOR

6425C - Windows Server 2008 R2 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Delegate Resolver. Delegate Resolver? How it works. Priasoft

How To Understand The History Of Anntds.Dntd.Dt.Dotnetdt Database On A Pc Or Macbook (Windows) With A Password Key (For A Macbook) And Password History (For Annt

Active Directory Objectives

MS-6425C - Configuring Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Dell Recovery Manager for Active Directory 8.6. Deployment Guide

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Outline SSC Configuring and Troubleshooting Windows Server 2008 Active Directory

NE-6425C Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Active Directory Restoration

FastPass Password Manager Version 3.5.1

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain MOC 6425

6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

NTDS.DIT Forensics. Csaba Barta December 2011

How the Active Directory Installation Wizard Works

Advanced Configuration Steps

Avatier Identity Management Suite

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Understanding and Configuring Password Manager for Maximum Benefits

Microsoft. Jump Start. M11: Implementing Active Directory Domain Services

How to monitor AD security with MOM

Managing Users and Identity Stores

Integrating LANGuardian with Active Directory

Step by Step Guide to Deploy Microsoft LAPS

EPM Performance Suite Profitability Administration & Security Guide

QAD Enterprise Applications. Training Guide Demand Management 6.1 Technical Training

R4: Configuring Windows Server 2008 Active Directory

Table of Contents Introduction... 2 Azure ADSync Requirements/Prerequisites:... 2 Software Requirements... 2 Hardware Requirements...

Course 6425C: Five days

NetIQ Advanced Authentication Framework. Maintenance Guide. Version 5.1.0

Table of Contents WELCOME TO ADAUDIT PLUS Release Notes... 4 Contact ZOHO Corp... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED...

P-Synch by M-Tech Information Technology, Inc. ID-Synch by M-Tech Information Technology, Inc.

Module 4. Managing Groups. Contents: Lesson 1: Overview of Groups 4-3. Lesson 2: Administer Groups Lab A: Administer Groups 4-36

Security Explorer 9.5. User Guide

LT Auditor Windows Assessment SP1 Installation & Configuration Guide

Setup and configuration for Intelicode. SQL Server Express

Windows Logging Configuration: Audit Policy Configuration

Designing a Windows Server 2008 Active Directory Infrastructure and Services

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

Windows Server 2003 Logon Scripts Paul Flynn

Central Security Server

qliqdirect Active Directory Guide

Active Directory Disaster Recovery Workshop. Lab Manual Revision 1.7

Active Directory Friday: All Articles. Jaap Brasser

Installing Samsung SDS CellWe EMM cloud connectors and administrator consoles

How To Set Up An Openfire With Libap On A Cdd (Dns) On A Pc Or Mac Or Ipad (Dnt) On An Ipad Or Ipa (Dn) On Your Pc Or Ipo (D

Dell Recovery Manager for Active Directory 8.6.0

User Management Guide

Using LDAP Authentication in a PowerCenter Domain

Content Filtering Client Policy & Reporting Administrator s Guide

Table of Contents SQL Server Option

Modular Messaging. Release 3.0 / 3.1. Diminished Permissions for Exchange.

Configuring Sponsor Authentication

Active Directory Change Notifier Quick Start Guide

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

RSA Authentication Manager 7.1 Basic Exercises

Enterprise Self Service Quick start Guide

Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Backing Up and Restoring Data

Service Desk R11.2 Upgrade Procedure - Resetting USD passwords and unlocking accounts in etrust Web Admin

PriveonLabs Research. Cisco Security Agent Protection Series:

Installation Guide: Migrating Report~Pro v18

JiJi Active Directory Reports JiJi Active Directory Reports User Manual

What s New Guide. Active Administrator 6.0

ITCertMaster. Safe, simple and fast. 100% Pass guarantee! IT Certification Guaranteed, The Easy Way!

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) (

VMware Identity Manager Administration

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

NetIQ Advanced Authentication Framework - Client. User's Guide. Version 5.1.0

Installing, Configuring, and Managing a Microsoft Active Directory

Lepide Active Directory Self Service. Configuration Guide. Follow the simple steps given in this document to start working with

About Recovery Manager for Active

Pass-the-Hash II: Admin s Revenge. Skip Duckwall & Chris Campbell

70-412: Configuring Advanced Windows Server 2012 Services

Requirements & Install. Module 2 Single Engine Installation

Active Directory Forest Recovery

Windows.NET Beta 3 Active Directory New Features

Windows Server 2012 / Windows 8 Audit Fundamentals

Installation Guide. Novell Storage Manager for Active Directory. Novell Storage Manager for Active Directory Installation Guide

Troubleshooting Active Directory Server

Administrators Help Manual

WatchDox Administrator's Guide. Application Version 3.7.5

How To Install Powerpoint 6 On A Windows Server With A Powerpoint 2.5 (Powerpoint) And Powerpoint On A Microsoft Powerpoint 4.5 Powerpoint (Powerpoints) And A Powerpoints 2

Dell InTrust 11.0 Best Practices Report Pack

Virto Password Reset Web Part for SharePoint. Release Installation and User Guide

Transcription:

ACTIVE DIRECTORY BACKDOORS: Myth or Reality BTA: an open source framework to analyse AD Workshop Joffrey Czarny, Xavier Mehrenberger Airbus Group Innovations Univershell 4 2016-03-24

Summary 1 Intro Context Some backdoors Needs 2 BTA Introduction Backdoors Hunting 3 BTA in practice 4 Feedback Univershell 4 2016-03-24 2

Summary 1 Intro Context Some backdoors Needs 2 BTA Introduction Backdoors Hunting 3 BTA in practice 4 Feedback Univershell 4 2016-03-24 3

Context Active Directory Manage authentication and authorization for users and computers Security policies Baseline = Corner stone for Microsoft information system = Target of choice for intruder = Pain to secure... Auditors, Incident handlers, Admins need to audit Active Directory Find bad practices (admins are sometimes lazy?) Hunting (Searching for a needle in a haystack!) Incident response (what has changed in timeframe?) Univershell 4 2016-03-24 4

Two case study Now, let s start hunting. I ll show you two backdoors, and we ll try to find them. Backdoor 1 - Domain Admins members Administrator: "It seems someone can manipulate Domain Admins group and users!" Backdoor 2 - AdminSDHolder Administrator: "I removed some permissions but they came back!" Univershell 4 2016-03-24 5

Backdoor 1 description - Domain Admins members Who is (or could become) Domain admin? Can I justify membership for every one of them? Who has permission on this group? Who can add members? Who manage members? Who has permission on these members? Who can reset their passwords? Can I know when a member has been removed? Let s try to find it using Microsoft-provided tools : AD explorer Univershell 4 2016-03-24 6

AD explorer

Members of Domain Admins

User properties

Backdoor 1 (Domain Admins members) hunting using AD Explorer: results Problems Several clicks to obtain this information with AD explorer or MS GUI tools Ok, it kind of works, but it s way too complicated. Moreover not all information is obtained. Let s try using powershell! Univershell 4 2016-03-24 12

PowerShell request for AD

Backdoor 1 - hunting using PowerShell Problems Powershell Cmdlets required, run on the host or via network, sometimes complex PS requests Univershell 4 2016-03-24 14

Backdoor 2 description: AdminSDHolder AdminSDHolder Some users / groups can be "protected" (admincount=1 attribute) AdminSDHolder is a Master Security Descriptor (list of permissions) Every 60 minutes, LSASS applies these permissions to protected users Checks: Which groups/users are protected? ACL template has been changed? Let s try to find it using Microsoft-provided tools: AD explorer & Powershell Univershell 4 2016-03-24 15

AdminSDHolder

Backdoor 2 (AdminSDHolder) hunting using PowerShell Univershell 4 2016-03-24 17

Backdoor 2 (AdminSDHolder) hunting using AD Explorer Problems AdminSDHolder ACEs have been changed: Raven account has been added Univershell 4 2016-03-24 18

How can I proceed? Currently Manual checks using a GUI is inefficient Powershell requires one-shot commands for each control; little re-use Online tools need admins credential over network connection Wishlist for a perfect tool Do multiple checks on several objects Easy way to identify bad practices Help to clean up regularly Find anomalies or backdoors So, we decided to develop a tool that will help us and find backdoors in AD. Univershell 4 2016-03-24 19

BTA: an open source framework to analyze Active Directory State of the project No Logo! No Press release! No fees for use! But Functional and tested in real life :) Could help you to improve your AD security! = Why? Univershell 4 2016-03-24 20

Summary 1 Intro Context Some backdoors Needs 2 BTA Introduction Backdoors Hunting 3 BTA in practice 4 Feedback Univershell 4 2016-03-24 21

BTA BTA Airbus {Group {CERT Innovations} DS CyberSecurity} Open Source (GPLv2) https://bitbucket.org/iwseclabs/bta BTA can help solve the following issues: Quick access, without filtering, to all Active Directory data Works offline Set of controls points ( exploratory tool) Determinism Periodic review of AD (reproductibility) Modularity Univershell 4 2016-03-24 22

Global view of BTA operation BTA architecture, global view extraction btaimport AD ntds.dit DB Report miners btaimport NTDS.dit Mongo + postprocessing btamanage Manage imported NTDS bases btaminer Call miners btadiff Diff between two states of imported AD Univershell 4 2016-03-24 23

Import Overview of MongoDB data: a field of datatable { "cn" : "ACS-Enable-ACS-Service", "ldapdisplayname" : "acsenableacsservice", "name" : "ACS-Enable-ACS-Service", "admindescription" : "ACS-Enable-ACS-Service", "admindisplayname" : "ACS-Enable-ACS-Service", "isvisibleinab" : 42, "objectclass" : [ 196622, 65536 ], "schemaidguid" : "7f561287-5301-11d1-a9c5-0000f80367c1", "objectguid" : "925af73d-e447-40c0-9655-b5a8603fb49f", "time_col" : ISODate("2009-02-11T18:37:08Z"), "distinguishedname" : 23, "systemflags" : 16, "attributeid" : 590594, "ntsecuritydescriptor" : 7, "cnt_col" : 1, "RDNtyp_col" : 3, "attributesyntax" : 524296, "issinglevalued" : 1, "showinadvancedviewonly" : 1, "instancetype" : 4, "DNT_col" : 23, "omsyntax" : 1, "OBJ_col" : 1, "usncreated" : 15, "recycle_time_col" : NumberLong("3038287259199220266"), "whencreated" : ISODate("2009-02-11T18:37:08Z"), "replpropertymetadata" : BinData(0,"AQAAAAAAAAATAAAAAAAAAAAAAAABAAAAC+mLCAMAAAAvmvLtKEtaQqTKmYSWdi8vDwAAAAAAAAAPAAAAAAAAAAM... "whenchanged" : ISODate("2009-02-11T18:37:08Z"), "PDNT_col" : 1811, "objectcategory" : 14, "Ancestors_col" : BinData(0,"AgAAAPsGAAD8BgAA/QYAABMHAAAXAAAA"), "NCDNT_col" : 1811, "usnchanged" : 15 } Univershell 4 2016-03-24 24

Backdoor 1: Domain Admins ListGroup miner $ btaminer -t ReST -C ::mabase ListGroup --match "Domain Admins" +----------------+---------------------+------------------------------------+---------------+ Name Deletion Flags Recursive +======================================+====================================+===============+ xavier normalaccount, dontexpirepassword srv-grp-admin svc-mcafee 2014-02-23 14:10:11 normalaccount, accountdisable svc-oracle normalaccount, dontexpirepassword Sqladmin 2014-08-15 04:45:04 normalaccount, dontexpirepassword svc-security normalaccount, accountdisable +----------------+---------------------+------------------------------------+---------------+ Results: in 10s All accounts are listed recursively Deletion information is provided by link_table with a retention of 180 days Sqladmin has been removed at a supicious time! Easier than with MS tools Univershell 4 2016-03-24 25

Backdoor 1: Domain Admins ListGroup miner $ btaminer -C::snktest -t ReST ListGroup --match "Admins du domaine" Analysis by miner [ListGroup] ============================= List of groups matching [Admins du domaine] Group Admins du domaine ----------------------- sid = S-1-5-21-1154669122-758131934-2550385761-512 guid = 8bff35e5-87ff-4d9f-b979-122adf32cdd9 dn =.intra.secu.labz.users.admins du domaine +====================+==========+===============+===========+ snorky normalaccount Administrateur normalaccount +--------------------+----------+---------------+-----------+ User snorky (S-1-5-21-1154669122-758131934-2550385761-1154) +-------------------+---------+---------------------+-----------------------+ Trustee Member ACE Type Object type +===================+=========+=====================+=======================+ Admins du domaine snorky AccessAllowedObject (none) [...] Everyone snorky AccessAllowedObject User-Change-Password Jean Dupond snorky AccessAllowedObject (none) = Self snorky AccessAllowedObject User-Change-Password Self snorky AccessAllowedObject Private-Information Admins du domaine snorky AccessAllowed (none) Administrateurs snorky AccessAllowed (none) System snorky AccessAllowed (none) Everyone snorky SystemAudit (none) Everyone snorky SystemAuditObject GP-Link Everyone snorky SystemAuditObject GP-Options +-------------------+---------+---------------------+-----------------------+

Backdoor 2: AdminSDHolder List objects protected by AdminSDHolder $ btaminer -C::snktest SDProp --list Analysis by miner: [SDProp] =========================== +------------------------------+-------+-----------------------------------------------+ cn type SID +==============================+=======+===============================================+ Account Operators Group S-1-5-32-548 Administrators Group S-1-5-32-544 Backup Operators Group S-1-5-32-551 Domain Admins Group S-1-5-21-479843640-2764029434-1057171661-512 Domain Controllers Group S-1-5-21-479843640-2764029434-1057171661-516 Print Operators Group S-1-5-32-550 Read-only Domain Controllers Group S-1-5-21-479843640-2764029434-1057171661-521 Replicator Group S-1-5-32-552 Server Operators Group S-1-5-32-549 Administrator User S-1-5-21-479843640-2764029434-1057171661-500 da5id User S-1-5-21-479843640-2764029434-1057171661-1107 Hiro Protagonist User S-1-5-21-479843640-2764029434-1057171661-1110 krbtgt User S-1-5-21-479843640-2764029434-1057171661-502 raven User S-1-5-21-479843640-2764029434-1057171661-1106 <== snorky User S-1-5-21-479843640-2764029434-1057171661-1000 +------------------------------+-------+-----------------------------------------------+

Backdoor 2: AdminSDHolder Check ACEs linked to AdminSDHolder $ btaminer -C ::snktest SDProp --checkace Analysis by miner: [SDProp] =========================== +------------------------------------+---------------------+-----------------------------------+ cn type SID +====================================+=====================+===================================+ Administrators AccessAllowed ALL Authenticated Users AccessAllowed ALL Cert Publishers AccessAllowedObject X509-Cert Domain Admins AccessAllowed ALL Enterprise Admins AccessAllowed ALL Everyone AccessAllowedObject User-Change-Password Everyone SystemAudit ALL Everyone SystemAuditObject Organizational-Unit Everyone SystemAuditObject Organizational-Unit Pre-Windows 2000 Compatible Access AccessAllowed ALL raven AccessAllowedObject Group <== Self AccessAllowedObject User-Change-Password Self AccessAllowedObject Private-Information System AccessAllowed ALL Terminal Server License Servers AccessAllowedObject Terminal-Server Terminal Server License Servers AccessAllowedObject Terminal-Server-License-Server Windows Authorization Access Group AccessAllowedObject Token-Groups-Global-And-Universal +------------------------------------+---------------------+-----------------------------------+

Summary 1 Intro Context Some backdoors Needs 2 BTA Introduction Backdoors Hunting 3 BTA in practice 4 Feedback Univershell 4 2016-03-24 29

The main stages NTDS.dit file domain controller extraction Via ntdsutil under 2008 infrastructure Via vssadmin under 2003 infrastructure Import of NTDS.dit file btaimport is responsible for importing the data into mongodb database Preprocessing of basic data and adding new collections Queries execution in base and correlation of results btaminer allows querying the data in base Check results with an Active Directory administrator Univershell 4 2016-03-24 30

Miners List of miners $ btaminer -h usage: btaminer [-h] [-C CNX] [-B mongo,ldap] [ force-consistency] [ live-output] [-t csvzip,excel,rest] [-o FILENAME] [-e ENCODING] [ ignore-version-mismatch] [ module MODULE]... positional arguments: [...] [...] Audit_UAC Audit_Schema Domains DNGrep DNTree ListACE CanCreate Miners Run all analyses on User Account Control Run all analyses on schemas Display Informations about domains DN grepper DN Tree List ACE matching criteria This miner list all user who possess the right to create or delete objects Univershell 4 2016-03-24 31

Report Example: Excel output btaminer -C ::mabase -t excel -o my_report.xlsx Audit_Full Univershell 4 2016-03-24 32

Some control points btaminer Check extended rights btaminer -C ::snktest ListACE type 00299570-246d-11d0-a768-00aa006e0529 List accounts which never logged on Active Directory btaminer -C ::snktest passwords never-logged List accounts which have not authenticated on AD since 6 months btaminer -C ::snktest passwords last-logon 182 Number of unsuccessful login attempts per account btaminer -C ::snktest passwords bad-password-count List accounts which have a specific UserAccountControl flag btaminer -C ::snktest CheckUAC check passwdcantchange Univershell 4 2016-03-24 33

SIDhistory control points Exploiting the SIDHistory attribute Modify SIDHistory attribute in order to elevate its privileges. Control the Forest from a domain via Enterprise Admin SID. Check SIDHistory attribute $ btaminer -C::snktest SIDHistory --list RESA, Micheline S-1-5-21-45967694-1012334923-556814060-21624 GAUCI, Sandro S-1-5-21-45967694-1012334923-556814060-16537 VIGNON, Georgette S-1-5-21-45967694-1012334923-556814060-4438 ABOUHALI, Mouad S-1-5-21-45967694-1012334923-556814060-4733 BIONDI, Philippe S-1-5-21-45967694-1012334923-556814060-2139 Sqladmin S-1-5-21-9778442445-3353794244-6340767225-519 <=== RIGO, Raphael S-1-5-21-45967694-1012334923-556814060-4981

Control extended rights ListACE miner Objectives List users which have specific extended rights: User-Force-Change-Password (type 00299570-246d-11d0-a768-00aa006e0529) Self-Membership (type bf9679c0-0de6-11d0-a285-00aa003049e2)... btaminer ListACE $ btaminer -C::snktest -t ReST ListACE \ --type 00299570-246d-11d0-a768-00aa006e0529 Analysis by miner [ListACE] =========================== +-------------+----------------+----------------------------+ Trustee Subjects Object type +=============+================+============================+ jean dupond Administrateur User-Force-Change-Password +-------------+----------------+----------------------------+ Univershell 4 2016-03-24 35

Miners miner: passwords $ btaminer -t ReST -C ::mabase passwords --never-logged Analysis by miner: [passwords] ============================== +-------------------//-------------+----------------------//---------------+----------------------+ name \\ \\ useraccountcontrol +===================//=============+======================//===============+======================+ guest \\ GUEST of labz (s-1-5-\\ accountdisable:true intru // intru (s-1-5-21-11546// accountdisable:false krbtgt \\ KRBTGT of labz (s-1-5\\ accountdisable:true SystemMailbox{1f05//7} SystemMailbox{1f05a92//121) accountdisable:true SystemMailbox{e0dc\\9} SystemMailbox{e0dc1c2\\122) accountdisable:true DiscoverySearchMai//E09334BB852} DiscoverySearchMailbo//50385761-1123) accountdisable:true FederatedEmail.4c1\\42 FederatedEmail.4c1f4d\\125) accountdisable:true auditor // auditor (s-1-5-21-115// accountdisable:false +-------------------\\-------------+----------------------\\---------------+----------------------+ Univershell 4 2016-03-24 36

Check collected informations Exchange with Active Directory teams Active Directory system is lively daily changes Review elements with AD administrators could explain some bad practices Univershell 4 2016-03-24 37

Differential between two instances of AD Differential with btadiff Allows to compare AD at two points in time = Allows to monitor an objet in time = Allows to check suspicious changes $ btadiff --CA ::clean --CB ::backdoor1 --ignore-defaults =============== Starting diffing sd_table --------------- AB, 101: [] *sd_refcount[ 14 => 15 ] AB, 108: [] *sd_refcount[ 39 => 41 ] A, 229: [] A, 372: [] AB, 423: [] *sd_refcount[ 3 => 2 ] B, 424: [] B, 425: [] B, 428: [] --------------- Table [sd_table]: 160 records checked, 2 disappeared, 3 appeared, 3 changed Univershell =============== 4 2016-03-24 38

Differential between two instances of AD datatable =============== Starting diffing datatable --------------- AB, 3586: [DC001] *logoncount[ 116 => 117 ], *lastlogon[ datetime.datetime(20 => datetime.datetime(20 ] AB, 3639: [RID Set] *ridnextrid[ 1153 => 1154 ] AB, 8784: [A:[gc]/B:[gc DEL:346bf199-8567-4375-ac15-79ec4b42b270]] -showinadvancedviewonly, -objectcategory, +lastknownparent, +isrecycled, +isdeleted, *name["u gc "=>"u gc\\ndel:346bf199-8"], *dc["u gc "=>"u gc\\ndel:346bf199-8"] AB, 8785: [A:[DomainDnsZones]/B:[DomainDnsZones DEL:58b2962b-708c-4c93-99ff-0b7e163131f9]] -showinadvancedviewonly, -objectcategory, +lastknownparent, +isrecycled, +isdeleted, *name["u DomainDnsZones "=>"u DomainDnsZones\\nDE"], *dc["u DomainDnsZones "=>"u DomainDnsZones\\nDE"] AB, 8786: [A:[ForestDnsZones]/B:[ForestDnsZones DEL:87f7d8a2-4d05-48d0-8283-9ab084584470]] -showinadvancedviewonly, -objectcategory, +lastknownparent, +isrecycled, +isdeleted, *name["u ForestDnsZones "=>"u ForestDnsZones\\nDE"], *dc["u ForestDnsZones "=>"u ForestDnsZones\\nDE"] B, 8789: [snorky insomnihack] B, 8790: [gc] B, 8791: [DomainDnsZones] B, 8792: [ForestDnsZones] --------------- Table [datatable]: 7636 records checked, 0 disappeared, 4 appeared, 5 changed ===============

Summary 1 Intro Context Some backdoors Needs 2 BTA Introduction Backdoors Hunting 3 BTA in practice 4 Feedback Univershell 4 2016-03-24 40

Hardware requirements Computer for analysis it could be run on a good laptop Xeon 3GHz 4 cores 12GB RAM SSD drive Import performance 8 GB NTDS base (831121 Objects / 76778 ACEs) Imported in MongoDB: 26 GB 8h30 Analysis performance Generally negligible time analysis Univershell 4 2016-03-24 41

Problems encountered in real life NTDS.dit import Bad extraction of NTDS.dit file Extraction methodology provided not followed by administrators Consistency of objects Objects always referenced in an ACE but not anymore present in AD Migrating a French language environment to English Univershell 4 2016-03-24 42

Audit results Feedback from the field After receiving the NTDS.dit file, the auditor is autonomous - little interaction is required Once the NTDS.dit file has been provided Organizations work in different ways; the auditor has to adapt to each AD s peculiarities Unable to prejudge the rightness/legitimacy of assigned rights in AD = it is important to check information with administrators Univershell 4 2016-03-24 43

Audit results Common results between different audits Often bad practices Too many generic admin accounts Many accounts whose password never expires... Lack of homogeneity on creation templates, e.g.: user... Active accounts that have never been used Univershell 4 2016-03-24 44

Conclusion BTA Provides in time constrained deterministic results Helps to cleanup AD bad practices Allow a recurring audit reproducibility comparing results of 2 audits Next developments LDAP acces Unit tests on miners Improved differential analysis Univershell 4 2016-03-24 45

Thanks for your attention Questions???? Don t forget it is open source https://bitbucket.org/iwseclabs/bta Greetings Joachim Metz for the awesome Libesedb Of course Philippe Biondi for lots of things Xavier & Raphael for their reviews My Wife and my kids :) Univershell 4 2016-03-24 46

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information