2. WhoAmI
• InfoSec Researcher; H@כk3r (1nTh35h311)
• Red mind, Blue heart
• Co-Founder @
• Consulting in 4 continents (Banks/gov/F100)
• 30+ years of keyboard access – Code, IT Sec, Net Comms.
• ~25 years of AD expertise; Ex-Javelin Networks (Acquired by Symantec)
• Ex-Technology Group Manager @ Microsoft (Coded Windows Server Tools)
• Aviator; Volunteer (Youth at risk); Oriental Rock Bouzoukitarist
3. ChatGPT was not used in the making of this presentation, code & content
6. What we'll talk about
• 'Hacktive Directory' 101
• Sources of "Truth" in AD
• A set of tools for pre, during and post AD breach
• Attributes of interest: Blue Team tips
8. Why hack AD? Why is AD so 'hackable'?
• A bit like what happened with TCP/IP…
– Great success, super popular
– …yet its architecture & design goals are very far from the modern landscape and threats
• Involved in nearly every huge breach (as well as smaller ones ☺)
– Lion (2020), NTT (2020), Baltimore (2019), Norsk Hydro (2019), SingHealth (2018), Maersk (2017), Sony (2014), Target (2013), many others…
• "The Microsoft Mainframe" – it's not going away!
• Compromising your AD means GAME OVER.
10. Windows/AD 101
• AuthN protocols (NTLM, Kerberos, LDAP/S) and "secrets" (hashes/NTLM, tickets, caching, certificates…)
• Logon vs. authentication (local vs. domain, logon types…)
• Security principals (users, computers, groups)
• Authorization / ACLs – going beyond group membership(s)
– e.g. direct SID assignment, object access types, etc.
• Processes, threads, handles, access tokens, logon sessions, etc.
15.
Protocol and Port | AD and AD DS Usage | Type of traffic
TCP 25 | Replication | SMTP
TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS
TCP 135 | Replication | RPC, EPM
TCP 137 | NetBIOS name resolution | NetBIOS name resolution
TCP 139 | User and computer authentication, replication | DFSN, NetBIOS Session Service, NetLogon
TCP and UDP 389 | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP
TCP 636 | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP SSL
TCP 3268 | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP GC
TCP 3269 | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP GC SSL
TCP and UDP 88 | User and computer authentication, forest level trusts | Kerberos
TCP and UDP 53 | User and computer authentication, name resolution, trusts | DNS
TCP and UDP 445 | Replication, user and computer authentication, Group Policy, trusts | SMBv1/2/3, CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 9389 | AD DS Web Services | SOAP
TCP 5722 | File replication | RPC, DFSR (SYSVOL)
TCP and UDP 464 | Replication, user and computer authentication, trusts | Kerberos change/set password
UDP 123 | Windows Time, trusts | Windows Time
UDP 137 | User and computer authentication | NetLogon, NetBIOS name resolution
UDP 138 | DFS, Group Policy, NetBIOS NetLogon, browsing | DFSN, NetLogon, NetBIOS Datagram Service
UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service, but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE
TCP and UDP 1024-5000; 49152-65535 | Ongoing (RPC etc.) | RPC / DCOM / WMI…
TCP 593 | DCOM/Messaging/Exchange | RPC over HTTP
16. "Confusing" architectural recommendations
• 90's (the NT4 days): the more domains, the better!
• NT4 to NT5 (Windows 2000) -> your opportunity to consolidate domains!
• The domain is NOT a security boundary! -> separate into forests, with trusts.
• Trusts are bad as well (one-/bi-directional, FPs (foreign security principals), SID filtering, sIDHistory…)
• ESAE, aka "Red Forest" (costly! & doesn't play well with cloud) *
• Admin Tier Model
• Forget the costly & complex "Red Forest" -> Privileged Access
* Still useful for isolated environments, e.g., offline R&D or disconnected OT/SCADA environments
18. HacKtive Directory: Sources of "Truth"
• SYSVOL/files vs. ETW/event logs vs. pcap/"hooks"
• Possible scenarios –
– No logs (not collected / not enough retention / wiped by ransomware)
– No online DCs (encrypted/offline VMs -> just backups…)
• Still, we want to know who did what & when
• NTDS.dit
• replPropertyMetaData
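The replication metadata the slide points at is reachable without any event log and without the ActiveDirectory module: every object exposes it through the constructed LDAP attributes msDS-ReplAttributeMetaData (per attribute) and msDS-ReplValueMetaData (per linked value, e.g. group members, which keeps removed values with their deletion time). The following is an added example written for this page, not one of the talk's scripts. It assumes a domain-joined session with read access to the object; the DC name, the account names and the group name in the usage lines are placeholders.

```powershell
# Added example (not from the talk): "who changed what, and when" from AD's own replication
# metadata, over LDAP only. No AD module, no event logs needed; works as long as one DC answers.
function Get-ReplMetadataOverLdap {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,   # user, computer or group
        [string]$Server                                   # optional DC; default = serverless bind
    )
    $prefix    = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $defaultNC = ([adsi]($prefix + 'RootDSE')).defaultNamingContext
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher([adsi]($prefix + $defaultNC))
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    # Constructed attributes are only returned when requested explicitly
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'distinguishedName', 'msDS-ReplAttributeMetaData', 'msDS-ReplValueMetaData'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "No object with sAMAccountName '$SamAccountName'" }

    # The originating DSA DN is "CN=NTDS Settings,CN=<DC>,CN=Servers,..."; the DC name is the 2nd RDN.
    # It is empty when the originating DC has since been demoted/removed.
    function DcFromDsaDn([string]$dsaDn) {
        if ($dsaDn) { ($dsaDn -split ',')[1] -replace '^CN=' } else { '<unknown/retired DC>' }
    }

    # Per-attribute metadata: write counter (version), last originating change time and DC
    $attributes = foreach ($xml in $result.Properties['msds-replattributemetadata']) {
        $m = ([xml]$xml).DS_REPL_ATTR_META_DATA
        [pscustomobject]@{
            Attribute     = $m.pszAttributeName
            Version       = [int]$m.dwVersion
            LastChangeUTC = [datetime]$m.ftimeLastOriginatingChange
            OriginatingDC = DcFromDsaDn $m.pszLastOriginatingDsaDN
            OrigUSN       = [long]$m.usnOriginatingChange
        }
    }
    # Linked-value metadata: removed values stay listed with ftimeDeleted set (1601-01-01 = not deleted),
    # so a member pulled out of a group is still visible here after the fact
    $links = foreach ($xml in $result.Properties['msds-replvaluemetadata']) {
        $m = ([xml]$xml).DS_REPL_VALUE_META_DATA
        $deleted = [datetime]$m.ftimeDeleted
        [pscustomobject]@{
            Attribute     = $m.pszAttributeName
            Value         = $m.pszObjectDn
            Added         = [datetime]$m.ftimeCreated
            Removed       = if ($deleted.Year -gt 1601) { $deleted } else { $null }
            LastChangeUTC = [datetime]$m.ftimeLastOriginatingChange
            OriginatingDC = DcFromDsaDn $m.pszLastOriginatingDsaDN
        }
    }
    [pscustomobject]@{
        DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        Attributes        = @($attributes | Sort-Object LastChangeUTC -Descending)
        LinkedValues      = @($links      | Sort-Object LastChangeUTC -Descending)
    }
}

# Usage (placeholder names): latest attribute writes on a user, and membership history of a group
$u = Get-ReplMetadataOverLdap -SamAccountName 'jdoe'
$u.Attributes | Select-Object -First 10 | Format-Table -AutoSize
$g = Get-ReplMetadataOverLdap -SamAccountName 'Domain Admins'
$g.LinkedValues | Where-Object Attribute -eq 'member' |
    Format-Table Value, Added, Removed, OriginatingDC -AutoSize
```

The same call against `krbtgt` shows the `unicodePwd` row with its version counter and last change time, which is a log-independent way to confirm when (and how many times) the krbtgt password was actually reset. Note that the metadata records the DC that originated a change, not the user who made it; for the "who", this has to be correlated with whatever logs survive.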
26. Get-LDAPperformance
Identifying unusual and/or large LDAP queries
• Collects LDAP Query Performance events and analyzes them to CSV & grid (relies on event ID 1644)
• Helps in identifying large or unusual LDAP queries, either for threat hunting or IT optimization
• No dependencies, no modules required. Requires 'Event Log Readers' permission or equivalent (for the 'Directory Service' log)
• Some prerequisites are needed on the AD side: enable the relevant diagnostic logging level and set the threshold registry keys
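Event 1644 is not emitted by default; the DC has to be told to log expensive, inefficient or slow searches. The following is an added example for this page (not the talk's Get-LDAPperformance script): it sets the prerequisites on a DC and then summarizes the resulting events per client. It assumes it runs on (or against) a DC with administrative rights; the threshold values are illustrative choices, and the field labels it parses ("Client:", "Visited entries:", "Search time (ms):") follow the rendered 1644 message text on current server versions, which is an assumption to verify against one event on your own DCs.

```powershell
# Added example: enable 1644 logging and aggregate the events by client (not the talk's tool)
$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Level 5 on the "15 Field Engineering" diagnostics counter is what makes the DC emit 1644
Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord
# A search is logged when it crosses ANY of these thresholds (values here are illustrative)
Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold'   -Value 10000 -Type DWord
Set-ItemProperty -Path $params -Name 'Inefficient Search Results Threshold' -Value 1000  -Type DWord
Set-ItemProperty -Path $params -Name 'Search Time Threshold (msecs)'        -Value 100   -Type DWord

function Get-ExpensiveLdapSummary {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)

    # Tolerant numeric parse: the message may carry thousands separators or be missing a field
    function ToInt([string]$s) {
        if ($s -match '^\D*([\d,]+)') { [int]($matches[1] -replace ',') } else { $null }
    }

    $filter = @{ LogName = 'Directory Service'; Id = 1644; StartTime = (Get-Date).AddHours(-$Hours) }
    # Parsed from the rendered message ("Label: value" lines) rather than by data-field position,
    # because the positional layout differs between OS versions (assumption: labels as below)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = @{}
            foreach ($line in ($_.Message -split "`r?`n")) {
                if ($line -match '^\s*([^:]+):\s*(.*)$') { $f[$matches[1].Trim()] = $matches[2].Trim() }
            }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Client   = ($f['Client'] -replace ':\d+$')    # "ip:port" -> ip, to aggregate per host
                User     = $f['User']
                Base     = $f['Starting node']
                Filter   = $f['Filter']
                Visited  = ToInt $f['Visited entries']
                Returned = ToInt $f['Returned entries']
                TimeMs   = ToInt $f['Search time (ms)']
            }
        }
}

# Who is hammering the DC? Many visited entries with few returned = broad or unindexed filter
$events = Get-ExpensiveLdapSummary -Hours 24
$events | Group-Object Client | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
$events | Sort-Object Visited -Descending |
    Select-Object -First 10 Time, Client, User, Visited, Returned, TimeMs, Filter |
    Format-Table -AutoSize -Wrap
```

For hunting, the interesting rows are the ones with a non-server client address and a wide base (the domain root) with a broad filter, visiting far more entries than it returns; BloodHound-style collection looks exactly like that. The "User:" field is only present on newer DCs, so expect it to be empty on older ones.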
31. Golden Ticket = Game Over
• krbtgt password hash compromise -> privileged persistence via offline TGT forging
• The krbtgt hash can be obtained in several ways:
– Unauthorized AD replication (DCSync/DCShadow)
– Copy of the AD database or a backup (NTDS.dit + SYSTEM registry hive)
– Stolen from LSASS/DC memory (any RW DC, not an RODC)
• The attack can be carried out in multiple ways & with multiple tools (e.g. mimikatz, using the AES-256 key and a default 10-hour lifetime to blend in, etc.)
32. Invoke-PostKrbtgtResetMonitor
• Centralized detection of Golden Tickets via anomalous Kerberos ticket detection AFTER resetting the krbtgt password TWICE
• No dependencies/modules. Requires 'Event Log Readers' or equivalent
34. GoldFinger
• Collects, analyzes & hunts for suspicious TGTs
• Detects suspicious TGTs on domain endpoints in real time
– Potential Pass-the-Hash
– Potential Golden Ticket
• No agent – works with WinRM or SMB (PAExec)
• No dependencies, no external modules (just a .ps1)
• Research done to handle multiple anomalies:
– Logon session user != ticket client name <strong indication>
– Ticket lifetime != expected lifetime <default 10 hours>
– Ticket renewal length != expected renewal length <default 7 days>
– KDC called is empty, and DNSHostName differs from the current computer name
– Encryption type != aes256_cts_hmac_sha1_96 <RC4 is common for inter-forest/domain tickets>
– Encoded ticket size
– Session logon type is CachedInteractive <some potential for false positives>, etc.
35. GoldFinger (cont.)
• Requires local admin permissions on endpoints
• Supports running against different domains
• Supports running on the entire domain (default), or just specific computer(s), or excluding specific computer(s)
• Can optionally enable PSRemoting (and try to start WinRM on endpoints)
• Fixes clock skew issues while at it
• … and more ☺
• Collector script heavily based on work by Jared Atkinson (@jaredcatkinson) & Matthew Graeber (@mattifestation)
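The anomaly rules from the previous slide can be tried by hand on a single host before rolling out a collector. The following is an added example written for this page (it is not GoldFinger's code, which reads tickets from LSA directly): it parses the text output of `klist`, keeps the TGTs, and applies the client-name, lifetime, renewal, encryption-type and "KDC called" rules. The embedded klist output is constructed for the example; replace it with live `klist` output (or `klist -li <LogonId>` as admin, per session) for real use. Account, realm and DC names are placeholders.

```powershell
# Added example (not GoldFinger's code): apply the slide's TGT anomaly rules to klist output
function ConvertFrom-KlistOutput {
    param([Parameter(Mandatory)][string]$Text)
    $tickets = @(); $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^#\d+>\s+Client:\s*(.*)$') {          # "#0>  Client: ..." opens a ticket
            if ($current) { $tickets += $current }
            $current = [ordered]@{ Client = $matches[1].Trim() }
        } elseif ($current -and $line -match '^\s*([A-Za-z ]+?):\s*(.*)$') {
            $current[$matches[1].Trim()] = $matches[2].Trim()   # "Label: value" lines; empty value kept
        }
    }
    if ($current) { $tickets += $current }
    $tickets | ForEach-Object { [pscustomobject]$_ }
}

function ConvertTo-KlistTime([string]$s) {
    # klist prints local time in the machine's culture; try that first, then invariant (M/d/yyyy)
    $s = $s -replace '\s*\(local\)\s*$'
    foreach ($c in @([Globalization.CultureInfo]::CurrentCulture, [Globalization.CultureInfo]::InvariantCulture)) {
        try { return [datetime]::Parse($s, $c) } catch { }
    }
    return $null
}

function Test-TgtAnomalies {
    param(
        [Parameter(Mandatory)][string]$KlistText,
        [string]$SessionUser = $env:USERNAME,                  # who is actually logged on
        [timespan]$ExpectedLifetime = (New-TimeSpan -Hours 10), # domain defaults; adjust per policy
        [timespan]$ExpectedRenewal  = (New-TimeSpan -Days 7)
    )
    ConvertFrom-KlistOutput -Text $KlistText |
        Where-Object { $_.Server -like 'krbtgt/*' } |            # TGTs only
        ForEach-Object {
            $t = $_; $flags = @()
            $clientUser = ($t.Client -split '@')[0].Trim()
            $start = ConvertTo-KlistTime $t.'Start Time'
            $end   = ConvertTo-KlistTime $t.'End Time'
            $renew = ConvertTo-KlistTime $t.'Renew Time'
            if ($clientUser -ne $SessionUser) { $flags += "client '$clientUser' != session user '$SessionUser' (strong)" }
            if ($start -and $end   -and ($end - $start)   -ne $ExpectedLifetime) { $flags += "lifetime $($end - $start) != $ExpectedLifetime" }
            if ($start -and $renew -and ($renew - $start) -ne $ExpectedRenewal)  { $flags += "renewal $($renew - $start) != $ExpectedRenewal" }
            if ($t.'KerbTicket Encryption Type' -notmatch 'AES-256') { $flags += "encryption type '$($t.'KerbTicket Encryption Type')'" }
            if (-not $t.'Kdc Called') { $flags += 'no KDC called (ticket was injected, not requested)' }
            [pscustomobject]@{ Client = $t.Client; Server = $t.Server; Suspicious = ($flags.Count -gt 0); Reasons = ($flags -join '; ') }
        }
}

# Constructed sample: a normal TGT for the logged-on user, and an injected RC4 ticket with a
# 10-day lifetime for a different account (the classic forged-ticket shape)
$sample = @'
Current LogonId is 0:0x3e7a2

Cached Tickets: (2)

#0>     Client: jdoe @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 5/17/2023 9:12:01 (local)
        End Time:   5/17/2023 19:12:01 (local)
        Renew Time: 5/24/2023 9:12:01 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.corp.local

#1>     Client: Administrator @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/17/2023 9:30:00 (local)
        End Time:   5/27/2023 9:30:00 (local)
        Renew Time: 5/27/2023 9:30:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
'@
Test-TgtAnomalies -KlistText $sample -SessionUser 'jdoe' | Format-Table -AutoSize -Wrap
# Live, for the current session:  Test-TgtAnomalies -KlistText (klist | Out-String)
```

The second ticket trips every rule: the client is not the session user, lifetime and renewal are both 10 days, the ticket is RC4 and no KDC was ever contacted. Expect benign hits on the encryption-type rule for cross-forest tickets, as the slide notes, and on the lifetime rule when a DST change falls inside the ticket's validity, because klist prints local time.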
39. Invoke-TgsMonitor
• Monitor TGS requests (all, or just failed ones, with error code reasons)
• Useful during a live IR without another central threat hunting/log solution, or in general to monitor access & failure reasons
• No dependencies, no modules
• Can also generate a 'real-time monitor' with a table containing the TGS events for a specific user or computer, or status/category:
while ($true) { $x = Get-Content .\TGSMonitor.csv | ConvertFrom-Csv; Clear-Host; $x | Where-Object account -like "*yossis*" | Format-Table -AutoSize; Start-Sleep 1 }
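Both the post-krbtgt-reset monitoring (slide 32) and the TGS monitoring here come down to the same raw material: event 4769 on the DCs, with its Status (failure code) and TicketEncryptionType fields. The following is an added example for this page, not the code of Invoke-TgsMonitor or Invoke-PostKrbtgtResetMonitor: it parses 4769 event XML, decodes the Kerberos result code from the RFC 4120 / MS-KILE tables (a subset), and summarizes failures per account and source. Two constructed sample events are embedded so the parser runs offline; `Get-TgsEvents` queries a live DC (DC name, accounts and addresses are placeholders). Which specific code a ticket forged with a pre-reset krbtgt key produces is not stated on the page, so after a double reset, review every non-zero code rather than filtering for one.

```powershell
# Added example (not the talk's tools): decode and summarize 4769 TGS request events
$KerberosStatus = @{
    '0x0'  = 'Success'
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found)'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN (service/SPN not found)'
    '0xc'  = 'KDC_ERR_POLICY (logon hours / workstation restriction)'
    '0xe'  = 'KDC_ERR_ETYPE_NOSUPP (no common encryption type)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled / expired / locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password)'
    '0x1b' = 'KDC_ERR_MUST_USE_USER2USER'
    '0x1f' = 'KRB_AP_ERR_BAD_INTEGRITY (decrypted ticket failed integrity check)'
    '0x20' = 'KRB_AP_ERR_TKT_EXPIRED'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
    '0x29' = 'KRB_AP_ERR_MODIFIED (message stream modified)'
    '0x34' = 'KRB_ERR_RESPONSE_TOO_BIG'
}
$EncTypes = @{ '0x1' = 'DES-CBC-CRC'; '0x3' = 'DES-CBC-MD5'; '0x11' = 'AES128-CTS-HMAC-SHA1-96'
               '0x12' = 'AES256-CTS-HMAC-SHA1-96'; '0x17' = 'RC4-HMAC'; '0x18' = 'RC4-HMAC-EXP'
               '0xffffffff' = '(failure, no ticket issued)' }

function Decode([hashtable]$Table, [string]$Code) {
    $k = $Code.ToLower()
    if ($Table.ContainsKey($k)) { "$k $($Table[$k])" } else { "$k (not in table)" }
}

function ConvertFrom-TgsEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $e = [xml]$Xml
        $d = @{}
        # EventData is a list of <Data Name="...">value</Data>; GetAttribute avoids the clash with XmlNode.Name
        foreach ($n in $e.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        [pscustomobject]@{
            Time     = [datetime]$e.Event.System.TimeCreated.SystemTime
            DC       = $e.Event.System.Computer
            Account  = $d['TargetUserName']
            Service  = $d['ServiceName']
            ClientIP = ($d['IpAddress'] -replace '^::ffff:')          # strip IPv4-mapped prefix
            EncType  = Decode $EncTypes $d['TicketEncryptionType']
            Status   = $d['Status'].ToLower()
            Reason   = Decode $KerberosStatus $d['Status']
            Failed   = ($d['Status'] -ne '0x0')
        }
    }
}

function Get-TgsEvents {
    param([Parameter(Mandatory)][string]$DomainController, [int]$Hours = 1, [switch]$FailedOnly)
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } | ConvertFrom-TgsEventXml |
        Where-Object { -not $FailedOnly -or $_.Failed }
}

# Constructed sample events: one successful AES256 TGS, one failed request (failed 4769s carry
# ServiceSid S-1-0-0 and encryption type 0xffffffff)
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$samples = @(
  "<Event xmlns='$ns'><System><EventID>4769</EventID><TimeCreated SystemTime='2023-05-17T09:12:01.000Z'/><Computer>DC01.corp.local</Computer></System><EventData><Data Name='TargetUserName'>jdoe@CORP.LOCAL</Data><Data Name='TargetDomainName'>CORP.LOCAL</Data><Data Name='ServiceName'>cifs/FS01.corp.local</Data><Data Name='ServiceSid'>S-1-5-21-1-2-3-1105</Data><Data Name='TicketOptions'>0x40810000</Data><Data Name='TicketEncryptionType'>0x12</Data><Data Name='IpAddress'>::ffff:10.0.0.25</Data><Data Name='IpPort'>51234</Data><Data Name='Status'>0x0</Data></EventData></Event>",
  "<Event xmlns='$ns'><System><EventID>4769</EventID><TimeCreated SystemTime='2023-05-17T09:13:40.000Z'/><Computer>DC01.corp.local</Computer></System><EventData><Data Name='TargetUserName'>Administrator@CORP.LOCAL</Data><Data Name='TargetDomainName'>CORP.LOCAL</Data><Data Name='ServiceName'>cifs/DC01.corp.local</Data><Data Name='ServiceSid'>S-1-0-0</Data><Data Name='TicketOptions'>0x40810000</Data><Data Name='TicketEncryptionType'>0xffffffff</Data><Data Name='IpAddress'>::ffff:10.0.0.77</Data><Data Name='IpPort'>49911</Data><Data Name='Status'>0x1f</Data></EventData></Event>"
)
$samples | ConvertFrom-TgsEventXml | Where-Object Failed |
    Format-Table Time, Account, Service, ClientIP, Status, Reason -AutoSize -Wrap

# Live: failures in the last hour, grouped the way the slide's monitor table groups them
# Get-TgsEvents -DomainController 'DC01' -Hours 1 -FailedOnly |
#     Group-Object Account, Reason | Sort-Object Count -Descending | Select-Object Count, Name
```

The parsed objects are what the slide's CSV-based monitor loop consumes; replacing `Get-Content` with `Get-TgsEvents` in that loop gives the same "refresh every second" view without the intermediate file. On a domain where AES is the norm, successful 4769s with encryption type 0x17 (RC4) for a service on a Windows host are worth a second look as well, even though their Status is 0x0.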
45. “Small step for IT, Giant step against Lateral Movement”
• No EDR
• No segmentation
• No firewall configuration
• No MFA
• All the misconfigurations you can think of …
• No proper auditing/SIEM/SOC
… and yet ☺
47. TimeLineGenerator
• AD account timeline generator - parse DC security logs &
export activity timeline
• Can run directly on Domain Controllers (Live, through
WinRM), OR - specify Path to Evtx files
• Can run a Full/Longer report, or a Focused/Quicker one, with a
select set of events to filter. Default: "Focused-Quicker"
• Can set the Max Events to fetch Per DC (limit to the last X
events from the log, for performance). Default: gets all events
51. Key Takeaways
• ‘Hacktive Directory’ is here to stay! In-depth knowledge is key
• Invest in a "living off the land" mindset – a simple configuration can go further than a few expensive vendor products ☺
• Understand the Sources of "Truth" in AD
• ‘Hacktive Directory’ forensics are a part of a wider picture
– Event correlation & Threat hunting with high-fidelity alerts
• Practice a Before, During & After approach
• Check out hacktivedirectory.com or github.com/YossiSassi for
code & scripts - Comments and improvements are welcome!