hAcktive Directory Forensics:
a toolkit for understanding who|what|when in your domain
Yossi Sassi
WhoAmI
• InfoSec Researcher; H@‫כ‬k3r (1nTh35h311)
• Red mind, Blue heart
• Co-Founder @
• Consulting in 4 continents (Banks/gov/F100)
• 30+ years of keyboard access – Code, IT Sec, Net Comms.
• ~25 years of AD expertise; Ex-Javelin Networks (Acquired by Symantec)
• Ex-Technology Group Manager @ Microsoft (Coded Windows Server Tools)
• Aviator; Volunteer (Youth at risk); Oriental Rock Bouzoukitarist
ChatGPT was Not used in the making of this presentation, code & content
[Screenshots of ChatGPT answers, captioned: “Incorrect”; “2nd attempt, after feedback: again, still – Incorrect”]
What we’ll talk about
• ‘Hacktive Directory’ 101
• Sources of “Truth” in AD
• A set of tools for Pre, During and Post AD Breach
• Attributes of interest: Blue Team tips
‘Hacktive Directory’ 101
Why hack AD? Why is AD so ‘Hackable’?
• A bit like what happened with TCP/IP…
– Great success, super popular
– …Yet architecture & design goals very far from the modern landscape and threats
• Involved in every huge breach (as well as smaller ones ☺)
– Lion (2020), NTT (2020), Baltimore (2019), Norsk Hydro (2019), SingHealth (2018), MAERSK (2017), SONY (2014), Target (2013), many others…
• “The Microsoft Mainframe” – It’s not going away!
• Compromising your AD means GAME OVER.
Windows/AD 101
• AuthN protocols (NTLM, Kerberos, LDAP/S) and “Secrets” (hashes/NTLM, tickets, caching, certificates…)
• Logon vs. Authentication (Local vs. Domain, logon types…)
• Security Principals (Users, Computers, Groups)
• Authorization / ACLs – going beyond group membership(s)
  – e.g. direct SID assignment, ObjectAccess types etc.
• Processes, threads, handles, access tokens, logon sessions etc.
PAC
AdminSDHolder
| Protocol and Port | AD and AD DS Usage | Type of traffic |
|---|---|---|
| TCP 25 | Replication | SMTP |
| TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS |
| TCP 135 | Replication | RPC, EPM |
| TCP 137 | NetBIOS Name resolution | NetBIOS Name resolution |
| TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon |
| TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP |
| TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL |
| TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC |
| TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL |
| TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos |
| TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS |
| TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMBv1/2/3, CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc |
| TCP 9389 | AD DS Web Services | SOAP |
| TCP 5722 | File Replication | RPC, DFSR (SYSVOL) |
| TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password |
| UDP 123 | Windows Time, Trusts | Windows Time |
| UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution |
| UDP 138 | DFS, Group Policy, NetBIOS Netlogon, Browsing | DFSN, NetLogon, NetBIOS Datagram Service |
| UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service, but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE |
| TCP and UDP 1024-5000; 49152-65535 | Ongoing (RPC etc.) | RPC / DCOM / WMI... |
| TCP 593 | DCOM/Messaging/Exchange | RPC over HTTP |
“Confusing” architectural recommendations
• 90’s (the NT4 days): the more domains – the better!
• NT4 to NT5 -> your opportunity to consolidate domains!
• Domain is NOT a security boundary! -> separate into Forests, with trusts
• Trusts are bad as well (one/bi-directional, FPs, SID filtering, sidHistory…)
• ESAE, aka “Red Forest” (costly! & doesn’t play well with cloud) *
• Admin Tier Model
• Forget the costly & complex ‘Red Forest’ -> Privileged Access
* Still useful for isolated environments, e.g., offline R&D or disconnected OT/Scada environments
Sources of “Truth” in AD
• Sysvol/Files vs. ETW/Event Logs vs. pcap/”hooks”
• Possible Scenarios –
– No logs (Not collected/Not enough retention/Wiped by ransom)
– No Online DCs (encrypted/offline VMs -> Just backups…)
• Still, we want to know who did what & when
• NTDS.dit
• replPropertyMetadata
HacKtive Directory: Sources of “Truth”
NTDS.dit
single-value attribute: msDS-ReplAttributeMetaData
multi-value attribute: msDS-ReplValueMetaData
Where is this msds-Repl* ??!
Wouldn’t it be nice…
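The replication metadata named above is readable from any DC over LDAP (or from a mounted NTDS.dit copy), which is what makes it a source of truth when the event logs are gone. The PowerShell below is an added example, not one of the presentation's tools: it reads msDS-ReplAttributeMetaData for a single object, parses the DS_REPL_ATTR_META_DATA XML document that each value carries, and returns a per-attribute "what changed, which version, when, from which DC" timeline. The function names, the constructed sample value and the example object DN are assumptions; the XML element names are those of the DS_REPL_ATTR_META_DATA structure itself.

```powershell
# Added example (not one of the presentation's tools). Turns an object's
# msDS-ReplAttributeMetaData into a per-attribute "what changed, which version,
# when, from which DC" table. The parser is pure .NET; the live query needs the
# ActiveDirectory module (RSAT) on a domain-joined host.

function ConvertFrom-ReplAttributeMetadata {
    # Each value of msDS-ReplAttributeMetaData is one DS_REPL_ATTR_META_DATA XML document.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $m = ([xml]$Xml).DS_REPL_ATTR_META_DATA
        [pscustomobject]@{
            Attribute      = $m.pszAttributeName
            Version        = [int]$m.dwVersion            # increments once per originating write
            LastChangeUtc  = [datetime]::Parse($m.ftimeLastOriginatingChange,
                                 [cultureinfo]::InvariantCulture, 'AdjustToUniversal')
            OriginatingDsa = $m.pszLastOriginatingDsaDN    # NTDS Settings DN of the DC that took the write
            InvocationId   = $m.uuidLastOriginatingDsaInvocationID
            OriginatingUsn = [int64]$m.usnOriginatingChange
        }
    }
}

function Get-ObjectChangeTimeline {
    # Who|what|when for one object, newest change first. The metadata is identical on
    # every healthy replica, so any DC (or an NTDS.dit copy mounted with dsamain) will do.
    param(
        [Parameter(Mandatory)][string]$Identity,   # DN, objectGUID or SID
        [string]$Server                             # optional DC, or mounted-NTDS host:port
    )
    $p = @{ Identity = $Identity; Properties = 'msDS-ReplAttributeMetaData' }
    if ($Server) { $p.Server = $Server }
    (Get-ADObject @p).'msDS-ReplAttributeMetaData' |
        ConvertFrom-ReplAttributeMetadata |
        Sort-Object LastChangeUtc -Descending
}

# Constructed sample value, in the shape a DC returns it, so the parser can be tried offline:
$sample = @'
<DS_REPL_ATTR_META_DATA>
  <pszAttributeName>userAccountControl</pszAttributeName>
  <dwVersion>4</dwVersion>
  <ftimeLastOriginatingChange>2018-02-13T21:47:09Z</ftimeLastOriginatingChange>
  <uuidLastOriginatingDsaInvocationID>9f2c1a3e-0000-4000-8000-000000000001</uuidLastOriginatingDsaInvocationID>
  <usnOriginatingChange>123456</usnOriginatingChange>
  <usnLocalChange>123456</usnLocalChange>
  <pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example</pszLastOriginatingDsaDN>
</DS_REPL_ATTR_META_DATA>
'@
$sample | ConvertFrom-ReplAttributeMetadata | Format-List

# Live use on a domain-joined host with RSAT (hypothetical object):
# Get-ObjectChangeTimeline -Identity 'CN=svc-backup,OU=Service,DC=corp,DC=example' -Server DC01
```

Two things to read off the output: a version counter that jumped on an attribute nobody should be writing (userAccountControl, servicePrincipalName, the account's ACL), and an originating DSA that is not one of the DCs you recognise. Because a single-valued attribute only keeps its last originating change, the timeline is the last write per attribute, not a full history; for linked values such as group membership the multi-valued msDS-ReplValueMetaData uses the same approach with DS_REPL_VALUE_META_DATA elements that also carry the linked object DN and its created/deleted times.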
More Tools for Pre, During & Post AD Breach
Get-LDAPperformance
Identifying Unusual and/or Large LDAP Queries
• Collects LDAP Query Performance events and analyzes them to CSV & Grid (relies on event ID 1644)
• Helps in identifying large or unusual LDAP queries, either for Threat Hunting or IT optimization
• No dependencies, no modules required. Requires ‘Event Log Readers’ permission or equivalent (to the ‘Directory Service’ log)
• Some pre-requisites needed on the AD side: enable the relevant auditing and set a registry key
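As an added example (not the Get-LDAPperformance script itself), the PowerShell below shows the two halves the bullets describe: checking the DC-side prerequisites for event 1644 (the NTDS "Field Engineering" diagnostics level and the search-result/time thresholds, which are the standard AD registry values) and then reading 1644 events from the Directory Service log into a table of client, base DN, filter and entries visited/returned. The function names, the regex over the event message text and the constructed sample message are assumptions; check the label wording against a real 1644 event on your OS version.

```powershell
# Added example (not the presentation's Get-LDAPperformance). Event 1644 in the
# "Directory Service" log records searches that cross the NTDS thresholds, once the
# "15 Field Engineering" diagnostics level is raised to 5. Key/value names below are
# the standard AD ones; everything else (function names, regex, sample) is assumed.
$NtdsDiag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$NtdsParm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Test-LdapPerfLoggingPrereq {
    # Reports (never changes) the DC-side settings 1644 depends on. Run on the DC itself.
    $r = { param($k, $n) (Get-ItemProperty -Path $k -Name $n -ErrorAction SilentlyContinue).$n }
    $fe = & $r $NtdsDiag '15 Field Engineering'
    [pscustomobject]@{
        FieldEngineeringLevel      = $fe                                   # 5 = log 1644
        ExpensiveSearchThreshold   = & $r $NtdsParm 'Expensive Search Results Threshold'
        InefficientSearchThreshold = & $r $NtdsParm 'Inefficient Search Results Threshold'
        SearchTimeThresholdMs      = & $r $NtdsParm 'Search Time Threshold (msecs)'
        Ready                      = ($fe -eq 5)
    }
}

function ConvertFrom-Ldap1644Message {
    # Pulls the labelled fields out of the 1644 message text (assumed label names).
    param([Parameter(Mandatory)][string]$Message, [datetime]$TimeCreated, [string]$Dc)
    $get = {
        param($label)
        $rx = "(?m)^[ \t]*$([regex]::Escape($label)):[ \t]*\r?\n[ \t]*(.+?)[ \t\r]*$"
        if ($Message -match $rx) { $Matches[1] } else { $null }
    }
    [pscustomobject]@{
        TimeCreated     = $TimeCreated
        DC              = $Dc
        Client          = & $get 'Client'              # IP:port of the LDAP client
        StartingNode    = & $get 'Starting node'
        Filter          = & $get 'Filter'
        Scope           = & $get 'Search scope'
        Attributes      = & $get 'Attribute selection'
        VisitedEntries  = [int](& $get 'Visited entries')
        ReturnedEntries = [int](& $get 'Returned entries')
    }
}

function Get-Ldap1644Event {
    # Reads 1644 from one or more DCs and returns one row per search.
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [int]$MaxEvents = 1000)
    foreach ($dc in $ComputerName) {
        Get-WinEvent -ComputerName $dc -MaxEvents $MaxEvents -ErrorAction SilentlyContinue `
                     -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644 } |
            ForEach-Object { ConvertFrom-Ldap1644Message -Message $_.Message -TimeCreated $_.TimeCreated -Dc $dc }
    }
}

# Constructed sample message (shape of a 1644 entry) so the parser can be tried without a DC:
$sampleMsg = @'
Internal event: A client issued a search operation with the following options.

Client:
 10.0.0.55:51234
Starting node:
 DC=corp,DC=example
Filter:
 (objectClass=*)
Search scope:
 subtree
Attribute selection:
 [all]
Visited entries:
 184233
Returned entries:
 184000
'@
ConvertFrom-Ldap1644Message -Message $sampleMsg -TimeCreated (Get-Date) -Dc 'DC01' | Format-List

# Live: the largest searches first, per client. A whole-tree (objectClass=*) pull of
# every attribute from a workstation address is the row worth a second look.
# Get-Ldap1644Event -ComputerName DC01, DC02 | Sort-Object VisitedEntries -Descending |
#     Select-Object -First 20 TimeCreated, DC, Client, Filter, VisitedEntries, ReturnedEntries |
#     Format-Table -AutoSize
```

The two counters separate the two use cases from the slide: a search that visits far more entries than it returns is the IT-optimisation kind (an unindexed attribute in the filter), while one that visits and returns most of the directory from an unexpected client is the threat-hunting kind. Lowering the thresholds makes 1644 fire more often, so pair a lower threshold with the MaxEvents cap when collecting from busy DCs.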
LDAP performance
Domain Privilege Escalation
Pass the hash, golden ticket etc.
Kerberos ‘refresher’
Golden Ticket = Game Over
• krbtgt password hash compromise -> privileged persistence via offline TGT forging
• The krbtgt hash can be obtained in several ways:
  • Unauthorized AD replication (DCSync/DCShadow)
  • Copy of the AD database or a backup (NTDS.dit + SYSTEM registry hive)
  • Stolen from lsass/DC memory (any RW DC, not an RODC)
• The attack can occur in multiple ways & tools (e.g. mimikatz, with AES 256-bit hash, for 10 hours only etc.)
Invoke-PostKrbtgtResetMonitor
• Centralized detection of Golden Tickets via anomalous Kerberos ticket detection AFTER resetting the krbtgt password TWICE
• No dependencies/modules. Requires ‘Event Log Readers’ or equivalent
Golden Ticket Monitor
GoldFinger
• Collects, Analyzes & Hunts for Suspicious TGTs
• Detects suspicious TGTs on domain EndPoints in real-time
• Potential Pass-The-Hash
• Potential Golden ticket
• No agent – works with WinRM or SMB (PaExec)
• No dependencies, no external modules (just .ps1)
• Research done to handle multiple anomalies:
  • Logon session user != ticket client name <strong indication>
  • Ticket lifetime != expected lifetime <default 10 hours>
  • Ticket renewal length != expected renewal length <default 7 days>
  • KDC called is empty, and DNSHostName is different from the current computer name
  • Encryption type != aes256_cts_hmac_sha1_96 <rc4 is common for inter-forest/domain tickets>
  • Encoded ticket size
  • Session logon type is CachedInteractive <potential for some false positives>
  • etc.
GoldFinger (Cont.)
• Requires Local Admin permissions on EndPoints
• Supports running against different domains
• Supports running on the entire domain (default), or just specific computer(s), or excluding specific computer(s)
• Can optionally enable PSRemoting (and try to start WinRM on EndPoints)
• Fixes clock skew issues, while at it
• … and more ☺
• Collector script heavily based on work by Jared Atkinson (@jaredcatkinson) & Matthew Graeber (@mattifestation)
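Most of the GoldFinger heuristics on the previous slide reduce to a handful of comparisons on fields every cached TGT exposes. The PowerShell below is an added illustration, not the GoldFinger collector: it parses klist output for a logon session, keeps only TGTs (the krbtgt/ service), and scores each against the checks the slide lists that need no extra context (client name vs. session user, lifetime not 10 hours, renewal not 7 days, non-AES256 encryption, empty KDC). The field-label regexes, the expected-value defaults and the constructed klist sample are assumptions; a domain whose Kerberos policy sets different lifetimes should pass its own values in.

```powershell
# Added example (not the presentation's GoldFinger script). Scores cached TGTs against
# the anomalies the slide lists. Defaults assume the stock Kerberos policy (10 h TGT,
# 7 d renewal); the klist label names are as printed on Windows 10 / Server 2016+.

function ConvertFrom-KlistText {
    # Parses "klist" output into one object per ticket.
    param([Parameter(Mandatory)][string]$Text, [cultureinfo]$Culture = [cultureinfo]::InvariantCulture)
    $blocks = $Text -split '(?m)^#\d+>' | Where-Object { $_ -match 'Client:' }
    foreach ($b in $blocks) {
        $f = @{}
        foreach ($label in 'Client', 'Server', 'KerbTicket Encryption Type', 'Start Time', 'End Time', 'Renew Time', 'Kdc Called') {
            $rx = "(?m)^[ \t]*$([regex]::Escape($label)):[ \t]*(.*?)[ \t\r]*$"
            $f[$label] = if ($b -match $rx) { $Matches[1] } else { '' }
        }
        $toTime = { param($s) if ($s) { [datetime]::Parse(($s -replace '\s*\(local\)$', ''), $Culture) } else { $null } }
        [pscustomobject]@{
            Client     = ($f['Client'] -replace '\s*@.*$', '')    # "user @ REALM" -> "user"
            Server     = $f['Server']
            Encryption = $f['KerbTicket Encryption Type']
            Start      = & $toTime $f['Start Time']
            End        = & $toTime $f['End Time']
            Renew      = & $toTime $f['Renew Time']
            KdcCalled  = $f['Kdc Called']
        }
    }
}

function Test-TgtAnomaly {
    # One row per TGT: how many of the slide's indicators fire, and which.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Ticket,
        [string]$SessionUser = $env:USERNAME,
        [timespan]$ExpectedLifetime = (New-TimeSpan -Hours 10),
        [timespan]$ExpectedRenewal  = (New-TimeSpan -Days 7),
        [string]$ExpectedEtype = 'aes256_cts_hmac_sha1_96'
    )
    process {
        if ($Ticket.Server -notmatch '^krbtgt/') { return }     # TGTs only
        $norm  = { param($s) ($s -replace '[^A-Za-z0-9]', '').ToUpper() }   # "AES-256-CTS-..." == "aes256_cts_..."
        $flags = [System.Collections.Generic.List[string]]::new()
        if ($Ticket.Client -ne $SessionUser) { $flags.Add("client '$($Ticket.Client)' != session user '$SessionUser' (strong)") }
        if ($null -ne $Ticket.Start -and $null -ne $Ticket.End -and ($Ticket.End - $Ticket.Start) -ne $ExpectedLifetime) {
            $flags.Add("lifetime $($Ticket.End - $Ticket.Start) != $ExpectedLifetime")
        }
        if ($null -ne $Ticket.Start -and $null -ne $Ticket.Renew -and ($Ticket.Renew - $Ticket.Start) -ne $ExpectedRenewal) {
            $flags.Add("renewal $($Ticket.Renew - $Ticket.Start) != $ExpectedRenewal")
        }
        if ((& $norm $Ticket.Encryption) -ne (& $norm $ExpectedEtype)) { $flags.Add("etype '$($Ticket.Encryption)' (rc4 expected only for inter-forest tickets)") }
        if (-not $Ticket.KdcCalled) { $flags.Add('KDC called is empty') }
        [pscustomobject]@{ Client = $Ticket.Client; Server = $Ticket.Server; Score = $flags.Count; Findings = ($flags -join '; ') }
    }
}

# Constructed klist sample: one ordinary TGT and one that trips every check above.
$sampleKlist = @'
Current LogonId is 0:0x3e7c1

Cached Tickets: (2)

#0>     Client: yossis @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 02/13/2018 08:00:00 (local)
        End Time:   02/13/2018 18:00:00 (local)
        Renew Time: 02/20/2018 08:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.corp.example

#1>     Client: Administrator @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 02/13/2018 08:05:00 (local)
        End Time:   02/11/2028 08:05:00 (local)
        Renew Time: 02/11/2028 08:05:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
'@
ConvertFrom-KlistText -Text $sampleKlist | Test-TgtAnomaly -SessionUser 'yossis' | Format-Table -AutoSize
# -> ticket #0 scores 0; ticket #1 scores 5

# Live, for the current session (klist prints times in the machine's locale):
# ConvertFrom-KlistText -Text ((klist) -join "`n") -Culture ([cultureinfo]::CurrentCulture) | Test-TgtAnomaly
```

The score is deliberately additive: a single lifetime mismatch is often a policy difference or clock skew (which the slide notes GoldFinger also corrects for), while a client name that differs from the logon session's user is the one the slide marks as a strong indicator on its own. Running this from a remote session, as GoldFinger does over WinRM, means `$env:USERNAME` is the collector's account, so the session user must be passed explicitly per logon session.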
Hunting for PTH/Golden Tickets
Possible ‘detections’ by EPP
Invoke-TgsMonitor
• Monitor TGS requests (all, or just failed ones, with error code reasons)
• Useful during a live IR without another central threat hunting log solution, or in general, to monitor access & failure reasons
• No dependencies, no modules
• Can also generate a ‘real-time monitor’ with a table containing the TGS events for a specific user or computer, or status/category:
  while ($true) { $x = Get-Content .\TGSMonitor.csv | ConvertFrom-Csv; Clear-Host; $x | Where-Object account -like "*yossis*" | Format-Table -AutoSize; Start-Sleep 1 }
TGS Monitor
Attributes of interest:
Blue Team tips
Attributes of interest - Examples
• Counter attributes: LogonCount, badPwdCount…
• “Per DC” attributes, e.g. LastLogon
• LogonWorkstations
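LastLogon, badPwdCount and logonCount are maintained by each DC on its own and are not replicated, so a single LDAP query only tells you what one DC saw. The PowerShell below is an added example (not from the presentation) of the blue-team habit the bullets point at: ask every DC for the per-DC attributes of one account, keep the newest lastLogon, sum the counters, and keep the per-DC rows, because a logon recorded on only one DC is itself worth a look. It also pulls logonWorkstations, the attribute the next slides build on. The function names and the use of Get-ADDomainController for DC discovery are assumptions; the attribute names are standard.

```powershell
# Added example (not from the presentation). lastLogon, badPwdCount and logonCount are
# per-DC, unreplicated attributes, so the domain-wide answer is the union of per-DC answers.
Import-Module ActiveDirectory

function Get-PerDcLogonAttributes {
    # One row per reachable DC for the given account.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc -ErrorAction Stop `
                            -Properties lastLogon, badPwdCount, logonCount, badPasswordTime, logonWorkstations
        } catch { continue }                    # DC unreachable: skip, do not fail the whole run
        [pscustomobject]@{
            DC                = $dc
            LastLogon         = if ($u.lastLogon)       { [datetime]::FromFileTimeUtc($u.lastLogon) }       else { $null }
            BadPasswordTime   = if ($u.badPasswordTime) { [datetime]::FromFileTimeUtc($u.badPasswordTime) } else { $null }
            BadPwdCount       = $u.badPwdCount
            LogonCount        = $u.logonCount
            LogonWorkstations = $u.logonWorkstations   # comma-separated NetBIOS names, or empty = anywhere
        }
    }
}

function Get-AccountLogonSummary {
    # Newest lastLogon across DCs, summed counters, plus the per-DC detail.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $rows = @(Get-PerDcLogonAttributes -SamAccountName $SamAccountName)
    [pscustomobject]@{
        Account         = $SamAccountName
        DcsAnswering    = $rows.Count
        NewestLastLogon = ($rows | Where-Object { $null -ne $_.LastLogon } |
                               Sort-Object LastLogon -Descending | Select-Object -First 1).LastLogon
        TotalBadPwd     = ($rows | Measure-Object BadPwdCount -Sum).Sum
        TotalLogons     = ($rows | Measure-Object LogonCount -Sum).Sum
        PerDc           = $rows
    }
}

# Example use on a domain-joined host with RSAT (hypothetical account):
# $s = Get-AccountLogonSummary -SamAccountName svc-backup
# $s | Format-List Account, DcsAnswering, NewestLastLogon, TotalBadPwd, TotalLogons
# $s.PerDc | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

Reading the per-DC table rather than the summary is the forensic point: a service account whose logonCount is high on every DC except one, or whose badPwdCount climbed on a single DC in one site, tells you where the activity came from even before the security logs are pulled.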
Why “living off the land” is important for Defenders
“Small step for IT, Giant step against Lateral Movement”
• No EDR
• No segmentation
• No firewall config
• No MFA
• All the misconfigurations you can think of …
• No proper auditing/SIEM/SOC
… and yet ☺
LogonWorkstations
TimeLineGenerator
• AD account timeline generator – parses DC security logs & exports an activity timeline
• Can run directly on Domain Controllers (live, through WinRM), OR specify a path to Evtx files
• Can run a Full/Longer report, or a Focused/Quicker one, with a select set of events to filter. Default: “Focused-Quicker”
• Can set the max events to fetch per DC (limit to the last X events from the log, for performance). Default: gets all events
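The TGS monitor and the timeline generator share the same plumbing: pull a set of Security-log event IDs from a DC (live, or from exported .evtx), flatten each event's XML into named fields, then filter or group by account. The PowerShell below is an added example covering both (it is not Invoke-TgsMonitor or TimeLineGenerator): `ConvertFrom-EventXml` does the flattening and decodes the Kerberos Status field, `Get-AdAccountTimeline` builds a focused or full timeline for one account from either source with a per-source event cap, and `Show-TgsMonitor` gives the grouped failed-TGS view. The function names, the focused/full event-ID sets and the constructed 4769 sample are assumptions; the status codes are the RFC 4120 error codes as they appear in 4768/4769/4771.

```powershell
# Added example (not the presentation's Invoke-TgsMonitor / TimeLineGenerator). Shared
# plumbing for both: DC Security events -> flattened fields -> filter/group by account.
# Kerberos status values are RFC 4120 error codes; the event-ID sets are a constructed default.
$KerbStatus = @{
    '0x0'  = 'Success';                        '0x6'  = 'Client principal unknown'
    '0x7'  = 'Service principal unknown';      '0xc'  = 'KDC policy rejects request'
    '0xd'  = 'Bad ticket option';              '0xe'  = 'Encryption type not supported'
    '0x12' = 'Client revoked/disabled/locked'; '0x17' = 'Password expired'
    '0x18' = 'Pre-auth failed (bad password)'; '0x19' = 'Pre-authentication required'
    '0x1f' = 'Ticket integrity check failed';  '0x20' = 'Ticket expired'
    '0x25' = 'Clock skew too great'
}
$FocusedIds = 4624, 4625, 4768, 4769, 4771, 4776, 4740, 4720, 4722, 4724, 4726, 4728, 4732, 4756
$FullIds    = $FocusedIds + @(4634, 4647, 4648, 4672, 4729, 4733, 4757, 4738)

function ConvertFrom-EventXml {
    # Flattens one event (the text of EventLogRecord.ToXml()) so EventData fields become properties.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $e = ([xml]$Xml).Event
        $o = [ordered]@{
            TimeCreated = [datetime]$e.System.TimeCreated.SystemTime
            Dc          = $e.System.Computer
            Id          = [int]$e.System.GetElementsByTagName('EventID').Item(0).InnerText
        }
        foreach ($d in $e.EventData.Data) { if ($d.Name) { $o[$d.Name] = $d.'#text' } }
        if ($o.Contains('Status')) { $o['StatusText'] = $KerbStatus[([string]$o['Status']).ToLower()] }
        # 4769 carries the UPN form (user@REALM); normalise so one -like pattern fits every ID
        $raw = if ($o['TargetUserName']) { $o['TargetUserName'] } else { $o['SubjectUserName'] }
        $o['Account'] = [string]$raw -replace '@.*$', ''
        [pscustomobject]$o
    }
}

function Get-AdAccountTimeline {
    # Account timeline from live DCs and/or exported .evtx files, focused or full ID set,
    # with an optional cap on the newest N events per source for speed.
    param(
        [Parameter(Mandatory)][string]$Account,   # sAMAccountName; wildcards allowed
        [string[]]$DomainController = @(),
        [string[]]$EvtxPath = @(),
        [switch]$Full,
        [int]$MaxEventsPerSource = 0              # 0 = everything
    )
    $ids = if ($Full) { $FullIds } else { $FocusedIds }
    $sources = @()
    foreach ($dc in $DomainController) { $sources += ,@{ ComputerName = $dc; FilterHashtable = @{ LogName = 'Security'; Id = $ids } } }
    foreach ($f  in $EvtxPath)         { $sources += ,@{ FilterHashtable = @{ Path = $f; Id = $ids } } }
    $rows = foreach ($s in $sources) {
        if ($MaxEventsPerSource -gt 0) { $s['MaxEvents'] = $MaxEventsPerSource }
        Get-WinEvent @s -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-EventXml -Xml $_.ToXml() } |
            Where-Object { $_.Account -like $Account }
    }
    $rows | Sort-Object TimeCreated
}

function Show-TgsMonitor {
    # The "live IR" view of TGS requests: grouped by account / service / status reason.
    param([Parameter(Mandatory)][string[]]$DomainController, [int]$MaxEvents = 500, [switch]$FailedOnly)
    $rows = foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -MaxEvents $MaxEvents -ErrorAction SilentlyContinue `
                     -FilterHashtable @{ LogName = 'Security'; Id = 4769 } |
            ForEach-Object { ConvertFrom-EventXml -Xml $_.ToXml() }
    }
    if ($FailedOnly) { $rows = $rows | Where-Object { $_.Status -ne '0x0' } }
    $rows | Group-Object Account, ServiceName, StatusText | ForEach-Object {
        [pscustomobject]@{ Count = $_.Count; Account_Service_Status = $_.Name
                           Last  = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated }
    } | Sort-Object Count -Descending
}

# Constructed sample (shape of EventLogRecord.ToXml() for a failed 4769) to try the decoder offline:
$sample4769 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4769</EventID>
    <TimeCreated SystemTime="2018-02-13T09:15:02.000Z"/>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">yossis@CORP.EXAMPLE</Data>
    <Data Name="TargetDomainName">CORP.EXAMPLE</Data>
    <Data Name="ServiceName">FS01$</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="IpAddress">::ffff:10.0.0.55</Data>
    <Data Name="Status">0x20</Data>
  </EventData>
</Event>
'@
ConvertFrom-EventXml -Xml $sample4769 |
    Format-List Id, TimeCreated, Account, ServiceName, IpAddress, Status, StatusText   # StatusText: Ticket expired

# Live use:
# Get-AdAccountTimeline -Account 'yossis' -DomainController DC01, DC02 -MaxEventsPerSource 50000 | Format-Table -AutoSize
# Get-AdAccountTimeline -Account 'svc-*' -EvtxPath C:\ir\DC01-Security.evtx -Full | Export-Csv .\timeline.csv -NoTypeInformation
# while ($true) { Clear-Host; Show-TgsMonitor -DomainController DC01 -FailedOnly | Format-Table -AutoSize; Start-Sleep 5 }
```

Reading 4769 needs "Audit Kerberos Service Ticket Operations" enabled on the DCs, and it is a high-volume event, so the monitor loop keeps the per-DC cap small. For the timeline, the .evtx path is the variant that still works in the "no online DCs, just backups" scenario from the Sources of Truth slide, provided the logs were exported before the DCs went down.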
TimeLine Generator
LogonWorkstations reflected through TimeLine Generator
Open Source Tools & Scripts: HacktiveDirectory.com
Key Takeaways
• ‘Hacktive Directory’ is here to stay! In-depth knowledge is key
• Invest in a “living off the land” mindset – a simple configuration can go further than a few expensive vendor products ☺
• Understand the Sources of “Truth” in AD
• ‘Hacktive Directory’ forensics are part of a wider picture
– Event correlation & threat hunting with high-fidelity alerts
• Practice a Before, During & After approach
• Check out hacktivedirectory.com or github.com/YossiSassi for code & scripts – comments and improvements are welcome!
Everything is a set of nested ‘if’ statements
Takk!
Yossi_Sassi
yossis@protonmail.com

Hacktive Directory Forensics - HackCon18, Oslo

  • 15.
    Protocol and Port | AD and AD DS Usage | Type of traffic
    TCP 25 | Replication | SMTP
    TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS
    TCP 135 | Replication | RPC, EPM
    TCP 137 | NetBIOS Name resolution | NetBIOS Name resolution
    TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon
    TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
    TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
    TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
    TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
    TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
    TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
    TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMBv1/2/3, CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
    TCP 9389 | AD DS Web Services | SOAP
    TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
    TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
    UDP 123 | Windows Time, Trusts | Windows Time
    UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
    UDP 138 | DFS, Group Policy, NetBIOS Netlogon, Browsing | DFSN, NetLogon, NetBIOS Datagram Service
    UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service, but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE
    TCP & UDP 1024-5000; 49152-65535 | Ongoing (RPC etc’) | RPC / DCOM / WMI...
    TCP 593 | DCOM/Messaging/Exchange | RPC over HTTP
  • 16. “Confusing” architectural recommendations
    • 90’s (The NT4 days): The more Domains – the better!
    • NT4 to NT5 -> Your opportunity to Consolidate domains!
    • Domain is NOT a security boundary! -> Separate into Forests, with trusts.
    • Trusts are bad as well (one/bi-directional, FPs, SidFiltering, sidHistory…)
    • ESAE, aka “Red Forest” (Costly! & doesn’t play well with cloud) *
    • Admin Tier Model
    • Forget the costly & complex ‘Red Forest’ -> Privileged Access
    * Still useful for isolated environments, e.g., offline R&D or disconnected OT/Scada environments
  • 18. HacKtive Directory: Sources of “Truth”
    • Sysvol/Files vs. ETW/Event Logs vs. pcap/“hooks”
    • Possible Scenarios –
      – No logs (Not collected/Not enough retention/Wiped by ransom)
      – No Online DCs (encrypted/offline VMs -> Just backups…)
    • Still, we want to know who did what & when
    • NTDS.dit
    • replPropertyMetaData
  • 21. Where is this msds-Repl* ??!
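The replication metadata mentioned above is readable without any log at all: AD exposes replPropertyMetaData and replValueMetaData as the constructed attributes msDS-ReplAttributeMetaData and msDS-ReplValueMetaData, and the RSAT cmdlet Get-ADReplicationAttributeMetadata decodes them. The following is an added example (not code from the HackCon deck or from hacktivedirectory.com) that turns that metadata into a what-changed-when-from-which-DC timeline for one object; the DC name and DN are placeholders.

```powershell
# Added example, not from the deck. Builds a change timeline for one AD object from
# replication metadata, which survives wiped event logs. Scalar attributes give
# "last change time, originating DC, version counter"; linked values (group 'member')
# give one row per member, and a removed member keeps a row with a delete timestamp
# until the tombstone lifetime expires, so removals are visible too.
# Assumptions: RSAT ActiveDirectory module; 'DC01.corp.local' and the DN are placeholders.
Import-Module ActiveDirectory

function Get-ADObjectChangeTimeline {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$Server   # any writable DC; originating time/DC replicate, local USNs do not
    )

    # Scalar attributes: Version = number of originating writes since the object was created
    $attrs = Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $Server |
        ForEach-Object {
            [pscustomobject]@{
                When     = $_.LastOriginatingChangeTime
                What     = $_.AttributeName
                Value    = $null
                Version  = $_.Version
                OriginDC = $_.LastOriginatingChangeDirectoryServerIdentity
                Deleted  = $null
                Kind     = 'attribute'
            }
        }

    # Linked values: each add/remove bumps Version; a removal sets LastOriginatingDeleteTime
    # (shown as $null or the zero FILETIME 1601-01-01 when the link is still present)
    $links = Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $Server -ShowAllLinkedValues |
        Where-Object { $_.IsLinkValue } |
        ForEach-Object {
            $del = $_.LastOriginatingDeleteTime
            [pscustomobject]@{
                When     = $_.LastOriginatingChangeTime
                What     = $_.AttributeName
                Value    = $_.AttributeValue
                Version  = $_.Version
                OriginDC = $_.LastOriginatingChangeDirectoryServerIdentity
                Deleted  = if ($del -and $del -gt [datetime]'1601-01-02') { $del } else { $null }
                Kind     = 'linked-value'
            }
        }

    @($attrs) + @($links) | Sort-Object When -Descending
}

# Usage (placeholders): who was added to / removed from Domain Admins, when, and from which DC,
# plus the security-relevant scalar attributes of the group object itself
Get-ADObjectChangeTimeline -ObjectDN 'CN=Domain Admins,CN=Users,DC=corp,DC=local' -Server 'DC01.corp.local' |
    Where-Object { $_.Kind -eq 'linked-value' -or $_.What -in 'adminCount','nTSecurityDescriptor','userAccountControl','servicePrincipalName' } |
    Format-Table When, What, Value, Version, OriginDC, Deleted -AutoSize
```

Two caveats a practitioner should keep in mind: the metadata records the originating DC and time, not the security principal that made the write, so "who" still has to come from that DC's Security log (4662/5136) or from a change-tracking product; and a `Version` that is far higher than the number of changes you can explain (e.g. on `member` or `servicePrincipalName`) is itself worth a closer look, because add/remove pairs that were cleaned up still count.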
  • 22. Wouldn’t it be nice…
  • 25. More Tools for Pre, During & Post AD Breach
  • 26. Get-LDAPperformance – Identifying Unusual and/or Large LDAP Queries
    • Collects LDAP Query Performance Events and analyzes them to CSV & Grid (relies on event ID 1644)
    • Helps in identifying large or unusual LDAP queries, either for Threat Hunting or IT optimization
    • No Dependencies, No modules required. Requires ‘Event Log Readers’ permission or equivalent (to the ‘Directory Service’ log)
    • Some pre-requisites needed from the AD side: enable the relevant diagnostic logging on the DC and set the registry thresholds that control which searches get logged
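As an added example (not the Get-LDAPperformance script itself), here are the two halves of that workflow in plain PowerShell: the DC-side prerequisites that make event 1644 appear, and a parser that turns the 1644 message text into sortable objects. The registry value names are the documented NTDS diagnostics/threshold values; the "Label:" names are those used in the 1644 message body and are the assumption the parser rests on; $DC is a placeholder.

```powershell
# Added example, not the deck's script. Step 1 (run elevated on the DC): turn on the
# "15 Field Engineering" diagnostic, which emits Directory Service event 1644 for searches
# that exceed the thresholds below (documented defaults 10000 / 1000 / 30000 are high
# enough that almost nothing is logged; lower them to see real traffic).
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $diag -Name '15 Field Engineering'                -Value 5    -Type DWord
Set-ItemProperty -Path $parm -Name 'Expensive Search Results Threshold'   -Value 1000 -Type DWord
Set-ItemProperty -Path $parm -Name 'Inefficient Search Results Threshold' -Value 1000 -Type DWord
Set-ItemProperty -Path $parm -Name 'Search Time Threshold (msecs)'        -Value 100  -Type DWord

# Step 2: read and parse event 1644 (needs Event Log Readers on the DC, or run there).
function Get-1644Field([string]$Text, [string]$Label) {
    # 1644 puts each "Label: value" on its own line; label names are an assumption of this parser
    $rx = '(?m)^\s*' + [regex]::Escape($Label) + '\s*(.*?)\s*$'
    if ($Text -match $rx) { $Matches[1] } else { $null }
}
function Get-1644Number([string]$Text, [string]$Label) {
    $v = Get-1644Field $Text $Label
    if ($v -match '^\d+') { [int]$Matches[0] } else { 0 }
}

function Get-ExpensiveLdapSearch {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 5000)
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644 }
    foreach ($e in $events) {
        $m = $e.Message
        [pscustomobject]@{
            Time     = $e.TimeCreated
            DC       = $e.MachineName
            Client   = Get-1644Field  $m 'Client:'            # ip:port of the LDAP client
            BaseDN   = Get-1644Field  $m 'Starting node:'
            Filter   = Get-1644Field  $m 'Filter:'
            Scope    = Get-1644Field  $m 'Search scope:'
            Attrs    = Get-1644Field  $m 'Attribute selection:'
            Visited  = Get-1644Number $m 'Visited entries:'   # objects the DC had to touch
            Returned = Get-1644Number $m 'Returned entries:'
            Indexes  = Get-1644Field  $m 'Used indexes:'
            TimeMs   = Get-1644Number $m 'Search time (ms):'
        }
    }
}

# Usage (placeholder DC): heaviest searches first, then the same data grouped by client
$q = Get-ExpensiveLdapSearch -ComputerName 'DC01.corp.local'
$q | Sort-Object Visited -Descending | Select-Object -First 20 | Format-Table Time, Client, Scope, Filter, Visited, Returned, TimeMs -AutoSize
$q | Group-Object Client | Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

For threat hunting the interesting rows are the ones where a workstation (not a server, not the SIEM collector) issues subtree searches from the domain root with wide filters such as `(objectClass=*)`, `(samAccountType=...)` or `(servicePrincipalName=*)` and a large `Visited` count: that is what directory enumeration and Kerberoasting look like from the DC's side. For IT optimization, sort by `TimeMs` and look at `Indexes`: a search that visits far more entries than it returns and lists no usable index is a candidate for an index or a narrower filter.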
  • 29. Domain Privilege Escalation – Pass the hash, golden ticket etc.
  • 31. Golden Ticket = Game Over
    • krbtgt password hash compromise -> Privileged Persistence via Offline TGT forging
    • Krbtgt hash can be obtained in several ways:
      • Unauthorized AD Replication (DCSync/DCShadow)
      • Copy of AD Database or Backup (NTDS.dit + SYSTEM registry hive)
      • Stolen from lsass/DC Memory (any RW DC, Not RODC – an RODC holds only its own per-RODC krbtgt key)
    • Attack can occur in multiple ways & tools (e.g. mimikatz; a careful attacker forges with the AES-256 key and a default 10-hour lifetime rather than RC4 and a 10-year ticket, so the forged TGT blends in with real ones, etc’)
  • 32. Invoke-PostKrbtgtResetMonitor
    • Centralized detection of Golden Tickets via anomalous Kerberos ticket detection AFTER resetting the krbtgt password TWICE (the KDC still accepts TGTs encrypted with the previous krbtgt key, so a single reset leaves already-forged tickets valid)
    • No Dependencies/modules. Requires ‘Event Log Readers’ or equivalent
  • 34. GoldFinger
    • Collects, Analyzes & Hunts for Suspicious TGTs
    • Detects suspicious TGTs on domain EndPoints in real-time
      • Potential Pass-The-Hash
      • Potential Golden ticket
    • No agent – works with WinRM or SMB (PaExec)
    • No dependencies, no external modules (just .ps1)
    • Research done to handle multiple anomalies:
      • Logon Session User != Ticket Client Name <Strong indication>
      • Ticket Lifetime != Expected Lifetime <Default 10 hours>
      • Ticket Renewal Length != Expected Renewal Length <Default 7 days>
      • KDC called is empty, and DNSHostName is different than the current computer name
      • Encryption Type != aes256_cts_hmac_sha1_96 <rc4 is common for inter-forest/domain tickets>
      • Encoded Ticket Size
      • Session Logon Type is CachedInteractive <potential for some False Positives>
      • etc’
  • 35. GoldFinger (Cont.)
    • Requires Local Admin permissions on EndPoints
    • Supports running against different domains
    • Supports running on entire domain (default), or just a specific computer(s), or Exclude specific computer(s)
    • Can optionally enable PSRemoting (and try to start WinRM on EndPoints)
    • Fixes clock skew issues, while at it
    • .. And more ☺
    • Collector script heavily based on work by Jared Atkinson (@jaredcatkinson) & Matthew Graeber (@mattifestation)
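To make the anomaly rules on the two GoldFinger slides concrete, here is an added example that applies the same checks (client name vs. session user, lifetime, renewal window, empty KDC, encryption type) to the text output of `klist` on a single endpoint. It is not the GoldFinger collector, which reads the ticket cache through LSA rather than parsing klist. The klist sample is constructed; the field labels and the `M/d/yyyy H:mm:ss` date format are those of klist on an en-US system and are an assumption for other locales.

```powershell
# Added example, not GoldFinger. Parses `klist` output into ticket objects and flags TGTs
# that break the defaults a real KDC would have issued. Sample below is constructed.

function ConvertFrom-Klist {
    param([string]$Text)
    # each ticket starts with "#N>"; the text before the first one is the cache header
    foreach ($block in ($Text -split '(?m)^#\d+>' | Select-Object -Skip 1)) {
        $f = @{}
        foreach ($line in ($block -split "`r?`n")) {
            if ($line -match '^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time|Renew Time|Kdc Called):\s*(.*?)\s*$') {
                $f[$Matches[1]] = $Matches[2] -replace '\s*\(local\)$', ''
            }
        }
        $parse = { param($s) if ($s) { [datetime]::ParseExact($s, 'M/d/yyyy H:mm:ss', [cultureinfo]::InvariantCulture) } }
        [pscustomobject]@{
            Client    = $f['Client']
            Server    = $f['Server']
            Etype     = $f['KerbTicket Encryption Type']
            Start     = & $parse $f['Start Time']
            End       = & $parse $f['End Time']
            Renew     = & $parse $f['Renew Time']
            KdcCalled = $f['Kdc Called']
        }
    }
}

function Test-TgtAnomaly {
    param(
        [Parameter(ValueFromPipeline)]$Ticket,
        [Parameter(Mandatory)][string]$SessionUser,       # owner of the logon session the cache belongs to
        [timespan]$MaxLife  = [timespan]::FromHours(10),  # domain default TGT lifetime
        [timespan]$MaxRenew = [timespan]::FromDays(7)     # domain default renewal window
    )
    process {
        if ($Ticket.Server -notmatch '^krbtgt/') { return }      # only TGTs
        $reasons = @()
        $clientUser = ($Ticket.Client -split '\s*@\s*')[0]
        if ($clientUser -ne $SessionUser)                   { $reasons += "ticket client '$clientUser' != session user '$SessionUser' (strong)" }
        if (($Ticket.End - $Ticket.Start) -ne $MaxLife)      { $reasons += "lifetime $($Ticket.End - $Ticket.Start) != $MaxLife" }
        if (($Ticket.Renew - $Ticket.Start) -ne $MaxRenew)   { $reasons += "renewal window != $MaxRenew" }
        if (-not $Ticket.KdcCalled)                          { $reasons += 'no KDC called (ticket was injected, not requested)' }
        if ($Ticket.Etype -ne 'AES-256-CTS-HMAC-SHA1-96')    { $reasons += "etype '$($Ticket.Etype)' (RC4 is normal only for cross-domain/forest tickets)" }
        [pscustomobject]@{ Client = $Ticket.Client; Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
    }
}

# Constructed klist output: #0 is an ordinary TGT, #1 looks like an injected forged ticket
$sample = @'
Current LogonId is 0:0x3e7d1

Cached Tickets: (2)

#0>     Client: alice @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 5/20/2024 8:00:00 (local)
        End Time:   5/20/2024 18:00:00 (local)
        Renew Time: 5/27/2024 8:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.corp.local

#1>     Client: Administrator @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/20/2024 9:12:00 (local)
        End Time:   5/18/2034 9:12:00 (local)
        Renew Time: 5/18/2034 9:12:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
'@

# On a real endpoint replace $sample with (klist | Out-String) for the current session,
# or (klist -li <LogonId> | Out-String) run as SYSTEM to inspect another session's cache.
ConvertFrom-Klist -Text $sample | Test-TgtAnomaly -SessionUser 'alice' | Format-Table -AutoSize
```

Against the sample, ticket #0 passes every rule and #1 is flagged on all five (wrong client, 10-year lifetime and renewal, no KDC, RC4). The "client != session user" rule is the strong one, as the slide says; the others are heuristics, so confirm the domain's actual Kerberos policy (`Get-ADDefaultDomainPasswordPolicy` does not cover it; check the Default Domain Policy's Kerberos settings) before treating a lifetime mismatch as an alert.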
  • 39. Invoke-TgsMonitor
    • Monitor TGS requests (All, or just Failed ones, with Error Code reasons)
    • Useful during a live IR without another central threat hunting/log solution, or in general, to monitor access & failure reasons
    • No Dependencies, no modules
    • Can also generate a ‘real-time monitor’ with a table containing the TGS events for a specific user or computer, or status/category (re-reads the CSV the script writes, once a second):
      while ($true) { $x = Get-Content .\TGSMonitor.csv | ConvertFrom-Csv; Clear-Host; $x | Where-Object account -like "*yossis*" | Format-Table -AutoSize; Start-Sleep 1 }
  • 43. Attributes of interest - Examples
    • Counter attributes: LogonCount, badPwdCount…
    • “Per DC” attributes (not replicated, each DC has its own value), e.g. LastLogon
    • LogonWorkstations
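The point about "per DC" attributes is easy to get wrong in an investigation: lastLogon, badPwdCount, badPasswordTime and logonCount are not replicated, so each DC only knows about the authentications it handled itself, and reading them from whichever DC answered first gives a partial or stale answer. As an added example (not from the deck), the following queries every DC and shows the per-DC values next to the replicated lastLogonTimestamp; the account name is a placeholder and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not from the deck. Reads non-replicated logon attributes from every DC
# so the investigator sees the real latest logon (and which DC saw it) instead of one
# DC's partial view. Assumes RSAT ActiveDirectory module; 'alice' is a placeholder.
Import-Module ActiveDirectory

function Get-PerDCLogonInfo {
    param([Parameter(Mandatory)][string]$Identity)
    $toDate = { param($ft) if ($ft) { [datetime]::FromFileTime($ft) } else { $null } }
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc -ErrorAction Stop `
                 -Properties lastLogon, badPwdCount, badPasswordTime, logonCount, lastLogonTimestamp
            [pscustomobject]@{
                DC          = $dc
                LastLogon   = & $toDate $u.lastLogon          # per DC, not replicated
                BadPwdTime  = & $toDate $u.badPasswordTime    # per DC; the PDC emulator also sees forwarded failures
                BadPwdCount = $u.badPwdCount                  # per DC; PDC emulator's count is the authoritative one
                LogonCount  = $u.logonCount                   # per DC
                # replicated, but only refreshed when the stored value is older than ~14 days:
                # fine for "is this account dead", useless for "when exactly did it log on"
                LastLogonTS = & $toDate $u.lastLogonTimestamp
            }
        } catch { Write-Warning "$dc unreachable or no such object: $($_.Exception.Message)" }
    }
}

$info = Get-PerDCLogonInfo -Identity 'alice'
$info | Format-Table -AutoSize

# The real answers are aggregates across DCs, never a single DC's value
$latest = $info | Where-Object LastLogon | Sort-Object LastLogon -Descending | Select-Object -First 1
"Latest logon: $($latest.LastLogon) (seen by $($latest.DC)); logons across all DCs: $(($info.LogonCount | Measure-Object -Sum).Sum)"
```

The same per-DC logic applies when hunting: a lastLogon on exactly one DC that the rest never saw tells you which DC (and usually which site) the activity came from, which narrows the Security log you need to pull next.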
  • 44. Why “living off the land” is important for Defenders
  • 45. “Small step for IT, Giant step against Lateral Movement”
    • No EDR
    • No segmentation
    • No firewall config
    • No MFA
    • All the misconfigurations you can think of …
    • No proper auditing/SIEM/SOC
    … and yet ☺
  • 47. TimeLineGenerator
    • AD account timeline generator - parse DC security logs & export activity timeline
    • Can run directly on Domain Controllers (Live, through WinRM), OR - specify Path to Evtx files
    • Can run a Full/Longer report, or a Focused/Quicker one, with a select set of events to filter. Default: "Focused-Quicker"
    • Can set the Max Events to fetch Per DC (limit to the last X events from the log, for performance). Default: gets all events
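Invoke-TgsMonitor (slide 39) and TimeLineGenerator (slide 47) both come down to reading DC Security logs, picking the Kerberos/logon/group events for one account, and decoding the Kerberos result codes. The following added example (not either script) shows that core in one function that works live against DCs or against exported .evtx files; event IDs, EventData field names and result codes are the documented ones, DC names and the account are placeholders.

```powershell
# Added example, not TimeLineGenerator or Invoke-TgsMonitor. Builds one timeline of
# Kerberos (4768/4769/4771), logon (4624/4625/4672) and group-membership (4728/4732/4756)
# events for an account from DC Security logs, live or from .evtx, and names the
# Kerberos failure codes so "failed TGS" becomes "failed TGS: client revoked".

# Kerberos result codes as they appear in the Status/FailureCode field (RFC 4120 numbering)
$KrbStatus = @{
    0x0='success'; 0x6='KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user)'; 0x7='KDC_ERR_S_PRINCIPAL_UNKNOWN (no such SPN)'
    0xC='KDC_ERR_POLICY (logon hours/workstation restriction)'; 0xE='KDC_ERR_ETYPE_NOTSUPP'
    0x12='KDC_ERR_CLIENT_REVOKED (disabled/locked/expired)'; 0x17='KDC_ERR_KEY_EXPIRED (password expired)'
    0x18='KDC_ERR_PREAUTH_FAILED (bad password)'; 0x1B='KDC_ERR_MUST_USE_USER2USER'
    0x1F='KRB_AP_ERR_BAD_INTEGRITY'; 0x20='KRB_AP_ERR_TKT_EXPIRED'; 0x25='KRB_AP_ERR_SKEW (clock skew)'
}
function Get-KrbStatusName([string]$Hex) {
    if (-not $Hex) { return '' }
    $n = [Convert]::ToInt32(($Hex -replace '^0x', ''), 16)
    if ($KrbStatus.ContainsKey($n)) { "$Hex $($KrbStatus[$n])" } else { $Hex }
}

function ConvertTo-EventData($Event) {
    # EventData/Data elements carry Name attributes (TargetUserName, IpAddress, Status, ...)
    $xml = [xml]$Event.ToXml(); $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-AccountTimeline {
    param(
        [Parameter(Mandatory)][string]$Account,
        # each source is a DC name (live; needs Event Log Readers) or a path to an exported .evtx
        [Parameter(Mandatory)][string[]]$Source,
        [int]$MaxEvents = 0    # 0 = all; otherwise the last X events per source, for speed
    )
    $ids = 4768, 4769, 4771, 4624, 4625, 4672, 4728, 4732, 4756
    $rx  = '(^|=)' + [regex]::Escape($Account) + '(@|,|$)'   # matches 'alice', 'alice@corp.local', 'CN=alice,...'
    foreach ($s in $Source) {
        $hash = @{ Id = $ids }
        if ($s -like '*.evtx') { $hash.Path = $s } else { $hash.LogName = 'Security' }
        $p = @{ FilterHashtable = $hash; ErrorAction = 'SilentlyContinue' }
        if ($s -notlike '*.evtx') { $p.ComputerName = $s }
        if ($MaxEvents -gt 0)     { $p.MaxEvents = $MaxEvents }
        foreach ($e in (Get-WinEvent @p)) {
            $d = ConvertTo-EventData $e
            # the account sits in a different field depending on the event
            $who = switch ($e.Id) { 4672 { $d.SubjectUserName } { $_ -in 4728,4732,4756 } { $d.MemberName } default { $d.TargetUserName } }
            if ($who -notmatch $rx) { continue }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Source  = $s
                Id      = $e.Id
                Account = $who
                Detail  = switch ($e.Id) {
                    4768 { "TGT request from $($d.IpAddress), etype $($d.TicketEncryptionType), $(Get-KrbStatusName $d.Status)" }
                    4769 { "TGS for $($d.ServiceName) from $($d.IpAddress), etype $($d.TicketEncryptionType), $(Get-KrbStatusName $d.Status)" }
                    4771 { "pre-auth failed from $($d.IpAddress), $(Get-KrbStatusName $d.Status)" }
                    4624 { "logon type $($d.LogonType) from $($d.IpAddress) via $($d.AuthenticationPackageName)" }
                    4625 { "failed logon type $($d.LogonType) from $($d.IpAddress), status $($d.Status)/$($d.SubStatus)" }
                    4672 { 'special privileges assigned (privileged logon)' }
                    default { "added to group $($d.TargetUserName) by $($d.SubjectUserName)" }
                }
            }
        }
    }
}

# Live against two DCs, last 50000 events each, merged into one ordered timeline (placeholder names)
Get-AccountTimeline -Account 'alice' -Source 'DC01.corp.local','DC02.corp.local' -MaxEvents 50000 |
    Sort-Object Time | Format-Table Time, Source, Id, Detail -AutoSize

# Offline, from Security.evtx files pulled out of a DC image or backup
Get-AccountTimeline -Account 'alice' -Source 'D:\case\DC01-Security.evtx' |
    Sort-Object Time | Export-Csv .\alice-timeline.csv -NoTypeInformation
```

Pull every DC, not just the one you happen to be on: a TGT request is logged only by the DC that served it, and a TGS failure for an SPN is logged where the client asked. If you only need the failing TGS requests the monitor slide talks about, filter the 4769 rows on a non-zero status; an RC4 `TicketEncryptionType` (0x17) on 4769 against a service account SPN is the classic Kerberoasting signal the same data exposes.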
  • 50. Open Source Tools & Scripts HacktiveDirectory.com
  • 51. Key Takeaways
    • ‘Hacktive Directory’ is here to stay! In-depth knowledge is key
    • Invest in a “living off the land” mindset – a simple configuration can go further than a few expensive vendor products ☺
    • Understand the Sources of “Truth" in AD
    • ‘Hacktive Directory’ forensics are a part of a wider picture – Event correlation & Threat hunting with high-fidelity alerts
    • Practice a Before, During & After approach
    • Check out hacktivedirectory.com or github.com/YossiSassi for code & scripts - Comments and improvements are welcome!
  • 52. Everything is a set of nested ‘if’ statements