Discover and read the best of Twitter Threads about #ActiveDirectory
Most recents (20)
1/ Number #10 of the #ActiveDirectory hardening measures:
Easy Wins (for Attackers)
🧵 #CyberSecurity
Easy Wins (for Attackers)
🧵 #CyberSecurity
This is the last thread in this AD hardening measure series, but there would still be so much to discuss 😅
Here are more points you should focus on to defend your networks even better.
Here are more points you should focus on to defend your networks even better.
"Administrative accounts should never be enabled for delegation.
You can prevent these privileged accounts from being targeted by enabling the ‘Account is sensitive and cannot be delegated’ flag on them. You can optionally add these accounts to the ‘Protected Users’ group.
You can prevent these privileged accounts from being targeted by enabling the ‘Account is sensitive and cannot be delegated’ flag on them. You can optionally add these accounts to the ‘Protected Users’ group.
2/ There exists a ton of different techniques of how attackers can relaying credentials to another host in order to raise their privileges or get a shell on the target server.
3/ @TrustedSec has written an excellent blog post about the different relaying techniques, how they work and which prerequisites have to be in place that the attack is successful. [1]
2/ A running print spooler service on domain controllers is still a relatively common finding in our AD assessments, even though an attack path via spooler service and unconstrained delegations have been known for years. [1]
Screenshot below from #PingCastle (@mysmartlogon)
Screenshot below from #PingCastle (@mysmartlogon)
3/ Apart from the (older) attack technique with unconstrained delegations (see above), the printer spooler has had various critical vulnerabilities over the last two years. [3]
2/ To raise the bar again, add critical accounts to the Protected Users Security Group.
"This group provides protections over and above just preventing delegation and makes them even more secure; however, it may cause operational issues, so it is worth testing in your env." [2]
"This group provides protections over and above just preventing delegation and makes them even more secure; however, it may cause operational issues, so it is worth testing in your env." [2]
3/ Benefits:
1⃣ Credential delegation (CredSSP) will not cache the user's plain text credentials [..]
2⃣ Beginning with Windows 8.1 and Windows Server 2012 R2, Windows Digest will not cache the user's plain text credentials even when Windows Digest is enabled.
1⃣ Credential delegation (CredSSP) will not cache the user's plain text credentials [..]
2⃣ Beginning with Windows 8.1 and Windows Server 2012 R2, Windows Digest will not cache the user's plain text credentials even when Windows Digest is enabled.
1/ Number #6 of the #ActiveDirectory hardening measures:
Privileges and Permissions
🧵 #CyberSecurity
Privileges and Permissions
🧵 #CyberSecurity
2/ #PingCastle lists, among many other things, the privileges assigned to domain users via GPOs.
The screenshot shows that the Default Notebook Policy grants Domain Users the SeLoadDriverPrivilege privilege.
Why is this bad?
The screenshot shows that the Default Notebook Policy grants Domain Users the SeLoadDriverPrivilege privilege.
Why is this bad?
3/ As @0xdf put it:
"If I can load a driver, I can load a vulnerable driver, and then exploit it." [1]
I know that some EDR's raise an alert when a vulnerable driver is loaded or dropped to disk, as such a driver could be exploited for a LPE.
"If I can load a driver, I can load a vulnerable driver, and then exploit it." [1]
I know that some EDR's raise an alert when a vulnerable driver is loaded or dropped to disk, as such a driver could be exploited for a LPE.
1/ Number #5 of the #ActiveDirectory hardening measures:
Add Computers to the Domain
🧵 #CyberSecurity
Add Computers to the Domain
🧵 #CyberSecurity
2/ The following case is still worth mentioning:
A customer called us because he discovered two new computers within his computer objects that did not match his naming scheme.
A customer called us because he discovered two new computers within his computer objects that did not match his naming scheme.
3/ During the detailed investigation of the incident, it turned out that these SAMTHEADMIN objects were part of an exploit code that (if successful) would give administrative rights to a standard domain user.
A more in-depth write-up here:
A more in-depth write-up here:
1/ Number #4 of the #ActiveDirectory hardening measures:
PowerShell Script Block Logging
🧵 #CyberSecurity
PowerShell Script Block Logging
🧵 #CyberSecurity
2/ Strictly speaking not part of a guide about hardening AD, but I must stress once again the importance of logging executed PowerShell code on clients and servers:
And here with several examples from our Incident Response cases:
And here with several examples from our Incident Response cases:
3/ There are other opinions about PowerShell Script Block logging because, potentially, passwords or other sensitive data could end up in event logs, and authenticated users on the workstation or server could read these logs, thus giving away the sensitive data. [1]
2/ We talked about passwords in SYSVOL before:
3/ And here:
2/ In our AD assessments or IR cases, we repeatedly see that service accounts are highly privileged, often also part of the domain administrators group.
This can be disastrous, especially with a weak password for the service account:
This can be disastrous, especially with a weak password for the service account:
3/ @Synacktiv took a closer look at the detection capabilities of Defender for Identity, including whether and how Kerberoasting could be detected. [1]
1/ I presented 10 #ActiveDirectory hardening measures a few weeks ago, and I will tweet my recommendations in the next ten days.
The list is neither prioritised nor complete, but it might give companies and administrators good input on improving (AD) security.
🧵 #CyberSecurity
The list is neither prioritised nor complete, but it might give companies and administrators good input on improving (AD) security.
🧵 #CyberSecurity
2/ Number #1 of the Active Directory hardening measures:
#ADCS (Active Directory Certificate Services)
#ADCS (Active Directory Certificate Services)
3/ The whitepaper Certified Pre-Owned: Abusing Active Directory Certificate Services by Will Schroeder and Lee Christensen showcased new possibilities and attack vectors to gain domain administrative rights as an attacker. [1]
#OrganizationalUnits (OU) are a way to assign permissions to only certain parts of the organization in onprem #ActiveDirectory. Very often it is unwanted for admins to have permissions over the entire organization. But how to achieve this in Azure AD? [1/4]
For a long time, this was not possible, and companies wanted some equivalent of OUs. That's why in Azure AD we have #AdministrativeUnits (AU), which is the equivalent of organizational units from Active Directory. [2/4]
Unlike onprem AD, administrative units are not containers that house the objects themselves. They are objects to which we can assign other objects. So, we can create an AU called Czech Republic and put users from the Czech Republic in it and delegate an administrators. [3/4]
ACTIVE DIRECTORY PENTEST 🔥
Need to practice ?
Here is a list of resources 👇
-> Set up and AD home lab: blog.spookysec.net/ad-lab-1/
-> Script to set up a Vulnerable AD lab: github.com/WazeHell/vulne…
#cybersecurity #infosec #hacking #activedirectory
Need to practice ?
Here is a list of resources 👇
-> Set up and AD home lab: blog.spookysec.net/ad-lab-1/
-> Script to set up a Vulnerable AD lab: github.com/WazeHell/vulne…
#cybersecurity #infosec #hacking #activedirectory
-> Collection of various common attack scenarios on Azure Active Directory: github.com/Cloud-Architek…
-> A great document full of resources here: linkedin.com/posts/julienpr…
-> Active Directory Exploitation Cheat Sheet: github.com/Integration-IT…
Retweet to lets other know 😊
-> A great document full of resources here: linkedin.com/posts/julienpr…
-> Active Directory Exploitation Cheat Sheet: github.com/Integration-IT…
Retweet to lets other know 😊
Join here to get more stuffs and resources on Tech & Cybersecurity 👇🏻
telegram.me/h4ckerinthehou…
telegram.me/h4ckerinthehou…
Got some fantastic resources for Active Directory Penetration Testing,
Let's learn together [Thread]🧵👇
Let's learn together [Thread]🧵👇
[1]
Do Active Directory Penetration Testing in a practical way, step by step guide
Part_1:Reconnaissance and scan
mayfly277.github.io/posts/GOADv2-p…
Part_2: Find users
mayfly277.github.io/posts/GOADv2-p…
Part_3:Enumeration with user
mayfly277.github.io/posts/GOADv2-p…
Do Active Directory Penetration Testing in a practical way, step by step guide
Part_1:Reconnaissance and scan
mayfly277.github.io/posts/GOADv2-p…
Part_2: Find users
mayfly277.github.io/posts/GOADv2-p…
Part_3:Enumeration with user
mayfly277.github.io/posts/GOADv2-p…
[2]
Part_4:Poison and relay
mayfly277.github.io/posts/GOADv2-p…
Part_5:Exploit with user
mayfly277.github.io/posts/GOADv2-p…
Part_6:ADCS
mayfly277.github.io/posts/GOADv2-p…
Part_7:MSSQL
mayfly277.github.io/posts/GOADv2-p…
Part_8:Privilege escalation
mayfly277.github.io/posts/GOADv2-p…
Part_9:Lateral move
mayfly277.github.io/posts/GOADv2-p…
Part_4:Poison and relay
mayfly277.github.io/posts/GOADv2-p…
Part_5:Exploit with user
mayfly277.github.io/posts/GOADv2-p…
Part_6:ADCS
mayfly277.github.io/posts/GOADv2-p…
Part_7:MSSQL
mayfly277.github.io/posts/GOADv2-p…
Part_8:Privilege escalation
mayfly277.github.io/posts/GOADv2-p…
Part_9:Lateral move
mayfly277.github.io/posts/GOADv2-p…
1/3
📚 Excellent article on #ADSecurity, and more particularly Security Bastions (#PAM) in the context of #ActiveDirectory tiering👍 It is not easy to make it simple on this topic, and it's the case here! lnkd.in/eJ3Kz7Bq
📚 Excellent article on #ADSecurity, and more particularly Security Bastions (#PAM) in the context of #ActiveDirectory tiering👍 It is not easy to make it simple on this topic, and it's the case here! lnkd.in/eJ3Kz7Bq
Active directory rooms, machines, walkthroughs, labs, and cheat sheet🧵👇
#activedirectory #Hacking #CyberSecurity
#activedirectory #Hacking #CyberSecurity
by @hackthebox_eu
Intro to AD:
academy.hackthebox.com/module/details…
ACTIVE DIRECTORY ENUMERATION & ATTACKS:
academy.hackthebox.com/module/details…
LDAP:
academy.hackthebox.com/module/details…
PowerView:
academy.hackthebox.com/module/details…
Bloodhound:
academy.hackthebox.com/module/details…
Active Directory machines:
app.hackthebox.com/tracks/Active-…
Intro to AD:
academy.hackthebox.com/module/details…
ACTIVE DIRECTORY ENUMERATION & ATTACKS:
academy.hackthebox.com/module/details…
LDAP:
academy.hackthebox.com/module/details…
PowerView:
academy.hackthebox.com/module/details…
Bloodhound:
academy.hackthebox.com/module/details…
Active Directory machines:
app.hackthebox.com/tracks/Active-…
Dante:
app.hackthebox.com/tracks/Intro-t…
Offshore:
app.hackthebox.com/prolabs/overvi…
by @RealTryHackMe
tryhackme.com/network/throwb…
tryhackme.com/room/hololive
tryhackme.com/room/breaching…
tryhackme.com/room/wreath
tryhackme.com/room/attacking…
tryhackme.com/room/enterprise
tryhackme.com/module/hacking…
app.hackthebox.com/tracks/Intro-t…
Offshore:
app.hackthebox.com/prolabs/overvi…
by @RealTryHackMe
tryhackme.com/network/throwb…
tryhackme.com/room/hololive
tryhackme.com/room/breaching…
tryhackme.com/room/wreath
tryhackme.com/room/attacking…
tryhackme.com/room/enterprise
tryhackme.com/module/hacking…
Una herramienta que permite explorar las relaciones entre usuarios/grupos (ACL) en un #ActiveDirectory para saber si hay algo mal configurado:
Adalanche by @lkarlslund
github.com/lkarlslund/ada…
No tenía ni idea que se pudiesen dibujar estas cosas :-/
#CiberSeguridad
Adalanche by @lkarlslund
github.com/lkarlslund/ada…
No tenía ni idea que se pudiesen dibujar estas cosas :-/
#CiberSeguridad
A partir de aquí, se puede revisar la información sobre ataques a un #ActiveDirectory recopilados por @pentest_swissky en su repositorio de GitHub:
github.com/swisskyrepo/Pa…
#CiberSeguridad
github.com/swisskyrepo/Pa…
#CiberSeguridad
Otra herramienta similar a #Adalanche es #BloodHound que también utiliza la teoría de grafos para establecer las relaciones entre los objetos (usuarios, grupos, etc.) en un #ActiveDirectory:
github.com/BloodHoundAD/B…
#CiberSeguridad
github.com/BloodHoundAD/B…
#CiberSeguridad
Real-World #PingCastle Finding #8: Non-admin users can add computers to a domain. A customer called us because he discovered two new computer objects. Such new computer objects can be a sign of more targeted attacks against the #ActiveDirectory.
1/8
#CyberSecurity #dfir
1/8
#CyberSecurity #dfir
The computer names are relatively unique, and one quickly finds a GitHub repository with corresponding exploit code.
The code tries to exploit the two vulnerabilities CVE-2021-42278 and CVE-2021-42287 (from an authenticated user directly to DA).
2/8
github.com/WazeHell/sam-t…
The code tries to exploit the two vulnerabilities CVE-2021-42278 and CVE-2021-42287 (from an authenticated user directly to DA).
2/8
github.com/WazeHell/sam-t…
Inside the exploit code, a new computer name is generated following the pattern SAMTHEADMIN-(random number from 1 to 100), precisely the naming scheme we see in the client's AD.
3/8
3/8
A hat tip to repadmin.exe (thread🧵).
Commonly used for a quick view of replication health with: “repadmin /replsum” which will inspect the Repsfrom multi-valued attribute stored at the root of each directory partition on each DC; bubbling up the summary 🪄 (#ActiveDirectory)
Commonly used for a quick view of replication health with: “repadmin /replsum” which will inspect the Repsfrom multi-valued attribute stored at the root of each directory partition on each DC; bubbling up the summary 🪄 (#ActiveDirectory)
If your output from replsum is more interesting than the example above and you want to take a closer look at replication health "showrepl" is the way. If you want to quickly see ALL partitions from ALL domain controllers in an easy view: “repadmin /showrepl * /csv > allrepl.csv”
Maybe one domain controller stands out as a troublemaker or victim and we want to quickly see who it is replicating with and the status for each partition? “repadmin /showrepl dc1”.
PSA: @HiSolutions #BCM News sind wieder am Start.
Yay! 🤘
Mit Inhalten zu:
@BBK_Bund #Warntag2020 @liquidebleiben #ActiveDirectory #Resilienz #Krisenmanagement #KRITIS #Notfallplanung @BSI_Bund Orientierungshilfe zu § 8a Abs 3 BSIG #COVID19 #BaFin #BCI #Stromausfall @enisa_eu..
Yay! 🤘
Mit Inhalten zu:
@BBK_Bund #Warntag2020 @liquidebleiben #ActiveDirectory #Resilienz #Krisenmanagement #KRITIS #Notfallplanung @BSI_Bund Orientierungshilfe zu § 8a Abs 3 BSIG #COVID19 #BaFin #BCI #Stromausfall @enisa_eu..
Ja okay, und natürlich mit Verweis auf den @legal_bits Podcast zu Ursachen für Schwachstellen im Finanzsektor mit @ra_stiegler und mir 😘
stiegler-legal.com/blog/blog-podc…
stiegler-legal.com/blog/blog-podc…
Und der Vollständigkeit halber gab es auch schon einen ersten #KRITIS Podcast zusammen mit @ra_stiegler im @legal_bits:
"KRITIS Teil 1: Was und warum sie so kritisch sind"
stiegler-legal.com/blog/blog-podc…
"KRITIS Teil 1: Was und warum sie so kritisch sind"
stiegler-legal.com/blog/blog-podc…
[PL] Porządkując starocie wypchnąłem workbook ze szkolenia o replikacji #ActiveDirectory na github - sprzed dobrych kilku lat i powinien dostać "referesh' ale podstawy są te same. Bierzcie i czytajcie - github.com/tonyszko/Archi…
FunFact #1 - to jest dokument napisany do mojego pierwszego komercyjnego projektu po odejściu z MS
Fun Fact #2 - sam nie wierzę, ale napisałem go chyba w 3 dni :)
Fun Fact #3 - robiłem szkolenia zanim to było modne :)
Fun Fact #2 - sam nie wierzę, ale napisałem go chyba w 3 dni :)
Fun Fact #3 - robiłem szkolenia zanim to było modne :)
@DebugPrivilege - no way you read it so fast :) (it is in Polish and it is 130 pages :) ) - BTW: it is AD replication training workbook. Do you think it is worth to translate it to English and update to current version?
