Discover and read the best of Twitter Threads about #ActiveDirectory

Most recents (20)

1/ Number #10 of the #ActiveDirectory hardening measures:

Easy Wins (for Attackers)

🧵 #CyberSecurity
This is the last thread in this AD hardening measure series, but there would still be so much to discuss 😅

Here are more points you should focus on to defend your networks even better.
"Administrative accounts should never be enabled for delegation.

You can prevent these privileged accounts from being targeted by enabling the ‘Account is sensitive and cannot be delegated’ flag on them. You can optionally add these accounts to the ‘Protected Users’ group.
Read 11 tweets
1/ Number #9 of the #ActiveDirectory hardening measures:


🧵 #CyberSecurity
2/ There exists a ton of different techniques of how attackers can relaying credentials to another host in order to raise their privileges or get a shell on the target server.
3/ @TrustedSec has written an excellent blog post about the different relaying techniques, how they work and which prerequisites have to be in place that the attack is successful. [1]
Read 8 tweets
1/ Number #8 of the #ActiveDirectory hardening measures:

Print Spooler Service

🧵 #CyberSecurity
2/ A running print spooler service on domain controllers is still a relatively common finding in our AD assessments, even though an attack path via spooler service and unconstrained delegations have been known for years. [1]

Screenshot below from #PingCastle (@mysmartlogon)
3/ Apart from the (older) attack technique with unconstrained delegations (see above), the printer spooler has had various critical vulnerabilities over the last two years. [3]
Read 8 tweets
1/ Number #7 of the #ActiveDirectory hardening measures:

Harden critical accounts

🧵 #CyberSecurity
2/ To raise the bar again, add critical accounts to the Protected Users Security Group.

"This group provides protections over and above just preventing delegation and makes them even more secure; however, it may cause operational issues, so it is worth testing in your env." [2]
3/ Benefits:

1⃣ Credential delegation (CredSSP) will not cache the user's plain text credentials [..]

2⃣ Beginning with Windows 8.1 and Windows Server 2012 R2, Windows Digest will not cache the user's plain text credentials even when Windows Digest is enabled.
Read 8 tweets
1/ Number #6 of the #ActiveDirectory hardening measures:

Privileges and Permissions

🧵 #CyberSecurity
2/ #PingCastle lists, among many other things, the privileges assigned to domain users via GPOs.

The screenshot shows that the Default Notebook Policy grants Domain Users the SeLoadDriverPrivilege privilege.

Why is this bad?
3/ As @0xdf put it:

"If I can load a driver, I can load a vulnerable driver, and then exploit it." [1]

I know that some EDR's raise an alert when a vulnerable driver is loaded or dropped to disk, as such a driver could be exploited for a LPE.
Read 13 tweets
1/ Number #5 of the #ActiveDirectory hardening measures:

Add Computers to the Domain

🧵 #CyberSecurity Image
2/ The following case is still worth mentioning:

A customer called us because he discovered two new computers within his computer objects that did not match his naming scheme. Image
3/ During the detailed investigation of the incident, it turned out that these SAMTHEADMIN objects were part of an exploit code that (if successful) would give administrative rights to a standard domain user.

A more in-depth write-up here:

Read 6 tweets
1/ Number #4 of the #ActiveDirectory hardening measures:

PowerShell Script Block Logging

🧵 #CyberSecurity
2/ Strictly speaking not part of a guide about hardening AD, but I must stress once again the importance of logging executed PowerShell code on clients and servers:

And here with several examples from our Incident Response cases:

3/ There are other opinions about PowerShell Script Block logging because, potentially, passwords or other sensitive data could end up in event logs, and authenticated users on the workstation or server could read these logs, thus giving away the sensitive data. [1]
Read 6 tweets
1/ Number #3 of the #ActiveDirectory hardening measures:


🧵 #CyberSecurity
2/ We talked about passwords in SYSVOL before:

Read 7 tweets
1/ Number #2 of the #ActiveDirectory hardening measures:

Service Accounts

🧵 #CyberSecurity
2/ In our AD assessments or IR cases, we repeatedly see that service accounts are highly privileged, often also part of the domain administrators group.

This can be disastrous, especially with a weak password for the service account:

3/ @Synacktiv took a closer look at the detection capabilities of Defender for Identity, including whether and how Kerberoasting could be detected. [1]
Read 7 tweets
1/ I presented 10 #ActiveDirectory hardening measures a few weeks ago, and I will tweet my recommendations in the next ten days.

The list is neither prioritised nor complete, but it might give companies and administrators good input on improving (AD) security.

🧵 #CyberSecurity
2/ Number #1 of the Active Directory hardening measures:

#ADCS (Active Directory Certificate Services)
3/ The whitepaper Certified Pre-Owned: Abusing Active Directory Certificate Services by Will Schroeder and Lee Christensen showcased new possibilities and attack vectors to gain domain administrative rights as an attacker. [1]
Read 14 tweets
#OrganizationalUnits (OU) are a way to assign permissions to only certain parts of the organization in onprem #ActiveDirectory. Very often it is unwanted for admins to have permissions over the entire organization. But how to achieve this in Azure AD? [1/4] Image
For a long time, this was not possible, and companies wanted some equivalent of OUs. That's why in Azure AD we have #AdministrativeUnits (AU), which is the equivalent of organizational units from Active Directory. [2/4]
Unlike onprem AD, administrative units are not containers that house the objects themselves. They are objects to which we can assign other objects. So, we can create an AU called Czech Republic and put users from the Czech Republic in it and delegate an administrators. [3/4]
Read 4 tweets

Need to practice ?
Here is a list of resources 👇

-> Set up and AD home lab:

-> Script to set up a Vulnerable AD lab:…

#cybersecurity #infosec #hacking #activedirectory
-> Collection of various common attack scenarios on Azure Active Directory:…

-> A great document full of resources here:…

-> Active Directory Exploitation Cheat Sheet:…

Retweet to lets other know 😊
Join here to get more stuffs and resources on Tech & Cybersecurity 👇🏻…
Read 3 tweets
Got some fantastic resources for Active Directory Penetration Testing,

Let's learn together [Thread]🧵👇
Do Active Directory Penetration Testing in a practical way, step by step guide

Part_1:Reconnaissance and scan…

Part_2: Find users…

Part_3:Enumeration with user…
Read 4 tweets
📚 Excellent article on #ADSecurity, and more particularly Security Bastions (#PAM) in the context of #ActiveDirectory tiering👍 It is not easy to make it simple on this topic, and it's the case here!
1️⃣ In theory, there should be an instance of a bastion in each Tier
2️⃣ In reality, very few companies have a bastion on #Tier2 💻
3️⃣ First choice is to deploy a bastion on #Tier1 (large number of machines and accounts 👥️️)
4️⃣ #Tier0 can be more simply managed by #VPN + #PAWs (dedicated and hardened admin workstations)
5️⃣ Most importantly is to ensure the #PAM does not interfere with the principles of tiering... you can easily break the silos when you start playing with the functionalities 🌐
Read 3 tweets
Una herramienta que permite explorar las relaciones entre usuarios/grupos (ACL) en un #ActiveDirectory para saber si hay algo mal configurado:

Adalanche by @lkarlslund…

No tenía ni idea que se pudiesen dibujar estas cosas :-/

A partir de aquí, se puede revisar la información sobre ataques a un #ActiveDirectory recopilados por @pentest_swissky en su repositorio de GitHub:…

Otra herramienta similar a #Adalanche es #BloodHound que también utiliza la teoría de grafos para establecer las relaciones entre los objetos (usuarios, grupos, etc.) en un #ActiveDirectory:…

Read 4 tweets
Real-World #PingCastle Finding #8: Non-admin users can add computers to a domain. A customer called us because he discovered two new computer objects. Such new computer objects can be a sign of more targeted attacks against the #ActiveDirectory.

#CyberSecurity #dfir
The computer names are relatively unique, and one quickly finds a GitHub repository with corresponding exploit code.

The code tries to exploit the two vulnerabilities CVE-2021-42278 and CVE-2021-42287 (from an authenticated user directly to DA).
Inside the exploit code, a new computer name is generated following the pattern SAMTHEADMIN-(random number from 1 to 100), precisely the naming scheme we see in the client's AD.
Read 8 tweets
A hat tip to repadmin.exe (thread🧵).

Commonly used for a quick view of replication health with: “repadmin /replsum” which will inspect the Repsfrom multi-valued attribute stored at the root of each directory partition on each DC; bubbling up the summary 🪄 (#ActiveDirectory) repadmin replsum example
If your output from replsum is more interesting than the example above and you want to take a closer look at replication health "showrepl" is the way. If you want to quickly see ALL partitions from ALL domain controllers in an easy view: “repadmin /showrepl * /csv > allrepl.csv” repadmin /showrepl csv file in excel
Maybe one domain controller stands out as a troublemaker or victim and we want to quickly see who it is replicating with and the status for each partition? “repadmin /showrepl dc1”. repadmin showreps detailed view for one domain controller
Read 8 tweets
Ja okay, und natürlich mit Verweis auf den @legal_bits Podcast zu Ursachen für Schwachstellen im Finanzsektor mit @ra_stiegler und mir 😘…
Und der Vollständigkeit halber gab es auch schon einen ersten #KRITIS Podcast zusammen mit @ra_stiegler im @legal_bits:

"KRITIS Teil 1: Was und warum sie so kritisch sind"…
Read 3 tweets
[PL] Porządkując starocie wypchnąłem workbook ze szkolenia o replikacji #ActiveDirectory na github - sprzed dobrych kilku lat i powinien dostać "referesh' ale podstawy są te same. Bierzcie i czytajcie -…
FunFact #1 - to jest dokument napisany do mojego pierwszego komercyjnego projektu po odejściu z MS

Fun Fact #2 - sam nie wierzę, ale napisałem go chyba w 3 dni :)

Fun Fact #3 - robiłem szkolenia zanim to było modne :)
@DebugPrivilege - no way you read it so fast :) (it is in Polish and it is 130 pages :) ) - BTW: it is AD replication training workbook. Do you think it is worth to translate it to English and update to current version?
Read 3 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!