xct's notes
Search…
Introduction
Red Team
Active Directory
Host Enum
Payloads
Passwords
Privilege Escalation
Evasion & Bypasses
Concepts & Research
Binary Exploitation
Web
Cloud
Mobile
Hardware
Crypto
Templates
Misc
Blue Team
Active Directory
Malware Analysis
SIEM
Misc
Labs
Keys & Signing
Language & Framwork Specifics
Misc
HackTheBox
Crossfit
Luanne
APT
Attended
Delivery
Cereal
Powered By GitBook
Active Directory

Best Practices

  • limit login of DAs to DCs only
  • never run a service with DA privileges
  • check out temporary group memberships (Can have TTL)
  • disable account delegation for sensitive accounts (in ad usersettings)

Windows events

Golden Ticket

  • 4624: Account Logon
  • 4634: Account Logoff
  • 4672: Admin Logon (should be monitored on the dc)
1
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 |Format-List -Property *
Copied!

Skeleton Key

  • 7045: A Service was installed in the system.
  • 4673: Sensitive Privilege user (requires audit privileges)
  • 4611: Trusted logon process has been registered with the Local Security Authority (requires audit privileges)
1
Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*"}
Copied!

DSRM

  • 4657: Audit creating/Change of HKLM:\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehaviour

Malcious SSP

  • 4657: Audit/creation of HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages

Kerberoast

There are no mitigations for kerberoasting so make sure the service accounts that have an spn associated have strong passwords and are changed regularly.
  • 4769: A Kerberos ticket as requested, Filter: Name != krbtgt, does not end with $, not [email protected], Failure code is 0x0 (success), ticket encryption is 0x17 (rc4-hmac)

ACL Scan

  • 4662: Operation was performed on an object
  • 5136: directory service object was modified
  • 4670: permissions on an object were changed

Forest Trust Attacks

  • Enable SID Filtering
  • Enable Selective Authentication (access between forests not automated)

Advanced Threat Analytics

  • Traffic for DCs is mirrored to ATA Sensors (or installed on dc as service), activity profile is build
  • Collects 4776 (credential validation of a user) to detect replay attacks, detects behavioral anomalies
  • Detects: account enumeration, netsession enumeration, Brute Force, exposed cleartext credentials, honey tokens, unusual protocols, credential attacks (pth,ptt,ticket replay)
  • Will NOT detect non existent users for golden ticket
  • Detects DCSync, but not DCShadow

LAPS

  • Centralized password storage with periodic randomization, stored in computer objects in fields mc-mcsAdmPwd (cleartext), ms-mcs-AdmPwdExperiationTime

Device Guard

  • Hardens against malware
  • Run trusted code only, enforced in Kernel and Userspace (CCI, UMCI, KMCI)
  • UEFI SEcure Boot protects bios and firmware

Procted Users Group

  • Cannot use CredSSP & Wdigest (no more cleartext creds)
  • NTLM Hash not cached
  • Kerberos does not use DES or RC4
  • Requires at least server 2008, need to test impact, no offline sign-on (no caching), useless for computers and service accounts

Privileged Administrative Workstations

  • Use hardened workstation for performing sensitive tasks

Layered architecture

  • Tier0: Domain Admins/Enterprise Admins
  • Tier1: Significant Resource Access
  • Tier2: Administrator for Workstations / Support etc.

Red Forest

  • ESAE Enhanced Security Admin Environment
  • Dedicated administrative forest for managing critical assets (forests are security boundaries)
Previous
Other
Next - Blue Team
Malware Analysis
Last modified 1yr ago
Copy link
Contents
Best Practices
Windows events
Forest Trust Attacks
Advanced Threat Analytics
LAPS
Device Guard
Procted Users Group
Privileged Administrative Workstations
Layered architecture
Red Forest