Attacking and Defending Active Directory
The importance of Active Directory in an enterprise cannot be stressed enough. Used by more than 90% of Fortune 1000 companies, the all-pervasive AD is the focal point for adversaries. Still, when it comes to AD security, there is a large knowledge gap that security professionals and administrators struggle to fill. Over the years, we have taught numerous professionals in real-world trainings on AD security and have always found a lack of quality material that takes students from the basics of Active Directory security and teaches them how to attack and defend it.
Attacking and Defending Active Directory is a beginner-friendly course designed for security professionals who would like to enhance their AD security knowledge and want to understand practical threats and attacks in a modern Active Directory environment. The course is based on our years of experience making and breaking Windows and AD environments and teaching security professionals.
We cover topics like AD enumeration, trust mapping, domain privilege escalation, domain persistence, Kerberos-based attacks (Golden ticket, Silver ticket and more), ACL issues, SQL Server trusts, defenses, and bypasses of those defenses.
You can either create your own Active Directory lab and follow along, or subscribe to one of our premium labs.
A non-exhaustive list of topics to be covered includes:
- Active Directory Enumeration. Use scripts, built-in tools and MS ActiveDirectory module to enumerate the target domain.
- Understand how useful information like users, groups, group memberships, computers, user properties etc. from the domain controller is available to even a normal user.
- Understand and enumerate intra-forest and inter-forest trusts. Practice how to extract information from the trusts.
- Enumerate Group policies.
- Enumerate ACLs and learn to find "interesting" rights on ACLs in the target domain that can be used to carry out attacks.
- Local Privilege Escalation
- Learn different local privilege escalation techniques on a Windows machine.
- Hunt for local admin privileges on machines in the target domain using multiple methods.
- Abuse enterprise applications to execute complex attack paths that involve bypassing antivirus and pivoting to different machines.
- Domain Privilege Escalation
- Learn to find credentials and sessions of high-privilege domain accounts like Domain Administrators, extract their credentials and then use credential replay attacks to escalate privileges, all of this using only built-in protocols for pivoting.
- Learn to extract credentials from a restricted environment where application whitelisting is enforced. Abuse derivative local admin privileges and pivot to other machines to escalate privileges to domain level.
- Understand the classic Kerberoast and its variants to escalate privileges.
- Enumerate the domain for objects with unconstrained delegation and abuse it to escalate privileges.
- Find domain objects with constrained delegation enabled. Understand and execute the attacks against such objects to escalate privileges to a single service on a machine and to the domain administrator using alternate tickets.
- Learn how to abuse privileges of Protected Groups to escalate privileges.
- Domain Persistence and Dominance
- Abuse Kerberos functionality to persist with DA privileges. Forge tickets to execute attacks like Golden ticket and Silver ticket to persist.
- Subvert the authentication on the domain level with Skeleton key and custom SSP.
- Abuse the DC safe mode Administrator for persistence.
- Abuse the protection mechanism like AdminSDHolder for persistence.
- Abuse minimal rights required for attacks like DCSync by modifying ACLs of domain objects.
- Learn to modify the host security descriptors of the domain controller to persist and execute commands without needing DA privileges.
- Cross trust attacks
- Learn to elevate privileges from Domain Admin of a child domain to Enterprise Admin on the forest root by abusing Trust keys and krbtgt account.
- Execute inter-forest trust attacks to access resources across forests.
- Abuse database links to achieve code execution across forest by just using the databases.
- Forest persistence and dominance
- Understand forest persistence technique like DCShadow. Execute it to modify objects in the forest root without leaving change logs. Learn minimal permissions required to use DCShadow and avoid change logs for minimal permissions using Shadowception.
- Defenses – Monitoring
- Learn about useful events logged when the discussed attacks are executed.
- Defenses and bypass – Architecture and Work culture Changes
- Learn briefly about the architecture and work-culture changes required in an organization to avoid the discussed attacks. We discuss Temporal group membership, ACL auditing, LAPS, SID Filtering, Selective Authentication, Credential Guard, Device Guard, the Protected Users group, PAWs, Tiered Administration and ESAE or Red Forest.
- Learn how Microsoft’s Advanced Threat Analytics and other similar tools detect domain attacks and the ways to avoid and bypass such tools.
- Defenses and bypass – Deception
- Understand how deception can be effectively deployed as a defense mechanism in AD. Deploy decoy user objects that have interesting properties set, that hold ACL rights over other users and that have high-privilege access in the domain, along with the available protections. Deploy decoy computer and group objects to deceive an adversary. Learn how adversaries can identify decoy objects and how defenders can avoid that detection.
- Defenses and bypass – PowerShell
- Learn about various improvements in Windows PowerShell v5 and their significance in detecting attacks. We will discuss system-wide transcription, enhanced logging, Constrained Language Mode, AMSI etc. Learn how JEA helps in secure administration. Execute bypasses against the discussed defenses and learn how those bypasses are detected.
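As an added illustration of the enumeration items in the list above (users, groups, trusts, group policies and ACLs, all from a normal domain user's session), the following PowerShell script uses only the Microsoft ActiveDirectory and GroupPolicy RSAT modules. It is not course material and was not written by the instructor; the privileged group names, the extended-rights GUIDs and the list of "interesting" rights are the author-of-this-example's choices, and the script assumes RSAT is installed and the host is domain-joined.

```powershell
# Added example: AD enumeration as an ordinary domain user with the RSAT modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy -ErrorAction SilentlyContinue

$Domain = Get-ADDomain

# 1. Users with properties attackers look for: SPNs (Kerberoast targets),
#    "Do not require Kerberos preauthentication", and AdminCount=1
#    (objects protected by AdminSDHolder).
$Users = Get-ADUser -Filter * -Properties ServicePrincipalName, DoesNotRequirePreAuth, AdminCount, Description
"== Users with SPNs =="
$Users | Where-Object { $_.ServicePrincipalName } |
    Select-Object SamAccountName, @{n='SPNs'; e={ $_.ServicePrincipalName -join ';' }} | Format-Table -AutoSize
"== Users without Kerberos preauth =="
$Users | Where-Object { $_.DoesNotRequirePreAuth } | Select-Object -ExpandProperty SamAccountName
"== AdminCount=1 =="
$Users | Where-Object { $_.AdminCount -eq 1 } | Select-Object -ExpandProperty SamAccountName

# 2. Recursive membership of high-privilege groups (Enterprise Admins exists only
#    in the forest root, hence the error suppression).
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    "== $g =="
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
}

# 3. Computers with unconstrained or constrained delegation configured.
Get-ADComputer -Filter * -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo', OperatingSystem |
    Where-Object { $_.TrustedForDelegation -or $_.'msDS-AllowedToDelegateTo' } |
    Select-Object Name, OperatingSystem, TrustedForDelegation,
        @{n='AllowedToDelegateTo'; e={ $_.'msDS-AllowedToDelegateTo' -join ';' }} | Format-Table -AutoSize

# 4. Trusts: direction, intra/inter-forest, and whether SID filtering or
#    selective authentication is in place.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, IntraForest, ForestTransitive, SIDFilteringQuarantined, SelectiveAuthentication |
    Format-Table -AutoSize

# 5. Group policies and the OUs they are linked to (gPLink attribute).
Get-GPO -All | Select-Object DisplayName, Id, GpoStatus, ModificationTime | Format-Table -AutoSize
Get-ADOrganizationalUnit -Filter * -Properties gPLink | Where-Object gPLink |
    Select-Object DistinguishedName, gPLink | Format-Table -AutoSize

# 6. ACLs: allow ACEs granted to principals other than the expected admin groups
#    that carry rights usable for escalation. The two replication rights on the
#    domain head are what DCSync needs.
$ReplGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
}
$AllGuid = '00000000-0000-0000-0000-000000000000'
$Ignore  = '^(NT AUTHORITY|BUILTIN)\\|\\(Domain Admins|Enterprise Admins|Administrators|Domain Controllers|Enterprise Domain Controllers)$'

function Get-InterestingAce {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"      # AD: drive comes with the ActiveDirectory module
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $Ignore) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $guid   = $ace.ObjectType.ToString()
        $named  = $ReplGuids[$guid]
        $generic  = $rights -match 'GenericAll|GenericWrite|WriteOwner|WriteDacl'
        $extended = ($rights -match 'ExtendedRight') -and ($guid -eq $AllGuid -or $named)
        if ($generic -or $extended) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = if ($named) { $named } else { $rights }
                Inherited = $ace.IsInherited
            }
        }
    }
}

"== Interesting ACEs on the domain head =="
Get-InterestingAce -DistinguishedName $Domain.DistinguishedName | Format-Table -AutoSize
"== Interesting ACEs on user objects =="
$Users | ForEach-Object { Get-InterestingAce -DistinguishedName $_.DistinguishedName } | Format-Table -AutoSize
```

Everything above is a read of the directory, which is why a normal user can run it; the same queries are also the ones a defender's ACL audit (the "ACL auditing" item under architecture changes) should be running on a schedule, with any hit outside the expected principals treated as a finding.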
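As an added example for the PowerShell defenses item, the script below turns on script block logging, module logging and system-wide transcription through the same policy registry keys Group Policy writes, reports the session's language mode and whether AMSI is loaded, and then pulls recent script block log events (event 4104) that mention tooling used in the attacks listed above. It is not course material; the transcript share path and the list of suspicious strings are this example's own assumptions, and it must run elevated to write HKLM.

```powershell
# Added example: enable PowerShell v5 logging via policy keys, then check the
# session and triage the resulting script block log.
$PSPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging -> event 4104 in Microsoft-Windows-PowerShell/Operational.
Set-PolicyValue "$PSPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
# Module logging for every module ("*") -> event 4103 with parameter values.
Set-PolicyValue "$PSPolicy\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$PSPolicy\ModuleLogging\ModuleNames" '*' '*' 'String'
# System-wide transcription to a write-only central share (placeholder path).
Set-PolicyValue "$PSPolicy\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$PSPolicy\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$PSPolicy\Transcription" 'OutputDirectory' '\\logserver\PSTranscripts$' 'String'

# Constrained Language Mode is imposed by a Device Guard (WDAC) or AppLocker
# policy rather than a PowerShell registry value, so we only report what this
# session received. AMSI is checked by looking for amsi.dll in the process.
$AmsiLoaded = [bool]((Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -eq 'amsi.dll' })
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"
"AMSI loaded:  $AmsiLoaded"

# Triage: 4104 events from the last hour whose script text contains strings
# common to the attacks discussed. A starting point for a detection, not a rule;
# obfuscated scripts will not match literal strings like these.
$Suspicious = 'Invoke-Mimikatz', 'sekurlsa', 'kerberos::golden', 'lsadump::dcsync', 'Invoke-Kerberoast', 'DCShadow'
$Filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    Where-Object {
        $text = $_.Message
        $Suspicious | Where-Object { $text -match [regex]::Escape($_) }
    } |
    Select-Object TimeCreated,
        @{n='Script'; e={ $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) }} |
    Format-Table -Wrap
```

The policy keys are effective for new PowerShell processes only, and a local administrator can delete them, so in practice they belong in a GPO applied to the whole tier; the value of script block logging is that it records the de-obfuscated script block as it is compiled, which is why the bypass techniques the course covers target the logging and AMSI machinery itself rather than the strings.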
He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in penetration tests and PowerShell for post-exploitation. He is the creator of Kautilya, a toolkit that makes it easy to use HIDs in penetration tests, and Nishang, a post-exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.
Nikhil has held trainings and boot camps for various corporate clients (in the US, Europe and SE Asia) and at the world's top information security conferences. He has spoken at conferences like DEF CON, Black Hat USA, Black Hat Europe, RSA China, Troopers, DeepSec, PHDays, Black Hat Abu Dhabi, Hackfest, ClubHack, EuSecWest and more. He blogs at Lab of a Penetration Tester.