hAcktive Directory Forensics:
a toolkit for understanding who|what|when in your domain
Yossi Sassi
WhoAmI
• InfoSec Researcher; H@‫כ‬k3r (1nTh35h311)
• Red mind, Blue heart
• Co-Founder @
• Consulting in 4 continents (Banks/gov/F100)
• 30+ years of keyboard access – Code, IT Sec, Net Comms.
• ~25 years of AD expertise; Ex-Javelin Networks (Acquired by Symantec)
• Ex-Technology Group Manager @ Microsoft (Coded Windows Server Tools)
• Aviator; Volunteer (Youth at risk); Oriental Rock Bouzoukitarist
ChatGPT was Not used in the making of this presentation, code & content
Incorrect. 2nd attempt, after feedback: again, still Incorrect.
What we'll talk about
• 'Hacktive Directory' 101
• Sources of "Truth" in AD
• A set of tools for Pre, During and Post AD Breach
• Attributes of interest: Blue Team tips
‘Hacktive Directory’ 101
Why hack AD? Why is AD so ‘Hackable’?
• a bit like what happened with TCP/IP…
– Great success, super popular
– …Yet architecture & design goals very far from modern
landscape and threats
• Involved in every huge breach (as well as smaller ones ☺)
– Lion (2020), NTT (2020), Baltimore (2019), Norsk Hydro (2019), Singhealth
(2018), MAERSK (2017), SONY (2014), Target (2013), many others..
• “The Microsoft Mainframe” – It’s not going away!
• Compromising your AD means GAME OVER.
Windows/AD 101
• AuthN protocols (NTLM, Kerberos, LDAP/S binds) and "secrets" (NTLM hashes, Kerberos keys and tickets, cached credentials, certificates…)
• Logon vs. authentication (local vs. domain, logon types…)
• Security principals (users, computers, groups)
• Authorization / ACLs – going beyond group membership(s)
  • e.g. direct SID assignment in ACEs, ACE access types (generic rights, property sets, extended rights such as the DS-Replication-Get-Changes rights behind DCSync), object ownership
• Processes, threads, handles, access tokens, logon sessions, etc.
PAC
AdminSDHolder
Protocol and port                  | AD and AD DS usage                                                          | Type of traffic
TCP 25                             | Replication (inter-site SMTP replication only)                              | SMTP
TCP 42                             | WINS, in a domain trust scenario offering NetBIOS resolution                | WINS
TCP 135                            | Replication                                                                 | RPC, EPM (endpoint mapper)
TCP 137                            | NetBIOS name resolution                                                     | NetBIOS name resolution
TCP 139                            | User and computer authentication, replication                               | DFSN, NetBIOS Session Service, NetLogon
TCP and UDP 389                    | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP (UDP 389 is CLDAP, used by the DC locator pings)
TCP 636                            | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP over SSL/TLS
TCP 3268                           | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP, Global Catalog
TCP 3269                           | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP, Global Catalog over SSL/TLS
TCP and UDP 88                     | User and computer authentication, forest-level trusts                       | Kerberos
TCP and UDP 53                     | User and computer authentication, name resolution, trusts                   | DNS
TCP and UDP 445                    | Replication, user and computer authentication, Group Policy, trusts         | SMBv1/2/3, CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 9389                           | AD DS Web Services (AD PowerShell module, ADAC)                              | SOAP
TCP 5722                           | File replication (SYSVOL)                                                   | RPC, DFSR
TCP and UDP 464                    | Replication, user and computer authentication, trusts                       | Kerberos change/set password
UDP 123                            | Windows Time, trusts                                                        | Windows Time (NTP)
UDP 137                            | User and computer authentication                                            | NetLogon, NetBIOS name resolution
UDP 138                            | DFS, Group Policy, NetBIOS NetLogon, browsing                               | DFSN, NetLogon, NetBIOS Datagram Service
UDP 67 and UDP 2535                | DHCP (not a core AD DS service, but may be needed for other functions such as WDS) | DHCP, MADCAP, PXE
TCP and UDP 1024-5000; 49152-65535 | Ongoing (RPC etc.)                                                          | RPC / DCOM / WMI… (dynamic ports)
TCP 593                            | DCOM / messaging / Exchange                                                 | RPC over HTTP

Notes: the 1024-5000 dynamic range belongs to Windows Server 2003 and earlier, 49152-65535 to Windows Server 2008 and later; the fixed DFSR port TCP 5722 is used by Windows Server 2008/2008 R2 DCs, later versions use a dynamic RPC port unless one is pinned with dfsrdiag StaticRPC. For segmentation and detection work this table is the reason "DC traffic" is not a single port: replication, authentication and remote management all ride RPC on ephemeral ports.
"Confusing" architectural recommendations
• 90s (the NT4 days): the more domains, the better!
• NT4 to NT5 (Windows 2000): your opportunity to consolidate domains!
• The domain is NOT a security boundary! -> separate into forests, with trusts.
• Trusts are bad as well (one-/bi-directional, FPs, SID filtering, sIDHistory…)
• ESAE, aka "Red Forest" (costly, and doesn't play well with cloud) *
• Admin Tier Model
• Forget the costly & complex "Red Forest" -> Privileged Access strategy (Microsoft retired ESAE in its favour)
* Still useful for isolated environments, e.g. offline R&D or disconnected OT/SCADA environments
Sources of "Truth" in AD
• SYSVOL/files vs. ETW/event logs vs. pcap/"hooks"
• Possible scenarios:
  – No logs (not collected / not enough retention / wiped by ransomware)
  – No online DCs (encrypted/offline VMs -> just backups…)
• Still, we want to know who did what & when
• NTDS.dit – the directory database itself; an offline copy or a backup is enough
• replPropertyMetaData – the per-attribute replication metadata every object carries (version counter, originating time, originating DC and USN for the last change of each attribute). It is what replication conflict resolution runs on, so it exists on every DC, survives log wiping, and is readable by any authenticated user who can read the object.
HacKtive Directory: Sources of "Truth"
NTDS.dit
The metadata is exposed through two constructed attributes:
  single-value attributes: msDS-ReplAttributeMetaData (last change per attribute)
  multi-value (linked) attributes: msDS-ReplValueMetaData (per value, e.g. each group member, including removed values)
Where is this msDS-Repl* ??! Constructed attributes are computed on request, so they are never returned by a plain search; they have to be asked for by name.
Wouldn't it be nice…
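As an added example (not code from the deck or from HacktiveDirectory.com), here is the "who|what|when" read straight out of replication metadata with plain System.DirectoryServices, no ActiveDirectory module. Assumptions: a reachable DC, Read access to the target object (the default for authenticated users), and the object DNs used at the bottom, which are the stock locations for krbtgt and Domain Admins.

```powershell
# Added example: turn msDS-ReplAttributeMetaData / msDS-ReplValueMetaData into who/what/when rows.
# Not the deck's tooling. Assumes a reachable DC and Read access to the object.
function Get-ReplMetadata {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$DistinguishedName"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=*)'
    # Constructed attributes are only returned when requested explicitly.
    [void]$searcher.PropertiesToLoad.Add('msDS-ReplAttributeMetaData')
    [void]$searcher.PropertiesToLoad.Add('msDS-ReplValueMetaData')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Object not found: $DistinguishedName" }

    # Each value is an XML fragment without a root element; wrap them so [xml] can parse.
    $attrXml  = [xml]('<r>' + ($result.Properties['msds-replattributemetadata'] -join '') + '</r>')
    $valueXml = [xml]('<r>' + ($result.Properties['msds-replvaluemetadata']     -join '') + '</r>')

    # Single-valued attributes: one row per attribute, describing its last originating change.
    foreach ($m in $attrXml.r.DS_REPL_ATTR_META_DATA) {
        [pscustomobject]@{
            Attribute      = $m.pszAttributeName
            Value          = $null
            Version        = [int]$m.dwVersion
            LastChangeUtc  = [datetime]::Parse($m.ftimeLastOriginatingChange).ToUniversalTime()
            Deleted        = $null
            OriginatingDsa = $m.pszLastOriginatingDsaDN   # NTDS Settings DN of the DC the change was made on
            OriginatingUsn = [int64]$m.usnOriginatingChange
        }
    }
    # Linked multi-valued attributes (member, ...): one row per value. Removed values stay
    # behind with a real ftimeDeleted, which is how you see who was REMOVED from a group;
    # active values carry the 1601-01-01 placeholder.
    foreach ($m in $valueXml.r.DS_REPL_VALUE_META_DATA) {
        $deleted = if ($m.ftimeDeleted -and $m.ftimeDeleted -notlike '1601-01-01*') {
            [datetime]::Parse($m.ftimeDeleted).ToUniversalTime() } else { $null }
        [pscustomobject]@{
            Attribute      = $m.pszAttributeName
            Value          = $m.pszObjectDn
            Version        = [int]$m.dwVersion
            LastChangeUtc  = [datetime]::Parse($m.ftimeLastOriginatingChange).ToUniversalTime()
            Deleted        = $deleted
            OriginatingDsa = $m.pszLastOriginatingDsaDN
            OriginatingUsn = [int64]$m.usnOriginatingChange
        }
    }
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.defaultNamingContext.Value

# "When was krbtgt last reset, and from which DC?" unicodePwd's version increments on every
# reset, so it also confirms that both halves of a double krbtgt reset actually happened.
Get-ReplMetadata "CN=krbtgt,CN=Users,$domainDn" |
    Where-Object Attribute -in 'unicodePwd', 'pwdLastSet' | Format-Table -AutoSize

# Membership history of a Tier-0 group, removals included, newest first.
Get-ReplMetadata "CN=Domain Admins,CN=Users,$domainDn" |
    Where-Object Attribute -eq 'member' | Sort-Object LastChangeUtc -Descending | Format-Table -AutoSize

# Sanity check on the "who": every originating DSA should be a live nTDSDSA object in the
# Configuration NC. An empty or unknown DSA DN means the originating "DC" is gone: either a
# legitimately demoted DC, or a rogue replication partner cleaned up after a DCShadow push.
$cfgDn = $rootDse.configurationNamingContext.Value
$cfgSearcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://$cfgDn"), '(objectClass=nTDSDSA)'
$knownDsa = $cfgSearcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
Get-ReplMetadata "CN=Domain Admins,CN=Users,$domainDn" |
    Where-Object { $_.OriginatingDsa -notin $knownDsa } |
    Select-Object Attribute, Value, LastChangeUtc, OriginatingDsa
```

The originating fields (time, DSA, USN, version) are the same on every DC once replication has converged, so this works against any DC, including one restored from backup in an isolated lab. The metadata itself lives in the DIT and a DCShadow-capable attacker can shape it, so for a contested investigation compare the answer from more than one DC rather than trusting a single one.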
More Tools for Pre, During & Post AD Breach
Get-LDAPperformance
Identifying unusual and/or large LDAP queries
• Collects LDAP query performance events and analyzes them to CSV & grid (relies on event ID 1644 in the Directory Service log)
• Helps in identifying large or unusual LDAP queries, either for threat hunting (a collector pulling every object in the domain looks very different from normal client traffic) or for IT optimization
• No dependencies, no modules required. Requires 'Event Log Readers' permission or equivalent on the Directory Service log
• Some prerequisites are needed on the AD side: enable the relevant diagnostic logging and set the registry thresholds, otherwise 1644 is never written
LDAP performance
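The prerequisites and the analysis, as an added example that is not the deck's Get-LDAPperformance: one function turns 1644 logging on at the DC, one parses the free-text 1644 message, one summarises the events per client and filter so that whole-domain subtree searches stand out. Assumptions: the enable step runs elevated on the DC, the threshold values are starting points to tune rather than recommendations, and the parsing regexes expect the English message text of event 1644 (fields that are missing come back as $null rather than failing).

```powershell
# Added example, not the deck's code. Enable 1644 logging on a DC, then summarise the events.
function Enable-LdapQueryLogging {
    # Run elevated on the DC. Thresholds are assumptions to tune for your environment.
    param([int]$SearchTimeMs = 100, [int]$InefficientResults = 1000, [int]$ExpensiveResults = 10000)
    $diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    # "15 Field Engineering" at level 5 is what makes the DC write event 1644 to the Directory Service log.
    Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord
    # Only searches crossing one of these thresholds are logged; lower them to see more.
    Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold'   -Value $ExpensiveResults   -Type DWord
    Set-ItemProperty -Path $params -Name 'Inefficient Search Results Threshold' -Value $InefficientResults -Type DWord
    Set-ItemProperty -Path $params -Name 'Search Time Threshold (msecs)'        -Value $SearchTimeMs       -Type DWord
}

function ConvertFrom-Ldap1644 {
    param([Parameter(Mandatory)][string]$Message, [datetime]$Time)
    # In the 1644 text each value sits on the line after its label; $null when the label is absent.
    $grab = { param($label) if ($Message -match "(?s)$label\s*\r?\n\s*(.*?)\r?\n") { $matches[1].Trim() } }
    $num  = { param($s) if ($s -match '^\d+$') { [int64]$s } }
    [pscustomobject]@{
        Time     = $Time
        Client   = (& $grab 'Client:') -replace ':\d+$', ''    # drop the client's source port
        BaseDn   = & $grab 'Starting node:'
        Filter   = & $grab 'Filter:'
        Scope    = & $grab 'Search scope:'
        Attrs    = & $grab 'Attribute selection:'
        Visited  = & $num (& $grab 'Visited entries:')
        Returned = & $num (& $grab 'Returned entries:')
    }
}

function Get-LdapQuerySummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 5000)
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue `
                           -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644 }
    $events | ForEach-Object { ConvertFrom-Ldap1644 -Message $_.Message -Time $_.TimeCreated } |
        Group-Object Client, Scope, Filter | ForEach-Object {
            $g = $_.Group
            $byTime = $g | Sort-Object Time
            [pscustomobject]@{
                Client      = $g[0].Client
                Scope       = $g[0].Scope
                Filter      = $g[0].Filter
                Count       = $g.Count
                MaxVisited  = $g.Visited  | Where-Object { $null -ne $_ } | Sort-Object -Descending | Select-Object -First 1
                MaxReturned = $g.Returned | Where-Object { $null -ne $_ } | Sort-Object -Descending | Select-Object -First 1
                First       = $byTime[0].Time
                Last        = $byTime[-1].Time
            }
        } | Sort-Object MaxVisited -Descending
}

# On the DC, once (elevated):   Enable-LdapQueryLogging -SearchTimeMs 50
# Then, from any box holding Event Log Readers on the DC: subtree searches that walk the whole NC
Get-LdapQuerySummary -ComputerName 'DC01' |
    Where-Object { $_.Scope -eq 'subtree' -and $_.MaxVisited -gt 10000 } |
    Format-Table Client, Count, MaxVisited, MaxReturned, Filter -AutoSize
```

Two reading rules: Visited far above Returned means an unindexed filter (an IT problem), while a filter such as (objectClass=*) or (objectCategory=*) visiting the whole naming context from a workstation address, repeated across users, groups, computers and trusts, is the shape of a domain collector run and belongs in the hunt queue. Turn the logging off again (level 0) when done; level 5 is chatty on a busy DC.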
Domain Privilege Escalation
Pass the hash, golden ticket, etc.
Kerberos 'refresher'
Golden Ticket = Game Over
• krbtgt password hash compromise -> privileged persistence via offline TGT forging (the KDC trusts any TGT it can decrypt with the krbtgt key, and no DC is contacted to mint one)
• The krbtgt hash can be obtained in several ways:
  • Unauthorized AD replication (DCSync/DCShadow)
  • A copy of the AD database or a backup (NTDS.dit + the SYSTEM registry hive)
  • Stolen from LSASS/DC memory (any RW DC; an RODC only holds its own krbtgt_NNNNN key)
• The attack can be carried out in multiple ways & tools (e.g. mimikatz forging with the AES-256 key instead of RC4, and with a 10-hour lifetime instead of the 10-year default, to blend in with legitimate tickets)
Invoke-PostKrbtgtResetMonitor
• Centralized detection of Golden Tickets via anomalous Kerberos ticket events AFTER resetting the krbtgt password TWICE (the KDC accepts TGTs under the current and the previous key, so a single reset leaves forged tickets working; only after the second reset, with replication converged in between, does every ticket minted with the stolen key start failing, and those failures are what the monitor collects)
• No dependencies/modules. Requires 'Event Log Readers' or equivalent
Golden Ticket Monitor
GoldFinger
• Collects, analyzes & hunts for suspicious TGTs
• Detects suspicious TGTs on domain endpoints in real time
  • Potential Pass-the-Hash
  • Potential Golden Ticket
• No agent – works over WinRM or SMB (PAExec)
• No dependencies, no external modules (just a .ps1)
• Research done to handle multiple anomalies:
  • Logon session user != ticket client name (strong indication)
  • Ticket lifetime != expected lifetime (default 10 hours)
  • Ticket renewal length != expected renewal length (default 7 days)
  • KDC called is empty, or its DNSHostName differs from the current computer name
  • Encryption type != aes256_cts_hmac_sha1_96 (RC4 is common for inter-forest/domain tickets)
  • Encoded ticket size
  • Session logon type is CachedInteractive (potential for some false positives)
  • etc.
GoldFinger (cont.)
• Requires local admin permissions on endpoints
• Supports running against different domains
• Supports running on the entire domain (default), on specific computer(s) only, or excluding specific computer(s)
• Can optionally enable PSRemoting (and try to start WinRM on endpoints)
• Fixes clock skew issues while at it
• ... and more ☺
• The collector script is heavily based on work by Jared Atkinson (@jaredcatkinson) & Matthew Graeber (@mattifestation)
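The anomaly checks listed above, as an added example that is not GoldFinger's code: it applies them to klist output for one logon session, which is the poor man's version of what GoldFinger pulls from the LSASS ticket cache across every endpoint (klist only shows the caller's own session, or another session via `klist -li <LUID>` when elevated). Assumptions: English klist output, en-US style timestamps, and the constructed sample below stands in for a real session that holds one genuine TGT plus one injected forged TGT.

```powershell
# Added example, not GoldFinger. Parse klist output and apply the deck's TGT anomaly checks.
$ExpectedLifetime = [timespan]::FromHours(10)   # domain default "Maximum lifetime for user ticket"
$ExpectedRenewal  = [timespan]::FromDays(7)     # domain default "Maximum lifetime for user ticket renewal"

function ConvertFrom-KlistOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    $text = $Lines -join "`n"
    # Every cached ticket starts with "#N>"; split there and pull the labelled fields from each chunk.
    foreach ($chunk in ($text -split '(?m)^#\d+>' | Select-Object -Skip 1)) {
        $f = @{}
        foreach ($name in 'Client', 'Server', 'KerbTicket Encryption Type', 'Start Time', 'End Time', 'Renew Time', 'Kdc Called') {
            $f[$name] = if ($chunk -match "(?m)^\s*$([regex]::Escape($name)):\s*(.*?)\s*$") { $matches[1] } else { '' }
        }
        $toTime = { param($s) if ($s) { [datetime]::Parse(($s -replace '\(local\)', '').Trim()) } }
        [pscustomobject]@{
            Client    = $f['Client']
            Server    = $f['Server']
            EncType   = $f['KerbTicket Encryption Type']
            Start     = & $toTime $f['Start Time']
            End       = & $toTime $f['End Time']
            Renew     = & $toTime $f['Renew Time']
            KdcCalled = $f['Kdc Called']
        }
    }
}

function Find-SuspiciousTgt {
    param([Parameter(Mandatory)][object[]]$Tickets, [Parameter(Mandatory)][string]$SessionUser)
    foreach ($t in $Tickets | Where-Object { $_.Server -like 'krbtgt/*' }) {
        $reasons = @()
        $clientUser = ($t.Client -split '\s*@\s*')[0]
        if ($clientUser -ne $SessionUser) { $reasons += "client '$clientUser' != logon session user '$SessionUser' (strong)" }
        if ($t.End -and $t.Start -and ($t.End - $t.Start) -ne $ExpectedLifetime) { $reasons += "lifetime $($t.End - $t.Start) != $ExpectedLifetime" }
        if ($t.Renew -and $t.Start -and ($t.Renew - $t.Start) -ne $ExpectedRenewal) { $reasons += "renewal $($t.Renew - $t.Start) != $ExpectedRenewal" }
        if ($t.EncType -notmatch 'AES-256') { $reasons += "encryption type '$($t.EncType)' (RC4 is normal only for inter-realm tickets)" }
        if (-not $t.KdcCalled) { $reasons += 'no KDC called: the ticket was never requested from a DC' }
        if ($reasons) { [pscustomobject]@{ Client = $t.Client; Reasons = $reasons } }
    }
}

# Constructed sample (not real output): what klist prints for a session holding a genuine TGT
# and a forged one injected next to it (10-year lifetime, RC4, nobody asked a KDC for it).
$sample = @'
Current LogonId is 0:0x7a9b2

Cached Tickets: (2)

#0>     Client: jdoe @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 5/10/2023 9:12:03 (local)
        End Time:   5/10/2023 19:12:03 (local)
        Renew Time: 5/17/2023 9:12:03 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.corp.example

#1>     Client: administrator @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/10/2023 9:30:00 (local)
        End Time:   5/8/2033 9:30:00 (local)
        Renew Time: 5/8/2033 9:30:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
'@ -split "`n"

Find-SuspiciousTgt -Tickets (ConvertFrom-KlistOutput -Lines $sample) -SessionUser 'jdoe' | Format-List
# Live, for the current session:
# Find-SuspiciousTgt -Tickets (ConvertFrom-KlistOutput -Lines (klist)) -SessionUser $env:USERNAME
```

On the sample, ticket #0 is clean and ticket #1 trips four checks at once. A careful attacker fixes the lifetime, renewal and encryption type (the deck's "AES 256-bit, 10 hours" point), which is why the two structural signals, client name vs. logon session user and an empty KDC, are the ones worth weighting highest: they come from how the ticket got into the cache, not from what the attacker wrote into it.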
Hunting for PTH/Golden Tickets
Possible ‘detections’ by EPP
Invoke-TgsMonitor
• Monitors TGS requests (all, or just failed ones, with the error code reasons)
• Useful during a live IR without any other central threat-hunting log solution, or in general to monitor access & failure reasons
• No dependencies, no modules
• Can also generate a 'real-time monitor' with a table containing the TGS events for a specific user or computer, or status/category, by re-reading the CSV it writes in a loop:
    while ($true) { $x = cat .\TGSMonitor.csv | ConvertFrom-Csv;
                    cls; $x | ? account -like "*yossis*" | ft -AutoSize; sleep 1 }
TGS Monitor
Attributes of interest: Blue Team tips
Attributes of interest - examples
• Counter attributes: logonCount, badPwdCount… (not replicated: every DC keeps its own count)
• "Per DC" attributes, e.g. lastLogon (not replicated either, so query every DC and keep the newest; lastLogonTimestamp IS replicated, but is only refreshed when 9-14 days stale)
• LogonWorkstations (userWorkstations): restricts which computers an account may log on from
Why "living off the land" is important for defenders
"Small step for IT, giant step against lateral movement"
• No EDR
• No segmentation
• No firewall config
• No MFA
• All the misconfigurations you can think of…
• No proper auditing/SIEM/SOC
… and yet ☺
LogonWorkstations
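Both attribute tips in code, as an added example that is not from the deck: the first function reads the non-replicated counters from every DC, because for lastLogon, badPwdCount and logonCount no single DC has the answer; the second applies LogonWorkstations to every member of an admin group, dry-run by default. Assumptions: the ActiveDirectory module is available, and the group and PAW names in the usage lines are placeholders.

```powershell
# Added example, not the deck's code. Requires the ActiveDirectory module.
function Get-PerDcLogonInfo {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $ft = { param($v) if ($v) { [datetime]::FromFileTime($v) } }   # FILETIME -> local DateTime
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        # -Server pins the query to one DC; these attributes differ from DC to DC by design.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -ErrorAction SilentlyContinue `
                        -Properties lastLogon, badPwdCount, badPasswordTime, logonCount, lastLogonTimestamp
        if (-not $u) { continue }
        [pscustomobject]@{
            DC                 = $dc
            LastLogon          = & $ft $u.lastLogon
            BadPasswordTime    = & $ft $u.badPasswordTime
            BadPwdCount        = $u.badPwdCount
            LogonCount         = $u.logonCount
            LastLogonTimestamp = & $ft $u.lastLogonTimestamp   # replicated, coarse; same on every DC
        }
    }
}

function Set-AdminLogonWorkstations {
    param([Parameter(Mandatory)][string]$GroupName,
          [Parameter(Mandatory)][string[]]$AllowedHosts,
          [switch]$Apply)
    # userWorkstations is one comma-separated string of NetBIOS names (schema cap: 1024 characters).
    $value = ($AllowedHosts | ForEach-Object { $_.Split('.')[0].ToUpper() } | Select-Object -Unique) -join ','
    if ($value.Length -gt 1024) { throw 'LogonWorkstations exceeds the 1024-character schema limit' }
    $members = Get-ADGroupMember -Identity $GroupName -Recursive | Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $current = (Get-ADUser -Identity $m.SamAccountName -Properties LogonWorkstations).LogonWorkstations
        if ($current -eq $value) { continue }
        Write-Host ("{0}: '{1}' -> '{2}'" -f $m.SamAccountName, $current, $value)
        if ($Apply) { Set-ADUser -Identity $m.SamAccountName -LogonWorkstations $value }
    }
}

# Where did this account really last authenticate, and which DC saw the bad passwords?
Get-PerDcLogonInfo -SamAccountName 'jdoe' | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# Domain Admins may only log on from the two PAWs (placeholder names): preview, then apply.
Set-AdminLogonWorkstations -GroupName 'Domain Admins' -AllowedHosts 'PAW01', 'PAW02'
Set-AdminLogonWorkstations -GroupName 'Domain Admins' -AllowedHosts 'PAW01', 'PAW02' -Apply
```

The newest LastLogon across the rows is the truth for "when"; the DC that holds it is where the logon was validated, which is the "where" a timeline needs. Once the restriction is in place, an admin credential replayed from a random workstation fails at the DC, and that failure is logged there (4768 with status 0xC, or a 4625 with sub-status 0xC0000070), which turns a configuration change into a high-fidelity lateral-movement alert with no agent involved.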
TimeLineGenerator
• AD account timeline generator - parses DC security logs & exports an activity timeline
• Can run directly against Domain Controllers (live, through WinRM), OR against a path to exported .evtx files
• Can run a full/longer report, or a focused/quicker one with a select set of events to filter. Default: "Focused-Quicker"
• Can set the max events to fetch per DC (limit to the last X events from the log, for performance). Default: gets all events
TimeLine Generator
LogonWorkstations reflected through TimeLine Generator
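One function covering both the TGS-monitor idea (failed Kerberos requests with their reasons decoded) and the timeline idea (one account's events merged from every DC, live or from exported .evtx files, oldest first), as an added example that is neither Invoke-TgsMonitor nor TimeLineGenerator. Assumptions: Event Log Readers on the DCs for the live path, a domain-joined machine for DC enumeration, and the event IDs and field names used are the standard Security-log ones.

```powershell
# Added example, not the deck's tools. Merge one account's DC Security events into a timeline.
function Get-AccountTimeline {
    [CmdletBinding(DefaultParameterSetName = 'Live')]
    param(
        [Parameter(Mandatory)][string]$Account,                        # sAMAccountName (wildcards allowed)
        [Parameter(ParameterSetName = 'Live')][string[]]$DomainController,
        [Parameter(ParameterSetName = 'Evtx')][string[]]$EvtxPath,
        [int]$MaxEventsPerSource = 0,                                  # 0 = all, as in the deck's tool
        [switch]$FailuresOnly
    )
    # Focused set: Kerberos (4768 TGT, 4769 TGS, 4771 pre-auth fail), NTLM (4776), logon (4624/4625),
    # privileged logon (4672), and account lifecycle (created/enabled/pwd reset/deleted/changed/locked).
    $ids = 4768, 4769, 4771, 4776, 4624, 4625, 4672, 4720, 4722, 4724, 4726, 4738, 4740
    $codes = @{                                                        # Kerberos status + NTSTATUS sub-status
        '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account)';  '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN (no such SPN)'
        '0xc'  = 'KDC_ERR_POLICY (logon hours / workstation restriction)'; '0xd' = 'KDC_ERR_BADOPTION'
        '0xe'  = 'KDC_ERR_ETYPE_NOTSUPP'; '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled/expired/locked)'
        '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'; '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password)'
        '0x19' = 'KDC_ERR_PREAUTH_REQUIRED'; '0x1f' = 'KRB_AP_ERR_BAD_INTEGRITY'; '0x20' = 'KRB_AP_ERR_TKT_EXPIRED'
        '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'; '0x29' = 'KRB_AP_ERR_MODIFIED'
        '0xc0000064' = 'STATUS_NO_SUCH_USER'; '0xc000006a' = 'STATUS_WRONG_PASSWORD'
        '0xc000006f' = 'STATUS_INVALID_LOGON_HOURS'; '0xc0000070' = 'STATUS_INVALID_WORKSTATION (LogonWorkstations)'
        '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'; '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    }
    if ($PSCmdlet.ParameterSetName -eq 'Live' -and -not $DomainController) {
        # Assumption: domain-joined caller; enumerate DCs via .NET so no AD module is needed.
        $DomainController = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | ForEach-Object Name
    }
    $sources = if ($EvtxPath) { $EvtxPath } else { $DomainController }
    $rows = foreach ($src in $sources) {
        $filter = if ($EvtxPath) { @{ Path = $src; Id = $ids } } else { @{ LogName = 'Security'; Id = $ids } }
        $args = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }
        if (-not $EvtxPath) { $args.ComputerName = $src }
        if ($MaxEventsPerSource -gt 0) { $args.MaxEvents = $MaxEventsPerSource }
        foreach ($e in Get-WinEvent @args) {
            $d = @{}
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $target = $d['TargetUserName']
            if ($target -like '*@*') { $target = $target.Split('@')[0] }   # 4769 logs the UPN form
            if ($target -notlike $Account) { continue }
            $status = ''
            foreach ($k in 'Status', 'FailureCode') { if ($d[$k]) { $status = $d[$k].ToLower(); break } }
            $sub    = if ($d['SubStatus'] -and $d['SubStatus'] -ne '0x0') { $d['SubStatus'].ToLower() } else { '' }
            $failed = ($e.Id -in 4625, 4771) -or ($status -and $status -ne '0x0')
            if ($FailuresOnly -and -not $failed) { continue }
            $key = if ($sub) { $sub } else { $status }
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Source      = $src
                EventId     = $e.Id
                Account     = $target
                Service     = $d['ServiceName']                       # 4769: which SPN was asked for
                Client      = $d['IpAddress']
                Workstation = if ($d['WorkstationName']) { $d['WorkstationName'] } else { $d['Workstation'] }
                LogonType   = $d['LogonType']
                Failed      = $failed
                Reason      = $codes[$key]
            }
        }
    }
    $rows | Sort-Object Time
}

# Live, failures only: why is a service account failing, from where, against which service?
Get-AccountTimeline -Account 'svc_backup' -FailuresOnly -MaxEventsPerSource 50000 |
    Format-Table Time, Source, EventId, Client, Service, Reason -AutoSize

# Offline, from exported DC logs, full timeline to CSV for the IR report:
Get-AccountTimeline -Account 'jdoe' -EvtxPath 'C:\IR\DC01-Security.evtx', 'C:\IR\DC02-Security.evtx' |
    Export-Csv -NoTypeInformation -Path 'C:\IR\jdoe-timeline.csv'

# Same idea as the deck's one-liner, as a crude real-time view:
# while ($true) { cls; Get-AccountTimeline -Account 'jdoe' -FailuresOnly -MaxEventsPerSource 500 | select -Last 20 | ft -AutoSize; sleep 5 }
```

Two things to keep in mind when reading the output: a 4624 on a DC only records logons to that DC (workstation logons live on the workstation), so the Kerberos and NTLM events are what give you the account's movement; and 4769 carries the client address and the requested SPN, which is why a burst of TGS requests for many different services from one address is the lateral-movement pattern worth a rule of its own.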
Open Source Tools & Scripts: HacktiveDirectory.com
Key Takeaways
• 'Hacktive Directory' is here to stay! In-depth knowledge is key
• Invest in a "living off the land" mindset – a simple configuration can go further than a few expensive vendor products ☺
• Understand the sources of "truth" in AD
• 'Hacktive Directory' forensics are a part of a wider picture
  – Event correlation & threat hunting with high-fidelity alerts
• Practice a Before, During & After approach
• Check out hacktivedirectory.com or github.com/YossiSassi for code & scripts - comments and improvements are welcome!
Everything is a set of nested 'if' statements
Takk! (Thanks!)
Yossi_Sassi
yossis@protonmail.com

Hacktive Directory Forensics - HackCon18, Oslo

  • 1. hAcktive Directory Forensics: a toolkit for understanding who|what|when in your domain Yossi Sassi
  • 2. WhoAmI
    • InfoSec Researcher; H@‫כ‬k3r (1nTh35h311)
    • Red mind, Blue heart
    • Co-Founder @
    • Consulting in 4 continents (Banks/gov/F100)
    • 30+ years of keyboard access – Code, IT Sec, Net Comms.
    • ~25 years of AD expertise; Ex-Javelin Networks (Acquired by Symantec)
    • Ex-Technology Group Manager @ Microsoft (Coded Windows Server Tools)
    • Aviator; Volunteer (Youth at risk); Oriental Rock Bouzoukitarist
  • 3. ChatGPT was Not used in the making of this presentation, code & content
  • 6. What we’ll talk about
    • ‘Hacktive Directory’ 101
    • Sources of “Truth” in AD
    • A set of tools for Pre, During and Post AD Breach
    • Attributes of interest: Blue Team tips
  • 8. Why hack AD? Why is AD so ‘Hackable’?
    • a bit like what happened with TCP/IP…
      – Great success, super popular
      – …Yet architecture & design goals very far from modern landscape and threats
    • Involved in every huge breach (as well as smaller ones ☺)
      – Lion (2020), NTT (2020), Baltimore (2019), Norsk Hydro (2019), Singhealth (2018), MAERSK (2017), SONY (2014), Target (2013), many others..
    • “The Microsoft Mainframe” – It’s not going away!
    • Compromising your AD means GAME OVER.
  • 10. Windows/AD 101
    • AuthN protocols (NTLM, Kerberos, LDAP/S) and “Secrets” (Hashes/ntlm, Tickets, caching, certificates…)
    • Logon vs. Authentication (Local vs. Domain, logon types…)
    • Security Principals (Users, Computers, Groups)
    • Authorization / ACLs – going beyond group membership(s)
      • e.g. direct SID assignment, ObjectAccess types etc
    • Process, Threads, handles, access tokens, logon sessions etc’
  • 15. AD / AD DS ports (Protocol and Port | AD and AD DS Usage | Type of traffic)
    TCP 25 | Replication | SMTP
    TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS
    TCP 135 | Replication | RPC, EPM
    TCP 137 | NetBIOS Name resolution | NetBIOS Name resolution
    TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon
    TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
    TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
    TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
    TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
    TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
    TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
    TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMBv1/2/3, CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
    TCP 9389 | AD DS Web Services | SOAP
    TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
    TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
    UDP 123 | Windows Time, Trusts | Windows Time
    UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
    UDP 138 | DFS, Group Policy, NetBIOS Netlogon, Browsing | DFSN, NetLogon, NetBIOS Datagram Service
    UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service, but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE
    TCP & UDP 1024-5000; 49152-65535 | Ongoing (RPC etc’) | RPC / DCOM / WMI...
    TCP 593 | DCOM/Messaging/Exchange | RPC over HTTP
  • 16. “Confusing” architectural recommendations
    • 90’s (The NT4 days): The more Domains – the better!
    • NT4 to NT5 -> Your opportunity to Consolidate domains!
    • Domain is NOT a security boundary! –> Separate into Forests, with trusts.
    • Trusts are bad as well (one/bi-directional, FPs, SidFiltering, sidHistory…)
    • ESAE, aka “Red Forest” (Costly! & doesn’t play well with cloud) *
    • Admin Tier Model
    • Forget the costly & complex ‘Red Forest’ -> Privileged Access
    * Still useful for isolated environments, e.g., offline R&D or disconnected OT/Scada environments
  • 18. HacKtive Directory: Sources of “Truth”
    • Sysvol/Files vs. ETW/Event Logs vs. pcap/”hooks”
    • Possible Scenarios –
      – No logs (Not collected/Not enough retention/Wiped by ransom)
      – No Online DCs (encrypted/offline VMs -> Just backups…)
    • Still, we want to know who did what & when
    • NTDS.dit
    • replPropertyMetadata
  • 21. Where is this msds-Repl* ??!
  • 22. Wouldn’t it be nice…
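The msDS-Repl* constructed attributes are the readable form of replPropertyMetaData: per attribute (and, for linked attributes such as member, per value) AD records the version, the originating change time and the originating DSA. The following is an added example, not code from the talk's toolkit, that reads them with nothing but LDAP access; it assumes the RSAT ActiveDirectory module, and the attribute list, function name and the group DN in the usage line are the example's own choices.

```powershell
# Added example, not from the talk's toolkit. Needs the ActiveDirectory (RSAT) module and
# read access to the object; works with LDAP alone, so it survives wiped event logs.
function Get-ReplChangeHistory {
    param(
        [Parameter(Mandatory)][string]$Identity,   # distinguishedName or objectGUID
        # attributes worth watching; this default list is the example's choice, not a standard
        [string[]]$Attribute = @('member', 'userAccountControl', 'servicePrincipalName',
                                 'adminCount', 'pwdLastSet', 'msDS-AllowedToDelegateTo')
    )
    $obj = Get-ADObject -Identity $Identity -Properties 'msDS-ReplAttributeMetaData', 'msDS-ReplValueMetaData'
    # "CN=NTDS Settings,CN=DC01,CN=Servers,..." -> "DC01"; the DSA DN comes back empty when
    # the originating DC has since been demoted or removed from the forest.
    function Get-DsaName([string]$DsaDn) {
        if (-not $DsaDn) { return '<removed DC>' }
        ($DsaDn -split ',')[1] -replace '^CN='
    }
    # Non-linked attributes: one <DS_REPL_ATTR_META_DATA> XML fragment per attribute.
    foreach ($frag in $obj.'msDS-ReplAttributeMetaData') {
        $m = ([xml]$frag).DS_REPL_ATTR_META_DATA
        if ($m.pszAttributeName -notin $Attribute) { continue }
        [pscustomobject]@{
            Object        = $obj.DistinguishedName
            Attribute     = $m.pszAttributeName
            Value         = $null
            Version       = [int]$m.dwVersion                        # +1 per originating write
            LastChange    = [datetime]$m.ftimeLastOriginatingChange
            OriginatingDC = Get-DsaName $m.pszLastOriginatingDsaDN
            Deleted       = $null
        }
    }
    # Linked multi-valued attributes (group 'member' etc.) keep metadata PER VALUE, so a
    # principal added and later removed from a group still shows up, with its removal time.
    foreach ($frag in $obj.'msDS-ReplValueMetaData') {
        $m = ([xml]$frag).DS_REPL_VALUE_META_DATA
        if ($m.pszAttributeName -notin $Attribute) { continue }
        $gone    = [datetime]$m.ftimeDeleted
        $deleted = if ($gone.Year -gt 1601) { $gone } else { $null }   # 1601-01-01 = still present
        [pscustomobject]@{
            Object        = $obj.DistinguishedName
            Attribute     = $m.pszAttributeName
            Value         = $m.pszObjectDn
            Version       = [int]$m.dwVersion
            LastChange    = [datetime]$m.ftimeLastOriginatingChange
            OriginatingDC = Get-DsaName $m.pszLastOriginatingDsaDN
            Deleted       = $deleted
        }
    }
}
# Usage (group DN is a placeholder): who was added to / removed from the group, when, and via which DC
# Get-ReplChangeHistory -Identity 'CN=Domain Admins,CN=Users,DC=corp,DC=example' |
#   Sort-Object LastChange -Descending | Format-Table Attribute, Value, Version, LastChange, OriginatingDC, Deleted
```

The originating DC name plus the change time is what lets you pick the right DC's logs (or backup) to pull next, even when the change was made through a DC that no longer exists.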
  • 25. More Tools for Pre, During & Post AD Breach
  • 26. Get-LDAPperformance – Identifying Unusual and/or Large LDAP Queries
    • Collects LDAP Query Performance Events and analyzes them to CSV & Grid (relies on event ID 1644)
    • Helps in identifying large or unusual LDAP queries, either for Threat Hunting or IT optimization
    • No Dependencies, No modules required. Requires ‘Event Log Readers’ permission or equivalent (to the 'Directory Service' log)
    • Some pre-requisites needed from the AD side: enable the relevant auditing and set the registry key
  • 29. Domain Privilege Escalation Pass the hash, golden ticket etc.
  • 31. Golden Ticket = Game Over
    • krbtgt password hash compromise -> Privileged Persistence via Offline TGT forging
    • Krbtgt hash can be obtained in several ways:
      • Unauthorized AD Replication (DCSync/DCShadow)
      • Copy of AD Database or Backup (NTDS.dit + system registry)
      • Stolen from lsass/DC Memory (any RW DC, Not RODC)
    • Attack can occur in multiple ways & tools (e.g. mimikatz, with AES 256-bit hash, for 10 hours only etc’)
  • 32. Invoke-PostKrbtgtResetMonitor
    • Centralized detection of Golden Tickets via anomalous kerberos tickets detection AFTER resetting the krbtgt password TWICE
    • No Dependencies/modules. Requires ‘Event Log Readers’ or equivalent
  • 34. GoldFinger
    • Collects, Analyzes & Hunts for Suspicious TGTs
    • Detects suspicious TGTs on domain EndPoints in real-time
      • Potential Pass-The-Hash
      • Potential Golden ticket
    • No agent – works with WinRM or SMB (PaExec)
    • No dependencies, no external modules (just .ps1)
    • Research done to handle multiple anomalies:
      • Logon Session User != Ticket Client Name <Strong indication>
      • Ticket Lifetime != Expected Lifetime <Default 10 hours>
      • Ticket Renewal Length != Expected Renewal Length <Default 7 days>
      • KDC called is empty, and DNSHostName is different than the current computer name
      • Encryption Type != aes256_cts_hmac_sha1_96 <rc4 is common for inter-forest/domain tickets>
      • Encoded Ticket Size
      • Session Logon Type is CachedInteractive <potential for some False Positives>
      • etc’
  • 35. GoldFinger (Cont.)
    • Requires Local Admin permissions on EndPoints
    • Supports running against different domains
    • Supports running on the entire domain (default), or just a specific computer(s), or Exclude specific computer(s)
    • Can optionally enable PSRemoting (and try to start WinRM on EndPoints)
    • Fixes clock skew issues, while at it
    • .. And more ☺
    • Collector script heavily based on work by Jared Atkinson (@jaredcatkinson) & Matthew Graeber (@mattifestation)
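The anomaly list on the GoldFinger slide, written out as scoring logic. This is an added example and not GoldFinger's own code: it assumes ticket objects with the fields a collector would return (ClientName, LogonSessionUser, StartTime, EndTime, RenewUntil, KdcCalled, EncryptionType, SessionLogonType, ComputerName), the thresholds are the slide's defaults, and the weights and the constructed sample ticket are the example's own.

```powershell
# Added example (not GoldFinger's code): the per-ticket checks the slide lists, run over ticket
# objects of the shape a collector hands back. Defaults follow the slide; weights are assumed.
function Test-TgtAnomaly {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Ticket,
        [timespan]$ExpectedLifetime = [timespan]::FromHours(10),
        [timespan]$ExpectedRenewal  = [timespan]::FromDays(7)
    )
    process {
        $hits = @()   # each hit: @(weight, reason)
        if ($Ticket.ClientName -ne $Ticket.LogonSessionUser) {   # strongest single indicator
            $hits += ,@(5, "ticket client '$($Ticket.ClientName)' != logon session user '$($Ticket.LogonSessionUser)'")
        }
        $lifetime = $Ticket.EndTime - $Ticket.StartTime
        if ($lifetime -ne $ExpectedLifetime) { $hits += ,@(3, "lifetime $lifetime, KDC default $ExpectedLifetime") }
        $renewal = $Ticket.RenewUntil - $Ticket.StartTime
        if ($renewal -ne $ExpectedRenewal) { $hits += ,@(3, "renewal length $renewal, KDC default $ExpectedRenewal") }
        if ([string]::IsNullOrWhiteSpace($Ticket.KdcCalled)) { $hits += ,@(2, 'KDC called is empty') }
        if ($Ticket.EncryptionType -ne 'aes256_cts_hmac_sha1_96') {   # rc4 is normal for inter-forest tickets
            $hits += ,@(1, "etype $($Ticket.EncryptionType)")
        }
        if ($Ticket.SessionLogonType -eq 'CachedInteractive') { $hits += ,@(1, 'CachedInteractive logon (possible FP)') }
        $score = 0
        foreach ($h in $hits) { $score += $h[0] }
        $verdict = if ($score -ge 5) { 'SUSPICIOUS' } elseif ($score -gt 0) { 'review' } else { 'ok' }
        [pscustomobject]@{
            Computer   = $Ticket.ComputerName
            ClientName = $Ticket.ClientName
            Score      = $score
            Verdict    = $verdict
            Reasons    = ($hits | ForEach-Object { $_[1] }) -join '; '
        }
    }
}

# Constructed sample: a ticket with the classic forged-TGT look (multi-year lifetime, no KDC, rc4)
$start  = [datetime]'2024-02-01T08:00:00'
$sample = [pscustomobject]@{
    ComputerName = 'WS01'; ClientName = 'administrator'; LogonSessionUser = 'jdoe'
    StartTime = $start; EndTime = $start.AddYears(10); RenewUntil = $start.AddYears(10)
    KdcCalled = ''; EncryptionType = 'rc4_hmac'; SessionLogonType = 'Interactive'
}
$sample | Test-TgtAnomaly | Format-List   # Verdict SUSPICIOUS, Score 14
```

A legitimate inter-forest ticket typically trips only the etype check and scores 1, which is why a single weak signal is reported as 'review' rather than an alert.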
  • 39. Invoke-TgsMonitor
    • Monitor TGS requests (All, or just Failed ones, with Error Code reasons)
    • Useful during a live IR without another central threat hunting log solution, or in general, to monitor access & failure reasons
    • No Dependencies, no modules
    • Can also generate a 'real-time monitor' with a table containing the TGS events for a specific user or computer, or status/category:
      while ($true) {$x = cat .\TGSMonitor.csv | ConvertFrom-Csv; cls; $x | ? account -like "*yossis*" | ft -AutoSize; sleep 1}
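An added example of the collection side of such a monitor, not Invoke-TgsMonitor's own code: it reads event 4769 (Kerberos service ticket requested) from a live DC or an exported .evtx, normalises the hex Status and TicketEncryptionType fields and attaches the RFC 4120 failure reason. It assumes 'Event Log Readers' (or equivalent) on the DC; DC01 in the usage line is a placeholder.

```powershell
# Added example (not Invoke-TgsMonitor's code): pull 4769 TGS-request events from a DC or a saved
# .evtx, normalise the hex Status/etype fields and attach the Kerberos failure reason.
function Get-TgsRequest {
    param(
        [string]$ComputerName,       # live DC (omit for the local Security log)
        [string]$Path,               # or an exported Security .evtx file
        [switch]$FailedOnly,
        [int]$MaxEvents = 10000
    )
    # KDC error codes (RFC 4120) as they appear in the event's Status field
    $reason = @{ '0x0' = 'success'; '0x6' = 'client principal unknown'; '0x7' = 'service principal unknown (no SPN)'
                 '0xd' = 'bad KDC option'; '0xe' = 'etype not supported'; '0x12' = 'client revoked (disabled/locked)'
                 '0x17' = 'password expired'; '0x1b' = 'must use user-to-user'; '0x20' = 'ticket expired'
                 '0x25' = 'clock skew too great'; '0x3c' = 'generic error' }
    $etype = @{ '0x1' = 'des-cbc-crc'; '0x3' = 'des-cbc-md5'; '0x11' = 'aes128'; '0x12' = 'aes256'
                '0x17' = 'rc4-hmac'; '0xffffffff' = 'n/a (request failed)' }
    $filter = if ($Path) { @{ Path = $Path; Id = 4769 } } else { @{ LogName = 'Security'; Id = 4769 } }
    $gwe = @{ FilterHashtable = $filter; MaxEvents = $MaxEvents; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $gwe.ComputerName = $ComputerName }

    Get-WinEvent @gwe | ForEach-Object {
        $d = @{}   # EventData <Data Name="..."> pairs
        foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        $status = '0x{0:x}' -f [int64]$d.Status              # "0x0", "0x12", ... (case-normalised)
        if ($FailedOnly -and $status -eq '0x0') { return }   # skips this event only
        $et   = '0x{0:x}' -f [int64]$d.TicketEncryptionType
        $why  = if ($reason.ContainsKey($status)) { $reason[$status] } else { "unknown ($status)" }
        $etNm = if ($etype.ContainsKey($et)) { $etype[$et] } else { $et }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            DC       = $_.MachineName
            Account  = $d.TargetUserName
            Service  = $d.ServiceName
            ClientIp = $d.IpAddress -replace '^::ffff:'
            Etype    = $etNm
            Status   = $status
            Reason   = $why
        }
    }
}
# Usage, feeding the slide's one-liner (DC01 is a placeholder):
# Get-TgsRequest -ComputerName DC01 -FailedOnly -MaxEvents 500 | Export-Csv .\TGSMonitor.csv -NoTypeInformation
```

On a DC, 4769 is only written when "Audit Kerberos Service Ticket Operations" is enabled, so an empty result is a logging gap to check before it is read as "no activity".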
  • 43. Attributes of interest - Examples
    • Counter attributes: LogonCount, badPwdCount…
    • “Per DC” attributes, e.g. LastLogon
    • LogonWorkstations
  • 44. Why “living off the land” is important for Defenders
  • 45. “Small step for IT, Giant step against Lateral Movement”
    • No EDR
    • No segmentation
    • No firewalls config
    • No MFA
    • All the misconfigurations you can think of …
    • No proper auditing/SIEM/SOC
    … and yet ☺
  • 47. TimeLineGenerator
    • AD account timeline generator - parse DC security logs & export activity timeline
    • Can run directly on Domain Controllers (Live, through WinRM), OR - specify Path to Evtx files
    • Can run a Full/Longer report, or a Focused/Quicker one, with a select set of events to filter. Default: "Focused-Quicker"
    • Can set the Max Events to fetch Per DC (limit to the last X events from the log, for performance). Default: gets all events
  • 50. Open Source Tools & Scripts HacktiveDirectory.com
  • 51. Key Takeaways
    • ‘Hacktive Directory’ is here to stay! In-depth knowledge is key
    • Invest in a “living off the land” mindset – a simple configuration can go further than a few expensive vendor products ☺
    • Understand the Sources of “Truth" in AD
    • ‘Hacktive Directory’ forensics are a part of a wider picture – Event correlation & Threat hunting with high-fidelity alerts
    • Practice a Before, During & After approach
    • Check out hacktivedirectory.com or github.com/YossiSassi for code & scripts - Comments and improvements are welcome!
  • 52. Everything is a set of nested ‘if’ statements