Task 21, Day 15 Active Directory Be it ever so heinous, there’s no place like Domain Controller.

This may or may not be a short post of mostly just notes.

Common Active Directory Attacks

Golden Ticket Attack

Allows attackers to exploit Kerberos and impersonate any account in AD by forging a Ticket Granting Ticket (TGT). Compromising the krbtgt account and password hash allows complete control over the domain for as long as the forged ticket is valid. Attack requires four things to be successful:

  • FQDN of the domain
  • SID of the domain
  • Username of an account to impersonate
  • KRBTGT account password hash

Detection of this type of attack involves monitoring for unusal activity involving krbtgt, such as:

  • Event ID 4768: Look for TGT requests for high-privilege accounts.
  • Event ID 4672: Logs when special privileges (like SeTcbPrivilege) are assigned to users.

Pass-the-Hash

Attack that steals the hash of a password and can be used to authenticate to services without the actual password. Possible because NTLM allows authentication based on password hashes. Key ways to mitigate:

  • Enforce strong password policies
  • Regularly audit account privileges
  • Implement MFA across the domain

Kerberoasting

Kerberos attack where the attacker requests service tickets for accounts with Service Principal Names (SPNs), extracts the tickets and password hashes, and attempts to crack them offline into plaintext passwords. Mitigation involves implementing strong password policies to make sure service accounts have strong passwords.

Pass-the-Ticket

Attackers steal the Kerberos tickets from a compromised machine and use them to authenticate as the user or service whose ticket was stolen. Detection involves monitoring for:

  • Event ID 4768: TGT request, especially if the user is logging in from an unusual location or device.
  • Event ID 4624: Successful login reveals tickets used for suthentication.

Malicious GPOs

Abusing GPs to create persistent, privileged accounts and distribute and execute malware across the whole domain by mimicing software deployment and desired state policies. Can also use to disable core security items and schedule tasks to execute malicious scripts or exfiltrate data. Mitigation involves regular GPO audits for unauthorised changes, and requiring strict permissions and proceedures for GPO modifications.

Skeleton Key Attack

Installing a malware backdoor to log into any account with a master password. The legitimate password remains unchanged, but the skeleton key password bypasses it.

Investigating an AD Breach

GPO

PS C:\Users\<Admin_User>> Get-GPO -All to list all GPOs installed on a DC to look for any out of place ones. Can also export to HTML file for futher investigation with Get-GPOReport -Name "<GPO_Name>" -ReportType HTML -Path "<Desired\Path\Filename.html>". From html file can see:

  • Policy creation/modification time
  • Devices or users applied to
  • Permissions over GPO
  • User or computer configurations it enforces

Can also list GPOs modified after a certain time with Get-GPO -All | Where-Object { $_.ModificationTime } | Select-Object DisplayName, ModificationTime.

Event Viewer

Notable Event IDs to look for:

  • 4624: User account has logged on
  • 4625: User account failed to log on
  • 4672: Special privileges have been assigned to a user
  • 4768: A TGT ticket was requested for a high-privileged account

User Auditing

Some attacks lead to user accounts being locked out. Can use Search-ADAccount with filters to show things like the last time a user logged in successfuly. I.e. Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LockedOut, LastLogonDate, DistinguishedName.

Can also quickly review all users present on a domain and their group membership with Get-ADUser and filters a la Get-ADUser -Filter * -Properties MemberOf | Select-Object Name, SamAccountName, @{Name="Groups";Expression={$_.MemberOf}}.

Reviewing PowerShell History and Logs

On Windows Server, history file is located at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. Can also look at Event Viewer logs under Application and Services Logs>Microsoft>Windows>PowerShell>Operational or Application and Services Logs>Windows PowerShell.

The Task

Investigate the breach with the tools talked about. Messed up and cleared an Event Viewer log instead of the filter and had to relaunch the VM.

Recommeded Stuff

Active Directory Hardening Room