Active Directory Kill Chain Attack 101

Attacking Active Directory using modern post-exploitation adversary tradecraft

Discovery

SPN Scanning

Data Mining

User Hunting

LAPS

AppLocker

Azure

Active Directory Federation Services


Privilege Escalation

Passwords in SYSVOL & Group Policy Preferences

MS14-068 Kerberos Vulnerability

DNSAdmins

Kerberos Delegation

Unconstrained Delegation

Constrained Delegation

Resource-Based Constrained Delegation

Insecure Group Policy Object Permission Rights

Insecure ACLs Permission Rights

Domain Trusts

DCShadow

RID

Microsoft SQL Server

Red Forest

Exchange

LLMNR/NBNS


Lateral Movement

Microsoft SQL Server Database links

Pass The Hash

System Center Configuration Manager (SCCM)

WSUS

Password Spraying

Automated Lateral Movement


Defense Evasion

In-Memory Evasion

Endpoint Detection and Response (EDR) Evasion

OPSEC

Microsoft ATA & ATP Evasion

PowerShell ScriptBlock Logging Bypass

PowerShell Anti-Malware Scan Interface (AMSI) Bypass

Loading .NET Assemblies Anti-Malware Scan Interface (AMSI) Bypass

AppLocker & Device Guard Bypass

Sysmon Evasion

HoneyTokens Evasion

Disabling Security Tools


Credential Dumping

NTDS.DIT Password Extraction

SAM (Security Accounts Manager)

Kerberoasting

Kerberos AP-REP Roasting

Windows Credential Manager/Vault

DCSync

LLMNR/NBT-NS Poisoning

Others


Persistence

Golden Ticket

SID History

Silver Ticket

DCShadow

AdminSDHolder

Group Policy Object

Skeleton Keys

SeEnableDelegationPrivilege

Security Support Provider

Directory Services Restore Mode

ACLs & Security Descriptors

Tools & Scripts

  • PowerView – Situational Awareness PowerShell framework
  • BloodHound – Six Degrees of Domain Admin
  • Impacket – Impacket is a collection of Python classes for working with network protocols
  • aclpwn.py – Active Directory ACL exploitation with BloodHound
  • CrackMapExec – A Swiss army knife for pentesting networks
  • ADACLScanner – A tool with GUI or command line used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory
  • zBang – zBang is a risk assessment tool that detects potential privileged account threats
  • SafetyKatz – SafetyKatz is a combination of a slightly modified version of @gentilkiwi’s Mimikatz project and @subTee’s .NET PE Loader.
  • SharpDump – SharpDump is a C# port of PowerSploit’s Out-Minidump.ps1 functionality.
  • PowerUpSQL – A PowerShell Toolkit for Attacking SQL Server
  • Rubeus – Rubeus is a C# toolset for raw Kerberos interaction and abuses
  • ADRecon – A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
  • Mimikatz – Utility to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory, and also to perform pass-the-hash, pass-the-ticket or build Golden tickets
  • Grouper – A PowerShell script for helping to find vulnerable settings in AD Group Policy.
  • Powermad – PowerShell MachineAccountQuota and DNS exploit tools
  • RACE – RACE is a PowerShell module for executing ACL attacks against Windows targets.
  • DomainPasswordSpray – DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.
  • MailSniper – MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
  • LAPSToolkit – Tool to audit and attack LAPS environments.
  • CredDefense – Credential and Red Teaming Defense for Windows Environments

Ebooks

Cheat Sheets

Other Resources

