Attacking and Defending ActiveDirectory SlidesNotes V1.2


8
https://technet.microsoft.com/en-us/library/cc780036(v=ws.10).aspx

13
15 ways to bypass PowerShell execution policy
https://www.netspi.com/blog/entryid/238/15-ways-to-bypass-the-powershell-execution-policy

21
Check out Invoke-CradleCrafter:
https://github.com/danielbohannon/Invoke-CradleCrafter

24
Microsoft Cloud Red Teaming Paper: https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392

29
https://janikvonrotz.ch/2015/09/09/deploy-powershell-activedirectory-module-without-installing-the-remote-server-tools/

47
Active Directory Rights: https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
Extended Rights: https://technet.microsoft.com/en-us/library/ff405676.aspx
53
Reference: https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx
82
http://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/

87
http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html

88
See more at http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
http://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html

93
http://technet.microsoft.com/en-us/magazine/ff700227.aspx

97
Unofficial mimikatz guide:
https://adsecurity.org/?p=2207
108
Above taken from "Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection" by Sean Metcalf at BSides Charm
http://adsecurity.org/?p=483

109
http://passing-the-hash.blogspot.com/2014/09/pac-validation-20-minute-rule-and.html

111
The krbtgt hash could also be dumped from NTDS.dit.

117
List of SPNs: https://adsecurity.org/?page_id=183

124
http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/
129
https://adsecurity.org/?p=1785
https://adsecurity.org/?p=1714
135
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380502(v=vs.85).aspx
https://attack.mitre.org/wiki/Technique/T1101
https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
https://adsecurity.org/?p=1906
https://www.ossir.org/paris/supports/2017/2017-04-11/2017-04-11_Active_directory_v2.5.pdf
Ref for PowerView command: http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/
https://gallery.technet.microsoft.com/Invoke-SDPropagator-to-c99ae41c
154
Reference: https://msdn.microsoft.com/en-us/library/windows/desktop/aa374928(v=vs.85).aspx

155
https://github.com/samratashok/nishang/tree/master/Backdoors
https://blogs.msdn.microsoft.com/wmi/2009/07/20/scripting-wmi-namespace-security-part-1-of-3/

156
Note: Ignore the 'I/O operation' error.
https://github.com/samratashok/nishang/tree/master/Backdoors

157
https://github.com/HarmJ0y/DAMP
https://posts.specterops.io/remote-hash-extraction-on-demand-via-host-security-descriptor-modification-2cf505ec5c40

159
https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin%281%29.pdf

161
http://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
https://github.com/nidem/kerberoast/blob/master/tgsrepcrack.py

166
Reference: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

170
https://github.com/HarmJ0y/ASREPRoast

171
https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/doc/INSTALL

173
Reference: http://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/

175
https://room362.com/post/2016/kerberoast-pt3/

176
https://room362.com/post/2016/kerberoast-pt3/

179
https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/
http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
https://adsecurity.org/?p=1667
http://blogs.msdn.com/b/autz_auth_stuff/archive/2011/05/03/kerberos-delegation.aspx
https://technet.microsoft.com/en-us/library/dn466518.aspx
187
https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/
https://msdn.microsoft.com/en-us/library/cc246071.aspx
https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/
https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more
200
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
To install DNS RSAT tools: Install-WindowsFeature DNS -IncludeManagementTools -Verbose
208
https://adsecurity.org/?p=1588

211
List of Active Directory SPNs https://adsecurity.org/?page_id=183

216
http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/

220
https://adsecurity.org/?p=1588

222
List Active Directory SPNs https://adsecurity.org/?page_id=183

227
More at: https://msdn.microsoft.com/en-IN/library/ms188279.aspx

234
https://www.dcshadow.com/
http://www.labofapenetrationtester.com/2018/04/dcshadow.html
250
Configuring Additional LSA Protection: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx
https://blogs.technet.microsoft.com/cbernier/2015/10/06/microsoft-advanced-threat-analytics/
https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats
https://www.blackhat.com/docs/us-17/thursday/us-17-Mittal-Evading-MicrosoftATA-for-ActiveDirectory-Domination.pdf
https://technet.microsoft.com/en-us/mt227395.aspx
https://rastamouse.me/2018/03/laps---part-1/
https://www.blackhat.com/docs/us-15/materials/us-15-Moore-Defeating%20Pass-the-Hash-Separation-Of-Powers-wp.pdf

268
https://www.cyberark.com/blog/cyberark-labs-research-stealing-service-credentials-achieve-full-domain-compromise/

270
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts#BKMK_AddtoProtectedUsers

277
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM

288
See http://dcshadow.com/ for details about the DCShadow attack by Benjamin and Vincent

291
Configuration|Windows Settings|Security Settings|Advanced Audit Policy Configuration|Audit Policies|Account Logon|Audit Kerberos Authentication Service -> Success and Failure

296
https://i.dailymail.co.uk/i/pix/2011/07/20/article-2017058-0D12DD6500000578-789_634x454.jpg

301
http://blogs.msdn.com/b/powershell/archive/2015/06/09/powershell-the-blue-team.aspx
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-5.1
https://github.com/api0cradle/UltimateAppLockerByPassList
https://github.com/api0cradle/LOLBAS
318
https://msdn.microsoft.com/en-us/library/dn896648.aspx

321
Reference: http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
