Active Directory How To Change A Weak Point Into A Leverage For Security Monitoring

The document discusses the importance of focusing on Active Directory (AD) vulnerabilities for enhancing security monitoring within organizations, particularly in the context of ENGIE, a critical infrastructure operator. It outlines the risks associated with AD, such as trust relationships and account management, and proposes strategies for monitoring and securing domains, including the implementation of audit scripts and SID filtering. The presentation emphasizes the need for ongoing assessment and hardening of AD systems to mitigate potential security threats.


Active directory: How to change a weak point into a leverage for security monitoring

Vincent LE TOUX – ENGIE – France
First Conference 2017 – San Juan (Puerto Rico)
June 12th (Monday) 12:00–12:45
CONTENTS

Chapter 1 Why focus on Active Directory?
Chapter 2 Focusing on AD vulnerabilities
Chapter 3 Monitoring the domains (that we don't control)
Chapter 4 How to secure the domains?


About the ENGIE context

- A critical infrastructure operator (thermal, gas, hydro, nuclear) under regulations (NERC/NIS, ...)
- A complex history and a decentralized culture
- The group is present in 70 countries

Timeline: 1822 Société Générale des Pays-Bas; 1858 Compagnie Universelle du Canal Maritime de Suez; 1880 Société Lyonnaise des Eaux et de l'Éclairage; 1895 Compagnie Mutuelle de Tramways; 1946 Gaz de France; 1990 Electrabel; 1997 Suez Lyonnaise des Eaux; 2000 International Power; 2001 SUEZ; 2008 GDF SUEZ; 2015 ENGIE

2017-06-12 First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring 3
Why focus on Active Directory?

Does this remind you of something?

(Cartoon) « We are secure. We have big walls. Leave us alone. » - your organization
Not castles from fairy tales: the reality

(Diagram) The castle everybody forgot: a corporate AD whose reorganization was never completed, « trust everyone » relationships, a critical application with its own Active Directory inside, an AD connected to external companies, the AD of a company bought, a merger, a joint venture... business as usual.
Quiz: who can become domain admin (or more)?

Built-in Administrators
  net group "Domain Admins" %username% /DOMAIN /ADD

Server Operators
  C:\>sc config browser binpath= "C:\Windows\System32\cmd.exe /c net group \"Domain Admins\" %username% /DOMAIN /ADD" type= "share" group= "" depend= ""
  [SC] ChangeServiceConfig SUCCESS
  C:\>sc start browser
  [SC] StartService FAILED 1053:
  The service did not respond to the start or control request in a timely fashion.

Print Operators (well, it has the right to log on to DCs and to discover passwords in batch scripts or copy an ntds.dit backup)

Account Operators
  net group "badgroup" %username% /DOMAIN /ADD => see the next slide for the choice of the group

Backup Operators
  Backup: C:\Windows\SYSVOL\domain\Policies\{*}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
  Restore with:
  [Group Membership]
  *S-1-5-32-544__Members = <etc etc etc>,*S-1-5-21-my-sid

Then DCSync krbtgt => Golden ticket => Enterprise Admins (see later)
Focusing on AD vulnerabilities

Extended rights: where are your admins?

- Extended rights can reset the password of accounts, reanimate tombstones, ... and so take control of accounts indirectly
  (Allowed-To-Authenticate, User-Force-Change-Password, Reanimate-Tombstones, Unexpire-Password, Update-Password-Not-Required-Bit, Apply-Group-Policy, Self-Membership, Migrate-SID-History, DS-Replication-Get-Changes-All)

- Delegation model (diagram): Root > OU-1 > admin1, next to the Users and Domain Administrators containers; admin1: « I got a delegation on OU-1 »

=> Users (helpdesk, ...) can become domain admins instantly
Pass the hash / over pass the hash / pass the ticket / golden ticket / silver ticket ...

(Diagram: the secrets held by lsass.exe and what each one gives)
- NTLM hash (NTLM: 123456789) -> pass the hash
- Password -> same (KDC account)
- Kerberos keys (rc4_hmac_nt: 123456789, aes_128: 123456789, aes_256: 123456789) -> over pass the hash -> KDC (krbtgt)
- TGS -> silver ticket
- TGT -> pass the ticket / golden ticket
Silver ticket + DCSync: being compromised without knowing it

- Detecting silver tickets requires collecting all Kerberos events on ALL computers
- Silver / golden tickets remain valid if created with the old password (kept to avoid replication problems)
- DCSync = export the secrets needed to build silver tickets
- Mimikatz = create / import golden / silver tickets, with the old or the current password:

  kerberos::golden /domain:lab.local /sid:S-1-5-21-xxx /target:explicitdc.lab.local /service:ldap /rc4:currkey /user:explicitdc$ /id:xxx /groups:516 /sids:S-1-5-9 /ticket:explicitdc.silver.kirbi

- You no longer need an account to access the AD. The attack is invisible to classic account supervision.
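As an added example (not from the original slides), the Python below flags replication requests that carry the DS-Replication-Get-Changes-All control-access right in Windows Security event 4662, which is what a DCSync looks like from the DC side; the event records, the DC inventory and the account names are constructed.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records."""
import re

# Control-access right GUIDs of the directory replication extended rights.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # required to read secrets
REPL_GET_CHANGES_FILT = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL, REPL_GET_CHANGES_FILT}
GUID_RE = re.compile(r"\{?([0-9a-f-]{36})\}?", re.IGNORECASE)


def is_expected_replicator(account, domain_controllers):
    """Only DC machine accounts (e.g. DC01$) are expected to replicate."""
    return account.endswith("$") and account[:-1].upper() in domain_controllers


def find_dcsync(events, domain_controllers):
    """Return 4662 events that request Get-Changes-All from a non-DC account."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev["Properties"])}
        if REPL_GET_CHANGES_ALL not in guids:
            continue  # Get-Changes alone does not expose password hashes
        if is_expected_replicator(ev["SubjectUserName"], domain_controllers):
            continue
        findings.append({"user": ev["SubjectUserName"],
                         "rights": sorted(guids & REPLICATION_RIGHTS)})
    return findings


# Constructed sample: the Properties field is a copy of how the Security log
# lists the requested control-access rights.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": "Control Access\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "Control Access\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "Control Access\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "Properties": ""},
]
DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # constructed DC inventory

if __name__ == "__main__":
    for hit in find_dcsync(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print("possible DCSync by", hit["user"], hit["rights"])
```

A silver or golden ticket that impersonates a DC account passes this filter, as the slide warns, so the allowlist is only useful together with the source address of the matching 4624 logon and an up-to-date DC inventory.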
Active Directory trusts

- A Kerberos ticket can carry a « SID History » field. It is used for migration, but not only (it also used to carry forest group membership)
- A golden / silver ticket can carry a forged « SID History » field (example: the forest admin SID)
- Without SID Filtering, these tickets work on other domains
- There is no SID Filtering inside a forest...

=> One domain can compromise other domains
Account enumeration without domain access

(Callout: you can enumerate all the users of your bastion using SID enumeration if there is a trust)

- Abuse Kerberos error codes (test: KrbGuess, Nmap krb5-enum-users)
  100% of the domains vulnerable, a few % of users enumerated

- Null session: authenticating to a domain with user=« » password=« » (test: rpcclient)
  - Allowed by default on Windows 2003 via MS-LSAT
  - 2 methods (MS-SAMR, MS-LSAT), 3 checks:
    - Check whether Anonymous and Everyone are in the group Pre-Windows 2000 Compatible Access
    - Check whether dsHeuristics has fLDAPBlockAnonOps enabled (forest-wide setting)
    - Check whether the registry key TurnOffAnonymousBlock is set
  10-30% of domains vulnerable, 100% of the users enumerated, including those of trusted domains

Consequences:
- Block all the accounts if a lockout policy is in place (including those in trusted domains)
- Locate weak accounts and bruteforce passwords
Monitoring the domains (that we don't control)

Our recipe

1) Build an « audit script » with minimal requirements (no domain admin rights, no need to run on a DC, run only once, ...)
2) Easy-to-understand KPI
3) Sell it to the top management as « it is a 5 minute job »
4) Wait for the results and follow the deployment

Running an audit script ... is a « 5 minutes job »
What it looks like

(Screenshot of the report) Global score = max(all category scores)
The script: examples of rules

Stale objects
- User / computer not used (and never used)
- Check for ms-DS-MachineAccountQuota = 0
- Presence of SID History
- Duplicate accounts ($DUPLICATE ...)

Privileged accounts
- Check for the flag « this account is sensitive and cannot be delegated »
- Password change for smart cards
- Account « domain administrator » used
- Root certificate with a weak modulus or algorithm
- Owner of domain controller objects

Trusts
- SID Filtering
- Login script from another domain

Anomalies
- Krbtgt password change
- Presence of admincount=1 for non admins
- GPP password

More than 50 rules in the audit script
V1: PowerShell; 5 minutes per run
V2: C#; less than 1 minute per run
Abusing trusts to discover domains

(Diagram: what you can access, your domain and your forest, versus what you can discover)

Kerberos clients can traverse a maximum of 10 trust links to locate a requested resource in another domain (source). The limit applies to UPN routing, not to trusts! (netdom trust kz.com /domain:spat.com /namesuffixes:spat.com - source)

Techniques:
1) Objects of type « trustedDomain »
2) msDS-TrustForestTrustInfo
3) CN=Partitions,CN=Configuration
4) SIDs of foreign security principals (FSP) + LsaLookupSids + DsGetDcName
Domain discovery in practice

(Diagram legend: trusts without SID Filtering, trusts with SID Filtering, internal forest trusts, inactive trusts; Forest 1, Forest 2, admin bastion)

With only 2 reports:
- More than 2 forests discovered
- 36 additional domains found
- Link between the 2 forests discovered
- Admin bastion discovered (without any direct trust)

Golden rule: assign the « discovered domains » to the AD owning the trust (and then to the BU)
Management vision about AD

Before: 90 domains, a simplified view ... no trust with external companies
After: 300 domains, trusts with 10 unknown companies, including 2 multinationals
Management findings

- Running the AD audit script is not a 5 minutes job (a 3, then 6, months project)
- Several AD (30%) without a formally identified owner
- The number of AD with an owner was multiplied by 3
- Several trusts with external companies (without SID Filtering)
- Several GPP passwords, OUs delegated to Everyone, or NULL SESSION domain controllers

If one AD is compromised, it can lead to the compromise of several others.
SID Filtering is a quick remediation, but it works only if the corporate puts pressure.
How to secure the domains?

First glance risk approach

Group risks
- A local domain can compromise another domain (mitigation: SID Filtering)
- Domains without an identified owner: nobody to manage security incidents (mitigation: request the script results)
- Trust with an entity that we don't control (external companies, ...) (mitigation: trust removal)

Local risks
- Domain is not available (down)
- Domain is compromised
  « Secure the domain » is here

Group risks are easier to mitigate (and they have the higher impact)
ENGIE strategy about securing Active Directory

- Assessment: run the "audit tool" (PingCastle) on all domains weekly (we talked about this)
- Monitoring: build / deploy a monitoring solution
- Hardening: access securisation study

A 3-year securisation project included in the « One Security » program
3 priorities for BU CIO and CISO defined in 2017

1) Enable SID Filtering on all trusts (except migration)
2) Deploy the audit script on 100% of the domains
3) Then improve the score (min: 50/100)


Top 5 Active Directory vulnerabilities (axis: exploitability / remediation facility)

Check: non admin users can add up to 10 computers to a domain
Rationale: a user (including from trusted domains) can introduce an unsupervised workstation into the network and bypass all security policies
Vulnerable domains: 46%

Check: the « administrator » account is used at least once per month
Rationale: the password is well known and/or stored in the registry. It can be retrieved and used as a backdoor
Vulnerable domains: 34%

Check: the krbtgt password is unchanged for at least 40 days
Rationale: it should be changed twice per month to avoid silent compromise, in particular via Golden ticket attacks
Vulnerable domains: 69%

Check: null session is enabled on at least one domain controller
Rationale: this NT4 setting can be used to enumerate all accounts without an account and bruteforce them, or to use this information to lock every account in the domain AND in the trusting domains
Vulnerable domains: 28%

Check: at least 2 accounts are in the domain admin groups and have a password which doesn't expire
Rationale: service accounts are far too over-privileged and their password can be captured with minimal privileges
Vulnerable domains: 66%
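As an added example (not PingCastle's code and not from the slides), the checks above can be expressed as audit rules evaluated over a snapshot of a domain; the AD attribute names are real, but the snapshot, the field names of the snapshot, the rule points and the scoring (category score = capped sum of points, global score = max of the categories, following the « max(all scores) » slide) are assumptions.

```python
"""Audit rules over a constructed domain snapshot (example code, not PingCastle's)."""
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWD = 0x10000                      # userAccountControl flag
NOW = datetime(2017, 6, 12, tzinfo=timezone.utc)  # frozen clock for the sample


def rule_machine_account_quota(d):
    # Non-admin users can join computers while ms-DS-MachineAccountQuota > 0.
    return d["msDS-MachineAccountQuota"] > 0

def rule_administrator_used(d):
    # The built-in administrator account logged on during the last month.
    return NOW - d["administrator_lastLogon"] <= timedelta(days=31)

def rule_krbtgt_age(d):
    # A krbtgt secret older than 40 days keeps golden tickets valid for longer.
    return NOW - d["krbtgt_pwdLastSet"] > timedelta(days=40)

def rule_null_session(d):
    # 7th character of dsHeuristics == '2' allows anonymous LDAP operations.
    h = d.get("dsHeuristics", "")
    return len(h) >= 7 and h[6] == "2"

def rule_da_password_never_expires(d):
    # Two or more domain admins with DONT_EXPIRE_PASSWD: typical service accounts.
    n = sum(1 for a in d["domain_admins"] if a["userAccountControl"] & DONT_EXPIRE_PASSWD)
    return n >= 2

# (name, category, check, points): the points are illustrative, not PingCastle's.
RULES = [
    ("MachineAccountQuota > 0", "StaleObjects", rule_machine_account_quota, 10),
    ("Administrator account used", "PrivilegedAccounts", rule_administrator_used, 20),
    ("krbtgt unchanged > 40 days", "Anomalies", rule_krbtgt_age, 30),
    ("Null session enabled", "Anomalies", rule_null_session, 30),
    (">=2 DA with non-expiring password", "PrivilegedAccounts", rule_da_password_never_expires, 20),
]


def audit(domain):
    """Return (triggered rule names, per-category scores, global score)."""
    triggered, scores = [], {}
    for name, category, check, points in RULES:
        if check(domain):
            triggered.append(name)
            scores[category] = min(100, scores.get(category, 0) + points)
    return triggered, scores, max(scores.values(), default=0)


SAMPLE_DOMAIN = {  # constructed snapshot, not real data
    "msDS-MachineAccountQuota": 10,
    "dsHeuristics": "0000002",
    "administrator_lastLogon": NOW - timedelta(days=3),
    "krbtgt_pwdLastSet": NOW - timedelta(days=400),
    "domain_admins": [
        {"sam": "svc_backup", "userAccountControl": 0x10200},
        {"sam": "svc_sql", "userAccountControl": 0x10200},
        {"sam": "alice.adm", "userAccountControl": 0x200},
    ],
}
```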
Market orientation

(Diagram: AD-specific solutions versus generic solutions, change monitoring versus attack detection; the monitoring gap sits in between: « with what login is that IP associated? »)
Monitoring gap: no vulnerability analysis

(Diagram of control paths towards domain admins: normal admins, normal domain admins, the personal account owning the provisioning service account, a personal admin account put in domain admins, the helpdesk, users owning a GPO applied to admins)

- https://github.com/ANSSI-FR/AD-control-paths - BloodHound

Bonus: who can own the CEO account?
A possible strategy based on risks

(Matrix: columns Group AD / User accounts / Others (bastion AD, application AD); rows: mitigate configuration risks, mitigate hackers' risk)

Focus (and limit the budget) on high value AD; accept the risk for the others
Hackers' roadmap

Already (almost) well known:
- @gentilkiwi mimikatz, Golden ticket, DCSync
- PowerSploit (Invoke-Mimikatz), PowerShell Empire (Python), Responder

Not well known:
- Password change with only the Kerberos key; smart card logon; DoS on Kerberos authentication; authentication in the future
- Kekeo, NetSync, Aoratopw, PKINIT Mustiness, KerbStrom
- RDP attacks
- DCSync with Netlogon RPC, MakeMeEnterpriseAdmin, « Mimikatz 2 », DCSync / Golden ticket in C#/PowerShell
- Bypassing SID Filtering with a forest trust by abusing non-removed SID History
Hardening roadmap

What AD guys think (priority #1):
- Credential Guard ("Enabling Credential Guard on domain controllers is not supported", source)
- Red forest / admin bastion
- 2-factor authentication (Google PIV / GIDS smart card)

What the security team thinks:
- Control the number of administrators: more than xxx users can become domain admin (150,000 users)

Hardening is not always a technical measure. How many administrators have signed the admin charter?
Conclusion

Lessons learned

You can "infiltrate" a castle:
- Internally using the Active Directory
- Externally using Threat Intelligence (compromised emails or blacklist registers of internet IPs)

You can quickly build a big picture:
- How many AD there are, the map and their risks
- Get support to remove old domains / OS

Building a « monitoring » process can be achieved at a relatively low cost
Conclusion

- Many services rely on Active Directory, with lots of vulnerabilities and little security.
- Active Directory is an efficient way to get top management support.
- There are a lot of quick wins, to be perceived by the management as a solver and not a blocker.
- It can be linked with the SOC for better monitoring of AD vulnerabilities.

(Photo: Krásna Hôrka castle, 2012)
Questions?

How many ponies did you see? (including this one)

Tool: http://www.pingcastle.com

Bonus slide: some KPI

- Domain cleaning: initial deadline reached at 87%, switch to continuous auditing mode after 9 months
- 95% of the total domains known in 2 months
- Script submissions flow only under management pressure
- The SID Filtering KPI was changed from "enabled only" to "not enabled" (3 states: Yes, No, Not applicable). SID Filtering evolution is most of the time related to a direct order from the corporate.
Bonus slide: owning a trusted domain (bypassing SID Filtering and unidirectional trusts)

1) Installing a backdoor and waiting for connections
   Mimikatz after a login, or installing a rogue security package (note: password in clear text for RDP)

2) Enumerate the users of inbound trusts via LsaLookupSids

3) Deciphering a TGS with Kerberoast
   Most vulnerable: service accounts with no password expiration => 20+ characters recommended!
   See this. 200 MH/s with hashcat + GTX 1080. From 6 months to 1 day, offline, with an 8 character password.

4) Exploring the domain configuration for vulnerabilities
   - GPP password (almost in clear text)
   - Login script hosted in other domains
   - Restricted group (local admin) with Everyone, Authenticated Users or NT AUTHORITY\INTERACTIVE
   - OU/container with write access to Everyone / Authenticated Users
Bonus slide: SID Filtering

Algorithm to know if it is active:
- SID Filtering = NA => inbound trust or intra-forest trust
- SID Filtering active => if forest trust and not inter-forest trust => Yes; else if quarantined domain => Yes

Enabling it:
- Forest trust: enabled by default => netdom /enableSIDHistory:No
- Domain trust: disabled by default => netdom /quarantine:Yes
- Do not enable quarantine on a forest trust!!! (users from child domains in the forest won't be authenticated anymore)
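As an added example that is not the slides' or PingCastle's code, the Python below implements the three-state (Yes / No / NA) algorithm above for the trusts slide and this bonus slide, reading the trustDirection and trustAttributes values of trustedDomain objects; the flag values are the MS-ADTS ones, the mapping of the slide's « inter forest trust » to TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL is an assumption, and the trust records are constructed.

```python
"""Derive the SID Filtering state of a trust from its trustedDomain attributes."""

# trustDirection bits (MS-ADTS): inbound = the partner trusts us, outbound = we trust it.
TRUST_DIRECTION_INBOUND = 0x1
TRUST_DIRECTION_OUTBOUND = 0x2
# trustAttributes flags (MS-ADTS)
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004  # netdom /quarantine:yes
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008   # forest trust
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020       # parent/child or tree-root trust
TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040   # netdom /enablesidhistory:yes


def sid_filtering_state(trust_direction, trust_attributes):
    """Return 'Yes', 'No' or 'NA', the three KPI states used on the slides."""
    # NA: we only receive tickets over outbound trusts, and trusts inside the
    # forest are never filtered, so there is nothing to enable on them.
    if not trust_direction & TRUST_DIRECTION_OUTBOUND:
        return "NA"
    if trust_attributes & TRUST_ATTRIBUTE_WITHIN_FOREST:
        return "NA"
    if trust_attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        # Forest trust: filtered by default, relaxed by /enablesidhistory:yes
        # (assumption: this flag is the slide's "inter forest trust").
        relaxed = trust_attributes & TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
        return "No" if relaxed else "Yes"
    # External (domain) trust: filtered only once quarantined.
    return "Yes" if trust_attributes & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN else "No"


def audit_trusts(trusts):
    """Map partner name -> SID Filtering state for (partner, direction, attributes) records."""
    return {partner: sid_filtering_state(direction, attributes)
            for partner, direction, attributes in trusts}


SAMPLE_TRUSTS = [  # constructed trustedDomain records
    ("child.corp.example", 0x3, TRUST_ATTRIBUTE_WITHIN_FOREST),
    ("partner.example", 0x3, TRUST_ATTRIBUTE_FOREST_TRANSITIVE),
    ("legacy.example", 0x3, TRUST_ATTRIBUTE_FOREST_TRANSITIVE | TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL),
    ("nt4.example", 0x3, 0),
    ("vendor.example", TRUST_DIRECTION_OUTBOUND, TRUST_ATTRIBUTE_QUARANTINED_DOMAIN),
    ("bastion.example", TRUST_DIRECTION_INBOUND, 0),
]

if __name__ == "__main__":
    for partner, state in audit_trusts(SAMPLE_TRUSTS).items():
        print(f"{partner:22} SID Filtering: {state}")
```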
