Attacking and Defending ActiveDirectory Slides Notes v1.3

The document contains a collection of links and references related to PowerShell, Active Directory security, and various techniques for bypassing security measures. It includes resources for red teaming, penetration testing, and security best practices. Additionally, it provides information on tools and methods for exploiting vulnerabilities within Microsoft environments.

Uploaded by

n.c.t.2899

https://technet.microsoft.com/en-us/library/cc780036(v=ws.10).aspx

15 ways to bypass PowerShell execution policy
https://www.netspi.com/blog/entryid/238/15-ways-to-bypass-the-powershell-execution-policy

Check out Invoke-CradleCrafter:
https://github.com/danielbohannon/Invoke-CradleCrafter

Microsoft Cloud Red Teaming Paper: https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392e

https://janikvonrotz.ch/2015/09/09/deploy-powershell-activedirectory-module-without-installing-the-remote-server-tools/

Active Directory Rights: https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights1
Extended Rights: https://docs.microsoft.com/en-us/previous-versions/tn-archive/ff405676(v=msdn.10)
Reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)
http://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/

http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html

See more at http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
http://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html

https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ff700227(v=msdn.10)

Unofficial mimikatz guide:
https://adsecurity.org/?p=2207
Above taken from "Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection" by Sean Metcalf at BSides Charm
http://adsecurity.org/?p=483

http://passing-the-hash.blogspot.com/2014/09/pac-validation-20-minute-rule-and.html

The krbtgt hash could also be dumped from NTDS.dit.

List of SPNs: https://adsecurity.org/?page_id=183

http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/
https://adsecurity.org/?p=1785
https://adsecurity.org/?p=1714
https://docs.microsoft.com/en-us/windows/win32/secauthn/ssp-packages-provided-by-Microsoft
https://attack.mitre.org/wiki/Technique/T1101
https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
https://adsecurity.org/?p=1906
https://www.ossir.org/paris/supports/2017/2017-04-11/2017-04-11_Active_directory_v2.5.pdf
Ref for PowerView command: http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/
https://gallery.technet.microsoft.com/Invoke-SDPropagator-to-c99ae41c
Reference: https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings

https://github.com/samratashok/nishang/tree/master/Backdoors
https://docs.microsoft.com/en-us/archive/blogs/wmi/scripting-wmi-namespace-security-part-1-of-3

Note: Ignore the 'I/O operation' error.
https://github.com/samratashok/nishang/tree/master/Backdoors

https://github.com/HarmJ0y/DAMP
https://posts.specterops.io/remote-hash-extraction-on-demand-via-host-security-descriptor-modification-2cf505ec5c40

https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin%281%29.pdf

http://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
https://github.com/nidem/kerberoast/blob/master/tgsrepcrack.py

Reference: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

https://github.com/HarmJ0y/ASREPRoast

https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/doc/INSTALL

Reference: http://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/

https://room362.com/post/2016/kerberoast-pt3/

https://labs.f-secure.com/archive/trust-years-to-earn-seconds-to-break/
http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
https://adsecurity.org/?p=1667
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
http://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/
https://labs.f-secure.com/archive/trust-years-to-earn-seconds-to-break/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94
https://www.secureauth.com/blog/kerberos-delegation-spns-and-more
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
To install DNS RSAT tools: Install-WindowsFeature DNS -IncludeManagementTools -Verbose
https://adsecurity.org/?p=1588

List of Active Directory SPNs https://adsecurity.org/?page_id=183

http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/

https://adsecurity.org/?p=1588

List Active Directory SPNs https://adsecurity.org/?page_id=183

More at: https://docs.microsoft.com/en-us/sql/relational-databases/linked-servers/linked-servers-database-engine

https://www.dcshadow.com/
http://www.labofapenetrationtester.com/2018/04/dcshadow.html
Configuring Additional LSA Protection: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321(v=ws.10)
https://docs.microsoft.com/en-us/archive/blogs/cbernier/microsoft-advanced-threat-analytics
https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats
https://www.blackhat.com/docs/us-17/thursday/us-17-Mittal-Evading-MicrosoftATA-for-ActiveDirectory-Domination.pdf
https://docs.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)
https://rastamouse.me/2018/03/laps---part-1/
https://www.blackhat.com/docs/us-15/materials/us-15-Moore-Defeating%20Pass-the-Hash-Separation-Of-Powers-wp.pdf

https://www.cyberark.com/blog/cyberark-labs-research-stealing-service-credentials-achieve-full-domain-compromise/

https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts#BKMK_AddtoProtectedUsers

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM

See http://dcshadow.com/ for details about the DCShadow attack by Benjamin and Vincent

Configuration|Windows Settings|Security Settings|Advanced Audit Policy Configuration|Audit Policies|Account Logon | Audit Kerberos Authentication Service -> Success and Failure

https://i.dailymail.co.uk/i/pix/2011/07/20/article-2017058-0D12DD6500000578-789_634x454.jpg

https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-5.1
https://github.com/api0cradle/UltimateAppLockerByPassList
https://github.com/api0cradle/LOLBAS
https://docs.microsoft.com/en-us/previous-versions//dn896648(v=technet.10)

Reference: http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
