AD Attack Paths
Lateral Movement
- Offensive Lateral Movement The difficulty with lateral movement is doing it with good operational security (OpSec), which means generating as few logs as possible, or generating logs that look normal. The purpose of this blog post is not only to show the techniques, but also to show what is happening under the hood and the high-level indicators associated with each of them.
- Kerberosity Killed the Domain: An Offensive Kerberos Overview This article is intended to give an overview of how Kerberos works and some of the more common attacks associated with it.
- Roasting
- Silver Ticket
- Golden Ticket
- Delegation attacks (out of scope)
- The L in Linux Stands for Lateral Movement Only one protocol comes to mind — SSH. In this blog post, we’ll look at other protocols in Linux that can be used to achieve (or to help achieve) lateral movement.
- Administrative tools and logon types A nightmare of variants and details. Practically important for understanding which network operations leave credentials in the memory of the remote host.
Discovery
The Discovery Tactic is almost always used in conjunction with Lateral Movement.
Discovery is often called enumeration.
Tools for Windows machines
- Manual Enumeration – Juggernaut Pentesting Academy Basic commands for user enumeration, system enumeration, software enumeration, network enumeration, anti-virus and firewall enumeration.
Bloodhound
"The" Discovery tool for Windows Active Directory: a game changer.
- Here Be Dragons: The Unexplored Land of Active Directory ACLs The 45-minute DerbyCon 2017 talk that introduced ACL-based attack paths (and the corresponding edges) into this tool.
- BloodHound – Sniffing Out the Path Through Windows Domains One of the many tutorials available.
- BloodHound: Six Degrees of Domain Admin The official site.
BloodHound-related tools:
- Dealing with large BloodHound datasets. Discusses other tools similar to BloodHound, including BlueHound.
- ShotHound: Validate practical paths discovered by BloodHound.
- Ransomulator: Simulate ransomware-like infection in your dataset.
- DBCreator: Simulate BloodHound dataset, along with "Open" network access edges and unpatched vulnerabilities information.
- CustomQueries: A list of common queries that reflect the network dimension, if it is integrated into the dataset.
- VulnerabilitiesDataImport: Parse vulnerability scanner reports and enrich host nodes with information about unpatched vulnerabilities.
- FoxTerrier: On the trail of vulnerable Active Directory objects, and a report. You use SharpHound/BloodHound to collect data and audit your AD, and you would like to generate a report of the vulnerable objects in your AD? Take a look at FoxTerrier!
BloodHound-like tools:
- BlueHound Very similar to BloodHound. It collects metrics similar to some of those available only in the paid version of BloodHound.
- Adalanche
- Introducing Slinky Cat - Living off the AD Land Helps security and IT teams reduce their AD exposure and uncover quick wins and fixes; designed for pen-testers and defenders alike.
Other tools for Active Directory environments
- LDAP Queries for Offensive and Defensive Operations Basic queries for targeted Active Directory information gathering used in penetration testing (“low and slow” approach without BloodHound).
- User Enumeration Techniques and Tactics In an Active Directory Pentesting Engagement A blog post describing several techniques for finding valid accounts in Active Directory.
- Snaffler Takes a list of Windows computers from Active Directory as input, figures out which ones have file shares and whether you can read them, then enumerates the files in those shares and searches them heuristically for passwords (which should not be stored there).
- Scraping kit Tools for scraping services, domain controllers, Outlook email client based on a provided list of keywords.
- There’s Something About Service Accounts Discovering services via SPN scanning, i.e. querying the directory for servicePrincipalName values, without port scanning.
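The two approaches above (targeted LDAP queries instead of a full BloodHound collection, and SPN scanning instead of port scanning) can be tried with nothing more than the .NET DirectorySearcher present on any domain-joined Windows host. The PowerShell below is an added example written for this page, not code from the linked articles. It assumes a domain-joined host, domain-user credentials and the current domain's default naming context; since they rely on the same kind of query, it also lists the Kerberoastable and AS-REP-roastable accounts that the Roasting material above refers to.

```powershell
# Added example for this page (not from the linked articles). Assumes a
# domain-joined host, domain-user credentials and the current domain.
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

function Invoke-Ldap {
    param([string]$Filter, [string[]]$Attributes)
    $s = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn", $Filter)
    $s.PageSize = 500                          # paged results: no 1000-entry cap, smaller bursts
    $s.PropertiesToLoad.AddRange($Attributes)  # request only the attributes needed ("low and slow")
    $s.FindAll()
}

# 1. SPN scanning. Every SPN has the form <serviceclass>/<host>[:<port|instance>][/<name>],
#    so the directory already tells us which hosts run SQL, HTTP, Exchange, ... with no port scan.
function Get-SpnInventory {
    foreach ($r in Invoke-Ldap '(servicePrincipalName=*)' 'samaccountname','serviceprincipalname') {
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            $svc, $rest      = [string]$spn -split '/', 2
            $hostName, $port = ($rest -split '/')[0] -split ':', 2
            [pscustomobject]@{
                Account = [string]$r.Properties['samaccountname'][0]
                Service = $svc
                Host    = $hostName
                Port    = $port      # $null when the SPN carries no port/instance
            }
        }
    }
}

# 2. Kerberoastable accounts: enabled *user* objects that carry an SPN.
#    805306368 = SAM_USER_OBJECT, 1.2.840.113556.1.4.803 = LDAP bitwise-AND matching rule,
#    userAccountControl bit 2 = ACCOUNTDISABLE.
$kerberoastable = '(&(samAccountType=805306368)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# 3. AS-REP roastable accounts: userAccountControl bit 4194304 = DONT_REQ_PREAUTH.
$asrepRoastable = '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

function Get-RoastableAccounts {
    foreach ($f in $kerberoastable, $asrepRoastable) {
        foreach ($r in Invoke-Ldap $f 'samaccountname') {
            [string]$r.Properties['samaccountname'][0]
        }
    }
}

# Example use: all SQL Server hosts, then the roastable account names.
Get-SpnInventory | Where-Object Service -eq 'MSSQLSvc' | Sort-Object Host -Unique | Format-Table -AutoSize
Get-RoastableAccounts
```

Asking only for the attributes you need and paging the results is what keeps this "low and slow"; note for the defensive side that a workstation pulling `(servicePrincipalName=*)` for the whole domain is still visible on the domain controller if expensive/inefficient LDAP search logging (Event ID 1644) is enabled.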
AD Attack paths
This is a huge topic.
- The Phantom Menace: Exposing hidden risks through ACLs in Active Directory (Part 1) An excellent and concise description of ACLs in Active Directory (starting from what a Securable Object is) from an offensive point of view.
- BloodHound Edges Perhaps the best way to understand the breadth and depth of AD attack paths is to look at how many edge types exist in BloodHound. This page is very interesting because, for each edge, it describes how it can be abused, the associated technical difficulty and some operational security (OpSec) considerations.
- Internal All The Things Active Directory and Internal Pentest Cheatsheets. Lots of useful step-by-step examples.
- Attacking Active Directory: 0 to 0.9 Nice description of many Windows topics, including Active Directory, access rights and so on.
Certified Pre-Owned
This is just one of the many families of AD Attack Paths.
- Trello From the Other Side: Tracking APT29 Phishing Campaigns APT29 is a Russian espionage group. Very interesting and detailed analysis of phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia; the escalation relied on misconfigured certificate templates.
- Exploiting Outlook CVE-2023-23397 to Relay Credentials Based on a coerced-authentication vulnerability in Outlook. The coerced NTLM authentication is relayed to AD CS to obtain a certificate, which is then used with PKINIT. "I exploit Outlook to relay credentials to NTLMrelayx, get a certificate of a domain admin, and fully take over a domain. It only takes a meeting invite and a user simply opening outlook to exploit this vulnerability." Nice and focused video.
- Certified Pre-Owned By those who discovered this path. Abusing Active Directory Certificate Services (AD CS): eight domain escalation techniques, ESC1 through ESC8, ranging from misconfigured certificate templates to insecure CA settings and NTLM relay to the enrollment endpoints. Accompanied by a 140+ page whitepaper including prevention and detection guidance.
- ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate A quick lab to get familiar with Active Directory Certificate Services (ADCS) + NTLM relay. Step-by-step examples and screenshots.
- Attacking AD Certificate Services – Part 1 Another of the many step-by-step tutorials in this area.
- Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover Very interesting attack path based on PKINIT, with considerations on detection and prevention. Not very easy.
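The first of the Certified Pre-Owned techniques, ESC1, is a published template that lets the requester supply the subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT), carries an authentication EKU, requires neither manager approval nor authorized signatures, and is enrollable by low-privileged principals. Those conditions are concrete enough to check with plain LDAP. The PowerShell below is an added example written for this page, not code from the paper or from Certify; it assumes a domain-joined host with domain-user credentials, and its definition of "low-privileged principal" (Everyone, Authenticated Users, Domain Users, Domain Computers) is a simplifying assumption.

```powershell
# Added example for this page (not from the Certified Pre-Owned paper or Certify).
# Assumes a domain-joined host and domain-user credentials; no RSAT needed.
# Flag values and OIDs are from MS-CRTD; the low-privilege heuristic is an assumption.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: manager approval
$AUTH_EKUS = @(
    '1.3.6.1.5.5.7.3.2'        # Client Authentication
    '1.3.6.1.5.2.3.4'          # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
    '2.5.29.37.0'              # Any Purpose
)
$ENROLL_RIGHT = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiDn    = "CN=Public Key Services,CN=Services,$configNc"

function Search-Ldap([string]$BaseDn, [string]$Filter) {
    $s = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://$BaseDn", $Filter)
    $s.PageSize = 500
    $s.SecurityMasks = [DirectoryServices.SecurityMasks]'Dacl,Owner'   # we need the DACL back
    $s.FindAll()
}

# 1. Only templates published on an Enterprise CA (pKIEnrollmentService.certificateTemplates) matter.
$published = @{}
foreach ($ca in Search-Ldap $pkiDn '(objectClass=pKIEnrollmentService)') {
    foreach ($t in $ca.Properties['certificatetemplates']) {
        $published[[string]$t] = [string]$ca.Properties['dnshostname'][0]
    }
}

# 2. "Low-privileged" here means Everyone, Authenticated Users, Domain Users (RID 513)
#    or Domain Computers (RID 515). A real audit would resolve group membership.
function Test-LowPrivSid([string]$Sid) {
    ($Sid -in 'S-1-1-0', 'S-1-5-11') -or ($Sid -match '-(513|515)$')
}

function Test-LowPrivEnroll([byte[]]$SdBytes) {
    if (-not $SdBytes) { return $false }
    $sd = New-Object DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorBinaryForm($SdBytes)
    foreach ($ace in $sd.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not (Test-LowPrivSid $ace.IdentityReference.Value)) { continue }
        $rights = $ace.ActiveDirectoryRights
        if (($rights -band [DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0) { return $true }
        # ExtendedRight scoped to the Enroll GUID, or to all extended rights (empty GUID)
        if (($rights -band [DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 -and
            ($ace.ObjectType -eq $ENROLL_RIGHT -or $ace.ObjectType -eq [guid]::Empty)) { return $true }
    }
    return $false
}

# 3. Apply the ESC1 conditions to every published template.
function Find-Esc1Templates {
    foreach ($r in Search-Ldap "CN=Certificate Templates,$pkiDn" '(objectClass=pKICertificateTemplate)') {
        $p    = $r.Properties
        $name = [string]$p['cn'][0]
        if (-not $published.ContainsKey($name)) { continue }

        $nameFlag   = [int]@($p['mspki-certificate-name-flag'])[0]
        $enrollFlag = [int]@($p['mspki-enrollment-flag'])[0]
        $raSigs     = [int]@($p['mspki-ra-signature'])[0]
        $ekus       = @($p['pkiextendedkeyusage'] | ForEach-Object { [string]$_ })

        $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $managerApproval = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $authEku         = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $_ -in $AUTH_EKUS }).Count -gt 0)
        $lowPrivEnroll   = Test-LowPrivEnroll ([byte[]]@($p['ntsecuritydescriptor'])[0])

        if ($suppliesSubject -and $authEku -and -not $managerApproval -and $raSigs -eq 0 -and $lowPrivEnroll) {
            [pscustomobject]@{ Template = $name; CA = $published[$name]; EKUs = ($ekus -join ', ') }
        }
    }
}

Find-Esc1Templates | Format-Table -AutoSize
```

An empty EKU list is treated as "any purpose", which is why it counts as an authentication EKU here. Certify (`find /vulnerable`) and Certipy perform the same check with full ACL resolution and cover ESC2 through ESC8 as well; on the defensive side a hit is fixed by clearing "Supply in the request" on the template, requiring CA certificate manager approval, or restricting who may enroll.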
Demo video
Demo of four different AD attack paths, with considerations about their OPSEC (i.e., ability to remain undetected). Slides and one hour video.
- Kerberoasting, Pass the ticket, dumping tickets from a logon session, and others
- Certificate Template Abuse, PKINIT authentication, Unconstrained delegation (this step is out of scope), DCSync (i.e., abusing domain controller replication)
- Password spray, Overprivilege + Shadow credential, UnPAC the hash + Silver Ticket, Golden Ticket
- Coerced authentication, NTLM Relay + Shadow credentials, DCSync + Diamond Ticket, SID-history infection (last steps out of scope)
Relaying
- A guide to relaying credentials everywhere in 2022 Including Shadow Credentials and Certificate Services (ADCS)
- How to Exploit Active Directory ACL Attack Paths Through LDAP Relaying Attacks
APPENDIX - AD Defense guidance
In my modest opinion, a lost battle.
Look for example at the blog post presenting the Microsoft Digital Defense Report 2022: "This chart shows the percentage of impacted customers missing basic security controls which are critical to increasing organizational cyber resilience. Findings are based on Microsoft engagements over the past year.". You will see that 90% of customers have an insecure AD configuration, 98% of customers do not use a tiered model, and the like. To me, this means that defending AD is a losing battle from the start.
- Best Practices for Securing Active Directory from Microsoft Learn.
- Top 10 ways of securing AD. List of most common misconfigurations that can be exploited and how to fix them.
- Total Identity Compromise: Microsoft Incident Response lessons on securing Active Directory Across all industry verticals, Microsoft Incident Response often finds similar issues within Active Directory environments. In this blog, we will be highlighting some of the most common issues seen in on-premises Active Directory environments and provide guidance on how to secure those weaknesses.
Tools for checking common AD misconfigurations and obtaining summary reports.
- PingCastle
- Trimarc ADChecks
- Checklist A self-assessment checklist by CERT France.
APPENDIX - Kerberos Delegation Abuses
Out of scope (but very, very interesting...)
- Exploring S4U Kerberos Extensions in Windows Server 2003 Microsoft explanation of S4U.
- Krbrelayup A 30-second video showing the DavRelayUp tool in use.
- Detecting and preventing privilege escalation attacks leveraging Kerberos relaying (KrbRelayUp) Description and recommendations by Microsoft.
- Kerberosity Killed the Domain: An Offensive Kerberos Overview Kerberos delegation attacks.