Attacking and Defending Active Directory
Active Directory
Hacks and Countermeasures
Andrei Pusoiu
Cyber Security Engineer
Table of contents
● Introduction to Active Directory
● Ways of attack
● Ways of defence
● Conclusion
Andrei Pusoiu
● Cyber Security Engineer
● 6+ years in penetration testing
● Web, mobile, secure development
● Co-Founder of Cyber Threat Defense
● Email: andrei.pusoiu@ctdefense.com
Introduction
Active Directory
● Directory service installed on a Windows Server acting as Domain Controller (DC)
● Database: NTDS.dit
○ Users
○ Computers
○ Printers
○ File Shares
○ Security Groups
● Handles security and authentication for the domain
● Centralized Management of Windows networks
Most common tasks with AD
● Reset passwords
● Create / delete user accounts
● Setting permissions (groups)
Attacking
Active Directory
● First Goal
○ Domain admins
○ Enterprise admins
○ Built-in administrators
○ Backup Operators
○ ...
● Second Goal
○ Exchange email
○ Sharepoint documents
○ Skype messages
○ Azure apps
○ Secret data
○ ...
Attacking Kill Chain
Classic intrusion scheme
Next Steps
● Persistence
● Reconnaissance
● Privilege escalation
● Persistence (admin)
● Lateral and vertical movement
● Grab and exfiltrate
Common attacks: from Domain User to Domain Admin
● Mimikatz
○ Dumps plaintext passwords, hashes, PINs and Kerberos tickets from memory
○ Enables multiple lateral movement techniques
Mimikatz Attacks
● A bit old
● But still present in networks with low security maturity
● SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access.
● SYSVOL contains logon scripts, group policy data, and other domain-wide data.
● Any Group Policy Preference that needs to set a local or domain password
○ stores the password in the preference's XML file
○ which is stored under the SYSVOL path
○ usually \\DOMAIN\SYSVOL
○ Stored encrypted (AES256) but…
○ The encryption key is public on Microsoft's website
Passwords in SYSVOL & Group Policy Preferences
https://gist.github.com/andreafortuna/6dc38f84f07fdadd1c90c41db7cd35e0
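A defender's check for the issue above, added here as an example (not code from the talk or the linked gist): it parses Group Policy Preferences XML files for a non-empty cpassword attribute and reports which account each stored credential belongs to, without decrypting anything. The sample Groups.xml, its clsid values and the cpassword value are constructed placeholders.

```python
import os
import xml.etree.ElementTree as ET

# GPP XML files under SYSVOL that can carry a cpassword attribute.
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")
# Attributes that name the account a stored password belongs to.
ACCOUNT_ATTRS = ("userName", "username", "runAs", "accountName")

# Constructed sample of a Groups.xml as found under
# \\DOMAIN\SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\Groups\.
# clsid and cpassword values are placeholders, not real data.
SAMPLE_GROUPS_XML = """<Groups clsid="{PLACEHOLDER-CLSID}">
  <User clsid="{PLACEHOLDER-CLSID}" name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin"
                cpassword="PLACEHOLDER_CPASSWORD_VALUE" neverExpires="1"/>
  </User>
  <User clsid="{PLACEHOLDER-CLSID}" name="NoPwdUser">
    <Properties action="U" userName="NoPwdUser" cpassword=""/>
  </User>
</Groups>
"""


def find_cpassword_entries(xml_text, source="Groups.xml"):
    """Return one finding per element with a non-empty cpassword attribute.

    The value itself is never decrypted or returned; the audit only needs
    to know that a stored credential exists and which account it targets.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if not elem.get("cpassword"):  # absent or empty: no password stored
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        findings.append({"file": source, "element": elem.tag, "account": account})
    return findings


def scan_sysvol(sysvol_root):
    """Walk a SYSVOL copy (or mounted share) and collect cpassword findings."""
    findings = []
    for dirpath, _, filenames in os.walk(sysvol_root):
        for name in filenames:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpassword_entries(fh.read(), path))
    return findings


if __name__ == "__main__":
    for f in find_cpassword_entries(SAMPLE_GROUPS_XML):
        print(f"{f['file']}: <{f['element']}> stores a password for '{f['account']}'")
```

Every finding is a preference that should be rebuilt without the stored credential and the affected account's password rotated, since any authenticated user can read the file.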
Group Policy Preference Exploitation Mitigation:
Golden Tickets
● Using Mimikatz
● Golden tickets can be created for valid domain accounts, or for accounts that do not exist
● Compromise of just one Domain Admin account in the Active Directory exposes the entire organization to risk. The attacker would have unrestricted access to all resources managed by the domain: all users, servers, workstations and data.
● Moreover, the attacker could instantly establish persistence in the Active Directory environment, which is difficult to notice and cannot be efficiently remediated with guarantees.