2019 07 15 - AATPWebinar - Detections Part2of2
Azure Advanced Threat Protection Webinar
We will start at 2-3 minutes after the scheduled time to accommodate those still connecting.
Questions? Feel free to type them in the instant message window at any time. Note that any questions you post will be public. You have the option to post questions anonymously.
This webinar is being recorded. We’ll post the recordings to our community forums at https://aka.ms/AATPRecordings.
Attack phases covered: Reconnaissance to Domain Dominance
Detections covered in this session:
• Brute force attempts
• Suspicious VPN connection
• Honey Token account suspicious activities
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• NTLM relay attack (Exchange)
What is Active Directory?
Interesting attributes:
• Group membership
• Password never expires
• Empty password allowed
• Service principal name (SPN)
• Trusted for delegation
Directory structure (partitions):
• Schema
• Configuration
• Domain
Domain’s SID and RID (relative identifier), for example:
S-1-5-21-1411547893-2725445261-4116970666-1234
(domain SID S-1-5-21-1411547893-2725445261-4116970666, RID 1234)
Well-Known RIDs
S-1-5-domain-500 Administrator
S-1-5-domain-501 Guest
S-1-5-domain-512 Domain Admins
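As an added example (not code from the webinar or from Azure ATP), the following Python audits constructed account records against the "interesting attributes" listed above and the SID/RID layout: it splits a SID into domain SID and RID, looks up the well-known RIDs from the slide, decodes the userAccountControl bits behind "password never expires", "empty password allowed" and "trusted for delegation", and notes any registered SPN. The userAccountControl bit values are Microsoft's documented ADS_USER_FLAG constants; the account names, records and the contoso.local SPN are constructed for the example.

```python
"""Audit of account attributes and SID/RID structure (added example).

The account records are constructed sample data modelled on the LDAP
attributes behind the slide (memberOf, userAccountControl,
servicePrincipalName, objectSid); none of it comes from a real directory.
"""
import re

# userAccountControl bits (values from Microsoft's ADS_USER_FLAG enumeration)
RISKY_UAC_FLAGS = [
    ("PASSWD_NOTREQD", 0x0020),                     # empty password allowed
    ("DONT_EXPIRE_PASSWORD", 0x10000),              # password never expires
    ("TRUSTED_FOR_DELEGATION", 0x80000),            # unconstrained delegation
    ("TRUSTED_TO_AUTH_FOR_DELEGATION", 0x1000000),  # constrained delegation with protocol transition
]

# Well-known RIDs from the slide; the same RID means the same role in every domain.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins"}

# Domain account SID: S-1-5-21-<three sub-authorities>-<RID>
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain account SID into (domain SID, RID)."""
    m = DOMAIN_SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


def decode_uac(uac):
    """Names of the risky userAccountControl flags set in the integer value."""
    return [name for name, bit in RISKY_UAC_FLAGS if uac & bit]


def assess(record):
    """List of findings for one account; an empty list means nothing notable."""
    findings = []
    _, rid = split_sid(record["objectSid"])
    if rid in WELL_KNOWN_RIDS:
        findings.append(f"well-known RID {rid} ({WELL_KNOWN_RIDS[rid]})")
    if "Domain Admins" in record.get("memberOf", []):
        findings.append("member of Domain Admins")
    findings.extend(decode_uac(record["userAccountControl"]))
    if record.get("servicePrincipalName"):
        findings.append("SPN registered: " + ", ".join(record["servicePrincipalName"]))
    return findings


def audit(records):
    """Map sAMAccountName -> findings for every account in the list."""
    return {r["sAMAccountName"]: assess(r) for r in records}


# Constructed sample accounts (domain SID taken from the slide's example)
DOMAIN_SID = "S-1-5-21-1411547893-2725445261-4116970666"
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "objectSid": f"{DOMAIN_SID}-500",
     "userAccountControl": 0x10200, "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "jdoe", "objectSid": f"{DOMAIN_SID}-1105",
     "userAccountControl": 0x200, "memberOf": []},
    {"sAMAccountName": "svc-sql", "objectSid": f"{DOMAIN_SID}-1234",
     "userAccountControl": 0x10200, "memberOf": [],
     "servicePrincipalName": ["MSSQLSvc/sql01.contoso.local:1433"]},
    {"sAMAccountName": "legacyapp", "objectSid": f"{DOMAIN_SID}-1150",
     "userAccountControl": 0x80220, "memberOf": []},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name:14} {'; '.join(findings) or 'no findings'}")
```

In a real environment the records would come from an LDAP query selecting exactly these attributes; the RID check is what lets you spot a renamed built-in Administrator account, since the RID stays 500 whatever the account is called.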
[Diagram: replication from Source DC to Destination DC]
4. Request changes
5. Send changes
6. Apply changes to local DB
The classic use case for DCSync is to replicate the KRBTGT account in order to execute a Golden Ticket attack.
Permissions Required
• High privileged permissions:
  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes In Filtered Set
• Generally Administrators, Domain Admins and Enterprise Admins have the required permissions
• Attack Flow:
  1. Registering the "DC" by creating 2 objects in the CN=Configuration partition and altering the SPN of the computer used.
  2. Pushing the data (triggered using DrsReplicaAdd)
  3. Removing the object previously created to demote the DC
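Added example (not the webinar's or Azure ATP's code): detection logic, run over constructed security events, for both techniques on this slide. A DCSync request surfaces as event 4662 in which a principal that is not a domain controller exercises one of the replication rights listed under "Permissions Required"; the registration step of the attack flow above surfaces as an nTDSDSA object created under CN=Configuration (event 5137) or as a computer account gaining a DC service-class SPN (event 5136). The GUIDs are the schema-defined identifiers of those three rights and of the DRS SPN service class; the known-DC inventory, the account names, the contoso.local domain and the event records are assumptions constructed for the example.

```python
"""Detecting DCSync and DCShadow indicators in audit events (added example).

The records below are constructed, simplified models of three Windows
security events: 4662 (operation performed on a directory object, carrying
the GUID of the control-access right exercised), 5137 (directory object
created) and 5136 (directory object modified). They are not real logs; a
SIEM parser would normalise real event XML into this shape.
"""

# Schema GUIDs of the three replication rights from the "Permissions Required" slide.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "Replicating Directory Changes In Filtered Set",
}

# SPN service classes that mark a host as a global catalog / DRS replication endpoint.
DC_SPN_PREFIXES = ("GC/", "E3514235-4B06-11D1-AB04-00C04FC2DCD2/")

# Inventory of legitimate DC computer accounts (assumption: maintained by the defender).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def account_from_dn(dn):
    """'CN=WS01,CN=Computers,DC=contoso,DC=local' -> 'WS01$'."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1] + "$"


def check_dcsync(event):
    """Flag a 4662 in which a non-DC principal exercises a replication right."""
    if event["EventID"] != 4662 or event["SubjectUserName"] in KNOWN_DC_ACCOUNTS:
        return None
    rights = [REPLICATION_RIGHTS[g] for g in event["Properties"] if g in REPLICATION_RIGHTS]
    if not rights:
        return None
    return {"technique": "DCSync", "subject": event["SubjectUserName"], "rights": rights}


def check_dcshadow(event):
    """Flag the registration step: a machine outside the DC inventory becomes a 'DC'."""
    if event["SubjectUserName"] in KNOWN_DC_ACCOUNTS:
        return None
    if (event["EventID"] == 5137 and event["ObjectClass"] == "nTDSDSA"
            and ",CN=Sites,CN=Configuration," in event["ObjectDN"]):
        return {"technique": "DCShadow", "subject": event["SubjectUserName"],
                "detail": "nTDSDSA object created: " + event["ObjectDN"]}
    if (event["EventID"] == 5136
            and event["AttributeLDAPDisplayName"] == "servicePrincipalName"
            and event["AttributeValue"].upper().startswith(DC_SPN_PREFIXES)
            and account_from_dn(event["ObjectDN"]) not in KNOWN_DC_ACCOUNTS):
        return {"technique": "DCShadow", "subject": event["SubjectUserName"],
                "detail": "DC service-class SPN added to " + event["ObjectDN"]}
    return None


def analyze(events):
    """Run both checks over an event stream and return the findings in order."""
    findings = []
    for ev in events:
        hit = check_dcsync(ev) or check_dcshadow(ev)
        if hit:
            findings.append(hit)
    return findings


DOMAIN_DN = "DC=contoso,DC=local"
SAMPLE_EVENTS = [  # constructed sample events
    # Normal replication between two DCs: not a finding.
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": DOMAIN_DN,
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    # A user account pulling replication data: DCSync.
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": DOMAIN_DN,
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    # Workstation registered as a DC in the Configuration partition: DCShadow step 1.
    {"EventID": 5137, "SubjectUserName": "jdoe", "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration," + DOMAIN_DN},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=WS01,CN=Computers," + DOMAIN_DN,
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "GC/WS01.contoso.local/contoso.local"},
    # Same SPN class on a real DC during maintenance: not a finding.
    {"EventID": 5136, "SubjectUserName": "admin", "ObjectDN": "CN=DC01,OU=Domain Controllers," + DOMAIN_DN,
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "GC/DC01.contoso.local/contoso.local"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The DC inventory is the weak point of both checks: it must be kept current, and a legitimate DC promotion will also trigger the nTDSDSA rule, which is exactly the kind of change a defender wants to review rather than suppress. Auditing 4662 requires a SACL on the domain naming context for the replication rights, and 5136/5137 require Directory Service Changes auditing to be enabled.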
Demo
• DCSync attack
• DCShadow attack
Summary
https://aka.ms/AatpWebinarFeedback
Thank You for Joining Us!