ADRecon - Detection CHCON 2018

Transcript

1. Sydney Level 8, 59 Goulburn Street Sydney NSW 2000 Melbourne

   Level 15, 401 Docklands Drive Docklands VIC 3008 Tel. 1300 922 923 Intl. +61 2 9290 4444 www.senseofsecurity.com.au Sense of Security Pty Ltd ABN 14 098 237 908 @ITSecurityAU Compliance, Protection & Business Confidence 27/10/18 ADRecon: Active Directory Recon Detection Detection Prashant Mahajan

2. net user Prashant 27/10/18 net user Prashant Full Name Prashant

   Mahajan Job Title Senior Security Consultant Company Sense of Security Founder Member null – The Open Security Community (https://null.co.in) Project Manager null Jobs (https://jobs.null.co.in) Developer ADRecon (https://github.com/sense-of-security/ADRecon)

3. Agenda 27/10/18 • ADRecon • Detection • Detection

4. • ADRecon provides a holistic picture of the current state

   of AD environment. • Extracts & combines various artefacts from an Active Directory environment • The information is presented in specially formatted Excel report (optional) • Summary views with metrics to facilitate analysis (Excel Only) • Can be run by normal unprivileged domain user* from • a domain-member or • a standalone workstation * some features require privileged user account. 27/10/18 Sense of Security What is ADRecon ?

5. 27/10/18 Sense of Security Output Formats Supported

6. • Blue Team • Purple Team • Red Team •

   System administrators • Security professionals Friendly plug • Making Pentesters Sad: Low-hanging Fruit For Enterprise Defenders by Mike Loss at purplecon (15 November) • ADVANCED INFRASTRUCTURE HACKING - 2018 EDITION Training – NotSoSecure at BlackHat Europe 2018 (3 - 6 December) 27/10/18 Sense of Security Who uses ADRecon ?

7. 1. User credentials and access to a Windows host with

   network access to the Domain Controller • TCP 9389 for ADWS or • TCP 389 for LDAP 2. Windows Host Prerequisites • .NET Framework 3.0 or later (Windows 7 includes 3.0) • PowerShell 2.0 or later (Windows 7 includes 2.0) 3. Optional • Microsoft Excel (to generate the report) • Remote Server Administration Tools (RSAT): • Windows 10 (https://www.microsoft.com/en-au/download/details.aspx?id=45520) • Windows 7 (https://www.microsoft.com/en-au/download/details.aspx?id=7887) 27/10/18 Sense of Security Prerequisites

8. 27/10/18 Sense of Security Modules • Forest, Domain, Trusts, Sites,

   Subnets, • Default and Fine Grained* Password Policy (if implemented), • Domain Controllers, SMB versions, whether SMB Signing is supported and FSMO roles, • Users and their attributes, • Service Principal Names (SPNs), • Groups and memberships, • Organizational Units (OUs), • ACLs for the Domain, OUs, Root Containers and GroupPolicy objects, • GroupPolicy objects and gPLink details, • DNS Zones and Records, Printers, • Computers and their attributes, • LAPS passwords* (if implemented), • BitLocker Recovery Keys* (if implemented), • GPOReport (requires RSAT), and • Kerberoast (not included in the default collection method). * require privileged user account

9. 27/10/18 Sense of Security Kerberoast Module

10. • You can generate the GPO report using the following

    command*: ./ADRecon –Collect GPOReport • This command will generate html and xml GPOReports using the Get-GPOReport PowerShell module. • The xml file can be analysed using Grouper by Mike Loss (https://github.com/l0ss/Grouper) * can be executed from a standalone workstation by executing ADRecon using RUNAS runas /user:<Domain FQDN>\<Username> /netonly powershell.exe 27/10/18 Sense of Security GPOReport

11. 27/10/18 Sense of Security Demo Time https://pbs.twimg.com/media/DOn3sLsXUAAiW57.jpg

12. 27/10/18 Sense of Security Detection https://www.organicfacts.net/wp-content/uploads/cancatseathoney.jpg

13. • User and groups are directory objects and can be

    audited just like files/folders giving valuable audit information. • Group Policy: Windows Settings --> Security Settings --> Advanced Audit Policy Configuration --> DS Access --> Audit Directory Service Access. 27/10/18 Sense of Security Audit Directory Service Access https://community.softwaregrp.com/t5/Security-Research/Where-s-wald0-Sniffing-out-the-Bloodhound/ba-p/228770

14. 27/10/18 Sense of Security Audit Rules

15. • Event ID 4662 will be generated every time one

    of these objects is enumerated. 27/10/18 Sense of Security Event ID 4662

16. 27/10/18 Sense of Security Event ID 4662

17. 27/10/18 Sense of Security Too Many Logs ? http://tomstockton.us/pictures/062/too_many_logs.jpg

18. • Event ID 4662 will also be generated by normal/admin

    activity such as: • net user /domain • Get-WmiObject -Class Win32_UserAccount • Get-ADUser -Filter * (MS ActiveDirectory module) • Get-NetUser (PowerView) • Find Users, Contacts and Groups GUI • How to differentiate between attacker enumeration from normal activity? 27/10/18 Sense of Security What is normal ? http://www.labofapenetrationtester.com/2018/10/deploy-deception.html

19. • Deploy-Deception by Nikhil Mittal • A simple PowerShell module

    (uses the ActiveDirectory module cmdlets) which can be used to create decoy objects, set interesting attributes, turn on auditing for different Active Directory objects. • https://github.com/samratashok/Deploy-Deception • Automates deploying ”Deception Objects” • Turns on auditing for an uncommon attribute that only aggressive enumeration triggers the logging. 27/10/18 Sense of Security Deploy-Deception

20. • Can we enumerate all System Access Control List (SACL)

    ? 27/10/18 Sense of Security Detection

21. • Updated to enumerate SACLs for • Domain • OU

    • Root Containers • GPO • Users • Computers • Groups • Updated to enumerate DACLs Users, Computers and Groups. 27/10/18 Sense of Security ACL Module Update Release at CHCON18

22. 27/10/18 Sense of Security Demo Time https://memegenerator.net/img/instances/74674149.jpg

23. • Can we enumerate all System Access Control List (SACL)?

    27/10/18 Sense of Security Detection https://docs.microsoft.com/en-us/windows/desktop/ad/retrieving-an-objectampaposs-sacl

24. • Can we enumerate all System Access Control List (SACL)?

    “To set or get the SACL from an object security descriptor, the SE_SECURITY_NAME privilege must be enabled in the access token of the requesting thread. The administrators group has this privilege by default, and it can be assigned to other users or groups.” 27/10/18 Sense of Security Detection https://docs.microsoft.com/en-us/windows/desktop/ad/retrieving-an-objectampaposs-sacl

25. • Updated to enumerate SACLs* for • Domain • OU

    • Root Containers • GPO • Users • Computers • Groups • Updated to enumerate DACLs Users, Computers and Groups. * requires privileged user account. 27/10/18 Sense of Security ACL Module Update Release at CHCON18

26. 27/10/18 Sense of Security Github: https://github.com/sense-of-security/ADRecon Twitter: ADRecon @ad_recon Author:

    @prashant3535

27. Sydney Level 8, 59 Goulburn Street Sydney NSW 2000 Melbourne

    Level 15, 401 Docklands Drive Docklands VIC 3008 Tel. 1300 922 923 Intl. +61 2 9290 4444 www.senseofsecurity.com.au Sense of Security Pty Ltd ABN 14 098 237 908 @ITSecurityAU Security, it’s all we do. Knowledge, Experience & Trust. Questions? Github: https://github.com/sense-of- security/ADRecon Twitter: ADRecon @ad_recon Author: @prashant3535 27/10/18

28. Sydney Level 8, 59 Goulburn Street Sydney NSW 2000 Melbourne

    Level 15, 401 Docklands Drive Docklands VIC 3008 Tel. 1300 922 923 Intl. +61 2 9290 4444 www.senseofsecurity.com.au Sense of Security Pty Ltd ABN 14 098 237 908 @ITSecurityAU Security, it’s all we do. Knowledge, Experience & Trust. Thank You! © 2002 – 2018 Sense of Security Pty Limited. All rights reserved. Some images used under license from Shutterstock.com or with permission from respective trademark owners. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher. Github: https://github.com/sense-of-security/ADRecon Twitter: ADRecon @ad_recon Author: @prashant3535

29. • What Are Active Directory Functional Levels? (https://technet.microsoft.com/en-us/library/cc787290(v=ws.10).aspx) • The

    KRBTGT Account – What is it ? (https://blogs.technet.microsoft.com/janelewis/2006/12/19/the-krbtgt-account-what-is-it/) • Active Directory Service Principal Names (SPNs) Descriptions (https://adsecurity.org/?page_id=183) • Privileged Accounts and Groups in Active Directory (https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/security-best- practices/Appendix-B--Privileged-Accounts-and-Groups-in-Active-Directory.md) • How to use the UserAccountControl flags to manipulate user account properties (https://support.microsoft.com/en- au/kb/305144) • All Active Directory Attributes (https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx) • Infrastructure FSMO Role (https://msdn.microsoft.com/en-us/library/cc223753.aspx) • Active Directory: Password Policies (https://social.technet.microsoft.com/wiki/contents/articles/24159.active-directory- password-policies.aspx) • Active Directory-Integrated DNS Zone (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory- integrated-dns-zones) • PowerView (https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView) • BloodHound (https://github.com/BloodHoundAD/BloodHound) • Grouper (https://github.com/l0ss/Grouper) • Get-LAPSPasswords (https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1) • PowerShell Code: ADSI Convert Domain Distinguished Name to Fully Qualified Domain Name (https://adsecurity.org/?p=440) • Active Directory OU Permissions Report (https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989) • Active Directory password attribute selection (https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.security/ad_password_attribute_selection.htm) • unicodePwd (https://msdn.microsoft.com/en-us/library/cc223248.aspx) • userPassword (https://msdn.microsoft.com/en-us/library/cc223249.aspx) 27/10/18 Sense of Security Resources

30. Building your own AD Lab • Building an Effective Active

    Directory Lab Environment for Testing (https://adsecurity.org/?p=2653) • Setting up an Active Directory Lab (https://www.psattack.com/articles/20160718/setting-up-an-active- directory-lab-part-1/) • Detection Lab (https://github.com/clong/DetectionLab) • AutomatedLab (https://github.com/AutomatedLab/AutomatedLab) • Invoke-ADLabDeployer (https://github.com/outflanknl/Invoke- ADLabDeployer) • Creating Real Looking User Accounts in AD Lab (https://www.darkoperator.com/blog/2016/7/30/creating-real-looking- user-accounts-in-ad-lab) • Create Lab User Accounts 2.0 (https://gallery.technet.microsoft.com/Create-Lab-User-Accounts- 844f7ba1)