adsecurity.orgActive Directory Security – Active Directory & Enterprise

Active Directory Security – Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia… Toggle search form Toggle navigation Active Directory Security Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia… Home About AD Resources Attack Defense & Detection Contact Mimikatz Presentations Schema Versions Security Resources SPNs Top Posts What is Azure Active Directory? Many are familiar with Active Directory, the on-premises directory and authentication system that is available with Windows Server, but exactly what is Azure Active Directory? Azure Active Directory (Azure AD or AAD) is a multi-tenant … Slides Posted for Black Hat USA 2019 Talk: Attacking & Defending the Microsoft Cloud Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD) Sean Metcalf (Trimarc) & Mark Morowczynski (Principal Program Manager, Microsoft) The allure of the “Cloud” is indisputable. Organizations are moving into the cloud at … AD Reading: Windows Server 2019 Active Directory Features Windows Server 2019 has several new features, though nothing in this list is related to AD. Note that there is no Windows Server 2019 AD Forest/Domain Functional Level. There are no new features for Active … There’s Something About Service Accounts Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges (“just make … Mitigating Exchange Permission Paths to Domain Admins in Active Directory This article is a cross-post from TrimarcSecurity.comOriginal article: https://www.trimarcsecurity.com/single-post/2019/02/12/Mitigating-Exchange-Permission-Paths-to-Domain-Admins-in-Active-Directory The Issue Recently a blog post was published by Dirk-jan Mollema titled “Abusing Exchange: One API call away from Domain Admin ” (https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/)which highlighted several issues with … Previous Next Jan 01 2016 Attack Methods for Gaining Domain Admin Rights in Active Directory By Sean Metcalf in ActiveDirectorySecurity , Microsoft Security , Technical Reference There are many ways an attacker can gain Domain Admin rights in Active Directory. This post is meant to describe some of the more popular ones in current use. The techniques described here “assume breach” where an attacker already has a foothold on an internal system and has gained domain user credentials (aka post-exploitation). The unfortunate reality for most enterprises, is that it often does not take long from an attacker to go from domain user to domain admin. The question on defenders’ minds is “how does this happen?”. The attack frequently starts with a spear-phishing email to one or more users enabling the attacker to get their code running on a computer inside the target network. Once the attacker has their code running inside the enterprise, the first step is performing reconnaissance to discover useful resources to escalate permissions, persist, and of course, plunder information (often the “crown jewels” of an organization). While the overall process detail varies, the overall theme remains: Malware Injection (Spear-Phish, Web Exploits, etc) Reconnaissance (Internal) Credential Theft Exploitation & Privilege Escalation Data Access & Exfiltration Persistence (retaining access) We start with the attacker having a foothold inside the enterprise, since this is often not difficult in modern networks. Furthermore, it is also typically not difficult for the attacker to escalate from having user rights on the workstation to having local administrator rights. This escalation can occur by either exploiting an unpatched privilege escalation vulnerability on the system or more frequently, finding local admin passwords in SYSVOL, such as Group Policy Preferences. I spoke about most of these techniques when at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON, & DerbyCon) . I also covered some of these issues in the post “ The Most Common Active Directory Security Issues and What You Can Do to Fix Them “. Continue reading ActiveDirectory , administratorpassword , AESprivatekey , AESsharedsecret , cpassword , CredentialTheft , CredentialTheftShuffle , DomainAdmins , DomainController , DumpCredentiasls , DumpLSASS , EnterpriseAdmins , Get-GPPPassword , GoldenTickets , GPP , GroupPolicyPreferences , groups.xml , IFM , InstallFromMedia , KB2962486 , KB3011780 , Kekeo , Kerberoast , Kerberos , KerberosHacking , LAPS , lateralmovement , localadministratoraccountpassword , LSASS , LSASSDumpFile , MicrosoftLAPS , mimikatz , MS14068 , ms14068.exe , MS14068Exploit , MSDN , ntds.dit , PAWS , Persistence , PowerSploit , PyKEK , RC4_HMAC_MD5 , RDP , RunAs , scheduledtasks.xml , separateAdminWorkstation , ServicePrincipalName , Services.xml , SPN , systemcompromise , SYSVOL , TGS , TGSCracking , TGT , xml 2 comments Oct 14 2015 The Most Common Active Directory Security Issues and What You Can Do to Fix Them By Sean Metcalf in ActiveDirectorySecurity , Microsoft Security , Technical Reference The past couple of years of meeting with customers is enlightening since every environment, though unique, often has the same issues. These issues often boil down to legacy management of the enterprise Microsoft platform going back a decade or more. I spoke about Active Directory attack and defense at several security conferences this year including BSides, Shakacon, Black Hat, DEF CON, and DerbyCon. These talks include information about how to best protect the Active Directory enterprise from the latest, and most successful, attack vectors . While the threats have changed over the past decade, the way systems and networks are managed often have not. We continue with the same operations and support paradigm despite the fact that internal systems are compromised regularly. We must embrace the new reality of “ Assume Breach .” Assume breach means that we must assume that an attacker has control of a computer on the internal network and can access the same resources the users who have recently logged on to that computer has access to. Note that when I describe risks and mitigations of Active Directory,this includes overall enterprise configuration. Here are some of the biggest AD security issues (as I see them). This list is not complete, but reflects common enterprise issues. I continue to find many of these issues when I perform Active Directory Security Assessments for organizations. Continue reading ActiveDirectoryAttack , ActiveDirectoryDefense , ActiveDirectorySecurity , CommonSecurityIssues , DomainControllerSecurity , EnterpriseSecurity Jan 12 2020 What is Azure Active Directory? By Sean Metcalf in Technical Reference Many are familiar with Active Directory, the on-premises directory and authentication system that is available with Windows Server, but exactly what is Azure Active Directory ? Azure Active Directory (Azure AD or AAD) is a multi-tenant cloud directory and authentication service. Azure AD is the directory service that Office 365 (and Azure) leverages for account, groups, and roles. It is also an Identity Provider (IPD) and supports federation (SAML, etc). Note: given how rapidly the cloud changes, elements of this post may become out of date soon after the original post date. Azure AD is highly available and globally deployed. Azure AD is deployed in over 30 datacenters around the world leveraging Azure Availability Zones where present. This number is growing rapidly as additional Azure Regions are deployed. For durability, any piece of data written to Azure AD is replicated to at least 4 and up to 13 datacenters depending on your tenant configuration. Within...