Dentist: "Have you been flossing?"
Me: ..........
Dentist: ..........
Me: "Do you ensure all of your web account passwords are unique, especially for things like bank websites?"
Dentist: ..........
Me: ..........
Dentist: "So, see you in 6 months?"
Me: "Sure"
Due to breaches involving MFA bombing (attacker keeps sending MFA requests until accepted) now is the time for organizations with Office 365 to enable MFA number matching in Microsoft Authenticator. You can deploy to a group before configuring for all.
1/3
Patch your Domain Controllers running DNS (typical config, so most orgs) ASAP.
DNS remote code execution vulnerability which runs as LocalSystem on Windows DNS server (usually a DC).
Updated ADSecurity posts w/ event IDs to focus on when enabling logging & why they matter.
Securing Windows Workstations:
Securing Domain Controllers:
I'll work on getting this into a consolidated post on recommended event auditing.
Reason #317 why Admin workstations are now required for secure AD administration.
RDP from a standard user workstation to a server using DA creds is not secure, even when using MFA (once DA username & pw are discovered, attacker can connect via LDAP which won’t require MFA).
I wrote up a quick POC, RemoteViewing, to demo RDP credential theft (adapted from @0x09AL post => ) using EasyHook and Donut ☠️🖥️. More details on GitHub =>
New post: "Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory"
Provides some attack scenarios and mitigation.
If you have RODCs in your #ActiveDirectory environment, you should read this.
Slides from my Blue Hat talk today on "Active Directory Security: The Journey" now posted on .
I cover history of AD security features, enterprise application AD permission issues, and discuss Microsoft's AD security guidance.
Keyboard walking or pattern passwords are easily guessed. Attackers include these types of passwords since admins use them (they certainly look random and complex) and they are often used as service account passwords.
Image reference article:
"TLDR: You can sniff BitLocker keys in the default config, ... TPM1.2 or TPM2.0 device, using a dirt cheap FPGA (~$40NZD) and now publicly available code,.... After sniffing, you can decrypt the drive. Don’t want to be vulnerable ...? Enable additional pre-boot authentication."
I recently taught my kids to reply "ACK" when I tell them something & I need to know they heard me.
"We're leaving in 10 minutes"
"ACK" "ACK"
I haven't told my wife to expect this or what it means 😄
Lot going on this week, so let's focus on some positive.
Review Active Directory security posture
Detect Kerberoasting
Detect Password Spraying
Configuring AD Honeypot Accounts
Hi, I’m Sean.
I don’t have a degree.
I have learned everything I know by reading, on the job experience, studying for industry certifications, & playing around in lab environments. And a bunch of guesswork.
Don’t let the lack of a degree hold you back.
It's sad to me the number of super talented people that I know and meet that are scared away from a career in #CyberSecurity just because they don't have a degree.
My #BSidesCharm talk "You Moved to Office 365, Now What?" slides & video posted. I cover key Microsoft Cloud (Azure AD & Office 365) security controls and recommendations.
Slides (& other presentations):
Video:
After an extended delay, the ADSecurity unofficial Mimikatz guide is now current & updated for #Mimikatz version 2.1.1 (November 28, 2017). Includes all modules & commands.
Tweet Thread on Resumes & Interviewing & things I look for (IT/Infosec focused).
I have likely seen hundreds of resumes (aka CVs) and interviewed many dozens of people in various positions. Here's what I've learned.
Please share in this thread some defensive techniques that are relatively simple to configure/deploy and have a high success rate (low false positives).
I'll start:
* Detect Kerberoasting:
* Detect PW Spraying:
#BlueTeam
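Added example (my code, not from the feed): a PowerShell check a blue team can run against a Domain Controller to surface the Kerberoasting pattern the thread points at. It reads Security event 4769 (Kerberos service ticket requested) and flags RC4 tickets (TicketEncryptionType 0x17) issued for non-computer accounts, grouped by the requesting user, plus any ticket request for a honeypot account (see "Configuring AD Honeypot Accounts" above). The log, event ID and field names are standard Windows auditing; the look-back window, the threshold and the honeypot account name are assumptions to tune for your environment.

```powershell
# Added example: flag likely Kerberoasting from DC Security event 4769.
# Requires 'Audit Kerberos Service Ticket Operations' (success) on the DC
# and rights to read its Security log. Not code from the original feed.
function Get-KerberoastCandidates {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # DC to query
        [int]$Hours = 24,                            # look-back window (assumption)
        [int]$Threshold = 5,                         # distinct RC4 SPN accounts per user before flagging (assumption)
        [string[]]$HoneypotAccounts = @()            # e.g. 'svc-honey'; any request is an alert (assumption)
    )

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4769
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Pull the named EventData fields out of each event's XML
    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = $data['TargetUserName']
            Service  = $data['ServiceName']
            EncType  = $data['TicketEncryptionType']   # 0x17 = RC4-HMAC, 0x12 = AES256
            Status   = $data['Status']                 # 0x0 = ticket issued
            ClientIP = ($data['IpAddress'] -replace '^::ffff:', '')
        }
    }

    # Honeypot accounts: nothing legitimate should ever request a ticket for them
    $rows | Where-Object { $HoneypotAccounts -contains $_.Service } | ForEach-Object {
        [pscustomobject]@{ User = $_.User; DistinctSPNs = 1; Services = $_.Service
                           SourceIPs = $_.ClientIP; Reason = 'honeypot account SPN requested' }
    }

    # RC4 tickets issued for accounts that are not computers ($) and not krbtgt
    $rc4 = $rows | Where-Object {
        $_.EncType -eq '0x17' -and $_.Status -eq '0x0' -and
        $_.Service -notlike '*$' -and $_.Service -notmatch '^krbtgt'
    }

    $rc4 | Group-Object User | ForEach-Object {
        $services = @($_.Group.Service | Sort-Object -Unique)
        [pscustomobject]@{
            User         = $_.Name
            DistinctSPNs = $services.Count
            Services     = ($services -join ', ')
            SourceIPs    = (@($_.Group.ClientIP | Sort-Object -Unique) -join ', ')
            Reason       = "RC4 service tickets for $($services.Count) distinct accounts in $Hours h"
        }
    } | Where-Object { $_.DistinctSPNs -ge $Threshold }
}

Get-KerberoastCandidates -Hours 24 -Threshold 5 -HoneypotAccounts 'svc-honey' |
    Sort-Object DistinctSPNs -Descending | Format-Table -AutoSize
```

A user pulling RC4 tickets for several unrelated service accounts within minutes is the signature; moving service accounts to AES-only keys makes the 0x17 filter itself a loud alert.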
Your occasional reminder that the following do not require AD admin (DA, etc) rights:
* Cisco
* Exchange
* LDAP Bind
* SQL
* VMWare (& related)
* Accounts need local admin on workstations (use Workstation Admins)
* Accounts need local admin on servers (use Server Admins)
New post on how to detect Password Spraying using Domain Controller logging (4625 & 4771), domain computer logging (4648), & Active Directory attributes.
Enjoy!
Trimarc Research recently published how to detect Password Spraying. Includes Domain Controllers & domain-joined computers logging configuration with event ID correlation rules. We also include a PowerShell command to detect in Active Directory (LDAP).
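Added example (my code, not Trimarc's script) showing the two detections the posts above describe: correlating DC events 4771 (Kerberos pre-auth failed, Status 0x18 = bad password) and 4625 (logon failure, SubStatus 0xC000006A = bad password) by source address, and querying each DC over LDAP for accounts with a recent badPasswordTime (badPwdCount/badPasswordTime are not replicated, so every DC must be asked). Event IDs, status codes and attribute names are standard; the window and the "distinct accounts per source" threshold are assumptions.

```powershell
# Added example: password-spray detection from DC logs and from AD attributes.
# Not code from the original feed; thresholds and windows are assumptions.
function Get-PasswordSprayCandidates {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # DC whose Security log to read
        [int]$Minutes = 60,                          # window (assumption)
        [int]$MinAccounts = 10                       # distinct accounts per source to flag (assumption)
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4625, 4771; StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue

    $failures = foreach ($e in $events) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($e.Id -eq 4771) {
            if ($d['Status'] -ne '0x18') { continue }            # keep only "bad password"
            $proto = 'Kerberos'; $src = $d['IpAddress'] -replace '^::ffff:', ''
        } else {
            if ($d['SubStatus'] -ne '0xC000006A') { continue }   # keep only "bad password"
            $proto = 'NTLM'; $src = $d['IpAddress']
        }
        [pscustomobject]@{ Time = $e.TimeCreated; Proto = $proto; User = $d['TargetUserName']; Source = $src }
    }

    # Spray signature: one source, many distinct accounts, few attempts per account
    $failures | Group-Object Source | ForEach-Object {
        $users = @($_.Group.User | Sort-Object -Unique)
        [pscustomobject]@{
            Source        = $_.Name
            DistinctUsers = $users.Count
            Attempts      = $_.Count
            PerUser       = [math]::Round($_.Count / [math]::Max(1, $users.Count), 2)
            Protocols     = (@($_.Group.Proto | Sort-Object -Unique) -join ',')
            First         = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last          = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Where-Object { $_.DistinctUsers -ge $MinAccounts }
}

function Get-RecentBadPasswordAccounts {
    param([int]$Minutes = 60)
    $since = (Get-Date).AddMinutes(-$Minutes).ToFileTimeUtc()
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        # badPasswordTime is per-DC (not replicated), so query each DC directly
        Get-ADUser -Server $dc -LDAPFilter "(badPasswordTime>=$since)" `
            -Properties badPwdCount, badPasswordTime, lockoutTime -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                DC              = $dc
                Account         = $_.SamAccountName
                BadPwdCount     = $_.badPwdCount
                BadPasswordTime = [DateTime]::FromFileTimeUtc($_.badPasswordTime).ToLocalTime()
                LockedOut       = ($_.lockoutTime -gt 0)
            }
        }
    }
}

Get-PasswordSprayCandidates -Minutes 60 -MinAccounts 10 | Format-Table -AutoSize
# Many accounts with badPwdCount=1 in the same window on one DC is the same signature seen from AD
$hits = Get-RecentBadPasswordAccounts -Minutes 60
"{0} accounts had a bad password in the last hour across all DCs" -f @($hits | Select-Object -Unique Account).Count
```

The 4648 events the post mentions live on the domain-joined computer the spray was launched from (explicit credential use), so they are the next place to look once a source address is known.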
Slides for my @BlackHatEvents talk "From Workstation to Domain Admin: Why Secure Administration isn't Secure and How to Fix it" from earlier today are now uploaded to .
Enjoy!
#BlackHat2018
Even better, remove Authenticated Users from "Add workstations to domain" rights as set in the Default Domain Controllers Policy GPO (default).
Note: anyone with the ability to create computer objects in OUs can still "pre-create" the object & join a computer with the same name.
One of the smallest changes with huge effect you can make to Active Directory to help secure it against a LOT of attack paths is changing the attribute ms-DS-MachineAccountQuota = 0. Do this now, do it on Monday, but it adds a pretty decent barrier to many attack paths.
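Added example (my code, not from the feed) for the three points above: read and set ms-DS-MachineAccountQuota, list computer accounts that were already joined under the quota (mS-DS-CreatorSID is only populated on those), and find OUs where principals other than the admin groups can create computer objects, which the quota does not stop. The computer class schemaIDGUID is the standard one; the "ignore" list of principals is an assumption. The "Add workstations to domain" user right itself is a GPO setting and is not changed here.

```powershell
# Added example: ms-DS-MachineAccountQuota review and the gaps it does not close.
# Not code from the original feed. Remove -WhatIf to actually change the quota.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$root   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota is currently: $($root.'ms-DS-MachineAccountQuota')  (default is 10)"

Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf

# Computers joined by ordinary users under the quota carry the creator's SID
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', Created, OperatingSystem |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $who; Created = $_.Created; OS = $_.OperatingSystem }
    } | Format-Table -AutoSize

# Quota 0 does not stop anyone who can create computer objects directly in an OU
# (or pre-create one with the intended name and join to it); list those grants.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$ignore = '^(NT AUTHORITY\\SYSTEM|.*\\Domain Admins|.*\\Enterprise Admins|.*\\Administrators)$'   # assumption
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $ou = $_
    (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notmatch $ignore -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
        ($_.ObjectType -eq $computerClassGuid -or $_.ObjectType -eq [guid]::Empty)   # computers, or any child type
    } | ForEach-Object {
        [pscustomobject]@{ OU = $ou.DistinguishedName; Principal = $_.IdentityReference.Value
                           Rights = $_.ActiveDirectoryRights; Inherited = $_.IsInherited }
    }
} | Format-Table -AutoSize
```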
If you followed me for tech, stay for the human related content that is my current focus. I can't tech right now.
I didn't join Twitter for followers, but learn tech/infosec & connect with amazing people
Take this time to learn about others & their struggle & be empathetic
My take: Many Azure AD (AAD) environments are repeating same mistakes as they did with Active Directory.
Improve AAD Security:
1. Use PIM to control AAD roles (limit permanent members)
2. Only admin accounts in AAD roles
3. Ensure cloud admins use admin systems
Thread 1/3
Here's the list of Blue Team folks to follow on Twitter.
I am putting this together as a reference slide for my @BlueTeamCon keynote on Saturday.
I created a Twitter list with these names also (updating now).
I will update these references when possible
#ActiveDirectorySecurityTips
Run this AD module cmd:
Get-ADGroupMember 'Administrators' -Recursive | % {Get-ADUser $_ -prop ServicePrincipalName} | Where {$_.ServicePrincipalName}
Investigate & remove any SPNs on 'people' accounts. Determine why service accounts are AD admins.
Ransomware & the recent SolarWinds attacks take advantage of environment misconfigurations & over-privileged systems.
We published 20 Active Directory security checks you can perform (& include a PowerShell script to collect data) to improve AD security.
Faking an AD account password change is possible (including on the krbtgt account), but detectable.
Check "User must change password at next logon", Apply, uncheck, Apply.
Boom, password last set date is changed, but the actual password is not.
UnicodePWD = password attribute
Calling all vendors that "require" their service account to be in Domain Admins.
Cisco updated their process and documentation to show customers how a product can work without elevated AD rights. Your move.
@HeyCisco
Thank you very much Cisco!
This is how you help organizations become more secure. Update documentation to enable customers to shift away from service accounts in Domain Admins.
After over a year of battling with serious health issues, my Dad passed away this evening.
It’s been rough the past few months watching him decline and see his sharp mind disappear.
In lieu of flowers, please be awesome to each other & tell your loved ones how you feel.
My kid is interested in how visible things posted on the internet are.
So please do me a favor & if you see this, reply where in the world you are.
Retweet for reach.
#DinnerConversation
Slides & Video for my #DerbyCon talk on advanced #ActiveDirectorySecurity topics now posted.
I cover:
* Most common AD Security issues
* Offline DC attacks that aren't logged (thanks @MGrafnetter!)
* Detecting & Breaking AD Recon
Slides & Video Link:
Fresh off the press!
Trimarc providing a free PowerShell script to gather data to identify potential AD security issues. Article includes some Trimarc recommendations as well:
Here's the webcast where I walked through these items:
Trimarc just released a free PowerShell script "Invoke-TrimarcADChecks" that Sean Metcalf (@PyroTek3) covered in his recent Webcast
Download the script along with what it gathers, what to review, & Trimarc recommendations
Kerberos delegation = AD Account impersonation.
Convert accounts configured with unconstrained delegation to constrained.
Configure AD admin accounts (pref all admin accounts) with "Account is Sensitive and cannot be delegated" to protect them against Kerberos delegation attacks.
Exploit code is public
You must patch all Domain Controllers (Dec 8th patch) AND set following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc
Set NonForwardableDelegation to 0
Test before setting
Regkey is set in Feb 2021 patch
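Added example (my code, not from the feed) covering the two delegation posts above: inventory unconstrained, constrained (with/without protocol transition) and resource-based delegation, flag admin accounts that are not yet "sensitive and cannot be delegated" and fix them, and read the KDC NonForwardableDelegation value on every DC (0 = enforcement, per the post). The userAccountControl bit values and LDAP matching rules are standard; the placeholder service account and SPN in the commented conversion step are assumptions.

```powershell
# Added example: Kerberos delegation audit + CVE-2020-17049 enforcement check.
# Not code from the original feed. Remove -WhatIf to apply the AccountNotDelegated fix.
Import-Module ActiveDirectory

# userAccountControl bits (LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803)
$TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained with protocol transition
$NOT_DELEGATED                  = 0x100000    # "Account is sensitive and cannot be delegated"

# 1) Unconstrained delegation on anything that is not a writable DC (primaryGroupID 516) or RODC (521)
Get-ADObject -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)(!(primaryGroupID=516))(!(primaryGroupID=521)))" `
    -Properties samAccountName, objectClass, servicePrincipalName |
    Select-Object @{n='Account';e={$_.samAccountName}}, objectClass,
        @{n='Delegation';e={'Unconstrained'}}, @{n='Detail';e={(@($_.servicePrincipalName) -join ' ')}}

# 2) Constrained delegation (msDS-AllowedToDelegateTo), noting protocol transition
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties samAccountName, objectClass, 'msDS-AllowedToDelegateTo', userAccountControl |
    Select-Object @{n='Account';e={$_.samAccountName}}, objectClass,
        @{n='Delegation';e={ if ($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {'Constrained + protocol transition'} else {'Constrained'} }},
        @{n='Detail';e={(@($_.'msDS-AllowedToDelegateTo') -join ' ')}}

# 3) Resource-based constrained delegation configured on the target object
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties samAccountName |
    Select-Object @{n='Account';e={$_.samAccountName}}, @{n='Delegation';e={'RBCD (target side)'}}

# 4) Members of Administrators (nested) that can still be delegated
$adminsDn = (Get-ADGroup 'Administrators').DistinguishedName
Get-ADUser -LDAPFilter "(&(memberOf:1.2.840.113556.1.4.1941:=$adminsDn)(!(userAccountControl:1.2.840.113556.1.4.803:=$NOT_DELEGATED)))" |
    ForEach-Object {
        "Admin $($_.SamAccountName) is delegatable; setting AccountNotDelegated"
        Set-ADUser -Identity $_ -AccountNotDelegated $true -WhatIf
    }

# Converting an unconstrained account to constrained: clear the flag, then list only
# the SPNs it really needs ('svc-app' and the SPN below are placeholders, not real targets):
# Set-ADAccountControl -Identity 'svc-app' -TrustedForDelegation $false
# Set-ADObject -Identity (Get-ADUser 'svc-app').DistinguishedName -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/web01.corp.example' }

# 5) CVE-2020-17049 ("Bronze Bit") enforcement value on every DC
Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $val = (Get-ItemProperty -Path $key -Name NonForwardableDelegation -ErrorAction SilentlyContinue).NonForwardableDelegation
    $shown = if ($null -eq $val) { '(not set)' } else { $val }
    [pscustomobject]@{ DC = $env:COMPUTERNAME; NonForwardableDelegation = $shown }
} | Format-Table -AutoSize
```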
Just merged @jakekarnes42 implementation of CVE-2020-17049 (aka Kerberos Bronze Bit Attack). Great stuff and thorough explanations in the blog posts. Great research Jake! Enjoy!
"If [Kerberos] preauthentication isn’t enabled, an attacker can send an AS-REQ for any user that doesn’t have preauth required and receive a bit of encrypted material back that can be cracked offline to reveal the target user’s password."
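Added example (my code, not from the feed) for the condition quoted above: list accounts with "Do not require Kerberos preauthentication" set (userAccountControl bit 0x400000) with whether they are privileged, look for the matching request pattern on a DC (event 4768, TGT requested, with PreAuthType 0), and re-enable pre-auth. The bit value, event ID and field names are standard; the look-back window is an assumption.

```powershell
# Added example: AS-REP roastable accounts, the DC-side signal, and the fix.
# Not code from the original feed. Remove -WhatIf to apply the fix.
Import-Module ActiveDirectory
$DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit 4194304

function Get-ASREPRoastableAccounts {
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH)" `
        -Properties adminCount, servicePrincipalName, PasswordLastSet, Enabled, memberOf |
    Select-Object SamAccountName, Enabled, PasswordLastSet,
        @{n='Privileged'; e={ $_.adminCount -eq 1 }},
        @{n='HasSPN';     e={ [bool]$_.servicePrincipalName }},
        @{n='Groups';     e={ (@($_.memberOf) -replace '^CN=([^,]+),.*', '$1') -join ', ' }}
}

function Get-NoPreauthTgtRequests {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)   # window is an assumption
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['PreAuthType'] -eq '0' -and $d['Status'] -eq '0x0') {   # TGT issued without pre-auth
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']
                               Source = ($d['IpAddress'] -replace '^::ffff:', ''); EncType = $d['TicketEncryptionType'] }
        }
    }
}

Get-ASREPRoastableAccounts | Format-Table -AutoSize
Get-NoPreauthTgtRequests | Group-Object User, Source | Select-Object Count, Name | Format-Table -AutoSize

# Fix: require pre-authentication again
Get-ASREPRoastableAccounts | ForEach-Object {
    Set-ADAccountControl -Identity $_.SamAccountName -DoesNotRequirePreAuth $false -WhatIf
}
```

An account that legitimately needs pre-auth disabled (rare, usually an old non-Windows client) should at least have a long random password and never be privileged.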
Would you be interested in an end of year wrap-up that highlights the biggest issues we see in Active Directory, Azure AD environments?
Sort of a “State of Identity Security” year in review - biggest issues. What’s trending, etc.
What sort of information would you want to see?
Since moving away from AD is likely years away (Azure AD, etc), run Bloodhound.
Also run this free PowerShell script I published with key AD security items to review/fix. Follow the recommendations in this post & level up your AD security posture!
If you are on a Blue Team, or IT Team, and you aren't running BloodHound REGULARLY, you are doing yourself a disservice. As a CTO I would either get rid of AD, or have BloodHound statistics be a top KPI/OKR for my org.
This morning in BloodHoundGang Slack () somebody asked how to stop BloodHound data gathering.
Our answer? Don't focus on specific tools, focus on 1) gathering attack path info as a defender, *AND* 2) stop users from running arbitrary EXE's
(1/2)
Advice to a younger me:
* Travel & see new places
* Save $1,000 in the bank & don't touch it. When you need it, you'll REALLY need it.
* Learn to code. Something. Anything. Python, PowerShell, etc.
* Have an idea? Start a business (start on side).
* Fail. And learn from it.
Active Directory continues to be targeted by attackers.
Improve AD security in just weeks
1. Check your AD for common security issues
2. Review & implement recommendations in this free paper on how to quickly level up AD security
We find accounts with passwords in AD account attributes about 15% of the time during assessments. Admins have assumed that the attributes were only visible through AD admin tools.
Sometimes these accounts are privileged.
@pamelarosiedee @PyroTek3 Recently I did work for a company who made all their service accounts domain admins. “It’s safer that way” they said.
They also put the password in the description field. You know, the one that domain users have read access to?
“Yea but we’re the only ones with ADUC”
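Added example (my code, not from the feed or the reply above) that does what an attacker with any domain account can do: read attributes that Authenticated Users can see (description, info, comment) plus the legacy password attributes some schemas carry, and grep them for password-looking text, marking privileged hits. The attribute list and the regex are assumptions to tune; running it as a plain domain user (-Credential) proves the point the reply makes about ADUC not being the only reader.

```powershell
# Added example: find passwords stored in AD account attributes.
# Not code from the original feed. Attribute list and pattern are assumptions.
Import-Module ActiveDirectory
function Find-PasswordsInADAttributes {
    param(
        [string[]]$Attributes = @('description', 'info', 'comment', 'userPassword', 'unixUserPassword', 'msSFU30Password'),
        [string]$Pattern = '(?i)\b(pass(word|wd)?|pwd|pw)\b\s*[:=]?\s*\S+',
        [pscredential]$Credential   # optional: run as an ordinary domain user to show what they can read
    )
    $props = $Attributes + @('adminCount', 'samAccountName', 'objectClass')
    $query = @{ LDAPFilter = '(objectClass=user)'; Properties = $props }   # objectClass=user also matches computers
    if ($Credential) { $query['Credential'] = $Credential }

    Get-ADObject @query | ForEach-Object {
        $obj = $_
        foreach ($a in $Attributes) {
            $val = $obj.$a
            if ($null -eq $val) { continue }
            # octet-string attributes (e.g. userPassword) come back as byte[]
            $text = if ($val -is [byte[]]) { [Text.Encoding]::UTF8.GetString($val) } else { "$val" }
            if ($text -match $Pattern) {
                [pscustomobject]@{
                    Account    = $obj.samAccountName
                    Class      = $obj.objectClass
                    Attribute  = $a
                    Value      = $text
                    Privileged = ($obj.adminCount -eq 1)
                }
            }
        }
    }
}

Find-PasswordsInADAttributes | Sort-Object Privileged -Descending | Format-Table -AutoSize
```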
Today at Black Hat @markmorow & I presented on "Attacking & Defending the Microsoft Cloud."
Slides are now available to download:
We covered several attacks (& defense): password spray, token theft, password reuse, on-prem cloud integration, & more!
I recently was asked for some good reasons why users should not have local admin rights to the workstation. The attached image includes my initial response.
Admin accounts should not have local admin to their workstations either - separate account(s) should be used to manage
Just posted how to escalate to Domain Admin in Azure AD Domain Services (Microsoft’s hosted Active Directory) leveraging Shay Ber’s DNSAdmin trick.
Interesting thing about this is customers are not supposed to have or be able to get Domain Admin rights
If your Active Directory minimum password length is less than 10 characters (AD default is 7), this is the perfect time to work to get that increased.
Password spraying is a real threat, as is Kerberoasting. Small password lengths are dangerous on modern networks.
I am really excited about my Active Directory security talk tomorrow at 11am (#DerbyCon Track 1)
I am covering:
* Top 15 Most Common AD Security Issues Trimarc Discovers
* Tracking/Breaking AD Recon
* Offline Domain Controller Attacks
* Securing AD must do's
This past weekend, I gave a non-tech talk @BSidesCharm called "FailTime: Failing Towards Success". Many topics covered - my failures, what I've learned & advice. Also includes my Life Tips.
Slides include talk notes.
Slides:
Video:
How many user accounts should be in Global Administrator in Azure AD?
The answer is NONE.
Create new admin accounts in your tenant "onmicrosoft" account & require MFA (Security Defaults/Conditional Access/etc).
Add Azure AD P2 licenses for admin accounts & enable Azure AD PIM.
How many SQL service accounts should be in Domain Admins?
The answer is NONE.
Check Domain Admins, Administrators, & Enterprise Admins membership & remove the following from these groups:
* Exch (Exchange)
* SQL
* VMAdmin (VMWare)
* Azure/Azure AD
* VPN
Microsoft has recreated the Active Directory Forest in the cloud 😆
Tenants (domains) now can be joined together (in a cloud forest)
(and remember, it’s Entra ID, not Azure Active Directory)
New blog post on the Microsoft Cloud:
What is Azure Active Directory?
Post covers what Azure AD is, how it compares to on-prem Active Directory, connecting via PowerShell, and password spraying attacks, mitigation, & detection.
We see passwords in SYSVOL on Active Directory Security Assessments about 15% of the time. They have usually been set & forgotten.
Impact ranges from server admin to DA to full compromise of sensitive databases.
There is no reason for passwords in SYSVOL (in GPP or scripts).
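Added example (my code, not from the feed): scan SYSVOL for the two places the post names, Group Policy Preferences XML with a cpassword value (decryptable by anyone, since Microsoft published the AES key) and logon scripts or config files with password-looking strings, and map each hit back to the GPO name. The GPP file names are the ones that can carry cpassword; the script extensions and the text pattern are assumptions you will want to tune.

```powershell
# Added example: find passwords in SYSVOL (GPP cpassword and script/config files).
# Not code from the original feed. Requires read access to SYSVOL (any domain user has it).
Import-Module ActiveDirectory
Import-Module GroupPolicy -ErrorAction SilentlyContinue
$dns    = (Get-ADDomain).DNSRoot
$sysvol = "\\$dns\SYSVOL\$dns"

# Map a path under Policies\{GUID}\... to the GPO display name
function Resolve-GpoName([string]$Path) {
    if ($Path -match '\\Policies\\\{([0-9a-fA-F-]{36})\}') {
        try { (Get-GPO -Guid $Matches[1] -ErrorAction Stop).DisplayName } catch { $Matches[1] }
    } else { '(not under Policies)' }
}

# 1) Group Policy Preferences files that can carry cpassword
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
Get-ChildItem -Path "$sysvol\Policies" -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword="([^"]+)"' |          # empty cpassword="" is not a finding
    ForEach-Object {
        $m = $_.Matches[0].Value
        [pscustomobject]@{
            Finding  = 'GPP cpassword'
            GPO      = Resolve-GpoName $_.Path
            File     = $_.Path
            Evidence = $m.Substring(0, [math]::Min(24, $m.Length)) + '...'
        }
    }

# 2) Scripts and config files with password-looking assignments (pattern is an assumption)
$scriptExt = '*.bat', '*.cmd', '*.ps1', '*.vbs', '*.js', '*.ini', '*.txt', '*.xml', '*.config'
Get-ChildItem -Path $sysvol -Recurse -Include $scriptExt -ErrorAction SilentlyContinue |
    Where-Object { $gppFiles -notcontains $_.Name } |
    Select-String -Pattern '(?i)\b(password|passwd|pwd)\b\s*[:=]|/user:|-Password\s' |
    ForEach-Object {
        [pscustomobject]@{
            Finding  = 'Password string in script/config'
            GPO      = Resolve-GpoName $_.Path
            File     = $_.Path
            Evidence = "line $($_.LineNumber): " + $_.Line.Trim()
        }
    }
```

Deleting the cpassword entry is not enough on its own: the credential it carried has been readable by every domain user for as long as the file existed, so rotate it.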
SolarWinds is only the latest system attack that results in a large scale compromise. Attackers target these systems because they have widespread and long-standing access.
Any system that has some level of admin rights across your environment is vulnerable.
THREAD follows
Microsoft recently reached out to get my perspective of identity security (Active Directory & Azure AD).
Here's the interview:
TLDR:
Many of the issues we have seen with Active Directory are in Azure AD as well from a customer perspective.
This is a good time to remind people to replace old tech language:
* master to Primary
* slave to Secondary
* blacklist to Block list
* whitelist to Allow list
Language we use matters.
If you question why "blacklist" is there, it's based on definitions of the word "black"...
What are your first 5 Active Directory post access techniques in a red team?
Starting list no particular order:
1. Password Spraying
2. Kerberoasting
3. File search (passwords, backups, etc.)
4. LLMNR/mDNS/NBNS
5. Insecure mailbox search
Yours?
Slides from my @nola_con presentation on #ActiveDirectory security are on :
Covers common AD Security issues & how to fix them, discovering problematic AD ACL permissions, & some attack detection (kerberoasting & password spray).
PSA:
Review installed software on your Domain Controllers.
DCs don't need Chrome/Firefox installed, or to run management software (for agents), SQL, ADFS, AAD Connect, etc.
DCs should only be Active Directory servers. That's it. Anything else adds attack surface & risk.
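Added example (my code, not from the feed): inventory every DC for installed software, installed server roles beyond AD DS/DNS, and running services whose binary lives outside \Windows, then flag the kinds of things the PSA above lists. The registry Uninstall keys are the standard inventory source (Win32_Product is slow and triggers MSI repairs); the expected-role list and the name pattern are assumptions to tune.

```powershell
# Added example: what is on the DCs that should not be. Not code from the original feed.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

$inventory = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # Installed software from the Uninstall keys (both 64- and 32-bit views)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue | Where-Object DisplayName |
        ForEach-Object { [pscustomobject]@{ DC = $env:COMPUTERNAME; Kind = 'Software'; Name = $_.DisplayName; Detail = $_.Publisher } }

    # Installed roles other than what a DC needs (list is an assumption)
    $expectedRoles = 'AD-Domain-Services', 'DNS', 'FileAndStorage-Services'
    Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $expectedRoles -notcontains $_.Name } |
        ForEach-Object { [pscustomobject]@{ DC = $env:COMPUTERNAME; Kind = 'Role'; Name = $_.Name; Detail = $_.DisplayName } }

    # Running services with binaries outside \Windows (agents, SQL, AAD Connect, etc.)
    Get-CimInstance Win32_Service | Where-Object { $_.State -eq 'Running' -and $_.PathName -notmatch '(?i)\\Windows\\' } |
        ForEach-Object { [pscustomobject]@{ DC = $env:COMPUTERNAME; Kind = 'Service'; Name = $_.Name; Detail = "$($_.StartName) :: $($_.PathName)" } }
}

# Roles and non-Windows services are always worth a look; software only when it matches the pattern (assumption)
$flagPattern = '(?i)chrome|firefox|sql server|adfs|federation|azure ad connect|entra connect|java|adobe|agent|monitoring'
$inventory | Where-Object { $_.Kind -ne 'Software' -or $_.Name -match $flagPattern } |
    Sort-Object DC, Kind, Name | Format-Table DC, Kind, Name, Detail -AutoSize
```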
#ActiveDirectorySecurityTips
Run this AD module cmd:
get-adgroupmember Administrators -Recursive | select DistinguishedName
Ask Why? for:
* Service accounts
* Accounts/groups from another forest
* Computer accounts (remove)
* Normal users
* Accounts with SPNs (work to remove)
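Added example (my code, not from the feed) that turns the "Ask Why?" list above, and the earlier list of what to remove from Domain Admins/Administrators/Enterprise Admins, into a report. It expands nested membership with the LDAP_MATCHING_RULE_IN_CHAIN filter (which also returns computer accounts and foreign security principals that Get-ADGroupMember can choke on) and tags each member with the reasons to question it. The service-account name pattern and the one-year password age are assumptions; members from other domains of the same forest are not returned by this domain-scoped query.

```powershell
# Added example: review of AD admin group membership. Not code from the original feed.
Import-Module ActiveDirectory
function Get-ADAdminGroupReview {
    param([string[]]$Groups = @('Administrators', 'Domain Admins', 'Enterprise Admins'))
    $domainSid  = (Get-ADDomain).DomainSID.Value
    $svcPattern = '(?i)^(svc|sql|exch|vm|azure|aad|vpn|sa)[-_]|service|sql|exchange|vmware|backup'   # assumption

    foreach ($g in $Groups) {
        $group = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # e.g. Enterprise Admins only exists in the forest root domain
        Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" `
            -Properties samAccountName, objectClass, objectSid, servicePrincipalName, pwdLastSet, userAccountControl |
        ForEach-Object {
            $m = $_; $why = @()
            switch ($m.objectClass) {
                'computer'                 { $why += 'computer account (remove)' }
                'foreignSecurityPrincipal' { $why += 'account/group from another forest' }
                'group'                    { return }   # the chain filter already lists its members directly
            }
            if ($m.objectClass -eq 'user') {
                if ($m.objectSid.Value -notlike "$domainSid-*") { $why += 'account from another domain' }
                if ($m.servicePrincipalName)                   { $why += 'has SPN (Kerberoastable; work to remove)' }
                if ($m.samAccountName -match $svcPattern)      { $why += 'name looks like a service account' }
                if ($m.userAccountControl -band 0x10000)       { $why += 'password never expires' }
                if ($m.pwdLastSet -gt 0 -and [DateTime]::FromFileTime($m.pwdLastSet) -lt (Get-Date).AddYears(-1)) {
                    $why += 'password older than 1 year'
                }
                if (-not $why) { $why += 'normal user? confirm it is a dedicated admin account' }
            }
            [pscustomobject]@{
                Group  = $g
                Member = if ($m.samAccountName) { $m.samAccountName } else { $m.Name }
                Class  = $m.objectClass
                Why    = ($why -join '; ')
                SPNs   = (@($m.servicePrincipalName) -join ' ')
            }
        }
    }
}

Get-ADAdminGroupReview | Sort-Object Group, Class, Member | Format-Table -AutoSize
```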
@darkpawH & I spoke about the danger of not protecting Federation Servers (ADFS, etc) like Domain Controllers @defcon this year.
CyberArk just published tools to do this with SAML (aka "Golden SAML"):
Thrilled to speak today at the 1st Active Directory track at the Troopers conference in Germany.
Slides for my "Active Directory Security: The Journey" talk now posted on (version 2 of this talk).
Thank you @WEareTROOPERS!
Just posted my Azure AD to Azure "unanticipated" attack path leveraging "Elevate Access".
Describes how a compromised Global Administrator (O365) account could compromise any/all Azure VMs, (including hosted Domain Controllers) with minimal/no logging.
Based on what we have seen during Active Directory security assessments, if you have Active Directory Certificate Services (ADCS) in your environment, you want to download and run Locksmith to scan for ADCS security issues.
Locksmith provides remediation as well!
New tool release!
Locksmith from @dotdotdotHorse. Jake recently gave a talk @WWHackinFest where he released a tool to identify and remediate common misconfigurations in Active Directory Certificate Services.
#NCSAM
Check out his slides and blog here:
This Wednesday I’m presenting how to best secure your Microsoft Office 365 tenant (& Azure AD).
I’m also including an “unanticipated” attack path based on cloud research I’ve been working on for the past 9+ months.
Webcast covers Attack & Defense & blog posts will follow.
Trimarc Webcast series continues with Trimarc Founder, Sean Metcalf (@PyroTek3), this time focusing on Office365 & Azure AD Security
Join us for "Securing Office 365 & Azure AD - Defending Your Tenant"
May 27, 2020 from 1pm - 2pm (Eastern)
Registration:
My DEFCON Safe Mode talk on "Hacking the Hybrid Cloud" is recorded and submitted!
Talk video & slides are scheduled for release on Thursday, August 6th & I will host a live Q&A on the 6th at 12:30pm (Pacific).
Visit the DEFCON website for more info:
I've been pushing for this for years (others too).
I know it's been tough for Microsoft to break beyond 16.
Passwords can now be 256 characters in the Microsoft Cloud (Azure AD)!
Kudos to those within Microsoft that got this done!
#ThankYou
Microsoft recently released an installable Exchange Online PowerShell Module!
Install-Module ExchangeOnlineManagement
Update:
Update-Module -Name ExchangeOnlineManagement -AcceptLicense -Force
Not all cmdlets are fully updated yet (still in beta)
Looking forward to presenting Quick Wins to help improve Active Directory security.
Current agenda covers Kerberoast, Password Spray, ADCS, Kerberos Delegation, Dangerous Defaults, DC security, etc.
Presentation is technically dense, prepare to take notes/screenshots!
Want to learn about the "Top 10 Ways to Improve Active Directory Security Quickly"?
Sean Metcalf @PyroTek3, Tyler Robinson @tyler_robinson, & Darryl Baker @DFIRdeferred cover AD attacks & improving AD security
June 23rd
3pm-4:15pm (ET)
Register here:
New article on Active Directory service accounts that are typically in privileged AD groups & guidance on how to get them out of Domain Admins.
We find service accounts that shouldn't require privileged AD rights while performing AD Security Assessments.
#ActiveDirectorySecurityTips
Run this AD module cmd:
get-aduser krbtgt -prop Created,PasswordLastSet,msDS-KeyVersionNumber
* PW should change 2x every year.
* If Created = PWLastSet, then work to change soon.
* KeyVersionNum typically identifies how many times PW changed (n-1).
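Added example (my code, not from the feed) that serves both the krbtgt check above and the earlier post on faking a password change with the "must change password at next logon" toggle. It compares AD replication metadata: a real change writes unicodePwd and pwdLastSet together (and, for krbtgt, bumps msDS-KeyVersionNumber), while the toggle rewrites only pwdLastSet, so a pwdLastSet originating-change time newer than unicodePwd's is the tell. Get-ADReplicationAttributeMetadata is the AD module cmdlet for that metadata; the 180-day threshold is an assumption taken from "2x every year".

```powershell
# Added example: real password change vs. faked pwdLastSet, and krbtgt age.
# Not code from the original feed. Run against the PDC (or any DC) as an AD admin.
Import-Module ActiveDirectory
function Test-ADPasswordChangeMetadata {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Server = (Get-ADDomain).PDCEmulator,
        [int]$MaxAgeDays = 180                      # "change 2x every year" (assumption)
    )
    $u = Get-ADUser -Identity $Identity -Server $Server -Properties Created, PasswordLastSet, 'msDS-KeyVersionNumber'
    $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName -Server $Server -Properties unicodePwd, pwdLastSet
    $pwdMeta = $meta | Where-Object AttributeName -eq 'unicodePwd'
    $plsMeta = $meta | Where-Object AttributeName -eq 'pwdLastSet'

    $verdict = @()
    if ($u.PasswordLastSet -and [math]::Abs(($u.Created - $u.PasswordLastSet).TotalMinutes) -lt 1) {
        $verdict += 'password never changed since creation'
    }
    if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxAgeDays)) {
        $verdict += "password older than $MaxAgeDays days"
    }
    # pwdLastSet written noticeably later than the last real secret write => faked change
    if ($pwdMeta -and $plsMeta -and
        $plsMeta.LastOriginatingChangeTime -gt $pwdMeta.LastOriginatingChangeTime.AddMinutes(1)) {
        $verdict += 'pwdLastSet changed without a unicodePwd change (faked reset)'
    }
    if (-not $verdict) { $verdict += 'consistent' }

    [pscustomobject]@{
        Account               = $u.SamAccountName
        Created               = $u.Created
        PasswordLastSet       = $u.PasswordLastSet
        KeyVersionNumber      = $u.'msDS-KeyVersionNumber'
        UnicodePwdLastChanged = $pwdMeta.LastOriginatingChangeTime
        UnicodePwdVersion     = $pwdMeta.Version
        PwdLastSetLastChanged = $plsMeta.LastOriginatingChangeTime
        PwdLastSetVersion     = $plsMeta.Version
        ChangedOnDC           = $plsMeta.LastOriginatingChangeDirectoryServerIdentity
        Verdict               = ($verdict -join '; ')
    }
}

Test-ADPasswordChangeMetadata -Identity krbtgt | Format-List
# Worth running over every member of Domain Admins / Administrators as well:
# Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user' |
#     ForEach-Object { Test-ADPasswordChangeMetadata -Identity $_.SamAccountName }
```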
Interested in learning more about Active Directory?
has an entire reference section covering core AD concepts (including the MCM reading list):
There's a Security section too!
If you are looking to deploy Windows 10 & need security configuration guidance, the Microsoft Windows 10 security baseline is a great start.
Link is to the Win10 v1803 security baseline:
Thanks @AaronMargosis for continuing to put this guidance together!
Pentesters, Red Teams, & Blue Teams:
If you are only looking at Domain Admins & Enterprise Admins group membership, you are missing a lot. Query the domain Administrators group to get a more complete understanding of Active Directory administrators.
If you were attempting to use GPO to control file extension association in Windows 10, v1709 prevents that from working. The following article describes how to generate an XML file & deploy via GPO to force files like .js, .wsh, .vbs, to open in notepad.
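Added example (my code, not the article's) of the approach described above: build the DefaultAssociations XML that sends script extensions to Notepad, publish it where domain computers can read it, and point the "Set a default associations configuration file" policy at it from a GPO. The XML element names, the txtfile ProgId and the policy registry value are the ones Windows uses for this feature; .js/.wsh/.vbs come from the post and the other extensions, the SYSVOL path, the GPO name and the target OU are assumptions.

```powershell
# Added example: force script extensions to open in Notepad via a GPO default
# associations file. Not code from the original feed or the linked article.
Import-Module ActiveDirectory
Import-Module GroupPolicy
$extensions = '.js', '.jse', '.vbs', '.vbe', '.wsh', '.wsf'   # .js/.wsh/.vbs from the post; the rest assumed
$dns     = (Get-ADDomain).DNSRoot
$xmlPath = "\\$dns\SYSVOL\$dns\scripts\DefaultAssociations.xml"   # assumption: readable by all domain computers
$gpoName = 'Workstation - Script Extensions to Notepad'            # assumption
$ouDn    = 'OU=Workstations,DC=corp,DC=example'                    # assumption

# Build <DefaultAssociations><Association Identifier=".js" ProgId="txtfile" ApplicationName="Notepad"/>...
$doc = New-Object System.Xml.XmlDocument
$doc.AppendChild($doc.CreateXmlDeclaration('1.0', 'UTF-8', $null)) | Out-Null
$root = $doc.AppendChild($doc.CreateElement('DefaultAssociations'))
foreach ($ext in $extensions) {
    $a = $root.AppendChild($doc.CreateElement('Association'))
    $a.SetAttribute('Identifier', $ext)
    $a.SetAttribute('ProgId', 'txtfile')          # the ProgId .txt uses, i.e. Notepad
    $a.SetAttribute('ApplicationName', 'Notepad')
}
$doc.Save($xmlPath)

# GPO: Computer Configuration > Administrative Templates > Windows Components > File Explorer
#      > "Set a default associations configuration file" (the registry value written below)
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'DefaultAssociationsConfiguration' -Type String -Value $xmlPath | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -ErrorAction SilentlyContinue | Out-Null

# Test on one workstation: gpupdate /force, then double-click a .js file; it should open in
# Notepad rather than wscript.exe. Note this changes double-click behaviour only; an explicit
# "wscript.exe file.js" or "cscript.exe file.js" still runs, so pair it with script-host restrictions.
```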
I finally merged all my updates to the Kerberos Service Principal Name (SPN) type list on . I'm tracking over 150 SPNs (mostly enterprise apps).
SPN Reference List:
Kerberos Info:
Next month at Black Hat, I will show why most current Active Directory admin methods are insecure and how to securely perform administration in the real world.
Sean Metcalf (@PyroTek3) will explore how common methods of domain administration fail, an attacker's approach to exploiting flaws, and ways to ensure secure administration during his Briefing at #BHUSA