In this series, we’ve learned about DCShadow and covered attack scenarios to demonstrate how this can be used for an attacker to create persistence as well as elevate privileges across forests. Now that we know the risks involved with DCShadow, let’s cover what you can do to detect this in your environment. First, let’s recap the basics: The purpose of DCShadow is to make changes that will not be detected by event logs, so you will not be able to…
So far we’ve covered how DCShadow works as well as ways this can enable attackers to create persistence within a domain without detection once they’ve obtained admin credentials. DCShadow can enable attack scenarios beyond just creating persistence, and can actually be used to elevate access for an attacker. How can a Domain Admin elevate their access even higher? By obtaining admin rights in other forests. Leveraging SID History, an attacker can add administrative SIDs to their user account and obtain…
Now that we understand the basics of the DCShadow feature, let’s look at some ways in which attackers can leverage DCShadow in a real world attack scenario. As we learned, DCShadow requires elevated rights such as Domain Admin, so you can assume an attacker leveraging this already has complete control of your environment. So why would an attacker want to or need to use DCShadow? One real world scenario would be for an attacker to create persistence within the domain…
If you’re familiar with Mimikatz, you’ve already seen some of the ways it exposes weaknesses in Active Directory security (if you’re not, read up!). Recently, a new feature was added to Mimikatz titled DCShadow and was presented by its authors Benjamin Delpy and Vincent LeToux at the Bluehat IL 2018 conference. DCShadow enables Mimikatz to make changes to Active Directory by simulating a domain controller. We’ve seen this in the past from Mimikatz, with the DCSync feature, which allows you…
So far in this series, we’ve learned how attackers can target weak domain passwords in Active Directory. To complete the story, we need to look beyond domain accounts and understand the ways to attack local accounts on Windows servers and desktops. For this post, we will focus on the most important local account: Administrator. The Administrator account is built into every Windows operating system and provides full control over the system, including the ability to compromise domain accounts through pass-the-hash…
In our last post, we learned about password spraying and how effective this can be to compromise AD accounts with weak and commonly used passwords. Now let’s take a look at how an attacker could take this approach and put it into practice to compromise your domain. For that, we are going to use BloodHound, a very useful open-source application for penetration testing AD security and planning attack paths to compromise high value accounts. We’ve covered BloodHound in our permission…
So far in this series we’ve looked at how plain text passwords can be exposed within Active Directory, which represents a major vulnerability for most AD environments. However, even if you have proper controls to prevent plain text passwords in your network, attackers can still get them pretty efficiently. How do they do this? They guess. And you’d be surprised how well guessing works at cracking passwords. As we covered in the introductory post for this series, guessing can be…
A lot of attention gets paid to preventing pass-the-hash and pass-the-ticket attacks, but imagine what an attacker could do with the actual passwords of privileged user accounts rather than just the hashes. Pass-the-hash gives attackers access to what can be performed from a command line, but plain text passwords give an attacker unlimited access to an account. This may include access to web applications, VPN, and email. If you need a primer on the difference between plain text passwords and…
Active Directory Password Attacks So far in our travels through Active Directory security, we’ve looked at attacks against permissions, credentials, service accounts, and many of the open-source toolkits available for getting more hands-on exposure to these techniques. Inside each scenario, an attacker is attempting to increase their privileges and compromise sensitive information. Some techniques like Pass-the-Hash and Golden Tickets are designed to compromise accounts without ever knowing their actual password. However, Active Directory can be compromised much more quickly if…
Bypassing PowerShell Protections Now that we have explored various protections against malicious PowerShell, let’s look at how to get around every one of these PowerShell protections! Don’t worry, these PowerShell protections are still worth doing, and they will still make things harder on attackers and easier to detect. However, we need to be aware that they cannot stop everything. If an attacker wants to run Mimikatz and access your credentials, they will find a way. The more you know about…
