AD Attack #3 – Ntds.dit Extraction
With so much attention paid to detecting credential-based attacks such as Pass-the-Hash (PtH) and Pass-the-Ticket (PtT), other more serious and effective attacks are often overlooked. One such attack is focused on exfiltrating the Ntds.dit file from Active Directory Domain Controllers. Let’s take a look at what this threat entails and how it can be performed. Then we can review some mitigating controls to be sure you are protecting your own…
AD Attack #1 – LDAP Reconnaissance
The first thing any attacker will do once they gain a foothold within an Active Directory domain is to try to elevate their access. It is surprisingly easy to perform domain reconnaissance using PowerShell, and often no elevated privileges are required: any authenticated domain user can read most of the directory over LDAP. In this post, we will cover a few of the different ways that PowerShell can be used by attackers to map out your environment and choose their targets.
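As an added illustration of that point (example code written for this page, not taken from the original post), the following PowerShell uses only the built-in `[adsisearcher]` accelerator, so it runs as an ordinary domain user on a domain-joined host with no RSAT or ActiveDirectory module installed. It pulls the objects an attacker typically looks for first: nested Domain Admins membership, accounts with service principal names, accounts that do not require Kerberos pre-authentication, and the domain controllers themselves. The function name `Invoke-LdapQuery` and the assumption that Domain Admins lives in the default `CN=Users` container are this example's own.

```powershell
# Added example: low-privilege LDAP reconnaissance with [adsisearcher]
# (System.DirectoryServices.DirectorySearcher). Assumes a domain-joined host
# and the current user's token; no credentials are supplied.

function Invoke-LdapQuery {
    param(
        [Parameter(Mandatory)] [string]   $Filter,
        [string[]] $Properties = @('distinguishedName'),
        [int]      $PageSize   = 1000
    )
    # Binds to the default naming context of the logon domain.
    $searcher = [adsisearcher] $Filter
    $searcher.PageSize = $PageSize              # paging avoids the server-side 1000-object cap
    $searcher.PropertiesToLoad.AddRange($Properties)

    foreach ($result in $searcher.FindAll()) {
        $obj = [ordered] @{}
        foreach ($p in $Properties) {
            # Result property keys are lower-case; flatten single-valued attributes
            $vals = @($result.Properties[$p.ToLower()])
            $obj[$p] = if ($vals.Count -le 1) { $vals[0] } else { $vals }
        }
        [pscustomobject] $obj
    }
}

$rootDse  = [adsi] 'LDAP://RootDSE'
$domainDn = $rootDse.defaultNamingContext
$daDn     = "CN=Domain Admins,CN=Users,$domainDn"   # assumption: default container

# 1. Domain Admins, including nested membership (LDAP_MATCHING_RULE_IN_CHAIN)
$domainAdmins = Invoke-LdapQuery `
    -Filter "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$daDn))" `
    -Properties sAMAccountName, lastLogonTimestamp, userAccountControl

# 2. User accounts carrying an SPN: the targets for Kerberoasting
$spnUsers = Invoke-LdapQuery `
    -Filter '(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties sAMAccountName, servicePrincipalName, pwdLastSet

# 3. Accounts with DONT_REQ_PREAUTH (0x400000) set: AS-REP roasting candidates
#    1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule
$noPreauth = Invoke-LdapQuery `
    -Filter '(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' `
    -Properties sAMAccountName

# 4. Domain controllers (SERVER_TRUST_ACCOUNT, 0x2000): the hosts holding Ntds.dit
$dcs = Invoke-LdapQuery `
    -Filter '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' `
    -Properties dNSHostName, operatingSystem

'Domain Admins (nested):'; $domainAdmins | Format-Table -AutoSize
'Accounts with SPNs:';     $spnUsers     | Format-Table -AutoSize
'No pre-auth required:';   $noPreauth    | Format-Table -AutoSize
'Domain controllers:';     $dcs          | Format-Table -AutoSize
```

None of these queries touch a privileged object or generate anything more than ordinary LDAP search traffic on the domain controller, which is exactly why they are hard to spot unless you baseline which hosts and accounts normally run directory searches of this shape.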
The Basics of Reconnaissance using PowerShell
First, let…
There’s been a lot of talk recently about the “Pass the hash” and “Pass the ticket” threats. In this blog post, I’ll talk a bit about what these threats are, how real they are, and what you can do to protect yourself.
So first, what is it? These are two variations of the same threat. Pass the Hash and Pass the Ticket both work by impersonating a user on the network and spreading to other systems by leveraging cached credentials: the NTLM hash in the first case, the Kerberos ticket in the second. Let’s step back a bit first and discuss the basics.
At the ri…