infosecn1nja / AD-Attack-Defense
Attack and defend active directory using modern post exploitation adversary tradecraft activity
Repository Overview (README excerpt)
Active Directory Kill Chain Attack & Defense Summary

This document was designed to be a useful, informational asset for those looking to understand the specific tactics, techniques, and procedures (TTPs) attackers are leveraging to compromise Active Directory, together with guidance on mitigation, detection, and prevention, and to understand the Active Directory kill chain and modern post-exploitation adversary tradecraft.

Table of Contents
• Discovery
• Privilege Escalation
• Defense Evasion
• Credential Dumping
• Lateral Movement
• Persistence
• Defense & Detection

------

Discovery

SPN Scanning
• SPN Scanning – Service Discovery without Network Port Scanning
• Active Directory: PowerShell script to list all SPNs used
• Discovering Service Accounts Without Using Privileges

Data Mining
• A Data Hunting Overview
• Push it, Push it Real Good
• Finding Sensitive Data on Domain SQL Servers using PowerUpSQL
• Sensitive Data Discovery in Email with MailSniper
• Remotely Searching for Sensitive Files
• I Hunt Sysadmins - harmj0y

User Hunting
• Hidden Administrative Accounts: BloodHound to the Rescue
• Active Directory Recon Without Admin Rights
• Gathering AD Data with the Active Directory PowerShell Module
• Using ActiveDirectory module for Domain Enumeration from PowerShell Constrained Language Mode
• PowerUpSQL Active Directory Recon Functions
• Derivative Local Admin
• Automated Derivative Administrator Search
• Dumping Active Directory Domain Info – with PowerUpSQL!
• Local Group Enumeration
• Attack Mapping With Bloodhound
• Situational Awareness
• Commands for Domain Network Compromise
• A Pentester's Guide to Group Scoping

LAPS
• Microsoft LAPS Security & Active Directory LAPS Configuration Recon
• Running LAPS with PowerView
• RastaMouse LAPS Part 1 & 2

AppLocker
• Enumerating AppLocker Config

Active Directory Federation Services
• 118 Attacking ADFS Endpoints with PowerShell - Karl Fosaaen
• Using PowerShell to Identify Federated Domains
• LyncSniper: A tool for penetration testing Skype for Business and Lync deployments
• Troopers 19 - I am AD FS and So Can You

------

Privilege Escalation

BadSuccessor
• BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
• Operationalizing the BadSuccessor: Abusing dMSA for Domain Privilege Escalation

sAMAccountName Spoofing
• sAMAccountName spoofing
• CVE-2021-42287/CVE-2021-42278 Weaponisation

Abusing Active Directory Certificate Services
• Certified Pre-Owned
• AD CS Domain Escalation

PetitPotam
• PetitPotam
• From Stranger to DA // Using PetitPotam to NTLM relay to Domain Administrator

Zerologon
• Cobalt Strike ZeroLogon-BOF
• CVE-2020-1472 POC
• Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)

Passwords in SYSVOL & Group Policy Preferences
• Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
• Pentesting in the Real World: Group Policy Pwnage

MS14-068 Kerberos Vulnerability
• MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege
• Digging into MS14-068, Exploitation and Defence
• From MS14-068 to Full Compromise – Step by Step

DNSAdmins
• Abusing DNSAdmins privilege for escalation in Active Directory
• From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration

Kerberos Delegation
• Constructing Kerberos Attacks with Delegation Primitives
• No Shells Required - a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to DA
• CVE-2020-17049: Kerberos Bronze Bit Attack – Overview

Unconstrained Delegation
• Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest
• Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)
• Unconstrained Delegation Permissions
• Trust? Years to earn, seconds to break
• Hunting in Active Directory: Unconstrained Delegation & Forests Trusts
• Exploiting Unconstrained Delegation

Constrained Delegation
• Another Word on Delegation
• From Kekeo to Rubeus
• S4U2Pwnage
• Kerberos Delegation, Spns And More...

Resource-Based Constrained Delegation
• Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory
• Kerberos Resource-based Constrained Delegation: Computer Object Take Over
• Resource Based Constrained Delegation
• A Case Study in Wagging the Dog: Computer Takeover
• BloodHound 2.1's New Computer Takeover Attack

Insecure Group Policy Object Permission Rights
• Abusing GPO Permissions
• A Red Teamer's Guide to GPOs and OUs
• File templates for GPO Abuse
• GPO Abuse - Part 1
• GPO Abuse - Part 2
• SharpGPOAbuse

Insecure ACLs Permission Rights
• Exploiting Weak Active Directory Permissions With Powersploit
• Escalating privileges with ACLs in Active Directory
• Abusing Active Directory Permissions with PowerView
• BloodHound 1.3 – The ACL Attack Path Update
• Scanning for Active Directory Privileges & Privileged Accounts
• Active Directory Access Control List – Attacks and Defense
• aclpwn - Active Directory ACL exploitation with BloodHound

Domain Trusts
• A Guide to Attacking Domain Trusts
• It's All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts
• Active Directory forest trusts part 1 - How does SID filtering work?
• The Forest Is Under Control. Taking over the entire Active Directory forest
• Not A Security Boundary: Breaking Forest Trusts
• The Trustpocalypse
• Pentesting Active Directory Forests
• Security Considerations for Active Directory (AD) Trusts
• Kerberos Golden Tickets are Now More Golden

DCShadow
• Privilege Escalation With DCShadow
• DCShadow
• DCShadow explained: A technical deep dive into the latest AD attack technique
• DCShadow - Silently turn off Active Directory Auditing
• DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more

RID
• Rid Hijacking: When Guests Become Admins

Microsoft SQL Server
• How to get SQL…