Active Directory防衛ガイド&ツール / Active Directory Kill Chain Attack & Defense – A Complete Guide & Tools

ここでは、攻撃者がActive Directoryを侵害するために利用している戦術、技術、手順(TTPs)、および緩和、検出、予防のためのガイダンスを詳しく説明します。


SPN Scanning

Data Mining

User Hunting



Active Directory Federation Services


Abusing Active Directory Certificate Services



Passwords in SYSVOL & Group Policy Preferences

MS14-068 Kerberos Vulnerability


Kerberos Delegation

Unconstrained Delegation

Constrained Delegation

Resource-Based Constrained Delegation

Insecure Group Policy Object Permission Rights

Insecure ACLs Permission Rights

Domain Trusts



Microsoft SQL Server

Red Forest




Microsoft SQL Server Database links

Pass The Hash

System Center Configuration Manager (SCCM)


Password Spraying

Automated Lateral Movement


In-Memory Evasion

Endpoint Detection and Response (EDR) Evasion


Microsoft ATA & ATP Evasion

PowerShell ScriptBlock Logging Bypass

PowerShell Anti-Malware Scan Interface (AMSI) Bypass

Loading .NET Assemblies Anti-Malware Scan Interface (AMSI) Bypass

AppLocker & Device Guard Bypass

Sysmon Evasion

HoneyTokens Evasion

Disabling Security Tools

Credential Dumping

NTDS.DIT Password Extraction

SAM (Security Accounts Manager)


Kerberos AP-REP Roasting

Windows Credential Manager/Vault


LLMNR/NBT-NS Poisoning



Golden Ticket

SID History

Silver Ticket



Group Policy Object

Skeleton Keys


Security Support Provider

Directory Services Restore Mode

ACLs & Security Descriptors

Tools & Scripts

  • Certify – Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
  • PSPKIAudit – PowerShell toolkit for auditing Active Directory Certificate Services (AD CS).
  • PowerView – Situational Awareness PowerShell framework
  • BloodHound – Six Degrees of Domain Admin
  • Impacket – Impacket is a collection of Python classes for working with network protocols
  • – Active Directory ACL exploitation with BloodHound
  • CrackMapExec – A swiss army knife for pentesting networks
  • ADACLScanner – A tool with GUI or command linte used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory
  • zBang – zBang is a risk assessment tool that detects potential privileged account threats
  • SafetyKatz – SafetyKatz is a combination of slightly modified version of @gentilkiwi’s Mimikatz project and @subTee’s .NET PE Loader.
  • SharpDump – SharpDump is a C# port of PowerSploit’s Out-Minidump.ps1 functionality.
  • PowerUpSQL – A PowerShell Toolkit for Attacking SQL Server
  • Rubeus – Rubeus is a C# toolset for raw Kerberos interaction and abuses
  • ADRecon – A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
  • Mimikatz – Utility to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory but also perform pass-the-hash, pass-the-ticket or build Golden tickets
  • Grouper – A PowerShell script for helping to find vulnerable settings in AD Group Policy.
  • Powermad – PowerShell MachineAccountQuota and DNS exploit tools
  • RACE – RACE is a PowerShell module for executing ACL attacks against Windows targets.
  • DomainPasswordSpray – DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.
  • MailSniper – MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
  • LAPSToolkit – Tool to audit and attack LAPS environments.
  • CredDefense – Credential and Red Teaming Defense for Windows Environments
  • ldapdomaindump – Active Directory information dumper via LDAP
  • SpoolSample – PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface
  • adconnectdump – Azure AD Connect password extraction
  • o365recon – Script to retrieve information via O365 with a valid cred
  • ROADtools – ROADtools is a framework to interact with Azure AD. I
  • Stormspotter – Stormspotter creates an “attack graph” of the resources in an Azure subscription.
  • AADInternals – AADInternals is PowerShell module for administering Azure AD and Office 365
  • MicroBurst: A PowerShell Toolkit for Attacking Azure – MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping.


Cheat Sheets

Other Resources

Azure Active Directory

Defense & Detection

Tools & Scripts

  • Invoke-TrimarcADChecks – Invoke-TrimarcADChecks.ps1 PowerShellスクリプトは、Active Directoryセキュリティアセスメント(ADSA)を実行するために、単一ドメインのADフォレストからデータを収集するように設計されています。
  • Create-Tiers in AD – プロジェクト名 Active Directory あらゆる環境におけるTierの自動配置を行います。
  • SAMRi10 – Hardening SAM Remote Access in Windows 10/Server 2016
  • Net Cease – Hardening Net Session Enumeration
  • PingCastle – A tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework
  • Aorato Skeleton Key Malware Remote DC Scanner – Remotely scans for the existence of the Skeleton Key Malware
  • Reset the krbtgt account password/keys – This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation
  • Reset The KrbTgt Account Password/Keys For RWDCs/RODCs
  • RiskySPN – RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Name).
  • Deploy-Deception – A PowerShell module to deploy active directory decoy objects
  • SpoolerScanner – Check if MS-RPRN is remotely available with powershell/c#
  • dcept – A tool for deploying and detecting use of Active Directory honeytokens
  • LogonTracer – Investigate malicious Windows logon by visualizing and analyzing Windows event log
  • DCSYNCMonitor – Monitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events
  • Sigma – Generic Signature Format for SIEM Systems
  • Sysmon – System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
  • SysmonSearch – Investigate suspicious activity by visualizing Sysmon’s event log
  • ClrGuard – ClrGuard is a proof of concept project to explore instrumenting the Common Language Runtime (CLR) for security purposes.
  • Get-ClrReflection – Detects memory-only CLR (.NET) modules.
  • Get-InjectedThread – Get-InjectedThread looks at each running thread to determine if it is the result of memory injection.
  • SilkETW – SilkETW & SilkService are flexible C# wrappers for ETW, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection.
  • WatchAD – AD Security Intrusion Detection System
  • Sparrow – Sparrow.ps1 was created by CISA’s Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.
  • DFIR-O365RC – The DFIR-O365RC PowerShell module is a set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise investigations.
  • AzureADIncidentResponse – Tooling to assist in Azure AD incident response
  • ADTimeline – The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest.

Sysmon Configuration

  • sysmon-modular – A Sysmon configuration repository for everybody to customise
  • sysmon-dfir – Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
  • sysmon-config – Sysmon configuration file template with default high-quality event tracing

Active Directory Security Checks (by Sean Metcalf – @Pyrotek3)

General Recommendations

  • Manage local Administrator passwords (LAPS).
  • Implement RDP Restricted Admin mode (as needed).
  • Remove unsupported OSs from the network.
  • Monitor scheduled tasks on sensitive systems (DCs, etc.).
  • Ensure that OOB management passwords (DSRM) are changed regularly & securely stored.
  • Use SMB v2/v3+
  • Default domain Administrator & KRBTGT password should be changed every year & when an AD admin leaves.
  • Remove trusts that are no longer necessary & enable SID filtering as appropriate.
  • All domain authentications should be set (when possible) to: “Send NTLMv2 response onlyrefuse LM & NTLM.”
  • Block internet access for DCs, servers, & all administration systems.

Protect Admin Credentials

  • No “user” or computer accounts in admin groups.
  • Ensure all admin accounts are “sensitive & cannot be delegated”.
  • Add admin accounts to “Protected Users” group (requires Windows Server 2012 R2 Domain Controllers, 2012R2 DFL for domain protection).
  • Disable all inactive admin accounts and remove from privileged groups.

Protect AD Admin Credentials

  • Limit AD admin membership (DA, EA, Schema Admins, etc.) & only use custom delegation groups.
  • ‘Tiered’ Administration mitigating credential theft impact.
  • Ensure admins only logon to approved admin workstations & servers.
  • Leverage time-based, temporary group membership for all admin accounts

Protect Service Account Credentials

  • Limit to systems of the same security level.
  • Leverage “(Group) Managed Service Accounts” (or PW >20 characters) to mitigate credential theft (kerberoast).
  • Implement FGPP (DFL =>2008) to increase PW requirements for SAs and administrators.
  • Logon restrictions – prevent interactive logon & limit logon capability to specific computers.
  • Disable inactive SAs & remove from privileged groups.

Protect Resources

  • Segment network to protect admin & critical systems.
  • Deploy IDS to monitor the internal corporate network.
  • Network device & OOB management on separate network.

Protect Domain Controller

  • Only run software & services to support AD.
  • Minimal groups (& users) with DC admin/logon rights.
  • Ensure patches are applied before running DCPromo (especially MS14-068 and other critical patches).
  • Validate scheduled tasks & scripts.

Protect Workstations (& Servers)

  • Patch quickly, especially privilege escalation vulnerabilities.
  • Deploy security back-port patch (KB2871997).
  • Set Wdigest reg key to 0 (KB2871997/Windows 8.1/2012R2+): HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersWdigest
  • Deploy workstation whitelisting (Microsoft AppLocker) to block code exec in user folders – home dir & profile path.
  • Deploy workstation app sandboxing technology (EMET) to mitigate application memory exploits (0-days).


  • Enable enhanced auditing
  • “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
  • Enable PowerShell module logging (“*”) & forward logs to central log server (WEF or other method).
  • Enable CMD Process logging & enhancement (KB3004375) and forward logs to central log server.
  • SIEM or equivalent to centralize as much log data as possible.
  • User Behavioural Analysis system for enhanced knowledge of user activity (such as Microsoft ATA).

Security Pro’s Checks

  • Identify who has AD admin rights (domain/forest).
  • Identify who can logon to Domain Controllers (& admin rights to virtual environment hosting virtual DCs).
  • Scan Active Directory Domains, OUs, AdminSDHolder, & GPOs for inappropriate custom permissions.
  • Ensure AD admins (aka Domain Admins) protect their credentials by not logging into untrusted systems (workstations).
  • Limit service account rights that are currently DA (or equivalent).