This page details the tactics, techniques and procedures (TTPs) that attackers use to compromise Active Directory, along with guidance on mitigation, detection and prevention.
Discovery
SPN Scanning
Data Mining
User Hunting
LAPS
AppLocker
Active Directory Federation Services
Privilege Escalation
Abusing Active Directory Certificate Services
PetitPotam
Zerologon
Passwords in SYSVOL & Group Policy Preferences
MS14-068 Kerberos Vulnerability
DNSAdmins
Kerberos Delegation
Unconstrained Delegation
Constrained Delegation
Resource-Based Constrained Delegation
Insecure Group Policy Object Permission Rights
Insecure ACLs Permission Rights
Domain Trusts
DCShadow
RID
Microsoft SQL Server
Red Forest
Exchange
NTLM Relay & LLMNR/NBNS
Lateral Movement
Microsoft SQL Server Database links
Pass The Hash
System Center Configuration Manager (SCCM)
WSUS
Password Spraying
Automated Lateral Movement
Defense Evasion
In-Memory Evasion
Endpoint Detection and Response (EDR) Evasion
OPSEC
Microsoft ATA & ATP Evasion
PowerShell ScriptBlock Logging Bypass
PowerShell Anti-Malware Scan Interface (AMSI) Bypass
Loading .NET Assemblies Anti-Malware Scan Interface (AMSI) Bypass
AppLocker & Device Guard Bypass
Sysmon Evasion
HoneyTokens Evasion
Disabling Security Tools
Credential Dumping
NTDS.DIT Password Extraction
SAM (Security Accounts Manager)
Kerberoasting
Kerberos AP-REP Roasting
Windows Credential Manager/Vault
DCSync
LLMNR/NBT-NS Poisoning
Others
Persistence
Golden Ticket
SID History
Silver Ticket
DCShadow
AdminSDHolder
Group Policy Object
Skeleton Keys
SeEnableDelegationPrivilege
Security Support Provider
Directory Services Restore Mode
ACLs & Security Descriptors
Tools & Scripts
- Certify – Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
- PSPKIAudit – PowerShell toolkit for auditing Active Directory Certificate Services (AD CS).
- PowerView – Situational Awareness PowerShell framework
- BloodHound – Six Degrees of Domain Admin
- Impacket – Impacket is a collection of Python classes for working with network protocols
- aclpwn.py – Active Directory ACL exploitation with BloodHound
- CrackMapExec – A swiss army knife for pentesting networks
- ADACLScanner – A tool with a GUI or command line used to create reports of discretionary access control lists (DACLs) and system access control lists (SACLs) in Active Directory
- zBang – zBang is a risk assessment tool that detects potential privileged account threats
- SafetyKatz – SafetyKatz is a combination of a slightly modified version of @gentilkiwi’s Mimikatz project and @subTee’s .NET PE Loader.
- SharpDump – SharpDump is a C# port of PowerSploit’s Out-Minidump.ps1 functionality.
- PowerUpSQL – A PowerShell Toolkit for Attacking SQL Server
- Rubeus – Rubeus is a C# toolset for raw Kerberos interaction and abuses
- ADRecon – A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
- Mimikatz – Utility to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory, and also to perform pass-the-hash and pass-the-ticket or build Golden Tickets
- Grouper – A PowerShell script for helping to find vulnerable settings in AD Group Policy.
- Powermad – PowerShell MachineAccountQuota and DNS exploit tools
- RACE – RACE is a PowerShell module for executing ACL attacks against Windows targets.
- DomainPasswordSpray – DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.
- MailSniper – MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
- LAPSToolkit – Tool to audit and attack LAPS environments.
- CredDefense – Credential and Red Teaming Defense for Windows Environments
- ldapdomaindump – Active Directory information dumper via LDAP
- SpoolSample – PoC tool to coerce Windows hosts to authenticate to other machines via the MS-RPRN RPC interface
- adconnectdump – Azure AD Connect password extraction
- o365recon – Script to retrieve information via O365 with valid credentials
- ROADtools – ROADtools is a framework to interact with Azure AD. I
- Stormspotter – Stormspotter creates an “attack graph” of the resources in an Azure subscription.
- AADInternals – AADInternals is a PowerShell module for administering Azure AD and Office 365
- MicroBurst: A PowerShell Toolkit for Attacking Azure – MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping.
Ebooks
Cheat Sheets
Other Resources
Azure Active Directory
Defense & Detection
Tools & Scripts
- Invoke-TrimarcADChecks – The Invoke-TrimarcADChecks.ps1 PowerShell script is designed to gather data from a single-domain AD forest in order to perform an Active Directory Security Assessment (ADSA).
- Create-Tiers in AD – Active Directory project for automated deployment of tiers in any environment.
- SAMRi10 – Hardening SAM Remote Access in Windows 10/Server 2016
- Net Cease – Hardening Net Session Enumeration
- PingCastle – A tool designed to quickly assess the Active Directory security level, using a methodology based on risk assessment and a maturity framework
- Aorato Skeleton Key Malware Remote DC Scanner – Remotely scans for the existence of the Skeleton Key Malware
- Reset the krbtgt account password/keys – This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation
- Reset The KrbTgt Account Password/Keys For RWDCs/RODCs
- RiskySPN – RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Name).
- Deploy-Deception – A PowerShell module to deploy active directory decoy objects
- SpoolerScanner – Check if MS-RPRN is remotely available with powershell/c#
- dcept – A tool for deploying and detecting use of Active Directory honeytokens
- LogonTracer – Investigate malicious Windows logon by visualizing and analyzing Windows event log
- DCSYNCMonitor – Monitors for DCSYNC and DCSHADOW attacks and creates custom Windows Events for these events
- Sigma – Generic Signature Format for SIEM Systems
- Sysmon – System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
- SysmonSearch – Investigate suspicious activity by visualizing Sysmon’s event log
- ClrGuard – ClrGuard is a proof of concept project to explore instrumenting the Common Language Runtime (CLR) for security purposes.
- Get-ClrReflection – Detects memory-only CLR (.NET) modules.
- Get-InjectedThread – Get-InjectedThread looks at each running thread to determine if it is the result of memory injection.
- SilkETW – SilkETW & SilkService are flexible C# wrappers for ETW; they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection.
- WatchAD – AD Security Intrusion Detection System
- Sparrow – Sparrow.ps1 was created by CISA’s Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.
- DFIR-O365RC – The DFIR-O365RC PowerShell module is a set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise investigations.
- AzureADIncidentResponse – Tooling to assist in Azure AD incident response
- ADTimeline – The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest.
Sysmon Configuration
- sysmon-modular – A Sysmon configuration repository for everybody to customise
- sysmon-dfir – Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
- sysmon-config – Sysmon configuration file template with default high-quality event tracing
Active Directory Security Checks (by Sean Metcalf – @Pyrotek3)
General Recommendations
- Manage local Administrator passwords (LAPS).
- Implement RDP Restricted Admin mode (as needed).
- Remove unsupported OSs from the network.
- Monitor scheduled tasks on sensitive systems (DCs, etc.).
- Ensure that OOB management passwords (DSRM) are changed regularly & securely stored.
- Use SMB v2/v3+
- Default domain Administrator & KRBTGT password should be changed every year & when an AD admin leaves.
- Remove trusts that are no longer necessary & enable SID filtering as appropriate.
- All domain authentications should be set (when possible) to: “Send NTLMv2 response only. Refuse LM & NTLM.”
- Block internet access for DCs, servers, & all administration systems.
Protect Admin Credentials
- No “user” or computer accounts in admin groups.
- Ensure all admin accounts are “sensitive & cannot be delegated”.
- Add admin accounts to “Protected Users” group (requires Windows Server 2012 R2 Domain Controllers, 2012R2 DFL for domain protection).
- Disable all inactive admin accounts and remove from privileged groups.
Protect AD Admin Credentials
- Limit AD admin membership (DA, EA, Schema Admins, etc.) & only use custom delegation groups.
- Implement ‘tiered’ administration to limit the impact of credential theft.
- Ensure admins only logon to approved admin workstations & servers.
- Leverage time-based, temporary group membership for all admin accounts
Protect Service Account Credentials
- Limit to systems of the same security level.
- Leverage “(Group) Managed Service Accounts” (or PW >20 characters) to mitigate credential theft (kerberoast).
- Implement FGPP (DFL >= 2008) to increase password requirements for service accounts and administrators.
- Logon restrictions – prevent interactive logon & limit logon capability to specific computers.
- Disable inactive SAs & remove from privileged groups.
Protect Resources
- Segment network to protect admin & critical systems.
- Deploy IDS to monitor the internal corporate network.
- Network device & OOB management on separate network.
Protect Domain Controller
- Only run software & services to support AD.
- Minimal groups (& users) with DC admin/logon rights.
- Ensure patches are applied before running DCPromo (especially MS14-068 and other critical patches).
- Validate scheduled tasks & scripts.
Protect Workstations (& Servers)
- Patch quickly, especially privilege escalation vulnerabilities.
- Deploy security back-port patch (KB2871997).
- Set Wdigest reg key to 0 (KB2871997/Windows 8.1/2012R2+): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest
- Deploy workstation whitelisting (Microsoft AppLocker) to block code exec in user folders – home dir & profile path.
- Deploy workstation app sandboxing technology (EMET) to mitigate application memory exploits (0-days).
Logging
- Enable enhanced auditing
- “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
- Enable PowerShell module logging (“*”) & forward logs to central log server (WEF or other method).
- Enable CMD Process logging & enhancement (KB3004375) and forward logs to central log server.
- SIEM or equivalent to centralize as much log data as possible.
- User Behavioural Analysis system for enhanced knowledge of user activity (such as Microsoft ATA).
Security Pro’s Checks
- Identify who has AD admin rights (domain/forest).
- Identify who can logon to Domain Controllers (& admin rights to virtual environment hosting virtual DCs).
- Scan Active Directory Domains, OUs, AdminSDHolder, & GPOs for inappropriate custom permissions.
- Ensure AD admins (aka Domain Admins) protect their credentials by not logging into untrusted systems (workstations).
- Limit service account rights that are currently DA (or equivalent).
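The following read-only audit script is an added example, not part of the original page or of any tool listed above; it checks several items from the checklist (Wdigest, NTLMv2-only, KRBTGT password age, Domain Admins delegation and Protected Users membership, SPN-bearing accounts with DA rights). It assumes the ActiveDirectory RSAT module is installed and the caller has read access to the domain; the registry checks apply to the host it runs on.

```powershell
# Added audit example (not the page's own code). Read-only: reports findings, changes nothing.
Import-Module ActiveDirectory
$findings = @()

# Checklist: "Set Wdigest reg key to 0" refers to UseLogonCredential under the WDigest key.
$wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
if ($null -eq $wd -or $wd.UseLogonCredential -ne 0) {
    $findings += 'WDigest UseLogonCredential is not set to 0 on this host'
}

# Checklist: "Send NTLMv2 response only. Refuse LM & NTLM" is LmCompatibilityLevel 5.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($null -eq $lsa -or $lsa.LmCompatibilityLevel -lt 5) {
    $findings += 'LmCompatibilityLevel is below 5 on this host (LM/NTLMv1 still accepted)'
}

# Checklist: KRBTGT password should be changed at least every year.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
    $findings += "krbtgt password last set on $($krbtgt.PasswordLastSet) (older than one year)"
}

# Checklist: admin accounts must be "sensitive and cannot be delegated", in Protected Users,
# and inactive admins should be disabled. Protected Users may not exist below 2012R2 DFL.
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty SamAccountName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
  Where-Object { $_.objectClass -eq 'user' } |
  ForEach-Object {
    $u = Get-ADUser -Identity $_.DistinguishedName -Properties AccountNotDelegated, Enabled, LastLogonDate
    if (-not $u.AccountNotDelegated) { $findings += "$($u.SamAccountName): not marked 'sensitive and cannot be delegated'" }
    if ($protected -notcontains $u.SamAccountName) { $findings += "$($u.SamAccountName): not a member of Protected Users" }
    if ($u.Enabled -and $u.LastLogonDate -lt (Get-Date).AddDays(-90)) {
        $findings += "$($u.SamAccountName): enabled admin account with no logon in 90 days"
    }
  }

# Checklist: limit service account rights that are currently DA. A user object with an SPN
# that sits in Domain Admins is the Kerberoast case the checklist warns about.
Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq "True"' -Properties MemberOf |
  Where-Object { $_.MemberOf -match '^CN=Domain Admins,' } |
  ForEach-Object { $findings += "$($_.SamAccountName): SPN-bearing account is a direct member of Domain Admins" }

if ($findings.Count -eq 0) { 'No findings for the checked items.' } else { $findings }
```

The script covers only the items named in its comments; the remaining checklist entries (network segmentation, logging, GPO and ACL review) need tooling such as PingCastle or ADACLScanner from the list above.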