psconfeu - offensive active directory (with powershell!)


Upload: will-schroeder

Posted on 21-Apr-2017


Page 1: PSConfEU - Offensive Active Directory (With PowerShell!)

Offensive Active Directory

Will Schroeder (@harmj0y)

With PowerShell!

Page 2: Agenda

• Offensive Active Directory 101
• Hunting for Users
• Local Administrator Enumeration
• GPO Enumeration and Abuse
• Active Directory ACLs
• Domain Trusts

Page 3: Offensive AD 101

• Red teams and 'real' bad guys have been abusing AD for years, but until recently very little offensive AD information existed publicly
• See http://adsecurity.org/
• A lot of what we do on a red team is essentially just (authorized) domain administration
• We find misconfigurations and chain access/trust relationships to turn a single machine compromise into achieving our objective

Page 4: PowerView

• A pure PowerShell domain/network situational awareness tool
• PowerShell version 2.0 compliant
• Fully self-contained and loadable in memory
• Now part of PowerSploit™ (not really trademarked)
• Many of its functions are also implemented as modules in Empire
• Built to automate large components of the tradecraft on our red team engagements

Page 5: Sidenote

"The best tool these days for understanding windows networks is Powerview [1]."

- Phineas Fisher, http://pastebin.com/raw/0SNSvyjJ

Page 6: Hunting for Users

• On nearly every engagement, we end up wanting to know where specific users are logged in
• We break this down into:
• Pre-elevated access, where we have only regular domain user privileges. This is our 'lateral spread' phase
• Post-elevated access, where we have some type of elevated (e.g. Domain Admin) access. This is usually our 'demonstrate impact' phase

Page 7: Win32 API Access

• Several techniques we rely on for user-hunting depend on various Windows API calls
• Specifically NetWkstaUserEnum and NetSessionEnum
• There are several methods to access these API calls through PowerShell
• C# Add-Type, straight reflection, PSReflect
• See Matt Graeber's US PowerShell Summit talk on Win32 API access for more details
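The slide names the API but not the call itself, so here is an added example of the NetSessionEnum route, written for this transcript and not PowerView's own Get-NetSession. It uses the Add-Type approach the slide lists and assumes only netapi32.dll and a domain-joined session; the host and user names in the usage comment are placeholders. NetWkstaUserEnum is left out because it requires administrative rights on the target, whereas NetSessionEnum at level 10 historically answered any authenticated user.

```powershell
# Added example (not PowerView code): user hunting with NetSessionEnum via Add-Type.
# Assumes netapi32.dll and a domain-joined session; names below are placeholders.
$Netapi32 = @"
using System;
using System.Runtime.InteropServices;

public static class Netapi32 {
    // SESSION_INFO_10: the level an ordinary domain user could request on
    // default-configured servers (level 502 needs admin on the target)
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SESSION_INFO_10 {
        public string sesi10_cname;      // client host ("\\HOST" or an IP)
        public string sesi10_username;   // user who owns the session
        public uint   sesi10_time;       // seconds the session has been active
        public uint   sesi10_idle_time;  // seconds idle
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetSessionEnum(
        string servername, string uncClientName, string username, int level,
        out IntPtr bufptr, int prefmaxlen, out int entriesread,
        out int totalentries, ref int resumeHandle);

    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
"@
Add-Type -TypeDefinition $Netapi32

function Get-NetSession {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    # prefmaxlen -1 == MAX_PREFERRED_LENGTH: the server allocates the buffer
    $status = [Netapi32]::NetSessionEnum($ComputerName, $null, $null, 10,
        [ref]$buf, -1, [ref]$read, [ref]$total, [ref]$resume)
    if ($status -ne 0) {
        # 5 (ERROR_ACCESS_DENIED) is the usual answer from hosts hardened with NetCease
        # or from recent Windows builds that restrict SrvsvcSessionInfo to administrators
        Write-Warning "NetSessionEnum on $ComputerName failed with status $status"
        return
    }
    try {
        $type = [Netapi32+SESSION_INFO_10]
        $size = [Runtime.InteropServices.Marshal]::SizeOf($type)
        for ($i = 0; $i -lt $read; $i++) {
            $entry = [IntPtr]($buf.ToInt64() + ($i * $size))
            $info  = [Runtime.InteropServices.Marshal]::PtrToStructure($entry, $type)
            [pscustomobject]@{
                ComputerName = $ComputerName
                UserName     = $info.sesi10_username
                ClientName   = "$($info.sesi10_cname)".TrimStart('\')
                IdleSeconds  = $info.sesi10_idle_time
            }
        }
    }
    finally { [void][Netapi32]::NetApiBufferFree($buf) }
}

function Invoke-UserHunter {
    # Ask each server who has a session to it and keep the rows for the target user;
    # ClientName is the host the user is actually sitting on, i.e. the next hop.
    param([Parameter(Mandatory)][string]$TargetUser,
          [Parameter(Mandatory)][string[]]$Servers)
    foreach ($server in $Servers) {
        Get-NetSession -ComputerName $server |
            Where-Object { $_.UserName -eq $TargetUser }
    }
}

# Usage (placeholders): DCs and file servers see the most sessions, so start there
# Invoke-UserHunter -TargetUser 'jdoe' -Servers 'DC01','DC02','FS01' | Format-Table -AutoSize
```

The check a practitioner wants is in the status handling: a status of 5 from a host that used to answer means someone has applied NetCease or is running a build whose default SrvsvcSessionInfo ACL no longer lets unprivileged users enumerate sessions, and the hunt has to fall back to other sources (event logs, GPO-driven logon scripts, or post-elevation techniques).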

Page 8: Local Administrator Enumeration

• Windows allows any domain-authenticated user to enumerate the members of a local group on a remote machine
• Either through the NetLocalGroupGetMembers Win32 API call or the WinNT service provider
• "Derivative Local Admin"
• Alice is (effectively) an admin on Bob's machine, and Bob is (effectively) an admin on Eve's machine
• Alice can derive Eve's rights through compromising and leveraging Bob's credentials
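An added example of the WinNT-provider route described on this slide, again not PowerView's own Get-NetLocalGroup: it reads one host's local group, then stacks the results across several hosts so that a "derivative local admin" chain becomes visible as a principal that is an admin on many machines. It assumes the targets still allow remote SAM reads by non-administrators, which was the default before Windows 10 1607 / Server 2016 introduced RestrictRemoteSAM; host and group names in the usage comment are placeholders.

```powershell
# Added example (not PowerView code): remote local-group enumeration over WinNT://
# Assumes targets allow remote SAM reads by non-admins (pre-RestrictRemoteSAM default).
function Get-NetLocalGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$GroupName = 'Administrators'
    )
    try {
        $group   = [ADSI]"WinNT://$ComputerName/$GroupName,group"
        $members = $group.psbase.Invoke('Members')
    } catch {
        Write-Warning "$ComputerName/$GroupName : $($_.Exception.Message)"
        return
    }
    foreach ($m in $members) {
        $t     = $m.GetType()
        $path  = $t.InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',     'GetProperty', $null, $m, $null)
        $raw   = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid   = (New-Object Security.Principal.SecurityIdentifier($raw, 0)).Value
        # WinNT://CORP/helpdesk -> CORP\helpdesk ; local accounts carry the host name
        $name  = ($path -replace '^WinNT://', '') -replace '/', '\'
        [pscustomobject]@{
            ComputerName = $ComputerName
            Group        = $GroupName
            Member       = $name
            Class        = $class       # User or Group
            SID          = $sid
            # heuristic: a path segment equal to the host name marks a local principal
            IsLocal      = [bool]($name -match "(^|\\)$([regex]::Escape($ComputerName))\\")
        }
    }
}

function Get-DerivativeAdminMap {
    # Which domain principals are admins on which hosts: a principal with many rows
    # is a pivot, and compromising any one of its members inherits every host listed
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $ComputerName |
        ForEach-Object { Get-NetLocalGroupMember -ComputerName $_ } |
        Where-Object { -not $_.IsLocal } |
        Group-Object -Property Member |
        Sort-Object -Property Count -Descending |
        Select-Object @{n='Principal'; e={$_.Name}},
                      @{n='Class';     e={$_.Group[0].Class}},
                      Count,
                      @{n='Hosts';     e={($_.Group.ComputerName | Sort-Object -Unique) -join ','}}
}

# Usage (placeholders): if CORP\helpdesk is admin on WS01 and WS02, landing on any
# helpdesk member's box yields both, which is the derivative local admin chain
# Get-DerivativeAdminMap -ComputerName 'WS01','WS02','WS03' | Format-Table -AutoSize
```

Domain groups in the output still need to be expanded (who is in CORP\helpdesk?) before the chain is complete; that step is an ordinary LDAP group-membership query and is the part that makes the graph transitive.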

Page 9: GPO Enumeration and Abuse

• Machines obviously have to somehow determine which users have administrative rights
• Usually set through Restricted Groups or Group Policy Preferences
• These GPO policies are readable by anyone on the domain
• From an offensive perspective, we can therefore query a domain controller and determine who has administrative rights on which machines
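An added example for the enumeration side of this slide, not PowerView's Get-NetGPOGroup: it parses the two SYSVOL artifacts that put principals into local groups (Restricted Groups in GptTmpl.inf and Group Policy Preferences in Groups.xml), then resolves each GPO to the OUs it is linked to, which is where the machines come from. It assumes the standard SYSVOL layout and a domain-joined session; $Domain defaults to the current DNS domain, and the names in the usage comment are placeholders.

```powershell
# Added example (not PowerView code): who gets local admin through which GPO, and where.
# Assumes the standard SYSVOL layout; any domain user can read these files.
function Get-GpoLocalGroupPolicy {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $root = "\\$Domain\SYSVOL\$Domain\Policies"
    foreach ($gpo in Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue) {
        $guid = $gpo.Name
        # Restricted Groups: [Group Membership] lines shaped like
        #   *S-1-5-32-544__Members = *S-1-5-21-...-1105,CORP\helpdesk
        # "Members" replaces the whole group; "Memberof" adds the group to others.
        $inf = Join-Path $gpo.FullName 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
        if (Test-Path -Path $inf) {
            $inSection = $false
            foreach ($line in Get-Content -Path $inf) {
                if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
                if (-not $inSection) { continue }
                if ($line -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<val>\S.*)$') {
                    $grp = $Matches.group.TrimStart('*'); $kind = $Matches.kind
                    foreach ($m in ($Matches.val -split ',')) {
                        [pscustomobject]@{ GPO = $guid; Source = 'RestrictedGroups'; Group = $grp
                                           Kind = $kind; Member = $m.Trim().TrimStart('*'); Action = 'SET' }
                    }
                }
            }
        }
        # Group Policy Preferences: <Group groupSid=...><Members><Member name= sid= action=ADD|REMOVE/>
        $xmlPath = Join-Path $gpo.FullName 'MACHINE\Preferences\Groups\Groups.xml'
        if (Test-Path -Path $xmlPath) {
            [xml]$xml = Get-Content -Path $xmlPath
            foreach ($g in $xml.Groups.Group) {
                $grp = $g.Properties.groupSid
                if (-not $grp) { $grp = $g.Properties.groupName }
                foreach ($m in $g.Properties.Members.Member) {
                    $who = $m.sid
                    if (-not $who) { $who = $m.name }
                    [pscustomobject]@{ GPO = $guid; Source = 'GPP'; Group = $grp
                                       Kind = 'Members'; Member = $who; Action = $m.action }
                }
            }
        }
    }
}

function Get-GpoLink {
    # Resolve a GPO GUID to its display name and the OUs/containers linking it,
    # then list the computers under each link (gPLink is searchable as a string)
    param([Parameter(Mandatory)][string]$GpoGuid)
    $gpc = ([adsisearcher]"(&(objectClass=groupPolicyContainer)(name=$GpoGuid))").FindOne()
    if (-not $gpc) { return }
    $display = [string]$gpc.Properties['displayname'][0]
    foreach ($link in ([adsisearcher]"(gPLink=*$GpoGuid*)").FindAll()) {
        $dn = [string]$link.Properties['distinguishedname'][0]
        $s = [adsisearcher]'(objectCategory=computer)'
        $s.SearchRoot = [ADSI]"LDAP://$dn"
        $s.PageSize   = 1000
        [pscustomobject]@{
            GPO       = $GpoGuid
            Name      = $display
            LinkedTo  = $dn
            Computers = @($s.FindAll() | ForEach-Object { [string]$_.Properties['name'][0] })
        }
    }
}

# Usage: every principal that lands in BUILTIN\Administrators (S-1-5-32-544) by policy,
# then the hosts each of those policies reaches
# $rows = Get-GpoLocalGroupPolicy | Where-Object { $_.Group -match '544|^Administrators' }
# $rows | Format-Table GPO, Source, Member, Action -AutoSize
# $rows.GPO | Sort-Object -Unique | ForEach-Object { Get-GpoLink -GpoGuid $_ }
```

Two caveats when reading the output: a gPLink entry can be disabled (its trailing option flag) or block-inherited by a child OU, and a GPO can also be filtered by security group or WMI, so a listed computer is a candidate that still has to be confirmed against the host itself.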

Page 10: Active Directory ACLs

• Very few organizations properly audit AD ACLs or alert on their alteration
• Almost every organization has some kind of misconfiguration SOMEWHERE in the object access rights of their domain structure
• This is also a great candidate place for 'sneaky' persistence!
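The slide asserts that misconfigured object rights are common but does not show how to look for them, so here is an added example, not PowerView's Get-ObjectAcl / Invoke-ACLScanner: it pulls the DACL of every object in the domain naming context and reports Allow ACEs that grant control rights (GenericAll, GenericWrite, WriteDacl, WriteOwner, all-attribute WriteProperty, or a few named extended rights) to principals outside the default administrative set. It assumes a domain-joined session; the exclusion lists are a starting point for triage, not a verdict.

```powershell
# Added example (not PowerView code): scan domain object DACLs for control rights
# held by principals that are not part of the default administrative set.
$ControlRights  = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
$NullGuid       = '00000000-0000-0000-0000-000000000000'
$ExtendedRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    $NullGuid                              = 'All-Extended-Rights'
}
# SYSTEM, BUILTIN\Administrators, Account Operators (default write rights on users),
# Enterprise DCs, SELF, CREATOR OWNER; plus domain RIDs for Administrator, Domain
# Admins, Domain Controllers, Schema Admins, Enterprise Admins
$WellKnownAdmins  = @('S-1-5-18', 'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-9', 'S-1-5-10', 'S-1-3-0')
$DefaultAdminRids = @('-500', '-512', '-516', '-518', '-519')

function Test-DefaultAdminSid {
    param([string]$Sid)
    if ($WellKnownAdmins -contains $Sid) { return $true }
    foreach ($rid in $DefaultAdminRids) { if ($Sid.EndsWith($rid)) { return $true } }
    return $false
}

function Resolve-SidName {
    param([string]$Sid)
    try { ([Security.Principal.SecurityIdentifier]$Sid).Translate([Security.Principal.NTAccount]).Value }
    catch { $Sid }   # unresolvable (deleted principal, foreign domain): keep the SID
}

function Find-InterestingAce {
    param([string]$SearchBase = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext)
    $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase", '(objectClass=*)')
    $searcher.PageSize      = 1000
    $searcher.SecurityMasks = [DirectoryServices.SecurityMasks]::Dacl   # request the DACL only
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'ntsecuritydescriptor'))
    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        $sd = New-Object DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm([byte[]]$r.Properties['ntsecuritydescriptor'][0])
        foreach ($ace in $sd.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if (Test-DefaultAdminSid -Sid $sid) { continue }
            $rights = $ace.ActiveDirectoryRights.ToString()
            $guid   = $ace.ObjectType.ToString()
            $why = $null
            if     ($rights -match $ControlRights) { $why = $rights }
            elseif ($rights -match 'ExtendedRight' -and $ExtendedRights.ContainsKey($guid)) { $why = $ExtendedRights[$guid] }
            elseif ($rights -match 'WriteProperty' -and $guid -eq $NullGuid) { $why = 'WriteProperty (all attributes)' }
            if (-not $why) { continue }
            [pscustomobject]@{
                Object    = $dn
                Principal = Resolve-SidName -Sid $sid
                SID       = $sid
                Right     = $why
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: non-inherited hits are the hand-placed ones, which is exactly where
# the 'sneaky' persistence from the slide would show up
# Find-InterestingAce | Where-Object { -not $_.Inherited } | Format-Table Object, Principal, Right -AutoSize
```

The replication extended rights on the domain head are the ones that matter most on the defensive side: a non-DC principal holding both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All can pull password hashes without ever touching a domain controller's disk.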

Page 11: Domain Trusts

• Trusts allow separate domains to form inter-connected relationships
• Often utilized during acquisitions (e.g. forest trusts or cross-link trusts)
• A trust just links up the authentication systems of two domains and allows authentication traffic to flow between them
• Allows for the possibility of privileged access between domains, but doesn't guarantee it*
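An added example of the enumeration this slide alludes to, not PowerView's Get-NetDomainTrust / Invoke-MapDomainTrust: it reads a domain's trustedDomain objects, decodes trustDirection and trustAttributes per MS-ADTS, and then walks every reachable trust breadth-first to map the whole mesh. It assumes a domain-joined session and that $env:USERDNSDOMAIN is set; LDAP reads of a foreign domain only work when the current credentials can actually authenticate across the trust, which is itself useful information.

```powershell
# Added example (not PowerView code): enumerate and map domain trusts over LDAP.
# Flag values follow the trustAttributes / trustDirection definitions in MS-ADTS.
$TrustAttributeFlags = @{
    0x1  = 'NON_TRANSITIVE'
    0x2  = 'UPLEVEL_ONLY'
    0x4  = 'QUARANTINED_DOMAIN'    # SID filtering enforced
    0x8  = 'FOREST_TRANSITIVE'
    0x10 = 'CROSS_ORGANIZATION'
    0x20 = 'WITHIN_FOREST'         # parent/child or tree-root trust: no SID filtering
    0x40 = 'TREAT_AS_EXTERNAL'
}
$TrustDirections = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$TrustTypes      = @{ 1 = 'Downlevel'; 2 = 'Uplevel'; 3 = 'MIT'; 4 = 'DCE' }

function Get-DomainTrust {
    param([Parameter(Mandatory)][string]$Domain)
    $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Domain", '(objectClass=trustedDomain)')
    foreach ($r in $searcher.FindAll()) {
        $p     = $r.Properties
        $attr  = [int]$p['trustattributes'][0]
        $flags = foreach ($k in ($TrustAttributeFlags.Keys | Sort-Object)) {
            if ($attr -band $k) { $TrustAttributeFlags[$k] }
        }
        [pscustomobject]@{
            Source       = $Domain
            Target       = [string]$p['name'][0]
            Direction    = $TrustDirections[[int]$p['trustdirection'][0]]
            Type         = $TrustTypes[[int]$p['trusttype'][0]]
            Attributes   = $flags -join ','
            SidFiltering = [bool]($attr -band 0x4)
            # intra-forest trusts never filter SIDs: the forest is the real boundary
            WithinForest = [bool]($attr -band 0x20)
        }
    }
}

function Invoke-MapDomainTrust {
    # Breadth-first walk of the trust graph starting at the current domain
    param([string]$StartDomain = $env:USERDNSDOMAIN)
    $seen  = @{}
    $queue = New-Object Collections.Generic.Queue[string]
    $queue.Enqueue($StartDomain.ToLower())
    while ($queue.Count -gt 0) {
        $d = $queue.Dequeue()
        if ($seen.ContainsKey($d)) { continue }
        $seen[$d] = $true
        try   { $trusts = @(Get-DomainTrust -Domain $d) }
        catch { Write-Warning "Cannot read trusts of $d : $($_.Exception.Message)"; continue }
        foreach ($t in $trusts) {
            $t
            $next = $t.Target.ToLower()
            if (-not $seen.ContainsKey($next)) { $queue.Enqueue($next) }
        }
    }
}

# Usage: edges with WithinForest set are the parent/child links; an external edge
# without SidFiltering is the one worth a second look
# Invoke-MapDomainTrust | Format-Table Source, Target, Direction, Type, Attributes, SidFiltering -AutoSize
```

The output is one row per directed edge as seen from the source domain, so a bidirectional trust appears twice (once from each side) when both domains are readable; that is convenient for graphing and also a quick way to confirm which direction your current credentials can actually traverse.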

Page 12: Sidenote: The Mimikatz Trustpocalypse

• Mimikatz Golden Tickets now accept SID histories through the new /sids:<X> argument
• If you compromise a DC in a child domain, you can create a golden ticket with the "Enterprise Admins" SID (the forest root domain SID with RID 519) in the SID history
• This can let you compromise the parent domain!
• The FOREST is the trust boundary, not the domain!

Page 13: Summary

• There's a lot of overlap between offensive engagements and legitimate domain administration
• You can find where users are logged in WITHOUT elevated domain privileges
• You can enumerate the local group membership of a remote machine WITHOUT elevated domain privileges
• Domain trusts can easily be enumerated, visualized, and abused with PowerView

Page 14: Questions?

Page 15: About the Author

• Will Schroeder (@harmj0y)
• http://blog.harmj0y.net | will [at] harmj0y.net
• Security researcher and red teamer for Veris Group's Adaptive Threat Division
• Offensive open-source developer: Veil-Evasion, Empire, PowerSploit
• Recent Microsoft Cloud and Datacenter Management (CDM) / PowerShell MVP

Page 16: References

• The Mimikatz Trustpocalypse brought to you by:
• Benjamin Delpy (@gentilkiwi)
• Sean Metcalf (@pyrotek3) - http://adsecurity.org
• My Active Directory background brought to you by:
• Carlos Perez (@darkoperator)
• Sean Metcalf (@pyrotek3) - http://adsecurity.org
• Get PowerView: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
• Cheat sheets: https://github.com/harmj0y/cheatsheets/