
Then let's get going. So, Peter Morin here, from multiple organizations. Again, I ask everybody for things that you may not know about them, so: if you've gone to the, now on hiatus, Atlantic Security Conference, he organized that for many years. Peter's also received some global awards from ISACA, and he tells me he will be the global president of the HTCIA, the High Technology Crime Investigation Association. They have a table upstairs, so if you're interested in what's going on there, and you're involved with things like forensics investigations, then you can learn a lot from that. There are a lot of people from law enforcement who were there, so go and see Myron, who is the current president of the Atlantic chapter and a good friend of ours. I told people I was going to shut up, so I'll give it over to Peter here.

Just a precursor: Chris is always good at making me feel really nervous about things. Just a little while ago I had a nosebleed, so I ran out the door. I'm not dying; it makes people uncomfortable when somebody starts to bleed out their nose for no reason, and he's like, oh, that's serious. Oh no, you just... I'm going to close the... you've got to talk about it.

I only have 108 slides. It's funny, I worked for a defense contractor and I went into a meeting one day with the US Army on a project we were doing, and I had like 10 slides, and my plan was to talk for about an hour, and I remember the officer in charge came up to me, he's like, do you have your slides? Yeah. And he's like, you only have 10 slides? It's like, yeah. He goes, you can't come in with 10 slides. And I'm looking at people in the audience that I've seen, like, do they look like they want like 300 slides, and they're just clicking and reading over slides.

So I'm going to talk today about Active Directory. I'm not going to bore you with this. I work mostly in the operational technology space, so the AD stuff is quite interesting for me, because where everybody is going to Azure, to the cloud, and they're connecting their AD to the cloud or moving everything to the cloud, in the OT space in many cases we have on-prem AD and we don't have a choice, because a lot of critical infrastructure is not going to the cloud yet. So I have to deal with the limitations of the security of AD and the threats that are there, because I have no way of migrating those threats out. That's what I'm going to talk to you a little bit about.

First off, just to give you an idea, who here does, like, super mainstream AD management? Who's an AD person, an AD expert? Does anybody not know what AD is? Nobody's here for basket weaving, right? So the one thing I want to talk to you about is some of the problems that we have within Active Directory, and these are issues that stem all the way back to the beginning of Windows time. I started with Windows back in Windows NT 3.51, a really long time ago, back in the mid 1990s, back in the day when there was no Google. So when you had a problem you would call Microsoft and they'd be like, yeah, if you figure that out call us back and tell us what you did. There was nowhere to look, right? So these problems have been around for a while.

From an authentication perspective you're going to see a lot of LAN Manager. If you've ever heard of the term NTLM, NT LAN Manager, that steps back to Windows NT, and prior to Windows NT when there was just LAN Manager, and then we've had iterations like NTLM version 2. And with Active Directory, since Windows 2000, we've introduced Kerberos, and everybody knows that Kerberos solved the problems and there are no security issues at all, right? Well, we know that's not true.

A couple of things to understand. Even though we are using Kerberos, NTLM is still used. It's the backbone of AD and of Windows authentication. When you want to join a domain, when you want to authenticate between AD forests, when you want to authenticate to a domain based on an earlier version of the Windows operating system, logon authentication to non-domain-controller systems configured as members of a workgroup, all this stuff uses NTLM. So even if you want to go 100% Kerberos, you're still going to have to deal with NTLM in some way, shape or form. Again, it's still used a lot even though Kerberos is there, and NTLM allows various computer services to conduct what they call mutual authentication. I'm going to talk about that a little bit more.

So the differences between the two: NTLM is challenge-response, so we're basically communicating back and forth with the machine we want to connect to, and we're doing a challenge-response type of communication, whereas Kerberos is a ticket-based authentication that uses more of a trusted model. But I'm going to talk about them both in a little bit more detail.

NTLM is going to use password hashing. Everybody's familiar with hashing? Have you ever heard of the term pass-the-hash? Not that pass the hash, the other pass the hash. Essentially there is a hashing algorithm that is still used with NTLM, and it's there to take a password and transform it into a string of characters that is not legible. Now, as you know, versus other ways of encrypting things, a hash is one way, right? We can't go backwards from the hash. So the only way to validate the password is to say, I'm the word "password", I hash it; I have to take the word "password", hash it, and if the hashes match I know that the password is "password". And we do that today when we're doing all kinds of pen testing and we're trying to break passwords. Well, this works very similarly.

If you look here, and I know this is a little small, I have Nick's client here and I have a domain controller. Can everybody hear me okay? Basically what's going to happen with NTLM is Nick is going to send an authentication request. Then the domain controller is going to send an NTLM challenge, which is basically a random number. Nick answers with his hashed password, and then Nick is granted access in a response. Now, the reason this seems really simple but is a problem is because I'm just sharing hashes. If somebody is able to get that hash, there's nothing validating that that hash came from Nick. So if I'm able to steal that hash, I can take that hash and pass it around to other machines, and if that machine has a hashed password of Nick already, it gets validated. There's no trustworthiness in this, right? We'll get into that a little bit more.

So where are the hashes stored? This is important because it's going to lead into some of the vulnerabilities I'm going to talk about. There are two places we find this. On the domain controller it's in a directory called C:\Windows\NTDS and the file is called the ntds.dit file; it's an encrypted file. And if you're on a local Windows machine, like a Windows 10 or Windows 11 machine, it's stored in what we call the SAM, or the Security Account Manager, and that is in Windows\System32\config. It's all encrypted, and the hashes are also stored as a copy in the registry, because we know that's even more safe, right? So when we're looking at hashes, we can either intercept them or we can try to steal them off the machines themselves.

So why is NTLM bad? Well, it's bad because it relies on challenge-response. It does not natively support multi-factor authentication, so if you want MFA you've got to kind of bolt it on, because it uses this challenge-response; it's not part of it natively. It's a very simple form of password hashing, which makes it vulnerable to things like pass-the-hash and brute forcing. And because it's old, it's not really advancing at all. They're not saying, well, we're going to use something more complicated, we're going to come up with a new version of NTLM. It's not really moving anywhere from where it is today.

Now Kerberos, on the other hand, again, it's better. It's not perfect, but it's better. Essentially Kerberos is one that uses tickets as opposed to challenge-response. It's been around since Windows 2000; most people don't know that, they think it's just recently been in there. It does replace NTLM to a certain extent; however, if you want to replace NTLM you have to actively configure your systems to replace it with Kerberos, and most people don't do that, at least on the OT side we don't. So instead of passing the user's credentials over the network in a hash, we use a session key that's created, and that's used to authenticate the person, and it's for a fixed time.

So if we look at that, as you remember how NTLM worked, in this case Nick requests a TGT, or a ticket granting ticket, from the authentication server that's attached to Active Directory. The authentication service is going to send back an encrypted session key and a ticket granting ticket. Nick requests access to a SQL Server from the TGS, the ticket granting server. The TGS sends an encrypted session key back, and then Nick sends that over to the SQL Server to get access. So at no time are you actually sending hashed passwords around; we're using tickets to do this. So the authentication is still happening at the Active Directory level using NTLM, but we're actually not passing around password hashes anymore. So there's no interception of password hashes, there's no pass-the-hash anymore.

Now, Windows uses Kerberos version 5. The initial user authentication is integrated into the Windows logon single sign-on architecture, so there is still authentication that's happening once, and then there's this passing back and forth of tickets. There's infrastructure called the Kerberos Key Distribution Center that's integrated with other Windows security services running on the domain controller, and the KDC uses the domain's AD directory service database to house all of the account information. So it's a little bit more distributed, although I'm going to show you Kerberos still has its problems. Does anybody here still have problems combating NTLM type things? Has anybody witnessed that in an incident or anything? Kind of tricky, but you gave it up now.

So with Kerberos the user never directly authenticates themselves to the services they need. If I want to connect to a file server, I'm never going to pass my password in a hash format. The Key Distribution Center, which runs on every DC, issues a ticket granting ticket which includes a unique session key. It's time stamped, either 8 to 10 hours, and that's what's passed around to give access to these various systems that are on the domain. Any questions so far? Make sense? Okay.

So then we get into the problems of all this, that's what I'm sure you're all here for. The first one is kind of weird: enumeration. It shocks me a little bit how Active Directory gives up information. So who here has used nmap? Who here doesn't know what nmap is, wants to admit they don't know what nmap is? So nmap is a tool used to probe other machines, right? I know this is a little small, but with nmap we can run a really quick nmap scan, and if you use the -A option, that basically pulls back a bunch of information about the system. It's automatically going to tell you it's the domain controller. You're going to see all the DC services, you're going to see the domain, the DNS computer name, the NetBIOS computer name, you're going to see all this DC stuff. So identifying a domain controller in a network is really easy with nmap; you don't have to worry about that. Secondly, you're able to pull up a lot of information about the domain itself, the forest name, if it's a subdomain; there's all kinds of information that will get pulled back when you actually probe that system. There's also a lot of Kerberos information that will come back as well.

So a good example here, and this was a test we had done, I've changed the names and the domain, but essentially we do some enumeration. We're doing a pen test at a company, let's say, and we go on the internet and we find out who all the executives are. So I've got their names here: CFO, CIO, and some people of interest, you know, director of IT, senior systems admin, who most probably will have a domain admin account, CEO, CIO and so on. And then what we do is we guess a bunch of potential user accounts, so, you know, Becky Clark, B. Clark, BeckyClark, becky.clark, so on and so forth. Well, the cool thing you can do with this is, what I've done here is I'm running nmap, I'm specifying port 88, which is Kerberos, a script called krb5-enum-users, and what I'm doing is passing it the domain, which I know, and then I'm passing it a file called usernames.txt, and in that file I've got all my potential username combinations. And then when you run that it'll actually return back what it considers a user and not a user. So it actually probes Kerberos and it says, is Becky a user? No. Is B. Clark a user? Yes. And it notes that. So you can see here right off the bat I'm getting half of what I need. So if I want to do anything like pass-the-hash, because even with Kerberos we're still running NTLM on the network, I've got half the solution here: I have usernames. You can either do this with nmap, or, in this case, I'm using Metasploit as well. So being able to probe the Kerberos database and get that information is very easy. And I can bet you right now that it's very, very rare that people are going to be able to pick this up in their SIEM or in their monitoring. It's going to go by so fast they're not going to really see that it happened.

Now there are other tools you can use as well. I just put them up here if you want to try these: PowerView, ADRecon. These are PowerShell scripting packages, and they are used very, very often by attackers in massive campaigns. So what I'd like to tell people is, if you've been hit with a ransomware attack, when the ransomware gets kicked off at the end, there's most probably weeks of lead-up time before that actually happened. There's a lot of reconnaissance where they steal your data and they get access and establish a beachhead on your network; a lot of this is happening. So you'll see stuff like PowerView, ADRecon, tools like Rubeus. Rubeus is a brute-forcing Kerberos tool, so it's really good to be on the lookout for, and I'm going to show you how to detect some of this later on. There's BloodHound and SharpHound; they'll actually build these nice little diagrams of what your AD forest looks like. So these are a lot of tools that are used by attackers to do a lot of the reconnaissance work prior to really trying to steal your data. Questions so far? I've had a lot of coffee today too; it doesn't put me to sleep, but it does energize me.

So with that we get into the initial access part. What can we do from an initial access perspective? Well, we've got SMB relay. Anybody heard that term before, SMB relay? You probably have. Who's never heard of it? So this is an interesting one, and nine times out of ten when I look at a network they allow SMB relay, which is really, really bad, and pen testers usually, like within the first 30 minutes, are going to look for this, and if they find it they're like, I'm done, I'm going home now, I've figured it all out. So essentially we know that when we're going to communicate using file sharing protocols, so if I want to connect to Tarek's machine, for example, and I want to download some files from his machine, unless I've gone the route of really, really locking things down, I'm going to use NTLM. And what does NTLM use? Hashed passwords, right. So when the client wants to access a specific service, the service is going to send a challenge to the client, the client is asked to encrypt it with the client's password hash, once the encryption is done the client sends back the encrypted challenge to the service, and then you've got the communication. So we want to intercept that, right?

I'm going to skip over this, but basically what causes this to happen is what we call a lack of SMB signing, and this is the common thing that pen testers will look for. It's not a default setting, so if you haven't specifically gone and turned on SMB signing in your network, it's not turned on today, and you're susceptible to this. So what happens is, when you have SMB signing turned on, the server requires that all SMB packets sent by clients are signed by a digital signature. That is what gets bypassed. So if I, legitimately Peter, am talking to, legitimately, Tarek, and you stole my hash, you're not legitimately me anymore, and this is there to validate that it is not me doing it, and it's supposed to stop things. This is not turned on by default, and it's crazy: like I said, nine times out of ten when I've gone to clients they are not running SMB signing. So basically this would prevent that attack from happening. So to validate it, it's another nmap scan. You nmap scan a machine, you're going to see this thing that says "message signing enabled", which throws you off a little bit: "message signing enabled but not required". So if you see "message signing enabled but not required", that means that SMB signing is turned off, and then you're off to the races at that point.

So at that point you can do all kinds of cool things. The first thing you do is what we call an SMB relay attack via DNS fallback abuse, big thing to say. So when you're in an Active Directory, how do we look things up in Active Directory? What is usually a service that we have to run on our domain controller? DNS, right. Well, what if I'm going to connect to Tarek's machine, and Tarek's machine is called Tarek, but by mistake I forget the T, right? What's going to happen when I hit the DNS? DNS is going to say that doesn't exist, right? But there are fallback mechanisms to that. There are a few of them: there's what we call LLMNR, there's NBT-NS, which is old NetBIOS stuff, there's mDNS, so on and so forth. So what we can do is we can intercept that fallback traffic and we can poison it. And a lot of people will say, well, how often does this happen, like how often does somebody type a share improperly? If you're on a network with thousands of people, it happens regularly, and typically this is where that beachhead is happening. We're setting up the machine, we're listening for this garbage, and when it comes out, we log it.

So I'm using a tool here called Responder, and I think Julian mentioned Responder a few times in his talk this morning. It's a very good tool, but essentially what it allows me to do is listen for LLMNR and things like NBT-NS traffic and poison that. So essentially, if you're looking for server01 and I've misspelled it, when it goes to the DNS and it fails on the DNS, I'm going to get it on the LLMNR, which is the fallback protocol from DNS. So to give you an example here, Beth here does a lookup for server1, it doesn't exist, and when she tries to go to it, it's still going to pop up this popup, and this popup is coming from my poisoning server. Now once this happens, what do we normally pass to connect to the machine? Anyone? Chris has got prizes for you. What are we passing to connect to a machine? We're passing a hash, right. So get this: you try to get to a machine, you type the wrong thing in, DNS says that doesn't exist, it falls back to LLMNR, I'm poisoning it, so you now connect to me, and what do I do? I capture your hash. And it's easy. Dude, I've set this up, put it on a network on a Raspberry Pi, plugged it into a network, gone away, come back two days later, I've got pages and pages and pages of hashes. And not only that, these are not complicated hashes, these are old NTLM hashes. So from there you can see here: poisoned answer, poisoned answer, poisoned answer, and then I've got my client's name, Beth, and I've got her NTLM hash.

Here's another way you can do this: you can run a tool called Impacket. Impacket will allow you to do the same thing. This is really cool: I go to connect to Tarek's machine but by mistake I type in something wrong, then it does a lookup on the DNS, it falls back to me, and not only do I get the hash but I go ahead and pass that hash back to Tarek, and now I have access to his machine, and I can actually get an interactive console to his machine. Does that make sense? So not only am I going to get his hash, I'm going to pass it on. Impacket is going to do that automatically: it's going to grab his hash, it's going to send it back to him, and because he's got that hash on his machine, because it's his, it's going to give me an interactive command prompt. So look, I now have a full command prompt to his machine, all because of limitations in NTLM.

Okay, this is my favorite one, and I've done this a few times, so much fun. Everybody know what a Rubber Ducky is? Hak5? If you don't know what a Rubber Ducky is, it's a USB stick, but inside it's actually got a microprocessor and storage and all kinds of things, and you can run scripts on it. So this is one we do that's a lot of fun. What I do is, you probably can't see here, but I've actually got scripts in the Rubber Ducky, and what that Rubber Ducky does is, the minute you plug it into your machine, it pops up a window, I have a picture of it, and basically grabs your hash from there, and as you can see at the top here it sends it back to my Impacket server. I have all kinds of delays in there, and it still happens so fast you don't see it. Like, you know when you go, you type Run and you type backslash backslash Tarek and then it fails? Well, it does that by the script, and it does it so quickly you don't see the popup. And then what it does is what I just showed you a minute ago, but it does it physically. So if I don't have access to poison your LLMNR traffic, I can't poison it because I'm not on your network, because there's segmentation or whatever it is, I just walk up to the machine, I plug this guy in, it pops up and it basically does that backslash backslash server with an incorrect name, it goes to my Impacket server and it does the same thing. So I can actually start it from a different way, through that Ducky script. Really cool. And you don't even see it. Like, I've gone up to CFOs' desks, plugged it in, walked away; it takes like a microsecond to work.
And then you can see here, there's where it's coming back to my Impacket server. And then once you have those hashes, you can either do the Impacket thing where you automatically redirect to Tarek's machine, or what have you, or you can take them and run them through something like hashcat or CrackMapExec or John, as long as you specify, for example in hashcat, 5600, which is the module for NTLM hashes, and break them. And then depending on what kind of machine you have, like I know our pen testers have these huge servers with big GPUs in them, and they can crack this stuff really, really quickly, and you've got passwords. What's that? Yeah, you're matching the hash right to a dictionary, right. Yeah, depending on how big the GPU you have in your machine is; if you've got big GPUs in there it could, and depending on how complicated the password is, it could be really, really short, it could be really, really long. If you've got 100 hashes, the chance you're going to crack all 100 in the first day is slim, but you may crack three or four, and that's all you need. What's that? That's a success, yeah, all you need, right? Or you don't want to crack them at all, you can use them and pass them along. So you've got options, right? Yeah, exactly, pass-the-hash; if you have a table you don't have to get the original, correct, yeah.

So that's kind of the NTLM side. Now if you get into the Kerberos side of things, we get into things like dealing with the tickets that are being sent back and forth. This one is what we call AS-REP roasting. This is what they refer to as a pre-authentication attack. Pre-authentication is something that is turned on by default. Now again, you're going to notice some of these things and you're going to be like, oh come on, that's very improbable that happened; like, there are certain things that have to be turned off or turned on for some of these attacks to work, and I wouldn't be showing you these if I hadn't been in the wild and seen those things having been turned on or turned off. So that's why I bring them up, and these are legitimate attacks that are out there. So pre-authentication, essentially, when it's turned on, which is by default, the user initiates a process by transmitting an authentication server request to the domain controller, and the message includes a timestamp encrypted using the hash of the user's password as an encryption key. This is to validate that the requests are legitimate at the end of the day. So basically there is a setting in here, you can see my user DG Chambers, there's a setting in there that says "Do not require Kerberos preauthentication". Now again, you're like, if that's not typically checked off, why would somebody go and check it off and make their machines vulnerable? I have seen this turned on, and in a lot of cases on the OT side we have a lot of legacy applications that don't support Kerberos pre-authentication, or you go to a vendor and the vendor's like, do you have pre-authentication turned on? You're like, yeah. Well, we think that's the problem, so go turn it off. And then what'll happen is the engineers, not that I want to rag on the engineers, they'll just go, all right, we'll turn it off. They don't call anybody, they don't even know what it is, they're like, some guy told me to check this off, so I'm just going to do it and it's going to work. So you end up finding this stuff and you wonder why. So I've got to speed up, we've got 15 minutes, so I'm going to speed through a little bit of this.

So again, what you can do with this is run Impacket, do what they call GetNPUsers against the domain and the domain controller, and basically you can pull their ticket granting ticket, and we know those ticket granting tickets have been created using the hash. So once you've got that, you can process it through something like John the Ripper and you can yank the hash out of the actual ticket granting ticket. Now mind you, that's only going to work if you have pre-authentication turned off, which is probably like less than 5% of the time, but it is something to look at, and it is something you have in your box of tricks.

Anybody ever heard of Kerberoasting? Kerberoasting is another one, and that's used to obtain passwords for AD accounts that have the service principal name, or SPN, value set, and that's specifically for service accounts. So with that, for example, fast forward a little bit, basically what you're going to have within your AD, and I've got a SQL service account for SQL Server here, there's a specified SPN there. So the first step is to enumerate all the accounts that have an SPN set. This works with a username or a hash, and if they have an SPN tied to them then we can request the ticket granting ticket for that SPN. In a lot of cases what I've seen is you create a service account and it's not working, so what do they do? They add it to the domain administrators, because that just makes everything work, and now you are basically able to enumerate an account, pull back their information, and they're part of the domain admins. So you can see here I was able to pull it back, I was able to get the ticket granting ticket and crack the password. So again, Kerberoasting, another way you're able to pull that hash out.

Lateral movement. So we've got our good old pass-the-hash. Again, you do not need a password to do this, all you need is the hash itself, so it's really easy to do. Now the one thing with pass-the-hash, and does anybody know the common tool that we use to do pass-the-hash? Starts with an M, ends with a Z. Mimikatz. What does everybody know about Mimikatz today? Anything will pick it up, right? So right off the bat, Defender, CrowdStrike, when CrowdStrike's working, you could be running a free tool, they're all going to pick up Mimikatz. It's so common. That doesn't mean you can't run Mimikatz; there are ways of running Mimikatz even though it'll be picked up. One of the most interesting ways of doing it is using tools like MSBuild, and actually building it into an XML and then running it through MSBuild. When you're going to run it that way, as opposed to running it on its own, it basically gets obfuscated to the point where, I mean, we've tried it with Defender, for example, and it won't pick it up. So there are ways to obfuscate Mimikatz out of its raw form which allow you to do things like pass-the-hash. I'm running it here and I've got Defender running on that test machine, and you can see here basically what you want to do is, in Mimikatz you do what we call privilege::debug, which allows you to access anything going into LSASS, which is the memory space where password hashes are being kept, and then basically dump the logon passwords from the machine. And then once you have it, good old Impacket: there I've got impacket wmiexec -hashes, I take the hash, the domain, the user, the machine I want to get to, and I pass that hash over, and you can see I'm now connected to the target machine and logged in as Beth. I didn't need to authenticate, you just pass your hash over to the machine, and the other machine doesn't know; for all it knows, that's legitimately Beth passing that hash over to get access to that machine.
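The speaker notes that this kind of activity rarely shows up in a SIEM. As an added example, not part of the talk, here is detection logic a defender could run over Windows Security event records for the three patterns just described: AS-REP roasting (4768 issued without pre-authentication), Kerberoasting (one requester sweeping RC4 service tickets, 4769) and hash-injection logons (4624 logon type 9 via the seclogo logon process). The event records, account names, hosts and addresses are all constructed for the example.

```python
"""Detection logic for the Kerberos and pass-the-hash patterns discussed above,
run over Windows Security event records.  Event IDs used:
  4768  Kerberos AS-REQ (TGT request)     -> AS-REP roasting leaves PreAuthType 0
  4769  Kerberos TGS-REQ (service ticket) -> Kerberoasting asks for RC4 (0x17)
  4624  Logon                             -> hash injection shows as LogonType 9
All records in SAMPLE_EVENTS are CONSTRUCTED for this example; the field names
mirror the Windows Security log, but hosts, users and addresses are invented.
"""
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23; roasting tools request it because it cracks offline
SUCCESS = "0x0"


def is_asrep_roast(ev):
    """4768 issued with no pre-authentication (PreAuthType 0) for an RC4 TGT.
    Only accounts flagged 'Do not require Kerberos preauthentication' produce
    this; a normal AS-REQ carries PreAuthType 2 (PA-ENC-TIMESTAMP)."""
    return (ev["EventID"] == 4768
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and ev.get("Status") == SUCCESS)


def is_kerberoast_ticket(ev):
    """4769 for an RC4 service ticket whose SPN belongs to a user (service)
    account.  Computer accounts (name ends in '$') and krbtgt are excluded:
    they are not what Kerberoasting targets and machine passwords are random."""
    svc = ev.get("ServiceName", "")
    return (ev["EventID"] == 4769
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and ev.get("Status") == SUCCESS
            and svc != ""
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def is_pth_logon(ev):
    """4624 with LogonType 9 (NewCredentials) through the 'seclogo' logon
    process: the footprint of a tool injecting a stolen hash into a new logon
    session.  Legitimate 'runas /netonly' looks the same, so treat as a lead."""
    return (ev["EventID"] == 4624
            and ev.get("LogonType") == "9"
            and ev.get("LogonProcessName", "").lower() == "seclogo")


def analyze(events, kerberoast_threshold=3):
    """Return a list of findings.  AS-REP roasting and hash-injection logons
    are reported per event.  RC4 service-ticket requests are aggregated per
    (requester, source IP) and reported only when that pair pulled tickets for
    at least `kerberoast_threshold` distinct SPNs: one RC4 ticket may be a
    legacy client, but one user sweeping every SPN is the roasting pattern."""
    findings = []
    spns = defaultdict(set)
    for ev in events:
        if is_asrep_roast(ev):
            findings.append(("asrep_roast", ev["TargetUserName"], ev["IpAddress"]))
        elif is_kerberoast_ticket(ev):
            spns[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
        elif is_pth_logon(ev):
            findings.append(("pass_the_hash", ev["TargetUserName"], ev["WorkstationName"]))
    for (user, ip), names in sorted(spns.items()):
        if len(names) >= kerberoast_threshold:
            findings.append(("kerberoast", user, ip, sorted(names)))
    return findings


# Constructed sample log: a normal AES ticket, one sweep of RC4 service tickets,
# a DC's own krbtgt ticket, one AS-REP for an account with pre-auth disabled,
# one normal AS-REQ, one hash-injection logon and one interactive logon.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "beth@CORP.EXAMPLE", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.1.20", "Status": SUCCESS},
    {"EventID": 4769, "TargetUserName": "beth@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.1.20", "Status": SUCCESS},
    {"EventID": 4769, "TargetUserName": "beth@CORP.EXAMPLE", "ServiceName": "svc_web",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.1.20", "Status": SUCCESS},
    {"EventID": 4769, "TargetUserName": "beth@CORP.EXAMPLE", "ServiceName": "svc_backup",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.1.20", "Status": SUCCESS},
    {"EventID": 4769, "TargetUserName": "DC01$@CORP.EXAMPLE", "ServiceName": "krbtgt",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.0.1", "Status": SUCCESS},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.1.20", "Status": SUCCESS},
    {"EventID": 4768, "TargetUserName": "beth", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.1.30", "Status": SUCCESS},
    {"EventID": 4624, "TargetUserName": "beth", "LogonType": "9",
     "LogonProcessName": "seclogo", "WorkstationName": "WKS07"},
    {"EventID": 4624, "TargetUserName": "beth", "LogonType": "2",
     "LogonProcessName": "User32", "WorkstationName": "WKS07"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Against the sample log this yields one AS-REP roasting finding, one hash-injection logon and one Kerberoasting finding for the requester that pulled three distinct RC4 service tickets; the AES ticket, the krbtgt request and the normal logons are not reported.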
that's what I'm saying there're wayte to offis like like and if you come see me afterwards I'll show you using tools like Ms build you actually build it into another executable and those um those tools won't be able to pick it up there's a number of ways we can do that to actually obate now from a persistence perspective we've got things like a DC sync attack and what that is is when your machines are doing replication they're setting stuff between each other thank you so much they're setting things between each other um so again very much like the pre-authentication you have to have things turned on for DC sync attack to work um and it's typically those two
settings we replicate directory changes replicate directory changes all they have to be set now typically where I see this since system in accounts where a system is administrator makes a change to schema and wants to replicate it wants to force it need those settings to do it so when you've got a large organization and they make changes they don't want to wait the time it takes to replicate it they want to force it so that's typically where I've seen that setting mid turn on and it's typically set on domain or domain ad mids and administrators so that they can force replication right so it does it does happen right um and then basically what you do
is again you run Mimikatz, you probably can't see that, but you're basically able to intercept those hashes as they're syncing between the domain controllers. And what that allows you to do is it allows you to do things like a golden ticket attack. So a golden ticket attack is another attack against Kerberos. What you need to do this is you need a couple things: you need the domain, which we can get, you need the SID, you have a user found in that domain, it's easy to get, what you need to get is the hash from the krbtgt, that's the account that actually is created when you create your domain, it's what basically runs your Kerberos
ticketing service. You need that hash, and that's the hash that you pull from that DCSync attack, you do a DCSync for the krbtgt account, you get the hash. Once you have all those pieces, okay, what you're able to do is you're actually able to use that ticket that you can create. So in this case I have a user called Beth, again you can see Beth, I did a whoami /groups, she's not a domain admin, see, she's not in there. I tried to access the domain controller using the C$ share, she had no access to that, so she's a regular user, right. Well what I do is with Mimikatz I
do a Kerberos golden ticket, I put the domain in, I put the SID, okay, I put the hash, I put RID 500 for administrator, I put a fictitious user, I created a user, okay, and what the Kerberos service is going to do is it's going to dump a ticket called ticket.kirbi, okay. Now that ticket, you save it to a file, okay, once that ticket is saved to a file you attach it to your user and then you basically have all the access that is associated with that ticket, and that's like large access, right. Now the great thing about it is the typical ticket lifetime when you create it through something like Mimikatz
is 10 years. So that golden ticket I've created myself, that I've assigned to my user, basically gives me privileges for 10 years no matter what. So again these are ways of persisting access, these are ways of gaining initial access, these are persistence mechanisms. So my attacker has access to the network, I want to keep that network access even if they remove him from groups, I could do that through a golden ticket account. AdminSDHolder attack is another interesting one. The AdminSDHolder, that is a container in Active Directory that's used to populate new groups that are created, so it's a template that has all the permissions
for protected users and groups, so groups like your domain admins, your enterprise admins, your reppel admins, all those, when I create new groups that's basically what they're assigned. So if your access is removed from one of those groups, basically when I re-add it, it propagates all of those settings back. So for example I've got my account here, Chambers there, and basically what happens is every 60 minutes, even if somebody deletes the account, it's going to rewrite all those rights back over to my Doug Chambers account, because it's set up in the template to force that to happen every 60 minutes. Again, it's a persistence mechanism, right. I had to get
Doug the access to be able to do the bad things, but I want to keep it there from a persistence perspective. I mentioned earlier the ntds.dit file, that is the file that contains (thank you) that's the file that contains all the password information in the Active Directory. So this is another way of actually extracting that. Who's familiar with vssadmin here? Shadow copies, right. So basically what you can do with this, this is really interesting, you can actually do a shadow copy of the C drive and basically extract. The problem is the ntds.dit file is
in use, you can't touch it, copy it out or modify it, it's in use by Active Directory as long as the machine's running. So by doing a shadow copy I take a copy of that file and I can actually extract the ntds.dit file out of the shadow copy, see at the bottom there, I'm copying it out of the shadow copy, I'm copying it to a directory in C. I also need a couple other bits of information, I do things like the SYSTEM registry hive and so on and so forth, then from there I do a repair to the file because it was in use, and I can actually start cracking out the ntds.dit file, see the extraction
there. I think we're almost out of time, I'll go through this a little bit. There's things you can do, obviously enable SMB signing on all your devices, if you do SMB signing you never have to worry about pass the hash anymore, that's a done deal. Disable SMBv1 and v2 if you can, but at least go to v2, there's a lot of vulnerabilities, I mean if you guys remember WannaCry, it was all perpetrated through SMB. Disable LLMNR and NBT-NS, they're garbage protocols, they serve nothing, turn them off so you have no fallback errors, right. There are a number of things you can do and I'm not going to go through this
because I'm almost out of time, but I've got all the
the, so your pre-authentication attack, there's a couple things to look for: unusual TGT requests, and again there are use cases, and if anybody's interested I can give you those, that you can build into your SIEM, basically look for those things. If you're running something like Sysmon, even Event Viewer will give you some of this information. Ticket encryption downgrades, so if you're looking at the events you're going to see this thing called ticket encryption type, it's a hex, it's 0x17, 0x21, so basically what you're looking for is they should always say 0x12, that means you're using strong encryption. If somebody's lowering the encryption of those
tickets then you know there's something not right happening, so looking for a lower level of encryption. Abnormal number of unique accounts authenticating from a single endpoint, so why are there 50 accounts trying to authenticate for one laptop? These are all things that are out of the ordinary. Enable Kerberos pre-authentication, so make sure that that pre-authentication thing is not checked off, there are ways to find that out, there are ways to audit the machine to look for that. Active Directory, enforce strong passwords for accounts, enforce the use of strong encryption, so again the supported encryption types attribute to 0x18, those are all ways to avoid the
possibility of pre-authentication impact. Kerberoasting, there is a setting you can set called Kerberos armoring in Windows 2012 and further, it is a GPO setting, it actually shows up as Kerberos client support for claims, compound authentication and Kerberos armoring. Turn that on, it will help you, it protects the channel between the client and the key distribution server, eliminating use of insecure protocols. So again that's your encryption piece, and adopting it, those are all things that will help you to protect against Kerberos attacks. DCSync, there are ways to monitor traffic if you are doing deep packet inspection, looking for traffic which comes from DRSUAPI RPC
requests, which are usually, and specifically looking for this operation, yes, GetNCChanges, these are normally indications that something's happening. From an event log perspective, looking for event 4662, which is audit directory service access, and when you see this event, looking for when a user exercises a Replicating Directory Changes, so you're looking for users that should not be forcing directory replication, that could possibly be an attack. I mean obviously don't turn replication on, don't give them that right if they really shouldn't have it, and obviously use it (Chris is giving me minutes, okay, friends, I know him, I know him). Golden ticket: analyze tickets for SID manipulation, usernames that don't
exist in Active Directory. When I showed you the golden ticket, the last thing I put in there was like a fictitious username, I just need to have something in there, look for usernames like, they'll be stupid, it'll be like "I've been pwned" or "I've hacked you", stuff like that that should make sense, right. Modified group memberships, usernames and RID mismatches, lower than normal encryption, and ticket lifetimes, they should not be more than 10 hours, 8 to 10 hours is typically the ticket duration. If you see 10 years, 10 years is Mimikatz, that's the default in Mimikatz, so if you see a ticket that lasts 10 years it's a Mimikatz
ticket, right, and there are events at the bottom there. Minimize elevated privileges and change the password for the krbtgt account on a regular schedule. Any questions? There's a lot, and like I said you guys get the slides, there's a lot of meat in the slides that you can use, like specific event IDs to look for and things like that, and obviously if anybody wants to ask any questions after this, I'm a consultant but I'm not sales-driven, so I probably do myself a very bad injustice by answering a lot of questions and not like signing people up for business, we just don't do that. So feel free, that's why I don't put any of my work stuff here, reach out
to me, if you want to hire me great, if you don't want to hire me I'll still answer your questions.
So, with relief now, let's go, it's [Applause] time, thank you. I just don't know, to do better, have snacks or something, we need it right now, thank you.
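As an added illustration of the detection guidance at the end of the talk (not the speaker's code or slides): a toy pass over constructed event records that flags the indicators mentioned, namely RC4 ticket encryption types (0x17/0x21 where 0x12 is expected), ticket lifetimes beyond the normal 8-10 hours, usernames that do not exist in the directory, event 4662 replication exercised by an account that is not a domain controller, and an abnormal number of accounts authenticating from one endpoint. The field names, thresholds, the allowed-replicator list and the sample records are all assumptions constructed for the example.

```python
"""Toy detection pass for the Kerberos / AD indicators named in the talk.
Added example, not the speaker's code; field names, thresholds and the
allowed-replicator list are assumptions, and the event records are constructed."""
from collections import defaultdict

STRONG_ETYPES = {0x12}                     # AES256; 0x17 and 0x21 are RC4 (downgrade)
MAX_TICKET_LIFETIME_H = 10                 # normal TGT life is 8-10 h; Mimikatz default is 10 years
MAX_ACCOUNTS_PER_HOST = 20                 # assumed threshold: "50 accounts for one laptop" is abnormal
REPLICATION_ALLOWED = {"DC01$", "DC02$"}   # assumed: only DC computer accounts should replicate
REPL_PROPERTY = "Replicating Directory Changes"  # 4662 property exercised during DCSync


def detect(events, known_users):
    """Return a sorted list of (rule, account_or_count, source_ip) findings."""
    findings = set()
    per_host = defaultdict(set)
    for ev in events:
        eid, user, ip = ev["id"], ev["user"], ev["ip"]
        if eid in (4768, 4769):            # TGT / service-ticket requests
            per_host[ip].add(user)
            if ev.get("etype") not in STRONG_ETYPES:
                findings.add(("ticket_encryption_downgrade", user, ip))
            if ev.get("lifetime_h", 0) > MAX_TICKET_LIFETIME_H:
                findings.add(("excessive_ticket_lifetime", user, ip))
            if user not in known_users:
                findings.add(("unknown_username", user, ip))
        elif eid == 4662 and REPL_PROPERTY in ev.get("property", ""):
            if user not in REPLICATION_ALLOWED:
                findings.add(("replication_by_non_dc", user, ip))
    for ip, users in per_host.items():
        if len(users) > MAX_ACCOUNTS_PER_HOST:
            findings.add(("many_accounts_one_host", f"{len(users)} accounts", ip))
    return sorted(findings)


# Constructed sample records (not real logs), loosely shaped like 4768/4769/4662 fields.
KNOWN_USERS = {"beth", "svc_sql", "doug.chambers"} | {f"user{i}" for i in range(25)}
SAMPLE_EVENTS = [
    {"id": 4768, "user": "beth", "ip": "10.0.0.5", "etype": 0x12},
    {"id": 4768, "user": "svc_sql", "ip": "10.0.0.9", "etype": 0x17},
    {"id": 4769, "user": "ihackedyou", "ip": "10.0.0.9", "etype": 0x17, "lifetime_h": 87600},
    {"id": 4662, "user": "doug.chambers", "ip": "10.0.0.9", "property": REPL_PROPERTY + " All"},
    {"id": 4662, "user": "DC02$", "ip": "10.0.0.2", "property": REPL_PROPERTY + " All"},
] + [{"id": 4768, "user": f"user{i}", "ip": "10.0.0.77", "etype": 0x12} for i in range(25)]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, KNOWN_USERS):
        print(*finding)
```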