
there it is okay
All right, we ready? Okay. All right, good evening everyone, thank you for coming out to my talk, called Domain Persistence: Detection, Triage and Recovery. I am Joshua Prager. I am the service principal for our defensive services at SpecterOps; been with SpecterOps for five and a half years. I got my start as a humble help desk technician in the United States Navy, enlisted, worked my way up for seven years until I left as a Navy red team member. I'm one of those active duty personnel who left in a uniform and walked right back in in a suit and tie. I did that for a little while, then eventually I just did a
complete change of career, and instead of going red team I went blue team after I left the Navy completely. I went threat hunting and detection engineering. I worked with in-game systems, Accenture Federal Services, woo for those of y'all that are in here, part of that, and eventually I found my way to SpecterOps, and I've been there for about half a decade now. All right, this talk was also made with Nico Shine; he is also a prior Navy guy, we didn't do that on purpose, we're just friends, but we built this talk together. However, he lives all the way out in Alexandria, Virginia; he couldn't make it
out here to San Antonio, so I will be giving the talk solo. Right, okay. So the purpose of this presentation was because I did a compromise assessment for a client that was severely compromised. We had identified evidence of credential dumping on the domain controllers, we found proof of compromised certificate authorities; it was like, you know that "keep calm, burn down the whole forest" kind of meme, that's basically the scenario. And in this compromise report the client was like, hey, what do I do? And I'm like, whoa, this is really bad, I don't even know where to start. So I kind of made this presentation as a form, at
least a boilerplate starting point, for the community out there, because when I was trying to find resources and recommendations for this client I really couldn't find much other than very high-level Microsoft documentation that was a little bit unrealistic. Okay, so starting off, we want to make sure that we can detect certain techniques. From there we want to make sure that we are understanding the different caveats and evasion operational guidance, so if you are a penetration tester or an adversary simulation person, this is also going to pertain to you as well. We'll talk about those operational caveats, that operational flow of these different techniques, and then how to remediate if we see any of these techniques in our
environment. Okay, all right. So domain persistence doesn't equal some MITRE ATT&CK technique ID; there's not a domain persistence thing out there. I think there's one where it talks about domain account persistence, but that's not really the same thing. All right, what we're talking about specifically is anywhere elevated access to the environment is maintained in such a way that it's very difficult to root out the adversary. Okay, the UnitedHealth Group attack recently: in that letter that is public that the FTC sent to the Biden Administration, like the very first complaint was UHG got ransomware, and what they did was start from scratch. That's what you're supposed to do. Most companies,
most organizations, don't have the money and the resources to start from scratch. We're going to talk a little bit about what happens when you don't have the money and the resources to start from scratch. Okay, all right. So we're going to talk about credential theft on the domain controller, we're going to talk about NTDS access, DCSync, golden ticket, diamond ticket, ADCS certificate attacks, and SCCM or Configuration Manager site takeover. Okay, all right. So starting off with credential theft on a domain controller. A lot of red teamers, even a lot of defenders who've been trained by red teamers, we tend to get this bias, right, that the adversary is either going to start from a low-privileged
phished user, or they're going to start with, like, a rogue access point or rogue device in the environment; they're essentially going to be constrained in their operation, and they have to go through this narrative and attack path to eventually find their way to domain admin, where they can do credential dumping to gain things like the krbtgt TGT to get the golden ticket, things like that. The truth is a lot of actual criminal adversaries are just doing spray-and-pray methods across entire industry verticals. There's, you know, 2019-whatever SharePoint vulnerability for all forward-facing SharePoint, and they just spray this attack at the entire industry vertical, and if you happen to
work for government, federal, whatever, you get hit with this, right? They get that access. Let's consider it for a second: if we're talking about a vulnerable web server that's forward-facing, okay, what is the service that operates most of our forward-facing web servers? Usually we're talking about things like the IIS worker service. What happens when an adversary abuses a vulnerable service? What access do they gain immediately? SYSTEM, right, because all services execute under the context of SYSTEM. So a lot of these real attack paths don't start with a low-privileged user working their way up to domain admin; a lot of them start with: they got SYSTEM access on a web server, they dumped credentials
on that web server, and they literally used those credentials to laterally move to a domain controller. A two-step process. Two-step process: they're immediately at elevated permissions on the domain controller, where they can dump credentials. Okay, some operational caveats when it comes to domain controller credential dumping. Ideally, operationally, it's the same. The caveat actually is that on a domain controller Credential Guard is not usually turned on. In fact, Microsoft actually recommends against turning on Credential Guard, because if you turn on Credential Guard on a domain controller in your average environment, that inhibits the use of Kerberos, that inhibits the use of NTLM; you broke your whole domain. Okay, so
in most situations you can't turn on Credential Guard. That means if an adversary is able to get local admin access on the domain controller, at that point there's really nothing stopping them from doing credential dumping. The good news is that if an adversary does credential dumping on the domain controller, usually it's any interactive domain admin accounts they'd be targeting; they can't actually get things like the krbtgt from credential dumping on the domain controller. And the reason for that is that the krbtgt, it's a service account, but it's not like an interactive account in that context. You can't just dump the domain controller with Mimikatz and see the krbtgt; you'd have to use something like DCSync, okay,
which we'll talk about here in a second. From a detection perspective, right, we have process creation events we can use as telemetry, we have "a process requested a handle" with event ID 4656, or we can set a SACL as well for 4663. We can also use Sysmon event ID 10. Most of the event IDs I'm going to use are going to be Windows native event IDs or Sysmon, and in this one context, in this one slide, I promise, it has Defender for Endpoint ReadProcessMemory telemetry; you're not going to have that in every scenario though. At the very top you might be wondering yourself, we're talking about credential dumping, usually
we're talking about process access, why do you have process creation up there? In that case we're talking about process snapshotting, so it's a way to evade that process access telemetry: I can create a snapshot of the LSASS process, so you'll see LSASS with a child process of LSASS. Super suspicious. Okay, so moving on into ntds.dit access. All right, the Active Directory Users and Computers database lives in a file called ntds.dit on the domain controller. As an adversary you can abuse the Volume Shadow Copy Service to go and create a snapshot, a shadow copy, of the domain controller itself, which then allows you to go after
the ntds.dit file, because normally ntds.dit is a hard-locked file, or deadlocked file; you'll produce an error code, like a kernel error code, if you try to manipulate it while Active Directory Users and Computers is using it, which of course it's always using it in a pretty much constant AD domain, right. We can set a SACL on the ntds.dit file. By default there isn't like an ntds.dit SACL that's just immediately turned on; there are some default SACLs, and that's not one of them. So you would have to go in there, you'd have to modify that to be Read File Attributes, Read File Extended Attributes, and Read File Data. That way, when that Volume Shadow snapshot
service is started and it does do that read of the C drive for the domain controller, it will catch that ntds.dit file being accessed. We can also use the Volume Shadow Copy Service starting itself. If you have a recurring scheduled task or recurring persistent job on your domain controller to do Volume Shadow Copy Service, and all of a sudden you're seeing one execute at an abnormal time of day or just completely out of the blue, that would be a dead giveaway that something suspicious is going on. Okay, all right. So moving into DCSync. DCSync is super well known; there is a ton of event IDs out there for it, well, not an
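The three credential-access signals described above (a handle to lsass.exe from Sysmon event ID 10, a 4663 read of ntds.dit once the SACL is in place, and lsass.exe spawning lsass.exe for process snapshotting) as one triage routine. This is an added example, not code from the talk or from SpecterOps; the allow-lists of expected processes, the host name DC01 and every log record are constructed assumptions, though the field names follow the Sysmon and Windows Security event schemas.

```python
"""
Added example (not from the talk or SpecterOps): the three credential-access
checks described above, run over constructed log records.

  * Sysmon Event ID 10: a process requested a handle to lsass.exe
  * Security 4663 (needs the SACL on ntds.dit described above): a process
    read ntds.dit, including a copy exposed through a shadow copy device path
  * Sysmon Event ID 1: lsass.exe spawned by lsass.exe (process snapshotting)

Field names follow the Sysmon / Windows Security event schemas, but every
record below is hand-constructed sample data, not an export from a real host.
"""
from dataclasses import dataclass

# Allow-lists are assumptions for the example; tune them per environment.
EXPECTED_LSASS_ACCESSORS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}
EXPECTED_NTDS_ACCESSORS = {r"c:\windows\system32\lsass.exe"}


@dataclass
class Finding:
    technique: str
    host: str
    actor: str
    detail: str


def _is(path: str, exe: str) -> bool:
    """Case-insensitive match on the file name at the end of a path."""
    return path.lower().endswith("\\" + exe)


def check_lsass_handle(ev: dict):
    """Sysmon 10: flag handle requests to lsass.exe from unexpected images."""
    if _is(ev["TargetImage"], "lsass.exe") and \
            ev["SourceImage"].lower() not in EXPECTED_LSASS_ACCESSORS:
        return Finding("lsass handle", ev["Computer"], ev["SourceImage"],
                       "GrantedAccess=" + ev["GrantedAccess"])
    return None


def check_ntds_read(ev: dict):
    """4663: only lsass.exe should open the live ntds.dit; the suffix match
    also catches the file under a \\Device\\HarddiskVolumeShadowCopyN path."""
    if _is(ev["ObjectName"], "ntds.dit") and \
            ev["ProcessName"].lower() not in EXPECTED_NTDS_ACCESSORS:
        return Finding("ntds.dit access", ev["Computer"], ev["ProcessName"],
                       "AccessMask=" + ev["AccessMask"])
    return None


def check_lsass_snapshot(ev: dict):
    """Sysmon 1: lsass.exe as the parent of lsass.exe is the snapshot pattern
    that process-access telemetry alone would miss."""
    if _is(ev["ParentImage"], "lsass.exe") and _is(ev["Image"], "lsass.exe"):
        return Finding("lsass snapshot", ev["Computer"], ev["ParentImage"],
                       "child ProcessId=" + str(ev["ProcessId"]))
    return None


DISPATCH = {10: check_lsass_handle, 4663: check_ntds_read, 1: check_lsass_snapshot}


def triage(events):
    """Return a Finding for every record whose event ID has a check and trips it."""
    findings = []
    for ev in events:
        check = DISPATCH.get(ev["EventID"])
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (DC01 is a fictitious domain controller).
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "DC01", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "Computer": "DC01", "SourceImage": r"C:\Temp\unknown.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 4663, "Computer": "DC01", "ProcessName": r"C:\Windows\System32\lsass.exe",
     "ObjectName": r"C:\Windows\NTDS\ntds.dit", "AccessMask": "0x1"},
    {"EventID": 4663, "Computer": "DC01", "ProcessName": r"C:\Windows\System32\cmd.exe",
     "ObjectName": r"\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit",
     "AccessMask": "0x1"},
    {"EventID": 1, "Computer": "DC01", "ParentImage": r"C:\Windows\System32\wininit.exe",
     "Image": r"C:\Windows\System32\lsass.exe", "ProcessId": 712},
    {"EventID": 1, "Computer": "DC01", "ParentImage": r"C:\Windows\System32\lsass.exe",
     "Image": r"C:\Windows\System32\lsass.exe", "ProcessId": 4120},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.host}: {f.actor} ({f.detail})")
```

The ntds.dit check matches on the file name suffix rather than the full path on purpose: a read through a shadow copy surfaces with a `\Device\HarddiskVolumeShadowCopyN\...` object name, and that is exactly the access the SACL is meant to catch.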
event ID, there's a ton of detection blog posts and stuff like that for it. The idea here is that we're using the RPC method GetNCChanges to request a copy of any changes to the domain controller. It's really a critical attack path for a lot of red teams, because it allows us to, in a simulated way, grab a very high-profile service account such as the krbtgt account, whose NTLM hash is used to sign every Kerberos ticket in the environment, so it's often abused from that case. A long time ago red teams would try to go after
ntds.dit, or they would try some other method of getting the krbtgt account, but it was kind of a gray ethical area there because, ideally, according to defensive guidance, if the ntds.dit file is copied or taken in any way, the DPAPI master key is also copied, and that's kind of an unchangeable thing, which we'll talk about here in a little bit. There are some caveats to DCSync I want to talk about real quick; I don't really pull it out here in these slides. Okay, so if you are on client one and you commit a DCSync to domain controller one, that will go over the wire; it'll be
like network traffic, right, and we'll see those GetNCChanges requests over DCE/RPC telemetry. Okay, and if you're not super familiar with this, too long didn't read: there's network logs that will tell you when someone's doing DCSync. There are a lot of vendor tools like StealthINTERCEPT, I can't think of some other ones, but there are these vendor tools who are looking for that traffic. Palo Alto firewalls, they'll look for that traffic and they'll be like, hey, DCSync alert. If I'm a red teamer, if I'm on your domain controller and I have privileged access to your domain controller, if I'm on the domain controller that I want to DCSync,
I will just target itself. It will not go over the external interface, it will go over the local loopback, and I promise you most vendor tools are not looking at the local loopback. Okay, so keep that in mind. All right, so moving on to golden ticket. So the way golden ticket works is essentially an adversary is going to request a TGT, or they're going to request a TGS; they're going to take that TGS, they're going to try to get the krbtgt hash from it, or they're going to do something like DCSync, and they're going to get that NTLM hash of the krbtgt account. The krbtgt account is
a service account whose sole purpose is to validate, authenticate and sign all TGTs, all ticket-granting tickets, throughout your entire Kerberos environment. When this account is abused, that's called a golden ticket attack, and it allows an adversary to sign their own TGTs. Remember, this is the account that is used for authenticating everything, right? So if I am the account that authenticates everything, I'm authenticating to myself, and there's nothing stopping me from accessing any resource in my environment, right? So it's a very, very dangerous attack path. Unfortunately there's not a whole lot of telemetry for it; there's not a whole lot of defensive guidance for it. Defender for Endpoint does have a
couple of, like, "suspicious use of golden ticket" alerts; they also have a pass-the-ticket alert as well. Unfortunately you don't really get good insight into what the logic behind those alerts is; they don't reveal that. And a lot of them are really based on Kerberoasting the krbtgt account. For example, the suspicious, I think it's like "suspicious use of golden ticket", is actually looking for RC4-HMAC requests for the krbtgt service account, so it's not quite what it appears; it's a bit difficult to figure out. There are some caveats to it, though. We can look for anywhere a 4769 was requested but there's not a
corresponding 4768. I have worked with some clients who have developed a custom in-house version of this alert; kind of works, kind of not, but it gets a bit tricky. Also, you can monitor group membership. If you have users where you've done a good job of kind of segregating group membership, and all of a sudden you're seeing users with an event ID 4627; if you see in that 4627, for a user that belongs to a group that does not contain things like the domain admin SIDs, things like that, that's obviously super suspicious. But you'd be surprised: a lot of clients have not actually generated a detection,
like a custom detection, that'll monitor group membership changes like that. But if you do a good job of making sure your users are in the correct groups, and alert upon any deviation of that group usage, that 4627 event ID is actually really, really important for detecting, like, someone taking a golden ticket and essentially attributing it to a user that shouldn't have those permissions. Okay, all right. This is just kind of a quick attack map of how everything works. So normally they're trying to go over here and they will try to, excuse me, they will try to DCSync; if they have domain admin credentials they'll get the
NTLM hash of the krbtgt account. After that, they're going to attribute that NTLM hash, they're going to forge a TGT for that NTLM hash of the krbtgt account, they're going to apply it to a user that they've compromised, or they will make a new user with their elevated credentials, and then that's how they're going to propagate through your environment. Okay, all right. Diamond ticket. This is as deep as we're going into, like, the Pokemon name varieties of the ticket attacks. All right, with diamond ticket we're essentially doing the same thing as a golden ticket; the only difference is we are going to modify
the PAC. I'm trying to remember what PAC stands for and I can't remember off the top of my head. Yeah, I don't think we have it on there either. Okay, but essentially within a TGT you have this area of the TGT called the PAC. It contains authentication header information, it contains credential information, it contains essentially the things that would attribute that TGT as belonging to that specific krbtgt account, but adversaries can then go and modify the PAC. Luckily for us as defenders there are some really, really good ways of detecting it. The PAC itself, when you modify it, from even like an adversary perspective, you can't
modify it the same way that Microsoft does. If I remember correctly, they encrypted it a certain way that hasn't been broken yet, and with that particular form of encryption you can essentially copy the PAC or forge the PAC, but you can't actually go in there and modify it to make it look exactly like Microsoft did it within the AD environment. So you can look for that. There is some ticket-based tooling out there that will look for that modification of that PAC, and that came out very suddenly after that diamond ticket attack was revealed. One of the other things is we can detect anomalies with the group
memberships, just like we did for golden ticket. If you're seeing, you know, Josh Prager, who's a lowly user, who has no business with domain admin rights, all of a sudden have a 4627; so if you see that 4627 event ID attributed to Josh Prager, the low user, who all of a sudden has SIDs related to domain admins, that stands out, super suspicious. Okay, all right. Again, this is just kind of going through the attack path here, same kind of process: we're going to use something like DCSync to get the NTLM hash of the krbtgt account password, we're going to use that hash, and
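The forged-ticket heuristics described for golden and diamond tickets above (a 4769 with no corresponding 4768, a 4627 carrying domain-admin SIDs for a user who should not have them, and the RC4-HMAC request for the krbtgt service that the vendor alert keys on), written out as an added example. This is not code from the talk; the admin baseline, the ten-hour pairing window, the domain SID, the user names and all records are constructed assumptions, while the field names follow the Windows Security event schemas.

```python
"""
Added example (not from the talk): the forged-ticket heuristics the speaker
describes, run over constructed Security-log records.

  * 4769 (TGS request) for an account with no successful 4768 (TGT request)
    inside the lookback window: the TGT was never issued by the KDC
  * 4627 (group membership) carrying privileged SIDs for a user outside the
    admin baseline: a golden or diamond ticket attributed to a low user
  * 4769 for the krbtgt service with RC4-HMAC (0x17), the shape the speaker
    says the vendor "golden ticket" alert actually looks for

Times are plain epoch seconds; SIDs, users and the baseline are made up.
"""
import re

PRIVILEGED_WELL_KNOWN = {"S-1-5-32-544"}        # BUILTIN\Administrators
PRIVILEGED_DOMAIN_RIDS = {"512", "519"}         # Domain Admins, Enterprise Admins
ADMIN_BASELINE = {"da_alice"}                   # assumed approved admin accounts
SID_RE = re.compile(r"S-1-[0-9]+(?:-[0-9]+)+")


def is_privileged_sid(sid: str) -> bool:
    """True for the builtin Administrators SID or a domain SID with an admin RID."""
    if sid in PRIVILEGED_WELL_KNOWN:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in PRIVILEGED_DOMAIN_RIDS


def _user(name: str) -> str:
    """4769 writes user@REALM; 4768 and 4627 write the bare name."""
    return name.split("@", 1)[0].lower()


def tgs_without_tgt(events, window_s=10 * 3600):
    """Pair each 4769 with the most recent successful 4768 for the same user.
    The default window is the usual 10-hour TGT lifetime (an assumption)."""
    last_tgt = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["EventID"] == 4768 and ev.get("Status") == "0x0":
            last_tgt[_user(ev["TargetUserName"])] = ev["time"]
        elif ev["EventID"] == 4769:
            user = _user(ev["TargetUserName"])
            seen = last_tgt.get(user)
            if seen is None or ev["time"] - seen > window_s:
                hits.append((user, ev["ServiceName"]))
    return hits


def privileged_logons_outside_baseline(events):
    """4627: privileged SIDs in the token of a user who is not a known admin."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4627:
            continue
        user = _user(ev["TargetUserName"])
        privileged = [s for s in SID_RE.findall(ev["GroupMembership"]) if is_privileged_sid(s)]
        if privileged and user not in ADMIN_BASELINE:
            hits.append((user, privileged))
    return hits


def rc4_krbtgt_requests(events):
    """4769 for the krbtgt service with TicketEncryptionType 0x17 (RC4-HMAC)."""
    return [_user(ev["TargetUserName"]) for ev in events
            if ev["EventID"] == 4769 and ev["ServiceName"].lower() == "krbtgt"
            and ev["TicketEncryptionType"] == "0x17"]


DOMAIN = "S-1-5-21-111-222-333"   # constructed domain SID prefix
# GroupMembership is rendered the way the 4627 XML carries it: %{SID} per line.
SAMPLE_EVENTS = [
    {"EventID": 4768, "time": 100, "TargetUserName": "bob", "Status": "0x0"},
    {"EventID": 4769, "time": 200, "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "cifs/fs01", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "time": 300, "TargetUserName": "jprager@CORP.LOCAL",
     "ServiceName": "cifs/dc01", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "time": 400, "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
    {"EventID": 4627, "time": 500, "TargetUserName": "bob",
     "GroupMembership": f"%{{{DOMAIN}-513}}\r\n\t\t%{{S-1-1-0}}"},
    {"EventID": 4627, "time": 600, "TargetUserName": "jprager",
     "GroupMembership": f"%{{{DOMAIN}-513}}\r\n\t\t%{{{DOMAIN}-512}}\r\n\t\t%{{S-1-5-32-544}}"},
    {"EventID": 4627, "time": 700, "TargetUserName": "da_alice",
     "GroupMembership": f"%{{{DOMAIN}-512}}"},
]

if __name__ == "__main__":
    print("TGS without TGT:", tgs_without_tgt(SAMPLE_EVENTS))
    print("privileged logons outside baseline:", privileged_logons_outside_baseline(SAMPLE_EVENTS))
    print("RC4 krbtgt requests:", rc4_krbtgt_requests(SAMPLE_EVENTS))
```

The 4627 check is the one the speaker calls out as most valuable, and it is only as good as the baseline: the `ADMIN_BASELINE` set stands in for the group-membership hygiene he describes, so a user who is legitimately in Domain Admins is not flagged while `jprager` is.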
we're going to decrypt the ticket, modify the PAC, and then we are going to apply that to a user by re-encrypting it and creating that diamond ticket, which allows us to propagate. All right, so let's get in quickly to ADCS. All right, doing pretty good on time, so I'll slow down just a little bit. So for ADCS, Active Directory Certificate Services abuse, okay, typically these are aimed at abusing the certificate authority. Now Will Schroeder and Lee Christensen are co-workers of mine over at SpecterOps; they came out with their Certified Pre-Owned white paper that was designed to list out all the different attack paths for ADCS. A lot of folks
have read the attack path portion; a lot of folks haven't read the detection portion yet. There's a lot of really good defensive guidance in that paper. For just about every attack path scenario they list like two to three different pieces of defensive guidance, which are either preventative controls or detective controls, which defenders can then use to prevent these ADCS attack paths from being abused. The one that I'm going to talk about here is really just focused on kind of like local admin access to a certificate authority or a, what's it called, a certificate authority or the, trying to remember what they're called, like the sub certificate authorities. I don't think I
have it in here though. Subordinate, there you go, the subordinate certificate authorities. Okay, so if an adversary is able to gain local admin access to a certificate authority or a subordinate certificate authority, which honestly isn't that hard a lot of times. What we found doing a lot of our red teaming is that CAs and subordinate CAs, they're usually not, okay, for example, a domain controller: normally the only one who can laterally move to a domain controller would be a domain admin, right? And that's pretty typical in almost every environment; in fact, I think nowadays you have to go and reconfigure your AD environment to make that an attack path available, because by
default only domain admins can do that lateral movement. It's not the same when it comes to certificate authorities. A lot of times we'll see that power users are allowed to laterally move to certificate authorities. That opens up a whole new depth of users that we can abuse and compromise to gain access to a certificate authority or a subordinate CA. Okay, once we have access to those subordinate CAs or the certificate authority, once we can gain local admin access on them, we can enumerate the private keys of the certificate authority, we can obtain a decrypted DPAPI master key, and then with that we can decrypt the certificate authority private keys. Once we have the private
keys we can then begin forging certificates, laterally moving throughout the environment. Okay, one of the things that we can do to kind of prevent this from happening in the first place, when it comes to our certificate authorities that contain our private keys: we need to offline our certificate authorities. The amount of times I have been in discussions with clients and I say, do you have an online certificate authority, and they say yes, and I'm like, you know, you should probably offline that, and they go, well, we can't because of excuse, excuse, excuse. It's a very, very dangerous attack vector. I'm going to go over remediation here in just a little bit; that's kind of why I'm rushing a little
bit. But when I go into remediation you're going to be like, okay, I got to rotate this, I got to rotate that, cool; when we get to the certificate authority portion of the remediation, that is 99% of the hardest part of the effort. Okay, it takes a lot to recover from certificate authority abuse. All right, so keep that in mind. We can set SACLs on our private keys. Setting those SACLs will allow us to identify any suspicious processes accessing the private key on there, in a situation where our private key is not being stored on a CA that's offlined. Okay, so it's kind of like the remediation
and defensive guidance I can give for folks who do have those caveats and reasons they can't offline their CA. Additionally, that Certified Pre-Owned white paper, like I talked about, contains a lot of these event IDs that I have listed up here. We can look for things like 5058, that will display an operation on a key file; we can look for any time an account, a user, opened a key file; we can look for any time a user exported a key file. Essentially there's a ton of event IDs and telemetry that a lot of users, or a lot of clients, are not ingesting that contain all the necessary information to let you
know, hey, someone's stealing our keys, like to the whole kingdom. It's kind of a bad thing. All right, so keep that in mind. Like I said, if you haven't read that Certified Pre-Owned white paper, I highly recommend you go through, at least look at the defensive guidance, and definitely bolster your defensive capacity. All right, so this last technique that I'm going to talk about is SCCM site takeover or Configuration Manager takeover. I am a principal over here at SpecterOps, so it has been a while since I've been able to do any kind of like really cool red teaming, but I did jump into a red team
pretty recently where we did SCCM or Configuration Manager site takeover, and this was a really fun one because the client was, we frequently do red teams for this client, and, you know, at the beginning of the op they were telling the assessment lead, they were like, hey, it's really, really cool, we added all these new defensive products in here, we're not going to tell you what they are but we're feeling pretty confident about it, you know, give it your best shot. And so we were like, all right, we'll do our best. And so we went into this and we got site
takeover for SCCM within five hours. The assessment lead kicked off the internal assessment with a bang, and the PO, the client, they were very upset, and he literally said, I'm not upset at you, but I am very upset. So Configuration Manager is a super big attack path that, when leveraged, essentially the red team or the criminal actors can gain administrative control over your entire environment, because you need administrative control to manage your entire environment, which is the whole reason we have SCCM or Configuration Manager, right? And abusing those privileges is significantly easier than you realize, especially if you've never
looked into Configuration Manager abuse before. Before I jump into this, there is a project by Duane Michael and Chris Thompson, and then I did the defensive detection guidance in there; I need to go back through and add some more in there. But this project is called Misconfiguration Manager, and its whole purpose is to enumerate all these different attack paths, and we published it, and Windows even went in and made some new change that remediated the very first attack path, so good on Windows, good on Microsoft, for listening and making that change. All right, so let's talk about how easy this is to do. Okay,
I'm going to talk about coercion and relay. Show of hands, who has heard of coercion and relay attacks recently? Right, it's been making a lot of cybersecurity news lately. It's significantly easier to do than, from a defensive perspective, you would realize. Okay, from a coercion perspective, I can have access to, let's just say, client A; I compromised client A as a red teamer, okay. The SCCM site server, I enumerated it, I know it exists, I know exactly what its IP address is. I can coerce, I can say, hey, give me your NTLM authentication; I can coerce that NTLM authentication, it's going to give me that NTLM authentication
to my compromised host, and then I'm going to set up what's called a relay, and that relay is going to catch that authentication and pass it on to target two, or client two. Okay, essentially, if I commit this attack from an SCCM or Configuration Manager site server, I am authenticating to client two as SCCM, because I'm just simply passing the creds along, and now I have control as SCCM over client or target two. Okay, so that's like super bad, right? Everything that Configuration Manager does, it does so in the capacity of local administrator access, right? So essentially, by coercing and relaying credentials from the SCCM site server, I
am giving myself local admin access on whatever target machine I want. Ideally I'm going to target something like a SQL database, I'm going to give myself access to like RBAC admins, and then from there I'm going to gain full administrative control over the domain environment. Okay, five hours tops, in a massive, like 60k-endpoint environment, you can do this, and it's crazy how easy it is. When I saw our assessment lead do it, I was like, oh my God, I gotta like write a blog about this, or tell somebody, this is super bad. All right, luckily there are some ways that we can detect it as defenders. Okay, so typically there's only two locations you'll ever
see that SCCM machine account logging in. Okay, it's going to log in to itself, or it's going to log in to the domain controller; you're going to see an event ID 4624 successful logon event for the SCCM site server machine account. All right, if at any point you see the SCCM site server account logging into something other than itself or the domain controller, that is highly suspicious and probably an indicator of coercion and relay. If you look at that picture right there, we have a logon type 3 with 4624; the username is the SCCM site server and it's logging into server 2, not the SCCM server. Okay, all right. And this is just kind of
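The 4624 check just described (the site server machine account with a type 3 logon anywhere other than itself or a domain controller) as an added example, not code from the talk or from the Misconfiguration Manager project. The account name SCCM01$, the host names, the site server IP and all records are constructed assumptions; the extra severity split on source IP (a logon whose source is not the site server is the relay shape, since the credentials arrived from the compromised host) is this example's own addition.

```python
"""
Added example (not from the talk or Misconfiguration Manager): the 4624 check
for the SCCM site server machine account, over constructed Security-log records.

A successful network logon (LogonType 3) by the site server's machine account
is expected only on the site server itself and on domain controllers. Anything
else is flagged; if the logon's source IP is not the site server, the
credentials arrived from some other host, which is the coerce-and-relay shape.
Hostnames, the account and the addresses are assumptions for the example.
"""
SITE_SERVER_ACCOUNT = "SCCM01$"
SITE_SERVER_HOSTS = {"sccm01.corp.local"}
SITE_SERVER_IPS = {"10.0.0.10"}
DOMAIN_CONTROLLERS = {"dc01.corp.local", "dc02.corp.local"}


def classify_site_server_logon(ev: dict):
    """Return None for an expected logon, else a (severity, reason) pair."""
    if ev["EventID"] != 4624:
        return None
    if ev["TargetUserName"].upper() != SITE_SERVER_ACCOUNT:
        return None
    if ev["LogonType"] != 3:
        return None                 # service/interactive logons on itself are normal
    dest = ev["Computer"].lower()
    if dest in SITE_SERVER_HOSTS or dest in DOMAIN_CONTROLLERS:
        return None
    if ev["IpAddress"] not in SITE_SERVER_IPS:
        return ("high", f"site server account on {dest} from non-site-server IP {ev['IpAddress']}")
    return ("medium", f"site server account on {dest} from the site server itself")


def suspicious_site_server_logons(events):
    """Collect (host, severity, reason) for every flagged record."""
    out = []
    for ev in events:
        verdict = classify_site_server_logon(ev)
        if verdict:
            out.append((ev["Computer"].lower(), verdict[0], verdict[1]))
    return out


# Constructed sample records.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01.corp.local", "TargetUserName": "SCCM01$",
     "LogonType": 3, "IpAddress": "10.0.0.10"},                 # expected: DC
    {"EventID": 4624, "Computer": "SCCM01.corp.local", "TargetUserName": "SCCM01$",
     "LogonType": 5, "IpAddress": "-"},                         # expected: itself
    {"EventID": 4624, "Computer": "SERVER2.corp.local", "TargetUserName": "SCCM01$",
     "LogonType": 3, "IpAddress": "10.0.0.50"},                 # relay shape
    {"EventID": 4624, "Computer": "SERVER3.corp.local", "TargetUserName": "SCCM01$",
     "LogonType": 3, "IpAddress": "10.0.0.10"},                 # still not itself/DC
    {"EventID": 4624, "Computer": "SERVER2.corp.local", "TargetUserName": "jdoe",
     "LogonType": 3, "IpAddress": "10.0.0.50"},                 # other account
    {"EventID": 4625, "Computer": "SERVER2.corp.local", "TargetUserName": "SCCM01$",
     "LogonType": 3, "IpAddress": "10.0.0.50"},                 # failed logon, not 4624
]

if __name__ == "__main__":
    for host, severity, reason in suspicious_site_server_logons(SAMPLE_EVENTS):
        print(f"{severity.upper():6} {host}: {reason}")
```

The two allow-lists are the whole detection: if the site server's own host and the domain controllers are listed accurately, every other destination is a deviation from the only two logon locations the speaker says are legitimate.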
reiterating what I said. From an enumeration perspective, if you want to protect yourself from an adversary trying to enumerate what your SCCM site servers are, you can set SACLs on the Active Directory System Management container in Active Directory, and that's going to set a SACL on there to let you know of any, like, suspicious process or account that is enumerating your SCCM site server accounts, because that's where, when you establish SCCM and set it up in your environment, that's the part of Active Directory it gets tossed into. Okay, all right. So we got remediation; we're cutting it close, we got a little bit of time left. All right, okay. So I talked about a lot of
different techniques out there, right, gave you some offensive caveats, some defensive caveats, gave you detection guidance. Like I said, please don't try to, like, absorb and take notes as fast as I talked; it's not going to work out. Just like I said, go to GitHub, SpecterOps, and look up domain persistence or whatever, and you can get all these event IDs and all these data models. Those data models I showed you with those event IDs, that's exactly what I give to clients; you're seeing my day-to-day job. Okay, so when I originally made this, I made this as a blog series, and my manager was like, hey, it'd be really cool if you did
remediation guidance for each technique, right? And I was like, that would be cool. Unfortunately, if I see any of these techniques I'm going to want to still go down the same path, so it doesn't matter; it's the same steps if we see any of these techniques. All right, you know, barring, you know, you de-conflicted and found out it was a red team: if this is a real compromise event and you saw any of those detections fire, this is like, oh no, burn down the forest, what do I do? This is what you do. Okay, now this is going to be high level; everybody's domain is different, everybody's environment is different, and
now we got hybrid everywhere. There are a ton of caveats, there are a ton of, like, gotchas; you got to come up with your own scenarios. But what I find, by doing a lot of program development, a lot of defensive program development with clients, is that even though they know they should do this, and even though they know they should have these plans, they don't always go and test these plans, or most of the time they don't even have these plans. Okay, so this is that encouragement to, like, make sure we have an "oh no, burn down the forest" scenario plan. Okay, all right. So what we're going to talk about is determining
the scope, replacing or re-provisioning domain controllers, rotating accounts and object secrets, rotating certificates, and then enabling additional auditing, right. So after that domain compromise scenario with that client, I went to all my other clients that I do defensive program dev with, and I said, hey, let me see your runbooks for when you get compromised. I want to say, like, only one of them was actually able to produce a runbook, and then I asked them when the last time they tested it was, and they were like, never, because it's too expensive to test it, or we don't have the expertise, or we would actually just call someone to do it for us. Most of
my clients, and most clients, period, most companies, period, they don't have the resources to really test and validate these things. A lot of them will do tabletops, a lot of them will do, like, simulated exercises. But what I find is clients who go and purchase red team vendors and they say, hey, I want you to red team us, I want you to really act like a real criminal adversary, black-box testing, I'm not going to tell my blue team, I'm not going to tell my defensive team about it, and I want you to try to get administrative control of my environment. We'll do it, right, and then they'll catch us, they'll
deconflict us, and then what they'll say is, all right, let them keep having access though, like, don't remediate them, don't evict them, right? We paid for this, we paid a lot of money for this red team, we don't want to limit the scope of what they're available to do. As SpecterOps we actually encourage clients to try to remediate us, we encourage clients to try to evict us, because we're pretty confident we can get around that. Like, we automate as much of our attack infrastructure as possible, so like, we know we're never going to have the same IOC hash twice, we're never going to have any of the same IOCs twice. We're pretty
good at getting around defenders, so if you do find us, we encourage you to try to evict us. Test out those runbooks, test out those remediation procedures, because you don't want to be in this compromised situation and be like, I thought it worked, but it doesn't. Okay, all right. So we're going to get to kind of like how to scope this. We're going to start, normally, with the things that we know, which were the alerts that were on the systems, and then of those systems we're going to see which of these were tier zero assets. This is another piece: we have to know what our tier zero assets are in our environment.
From there we're going to consider the potentially affected systems. This is a really important one. I talked about a hybrid environment; most organizations nowadays are hybrid environments. If you are an Active Directory on-prem environment but you just use M365, guess what, you're still a hybrid environment whether you realize it or not. So when we're talking about hybrid environments, we also have to consider the scope of highly privileged Entra ID or Azure AD (whatever they want to call themselves today) accounts, because if it is highly privileged on Azure, it's also highly privileged within Active Directory most of the time as well.
All right, so when we're talking about on-prem specifically, we need to take a look at replacing or re-provisioning our domain controllers. You can take an already existing server that you know was not part of that scope, not part of that compromise, and you can simply elevate it to a domain controller. I say simply; that's kind of an overstatement. Or we can re-provision a completely new domain controller. There are some reasons behind this. There is the Data Protection API, or DPAPI, master key; there's a domain-specific one that every user's data is encrypted with. Now, we had some researchers at SpecterOps figure out a way to actually rotate the domain DPAPI backup key even though Microsoft says there's no way to rotate it. It's not really that there's no way to rotate it; there's just not a really safe way to do it. If something gets borked, you accidentally just ransomware your entire domain, so no one's actually going to go through with trying to rotate this. But it can be rotated. According to Microsoft, though, there is no way to rotate the domain DPAPI master key, so if you don't start from scratch... remember I talked about that UnitedHealth Group compromise: they got ransomwared and they said we had to start from scratch. People were complaining about that in that FTC letter; however, that is probably the most secure, the best risk decision they could have made, because had they not started from scratch they would have had to accept the risk that the domain DPAPI master key is compromised no matter what, and there's no way to rotate that. And if the adversary was able to steal a copy of the ntds.dit, or they were able to compromise the domain DPAPI master key in some way, there's no way to get that back, there's no way to change that. You can go through all these remediation steps I'm about to give you and it won't matter if the adversary still has that key, because they can decrypt all that data anyways.

But if you can't afford to start from scratch, and I would say 99.9% of the world cannot afford to start from scratch, we're going to go through these steps instead. So here's how we replace our domain controllers. Like I said, we don't have the time to go through all of these; I only got like 10 minutes left. But the important part of this that I want you to keep in mind is, when you're going through this and you're making runbooks based off this boilerplate, you have to have checks. That's what these are: dcdiag, repadmin. These are the checks. You have to make sure that replication has successfully occurred across your whole domain before you make these changes, and as you make these changes incrementally, if something occurs where you made a change, you didn't validate that replication occurred in your domain, and then you made that second change, you could completely lock yourself out of your entire domain environment. Clients have done it. So we've got to be really, really careful about this. Luckily, Microsoft does have a robust tool dedicated to remediation and domain rotation, and there are checks already built in there that will go and make sure that repadmin is being executed successfully.

All right, so then we've got to get to our user accounts. We need to rotate our user accounts. We're going to start with the user accounts that were identified within the domain compromise. Any tier zero admin accounts that we identified, we're going to immediately rotate as soon as possible; the SLA on that bad boy is like five minutes, we've got to get those immediately rotated. Or, if we can, it's even better if we can disable them and then re-provision new domain admin accounts or tier zero accounts.
That way, if we see signs of abuse of those disabled accounts, we know the adversary is still out there. And then we have to make sure that we identify and disable all the accounts that would have any interactive sessions on a tier zero host.

Now, when we get to service accounts, service accounts are a little bit more tricky. I haven't met a client yet that doesn't have at least two or three different service accounts out there that are temperamental or legacy, and the entire domain rests on the shoulders of these service accounts built in like the 1990s, and if you turn it off, all of production in the corporation just falls short. So I highly recommend that before any defensive team goes and starts trying to rotate service accounts, they pair with security engineering. Security engineering usually has pretty good oversight of what accounts need to exist and where they need to exist. There are some accounts that will not be able to be rotated; there are some service accounts that have weak passwords that cannot be rotated, and we'll have to consider each one of these caveats as we go, but we need to make sure we document what each of those caveats are. This is just talking about collaborating with security engineering.

Probably the most important one is rotating the krbtgt account. Every time I talk about this there's always someone from the back who's like, yeah, rotate the krbtgt twice. It's a little bit more tricky than that. We do have to consider replication all throughout the environment, just like we did for re-provisioning domain controllers. So when we rotate that krbtgt account, we have to rotate it twice because it does contain a historical password of what was previously set. But we change it, we make sure the domain replicates it, we change it again, we make sure it replicates.

Machine accounts are pretty tricky. There is the reset computer machine account; it will take the machine off the domain and you have to rejoin it. Keep in mind, though, it will not remediate coercion and relay. There is a hotfix for NTLM relay that came out a couple years ago that will remediate NTLM relay; rotating the machine account password won't.

And then we get to trust objects. In an Active Directory forest with multiple domains, there's a shared secret password that converts and encrypts this key called the inter-realm trust key. If an adversary abuses that, essentially you have to consider both the domain that the compromise was identified in and any joined domains compromised as well. There is some funky forward and backward inter-realm trust key rotation that has to occur to make sure that that trust key can't be reused in the future.

And then we get to certificate authorities. So certificate authorities, if you have a root CA: it's summed up in two little boxes on a single slide; however, I promise this is the bulk of your effort in a remediation, because you have to go to every endpoint and you have to update the endpoint with the latest certificate revocation list, and you have to make sure that it accepted the latest certificate revocation list change. You have to make a whole new root CA, you have to push the new root CA public certificate to each endpoint, then you have to go and offline it. It's a real pain.

All right, and so, summarizing everything just in the nick of time, we get to additional auditing. I always get asked this question, and I did get asked this question with that compromise event: what event IDs should we turn on so we make sure this doesn't happen again? And that's not really the answer. I'm not going to give you a laundry list of log providers out there and be like, yeah, ingest all these bad boys, because I don't even know if you can afford the resources to do that, and the ingestion rates might blow your SIEM out of the water and you'd never see any of these attack IDs. So instead I say start with use cases. Identify the use cases that you need for your environment. I gave you a laundry list of attack techniques that, if you identify any of these in your environment, it's immediate bad. So take these techniques, let these be your starter use cases. Of the telemetry that you do or do not have in your environment, make sure it pairs up with some of these attack techniques, come up with new use cases, begin detection engineering development if you're not already doing so in your environment, and turn on the necessary telemetry for those use cases. Don't just turn on a laundry list of auditing and hope for the best, because that particular client that got compromised, they had all the auditing in the world too, and they didn't see any of this.

All right, so in conclusion. Many organizations do not have custom detections, but we need to make sure that they do, and if they are going to have detections, definitely have detections for those real critical attack techniques that I just showed you. And then recovery: the recovery process is very time-consuming and it's very money-consuming, and I promise you nobody has a budget for it. We need to be planning now, we need to be doing tabletops, we need to be doing exercises, and when you hire a red team and your blue team is going to execute against that red team, you need to make sure that the blue team is practicing their remediation, their eviction, and their triage procedures, and not just, oh, we detected them, so that's good enough. If you don't know your remediation procedures work, you're going to be in a world of hurt if your organization is actually compromised.

Here's where you can follow if you want to find the original slides. I definitely highly recommend you download the original slides and use them. I always have a couple slide decks that I use over and over when I go do consulting for clients, so I highly recommend you try to get some of those. And I think that's it, just a little bit short. Any questions? I've got like five or six minutes for questions.

What's up? With ADCS, if you use a hardware module, does that mitigate some of the situation, like with a TPM module or something like that? Or like a USB-based HSM that does the actual signing?

Okay, I'm not going to lie, maybe. I don't know; I'd have to look into it. I haven't looked into that yet. I don't remember the white paper talking about it though. Did you see that in the white paper? No? Okay, I haven't; I don't remember seeing that in the white paper, but maybe. It might be a good idea to look into it. Any other questions? Yeah, I'll be super honest: if I don't know something, I'm going to just say, I don't know, I've got to look it up.
...NTLM auth and gets passed to the target. Is that on the compromised... do they get local admin to do that, to pass that NTLM auth to the target?

Yeah, usually you need some kind of elevated permission on that host.

On the original compromised host?

Yes, not the one you're coercing.

All you need is local admin to pass that NTLM on?

Yeah. I'm not even sure you need local admin, because you're just coercing an authentication. I don't think you... you're just abusing the EFS method, if I remember correctly. It's a way that Windows natively will secure encryption for folders within Windows, and so you're using that EFS method to coerce the NTLM authentication, and there are multiple coercion methods as well, not just NTLM. And there's a whole bunch of different relay modules set up to just grab it and toss it to wherever you want, so you can just pass it right through. There's a whole bunch of hotfixes and a whole bunch of ways to stop coercion and relay from being successful, and those were good. The whole "oh my God" behind Configuration Manager abuse is that, because SCCM does everything as local admin, if I am successful at coercing that authentication, I can essentially pass it to whatever target I want and be a local admin acting in the capacity of SCCM.

Wow. Thank you.

Yeah. Look up Misconfiguration Manager; I wrote like two or three different detection methods in there. I plan to go back in there and finish them out, but look up Misconfiguration Manager. There are like seven or maybe eight different attack paths that Chris Thompson and Duane Michael wrote up that are aimed at, here's how red teamers can go about doing this, here's how adversaries can do it as well.

What's up? How often do you find that ADCS abuse is involved?

How often do I see ADCS abuse? About one of every three clients. We actually have clients that just contract us to show up and be like, can you find out if I have this attack path, and we're like, sure. So we have a whole attack path management service that's dedicated to automatically and programmatically enumerating those types of attack paths, so it'll go through all of them, and we throw little parties every time we add a new ADCS attack path to the laundry list that we've got going so far, and to our BloodHound product. Any other questions?

Okay, I know that was a lot of information, and I'm sorry. Like I said, this is an hour-long talk; I tried to truncate it as much as possible. Take the slides, use them, look at those event IDs. That way you have it any time someone's talking about DCSync or someone's talking about, hey, do you know if you can detect a golden ticket? It's like, eh, let me go look at this talk I looked up one time, and look at that data model. Use those data models on your own defenses. If you already have a detection engineering team or a threat hunting team, compare their use cases and their runbooks for detection of those attack techniques to the ones I gave you. Not every event ID I gave you will be operationally useful; some of them are just kind of a nice-to-have, but it contains a lot of context that you'll need to put the whole picture together. All right, thanks everybody.
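The "change it, make sure it replicates, change it again" discipline the talk applies to krbtgt (and to DC changes generally), as an added PowerShell example that is not from the talk or its slides: it resets krbtgt on the PDC emulator, forces and verifies that every DC reports the same pwdLastSet, and only then issues the second reset. It assumes the ActiveDirectory RSAT module, Domain Admin rights and a trusted admin host; the function names are the example's own, and RODC-specific krbtgt accounts are out of scope.

```powershell
# Added example (not from the talk): krbtgt double rotation with a replication check between resets.
# Assumes the ActiveDirectory RSAT module, Domain Admin rights, and a trusted admin host.
Import-Module ActiveDirectory
function Get-KrbtgtPwdLastSet {
    # Map of DC hostname -> pwdLastSet for krbtgt, as each DC currently sees it.
    param([string]$Domain)
    $seen = @{}
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $u = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet
        $seen[$dc.HostName] = $u.pwdLastSet
    }
    return $seen
}
function Test-KrbtgtReplicated {
    # True only when every DC reports the same pwdLastSet, i.e. the reset has converged.
    param([string]$Domain)
    $seen = Get-KrbtgtPwdLastSet -Domain $Domain
    return (@($seen.Values | Sort-Object -Unique).Count -eq 1)
}
function Invoke-KrbtgtReset {
    # Reset krbtgt on the PDC emulator with a random value (only the change matters),
    # then push that single object to every other DC instead of waiting on the schedule.
    param([string]$Domain, [string]$Pdc)
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString -AsPlainText -Force ([Convert]::ToBase64String($bytes))
    Set-ADAccountPassword -Identity krbtgt -Server $Pdc -Reset -NewPassword $pw
    $dn = (Get-ADUser -Identity krbtgt -Server $Pdc).DistinguishedName
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        if ($dc.HostName -ne $Pdc) {
            Sync-ADObject -Object $dn -Source $Pdc -Destination $dc.HostName
        }
    }
}
function Wait-KrbtgtReplication {
    # Block until convergence; on timeout, stop rather than issue the second reset blind.
    param([string]$Domain, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while (-not (Test-KrbtgtReplicated -Domain $Domain)) {
        if ((Get-Date) -gt $deadline) {
            throw "krbtgt pwdLastSet has not converged on all DCs; do not reset again. Check repadmin /replsummary."
        }
        Start-Sleep -Seconds 60
    }
}
$domain = (Get-ADDomain).DNSRoot
$pdc    = (Get-ADDomain).PDCEmulator
Invoke-KrbtgtReset -Domain $domain -Pdc $pdc
Wait-KrbtgtReplication -Domain $domain
# The second reset is what invalidates tickets minted under the old key. In a planned (non-eviction)
# rotation, also wait at least the maximum TGT lifetime (10 hours by default) before this step.
Invoke-KrbtgtReset -Domain $domain -Pdc $pdc
Wait-KrbtgtReplication -Domain $domain
```

An unreachable DC makes Get-ADUser throw, which halts the script before the second reset; that is the intended fail-closed behaviour, since the convergence check cannot be trusted with a DC missing.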