- Active Directory
- Attacking AD 101
- AD Technologies
- Attacking AD/Specific Techniques
- Securing & Hardening Active Directory - ToDo
- Active Directory Technologies(and how to abuse them)
- AD Certificate Services
- ADFS
- AdminSD
- AutoDiscover
- DACLs
- DNS
- Domain Trusts
- Fax & Printer
- Forests
- Groups
- Group Managed Service Accounts(GMSA)
- Group Policy
- IPv6
- Kerberos
- KMS
- LDAP
- Local Admin Password Solution
- Lync
- MachineAccountQuota
- MS-SAMR
- MS-SQL
- NTLM
- Organizational Units
- Read-Only Domain Controllers
- Red Forest
- Security Identifiers (SIDs)
- Service Principal Names
- System Center Configuration Manager(SCCM)
- Volume Shadow Copy
- WSUS
- MS Exchange
- Attacking AD/Specific Techniques
- Attack Paths
- BloodHound
- Abusing ACEs & ACLs - FIX
- Across Trusts and Domains - FIX
- Certificate Services
- Coerced Authentication
- Credential Attacks
- DCShadow
- DCSync
- NetSync
- Defense Evasion
- Discovery/Reconnaissance
- FreeIPA (Attacking)
- Forest Attacks
- Group Managed Services (Attacking)
- Group Membership Abuse
- Internal Monologue Attack
- Lateral Movement
- Machine Account Quota (Attacking/Using)
- MSCACHE
- NTLM
- Attacking OUs
- Pass-the-
- Persistence
- Printers & Faxes (Attacking)
- Privilege Escalation - FIX
- RDP (Attacking)
- Volume Shadow Service
- Sharepoint
- Skeleton Key
- SQL Server (Attacking)
- Trusts (Attacking)
- WSUS
- Kerberos-Based Attacks
- AD Vulnerabilities(CVEs)
- Looking for Azure? Check the Cloud page
- 101
- What is Active Directory Domain Services and how does it work?
- The Most Common Active Directory Security Issues and What You Can Do to Fix Them - Sean Metcalf
- What is Active Directory Red Forest Design? - social.technet.ms
- Presentations by Sean Metcalf(ADSecurity.org)
- Top 16 Active Directory Vulnerabilities - InfosecMatter(2020)
- Service overview and network port requirements for Windows - docs.ms
- Paid Courses
- Cheat-Sheets
- Active Directory Cheat Sheet
- Domain Demolition with Frank Castle and Powershell.
- Active Directory Exploitation Cheat Sheet - buftas
- A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
- Orange Cyberdefense mindmaps
- Active Directory Cheat Sheet
- Articles/Blogposts/Writeups
- Beyond Domain Admins – Domain Controller & AD Administration - ADSecurity.org
- This post provides information on how Active Directory is typically administered and the associated roles & rights.
- Setting up Samba as a Domain Member
- DS Restore Mode Password Maintenance - techcommunity.microsoft(2009)
- Talks/Videos
- Beyond the MCSE: Active Directory for the Security Professional - Sean Metcalf(BHUSA 2016)
- Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities. This means that both Red and Blue teams need to have a better understanding of Active Directory, its security, how it's attacked, and how best to align defenses. This presentation covers key Active Directory components which are critical for security professionals to know in order to defend AD. Properly securing the enterprise means identifying and leveraging appropriate defensive technologies. The provided information is immediately useful and actionable in order to help organizations better secure their enterprise resources against attackers. Highlighted are areas attackers go after including some recently patched vulnerabilities and the exploited weaknesses. This includes the critical Kerberos vulnerability (MS14-068), Group Policy Man-in-the-Middle (MS15-011 & MS15-014) and how they take advantage of AD communication.
- Attacking101
- Articles/Blogposts/Writeups
- Active Directory Security Workshop: A Red and Blue Guide to Popular AD Attacks - @_theViVi(AfricaHackon2019)
- Active Directory Kill Chain Attack & Defense - infosecn1nja
- This document was designed to be a useful, informational asset for those looking to understand the specific tactics, techniques, and procedures (TTPs) attackers are leveraging to compromise Active Directory, with guidance on mitigation, detection, and prevention, and to understand the Active Directory kill chain attack and modern post-exploitation adversary tradecraft activity.
- Penetration Testing Active Directory, Part I - Hausec
- Active Directory Attacks - PayloadsAllTheThings
- Pen Testing Active Directory Series - Andy Green
- Active Directory Fundamentals (Part 1)- Basic Concepts - Scarred Monk(2021)
- Talks/Videos
- Abusing Active Directory in Post-Exploitation - Carlos Perez(Derbycon4)
- Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By reverse engineering (and abusing) some of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks using previously unknown persistent and injection techniques. In this talk, we’ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks. To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.
- Red vs Blue: Modern Active Directory Attacks & Defense - Sean Metcalf(Defcon23)
- Kerberos “Golden Tickets” were unveiled by Alva “Skip” Duckwall & Benjamin Delpy in 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can’t be detected, right? This talk explores the latest Active Directory attack vectors and describes how Golden Ticket usage can be detected. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage. Skip the fluff and dive right into the technical detail describing the latest methods for gaining and maintaining administrative access in Active Directory, including some sneaky AD persistence methods. Also covered are traditional security measures that work (and ones that don’t) as well as the mitigation strategies that disrupts the attacker’s preferred game-plan. Prepare to go beyond “Pass-the-Hash” and down the rabbit hole.
- Red Vs. Blue: Modern Active Directory Attacks, Detection, And Protection - Sean Metcalf(BHUSA15)
- Kerberos "Golden Tickets" were unveiled by Alva "Skip" Duckwall & Benjamin Delpy in 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right? The news is filled with reports of breached companies and government agencies with little detail on the attack vectors and mitigation. This briefing discusses in detail the latest attack methods for gaining and maintaining administrative access in Active Directory. Also covered are traditional defensive security measures that work (and ones that don't) as well as the mitigation strategies that can keep your company's name off the front page. Prepare to go beyond "Pass-the-Hash" and down the rabbit hole. This talk explores the latest Active Directory attack vectors and describes how Golden Ticket usage can be detected. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!
- Beyond the MCSE: Red Teaming Active Directory - Sean Metcalf(Defcon24)
- Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn't know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk. Let's go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics.
- Offensive Active Directory with Powershell - harmj0y(Troopers2016)
- Hacking without Domain Admin - Tim Medin, Mike Saunders(2019)
- Tim and Mike will show you tools and techniques to find vulnerabilities and demonstrate risk, without using Domain Administrator (DA) access. DA access is the goal for many penetration tests and red teams, but it is misguided. DA is a tool, not a destination. Sometimes, a penetration tester or red team will be unable to obtain this access, but it does not mean that the test is without value.
- Demystifying Common Active Directory Attacks - Venkatraman K(BSides Delhi2020)
- Slides
- #ActiveDirectory is used by more than 90% of Fortune 1000 companies; the all-pervasive #AD is the focal point for adversaries. This paper demonstrates the common attack scenarios in an Active Directory environment that can be witnessed in an #Infrastructure Assessment. Some of the attacks are walked through with #wireshark, to understand the packet flow. The presentation begins with the basics of #Kerberos Authentication, such as the Key Distribution Center, Ticket Granting Ticket, Ticket Granting Service, etc., and their role in the authentication flow. The presentation gives insights into Active Directory attacks including: AS-REP Roasting attack; Kerberoasting attack; Kerberos Golden Ticket attack; Kerberos Silver Ticket attack; DCSync attack; DCShadow attack
- Active Directory Attributes & Technologies
- Active Directory Service Interfaces
- 101
- Articles/Blogposts/Writeups
- Use the PowerShell [adsiSearcher] Type Accelerator to Search Active Directory - ScriptingGuy(2010)
- Managing Active Directory objects with ADSI Edit - Huy Kha(2020)
- Tools, Techniques, and Grimmie?: Experimenting w/ Offensive ADSI - Grimmie(2021)
- Search Active Directory using ADSISearcher Filters - Alkane Solutions(2021)
- Talks/Videos
- Tools
- AdsiPS
- PowerShell module to interact with Active Directory using ADSI and the System.DirectoryServices namespace (.NET Framework).
- AD Permissions/Rights
- 101
- Extended Rights Reference - docs.ms
- This page lists all the extended rights available for delegation in Active Directory. These rights have been categorized according to the object (such as the user account object) that the right applies to; each listing includes the extended right name, a brief description, and the object GUID required when writing a script to delegate that right.
- Account Logon History
- Get All AD Users Logon History with their Logged on Computers (with IPs)& OUs
- This script lists AD users' logon information along with the computers they logged on to, by inspecting the Kerberos TGT request events (EventID 4768) from domain controllers. Not only the user account name is fetched: the user's OU path and the computer accounts are retrieved as well. You can also list the history of last logged-on users. In environments where Exchange servers are used, the Exchange servers' authentication requests for users will also be logged, since Exchange also generates EventID 4768 for TGT requests. You can also export the result to CSV file format. PowerShell version 3.0 is needed to use the script.
- AD Certificate Services
- Articles/Blogposts/Writeups
- Tools
- Detection
- Invoke-Leghorn
- Standalone powershell script to detect potential PKI abuse
- PSPKIAudit
- PowerShell toolkit for auditing Active Directory Certificate Services (AD CS).
- ADFS
- 101
- Active Directory Federation Services - docs.ms
- This document contains a list of all of the documentation areas for AD FS for Windows Server 2016, 2012 R2, and 2012.
- Active Directory Federation Services - Wikipedia
- What is ADFS (Active Directory Federation Services)? - Serverfault.com(2017)
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Attacking ADFS Endpoints with PowerShell - Karl Fosaaen(Derbycon 2016)
- Active Directory Federation Services (ADFS) has become increasingly popular in the last few years. As a penetration tester, I'm seeing organizations opening themselves up to attacks on ADFS endpoints across the Internet. Manually completing attacks against these endpoints can be tedious. The current native Microsoft management tools are handy, but what if we weaponized them. During this talk, I will show you how to identify domains that support ADFS, confirm email addresses for users of the domain, and help you guess passwords for those users. We'll cover how you can set up your own hosted ADFS domain (on the cheap), and use it to attack other federated domains. On top of that, we'll show you how you can wrap all of the native functionality with PowerShell to automate your attacks. This talk should give penetration testers an overview on how they can start leveraging ADFS endpoints during a penetration test.
- AdminSDHolder
- 101
- Articles/Blogposts/Writeups
- ATA/ATP
- AutoDiscover
- Autodiscover for Exchange - docs.ms
- All your emails belong to us: exploiting vulnerable email clients via domain name collision - Ilya Nesterov, Maxim Goncharov(BlackHatAsia2017)
- The Autodiscover HTTP Service Protocol provides a way for Autodiscover clients to find Autodiscover servers. This protocol extends the Domain Name System (DNS) and directory services to make the location and settings of mail servers available to clients. In this paper, we take a closer look at the Autodiscover protocol and identify its threat model. We analyse Autodiscover client implementations in two mobile built-in email clients to discover flaws which allow remote attackers to collect user credentials through domain name collision. We discover how many clients have vulnerable implementations by collecting and analysing HTTP request information received by our servers, registered with specially crafted domain names. We make our analysis based on data we collect from 25 different domains. Our dataset contains information on about 11,720,559 requests and we observe 9,726,028 requests containing authentication information. We identify 2473 different email clients which use vulnerable Autodiscover client implementations. Finally we propose different mitigation techniques for users, enterprises, and application developers to improve their email clients.
- Autodiscovering the Great Leak - Amit Serper(2021)
- (Discretionary)Access Control Lists
- 101
- Articles/Blogposts/Writeups
- Abusing Active Directory ACLs/ACEs - ired.team
- An ACE Up the Sleeve: Designing Active Directory DACL Backdoors
- Shadow Admins – The Stealthy Accounts That You Should Fear The Most
- Viewing Service ACLs - rohnspowershellblog(2013)
- Modifying Service ACLs - rohnspowershellblog(2014)
- In my last post, I showed an early version of a function to get the Discretionary Access Control List (DACL) of a Windows service. In this post, I’m going to show a newer version of that function, along with a function to change the DACL, and a helper function to create Access Control Entries (ACEs). The source code is quite a bit longer, so I’m not going to walk through each bit of code. What I will do is give a brief overview of each of the three functions, along with some examples of how to use them. I’ll also mention where I plan to take the functions in the future. I’ll include the source code of the functions as they currently stand at the end of the post. Included in the source code is comment based help for each of the three functions.
- The Unintended Risks of Trusting Active Directory - harmj0y
- Exploiting Weak Active Directory Permissions With Powersploit - Jeff Warren(2017)
- BloodHound 1.3 – The ACL Attack Path Update
- Scanning for Active Directory Privileges & Privileged Accounts - Sean Metcalf(2017)
- Active Directory Access Control List – Attacks and Defense
- Escalating privileges with ACLs in Active Directory - Rindert Kramer and Dirk-jan Mollema(2018)
- During internal penetration tests, it happens quite often that we manage to obtain Domain Administrative access within a few hours. Contributing to this are insufficient system hardening and the use of insecure Active Directory defaults. In such scenarios publicly available tools help in finding and exploiting these issues and often result in obtaining domain administrative privileges. This blogpost describes a scenario where our standard attack methods did not work and where we had to dig deeper in order to gain high privileges in the domain. We describe more advanced privilege escalation attacks using Access Control Lists and introduce a new tool called Invoke-Aclpwn and an extension to ntlmrelayx that automate the steps for this advanced attack.
- AD Privilege Escalation Exploit: The Overlooked ACL - David Rowe
- ACE to RCE - Justin Perdok(2020)
- "tl;dr: In this writeup I am going to describe how to abuse a GenericWrite ACE misconfiguration in Active Directory to run arbitrary executables."
- How to Exploit Active Directory ACL Attack Paths Through LDAP Relaying Attacks - Adam Crosser(2021)
- Talks & Presentations
- aclpwn - Active Directory ACL exploitation with BloodHound
- Here Be Dragons: The Unexplored Land of Active Directory ACLs - Andy Robbins & Will Schroeder & Rohan Vazarkar(Derbycon2017)
- During internal penetration tests and red team assessments, Active Directory remains a key arena for gaining initial access, performing lateral movement, escalating rights, and accessing/exfiltrating sensitive data. Over the years, a completely untapped landscape has existed just below the surface in the form of Active Directory object control relationships. Organizational staff come and go, applications deploy and alter Access Control Entries (ACEs), eventually creating an entire ecosystem of policy exceptions and forgotten privileges. Historically, Access Control Lists (ACLs) have been notoriously difficult and frustrating to analyze both defensively and offensively, something we hope to change. In this talk, we will clearly define the Active Directory ACL attack taxonomy, demonstrate analysis using BloodHound, and explain how to abuse misconfigured ACEs with several new PowerView cmdlets. We will cover real world examples of ACL-only attack paths we have identified on real assessments, discuss opsec considerations associated with these attacks, and provide statistics regarding the immense number of attack paths that open up once you introduce object control relations in the BloodHound attack graph (spoiler alert: it's a LOT). We hope you will leave this talk inspired and ready to add ACL-based attacks to your arsenal, and to defensively audit ACLs at scale in your AD domain.
- Tools
- Invoke-ACLpwn
- Invoke-ACLpwn is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafely configured.
- Windows DACL Enum Project
- A collection of tools to enumerate and analyse Windows DACLs
- DAMP - The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.
- This project contains several files that implement host-based security descriptor "backdoors" that facilitate the abuse of various remotely accessible services for arbitrary trustees/security principals. tl;dr - this grants users/groups (local, domain, or 'well-known' like 'Everyone') of an attacker's choosing the ability to perform specific administrative actions on a modified host without needing membership in the local administrators group. Note: to implement these backdoors, you need the right to change the security descriptor information for the targeted service, which in stock configurations nearly always means membership in the local administrators group.
- AD ACL Scanner
- Repo for ADACLScan.ps1 - Your number one script for ACLs in Active Directory
- Adalanche: Active Directory ACL Visualizer and Explorer
- Adalanche gives instant results, showing you what permissions users and groups have in an Active Directory. It is useful for visualizing and exploring who can take over accounts, machines or the entire domain, and can be used to find and show misconfigurations.
- Aced
- Aced is a tool to parse and resolve a single targeted Active Directory principal's DACL. Aced will identify interesting inbound access allowed privileges against the targeted account, resolve the SIDS of the inbound permissions, and present that data to the operator. Additionally, the logging features of pyldapsearch have been integrated with Aced to log the targeted principal's LDAP attributes locally which can then be parsed by pyldapsearch's companion tool BOFHound to ingest the collected data into BloodHound.
- DNS
- Articles/Blogposts/Writeups
- AD Zone Transfers as a user - mubix(2013)
- Abusing DNSAdmins privilege for escalation in Active Directory(2017)
- Feature, not bug: DNSAdmin to DC compromise in one line - Shay Ber(2017)
- Abusing DNSAdmins privilege for escalation in Active Directory - Nikhil Mittal(2017)
- From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration - ADSecurity(2018)
- Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS - Kevin Robertson(2018)
- ADIDNS Revisited – WPAD, GQBL, and More - Kevin Robertson(2018)
- Getting in the Zone: dumping Active Directory DNS using adidnsdump - Dirk-jan Mollema(2019)
- Zone transfers are a classical way of performing reconnaissance in networks (or even from the internet). They require an insecurely configured DNS server that allows anonymous users to transfer all records and gather information about hosts in the network. What not many people know however is that if Active Directory integrated DNS is used, any user can query all the DNS records by default. This blog introduces a tool to do this and describes a method to do this even for records normal users don’t have read rights for.
- Compiling a DLL using MingGW - mubix
- Compiling a DLL using MinGW to pull off the DNSAdmins attack
- DNS Peer-to-Peer Command and Control with ADIDNS - Elad Shamir(2020)
- Tools
- DnsCache
- This is a reference example for how to call the Windows API to enumerate cached DNS records in the Windows resolver. Proof of concept or pattern only.
- adidnsdump
- By default any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similar to a zone transfer. This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks.
- Blogpost
- Domain Trusts
- 101
- Articles/Blogposts/Writeups
- Domain Trusts: Why You Should Care
- Trusts You Might Have Missed
- A Guide to Attacking Domain Trusts - harmj0y
- Domain Trusts: We’re Not Done Yet - harmj0y
- The Trustpocalypse - harmj0y
- Subverting Trust in Windows - Matt Graeber
- Trust Direction: An Enabler for Active Directory Enumeration and Trust Exploitation - BOHOPS
- Presentations/Talks/Videos
- Tools
- Fax & Printer Stuff
- Articles/Blogposts/Writeups
- Faxhell
- Faxing Your Way to SYSTEM — Part Two - Yarden Shafir & Alex Ionescu(2020)
- faxhell ("Fax Shell")
- A Bind Shell Using the Fax Service and a DLL Hijack
- LDAP-based https://medium.com/r3d-buck3t/pwning-printers-with-ldap-pass-back-attack-a0d8fa495210
- NetNTLM to Silver Ticket
- PrinterBug
- PrintDemon
- PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more) - Yarden Shafir & Alex Ionescu(2020)
- PrintDemon (CVE-2020-1048)
- PrintDemon is a PoC for a series of issues in the Windows Print Spooler service, as well as potential misuses of the functionality.
- Invoke-PrintDemon
- This is a PowerShell Empire launcher PoC using PrintDemon and Faxhell. The module has the Faxhell DLL already embedded, which leverages CVE-2020-1048 for privilege escalation. The vulnerability allows an unprivileged user to gain system-level privileges and is based on @ionescu007's PoC.
- PrinterNightmare
- Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-1675 - msrc.ms
- Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 - msrc.ms
- Demystifying The PrintNightmare Vulnerability - Shlomo Zarinkhou, Haim Nachmias, Oren Biderman, Doron Vazgiel(2022)
- DeployPrinterNightmare
- C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!
- Talks/Presentations/Videos
- Forests
- 101
- Articles/Blogposts/Writeups
- Presentations/Talks/Videos
- Groups
- 101
- Active Directory Security Groups - docs.ms
- "Learn about default Active Directory security groups, group scope, and group functions."
- Active Directory Security Groups - docs.ms
- This reference topic for the IT professional describes the default Active Directory security groups.
- How-to: Understand the different types of Active Directory group. - SS64
- Articles/Blogposts/Writeups
- Group Managed Service Accounts(GMSA)
- 101
- Articles/Blogposts/Writeups
- Tools
- GMSAPasswordReader
- Reads the password blob from a GMSA account using LDAP, and parses the values into hashes for re-use.
- Group Policy
- 101
- Articles/Blogposts/Writeups
- Abusing GPO Permissions - harmj0y
- Sneaky Active Directory Persistence #17: Group Policy
- A Red Teamer’s Guide to GPOs and OUs
- File templates for GPO Abuse
- GPO Abuse - Part 1
- Local Group Enumeration - harmj0y
- Where My Admins At? (GPO Edition) - harmj0y
- Bypassing Group Policy Proxy Settings Using The Windows Registry - Scriptmonkey
- Local Admin Access and Group Policy Don't Mix - Oddvar Moe(2019)
- Weaponizing Group Policy Objects Access - Jason Lang(2020)
- Bypass Windows 10 User Group Policy (and more) with this One Weird Trick - David Wells(2020)
- Abusing Group Policy Caching - decoder.cloud(2020)
- OUs and GPOs and WMI Filters, Oh My! - RastaMouse(2022)
- Using GPResult Command to Check Applied GPOs and RSoP Data - WindowsOSHub(2021)
- Talks & Presentations
- Get-GPTrashFire - Mike Loss(BSides Canberra2018)
- Identifying and Abusing Vulnerable Configurations in MS AD Group Policy
- Slides
- Tools
- Grouper
- Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.
- Grouper2
- Grouper2 is a tool for pentesters to help find security-related misconfigurations in Active Directory Group Policy. It might also be useful for other people doing other stuff, but it is explicitly NOT meant to be an audit tool. If you want to check your policy configs against some particular standard, you probably want Microsoft's Security and Compliance Toolkit, not Grouper or Grouper2.
- SharpGPO-RemoteAccessPolicies
- A C# tool for enumerating remote access policies through group policy.
- Get-GPTrashFire
- Identifying and Abusing Vulnerable Configurations in MS AD Group Policy
- SharpGPOAbuse
- PowerGPOAbuse
- PowerShell version of SharpGPOAbuse for those who can't compile, or whose C2 can't execute a .NET assembly directly from memory. Highly inspired by the original C# version and the amazing PowerView.
- GetVulnerableGPO
- PowerShell script to find 'vulnerable' security-related GPOs that should be hardened
- Policy Plus
- Local Group Policy Editor plus more, for all Windows editions.
- IPv6
- Kerberos
- 101
- Kerberos (I): How does Kerberos work? – Theory - Eloy Perez
- Kerberos (II): How to attack Kerberos? - Eloy Perez
- In this article about Kerberos, a few attacks against the protocol will be shown. In order to refresh the concepts behind the following attacks, it is recommended to check the first part of this series which covers Kerberos theory.
- Explain like I’m 5: Kerberos - Lynn Roots
- Abusing Microsoft Kerberos: Sorry You Guys Don't Get It - Alva Duckwall, Benjamin Delpy(BHUSA 2015)
- Microsoft Active Directory uses Kerberos to handle authentication requests by default. However, if the domain is compromised, how bad can it really be? With the loss of the right hash, Kerberos can be completely compromised for years after the attacker gained access. Yes, it really is that bad. In this presentation Skip Duckwall, @passingthehash on twitter and Benjamin Delpy, @gentilkiwi on twitter and the author of Mimikatz, will demonstrate just how thoroughly compromised Kerberos can be under real world conditions.
- Kerberos Attacks Questions - social.technet.ms
- Kerberos and Windows Security: Kerberos on Windows - Robert Broeckelman(2018)
- Kerberos and Attacks 101 - Tim Medin(WWHF2019)
- Want to understand how Kerberos works? Would you like to understand modern Kerberos attacks? If so, then join Tim Medin as he walks you through how to attack Kerberos with ticket attacks and Kerberoasting. We'll cover the basics of Kerberos authentication and then show you how the trust model can be exploited for persistence, pivoting, and privilege escalation.
- Kerberos & Attacks 101 - Tim Medin & BHIS(2020)
- Understanding how Kerberos works, but also WHY it works the way it does - ATTL4S(2021)
- Why is Kerberos Terrible? - Steve Syfuhs(2018)
- (Ab)using Kerberos from Linux - Calum Boal(2020)
- This post aims to provide an overview of tooling available to perform common Kerberos abuse techniques from Linux. While this blog will not go into great detail about how the attacks which utilize these techniques work, references will be provided to high-quality blog posts detailing common Kerberos attacks.
- Overviews
- Kerberos & Attacks 101 - Tim Medin(2020)
- Want to understand how Kerberos works? Would you like to understand modern Kerberos attacks? If so, then join Tim Medin as he walks you through how to attack Kerberos with ticket attacks and Kerberoasting. We'll cover the basics of Kerberos authentication and then show you how the trust model can be exploited for persistence, pivoting, and privilege escalation.
- Kerberos Survival Guide - MS Technet
- Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht(2020)
- Articles/Blogposts/Writeups
- How To Attack Kerberos 101 - m0chan
- Kerberos, Active Directory’s Secret Decoder Ring - Sean Metcalf
- Credential cache - MIT Kerberos Documentation
- Kerberos Authentication problems – Service Principal Name (SPN) issues – Part 1 - blogs.technet
- Security Focus: Analysing 'Account is sensitive and cannot be delegated' for Privileged Accounts - Ian Fann(2015)
- Delegating like a boss: Abusing Kerberos Delegation in Active Directory - Kevin Murphy
- I wanted to write a post that could serve as a (relatively) quick reference for how to abuse the various types of Kerberos delegation that you may find in an Active Directory environment during a penetration test or red team engagement.
- Kerberos Tickets on Linux Red Teams - Trevor Haskell(2020)
- Kerberos Double-Hop Workarounds - slayerlabs.com(2020)
- Talks/Presentations/Videos
- Abusing Microsoft Kerberos: Sorry You Guys Don't Get It - Alva Duckwall and Benjamin Delpy(BHUSA 2014)
- "Microsoft Active Directory uses Kerberos to handle authentication requests by default. However, if the domain is compromised, how bad can it really be? With the loss of the right hash, Kerberos can be completely compromised for years after the attacker gained access. Yes, it really is that bad. In this presentation Skip Duckwall, @passingthehash on twitter and Benjamin Delpy, @gentilkiwi on twitter and the author of Mimikatz, will demonstrate just how thoroughly compromised Kerberos can be under real world conditions. Prepare to have all your assumptions about Kerberos challenged!"
- Slides
- Et tu - Kerberos? - Christopher Campbell(Derbycon2014)
- For over a decade we have been told that Kerberos is the answer to Microsoft’s authentication woes and now we know that isn’t the case. The problems with LM and NTLM are widely known- but the problems with Kerberos have only recently surfaced. In this talk we will look back at previous failures in order to look forward. We will take a look at what recent problems in Kerberos mean to your enterprise and ways you could possibly mitigate them. Attacks such as Spoofed-PAC- Pass-the-Hash- Golden Ticket- Pass-the-Ticket and Over-Pass-the-Ticket will be explained. Unfortunately- we don’t really know what is next – only that what we have now is broken.
- Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades - Tim Medin(Derbycon2014)
- Kerberos- besides having three heads and guarding the gates of hell- protects services on Microsoft Windows Domains. Its use is increasing due to the growing number of attacks targeting NTLM authentication. Attacking Kerberos to access Windows resources represents the next generation of attacks on Windows authentication.In this talk Tim will discuss his research on new attacks against Kerberos- including a way to attack the credentials of a remote service without sending traffic to the service as well as rewriting tickets to access systems.He will also examine potential countermeasures against Kerberos attacks with suggestions for mitigating the most common weaknesses in Windows Kerberos deployments.
- Attacking Kerberos: Kicking the Guard Dog of Hades - Tim Medin(2014)
- https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf
- Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws - Exumbraops.com(2016)
- Return From The Underworld - The Future Of Red Team Kerberos - Jim Shaver, Mitchell Hennigan(Derbycon2017)
- This talk discusses Kerberos Key derivation, cracking and the future of Kerberos, kerberoasting and NTLM. Also discusses the possibilities for increased knowledge around Kerberos in the security community.
- LDAP
- 101
- Everything I wanted to know about #ActiveDirectory LDAP - Podalirius(2022)
- Most of modern enterprise networks heavily rely on Microsoft Windows Active Directory to create managed domains of machines. These AD domains take advantage of network protocols and services to work properly, such as Kerberos, SMB, DNS, LDAP, etc … In this talk, we will deep dive into Microsoft’s Active Directory LDAP to give you an overview of concepts, exploitation techniques and tools to interact with it.
- General
- C2
- LDAPFragger: Command and Control over LDAP attributes - Rindert Kramer(2020)
- LDAPFragger
- LDAPFragger is a Command and Control tool that enables attackers to route Cobalt Strike beacon data over LDAP using user attributes.
- LDAP shell
- LDAPShell
- Injection
- LDAP Recon
- 101
- Queries
- Filters
- Tools
- LDAP Nom Nom
- Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP)
- 6.3.3.2 Domain Controller Response to an LDAP Ping - docs.ms
- SharpLdapWhoami
- msldap
- SilentHound
- Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.
- pyldapsearch
- This is designed to be a Python "port" of the ldapsearch BOF by TrustedSec, which is part of this repo. pyldapsearch lets you execute LDAP queries from Linux in a fashion similar to that of the BOF. Its output format closely mimics that of the BOF, and all query output is automatically logged to the user's home directory in .pyldapsearch/logs, where it can be ingested by bofhound.
- ADE - ActiveDirectoryEnum
- Enumerate AD through LDAP with a collection of helpful scripts bundled together
- ldsview
- Offline search tool for LDAP directory dumps in LDIF format.
- LDAP Password Hunter
- LDAP Password Hunter wraps the features of getTGT.py (Impacket) and ldapsearch to look for passwords stored in the LDAP database. getTGT.py authenticates the domain account used for enumeration and saves its Kerberos TGT; the ticket is exported in the KRB5CCNAME variable, which ldapsearch uses to authenticate and obtain TGS tickets for each domain/DC the tool is run against. Based on the CN=Schema,CN=Configuration export, a custom list of attributes is built and filtered into one large query that may contain interesting results. Results are shown and saved in a sqlite3 database.
- TruffleSnout
- Iterative AD discovery toolkit for offensive operators. Situational awareness and targeted low noise enumeration. Preference for OpSec.
- Domain Enumeration Tool
- Blogpost
- Perform Windows domain enumeration via LDAP
- ADReaper
- ADReaper is a tool written in Golang which enumerates an Active Directory environment with LDAP queries within few seconds
- Get-UserSession
- Queries user sessions for the entire domain (Interactive/RDP etc), allowing you to query a user and see all his logged on sessions, whether Active or Disconnected
- ADHuntTool
- Official repo for the AdHuntTool. C# script used for Red Team. It can be run via Cobalt Strike's execute-assembly or as a standalone executable.
- go-windapsearch
- windapsearch is a tool to assist in Active Directory Domain enumeration through LDAP queries. It contains several modules to enumerate users, groups, computers, as well as perform searching and unauthenticated information gathering.
- LDAP Relaying
- Articles
- LDAP relays for initial foothold in dire situations - @SAERXCIT(2022)
- "This article will present 3 “new” LDAP relays implemented in Impacket's ntlmrelayx.py tool, “new” in quotation marks because none of the techniques presented here are new, all are based on the work of other researchers who found the techniques/vulnerabilities, but a domain account was needed to exploit them. The "new" part is their implementation in the context of an LDAP relay so that they're exploitable from a black box situation without an account, with the ultimate goal of making it easier for the pentester to obtain the first domain account in a hardened environment. "
- Bypassing LDAP Channel Binding with StartTLS - @lowercase_drm(2022)
- LDAP Relay - PentestEverything
- Obtaining LAPS Passwords Through LDAP Relaying Attacks - Adam Crosser(2020)
- I’m bringing relaying back: A comprehensive guide on relaying anno 2022 - Jean-Francois Maes(2022)
- We Love Relaying Credentials: A Technical Guide to Relaying Credentials Everywhere - Leandro Cuozzo(2022)
- LDAP relays for initial foothold in dire situations - @SAERXCIT(2022)
- Tools
- Impacket
- ntlmrelayx
- LDAP Relay Scan
- A tool to check Domain Controllers for LDAP server protections regarding the relay of NTLM authentication. If you're interested in the specifics of the error-based enumeration, see below. For details regarding what can be done when you identify a lack of LDAP protections, see the references section.
- Request Signing
- Articles/Blogposts/Writeups
- Tools
- LdapSignCheck
- Beacon Object File to scan a Domain Controller to see if LdapEnforceChannelBinding or LdapServerIntegrity has been modified to mitigate against relaying attacks.
- ldap-scanner
- Checks for signature requirements over LDAP. The script will establish a connection to the target host(s) and request authentication without signature capability. If this is accepted, it means that the target hosts allows unsigned LDAP sessions and NTLM relay attacks are possible to this LDAP service (whenever signing is not requested by the client).
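The error-based enumeration that LDAP Relay Scan and ldap-scanner describe above, as an added example for this page (not code from either tool or from LdapSignCheck): a minimal BER decoder for the LDAP BindResponse and the two classifications, signing enforcement from a plaintext-LDAP NTLM bind that did not negotiate signing, and channel-binding enforcement from an LDAPS bind with a deliberately wrong password. The BindResponse bytes and DSID values are constructed to match the DC's wording, not captured traffic; the channel-binding interpretation (data 80090346 versus data 52e) is an assumption based on how those tools report it.

```python
"""Error-based check for LDAP signing and LDAPS channel-binding enforcement on a DC.
Added example for this page (not code from LdapRelayScan, ldap-scanner or LdapSignCheck).
All BindResponse bytes are constructed below to mirror what a DC returns; none is captured traffic."""

LDAP_STRONGER_AUTH_REQUIRED = 8    # resultCode when a plaintext-LDAP bind must negotiate signing
LDAP_INVALID_CREDENTIALS = 49      # resultCode for a failed simple/NTLM bind
SEC_E_BAD_BINDINGS = "80090346"    # Windows error echoed in the diagnostic when channel bindings are missing/wrong


def _ber_len(data, pos):
    """Decode a BER definite length at pos; returns (length, index of first value byte)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _tlv(data, pos):
    """Read one BER tag-length-value; returns (tag, value bytes, index after the value)."""
    tag = data[pos]
    length, start = _ber_len(data, pos + 1)
    return tag, data[start:start + length], start + length


def parse_bind_response(msg):
    """Decode LDAPMessage{messageID, BindResponse{resultCode, matchedDN, diagnosticMessage}} (RFC 4511)."""
    tag, body, _ = _tlv(msg, 0)
    assert tag == 0x30, "LDAPMessage is a SEQUENCE"
    tag, mid, pos = _tlv(body, 0)
    assert tag == 0x02, "messageID is an INTEGER"
    tag, resp, _ = _tlv(body, pos)
    assert tag == 0x61, "BindResponse is [APPLICATION 1]"
    tag, rc, pos = _tlv(resp, 0)
    assert tag == 0x0A, "resultCode is an ENUMERATED"
    _, _matched_dn, pos = _tlv(resp, pos)
    _, diag, _ = _tlv(resp, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


def classify_signing(result_code, diag):
    """Plain LDAP (389) NTLM bind sent without NTLMSSP_NEGOTIATE_SIGN. Result 8 plus the 'integrity
    checking' comment means LDAPServerIntegrity=2 (signing required); an accepted bind means unsigned
    sessions are allowed, i.e. NTLM relay to LDAP is possible."""
    if result_code == LDAP_STRONGER_AUTH_REQUIRED and "integrity checking" in diag:
        return "signing required"
    return "signing not required"


def classify_channel_binding(result_code, diag):
    """LDAPS (636) bind with a wrong password and no channel-binding token. data 80090346 means the DC
    rejected the missing CBT before checking the password (LdapEnforceChannelBinding=2); data 52e means
    the password was checked, so a client omitting the CBT is accepted (assumption: Never / When Supported)."""
    if result_code != LDAP_INVALID_CREDENTIALS:
        return "unexpected resultCode %d" % result_code
    if SEC_E_BAD_BINDINGS in diag:
        return "channel binding required"
    if "data 52e" in diag:
        return "channel binding not required"
    return "unknown"


def _enc(tag, value):
    """Minimal BER encoder (short and long definite lengths) for the fixtures."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_bind_response(message_id, result_code, diag):
    """Construct an LDAPMessage carrying a BindResponse (test fixture, not captured traffic)."""
    resp = _enc(0x0A, bytes([result_code])) + _enc(0x04, b"") + _enc(0x04, diag.encode())
    return _enc(0x30, _enc(0x02, bytes([message_id])) + _enc(0x61, resp))


# Diagnostic strings modelled on the DC's wording; the DSID values are placeholders.
SIGNING_REQUIRED = build_bind_response(1, 8, "00002028: LdapErr: DSID-0C0903A9, comment: The server requires binds "
                                       "to turn on integrity checking if SSL\\TLS are not already active on the "
                                       "connection, data 0, v4563")
CBT_REQUIRED = build_bind_response(2, 49, "80090346: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, "
                                   "data 80090346, v4563")
BAD_PASSWORD_ONLY = build_bind_response(3, 49, "80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext "
                                        "error, data 52e, v4563")


def audit(unsigned_bind_reply, ldaps_badpw_reply):
    """Combine both probes into the two answers a relay operator needs."""
    _, rc, diag = parse_bind_response(unsigned_bind_reply)
    signing = classify_signing(rc, diag)
    _, rc, diag = parse_bind_response(ldaps_badpw_reply)
    return {"ldap_signing": signing, "ldaps_channel_binding": classify_channel_binding(rc, diag)}


if __name__ == "__main__":
    print(audit(SIGNING_REQUIRED, CBT_REQUIRED))                    # hardened DC
    print(audit(build_bind_response(4, 0, ""), BAD_PASSWORD_ONLY))  # default DC: relayable
```

A real probe sends the constructed NTLM bind over a socket and feeds the reply into parse_bind_response; the classification logic is the same. The bad-password trick matters because it lets the channel-binding check run without valid domain credentials.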
- Talks & Presentations
- Fun with LDAP and Kerberos: Attacking AD from non-Windows machines - Ronnie Flathers(Troopers19)
- Slides
- You don’t need Windows to talk to Windows. This talk will explain and walk through various techniques to (ab)use LDAP and Kerberos from non-Windows machines to perform reconnaissance, gain footholds, and maintain persistence, with an emphasis on explaining how the attacks and protocols work. This talk will walk through some lesser known tools and techniques for doing reconnaissance and enumeration in AD environments, as well as gaining an initial foothold, and using credentials in different, stealthier ways (i.e. Kerberos). While tools like Bloodhound, CrackMapExec and Deathstar have made footholds and paths to DA very easy and automated, this talk will instead discuss how tools like this work “under-the-hood” and will stress living off the land with default tools and manual recon and exploitation. After discussing some of the technologies and protocols that make up Active Directory Domain Services, I’ll explain how to interact with these using Linux tools and Python. You don’t need a Windows foothold to talk Windows - everything will be done straight from Linux using DNS, LDAP, Heimdal Kerberos, Samba and Python Impacket.
- Tools
- eLdap-Ldap-Search-and-Filter
- eLdap is a tool that helps users searching and filtering queries in Ldap environment.
- ADCollector
- ADCollector is a lightweight tool that enumerates the Active Directory environment to identify possible attack vectors. It will give you a basic understanding of the configuration/deployment of the environment as a starting point.
- DumpLDAP
- DumpLDAP dumps an LDAP server to json. This allows for offline exploration and better network opsec.
- ldap2json
- The ldap2json script allows you to extract the whole LDAP content of a Windows domain into a JSON file.
- LDAP Monitor
- Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!
- LDAPDomainDump
- In an Active Directory domain, a lot of interesting information can be retrieved via LDAP by any authenticated user (or machine). This makes LDAP an interesting protocol for gathering information in the recon phase of a pentest of an internal network. A problem is that data from LDAP often is not available in an easy to read format. ldapdomaindump is a tool which aims to solve this problem, by collecting and parsing information available via LDAP and outputting it in a human readable HTML format, as well as machine readable json and csv/tsv/greppable files.
- windapsearch
- windapsearch is a Python script to help enumerate users, groups and computers from a Windows domain through LDAP queries. By default, Windows Domain Controllers support basic LDAP operations through port 389/tcp. With any valid domain account (regardless of privileges), it is possible to perform LDAP queries against a domain controller for any AD related information. You can always use a tool like ldapsearch to perform custom LDAP queries against a Domain Controller. I found myself running different LDAP commands over and over again, and it was difficult to memorize all the custom LDAP queries. So this tool was born to help automate some of the most useful LDAP queries a pentester would want to perform in an AD environment.
- msldap
- Documentation
- LDAP library for MS AD
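The queries these tools automate, as an added example for this page (not windapsearch's or ldapdomaindump's code): a userAccountControl decoder, the LDAP filters for Kerberoastable, AS-REP-roastable, delegating and "sensitive" accounts (the NOT_DELEGATED flag from the "Account is sensitive and cannot be delegated" writeups in the Kerberos section), and a small RFC 4515 evaluator that runs those filters over constructed directory entries, so the bitwise matching-rule OID can be seen selecting the right objects offline. The entries, account names and SPNs are constructed.

```python
"""Decode userAccountControl and evaluate the LDAP filters that windapsearch / ldapdomaindump issue for the
accounts an attacker looks for first (Kerberoastable, AS-REP roastable, delegation, 'sensitive'). Added
example for this page, not code from either tool; the directory entries are constructed, not a real dump."""

UAC = {  # userAccountControl bits (MS-ADTS)
    "ACCOUNTDISABLE": 0x0002, "NORMAL_ACCOUNT": 0x0200, "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000, "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,            # unconstrained delegation
    "NOT_DELEGATED": 0x100000,                    # 'Account is sensitive and cannot be delegated'
    "DONT_REQ_PREAUTH": 0x400000,                 # AS-REP roastable
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # constrained delegation with protocol transition
}
BIT_AND, BIT_OR = "1.2.840.113556.1.4.803", "1.2.840.113556.1.4.804"  # LDAP_MATCHING_RULE_BIT_AND / _OR


def decode_uac(value):
    """Names of the set bits, e.g. 0x82000 -> SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION."""
    return sorted(name for name, bit in UAC.items() if value & bit)


def uac_is(flag, present=True):
    clause = "(userAccountControl:%s:=%d)" % (BIT_AND, UAC[flag])
    return clause if present else "(!%s)" % clause


ENABLED = uac_is("ACCOUNTDISABLE", present=False)
FILTERS = {
    "kerberoastable": "(&(objectCategory=person)(servicePrincipalName=*)%s)" % ENABLED,
    "asrep_roastable": "(&(objectCategory=person)%s%s)" % (uac_is("DONT_REQ_PREAUTH"), ENABLED),
    # DCs are unconstrained by design, so primaryGroupID 516 (Domain Controllers) is excluded
    "unconstrained_delegation": "(&%s(!(primaryGroupID=516))%s)" % (uac_is("TRUSTED_FOR_DELEGATION"), ENABLED),
    "constrained_delegation": "(msDS-AllowedToDelegateTo=*)",
    "sensitive_accounts": uac_is("NOT_DELEGATED"),
}


def _parse(s, i):
    """Recursive-descent parser for the RFC 4515 subset above: &, |, !, attr=value, attr=* and attr:OID:=value."""
    assert s[i] == "(", "filter must open with '('"
    op = s[i + 1]
    if op in "&|":
        kids, i = [], i + 2
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1           # skip the closing ')'
    if op == "!":
        node, i = _parse(s, i + 2)
        return ("!", node), i + 1
    end = s.index(")", i)
    attr, _, value = s[i + 1:end].partition("=")
    if ":" in attr:                        # extensible match: attr:OID:=value
        attr, _, rule = attr.partition(":")
        return ("bitand" if rule.rstrip(":") == BIT_AND else "bitor", attr, int(value)), end + 1
    node = ("present", attr) if value == "*" else ("equal", attr, value)
    return node, end + 1


def _values(entry, attr):
    """LDAP attribute names are case-insensitive; always return a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def evaluate(node, entry):
    kind = node[0]
    if kind == "&":
        return all(evaluate(k, entry) for k in node[1])
    if kind == "|":
        return any(evaluate(k, entry) for k in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    vals = _values(entry, node[1])
    if kind == "present":
        return bool(vals)
    if kind == "equal":
        return any(str(v).lower() == node[2].lower() for v in vals)
    if kind == "bitand":
        return any(int(v) & node[2] == node[2] for v in vals)
    return any(int(v) & node[2] for v in vals)   # bitor


def search(filter_str, directory):
    node, end = _parse(filter_str, 0)
    assert end == len(filter_str), "trailing data after filter"
    return sorted(e["sAMAccountName"] for e in directory if evaluate(node, e))


# Constructed objects. objectCategory is kept as the short class name; a DC resolves it to the schema DN.
DIRECTORY = [
    {"sAMAccountName": "svc_sql", "objectCategory": "person", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "old_svc", "objectCategory": "person", "userAccountControl": 0x10202,  # disabled
     "servicePrincipalName": ["HTTP/app.corp.local"]},
    {"sAMAccountName": "legacy_app", "objectCategory": "person", "userAccountControl": 0x400200},
    {"sAMAccountName": "da_admin", "objectCategory": "person", "userAccountControl": 0x100200},
    {"sAMAccountName": "DC01$", "objectCategory": "computer", "userAccountControl": 0x82000, "primaryGroupID": 516},
    {"sAMAccountName": "APP01$", "objectCategory": "computer", "userAccountControl": 0x81000, "primaryGroupID": 515},
    {"sAMAccountName": "WEB01$", "objectCategory": "computer", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.local"]},
]
```

The strings in FILTERS are what you paste into ldapsearch or windapsearch against a real DC; the evaluator exists only to show what each clause selects. Note the disabled-account exclusion in every filter but the last: a Kerberoastable SPN on a disabled account is noise, and the bitwise OID is the only way to express that in a filter.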
- KMS
- Tools
- py-kms
- py-kms is a port of node-kms created by cyrozap, which is a port of either the C#, C++, or .NET implementations of KMS Emulator. The original version was written by CODYQX4 and is derived from the reverse-engineered code of Microsoft's official KMS.
- LAPS
- 101
- Articles/Blogposts/Writeups
- Running LAPS with PowerView - harmj0y
- RastaMouse LAPS Part 1 & 2
- Setting up a LAPS backdoor by modifying the SearchFlags attribute with DCShadow (Mise en place d'une Backdoor LAPS via modification de l'attribut SearchFlags avec DCShadow) - Gregory Lucand
- Malicious use of Microsoft LAPS - akijos
- Microsoft LAPS Security & Active Directory LAPS Configuration Recon - adsecurity.org
- Running LAPS Around Cleartext Passwords - Karl Fosaaen
- Tools
- LAPSToolkit
- Tool to audit and attack LAPS environments
- Crackmapexec-LAPS
- Lync
- LyncSniper
- A tool for penetration testing Skype for Business and Lync deployments
- Blogpost/Writeup
- LyncSmash
- MachineAccountQuota
- 101
- The number of computer accounts that a user is allowed to create in a domain (the ms-DS-MachineAccountQuota attribute, default 10).
- Articles/Blogposts/Writeups
- MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory’s Oddest Settings - Kevin Robertson(2019)
- MachineAccountQuota Transitive Quota: 110 Accounts and Beyond - Kevin Robertson(2019)
- PowerMAD
- PowerShell MachineAccountQuota and DNS exploit tools
- Blogpost
- MS-SAMR
- [MS-SAMR]: Security Account Manager (SAM) Remote Protocol (Client-to-Server) - docs.ms
- Specifies the Security Account Manager (SAM) Remote Protocol, which supports management functionality for an account store or directory containing users and groups. The goal of the protocol is to enable IT administrators and users to manage users, groups, and computers.
- [MS-WKST]: Workstation Service Remote Protocol - docs.ms
- Specifies the Workstation Service Remote Protocol, which remotely queries and configures certain aspects of a Server Message Block network redirector on a remote computer.
- MS SQL Server
- Read-Only Domain Controllers
- 101
- Read-Only DCs and the Active Directory Schema - docs.ms
- Windows Server 2008 introduces a new type of domain controller, the Read-only Domain Controller (RODC). This provides a domain controller for use at branch offices where a full domain controller cannot be placed. The intent is to allow users in the branch offices to logon and perform tasks like file/printer sharing even when there is no network connectivity to hub sites.
- Articles/Blogposts/Writeups
- Red Forest
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- From Workstation to Domain Admin: Why Secure Administration Isn't Secure and How to Fix It - Sean Metcalf(BHUSA2018)
- Attack and defend Microsoft Enhanced Security Administrative Environment - Hao Wang, Yothin Rodanant(Troopers2018)
- Slides
- Microsoft Enhanced Security Administrative Environment (ESAE) known as “Red Forest” has become a very popular architecture solution to enhance the security of Active Directory. Can ESAE be used to completely prevent cyber attackers from compromising Active Directory? In this talk, we will demonstrate the commonly overlooked techniques that can be used to obtain domain dominance within ESAE.
- Tiered Administrative Model - ESAE - Active Directory Red Forest Architecture - Russel Smith(2018)
- Understanding “Red Forest”: The 3-Tier Enhanced Security Admin Environment (ESAE) and Alternative Ways to Protect Privileged Credentials - ultimatewindowsecurity.com
- Security Identifiers
- Security Identifiers - docs.ms
- This article describes how security identifiers (SIDs) work with accounts and groups in the Windows Server operating system.
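Added example for this page (not code from any of the tools above): decoding the binary SID layout this article describes, naming well-known RIDs, and applying it to mS-DS-CreatorSID, the attribute that records who used the MachineAccountQuota to create a computer account, including the computer-creates-computer chain from the "Transitive Quota" post in the MachineAccountQuota section. The domain SID, RIDs and computer objects are constructed.

```python
"""Decode and encode binary SIDs (objectSid, mS-DS-CreatorSID) and walk mS-DS-CreatorSID to see who created which
machine accounts under the MachineAccountQuota, including the transitive computer-creates-computer pattern.
Added example for this page, not code from PowerMAD or any other tool; every SID and object below is constructed."""
import struct

WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt", 512: "Domain Admins", 513: "Domain Users",
                   515: "Domain Computers", 516: "Domain Controllers", 518: "Schema Admins",
                   519: "Enterprise Admins", 525: "Protected Users"}
DEFAULT_MACHINE_ACCOUNT_QUOTA = 10   # ms-DS-MachineAccountQuota default


def sid_to_string(blob):
    """Layout: revision(1) subauth_count(1) identifier_authority(6, big-endian) subauthorities(4 each, little-endian)."""
    revision, count = blob[0], blob[1]
    assert revision == 1 and len(blob) == 8 + 4 * count, "malformed SID"
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text):
    parts = text.split("-")
    assert parts[0] == "S" and len(parts) >= 3, "malformed SID string"
    subs = [int(p) for p in parts[3:]]
    return bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def describe(text):
    """'S-1-5-21-...-512' -> 'Domain Admins (RID 512) of S-1-5-21-...'; the RID names the principal inside its domain."""
    domain, _, rid = text.rpartition("-")
    rid = int(rid)
    return "%s (RID %d) of %s" % (WELL_KNOWN_RIDS.get(rid, "unknown"), rid, domain)


def machine_accounts_by_creator(computers, quota=DEFAULT_MACHINE_ACCOUNT_QUOTA):
    """Group computers by mS-DS-CreatorSID, which AD populates only when the account was created through the quota
    rather than by a principal with explicit create-child rights. Returns ({creator: [names]}, [creators over quota])."""
    by_creator = {}
    for comp in computers:
        if "mS-DS-CreatorSID" in comp:
            by_creator.setdefault(sid_to_string(comp["mS-DS-CreatorSID"]), []).append(comp["sAMAccountName"])
    over_quota = sorted(c for c, names in by_creator.items() if len(names) > quota)
    return by_creator, over_quota


def creation_chains(computers):
    """Follow creator SIDs through objectSid: a computer whose creator is itself a quota-created computer is the
    transitive pattern from the 'Transitive Quota' post. Returns {name: [creator, creator's creator, ...]}."""
    by_sid = {sid_to_string(c["objectSid"]): c for c in computers}
    chains = {}
    for comp in computers:
        chain, cur = [], comp
        while "mS-DS-CreatorSID" in cur and len(chain) < 32:    # bound guards against cyclic data
            creator = sid_to_string(cur["mS-DS-CreatorSID"])
            cur = by_sid.get(creator, {})
            chain.append(cur.get("sAMAccountName", creator))    # name if it is a known computer, else the raw SID
        chains[comp["sAMAccountName"]] = chain
    return chains


DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed domain SID


def _computer(name, rid, creator_rid=None):
    entry = {"sAMAccountName": name, "objectSid": string_to_sid("%s-%d" % (DOMAIN_SID, rid))}
    if creator_rid is not None:
        entry["mS-DS-CreatorSID"] = string_to_sid("%s-%d" % (DOMAIN_SID, creator_rid))
    return entry


# user RID 1105 joined WS-01..WS-10 (its full quota); WS-01$ (RID 1201) then joined WS-11..WS-13 itself
COMPUTERS = ([_computer("DC01$", 1000)]
             + [_computer("WS-%02d$" % i, 1200 + i, creator_rid=1105) for i in range(1, 11)]
             + [_computer("WS-%02d$" % i, 1300 + i, creator_rid=1201) for i in range(11, 14)])
```

Against a real domain the input is the raw objectSid / mS-DS-CreatorSID values returned by LDAP (ldapdomaindump writes them as strings already, PowerMAD's Get-MachineAccountCreator does the same resolution). A creator chain longer than one entry is exactly the transitive-quota case: the quota was never exceeded per principal, yet one user is ultimately behind every account in the chain.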
- Service Principal Names
- 101
- Articles/Blogposts/Writeups
- Active Directory Pentest Recon Part 1: SPN Scanning aka Mining Kerberos Service Principal Names - Sean Metcalf
- SPN Discovery - pentestlab.blog
- Service Principal Name (SPN) - hackndo
- SPNs - adsecurity.org
- This page is a comprehensive reference (as comprehensive as possible) for Active Directory Service Principal Names (SPNs). As I discover more SPNs, they will be added.
- Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe - social.technet.ms.com)
- See: Kerberoasting
- System Center Configuration Manager
- Attack Path Writeups/Samples
- Articles/Blogposts/Writeups
- Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin - Hausec(2017)
- Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher(2018)
- No Shells Required - a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to DA - redxorblue(2019)
- The Attack Path Management Manifesto - Andy Robbins(2021)
- Who Let the ARPs Out? - From ARP Spoof to Domain Compromise - Joe Minicucci(2021)
- From Default Printer Credentials to Domain Admin - Olivier Laflamme(2021)
- PKINIT FTW - Chaining Shadow Credentials and ADCS Template Abuse - Matthew Creel(2020)
- Admin’s Nightmare: Combining HiveNightmare/SeriousSAM and AD CS Attack Path’s for Profit - Steve Borosh(2021)
- Domain Compromise via DC Print Server and Kerberos Delegation - spotheplanet
- PetitPotam – NTLM Relay to AD CS - NetbiosX(2021)
- Certifried combined with KrbRelayUp - tothi
- Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts
- Talks/Presentations/Videos
- Building the DeathStar: getting Domain Admin with a push of a button (a.k.a. how I almost automated myself out of a job) - Marcello Salvati(Derbycon2017)
- Ever since the advent of tools like PowerSploit, Empire, Bloodhound and CrackMapExec pentesting Active Directory has become a pretty straight forward and repetitive process for 95% of all the environments that I get dropped into. This begs the question: can the process of going from an unprivileged domain user to Domain Admin be automated? Well obviously, since this talk is a thing, the answer is yes! Introducing the DeathStar: a Python script that leverages Empire 2.0's RESTful API to automate the entire AD pentesting process from elevating domain rights, spreading laterally and hunting down those pesky Domain Admins! This talk will mainly focus on how DeathStar works under the hood, how to properly defend against it and the most common AD misconfigurations/vulnerabilities that I see in almost every environment which allow for this script to be so effective. It will then conclude with live demos of the tool in action (which hopefully will not fail miserably) and some final considerations from yours truly.
- Icebreaker - From internal jumpbox to domain admin in one command - Dan McInerney(BSidesSLC2018)
- Icebreaker automates 5 different internal network attacks to gain access to plaintext and hashed credentials from Active Directory environments. Whenever hashed credentials are found Icebreaker will automatically attempt to crack them. After successfully performing the network attacks Icebreaker can kick off the tools Empire and DeathStar to automate the process of escalating privileges all the way to domain admin without any user interaction. This talk will discuss how and why all 5 of these network attacks work as well as how DeathStar uses the found credentials to escalate privileges.
- [Attack]tive Directory: Compromising a Network in 20 Minutes Through Active Directory - Ryan Hausknecht(2021)
- Abusing ACEs & ACLs
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Tools
- Across Trusts and Domains
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Tools
- Certificate Services (Attacking)
- Articles/Blogposts/Writeups
- Supply in the Request Shenanigans - Carl Sorqvist(2020)
- Certified Pre-Owned: Abusing Active Directory Certificate Services - Will Schroeder, Lee Christensen(2021)
- KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) - support.ms(2021)
- Certificate Services (AD-CS) - thehacker.recipes
- Microsoft ADCS – Abusing PKI in Active Directory Environment - Jean Marsault(2021)
- NTLM relaying to AD CS - On certificates, printers and a little hippo - Dirk-jan Mollema(2021)
- AD CS relay attack - practical guide - @exandroiddev(2021)
- Active Directory Certificate Services (ADCS - PKI) domain admin vulnerability - Bojan Zdrnja(2021)
- From Stranger to DA // Using PetitPotam to NTLM relay to Domain Administrator - Ben Bidmead(2021)
- Abusing Weak ACL on Certificate Templates - daem0nc0re(2021)
- Golden Certificate - NetbiosX(2022)
- AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh(2022)
- ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate - spotheplanet(2022)
- AD CS: from ManageCA to RCE - Pablo Martínez, Kurosh Dabbagh
- Certifried: Active Directory Domain Privilege Escalation (CVE-2022-26923) - Oliver Lyak(2022)
- Living off the land, AD CS style - Ceri Coburn(2022)
- Skidaddle Skideldi - I just pwnd your PKI - LuemmelSec(2022)
- Talks/Presentations/Videos
- Tools
- Attacking
- https://github.com/SammyKrosoft/CertReq.Inf
- Certipy
- Certipy 2.0: BloodHound, New Escalations, Shadow Credentials, Golden Certificates, and more! - Oliver Lyak(2022)
- Certipy is an offensive tool for enumerating and abusing Active Directory Certificate Services (AD CS).
- PetitPotam
- PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function.
- Certify
- ForgeCert
- pyForgeCert
- pyForgeCert is a Python equivalent of the ForgeCert.
- PKINITtools
- Tools for Kerberos PKINIT and relaying to AD CS
- ADCSPwn
- A tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts (PetitPotam) and relaying it to the certificate service.
- EfsPotato
- Exploit for EfsPotato (MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privilege escalation vulnerability).
- LoLBin to trigger relayable NTLM auth over RPC (Antonio Cocomazzi): rpcping -s 10.0.0.35 -e 9997 /a connect /u NTLM
- WebClient Service Scanner
- Python tool to Check running WebClient services on multiple targets based on @leechristensen
- Detection
- Invoke-Leghorn
- Standalone powershell script to detect potential PKI abuse
- PSPKIAudit
- PowerShell toolkit for auditing Active Directory Certificate Services (AD CS).
- Coerced Authentication
- Microsoft does not consider coerced authentication, by itself, a security vulnerability.
- Articles/Blogposts/Writeups
- Starting WebClient Service Programmatically - James Forshaw(2015)
- Windows Coerced Authentication Methods
- This repository contains a list of many methods to coerce a windows machine to authenticate to an attacker-controlled machine.
- Coercing NTLM Authentication from SCCM - Chris Thompson(2022)
- MS-FSRVP abuse (ShadowCoerce) - TheHackerRecipes
- From RpcView to PetitPotam - itm4n(2021)
- Chasing the Silver Petit Potam to Domain Admin - Andy Gil(2022)
- Dropping Files on a Domain Controller Using CVE-2021-43893 - Jake Baines(2022)
- From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure - gladiatx0r
- Talks/Presentations/Videos
- Coercions and Relays - The First Cred is the Deepest with Gabriel Prud'homme(BHIS2022)
- "In this 1.5-HOUR, Black Hills Information Security (BHIS) webcast, Gabriel Prud'homme will cover network protocol poisoning, relays, and abuses. Learn how to use Responder, Ntlmrelayx, and Mitm6. From PetitPotam to WebDAV remote and local privilege escalation, and much more. "
- Tools
- Coercer
- PetitPotam
- Server Service Authentication Coerce Vulnerability
- CVE-2022-30216 - Authentication coercion of the Windows “Server” service - Akamai Security Research(2022)
- This is the git repository for the PoC of the srvsvc auth coerce vulnerability (CVE-2022-30216).
- CheeseOunce
- This Simple POC make windows machines auth to another via MS-EVEN.
- PetitPotam Python
- SharpSystemTriggers
- Collection of remote authentication triggers coded in C# using MIDL compiler for avoiding 3rd party dependencies.
- MSSQL Analysis Services - Coerced Authentication
- ShadowCoerce
- MS-FSRVP coercion abuse PoC
- DFSCoerce
- PoC for MS-DFSNM coerce authentication using NetrDfsRemoveStdRoot and NetrDfsAddStdRoot (found by @xct_de) methods.
- cornershot
- Identify network accessibility using RPC coerced authentication
- SpoolSample
- Credential Attacks
- 101
- Cached and Stored Credentials Technical Overview - docs.ms
- This topic for the IT professional describes how credentials are formed in Windows and how the operating system manages them. Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
- Credentials Processes in Windows Authentication - docs.ms
- This reference topic for the IT professional describes how Windows authentication processes credentials. Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016
- Cached Credentials: Important Facts That You Cannot Miss - CQURE
- Security Focus: Analysing 'Account is sensitive and cannot be delegated' for Privileged Accounts - Ian Farr(MSFT2015)
- There are a number of configuration options we recommend for securing high privileged accounts. One of them, enabling 'Account is sensitive and cannot be delegated', ensures that an account’s credentials cannot be forwarded to other computers or services on the network by a trusted application.
- Protected Users Security Group - docs.ms
- AD DS: Fine-Grained Password Policies - docs.ms - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770394(v=ws.10)
- Clearing cached/saved Windows credentials - University of Waterloo
- Protect derived domain credentials with Windows Defender Credential Guard - docs.ms
- KB2871997 and Wdigest - Part 1 - docs.ms
- Network security: LAN Manager authentication level - docs.ms
- Describes the best practices, location, values, policy management and security considerations for the Network security: LAN Manager authentication level security policy setting. This policy setting determines which challenge or response authentication protocol is used for network logons.
- General Articles
- Windows authentication attacks part 2 – kerberos - Ahmed Sultan(2020)
- Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY - Dray Agha(2022)
- Auto-Dumping Domain Credentials using SPNs, PowerShell Remoting, and Mimikatz - Scott Sutherland
- Password Hunting with Machine Learning in Active Directory - HunniCyber
- tl;dr: Situation: passwords embedded in files on fileshares lead to compromise. Complication: it is hard to tell what is a password. Resolution: use SharpML to scan.
- Auth Providers
- Brute-Force Attacks
- Cached Credentials
- Dumping NTDS.dit
- 101
- Articles/Blogposts/Writeups
- Volume Shadow Copy NTDS.dit Domain Hashes Remotely - Part 1 - mubix(2013)
- How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller - ADSecurity(2014)
- Obtaining NTDS.Dit Using In-Built Windows Commands - Cyberis(2014)
- Using Domain Controller Account Passwords To HashDump Domains - Mubix(2015)
- How Attackers Dump Active Directory Database Credentials - adsecurity.org(2016)
- Practice ntds.dit File Part 2: Extracting Hashes - Didier Stevens(2016)
- Extracting Hashes and Domain Info From ntds.dit - ropnop(2017)
- Dumping Domain Password Hashes - Pentestlab.blog(2018)
- Remotely dump "Active Directory Domain Controller" machine user database using web shell - Indishell(2018)
- Credential Dumping: NTDS.dit - Yashika Dir(2020)
- Extracting Password Hashes From The Ntds.dit File - Jeff Warren(2022)
- Tools
- adXtract
- DIT Snapshot Viewer
- DIT Snapshot Viewer is an inspection tool for the Active Directory database, ntds.dit. It connects to ESE (Extensible Storage Engine) and reads tables/records, including hidden objects, through the low-level C API. The tool can extract the ntds.dit file without stopping lsass.exe: while Active Directory Domain Services is running, lsass.exe holds the file locked and does not allow access to it, so the snapshot wizard copies ntds.dit via VSS (Volume Shadow Copy Service) even though the file is exclusively locked. Because copying ntds.dit may leave the ESE database inconsistent, the wizard automatically runs an esentutl repair (esentutl /p) to fix it.
- NTDSXtract - Active Directory Forensics Framework
- This framework was developed by the author in order to provide the community with a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).
- NTDSDumpEx
- NTDS.dit offline dumper with non-elevated
- NTDS-Extraction-Tools
- Automated scripts that use an older version of libesedb (2014-04-06) to extract large NTDS.dit files
- gosecretsdump
- This is a conversion of the impacket secretsdump module into golang. It's not very good, but it is quite fast. Please let me know if you find bugs, I'll try and fix where I can - bonus points if you can provide sample .dit files for me to bash against.
- Empty Passwords
- Internal Monologue
- see "Internal Monologue" from main ToC.
- Local Account Passwords
- MSCACHE
- Credential Dumping: Domain Cache Credential - Raj Chandel(2020)
- mscache
- a tool to manipulate dcc(domain cached credentials) in windows registry, based mainly on the work of mimikatz and impacket
- MFA-Related
- Multi-Factor Mixup: Who Were You Again? - Okta
- A weakness in the Microsoft ADFS protocol for integration with MFA products allows a second factor for one account to be used for second-factor authentication to all other accounts in an organization.
- Net-NTLM
- NetNTLMtoSilverTicket
- SpoolSample -> NetNTLMv1 -> NTLM -> Silver Ticket
- This technique has been alluded to by others, but I haven't seen anything cohesive out there. Below we'll walk through the steps of obtaining NetNTLMv1 Challenge/Response authentication, cracking those to NTLM Hashes, and using that NTLM Hash to sign a Kerberos Silver ticket. This will work on networks where "LAN Manager authentication level" is set to 2 or less. This is a fairly common scenario in older, larger Windows deployments. It should not work on Windows 10 / Server 2016 or newer.
- NPLogonNotify function
- NPLogonNotify function - docs.ms
- NPPSpy
- Simple (but fully working) code for NPLogonNotify(). The function obtains logon data, including cleartext password.
- Offline-based
- Active Directory Offline Hash Dump and Forensic Analysis - Csaba Barta(2011)
- Offline Attacks on Active Directory - Michael Grafnetter
- This lab will guide you through some of the most interesting features of the DSInternals PowerShell Module, which was featured at Black Hat Europe 2019 and is also included in FireEye’s Commando VM. This open-source toolset exposes many internal and undocumented security-related features of Active Directory (AD), but we will primarily focus on its state-of-the-art offline database access capabilities. In the course of this lab, you will learn how to perform Active Directory password audits, offline password resets and group membership changes, or SID history injection.
- Password Spraying
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Quietly Password Spraying ADFS using FireProx | Mike Fletch(2022)
- Microsoft Active Directory Federation Services is a great authentication portal that is commonly overlooked by defenders. By rotating IP addresses with FireProx, you can quietly password spray ADFS to gain access to a Microsoft tenant and maybe even the configured Relying Party trusts!
- Tools
- smartbrute
- The smart password spraying and bruteforcing tool for Active Directory Domain Services.
- keimpx
- keimpx is an open source tool, released under the Apache License 2.0. It can be used to quickly check for valid credentials across a network over SMB.
- Invoke-CleverSpray
- Password Spraying Script detecting current and previous passwords of Active Directory User by @flelievre
- Talon
- Talon is a tool designed to perform automated password guessing attacks while remaining undetected. Talon can enumerate a list of users to identify which users are valid, using Kerberos. Talon can also perform a password guessing attack against the Kerberos and LDAPS (LDAP Secure) services. Talon can either use a single domain controller or multiple ones to perform these attacks, randomizing each attempt, between the domain controllers and services (LDAP or Kerberos).
- aad-sso-enum-brute-spray
- POC of SecureWorks' recent Azure Active Directory password brute-forcing vuln
- msprobe
- The tool uses a list of common subdomains associated with your target apex domain to attempt to discover valid instances of on-prem Microsoft solutions.
- ADFSpray
- ADFSpray is a python3 tool to perform password spray attack against Microsoft ADFS. ALWAYS VERIFY THE LOCKOUT POLICY TO PREVENT LOCKING USERS.
- ShadowSpray
- A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
- RDP
- Relayed Credentials
- See NTLM Relay
- Playing with Relayed Credentials - SecureAuth
- Reversible Encryption/Fine Grained Password Policies
- SCCM
- Tickets
- Stop Touching Lsass!! - Joshua Prager(2019)
- Credential theft without admin or touching LSASS with Kekeo by abusing CredSSP / TSPKG (RDP SSO) - Clement Notin(2019)
- If you have compromised a Windows host and cannot, or do not want to, dump clear-text passwords using traditional techniques (e.g. mimikatz's sekurlsa::logonpasswords, or LSASS dumping), you should check the credential delegation settings. If enabled, they allow you to obtain clear-text passwords without touching the LSASS process, or even without having administrator rights (limited to the current user's password in that case)!
- Presentations/Talks/Videos
- Credential Assessment: Mapping Privilege Escalation at Scale - Matt Weeks(Hack.lu 2016)
- In countless intrusions from large retail giants to oil companies, attackers have progressed from initial access to complete network compromise. In the aftermath, much ink is spilt and products are sold on how the attackers first obtained access and how the malware they used could or could not have been detected, while little attention is given to the credentials they found that turned their access on a single-system into thousands more. This process, while critical for offensive operations, is often complex, involving many links in the escalation chain composed of obtaining credentials on system A that grant access to system B and credentials later used on system B that grant further access, etc. We’ll show how to identify and combat such credential exposure at scale with the framework we developed. We comprehensively identify exposed credentials and automatically construct the compromise chains to identify maximal access and privileges gained, useful for either offensive or defensive purposes.
- When Everyone's Dog is Named Fluffy: Abusing the Brand New Security Questions in Windows 10 to Gain Domain-Wide Persistence - Magal Baz, Tom Sela(BHEU18)
- Tools
- Fake Logon Screens
- FakeLogonScreen
- FakeLogonScreen is a utility to fake the Windows logon screen in order to obtain the user's password. The password entered is validated against the Active Directory or local machine to make sure it is correct and is then displayed to the console or saved to disk.
- SharpLocker
- SharpLocker helps get the current user's credentials by popping a fake Windows lock screen; all output is sent to the console, which works perfectly for Cobalt Strike. It is written in C# to allow for direct execution via memory injection using techniques such as execute-assembly found in Cobalt Strike or others; this method prevents the executable from ever touching disk. It is NOT intended to be compiled and run locally on a device.
- Gosecretsdump
- This is a conversion of the impacket secretsdump module into golang. It's not very good, but it is quite fast. Please let me know if you find bugs, I'll try and fix where I can - bonus points if you can provide sample .dit files for me to bash against.
- DomainPasswordTest
- Tests AD passwords while respecting Bad Password Count
- serviceFu
- Automates credential skimming from service accounts in Windows Registry using Mimikatz lsadump::secrets. The use case for this tool is when you have administrative rights across certain computers in a domain but do not have any clear-text credentials. ServiceFu will remotely connect to target computers, check if any credentialed services are present, download the system and security registry hive, and decrypt clear-text credentials for the domain service account.
- DCShadow
- 101
- Active Directory: What can make your million dollar SIEM go blind? - Vincent Le Toux, Benjamin Delpy
- DCShadow
- DCShadow is a new feature in mimikatz located in the lsadump module. It simulates the behavior of a Domain Controller (using protocols like RPC used only by DC) to inject its own data, bypassing most of the common security controls and including your SIEM. It shares some similarities with the DCSync attack (already present in the lsadump module of mimikatz).
- DCShadow explained: A technical deep dive into the latest AD attack technique - Luc Delsalle
- What is DCShadow? - Stealthbits
- Articles/Blogposts/Writeups
- Tools
- DCSync Attack
- 101
- Articles/Blogposts/Writeups
- DCSync - Yojimbo Security
- DCSync: Dump Password Hashes from Domain Controller - ired.team
- Mimikatz DCSync Usage, Exploitation, and Detection - Sean Metcalf
- Mimikatz and DCSync and ExtraSids, Oh My - harmj0y
- Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync
- Extracting User Password Data with Mimikatz DCSync - Jeff Warren
- Tools
- NetSync Attack
- Defense Evasion
- Evading Microsoft ATA for Active Directory Domination - Nikhil Mittal
- Microsoft Advanced Threat Analytics (ATA) is a defense platform which reads information from multiple sources like traffic for certain protocols to the Domain Controller, Windows Event Logs and SIEM events. The information thus collected is used to detect Reconnaissance, Credentials replay, Lateral movement, Persistence attacks etc. Well known attacks like Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Golden Ticket, Directory services replication, Brute-force, Skeleton key etc. can be detected using ATA.
- Red Team Techniques for Evading, Bypassing & Disabling MS - Chris Thompson
- Windows Defender Advanced Threat Protection is now available for all Blue Teams to utilize within Windows 10 Enterprise and Server 2012/16, which includes detection of post breach tools, tactics and techniques commonly used by Red Teams, as well as behavior analytics.
- Slides
- Discovery & Reconnaissance
- Articles/Blogposts/Writeups
- Targeted Active Directory Host Enumeration - Carlos Perez(2020)
- Finding Buried Treasure in Server Message Block (SMB) - David Fletcher(2021)
- Active Directory Firewall Ports – Let’s Try To Make This Simple - Ace Fekay(2011)
- Automating the Empire with the Death Star: getting Domain Admin with a push of a button
- Active Directory Pentest Recon Part 1: SPN Scanning aka Mining Kerberos Service Principal Names
- adcli
- ADModule
- DNS
- File Shares
- GPOs
- Hunting Users
- Articles/Blogposts/Writeups
- Scanning for Active Directory Privileges & Privileged Accounts - Sean Metcalf(2017)
- Derivative Local Admin - sixdub
- Active Directory Control Paths
- Control paths in Active Directory are an aggregation of "control relations" between entities of the domain (users, computers, groups, GPOs, containers, etc.) which can be visualized as graphs (such as above) and whose purpose is to answer questions like "Who can get 'Domain Admins' privileges?" or "What resources can a user control?" and even "Who can read the CEO's emails?".
- 5 Ways to Find Systems Running Domain Admin Processes - Scott Sutherland
- Attack Methods for Gaining Domain Admin Rights in Active Directory
- Nodal Analysis of Domain Trusts – Maximizing the Win!
- Abusing DNSAdmins privilege for escalation in Active Directory
- How Attackers Dump Active Directory Database Credentials
- “I Hunt Sys Admins”
- Gaining Domain Admin from Outside Active Directory - markitzeroday
- Talks/Videos
- I Hunt Sys Admins - Will Schroeder/@harmj0y(Shmoocon 2015)
- I Hunt Sysadmins 2.0 - slides
- It covers various ways to hunt for users in Windows domains, including using PowerView.
- Requiem For An Admin, Walter Legowski (@SadProcessor) - BSides Amsterdam 2017
- Orchestrating BloodHound and Empire for Automated AD Post-Exploitation. Lateral Movement and Privilege Escalation are two of the main steps in the Active Directory attacker kill-chain. Applying the 'assume breach' mentality, more and more companies are asking for red-teaming type assessments, and security researchers have therefore developed a wide range of open-source tools to assist them during these engagements. Out of these, two have quickly gained a solid reputation: PowerShell Empire and BloodHound (both by @Harmj0y & ex-ATD Crew). In this session, I will be presenting DogStrike, a new tool (PowerShell modules) made to interface Empire & BloodHound, allowing penetration testers to merge their Empire infrastructure into the BloodHound graph database. Doing so allows the operator to request a BloodHound path that is 'Agent Aware', and makes it possible to automate the entire kill chain, from initial foothold to DA, or any desired part of an attacker's routine. The presentation will be demo-driven. Code for the module will be made public after the presentation. Automation of Active Directory post-exploitation is going to happen sooner than you might think (other tools are being released with the same goal). Is it a good thing? Is it a bad thing? If I do not run out of time, I would like to finish the presentation by opening the discussion with the audience and see what the consequences of automated post-exploitation could mean, from the red, the blue or any other point of view... : DeathStar by @Byt3Bl33d3r | GoFetch by @TalTheMaor.
- Tools
- Check-LocalAdminHash
- Check-LocalAdminHash is a PowerShell tool that attempts to authenticate to multiple hosts over either WMI or SMB using a password hash to determine if the provided credential is a local administrator. It's useful if you obtain a password hash for a user and want to see where they are local admin on a network.
- Blogpost
- hunter
- (l)user hunter using WinAPI calls only
- icebreaker
- Automates network attacks against Active Directory to deliver you piping hot plaintext credentials when you're inside the network but outside of the Active Directory environment. Performs 5 different network attacks for plaintext credentials as well as hashes. Autocracks hashes found with JohnTheRipper and the top 10 million most common passwords.
- Invoke-HostRecon
- This function runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase. It gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection.
- DeathStar
- DeathStar is a Python script that uses Empire's RESTful API to automate gaining Domain Admin rights in Active Directory environments using a variety of techniques.
- ANGRYPUPPY
- Bloodhound Attack Path Execution for Cobalt Strike
- GoFetch
- GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application. GoFetch first loads a path of local admin users and computers generated by BloodHound and converts it to its own attack plan format. Once the attack plan is ready, GoFetch advances towards the destination according to plan step by step, by successively applying remote code execution techniques and compromising credentials with Mimikatz.
- DogWhisperer - BloodHound Cypher Cheat Sheet (v2)
- DomainTrustExplorer
- Python script for analysis of the "Trust.csv" file generated by Veil PowerView. Provides graph-based analysis and output.
- SharpSniper
- Find specific users in active directory via their username and logon IP address
- Get-UserSession
- Queries user sessions for the entire domain (Interactive/RDP etc), allowing you to query a user and see all his logged on sessions, whether Active or Disconnected
- SamrSearch
- SamrSearch can get user info and group info with MS-SAMR, like net user aaa /domain and net group aaa /domain.
- Articles/Blogposts/Writeups
- LDAP
- Gathering AD Data with the Active Directory PowerShell Module - ADSecurity.com
- Low Privilege Active Directory Enumeration from a non-Domain Joined Host - matt (https://www.attackdebris.com/?p=470)
- LDAPFragger: Bypassing network restrictions using LDAP attributes - Rindert Kramer
- Domain Goodness – How I Learned to LOVE AD Explorer - Sally Vandeven
- Getting around Active Directory search size limit via ldapsearch - Fabio Martelli
- Local Machine
- HostEnum
- A PowerShell v2.0 compatible script comprised of multiple system enumeration / situational awareness techniques collected over time. If the system is a member of a Windows domain, it can also perform limited domain enumeration with the -Domain switch. However, domain enumeration is significantly limited, with the intention that PowerView or BloodHound could also be used.
- Passwords
- NtdsAudit
- NtdsAudit is an application to assist in auditing Active Directory databases. It provides some useful statistics relating to accounts and passwords. It can also be used to dump password hashes for later cracking.
- PowerShell
- Active Directory Enumeration with PowerShell - Haboob Team
- Active Directory Enumeration with PowerShell - Haboob
- Nowadays, most environments use Active Directory to manage their networks and resources, and over the past years attackers have focused on abusing and attacking Active Directory environments using different techniques and methodologies. In this research paper, we use the power of PowerShell to enumerate the resources of Active Directory: enumerating domains, users, groups, ACLs, GPOs and domain trusts, as well as hunting users and domain admins. With this valuable information, we can expand our attack surface against AD for privilege escalation, lateral movement, persistence and so on.
- SMB
- SPNs
- Service Principal Names - docs.ms
- SPNs - adsecurity.org
- This page is a comprehensive reference (as comprehensive as possible) for Active Directory Service Principal Names (SPNs). As I discover more SPNs, they will be added.
- Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe - social.technet.ms.com)
- Service Principal Name (SPN) - hackndo
- SPN Discovery - NetbiosX(2018)
- Discovering Service Accounts Without Using Privileges - Jeff Warren
- User Enum
- Talks
- Vibing Your Way Through an Enterprise: How Attackers are Becoming More Sneaky - Matthew Eidelberg(GrrCon2018)
- Vibe
- Vibe is a tool designed to perform post-ex lateral movement techniques while remaining undetected by network detection tools, including threat hunting appliances. Vibe works by pulling down all information about a domain, allowing users to perform the same domain net commands offline. Vibe also enumerates additional information that is not typically shown in these queries. Vibe also provides the ability to scan systems to see what shares are available and what privileges the account used has access to. Vibe also provides the ability to enumerate users currently logged into systems, as well as who has been logged in, while remaining undetected.
- Tools
- Lolbins
- ADModule
- Microsoft signed DLL for the ActiveDirectory PowerShell module
- 3rd-Party All-in-Ones/Multi-Purpose
- EDD
- Meet EDD - He Helps Enumerate Domain Data - FortyNorth(2021)
- Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.
- BloodHound
- 101
- Introducing BloodHound
- Bloodhound 2.2 - A Tool for Many Tradecrafts - Andy Gill
- BloodHound
- BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
- Articles/Blogposts/Writeups
- Historical Posts
- Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win. - JohnLaTwC
- Automated Derivative Administrator Search - wald0
- BloodHound 1.3 – The ACL Attack Path Update - wald0
- BloodHound 1.4: The Object Properties Update - CptJesus
- SharpHound: Target Selection and API Usage
- BloodHound 1.5: The Container Update
- A Red Teamer’s Guide to GPOs and OUs - wald0
- BloodHound 2.0 - CptJesus
- BloodHound 2.1: The Fix Broken Stuff Update - Rohan Vazarkar
- Talks/Presentations/Videos
- Six Degrees of Global Admin – Andy Robbins & Rohan Vazarkar (SO-CON 2020)
- In 2016 we released BloodHound, which helps attackers and defenders alike identify and execute or eliminate attack paths in Active Directory. Since then, BloodHound's collection and analysis capabilities have been limited to Active Directory and domain-joined Windows systems. Now, we are proud to announce the release of BloodHound 4.0, which expands BloodHound's capabilities outside on-prem Active Directory into Azure. In this talk, we will demonstrate real attack paths we've observed in customer environments, go over BloodHound's updated GUI, and explain Azure attack primitives now tracked by BloodHound.
- Using
- BloodHound: Intro to Cypher - CptJesus
- The Dog Whisperer's Handbook: A Hacker's Guide to the BloodHound Galaxy - @SadProcessor
- My First Go with BloodHound
- Lay of the Land with BloodHound
- Bloodhound walkthrough. A Tool for Many Tradecrafts - Andy Gill
- A walkthrough on how to set up and use BloodHound
- BloodHound From Red to Blue - Mathieu Saulnier(BSides Charm2019)
- BloodHound Tips and Tricks - Riccardo Ancarani
- Advanced BloodHound Usage
- This project contains: Custom BloodHound Queries we often use to see important things in BloodHound; Custom Neo4j Queries we use to extract data directly from the Neo4j browser console; BloodHoundLoader script, which allows to make batch modifications to the BloodHound data
- Internals
- Neo4j
- Ingestors
- BloodHound.py
- A Python based ingestor for BloodHound
- SharpHound
- Official Ingestor.
- ADExplorerSnapshot.py
- ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound, and also supports full-object dumping to NDJSON.
- Custom Queries
- Articles/Blogposts/Writeups
- Collections
- API
- CypherDog
- PowerShell Cmdlets to interact with BloodHound Data via Neo4j REST API
- Large Datasets
- ChopHound
- Some scripts for dealing with any challenges that might arise when importing (large) JSON datasets into BloodHound.
- Dealing with large BloodHound datasets - bitsadmin(2022)
- Extension
- Visualizing BloodHound Data with PowerBI — Part 1 - Andy Robbins
- Extending BloodHound: Track and Visualize Your Compromise
- Customizing BloodHound's UI and taking advantage of Custom Queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains.
- Extending BloodHound Part 1 - GPOs and User Right Assignment - Riccardo Ancarani
- Cypheroth
- Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.
- Plumhound
- Released as Proof of Concept for Blue and Purple teams to more effectively use BloodHoundAD in continual security life-cycles by utilizing the BloodHoundAD pathfinding engine to identify Active Directory security vulnerabilities resulting from business operations, procedures, policies and legacy service operations. PlumHound operates by wrapping BloodHoundAD's powerhouse graphical Neo4J backend cypher queries into operations-consumable reports. Analyzing the output of PlumHound can steer security teams in identifying and hardening common Active Directory configuration vulnerabilities and oversights.
- GoodHound
- GoodHound operationalises Bloodhound by determining the busiest paths to high value targets and creating actionable output to prioritise remediation of attack paths.
- Bloodhound-Portable
- BloodHound Portable for Windows (You can run this without local admin. No Administrator required)
- CrackHound
- CrackHound is a way to introduce plain-text passwords into BloodHound. This allows you to upload all your cracked hashes to the Neo4j database and use it for reporting purposes (csv exports) or path finding in BloodHound using custom queries.
- MacHound
- Introducing MacHound: A Solution to MacOS Active Directory-Based Attacks - Rony Munitz(2020)
- MacHound is an extension to the BloodHound auditing tool allowing collection and ingestion of Active Directory relationships on macOS hosts. MacHound collects information about logged-in users and administrative group members on Mac machines and ingests the information into the BloodHound database. In addition to using the HasSession and AdminTo edges, MacHound adds three new edges to the BloodHound database: CanSSH - entity allowed to SSH to host; CanVNC - entity allowed to VNC to host; CanAE - entity allowed to execute AppleEvent scripts on host.
- Introducing MacHound: A Solution to MacOS Active Directory based Attacks - Rony Munitz(2021)
- ImproHound
- ImproHound is a dotnet standalone win x64 exe with GUI. To use ImproHound, you must run SharpHound to collect the necessary data from the AD. You will then upload the data to your BloodHound installation. ImproHound will connect to the underlying Neo4j database of BloodHound. In ImproHound, you will categorize the AD into tiers via the OU structure, and ImproHound will identify the AD relations that enable AD objects to compromise an object of a higher (closer to zero) tier and save the tiering violations in a csv file.
- ImproHound - Identify AD tiering violations - Jonas Bülow Knudsen
- DC 29 Adversary Village - Jonas - Tool Demo ImproHound - Identify AD tiering violations
- BloodHound-Tools
- Bloodhound is the defacto standard that both blue and red security teams use to find lateral movement and privilege escalation paths that can potentially be exploited inside an enterprise environment. A typical environment can yield millions of paths, representing almost endless opportunities for red teams to attack and creating a seemingly insurmountable number of attack vectors for blue teams to tackle. However, a critical dimension that Bloodhound ignores, namely network access, could hold the key to shutting down excessive lateral movement. This repository contains tools that integrate with Bloodhound’s database in order to reflect network access, for the benefit of both red and blue teams.
- ShotHound
- ShotHound is a standalone script that integrates with BloodHound's Neo4j database and CornerShot. It allows security teams to validate logical paths discovered by BloodHound against physical network access.
- Fox and the Hound
- A companion tool for BloodHound offering Active Directory statistics and number crunching
- FoxTerrier
- FoxTerrier : On the trail of vulnerable Active Directory objects and a report - Alice Climent-Pommeret(2021)
- Python tool to find vulnerable AD object and generate a csv report
- Max
- Intro Blogpost
- Max2(blogpost)
- Maximizing BloodHound with a simple suite of tools
- Ransomulator
- "Ransomulator is a ransom simulator for the BloodHound database. It can be used to measure a network's resilience to ransomware infections, and identify 'weak links' in the network."
- ADFS
- File Shares
- FindUncommonShares.py
- FindUncommonShares.py is a Python equivalent of PowerView's Invoke-ShareFinder.ps1, allowing you to quickly find uncommon shares in vast Windows domains.
- Snaffler
- Snaffler is a tool for pentesters and red teamers to help find delicious candy needles (creds mostly, but it's flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment).
- SharpML
- SharpML is a C# and Python based tool that performs a number of operations with a view to mining file shares, querying Active Directory for users, dropping an ML model and associated rules, and performing Active Directory authentication checks, with the aim of automating the process of hunting for passwords in file shares by feeding the mined data into the ML model.
- PowerHuntShares
- PowerHuntShares is an audit script designed to inventory, analyze, and report excessive privileges configured on Active Directory domains.
- MAN-SPIDER
- Spider entire networks for juicy files sitting on SMB shares. Search filenames or file content - regex supported!
- Kerberos Username Identification
- LDAP
- See "LDAP Recon"
- PowerShell
- AdEnumerator
- Active Directory enumeration from non-domain system. Powershell script
- PowerShell-AD-Recon
- AD PowerShell Recon Scripts
- AdsiPS
- PowerShell module to interact with Active Directory using ADSI and the System.DirectoryServices namespace (.NET Framework).
- Check-LocalAdminHash & Exfiltrating All PowerShell History - Beau Bullock
- Check-LocalAdminHash is a new PowerShell script that can check a password hash against multiple hosts to determine if it’s a valid administrative credential. It also has the ability to exfiltrate all PowerShell PSReadline console history files from every profile on every system that the credential provided is an administrator of.
- Check-LocalAdminHash
- Check-LocalAdminHash is a PowerShell tool that attempts to authenticate to multiple hosts over either WMI or SMB using a password hash to determine if the provided credential is a local administrator. It's useful if you obtain a password hash for a user and want to see where they are local admin on a network. It is essentially a Frankenstein of two of my favorite tools along with some of my own code. It utilizes Kevin Robertson's (@kevin_robertson) Invoke-TheHash project for the credential checking portion. Additionally, the script utilizes modules from PowerView by Will Schroeder (@harmj0y) and Matt Graeber (@mattifestation) to enumerate domain computers to find targets for testing admin access against.
- RPC
- LDAP/RPC
- PowerView.ps1
- PywerView
- A (partial) Python rewriting of PowerSploit's PowerView.
- Powerview.py
- This repository has nothing related to the existing PowerView.py project that is already publicly available. This is only meant for my personal learning purpose and would like to share the efforts with everyone interested. This project will be supported by the collaborators from time to time, so don't worry.
- The PowerView PowerUsage Series #1 - harmj0y
- Miscellaneous Tools(unsorted)
- ActiveReign
- A Network Enumeration and Attack Toolset
- CrackMapExec
- A swiss army knife for pentesting networks
- Windows Vault Password Dumper
- The following code shows how to use native undocumented functions of Windows Vault API to enumerate and extract credentials stored by Microsoft Windows Vault. The code has been successfully tested on Windows7 and Windows8 operating systems.
- knit_brute.sh
- A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'
- BTA
- BTA is an open-source Active Directory security audit framework.
- WinPwn
- Automation for internal Windows penetration tests / AD security
- Wireless_Query
- Query Active Directory for Workstations and then Pull their Wireless Network Passwords. This tool is designed to pull a list of machines from AD and then use psexec to pull their wireless network passwords. This should be run with either a DOMAIN or WORKSTATION Admin account.
- Find AD users with empty password using PowerShell
- ACLight
- The tool queries the Active Directory (AD) for its objects' ACLs and then filters and analyzes the sensitive permissions of each one. The result is a list of domain privileged accounts in the network (from the advanced ACLs perspective of the AD). You can run the scan with just any regular user (could be non-privileged user) and it automatically scans all the domains of the scanned network forest.
- zBang
- zBang is a special risk assessment tool that detects potential privileged account threats in the scanned network.
- Blogpost
- ADCollector
- A lightweight tool that enumerates the Active Directory environment to identify possible attack vectors
- jackdaw
- Jackdaw is here to collect all information in your domain, store it in a SQL database and show you nice graphs of how your domain objects interact with each other and how a potential attacker may exploit these interactions. It also comes with a handy feature to help you in a password-cracking project by storing/looking up/reporting hashes/passwords/users.
- ActiveReign
- Lolbins
- Articles/Blogposts/Writeups
- FreeIPA
- Forest Attacks
- Articles/Blogposts/Writeups
- Group Managed Service Account Attacks
- Introducing the Golden GMSA Attack - Yuval Gordon(2022)
- GoldenGMSA
- GoldenGMSA tool for working with GMSA passwords
- Group Membership Abuse
- Articles/Blogposts/Writeups
- Group Policies
- Group Policies Going Rogue - Eran Shimony(2020)
- "GPSVC exposes all domain-joined Windows machines to an escalation of privileges (EoP) vulnerability. By running gpudate.exe, you can escalate into a privileged user via a file-manipulation attack."
- Internal Monologue
- 101
- Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
- In secure environments, where Mimikatz should not be executed, an adversary can perform an Internal Monologue Attack, in which they invoke a local procedure call to the NTLM authentication package (MSV1_0) from a user-mode application through SSPI to calculate a NetNTLM response in the context of the logged on user, after performing an extended NetNTLM downgrade.
- Articles/Blogposts/Writeups
- Retrieving NTLM Hashes without touching LSASS: the “Internal Monologue” Attack - Andrea Fortuna(2018)
- Getting user credentials is not only admin’s privilege - Anton Sapozhnikov(Syscan14)
- Stealing Hashes without Admin via Internal Monologue - Practical Exploitation(mubix@hak5)
- Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
- Hunt for the gMSA secrets - Dr Nestori Syynimaa(2022)
- Introducing the Golden GMSA Attack - Yuval Gordon(2022)
- Tools
- selfhash
- Selfhash allows you to get password hashes of the current user. This tool doesn't require high privileges (i.e. SYSTEM), but on the other hand it returns an NTLM Challenge Response, so you could crack it later.
- 101
- Kerberos-based Attacks
- Talks/Presentations/Videos
- ASREPRoast
- 101
- Roasting AS-REPs - harmj0y
- tl;dr – if you can enumerate any accounts in a Windows domain that don’t require Kerberos preauthentication, you can now easily request a piece of encrypted information for said accounts and efficiently crack the material offline, revealing the user’s password.
- LayerOne2016 - Kerberos Party Tricks (Geoffrey Janjua) (No sound!)
- Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws - Geoffrey Janjua(2016)
- Attacking Active Directory - AS-REP Roasting - Conda(2020)
- Informational
- Roasting AS-REPs - harmj0y
- IOC differences between Kerberoasting and AS-REP Roasting - Jonathan Johnson(2019)
- AS_REP Roasting - hackndo(2020)
- Roasting your way to DA - Build-Break-Defend-Fix - Andy Gill(2020)
- Dive into both Kerberoasting and ASREP Roasting, looking at how they work, how to introduce them into an environment and how to fix them or, where possible, monitor and defend against them.
- Everything about Service Principals, Applications, and API Permissions - m365guy(2021)
- How-Tos
- AS-REP Roasting - @spottheplanet
- Kerberos AD Attacks - More Roasting with AS-REP - Adam Chester(2017)
- AS-REP Roasting – Cracking User Account Password - akijos(2018)
- Cracking Active Directory Passwords with AS-REP Roasting - Jeff Warren(2019)
- AS-REP Roasting - Pavandeep Singh(2020)
- ASREP Roasting - AkimboCore(2020)
- Tools
- Rubeus
- Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX's MakeMeEnterpriseAdmin project (GPL v3.0 license). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization- without their prior work this project would not exist.
- How-Tos
- 101
- AS-REQ Roasting
- 101
- Articles
- Tools
- RoastInTheMiddle
- Roast in the Middle is a rough proof of concept (not attack-ready) that implements a man-in-the-middle ARP spoof to intercept AS-REQs, modify them and replay them to perform a Kerberoast attack.
- RITM
- This is a Python implementation of the man-in-the-middle attack described by Charlie Clark (@exploitph) in his post, New Attack Paths? AS Requested Service Tickets, and demonstrated in his proof-of-concept, Roast in the Middle.
- Delegation
- You Do (Not) Understand Kerberos Delegation
- Slides - https://attl4s.github.io/assets/pdf/You_do_(not)_Understand_Kerberos.pdf
- Constrained-Delegation
- 101
- Kerberos Constrained Delegation Overview - docs.ms
- This overview topic for the IT professional describes new capabilities for Kerberos constrained delegation in Windows Server 2012 R2 and Windows Server 2012. Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016
- What is Kerberos Delegation? An Overview of Kerberos Delegation - Kevin Joyce(2020)
- Kerberos Constrained Delegation - AWS
- Articles/Blogposts/Writeups
- Another Word on Delegation
- From Kekeo to Rubeus
- S4U2Pwnage
- Kerberos Delegation, Spns And More...
- Kerberos Authentication: A Wrap Up - 0xcsandker(2017)
- Kerberos Delegation: A Wrap Up - 0xcsandker(2020)
- Kerberos Delegation: A Reference Overview - 0xcsandker(2020)
- Kerberos Delegation - hackndo(2020)
- SPN-jacking: An Edge Case in WriteSPN Abuse - Elad Shamir(2022)
- Suppose an attacker compromises an account set for Constrained Delegation but doesn’t have the SeEnableDelegation privilege. The attacker won’t be able to change the constraints (msDS-AllowedToDelegateTo). However, if the attacker has WriteSPN rights over the account associated with the target SPN, as well as over another computer/service account, the attacker can temporarily hijack the SPN (a technique called SPN-jacking), assign it to the other computer/server, and perform a full S4U attack to compromise it.
- Abusing Kerberos Constrained Delegation without Protocol Transition - snovvcrash(2022)
- Constrained Delegation Considerations for Lateral Movement - Sergio Lazaro(2022)
- Active Directory – Delegation Based Attacks - floreaiulian(2022)
- Delegate to KRBTGT service - skyblue.team(2022)
- Talks & Presentations
- Tools
- Blank Space
- Proof of Concept for EFSRPC Arbitrary File Upload (CVE-2021-43893)
- Lab S4U2Self Abuse
- This lab aims to provide a safe environment to test the S4U2Self abuse exploit
- 101
- Resource Based Constrained-Delegation
- Articles/Blogposts/Writeups
- Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - Elad Shamir(2019)
- Back in March 2018, I embarked on an arguably pointless crusade to prove that the TrustedToAuthForDelegation attribute was meaningless, and that “protocol transition” can be achieved without it. I believed that security wise, once constrained delegation was enabled (msDS-AllowedToDelegateTo was not null), it did not matter whether it was configured to use “Kerberos only” or “any authentication protocol”. I started the journey with Benjamin Delpy’s (@gentilkiwi) help modifying Kekeo to support a certain attack that involved invoking S4U2Proxy with a silver ticket without a PAC, and we had partial success, but the final TGS turned out to be unusable. Ever since then, I kept coming back to it, trying to solve the problem with different approaches but did not have much success. Until I finally accepted defeat, and ironically then the solution came up, along with several other interesting abuse cases and new attack techniques.
- A Case Study in Wagging the Dog: Computer Takeover - harmj0y
- Kerberos Delegation, SPNs and More... - Alberto Solino(2017)
- In this blog post, I will cover some findings (and still remaining open questions) around the Kerberos Constrained Delegation feature in Windows as well as Service Principal Name (SPN) filtering that might be useful when considering using/testing this technology.
- The worst of both worlds: Combining NTLM Relaying and Kerberos delegation - Dirk-jan Mollema
- After my in-depth post last month about unconstrained delegation, this post will discuss a different type of Kerberos delegation: resource-based constrained delegation. The content in this post is based on Elad Shamir’s Kerberos research and combined with my own NTLM research to present an attack that can get code execution as SYSTEM on any Windows computer in Active Directory without any credentials, if you are in the same network segment. This is another example of insecure Active Directory default abuse, and not any kind of new exploit.
- Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation - Matt Lewis(2019)
- Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation - Daniel López Jiménez and Simone Salucci(2019)
- DirectAccess and Kerberos Resource-based Constrained Delegation - Paul van der Haas(2020)
- From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure - gladiatx0r
- Chaining multiple techniques and tools for domain takeover using RBCD - Sergio Lazaro(2020)
- Abusing Kerberos Resource-Based Constrained Delegation
- This repo is about a practical attack against Kerberos Resource-Based Constrained Delegation in a Windows Active Directory Domain.
- Resource Based Constrained Delegation - PentestLabBlog(2021)
- Exploiting RBCD Using a Normal User Account* - James Forshaw(2022)
- Tools
- Get-RBCD-Threaded
- Tool to discover Resource-Based Constrained Delegation attack paths in Active Directory Environments
- SharpAllowedToAct
- Computer object takeover through Resource-Based Constrained Delegation (msDS-AllowedToActOnBehalfOfOtherIdentity)
- PowerMAD
- PowerShell MachineAccountQuota and DNS exploit tools
- Blogpost
- Articles/Blogposts/Writeups
- Unconstrained Delegation
- 101
- Articles/Blogposts/Writeups
- Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)
- Unconstrained Delegation Permissions
- Trust? Years to earn, seconds to break
- Getting Domain Admin with Kerberos Unconstrained Delegation - Nikhil Mittal(2016)
- Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest - adsecurity.org
- Abusing Users Configured with Unconstrained Delegation
- “Relaying” Kerberos - Having fun with unconstrained delegation - Dirk-jan Mollema(2019)
- Unconstrained Delegation - Pentesterlab(2022)
- Talks & Presentations
- Red vs Blue: Modern Active Directory Attacks Detection and Protection - Sean Metcalf(BHUSA2015)
- The Unintended Risks of Trusting Active Directory - Lee Christensen, Will Schroeder, Matt Nel(Derbycon 2018)
- Your crown jewels are locked in a database, the system is patched, utilizes modern endpoint security software, and permissions are carefully controlled and locked down. Once this system is joined to Active Directory, however, does that static trust model remain the same? Or has the number of attack paths to your data increased by an order of magnitude? We’ve spent the last year exploring the access control model of Active Directory and recently broadened our focus to include security descriptor misconfigurations/backdoor opportunities at the host level. We soon realized that the post-exploitation “attack surface” of Windows hosts spans well beyond what we originally realized, and that host misconfigurations can sometimes have a profound effect on the security of every other host in the forest. This talk will explore a number of lesser-known Active Directory and host-based permission settings that can be abused in concert for remote access, privilege escalation, or persistence. We will show how targeted host modifications (or existing misconfigurations) can facilitate complex Active Directory attack chains with far-reaching effects on other systems and services in the forest, and can allow new AD attack paths to be built without modifying Active Directory itself.
- Slides
- Tools
- SpoolSample -> NetNTLMv1 -> NTLM -> Silver Ticket
- This technique has been alluded to by others, but I haven't seen anything cohesive out there. Below we'll walk through the steps of obtaining NetNTLMv1 Challenge/Response authentication, cracking those to NTLM Hashes, and using that NTLM Hash to sign a Kerberos Silver ticket. This will work on networks where "LAN Manager authentication level" is set to 2 or less. This is a fairly common scenario in older, larger Windows deployments. It should not work on Windows 10 / Server 2016 or newer.
- SpoolerScanner
- Check if the spooler (MS-RPRN) is remotely available with powershell/c#
- SpoolSample
- PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface. This is possible via other protocols as well.
- krbrelayx
- Kerberos unconstrained delegation abuse toolkit
- Mitigation
- Encryption Downgrade
- FAST
- Kerberos Armoring (Flexible Authentication Secure Tunneling (FAST)) - docs.ms - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)#kerberos-armoring-flexible-authentication-secure-tunneling-fast
- Flexible Authentication Secure Tunneling (FAST) provides a protected channel between the Kerberos client and the KDC. FAST is implemented as Kerberos armoring in Windows Server 2012, and it is only available for authentication service (AS) and ticket-granting service (TGS) exchanges.
- I Wanna Go Fast, Really Fast, like (Kerberos) FAST - Andrew Schwartz(2022)
- Kerberoasting
- 101
- Articles/Blogposts/Writeups
- Kerberoasting - Part 1 - mubix(2016)
- Kerberoasting - Part 2 - mubix
- Kerberoasting - Part 3 - mubix
- Kerberoasting - Pixis
- Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain - adsecurity.org
- Kerberoasting Without Mimikatz - Will Schroeder
- Mimikatz 2.0 - Brute-Forcing Service Account Passwords
- If everything about that ticket-generation operation is valid except for the NTLM hash, then accessing the web application will result in a failure. However, this will not cause a failed logon to appear in the Windows® event log. It will also not increment the count of failed logon attempts for the service account. Therefore, the result is an ability to perform brute-force (or, more realistically, dictionary-based) password checks for such a service account, without locking it out or generating suspicious event log entries.
- kerberos, kerberoast and golden tickets - leonjza
- Extracting Service Account Passwords with Kerberoasting - Jeff Warren
- Cracking Service Account Passwords with Kerberoasting
- Targeted Kerberoasting - harmj0y
- Kerberoast PW list for cracking passwords with complexity requirements
- Kerberoast - pentestlab.blog
- A Toast to Kerberoast - Derek Banks
- Kerberoasting, exploiting unpatched systems – a day in the life of a Red Teamer - Chetan Nayak
- Discovering Service Accounts Without Using Privileges - Jeff Warren
- Kerberoasting and SharpRoast output parsing! - grumpy-sec
- AS_REP Roasting vs Kerberoasting - LuemmelSec(2020)
- Kerberoasting without SPNs - Arseniy Sharoglazov(2020)
- Kerberoasting and Pass the Ticket Attack Using Linux - Raj Chandel(2020)
- Kerberoast with OpSec - m365guy(2021)
- Lessons in Disabling RC4 in Active Directory - Steve Syfuhs(2022)
- Talks/Presentations/Videos
- Attacking Kerberos: Kicking the Guard Dog of Hades - Tim Medin
- Kerberos, besides having three heads and guarding the gates of hell, protects services on Microsoft Windows Domains. Its use is increasing due to the growing number of attacks targeting NTLM authentication. Attacking Kerberos to access Windows resources represents the next generation of attacks on Windows authentication. In this talk Tim will discuss his research on new attacks against Kerberos, including a way to attack the credentials of a remote service without sending traffic to the service as well as rewriting tickets to access systems. He will also examine potential countermeasures against Kerberos attacks with suggestions for mitigating the most common weaknesses in Windows Kerberos deployments.
- Demo of kerberoasting on EvilCorp Derbycon6
- Attacking EvilCorp Anatomy of a Corporate Hack - Sean Metcalf, Will Schroeder
- Kerberos & Attacks 101 - Tim Medin(SANS Webcast)
- Want to understand how Kerberos works? Would you like to understand modern Kerberos attacks? If so, then join Tim Medin as he walks you through how to attack Kerberos with ticket attacks and Kerberoasting. We'll cover the basics of Kerberos authentication and then show you how the trust model can be exploited for persistence, pivoting, and privilege escalation.
- Kerberoasting Revisited - Will Schroeder(Derbycon2019)
- Kerberoasting has become the red team's best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven't understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we've been missing, and what new tooling and approaches to kerberoasting exist.
- Tools
- kerberoast
- Kerberos attack toolkit -pure python-
- KerberOPSEC - https://github.com/Luct0r/KerberOPSEC
- OPSEC safe Kerberoasting in C#
- targetedKerberoast
- targetedKerberoast is a Python script that can, like many others (e.g. GetUserSPNs.py), print "kerberoast" hashes for user accounts that have an SPN set. This tool brings the following additional feature: for each user without SPNs, it tries to set one (abuse of a write permission on the servicePrincipalName attribute), print the "kerberoast" hash, and delete the temporary SPN set for that operation. This is called targeted Kerberoasting. This tool can be used against all users of a domain, against users supplied in a list, or against one user supplied on the CLI.
- kerberoast
- Kerberoast is a series of tools for attacking MS Kerberos implementations.
- tgscrack
- Kerberos TGS_REP cracker written in Golang
- Krbtgt
- noPAC
- Articles/Blogposts/Writeups
- Tools
- noPac - Ridter
- Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
- noPac - cube0x0
- CVE-2021-42287/CVE-2021-42278 Scanner & Exploiter. Yet another low effort domain user to domain admin exploit.
- Invoke-noPac.ps1
- noPac - ricardojba
- Invoke-noPac
- Relaying Kerberos
- Articles/Blogposts/Writeups
- Using Kerberos for Authentication Relay Attacks - James Forshaw(2021)
- "This blog post is a summary of some research I've been doing into relaying Kerberos authentication in Windows domain environments. To keep this blog shorter I am going to assume you have a working knowledge of Windows network authentication, and specifically Kerberos and NTLM. For a quick primer on Kerberos see this page which is part of Microsoft's Kerberos extension documentation or you can always read RFC4120."
- Windows Exploitation Tricks: Relaying DCOM Authentication - James Forshaw(2021)
- "In my previous blog post I discussed the possibility of relaying Kerberos authentication from a DCOM connection. I was originally going to provide a more in-depth explanation of how that works, but as it's quite involved I thought it was worthy of its own blog post. This is primarily a technique to get relay authentication from another user on the same machine and forward that to a network service such as LDAP. You could use this to escalate privileges on a host using a technique similar to a blog post from Shenanigans Labs but removing the requirement for the WebDAV service. Let's get straight to it."
- Relaying Kerberos over DNS using krbrelayx and mitm6 - Dirk-jan Mollema(2022)
- Defending the Three Headed Relay - Andrew Schwartz, Charlie Clark, Jonny Johnson(2022)
- "During this blog post we will take a look into Kerberos Relay, break out the different attack paths one could take, and talk about the different defensive opportunities tied to this activity and other activities leading up to Kerberos Relay or after."
- Talks/Presentations/Videos
- Tools
- KrbRelay
- Framework for Kerberos relaying
- Negoexrelayx
- Toolkit for abusing Kerberos PKU2U and NegoEx. Requires impacket; it is recommended to install impacket directly from git to have the latest version available.
- Articles/Blogposts/Writeups
- Tickets
- Silver Tickets
- 101
- Articles/Blogposts/Writeups
- Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets - adsecurity
- Impersonating Service Accounts with Silver Tickets - stealthbits
- Mimikatz 2.0 - Silver Ticket Walkthrough
- Kerberos attacks 3-Silver Ticket - Karim Habeeb(2021)
- SpoolSample -> NetNTLMv1 -> NTLM -> Silver Ticket - NotMedic
- Talks/Presentations/Videos
- Gold Tickets
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Abusing Microsoft Kerberos: Sorry You Guys Don't Get It - Alva Duckwall, Benjamin Delpy(BHUSA 2015)
- Microsoft Active Directory uses Kerberos to handle authentication requests by default. However, if the domain is compromised, how bad can it really be? With the loss of the right hash, Kerberos can be completely compromised for years after the attacker gained access. Yes, it really is that bad. In this presentation Skip Duckwall, @passingthehash on twitter and Benjamin Delpy, @gentilkiwi on twitter and the author of Mimikatz, will demonstrate just how thoroughly compromised Kerberos can be under real world conditions.
- Advanced Targeted Attack. PoC Golden Ticket Attack - BSides Tampa 17
- Diamond Tickets
- A Diamond (Ticket) in the Ruff - Charlie Clark, Andrew Schwartz(2022)
- Diamond Ticket - HackTricks
- Diamond Tickets - thehacker.recipes
- Golden and Silver Tickets can usually be detected by probes that monitor the service ticket requests (KRB_TGS_REQ) that have no corresponding TGT requests (KRB_AS_REQ). Those types of tickets also feature forged PACs that sometimes fail at mimicking real ones, thus increasing their detection rates. Diamond tickets can be a useful alternative in the way they simply request a normal ticket, decrypt the PAC, modify it, recalculate the signatures and encrypt it again. It requires knowledge of the target service long-term key (can be the krbtgt for a TGT, or a target service for a Service Ticket).
- Sapphire Tickets
- Sapphire Tickets - thehacker.recipes(2022)
- Sapphire tickets are similar to Diamond Tickets in the way the ticket is not forged, but instead based on a legitimate one obtained after a request. The difference lies in how the PAC is modified. The Diamond Ticket approach modifies the legitimate PAC to add some privileged groups (or replaces it with a fully-forged one). In the Sapphire ticket approach, the PAC of another powerful user is obtained through an S4U2Self+U2U trick. This PAC then replaces the one featured in the legitimate ticket. The resulting ticket is an assembly of legitimate elements, and follows a standard ticket request, which makes it the most difficult silver/golden ticket variant to detect.
- Tools
- Rubeus
- Cerbero
- Kerberos protocol attacker. Tool to perform several tasks related to the Kerberos protocol in an Active Directory pentest. (Written in Rust)
- kekeo
- A little toolbox to play with Microsoft Kerberos in C
- PyKEK
- PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. (Still in development)
- Kerberom
- Kerberom is a tool aimed at retrieving ARC4-HMAC-encrypted Ticket Granting Service (TGS) tickets of accounts that have a Service Principal Name (SPN) within an Active Directory
- Kerbrute - ropnop
- A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication
- kerbrute - Tarlogic
- A script to perform Kerberos bruteforcing using the Impacket library.
- ticketConverter.py
- This script will convert kirbi files (commonly used by mimikatz) into ccache files used by impacket, and vice-versa.
- Lateral Movement
- Articles/Blogposts/Writeups
- DCOM
- Internal Phishing
- GPO
- MS-SQL
- Pass-the-
- 101
- Cache
- Tweet by Benjamin Delpy(2014)
- Pass-the-Cache to Domain Compromise - Jamie Shaw
- This post is going to go over a very quick domain compromise by abusing cached Kerberos tickets discovered on a Linux-based jump-box within a Windows domain environment. In essence, we were able to steal cached credentials from a Linux host and use them on a Window-based system to escalate our privileges to domain administrator level.
- Hash
- For this kind of attack and related ones, check out the Network Attacks page, under Pass-the-Hash.
- Pass-the-Hash Web Style - SANS(2013)
- Pass the Hash - hackndo
- Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - harmj0y
- Windows Credential Guard & Mimikatz - nviso(2018)
- Wendel's Small Hacking Tricks - The Annoying NT_STATUS_INVALID_WORKSTATION
- Passing the hash with native RDP client (mstsc.exe) - Michael Eder(2018)
- TL;DR: If the remote server allows Restricted Admin login, it is possible to login via RDP by passing the hash using the native Windows RDP client mstsc.exe. (You’ll need mimikatz or something else to inject the hash into the process)
- Pass-The-Hash with RDP in 2019 - shellz.club
- Alternative ways to Pass the Hash (PtH) - n00py(2020)
- Invoke-TheHash
- Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and SMB services are accessed through .NET TCPClient connections. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side.
- Over-Pass-the-Hash
- Articles/Blogposts/Writeups
- Tickets
- How To Pass the Ticket Through SSH Tunnels
- Pass-the-ticket - ldapwiki
- Silver & Golden Tickets - hackndo
- Lateral Movement: Pass the Ticket Attack - Pavandeep Singh(2020)
- Silver
- See 'Silver-Tickets'
- Golden
- See 'Golden-Tickets'
- RDP
- RPC
- SCCM
- Scheduled Tasks
- Service Creation/Modification
- SMB
- SSH
- WinRM
- WMI
- Tools
- (Attacking the) Machine-Account Quota
- 101
- MS-DS-Machine-Account-Quota attribute - docs.ms
- The number of computer accounts that a user is allowed to create in a domain.
- Articles/Blogposts/Writeups
- 101
- MS-Cache
- 101
- Interactive logon: Number of previous logons to cache (in case domain controller is not available) - docs.ms
- This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. Applies To: Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
- (Win10)Interactive logon: Number of previous logons to cache (in case domain controller is not available) - docs.ms
- Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Number of previous logons to cache (in case domain controller is not available) security policy setting. Applies To: Win10
- Cached domain logon information - support.ms
- Articles/Blogposts/Writeups
- Tools
- passlib.hash.msdcc2 - Windows’ Domain Cached Credentials v2
- This class implements the DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer to cache and verify remote credentials when the relevant server is unavailable. It is known by a number of other names, including "mscache2" and "mscash2" (Microsoft CAched haSH). It replaces the weaker msdcc v1 hash used by previous releases of Windows. Security-wise it is not particularly weak, but due to its use of the username as a salt, it should probably not be used for anything but verifying existing cached credentials.
- 101
- NTLM-focused Attacks
- Overview of attacks against NTLM
- NTLM Downgrade
- NTLM Reflection
- 101
- Articles/Blogposts/Writeups
- NTLM over QUIC
- NTLM Relay
- See Coerced Auth
- 101
- Articles/Blogposts/Writeups
- Server Message Block: SMB Relay Attack (Attack That Always Works) - CQURE Academy
- An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit - Jordan Drysdale
- Effective NTLM / SMB Relaying - mubix(2014)
- SMB Relay with Snarf - Jeff Dimmock(2016)
- Pwning with Responder – A Pentester’s Guide
- Relaying credentials everywhere with ntlmrelayx
- Responder with NTLM relay and Empire - chryzsh
- Playing with Relayed Credentials - @agsolino(2018)
- Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema
- Earlier this week, Microsoft issued patches for CVE-2019-1040, which is a vulnerability that allows for bypassing of NTLM relay mitigations. The vulnerability was discovered by Marina Simakov and Yaron Zinar (as well as several others credited in the Microsoft advisory), and they published a technical write-up about the vulnerability here. The short version is that this vulnerability allows for bypassing of the Message Integrity Code in NTLM authentication. The impact of this however, is quite big if combined with the Printer Bug discovered by Lee Christensen and some of my own research that builds forth on the Kerberos research of Elad Shamir. Using a combination of these vulnerabilities, it is possible to relay SMB authentication to LDAP. This allows for Remote code execution as SYSTEM on any unpatched Windows server or workstation (even those that are in different Active Directory forests), and for instant escalation to Domain Admin via any unpatched Exchange server (unless Exchange permissions were reduced in the domain). The most important takeaway of this post is that you should apply the June 2019 patches as soon as possible.
- CVE-2019-1040 scanner
- What is old is new again: The Relay Attack - @0xdeaddood, @agsolino(2020)
- The purpose of this blog post is to present a new approach to ntlmrelayx.py allowing multi-relay attacks, that means, using just a single connection to attack several targets. On top of this, we added the capability of relaying connections for specific target users.
- SMB Relay - cheatsheet(2019)
- This page deals with gaining code execution relaying NTLMv1/2 hashes in a very effective manner.
- NTLM relay of ADWS (WCF) connections with Impacket - Clement Notin(2020)
- Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol - Antonio Cocomazzi(2021)
- NTLMRelay2Self
- "Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured to relay to DC servers over LDAP/LDAPs for either setting shadow credentials or configuring RBCD. This would result in a valid kerberos TGT ticket that can be used to obtain a TGS for a service (HOST/CIFS) using S4U2Self by impersonating a user with local administrator access to the host (domain admin ..etc), or alternatively, it's also possible to retrieve the machine account's NTLM hash with getnthash.py and then create a silver ticket. Lastly, use the TGS or silver ticket to spawn a system (session 0) process, this can be achieved by simply using WMIExec or alternatively using SCMUACBypass script to rely on kerberos for auth to interact with the SCM and create a service in the context of SYSTEM."
- Relaying to ADFS Attacks - Michael Crosser(2022)
- Talks
- Relaying Credentials has Never Been Easier - Marina Simakov(DEFCON27)
- Active Directory has always been a popular target for attackers, with a constant rise in attack tools attempting to compromise and abuse the main secrets storage of the organization. One of the weakest spots in Active Directory environments lies in the design of one of the oldest authentication protocols – NTLM, which is a constant source of newly discovered vulnerabilities. From CVE-2015-0005 to the recent LDAPS Relay vulnerability, it is clear why this protocol is one of the attackers’ favorites. Although there are offered mitigations such as server signing, protecting the entire domain from NTLM relay is virtually impossible. If it weren’t bad enough already, we will present several new ways to abuse this infamous authentication protocol, including a new critical zero-day vulnerability we have discovered which enables performing NTLM relay and taking over any machine in the domain, even with the strictest security configuration, while bypassing all of today's offered mitigations. Furthermore, we will present why the risks of this protocol are not limited to the boundaries of the on-premises environment and show another vulnerability which allows bypassing various AD-FS restrictions in order to take over cloud resources as well.
- Relaying to Greatness: Windows Privilege Escalation by abusing the RPC/DCOM protocols - Antonio Cocomazzi, Andrea Pierini(BlueHatIL2022)
- NTLM “Relaying” is a well known replay attack for Windows systems in which the attacker performs a man in the middle and acts on behalf of the victim while communicating with a remote server by altering the network packets. In recent years, all of the research and mitigations have been done on the most used protocols which use NTLM as an authentication mechanism, like SMB, LDAP, HTTP... What about RPC? RPC is a protocol heavily used internally by Windows systems for inter-process communication and to support all of the COM/DCOM protocol. In this talk, we will uncover this unexplored attack surface and demonstrate a novel way of performing NTLM relay attacks based on the RPC/DCOM protocols. Within this talk, we will show our tool to exploit this vulnerability and enable further scenarios of exploitation, especially in Active Directory environments: RemotePotato0. This changes the approach of attacking Windows servers on which multiple users are logged on. RemotePotato0 will allow stealing and relaying authentications to remote privileged resources even from an unprivileged user, thus achieving privilege escalation and breaking the multi-user security model of Windows systems.
- Tools
- Responder
- IPv6/IPv4 LLMNR/NBT-NS/mDNS Poisoner and NTLMv1/2 Relay.
- Inveigh
- .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers
- pretender
- pretender is a tool developed by RedTeam Pentesting to obtain machine-in-the-middle positions via spoofed local name resolution and DHCPv6 DNS takeover attacks. pretender primarily targets Windows hosts, as it is intended to be used for relaying attacks but can be deployed on Linux, Windows and all other platforms Go supports. Name resolution queries can be answered with arbitrary IPs for situations where the relaying tool runs on a different host than pretender. It is designed to work with tools such as Impacket's ntlmrelayx.py and krbrelayx that handle the incoming connections for relaying attacks or hash dumping.
- ADFSRelay
- This repository includes two utilities NTLMParse and ADFSRelay. NTLMParse is a utility for decoding base64-encoded NTLM messages and printing information about the underlying properties and fields within the message. Examining these NTLM messages is helpful when researching the behavior of a particular NTLM implementation. ADFSRelay is a proof of concept utility developed while researching the feasibility of NTLM relaying attacks targeting the ADFS service. This utility can be leveraged to perform NTLM relaying attacks targeting ADFS. We have also released a blog post discussing ADFS relaying attacks in more detail.
- RemotePotato0
- "It abuses the DCOM activation service and triggers an NTLM authentication of any user currently logged on to the target machine. It is required that a privileged user is logged on to the same machine (e.g. a Domain Admin user). Once the NTLM type1 is triggered we set up a cross-protocol relay server that receives the privileged type1 message and relays it to a third resource by unpacking the RPC protocol and packing the authentication over HTTP. On the receiving end you can set up a further relay node (e.g. ntlmrelayx) or relay directly to a privileged resource."
- Mitigation
- See
- (OUs) Attacking
- Articles/Blogposts/Writeups
- OU having a laugh? - Petros Koutroumpis
- tl;dr When we have permission to modify an OU, we can modify its gpLink attribute in order to compromise any computer or user that belongs to that OU or its child OUs.
- Talks/Presentations/Videos
- Articles/Blogposts/Writeups
- Persistence
- Articles/Blogposts/Writeups
- Presentations/Talks/Videos
- Catch Me if You Can - Eduardo Arriols(DefconSafeMode RTV2020)
- The presentation will show, from a technical point of view, how to deploy backdoors to guarantee access to an organization. Initially, a brief review of the types of persistence, the locations where it can be deployed and the common aspects to be taken into account will be carried out, before going on to describe all the details that allow a Red Team to guarantee access to the entity without the organization being able to detect it or to expel the attacker before the attacker re-enters using an alternative persistence.
- The Active Directory Botnet - Ty Miller, Paul Kalinin(BHUSA 17)
- ACLs & Security Descriptors
- An ACE in the Hole: Stealthy Host Persistence via Security Descriptors - Lee Christensen & Matt Nelson & Will Schroeder(Derbycon2017)
- Attackers and information security professionals are increasingly looking at security descriptors and their ACLs, but most previous work has focused on escalation opportunities based on ACL implementation flaws and misconfigurations. However, the nefarious use of security descriptors as a persistence mechanism is rarely mentioned. Just like with Active Directory ACLs, it's often difficult to determine whether a specific security descriptor was set intentionally by an IT administrator, intentionally set by an attacker, or inadvertently set by an IT administrator via a third-party installation program. This uncertainty decreases the likelihood of attackers being discovered, granting attackers a great opportunity to persist on a host and in a network. We’ll dive deep into ACLs/DACLs/SACLs/ACEs/Security Descriptors and more, giving you the background to grasp the capabilities we’re talking about. Then we’ll dive into several case studies that demonstrate how attackers can use securable object takeover primitives to maliciously backdoor host-based security descriptors for the purposes of persistence, including “gold image” backdooring, subverting DCOM application permissions, and more. We’ll conclude with an exhaustive overview of the deployment and detection of host-based security descriptor backdoors. All along the way we’ll be releasing new tooling to enumerate, exploit, and analyze host-based security descriptors.
- An ACE Up the Sleeve: Designing Active Directory DACL Backdoors - Andy Robbins, Will Schroeder(BHUSA2017)
- Slides
- Paper
- Active Directory (AD) object discretionary access control lists (DACLs) are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD objects align perfectly with the "attackers think in graphs" philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise.
- AdminSDHolder
- DCShadow
- Directory Services Restore Mode
- gMSA-related
- Group Policy Object
- Machine Accounts
- Managed By
- msDS-KeyCredentialLink/Shadow Creds
- SeEnableDelegationPrivilege
- Security Support Provider
- SID History
- Tickets
- 101
- Silver Ticket
- See 'Silver Tickets'
- Golden Tickets
- Diamond Tickets
- Sapphire Tickets
- Skeleton Keys
- SPNs/Kerberoast
- Printers & Faxes (Attacking)
- Articles/Blogposts/Writeups
- Hacking Printers Wiki
- This is the Hacking Printers Wiki, an open approach to share knowledge on printer (in)security.
- Talks/Presentations/Videos
- From Printer to Pwned: Leveraging Multifunction Printers During Penetration Testing - Deral Heiland(Defcon18)
- BSides Cleveland Version
- Slides
- In this presentation we go beyond the common printer issues and focus on harvesting data from multifunction printers (MFPs) that can be leveraged to gain access to other core network systems. By taking advantage of poor printer security and vulnerabilities during penetration testing we are able to harvest a wealth of information from MFP devices including usernames, email addresses, and authentication information including SMB, email and LDAP passwords. Leveraging this information we have successfully gained administrative access into core systems including email servers, file servers and Active Directory domains on multiple occasions. We will also explore MFP device vulnerabilities including authentication bypass and information leakage flaws. Tying this all together we will discuss the development of an automated process for harvesting the information from MFP devices with the updated release of our tool 'PRAEDA'.
- BYoVPD
- Bring Your Own Print Driver Vulnerability - Jacob Baines(Defcon29)
- What can you do, as an attacker, when you find yourself as a low privileged Windows user with no path to SYSTEM? Install a vulnerable print driver! In this talk, you'll learn how to introduce vulnerable print drivers to a fully patched system. Then, using three examples, you'll learn how to use the vulnerable drivers to escalate to SYSTEM.
- Concealed Position
- Concealed Position is a local privilege escalation attack against Windows using the concept of "Bring Your Own Vulnerability". Specifically, Concealed Position (CP) uses the as designed package point and print logic in Windows that allows a low privilege user to stage and install printer drivers. CP specifically installs drivers with known vulnerabilities which are then exploited to escalate to SYSTEM. Concealed Position was first presented at DEF CON 29.
- Evil Printer
- Slides
- In this talk, we will walk you through an incredibly fun bug we have discovered in the printer spooler service. It can be exploited both locally and remotely, escapes the sandbox, executes arbitrary code, and also elevates to SYSTEM. While Microsoft managed to develop the most restrictive sandbox for Microsoft Edge, this bug easily goes through it like it's a sieve. We will talk in detail about the implementation of this ancient service, the method we used to discover and exploit the bug, and also throw in some tips and tricks for logic bugs in between.
- 'Passback' attack
- Persistence
- printjacker
- Printjacker is a post-exploitation tool that creates a persistence mechanism by overwriting Printconfig.dll with a shellcode injector. The persistence mechanism can be invoked by running the wmic printer list command as any user. The shellcode will be executed with SYSTEM privileges.
- PrintNightmare
- Articles
- Tools
- PrintNightmare exploit
- Reflective Dll implementation of the PrintNightmare PoC by Cornelis de Plaa (@Cneelis). The exploit was originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370).
- CVE-2021-1675(PrintNightmare)
- system shell poc for CVE-2021-1675 (Windows Print Spooler Elevation of Privilege)
- ItWasAllADream
- A PrintNightmare (CVE-2021-34527) Python Scanner. Scan entire subnets for hosts vulnerable to the PrintNightmare RCE
- PrintNightmare
- Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.
- PrintNightmare - Windows Print Spooler RCE/LPE Vulnerability (CVE-2021-34527, CVE-2021-1675)
- CVE-2021-34527 - PrintNightmare LPE (PowerShell)
- https://github.com/AndrewTrube/CVE-2021-1675
- PrintSpoofer
- PrintSpooler
- Articles
- Windows Print Spooler Patch Bypass Re-Enables Persistent Backdoor - Simon Zuckerbraun(2020)
- PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more) - Yarden Shafir, Alex Ionescu(2020)
- PrintDemon
- PrintDemon is a PoC for a series of issues in the Windows Print Spooler service, as well as potential misuses of the functionality.
- CVE-2020-1337 – PrintDemon is dead, long live PrintDemon! - voidsec(2020)
- Tools
- Print Spooler Research Tools
- The repository contains the tools we developed during our Print Spooler research, which we presented at Black Hat USA 2020 and DEFCON28 Safe Mode ("A Decade After Stuxnet's Printer Vulnerability: Printing is still the Stairway to Heaven").
- Articles
- SpoolFool / CVE-2022-21999
- Tools
- SpoolSploit
- A collection of Windows print spooler exploits containerized with other utilities for practical exploitation.
- Articles/Blogposts/Writeups
- Privilege Escalation
- Collections
- Aiming for DA
- Windows Privilege Escalation Part 2: Domain Admin Privileges - Scott Sutherland(2009)
- Post-Exploitation in Windows: From Local Admin To Domain Admin (efficiently) - pentestmonkey
- Scenario-based pen-testing: From zero to domain admin with no missing patches required - Georgia Weidman
- Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher
- Exploiting Active Directory Administrator Insecurities - Sean Metcalf(Defcon26)
- Attack Methods for Gaining Domain Admin Rights in Active Directory - adsecurity
- Gaining Domain Admin from Outside Active Directory - markitzeroday.com
- Paving The Way to DA - Complete Post (Pt 1,2 & 3) - Andy Gil(2021)
- Aiming for Enterprise Admin
- ACEs/ACLs/DACLs
- DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) - Nabeel Ahmed(2019)
- This vulnerability allows low privileged users to hijack files that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file. Successful exploitation results in "Full Control" permissions for the low privileged user.
- Microsoft Exchange – ACL - NetbiosX
- RACE Minimal Rights and ACE for Active Directory Dominance - Nikhil Mittal(Defcon27)
- Airstrike
- BackupOperatorToDA
- The Backup Operators Guide to the Galaxy - Dave Mayer(2019)
- From Backup Operator To Domain Admin
- From an account member of the group Backup Operators to Domain Admin without RDP or WinRM on the Domain Controller
- Certificates
- DNSAdmins / CVE-2021-40469
- Windows DNS Server Remote Code Execution Vulnerability - CVE-2021-40469
- Feature, not bug: DNSAdmin to DC compromise in one line - Shay Ber(2017)
- Abusing DNSAdmins privilege for escalation in Active Directory - Nikhil Mittal(2017)
- Windows Privilege Escalation: DNSAdmins to Domain Admins - Server Level DLL Injection - Abhinav Gyawali(2019)
- Escalating Privileges with DNSAdmins Group - Nairuz Abulhul(2021)
- From DnsAdmins to SYSTEM to Domain Compromise - spotheplanet(2021)
- dns-exe-persistance
- sample plugin dll for windows DNS server: ServerLevelPluginDll
- Exploits
- Gone to the Dogs - Elad Shamir
- Win10 PrivEsc Domain Joined
- CVE-2018-8340: Multi-Factor Mixup: Who Were You Again? - Andrew Lee
- A weakness in the Microsoft ADFS protocol for integration with MFA products allows a second factor for one account to be used for second-factor authentication to all other accounts in an organization.
- MS CVE-2018-8340
- CVE-2020-0665 | Active Directory Elevation of Privilege Vulnerability - portal.msrc
- WSUS Attacks Part 2: CVE-2020-1013 a Windows 10 Local Privilege Escalation 1-Day - Maxime Nadeau(2020)
- CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability - msrc
- An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
- Forced Prompt
- SharpLoginPrompt - Success and a Curious Case - Intruder()
- Sharp Login Prompt
- This program creates a login prompt to gather the username and password of the current user. It allows a red team to phish the username and password of the current user without touching lsass or having administrator credentials on the system.
- Group Policy
- How to own any windows network with group policy hijacking attacks
- IIS Passwords
- KrbRelayUp
- KrbRelayUp
- "... a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)."
- KrbRelay with RBCD Privilege Escalation HOWTO - tothi
- LDAP-based
https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html
- BloodyAD
- This tool can perform specific LDAP/SAMR calls to a domain controller in order to perform AD privesc. bloodyAD supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket or certificates and binds to LDAP services of a domain controller to perform AD privesc. It is designed to be used transparently with a SOCKS proxy.
- Machine-Accounts
- Pass the Hash with Machine$ Accounts - spotheplanet(2019)
- This lab looks at leveraging machine account NTLM password hashes or more specifically - how they can be used in pass the hash attacks to gain additional privileges, depending on which groups the machine is a member of (ideally administrators/domain administrators).
- Domain Escalation – Machine Accounts - NetbiosX(2022)
- SAMAccountName Spoofing / CVE-2021-42278/2021-42287
- Active Directory Domain Services Elevation of Privilege Vulnerability - CVE-2021-42278
- Active Directory Domain Services Elevation of Privilege Vulnerability - CVE-2021-42287
- KB5008102—Active Directory Security Accounts Manager hardening changes (CVE-2021-42278) - support.ms
- Exploit samAccountName spoofing with Kerberos - Fabian Bader(2021)
- CVE-2021-42287/CVE-2021-42278 Weaponisation - exploit.ph(2021)
- Exploiting the CVE-2021-42278 (sAMAccountName spoofing) and CVE-2021-42287 (deceiving the KDC) Active Directory vulnerabilities - Krishnamoorthi Gopal(2022)
- sAMAccountName Spoofing - NetbiosX(2022)
- sAMAccountName spoofing - thehacker.recipes
- noPac
- CVE-2021-42287/CVE-2021-42278 Scanner & Exploiter. Yet another low effort domain user to domain admin exploit.
- sam-the-admin
- Printer-related
- See 'Fax & Printer'
- NetNTLM->Silver Ticket
- NTLM Relay
- See 'NTLM Relay'
- PKINITMustiness
- pkinitmustiness - kekeo github wiki
- "PKINIT Mustiness is the opposite of PKINIT Freshness (https://datatracker.ietf.org/doc/draft-ietf-kitten-pkinit-freshness). It abuses the way Kerberos authenticates users with smartcard/token, by generating AS-REQ challenges for future usages... without needing access to the user secret in this future to decrypt AS-REP."
- You (dis)liked mimikatz? Wait for kekeo - Benjamin Delpy(BlueHat IL 2019)
- Slides - https://msrnd-cdn-stor.azureedge.net/bluehat/bluehatil/2019/assets/doc/You%20(dis)iked%20mimikatz%20Wait%20for%20kekeo.pdf
- For years, you’ve tried to fight mimikatz, first to understand it, and maybe fight it again. This little kiwi fruit shaped program has given you a hard time, extracted your password, stolen your credentials, played with your nerves and certificates... But our friends in New Zealand know it best: there are many different kiwis... and perhaps the fruit is the most lucrative, but it's not the most sadistic. The kiwi animal may not fly, and it remains complex to build it from source, its effects are not less devastating...I will introduce "kekeo", the little animal brother of mimikatz. If you enjoyed playing with Kerberos, ASN1, security providers..., then you'll love adopting this furry, sweet animal. From its birth with MS14-068 to cleartext passwords without local administrator rights, you'll know everything about this animal. This talk will embed CredSSP and TSSP with cleartext credential, explore a little bit about PKINITMustiness and the RSA-on-the-fly for Kerberos with PKI!
- (Priv)Exchange
- Issue 2186: Exchange: AD Schema Misconfiguration Elevation of Privilege - James Forshaw
- "The msExchStorageGroup schema class added during Exchange installation can be used to create almost any AD object including users, groups or domain trusts leading to elevation of privilege."
- PrivExchange : One Hop away from Domain Admin -
- Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema(2019)
- PrivExchange
- Exchange your privileges for Domain Admin privs by abusing Exchange
- Exchange-AD-Privesc
- This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security.
- Exploiting PrivExchange - chryzsh
- expansion and demo of how to use the PrivExchange exploit
- PowerPriv
- A powershell implementation of PrivExchange by @_dirkjan (original code found here: https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py). Useful for environments on which you cannot run python-based applications, have user credentials, or do not want to drop files to disk. Will cause the target exchange server system account to attempt to authenticate to a system of your choice.
- Shadow Credentials
- Tools
- ADAPE-Script
- Active Directory Assessment and Privilege Escalation Script
- Tools
- Shadow Admins(ACLs)
- Shadow Admins – The Stealthy Accounts That You Should Fear The Most - Asaf Hecht
- ACLight
- ACLight is a tool for discovering privileged accounts through advanced ACLs analysis (objects’ ACLs - Access Lists, aka DACL\ACEs). It includes the discovery of Shadow Admins in the scanned network.
- (NTLM)SMB Relay
- See Network_Attacks.md
- Redirect to SMB - Cylance SPEAR
- See
- Skeleton Key
- Specific Vulnerabilities
- RDP
- Volume Shadow Service (Attacking)
- Sharepoint (Attacking)
- Skeleton Key Attack
- 101
- Articles/Blogposts/Writeups
- SQL Server (Attacking)
- 101
- Articles/Blogposts/Writeups
- Pentesting MSSQL - Microsoft SQL Server - HackTricks
- MSSQL Lateral Movement - David Cash(2021)
- Attacking SQL Server CLR Assemblies Webinar - NetSPI
- During this webinar we’ll review how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence. Scott will also share a few PowerUpSQL functions that can be used to execute the CLR attacks on a larger scale in Active Directory environments.
- Attacking Modern Environments with MS-SQL Servers - Firestone65(2021)
- SQL Server UNC Path Injection Cheatsheet
- Tools
- SQLRecon
- A C# MS-SQL toolkit designed for offensive reconnaissance and post-exploitation. For detailed usage information on each technique, refer to the wiki.
- Squeak
- msdat
- MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.
- PowerUpSQL
- SQLRecon
- Trusts
- 101
- Articles/Blogposts/Writeups
- A Guide to Attacking Domain Trusts
- It's All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts
- Active Directory forest trusts part 1 - How does SID filtering work?
- The Forest Is Under Control. Taking over the entire Active Directory forest
- Not a Security Boundary: Breaking Forest Trusts - https://posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d
- Read-Only Domain Controllers
- Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory
- Pentesting Active Directory Forests
- Active Directory forest trusts part 1 - How does SID filtering work? - Dirk-jan Mollema(2018)
- Active Directory forest trusts part 2 - Trust transitivity and finding a trust bypass - Dirk-jan Mollema(2021)
- The Trustpocalypse
- Talks/Presentations/Videos
- Trusts you might have missed - Will Schroeder(44con2019)
- Red teams have been abusing Windows domain trusts for years with great success, but the topic is still under-represented in public infosec discussions. While the community has started to talk more about Active Directory exploitation, there isn’t much information out there discussing domain trusts from an offensive perspective. This talk aims to demystify domain trusts and show how they can be enumerated and abused during the course of an engagement. I’ll conclude with a complex demo showing how to enumerate, visualize, and abuse the trust relationships in an example environment, leading to total domain takeover without throwing a single exploit.
- Tools
- Forest Trust Tools
- These are Proof of Concept tools for playing with forest trusts and cross-realm kerberos tickets. For getftST.py you will need to apply the kerberosv5.patch to your local impacket install (I recommend running this in a virtualenv or pipenv).
- WSUS
- Articles/Blogposts/Writeups
- Tools
- PyWSUS
- Standalone implementation of a part of the WSUS spec. Built for offensive security purposes.
- WSUSPect
- WSUSPect - Compromising the Windows Enterprise via Windows Update - Paul Stone, Alex Chapman - BHUS15
- WSUSpect Proxy
- WSUSpect Proxy - a tool for MITM'ing insecure WSUS connections
- WSUSpendu
- WSUSpendu: How to Hang WSUS Clients - Romain Coltel & Yves Le Provost(BHUSA2017)
- Slides
- Paper
- SSTIC 2017 Version of the Talk
- We will present a new approach, allowing you to circumvent limitations and control the targeted network from the very WSUS server you own. By extension, this approach may serve as a basis for an air gap attack for disconnected networks.
- WSUSpendu
- Implement WSUSpendu attack
- Look at the phishing page
- Articles/Blogposts/Writeups
- Privilege Escalation (ab)using
- Tools
- Exchange-AD-Privesc
- This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security. This is a side project of AD-Control-Paths, an AD permissions auditing project to which I recently added some Exchange-related modules.
- PrivExchange
- Exploiting PrivExchange - chryzsh
- expansion and demo of how to use the PrivExchange exploit
- MailSniper
- MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain. MailSniper also includes additional modules for password spraying, enumerating users/domains, gathering the Global Address List from OWA and EWS, and checking mailbox permissions for every Exchange user at an organization.
- PowerPriv
- A powershell implementation of PrivExchange by @_dirkjan (original code found here: https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py). Useful for environments on which you cannot run python-based applications, have user credentials, or do not want to drop files to disk. Will cause the target exchange server system account to attempt to authenticate to a system of your choice.
- exchange_hunter2
- This script uses a valid credential, a DC IP and hostname to log into the DC over LDAP and query the LDAP server for the whereabouts of the Microsoft Exchange servers in the environment.
- 101
- Ping Castle Methodology
- Here are the 4 steps of the PingCastle methodology, which was designed based on our experience putting hundreds of domains under control.
- What would a real hacker do to your Active Directory
- Securing Microsoft Active Directory Federation Server (ADFS)
- Awesome Windows Domain Hardening
- The Most Common Active Directory Security Issues and What You Can Do to Fix Them - adsecurity
- Beyond Domain Admins – Domain Controller & AD Administration - ADSecurity.org
- This post provides information on how Active Directory is typically administered and the associated roles & rights.
- Adversary Resilience Methodology
- Awareness
- NtdsAudit
- NtdsAudit is an application to assist in auditing Active Directory databases. It provides some useful statistics relating to accounts and passwords. It can also be used to dump password hashes for later cracking.
- Grouper
- Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.
- Bloodhound
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Tools
- Cypheroth
- Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.
- Building/Designing Infrastructure
- Deceiving Attackers
- Weaponizing Active Directory - David Fletcher
- This webcast covers basic techniques to catch attackers attempting lateral movement and privilege escalation within your environment with the goal of reducing that Mean Time to Detect (MTTD) metric. Using tactical deception, we will lay out strategies to increase the odds that an attacker will give away their presence early after initial compromise.
- Creating Honey Credentials with LSA Secrets - Scot Berner
- Domain Controllers/Admins
- Securing Domain Controllers to Improve Active Directory Security - adsecurity.org
- Protecting Privileged Domain Accounts: Network Authentication In-Depth
- Active Directory: Real Defense for Domain Admins
- Did your AD recently get owned on a pentest? It’s always fun to see an unknown entry show up in your Domain Admins group (#fail). Come learn how to truly protect your organization’s IT crown jewels from some of the most popular AD attacks. If you’re stuck trying to figure out what to do with null sessions, pass the hash techniques, or protecting your Domain Admins, then you will want to be here.
- Security Watch: Lock Up Your Domain Controllers - Steve Riley - docs.ms
- Securing Active Directory Administrative Groups and Accounts - docs.ms(2009)
- Designing RODCs in the Perimeter Network - docs.ms(2012)
- Enhanced Security Administrative Environment(ESAE)/Red Forest
- ESAE
- Red Forest
- AppLocker
- 101
- AppLocker - docs.ms
- This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
- What Is AppLocker? - docs.ms
- AppLocker design guide - docs.ms
- AppLocker deployment guide - docs.ms
- AppLocker technical reference - docs.ms
- Security considerations for AppLocker - docs.ms
- Requirements to use AppLocker - docs.ms
- Administer AppLocker - docs.ms
- How AppLocker works - docs.ms
- Articles/Blogposts/Writeups
- Getting Started With AppLocker - John Strand(2019)
- Script Rules in AppLocker - technet
- DLL Rules in AppLocker
- Application Whitelisting Using Microsoft AppLocker
- Harden Windows with AppLocker – based on Case study Part 1 - oddvar.moe
- Harden Windows with AppLocker – based on Case study part 2 - oddvar.moe
- AppLocker Case study: How insecure is it really? Part 1 oddvar.moe
- [AppLocker Case study: How insecure is it really? Part 2](https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/) - oddvar.moe
- Talks/Presentations/Videos
- Auditing Account Passwords/Privileges
- Account lockout threshold - technet
- Password Policy - technet
- AccessChk
- As a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.
- Guarded Fabric/Shielded VMs
- Guarded fabric and shielded VMs
- Shielded VMs – additional considerations when running a guarded fabric - blogs.technet
- Shielded VMs: A conceptual review of the components and steps necessary to deploy a guarded fabric
- Step-by-step: Quick reference guide to deploying guarded hosts
- Step by Step – Configuring Guarded Hosts with Virtual Machine Manager 2016 - blogs.technet
- Guarded Fabric Deployment Guide for Windows Server 2016
- Step by Step – Configuring Key Protection for the Host Guardian Service in Windows Server 2016
- Why use shielded VMs for your privileged access workstation (PAW) solution?
- Frequently Asked Questions About HGS Certificates
- Join Host Guardian Servers to an existing bastion forest
- Step by Step: Shielding existing VMs without VMM - blogs.technet
- Step by Step – Shielded VM Recovery - blogs.technet
- Group Policy
- The 10 Windows group policy settings you need to get right
- Group Policy for WSUS - grouppolicy.biz
- GPO Best Policies - grouppolicy.biz
- Securing Windows with Group Policy - Josh Rickard - Derbycon7
- Guidance on Deployment of MS15-011 and MS15-014 - blogs.technet
- MS15-011 & MS15-014: Hardening Group Policy - blogs.technet
- Hardening
- Awesome Windows Domain Hardening
- A curated list of awesome Security Hardening techniques for Windows.
- Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7 - technet
- Harden windows IP Stack
- Secure Host Baseline
- Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. iadgov
- Second section good resource for hardening windows
- Network access: Restrict clients allowed to make remote calls to SAM - docs.ms
- The Network access: Restrict clients allowed to make remote calls to SAM security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and Active Directory. The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the KB articles listed in Applies to section of this topic.
- SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016
- "SAMRi10" tool is a short PowerShell (PS) script which alters remote SAM access default permissions on Windows 10 & Windows Server 2016. This hardening process prevents attackers from easily getting some valuable recon information to move laterally within their victim's network.
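The setting above is a single registry-backed security descriptor, so it is easy to check and to stage. The following is an added example written for this page, not SAMRi10's script: it reads the current `RestrictRemoteSam` value, applies the Administrators-only descriptor from the Microsoft documentation, and can put the host in audit-only mode first. It assumes local administrator rights on the target host; on a domain the same value is normally pushed through the "Network access: Restrict clients allowed to make remote calls to SAM" policy rather than set by hand.

```powershell
# Added example, not SAMRi10's code. Assumes local admin on the host being hardened.
$lsa       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Owner/group BUILTIN\Administrators; only BA is granted READ_CONTROL, so only
# local admins can bind to SAMR remotely and enumerate users/groups.
$adminOnly = 'O:BAG:BAD:(A;;RC;;;BA)'

function Get-RemoteSamRestriction {
    # Unset value = OS default (Administrators only on 1607/2016+, wide open on older builds).
    $v = (Get-ItemProperty -Path $lsa -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam
    $audit = (Get-ItemProperty -Path $lsa -Name RestrictRemoteSamAuditOnlyMode -ErrorAction SilentlyContinue).RestrictRemoteSamAuditOnlyMode
    [pscustomobject]@{
        Configured = [bool]$v
        Sddl       = $v
        Hardened   = ($v -eq $adminOnly)
        AuditOnly  = ($audit -eq 1)
    }
}

function Set-RemoteSamRestriction {
    param([string]$Sddl = $adminOnly, [switch]$AuditOnly)
    Set-ItemProperty -Path $lsa -Name RestrictRemoteSam -Value $Sddl -Type String
    # Audit-only mode logs which callers would have been denied without enforcing the
    # descriptor; run with -AuditOnly first and review the SAM operational log before enforcing.
    Set-ItemProperty -Path $lsa -Name RestrictRemoteSamAuditOnlyMode -Value ([int]$AuditOnly.IsPresent) -Type DWord
}

Get-RemoteSamRestriction
# Set-RemoteSamRestriction -AuditOnly      # stage
# Set-RemoteSamRestriction                 # enforce
```

If a legitimate tool (a vulnerability scanner, an inventory agent) needs SAMR enumeration, grant its account `RC` in the descriptor instead of widening it back to Authenticated Users.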
- Enable Attack surface reduction - docs.ms
- Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
- Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
- LogonTracer
- Investigate malicious Windows logon by visualizing and analyzing Windows event log
- Software Restriction Policies - docs.ms
- This topic for the IT professional describes Software Restriction Policies (SRP) in Windows Server 2012 and Windows 8, and provides links to technical information about SRP beginning with Windows Server 2003.
- Detecting Lateral Movement through Tracking Event Logs - JPCERTCC
- Detecting Lateral Movements in Windows Infrastructure - CERT-EU
- Designing a Multilayered, In-Depth Defense Approach to AD Security - Quest.com
- There are a number of configuration options we recommend for securing high privileged accounts. One of them, enabling 'Account is sensitive and cannot be delegated', ensures that an account’s credentials cannot be forwarded to other computers or services on the network by a trusted application.
- New features in Active Directory Domain Services in Windows Server 2012, Part 11: Kerberos Armoring (FAST) - Sander Berkouwer
- Protect your enterprise data using Windows Information Protection (WIP) - docs.ms
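The 'Account is sensitive and cannot be delegated' control mentioned above is one flag (`AccountNotDelegated`) on each privileged account, and it is easy to miss accounts added to Tier 0 groups after the initial hardening. The following is an added example, not code from any of the linked resources: it walks the usual privileged groups, reports members whose credentials can still be delegated or who are not in Protected Users, and stages the fix with `-WhatIf`. It assumes the ActiveDirectory RSAT module and rights to read and modify the accounts; the group list is a starting point, not an exhaustive one.

```powershell
# Added example, not from the linked articles. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

function Get-DelegatablePrivilegedAccount {
    param([string[]]$Groups = $privilegedGroups)
    $seen = @{}
    foreach ($g in $Groups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            if ($seen.ContainsKey($m.distinguishedName)) { continue }   # report each account once
            $seen[$m.distinguishedName] = $true
            $u = Get-ADUser -Identity $m.distinguishedName -Properties AccountNotDelegated, MemberOf, Enabled
            # Protected Users also blocks delegation (and NTLM/RC4), so either control closes the gap.
            $inProtectedUsers = [bool]($u.MemberOf -match '^CN=Protected Users,')
            if (-not $u.AccountNotDelegated -or -not $inProtectedUsers) {
                [pscustomobject]@{
                    SamAccountName      = $u.SamAccountName
                    Enabled             = $u.Enabled
                    PrivilegedGroup     = $g
                    AccountNotDelegated = [bool]$u.AccountNotDelegated
                    ProtectedUsers      = $inProtectedUsers
                }
            }
        }
    }
}

$findings = Get-DelegatablePrivilegedAccount
$findings | Format-Table -AutoSize

# Remediate: once set, a service trusted for delegation cannot present this identity onward.
# Drop -WhatIf after reviewing the list.
foreach ($f in ($findings | Where-Object { -not $_.AccountNotDelegated })) {
    Set-ADAccountControl -Identity $f.SamAccountName -AccountNotDelegated $true -WhatIf
}
```

Do not bulk-add service accounts to Protected Users from this output: that group disables NTLM and RC4 for its members and breaks anything that still depends on them, whereas `AccountNotDelegated` alone only stops the credential being delegated. Protected Users also requires a 2012 R2 or later domain functional level to be enforced.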
- Just Enough Administration (JEA)
- Just Enough Administration - docs.ms
- Just Enough Administration: Windows PowerShell security controls help protect enterprise data - msdn
- JEA Pre-requisites
- JEA Role Capabilities
- JEA Session Configurations
- Registering JEA Configurations
- Using JEA
- JEA Security Considerations
- Auditing and Reporting on JEA
- Just Enough Administration Samples and Resources
- Just Enough Administration (JEA) is a PowerShell security technology that provides a role based access control platform for anything that can be managed with PowerShell. It enables authorized users to run specific commands in an elevated context on a remote machine, complete with full PowerShell transcription and logging. JEA is included in PowerShell version 5 and higher on Windows 10 and Windows Server 2016, and older OSes with the Windows Management Framework updates.
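The JEA pieces listed above (role capability, session configuration, registration) fit together as shown in this added example, which is not taken from the Microsoft docs or samples. It builds an endpoint that lets a helpdesk group restart one service and read the System log, nothing else, under a virtual account and with transcripts. The module name `HelpdeskJEA`, the group `CONTOSO\Helpdesk`, the `Spooler` service and the transcript path are assumptions for illustration; it must run elevated on the server that will host the endpoint.

```powershell
# Added example, not from the JEA docs. Run elevated on the target server.
# Role capability files must live under <module>\RoleCapabilities in $env:PSModulePath.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJEA'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-Item -ItemType Directory -Path 'C:\JEATranscripts' -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'HelpdeskJEA.psd1')

# Role capability: the allow-list of commands, with parameter values pinned where it matters.
# Restart-Service is exposed only for -Name Spooler; Get-WinEvent only for -LogName System.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'SpoolerOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName'; ValidateSet = 'System' }, @{ Name = 'MaxEvents' } }
    )

# Session configuration: RestrictedRemoteServer = no language mode beyond the visible
# commands; RunAsVirtualAccount = a throwaway local admin identity instead of stored
# credentials; TranscriptDirectory = every session is recorded.
$sccPath = Join-Path $env:TEMP 'HelpdeskJEA.pssc'
New-PSSessionConfigurationFile -Path $sccPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'SpoolerOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $sccPath)) { throw "invalid session configuration file" }
Register-PSSessionConfiguration -Name 'HelpdeskJEA' -Path $sccPath -Force   # restarts WinRM

# A helpdesk user then connects with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName HelpdeskJEA
# and Get-Command inside that session shows only the allow-listed commands.
```

The security-relevant detail is the `ValidateSet` on `Restart-Service -Name`: exposing `Restart-Service` unconstrained would let the role restart any service, including security agents. Review the resulting capability with the "JEA Security Considerations" page above, in particular for any visible command that can execute arbitrary code.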
- KRBTGT
- Kerberos & KRBTGT: Active Directory’s Domain Kerberos Service Account - adsecurity.org
- KRBTGT Account Password Reset Scripts now available for customers - Tim Rains(Ms.com)
- AD Forest Recovery - Resetting the krbtgt password - docs.ms
- PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs - Jorge
- LLMNR/NBNS
- Conveigh
- Conveigh is a Windows PowerShell LLMNR/NBNS spoofer detection tool. LLMNR/NBNS requests sent by Conveigh are not legitimate requests to any enabled LLMNR/NBNS services. The requests will not result in name resolution in the event that a spoofer is present.
- Respounder
- Respounder sends LLMNR name resolution requests for made-up hostnames that do not exist. In a normal non-adversarial network we do not expect such names to resolve. However, a responder, if present in the network, will resolve such queries and therefore will be forced to reveal itself.
- asker
- This tool takes a list of known-bogus local hostnames, and sends out LLMNR requests for them every 5-25 legitimate LLMNR requests from other hosts. This is intended for use by a blue team who wants to catch a red team or attacker using Responder, who either does not target-select carefully enough, or falls for the bogus hostnames which should be tailored to the environment (e.g. if there is a DC named "addc1", you might want to add "adddc1" to the list).
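All three tools above rely on the same exchange: send an LLMNR query for a name that cannot legitimately resolve and treat any answer as a spoofer. The following added example is not Conveigh, Respounder or asker's code; it builds the query packet by hand (LLMNR reuses the DNS message format on UDP multicast 224.0.0.252:5355), sends it, and reports the address of any host that answers with a positive response carrying our transaction ID. The bogus names are an assumption and should be tailored to the environment, as asker's description suggests. Because it writes the packet itself, it works even on hosts where LLMNR has been disabled by policy.

```powershell
# Added example, not the code of any tool listed above.
function New-LlmnrQuery {
    param([string]$Name, [uint16]$Id)
    $b = New-Object System.Collections.Generic.List[byte]
    $b.Add([byte]($Id -shr 8)); $b.Add([byte]($Id -band 0xFF))  # transaction ID
    $b.AddRange([byte[]](0,0, 0,1, 0,0, 0,0, 0,0))             # flags=0, QDCOUNT=1, AN/NS/AR=0
    foreach ($label in $Name.Split('.')) {                       # QNAME in DNS label format
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $b.Add([byte]$lb.Length); $b.AddRange($lb)
    }
    $b.Add([byte]0)                                              # root label terminator
    $b.AddRange([byte[]](0,1, 0,1))                              # QTYPE=A, QCLASS=IN
    return ,$b.ToArray()
}

function Test-LlmnrResponse {
    # A reply counts only if it echoes our ID, has the QR (response) bit and carries answers.
    param([byte[]]$Reply, [uint16]$Id)
    if ($Reply.Length -lt 12) { return $false }
    $replyId = ([int]$Reply[0] -shl 8) -bor $Reply[1]
    $qr      = ($Reply[2] -band 0x80) -ne 0
    $ancount = ([int]$Reply[6] -shl 8) -bor $Reply[7]
    return ($replyId -eq $Id) -and $qr -and ($ancount -gt 0)
}

function Find-LlmnrSpoofer {
    # Bogus names are an assumption; mimic real host naming so a selective spoofer bites.
    param([string[]]$BogusNames = @('fileserver01x', 'adddc1', 'wpad-internal'), [int]$TimeoutMs = 2000)
    $mcast = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse('224.0.0.252'), 5355)
    foreach ($name in $BogusNames) {
        $id  = [uint16](Get-Random -Minimum 1 -Maximum 65535)
        $udp = New-Object System.Net.Sockets.UdpClient
        $udp.Client.ReceiveTimeout = $TimeoutMs
        try {
            $q = New-LlmnrQuery -Name $name -Id $id
            [void]$udp.Send($q, $q.Length, $mcast)
            $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
            while ($true) {
                $reply = $udp.Receive([ref]$from)   # unicast replies; throws SocketException on timeout
                if (Test-LlmnrResponse -Reply $reply -Id $id) {
                    [pscustomobject]@{ BogusName = $name; Responder = $from.Address.ToString(); Time = Get-Date }
                }
            }
        } catch [System.Net.Sockets.SocketException] {
            # Timeout: nobody answered, which is the expected result on a clean segment.
        } finally { $udp.Close() }
    }
}

Find-LlmnrSpoofer | Format-Table -AutoSize
```

Run it from a few segments on a schedule and alert on any row; the responding IP is the attacker's (or a misconfigured host's) interface. The check is per broadcast domain, since LLMNR is link-local multicast, and it only catches spoofers that answer the chosen names, which is why the list should look like real assets rather than random strings.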
- Local Administrator Password Solution
- 101
- Local Administrator Password Solution - technet
- The "Local Administrator Password Solution" (LAPS) provides a centralized storage of secrets/passwords in Active Directory (AD) - without additional computers. Each organization’s domain administrators determine which users, such as helpdesk admins, are authorized to read the passwords.
- Introduction to Microsoft LAPS (Local Administrator Password Solution) - 4sysops
- Articles/Blogposts/Writeups
- Auditing Access to LAPS Passwords in Active Directory - Russell Smith
- Microsoft security advisory: Local Administrator Password Solution
- [Set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory](https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/) - 4sysops
- FAQs for Microsoft Local Administrator Password Solution (LAPS) - Part 1 - 4sysops
- Talks/Presentations/Videos
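LAPS only protects the local administrator password as well as the ACL on `ms-Mcs-AdmPwd` does, so the practical audit question is "who can read it, and do we log when they do". This added example, not taken from the linked article or the LAPS module samples, enumerates the holders of the extended right on every OU with the legacy LAPS management cmdlets and then enables read auditing. It assumes the `AdmPwd.PS` module and RSAT are installed and that the schema has been extended; the delegated group name and the OU are assumptions.

```powershell
# Added example, not from the linked article. Assumes AdmPwd.PS (legacy LAPS) and RSAT.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

function Get-LapsReaders {
    # One row per (OU, principal). "All extended rights" on an OU implies the ability to read
    # the confidential ms-Mcs-AdmPwd attribute, so every holder here can pull local admin passwords.
    $ous = Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
    foreach ($ou in $ous) {
        $rights = Find-AdmPwdExtendedRights -Identity $ou -ErrorAction SilentlyContinue
        foreach ($r in $rights) {
            foreach ($holder in $r.ExtendedRightHolders) {
                [pscustomobject]@{ ObjectDN = $r.ObjectDN; Principal = $holder }
            }
        }
    }
}

# Assumption: the group you deliberately delegated. Anything else (old helpdesk groups,
# service accounts granted Full Control on an OU years ago) is a finding.
$expected = @('NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins', 'CONTOSO\LAPS-Password-Readers')
$unexpected = Get-LapsReaders | Where-Object { $_.Principal -notin $expected }
$unexpected | Format-Table -AutoSize

# Log every successful read of the password: each one then produces Security event 4662
# on the DC, with ms-Mcs-AdmPwd's schema GUID in the Properties field. Requires the
# "Audit Directory Service Access" subcategory to be enabled on the DCs.
Set-AdmPwdAuditing -OrgUnit 'OU=Workstations,DC=contoso,DC=com' -AuditedPrincipals 'Everyone'
```

Windows LAPS (the 2023 in-box version) stores the password in `msLAPS-Password` and ships its own `LAPS` module (`Find-LapsADExtendedRights`), so on a migrated domain run the equivalent query against the new attribute as well; a stale `ms-Mcs-AdmPwd` ACL is still worth cleaning up.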
- NTLM
- 101
- Articles/Blogposts/Writeups
- Office Documents/Macros/DDE/Flavor-of-the-week
- Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields
- Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016
- New feature in Office 2016 can block macros and help prevent infection (2016)
- Block or unblock external content in Office documents - support.office
- CIRClean
- CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks. The device automatically converts untrusted documents into a readable but disarmed format and stores these clean files on a trusted (user owned) USB key/stick.
- Github
- Passwords
- Articles/Blogposts/Writeups
- Active Directory Password Blacklisting - Leeren Chang(2018)
- Azure AD and ADFS best practices: Defending against password spray attacks
- Detect Password Spraying With Windows Event Log Correlation
- Managing Domain Password Policy in the Active Directory - WindowsOSHub
- Configuring Password Policies with Windows Server 2016 - Mukhatar Jafari
- Password Policy - docs.ms
- Talks/Presentations/Videos
- Tools
- Domain Password Audit Tool (DPAT)
- This is a python script that will generate password use statistics from password hashes dumped from a domain controller and a password crack file such as hashcat.potfile generated from the Hashcat tool during password cracking. The report is an HTML report with clickable links.
- Tutorial Video & Demo
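DPAT's core is a join between the NTDS dump and the cracker's potfile, followed by grouping. The following added example is not DPAT's code; it reproduces the essential statistics (crack rate, cracked privileged accounts, users sharing a hash, most common passwords) over a constructed sample so it can be run without a real dump. The dump lines use the secretsdump-style `domain\user:rid:lm:nt:::` format and the potfile the hashcat `nthash:plaintext` format; the hash values and the privileged-user list are constructed sample data.

```powershell
# Added example, not DPAT itself. All data below is constructed for illustration.
$ntdsDump = @'
contoso\administrator:500:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
contoso\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
contoso\asmith:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
contoso\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
contoso\bjones:1108:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
'@
$potfile = @'
32ed87bdb5fdc5e9cba88547376818d4:123456
8846f7eaee8fb117ad06bdd830b7586c:password
0123456789abcdef0123456789abcdef:Summer2019!
'@
$domainAdmins = @('contoso\administrator')   # hypothetical export of a privileged group

function Get-PasswordAuditStats {
    param([string]$Dump, [string]$Pot, [string[]]$PrivilegedUsers)
    # potfile -> NT hash => plaintext (split on the first ':' only; passwords may contain ':')
    $cracked = @{}
    foreach ($line in ($Pot -split "`r?`n" | Where-Object { $_ })) {
        $hash, $plain = $line -split ':', 2
        $cracked[$hash.ToLower()] = $plain
    }
    # dump -> one record per account, joined to the potfile by NT hash
    $users = @(foreach ($line in ($Dump -split "`r?`n" | Where-Object { $_ })) {
        $parts = $line -split ':'
        $nt = $parts[3].ToLower()
        [pscustomobject]@{
            User       = $parts[0]
            NT         = $nt
            Plain      = $cracked[$nt]
            Privileged = $PrivilegedUsers -contains $parts[0]
        }
    })
    $shared = $users | Group-Object NT | Where-Object Count -gt 1
    [pscustomobject]@{
        TotalUsers        = $users.Count
        Cracked           = @($users | Where-Object Plain).Count
        PrivilegedCracked = @($users | Where-Object { $_.Privileged -and $_.Plain } | Select-Object -ExpandProperty User)
        SharedHashGroups  = @($shared | ForEach-Object {
                                [pscustomobject]@{ NT = $_.Name; Users = @($_.Group | Select-Object -ExpandProperty User); Plain = $_.Group[0].Plain } })
        TopPasswords      = @($users | Where-Object Plain | Group-Object Plain |
                                Sort-Object Count -Descending | Select-Object -First 5 Name, Count)
    }
}

$stats = Get-PasswordAuditStats -Dump $ntdsDump -Pot $potfile -PrivilegedUsers $domainAdmins
$stats | Format-List
```

Two findings matter more than the overall crack rate: a privileged account whose password cracked, and a hash shared between a privileged and an unprivileged account, since the second means password reuse across tiers even when the plaintext is still unknown. Handle the dump and potfile as the domain's credential database they are: work on an isolated host and shred both when the report is done.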
- Privileged Access Workstation
- What Is
- Privileged Access Workstation(PAW) - blogs.technet
- How Microsoft IT used Windows 10 and Windows Server 2016 to implement privileged access workstations
- As part of the security strategy to protect administrative privilege, Microsoft recommends using a dedicated machine, referred to as PAW (privileged access workstation), for administrative tasks; and using a separate device for the usual productivity tasks such as Outlook and Internet browsing. This can be costly for the company to acquire machines just for server administrative tasks, and inconvenient for the admins to carry multiple machines. In this session, we show you how MSIT uses shielded VMs on the new release of Windows client to implement a PAW.
- Documentation
- Setup
- Reference
- PowerShell
- Articles/Blogposts/Writeups
- PowerShell ♥ the Blue Team
- Powershell Security at Enterprise Customers - blogs.msdn
- More Detecting Obfuscated PowerShell
- Detecting and Preventing PowerShell Downgrade Attacks - leeholmes
- Creating a Secure Environment using PowerShell Desired State Configuration - blogs.ms
- Securing PowerShell in the Enterprise - Australian Cyber Security Center(2020)
- This document describes a maturity framework for PowerShell in a way that balances the security and business requirements of organisations. This maturity framework will enable organisations to take incremental steps towards securing PowerShell across their environment.
- Talks & Presentations
- Hijacking .NET to Defend PowerShell - Amanda Rousseau(BSidesSF 2017)
- Automating security with PowerShell, Jaap Brasser (@Jaap_Brasser)
- There is no doubt that security has been in the spotlight over the last few years, recent events have been responsible for the increased demand for better and more secure systems. Security was often treated as an afterthought or something that could be implemented ‘later’. In this session, we will go over some best practices, using existing tools and frameworks to help you set up a more secure environment and to get a grasp of what is happening in your environment. We will leverage your existing automation skills to secure and automate these workflows. Expect a session with a lot of demos and resources that can directly be implemented.
- Tools
- Revoke-Obfuscation - tool
- PowerShell v3.0+ compatible PowerShell obfuscation detection framework.
- Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science - Daniel Bohannon, Lee Holmes - Derbycon7 - talk
- PSRecon
- PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
- Services
- SMB
- Unwanted Admins
- USB Detection
- BEAMGUN
- A rogue-USB-device defeat program for Windows.
- How to Analyze USB Device History in Windows - magnetforensics.com
- How to track down USB flash drive usage with Windows 10's Event Viewer - techrepublic
- Tools
- Artillery
- Artillery is a combination of a honeypot, monitoring tool, and alerting system. Eventually this will evolve into a hardening monitoring platform as well to detect insecure configurations from nix systems.
- zBang
- zBang is a special risk assessment tool that detects potential privileged account threats in the scanned network.
- Blogpost
- Visualization/Tracking/Reporting
- General
- Userline
- This tool automates the process of creating logon relations from MS Windows Security Events by showing a graphical relation among users, domains, source and destination logons, as well as session duration.
- VOYEUR
- VOYEUR's main purpose is to automate several tasks of an Active Directory build review or security assessment. Also, the tool is able to create a fast (and pretty) Active Directory report. The tool is developed entirely in PowerShell (a powerful scripting language) without dependencies like Microsoft Remote Administration tools. (Just .Net Framework 2.0 and Office Excel if you want a useful and pretty report). The generated report is a perfect starting point for well-established forensic, incident response team, security consultants or security researchers who want to quickly analyze threats in Active Directory Services.
- WMI
- General
- Tools
- Uproot
- Uproot is a Host Based Intrusion Detection System (HIDS) that leverages Permanent Windows Management Instrumentation (WMI) Event Subscriptions to detect malicious activity on a network. For more details on WMI Event Subscriptions please see the WMIEventing Module
- WMIEvent
- A PowerShell module to abstract the complexities of Permanent WMI Event Subscriptions
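The permanent WMI event subscriptions Uproot builds on are the same three-object structure (`__EventFilter`, `__EventConsumer`, `__FilterToConsumerBinding` in `root\subscription`) that attackers use for fileless persistence, so the first thing to do on a host is to list what is already bound. This added example is neither Uproot nor WMIEvent code: it enumerates every binding, resolves it to its filter query and consumer, and flags consumer types that execute commands or scripts. It assumes CIM/WinRM access to the target and runs locally by default.

```powershell
# Added example, not Uproot/WMIEvent code. Assumes CIM access to the target host.
function Get-WmiPersistence {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $ns = 'root/subscription'
    $filters   = @(Get-CimInstance -ComputerName $ComputerName -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -ComputerName $ComputerName -Namespace $ns -ClassName __EventConsumer)  # returns all subclasses
    $bindings  = @(Get-CimInstance -ComputerName $ComputerName -Namespace $ns -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Filter/Consumer on a binding are reference properties; CIM returns them as instances
        # carrying the key property (Name), which is enough to match the full objects.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        $type = if ($c) { $c.CimClass.CimClassName } else { 'missing' }
        # Only these two consumer types run attacker-controlled code; the others log, mail or write files.
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { '' }
        }
        [pscustomobject]@{
            Computer     = $ComputerName
            Filter       = $b.Filter.Name
            Query        = $f.Query            # WQL trigger, e.g. a timer or Win32_ProcessStartTrace
            ConsumerType = $type
            Consumer     = $b.Consumer.Name
            Payload      = $payload
            Suspicious   = $type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

Get-WmiPersistence | Format-List
```

A stock Windows install carries one benign binding (`SCM Event Log Filter` to an `NTEventLogEventConsumer`), so baseline a clean host first and alert on anything else; a `CommandLineEventConsumer` whose template launches `powershell`, `cmd` or `mshta` on a timer or on logon is the classic pattern. Event ID 5861 in the `Microsoft-Windows-WMI-Activity/Operational` log records new bindings as they are created, which is what a HIDS like Uproot watches for continuously.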
- Advanced Threat Analytics
- 101
- Articles/Blogposts/Writeups
- Working with Suspicious Activities - docs.ms(2018)
- This article explains the basics of how to work with Advanced Threat Analytics.
- Advanced Threat Analytics suspicious activity guide - docs.ms(2019)
- ATA Console: Sensitive Groups
- The following list of groups is considered Sensitive by ATA. Any entity that is a member of these groups is considered sensitive:
- Best Practices for Securing Advanced Threat Analytics - techcommunity.ms
- Microsoft Advanced Threat Analytics – My best practices - Oddvar Moe
- Talks/Presentations/Videos
- Advanced Threat Protection
- 101
- What's new in Windows Server 2019 - docs.ms
- Microsoft Defender Advanced Threat Protection - ms
- Microsoft Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
- Articles/Blogposts/Writeups
- Detecting reflective DLL loading with Windows Defender ATP - cloudblogs.ms
- WindowsDefenderATP-Hunting-Queries - MS's Github
- This repo contains sample queries for Advanced hunting on Windows Defender Advanced Threat Protection. With these sample queries, you can start to experience Advanced hunting, including the types of data that it covers and the query language it supports. You can also explore a variety of attack techniques and how they may be surfaced through Advanced hunting.
- Onboard non-Windows machines(ATP) - docs.ms
- Talks/Presentations/Videos
- Auditing Processes
- Know your Windows Processes or Die Trying - sysforensics
- TaskExplorer
- Explore all the tasks (processes) running on your Mac with TaskExplorer.
- Baselining
- Measure Boot Performance with the Windows Assessment and Deployment Toolkit
- Securing Windows Workstations: Developing a Secure Baseline
- Evaluate Fast Startup Using the Assessment Toolkit
- Windows Performance Toolkit Reference
- The Malware Management Framework
- ADRecon
- ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. The report can provide a holistic picture of the current state of the target AD environment. It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) accounts. Fine Grained Password Policy, LAPS and BitLocker may require Privileged user accounts. The tool will use Microsoft Remote Server Administration Tools (RSAT) if available, otherwise it will communicate with the Domain Controller using LDAP.
- CMD.exe Analysis
- Invoke-DOSfuscation
- Cmd.exe Command Obfuscation Generator & Detection Test Harness
- Credential Guard
- Device Guard
- Device Guard and Credential Guard hardware readiness tool
- Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control - docs.ms
- Requirements and deployment planning guidelines for Windows Defender Device Guard - docs.ms
- Driver compatibility with Device Guard in Windows 10 - docs.ms
- Defender Application Control
- Planning and getting started on the Windows Defender Application Control deployment process - docs.ms
- This topic provides a roadmap for planning and getting started on the Windows Defender Application Control (WDAC) deployment process, with links to topics that provide additional detail. Planning for WDAC deployment involves looking at both the end-user and the IT pro impact of your choices.
- Event Log & Monitoring
- General
- Event Forwarding
- Windows Event Forwarding Guidance
- Over the past few years, Palantir has maintained an internal Windows Event Forwarding (WEF) pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. Once these events are collected and indexed, alerting and detection strategies (ADS) can be constructed not only on high-fidelity security events (e.g. log deletion), but also for deviations from normalcy, such as unusual service account access, access to sensitive filesystem or registry locations, or installation of malware persistence. The goal of this project is to provide the necessary building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and centralize public efforts to improve WEF subscriptions and encourage adoption. While WEF has become more popular in recent years, it is still dramatically underrepresented in the community, and it is our hope that this project may encourage others to adopt it for incident detection and response purposes. We acknowledge the efforts that Microsoft, IAD, and other contributors have made to this space and wish to thank them for providing many of the subscriptions, ideas, and techniques that will be covered in this post.
- Tools
- DCSYNCMonitor
- Monitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events.
- EventLogParser
- Parse PowerShell and Security event logs for sensitive information.
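What DCSYNCMonitor watches for can also be pulled straight from the Security log: a DCSync is a directory-replication request, and with "Audit Directory Service Access" enabled the DC records it as event 4662 carrying the replication control-access-right GUIDs in its `Properties` field. The following added example, which is not DCSYNCMonitor's code, queries those events and discards the ones whose subject is a domain controller's own machine account, leaving replication requests made by ordinary users or service accounts. It assumes the ActiveDirectory module, rights to read the DC's Security log, and that the audit subcategory is on (without it nothing is logged).

```powershell
# Added example, not DCSYNCMonitor's code. Assumes RSAT and read access to the DC Security log.
Import-Module ActiveDirectory

# Control access rights a replication partner (or lsadump::dcsync) needs on the domain object.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Find-DcSyncAttempt {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    # Machine accounts of real DCs: their replication traffic is the expected baseline.
    $dcAccounts = @((Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" })
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($ev in Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Properties lists the GUIDs of the rights exercised; only replication rights interest us.
        $hits = @($replicationRights.Keys | Where-Object { $d['Properties'] -match $_ })
        if ($hits.Count -eq 0) { continue }
        if ($dcAccounts -contains $d['SubjectUserName']) { continue }   # legitimate DC-to-DC replication
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']          # normally the domain naming context DN
            Rights  = ($hits | ForEach-Object { $replicationRights[$_] }) -join ', '
            Access  = $d['AccessMask']
        }
    }
}

Find-DcSyncAttempt | Format-Table -AutoSize
```

Expect a small set of non-DC subjects that are legitimate, for example the Entra (Azure AD) Connect synchronisation account, and allow-list them explicitly rather than the whole pattern. Anything else requesting `DS-Replication-Get-Changes-All` has just read every password hash in the domain, and the same event, with the DC not in `Get-ADDomainController` output, is what a DCShadow rogue DC registration eventually produces as well.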
- Firewall
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- General Hardening
- General
- Awesome Windows Domain Hardening
- A curated list of awesome Security Hardening techniques for Windows.
- Documentation
- Guides
- Enable Attack surface reduction(Win10)- docs.ms
- Harden windows IP Stack
- Secure Host Baseline
- Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. iadgov
- Windows Server guidance to protect against speculative execution side-channel vulnerabilities
- End user device (EUD) security guidance - NCSC.gov.uk
- Guidance for organisations deploying a range of end user device platforms as part of a remote working solution
- Educational/Informative
- The Evolution of Protected Processes – Part 1: Pass-the-Hash Mitigations in Windows 8.1
- The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services
- Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Signers, Root Keys, EKUs & Runtime Signers)
- Mitigate threats by using Windows 10 security features
- .NET Instrumentation
- ClrGuard
- ClrGuard is a proof of concept project to explore instrumenting the Common Language Runtime (CLR) for security purposes. ClrGuard leverages a simple appInit DLL (ClrHook32/64.dll) in order to load into all CLR/.NET processes. From there, it performs an in-line hook of security critical functions. Currently, the only implemented hook is on the native LoadImage() function. When events are observed, they are sent over a named pipe to a monitoring process for further introspection and mitigation decision.
- Powershell
- Service Accounts
- Service Account best practices Part 1: Choosing a Service Account
- In this article you will learn the fundamentals of Windows service accounts. Specifically, we discover the options and best practices concerning the selection of a service account for a particular service application.
- Service Account best practices - Part 2: Least Privilege implementation
- In this article you will learn some best-practice suggestions for using service applications according to the IT security rule of least privilege.
- Best Practice: Securing Windows Service Accounts and Privileged Access – Part 1 - SecurIT360
- Best Practice: Securing Windows Service Accounts and Privileged Access – Part 2 - SecurIT360
- Securing Windows Service Accounts (Part 1) - Derek Meiber(2013)