For years Microsoft has stated that the forest was the security boundary in Active Directory. For example, Microsoft’s “What Are Domains and Forests?” document (last updated in 2014) has a “Forests as Security Boundaries” section which states (emphasis added): Each forest is a single instance of the directory, the top-level Active Directory container, and a …
This is the long overdue follow-up to the “An ACE in the Hole: Stealthy Host Persistence via Security Descriptors” presentation (slides and video) that @tifkin_, @enigma0x3, and I gave at DerbyCon last year. This past weekend we gave a talk at @Sp4rkCon titled “The Unintended Risks of Trusting Active Directory” that explored combining our host-based …
Remote Hash Extraction On Demand Via Host Security Descriptor Modification Read More »
With the recent release of BloodHound’s ACL Attack Path Update as well as the work on Active Directory DACL backdooring by @_wald0 and myself (whitepaper here), I started to investigate ACL-based attack paths from a defensive perspective. Sean Metcalf has done some great work concerning Active Directory threat hunting (see his 2017 BSides Charm “Detecting …
Hunting With Active Directory Replication Metadata Read More »
Scopes for Active Directory groups were always a bit murky for me. For anyone with an AD sysadmin background, this topic is probably second nature, but it wasn’t until I read this SS64 entry that everything started to fall into place. I wanted to document some relevant notes on the topic (as I understand it) …
‘Exotic’ command and control (C2) channels always interest me. As defenses start to get more sophisticated, standard channels that have been stealthy before (like DNS) may start to lose their efficacy. I’m always on the lookout for non-obvious, one-way (or ideally two-way) communication methods. This post will cover a proof of concept for an internal C2 approach that uses standard …
