Tenable Identity Exposure

The privilege of running the Kerberos service account

Use brute force of high privilege account Kerberos service principal name

Kerberom

Privilege promotion, lateral movement and persistence

Dangerous Kerberos delegation

Check dangerous without authorization delegate (without constraint, protocol conversion, etc.)

Nishang

Privilege promotion, lateral movement and persistence

In the Active Directory PKI use weak encryption algorithm

Deployed on the Active Directory within PKI weak passwords shall be used for the root certificate of the algorithm

ANSSI - ADCP

Persistent, privilege promotion, lateral movement

Aiming at the key access to the danger of objects

Found some allow illegal users access control key objects

BloodHound

Leak, lateral movement, command and control, the credentials to access and privilege promotion

There are multiple issues in the password policy

In certain account, the current password policy is insufficient, can't ensure that provide reliable proof for protection

Patator

Defensive avoidance, lateral movement and the credentials to access and privilege promotion

Dangerous RODC management account

Be responsible for the management of the read-only domain controller group contains abnormal account

Impacket

Credentials to access, defensive avoidance and privilege promotion

Has been linked to the key object of sensitive GPO

Certain by the management account GPO link to the sensitive Active Directory objects (for example KDC account, the domain controller and management groups, etc.).

ANSSI - ADCP

Command and control, the credentials to access privileges, persistence, ascension

Has allowed to connect to other systems outside of the domain controller management account

On the monitoring infrastructure deployment of security policies will not prevent management account connected to a DC outside resources, resulting in the sensitive credential exposure

CrackMapExec

Defensive avoidance, credentials to access

Dangerous trust relationship

Wrong configuration of trust property reduces directory infrastructure security

Kekeo

Lateral movement, the credentials to access and privilege promotion, defensive avoidance

In the GPO reversible password

Verify the GPO does not contain the password stored in reversible format

SMB password crawler

The credentials to access and privilege promotion

Run out of the operating system computer

Supplier no longer support the outdated system, which greatly increased the infrastructure vulnerability

Metasploit

Lateral movement, command and control

Using compatible with Windows 2000 previous versions of access control of the account

Windows 2000 compatible with access group member account before can bypass specific safety measures

Impacket

Lateral movement, defensive avoidance

Local management account management

Make sure you use LAPS concentration and safety management of local management account

CrackMapExec

Defensive avoidance, credentials to access, lateral movement

Dangerous anonymous user configuration

Activation on the monitoring of the Active Directory infrastructure anonymous access to sensitive data leakage

Impacket

Let the cat out of the

Abnormal RODC filtering properties

In some read-only domain controller filtering strategy may lead to sensitive information on the application of cache, causing the privilege to upgrade

Mimikatz (DCShadow)

Privilege to ascend, defensive avoidance

Lack of restrictions on lateral movement attack scenario

On the monitoring of the Active Directory infrastructure has not yet been activated lateral movement restrictions, so that the attacker can at the same privilege level access a range of computer

CrackMapExec

Lateral movement

DC Shared stored in plaintext password

DC on sharing some files (can be any authenticated user access) may contain text passwords, causing privilege promotion

SMBSpider

The credentials to access, privilege promotion, persistence

The danger of login script on access control permissions

Computer or during certain script has the danger of the user login access, resulting in the privilege

Metasploit

Lateral movement, privilege promotion, persistence

Use the risk parameters in GPO

GPO to setting up the risk parameters (such as limited group, LM hash calculation, NTLM authentication level, sensitive parameters, etc.), resulting in security vulnerabilities

Responder

Found, the credentials to access, executing, persistence, privilege promotion, defensive avoidance

The user account control configuration defined in the risk parameters

Some user accounts "user account control" attribute defines the risk parameters (such as PASSWD_NOTREQD or PARTIAL_SECRETS_ACCOUNT), it will endanger the security of the account

Mimikatz (LSADump)

Sustainability, privilege, defensive avoidance

The lack of the application of security patches

Recently has not registered in the Active Directory server application security updates

Metasploit

Command and control rights, defensive avoidance

In view of the user account to brute force to try

Some user account has been the focus of brute force

Patator

The credentials to access

The user account Kerberos configuration

Some account use weak Kerberos configuration

Mimikatz (Silver Ticket)

The credentials to access and privilege promotion

Abnormal DC on sharing and storing files

Some of the domain controller for hosting unnecessary files or network share

SMBSpider

Detection, leak

The back door technology

instructions

The known attack tools

Mitre attack array

Ensure SDProp persistence

Control adminSDHolder object in a harmless state

Mimikatz (Golden Ticket)

Privilege to ascend, persistence

Ensure SDProp persistence

Verify the user's primary group has not changed

BloodHound

Privilege to ascend, persistence

Verify the root domain object permissions

Ensure that set the permissions on the root domain object is correct

BloodHound

Privilege to ascend, persistence

Validation of sensitive GPO objects and file permissions

Make sure the link to the sensitive containers (for example, the domain controller OU) GPO object and file permissions set is correct

BloodHound

Execution, privilege promotion, persistence

The danger of the RODC KDC account access

Some read-only domain controller with KDC account can by illegal user account control, resulting in the leakage of the credential

Mimikatz (DCSync)

Privilege to ascend, persistence

Sensitive certificate is mapped to a user account

Some X509 certificates are stored in altSecurityIdentities user account attributes, allowing the certificate the private key of the owner to the user identity authentication

Command and control, the credentials to access and privilege promotion, persistence

In conventional account set up dangerous Krbtgt SPN

The KDC service principal name exists in some normal user account, resulting in the Kerberos ticket forgery

Mimikatz (Golden Ticket)

Privilege to ascend, persistence

KDC password password change last time

KDC account password must be changed regularly

Mimikatz (Golden Ticket)

The credentials to access, privilege promotion, persistence

Account with dangerous SID history attributes

Check the SID history attributes used in privilege SID users or computers

DeathStar

Privilege to ascend, persistence

Malicious domain controller

To ensure that only legitimate registered to the Active Directory domain controller server infrastructure

Mimikatz (DCShadow)

Execution, defensive avoidance, privilege promotion, persistence

Illegal Bitlocker key access control

In addition to the administrator and link the computer, the others can access the Active Directory stored in some of the Bitlocker recovery key

ANSSI - ADCP

The credentials to access, privilege promotion, persistence

Abnormal structure security descriptor entries

The Active Directory schema has been modified, leading to the new standard access or may endanger the infrastructure of the monitored objects

BloodHound

Privilege to ascend, persistence

DSRM account has been activated

The Active Directory recovery account has been activated, resulting in the credential may be stolen

Mimikatz (LSADump)

The credentials to access, disclosure, defensive avoidance, privilege promotion, persistence

Don't update authentication hash when using a smart card

Some use a smart card authentication of user account not regularly updates its credentials hash

Mimikatz (LSADump)

persistence

Reversible password of user accounts

Verify no parameters in reversible format stored password

Mimikatz (DC Sync)

The credentials to access

Use clear access denied on the container

Some Active Directory container or OU defines clear access denied, leading to the back door of the hidden potential

BloodHound

Defensive avoidance, persistence