Basic cybersecurity audit of a Microsoft domain

The Active Directory (Active Directory) is a critical component in the infrastructure of many organizations, used to manage resources and users in environments Windows. The Active Directory audit is essential to ensure the network security and data integrity. Next, starting from assumed commitment that a domain user has been breached, we will explore the main attack vectors that we must identify:

1. Privilege Escalation Local

But not is always necessary, it is highly recommended to start with permissions administration on the attacking machine. In this way the use of tools It will be much more comfortable. To do this you can use tools such as PowerUp, WinPeas or SeatBelt among others, to identify paths that allow a escalation to local administrator.

2. Password Policies

A politic weak password can be useful for carrying out passwordspraying attacks (this must be done carefully so as not to block accounts) or for the subsequent cracking of identified hashes. Furthermore, if there is no blocking policy after failed attempts, it would be possible to brute force against the entire domain without fear of blocking user accounts.

3. Identify secrets in shared folders.

Once If you have a domain user, it is recommended to list the folders shared files that you have access to (for example, with smbclient). In Occasionally, documents can be identified that contain some type of credential, which may be valid or serve as a starting point for guess other passwords.

4. Identification of systems obsolete operations

Must be verify that out of support operating systems are not being used and/or outdated. This type of equipment can be very useful, since it is highly likely to have exploitable vulnerabilities with exploits public. Even if they are not relevant objectives, accessing them can be interesting to obtain the credentials they have stored. Is very It is important to notify the IT manager that you are going to use exploits, in case these could cause a drop in the company's service.

5. Account identification privileged

Is very interesting to carry out an initial enumeration process in which identify the target accounts that allow the entire amount to be committed domain. During this enumeration phase, not only the accounts of Domain admin, but it is also important to identify accounts with permissions special ones that allow movements to be carried out in the domain. In points Next we will see why this is important.

6. Identification and Abuse accounts with Constrained Delegation

At a point Previously it was indicated that it was necessary to identify accounts with permissions high, as this is a specific type of privileged account. These can have delegated to them the power to impersonate any user of the domain for a series of specific services. Thanks to this, if it is achieved compromise an account with constrained delegation, it is possible to impersonate to any user for Windows services like host, RPCSS, http, wsman, cifs, ldap, krbtgt or winrm.

8. Identification and Abuse ofUnconstrained Delegation

This is another type of high-interest privileged account. These accounts are authorized to receive and store TGT (Ticket Granting Ticket) of kerberos of any account. That is why, by accessing them, it would be possible to extract the tickets stored in them. On the other hand, it is also possible to forced authentication attacks on this machine, that is, forcing any domino machine to authenticate against the unconstrained machine engaged. In this way, the new victim (the domain controller, for example) example) would send a copy of your TGT to the unconstrained machine, being possible interception.

9. Identify and Abuse DCSync permissions

We continue with interesting privileged accounts. In this case it is necessary to identify accounts with DCSync permissions, that is, accounts that have DS-Replication-Get-Changes-All permissions and DS-Replication-Get-Changes. If we manage to compromise a credential With these permissions, we can carry out a DCSync attack, or what is same, pretend that we are a domain controller that wants to synchronize its database (ntds.dit) with that of the real domain controller. This way All domain hashes would be obtained, including those of the Domain Admin.

10. Identify and AbuseResource-Based Constrained Delegation

Yes like Attackers can identify an account with “GenericWrite” permissions or “GenericAll” over “ActiveDirectoryRights”, will mean that this account has the ability to grant constrained delegation permissions to any domain account. This means that, if we compromise this account, We can indicate that any account on the domain can request TGSs (Ticket Guarantee Service) for services on any machine in the domain, including our main target: the domain controller.

11. Identify and Abuse Vulnerable Certificate Templates

This type of attack is based on using tools like certify or certipy to identify vulnerable certificate templates in the CA (certificate corporate authority. There are a number of vulnerable scenarios possible, which allow an attacker to request certificates on behalf of others users, for example, from a Domain Admin or from any account privileged.