STEALTHbits’ Active Directory Attacks Video Training Series

  • Jeff Warren - Senior Vice President, Product Marketing


    Updated: 9/6/2017


    Active Directory (AD) plays a pivotal role in an attacker’s ability to progress through the attack kill chain, from a single compromised machine to full domain dominance.

    In this 4-part video training series, STEALTHbits’ Active Directory security experts will guide you through critical AD security concepts as well as three AD attack categories:

    • Overview – Active Directory Security
    • Attack 1 – Credential Theft & Domain Compromise
    • Attack 2 – Service Accounts
    • Attack 3 – Active Directory Permissions

    Upon completion, you will understand how these attacks work and what you can do to mitigate them.

    Duration: 1hr 13m

    1 CPE Credit

  • Attack mapping (columns: Kill Chain | Attack | Blocking | Detection | Mitigation)

    Recon – Querying for Sensitive Accounts (SPN)
      Blocking:   N/A
      Detection:  LDAP Monitoring
      Mitigation: Service Accounts in AD

    Recon – Querying for privileged accounts
      Blocking:   N/A
      Detection:  LDAP Monitoring for group enumeration
      Mitigation: Sensitive Security Groups; Domain Controller Logon Groups

    Recon – Querying for Sensitive Servers (SPN)
      Blocking:   N/A
      Detection:  LDAP Monitoring
      Mitigation: Service Accounts in AD

    Lateral Movement – Pass the Hash
      Blocking:   N/A
      Detection:  Honey Token auth monitoring
      Mitigation: Local Admins; PowerShell Monitoring; Application Blocking

    Lateral Movement – Overpass the Hash
      Blocking:   N/A
      Detection:  Honey Token auth monitoring
      Mitigation: Local Admins; PowerShell Monitoring; Application Blocking

    Lateral Movement – Pass the Ticket
      Blocking:   N/A
      Detection:  Creation of .kirbi files; Honey Token auth monitoring
      Mitigation: Local Admins; PowerShell Monitoring; Application Blocking

    Privilege Escalation – DCSync Credential Gathering
      Blocking:   Block Unauthorized Attempts
      Detection:  Detect non-DCs requesting replication; Detect changes to permissions
      Mitigation: SMP: Report and fix Replication Permissions; Audit domain admin membership; Block Sync Permission Changes

    Privilege Escalation – Brute Force Password Attacks
      Blocking:   Lockout policies
      Detection:  Brute force analytic
      Mitigation: SMP discover weak passwords and force a reset on next logon

    Privilege Escalation – User Password Spraying
      Blocking:   Authentication blocking policy
      Detection:  Impersonation Logins Analytic
      Mitigation: Prevent people from using bad passwords, and identify groups of bad passwords

    Privilege Escalation – Kerberoasting
      Blocking:   Block and/or roll back any SPN change to accounts
      Detection:  Detect SPN ticket requests with RC4; Service Account Honeypot; SPN Changes
      Mitigation: Service Account in AD; AD Permissions Reporting in AD

    Privilege Escalation – Extracting passwords in plain-text
      Blocking:   Block GPO changes (Fine grained password policies, GPO settings); Block changes to UAC
      Detection:  Detect GPO changes (Fine grained password policies, GPO settings); Detect changes to UAC; Detect legacy GPOs in SMP with plaintext passwords
      Mitigation: Report on password issues in SMP (AD Inventory and new weak passwords); Force password reset on next logon; Wdigest

    Privilege Escalation – Add Privileges with SID History
      Blocking:   Block SID History Changes; Block SID::Patch
      Detection:  Alert on SID History modifications; Alert on SID::Patch
      Mitigation: SID Filtering; SID History

    Privilege Escalation – Malicious Security Support Provider (SSP)
      Blocking:   Block creation of malicious SSPs
      Detection:  Detect registration of SSP; Detect existence of password logs
      Mitigation: Local Admins; Sensitive Security Groups; DC Logon Groups

    Privilege Escalation – Manipulating User Passwords
      Blocking:   Block password resets of admin accounts
      Detection:  Detect password resets/changes
      Mitigation: AD Permissions - Reset Password

    Privilege Escalation – Diamond PACs
      Blocking:   N/A
      Detection:  N/A
      Mitigation: Verify PAC validation enabled on endpoints; Act as part of operating System

    Privilege Escalation – Password Extraction from NTDS.dit
      Blocking:   Block abnormal VSS activity which attempts to circumvent standard ACLs
      Detection:  Detect abnormal VSS activity
      Mitigation: DC Logon Rights; Sensitive Security Groups

    Persistence – ADMINSDHolder Modification
      Blocking:   Block changes to permissions
      Detection:  Detect changes to permissions
      Mitigation: Reporting

    Persistence – Golden Tickets
      Blocking:   Block auth by Golden Tickets
      Detection:  Golden Ticket Analytic
      Mitigation: Restricting logon rights to DCs; Audit privileged group membership in SMP

    Persistence – Trust Tickets
      Blocking:   Block auth by Trust Tickets
      Detection:  Golden Ticket Analytic
      Mitigation: Restricting logon rights to DCs; Audit privileged group membership in SMP

    Persistence – Skeleton Key
      Blocking:   Block injection attempts
      Detection:  Detect injection attempts
      Mitigation: Restricting logon rights to DCs; Audit privileged group membership in SMP
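The Kerberoasting row above lists two detections, "Detect SPN ticket requests with RC4" and "Service Account Honeypot". The following is an added illustration of that detection logic, written for this page and not part of the STEALTHbits training or product. It runs over constructed records shaped like Windows Security event 4769 (A Kerberos service ticket was requested); the field names (TargetUserName, ServiceName, TicketEncryptionType, Status, IpAddress) are the real 4769 fields and 0x17/0x18 are the real RC4 encryption type codes, while every account, service and address value, the honeypot account name, and the three-service threshold are assumptions made up for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Kerberos encryption types from RFC 3961/4757: 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP.
# AES tickets are 0x11 (AES128) and 0x12 (AES256) and are not of interest here,
# since Kerberoasting relies on the much faster-to-crack RC4 ticket format.
RC4_ETYPES: Set[int] = {0x17, 0x18}

# Constructed sample events modelled on Windows Security event 4769.
# Values are invented for this example; only the field names are real.
SAMPLE_4769_EVENTS: List[Dict[str, str]] = [
    {"TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "sql-svc",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.25"},
    {"TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "sql-svc",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.40"},
    {"TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "iis-svc",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.40"},
    {"TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "backup-svc",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.40"},
    {"TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.40"},
    {"TargetUserName": "carol@CORP.EXAMPLE", "ServiceName": "legacy-app-svc",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.51"},
    {"TargetUserName": "dave@CORP.EXAMPLE", "ServiceName": "honey-svc",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.77"},
    {"TargetUserName": "erin@CORP.EXAMPLE", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.12"},
    {"TargetUserName": "frank@CORP.EXAMPLE", "ServiceName": "sql-svc",
     "TicketEncryptionType": "0x17", "Status": "0x1b", "IpAddress": "::ffff:10.0.0.90"},
]

# Hypothetical honeypot service account: an account given an SPN purely so that any
# ticket request for it is suspicious (the table's "Service Account Honeypot").
HONEYPOT_SERVICE_ACCOUNTS: Set[str] = {"honey-svc"}


def find_rc4_tgs_requests(
    events: Iterable[Dict[str, str]],
    honeypot_accounts: Set[str],
    threshold: int = 3,
) -> Tuple[List[Tuple[str, List[str]]], List[Tuple[str, str]]]:
    """Return (requesters who pulled RC4 tickets for >= threshold distinct service
    accounts, sorted) and (every RC4 request for a honeypot account)."""
    services_by_requester: Dict[str, Set[str]] = defaultdict(set)
    honeypot_hits: List[Tuple[str, str]] = []

    for ev in events:
        # A failed request (non-zero Status) never hands the caller a crackable ticket.
        if ev.get("Status", "0x0").lower() != "0x0":
            continue
        if int(ev["TicketEncryptionType"], 16) not in RC4_ETYPES:
            continue
        service = ev["ServiceName"]
        # krbtgt is the TGT itself, not a service; computer accounts ($) have long
        # random passwords and are routinely excluded from Kerberoasting analytics.
        if service.lower() == "krbtgt" or service.endswith("$"):
            continue
        requester = ev["TargetUserName"]
        services_by_requester[requester].add(service)
        if service.lower() in {h.lower() for h in honeypot_accounts}:
            honeypot_hits.append((requester, service))

    flagged = [
        (requester, sorted(services))
        for requester, services in services_by_requester.items()
        if len(services) >= threshold
    ]
    return sorted(flagged), honeypot_hits


if __name__ == "__main__":
    flagged, honeypot = find_rc4_tgs_requests(SAMPLE_4769_EVENTS, HONEYPOT_SERVICE_ACCOUNTS)
    for requester, services in flagged:
        print(f"RC4 ticket requests for {len(services)} service accounts by {requester}: {services}")
    for requester, service in honeypot:
        print(f"Honeypot service account {service} requested by {requester}")
```

Two design points carry over to a production analytic: the per-requester distinct-service count catches the bulk enumeration pattern the table's detection describes, while a single RC4 request for the honeypot account is enough on its own, since nothing legitimate should ever ask for that ticket. Raising the threshold, or baselining which accounts normally request RC4 tickets (legacy applications such as the `carol` case above), is how false positives are kept down.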