STEALTHbits Active Directory Attacks Video Training Series

Author
Senior Vice President, Product Marketing
Jeff Warren, SVP, Technical Product Management

Updated: 9/6/2017
Active Directory (AD) plays a pivotal role in an attacker’s ability to progress through the attack kill chain, from a single compromised machine to full domain dominance.

In this 4-part video training series, STEALTHbits’ Active Directory security experts will guide you through critical AD security concepts as well as three AD attack categories:

  • Overview – Active Directory Security
  • Attack 1 – Credential Theft & Domain Compromise
  • Attack 2 – Service Accounts
  • Attack 3 – Active Directory Permissions

Upon completion, you will understand how these attacks work and what you can do to mitigate them.

Duration: 1hr 13m

1 CPE Credit

Kill Chain | Attack | Blocking | Detection | Mitigation
--- | --- | --- | --- | ---
Recon | Querying for Sensitive Accounts (SPN) | N/A | LDAP Monitoring | Service Accounts in AD
Recon | Querying for privileged accounts | N/A | LDAP Monitoring for group enumeration | Sensitive Security Groups; Domain Controller Logon Groups
Recon | Querying for Sensitive Servers (SPN) | N/A | LDAP Monitoring | Service Accounts in AD
Lateral Movement | Pass the Hash | N/A | Honey Token auth monitoring | Local Admins; PowerShell Monitoring; Application Blocking
Lateral Movement | Overpass the Hash | N/A | Honey Token auth monitoring | Local Admins; PowerShell Monitoring; Application Blocking
Lateral Movement | Pass the Ticket | N/A | Creation of .kirbi files; Honey Token auth monitoring | Local Admins; PowerShell Monitoring; Application Blocking
Privilege Escalation | DCSync Credential Gathering | Block Unauthorized Attempts | Detect non-DCs requesting replication; Detect changes to permissions | SMP: Report and fix Replication Permissions; Audit domain admin membership; Block Sync Permission Changes
Privilege Escalation | Brute Force Password Attacks | Lockout policies | Brute force analytic | SMP: discover weak passwords and force a reset on next logon
Privilege Escalation | User Password Spraying | Authentication blocking policy | Impersonation Logins Analytic | Prevent people from using bad passwords, and identify groups of bad passwords
Privilege Escalation | Kerberoasting | Block and/or roll back any SPN change to accounts | Detect SPN ticket requests with RC4; Service Account Honeypot; SPN Changes | Service Accounts in AD; AD Permissions Reporting in AD
Privilege Escalation | Extracting passwords in plain text | Block GPO changes (Fine-grained password policies, GPO settings); Block changes to UAC | Detect GPO changes (Fine-grained password policies, GPO settings); Detect changes to UAC | Detect legacy GPOs in SMP with plaintext passwords; Report on password issues in SMP (AD Inventory and new weak passwords); Force password reset on next logon; WDigest
Privilege Escalation | Add Privileges with SID History | Block SID History Changes; Block SID::Patch | Alert on SID History modifications; Alert on SID::Patch | SID Filtering; SID History
Privilege Escalation | Malicious Security Support Provider (SSP) | Block creation of malicious SSPs | Detect registration of SSP; Detect existence of password logs | Local Admins; Sensitive Security Groups; DC Logon Groups
Privilege Escalation | Manipulating User Passwords | Block password resets of admin accounts | Detect password resets/changes | AD Permissions - Reset Password
Privilege Escalation | Diamond PACs | N/A | N/A | Verify PAC validation enabled on endpoints; Act as part of operating system
Privilege Escalation | Password Extraction from NTDS.dit | Block abnormal VSS activity which attempts to circumvent standard ACLs | Detect abnormal VSS activity | DC Logon Rights; Sensitive Security Groups
Persistence | AdminSDHolder Modification | Block changes to permissions | Detect changes to permissions | Reporting
Persistence | Golden Tickets | Block auth by Golden Tickets | Golden Ticket Analytic | Restricting logon rights to DCs; Audit privileged group membership in SMP
Persistence | Trust Tickets | Block auth by Trust Tickets | Golden Ticket Analytic | Restricting logon rights to DCs; Audit privileged group membership in SMP
Persistence | Skeleton Key | Block injection attempts | Detect injection attempts | Restricting logon rights to DCs; Audit privileged group membership in SMP