how to impress your management
play

How to impress your management when you are an Active Directory - PowerPoint PPT Presentation

Sep 24, 2023 •217 likes •584 views

How to impress your management when you are an Active Directory noob? Vincent LE TOUX 15:15 -> 16:00 #RomHack2019 28th of September 2019 in Rome Whoami Vincent LE TOUX https://www.pingcastle.com / @mysmartlogon Management (Architect,

  1. How to impress your management when you are an Active Directory noob? Vincent LE TOUX – 15:15 -> 16:00 #RomHack2019 28th of September 2019 in Rome

  2. Whoami Vincent LE TOUX https://www.pingcastle.com / @mysmartlogon Management (Architect, Blue team, CISO) • Former AD Newbie (not an admin) • Write code (GIDS applet, OpenPGP card • driver, OpenSC, mimikatz, PingCastle , …) Now Speaker (blackhat, bluehat, troopers, • hackinParis , first, …)

  3. So you want to impress Jean-Luc? Jean- Luc (it’s so French) is your manager He somewhat knows that AD is important for security (because he types his password to log on) But as a manager, he has 100+ subjects to cover You’re the security guy: fix it without additional budget!

  4. But… What happens when you talk security in general Mimikatz extract You need to fix the password in clear text. Active Directory before You can build golden a new NotPetya ! ticket with krbtgt hash.

  5. THE BASICS BECAUSE JEAN-PIERRE ASKS FOR « BASIC » QUESTIONS

  6. Where is the 101 AD course? Framework Focused General I just wanted to answer the stupid question « How much domains do I have ? » Tools

  7. Starting with simple questions: How much users do I have in my domain? Fast (2 minutes), but require RSAT versus Slow (> 40 minutes), but no prerequisite

  8. Starting with simple questions: How much domains are connected? Trust dialog => requires RSAT Get-ADTrust or netdom => Requires RSAT PowerView => part of Empire Need the Admin! (but he has other things to do) The 2 top pages of google search for « list active directory trust » return inapplicable links

  9. Goal: provide a global overview Objective: Build a AD map and identify the major vulnerabilities Inspired from: Previous audit (ex: ADSA, …) + best practices Idea: Bind each problem to the team accountable for it

  10. Powershell: Challenge of a scripting language Easy to modify But Hard to debug (remotely) Output: NULL / an object / an array Enumerate group when a member is a FSP Few expertise locally

  11. And as a consequence so many versions # history: # 2015-07 proof of concept made after the AD security workshop # 2015-09 bug fixing & adaptation for GSIT # 2015-10 first POC after adaptation made # 2015-11 POC finalization after comments from corporate security Feedback from AD expert « challenging » (a newbie coming to them) About 6 months of trial & error process before getting Difficulties to share technical something stable information vs KPI

  12. Demo

  13. IT’S HARD TO FIX THINGS BECAUSE THERE IS NO MAGIC

  14. 102: the Vulnerability scanner Scan systems and report vulnerabilities Run every month/quarter Provide list of fixes to apply Forward to the admin, Right ?

  15. Testing if the problem has been fixed Because you don’t want to wait for 1 month Require Linux, admin right, or mixed environment And … Not 100% reliable https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/ https://www.adampalmer.me/iodigitalsec/2013/08/10/windows-null-session-enumeration/

  16. Real null session enumeration MS-SAMR MS-LSAT Well known null session « Just » translate SID from « S-1-5-2345-34876-345- Aka: connect and 500 » to « administrator » enumerate users with the user named « » Then S-1-5-2345-34876-345-501 Then S-1-5-2345-34876-345-502 Then S-1-5-2345-34876-345-503 …

  17. « Secret » Root causes Windows 2003 DC installed 15 years ago Sharepoint SPN missing (*) You can modify the AD behavior with the special attribute dSHeuristics Not obvious. How can you be 100% sure of a remediation?

  18. IMPRESS THE AD GUY BECAUSE THE AD GUY WILL DO 80% OF THE JOB AND YOU DID A BAD JOB WILL VULNERABILITIES

  19. Detect unpatched computers With normal authentication net time \\domaincontroller1.corp.local No public Windows Update info. But if a server is unpatched, it is Without any authentication! not rebooted for a while … https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/63abf97c-0d09-47e2-88d6-6bfa552949a5

  20. Trust creation time / is active whenCreated=trust creation If whenChanged + 30 days < today, then trust is inactive

  21. Meta « data » 1/2 Help to answer many questions Retrieved by ldp.exe or ADSIEdit with computed attributes (not ADExplorer) unicodePwd https://github.com/vletoux/ADSecrets/blob/master/AttdIDToAttribute

  22. Meta « data » 2/2 Answer question such as: Number of time the krbtgt password has been changed and when is the last time (reset clears pwdlastset) See MS-ADTS 3.1.1.2.1 Schema NC: Last time the schema has been changed Number of changes since the creation of the forest Backup time & strategy via dSASignature

  23. Demo Enumerate users of the bastion Check if Sysmon / AV is installed https://github.com/vletoux/TestAntivirus/blob/ master/testAV.ps1

  24. LESSONS LEARNED DEALING WITH « MANAGEMENT »

  25. Management ❤ simplicity Make Actions Simple enough To be understood By the Management

  26. Do not waste the management’s energy The more domains… the more you discover Tieredness if the discovery is too slow Published research on AD discovery (up to a depth of 5 levels) https://www.bluehatil.com/2018/files/Active%20Directory%20 What%20Can%20Make%20Your%20Million%20Dollar%20SIEM %20Go%20Blind.pdf

  27. READY? HOW TO IMPRESS YOUR MANAGEMENT?

  28. 1. Ask to run PingCastle Ask Jean-Luc To make ALL AD Owner run PingCaslte ONCE this quarter To evaluate the budget for NEXT YEAR And it costs no money

  29. 2. PingCastle Magic

  30. 3. Explain to the lower management Happy Jean-Luc Angry Jean-Luc

  31. 4. Go back to Jean-Luc Thanks to Jean- Luc’s decision: There is a NEW security indicator Jean-Luc can demonstrate to its management that the security subject is his own Jean- Luc can demonstrate measurable results … and get budget to get faster, or make its management accountable

  32. This is called « maturity » Mix management & technical topics by calling « maturity » Inspired from CMMI (from Carnegie Mellon which designed also CERT)

  33. Full PingCastle methodology https://www.pingcastle.com/methodology/

  34. CONCLUSION

  35. PingCastle do not stop mimikatz Vendors are selling big houses … without any foundation. As a consequence, it collapses. You got no mimikatz detection! PingCastle focuses on building the foundation. Then, it’s up to you to build the PingCastle’s responsibility mimikatz detection you want. No more excuse, just run PingCastle as Jean- Luc ordered https://www.pingcastle.com/download Your responsibility

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Management of the ImprESS Project 586410-EPP-1-2017-1- RS-EPPKA2-CBHE-JP

Management of the ImprESS Project 586410-EPP-1-2017-1- RS-EPPKA2-CBHE-JP

Improving Academic and Professional Education Capacity in Serbia in the Area of Safety &amp; Security (by Means of Strategic Partnership with the EU) - IMPRESS Management of the ImprESS Project 586410-EPP-1-2017-1- RS-EPPKA2-CBHE-JP

424 views • 25 slides
Kragujevac R-tech KG ImprESS Kick-off meeting BELGRADE, December 20 th 2017 IMPROVING ACADEMIC

Kragujevac R-tech KG ImprESS Kick-off meeting BELGRADE, December 20 th 2017 IMPROVING ACADEMIC

Improving Academic and Professional Education Capacity in Serbia in the Area of Safety &amp; Security (by Means of Strategic Partnership with the EU) - IMPRESS Steinbeis advanced risk technologies institute doo Kragujevac R-tech KG ImprESS

398 views • 11 slides
Using Open Office Impress Starting off Open Impress. If a new presentation is not already open

Using Open Office Impress Starting off Open Impress. If a new presentation is not already open

Open Office Impress Page 1 Using Open Office Impress Starting off Open Impress. If a new presentation is not already open for you, choose to create a Empty Presentation and click Create. Do not go to Next, this is what we will be doing later!

371 views • 8 slides
3D Models in Impress Tams Zolnai &lt;tamas.zolnai@collabora.com&gt; ztamas, #libreoffice-dev,

3D Models in Impress Tams Zolnai &lt;tamas.zolnai@collabora.com&gt; ztamas, #libreoffice-dev,

3D Models in Impress Tams Zolnai &lt;tamas.zolnai@collabora.com&gt; ztamas, #libreoffice-dev, irc.freenode.net What is it all about? Inserting models in open format of COLLADA / glTF / KMZ to Impress Insert-&gt;Object-&gt;3D Model...

502 views • 12 slides
What is the truth? Okay, 600,000 years of ice data doesnt impress me much Why should I

What is the truth? Okay, 600,000 years of ice data doesnt impress me much Why should I

What is the truth? Okay, 600,000 years of ice data doesnt impress me much Why should I bother? Because all levels of government say so. And It makes great business sense. What can you expect today at no extra cost &amp; no

606 views • 36 slides
CRAFT A PRESENTATION THAT WILL IMPRESS YOUR AUDIENCE AND ADD VALUE TO THE MEETING Practical

CRAFT A PRESENTATION THAT WILL IMPRESS YOUR AUDIENCE AND ADD VALUE TO THE MEETING Practical

CRAFT A PRESENTATION THAT WILL IMPRESS YOUR AUDIENCE AND ADD VALUE TO THE MEETING Practical exercises and professional tips that will help you frame your next presentation to a board, your team, a potential client or an industry group.

289 views • 12 slides
Want to impress your boy friend / girl friend? SAT Modulo Ordinary Differential Equations An

Want to impress your boy friend / girl friend? SAT Modulo Ordinary Differential Equations An

Want to impress your boy friend / girl friend? SAT Modulo Ordinary Differential Equations An Analysis Method for Hybrid Systems Martin Frnzle 1 with slides, L A T EX souce, etc., by Andreas Eggers 1 Christian Herde 1 Nacim Ramdani 2

889 views • 39 slides
Why not impress your guests with a delicious Veal Shank Frenched naturally from cooking

Why not impress your guests with a delicious Veal Shank Frenched naturally from cooking

Why not impress your guests with a delicious Veal Shank Frenched naturally from cooking Montpaks Tower of Pisa Serves 4-6 people Beforehand: Defrost the frozen veal shanks in the fridge overnight. Step 1 . Preheat oven at 400 F .

194 views • 4 slides
One page, one point Presentations to Impress Learn Do A presentation with Delete paragraph 2

One page, one point Presentations to Impress Learn Do A presentation with Delete paragraph 2

One page, one point Presentations to Impress Learn Do A presentation with Delete paragraph 2 and 3. Then, increase the type size of paragraph 1. endless pages of text will put your audience to 1. Helps you hydrate sleep. So simplify your

198 views • 7 slides
This presentation was created in OpenOffice 2.0 Impress and later converted to Powerpoint

This presentation was created in OpenOffice 2.0 Impress and later converted to Powerpoint

A note on these slides: A note on these slides: This presentation was created in OpenOffice 2.0 Impress and later converted to Powerpoint format. Some slides and fonts may look slightly funky as a result. You can download the original .odp

649 views • 47 slides
ABSTRACT THEMED POWERPOINT TEMPLATE Content Slide Your Content Here You can simply impress

ABSTRACT THEMED POWERPOINT TEMPLATE Content Slide Your Content Here You can simply impress

ABSTRACT THEMED POWERPOINT TEMPLATE Content Slide Your Content Here You can simply impress your audience and add a unique zing and appeal to your Presentations. I hope and I believe that this Template will your Time, Money and Reputation.

244 views • 10 slides
Courtesy to Impress 1/27/2017 Agenda B1. Job Interview Courtesies B2. Making

Courtesy to Impress 1/27/2017 Agenda B1. Job Interview Courtesies B2. Making

California Cadet Corps Curriculum on Military Courtesy Courtesy to Impress 1/27/2017 Agenda B1. Job Interview Courtesies B2. Making Introductions B3. Formal Introductions B4. Informal Introductions B5.

915 views • 75 slides
Dress to Impress Who Costume Designers Are and How They Create Masterpieces By Sydney Enthoven

Dress to Impress Who Costume Designers Are and How They Create Masterpieces By Sydney Enthoven

Dress to Impress Who Costume Designers Are and How They Create Masterpieces By Sydney Enthoven June 2019 Achievement in Costume Design (2019) Ruth E. Carter Cowry shells What is a costume designer? Famous Designers Edith Head (1897-1981)

736 views • 29 slides
Dress to Impress Who Costume Designers Are and How They Create Masterpieces By Sydney Enthoven

Dress to Impress Who Costume Designers Are and How They Create Masterpieces By Sydney Enthoven

Dress to Impress Who Costume Designers Are and How They Create Masterpieces By Sydney Enthoven June 2019 Achievement in Costume Design (2019) Ruth E. Carter Cowry shells What is a costume designer? Famous Designers Edith Head (1897-1981)

320 views • 28 slides
TITLE INSERT THE TITLE OF YOUR PRESENTATION HERE Contents You can simply impress your audience

TITLE INSERT THE TITLE OF YOUR PRESENTATION HERE Contents You can simply impress your audience

TITLE INSERT THE TITLE OF YOUR PRESENTATION HERE Contents You can simply impress your audience 01 Your Text Here and add a unique zing. You can simply impress your audience 02 Your Text Here and add a unique zing. You can simply

656 views • 16 slides
HOW TO LEVERAGE VIDEO MARKETING TO IMPRESS YOUR BUYERS INTRO VIDEO CONTENT CONTINUES TO

HOW TO LEVERAGE VIDEO MARKETING TO IMPRESS YOUR BUYERS INTRO VIDEO CONTENT CONTINUES TO

WEBINAR / / HOW TO LEVERAGE VIDEO MARKETING TO IMPRESS YOUR BUYERS INTRO VIDEO CONTENT CONTINUES TO DOMINATE ONLINE HERES WHAT YOULL LEARN PART ONE PART TWO PART THREE PART FOUR Video: Its like Youre Appear More

433 views • 16 slides
CSCI 699: Machine Learning for Knowledge Extraction and Reasoning Instructor: Xiang Ren

CSCI 699: Machine Learning for Knowledge Extraction and Reasoning Instructor: Xiang Ren

CSCI 699: Machine Learning for Knowledge Extraction and Reasoning Instructor: Xiang Ren www-bcf.usc.edu/~xiangren/ml4know19spring USC Computer Science About the Instructor Asst. Professor of Computer Science, affiliated faculty at ISI,

1.03k views • 101 slides
Single Source Since 1989 Proprietary : Smt. Praveena Kanunga Wife of S.L.Kanunga (GPA Holder)

Single Source Since 1989 Proprietary : Smt. Praveena Kanunga Wife of S.L.Kanunga (GPA Holder)

Single Source Since 1989 Proprietary : Smt. Praveena Kanunga Wife of S.L.Kanunga (GPA Holder) PRODUCT RANGE multishrink HEAT SHRINKING KITS FOR POWER CABLES (XLPE / PILC / PVC) 33/22/11 KV + LT 1.1 KV GRADE + ABC Cables IS-13573 .

566 views • 45 slides
Open Quantum Systems Maison Jean Kuntzmann - 29 novembre au 02 d ecembre 2010 Lieb-Robinson

Open Quantum Systems Maison Jean Kuntzmann - 29 novembre au 02 d ecembre 2010 Lieb-Robinson

Institut Fourier - UFR de Math ematiques (Grenoble UI) Open Quantum Systems Maison Jean Kuntzmann - 29 novembre au 02 d ecembre 2010 Lieb-Robinson Bounds and Construction of Dynamics Valentin A. ZAGREBNOV Universit e de la M

630 views • 15 slides
11/15/2012 Public Health Quality Improvement 101 Public Health Quality Improvement 101 Learning,

11/15/2012 Public Health Quality Improvement 101 Public Health Quality Improvement 101 Learning,

11/15/2012 Public Health Quality Improvement 101 Public Health Quality Improvement 101 Learning, Experiencing, &amp; Doing Quality Improvement Workshop 2 November 15 th , 2012 Good Morning! Good Morning! 2 Public Health Quality Improvement 101

440 views • 15 slides
AMP: Program-Context Specific Buffer Caching Feng Zhou, Rob von Behren, Eric Brewer University

AMP: Program-Context Specific Buffer Caching Feng Zhou, Rob von Behren, Eric Brewer University

AMP: Program-Context Specific Buffer Caching Feng Zhou, Rob von Behren, Eric Brewer University of California, Berkeley Usenix tech conf 2005, April 14, 2005 Buffer caching beyond LRU Buffer cache speeds up file reads by caching file

357 views • 14 slides
Operational amplifiers ENGR 40M lecture notes August 7, 2017 Chuan-Zheng Lee, Stanford

Operational amplifiers ENGR 40M lecture notes August 7, 2017 Chuan-Zheng Lee, Stanford

Operational amplifiers ENGR 40M lecture notes August 7, 2017 Chuan-Zheng Lee, Stanford University V DD v n i n v o v p + i p V DD An operational amplifier , or op-amp , is a device that outputs the difference between its two inputs, v

312 views • 4 slides
Transistor Amplifiers Lecture notes: Sec. 6 Sedra &amp; Smith (6 th Ed): Sec. 5.6, 5.8, 6.6 &amp;

Transistor Amplifiers Lecture notes: Sec. 6 Sedra &amp; Smith (6 th Ed): Sec. 5.6, 5.8, 6.6 &amp;

Transistor Amplifiers Lecture notes: Sec. 6 Sedra &amp; Smith (6 th Ed): Sec. 5.6, 5.8, 6.6 &amp; 6.8 Sedra &amp; Smith (5 th Ed): Sec. 4.6, 4.8, 5.6 &amp; 5.8 F. Najmabadi, ECE65, Winter 2012 How to add signal to the bias Bias &amp; Signal

927 views • 61 slides
Cloud Gateways Suli Yang, Kiran Srinivasan, Kishore Udayashankar, Swetha Krishnan, Jingxin Feng,

Cloud Gateways Suli Yang, Kiran Srinivasan, Kishore Udayashankar, Swetha Krishnan, Jingxin Feng,

Tombolo: Performance Enhancements for Cloud Gateways Suli Yang, Kiran Srinivasan, Kishore Udayashankar, Swetha Krishnan, Jingxin Feng, Yupu Zhang, Andrea C. Arpaci-Dusseau, Remzi H. Arpaci-Dusseau 1 Storage is Moving to the Cloud Clients

618 views • 47 slides

More recommend