Notes:
- Abusing AD permissions from a standard user account.
- DS replication permissions (DCSync attack)
  - DS-Replication-Get-Changes
  - DS-Replication-Get-Changes-All
  - Allow a principal to retrieve NT hashes remotely via the MS-DRSR protocol for any security principal (e.g. the krbtgt account or a domain admin)
  - Detection: event ID 4662
  - Hunting: DS replication permissions
- Send As permission
  - Can be configured in AD or in the Exchange Admin Center
  - Detection: event ID 1
  - Hunting: SendAs permission
- Commonly targeted AD permissions
  - GenericAll, GenericWrite, WriteDACL, WriteOwner, User-Force-Change-Password
- Valuable AD attributes
  - ms-Mcs-AdmPwd, msDS-KeyCredentialLink, msDS-AllowedToActOnBehalfOfOtherIdentity
- Backdoor added for access to the ADFS Token Signing Certificate (TSC)
  - Golden SAML token attack
  - Bypasses MFA and grants access to cloud services
  - The TSC is considered the bedrock of ADFS security
  - The ADFS service account and local administrators can access the container
  - Hunting: review the authentication policy for backdoor access to the Token Signing Certificate
- AdminSDHolder and SDProp
  - Hunting: review the DACL template on the AdminSDHolder container
  - Detection: directory service access event ID 4662
- Credential harvesting via AAD with the PTA agent
  - PTA: pass-through authentication
  - Hunting: suspicious DLL at the PTA agent
  - Detection: PTASpy
- Machine$ account
  - Steal the machine account hash and forge a silver ticket.
  - Password rotated every 30 days
  - Hunting: suspicious registry value (MaximumPasswordAge)
  - Detection: unapproved changes
- Creating a malicious GPO
  - Requires delegated rights to edit the GPO
  - Push ransomware via logon script
  - Schedule a malicious task
  - Enable weak LAN Manager (LANMAN) hash authentication
  - Create a restricted group
  - Hunting: review GPO permissions and the DACL of the SYSVOL folder
  - Detection: event IDs 5136, 5137
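As an added example (not part of the original notes), a small Python check that applies the event ID 4662 detection from the DCSync bullet above to constructed sample events: it flags a control-access (mask 0x100) 4662 whose Properties field names a replication right GUID when the subject is not a known domain controller account. The two GUIDs are the well-known control access right GUIDs for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; the sample events and the trusted-account list are constructed assumptions, and in a real environment that list must also cover legitimate replication consumers (for example the Azure AD Connect sync account) to avoid benign hits.

```python
import re

# Well-known control access right GUIDs for the two replication extended rights.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

# ADS_RIGHT_DS_CONTROL_ACCESS: 4662 reports extended-right use with this bit set.
CONTROL_ACCESS = 0x100

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample 4662 events, reduced to the fields the check needs.
SAMPLE_4662_EVENTS = [
    # DC-to-DC replication: expected, should not alert.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC01$",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary user exercising Get-Changes-All against the domain head: DCSync pattern.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Same user, a normal property write on a user object: not relevant.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectType": "user", "AccessMask": "0x10",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def is_dcsync_candidate(event, trusted_accounts):
    """True when a principal outside trusted_accounts used a replication right."""
    if event.get("EventID") != 4662:
        return False
    if int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
        return False
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    if not guids & REPLICATION_RIGHTS:
        return False
    subject = f"{event['SubjectDomainName']}\\{event['SubjectUserName']}".upper()
    return subject not in trusted_accounts


def find_dcsync(events, trusted_accounts):
    """Return the events that match the DCSync pattern; trusted accounts are DOMAIN\\name."""
    trusted = {t.upper() for t in trusted_accounts}
    return [e for e in events if is_dcsync_candidate(e, trusted)]
```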
Links:
- https://www.youtube.com/watch?v=xeCCYmE4bZM