how to impress your management
play

How to impress your management when you are an Active Directory - PowerPoint PPT Presentation

Sep 24, 2023 •217 likes •584 views

How to impress your management when you are an Active Directory noob? Vincent LE TOUX 15:15 -> 16:00 #RomHack2019 28th of September 2019 in Rome Whoami Vincent LE TOUX https://www.pingcastle.com / @mysmartlogon Management (Architect,

  1. How to impress your management when you are an Active Directory noob? Vincent LE TOUX – 15:15 -> 16:00 #RomHack2019 28th of September 2019 in Rome

  2. Whoami Vincent LE TOUX https://www.pingcastle.com / @mysmartlogon Management (Architect, Blue team, CISO) • Former AD Newbie (not an admin) • Write code (GIDS applet, OpenPGP card • driver, OpenSC, mimikatz, PingCastle , …) Now Speaker (blackhat, bluehat, troopers, • hackinParis , first, …)

  3. So you want to impress Jean-Luc? Jean- Luc (it’s so French) is your manager He somewhat knows that AD is important for security (because he types his password to log on) But as a manager, he has 100+ subjects to cover You’re the security guy: fix it without additional budget!

  4. But… What happens when you talk security in general Mimikatz extract You need to fix the password in clear text. Active Directory before You can build golden a new NotPetya ! ticket with krbtgt hash.

  5. THE BASICS BECAUSE JEAN-PIERRE ASKS FOR « BASIC » QUESTIONS

  6. Where is the 101 AD course? Framework Focused General I just wanted to answer the stupid question « How much domains do I have ? » Tools

  7. Starting with simple questions: How much users do I have in my domain? Fast (2 minutes), but require RSAT versus Slow (> 40 minutes), but no prerequisite

  8. Starting with simple questions: How much domains are connected? Trust dialog => requires RSAT Get-ADTrust or netdom => Requires RSAT PowerView => part of Empire Need the Admin! (but he has other things to do) The 2 top pages of google search for « list active directory trust » return inapplicable links

  9. Goal: provide a global overview Objective: Build a AD map and identify the major vulnerabilities Inspired from: Previous audit (ex: ADSA, …) + best practices Idea: Bind each problem to the team accountable for it

  10. Powershell: Challenge of a scripting language Easy to modify But Hard to debug (remotely) Output: NULL / an object / an array Enumerate group when a member is a FSP Few expertise locally

  11. And as a consequence so many versions # history: # 2015-07 proof of concept made after the AD security workshop # 2015-09 bug fixing & adaptation for GSIT # 2015-10 first POC after adaptation made # 2015-11 POC finalization after comments from corporate security Feedback from AD expert « challenging » (a newbie coming to them) About 6 months of trial & error process before getting Difficulties to share technical something stable information vs KPI

  12. Demo

  13. IT’S HARD TO FIX THINGS BECAUSE THERE IS NO MAGIC

  14. 102: the Vulnerability scanner Scan systems and report vulnerabilities Run every month/quarter Provide list of fixes to apply Forward to the admin, Right ?

  15. Testing if the problem has been fixed Because you don’t want to wait for 1 month Require Linux, admin right, or mixed environment And … Not 100% reliable https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/ https://www.adampalmer.me/iodigitalsec/2013/08/10/windows-null-session-enumeration/

  16. Real null session enumeration MS-SAMR MS-LSAT Well known null session « Just » translate SID from « S-1-5-2345-34876-345- Aka: connect and 500 » to « administrator » enumerate users with the user named « » Then S-1-5-2345-34876-345-501 Then S-1-5-2345-34876-345-502 Then S-1-5-2345-34876-345-503 …

  17. « Secret » Root causes Windows 2003 DC installed 15 years ago Sharepoint SPN missing (*) You can modify the AD behavior with the special attribute dSHeuristics Not obvious. How can you be 100% sure of a remediation?

  18. IMPRESS THE AD GUY BECAUSE THE AD GUY WILL DO 80% OF THE JOB AND YOU DID A BAD JOB WILL VULNERABILITIES

  19. Detect unpatched computers With normal authentication net time \\domaincontroller1.corp.local No public Windows Update info. But if a server is unpatched, it is Without any authentication! not rebooted for a while … https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/63abf97c-0d09-47e2-88d6-6bfa552949a5

  20. Trust creation time / is active whenCreated=trust creation If whenChanged + 30 days < today, then trust is inactive

  21. Meta « data » 1/2 Help to answer many questions Retrieved by ldp.exe or ADSIEdit with computed attributes (not ADExplorer) unicodePwd https://github.com/vletoux/ADSecrets/blob/master/AttdIDToAttribute

  22. Meta « data » 2/2 Answer question such as: Number of time the krbtgt password has been changed and when is the last time (reset clears pwdlastset) See MS-ADTS 3.1.1.2.1 Schema NC: Last time the schema has been changed Number of changes since the creation of the forest Backup time & strategy via dSASignature

  23. Demo Enumerate users of the bastion Check if Sysmon / AV is installed https://github.com/vletoux/TestAntivirus/blob/ master/testAV.ps1

  24. LESSONS LEARNED DEALING WITH « MANAGEMENT »

  25. Management ❤ simplicity Make Actions Simple enough To be understood By the Management

  26. Do not waste the management’s energy The more domains… the more you discover Tieredness if the discovery is too slow Published research on AD discovery (up to a depth of 5 levels) https://www.bluehatil.com/2018/files/Active%20Directory%20 What%20Can%20Make%20Your%20Million%20Dollar%20SIEM %20Go%20Blind.pdf

  27. READY? HOW TO IMPRESS YOUR MANAGEMENT?

  28. 1. Ask to run PingCastle Ask Jean-Luc To make ALL AD Owner run PingCaslte ONCE this quarter To evaluate the budget for NEXT YEAR And it costs no money

  29. 2. PingCastle Magic

  30. 3. Explain to the lower management Happy Jean-Luc Angry Jean-Luc

  31. 4. Go back to Jean-Luc Thanks to Jean- Luc’s decision: There is a NEW security indicator Jean-Luc can demonstrate to its management that the security subject is his own Jean- Luc can demonstrate measurable results … and get budget to get faster, or make its management accountable

  32. This is called « maturity » Mix management & technical topics by calling « maturity » Inspired from CMMI (from Carnegie Mellon which designed also CERT)

  33. Full PingCastle methodology https://www.pingcastle.com/methodology/

  34. CONCLUSION

  35. PingCastle do not stop mimikatz Vendors are selling big houses … without any foundation. As a consequence, it collapses. You got no mimikatz detection! PingCastle focuses on building the foundation. Then, it’s up to you to build the PingCastle’s responsibility mimikatz detection you want. No more excuse, just run PingCastle as Jean- Luc ordered https://www.pingcastle.com/download Your responsibility

Recommend

Management of the ImprESS Project 586410-EPP-1-2017-1- RS-EPPKA2-CBHE-JP

Management of the ImprESS Project 586410-EPP-1-2017-1- RS-EPPKA2-CBHE-JP

Improving Academic and Professional Education Capacity in Serbia in the Area of Safety &amp; Security (by Means of Strategic Partnership with the EU) - IMPRESS Management of the ImprESS Project 586410-EPP-1-2017-1- RS-EPPKA2-CBHE-JP

424 views • 25 slides
Kragujevac R-tech KG ImprESS Kick-off meeting BELGRADE, December 20 th 2017 IMPROVING ACADEMIC

Kragujevac R-tech KG ImprESS Kick-off meeting BELGRADE, December 20 th 2017 IMPROVING ACADEMIC

Improving Academic and Professional Education Capacity in Serbia in the Area of Safety &amp; Security (by Means of Strategic Partnership with the EU) - IMPRESS Steinbeis advanced risk technologies institute doo Kragujevac R-tech KG ImprESS

398 views • 11 slides
Using Open Office Impress Starting off Open Impress. If a new presentation is not already open

Using Open Office Impress Starting off Open Impress. If a new presentation is not already open

Open Office Impress Page 1 Using Open Office Impress Starting off Open Impress. If a new presentation is not already open for you, choose to create a Empty Presentation and click Create. Do not go to Next, this is what we will be doing later!

371 views • 8 slides
3D Models in Impress Tams Zolnai &lt;tamas.zolnai@collabora.com&gt; ztamas, #libreoffice-dev,

3D Models in Impress Tams Zolnai &lt;tamas.zolnai@collabora.com&gt; ztamas, #libreoffice-dev,

3D Models in Impress Tams Zolnai &lt;tamas.zolnai@collabora.com&gt; ztamas, #libreoffice-dev, irc.freenode.net What is it all about? Inserting models in open format of COLLADA / glTF / KMZ to Impress Insert-&gt;Object-&gt;3D Model...

502 views • 12 slides
What is the truth? Okay, 600,000 years of ice data doesnt impress me much Why should I

What is the truth? Okay, 600,000 years of ice data doesnt impress me much Why should I

What is the truth? Okay, 600,000 years of ice data doesnt impress me much Why should I bother? Because all levels of government say so. And It makes great business sense. What can you expect today at no extra cost &amp; no

606 views • 36 slides
CRAFT A PRESENTATION THAT WILL IMPRESS YOUR AUDIENCE AND ADD VALUE TO THE MEETING Practical

CRAFT A PRESENTATION THAT WILL IMPRESS YOUR AUDIENCE AND ADD VALUE TO THE MEETING Practical

CRAFT A PRESENTATION THAT WILL IMPRESS YOUR AUDIENCE AND ADD VALUE TO THE MEETING Practical exercises and professional tips that will help you frame your next presentation to a board, your team, a potential client or an industry group.

289 views • 12 slides
Want to impress your boy friend / girl friend? SAT Modulo Ordinary Differential Equations An

Want to impress your boy friend / girl friend? SAT Modulo Ordinary Differential Equations An

Want to impress your boy friend / girl friend? SAT Modulo Ordinary Differential Equations An Analysis Method for Hybrid Systems Martin Frnzle 1 with slides, L A T EX souce, etc., by Andreas Eggers 1 Christian Herde 1 Nacim Ramdani 2

889 views • 39 slides
Why not impress your guests with a delicious Veal Shank Frenched naturally from cooking

Why not impress your guests with a delicious Veal Shank Frenched naturally from cooking

Why not impress your guests with a delicious Veal Shank Frenched naturally from cooking Montpaks Tower of Pisa Serves 4-6 people Beforehand: Defrost the frozen veal shanks in the fridge overnight. Step 1 . Preheat oven at 400 F .

194 views • 4 slides
One page, one point Presentations to Impress Learn Do A presentation with Delete paragraph 2

One page, one point Presentations to Impress Learn Do A presentation with Delete paragraph 2

One page, one point Presentations to Impress Learn Do A presentation with Delete paragraph 2 and 3. Then, increase the type size of paragraph 1. endless pages of text will put your audience to 1. Helps you hydrate sleep. So simplify your

198 views • 7 slides
This presentation was created in OpenOffice 2.0 Impress and later converted to Powerpoint

This presentation was created in OpenOffice 2.0 Impress and later converted to Powerpoint

A note on these slides: A note on these slides: This presentation was created in OpenOffice 2.0 Impress and later converted to Powerpoint format. Some slides and fonts may look slightly funky as a result. You can download the original .odp

649 views • 47 slides
ABSTRACT THEMED POWERPOINT TEMPLATE Content Slide Your Content Here You can simply impress

ABSTRACT THEMED POWERPOINT TEMPLATE Content Slide Your Content Here You can simply impress

ABSTRACT THEMED POWERPOINT TEMPLATE Content Slide Your Content Here You can simply impress your audience and add a unique zing and appeal to your Presentations. I hope and I believe that this Template will your Time, Money and Reputation.

244 views • 10 slides
Courtesy to Impress 1/27/2017 Agenda B1. Job Interview Courtesies B2. Making

Courtesy to Impress 1/27/2017 Agenda B1. Job Interview Courtesies B2. Making

California Cadet Corps Curriculum on Military Courtesy Courtesy to Impress 1/27/2017 Agenda B1. Job Interview Courtesies B2. Making Introductions B3. Formal Introductions B4. Informal Introductions B5.

915 views • 75 slides
Dress to Impress Who Costume Designers Are and How They Create Masterpieces By Sydney Enthoven

Dress to Impress Who Costume Designers Are and How They Create Masterpieces By Sydney Enthoven

Dress to Impress Who Costume Designers Are and How They Create Masterpieces By Sydney Enthoven June 2019 Achievement in Costume Design (2019) Ruth E. Carter Cowry shells What is a costume designer? Famous Designers Edith Head (1897-1981)

736 views • 29 slides
Dress to Impress Who Costume Designers Are and How They Create Masterpieces By Sydney Enthoven

Dress to Impress Who Costume Designers Are and How They Create Masterpieces By Sydney Enthoven

Dress to Impress Who Costume Designers Are and How They Create Masterpieces By Sydney Enthoven June 2019 Achievement in Costume Design (2019) Ruth E. Carter Cowry shells What is a costume designer? Famous Designers Edith Head (1897-1981)

320 views • 28 slides
TITLE INSERT THE TITLE OF YOUR PRESENTATION HERE Contents You can simply impress your audience

TITLE INSERT THE TITLE OF YOUR PRESENTATION HERE Contents You can simply impress your audience

TITLE INSERT THE TITLE OF YOUR PRESENTATION HERE Contents You can simply impress your audience 01 Your Text Here and add a unique zing. You can simply impress your audience 02 Your Text Here and add a unique zing. You can simply

656 views • 16 slides
HOW TO LEVERAGE VIDEO MARKETING TO IMPRESS YOUR BUYERS INTRO VIDEO CONTENT CONTINUES TO

HOW TO LEVERAGE VIDEO MARKETING TO IMPRESS YOUR BUYERS INTRO VIDEO CONTENT CONTINUES TO

WEBINAR / / HOW TO LEVERAGE VIDEO MARKETING TO IMPRESS YOUR BUYERS INTRO VIDEO CONTENT CONTINUES TO DOMINATE ONLINE HERES WHAT YOULL LEARN PART ONE PART TWO PART THREE PART FOUR Video: Its like Youre Appear More

433 views • 16 slides
http://www.free-powerpoint-templates-design.com @ @ : @ @ 01 03 04

http://www.free-powerpoint-templates-design.com @ @ : @ @ 01 03 04

http://www.free-powerpoint-templates-design.com @ @ : @ @ 01 03 04 Your Text Here Your Text Here 01 You can simply impress your 04 You can simply impress your audience and add a unique zing and audience and

493 views • 30 slides
Scripting Apache OpenOffice Introductory Nutshell Programs (Writer, Calc, Impress) Rony G.

Scripting Apache OpenOffice Introductory Nutshell Programs (Writer, Calc, Impress) Rony G.

Scripting Apache OpenOffice Introductory Nutshell Programs (Writer, Calc, Impress) Rony G. Flatscher Overview Overview of AOO Bird eye's view of AOO's architecture Scripting AOO Nutshell examples swriter (word

1.07k views • 84 slides
Business Proposal Infographic Style Your Text Here Your Text Here Your Text Here Your Text

Business Proposal Infographic Style Your Text Here Your Text Here Your Text Here Your Text

Business Proposal Infographic Style Your Text Here Your Text Here Your Text Here Your Text Here Your Text Here You can simply You can simply You can simply You can simply You can simply impress your impress your impress

392 views • 23 slides
Introduction to StarOffice 7 Presentations (Impress) Table of Contents Opening

Introduction to StarOffice 7 Presentations (Impress) Table of Contents Opening

SO7002 Introduction to StarOffice Presentations 1 Introduction to StarOffice 7 Presentations (Impress) Table of Contents Opening

841 views • 7 slides
SHB: Introduction &amp; involvement in ImprESS Project Kick-off Meeting Belgrade, Dec. 20, 2017

SHB: Introduction &amp; involvement in ImprESS Project Kick-off Meeting Belgrade, Dec. 20, 2017

Impr Improving Ac Acad ademic and and Prof rofessio ional Educ ducatio ion Cap Capacity in n Se Serbia in n the Area rea of of Saf Safety &amp; Sec Security (b (by y Means of of St Strategic Par artnership ip wit ith the EU)

217 views • 7 slides
Knights Dress Code Knights Dress Code Knights Dress Code Knights Dress Code Presented by

Knights Dress Code Knights Dress Code Knights Dress Code Knights Dress Code Presented by

Knights Dress Code Knights Dress Code Knights Dress Code Knights Dress Code Presented by Student Council A A A A Knight Knight Knight is always Knight is always is always is always dressed to impress! dressed to impress! dressed to

797 views • 12 slides
MANUFACTURING MANAGEMENT CAPACITY MANAGEMENT What is Capacity management The management of

MANUFACTURING MANAGEMENT CAPACITY MANAGEMENT What is Capacity management The management of

MANUFACTURING MANAGEMENT CAPACITY MANAGEMENT What is Capacity management The management of the limits of an organization's resources, such as its labor force, manufacturing and office space, technology and equipment, raw materials, and

617 views • 26 slides
Resource Resource Management Management RESOURCE MANAGEMENT RESOURCE MANAGEMENT We have a

Resource Resource Management Management RESOURCE MANAGEMENT RESOURCE MANAGEMENT We have a

Moreno Baricevic Stefano Cozzini CNR-IOM DEMOCRITOS Trieste, ITALY Resource Resource Management Management RESOURCE MANAGEMENT RESOURCE MANAGEMENT We have a pool of users and a pool of resources, then what? some software that controls

538 views • 22 slides

More recommend