1
00:00:00,000 --> 00:00:02,040
Hey there, ready to dive deep.

2
00:00:02,040 --> 00:00:05,480
Today, we're going to tackle active directory security.

3
00:00:05,480 --> 00:00:08,640
It's kind of like the VIP list for your company's network,

4
00:00:08,640 --> 00:00:10,600
like who gets in, what they can access.

5
00:00:10,600 --> 00:00:12,680
It's all controlled through active directory.

6
00:00:12,680 --> 00:00:14,680
And you give us a ton of great material for this,

7
00:00:14,680 --> 00:00:17,280
a whole handbook on active directory security,

8
00:00:17,280 --> 00:00:19,640
exploitation, and mitigation techniques.

9
00:00:19,640 --> 00:00:22,440
So we're going to walk through the most common attack techniques,

10
00:00:22,440 --> 00:00:25,200
how to spot them, and of course, how to protect yourself.

11
00:00:25,200 --> 00:00:26,160
That's right.

12
00:00:26,160 --> 00:00:28,040
Active directory is powerful, no doubt,

13
00:00:28,040 --> 00:00:30,840
but it's also a prime target for attackers.

14
00:00:30,840 --> 00:00:33,320
It can be a complex topic, but we're going to try to break it

15
00:00:33,320 --> 00:00:36,280
down in a way that makes sense no matter your tech level.

16
00:00:36,280 --> 00:00:39,080
By the end of this deep dive, you'll understand why securing

17
00:00:39,080 --> 00:00:41,360
your active directory is non-negotiable.

18
00:00:41,360 --> 00:00:43,080
OK, so let's unpack this a little bit.

19
00:00:43,080 --> 00:00:45,800
What exactly IS active directory?

20
00:00:45,800 --> 00:00:47,480
And why should we be so worried about it?

21
00:00:47,480 --> 00:00:50,160
So active directory, or AD, as it's often called,

22
00:00:50,160 --> 00:00:52,920
it's like the brains of most organizations' networks.

23
00:00:52,920 --> 00:00:56,840
It manages users, computers, permissions, security policies,

24
00:00:56,840 --> 00:00:59,200
really everything runs through AD.

25
00:00:59,200 --> 00:01:01,760
So if someone gains control of AD, they essentially

26
00:01:01,760 --> 00:01:02,920
control the whole network.

27
00:01:02,920 --> 00:01:03,800
Exactly.

28
00:01:03,800 --> 00:01:05,240
And that's what makes it so dangerous.

29
00:01:05,240 --> 00:01:08,360
We're talking complete system takeover, data breaches,

30
00:01:08,360 --> 00:01:10,240
ransomware attacks, you name it.

31
00:01:10,240 --> 00:01:12,680
OK, I'm starting to see why this is a big deal.

32
00:01:12,680 --> 00:01:16,160
So let's say an attacker is targeting AD.

33
00:01:16,160 --> 00:01:17,760
How would they even go about it?

34
00:01:17,760 --> 00:01:20,000
Well, think of it like a classic heist movie.

35
00:01:20,000 --> 00:01:23,080
There are basically three main stages to an AD attack,

36
00:01:23,080 --> 00:01:25,840
discovery, privilege escalation, and lateral movement.

37
00:01:25,840 --> 00:01:27,040
All right, walk me through those stages.

38
00:01:27,040 --> 00:01:28,120
What happens in each one?

39
00:01:28,120 --> 00:01:29,560
First, you have discovery.

40
00:01:29,560 --> 00:01:31,960
This is where the attackers are gathering intel,

41
00:01:31,960 --> 00:01:34,520
figuring out the layout of your network, right?

42
00:01:34,520 --> 00:01:37,480
Identifying any valuable targets and spotting weaknesses

43
00:01:37,480 --> 00:01:38,360
they can exploit.

44
00:01:38,360 --> 00:01:40,880
So they're doing reconnaissance, casing the joint.

45
00:01:40,880 --> 00:01:41,560
Precisely.

46
00:01:41,560 --> 00:01:44,800
They're looking for user accounts, domain controllers,

47
00:01:44,800 --> 00:01:47,800
vulnerable systems, anything that can give them a foothold.

48
00:01:47,800 --> 00:01:50,080
OK, so they've scoped out the place.

49
00:01:50,080 --> 00:01:51,080
What happens next?

50
00:01:51,080 --> 00:01:53,840
Stage two is privilege escalation.

51
00:01:53,840 --> 00:01:56,880
Now, they're trying to get their hands on some admin credentials,

52
00:01:56,880 --> 00:01:59,160
essentially giving them the keys to the kingdom.

53
00:01:59,160 --> 00:02:02,040
They might steal passwords, exploit vulnerabilities,

54
00:02:02,040 --> 00:02:04,880
or even trick users into giving them access.

55
00:02:04,880 --> 00:02:05,920
Sneaky.

56
00:02:05,920 --> 00:02:09,360
So once they've got those admin privileges, what's stopping them?

57
00:02:09,360 --> 00:02:10,400
Nothing, really.

58
00:02:10,400 --> 00:02:12,160
That's where lateral movement comes in.

59
00:02:12,160 --> 00:02:15,040
They can then use their newfound power to access

60
00:02:15,040 --> 00:02:19,600
sensitive data, spread malware, or take control of other systems.

61
00:02:19,600 --> 00:02:21,520
It's like they have an all-access pass

62
00:02:21,520 --> 00:02:23,600
to your entire network.

63
00:02:23,600 --> 00:02:25,560
This is sounding pretty scary.

64
00:02:25,560 --> 00:02:27,760
And this whole process can actually take time, right?

65
00:02:27,760 --> 00:02:30,400
It's not like they just break in and steal everything at once.

66
00:02:30,400 --> 00:02:31,760
You're absolutely right.

67
00:02:31,760 --> 00:02:34,240
Studies have shown that attackers can linger in a network

68
00:02:34,240 --> 00:02:36,320
for months before they're detected,

69
00:02:36,320 --> 00:02:38,240
slowly expanding their control,

70
00:02:38,240 --> 00:02:40,320
and doing a lot of damage along the way.

71
00:02:40,320 --> 00:02:43,640
That's why understanding their specific tactics is so important.

72
00:02:43,640 --> 00:02:45,600
OK, so let's get into some of those tactics then.

73
00:02:45,600 --> 00:02:47,760
What are some of the ways attackers can actually break

74
00:02:47,760 --> 00:02:49,360
into active directory?

75
00:02:49,360 --> 00:02:51,440
One very common technique involves what

76
00:02:51,440 --> 00:02:54,320
are called alternate authentication methods.

77
00:02:54,320 --> 00:02:57,760
Essentially, it's a way to bypass normal login procedures.

78
00:02:57,760 --> 00:02:59,200
Interesting. How does that work?

79
00:02:59,200 --> 00:03:01,680
Well, two popular methods are pass-the-hash,

80
00:03:01,680 --> 00:03:05,680
PTH for short, and pass-the-ticket, or PTT.

81
00:03:05,680 --> 00:03:08,960
They both exploit weaknesses in how Windows handles authentication.

82
00:03:08,960 --> 00:03:11,280
So instead of trying to steal my password directly,

83
00:03:11,280 --> 00:03:12,480
they're going after something else.

84
00:03:12,480 --> 00:03:13,520
Exactly.

85
00:03:13,520 --> 00:03:16,480
With PTH, they're targeting a specific protocol called

86
00:03:16,480 --> 00:03:20,880
NTLM, which is used to verify your identity on the network.

87
00:03:20,880 --> 00:03:22,640
OK, so what's wrong with NTLM?

88
00:03:22,640 --> 00:03:25,840
The issue is that NTLM relies on a pre-computed hash

89
00:03:25,840 --> 00:03:26,960
of your password.

90
00:03:26,960 --> 00:03:30,000
It's kind of like a secret code that represents your password.

91
00:03:30,000 --> 00:03:31,920
If an attacker can steal this hash,

92
00:03:31,920 --> 00:03:34,000
they can actually impersonate you on the network

93
00:03:34,000 --> 00:03:36,000
without ever knowing your actual password.

94
00:03:36,000 --> 00:03:38,960
Wow, so they're basically creating a copy of my key,

95
00:03:38,960 --> 00:03:40,400
and the system doesn't even know the difference.

96
00:03:40,400 --> 00:03:41,840
That's the danger.

97
00:03:41,840 --> 00:03:44,080
And there are a few ways they can get this hash.

98
00:03:44,080 --> 00:03:46,400
They might infect your computer with malware,

99
00:03:46,400 --> 00:03:50,560
snoop on network traffic, or even find it in system backups.

100
00:03:50,560 --> 00:03:54,000
Tools like Mimikatz are specifically designed to extract these hashes.

101
00:03:54,000 --> 00:03:56,640
Mimikatz sounds like something out of a spy movie.

102
00:03:56,640 --> 00:03:57,840
It does, doesn't it?

103
00:03:57,840 --> 00:03:58,160
Yeah.

104
00:03:58,160 --> 00:03:59,760
But it's a very real threat.

105
00:03:59,760 --> 00:04:02,080
Once they have your hash, they can use it to authenticate

106
00:04:02,080 --> 00:04:04,800
to other systems and move laterally through the network.

107
00:04:04,800 --> 00:04:08,080
It's a fast and effective way to escalate privileges.

108
00:04:08,080 --> 00:04:10,960
OK, so PTH is all about exploiting NTLM.

109
00:04:12,000 --> 00:04:13,280
What about past the ticket?

110
00:04:13,280 --> 00:04:14,240
How does that one work?

111
00:04:14,240 --> 00:04:18,800
PTT focuses on Kerberos, another authentication protocol used by Windows.

112
00:04:18,800 --> 00:04:21,600
This time they're after something called a ticket granting ticket,

113
00:04:21,600 --> 00:04:22,720
or TGT.

114
00:04:22,720 --> 00:04:24,640
A TGT, what's so special about that?

115
00:04:24,640 --> 00:04:26,960
Think of it as like a master key for your network.

116
00:04:26,960 --> 00:04:30,160
Once you have a TGT, you can access many resources

117
00:04:30,160 --> 00:04:32,720
without needing to enter your password every single time.

118
00:04:32,720 --> 00:04:37,120
So if an attacker steals my TGT, they can just roam freely through my network.

119
00:04:37,120 --> 00:04:38,960
You got it, and it gets even worse.

120
00:04:39,520 --> 00:04:44,320
They can use that stolen TGT to request additional tickets for specific services,

121
00:04:44,320 --> 00:04:46,080
giving them even more access.

122
00:04:46,080 --> 00:04:48,880
It's like they're collecting keys to every room in your house.

123
00:04:48,880 --> 00:04:52,560
Yikes, how did they even get their hands on these TGTs in the first place?

124
00:04:52,560 --> 00:04:56,640
Tools like Mimikatz, Kekeo, and Rubeus are their weapons of choice.

125
00:04:56,640 --> 00:05:01,040
These tools are specifically designed to extract and manipulate Kerberos tickets.

126
00:05:01,040 --> 00:05:02,000
This is a lot to take in.

127
00:05:02,000 --> 00:05:05,280
Is there any way to tell if these attacks are actually happening in my network right now?

128
00:05:05,280 --> 00:05:06,000
Absolutely.

129
00:05:06,000 --> 00:05:11,680
There are specific events in your system logs that can signal PTH or PTT activity.

130
00:05:11,680 --> 00:05:16,800
Things like event IDs 1, 5, 10, 4, 6, 24, and a few others.

131
00:05:16,800 --> 00:05:20,080
If you see these events popping up especially in unusual patterns,

132
00:05:20,080 --> 00:05:22,000
it could be a sign that something's wrong.

133
00:05:22,000 --> 00:05:24,480
Okay, so we need to keep a close eye on those event logs.

134
00:05:25,040 --> 00:05:26,880
But what about defenses?

135
00:05:26,880 --> 00:05:31,920
How can we make it harder for attackers to pull off these PTH and PTT attacks in the first place?

136
00:05:31,920 --> 00:05:36,000
One of the most effective measures is enabling Windows Defender Credential Guard.

137
00:05:36,000 --> 00:05:39,680
It uses virtualization to protect those sensitive credential materials,

138
00:05:39,680 --> 00:05:43,440
making it much harder for attackers to steal those hashes or tickets.

139
00:05:43,440 --> 00:05:46,480
So lock down those credentials, make them Fort Knox level secure.

140
00:05:46,480 --> 00:05:47,120
Exactly.

141
00:05:47,120 --> 00:05:50,720
And on top of that, good old fashioned password hygiene is still crucial.

142
00:05:51,360 --> 00:05:53,680
Randomizing those local admin passwords,

143
00:05:53,680 --> 00:05:58,240
restricting who has admin privileges and limiting the number of devices with admin rights can

144
00:05:58,240 --> 00:05:59,280
make a world of difference.

145
00:05:59,280 --> 00:06:01,120
Right, so it's not just about the technical solutions.

146
00:06:01,120 --> 00:06:04,000
It's also about good security practices in general.

147
00:06:04,000 --> 00:06:04,880
Absolutely.

148
00:06:04,880 --> 00:06:09,200
And of course, staying informed about new threats and mitigation techniques is key.

149
00:06:09,200 --> 00:06:11,920
The cybersecurity landscape is always evolving.

150
00:06:11,920 --> 00:06:12,720
Always learning.

151
00:06:12,720 --> 00:06:13,520
Always adapting.

152
00:06:14,080 --> 00:06:15,920
All right, we've covered PTH and PTT.

153
00:06:17,360 --> 00:06:20,800
What other sneaky active directory attacks do we need to know about?

154
00:06:20,800 --> 00:06:22,640
Well, let's talk about Kerberoasting.

155
00:06:22,640 --> 00:06:27,040
This one targets service accounts with SPNs, that stands for service principal names.

156
00:06:27,040 --> 00:06:29,120
Okay, you're going to have to break that down for me.

157
00:06:29,120 --> 00:06:31,760
What are service accounts and SPNs?

158
00:06:31,760 --> 00:06:34,720
Think of service accounts as special users on your network.

159
00:06:34,720 --> 00:06:38,400
They're responsible for running specific applications or services.

160
00:06:38,400 --> 00:06:41,600
They need their own set of credentials and that's where SPNs come in.

161
00:06:41,600 --> 00:06:44,080
So SPNs are like IDs for these service accounts.

162
00:06:44,080 --> 00:06:44,800
Exactly.

163
00:06:44,800 --> 00:06:48,400
They help clients identify and connect to the right service on the network.

164
00:06:48,400 --> 00:06:51,520
The problem is these SPNs are often linked to passwords.

165
00:06:51,520 --> 00:06:55,280
And Kerberos uses those passwords to encrypt certain tickets.

166
00:06:55,280 --> 00:06:57,360
Oh, I'm sensing a vulnerability here.

167
00:06:57,360 --> 00:06:57,760
You're right.

168
00:06:57,760 --> 00:07:02,400
Attackers can request these encrypted tickets, often using tools like Impacket and Rubeus.

169
00:07:02,400 --> 00:07:06,080
And then they'll try to crack the encryption offline using brute-force methods.

170
00:07:06,080 --> 00:07:10,080
So they're basically trying to crack the passwords associated with these service accounts.

171
00:07:10,080 --> 00:07:11,680
What happens if they succeed?

172
00:07:11,680 --> 00:07:15,840
If they manage to crack the encryption, they'll gain control of that service,

173
00:07:15,840 --> 00:07:20,640
which could give them access to sensitive data or even allow them to take control of critical systems.

174
00:07:20,640 --> 00:07:23,200
This is sounding like a disaster waiting to happen.

175
00:07:24,080 --> 00:07:26,880
How can we tell if a Kerberoasting attack is going on?

176
00:07:26,880 --> 00:07:32,160
Keep an eye out for event IDs 4769 and 4770 in your logs.

177
00:07:32,160 --> 00:07:37,120
These events record Kerberos service ticket requests, and any unusual patterns can point to

178
00:07:37,120 --> 00:07:38,320
Kerberoasting activity.

179
00:07:38,320 --> 00:07:40,800
Another red flag for our log analysis checklist.

180
00:07:41,840 --> 00:07:42,720
Got it.

181
00:07:42,720 --> 00:07:45,360
So how do we protect ourselves from Kerberoasting?

182
00:07:45,360 --> 00:07:49,600
First and foremost, make sure those service account passwords are strong and unique.

183
00:07:49,600 --> 00:07:51,840
Think long, complex, and random.

184
00:07:51,840 --> 00:07:54,160
Don't reuse passwords across different accounts.

185
00:07:54,160 --> 00:07:55,920
That's good password advice in general.

186
00:07:55,920 --> 00:07:56,560
It is.

187
00:07:56,560 --> 00:08:00,960
Another effective measure is to enable something called Kerberos armoring, or FAST.

188
00:08:00,960 --> 00:08:04,480
It makes it much harder to crack that encryption used in those Kerberos tickets.

189
00:08:04,480 --> 00:08:08,640
So it's like putting extra layers of armor around those passwords making them harder to break.

190
00:08:08,640 --> 00:08:09,520
Exactly.

191
00:08:09,520 --> 00:08:14,160
And if possible, try to move away from the RC4 encryption protocol in Kerberos.

192
00:08:14,160 --> 00:08:16,960
It's known to be weak and vulnerable to attacks.

193
00:08:16,960 --> 00:08:18,400
Okay, strong passwords.

194
00:08:18,400 --> 00:08:21,200
Kerberos armoring. Ditch RC4.

195
00:08:22,000 --> 00:08:22,880
Got it.

196
00:08:22,880 --> 00:08:26,640
What other active directory attack techniques should we be aware of?

197
00:08:26,640 --> 00:08:29,680
Let's talk about the infamous golden ticket attack.

198
00:08:29,680 --> 00:08:31,280
This one's a real showstopper.

199
00:08:31,280 --> 00:08:34,240
Golden ticket sounds almost desirable.

200
00:08:34,240 --> 00:08:35,200
Not so much.

201
00:08:35,200 --> 00:08:38,240
It's more like the ultimate skeleton key for your entire network.

202
00:08:38,240 --> 00:08:39,440
Okay, now you've got my attention.

203
00:08:40,160 --> 00:08:41,920
How does this golden ticket attack work?

204
00:08:41,920 --> 00:08:46,080
It all hinges on a special account called the krbtgt account.

205
00:08:46,080 --> 00:08:49,200
Think of it as the master keyholder for your entire domain.

206
00:08:49,680 --> 00:08:53,120
It has the power to encrypt and sign all the Kerberos tickets.

207
00:08:53,120 --> 00:08:57,440
So if you control the krbtgt account, you control the entire Kerberos system.

208
00:08:57,440 --> 00:09:01,280
Bingo. And that's exactly what the golden ticket attack aims to do.

209
00:09:01,280 --> 00:09:04,800
Attackers try to steal the krbtgt account's password hash.

210
00:09:04,800 --> 00:09:06,400
It's incredibly powerful.

211
00:09:06,400 --> 00:09:09,120
Hold on, this krbtgt account sounds pretty important.

212
00:09:09,120 --> 00:09:10,880
How do they even get access to it in the first place?

213
00:09:10,880 --> 00:09:12,080
It must be heavily guarded.

214
00:09:12,080 --> 00:09:13,680
It is, but no system is perfect.

215
00:09:13,680 --> 00:09:16,640
They might exploit vulnerabilities, use social engineering tricks,

216
00:09:16,640 --> 00:09:20,000
or if they've already gained admin access, they can just dump the hash from the domain

217
00:09:20,000 --> 00:09:21,120
controller's memory.

218
00:09:21,120 --> 00:09:23,280
Okay, let's say they got the krbtgt hash.

219
00:09:23,920 --> 00:09:25,120
What do they do with it?

220
00:09:25,120 --> 00:09:29,200
They use it to forge a special Kerberos ticket, and that's the golden ticket.

221
00:09:29,200 --> 00:09:33,520
It grants them virtually unlimited access to the network for as long as they want.

222
00:09:33,520 --> 00:09:35,920
Wait, as long as they want, that's terrifying.

223
00:09:35,920 --> 00:09:40,720
It is. They can impersonate any user, access any resource, and basically do whatever they please.

224
00:09:40,720 --> 00:09:42,160
And here's the kicker.

225
00:09:42,160 --> 00:09:45,760
Because it's forged with the actual krbtgt hash,

226
00:09:45,760 --> 00:09:48,400
it looks completely legitimate to the system.

227
00:09:48,400 --> 00:09:50,400
So it's like a magic key that never expires.

228
00:09:50,400 --> 00:09:51,280
Precisely.

229
00:09:51,280 --> 00:09:53,360
And it's incredibly difficult to detect.

230
00:09:53,360 --> 00:09:55,200
Okay, I'm officially freaked out.

231
00:09:55,200 --> 00:09:58,240
Are there any tools used for these golden ticket attacks?

232
00:09:58,240 --> 00:10:00,800
Mimikatz and Impacket are the usual suspects.

233
00:10:00,800 --> 00:10:05,040
Again, Mimikatz can extract the krbtgt hash and forge the ticket,

234
00:10:05,040 --> 00:10:07,760
while Impacket is used to inject the ticket and gain access.

235
00:10:07,760 --> 00:10:10,080
Like, those tools seem to be popping up everywhere.

236
00:10:10,080 --> 00:10:11,920
We definitely need to be on the lookout for them.

237
00:10:11,920 --> 00:10:16,800
But more importantly, how can we prevent these golden ticket attacks from happening in the first place?

238
00:10:16,800 --> 00:10:21,440
Regularly changing the krbtgt account password is crucial.

239
00:10:21,440 --> 00:10:25,200
And I mean regularly, every few months, even more often if you can.

240
00:10:25,200 --> 00:10:27,360
Treat that password like it's made of solid gold.

241
00:10:27,360 --> 00:10:28,080
You got it.

242
00:10:28,080 --> 00:10:30,480
And of course, make sure it's strong and unique.

243
00:10:30,480 --> 00:10:31,840
No password reuse.

244
00:10:31,840 --> 00:10:33,120
Strong passwords.

245
00:10:33,120 --> 00:10:34,480
Regular changes.

246
00:10:34,480 --> 00:10:35,360
Check and check.

247
00:10:36,560 --> 00:10:37,360
Anything else?

248
00:10:37,920 --> 00:10:42,000
Minimizing the number of accounts with elevated privileges is also key.

249
00:10:42,000 --> 00:10:46,160
The fewer accounts that have access to sensitive data and systems,

250
00:10:46,160 --> 00:10:51,280
the harder it is for attackers to get hold of that krbtgt hash in the first place.

251
00:10:51,280 --> 00:10:53,600
So limit those VIP passes to the network.

252
00:10:53,600 --> 00:10:54,560
Exactly.

253
00:10:54,560 --> 00:10:59,200
And don't forget about restricting admin privileges across security boundaries.

254
00:10:59,200 --> 00:11:01,840
If an attacker compromises a workstation,

255
00:11:01,840 --> 00:11:05,440
they shouldn't be able to easily escalate their privileges to the domain controller.

256
00:11:05,440 --> 00:11:07,200
Right, contain the damage.

257
00:11:07,200 --> 00:11:09,760
This is a lot to absorb, but it's definitely eye-opening.

258
00:11:09,760 --> 00:11:11,360
It's crucial information.

259
00:11:11,360 --> 00:11:15,840
Active directory security is an ongoing process and understanding these attacks is the first step

260
00:11:15,840 --> 00:11:17,040
towards preventing them.

261
00:11:17,040 --> 00:11:19,280
Right, we've covered PTH, PTT,

262
00:11:19,280 --> 00:11:21,760
Kerberoasting, and golden ticket attacks.

263
00:11:21,760 --> 00:11:23,200
There's a lot more ground to cover.

264
00:11:23,200 --> 00:11:26,400
So let's dive into some more advanced techniques in the next part of this deep dive.

265
00:11:26,400 --> 00:11:30,320
Ready to keep exploring the dark arts of Active Directory attacks?

266
00:11:30,320 --> 00:11:31,200
Absolutely.

267
00:11:31,200 --> 00:11:33,600
Hit me with your next mind-blowing technique.

268
00:11:33,600 --> 00:11:35,440
Well, let's talk about DC Shadow.

269
00:11:35,440 --> 00:11:39,840
This one's a bit like creating a phantom puppet master that can control your entire network.

270
00:11:39,840 --> 00:11:43,120
Okay, that sounds both intriguing and terrifying.

271
00:11:43,920 --> 00:11:44,800
Break it down for me.

272
00:11:44,800 --> 00:11:46,880
What is DC Shadow and how does it work?

273
00:11:46,880 --> 00:11:53,760
Imagine this. An attacker sets up a rogue server that pretends to be a legitimate domain controller.

274
00:11:53,760 --> 00:11:58,720
This fake domain controller can then manipulate Active Directory, making changes that

275
00:11:58,720 --> 00:12:00,880
ripple throughout the entire network.

276
00:12:00,880 --> 00:12:03,280
So they're creating a counterfeit brain for the network.

277
00:12:03,280 --> 00:12:04,160
Exactly.

278
00:12:04,160 --> 00:12:08,720
And because these changes get replicated to other domain controllers, they become persistent.

279
00:12:08,720 --> 00:12:12,160
Even if the attacker removes their rogue server, it's poisoning them.

280
00:12:12,160 --> 00:12:14,320
Well, the damage is done even after they're gone.

281
00:12:14,320 --> 00:12:15,920
This is some seriously advanced stuff.

282
00:12:15,920 --> 00:12:16,920
Yeah.

283
00:12:16,920 --> 00:12:19,120
How do they even pull off creating a fake domain controller?

284
00:12:19,120 --> 00:12:20,640
It does require a bit of groundwork.

285
00:12:20,640 --> 00:12:25,520
First, they need admin privileges, which, as we discussed, is often their primary objective.

286
00:12:25,520 --> 00:12:28,080
Once they have that, they can use a tool like Mimikatz.

287
00:12:28,080 --> 00:12:29,360
Yes, that versatile tool.

288
00:12:29,360 --> 00:12:32,760
Again, to create and register their rogue domain controller.

289
00:12:32,760 --> 00:12:36,920
Mimikatz really is the Swiss Army knife of Active Directory attacks.

290
00:12:36,920 --> 00:12:40,800
So they set up this fake domain controller using Mimikatz.

291
00:12:40,800 --> 00:12:41,800
Then what?

292
00:12:41,800 --> 00:12:43,040
That's when the real fun begins.

293
00:12:43,040 --> 00:12:47,600
They can start replicating changes from legitimate domain controllers to the rogue server.

294
00:12:47,600 --> 00:12:52,800
They could add new users, grant themselves elevated permissions, even modify security policies

295
00:12:52,800 --> 00:12:54,040
all under the radar.

296
00:12:54,040 --> 00:12:57,120
So they're essentially rewriting the rules of the network without anyone knowing.

297
00:12:57,120 --> 00:12:58,120
Precisely.

298
00:12:58,120 --> 00:13:01,720
And because these changes are replicated, they become embedded in the system.

299
00:13:01,720 --> 00:13:04,280
It's a stealthy and incredibly powerful attack.

300
00:13:04,280 --> 00:13:06,400
Okay, I'm officially concerned.

301
00:13:06,400 --> 00:13:09,640
How do we even detect this DC Shadow attack?

302
00:13:09,640 --> 00:13:12,040
If it's designed to blend in so seamlessly.

303
00:13:12,040 --> 00:13:13,040
Good question.

304
00:13:13,040 --> 00:13:16,200
This is where network monitoring becomes absolutely vital.

305
00:13:16,200 --> 00:13:22,040
You need to be able to spot unusual DRSUAPI RPC requests, particularly something called

306
00:13:22,040 --> 00:13:24,600
the DRSUAPI_REPLICA_ADD operation.

307
00:13:24,600 --> 00:13:27,400
That's a big red flag that a DC Shadow attack might be in progress.

308
00:13:27,400 --> 00:13:28,600
So that's our smoking gun.

309
00:13:28,600 --> 00:13:30,400
Anything else we should be looking out for?

310
00:13:30,400 --> 00:13:34,360
Analyzing Windows event logs can also offer some clues, though it might not paint the full

311
00:13:34,360 --> 00:13:35,760
picture.

312
00:13:35,760 --> 00:13:41,000
Events 5136 and 5141, which log changes to directory service objects, could reveal

313
00:13:41,000 --> 00:13:43,440
suspicious activity.

314
00:13:43,440 --> 00:13:48,600
So network monitoring and event log analysis are our detective tools in this case.

315
00:13:48,600 --> 00:13:52,160
But how do we prevent DC Shadow attacks from happening in the first place?

316
00:13:52,160 --> 00:13:56,280
Like most Active Directory attacks, it boils down to tightly controlling admin privileges

317
00:13:56,280 --> 00:13:58,280
and securing your network.

318
00:13:58,280 --> 00:14:02,080
Make sure only a select few have the authority to add computer objects to Active Directory,

319
00:14:02,080 --> 00:14:07,200
control access to remote management protocols like RDP, and keep your Active Directory environment

320
00:14:07,200 --> 00:14:11,080
clean; removing unused sites and computer objects reduces the attack surface.

321
00:14:11,080 --> 00:14:12,760
So keep it tidy, keep it locked down.

322
00:14:12,760 --> 00:14:13,760
Got it.

323
00:14:13,760 --> 00:14:16,240
What other attack techniques should we be adding to our watch list?

324
00:14:16,240 --> 00:14:18,960
Let's shift gears and talk about AS-REP roasting.

325
00:14:18,960 --> 00:14:22,520
This one preys on accounts that have Kerberos preauthentication disabled.

326
00:14:22,520 --> 00:14:25,480
Okay, remind me what Kerberos preauthentication is again.

327
00:14:25,480 --> 00:14:30,880
It's an extra layer of security that verifies a user's identity before issuing any tickets.

328
00:14:30,880 --> 00:14:34,880
Think of it as a security checkpoint that helps prevent attackers from simply guessing

329
00:14:34,880 --> 00:14:35,880
passwords.

330
00:14:35,880 --> 00:14:40,960
So AS-REP roasting targets accounts that don't have this extra security checkpoint.

331
00:14:40,960 --> 00:14:41,960
Exactly.

332
00:14:41,960 --> 00:14:46,400
Attackers send a special request to the domain controller and if preauthentication is disabled,

333
00:14:46,400 --> 00:14:50,000
the server responds with a message containing the user's password hash.

334
00:14:50,000 --> 00:14:53,000
Wait, so the server just hands over the hash? That doesn't sound very secure.

335
00:14:53,000 --> 00:14:56,960
It's definitely a weakness and that's precisely what attackers exploit.

336
00:14:56,960 --> 00:15:01,280
They can then try to crack that hash offline using tools like hashcat.

337
00:15:01,280 --> 00:15:04,080
So it's a bit like a smash and grab for password hashes.

338
00:15:04,080 --> 00:15:09,000
It's a good analogy and the scary part is that it can be done remotely and relatively quietly.

339
00:15:09,000 --> 00:15:13,280
Okay, so what can we do to detect these AS-REP roasting attacks?

340
00:15:13,280 --> 00:15:16,720
Event ID 4708 should be on your radar.

341
00:15:16,720 --> 00:15:21,000
This event logs user account changes and it can be a telltale sign of an attacker

342
00:15:21,000 --> 00:15:23,840
manipulating domain objects for this attack.

343
00:15:23,840 --> 00:15:26,840
Another red flag for our log analysis tool kit.

344
00:15:26,840 --> 00:15:28,480
What about defenses?

345
00:15:28,480 --> 00:15:31,720
How can we prevent AS-REP roasting from happening?

346
00:15:31,720 --> 00:15:34,440
The most effective solution is simple.

347
00:15:34,440 --> 00:15:37,760
Enable Kerberos preauthentication for all user accounts.

348
00:15:37,760 --> 00:15:41,120
It's a straightforward change that makes a huge difference in security.

349
00:15:41,120 --> 00:15:43,440
Enable preauthentication, check.

350
00:15:43,440 --> 00:15:44,640
Anything else we should be doing?

351
00:15:44,640 --> 00:15:48,280
Of course, strong password policies are always a good idea.

352
00:15:48,280 --> 00:15:52,920
Enforce long, complex passwords that are difficult to crack, and encourage users to use a password

353
00:15:52,920 --> 00:15:56,240
manager to help them keep track of everything securely.

354
00:15:56,240 --> 00:15:59,200
Strong passwords, it's the cybersecurity mantra.

355
00:15:59,200 --> 00:16:03,240
All right, what's next on our Active Directory attack technique tour?

356
00:16:03,240 --> 00:16:06,040
Let's dive into LDAP injection attacks.

357
00:16:06,040 --> 00:16:10,360
This one exploits the way Active Directory uses the LDAP protocol for communication.

358
00:16:10,360 --> 00:16:12,240
Okay, back up for a second.

359
00:16:12,240 --> 00:16:17,080
What exactly IS LDAP and how does it fit into the Active Directory world?

360
00:16:17,080 --> 00:16:20,080
Think of LDAP as the language that Active Directory speaks.

361
00:16:20,080 --> 00:16:24,680
It's a protocol specifically designed for accessing and managing directory services and Active

362
00:16:24,680 --> 00:16:27,600
Directory relies heavily on it for all sorts of communication.

363
00:16:27,600 --> 00:16:30,800
So it's like the underlying communication system, what's the problem with that?

364
00:16:30,800 --> 00:16:35,600
The problem arises when applications that interact with Active Directory don't properly

365
00:16:35,600 --> 00:16:38,160
validate user input.

366
00:16:38,160 --> 00:16:44,000
This can allow attackers to sneak malicious code into LDAP queries, essentially hijacking

367
00:16:44,000 --> 00:16:45,400
the conversation.

368
00:16:45,400 --> 00:16:48,960
So they're injecting bad commands into the system's communication channels.

369
00:16:48,960 --> 00:16:49,960
Exactly.

370
00:16:49,960 --> 00:16:54,800
And that can lead to all sorts of trouble: bypassing authentication, escalating privileges,

371
00:16:54,800 --> 00:16:56,600
even stealing sensitive data.

372
00:16:56,600 --> 00:16:59,800
Okay, this LDAP injection thing sounds pretty dangerous.

373
00:16:59,800 --> 00:17:03,640
Are there different ways attackers can exploit this vulnerability?

374
00:17:03,640 --> 00:17:06,520
There are several types of LDAP injection attacks.

375
00:17:06,520 --> 00:17:10,960
One common technique is privilege escalation, where they inject code that tricks the server

376
00:17:10,960 --> 00:17:13,960
into thinking they have higher privileges than they actually do.

377
00:17:13,960 --> 00:17:15,720
So they're forging their credentials, essentially.

378
00:17:15,720 --> 00:17:16,720
You got it.

379
00:17:16,720 --> 00:17:19,960
Another common technique is access control bypass.

380
00:17:19,960 --> 00:17:25,240
They craft a query that lets them completely bypass authentication, gaining access without

381
00:17:25,240 --> 00:17:26,680
needing a valid password.

382
00:17:26,680 --> 00:17:28,280
Sneaking in through the back door.

383
00:17:28,280 --> 00:17:31,480
And what about data theft? Can they use LDAP injection for that as well?

384
00:17:31,480 --> 00:17:32,480
Absolutely.

385
00:17:32,480 --> 00:17:37,000
They can inject code that retrieves sensitive information from the directory, effectively

386
00:17:37,000 --> 00:17:40,360
turning LDAP into a data exfiltration tool.

387
00:17:40,360 --> 00:17:44,360
Okay, this LDAP injection vulnerability sounds like a major headache.

388
00:17:44,360 --> 00:17:45,960
How can we even spot it happening?

389
00:17:45,960 --> 00:17:48,040
Unfortunately, it can be quite tricky to detect.

390
00:17:48,040 --> 00:17:53,480
It often requires digging into application logs and looking for unusual patterns in LDAP queries.

391
00:17:53,480 --> 00:17:54,920
It's detective work for sure.

392
00:17:54,920 --> 00:17:58,560
So it's a bit like searching for a needle in a haystack.

393
00:17:58,560 --> 00:17:59,560
What about prevention?

394
00:17:59,560 --> 00:18:02,640
How do we stop these LDAP injections from happening in the first place?

395
00:18:02,640 --> 00:18:05,160
Input validation is absolutely crucial here.

396
00:18:05,160 --> 00:18:08,320
Developers need to make sure their applications are thoroughly sanitizing and escaping

397
00:18:08,320 --> 00:18:11,480
all user input before sending it to Active Directory.

398
00:18:11,480 --> 00:18:15,440
It's like installing a filter that catches any malicious code before it reaches the system.

399
00:18:15,440 --> 00:18:18,280
So clean up those queries before they even get a chance to cause trouble.

400
00:18:18,280 --> 00:18:19,280
Precisely.

401
00:18:19,280 --> 00:18:23,000
And pay close attention to escaping special characters in DNs,

402
00:18:23,000 --> 00:18:25,520
distinguished names, and search filters.

403
00:18:25,520 --> 00:18:29,840
Those are often used in LDAP queries, and attackers can manipulate them to slip in their malicious

404
00:18:29,840 --> 00:18:30,840
code.

405
00:18:30,840 --> 00:18:37,680
Okay, so input validation and proper escaping are our best defenses against LDAP injection.

406
00:18:37,680 --> 00:18:38,680
Got it.

407
00:18:38,680 --> 00:18:41,760
Are we ready for one more attack technique before we wrap things up?

408
00:18:41,760 --> 00:18:42,760
You bet.

409
00:18:42,760 --> 00:18:45,920
Let's talk about the PetitPotam NTLM relay attack.

410
00:18:45,920 --> 00:18:50,520
This one targets Active Directory Certificate Services, or ADCS for short.

411
00:18:50,520 --> 00:18:52,720
So certificate services, that sounds pretty official.

412
00:18:52,720 --> 00:18:58,640
It is. ADCS is responsible for managing and issuing digital certificates within an organization.

413
00:18:58,640 --> 00:19:01,040
It's a crucial part of many security systems.

414
00:19:01,040 --> 00:19:03,480
Okay, so what's the PetitPotam attack all about?

415
00:19:03,480 --> 00:19:08,720
It takes advantage of a combination of legacy NTLM authentication, remember that old friend?

416
00:19:08,720 --> 00:19:12,480
And the MS-EFSRPC protocol.

417
00:19:12,480 --> 00:19:17,200
It uses these to trigger authentication requests and relay them to the ADCS server.

418
00:19:17,200 --> 00:19:18,920
I'm starting to see a pattern here.

419
00:19:18,920 --> 00:19:21,080
NTLM keeps cropping up as a vulnerability.

420
00:19:21,080 --> 00:19:22,080
You're not wrong.

421
00:19:22,080 --> 00:19:24,640
It's an older protocol with some inherent weaknesses.

422
00:19:24,640 --> 00:19:28,920
And in this case, the attacker exploits the fact that ADCS often doesn't enforce Extended

423
00:19:28,920 --> 00:19:31,360
Protection for Authentication, or EPA.

424
00:19:31,360 --> 00:19:34,440
So it's another case of exploiting a lack of security measures.

425
00:19:34,440 --> 00:19:36,160
Exactly.

426
00:19:36,160 --> 00:19:38,240
The consequences can be pretty severe.

427
00:19:38,240 --> 00:19:43,600
The attacker can essentially trick the ADCS server into issuing them a certificate for

428
00:19:43,600 --> 00:19:45,280
a domain controller account.

429
00:19:45,280 --> 00:19:49,320
Hold on, so they get a certificate that gives them control over a domain controller.

430
00:19:49,320 --> 00:19:51,440
Is that like getting the keys to the kingdom?

431
00:19:51,440 --> 00:19:52,280
It is.

432
00:19:52,280 --> 00:19:54,680
And with that certificate, they can wreak havoc.

433
00:19:54,680 --> 00:20:00,880
They can request a TGT, perform a DCSync attack, and essentially gain complete control over

434
00:20:00,880 --> 00:20:01,880
the domain.

435
00:20:01,880 --> 00:20:03,480
This is getting pretty intense.

436
00:20:03,480 --> 00:20:06,280
How can we even begin to detect this type of attack?

437
00:20:06,280 --> 00:20:09,120
Network monitoring once again is incredibly important.

438
00:20:09,120 --> 00:20:13,120
You need to be on the lookout for any NTLM relay traffic, especially any that's headed

439
00:20:13,120 --> 00:20:14,560
towards your ADCS servers.

440
00:20:14,560 --> 00:20:17,240
Okay, network monitoring is definitely a must-have.

441
00:20:17,240 --> 00:20:18,240
What about prevention?

442
00:20:18,240 --> 00:20:20,640
How do we stop PetitPotam in its tracks?

443
00:20:20,640 --> 00:20:24,360
Enabling EPA for your ADCS servers is the most crucial step.

444
00:20:24,360 --> 00:20:28,200
It throws a wrench in the attacker's plans, making it much harder to relay authentication

445
00:20:28,200 --> 00:20:29,200
requests.

446
00:20:29,200 --> 00:20:30,640
Enable EPA check.

447
00:20:30,640 --> 00:20:32,880
Anything else we can do to bolster our defenses?

448
00:20:32,880 --> 00:20:38,920
For extra security, consider enabling SSL-only connections for your ADCS web services.

449
00:20:38,920 --> 00:20:42,520
This forces all communication to be encrypted, making it much tougher for attackers

450
00:20:42,520 --> 00:20:44,800
to intercept and manipulate traffic.

451
00:20:44,800 --> 00:20:48,680
It's like adding an extra layer of protection around your communication channels.

452
00:20:48,680 --> 00:20:54,680
Okay, so PetitPotam is all about abusing NTLM and ADCS misconfiguration.

453
00:20:54,680 --> 00:20:56,520
We've covered a lot of ground today.

454
00:20:56,520 --> 00:20:59,960
What are some key takeaways you want our listeners to remember as we wrap up this

455
00:20:59,960 --> 00:21:01,240
part of the deep dive?

456
00:21:01,240 --> 00:21:05,520
Active Directory, it's really like the nervous system of your organization, and unfortunately

457
00:21:05,520 --> 00:21:07,440
attackers know just how important it is.

458
00:21:07,440 --> 00:21:11,640
They're constantly devising new ways to exploit weaknesses and seize control.

459
00:21:11,640 --> 00:21:14,440
Yeah, it sounds like a constant game of cat and mouse.

460
00:21:14,440 --> 00:21:17,200
But surely there are things we can do to protect ourselves, right?

461
00:21:17,200 --> 00:21:18,200
Absolutely.

462
00:21:18,200 --> 00:21:20,080
The key is to be proactive.

463
00:21:20,080 --> 00:21:21,880
Don't wait for an attack to happen.

464
00:21:21,880 --> 00:21:23,360
Start building up your defenses now.

465
00:21:23,360 --> 00:21:25,560
Okay, so where do we even begin?

466
00:21:25,560 --> 00:21:28,840
There's so much to consider when it comes to Active Directory security.

467
00:21:28,840 --> 00:21:31,720
Think of it as building a fortress layer by layer.

468
00:21:31,720 --> 00:21:36,400
You start with the foundations, strong passwords, limiting admin privileges, conducting regular

469
00:21:36,400 --> 00:21:37,400
security audits.

470
00:21:37,400 --> 00:21:41,160
Right, the cybersecurity essentials, the basics that everyone should be doing.

471
00:21:41,160 --> 00:21:42,160
Exactly.

472
00:21:42,160 --> 00:21:45,360
Once you have those in place, you can start adding more advanced layers of protection.

473
00:21:45,360 --> 00:21:50,800
It's like enabling Windows Defender Credential Guard, implementing Kerberos armoring,

474
00:21:50,800 --> 00:21:55,760
and ensuring proper input validation for any applications that talk to Active Directory.

475
00:21:55,760 --> 00:22:00,120
So it's about creating multiple lines of defense, making it as difficult as possible for

476
00:22:00,120 --> 00:22:02,240
attackers to actually breach our systems.

477
00:22:02,240 --> 00:22:03,240
That's the idea.

478
00:22:03,240 --> 00:22:07,280
And don't underestimate the power of network monitoring and event log analysis.

479
00:22:07,280 --> 00:22:12,520
Think of them as your surveillance system constantly watching for any suspicious activity.

480
00:22:12,520 --> 00:22:16,440
The sooner you can spot a potential attack, the better your chances of stopping it before

481
00:22:16,440 --> 00:22:17,960
it causes real damage.

482
00:22:17,960 --> 00:22:20,200
Right, early detection is key.

483
00:22:20,200 --> 00:22:24,200
It's much easier to put out a small fire than a raging inferno.

484
00:22:24,200 --> 00:22:28,640
We've covered a lot of ground today, from basic concepts to some seriously advanced attack

485
00:22:28,640 --> 00:22:29,640
techniques.

486
00:22:29,640 --> 00:22:33,360
Is there anything else our listeners should keep in mind as they navigate the world of Active

487
00:22:33,360 --> 00:22:34,920
Directory security?

488
00:22:34,920 --> 00:22:37,600
The cybersecurity landscape is constantly evolving.

489
00:22:37,600 --> 00:22:41,720
New threats emerge all the time, so staying informed and up to date is crucial.

490
00:22:41,720 --> 00:22:45,240
So where can our listeners go to keep learning and stay ahead of the curve?

491
00:22:45,240 --> 00:22:49,640
Microsoft's security blogs and documentation are a great place to start.

492
00:22:49,640 --> 00:22:55,720
The MITRE ATT&CK framework is another fantastic resource for understanding the tactics and

493
00:22:55,720 --> 00:22:58,240
techniques used by attackers.

494
00:22:58,240 --> 00:23:00,760
And of course, keep listening to podcasts like this one.

495
00:23:00,760 --> 00:23:04,640
We're always here to break down complex security topics and help you stay informed.

496
00:23:04,640 --> 00:23:06,360
Couldn't have said it better myself.

497
00:23:06,360 --> 00:23:09,200
Now here's a final thought for our listeners to ponder.

498
00:23:09,200 --> 00:23:13,480
We focused on technical attacks today, but let's not forget that human error can often

499
00:23:13,480 --> 00:23:16,520
be the weakest link in any security system.

500
00:23:16,520 --> 00:23:20,240
Phishing scams, weak passwords, clicking on suspicious links.

501
00:23:20,240 --> 00:23:24,400
These are all things that can compromise even the most secure Active Directory environment.

502
00:23:24,400 --> 00:23:25,840
That's an important point.

503
00:23:25,840 --> 00:23:28,960
Security awareness training for all users is absolutely essential.

504
00:23:28,960 --> 00:23:29,960
Absolutely.

505
00:23:29,960 --> 00:23:31,560
Technology can only take you so far.

506
00:23:31,560 --> 00:23:35,960
Ultimately, it's up to each individual to be vigilant and follow good security practices.

507
00:23:35,960 --> 00:23:40,400
So stay informed, stay vigilant, and stay safe out there. Until next time.

508
00:23:40,400 --> 00:24:05,360
That's all, we'll see you in the next video.

