diff --git a/7.Securing_AD/Securing Active Directory with PowerShell and Other Tools.md b/7.Securing_AD/Securing Active Directory with PowerShell and Other Tools.md new file mode 100644 index 0000000..8d5d4f4 --- /dev/null +++ b/7.Securing_AD/Securing Active Directory with PowerShell and Other Tools.md 
@@ -0,0 +1,365 @@ +# Securing Active Directory with PowerShell and Other Tools + +## Security is never a Destination + +We need to follow a cyclical approach to information security + +### ACT Cycle + +Configure -> Test -> Assess + + +## Guiding Principle + +### Least Privilege / Need-to-know + +Limiting user access rights to only what is strictly necessary for their role. + +Benefits: +- Reduces risk of unauthorized access. +- Mitigates damage from compromised accounts. + +### Minimize Privileged Accounts + +Reducing the number of Privileged accounts to a minimum. + +Why It Matters: + +- Privileged accounts are prime targets for attackers. +- Fewer privileged accounts lead to reduced attack surface. + +Best Practices: + +- Use Role-Based Access Control (RBAC). +- Assign temporary elevated privileges only when necessary. + +**Active Directory is Not Security Software** + +## Why is Active Directory such a risk? + +- Active Directory is a centralized, network control structure. +- Active Directory is very complex and a lot of things are hidden. +- Active Directoy does not warn you about bad configurations. +- Active Directory users have a lot of permissions to a lot of resources. + +Active is the starting point for many threat actors following this +simple pattern of compromise: + +1.Credentials +2.Access +3.Control + +## Known Active Directory Related Breaches + +### Colonial Pipeline Attack (2021) + +Utilized disabled account password hashes to laterally compromise other accounts, +infiltrating the network via VPN that had no MFA. + +### Waikato District Halth Board (New Zealand - 2021) + +Redacted, but attackers used Windows 7 PCs as initial catalyst for account +presumably laterally moving around the ntwork with AD permissions. + +## ACT Cycle + +### Step 1 - Assess + +Objective: Evaluate and identify vulnerabilities and misconfigurations in +Active Directory, including those related to ransomware attacks. 
+ +#### Tools + + +##### Ping Castle + +https://www.pingcastle.com/ + +Generate health reports and identify privilege escalation paths +outdated policies, and risks related to ransomware attacks. + +- Provides health check analysis of Active Directory environment +- Provides actionable remediation steps for misconfigurations +- reports should be run quarterly or annyally + +##### Adeleg + +https://github.com/mtth-bfft/adeleg + +Audit delegation rights to find over-privileged +accounts and unnecessary permissions. + +- An Active Directory delgation management tool. It allows you to make a detailled +inventory of delegations set up so far in a forest, along with their potential issues: + - Objects owned by users + - Objects with ACEs (access control entries) for users + - Non-canonical ACL + - Disabled ACL inheritance + - Default ACL modified in schema + - Deleted delegation trustees + +##### Script Sentry + +https://github.com/techspence/ScriptSentry + +Review PowerShell scripts running accross the ntwork for malicious +or unauthorized executions. + +- ScriptSentry finds misconfigured and dangerous logon scripts. +- Not in PSGallery, but easy to invoke. + +##### Locksmith + +https://github.com/TrimarcJake/Locksmith?tab=readme-ov-file + +- A small tool buit to find and fix common misconfigurations in Active Directory +Certificate Services. +- Easy installation -Locksmith is in PSGalley +- Install-Module -Name Locksmith -Scope CurrentUser + +Review privileged accounts and group memberships to ensure least privilege +principles are enforced. + +##### PurpleKnight + +Conducts Active Directory and Entra ID reports + + +### Step 2 - Configure + +#### Storing Credentials and API Keys + +The Powershell SecretManagement module provides a convenient way for a user +to store and retrieve secrets. + +The SecretManagement module handles creating and configuring secrets, while +the SecretStore module acts as the local secure vault for storing them. 
+ +```powershell +Install-Module Microsoft.PowerShell.SecretManagement +Install-Module Microsoft.PowerShell.SecretStore +``` + +to store credentials, you need to register a secret vault: + +```powershell +Register-SecretVault -ame mrsh - ModuleName Microsoft.PowerShell.SecretStore -DefaultVault +``` + +to set a password on the Secret Store: + +```powershell + +Get-SecretStoreConfiguration +Set-Secret -Vault mrsh -Nae adm_ncs -Secret (Get-Credential mrsh.local\adm_ncs) - Metadata @ {Description = "Admin account mrsh.local"} +``` + +view a password: + +```powershell +(Get-Secret -Vault mrsh -Name adm_ncs).Password | ConvertFrom-SecureString -AsPlainText +``` + +Paasing the credential safely to a command: + +```powershell + -credential (Get-Secret -Vault mrsh -Name adm_ncs) +``` + + +#### Domain Admins Audit + +Generate health reports and identify privilege escalation paths, +outdated policies, and risks related to ransomware attacks. + +The Domain Admins group is a built-in security group in Active Directory +that has wide-ranging administrative privileges within a domain + +Domain Adimns Group + +**Privileges**: Member of the Domain Admins group have full control over all domain resources. +They can manage user accounts, create and delete objects, modify group memberships, +and perform other administrative task. + +**Members**: By default, the Administrator account is a member of the Domain Admins group. +Additional users or groups can be added as needed, but this should be done sparingly due +to the high level of access provided + +**Defaults**: The Domain Admins group is part of the Administrators group on all domain-joined +computers by default, giving its memebers local administrative rights on these machines. + +**LDAP Service Accounts should not be domain Admins**: The typical use case for an LDAP +account does not require write permissions. 
LDAP service accounts only need to be able +to read users and group perissions in a directory + +#### Disabled Users Audit + +Audit delegation rights to find over-privileged accounts +and unnecessary permissions. + +#### Disabling SMB v1 + +**Probably the biggest hole in ransomware.** + +SMB v1 is an outdated protocol with several known vulnerabilities, including those +exploited by ransomware like **WannaCry**. You can disable it using Powershell with thes comands: + +```powershell +Set-SmbServerConfiguration -EnableSMB1Protocol $false + +Disalble-WindowsOptionalFeature -Online - FeatureName smb1protocol +``` + +#### KRBTGT Rotation: Rotating Kerberos Passwords + +The most important point of this process is that the Kerberos Ticket Granting Tickets (TGT) +is encrypted and signed by the KRBTGT account. this means that anyone can create a valid +Kerberos TGT if they have The KRTGT password hash. +Futhermore, despite the Active Directory domain policy for Kerberos ticket lifetime, +the KDC trusts the TGT, so the custom ticket can iclude a custom ticket lifetime (even one that +exceeds the domain kereros policy). + +- Prevents Golden Ticket attacks +- The password for the krbtgt account should be rotated at leat twice a year. +- Script : https://github.com/microsoftarchive/New-KrbtgtKeys.ps1 + +#### Restrict Powershell Script Execution and Remoting + +WinRM allows remote management using WS-Management. if not required, it should +be disabled to reduce potential remote exploitation. + +```powershell +Disable-PSRemoting -Force +``` + +Powershell uses an execution policy to control how scripts can be executed. By default +the execution policy might be set to restricted, but if not, you can enforce this with +this command + +```powershell +Set-ExecutionPolicy Restricted -Force +``` + +#### Disable Services and Protocols + +##### Disalble RDP (or Secure it) + +RDP can be a major attack vector if not properly secured. if RDP is not needed, disable it. 
+If needed, restrict access, use Network Level Authentification (NLA), and enable encryption + +```powershell +Set-ItemProperty -Path 'HKLM:\System\CurrntControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 1 +``` + +Secure RDP: if you must use RDP, ensure that: NLA is enabled, RDP is limited to necessary IP addresses, and +that RDP sessions are monitored and logged. + +To enable Network Level Authentification (NLA) for Remote Desktop Protocol (RDP) +on Windows, You can do the following: +- Open the Control Panel +- Select System and Security +- Click Allow Remote Access +- In the Remote tab, check the box labled Allow remote connections only from computers +running Remote Desktop with Network Level Authentication + +##### Disable Link-Local Multicast Name Resolution (LLMNR) + +LLMNR is used for name resolution when DNS is unavailable, but it can be exploited +in man-in-th-midde attacks. + +```powershell +Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Winows NT\DNSClient" -Name "EnableMulticast" -Value 0 +``` + +##### Disable ICMP + +While disabling ICMP is not always recommended (since it helps in troubleshooting), +blocking ICMP echo requests (pings) can reduce exposure ti reconnaissance attacks. + +```powershell +New-NetFirewallRule - DispalyName "Block ICMPv4-In" -Protocol ICMPv4 -IvmpType 8 - Action Block +``` + +### Step 3 - Test + +Penetraton testing, also known as ethical hacking, is a vital component of modern +cyberecurity. It involves simulating real-world attacks on your network to identify +vulnerabilites before malicious actors can expolit them. +While this proactive approach is essential for safeguarding your infrastructure, it is +crucial to obtain formal approval before conduting any penetration test on your network + + +- **Obtain Formal Approval**: Secure written authorization from senior management or +legal teams befor proceeding with any form of penetration testing. 
+ +- **Define the Scope and Objectives**: Clearly outline what systems and areas will be +tested, as well as the goals of the testing, to prevent unintende consequences. + +- **Plan for Recovery**: Prepare contigency plans for any service disruptions, and ensure +that sytem settings are properly restored after testing is complete. + +##### Have i been pwned? + +Checks to see if an email has been in a data breach. Useful for explaining why +pentesting needs to be done, as these breaches are used for password spraying by +threat actors. + +https://www.haveibeenpwend.com + +##### Kali Linux + +Using Kali Linux, there are three critical tools you can yse to +conduct penetration testing on your environement + +###### Legion + +Legion is a powerfull GUI-based tool for network scanning and exploitation. +Features: +- Easy to set up and run +- Acts as a multitool for testing/scanning networks (similar to Nmap) +- Automates tasks like SMB enumeration and service discovery +- Can quickly identify vulnerale services in AD environements + +###### Mimikatz + +Mimikatz is used to extract credentials from Windows systems, including plaintext passwrds +and NTLM hashes. + +Pass-the-Hash (PTH) Attack Leverages NTLM hashs to authenticate without cracking the password + +###### Hashcat + +Hashcat is powersul password-cracking tool that can crack NTLM hashs offline. + +https://hashcat.net/hashcat + +```powershell +hashcat -m 1000 ntlm_hashes.txt wordlist.txt +``` +###### CrackMapExec + +CrackMapExec (CME) is a post-exploitation tool targeting AD environments. + +- Enumerate users, groups, and computers +- Test credentials across the network +- Perform SMB and LDAP attacks + +```powershell +crackmapexec smb 10.0.0.1 -u admin -p password123 --shares +``` + +https://github.com/byt3bl33d3r/CrackMapExec + +## Summary + +We need to follow a cyclical approach to information security. 
+ +**ACT Cycle** + +| Assess | Configure | Test | +| ------------- | --------------------------- | ------------ | +| Ping Castle | PowerShell | Kali Linux | +| Script Sentry | Admin Services | Mimikatz | +| ADeleg | Admin Protocols | Hashcat | +| Locksmith | Minimize Privileged Accounts| CrackMapExec | +
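Review bot: several of the PowerShell commands in the "Step 2 - Configure" part of this hunk will not run as written because parameter names are mistyped or have a space after the dash, so a reader copying them gets a parse error rather than a hardened host. The affected lines are `Register-SecretVault -ame mrsh - ModuleName Microsoft.PowerShell.SecretStore -DefaultVault` (should be `-Name mrsh -ModuleName ...`), `Set-Secret -Vault mrsh -Nae adm_ncs -Secret (Get-Credential mrsh.local\adm_ncs) - Metadata @ {Description = "Admin account mrsh.local"}` (should be `-Name adm_ncs ... -Metadata @{Description = "..."}` with no space after `@`), and `New-NetFirewallRule - DispalyName "Block ICMPv4-In" -Protocol ICMPv4 -IvmpType 8 - Action Block` (should be `-DisplayName`, `-IcmpType 8`, `-Action Block`). In the same part, `Disalble-WindowsOptionalFeature -Online - FeatureName smb1protocol` should read `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol`, and the two registry paths contain typos that make the Set-ItemProperty calls fail or write to a non-existent key: `CurrntControlSet` should be `CurrentControlSet` and `Winows NT` should be `Windows NT`. The caption "to set a password on the Secret Store:" does not match the commands under it (`Get-SecretStoreConfiguration` and `Set-Secret` read the vault configuration and store a credential; they do not set the vault password), so either the caption or the commands should change. Two sections also carry copy-pasted descriptions from the Assess tools rather than their own: "Domain Admins Audit" opens with the Ping Castle text ("Generate health reports and identify privilege escalation paths..."), and "Disabled Users Audit" consists only of the Adeleg text ("Audit delegation rights to find over-privileged accounts..."), leaving the disabled-users audit undocumented; please replace them with what each audit actually checks. Under "Restrict Powershell Script Execution and Remoting", it is worth stating that the execution policy is a safety feature against accidental script execution, not a security boundary (it is bypassed per-invocation), so `Set-ExecutionPolicy Restricted -Force` should not be presented as a control against attackers. Minor points: the hashcat and crackmapexec blocks are Linux shell commands but are fenced as `powershell`; the Have I Been Pwned link is misspelled (`https://www.haveibeenpwend.com`, should be haveibeenpwned.com); and the text needs a spelling pass (Halth, ntwork, Adimns, memebers, Penetraton, Authentification, Disalble, annyally, among others) before merge.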