mrsh/Powershell-Training
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4c4c40b3dc0303f4a5d95da9d757875cfaa07b56
Powershell-Training/7.Securing_AD/Securing Active Directory with PowerShell and Other Tools.md
mrsh f6f3b3989b end of the course
2026-01-10 14:21:38 +01:00

366 lines
11 KiB
Markdown
Raw Blame History

# Securing Active Directory with PowerShell and Other Tools
## Security is never a Destination
We need to follow a cyclical approach to information security
### ACT Cycle
Configure -> Test -> Assess
## Guiding Principle
### Least Privilege / Need-to-know
Limiting user access rights to only what is strictly necessary for their role.
Benefits:
- Reduces risk of unauthorized access.
- Mitigates damage from compromised accounts.
### Minimize Privileged Accounts
Reducing the number of Privileged accounts to a minimum.
Why It Matters:
- Privileged accounts are prime targets for attackers.
- Fewer privileged accounts lead to reduced attack surface.
Best Practices:
- Use Role-Based Access Control (RBAC).
- Assign temporary elevated privileges only when necessary.
**Active Directory is Not Security Software**
## Why is Active Directory such a risk?
- Active Directory is a centralized, network control structure.
- Active Directory is very complex and a lot of things are hidden.
- Active Directoy does not warn you about bad configurations.
- Active Directory users have a lot of permissions to a lot of resources.
Active is the starting point for many threat actors following this
simple pattern of compromise:
1.Credentials
2.Access
3.Control
## Known Active Directory Related Breaches
### Colonial Pipeline Attack (2021)
Utilized disabled account password hashes to laterally compromise other accounts,
infiltrating the network via VPN that had no MFA.
### Waikato District Halth Board (New Zealand - 2021)
Redacted, but attackers used Windows 7 PCs as initial catalyst for account
presumably laterally moving around the ntwork with AD permissions.
## ACT Cycle
### Step 1 - Assess
Objective: Evaluate and identify vulnerabilities and misconfigurations in
Active Directory, including those related to ransomware attacks.
#### Tools
##### Ping Castle
https://www.pingcastle.com/
Generate health reports and identify privilege escalation paths
outdated policies, and risks related to ransomware attacks.
- Provides health check analysis of Active Directory environment
- Provides actionable remediation steps for misconfigurations
- reports should be run quarterly or annyally
##### Adeleg
https://github.com/mtth-bfft/adeleg
Audit delegation rights to find over-privileged
accounts and unnecessary permissions.
- An Active Directory delgation management tool. It allows you to make a detailled
inventory of delegations set up so far in a forest, along with their potential issues:
- Objects owned by users
- Objects with ACEs (access control entries) for users
- Non-canonical ACL
- Disabled ACL inheritance
- Default ACL modified in schema
- Deleted delegation trustees
##### Script Sentry
https://github.com/techspence/ScriptSentry
Review PowerShell scripts running accross the ntwork for malicious
or unauthorized executions.
- ScriptSentry finds misconfigured and dangerous logon scripts.
- Not in PSGallery, but easy to invoke.
##### Locksmith
https://github.com/TrimarcJake/Locksmith?tab=readme-ov-file
- A small tool buit to find and fix common misconfigurations in Active Directory
Certificate Services.
- Easy installation -Locksmith is in PSGalley
- Install-Module -Name Locksmith -Scope CurrentUser
Review privileged accounts and group memberships to ensure least privilege
principles are enforced.
##### PurpleKnight
Conducts Active Directory and Entra ID reports
### Step 2 - Configure
#### Storing Credentials and API Keys
The Powershell SecretManagement module provides a convenient way for a user
to store and retrieve secrets.
The SecretManagement module handles creating and configuring secrets, while
the SecretStore module acts as the local secure vault for storing them.
```powershell
Install-Module Microsoft.PowerShell.SecretManagement
Install-Module Microsoft.PowerShell.SecretStore
```
to store credentials, you need to register a secret vault:
```powershell
Register-SecretVault -ame mrsh - ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
```
to set a password on the Secret Store:
```powershell
Get-SecretStoreConfiguration
Set-Secret -Vault mrsh -Nae adm_ncs -Secret (Get-Credential mrsh.local\adm_ncs) - Metadata @ {Description = "Admin account mrsh.local"}
```
view a password:
```powershell
(Get-Secret -Vault mrsh -Name adm_ncs).Password | ConvertFrom-SecureString -AsPlainText
```
Paasing the credential safely to a command:
```powershell
<Command> -credential (Get-Secret -Vault mrsh -Name adm_ncs)
```
#### Domain Admins Audit
Generate health reports and identify privilege escalation paths,
outdated policies, and risks related to ransomware attacks.
The Domain Admins group is a built-in security group in Active Directory
that has wide-ranging administrative privileges within a domain
Domain Adimns Group
**Privileges**: Member of the Domain Admins group have full control over all domain resources.
They can manage user accounts, create and delete objects, modify group memberships,
and perform other administrative task.
**Members**: By default, the Administrator account is a member of the Domain Admins group.
Additional users or groups can be added as needed, but this should be done sparingly due
to the high level of access provided
**Defaults**: The Domain Admins group is part of the Administrators group on all domain-joined
computers by default, giving its memebers local administrative rights on these machines.
**LDAP Service Accounts should not be domain Admins**: The typical use case for an LDAP
account does not require write permissions. LDAP service accounts only need to be able
to read users and group perissions in a directory
#### Disabled Users Audit
Audit delegation rights to find over-privileged accounts
and unnecessary permissions.
#### Disabling SMB v1
**Probably the biggest hole in ransomware.**
SMB v1 is an outdated protocol with several known vulnerabilities, including those
exploited by ransomware like **WannaCry**. You can disable it using Powershell with thes comands:
```powershell
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Disalble-WindowsOptionalFeature -Online - FeatureName smb1protocol
```
#### KRBTGT Rotation: Rotating Kerberos Passwords
The most important point of this process is that the Kerberos Ticket Granting Tickets (TGT)
is encrypted and signed by the KRBTGT account. this means that anyone can create a valid
Kerberos TGT if they have The KRTGT password hash.
Futhermore, despite the Active Directory domain policy for Kerberos ticket lifetime,
the KDC trusts the TGT, so the custom ticket can iclude a custom ticket lifetime (even one that
exceeds the domain kereros policy).
- Prevents Golden Ticket attacks
- The password for the krbtgt account should be rotated at leat twice a year.
- Script : https://github.com/microsoftarchive/New-KrbtgtKeys.ps1
#### Restrict Powershell Script Execution and Remoting
WinRM allows remote management using WS-Management. if not required, it should
be disabled to reduce potential remote exploitation.
```powershell
Disable-PSRemoting -Force
```
Powershell uses an execution policy to control how scripts can be executed. By default
the execution policy might be set to restricted, but if not, you can enforce this with
this command
```powershell
Set-ExecutionPolicy Restricted -Force
```
#### Disable Services and Protocols
##### Disalble RDP (or Secure it)
RDP can be a major attack vector if not properly secured. if RDP is not needed, disable it.
If needed, restrict access, use Network Level Authentification (NLA), and enable encryption
```powershell
Set-ItemProperty -Path 'HKLM:\System\CurrntControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 1
```
Secure RDP: if you must use RDP, ensure that: NLA is enabled, RDP is limited to necessary IP addresses, and
that RDP sessions are monitored and logged.
To enable Network Level Authentification (NLA) for Remote Desktop Protocol (RDP)
on Windows, You can do the following:
- Open the Control Panel
- Select System and Security
- Click Allow Remote Access
- In the Remote tab, check the box labled Allow remote connections only from computers
running Remote Desktop with Network Level Authentication
##### Disable Link-Local Multicast Name Resolution (LLMNR)
LLMNR is used for name resolution when DNS is unavailable, but it can be exploited
in man-in-th-midde attacks.
```powershell
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Winows NT\DNSClient" -Name "EnableMulticast" -Value 0
```
##### Disable ICMP
While disabling ICMP is not always recommended (since it helps in troubleshooting),
blocking ICMP echo requests (pings) can reduce exposure ti reconnaissance attacks.
```powershell
New-NetFirewallRule - DispalyName "Block ICMPv4-In" -Protocol ICMPv4 -IvmpType 8 - Action Block
```
### Step 3 - Test
Penetraton testing, also known as ethical hacking, is a vital component of modern
cyberecurity. It involves simulating real-world attacks on your network to identify
vulnerabilites before malicious actors can expolit them.
While this proactive approach is essential for safeguarding your infrastructure, it is
crucial to obtain formal approval before conduting any penetration test on your network
- **Obtain Formal Approval**: Secure written authorization from senior management or
legal teams befor proceeding with any form of penetration testing.
- **Define the Scope and Objectives**: Clearly outline what systems and areas will be
tested, as well as the goals of the testing, to prevent unintende consequences.
- **Plan for Recovery**: Prepare contigency plans for any service disruptions, and ensure
that sytem settings are properly restored after testing is complete.
##### Have i been pwned?
Checks to see if an email has been in a data breach. Useful for explaining why
pentesting needs to be done, as these breaches are used for password spraying by
threat actors.
https://www.haveibeenpwend.com
##### Kali Linux
Using Kali Linux, there are three critical tools you can yse to
conduct penetration testing on your environement
###### Legion
Legion is a powerfull GUI-based tool for network scanning and exploitation.
Features:
- Easy to set up and run
- Acts as a multitool for testing/scanning networks (similar to Nmap)
- Automates tasks like SMB enumeration and service discovery
- Can quickly identify vulnerale services in AD environements
###### Mimikatz
Mimikatz is used to extract credentials from Windows systems, including plaintext passwrds
and NTLM hashes.
Pass-the-Hash (PTH) Attack Leverages NTLM hashs to authenticate without cracking the password
###### Hashcat
Hashcat is powersul password-cracking tool that can crack NTLM hashs offline.
https://hashcat.net/hashcat
```powershell
hashcat -m 1000 ntlm_hashes.txt wordlist.txt
```
###### CrackMapExec
CrackMapExec (CME) is a post-exploitation tool targeting AD environments.
- Enumerate users, groups, and computers
- Test credentials across the network
- Perform SMB and LDAP attacks
```powershell
crackmapexec smb 10.0.0.1 -u admin -p password123 --shares
```
https://github.com/byt3bl33d3r/CrackMapExec
## Summary
We need to follow a cyclical approach to information security.
**ACT Cycle**
| Assess | Configure | Test |
| ------------- | --------------------------- | ------------ |
| Ping Castle | PowerShell | Kali Linux |
| Script Sentry | Admin Services | Mimikatz |
| ADeleg | Admin Protocols | Hashcat |
| Locksmith | Minimize Privileged Accounts| CrackMapExec |
Reference in New Issue View Git Blame Copy Permalink