Securing Active Directory with PowerShell and Other Tools
Security is never a Destination
We need to follow a cyclical approach to information security
ACT Cycle
Configure -> Test -> Assess
Guiding Principle
Least Privilege / Need-to-know
Limiting user access rights to only what is strictly necessary for their role.
Benefits:
- Reduces risk of unauthorized access.
- Mitigates damage from compromised accounts.
Minimize Privileged Accounts
Reducing the number of Privileged accounts to a minimum.
Why It Matters:
- Privileged accounts are prime targets for attackers.
- Fewer privileged accounts lead to reduced attack surface.
Best Practices:
- Use Role-Based Access Control (RBAC).
- Assign temporary elevated privileges only when necessary.
Active Directory is Not Security Software
Why is Active Directory such a risk?
- Active Directory is a centralized, network control structure.
- Active Directory is very complex and a lot of things are hidden.
- Active Directory does not warn you about bad configurations.
- Active Directory users have a lot of permissions to a lot of resources.
Active Directory is the starting point for many threat actors, who follow this simple pattern of compromise:
1. Credentials 2. Access 3. Control
Known Active Directory Related Breaches
Colonial Pipeline Attack (2021)
Utilized disabled account password hashes to laterally compromise other accounts, infiltrating the network via VPN that had no MFA.
Waikato District Health Board (New Zealand - 2021)
Redacted, but attackers used Windows 7 PCs as the initial foothold for an account, presumably then moving laterally around the network using AD permissions.
ACT Cycle
Step 1 - Assess
Objective: Evaluate and identify vulnerabilities and misconfigurations in Active Directory, including those related to ransomware attacks.
Tools
Ping Castle
Generate health reports and identify privilege escalation paths, outdated policies, and risks related to ransomware attacks.
- Provides health check analysis of the Active Directory environment
- Provides actionable remediation steps for misconfigurations
- Reports should be run quarterly or annually
Adeleg
https://github.com/mtth-bfft/adeleg
Audit delegation rights to find over-privileged accounts and unnecessary permissions.
- An Active Directory delegation management tool. It allows you to make a detailed inventory of the delegations set up so far in a forest, along with their potential issues:
- Objects owned by users
- Objects with ACEs (access control entries) for users
- Non-canonical ACL
- Disabled ACL inheritance
- Default ACL modified in schema
- Deleted delegation trustees
Script Sentry
https://github.com/techspence/ScriptSentry
Review PowerShell scripts running across the network for malicious or unauthorized executions.
- ScriptSentry finds misconfigured and dangerous logon scripts.
- Not in PSGallery, but easy to invoke.
Locksmith
https://github.com/TrimarcJake/Locksmith?tab=readme-ov-file
- A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
- Easy installation: Locksmith is in the PSGallery
- Install-Module -Name Locksmith -Scope CurrentUser
Review privileged accounts and group memberships to ensure least privilege principles are enforced.
PurpleKnight
Produces Active Directory and Entra ID security reports.
Step 2 - Configure
Storing Credentials and API Keys
The PowerShell SecretManagement module provides a convenient way for a user to store and retrieve secrets.
The SecretManagement module handles creating and configuring secrets, while the SecretStore module acts as the local secure vault for storing them.
Install-Module Microsoft.PowerShell.SecretManagement
Install-Module Microsoft.PowerShell.SecretStore
To store credentials, you first need to register a secret vault:
Register-SecretVault -Name mrsh -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
To set a password on the SecretStore (the first call that touches the store prompts you to create one):
Get-SecretStoreConfiguration
Store a credential as a secret:
Set-Secret -Vault mrsh -Name adm_ncs -Secret (Get-Credential mrsh.local\adm_ncs) -Metadata @{Description = "Admin account mrsh.local"}
View a password:
(Get-Secret -Vault mrsh -Name adm_ncs).Password | ConvertFrom-SecureString -AsPlainText
Passing the credential safely to a command:
<Command> -Credential (Get-Secret -Vault mrsh -Name adm_ncs)
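The whole workflow in one re-runnable script, as an added example that is not from the slides: register the vault once, store the credential only if it is missing, then hand the PSCredential directly to an AD cmdlet. The vault name mrsh, secret name adm_ncs and account mrsh.local\adm_ncs are the slide's placeholder values; the ActiveDirectory RSAT module and PowerShell 7 are assumed.

```powershell
# Added example (not from the slides): end-to-end SecretManagement workflow.
# Assumed placeholders: vault "mrsh", secret "adm_ncs", account "mrsh.local\adm_ncs".
#Requires -Modules Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore

param(
    [string]$VaultName  = 'mrsh',
    [string]$SecretName = 'adm_ncs',
    [string]$UserName   = 'mrsh.local\adm_ncs'
)

# 1. Register the local SecretStore once; re-running the script must not fail.
if (-not (Get-SecretVault -Name $VaultName -ErrorAction SilentlyContinue)) {
    Register-SecretVault -Name $VaultName -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
}

# 2. The first cmdlet that touches the store prompts you to create the vault password.
#    Lock the store to that password with a 15 minute idle timeout so a hijacked
#    session cannot keep reading secrets indefinitely.
Set-SecretStoreConfiguration -Authentication Password -PasswordTimeout 900 -Confirm:$false

# 3. Store the credential only if it is not already in the vault. Get-SecretInfo
#    returns metadata only, never the secret itself, so it is safe to log.
if (-not (Get-SecretInfo -Vault $VaultName -Name $SecretName)) {
    $cred = Get-Credential -UserName $UserName -Message "Password for $UserName"
    Set-Secret -Vault $VaultName -Name $SecretName -Secret $cred `
        -Metadata @{ Description = 'Admin account mrsh.local'; Owner = $env:USERNAME }
}

# 4. Retrieve it as a PSCredential and pass it straight to the command that needs it.
#    Nothing is written to disk in the clear and nothing is echoed to the console.
$adminCred = Get-Secret -Vault $VaultName -Name $SecretName
Get-ADGroupMember -Identity 'Domain Admins' -Credential $adminCred |
    Select-Object Name, objectClass, distinguishedName

# 5. Confirm what the vault holds without revealing it (metadata only).
Get-SecretInfo -Vault $VaultName | Select-Object Name, Type, Metadata
```

Because Get-Secret returns the stored PSCredential as an object, the plaintext password only ever exists inside the SecureString; the ConvertFrom-SecureString -AsPlainText step from the slide is for a one-off manual check and should not appear in scheduled scripts.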
Domain Admins Audit
The Domain Admins group is a built-in security group in Active Directory that has wide-ranging administrative privileges within a domain
Domain Admins Group
Privileges: Members of the Domain Admins group have full control over all domain resources. They can manage user accounts, create and delete objects, modify group memberships, and perform other administrative tasks.
Members: By default, the Administrator account is a member of the Domain Admins group. Additional users or groups can be added as needed, but this should be done sparingly due to the high level of access provided.
Defaults: The Domain Admins group is part of the Administrators group on all domain-joined computers by default, giving its members local administrative rights on these machines.
LDAP service accounts should not be Domain Admins: The typical use case for an LDAP account does not require write permissions. LDAP service accounts only need to be able to read users and group permissions in the directory.
Disabled Users Audit
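A PowerShell audit that backs both the Domain Admins and the Disabled Users steps, as an added example that is not from the slides. It flattens nested membership of the privileged groups and flags disabled members, service accounts (SPNs) and stale passwords; it then lists disabled accounts that still hold group memberships or whose password was not reset when they were disabled (the Colonial Pipeline lesson). The ActiveDirectory RSAT module is assumed; the privileged-group list and the 90 day grace period are illustrative defaults.

```powershell
# Added example (not from the slides): Domain Admins and disabled-user audits.
# Assumptions: ActiveDirectory RSAT module; group list and 90 day grace are defaults to tune.
#Requires -Modules ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$UserProps = 'Enabled', 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires', 'ServicePrincipalName'

function Get-PrivilegedMemberReport {
    param([string[]]$Groups = $PrivilegedGroups)
    foreach ($group in $Groups) {
        # -Recursive flattens nested groups so members hidden one level down are included.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.DistinguishedName -Properties $UserProps
                $findings = @()
                if (-not $u.Enabled)               { $findings += 'disabled account still privileged' }
                if ($u.PasswordNeverExpires)       { $findings += 'password never expires' }
                if ($u.ServicePrincipalName.Count) { $findings += 'service account (SPN) in admin group' }
                if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddDays(-365)) {
                    $findings += 'password older than a year'
                }
                [pscustomobject]@{
                    Group          = $group
                    SamAccountName = $u.SamAccountName
                    Enabled        = $u.Enabled
                    LastLogonDate  = $u.LastLogonDate
                    Findings       = $findings -join '; '
                }
            }
    }
}

function Get-DisabledUserReport {
    param([int]$GraceDays = 90)
    $cutoff = (Get-Date).AddDays(-$GraceDays)
    Get-ADUser -Filter 'Enabled -eq $false' -Properties whenChanged, MemberOf, PasswordLastSet |
        ForEach-Object {
            $groups     = @($_.MemberOf)
            $privileged = @($groups | Where-Object { (($_ -split ',')[0] -replace '^CN=') -in $PrivilegedGroups })
            $findings   = @()
            # Heuristic: whenChanged is the last modification, which for a disabled account is
            # usually the disable itself. A password last set well before that date was not
            # reset when the account was disabled, so its hash is still usable.
            if ($_.PasswordLastSet -and $_.PasswordLastSet -lt $_.whenChanged.AddDays(-1)) {
                $findings += 'password not reset at disable time'
            }
            if ($privileged.Count) { $findings += "still in: $($privileged -join ', ')" }
            if ($_.whenChanged -lt $cutoff -and $groups.Count) {
                $findings += "disabled > $GraceDays days and still in $($groups.Count) group(s)"
            }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                LastChanged    = $_.whenChanged
                GroupCount     = $groups.Count
                Findings       = $findings -join '; '
            }
        }
}

# Show only the rows that have something to fix; pipe to Export-Csv for the quarterly record.
Get-PrivilegedMemberReport | Where-Object Findings | Format-Table -AutoSize
Get-DisabledUserReport     | Where-Object Findings | Format-Table -AutoSize
```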
Disabling SMB v1
Probably the biggest hole exploited by ransomware.
SMB v1 is an outdated protocol with several known vulnerabilities, including those exploited by ransomware like WannaCry. You can disable it using PowerShell with these commands:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
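The two commands above wrapped into a check-then-fix function that runs against one or many servers, as an added example that is not from the slides. It reports the server setting and the feature state, counts SMB1 audit events (if SMB1 access auditing was enabled beforehand) so you know which legacy clients will break, and only changes anything when -Remediate is given and the ShouldProcess prompt is confirmed. Assumptions: elevated session, WinRM reachable on remote targets, and $ComputerName is a placeholder list.

```powershell
# Added example (not from the slides): audit and optionally disable SMB1 on one or many hosts.
# Assumptions: run elevated; remote hosts accept WinRM; -Remediate is off by default.
function Invoke-Smb1Check {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [switch]$Remediate
    )
    $work = {
        param([bool]$Fix)
        $serverOn  = (Get-SmbServerConfiguration).EnableSMB1Protocol
        $feature   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
        $featureOn = $feature.State -eq 'Enabled'
        # If SMB1 auditing was enabled earlier (Set-SmbServerConfiguration -AuditSmb1Access $true),
        # event 3000 in the SMBServer/Audit log records every client that still used SMB1;
        # a non-zero count means something will break when the protocol goes away.
        $auditEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
                             -MaxEvents 200 -ErrorAction SilentlyContinue).Count
        if ($Fix -and $serverOn)  { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
        if ($Fix -and $featureOn) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Smb1ServerWas   = $serverOn
            Smb1FeatureWas  = $feature.State
            Smb1AuditEvents = $auditEvents
            Remediated      = [bool]$Fix -and ($serverOn -or $featureOn)
            RebootNeeded    = [bool]$Fix -and $featureOn
        }
    }
    foreach ($c in $ComputerName) {
        # ShouldProcess gives -WhatIf / -Confirm for free on every remediation.
        $fix = $Remediate -and $PSCmdlet.ShouldProcess($c, 'Disable SMB1')
        if ($c -eq $env:COMPUTERNAME) { & $work $fix }
        else { Invoke-Command -ComputerName $c -ScriptBlock $work -ArgumentList $fix }
    }
}

# Audit only:
Invoke-Smb1Check | Format-Table -AutoSize
# Fix after review (prompts per host):
# Invoke-Smb1Check -ComputerName 'FS01', 'FS02' -Remediate
```

Removing the optional feature is what actually unloads the SMB1 driver, which is why the feature state is reported separately from the server switch and why RebootNeeded is tracked.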
KRBTGT Rotation: Rotating Kerberos Passwords
The key point of this process is that Kerberos Ticket Granting Tickets (TGTs) are encrypted and signed by the KRBTGT account. This means that anyone who has the KRBTGT password hash can create a valid Kerberos TGT. Furthermore, regardless of the Active Directory domain policy for Kerberos ticket lifetime, the KDC trusts the TGT, so a forged ticket can include a custom ticket lifetime (even one that exceeds the domain Kerberos policy).
- Prevents Golden Ticket attacks
- The password for the krbtgt account should be rotated at least twice a year.
- Script : https://github.com/microsoftarchive/New-KrbtgtKeys.ps1
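A small PowerShell companion to that process, as an added example that is not from the slides or the linked script: one function reports how old the krbtgt password is against the twice-a-year target, the other performs a single reset on the PDC emulator behind a high-impact confirmation and warns if the previous reset is too recent. Assumptions: ActiveDirectory RSAT module, Domain Admin rights, a 180 day threshold, and the default 10 hour maximum TGT lifetime.

```powershell
# Added example (not from the slides): krbtgt password age check and guarded reset.
# Assumptions: ActiveDirectory RSAT module, Domain Admin rights, 180 day threshold.
#Requires -Modules ActiveDirectory

function Get-KrbtgtPasswordAge {
    param([string]$Domain = (Get-ADDomain).DNSRoot, [int]$MaxAgeDays = 180)
    $krbtgt  = Get-ADUser -Identity krbtgt -Server $Domain -Properties PasswordLastSet
    $ageDays = [int](New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).TotalDays
    [pscustomobject]@{
        Domain          = $Domain
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = $ageDays
        RotationDue     = $ageDays -gt $MaxAgeDays
    }
}

function Reset-KrbtgtPassword {
    # ConfirmImpact High: the reset prompts unless -Confirm:$false is passed explicitly.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # Reset on the PDC emulator so the new key replicates out from one authoritative source.
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator

    # Two resets are needed before old keys stop being honoured, but the second must wait
    # at least the maximum TGT lifetime (10 h by default) plus replication convergence;
    # resetting twice in quick succession invalidates every outstanding ticket.
    $age = Get-KrbtgtPasswordAge -Domain $Domain
    if ($age.AgeDays -lt 1) {
        Write-Warning "krbtgt was already reset at $($age.PasswordLastSet); wait for TGT lifetime plus replication before the second reset."
    }

    if ($PSCmdlet.ShouldProcess("krbtgt in $Domain via $pdc", 'Reset password')) {
        # AD generates its own random key for krbtgt regardless of the value supplied,
        # but Set-ADAccountPassword still requires a non-empty SecureString.
        $bytes = [byte[]]::new(48)
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPwd = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $newPwd
        Get-KrbtgtPasswordAge -Domain $Domain
    }
}

# Report only; call Reset-KrbtgtPassword (twice, with the wait in between) when RotationDue is true.
Get-KrbtgtPasswordAge
```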
Restrict Powershell Script Execution and Remoting
WinRM allows remote management using WS-Management. If not required, it should be disabled to reduce potential remote exploitation.
Disable-PSRemoting -Force
PowerShell uses an execution policy to control how scripts can be executed. By default the execution policy might be set to Restricted, but if not, you can enforce this with this command:
Set-ExecutionPolicy Restricted -Force
Disable Services and Protocols
Disable RDP (or Secure it)
RDP can be a major attack vector if not properly secured. If RDP is not needed, disable it. If needed, restrict access, use Network Level Authentication (NLA), and enable encryption.
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 1
Secure RDP: If you must use RDP, ensure that NLA is enabled, RDP is limited to the necessary IP addresses, and RDP sessions are monitored and logged.
To enable Network Level Authentication (NLA) for Remote Desktop Protocol (RDP) on Windows, you can do the following:
- Open the Control Panel
- Select System and Security
- Click Allow Remote Access
- In the Remote tab, check the box labelled Allow remote connections only from computers running Remote Desktop with Network Level Authentication
Disable Link-Local Multicast Name Resolution (LLMNR)
LLMNR is used for name resolution when DNS is unavailable, but it can be exploited in man-in-the-middle attacks.
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0
Disable ICMP
While disabling ICMP is not always recommended (since it helps in troubleshooting), blocking ICMP echo requests (pings) can reduce exposure to reconnaissance attacks.
New-NetFirewallRule -DisplayName "Block ICMPv4-In" -Protocol ICMPv4 -IcmpType 8 -Action Block
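A read-only audit that checks every host-level control from the Restrict PowerShell Script Execution and Disable Services and Protocols sections in one pass, as an added example that is not from the slides. It changes nothing; each row reports the current value, the expected value and the remediation command from the slides (NLA is read from the RDP-Tcp registry key that the Control Panel checkbox sets). Assumptions: run elevated on the host being checked, and the ICMP rule name "Block ICMPv4-In" from the slide. Note that Disable-PSRemoting alone does not stop the WinRM service, and that execution policy is a safety feature against accidental script execution, not a security boundary against a deliberate attacker; the audit reports both anyway because they are the slide's baseline.

```powershell
# Added example (not from the slides): read-only audit of host hardening settings.
# Assumptions: elevated session on the target host; rule name 'Block ICMPv4-In' as on the slide.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Missing key or value means "not configured", which is the insecure default for LLMNR.
    try { Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Stop } catch { $null }
}

function Get-HostHardeningReport {
    $tsRoot      = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpDenied   = Get-RegValue $tsRoot 'fDenyTSConnections'
    $nlaRequired = Get-RegValue "$tsRoot\WinStations\RDP-Tcp" 'UserAuthentication'
    $llmnr       = Get-RegValue 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $winrm       = (Get-Service -Name WinRM).Status
    $execPolicy  = Get-ExecutionPolicy -Scope LocalMachine
    $icmpRule    = Get-NetFirewallRule -DisplayName 'Block ICMPv4-In' -ErrorAction SilentlyContinue
    $icmpBlocked = $null -ne $icmpRule -and $icmpRule.Enabled -eq 'True' -and $icmpRule.Action -eq 'Block'

    $rows = @(
        [ordered]@{ Control = 'WinRM service';      Current = "$winrm";      Expected = 'Stopped'
                    Compliant = $winrm -eq 'Stopped'
                    Fix = 'Disable-PSRemoting -Force; Stop-Service WinRM' }
        [ordered]@{ Control = 'Execution policy';   Current = "$execPolicy"; Expected = 'Restricted'
                    Compliant = $execPolicy -eq 'Restricted'
                    Fix = 'Set-ExecutionPolicy Restricted -Force' }
        [ordered]@{ Control = 'RDP disabled';       Current = "$rdpDenied";  Expected = '1'
                    Compliant = $rdpDenied -eq 1
                    Fix = "Set-ItemProperty -Path '$tsRoot' -Name fDenyTSConnections -Value 1" }
        [ordered]@{ Control = 'RDP requires NLA';   Current = "$nlaRequired"; Expected = '1'
                    Compliant = $nlaRequired -eq 1
                    Fix = "Set-ItemProperty -Path '$tsRoot\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1" }
        [ordered]@{ Control = 'LLMNR disabled';     Current = "$llmnr";      Expected = '0'
                    Compliant = $llmnr -eq 0
                    Fix = 'Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast -Value 0' }
        [ordered]@{ Control = 'ICMP echo blocked';  Current = "$icmpBlocked"; Expected = 'True'
                    Compliant = $icmpBlocked
                    Fix = 'New-NetFirewallRule -DisplayName "Block ICMPv4-In" -Protocol ICMPv4 -IcmpType 8 -Action Block' }
    )
    $rows | ForEach-Object { [pscustomobject]$_ }
}

$report = Get-HostHardeningReport
$report | Format-Table Control, Current, Expected, Compliant -AutoSize
# Print the remediation command for each failing control; nothing is executed automatically.
$report | Where-Object { -not $_.Compliant } | ForEach-Object { "TODO [$($_.Control)]: $($_.Fix)" }
```

The NLA row only matters when RDP is enabled; when fDenyTSConnections is 1 it can be ignored. Treat a blank Current value for LLMNR as non-compliant: no policy value means multicast name resolution is still on.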
Step 3 - Test
Penetration testing, also known as ethical hacking, is a vital component of modern cybersecurity. It involves simulating real-world attacks on your network to identify vulnerabilities before malicious actors can exploit them. While this proactive approach is essential for safeguarding your infrastructure, it is crucial to obtain formal approval before conducting any penetration test on your network.
- Obtain Formal Approval: Secure written authorization from senior management or legal teams before proceeding with any form of penetration testing.
- Define the Scope and Objectives: Clearly outline which systems and areas will be tested, as well as the goals of the testing, to prevent unintended consequences.
- Plan for Recovery: Prepare contingency plans for any service disruptions, and ensure that system settings are properly restored after testing is complete.
Have I Been Pwned?
Checks whether an email address has appeared in a data breach. Useful for explaining why pentesting needs to be done, as these breaches are used for password spraying by threat actors.
https://www.haveibeenpwned.com
Kali Linux
Using Kali Linux, there are three critical tools you can use to conduct penetration testing on your environment.
Legion
Legion is a powerful GUI-based tool for network scanning and exploitation. Features:
- Easy to set up and run
- Acts as a multitool for testing/scanning networks (similar to Nmap)
- Automates tasks like SMB enumeration and service discovery
- Can quickly identify vulnerable services in AD environments
Mimikatz
Mimikatz is used to extract credentials from Windows systems, including plaintext passwords and NTLM hashes.
Pass-the-Hash (PTH) attack: leverages NTLM hashes to authenticate without cracking the password.
Hashcat
Hashcat is a powerful password-cracking tool that can crack NTLM hashes offline.
hashcat -m 1000 ntlm_hashes.txt wordlist.txt
CrackMapExec
CrackMapExec (CME) is a post-exploitation tool targeting AD environments.
- Enumerate users, groups, and computers
- Test credentials across the network
- Perform SMB and LDAP attacks
crackmapexec smb 10.0.0.1 -u admin -p password123 --shares
https://github.com/byt3bl33d3r/CrackMapExec
Summary
We need to follow a cyclical approach to information security.
ACT Cycle
| Assess | Configure | Test |
|---|---|---|
| Ping Castle | PowerShell | Kali Linux |
| Script Sentry | Admin Services | Mimikatz |
| ADeleg | Admin Protocols | Hashcat |
| Locksmith | Minimize Privileged Accounts | CrackMapExec |