FarsightAD - PowerShell Script That Aims To Help Uncover (Eventual) Persistence Mechanisms Deployed By A Threat Actor Following An Active Directory Domain Compromise

Source: kitploit.com


FarsightAD is a PowerShell script that aims to help uncover (eventual) persistence mechanisms deployed by a threat actor following an Active Directory domain compromise.

The script produces CSV / JSON file exports of various objects and their attributes, enriched with timestamps from replication metadata. Additionally, if executed with replication privileges, the Directory Replication Service (DRS) protocol is leveraged to detect fully or partially hidden objects.

For more information, refer to the SANS DFIR Summit 2022 introductory slides.

Prerequisite

FarsightAD requires PowerShell 7 and the ActiveDirectory module updated for PowerShell 7.

On Windows 10 / 11, the module can be installed through the Optional Features as RSAT: Active Directory Domain Services and Lightweight Directory Services Tools. An already installed module can be updated with:

Add-WindowsCapability -Online -Name Rsat.ServerManager.Tools~~~~0.0.1.0

If the module is correctly updated, Get-Command Get-ADObject should return:

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Get-ADObject                                       1.0.X.X    ActiveDirectory

Basic usage

. .\FarsightAD.ps1

Invoke-ADHunting [-Server <DC_IP | DC_HOSTNAME>] [-Credential <PS_CREDENTIAL>] [-ADDriveName <AD_DRIVE_NAME>] [-OutputFolder <OUTPUT_FOLDER>] [-ExportType <CSV | JSON>]

AD Hunting cmdlets

Cmdlet: Synopsis

  • Invoke-ADHunting: Execute all the FarsightAD AD hunting cmdlets (mentioned below).
  • Export-ADHuntingACLDangerousAccessRights: Export dangerous ACEs, i.e. ACEs that allow takeover of the underlying object, on all the domain's objects. May take a while on larger domains.
  • Export-ADHuntingACLDefaultFromSchema: Export the ACL configured in the defaultSecurityDescriptor attribute of Schema classes. Non-default (as defined in the Microsoft documentation) ACLs are identified and potentially dangerous ACEs are highlighted.
  • Export-ADHuntingACLPrivilegedObjects: Export the ACL configured on the privileged objects in the domain and highlight potentially dangerous access rights.
  • Export-ADHuntingADCSCertificateTemplates: Export information and access rights on certificate templates. The following notable parameters are retrieved: certificate template publish status, certificate usage, if the subject is constructed from user-supplied data, and access control (enrollment / modification).
  • Export-ADHuntingADCSPKSObjects: Export information and access rights on sensitive PKS objects (NTAuthCertificates, certificationAuthority, and pKIEnrollmentService).
  • Export-ADHuntingGPOObjectsAndFilesACL: Export ACL access rights information on GPO objects and files, highlighting GPOs that are applied on privileged users or computers.
  • Export-ADHuntingGPOSettings: Export information on various settings configured by GPOs that could be leveraged for persistence (privileges and logon rights, restricted groups membership, scheduled and immediate tasks V1 / V2, machine and user logon / logoff scripts).
  • Export-ADHuntingHiddenObjectsWithDRSRepData: Export the objects' attributes that are accessible through replication (with the Directory Replication Service (DRS) protocol) but not by direct query. Access controls are not taken into account for replication operations, which makes it possible to identify access controls blocking access to specific object attributes. Only a limited set of sensitive attributes are assessed.
  • Export-ADHuntingKerberosDelegations: Export the Kerberos delegations that are considered dangerous (unconstrained, constrained to a privileged service, or resource-based constrained on a privileged service).
  • Export-ADHuntingPrincipalsAddedViaMachineAccountQuota: Export the computers that were added to the domain by non-privileged principals (using the ms-DS-MachineAccountQuota mechanism).
  • Export-ADHuntingPrincipalsCertificates: Export parsed accounts' certificate(s) (for accounts having a non-empty userCertificate attribute). The certificates are parsed to retrieve a number of parameters: certificate validity timestamps, certificate purpose, certificate subject and eventual SubjectAltName(s), ...
  • Export-ADHuntingPrincipalsDontRequirePreAuth: Export the accounts that do not require Kerberos pre-authentication.
  • Export-ADHuntingPrincipalsOncePrivileged: Export the accounts that were once members of privileged groups.
  • Export-ADHuntingPrincipalsPrimaryGroupID: Export the accounts that have a non-default primaryGroupID attribute, highlighting RIDs linked to privileged groups.
  • Export-ADHuntingPrincipalsPrivilegedAccounts: Export detailed information about members of privileged groups.
  • Export-ADHuntingPrincipalsPrivilegedGroupsMembership: Export privileged groups' current and past members, retrieved using replication metadata.
  • Export-ADHuntingPrincipalsSIDHistory: Export the accounts that have a non-empty SID History attribute, with resolution of the associated domain and highlighting of privileged SIDs.
  • Export-ADHuntingPrincipalsShadowCredentials: Export parsed Key Credentials information (of accounts having a non-empty msDS-KeyCredentialLink attribute).
  • Export-ADHuntingPrincipalsTechnicalPrivileged: Export the technical privileged accounts (SERVER_TRUST_ACCOUNT and INTERDOMAIN_TRUST_ACCOUNT).
  • Export-ADHuntingPrincipalsUPNandAltSecID: Export the accounts that define a UserPrincipalName or AltSecurityIdentities attribute, highlighting potential anomalies.
  • Export-ADHuntingTrusts: Export the trusts of all the domains in the forest. A number of parameters are retrieved for each trust: transitivity, SID filtering, TGT delegation.

More information on each cmdlet usage can be retrieved using Get-Help -Full <CMDLET>.

Demo

Fully / partially hidden objects detection

Adding a fully hidden user

Hiding the SID History attribute of a user

Uncovering the fully and partially hidden users with Export-ADHuntingHiddenObjectsWithDRSRepData
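
The comparison that hidden-object detection rests on, reduced to its logic as an added example (this is not FarsightAD's own code): an object seen through replication but absent from a direct query is fully hidden, and an attribute value seen through replication but empty in the direct query is partially hidden. The function name Find-HiddenObject, the attribute list and every sample object are assumptions constructed for illustration; the real cmdlet obtains the replication view through the DRS protocol.

```powershell
# Hypothetical attribute list: the page only says a limited set of sensitive attributes is assessed.
$SensitiveAttributes = 'sIDHistory', 'msDS-KeyCredentialLink', 'userCertificate'

function Find-HiddenObject {
    param(
        [Parameter(Mandatory)] [object[]] $Replicated,                        # view obtained through replication
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Queried,  # view obtained by direct query
        [string[]] $Attributes = $SensitiveAttributes
    )
    # Index the direct-query view by objectGUID so each replicated object is looked up once.
    $byGuid = @{}
    foreach ($o in $Queried) { $byGuid[$o.ObjectGuid] = $o }

    foreach ($r in $Replicated) {
        $q = $byGuid[$r.ObjectGuid]
        if ($null -eq $q) {
            # The object replicates but cannot be read at all: fully hidden.
            [pscustomobject]@{ DN = $r.DN; Finding = 'FullyHidden'; Attribute = $null }
            continue
        }
        foreach ($a in $Attributes) {
            # A value exists in replication data but the direct query returns nothing: partially hidden.
            if ($r.$a -and -not $q.$a) {
                [pscustomobject]@{ DN = $r.DN; Finding = 'PartiallyHidden'; Attribute = $a }
            }
        }
    }
}

# Constructed sample data (GUIDs, DNs and the SID are made up for this example).
$base = 'CN=Users,DC=lab,DC=example'
$drsView = @(
    [pscustomobject]@{ ObjectGuid = '00000000-0000-0000-0000-000000000001'; DN = "CN=alice,$base"; sIDHistory = $null }
    [pscustomobject]@{ ObjectGuid = '00000000-0000-0000-0000-000000000002'; DN = "CN=bob,$base"; sIDHistory = 'S-1-5-21-1111111111-2222222222-3333333333-512' }
    [pscustomobject]@{ ObjectGuid = '00000000-0000-0000-0000-000000000003'; DN = "CN=ghost,$base"; sIDHistory = $null }
)
$ldapView = @(
    [pscustomobject]@{ ObjectGuid = '00000000-0000-0000-0000-000000000001'; DN = "CN=alice,$base"; sIDHistory = $null }
    [pscustomobject]@{ ObjectGuid = '00000000-0000-0000-0000-000000000002'; DN = "CN=bob,$base"; sIDHistory = $null }
)

Find-HiddenObject -Replicated $drsView -Queried $ldapView | Format-Table -AutoSize
```

With the sample data, bob is reported as partially hidden on sIDHistory and ghost as fully hidden, matching the two cases shown in the demo.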

Acknowledgements

Thanks

  • Antoine Cauchois (@caucho_a) for the proofreading, testing and ideas.

Author

Thomas DIOT (Qazeer)

Licence

CC BY 4.0 licence - https://creativecommons.org/licenses/by/4.0/


