This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.

1. Offensive Active
Directory
Will Schroeder (@harmj0y)
With PowerShell!

2. Agenda
• Offensive Active Directory 101
• Hunting for Users
• Local Administrator Enumeration
• GPO Enumeration and Abuse
• Active Directory ACLs
• Domain Trusts

3. Offensive AD 101
• Red teams and ‘real’ bad guys have been
abusing AD for years, but not much
offensive AD information has existed
publicly (until recently)
• See http://adsecurity.org/
• A lot of what we do on a red team is
essentially just (authorized) domain
administration
• We find misconfigurations and chain
access/trust relationships to turn one

4. PowerView
• A pure PowerShell domain/network
situational awareness tool
• Version 2.0 compliant
• Fully self-contained and loadable in memory
• Now part of PowerSploit™ (not really
trademarked)
• Many modules are implemented in Empire
• Built to automate large components of the
tradecraft on our red team engagements

5. Sidenote
“The best tool these days
for understanding windows
networks is Powerview
[1].”
-Phineas Fisher
http://pastebin.com/raw/0SNSvyjJ

6. Hunting for Users
• On nearly every engagement, we end up
wanting to know where specific users are
logged in
• We break this down into:
• Pre-elevated access, where we have regular
domain user privileges. This is out “lateral
spread” phase
• Post-elevated access, where we have some type
of elevated (e.g. Domain Admin) access. This
is usually our ‘demonstrate impact’ phase

7. Win32 API Access
• Several techniques we rely on for user-
hunting depend on various Windows API
calls
• Specifically NetWkstaUserEnum and
NetSessionEnum
• There are several methods to access these
API calls through PowerShell
• C# Add-Type, straight reflection, PSReflect
• See Matt Graeber’s US PowerShell Summit
talk on Win32 API access for more details

8. • Windows allows any domain-authenticated
user to enumerate the members of a local
group on a remote machine
• Either through the NetLocalGroupGetMembers
Win32 API call or the WinNT service provider
• “Derivative Local Admin”
• Alice is (effectively) an admin on Bob’s
machine, and Bob is (effectively) an admin on
Eve’s machine
• Alice can derive Eve’s rights though
compromising and leveraging Bob’s credentials
Local Administrator Enumeration

9. • Machines obviously have to somehow
determine what users have administrative
rights
• Usually set through restricted groups or
group policy preferences
• These GPO policies are accessible by
anyone on the domain
• From of offensive perspective, we can
often query a domain controller, and
determine who has administrative rights
to what machines
GPO Enumeration and Abuse

10. • Very few organizations properly audit AD
ACLs or alert on their alteration
• Almost every organization has some kind
of misconfiguration SOMEWHERE in the
object access rights in their domain
structure
• This is also a great candidate place for
‘sneaky’ persistence!
Active Directory ACLs

11. • Trusts allow separate domains to form
inter-connected relationships
• Often utilized during acquisitions (i.e.
forest trusts or cross-link trusts)
• A trust just links up the authentication
systems of two domains and allows
authentication traffic to flow between
them
• Allows for the possibility of privileged
access between domains, but doesn’t guarantee
it*
Domain Trusts

12. • Mimikatz Golden Tickets now accept
SidHistories though the new /sids:<X>
argument
• If you compromise a DC in a child domain,
you can create a golden ticket with the
“Enterprise Admins” in the SID history
• This can let you compromise the parent
domain!
• The FOREST is the trust boundary, not the
domain!
Sidenote: The Mimikatz
Trustpocalypse

13. Summary
• There’s a lot of overlap between
offensive engagements and legitimate
domain administration
• You can find where users are logged in
WITHOUT elevated domain privileges
• You can enumerate the local users of a
remote machine WITHOUT elevated domain
privileges
• Domain trusts can easily be enumerated,

14. Questions?

15. • Will Schroeder (@harmj0y)
• http://blog.harmj0y.net | will [at]
harmj0y.net
• Security researcher and red teamer for
Veris Group‘s Adaptive Threat Division
• Offensive open-source developer:
• Veil-Evasion, Empire, PowerSploit
• Recent Microsoft CDM/PowerShell MVP
About_Author

16. • The Mimikatz Trustpocalypse brought to
you by:
• Benjamin Delpy (@gentilkiwi)
• Sean Metacalf (@pyrotek3) -
http://adsecurity.org
• My Active Directory background brought to
you by:
• Carlos Perez (@darkoperator)
• Sean Metcalf (@pyrotek3) -
http://adsecurity.org
• Get PowerView:
About_References