Resource-Based Constrained Delegation
PowerView - Situational Awareness PowerShell framework
BloodHound - Six Degrees of Domain Admin
Impacket - Impacket is a collection of Python classes for working with network protocols
aclpwn.py - Active Directory ACL exploitation with BloodHound
CrackMapExec - A swiss army knife for pentesting networks
ADACLScanner - A tool with GUI or command linte used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory
zBang - zBang is a risk assessment tool that detects potential privileged account threats
SafetyKatz - SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader.
SharpDump - SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
PowerUpSQL - A PowerShell Toolkit for Attacking SQL Server
Rubeus - Rubeus is a C# toolset for raw Kerberos interaction and abuses
ADRecon - A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
Mimikatz - Utility to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory but also perform pass-the-hash, pass-the-ticket or build Golden tickets
Grouper - A PowerShell script for helping to find vulnerable settings in AD Group Policy.
Powermad - PowerShell MachineAccountQuota and DNS exploit tools
RACE - RACE is a PowerShell module for executing ACL attacks against Windows targets.
DomainPasswordSpray - DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.
MailSniper - MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
LAPSToolkit - Tool to audit and attack LAPS environments.
CredDefense - Credential and Red Teaming Defense for Windows Environments
Tools Cheat Sheets - Tools (PowerView, PowerUp, Empire, and PowerSploit)
Create-Tiers in AD - Project Title Active Directory Auto Deployment of Tiers in any environment
SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016
Net Cease - Hardening Net Session Enumeration
PingCastle - A tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework
Aorato Skeleton Key Malware Remote DC Scanner - Remotely scans for the existence of the Skeleton Key Malware
Reset the krbtgt account password/keys - This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation
RiskySPN - RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Name).
Deploy-Deception - A PowerShell module to deploy active directory decoy objects
SpoolerScanner - Check if MS-RPRN is remotely available with powershell/c#
dcept - A tool for deploying and detecting use of Active Directory honeytokens
LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
DCSYNCMonitor - Monitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events
Sigma - Generic Signature Format for SIEM Systems
Sysmon - System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
SysmonSearch - Investigate suspicious activity by visualizing Sysmon's event log
ClrGuard - ClrGuard is a proof of concept project to explore instrumenting the Common Language Runtime (CLR) for security purposes.
Get-ClrReflection - Detects memory-only CLR (.NET) modules.
Get-InjectedThread - Get-InjectedThread looks at each running thread to determine if it is the result of memory injection.
SilkETW - SilkETW & SilkService are flexible C# wrappers for ETW, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection.
sysmon-modular - A Sysmon configuration repository for everybody to customise
sysmon-dfir - Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
sysmon-config - Sysmon configuration file template with default high-quality event tracing
Manage local Administrator passwords (LAPS).
Implement RDP Restricted Admin mode (as needed).
Remove unsupported OSs from the network.
Monitor scheduled tasks on sensitive systems (DCs, etc.).
Ensure that OOB management passwords (DSRM) are changed regularly & securely stored.
Use SMB v2/v3+
Default domain Administrator & KRBTGT password should be changed every year & when an AD admin leaves.
Remove trusts that are no longer necessary & enable SID filtering as appropriate.
All domain authentications should be set (when possible) to: "Send NTLMv2 response onlyrefuse LM & NTLM."
Block internet access for DCs, servers, & all administration systems.
Protect Admin Credentials
No "user" or computer accounts in admin groups.
Ensure all admin accounts are "sensitive & cannot be delegated".
Add admin accounts to "Protected Users" group (requires Windows Server 2012 R2 Domain Controllers, 2012R2 DFL for domain protection).
Disable all inactive admin accounts and remove from privileged groups.
Protect AD Admin Credentials
Limit AD admin membership (DA, EA, Schema Admins, etc.) & only use custom delegation groups.
‘Tiered’ Administration mitigating credential theft impact.
Ensure admins only logon to approved admin workstations & servers.
Leverage time-based, temporary group membership for all admin accounts
Protect Service Account Credentials
Limit to systems of the same security level.
Leverage “(Group) Managed Service Accounts” (or PW >20 characters) to mitigate credential theft (kerberoast).
Implement FGPP (DFL =>2008) to increase PW requirements for SAs and administrators.
Logon restrictions – prevent interactive logon & limit logon capability to specific computers.
Disable inactive SAs & remove from privileged groups.
Segment network to protect admin & critical systems.
Deploy IDS to monitor the internal corporate network.
Network device & OOB management on separate network.
Protect Domain Controllers
Only run software & services to support AD.
Minimal groups (& users) with DC admin/logon rights.
Ensure patches are applied before running DCPromo (especially MS14-068 and other critical patches).
Validate scheduled tasks & scripts.
Protect Workstations (& Servers)
Patch quickly, especially privilege escalation vulnerabilities.
Deploy security back-port patch (KB2871997).
Set Wdigest reg key to 0 (KB2871997/Windows 8.1/2012R2+): HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersWdigest
Deploy workstation whitelisting (Microsoft AppLocker) to block code exec in user folders – home dir & profile path.
Deploy workstation app sandboxing technology (EMET) to mitigate application memory exploits (0-days).
Enable enhanced auditing
“Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
Enable PowerShell module logging (“*”) & forward logs to central log server (WEF or other method).
Enable CMD Process logging & enhancement (KB3004375) and forward logs to central log server.
SIEM or equivalent to centralize as much log data as possible.
User Behavioural Analysis system for enhanced knowledge of user activity (such as Microsoft ATA).
Security Pro’s Checks
Identify who has AD admin rights (domain/forest).
Identify who can logon to Domain Controllers (& admin rights to virtual environment hosting virtual DCs).
Scan Active Directory Domains, OUs, AdminSDHolder, & GPOs for inappropriate custom permissions.
Ensure AD admins (aka Domain Admins) protect their credentials by not logging into untrusted systems (workstations).
Limit service account rights that are currently DA (or equivalent).
Windows NTLM Tampering Vulnerability
A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka 'Windows NTLM Tampering Vulnerability'.
Active Directory Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest, aka 'Active Directory Elevation of Privilege Vulnerability'.
Remote Desktop Services Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
Microsoft Exchange Server Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server.
Windows SMB Remote Code Execution Vulnerability
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
Windows SAM and LSAD Downgrade Vulnerability
The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "Windows SAM and LSAD Downgrade Vulnerability" or "BADLOCK."
Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)
The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability."
Vulnerability in Group Policy Preferences could allow elevation of privilege
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."
Account and Group Enumeration
4798: A user's local group membership was enumerated 4799: A security-enabled local group membership was enumerated
4780: The ACL was set on accounts which are members of administrators groups
4624: Account Logon 4672: Admin Logon 4768: Kerberos TGS Request
4624: Account Logon 4634: Account Logoff 4672: Admin Logon
4624: Account Logon 4672: Admin Logon
4103: Script Block Logging 400: Engine Lifecycle 403: Engine Lifecycle 4103: Module Logging 600: Provider Lifecycle
4742: A computer account was changed 5137: A directory service object was created 5141: A directory service object was deleted 4929: An Active Directory replica source naming context was removed
4673: A privileged service was called 4611: A trusted logon process has been registered with the Local Security Authority 4688: A new process has been created 4689: A new process has exited
4672: Admin Logon 4624: Account Logon 4768: Kerberos TGS Request
4769: A Kerberos ticket was requested
4769: A Kerberos ticket was requested
4688: A new process has been created 4689: A process has exited 4624: An account was successfully logged on 4625: An account failed to log on
770: DNS Server plugin DLL has been loaded
541: The setting serverlevelplugindll on scope . has been set to
4662: An operation was performed on an object
4625: An account failed to log on 4771: Kerberos pre-authentication failed 4648: A logon was attempted using explicit credentials