Tree's Notes
  • Overview
  • Tools & Cheatsheets
  • Hacking Methodology
  • Hands-on Practice
  • Linux
    • Linux Basics
  • Windows
    • Windows Basics
  • MacOS
    • MacOS Basics
  • Web
    • Web Basics
  • Mobile
    • iOS
    • Android
  • OS Agnostic
    • Template
  • Courses
    • Hack The Box
      • Bug Bounty Hunter
        • Module 1: Web Requests
        • Module 2: Introduction to Web Applications
        • Module 3: Using Web Proxies
        • Module 4: Information Gathering - Web Edition
        • Module 5: Attacking Web Applications with Ffuf
        • Module 6: JavaScript Deobfuscation
        • Module 7: Cross-Site Scripting (XSS)
        • Module 8: SQL Injection Fundamentals
        • Module 9: SQLMap Essentials
        • Module 10: Command Injections
        • Module 11: File Upload Attacks
        • Module 12: Server-Side Attacks
        • Module 13: Login Brute Forcing
        • Module 14: Broken Authentication
        • Module 15: Web Attacks
        • Module 16: File Inclusion
        • Module 17: Session Security
        • Module 18: Web Service & API Attacks
        • Module 19: Hacking Wordpress
        • Module 20: Bug Bounty Hunting Process
    • OffSec
      • 🦊EXP-301
        • Module 1: Windows User Mode Exploit Development: General Course Information
        • Module 2: WinDbg and x86 Architecture
        • Module 3: Exploiting Stack Overflows
        • Module 4: Exploiting SEH Overflows
        • Module 5: Introduction to IDA Pro
        • Module 6: Overcoming Space Restrictions: Egghunters
        • Module 7: Creating Custom Shellcode
        • Module 8: Reverse Engineering for Bugs
        • Module 9: Stack Overflows and DEP Bypass
        • Module 10: Stack Overflows and ASLR Bypass
        • Module 11: Format String Specifier Attack Part I
        • Module 12: Format String Specifier Attack Part II
        • Module 13: Trying Harder: The Labs
      • 🐙EXP-312
        • Module 1: macOS Control Bypasses: General Course Information
        • Module 2: Virtual Machine Setup Guide
        • Module 3: Introduction to macOS
        • Module 4: macOS Binary Analysis Tools
        • Module 5: The Art of Crafting Shellcodes
        • Module 6: The Art of Crafting Shellcodes (Apple Silicon Edition)
        • Module 7: Dylib Injection
        • Module 8: The Mach Microkernel
        • Module 9: XPC Attacks
        • Module 10: Function Hooking on macOS
        • Module 11: The macOS Sandbox
        • Module 12: Bypassing Transparency, Consent, and Control (Privacy)
        • Module 13: GateKeeper Internals
        • Module 14: Bypassing GateKeeper
        • Module 15: Symlink and Hardlink Attacks
        • Module 16: Injecting Code into Electron Applications
        • Module 17: Getting Kernel Code Execution
        • Module 18: Mach IPC Exploitation
        • Module 19: macOS Penetration Testing
        • Module 20: Chaining Exploits on macOS Ventura
        • Module 21: Mount(ain) of Bugs (archived)
      • ⚓IR-200
        • Module 1: Incident Response Overview
        • Module 2: Fundamentals of Incident Response
        • Module 3: Phases of Incident Response
        • Module 4: Incident Response Communication Plans
        • Module 5: Common Attack Techniques
        • Module 6: Incident Detection and Identification
        • Module 7: Initial Impact Assessment
        • Module 8: Digital Forensics for Incident Responders
        • Module 9: Incident Response Case Management
        • Module 10: Active Incident Containment
        • Module 11: Incident Eradication and Recovery
        • Module 12: Post-Mortem Reporting
        • Module 13: Incident Response Challenge Labs
      • 🐉PEN-103
      • 🐲PEN-200
        • Module 1: Copyright
        • Module 2: Penetration Testing with Kali Linux: General Course Information
        • Module 3: Introduction to Cybersecurity
        • Module 4: Effective Learning Strategies
        • Module 5: Report Writing for Penetration Testers
        • Module 6: Information Gathering
        • Module 7: Vulnerability Scanning
        • Module 8: Introduction to Web Application Attacks
        • Module 9: Common Web Application Attacks
        • Module 10: SQL Injection Attacks
        • Module 11: Client-side Attacks
        • Module 12: Locating Public Exploits
        • Module 13: Fixing Exploits
        • Module 14: Antivirus Evasion
        • Module 15: Password Attacks
        • Module 16: Windows Privilege Escalation
        • Module 17: Linux Privilege Escalation
        • Module 18: Port Redirection and SSH Tunneling
        • Module 19: Tunneling Through Deep Packet Inspection
        • Module 20: The Metasploit Framework
        • Module 21: Active Directory Introduction and Enumeration
        • Module 22: Attacking Active Directory Authentication
        • Module 23: Lateral Movement in Active Directory
        • Module 24: Enumerating AWS Cloud Infrastructure
        • Module 25: Attacking AWS Cloud Infrastructure
        • Module 26: Assembling the Pieces
        • Module 27: Trying Harder: The Challenge Labs
      • 🛜PEN-210
        • Module 1: IEEE 802.11
        • Module 2: Wireless Networks
        • Module 3: Wi-Fi Encryption
        • Module 4: Linux Wireless Tools, Drivers, and Stacks
        • Module 5: Wireshark Essentials
        • Module 6: Frames and Network Interaction
        • Module 7: Aircrack-ng Essentials
        • Module 8: Cracking Authentication Hashes
        • Module 9: Attacking WPS Networks
        • Module 10: Rogue Access Points
        • Module 11: Attacking Captive Portals
        • Module 12: Attacking WPA Enterprise
        • Module 13: bettercap Essentials
        • Module 14: Determining Chipsets and Drivers
        • Module 15: Kismet Essentials
        • Module 16: Manual Network Connections
      • 🔗PEN-300
        • Module 1: Evasion Techniques and Breaching Defenses: General Course Information
        • Module 2: Operating System and Programming Theory
        • Module 3: Client Side Code Execution With Office
        • Module 4: Phishing with Microsoft Office
        • Module 5: Client Side Code Execution With Windows Script Host
        • Module 6: Reflective PowerShell
        • Module 7: Process Injection and Migration
        • Module 8: Introduction to Antivirus Evasion
        • Module 9: Advanced Antivirus Evasion
        • Module 10: Application Whitelisting
        • Module 11: Bypassing Network Filters
        • Module 12: Linux Post-Exploitation
        • Module 13: Kiosk Breakouts
        • Module 14: Windows Credentials
        • Module 15: Windows Lateral Movement
        • Module 16: Linux Lateral Movement
        • Module 17: Microsoft SQL Attacks
        • Module 18: Active Directory Exploitation
        • Module 19: Attacking Active Directory
        • Module 20: Combining the Pieces
        • Module 21: Trying Harder: The Labs
      • ⚛️SEC-100
      • 🛡️SOC-200
        • Module 1: Introduction to SOC-200
        • Module 2: Attacker Methodology Introduction
        • Module 3: Windows Endpoint Introduction
        • Module 4: Windows Server Side Attacks
        • Module 5: Windows Client-Side Attacks
        • Module 6: Windows Privilege Escalation
        • Module 7: Windows Persistence
        • Module 8: Linux Endpoint Introduction
        • Module 9: Linux Server Side Attacks
        • Module 10: Linux Privilege Escalation
        • Module 11: Network Detections
        • Module 12: Antivirus Alerts and Evasion
        • Module 13: Active Directory Enumeration
        • Module 14: Network Evasion and Tunneling
        • Module 15: Windows Lateral Movement
        • Module 16: Active Directory Persistence
        • Module 17: SIEM Part One: Intro to ELK
        • Module 18: SIEM Part Two: Combining the Logs
        • Module 19: Trying Harder: The Labs
      • TH-200
        • Module 1: Threat Hunting Concepts and Practices
        • Module 2: Threat Actor Landscape Overview
        • Module 3: Communication and Reporting for Threat Hunters
        • Module 4: Hunting With Network Data
        • Module 5: Hunting on Endpoints
        • Module 6: Theat Hunting Without IoCs
        • Module 7: Threat Hunting Challenge Labs
      • 🦉WEB-200
        • Module 1: Introduction to WEB-200
        • Module 2: Tools (archived)
        • Module 3: Web Application Enumeration Methodology
        • Module 4: Introduction to Burp Suite
        • Module 5: Cross-Site Scripting Introduction and Discovery
        • Module 6: Cross-Site Scripting Exploitation and Case Study
        • Module 7: Cross-Origin Attacks
        • Module 8: Introduction to SQL
        • Module 9: SQL Injection
        • Module 10: Directory Traversal Attacks
        • Module 11: XML External Entities
        • Module 12: Server-side Template Injection - Discovery and Exploitation
        • Module 13: Command Injection
        • Module 14: Server-side Request Forgery
        • Module 15: Insecure Direct Object Referencing
        • Module 16: Assembling the Pieces: Web Application Assessment Breakdown
      • 🕷️WEB-300
        • Module 1: Introduction
        • Module 2: Tools & Methodologies
        • Module 3: ManageEngine Applications Manager AMUserResourcesSyncServlet SSQL Injection RCE
        • Module 4: DotNetNuke Cookie Deserialization RCE
        • Module 5: ERPNext Authentication Bypass and Remote Code Execution
        • Module 6: openCRX Authentication Bypass and Remote Code Execution
        • Module 7: openITCOCKPIT XSS and OS Command Injection - Blackbox
        • Module 8: Concord Authentication Bypass to RCE
        • Module 9: Server-Side Request Forgery
        • Module 10: Guacamole Lite Prototype Pollution
        • Module 11: Dolibarr Eval Filter Bypass RCE
        • Module 12: RudderStack SQLi and Coraza WAF Bypass
        • Module 13: Conclusion
        • Module 14: ATutor Authentication Bypass and RCE (archived)
        • Module 15: ATutor LMS Type Juggling Vulnerability (archived)
        • Module 16: Atmail Mail Server Appliance: from XSS to RCE (archived)
        • Module 17: Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability (archived)
    • SANS
      • FOR572
Powered by GitBook
On this page
  • Abusing Lightweight Directory Access Protocol
  • Understanding LDAP
  • Interacting with LDAP
  • Enumerating Active Directory with PowerView
  • Detecting Active Directory Enumeration
  • Auditing Object Access
  • Baseline Monitoring
  • Using Honey Tokens
Edit on GitHub
  1. Courses
  2. OffSec
  3. SOC-200

Module 13: Active Directory Enumeration

PreviousModule 12: Antivirus Alerts and EvasionNextModule 14: Network Evasion and Tunneling

Last updated 4 months ago

Abusing Lightweight Directory Access Protocol

Understanding LDAP

LDAP was designed to interact with a directory service, such as Active Directory. It is built upon the client-server model.

LDAP clients send requests called operations to an LDAP server. These are used to authenticated clients or retrieve/modify entries within a directory.

Interacting with LDAP

LDAP is inter-operable with custom applications, which is largely possible due to the inclusion of Active Directory Service Interfaces (ADSI).

PowerShell script to perform LDAP lookup

PS C:\Users\offsec> $Searcher = New-Object System.DirectoryServices.DirectorySearcher

PS C:\Users\offsec> $Searcher.Filter = '(distinguishedName=CN=DC-2,OU=Domain Controllers,DC=corp,DC=com)'

PS C:\Users\offsec> $Searcher.FindOne()

By default, DirectorySearcher instantiates an object with the Filter property to the value of (objectClass=*), which is an LDAP query returning every entry within a directory service.

PowerShell script to execute LDAP as a different user

PS C:\Users\offsec> $Searcher = New-Object System.DirectoryServices.DirectorySearcher

PS C:\Users\offsec> $Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=corp,DC=com", 'corp\jdoe','Qwerty09!')

PS C:\Users\offsec> $Searcher.Filter = '(&(objectClass=computer)(cn=*dc*))'

PS C:\Users\offsec> $Searcher.FindAll()

Path                                                Properties
----                                                ----------
LDAP://CN=DC01,OU=Domain Controllers,DC=corp,DC=com {ridsetreferences, logoncount, codepage, ob...
LDAP://CN=DC-2,OU=Domain Controllers,DC=corp,DC=com {logoncount, codepage, objectcategory, iscr...

Enumerating Active Directory with PowerView

PowerView contains dozens of functions that can be used to enumerate Active Directory. They incorporate OS APIs.

Detecting Active Directory Enumeration

Auditing Object Access

To identify malicious enumeration events taking place against AD, we need to implement an audit policy. These are extensions of the built-in Windows logging.

We can display and configure audit policies with the auditpol command line utility.

Listing audit policy categories

PS C:\Windows\system32> auditpol /list /category
Category/Subcategory
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System

Listing audit policy subcategories

and PS C:\Windows\system32> auditpol /list /subcategory:*
Category/Subcategory
...
DS Access
  Directory Service Access
  Directory Service Changes
  Directory Service Replication
  Detailed Directory Service Replication
...

Listing audit policy subcategory setting

PS C:\Windows\system32> auditpol /get /subcategory:"Directory Service Access"
System audit policy
Category/Subcategory                      Setting
DS Access
  Directory Service Access                Success

Object audit security elements

Element
Description

Principal

The identity that is being targeted for auditing

Type

Target success, failure, or both types of events

Access

Types of permissions that can be granted (and tracked)

Inherited From

Designates whether an audit entry was configured at a higher level than the target object, which would recurse down to any sub entries.

Applies To

Designates whether the entry is targeting only the current object, descendant objects, or specific object types

Key information

  • Subject: Details about the Account that accessed the object.

  • Object: Details about the object accessed.

  • Operation: Details about the action taken place.

Baseline Monitoring

Utilize XPath filters to select specific nodes from an XML document. When using the "Filter Current Log" option in Event Viewer, we are essentially building an XPath query that is parsed by the logging engine to provide the requested data.

XPath query for expected access

$FilterXML = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
     *[System[(EventID=4662)]] and *[EventData[(Data[@Name='SubjectUserSid']='S-1-5-21-2154860315-1826001137-329834519-1107')]] and *[EventData[(Data[@Name='ObjectName']='%{0ca1d341-b9ee-4d46-ab3b-3a2732aa4b51}')]] and *[EventData[(Data[@Name='OperationType']='Object Access')]]
   </Select>
  </Query>
</QueryList>
'@

Running Get-WinEvent with created XPath

PS C:\Windows\system32> Get-WinEvent -FilterXml $FilterXML
   ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
1/19/2022 11:24:04 AM   4662 Information   An operation was performed on an object....
1/19/2022 11:24:04 AM   4662 Information   An operation was performed on an object....
1/19/2022 11:24:04 AM   4662 Information   An operation was performed on an object....
...

Get-WinEvent script with XML parsing

$Logs = Get-WinEvent -LogName Security -FilterXPath $FilterXML
ForEach ($L in $Logs) {
   [xml]$XML = $L.toXml()
   $TimeStamp = $XML.Event.System.TimeCreated.SystemTime
   $SubjectUserName = $XML.Event.EventData.Data[1].'#text'
   $ObjectName = $XML.Event.EventData.Data[6].'#text'
   $AccessMask = $XML.Event.EventData.Data[10].'#text'
   [PSCustomObject]@{'TimeStamp' = $TimeStamp; 'SubjectUserName' = $SubjectUserName; 'ObjectName' = $ObjectName; 'AccessMask' = $AccessMask }
}

Results from updated Get-WinEvent script

PS C:\Windows\system32> C:\Users\offsec\Desktop\Audit.ps1

TimeStamp SubjectUserName ObjectName AccessMask
--------- --------------- ---------- ----------
2022-01-19T16:24:04.312607600Z offsec   %{0ca1d341-b9ee-4d46-ab3b-3a2732aa4b51} 0x10      
2022-01-19T16:24:04.312154600Z offsec   %{0ca1d341-b9ee-4d46-ab3b-3a2732aa4b51} 0x10      
2022-01-19T16:24:04.048692000Z offsec   %{0ca1d341-b9ee-4d46-ab3b-3a2732aa4b51} 0x10      
2022-01-19T16:24:04.048326000Z offsec   %{0ca1d341-b9ee-4d46-ab3b-3a2732aa4b51} 0x10      
...

We could perform LDAP lookups to dynamically retrieve the friendly name of the Access Mask, however this would generate access alerts.

XPath filter to suppress displaying events where the SID matches offsec's SID

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
     *[System[(EventID=4662)]] and 
     *[EventData[(Data[@Name='ObjectName']='%{0ca1d341-b9ee-4d46-ab3b-3a2732aa4b51}')]] and
     *[EventData[(Data[@Name='OperationType']='Object Access')]]
     </Select>
   <Suppress Path="Security">
    *[EventData[(Data[@Name='SubjectUserSid']='S-1-5-21-2154860315-1826001137-329834519-1107')]]
   </Suppress>
  </Query>
</QueryList>

Using Honey Tokens

The difference between a honey token and a general honeypot is that a honey token is a collection of different types of objects created throughout the directory. Any traffic destined to these lures should be considered suspect.

🛡️
Simple LDAP client-server model
DC-2 Options
DC-2 Properties
Auditing permissions on DC-2
Object Access event
Event log filter through GUI
Event log filter in XPath form