
You're reading from  PowerShell Automation and Scripting for Cybersecurity

Product typeBook
Published inAug 2023
PublisherPackt
ISBN-139781800566378
Edition1st Edition
Author: Miriam C. Wiesner

Miriam C. Wiesner is a senior security researcher at Microsoft, with over 15 years of experience in IT and IT security. She has held various positions, including administrator/system engineer, software developer, premier field engineer, program manager, security consultant, and pentester. She is also a renowned creator of open source tools based in PowerShell, including EventList and JEAnalyzer. She has been invited multiple times to present the research behind her tools at many international conferences, such as Black Hat (the US, Europe, and Asia), PSConfEU, and MITRE ATT&CK workshop. Outside of work, Miriam is a dedicated wife and mother, residing with her family near Nuremberg, Germany.

Active Directory – Attacks and Mitigation

When we are talking about PowerShell security, an important factor is to understand the importance of identities. It’s not PowerShell that gets hacked when an organization is attacked; identities get stolen and abused for lateral movement within the organization to steal more identities and to find as many identities as possible.

The adversary’s goal is to find a privileged identity, such as a domain administrator or shared local administrator credential, to get control over the entire environment.

And if we are talking about identities, one of the most important assets is Active Directory, the directory service developed by Microsoft to provide authentication and manage device configuration. In most organizations, it is the heart, where all identities are kept and managed.

So, whenever we authenticate a user, connect remotely, or use PowerShell at all, most of the time, there’s a user account involved that...

Technical requirements

To get the most out of this chapter, ensure that you have the following:

  • PowerShell 7.3 and above
  • Visual Studio Code installed
  • Access to the GitHub repository for Chapter06:

https://github.com/PacktPublishing/PowerShell-Automation-and-Scripting-for-Cybersecurity/tree/master/Chapter06

Introduction to Active Directory from a security point of view

Active Directory (AD) is a directory service that you can use to manage your Windows-based networks. Released in 2000, AD quickly became the standard for enterprise identity management.

Using AD, you can arrange your computers, servers, and connected network devices using domains and organizational units. You can structure it within a hierarchy and use domains within the enterprise forest to separate different sub-areas from each other logically.

The domain or enterprise administrator roles are the most powerful roles within a domain or forest. While the domain administrator has full control over the domain they are managing, the enterprise administrator has full control over all domains within the forest, and even control over some additional forest-level attributes. Therefore, these roles should be assigned very wisely and carefully.

Most rights can also be delegated to fine-grain which role is allowed to do...

How attacks work in a corporate environment

Attacks in corporate environments usually all follow the same pattern.

To get access to a corporate environment, the adversary usually sends a phishing email or finds a vulnerability on an external-facing server. The latter is not that easy if the company followed best practices in securing their environment (for example, by putting their web servers in a demilitarized zone (DMZ), using Web Application Firewalls (WAFs), and following secure coding best practices).

In case you are unfamiliar with what a WAF is, it is a type of firewall that is specifically designed to protect web applications. It monitors and filters traffic between a web application and the internet, detecting and blocking attacks such as SQL injection and cross-site scripting (XSS) attacks. By using a WAF, companies can significantly reduce the risk of attackers exploiting vulnerabilities in their web applications.

Therefore, the easiest and weakest link is the...

ADSI, ADSI accelerators, LDAP, and the System.DirectoryServices namespace

Before we dive deeper into enumeration and AD attacks, let’s first look into some of the most important tools that you can use to access and manipulate directory services such as AD.

One of those tools is called Active Directory Service Interfaces (ADSI), which is a COM-based (Component Object Model) interface for accessing directory services such as AD.

When working with ADSI, developers can use Lightweight Directory Access Protocol (LDAP) filters to define search criteria for directory queries. LDAP filters allow developers to construct complex queries that can return specific sets of directory data based on a variety of criteria, including attribute values, object classes, and more.

To get all user accounts, the LDAP filter query would be (sAMAccountType=805306368).

If you combine that with the useraccountcontrol attribute to find all regular accounts that have the “Password...
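An added example, not code from the book, that audits the combination just described from a defender's side: it pairs the chapter's sAMAccountType filter with the LDAP bitwise AND matching rule on userAccountControl to list regular user accounts whose password never expires or is not required. It assumes it runs on a domain-joined host that can reach a domain controller.

```powershell
# Added example (not from the book): list normal user accounts whose userAccountControl
# has DONT_EXPIRE_PASSWD (0x10000) or PASSWD_NOTREQD (0x20) set, using the LDAP
# bitwise AND matching rule 1.2.840.113556.1.4.803 through the [adsisearcher] accelerator.
# Assumes a domain-joined host; the default search root is the current domain.
$DONT_EXPIRE_PASSWD = 0x10000   # 65536: "Password never expires"
$PASSWD_NOTREQD     = 0x20      # 32:    "Password not required"

# sAMAccountType=805306368 selects normal user accounts (the filter from the chapter)
$Filter = "(&(sAMAccountType=805306368)" +
          "(|(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWD)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$PASSWD_NOTREQD)))"

$Searcher = [adsisearcher]$Filter
$Searcher.PageSize = 1000      # paged results so large domains are not truncated at 1000
$Searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userAccountControl', 'distinguishedName'))

$Searcher.FindAll() | ForEach-Object {
    # Result property names are returned lower-cased by DirectorySearcher
    $uac = [int]$_.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        SamAccountName       = [string]$_.Properties['samaccountname'][0]
        PasswordNeverExpires = [bool]($uac -band $DONT_EXPIRE_PASSWD)
        PasswordNotRequired  = [bool]($uac -band $PASSWD_NOTREQD)
        DistinguishedName    = [string]$_.Properties['distinguishedname'][0]
    }
} | Format-Table -AutoSize
```

Accounts flagged here are candidates for review against the least-privilege and password-policy advice later in the chapter.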

Enumeration

As we learned earlier in this chapter, enumeration is always one of the first steps (and repeated several times, depending on what the adversary can access) to get more details about an environment. Enumeration helps to find out what resources are available and what access rights can be abused.

Of course, enumeration is a task that is not only helpful for red teamers but also for blue teamers to regularly audit permissions. It is better to see what can be enumerated in your own environment and fix/adjust it before an attacker finds out.

In AD, every user who has access to the corporate network can enumerate all user accounts, as well as (high-privileged) group membership. In Azure Active Directory (AAD), every user who has access to Office 365 services via the internet can enumerate AAD user accounts and group membership in their tenant.

Let’s start looking into enumeration in AD in this chapter. Refer to the next chapter to find out how enumeration works...

Enumerating GPOs

To enumerate which GPOs were linked in the current environment, you can use ADSI accelerators:

By using the [adsi] accelerator, you can provide a DistinguishedName path to show the gplink property, which will display the GPOs linked to that particular path. To query a GPO that was linked to the PSSecComputers OU (OU=PSSecComputers,DC=PSSec,DC=local), we could use the following code snippet to query it:

$DistinguishedName = "LDAP://OU=PSSecComputers,DC=PSSec,DC=local"
$obj = [adsi]$DistinguishedName
$obj.gplink

The following screenshot shows the result of this query:

Figure 6.2 – Querying GPOs using the ADSI accelerator

You can also use [adsisearcher] to filter for GPOs linked to the environment, as shown in the following example:

$GpoFilter = "(objectCategory=groupPolicyContainer)"
$Searcher = [adsisearcher]$GpoFilter
$Searcher.SearchRoot = [adsi]"LDAP://DC=PSSec,DC=local"
...
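The gplink value shown above is a single concatenated string; the following added example (not from the book) parses it into one object per linked GPO, including the link's disabled and enforced flags. The sample value and its GUIDs are constructed placeholders.

```powershell
# Added example (not from the book): turn the raw gPLink string returned by
# ([adsi]"LDAP://OU=...").gplink into one object per linked GPO.
# Each link looks like [LDAP://cn={GUID},cn=policies,cn=system,DC=...;N], where
# N is a bit field: 1 = link disabled, 2 = link enforced.
function ConvertFrom-GpLink {
    param([string]$GpLink)
    $pattern = '\[(?<path>ldap://[^;\]]+);(?<flags>\d+)\]'
    foreach ($m in [regex]::Matches($GpLink, $pattern, 'IgnoreCase')) {
        $path  = $m.Groups['path'].Value
        $flags = [int]$m.Groups['flags'].Value
        $guid  = if ($path -match '\{[0-9A-Fa-f-]+\}') { $Matches[0] } else { $null }
        [pscustomobject]@{
            GpoGuid  = $guid
            Path     = $path
            Disabled = [bool]($flags -band 1)
            Enforced = [bool]($flags -band 2)
        }
    }
}

# Constructed sample (placeholder GUIDs, not real GPOs): first link normal, second enforced
$sample = '[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=PSSec,DC=local;0]' +
          '[LDAP://cn={22222222-2222-2222-2222-222222222222},cn=policies,cn=system,DC=PSSec,DC=local;2]'
ConvertFrom-GpLink -GpLink $sample | Format-Table -AutoSize

# Against the OU from the chapter (needs domain access), resolving each GPO's display name:
# ConvertFrom-GpLink -GpLink ([adsi]'LDAP://OU=PSSecComputers,DC=PSSec,DC=local').gplink |
#     ForEach-Object { ([adsi]$_.Path).displayName }
```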

Enumerating groups

Understanding which user accounts are part of which group is very valuable information for an attacker. Through this, they can quickly understand whether certain accounts might have access to other computers.

But this is also a task that blue teamers should pursue on a regular basis; often, systems and access rights are not hardened enough, so it is valuable to understand which users are part of which AD group and to adjust it.

In the longer term, it also makes sense to implement monitoring to immediately get alerted if an AD group membership changes that was not intended.

To get started enumerating your AD groups, I have written a simple script for you, which displays the groups, as well as their members: https://github.com/PacktPublishing/PowerShell-Automation-and-Scripting-for-Cybersecurity/blob/master/Chapter06/Get-UsersAndGroups.ps1.

Once you’ve downloaded the script, you can either use it and progress the output further as a PowerShell object...
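For the monitoring suggested above, an added example (not the book's script) reads the "member added to security-enabled group" events from a domain controller's Security log and flags changes to a watch list of privileged groups. The DC name is a placeholder, and the script assumes rights to read that log remotely.

```powershell
# Added example (not from the book): report members added to security-enabled groups
# in the last 24 hours, highlighting a watch list of high-privilege groups.
# Event IDs: 4728 (global group), 4732 (domain local group), 4756 (universal group).
# Assumes read access to the Security log on the DC named in $Dc (placeholder).
$Dc        = 'DC01'
$WatchList = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
               'Administrators', 'Account Operators')

$Events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$Events | ForEach-Object {
    # Pull the named EventData fields out of the event XML
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        EventId    = $_.Id
        Group      = $d['TargetUserName']          # the group that was modified
        Member     = $d['MemberName']              # DN of the account that was added
        ChangedBy  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Privileged = $WatchList -contains $d['TargetUserName']
    }
} | Where-Object Privileged | Format-Table -AutoSize
```

Drop the final Where-Object to see every group change rather than only watch-listed ones.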

Privileged accounts and groups

A privileged account is an account that has more rights and privileges than a normal account and therefore needs special care regarding its security.

Built-in privileged accounts also exist in AD, such as the administrator account, the Guest account, the HelpAssistant account, and the krbtgt account (which is responsible for Kerberos operations).

If you want to read more about AD built-in accounts, please refer to the official documentation: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-default-user-accounts.

Built-in privileged groups in AD

In AD, there are some predefined roles such as the Enterprise or Domain Administrator roles, but those are not the only ones.

Those predefined roles reside in the Builtin container of your domain. To query it you can use the Get-ADGroup cmdlet and specify the Distinguished Name (DN) of your domain-specific Builtin container as -Searchbase; using this parameter...

Password spraying

Password spraying is a variant of a brute force attack and can help attackers identify and abuse accounts with weak passwords. Password spraying is a slow and methodical approach where the attacker tries a list of common and known passwords on a large number of accounts. In contrast, a brute force attack involves an attacker trying a large number of potential passwords, typically against a single account, in rapid succession.

If a login is successful using such a guessed password, the attacker gains control over the designated account and can use it to move laterally and get more credentials or interesting data.

There are many open source scripts and modules available that adversaries can use for a password spray attack, including the following:

Mitigation

It is hard to detect password spraying in your on-prem AD. Although you can see...
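The pattern that distinguishes a spray from a brute force attack (many accounts, few attempts each, one source, short window) can still be searched for in failed-logon events. The following added example (not from the book) implements that check over constructed sample records; against a live domain controller you would build the same Time/Source/Account objects from event 4625.

```powershell
# Added example (not from the book): flag a source address that fails logons against
# many distinct accounts with few attempts per account inside a short window.
# Input objects need Time, Source and Account properties; the data below is constructed.
function Find-PasswordSpray {
    param(
        [object[]]$FailedLogons,
        [int]$MinDistinctAccounts  = 10,
        [int]$MaxAttemptsPerAccount = 3,
        [int]$WindowMinutes        = 60
    )
    $FailedLogons | Group-Object Source | ForEach-Object {
        $bySource   = @($_.Group | Sort-Object Time)
        $span       = ($bySource[-1].Time - $bySource[0].Time).TotalMinutes
        $perAccount = @($bySource | Group-Object Account)
        $maxPerAcct = ($perAccount | Measure-Object Count -Maximum).Maximum
        # A spray touches many accounts but never hammers a single one
        if ($perAccount.Count -ge $MinDistinctAccounts -and
            $maxPerAcct -le $MaxAttemptsPerAccount -and
            $span -le $WindowMinutes) {
            [pscustomobject]@{
                Source           = $_.Name
                DistinctAccounts = $perAccount.Count
                Attempts         = $bySource.Count
                WindowMinutes    = [math]::Round($span, 1)
            }
        }
    }
}

# Constructed sample: 10.0.0.5 tries 12 accounts once each within 6 minutes (spray);
# 10.0.0.9 hits one account 12 times (classic brute force, not reported by this check).
$t0 = Get-Date '2023-08-01 09:00'
$sample = @()
1..12 | ForEach-Object { $sample += [pscustomobject]@{ Time = $t0.AddSeconds(30 * $_); Source = '10.0.0.5'; Account = "user$_" } }
1..12 | ForEach-Object { $sample += [pscustomobject]@{ Time = $t0.AddSeconds(5 * $_);  Source = '10.0.0.9'; Account = 'svc-backup' } }

Find-PasswordSpray -FailedLogons $sample | Format-Table -AutoSize
```

Tune the three thresholds to your environment; a low-and-slow spray spread over days needs a longer window than the default.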

Access rights

Access control can be configured to allow one or multiple users access to a certain resource. Depending on what can be done with each level of access, configuring and maintaining access right configurations is highly sensitive.

Also, in AD, resources are restricted using access control. In this section, let’s have a look at the basics and how to audit access.

What is a SID?

A security identifier (SID) is the unique, primary identifier of an account. It does not change for the lifetime of the account, which is what allows users to be renamed without causing any access or security issues.

There are some well-known SIDs available in every environment – the only difference is the domain ID that is embedded in the SID.

For example, the well-known SID of the built-in domain administrator follows this schema: S-1-5-21-<domain>-500.

The last number group represents the user number: in this case, 500 is a reserved, well-known SID. Well...

Credential theft

One of the first goals attackers usually pursue is to extract identities and use them for lateral movement to get hold of even more identities, repeating this procedure until they find highly privileged credentials (such as those of a domain administrator). With those, they gain control over AD and, quickly, over the entire environment.

In this section, we will investigate the basics of authentication within an on-premises AD environment and how credential-related attacks work.

Authentication protocols

Lateral movement, pass the hash, pass the ticket – these attacks are not limited to PowerShell, so they are not a PowerShell-specific problem. But since PowerShell relies on the same authentication mechanisms as normal authentication, it is important to look a little bit behind the scenes.

When we are talking about authentication, we are jumping into very cold water, diving deep into protocols. After reading these sections, you will not be an expert on authentication...

Mitigation

As general advice, be careful which account is allowed to log on to which machine and protect your privileged accounts. To mitigate these kinds of attacks, it is crucial to control access and to keep good credential hygiene.

Enumeration is a process to get more information about the environment, so mitigating enumeration entirely is not possible. But you can make it harder for adversaries to find valuable targets. Enumerate your AD rights and adjust privileges by using the least-privilege principle before an attacker abuses found vulnerabilities. Also, use the Microsoft baselines to compare your configuration with the official recommendation. We will look into the Microsoft baselines in the next section.

It is important to follow good security practices such as limiting the use of service accounts, implementing strong password policies, and regularly monitoring and auditing authentication logs for suspicious activity. In addition, network segmentation and access controls...

Microsoft baselines and the security compliance toolkit

To help with the hardening of organizations’ environments, Microsoft released the Security Compliance Toolkit. Download the Security Compliance Toolkit from https://www.microsoft.com/en-us/download/details.aspx?id=55319.

This toolkit contains the following:

  • Policy Analyzer: A tool to evaluate and compare Group Policies.
  • LGPO.exe: A tool to analyze local policies.
  • SetObjectSecurity.exe: A tool to configure security descriptors for almost every Windows security object.
  • Baselines for each recent operating system: These baselines contain monitoring as well as configuration recommendations.

You can find an overview of all security baseline GPOs if you open the respective GP Reports folder of each baseline:

Figure 6.14 – Overview of all GPOs of a single baseline

All security baselines were created for different configuration purposes. Some of the most important...

Summary

In this chapter, you have learned some basics of AD security. As AD is a huge topic that would cover an entire book itself, we concentrated on AD security from a credential theft and access rights perspective.

You have learned how to implement some basic auditing checks and which open source tools can help you to enumerate AD.

You now know which accounts and groups are privileged in AD and that you should be very careful when delegating access rights. It is also not enough to just deploy AD out of the box; you also need to harden it.

Finally, we dived deep into the authentication protocols that are used within AD and also explored how they can be abused.

We have also discussed some mitigations, but make sure to also follow the advice in Chapter 13, What Else? – Further Mitigations and Resources.

But when we are talking about AD, AAD (or how it will be called in the future: Entra ID) is not far away. Although both services are amazing identity providers...

Further reading

If you want to explore more deeply some of the topics that were mentioned in this chapter, check out these resources:

Access rights:

Active Directory-related PowerShell modules (Part of the RSAT tool):

Active Directory-related open source attacker tools:
