Active Directory Recon Without Admin Rights – Active Directory Security
<!DOCTYPE html> <html lang="en-US"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Active Directory Recon Without Admin Rights – Active Directory Security</title> <link rel="canonical" href="https://adsecurity.org/?p=2535" /> </head> <body class="post-template-default single single-post postid-2535 single-format-standard custom-background wp-embed-responsive layout-boxed two_col_left two-columns singular"> <div class="container boxed-wrapper"> <div id="content" class="clearfix hfeed row"> <div id="content-main" class="clearfix content-main col-md-8"> <div id="post-2535" class="clearfix post post-2535 type-post status-publish format-standard has-post-thumbnail hentry category-activedirectorysecurity category-microsoft-security tag-applocker tag-emet tag-findadminaccounts tag-findcomputers tag-laps tag-lapsdelegation tag-localadministrator tag-microsoftapplocker tag-microsoftemet tag-ms-mcs-admpwd tag-networkportscan tag-spnscanning item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Jan</span> <span class="day">27</span> <span class="year">2016</span> </p> </div> <h1 class="post-title entry-title"> Active Directory Recon Without Admin Rights </h1> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>A fact that is often forgotten (or misunderstood), is that most objects and their attributes can be viewed (read) by authenticated users (most often, domain users). 
The challenge is that admins may think that since this data is most easily accessible via admin tools such as “Active Directory Users and Computers” (dsa.msc) or “Active Directory Administrative Center” (dsac.msc), others can’t see user data (beyond what is exposed in Outlook’s GAL). This often leads to password data being placed in user object attributes or <a href="https://adsecurity.org/?p=2288">in SYSVOL</a>.</p> <p>There is a lot of data that can be gathered from Active Directory which can be used to update documentation or to recon the environment for the next attack stages. It’s important for defenders to understand the different types of data accessible in AD with a regular user account.</p> <p>Attacks frequently start with a spear-phishing email to one or more users enabling the attacker to get their code running on a computer inside the target network. Once the attacker has their code running inside the enterprise, the first step is performing reconnaissance to discover useful resources to escalate permissions, persist, and of course, plunder information (often the “crown jewels” of an organization).</p> <p>This post shows how an attacker can recon the Active Directory environment with just domain user rights. Many people are surprised when they learn how much information can be gathered from AD without elevated rights.</p> <p>Note: Most of the examples in this post use the Active Directory PowerShell module cmdlets. A good alternative is <a href="https://twitter.com/harmj0y">HarmJ0y’s</a> <a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1">PowerView</a> (now part of <a href="https://github.com/PowerShellMafia/PowerSploit">PowerSploit</a>).</p> <p>I spoke about some of these techniques <a href="https://adsecurity.org/?page_id=1352">at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON, & DerbyCon)</a>. 
I also covered some of these issues in the post “<a href="https://adsecurity.org/?p=1684">The Most Common Active Directory Security Issues and What You Can Do to Fix Them</a>“.</p> <p><span id="more-2535"></span></p> <p><strong>Get Active Directory Information</strong></p> <p>I have covered <a href="https://adsecurity.org/?p=113">using .NET in PowerShell to gather AD data</a> before, so I won’t reproduce all of the .NET commands here.</p> <p><span style="text-decoration: underline;">Forest Information:</span></p> <blockquote><p>PS C:\> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()</p> <p><strong>Name</strong>: lab.adsecurity.org<br /> <strong>Sites</strong>: {Default-First-Site-Name}<br /> <strong>Domains</strong>: {lab.adsecurity.org, child.lab.adsecurity.org}<br /> <strong>GlobalCatalogs</strong>: {ADSDC01.lab.adsecurity.org, ADSDC02.lab.adsecurity.org, ADSDC03.lab.adsecurity.org, ADSDC11.child.lab.adsecurity.org}<br /> <strong>ApplicationPartitions</strong>: {DC=DomainDnsZones,DC=child,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org,<br /> DC=ForestDnsZones,DC=lab,DC=adsecurity,DC=org}<br /> <strong>ForestMode</strong>: Windows2008R2Forest<br /> <strong>RootDomain</strong>: lab.adsecurity.org<br /> <strong>Schema</strong>: CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org<br /> <strong>SchemaRoleOwner</strong>: ADSDC03.lab.adsecurity.org<br /> <strong>NamingRoleOwner</strong>: ADSDC03.lab.adsecurity.org</p></blockquote> <p><span style="text-decoration: underline;">Domain Information:</span></p> <blockquote><p>PS C:\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()</p> <p><strong>Forest</strong>: lab.adsecurity.org<br /> <strong>DomainControllers</strong>: {ADSDC01.lab.adsecurity.org, ADSDC02.lab.adsecurity.org, ADSDC03.lab.adsecurity.org}<br /> <strong>Children</strong>: {child.lab.adsecurity.org}<br /> <strong>DomainMode</strong>: Windows2008R2Domain<br /> <strong>Parent</strong>:<br 
/> <strong>PdcRoleOwner</strong>: ADSDC03.lab.adsecurity.org<br /> <strong>RidRoleOwner</strong>: ADSDC03.lab.adsecurity.org<br /> <strong>InfrastructureRoleOwner</strong>: ADSDC03.lab.adsecurity.org<br /> <strong>Name</strong>: lab.adsecurity.org</p></blockquote> <p><span style="text-decoration: underline;">Forest Trusts:</span></p> <blockquote><p>$ForestRootDomain = ‘lab.adsecurity.org’<br /> ([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(‘Forest’, $ForestRootDomain)))).GetAllTrustRelationships()</p> <p> </p></blockquote> <p><span style="text-decoration: underline;">Domain Trusts:</span></p> <blockquote><p>PS C:\> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()</p> <p><strong>SourceName</strong>: lab.adsecurity.org<br /> <strong>TargetName</strong>: child.lab.adsecurity.org<br /> <strong>TrustType: </strong>ParentChild<br /> <strong>TrustDirection</strong>: Bidirectional</p></blockquote> <p><span style="text-decoration: underline;">Get Forest Global Catalogs (typically every Domain Controller is also a GC):</span></p> <blockquote><p>PS C:\> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs</p> <p>Forest : lab.adsecurity.org<br /> CurrentTime : 1/27/2016 5:31:36 PM<br /> HighestCommittedUsn : 305210<br /> <strong>OSVersion : Windows Server 2008 R2 Datacenter</strong><br /> Roles : {}<br /> <strong>Domain : lab.adsecurity.org</strong><br /> IPAddress : 172.16.11.11<br /> SiteName : Default-First-Site-Name<br /> SyncFromAllServersCallback :<br /> InboundConnections : {36bfdadf-777d-4bad-9427-bc148cea256f, 48594a5d-c2a3-4cd1-a80d-bedf367cc2a9, 549871d2-e238-4423-a6b8-1bb<br /> OutboundConnections : {9da361fd-0eed-414a-b4ee-0a9caa1b153e, 86690811-f995-4c3e-89fe-73c61fa4a3a0, 8797cbb4-fe09-49dc-8891-952<br /> Name : ADSDC01.lab.adsecurity.org<br /> Partitions : {DC=lab,DC=adsecurity,DC=org, 
CN=Configuration,DC=lab,DC=adsecurity,DC=org,<br /> CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org…</p> <p>Forest : lab.adsecurity.org<br /> CurrentTime : 1/27/2016 5:31:37 PM<br /> HighestCommittedUsn : 274976<br /> <strong>OSVersion : Windows Server 2012 R2 Datacenter</strong><br /> <strong>Roles : {SchemaRole, NamingRole, PdcRole, RidRole…}</strong><br /> <strong>Domain : lab.adsecurity.org</strong><br /> IPAddress : fe80::1881:40d5:fc2e:e744%12<br /> SiteName : Default-First-Site-Name<br /> SyncFromAllServersCallback :<br /> InboundConnections : {86690811-f995-4c3e-89fe-73c61fa4a3a0, dd7b36a8-a52e-446d-95a8-318b69bd9765}<br /> OutboundConnections : {f901f0b5-8754-44e9-92e8-f56b3d67197b, 549871d2-e238-4423-a6b8-1bb258e2a62f}<br /> Name : ADSDC03.lab.adsecurity.org<br /> Partitions : {DC=lab,DC=adsecurity,DC=org, CN=Configuration,DC=lab,DC=adsecurity,DC=org,<br /> CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org…</p> <p>Forest : lab.adsecurity.org<br /> CurrentTime : 1/27/2016 5:31:38 PM<br /> HighestCommittedUsn : 161898<br /> <strong>OSVersion : Windows Server 2012 R2 Datacenter</strong><br /> <strong>Roles : {PdcRole, RidRole, InfrastructureRole}</strong><br /> <strong>Domain : child.lab.adsecurity.org</strong><br /> IPAddress : 172.16.11.21<br /> SiteName : Default-First-Site-Name<br /> SyncFromAllServersCallback :<br /> InboundConnections : {612c2d75-1c35-4073-a8a9-d41169665000, 8797cbb4-fe09-49dc-8891-952f38822eda}<br /> OutboundConnections : {71ea129f-8d56-4bd0-9b68-d80e89ae7385, 36bfdadf-777d-4bad-9427-bc148cea256f}<br /> Name : ADSDC11.child.lab.adsecurity.org<br /> Partitions : {CN=Configuration,DC=lab,DC=adsecurity,DC=org, CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org,<br /> DC=ForestDnsZones,DC=lab,DC=adsecurity,DC=org, DC=child,DC=lab,DC=adsecurity,DC=org…}</p></blockquote> <p><span style="text-decoration: underline;"><br /> 
Mitigation:</span></p> <p>There is no reasonable mitigation. This information can not and should not be obfuscated or hidden.</p> <p> </p> <p><strong>Discover Enterprise Services without Network Scanning<br /> </strong></p> <p>The simplest recon method is to use what I call “<a href="https://adsecurity.org/?p=1508">SPN Scanning</a>” which asks the Domain Controller for all Service Principal Names (SPNs) of a specific type. This enables the attacker to discover all SQL servers, Exchange servers, etc. I maintain a <a href="https://adsecurity.org/?page_id=183">SPN directory list which includes the most common SPNs</a> found in an enterprise.</p> <p>SPN scanning can also discover what Windows computers have RDP enabled (TERMSERV), WinRM enabled (WSMAN), etc.</p> <p>Note: In order to discover all enteprise services, target both computers and users (service accounts).</p> <blockquote><p>PS C:\> get-adcomputer -filter {ServicePrincipalName -like “*TERMSRV*”} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,<br /> PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation</p> <p>DistinguishedName : CN=ADSDC02,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSDC02.lab.adsecurity.org<br /> Enabled : True<br /> LastLogonDate : 1/20/2016 6:46:18 AM<br /> Name : ADSDC02<br /> ObjectClass : computer<br /> ObjectGUID : 1efe44af-d8d9-420b-a66a-8d771d295085<br /> OperatingSystem : Windows Server 2008 R2 Datacenter<br /> OperatingSystemServicePack : Service Pack 1<br /> OperatingSystemVersion : 6.1 (7601)<br /> PasswordLastSet : 12/31/2015 6:34:15 AM<br /> SamAccountName : ADSDC02$<br /> ServicePrincipalName : {DNS/ADSDC02.lab.adsecurity.org, HOST/ADSDC02/ADSECLAB, HOST/ADSDC02.lab.adsecurity.org/ADSECLAB,<br /> GC/ADSDC02.lab.adsecurity.org/lab.adsecurity.org…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1103<br /> TrustedForDelegation : True<br /> TrustedToAuthForDelegation : 
False<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=ADSDC01,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSDC01.lab.adsecurity.org<br /> Enabled : True<br /> LastLogonDate : 1/20/2016 6:47:21 AM<br /> Name : ADSDC01<br /> ObjectClass : computer<br /> ObjectGUID : 31b2038d-e63d-4cfe-b7b6-77206c325af9<br /> OperatingSystem : Windows Server 2008 R2 Datacenter<br /> OperatingSystemServicePack : Service Pack 1<br /> OperatingSystemVersion : 6.1 (7601)<br /> PasswordLastSet : 12/31/2015 6:34:14 AM<br /> SamAccountName : ADSDC01$<br /> ServicePrincipalName : {ldap/ADSDC01.lab.adsecurity.org/ForestDnsZones.lab.adsecurity.org,<br /> ldap/ADSDC01.lab.adsecurity.org/DomainDnsZones.lab.adsecurity.org, TERMSRV/ADSDC01,<br /> TERMSRV/ADSDC01.lab.adsecurity.org…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1000<br /> TrustedForDelegation : True<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=ADSDC03,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSDC03.lab.adsecurity.org<br /> Enabled : True<br /> LastLogonDate : 1/20/2016 6:35:16 AM<br /> Name : ADSDC03<br /> ObjectClass : computer<br /> ObjectGUID : 0a2d849c-cc59-4785-8ba2-997fd6ca4dc8<br /> OperatingSystem : Windows Server 2012 R2 Datacenter<br /> OperatingSystemServicePack :<br /> OperatingSystemVersion : 6.3 (9600)<br /> PasswordLastSet : 12/31/2015 6:34:16 AM<br /> SamAccountName : ADSDC03$<br /> ServicePrincipalName : {DNS/ADSDC03.lab.adsecurity.org, HOST/ADSDC03.lab.adsecurity.org/ADSECLAB,<br /> RPC/c8e1e99e-2aaa-4888-a5d8-23a4355fac48._msdcs.lab.adsecurity.org, GC/ADSDC03.lab.adsecurity.org/lab.adsecurity.org…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1601<br /> TrustedForDelegation : True<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=ADSWRKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSWRKWIN7.lab.adsecurity.org<br /> 
Enabled : True<br /> LastLogonDate : 8/29/2015 6:40:16 PM<br /> Name : ADSWRKWIN7<br /> ObjectClass : computer<br /> ObjectGUID : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70<br /> OperatingSystem : Windows 7 Enterprise<br /> OperatingSystemServicePack : Service Pack 1<br /> OperatingSystemVersion : 6.1 (7601)<br /> PasswordLastSet : 8/29/2015 6:40:12 PM<br /> SamAccountName : ADSWRKWIN7$<br /> ServicePrincipalName : {TERMSRV/ADSWRKWin7.lab.adsecurity.org, TERMSRV/ADSWRKWIN7, RestrictedKrbHost/ADSWRKWIN7, HOST/ADSWRKWIN7…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1104<br /> TrustedForDelegation : False<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=ADSAP01,CN=Computers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSAP01.lab.adsecurity.org<br /> Enabled : True<br /> LastLogonDate : 1/24/2016 11:03:41 AM<br /> Name : ADSAP01<br /> ObjectClass : computer<br /> ObjectGUID : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681<br /> OperatingSystem : Windows Server 2008 R2 Datacenter<br /> OperatingSystemServicePack : Service Pack 1<br /> OperatingSystemVersion : 6.1 (7601)<br /> PasswordLastSet : 1/4/2016 6:38:16 AM<br /> SamAccountName : ADSAP01$<br /> ServicePrincipalName : {WSMAN/ADSAP01.lab.adsecurity.org, WSMAN/ADSAP01, TERMSRV/ADSAP01.lab.adsecurity.org, TERMSRV/ADSAP01…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1105<br /> TrustedForDelegation : False<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=ADSWKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSWKWIN7.lab.adsecurity.org<br /> Enabled : True<br /> LastLogonDate : 1/20/2016 7:07:11 AM<br /> Name : ADSWKWIN7<br /> ObjectClass : computer<br /> ObjectGUID : 2f164d63-d721-4b0e-a553-3ca0e272aa96<br /> OperatingSystem : Windows 7 Enterprise<br /> OperatingSystemServicePack : Service Pack 1<br /> OperatingSystemVersion : 6.1 (7601)<br /> PasswordLastSet : 12/31/2015 8:03:05 AM<br /> 
SamAccountName : ADSWKWIN7$<br /> ServicePrincipalName : {TERMSRV/ADSWKWin7.lab.adsecurity.org, TERMSRV/ADSWKWIN7, RestrictedKrbHost/ADSWKWIN7, HOST/ADSWKWIN7…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1602<br /> TrustedForDelegation : False<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=ADSAP02,CN=Computers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSAP02.lab.adsecurity.org<br /> Enabled : True<br /> LastLogonDate : 1/24/2016 7:39:48 AM<br /> Name : ADSAP02<br /> ObjectClass : computer<br /> ObjectGUID : 1006978e-8627-4d01-98b6-3215c4ee4541<br /> OperatingSystem : Windows Server 2012 R2 Datacenter<br /> OperatingSystemServicePack :<br /> OperatingSystemVersion : 6.3 (9600)<br /> PasswordLastSet : 1/4/2016 6:39:25 AM<br /> SamAccountName : ADSAP02$<br /> ServicePrincipalName : {WSMAN/ADSAP02.lab.adsecurity.org, WSMAN/ADSAP02, TERMSRV/ADSAP02.lab.adsecurity.org, TERMSRV/ADSAP02…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1603<br /> TrustedForDelegation : False<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p></blockquote> <p><span style="text-decoration: underline;">Mitigation:</span></p> <p>There is no mitigation. <a href="https://adsecurity.org/?p=230">Service Principal Names are required for Kerberos to work</a>.</p> <p> </p> <p><strong>Discover Enterprise Services without Network Scanning Part 2<br /> </strong></p> <p>SPN Scanning will discover all enterprise services supporting Kerberos. Other enterprise services that integrate with Active Directory often create a new container in the Domain “System” container (CN=System,DC=<<i>domain</i>>). 
Some enterprise applications that store data in the domain System container include:</p> <ul> <li>SCCM: “System Management”</li> </ul> <p>There are some applications like Exchange that create containers in the forest configuration partition “Services” container (CN=Services,CN=Configuration,DC=<<i>domain</i>>).</p> <p><span style="text-decoration: underline;">Mitigation:</span></p> <p>There is no reasonable mitigation.</p> <p> </p> <p><strong>Discover Service Accounts<br /> </strong></p> <p>The quickest way to find Service Accounts and the servers the accounts are used on is to SPN Scan for user accounts with Service Principal Names.</p> <p>My <a href="https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Find-PSServiceAccounts">Find-PSServiceAccounts</a> PowerShell script in <a href="https://github.com/PyroTek3/PowerShell-AD-Recon">my GitHub repository</a> performs the sme query without requiring the AD PowerShell module.</p> <blockquote><p>PS C:\> get-aduser -filter {ServicePrincipalName -like “*”} -Properties PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,Truste<br /> dtoAuthForDelegation</p> <p>DistinguishedName : CN=svc-adsMSSQL11,OU=Test,DC=lab,DC=adsecurity,DC=org<br /> Enabled : False<br /> GivenName :<br /> LastLogonDate :<br /> <strong>Name : svc-adsMSSQL11</strong><br /> ObjectClass : user<br /> ObjectGUID : 275d3bf4-80d3-42ba-9d77-405c5cc63c07<br /> PasswordLastSet : 1/4/2016 7:13:03 AM<br /> SamAccountName : svc-adsMSSQL11<br /> S<strong>ervicePrincipalName : {MSSQL/adsMSSQL11.lab.adsecurity.org:7434}</strong><br /> SID : S-1-5-21-1581655573-3923512380-696647894-3601<br /> Surname :<br /> TrustedForDelegation : False<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=svc-adsSQLSA,OU=Test,DC=lab,DC=adsecurity,DC=org<br /> Enabled : False<br /> GivenName :<br /> LastLogonDate :<br /> <strong>Name : svc-adsSQLSA</strong><br /> ObjectClass : user<br /> ObjectGUID : 
56faaab2-5b05-4bb2-aaea-0bdc1409eab3<br /> PasswordLastSet : 1/4/2016 7:13:13 AM<br /> SamAccountName : svc-adsSQLSA<br /> <strong>ServicePrincipalName : {MSSQL/adsMSSQL23.lab.adsecurity.org:7434, MSSQL/adsMSSQL22.lab.adsecurity.org:5534,</strong> <strong>MSSQL/adsMSSQL21.lab.adsecurity.org:9834, MSSQL/adsMSSQL10.lab.adsecurity.org:14434…}</strong><br /> SID : S-1-5-21-1581655573-3923512380-696647894-3602<br /> Surname :<br /> TrustedForDelegation : False<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=svc-adsMSSQL10,OU=Test,DC=lab,DC=adsecurity,DC=org<br /> Enabled : False<br /> GivenName :<br /> LastLogonDate :<br /> <strong>Name : svc-adsMSSQL10</strong><br /> ObjectClass : user<br /> ObjectGUID : 6c2f15a2-ba4a-485a-a367-39395ad82c86<br /> PasswordLastSet : 1/4/2016 7:13:24 AM<br /> SamAccountName : svc-adsMSSQL10<br /> <strong>ServicePrincipalName : {MSSQL/adsMSSQL10.lab.adsecurity.org:7434}</strong><br /> SID : S-1-5-21-1581655573-3923512380-696647894-3603<br /> Surname :<br /> TrustedForDelegation : False<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p></blockquote> <p><span style="text-decoration: underline;">Mitigation:</span></p> <p>There is no reasonable mitigation.</p> <p> </p> <p><strong>Discover Computers without Network Scanning<br /> </strong></p> <p>Every computer that joins Active Directory has an associated computer account in AD. When the computer is joined, there are several attributes associated with this computer object that are updated, several of which are quite useful. 
These include:</p> <ul> <li>Created</li> <li>Modified</li> <li>Enabled</li> <li>Description</li> <li>LastLogonDate (Reboot)</li> <li>PrimaryGroupID (516 = DC)</li> <li>PasswordLastSet (Active/Inactive)OperatingSystem</li> <li>OperatingSystemVersion</li> <li>OperatingSystemServicePack</li> <li>PasswordLastSet</li> <li>LastLogonDate (PowerShell cmdlet attribute)</li> <li>ServicePrincipalName</li> <li><a href="https://adsecurity.org/?p=1667">TrustedForDelegation</a></li> <li>TrustedToAuthForDelegation</li> </ul> <p> </p> <blockquote><p>PS C:\> get-adcomputer -filter {PrimaryGroupID -eq “515”} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,Passwo<br /> t,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation</p> <p>DistinguishedName : CN=ADSWRKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSWRKWIN7.lab.adsecurity.org<br /> Enabled : True<br /> LastLogonDate : 8/29/2015 6:40:16 PM<br /> Name : ADSWRKWIN7<br /> ObjectClass : computer<br /> ObjectGUID : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70<br /> OperatingSystem : Windows 7 Enterprise<br /> OperatingSystemServicePack : Service Pack 1<br /> OperatingSystemVersion : 6.1 (7601)<br /> PasswordLastSet : 8/29/2015 6:40:12 PM<br /> SamAccountName : ADSWRKWIN7$<br /> ServicePrincipalName : {TERMSRV/ADSWRKWin7.lab.adsecurity.org, TERMSRV/ADSWRKWIN7, RestrictedKrbHost/ADSWRKWIN7, HOST/ADSWRKWIN7…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1104<br /> TrustedForDelegation : False<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=ADSAP01,CN=Computers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSAP01.lab.adsecurity.org<br /> Enabled : True<br /> LastLogonDate : 1/24/2016 11:03:41 AM<br /> Name : ADSAP01<br /> ObjectClass : computer<br /> ObjectGUID : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681<br /> OperatingSystem : Windows Server 2008 R2 Datacenter<br /> OperatingSystemServicePack : Service Pack 1<br 
/> OperatingSystemVersion : 6.1 (7601)<br /> PasswordLastSet : 1/4/2016 6:38:16 AM<br /> SamAccountName : ADSAP01$<br /> ServicePrincipalName : {WSMAN/ADSAP01.lab.adsecurity.org, WSMAN/ADSAP01, TERMSRV/ADSAP01.lab.adsecurity.org, TERMSRV/ADSAP01…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1105<br /> TrustedForDelegation : False<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=ADSWKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSWKWIN7.lab.adsecurity.org<br /> Enabled : True<br /> LastLogonDate : 1/20/2016 7:07:11 AM<br /> Name : ADSWKWIN7<br /> ObjectClass : computer<br /> ObjectGUID : 2f164d63-d721-4b0e-a553-3ca0e272aa96<br /> OperatingSystem : Windows 7 Enterprise<br /> OperatingSystemServicePack : Service Pack 1<br /> OperatingSystemVersion : 6.1 (7601)<br /> PasswordLastSet : 12/31/2015 8:03:05 AM<br /> SamAccountName : ADSWKWIN7$<br /> ServicePrincipalName : {TERMSRV/ADSWKWin7.lab.adsecurity.org, TERMSRV/ADSWKWIN7, RestrictedKrbHost/ADSWKWIN7, HOST/ADSWKWIN7…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1602<br /> TrustedForDelegation : False<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=ADSAP02,CN=Computers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSAP02.lab.adsecurity.org<br /> Enabled : True<br /> LastLogonDate : 1/24/2016 7:39:48 AM<br /> Name : ADSAP02<br /> ObjectClass : computer<br /> ObjectGUID : 1006978e-8627-4d01-98b6-3215c4ee4541<br /> OperatingSystem : Windows Server 2012 R2 Datacenter<br /> OperatingSystemServicePack :<br /> OperatingSystemVersion : 6.3 (9600)<br /> PasswordLastSet : 1/4/2016 6:39:25 AM<br /> SamAccountName : ADSAP02$<br /> ServicePrincipalName : {WSMAN/ADSAP02.lab.adsecurity.org, WSMAN/ADSAP02, TERMSRV/ADSAP02.lab.adsecurity.org, TERMSRV/ADSAP02…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1603<br /> TrustedForDelegation : False<br /> TrustedToAuthForDelegation : False<br /> 
UserPrincipalName :</p></blockquote> <p>The same data for Domain Controllers can be gathered by changing the PrimaryGroupID value to “516”, or get all computers by changing to “-filter *”.</p> <blockquote><p>PS C:\> get-adcomputer -filter {PrimaryGroupID -eq “516”} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSe<br /> t,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation</p> <p>DistinguishedName : CN=ADSDC02,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSDC02.lab.adsecurity.org<br /> Enabled : True<br /> LastLogonDate : 1/20/2016 6:46:18 AM<br /> Name : ADSDC02<br /> ObjectClass : computer<br /> ObjectGUID : 1efe44af-d8d9-420b-a66a-8d771d295085<br /> OperatingSystem : Windows Server 2008 R2 Datacenter<br /> OperatingSystemServicePack : Service Pack 1<br /> OperatingSystemVersion : 6.1 (7601)<br /> PasswordLastSet : 12/31/2015 6:34:15 AM<br /> SamAccountName : ADSDC02$<br /> ServicePrincipalName : {DNS/ADSDC02.lab.adsecurity.org, HOST/ADSDC02/ADSECLAB, HOST/ADSDC02.lab.adsecurity.org/ADSECLAB,<br /> GC/ADSDC02.lab.adsecurity.org/lab.adsecurity.org…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1103<br /> TrustedForDelegation : True<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=ADSDC01,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSDC01.lab.adsecurity.org<br /> Enabled : True<br /> LastLogonDate : 1/20/2016 6:47:21 AM<br /> Name : ADSDC01<br /> ObjectClass : computer<br /> ObjectGUID : 31b2038d-e63d-4cfe-b7b6-77206c325af9<br /> OperatingSystem : Windows Server 2008 R2 Datacenter<br /> OperatingSystemServicePack : Service Pack 1<br /> OperatingSystemVersion : 6.1 (7601)<br /> PasswordLastSet : 12/31/2015 6:34:14 AM<br /> SamAccountName : ADSDC01$<br /> ServicePrincipalName : {ldap/ADSDC01.lab.adsecurity.org/ForestDnsZones.lab.adsecurity.org,<br /> 
ldap/ADSDC01.lab.adsecurity.org/DomainDnsZones.lab.adsecurity.org, TERMSRV/ADSDC01,<br /> TERMSRV/ADSDC01.lab.adsecurity.org…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1000<br /> TrustedForDelegation : True<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=ADSDC03,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSDC03.lab.adsecurity.org<br /> Enabled : True<br /> LastLogonDate : 1/20/2016 6:35:16 AM<br /> Name : ADSDC03<br /> ObjectClass : computer<br /> ObjectGUID : 0a2d849c-cc59-4785-8ba2-997fd6ca4dc8<br /> OperatingSystem : Windows Server 2012 R2 Datacenter<br /> OperatingSystemServicePack :<br /> OperatingSystemVersion : 6.3 (9600)<br /> PasswordLastSet : 12/31/2015 6:34:16 AM<br /> SamAccountName : ADSDC03$<br /> ServicePrincipalName : {DNS/ADSDC03.lab.adsecurity.org, HOST/ADSDC03.lab.adsecurity.org/ADSECLAB,<br /> RPC/c8e1e99e-2aaa-4888-a5d8-23a4355fac48._msdcs.lab.adsecurity.org, GC/ADSDC03.lab.adsecurity.org/lab.adsecurity.org…}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1601<br /> TrustedForDelegation : True<br /> TrustedToAuthForDelegation : False<br /> UserPrincipalName :</p></blockquote> <p>This provides useful information on Windows OS versions as well as non-Windows devices joined to Active Directory.</p> <p>Some example queries for finding non-Windows devices:</p> <ul> <li>OperatingSystem -Like “*Samba*”</li> <li>OperatingSystem -Like “*OnTap*”</li> <li>OperatingSystem -Like “*Data Domain*”</li> <li>OperatingSystem -Like “*EMC*”</li> <li>OperatingSystem -Like “*Windows NT*”</li> </ul> <p><span style="text-decoration: underline;">Mitigation:</span></p> <p>There is no mitigation.</p> <p> </p> <p><strong>Identify Admin Accounts</strong></p> <p>There are two effective methods for discovering accounts with elevated rights in Active Directory. 
The first is the standard group enumeration method which identifies all members of the standard Active Directory admin groups: Domain Admins, Administrators, Enterprise Admins, etc. Typically getting recursive group membership for the domain “Adminsitrators” group will provide a list of all AD admins.</p> <p>The second method, which I highlighted at <a href="https://adsecurity.org/?page_id=1352">DerbyCon in 2015</a>, involves identifying all accounts which have the attribute “AdminCount” set to 1. The caveat to this is that there may be accounts returned in this query which no longer have admin rights since this value isn’t automatically reset once the account is removed from the admin groups. More info on SDProp and the AdminCount attribute: “<a href="https://adsecurity.org/?p=1906">Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights</a>“.</p> <blockquote><p>PS C:\> get-aduser -filter {AdminCount -eq 1} -Properties Name,AdminCount,ServicePrincipalName,PasswordLastSet,LastLogonDate,MemberOf</p> <p>AdminCount : 1<br /> DistinguishedName : CN=ADSAdministrator,CN=Users,DC=lab,DC=adsecurity,DC=org<br /> Enabled : True<br /> GivenName :<br /> LastLogonDate : 1/27/2016 8:55:48 AM<br /> MemberOf : {CN=Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=org, CN=Schema Admins,CN=Users,DC=lab,DC=adsecurity,DC=org, CN=Group<br /> Policy Creator Owners,CN=Users,DC=lab,DC=adsecurity,DC=org, CN=Enterprise Admins,CN=Users,DC=lab,DC=adsecurity,DC=org…}<br /> Name : ADSAdministrator<br /> ObjectClass : user<br /> ObjectGUID : 72ac7731-0a76-4e5a-8e5d-b4ded9a304b5<br /> PasswordLastSet : 12/31/2015 8:45:27 AM<br /> SamAccountName : ADSAdministrator<br /> SID : S-1-5-21-1581655573-3923512380-696647894-500<br /> Surname :<br /> UserPrincipalName :</p> <p>AdminCount : 1<br /> DistinguishedName : CN=krbtgt,CN=Users,DC=lab,DC=adsecurity,DC=org<br /> Enabled : False<br /> GivenName :<br /> LastLogonDate :<br /> MemberOf : {CN=Denied RODC 
Password Replication Group,CN=Users,DC=lab,DC=adsecurity,DC=org}<br /> Name : krbtgt<br /> ObjectClass : user<br /> ObjectGUID : 3d5be8dd-df7f-4f84-b2cf-4556310a7292<br /> PasswordLastSet : 8/27/2015 7:10:22 PM<br /> SamAccountName : krbtgt<br /> ServicePrincipalName : {kadmin/changepw}<br /> SID : S-1-5-21-1581655573-3923512380-696647894-502<br /> Surname :<br /> UserPrincipalName :</p> <p>AdminCount : 1<br /> DistinguishedName : CN=LukeSkywalker,OU=AD Management,DC=lab,DC=adsecurity,DC=org<br /> Enabled : True<br /> GivenName :<br /> LastLogonDate : 8/29/2015 7:29:52 PM<br /> MemberOf : {CN=Domain Admins,CN=Users,DC=lab,DC=adsecurity,DC=org}<br /> Name : LukeSkywalker<br /> ObjectClass : user<br /> ObjectGUID : 32b5226b-aa6d-4b35-a031-ddbcbde07137<br /> PasswordLastSet : 8/29/2015 7:26:02 PM<br /> SamAccountName : LukeSkywalker<br /> SID : S-1-5-21-1581655573-3923512380-696647894-2629<br /> Surname :<br /> UserPrincipalName :</p></blockquote> <p><strong>Note</strong>: <em>These methods will not return admin accounts with custom delegation – admin accounts that aren’t ultimately a member of the standard AD groups.</em></p> <p><span style="text-decoration: underline;">Mitigation:</span></p> <p>There is no mitigation. Expect attackers to know more about what accounts have elevated rights to important resources.</p> <p> </p> <p><strong>Find Admin Groups<br /> </strong></p> <p>Most organizations have custom admin groups which have different naming schemes, though most include the word “admin”. 
Asking AD for all security groups with “admin” in the name is a quick way to get a list.</p> <blockquote><p>PS C:\> get-adgroup -filter {GroupCategory -eq ‘Security’ -AND Name -like “*admin*”}</p> <p>DistinguishedName : CN=Domain Admins,CN=Users,DC=lab,DC=adsecurity,DC=org<br /> GroupCategory : Security<br /> GroupScope : Global<br /> <strong>Name : Domain Admins</strong><br /> ObjectClass : group<br /> ObjectGUID : 5621cc71-d318-4e2c-b1b1-c181f630e10e<br /> SamAccountName : Domain Admins<br /> <strong>SID : S-1-5-21-1581655573-3923512380-696647894-512</strong></p> <p>DistinguishedName : CN=Workstation Admins,OU=AD Management,DC=lab,DC=adsecurity,DC=org<br /> GroupCategory : Security<br /> GroupScope : Global<br /> <strong>Name : Workstation Admins</strong><br /> ObjectClass : group<br /> ObjectGUID : 88cd4d52-aedb-4f90-9ebd-02d4c0e322e4<br /> SamAccountName : WorkstationAdmins<br /> SID : S-1-5-21-1581655573-3923512380-696647894-2627</p> <p>DistinguishedName : CN=Server Admins,OU=AD Management,DC=lab,DC=adsecurity,DC=org<br /> GroupCategory : Security<br /> GroupScope : Global<br /> <strong>Name : Server Admins</strong><br /> ObjectClass : group<br /> ObjectGUID : 3877c311-9321-41c0-a6b5-c0d88684b335<br /> SamAccountName : ServerAdmins<br /> SID : S-1-5-21-1581655573-3923512380-696647894-2628</p> <p>DistinguishedName : CN=DnsAdmins,CN=Users,DC=lab,DC=adsecurity,DC=org<br /> GroupCategory : Security<br /> GroupScope : DomainLocal<br /> <strong>Name : DnsAdmins</strong><br /> ObjectClass : group<br /> ObjectGUID : 46caa0dd-6a22-42a3-a2d9-bd467934aab5<br /> SamAccountName : DnsAdmins<br /> <strong>SID : S-1-5-21-1581655573-3923512380-696647894-1101</strong></p> <p>DistinguishedName : CN=Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=org<br /> GroupCategory : Security<br /> GroupScope : DomainLocal<br /> <strong>Name : Administrators</strong><br /> ObjectClass : group<br /> ObjectGUID : d03a4afc-b14e-48c6-893c-bbc1ac872ca2<br /> SamAccountName : Administrators<br 
/> <strong>SID : S-1-5-32-544</strong></p> <p>DistinguishedName : CN=Hyper-V Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=org<br /> GroupCategory : Security<br /> GroupScope : DomainLocal<br /> <strong>Name : Hyper-V Administrators</strong><br /> ObjectClass : group<br /> ObjectGUID : 3137943e-f1c3-46d0-acf2-4711bf6f8417<br /> SamAccountName : Hyper-V Administrators<br /> <strong>SID : S-1-5-32-578</strong></p> <p>DistinguishedName : CN=Enterprise Admins,CN=Users,DC=lab,DC=adsecurity,DC=org<br /> GroupCategory : Security<br /> GroupScope : Universal<br /> <strong>Name : Enterprise Admins</strong><br /> ObjectClass : group<br /> ObjectGUID : 7674d6ad-777b-4db1-9fe3-e31fd664eb6e<br /> SamAccountName : Enterprise Admins<br /> <strong>SID : S-1-5-21-1581655573-3923512380-696647894-519</strong></p> <p>DistinguishedName : CN=Schema Admins,CN=Users,DC=lab,DC=adsecurity,DC=org<br /> GroupCategory : Security<br /> GroupScope : Universal<br /> <strong>Name : Schema Admins</strong><br /> ObjectClass : group<br /> ObjectGUID : 420e8ee5-77f5-43b8-9f51-cde3feea0662<br /> SamAccountName : Schema Admins<br /> <strong>SID : S-1-5-21-1581655573-3923512380-696647894-518</strong></p></blockquote> <p> </p> <p><strong>Identify Partner Organizations<br /> </strong></p> <p>External email addresses are added to the organization’s Global Address List (GAL) in order to facilitate collaboration among partner organization. 
These email addresses are created as contact objects in Active Directory.</p> <blockquote><p>PS C:\> get-adobject -filter {ObjectClass -eq “Contact”} -Prop *</p> <p>CanonicalName : lab.adsecurity.org/Contaxts/Admiral Ackbar<br /> CN : Admiral Ackbar<br /> Created : 1/27/2016 10:00:06 AM<br /> createTimeStamp : 1/27/2016 10:00:06 AM<br /> Deleted :<br /> Description :<br /> DisplayName :<br /> DistinguishedName : CN=Admiral Ackbar,OU=Contaxts,DC=lab,DC=adsecurity,DC=org<br /> dSCorePropagationData : {12/31/1600 4:00:00 PM}<br /> givenName : Admiral<br /> instanceType : 4<br /> isDeleted :<br /> LastKnownParent :<br /> <strong>mail : admackbar@RebelFleet.org</strong><br /> Modified : 1/27/2016 10:00:24 AM<br /> modifyTimeStamp : 1/27/2016 10:00:24 AM<br /> <strong>Name : Admiral Ackbar</strong><br /> nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity<br /> ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org<br /> ObjectClass : contact<br /> ObjectGUID : 52c80a1d-a614-4889-92d4-1f588387d9f3<br /> ProtectedFromAccidentalDeletion : False<br /> sDRightsEffective : 15<br /> sn : Ackbar<br /> uSNChanged : 275113<br /> uSNCreated : 275112<br /> whenChanged : 1/27/2016 10:00:24 AM<br /> whenCreated : 1/27/2016 10:00:06 AM</p> <p>CanonicalName : lab.adsecurity.org/Contaxts/Leia Organa<br /> CN : Leia Organa<br /> Created : 1/27/2016 10:01:25 AM<br /> createTimeStamp : 1/27/2016 10:01:25 AM<br /> Deleted :<br /> Description :<br /> DisplayName :<br /> DistinguishedName : CN=Leia Organa,OU=Contaxts,DC=lab,DC=adsecurity,DC=org<br /> dSCorePropagationData : {12/31/1600 4:00:00 PM}<br /> givenName : Leia<br /> instanceType : 4<br /> isDeleted :<br /> LastKnownParent :<br /> <strong>mail : LeiaOrgana@TheAlliance.org</strong><br /> Modified : 1/27/2016 10:09:15 AM<br /> modifyTimeStamp : 1/27/2016 10:09:15 AM<br /> <strong>Name : Leia Organa</strong><br /> nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity<br /> 
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org<br /> ObjectClass : contact<br /> ObjectGUID : ba8ec318-a0a2-41d5-923e-a3f646d1c7f9<br /> ProtectedFromAccidentalDeletion : False<br /> sDRightsEffective : 15<br /> sn : Organa<br /> uSNChanged : 275157<br /> uSNCreated : 275132<br /> whenChanged : 1/27/2016 10:09:15 AM<br /> whenCreated : 1/27/2016 10:01:25 AM</p></blockquote> <p><span style="text-decoration: underline;">Mitigation:</span></p> <p>The only mitigation is to not place contact objects in Active Directory which may no bet an option.</p> <p> </p> <p><strong>Identify Domain Password Policy<br /> </strong></p> <p>The domain password policy is easily enumerated using either “net accounts” or the AD PowerShell module “<a href="https://technet.microsoft.com/en-us/library/ee617244.aspx">Get-ADDefaultDomainPasswordPolicy</a>“.</p> <blockquote><p>PS C:\> Get-ADDefaultDomainPasswordPolicy</p> <p>ComplexityEnabled : True<br /> DistinguishedName : DC=lab,DC=adsecurity,DC=org<br /> LockoutDuration : 00:30:00<br /> LockoutObservationWindow : 00:30:00<br /> LockoutThreshold : 0<br /> MaxPasswordAge : 42.00:00:00<br /> MinPasswordAge : 1.00:00:00<br /> MinPasswordLength : 7<br /> objectClass : {domainDNS}<br /> objectGuid : bbf0907c-3171-4448-b33a-76a48d859039<br /> PasswordHistoryCount : 24<br /> ReversibleEncryptionEnabled : False</p></blockquote> <p><span style="text-decoration: underline;">Mitigation:</span></p> <p>There is no reasonable mitigation.</p> <p> </p> <p><strong>Identify Fine-Grained Password Policies<br /> </strong></p> <p>If the Domain Functional Level (DFL) is set to “Windows Server 2008” or higher, a new feature called Fine-Grained Password Policy (FGPP) is available to provide a wide-variety of password policies that can be applied to users or groups (not OUs). 
While Microsoft made Fine-Grained Password Policies available starting with Windows Server 2008 (DFL), the Active Directory Administrative Center (ADAC) wasn’t updated to support FGPP administration until Windows Server 2012. Enabling “Advanced Features” from the “View” menu option in Active Directory Users and Computers and then browsing down to System, Password Settings Container (CN=Password Settings Container,CN=System,DC=DOMAIN,DC=COM) will typically display any domain FGPP objects. Note that if “Advanced Features” is not enabled, the System container is not visible.</p> <p>FGPP over-rides the domain password policy settings and can be used to require stricter password policies or enable less-restrictive settings for a subset of domain users.</p> <blockquote><p>PS C:\> Get-ADFineGrainedPasswordPolicy -Filter *</p> <p>AppliesTo : {CN=Special FGPP Users,OU=Test,DC=lab,DC=adsecurity,DC=org}<br /> ComplexityEnabled : True<br /> DistinguishedName : CN=Special Password Policy Group,CN=Password Settings Container,CN=System,DC=lab,DC=adsecurity,DC=org<br /> LockoutDuration : 12:00:00<br /> LockoutObservationWindow : 00:15:00<br /> LockoutThreshold : 10<br /> MaxPasswordAge : 00:00:00.0000365<br /> MinPasswordAge : 00:00:00<br /> MinPasswordLength : 7<br /> Name : Special Password Policy Group<br /> ObjectClass : msDS-PasswordSettings<br /> ObjectGUID : c1301d8f-ba52-4bb3-b160-c449d9c7b8f8<br /> PasswordHistoryCount : 24<br /> Precedence : 100<br /> ReversibleEncryptionEnabled : True</p></blockquote> <p><span style="text-decoration: underline;">Mitigation:</span></p> <p>There is no reasonable mitigation.</p> <p> </p> <p><strong>Identify Managed Service Accounts & Group Managed Service Accounts<br /> </strong></p> <p>Microsoft added <a href="https://technet.microsoft.com/en-us/library/dd548356%28v=ws.10%29.aspx">Managed Service Accounts (MSAs)</a> as a new feature with Windows Server 2008 R2 DFL which automatically manages and updates the MSA password. 
The key limitation is that a MSA can only be linked to a single computer running Windows 7 or Windows Server 2008 R2 (or newer).</p> <p>Windows Server 2012 DFL introduced a needed update to MSAs called <a href="https://technet.microsoft.com/en-us/library/jj128431.aspx">group Managed Service Accounts (gMSAs)</a> which enable gMSAs to be linked to any number of computers running Windows 8 or Windows Server 2012 (or newer). Once the DFL is raised to Windows Server 2012 or newer, the default AD Service Account creation option creates a new gMSA (using the AD PowerShell module cmdlet <a href="https://technet.microsoft.com/en-us/library/ee617211.aspx">New-ADServiceAccount, for example</a>). Before creating a gMSA, the KDS Root key needs to be created (<em>Add-KDSRootKey –EffectiveImmediately</em>).</p> <blockquote><p>PS C:\> Get-ADServiceAccount -Filter * -Properties *</p> <p>AccountExpirationDate : 12/27/2017 11:14:38 AM<br /> accountExpires : 131588756787719890<br /> AccountLockoutTime :<br /> AccountNotDelegated : False<br /> AllowReversiblePasswordEncryption : False<br /> AuthenticationPolicy : {}<br /> AuthenticationPolicySilo : {}<br /> BadLogonCount : 0<br /> badPasswordTime : 0<br /> badPwdCount : 0<br /> CannotChangePassword : False<br /> CanonicalName : lab.adsecurity.org/Managed Service Accounts/ADSMSA12<br /> Certificates : {}<br /> CN : ADSMSA12<br /> codePage : 0<br /> CompoundIdentitySupported : {False}<br /> countryCode : 0<br /> Created : 1/27/2016 11:14:38 AM<br /> createTimeStamp : 1/27/2016 11:14:38 AM<br /> Deleted :<br /> Description : gMSA for XYZ App<br /> DisplayName : ADSMSA12<br /> DistinguishedName : CN=ADSMSA12,CN=Managed Service Accounts,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSAP02.lab.adsecurity.org<br /> DoesNotRequirePreAuth : False<br /> dSCorePropagationData : {12/31/1600 4:00:00 PM}<br /> Enabled : True<br /> HomedirRequired : False<br /> HomePage :<br /> HostComputers : {}<br /> instanceType : 4<br /> isCriticalSystemObject 
: False<br /> isDeleted :<br /> KerberosEncryptionType : {RC4, AES128, AES256}<br /> LastBadPasswordAttempt :<br /> LastKnownParent :<br /> lastLogoff : 0<br /> lastLogon : 0<br /> LastLogonDate :<br /> localPolicyFlags : 0<br /> LockedOut : False<br /> logonCount : 0<br /> ManagedPasswordIntervalInDays : {21}<br /> MemberOf : {}<br /> MNSLogonAccount : False<br /> Modified : 1/27/2016 11:14:39 AM<br /> modifyTimeStamp : 1/27/2016 11:14:39 AM<br /> msDS-ManagedPasswordId : {1, 0, 0, 0…}<br /> msDS-ManagedPasswordInterval : 21<br /> msDS-SupportedEncryptionTypes : 28<br /> msDS-User-Account-Control-Computed : 0<br /> Name : ADSMSA12<br /> nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity<br /> ObjectCategory : CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org<br /> ObjectClass : msDS-GroupManagedServiceAccount<br /> ObjectGUID : fe4c287b-f9d2-45ce-abe3-4acd6d09c3ff<br /> objectSid : S-1-5-21-1581655573-3923512380-696647894-3605<br /> PasswordExpired : False<br /> PasswordLastSet : 1/27/2016 11:14:38 AM<br /> PasswordNeverExpires : False<br /> PasswordNotRequired : False<br /> PrimaryGroup : CN=Domain Computers,CN=Users,DC=lab,DC=adsecurity,DC=org<br /> primaryGroupID : 515<br /> PrincipalsAllowedToDelegateToAccount : {}<br /> PrincipalsAllowedToRetrieveManagedPassword : {}<br /> ProtectedFromAccidentalDeletion : False<br /> pwdLastSet : 130983956789440119<br /> SamAccountName : ADSMSA12$<br /> sAMAccountType : 805306369<br /> sDRightsEffective : 15<br /> ServicePrincipalNames :<br /> SID : S-1-5-21-1581655573-3923512380-696647894-3605<br /> SIDHistory : {}<br /> TrustedForDelegation : False<br /> TrustedToAuthForDelegation : False<br /> UseDESKeyOnly : False<br /> userAccountControl : 4096<br /> userCertificate : {}<br /> UserPrincipalName :<br /> uSNChanged : 275383<br /> uSNCreated : 275380<br /> whenChanged : 1/27/2016 11:14:39 AM<br /> whenCreated : 1/27/2016 11:14:38 AM</p></blockquote> <p><span 
style="text-decoration: underline;">Mitigation:</span></p> <p>There is no reasonable mitigation.</p> <p> </p> <p><strong>Identify Groups with Local Admin Rights to Workstations/Servers</strong></p> <p><a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1">PowerView</a> has incorporated this functionality (<a href="https://twitter.com/harmj0y">@HarmJ0y</a> beat me to it! 🙂 ).<br /> Group Policy provides the ability, via Restricted Groups, to enforce local group membership such as the Administrators groups on all computers in an OU. This can be tracked back by identifying the GPOs that are using restricted groups and the OUs they are applied to. This provides the AD groups that have admin rights and the associated list of computers.</p> <p>Using <a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1">PowerView</a> (part of <a href="https://github.com/PowerShellMafia/PowerSploit">PowerSploit</a>), we can quickly identify GPOs that include Restricted Groups.</p> <blockquote><p>PS C:\> Get-NetGPOGroup</p> <p>GPOName : {E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212}<br /> GPOPath : \\lab.adsecurity.org\SysVol\lab.adsecurity.org\Policies\{E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212}<br /> Members : {Server Admins}<br /> MemberOf : {Administrators}<br /> GPODisplayName : Add Server Admins to Local Administrator Group</p> <p>Filters :<br /> GPOName : {45556105-EFE6-43D8-A92C-AACB1D3D4DE5}<br /> GPOPath : \\lab.adsecurity.org\SysVol\lab.adsecurity.org\Policies\{45556105-EFE6-43D8-A92C-AACB1D3D4DE5}<br /> Members : {Workstation Admins}<br /> MemberOf : {Administrators}<br /> GPODisplayName : Add Workstation Admins to Local Administrators Group</p></blockquote> <p>Once we have this information, we can check which OUs the GPOs are linked to using a <a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1">PowerView</a> cmdlet.</p> <blockquote><p>PS C:\> get-netOU -guid 
“E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212”<br /> LDAP://OU=Servers,DC=lab,DC=adsecurity,DC=org</p> <p>PS C:\> get-netOU -guid “45556105-EFE6-43D8-A92C-AACB1D3D4DE5”<br /> LDAP://OU=Workstations,DC=lab,DC=adsecurity,DC=org</p></blockquote> <p>Next, we identify the computers in these OUs</p> <blockquote><p>PS C:\> get-adcomputer -filter * -SearchBase “OU=Servers,DC=lab,DC=adsecurity,DC=org”</p> <p>DistinguishedName : CN=ADSAP01,OU=Servers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSAP01.lab.adsecurity.org<br /> Enabled : True<br /> Name : ADSAP01<br /> ObjectClass : computer<br /> ObjectGUID : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681<br /> SamAccountName : ADSAP01$<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1105<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=ADSAP02,OU=Servers,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSAP02.lab.adsecurity.org<br /> Enabled : True<br /> Name : ADSAP02<br /> ObjectClass : computer<br /> ObjectGUID : 1006978e-8627-4d01-98b6-3215c4ee4541<br /> SamAccountName : ADSAP02$<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1603<br /> UserPrincipalName :</p> <p> </p> <p>PS C:\> get-adcomputer -filter * -SearchBase “OU=Workstations,DC=lab,DC=adsecurity,DC=org”</p> <p>DistinguishedName : CN=ADSWRKWIN7,OU=Workstations,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSWRKWIN7.lab.adsecurity.org<br /> Enabled : True<br /> Name : ADSWRKWIN7<br /> ObjectClass : computer<br /> ObjectGUID : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70<br /> SamAccountName : ADSWRKWIN7$<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1104<br /> UserPrincipalName :</p> <p>DistinguishedName : CN=ADSWKWIN7,OU=Workstations,DC=lab,DC=adsecurity,DC=org<br /> DNSHostName : ADSWKWIN7.lab.adsecurity.org<br /> Enabled : True<br /> Name : ADSWKWIN7<br /> ObjectClass : computer<br /> ObjectGUID : 2f164d63-d721-4b0e-a553-3ca0e272aa96<br /> SamAccountName : ADSWKWIN7$<br /> SID : S-1-5-21-1581655573-3923512380-696647894-1602<br /> UserPrincipalName 
:</p></blockquote> <p>Using a few PowerShell commands, we are able to identify what AD groups are configured via GPO with full admin rights on computers in the domain.</p> <p><span style="text-decoration: underline;">Mitigation:</span></p> <p>The only mitigation is to remove Domain Users from being able to read the GPOs that manage local groups. Only computers in the domain require the ability to read and process these GPOs. Note that once an attacker gains admin rights on a single computer in the domain, they can use the computer account to read the GPO.</p> <p> </p> <p><strong>Identify Microsoft AppLocker Settings<br /> </strong></p> <p><a href="https://technet.microsoft.com/en-us/library/dd723686%28v=ws.10%29.aspx">Microsoft AppLocker</a> can be used to limit application execution to specific approved applications. There are several different phases I recommend for AppLocker:</p> <ul> <li>Phase 1: Audit Mode – audit all execution by users and the path they were run from. This logging mode provides information on what programs are run in the enterprise and this data is logged to the event log.</li> <li>Phase 2: “Blacklist Mode” – Configure AppLocker to block execution of any file in a user’s home directory, profile path, and temporary file location the user has write access to, such as c:\temp.</li> <li>Phase 3: “Folder Whitelist Mode” – Configure AppLocker to build on Phase 2 by adding new rules to only allow execution of files in specific folders such as c:\Windows and c:\Program Files.</li> <li>Phase 4: “Application Whitelisting” – Inventory all applications in use in the enterprise environment and whitelist those applications by location and hash (preferably digital signature). 
This ensures that only approved organization applications will execute.</li> </ul> <p>The issue is that AppLocker is configured via Group Policy, and the GPO permissions are often left at the default, which allows all domain users to read the configuration.</p> <p><span style="text-decoration: underline;">Mitigation:</span></p> <p>The only mitigation is to remove Domain Users from being able to read the GPOs that hold the AppLocker configuration. Only computers in the domain require the ability to read and process these GPOs. Note that once an attacker gains admin rights on a single computer in the domain, they can use the computer account to read the GPO.</p> <p> </p> <p><strong>Identify Microsoft EMET Settings<br /> </strong></p> <p><a href="https://technet.microsoft.com/en-us/security/jj653751">Microsoft Enhanced Mitigation Experience Toolkit (EMET)</a> helps prevent application vulnerabilities from being exploited (including some 0-days). It’s a free product that effectively “wraps” popular applications so when vulnerability exploitation is attempted, the attempt is stopped at the “wrapper” and doesn’t make it to the OS.<br /> Enterprises often use Group Policy to configure EMET, and the GPO permissions are often left at the default, which allows all domain users to read the configuration.</p> <p><span style="text-decoration: underline;">Mitigation:</span></p> <p>The only mitigation is to remove Domain Users from being able to read the GPOs that hold the EMET configuration. Only computers in the domain require the ability to read and process these GPOs. Note that once an attacker gains admin rights on a single computer in the domain, they can use the computer account to read the GPO.</p> <p> </p> <p><strong>Identify Microsoft LAPS Delegation<br /> </strong></p> <p><a href="https://adsecurity.org/?p=1790">Microsoft Local Administrator Password Solution (LAPS)</a> is a great option for managing local Administrator account passwords for computers in the enterprise. 
LAPS adds two new attributes to the AD computer object, one to store the local Admin password and one to track the last time the password was changed. A LAPS GPO is used to configure the LAPS client determining when the password is changed, its length, the account managed, etc. The computer’s local Administrator password is created by the LAPS client on the computer, that password is set as the new value for the LAPS password attribute (ms-Mcs-AdmPwd), and changed locally. In order for the password to be usable by an admin, read access to the ms-Mcs-AdmPwd attribute needs to be delegated. This delegation can be identified by enumerating the security ACLs on the attribute.</p> <p><span style="text-decoration: underline;">Mitigation:</span></p> <p>The only mitigation is to remove Domain Users from being able to read the LAPS GPO. Only computers in the domain require the ability to read and process this GPO. Note that once an attacker gains admin rights on a single computer in the domain, they can use the computer account to read the GPO. Restricting the GPO limits only who can read the LAPS client settings; the delegation described above is recorded in the ACLs that grant read access to ms-Mcs-AdmPwd rather than in the GPO, so review those ACLs regularly and keep the delegated groups as small as possible.</p> <p> </p> <p><strong>Discover Admin Credentials in the domain SYSVOL Share<br /> </strong></p> <p>Admins often place credentials in scripts or in Group Policy which end up in SYSVOL.<br /> More information on this issue including mitigation: “<a href="https://adsecurity.org/?p=2288">Finding Passwords in SYSVOL & Exploiting Group Policy Preferences</a>”</p> <p> </p> <p><strong>Conclusion</strong></p> <p>These are only a few of the interesting data items which can be easily gathered from Active Directory as a domain user. Expect an attacker to gain a foothold in your enterprise and adjust current strategies accordingly.</p> <p><strong>Note</strong>: W<em>hile I have some scripts that perform many of these actions already, they are not ready for sharing. 
At some point in the future, I may be able to share these.</em></p> </div>
class="cat-item cat-item-55"><a href="https://adsecurity.org/?cat=55">Apple Security</a> </li> <li class="cat-item cat-item-431"><a href="https://adsecurity.org/?cat=431">Cloud Security</a> </li> <li class="cat-item cat-item-17"><a href="https://adsecurity.org/?cat=17">Continuing Education</a> </li> <li class="cat-item cat-item-396"><a href="https://adsecurity.org/?cat=396">Entertainment</a> </li> <li class="cat-item cat-item-347"><a href="https://adsecurity.org/?cat=347">Exploit</a> </li> <li class="cat-item cat-item-1039"><a href="https://adsecurity.org/?cat=1039">Hacking</a> </li> <li class="cat-item cat-item-168"><a href="https://adsecurity.org/?cat=168">Hardware Security</a> </li> <li class="cat-item cat-item-172"><a href="https://adsecurity.org/?cat=172">Hypervisor Security</a> </li> <li class="cat-item cat-item-126"><a href="https://adsecurity.org/?cat=126">Linux/Unix Security</a> </li> <li class="cat-item cat-item-343"><a href="https://adsecurity.org/?cat=343">Malware</a> </li> <li class="cat-item cat-item-11"><a href="https://adsecurity.org/?cat=11">Microsoft Security</a> </li> <li class="cat-item cat-item-819"><a href="https://adsecurity.org/?cat=819">Mitigation</a> </li> <li class="cat-item cat-item-48"><a href="https://adsecurity.org/?cat=48">Network/System Security</a> </li> <li class="cat-item cat-item-7"><a href="https://adsecurity.org/?cat=7">PowerShell</a> </li> <li class="cat-item cat-item-698"><a href="https://adsecurity.org/?cat=698">RealWorld</a> </li> <li class="cat-item cat-item-21"><a href="https://adsecurity.org/?cat=21">Security</a> </li> <li class="cat-item cat-item-234"><a href="https://adsecurity.org/?cat=234">Security Conference Presentation/Video</a> </li> <li class="cat-item cat-item-1045"><a href="https://adsecurity.org/?cat=1045">Security Recommendation</a> </li> <li class="cat-item cat-item-24"><a href="https://adsecurity.org/?cat=24">Technical Article</a> </li> <li class="cat-item cat-item-4"><a 
href="https://adsecurity.org/?cat=4">Technical Reading</a> </li> <li class="cat-item cat-item-2"><a href="https://adsecurity.org/?cat=2">Technical Reference</a> </li> <li class="cat-item cat-item-156"><a href="https://adsecurity.org/?cat=156">TheCloud</a> </li> <li class="cat-item cat-item-930"><a href="https://adsecurity.org/?cat=930">Vulnerability</a> </li> </ul> </div><div id="meta-2" class="sidebar-wrap widget_meta"><h3>Meta</h3> <ul> <li><a href="https://adsecurity.org/wp-login.php">Log in</a></li> <li><a href="https://adsecurity.org/?feed=rss2">Entries feed</a></li> <li><a href="https://adsecurity.org/?feed=comments-rss2">Comments feed</a></li> <li><a href="https://wordpress.org/">WordPress.org</a></li> </ul> </div> </div><!-- #sidebar1 --> </div><!-- #content --> <div id="sidebar_bottom" class="sidebar widget-area row footer-widget-col-3"> <div id="text-2" class="sidebar-wrap widget_text col-sm-4"><h3>Copyright</h3> <div class="textwidget">Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2020.</div> </div> </div> <div id="footer" class="row default-footer"> <div class="copyright-developer"> <div id="copyright"> <p>Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. 
</p> </div> <div id="developer"> <p> Made with <i class="fa fa-heart"></i> by <a href="https://www.graphene-theme.com/" rel="nofollow">Graphene Themes</a>. </p> </div> </div> </div><!-- #footer --> </div><!-- #container --> <!-- Start of StatCounter Code --> <script> <!-- var sc_project=10100711; var sc_security="4b306538"; var sc_invisible=1; var scJsHost = (("https:" == document.location.protocol) ? "https://secure." : "http://www."); //--> </script> <script type="text/javascript" src="https://secure.statcounter.com/counter/counter.js" async></script> <noscript><div class="statcounter"><a title="web analytics" href="https://statcounter.com/"><img class="statcounter" src="https://c.statcounter.com/10100711/0/4b306538/1/" alt="web analytics" /></a></div></noscript> <!-- End of StatCounter Code --> <a href="#" id="back-to-top" title="Back to top"><i class="fa fa-chevron-up"></i></a> <script type="text/javascript" id="tptn_tracker-js-extra"> /* <![CDATA[ */ var ajax_tptn_tracker = {"ajax_url":"https:\/\/adsecurity.org\/wp-admin\/admin-ajax.php","top_ten_id":"2535","top_ten_blog_id":"1","activate_counter":"11","top_ten_debug":"0","tptn_rnd":"916353789"}; /* ]]> */ </script> <script type="text/javascript" src="https://adsecurity.org/wp-content/plugins/top-10/includes/js/top-10-tracker.min.js?ver=1.0" id="tptn_tracker-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-includes/js/comment-reply.min.js?ver=6.5.5" id="comment-reply-js" async="async" data-wp-strategy="async"></script> </body> </html>