Scanning for Active Directory Privileges & Privileged Accounts – Active Directory Security
<!DOCTYPE html> <html lang="en-US" prefix="og: http://ogp.me/ns#"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Scanning for Active Directory Privileges & Privileged Accounts – Active Directory Security</title> <link rel="canonical" href="https://adsecurity.org/?p=3658" /> <meta property="article:modified_time" content="2019-07-03T15:34:58+00:00" /> <meta property="article:published_time" content="2017-06-14T01:18:09+00:00" /> </head> <body class="post-template-default single single-post postid-3658 single-format-standard custom-background wp-embed-responsive layout-boxed two_col_left two-columns singular"> <div class="container boxed-wrapper"> <div id="content" class="clearfix hfeed row"> <div id="content-main" class="clearfix content-main col-md-8"> <div id="post-3658" class="clearfix post post-3658 type-post status-publish format-standard has-post-thumbnail hentry category-activedirectorysecurity category-microsoft-security tag-account-operators tag-active-directory-permissions tag-active-directory-privileged-access tag-active-directory-security tag-ad tag-ad-acls tag-ad-delegation tag-ad-groups-in-local-groups tag-ad-security tag-adminsdholder tag-allow-logon-locally tag-allow-logon-over-remote-desktop-services tag-backup-operators tag-bloodhound tag-create-gpo-rights tag-createchild tag-dcsync tag-deletechild tag-domain-admins tag-enable-computer-and-user-accounts-to-be-trusted-for-delegation tag-enterprise-admins tag-extended-right tag-full-control tag-genericall tag-genericwrite tag-gpo tag-greoup-policy-delegation tag-group-membership tag-group-policy-object tag-group-policy-permission tag-impersonate-a-client-after-authentication tag-link-gpo-rights tag-manage-auditing-and-security-log tag-manage-group-policy-link tag-powerview tag-print-operators tag-replicating-directory-changes-all tag-restricted-groups tag-s-1-5-512 tag-s-1-5-517 tag-s-1-5-520 tag-s-1-5-21-1102 tag-s-1-5-21-519 tag-s-1-5-21-525 tag-s-1-5-21-571 tag-s-1-5-32-574 tag-s-1-5-32-544 tag-s-1-5-32-548 tag-s-1-5-32-550 tag-s-1-5-32-551 tag-s-1-5-32-554 tag-s-1-5-32-562 tag-s-1-5-32-573 tag-s-1-5-32-578 tag-sacl tag-schema-admins tag-sddl tag-sdprop tag-self tag-semachineaccountprivilege tag-senetworklogonright tag-setcbprivilege tag-setrustedcredmanaccessprivilege tag-sidhistory tag-synchronize-directory-service-data 
tag-user-rights-assignments tag-validated-write tag-writedacl tag-writeowner tag-writeproperty item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Jun</span> <span class="day">14</span> <span class="year">2017</span> </p> </div> <h1 class="post-title entry-title"> Scanning for Active Directory Privileges & Privileged Accounts </h1> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>Active Directory Recon is the new hotness since attackers, Red Teamers, and penetration testers have realized that control of Active Directory provides power over the organization.</p> <p>I covered ways to enumerate permissions in AD using <a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1">PowerView </a>(written by Will <a href="https://twitter.com/harmj0y">@harmj0y</a>) during <a href="https://adsecurity.org/?page_id=1352">my Black Hat & DEF CON talks in 2016</a> from both a Blue Team and Red Team perspective.</p> <p>This post details how privileged access is delegated in Active Directory and how best to discover who has what rights and permissions in AD. 
When we perform an <a href="https://trimarcsecurity.com/security-services">Active Directory Security Assessment </a>for customers, we review all of the data points listed in this post, including the privileged groups and the rights associated with them by fully interrogating Active Directory and mapping the associated permissions to rights and associating these rights to the appropriate groups (or accounts).</p> <p>I have had this post in draft for a while and with <a href="https://wald0.com/?p=112">Bloodhound now supporting AD ACLs</a> (nice work Will <a href="https://twitter.com/harmj0y">@harmj0y</a> & Andy <a href="https://twitter.com/_wald0">@_Wald0</a>!), it’s time to get more information out about AD permissions. Examples in this post use the <a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1">PowerView</a> PowerShell cmdlets.</p> <p><span style="text-decoration: underline;"><b>Active Directory Privileged Access </b></span></p> <p>The challenge is often determining what access each group actually has. Often the full impact of what access a group actually has is not fully understood by the organization. 
Attackers <a href="https://adsecurity.org/?p=2362">leverage access (though not always privileged access) to compromise Active Directory</a>.</p> <p>The key point often missed is that rights to Active Directory and key resources are more than just group membership; they are the combined rights the user has, which are made up of:</p> <ul> <li>Active Directory group membership.</li> <li>AD groups with privileged rights on computers.</li> <li>Delegated rights to AD objects by modifying the default permissions (for security principals, both direct and indirect).</li> <li>Rights assigned to SIDs in SIDHistory to AD objects.</li> <li>Delegated rights to Group Policy Objects.</li> <li>User Rights Assignments configured on workstations, servers, and Domain Controllers via Group Policy (or Local Policy), which define elevated rights and permissions on these systems.</li> <li>Local group membership on a computer or computers (similar to GPO assigned settings).</li> <li>Delegated rights to shared folders.</li> </ul> <p><span id="more-3658"></span></p> <p><span style="text-decoration: underline;"><b>Group Membership</b></span></p> <p>Enumerating group membership is the easy way to discover privileged accounts in Active Directory, though it often doesn’t tell the full story. Membership in Domain Admins, Administrators, and Enterprise Admins obviously provides full domain/forest admin rights. 
Custom groups are created and delegated access to resources.</p> <p>This screenshot shows using PowerView to find VMWare groups and list the members.</p> <p><img fetchpriority="high" decoding="async" class="alignnone wp-image-3661" src="https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-Get-NetGroup-And-Member-VMWare.png" alt="" width="512" height="146" srcset="https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-Get-NetGroup-And-Member-VMWare.png 1059w, https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-Get-NetGroup-And-Member-VMWare-300x86.png 300w, https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-Get-NetGroup-And-Member-VMWare-768x219.png 768w, https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-Get-NetGroup-And-Member-VMWare-1024x292.png 1024w" sizes="(max-width: 512px) 100vw, 512px" /></p> <p><a href="https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx">Interesting Groups with default elevated rights</a>:</p> <p><strong>Account Operators</strong>: Active Directory group with default privileged rights on domain users and groups, plus the ability to logon to Domain Controllers<br /> Well-Known SID/RID: S-1-5-32-548<br /> <em>The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.</em><br /> <em> Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. 
Members of this group cannot modify user rights.</em><br /> <em> The Account Operators group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em></p> <p><em>By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved.</em></p> <p><strong>Administrators</strong>: Local or Active Directory group. The AD group has full admin rights to the Active Directory domain and Domain Controllers<br /> Well-Known SID/RID: S-1-5-32-544<br /> <em>Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain.</em><br /> <em> The Administrators group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em></p> <p><em>The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups.</em><br /> <em> Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. 
This account is considered a service administrator group because its members have full access to the domain controllers in the domain.</em></p> <p><em>This security group includes the following changes since Windows Server 2008:</em><br /> <em> Default user rights changes: Allow log on through Terminal Services existed in Windows Server 2008, and it was replaced by Allow log on through Remote Desktop Services.</em><br /> <em> Remove computer from docking station was removed in Windows Server 2012 R2.</em></p> <p><strong>Allowed RODC Password Replication Group</strong>: Active Directory group where members can have their domain password cached on a RODC after successfully authenticating (includes user and computer accounts).<br /> Well-Known SID/RID: S-1-5-21-<domain>-571<br /> <em>The purpose of this security group is to manage a RODC password replication policy. This group has no members by default, and it results in the condition that new Read-only domain controllers do not cache user credentials. The Denied RODC Password Replication Group group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.</em><br /> <em> The Allowed RODC Password Replication group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>Backup Operators</strong>: Local or Active Directory group. AD group members can backup or restore Active Directory and have logon rights to Domain Controllers (default).<br /> Well-Known SID/RID: S-1-5-32-551<br /> <em>Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. 
This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the following groups: default service Administrators, Domain Admins in the domain, or Enterprise Admins. It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators.</em><br /> <em> The Backup Operators group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>Certificate Service DCOM Access</strong>: Active Directory group.<br /> Well-Known SID/RID: S-1-5-32-<domain>-574<br /> <em>Members of this group are allowed to connect to certification authorities in the enterprise.</em><br /> <em> The Certificate Service DCOM Access group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>Cert Publishers</strong>: Active Directory group.<br /> Well-Known SID/RID: S-1-5-<domain>-517<br /> <em>Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory.</em><br /> <em> The Cert Publishers group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>Distributed COM 
Users</strong><br /> Well-Known SID/RID: S-1-5-32-562<br /> <em>Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).</em><br /> <em> The Distributed COM Users group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>DnsAdmins</strong>: Local or Active Directory group. Members of this group have admin rights to AD DNS and <strong><a href="https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83">can run code via DLL on a Domain Controller operating as a DNS server</a>.</strong><br /> Well-Known SID/RID: S-1-5-21-<domain>-1102<br /> <em>Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.</em><br /> <em> For information about other means to secure the DNS server service, see Securing the DNS Server Service.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>Domain Admins</strong>: Active Directory group with full admin rights to the Active Directory domain and all computers (default), including all workstations, servers, and Domain Controllers. 
Gains this right through automatic membership in the Administrators group for the domain as well as all computers when they are joined to the domain.<br /> Well-Known SID/RID: S-1-5-<domain>-512<br /> <em>Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.</em><br /> <em> The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins), and by members of the Enterprise Admins group. This is considered a service administrator account because its members have full access to the domain controllers in a domain.</em><br /> <em> The Domain Admins group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>Enterprise Admins</strong>: Active Directory group with full admin rights to all Active Directory domains in the AD forest and gains this right through automatic membership in the Administrators group in every domain in the forest.<br /> Well-Known SID/RID: S-1-5-21-<root domain>-519<br /> <em>The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. 
Members of this group are authorized to make forest-wide changes in Active Directory, such as adding child domains.</em><br /> <em> By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access for configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Membership can be modified only by the default service administrator groups in the root domain. This is considered a service administrator account.</em><br /> <em> The Enterprise Admins group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>Event Log Readers</strong><br /> Well-Known SID/RID: S-1-5-32-573<br /> <em>Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.</em><br /> <em> The Event Log Readers group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>Group Policy Creators Owners</strong>: Active Directory group with the ability to create Group Policies in the domain.<br /> Well-Known SID/RID: S-1-5-<domain>-520<br /> <em>This group is authorized to create, edit, or delete Group Policy Objects in the domain. 
By default, the only member of the group is Administrator.</em><br /> <em>The Group Policy Creators Owners group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>Hyper-V Administrators</strong><br /> Well-Known SID/RID: S-1-5-32-578<br /> <em>Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access.</em><br /> <em> Note:</em><br /> <em> Prior to Windows Server 2012, access to features in Hyper-V was controlled in part by membership in the Administrators group.</em><br /> <em> This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.</em></p> <p><strong>Pre–Windows 2000 Compatible Access</strong><br /> Well-Known SID/RID: S-1-5-32-554<br /> <em>Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity group, Everyone, is a member of this group.
Add users to this group only if they are running Windows NT 4.0 or earlier.</em><br /> <em> Warning:</em><br /> <em> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).</em><br /> <em> The Pre–Windows 2000 Compatible Access group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>Print Operators</strong><br /> Well-Known SID/RID: S-1-5-32-550<br /> <em>Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain.</em><br /> <em> This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved.</em><br /> <em> The Print Operators group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration.
For more information, see Assigning Delegated Print Administrator and Printer Permission Settings in Windows Server 2008 R2.</em></p> <p><strong>Protected Users</strong><br /> Well-known SID/RID: S-1-5-21-<domain>-525<br /> <em>Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes.</em><br /> <em> This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group.</em><br /> <em> This domain-related, global group triggers non-configurable protection on devices and host computers running Windows Server 2012 R2 and Windows 8.1, and on domain controllers in domains with a primary domain controller running Windows Server 2012 R2. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer.</em></p> <p><em>Depending on the account’s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows.</em><br /> <em> Members of the Protected Users group cannot authenticate by using the following Security Support Providers (SSPs): NTLM, Digest Authentication, or CredSSP. Passwords are not cached on a device running Windows 8.1, so the device fails to authenticate to a domain when the account is a member of the Protected User group.</em></p> <p><em>The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process. 
This means that the domain must be configured to support at least the AES cipher suite.</em></p> <p><em>The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.</em><br /> <em> The default Kerberos ticket-granting tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center. This means that when four hours has passed, the user must authenticate again.</em></p> <p><em>The Protected Users group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This group was introduced in Windows Server 2012 R2. For more information about how this group works, see Protected Users Security Group.</em><br /> <em> The following table specifies the properties of the Protected Users group.</em></p> <p><strong>Remote Desktop Users</strong><br /> Well-Known SID/RID: S-1-5-32-555<br /> <em>The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).</em><br /> <em> The Remote Desktop Users group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>Schema Admins</strong><br /> Well-Known SID/RID: S-1-5-<root domain>-518<br /> <em>Members of the Schema Admins group can modify the Active Directory schema. 
This group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode.</em><br /> <em> The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema.</em><br /> <em> The membership of this group can be modified by any of the service administrator groups in the root domain. This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory.</em><br /> <em> For more information, see What Is the Active Directory Schema?: Active Directory.</em><br /> <em> The Schema Admins group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>Server Operators</strong><br /> Well-Known SID/RID: S-1-5-32-549<br /> <em>Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.</em><br /> <em> By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group. Members in this group cannot change any administrative group memberships.
This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.</em><br /> <em> The Server Operators group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> This security group has not changed since Windows Server 2008.</em></p> <p><strong>WinRMRemoteWMIUsers_</strong><br /> Well-Known SID/RID: S-1-5-21-<domain>-1000<br /> <em>In Windows 8 and in Windows Server 2012, a Share tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running.</em></p> <p><em>The WinRMRemoteWMIUsers_ group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.</em><br /> <em> If the file share is hosted on a server that is running a supported version of the operating system:</em></p> <ul> <li><em>You must be a member of the WinRMRemoteWMIUsers__ group or the BUILTIN\Administrators group.</em></li> <li><em>You must have Read permissions to the file share.</em></li> </ul> <p><em>If the file share is hosted on a server that is running a version of Windows Server that is earlier than Windows Server 2012:</em></p> <ul> <li><em>You must be a member of the BUILTIN\Administrators group.</em></li> <li><em>You must have Read permissions to the file share.</em></li> </ul> <p><em>In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers__ group. 
Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions.</em></p> <p><em>The WinRMRemoteWMIUsers_ group allows running Windows PowerShell commands remotely whereas the Remote Management Users group is generally used to allow users to manage servers by using the Server Manager console.</em><br /> <em> This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.</em></p> <p><span style="text-decoration: underline;"><strong>Active Directory Groups with Privileged Rights on Computers</strong></span></p> <p>Most organizations use Group Policy to add an Active Directory group to a local group on computers (typically the Administrators group). Using PowerView, we can easily discover the AD groups that have admin rights on workstations and servers (which is the typical use case).</p> <p>In the following screenshot, we see that the organization has configured the following GPOs:</p> <p>GPO: “Add Server Admins to Local Administrator Group”<br /> Local Group: Administrators<br /> AD Group: Server Admins (SID is shown in the example)</p> <p>GPO: “Add Workstation Admins to Local Administrator Group”<br /> Local Group: Administrators<br /> AD Group: Workstation Admins (SID is shown in the example)</p> <p><img decoding="async" class="alignnone size-full wp-image-3676" src="https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-GetNetGPOGroup-01.png" alt="" width="1852" height="884" srcset="https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-GetNetGPOGroup-01.png 1852w, https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-GetNetGPOGroup-01-300x143.png 300w, https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-GetNetGPOGroup-01-768x367.png 768w, https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-GetNetGPOGroup-01-1024x489.png 1024w" 
sizes="(max-width: 1852px) 100vw, 1852px" /></p> <p>We can also use PowerView to identify what AD groups have admin rights on computers by OU.</p> <p><img decoding="async" class="alignnone size-full wp-image-3677" src="https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-FindADGroupsinLocalGroups-GPO.png" alt="" width="1965" height="788" srcset="https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-FindADGroupsinLocalGroups-GPO.png 1965w, https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-FindADGroupsinLocalGroups-GPO-300x120.png 300w, https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-FindADGroupsinLocalGroups-GPO-768x308.png 768w, https://adsecurity.org/wp-content/uploads/2017/06/AD-Recon-PowerView-FindADGroupsinLocalGroups-GPO-1024x411.png 1024w" sizes="(max-width: 1965px) 100vw, 1965px" /></p> <p><span style="text-decoration: underline;"><b>Active Directory Object Permissions (ACLs)</b></span></p> <p>Similar to file system permissions, Active Directory objects have permissions as well.</p> <p>These permissions are called Access Control Lists (ACLs). 
The permissions set on objects use a cryptic format called <a href="https://blogs.technet.microsoft.com/askds/2008/04/18/the-security-descriptor-definition-language-of-love-part-1/">Security Descriptor Definition Language</a> <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/dd981030(v=vs.85).aspx">(SDDL)</a> which looks like this:<br /> <em>D:PAI(D;OICI;FA;;;BG)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BU)</em></p> <p>This is translated by the GUI to provide the more user-friendly format we are used to (see screenshot below).</p> <p>Every Active Directory object has permissions configured on it, either explicitly defined or inherited from an object above it (typically an OU or the domain), and each permission can be defined to either allow or deny access to the object and its properties.</p> <p>When performing <a href="https://trimarcsecurity.com/security-services">Active Directory security assessments</a>, we scan Active Directory for AD ACLs and identify the accounts/groups with privileged rights based on the delegation on AD objects such as the domain, OUs, security groups, etc.</p> <p>Every object in Active Directory has default permissions applied to it, as well as any inherited and explicit permissions. Because Authenticated Users have, by default, read access to objects in AD, to most of their properties, and to the permissions defined on the objects, any authenticated account can easily gather AD objects, their properties, and their permissions.</p> <p>One quick note about AD ACLs.
There is an object in the System container called “<a href="https://adsecurity.org/?p=1906">AdminSDHolder</a>”, which has only one purpose: to be the permissions template object for objects (and their members) with high levels of permissions in the domain.</p> <ul> <li>SDProp Protected Objects (Windows Server 2008 & Windows Server 2008 R2): <ul> <li>Account Operators</li> <li>Administrator</li> <li>Administrators</li> <li>Backup Operators</li> <li>Domain Admins</li> <li>Domain Controllers</li> <li>Enterprise Admins</li> <li>Krbtgt</li> <li>Print Operators</li> <li>Read-only Domain Controllers</li> <li>Replicator</li> <li>Schema Admins</li> <li>Server Operators</li> </ul> </li> </ul> <p>About every 60 minutes, the PDC emulator runs a process to enumerate all of these protected objects and their members and then stamps them with the permissions configured on the <a href="https://adsecurity.org/?p=1906">AdminSDHolder</a> object (and sets the adminCount attribute to ‘1’). This ensures that privileged groups and accounts are protected from improper AD permission delegation.</p> <p>It’s extremely difficult to stay on top of custom permissions on AD objects.
For example, the following graphic shows permissions on an OU.</p> <p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3666" src="https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-01.png" alt="" width="1707" height="1259" srcset="https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-01.png 1707w, https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-01-300x221.png 300w, https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-01-768x566.png 768w, https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-01-1024x755.png 1024w" sizes="(max-width: 1707px) 100vw, 1707px" /></p> <p>There’s a serious issue with the delegation on this OU, which is highlighted below.<br /> The issue is a delegation that grants Domain Controllers Full Control rights on this OU and all objects contained in it.</p> <p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3667" src="https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-02.png" alt="" width="1808" height="1333" srcset="https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-02.png 1808w, https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-02-300x221.png 300w, https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-02-768x566.png 768w, https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-02-1024x755.png 1024w" sizes="(max-width: 1808px) 100vw, 1808px" /></p> <p>An attacker is most interested in <a href="https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx">permissions that provide privileged actions</a>.
These ACLs include:</p> <ul> <li><a href="https://msdn.microsoft.com/en-us/library/ms684355(v=vs.85).aspx"><b>Replicating Directory Changes All</b></a><br /> <em>Extended right needed to replicate only those changes from a given NC that are also replicated to the Global Catalog (which includes secret domain data). This constraint is only meaningful for Domain NCs.</em><br /> An <a href="https://msdn.microsoft.com/en-us/library/ms683985(v=vs.85).aspx">Extended Right</a> that provides the ability to replicate all data for an object, including password data (I call this the Domain Controller impersonation right) which when combined with Replicating Directory Changes, provides the ability to “<a href="https://adsecurity.org/?p=1729">DCSync</a>” the password data for AD users and computers. See <a href="https://adsecurity.org/?p=1729">my write-up on DCSync usage & detection for more detail</a>.<br /> Example: FIM, Riverbed, SharePoint, and other applications often have a <a href="https://support.microsoft.com/en-us/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-microsoft-metadirectory-services-adma-service-account">service account granted this right on the domain root</a>. 
If an attacker can guess this password (or potentially crack it by <a href="https://adsecurity.org/?p=3458">Kerberoasting</a>), they now own the domain since they can DCSync password hashes for all AD users and computers (including Domain Admins and Domain Controllers).</li> <li>Replicating Directory Changes (<a href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772673(v=ws.10)">DS-Replication-Get-Changes</a>)<br /> <em>Control access right that allows the replication of all data in a given replication NC, excluding secret domain data.<br /> </em>This right provides the ability to pull data from Active Directory regardless of configured AD ACLs.</li> <li><b>GenericAll</b>: GenericAll = Full Control<br /> <em>The right to create or delete children, delete a subtree, read and write properties, examine children and the object itself, add and remove the object from the directory, and read or write with an extended right.</em><br /> It provides full rights to the object and all properties, including confidential attributes such as LAPS local Administrator passwords, and BitLocker recovery keys. In many cases, Full Control rights aren’t required, but it’s easier to delegate and get working than determining the actual rights required.<br /> Example: A Server tier group may be delegated Full Control on all Computer objects in an OU that has the computer objects associated with servers. 
Another common configuration is delegating Full Control on all Computer objects in the Workstations OU for the Desktop Support group, and delegating Full Control on all user objects in the Users OU for the Help Desk.</li> <li><strong>GenericWrite</strong>: Provides write access to all properties.<br /> <em>The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object.</em></li> <li><b>WriteDACL</b>: Provides the ability to modify security on an object which can lead to Full Control of the object.<br /> <em>The right to modify the DACL in the object security descriptor.</em><br /> Example: A service account may be granted this right to perform delegation in AD. If an attacker can guess the service account’s password (or potentially crack it by Kerberoasting), they can now set their own permissions on associated objects, which can lead to Full Control of an object and may involve exposure of a LAPS-controlled local Administrator password.</li> <li><strong>Self: </strong> Provides the ability to perform <a href="https://msdn.microsoft.com/en-us/library/cc223513.aspx">validated writes</a>.<br /> <em>The right to perform an operation that is controlled by a validated write access right.</em><br /> Validated writes include the following attributes:</p> <ul> <li>Self-Membership (bf9679c0-0de6-11d0-a285-00aa003049e2 / member attribute)</li> <li>Validated-DNS-Host-Name<br /> (72e39547-7b18-11d1-adef-00c04fd8d5cd / dNSHostName attribute)</li> <li>Validated-MS-DS-Additional-DNS-Host-Name<br /> (80863791-dbe9-4eb8-837e-7f0ab55d9ac7 / msDS-AdditionalDnsHostName attribute)</li> <li>Validated-MS-DS-Behavior-Version<br /> (d31a8757-2447-4545-8081-3bb610cacbf2 / msDS-Behavior-Version attribute)</li> <li>Validated-SPN<br /> (f3a64788-5306-11d1-a9c5-0000f80367c1 / servicePrincipalName attribute)</li> </ul> </li> <li><strong>WriteOwner</strong>: Provides the ability to take ownership of an object. 
The owner of an object can <a href="https://technet.microsoft.com/en-us/library/dd125370(v=ws.10).aspx">gain full control rights on the object</a>.<br /> <em>The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users</em>.</li> <li><b>WriteProperty</b>: Typically paired with specific attribute/property information. Example: The help desk group is delegated the ability to modify specific AD object properties like Member (to modify group membership), Display Name, Description, Phone Number, etc.</li> <li><b>CreateChild</b>: Provides the ability to create an object of a specified type (or “All”).</li> <li><b>DeleteChild</b>: Provides the ability to delete an object of a specified type (or “All”).</li> <li><a href="https://msdn.microsoft.com/en-us/library/ms683985(v=vs.85).aspx"><b>Extended Right</b></a>: This is an interesting one because it provides additional rights beyond the obvious. Example: All Extended Right permissions to a computer object <a href="https://adsecurity.org/?p=3164">may provide read access to the LAPS Local Administrator password attribute</a>.</li> </ul> <p>Andy Robbins’ (<a href="https://twitter.com/_wald0">@_Wald0</a>) <a href="https://wald0.com/?p=112">post covers ways these rights can be abused</a>.</p> <p>The ability to create and link GPOs in a domain should be seen as effective Domain Admin rights since it provides the ability to modify security settings, install software, configure user and computer logon (and startup/shutdown) scripts, and run commands.</p> <ul> <li><strong><a href="https://technet.microsoft.com/en-us/library/cc978262.aspx">Manage Group Policy link</a> (LinkGPO)</strong>: Provides the ability to link an existing Group Policy Object in Active Directory to the domain, OU, and/or site where the right is defined. 
<i>By default, GPO Creator Owners has this right.<br /> </i></li> <li><strong>Create GPOs</strong>: By default, the AD group Group Policy Creator Owners has this right. Can be delegated via the Group Policy Management Console (GPMC).</li> </ul> <p>PowerView provides the ability to search AD permissions for interesting rights.</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3673" src="https://adsecurity.org/wp-content/uploads/2017/06/PowerView-FullControlRightsonTheAccountsOU-1.png" alt="" width="694" height="384" srcset="https://adsecurity.org/wp-content/uploads/2017/06/PowerView-FullControlRightsonTheAccountsOU-1.png 1619w, https://adsecurity.org/wp-content/uploads/2017/06/PowerView-FullControlRightsonTheAccountsOU-1-300x166.png 300w, https://adsecurity.org/wp-content/uploads/2017/06/PowerView-FullControlRightsonTheAccountsOU-1-768x425.png 768w, https://adsecurity.org/wp-content/uploads/2017/06/PowerView-FullControlRightsonTheAccountsOU-1-1024x566.png 1024w" sizes="(max-width: 694px) 100vw, 694px" /></p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3674" src="https://adsecurity.org/wp-content/uploads/2017/06/PowerView-ServiceAccountWithDCSyncRights.png" alt="" width="699" height="384" srcset="https://adsecurity.org/wp-content/uploads/2017/06/PowerView-ServiceAccountWithDCSyncRights.png 1520w, https://adsecurity.org/wp-content/uploads/2017/06/PowerView-ServiceAccountWithDCSyncRights-300x165.png 300w, https://adsecurity.org/wp-content/uploads/2017/06/PowerView-ServiceAccountWithDCSyncRights-768x421.png 768w, https://adsecurity.org/wp-content/uploads/2017/06/PowerView-ServiceAccountWithDCSyncRights-1024x562.png 1024w" sizes="(max-width: 699px) 100vw, 699px" /></p> <p><span style="text-decoration: underline;"><b>SIDHistory</b></span></p> <p><a href="https://msdn.microsoft.com/en-us/library/ms679833%28v=vs.85%29.aspx">SID History</a> is an attribute that supports <a 
href="https://technet.microsoft.com/en-us/library/cc779590%28v=ws.10%29.aspx">migration scenarios</a>. Every user account has an associated <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571%28v=vs.85%29.aspx">Security IDentifier (SID)</a> which is used to track the security principal and the access the account has when connecting to resources. SID History enables access for another account to effectively be cloned to another. This is extremely useful to ensure users retain access when moved (migrated) from one domain to another. Since the user’s SID changes when the new account is created, the old SID needs to map to the new one. When a user in Domain A is migrated to Domain B, a new user account is created in DomainB and DomainA user’s SID is added to DomainB’s user account’s SID History attribute. This ensures that DomainB user can still access resources in DomainA.</p> <p>This means that if an account has privileged accounts or groups in its SIDHistory attribute, <a href="https://adsecurity.org/?p=1772">the account receives all the rights assigned to those accounts or groups, be they assigned directly or indirectly</a>. If an attacker gains control of this account, they have all of the associated rights. The rights provided via SIDs in SIDHistory are likely not obvious and therefore missed.</p> <p><span style="text-decoration: underline;"><b>Group Policy Permissions</b></span></p> <p>Group Policy Objects (GPOs) are created, configured, and linked in Active Directory. When a GPO is linked to an OU, the settings in the GPO are applied to the appropriate objects (users/computers) in that OU.</p> <p>Permissions on GPOs can be configured to delegate GPO modify rights to any security principal.</p> <p>If there are custom permissions configured on Group Policies linked to the domain and an attacker gains access to an account with modify access, the domain can be compromised. An attacker modifies GPO settings to run code or install malware. 
The impact of this level of access depends on where the GPO is linked. If the GPO is linked to the domain or Domain Controllers container, they own the domain. If the GPO is linked to a workstations or servers OU, the impact may be somewhat less; however, with the ability to run code on all workstations or servers, it may still be possible to compromise the domain.</p> <p>Scanning for GPO permissions identifies which GPOs are improperly permissioned and scanning for where the GPO is linked determines the impact.</p> <p>Fun fact: The creator of a Group Policy retains modify rights to the GPO. A possible result is that a Domain Admin needs to set an audit policy for the domain, but discovers that an OU admin has already created a GPO with the required settings. So, the Domain Admin links this GPO to the domain root which applies the settings to all computers in the domain. The problem is the OU admin can still modify a GPO that is now linked to the domain root providing an escalation path if this OU admin account is compromised. 
The following graphic shows the OU Admin “Han Solo” with GPO edit rights.</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3670" src="https://adsecurity.org/wp-content/uploads/2017/06/GPO-Incorrect-Permission.png" alt="" width="709" height="481" srcset="https://adsecurity.org/wp-content/uploads/2017/06/GPO-Incorrect-Permission.png 1793w, https://adsecurity.org/wp-content/uploads/2017/06/GPO-Incorrect-Permission-300x203.png 300w, https://adsecurity.org/wp-content/uploads/2017/06/GPO-Incorrect-Permission-768x521.png 768w, https://adsecurity.org/wp-content/uploads/2017/06/GPO-Incorrect-Permission-1024x694.png 1024w" sizes="(max-width: 709px) 100vw, 709px" /></p> <p><a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1">PowerView</a> provides a quick way to scan all the permissions for all domain GPOs:</p> <pre><span class="crayon-v">Get</span><span class="crayon-o">-</span><span class="crayon-v">NetGPO</span> <span class="crayon-o">|</span> <span class="crayon-o">%</span><span class="crayon-sy">{</span><span class="crayon-v">Get</span><span class="crayon-o">-</span><span class="crayon-v">ObjectAcl</span> <span class="crayon-o">-</span><span class="crayon-v">ResolveGUIDs</span> <span class="crayon-o">-</span><span class="crayon-i">Name</span> <span class="crayon-sy">$</span><span class="crayon-v">_</span><span class="crayon-sy">.</span><span class="crayon-v">Name</span><span class="crayon-sy">}</span></pre> <p>Reference: <a href="http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/">Abusing GPO Permissions</a></p> <p><b>User Rights Assignment</b></p> <p><a href="https://technet.microsoft.com/en-us/library/bb457125.aspx">User Rights Assignments </a>are frequently configured in a computer GPO and defines several rights to the computer.</p> <p>Domain Controllers are often configured with User Rights Assignments in the Default Domain Controllers Policy applied to the Domain Controllers container. 
Parsing the GPOs linked to Domain Controllers provides useful information about security principals with elevated rights to DCs and the domain.</p> <p><a href="https://technet.microsoft.com/en-us/library/bb457125.aspx">These assignments include</a>:</p> <ul> <li>SeTrustedCredManAccessPrivilege: Access Credential Manager as a trusted caller</li> <li>SeNetworkLogonRight: Access this computer from the network</li> <li>SeTcbPrivilege: Act as part of the operating system</li> <li>SeMachineAccountPrivilege: Add workstations to domain</li> <li>SeIncreaseQuotaPrivilege: Adjust memory quotas for a process</li> <li>SeInteractiveLogonRight: Allow log on locally</li> <li>SeRemoteInteractiveLogonRight: Allow log on through Remote Desktop Services</li> <li>SeBackupPrivilege: Back up files and directories</li> <li>SeChangeNotifyPrivilege: Bypass traverse checking</li> <li>SeSystemtimePrivilege: Change the system time</li> <li>SeTimeZonePrivilege: Change the time zone</li> <li>SeCreatePagefilePrivilege: Create a pagefile</li> <li>SeCreateTokenPrivilege: Create a token object</li> <li>SeCreateGlobalPrivilege: Create global objects</li> <li>SeCreatePermanentPrivilege: Create permanent shared objects</li> <li>SeCreateSymbolicLinkPrivilege: Create symbolic links</li> <li>SeDebugPrivilege: Debug programs</li> <li>SeDenyNetworkLogonRight: Deny access to this computer from the network</li> <li>SeDenyBatchLogonRight: Deny log on as a batch job</li> <li>SeDenyServiceLogonRight: Deny log on as a service</li> <li>SeDenyInteractiveLogonRight: Deny log on locally</li> <li>SeDenyRemoteInteractiveLogonRight: Deny log on through Remote Desktop Services</li> <li>SeEnableDelegationPrivilege: Enable computer and user accounts to be trusted for delegation</li> <li>SeRemoteShutdownPrivilege: Force shutdown from a remote system</li> <li>SeAuditPrivilege: Generate security audits</li> <li>SeImpersonatePrivilege: Impersonate a client after authentication</li> <li>SeIncreaseWorkingSetPrivilege: Increase a 
process working set</li> <li>SeIncreaseBasePriorityPrivilege: Increase scheduling priority</li> <li>SeLoadDriverPrivilege: Load and unload device drivers</li> <li>SeLockMemoryPrivilege: Lock pages in memory</li> <li>SeBatchLogonRight: Log on as a batch job</li> <li>SeServiceLogonRight: Log on as a service</li> <li>SeSecurityPrivilege: Manage auditing and security log</li> <li>SeRelabelPrivilege: Modify an object label</li> <li>SeSystemEnvironmentPrivilege: Modify firmware environment values</li> <li>SeManageVolumePrivilege: Perform volume maintenance tasks</li> <li>SeProfileSingleProcessPrivilege: Profile single process</li> <li>SeSystemProfilePrivilege: Profile system performance</li> <li>SeUndockPrivilege: Remove computer from docking station</li> <li>SeAssignPrimaryTokenPrivilege: Replace a process level token</li> <li>SeRestorePrivilege: Restore files and directories</li> <li>SeShutdownPrivilege: Shut down the system</li> <li>SeSyncAgentPrivilege: Synchronize directory service data</li> <li>SeTakeOwnershipPrivilege: Take ownership of files or other objects</li> </ul> <p>The interesting ones in this list (especially in GPOs that apply to Domain Controllers):</p> <ul> <li><a href="https://technet.microsoft.com/en-us/library/dn221980(v=ws.11).aspx">Allow logon locally</a> & <a href="https://technet.microsoft.com/en-us/library/dn221985(v=ws.11).aspx">Allow logon over Remote Desktop Services</a>: Provides logon rights.</li> <li><a href="https://technet.microsoft.com/en-us/library/cc957161.aspx">Manage auditing and security log</a>: Provides the ability to view all events in the event logs, including security events, and clear the event log.<br /> Fun Fact: Exchange Servers require this right, which means that if an attacker gains System rights on an Exchange server, they can clear Domain Controller security logs.</li> <li><a href="https://technet.microsoft.com/en-us/library/dn221988(v=ws.11).aspx">Synchronize directory service data</a>: <em>“This policy setting 
determines which users and groups have authority to synchronize all directory service data, regardless of the protection for objects and properties. This privilege is required to use LDAP directory synchronization (dirsync) services. Domain controllers have this user right inherently because the synchronization process runs in the context of the <strong>System</strong> account on domain controllers.”<br /> </em>This means that an account with this user right on a Domain Controller may be able to run <a href="https://adsecurity.org/?p=1729">DCSync</a>.</li> <li><a href="https://technet.microsoft.com/en-us/library/dn221977(v=ws.11).aspx">Enable computer and user accounts to be trusted for delegation</a>: Provides the ability to configure delegation on computers and users in the domain.<br /> Fun Fact: This provides the ability to set <a href="https://adsecurity.org/?p=1667">Kerberos delegation</a> on a computer or user account.</li> <li><a href="https://technet.microsoft.com/en-us/library/dn221967(v=ws.11).aspx">Impersonate a client after authentication</a>: This one looks like some fun could be had with it…</li> <li><a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects">Take ownership of files or other objects</a>: Administrators only. <em>“Any users with the <strong>Take ownership of files or other objects user right</strong> can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a denial-of-service condition.”</em></li> <li><a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers">Load and Unload Device Drivers</a>: <em>“Device drivers run as highly privileged code. 
A user who has the Load and unload device drivers user right could unintentionally install malware that masquerades as a device driver. Administrators should exercise care and install only drivers with verified digital signatures.”</em></li> </ul> <p><span style="text-decoration: underline;"><b>Putting it all together</b></span></p> <p>In order to effectively identify all accounts with privileged access, it’s important to ensure that all avenues are explored to effectively identify the rights. This means that defenders need to check the permission on AD objects, starting with Organizational Units (OUs) and then branching out to security groups.</p> <p>Things to check:</p> <ul> <li>Enumerate group membership of default groups (including sub-groups). Identify what rights are required and remove the others.</li> <li>Scan Active Directory (specifically OUs & security groups) for custom delegation.</li> <li>Scan for accounts with SIDHistory (should only be required during an active migration from one domain to another).</li> <li>Review User Rights Assignments in GPOs that apply to Domain Controllers, Servers, and Workstations.</li> <li>Review GPOs that add AD groups to local groups and ensure these are still required and the level of rights are appropriate.</li> </ul> <p><span style="text-decoration: underline;">Tools for Checking Active Directory Permissions:</span></p> <ul> <li><a href="https://github.com/BloodHoundAD/BloodHound">Bloodhound</a></li> <li><a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1">PowerView</a> (modules used in Bloodhound)</li> <li><a href="https://blogs.technet.microsoft.com/pfesweplat/2013/05/13/take-control-over-ad-permissions-and-the-ad-acl-scanner-tool/">AD ACL Scanner</a></li> </ul> <p><strong>Confused by this and want some help unraveling the AD permissions in your organization? <a href="https://trimarcsecurity.com/contact"><br /> Contact Trimarc</a>, we love this stuff! 
🙂</strong></p> <p><span style="text-decoration: underline;"><strong>References</strong></span></p> <ul> <li>BloodHound 1.3 – The ACL Attack Path Update<br /> https://wald0.com/?p=112</li> <li>Abusing Active Directory Permissions with PowerView<br /> http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/</li> <li>Abusing GPO Permissions<br /> http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/</li> <li>AD DS Owner Rights<br /> https://technet.microsoft.com/en-us/library/dd125370(v=ws.10).aspx</li> <li>Security Descriptor Definition Language for Conditional ACEs<br /> https://msdn.microsoft.com/en-us/library/windows/desktop/dd981030(v=vs.85).aspx</li> <li>Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights<br /> https://adsecurity.org/?p=1906</li> <li>The Security Descriptor Definition Language of Love (Part 1)<br /> https://blogs.technet.microsoft.com/askds/2008/04/18/the-security-descriptor-definition-language-of-love-part-1/</li> <li>ActiveDirectoryRights Enumeration<br /> https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx</li> <li><a href="https://github.com/BloodHoundAD/BloodHound">Bloodhound</a></li> <li><a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1">PowerView</a></li> <li><a href="https://blogs.technet.microsoft.com/pfesweplat/2013/05/13/take-control-over-ad-permissions-and-the-ad-acl-scanner-tool/">AD ACL Scanner</a></li> <li><a href="https://adsecurity.org/?p=1772">AD Security: SIDHistory</a></li> <li><a href="https://technet.microsoft.com/en-us/library/bb457125.aspx">User Rights Assignments</a></li> <li><a href="https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx">Active Directory Security Groups</a></li> <li><a href="https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx">ActiveDirectoryRights 
Enumeration</a></li> </ul> <div class="tptn_counter" id="tptn_counter_3658">(Visited 159,422 times, 19 visits today)</div> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1180" href="https://adsecurity.org/?tag=account-operators">Account Operators</a>, <a class="term term-tagpost_tag term-1170" href="https://adsecurity.org/?tag=active-directory-permissions">Active Directory permissions</a>, <a class="term term-tagpost_tag term-1174" href="https://adsecurity.org/?tag=active-directory-privileged-access">Active Directory PRivileged Access</a>, <a class="term term-tagpost_tag term-976" href="https://adsecurity.org/?tag=active-directory-security">Active Directory Security</a>, <a class="term term-tagpost_tag term-1013" href="https://adsecurity.org/?tag=ad">AD</a>, <a class="term term-tagpost_tag term-1169" href="https://adsecurity.org/?tag=ad-acls">AD ACLs</a>, <a class="term term-tagpost_tag term-98" href="https://adsecurity.org/?tag=ad-delegation">AD Delegation</a>, <a class="term term-tagpost_tag term-1214" href="https://adsecurity.org/?tag=ad-groups-in-local-groups">AD groups in Local Groups</a>, <a class="term term-tagpost_tag term-100" href="https://adsecurity.org/?tag=ad-security">AD Security</a>, <a class="term term-tagpost_tag term-654" href="https://adsecurity.org/?tag=adminsdholder">AdminSDHolder</a>, <a class="term term-tagpost_tag term-1211" href="https://adsecurity.org/?tag=allow-logon-locally">Allow logon locally</a>, <a class="term term-tagpost_tag term-1212" href="https://adsecurity.org/?tag=allow-logon-over-remote-desktop-services">Allow logon over Remote Desktop Services</a>, <a class="term term-tagpost_tag term-1179" href="https://adsecurity.org/?tag=backup-operators">Backup Operators</a>, <a class="term term-tagpost_tag term-1173" href="https://adsecurity.org/?tag=bloodhound">Bloodhound</a>, <a class="term term-tagpost_tag term-1226" 
href="https://adsecurity.org/?tag=user-rights-assignments">User Rights Assignments</a>, <a class="term term-tagpost_tag term-1219" href="https://adsecurity.org/?tag=validated-write">Validated Write</a>, <a class="term term-tagpost_tag term-1201" href="https://adsecurity.org/?tag=writedacl">WriteDACL</a>, <a class="term term-tagpost_tag term-1220" href="https://adsecurity.org/?tag=writeowner">WriteOwner</a>, <a class="term term-tagpost_tag term-1202" href="https://adsecurity.org/?tag=writeproperty">WritePRoperty</a></span></li> <li class="addthis col-sm-8"><div class="add-this"></div></li> </ul> </div> </div> <div class="entry-author"> <div class="row"> <div class="author-avatar col-sm-3"> <a href="https://adsecurity.org/?author=2" rel="author"> <img alt='' src='https://secure.gravatar.com/avatar/1f3ad5e878e5d0e6096c5a33718a04d0?s=200&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/1f3ad5e878e5d0e6096c5a33718a04d0?s=400&d=mm&r=g 2x' class='avatar avatar-200 photo' height='200' width='200' loading='lazy' decoding='async'/> </a> </div> <div class="author-bio col-sm-9"> <h3 class="section-title-sm">Sean Metcalf</h3> <p>I improve security for enterprises around the world working for TrimarcSecurity.com<br /> Read the About page (top left) for information about me. 
:)<br /> https://adsecurity.org/?page_id=8</p> <ul class="author-social"> <li><a href="mailto:sean@adsecurity.org"><i class="fa fa-envelope-o"></i></a></li> </ul> </div> </div> </div> <div id="comments" class="clearfix no-ping"> <h4 class="comments current"> <i class="fa fa-comments-o"></i> 2 comments </h4> <div class="comments-list-wrapper"> <ol class="clearfix comments-list" id="comments_list"> <li id="comment-13108" class="comment even thread-even depth-1 comment"> <div class="row"> <div class="comment-wrap col-md-12"> <ul class="comment-meta"> <li class="comment-avatar"><img alt='' src='https://secure.gravatar.com/avatar/84f652ca20ba1853ee8c4de4a4e12c88?s=50&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/84f652ca20ba1853ee8c4de4a4e12c88?s=100&d=mm&r=g 2x' class='avatar avatar-50 photo' height='50' width='50' loading='lazy' decoding='async'/></li> <li class="comment-attr"><span class="comment-author"><a href="http://www.improsec.com" class="url" rel="ugc external nofollow">Jakob H. 
Heidelberg</a></span> on <span class="comment-date">June 14, 2017 <span class="time">at 4:40 pm</span></span></li> <li class="single-comment-link"><a href="https://adsecurity.org/?p=3658#comment-13108">#</a></li> </ul> <div class="comment-entry"> <p>I love this article, thank you Sean.</p> <p>You might also want to check out the following tool + article:<br /> <a href="https://github.com/CyberArkLabs/ACLight" rel="nofollow ugc">https://github.com/CyberArkLabs/ACLight</a><br /> <a href="https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/" rel="nofollow ugc">https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/</a></p> <p>Best regards<br /> /Jakob</p> </div> </div> </div> </li><!-- #comment-## --> <li id="comment-13111" class="comment odd alt thread-odd thread-alt depth-1 comment"> <div class="row"> <div class="comment-wrap col-md-12"> <ul class="comment-meta"> <li class="comment-avatar"><img alt='' src='https://secure.gravatar.com/avatar/1c4dc8118d13f537dcd53ebbcc27e979?s=50&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/1c4dc8118d13f537dcd53ebbcc27e979?s=100&d=mm&r=g 2x' class='avatar avatar-50 photo' height='50' width='50' loading='lazy' decoding='async'/></li> <li class="comment-attr"><span class="comment-author">OSama S.</span> on <span class="comment-date">June 15, 2017 <span class="time">at 5:27 pm</span></span></li> <li class="single-comment-link"><a href="https://adsecurity.org/?p=3658#comment-13111">#</a></li> </ul> <div class="comment-entry"> <p>ACLIght is a neat tool.</p> </div> </div> </div> </li><!-- #comment-## --> </ol> </div> </div> <div id="respond"> <h3 id="reply-title"><i class="fa fa-comment-o"></i> Comments have been disabled.</h3> </div> </div><!-- #content-main --> </div><!-- #content --> </div><!-- #container --> </body> </html>