ActiveDirectorySecurity – Active Directory Security
<!DOCTYPE html> <html lang="en-US" prefix="og: http://ogp.me/ns#"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>ActiveDirectorySecurity – Active Directory Security</title> </head> <body class="archive category category-activedirectorysecurity category-565 custom-background wp-embed-responsive layout-boxed two_col_left two-columns"> <div class="container boxed-wrapper"> <div id="content" class="clearfix hfeed row"> <div id="content-main" class="clearfix content-main col-md-8"> <h1 class="page-title archive-title"> Category: <span>ActiveDirectorySecurity</span> </h1> <div class="entries-wrapper"> <div id="post-4367" class="clearfix post post-4367 type-post status-publish format-standard hentry category-activedirectorysecurity category-hacking category-microsoft-security
tag-clear-text-password tag-computer-account tag-convertto-nthash tag-dsinternals tag-get-adreplaccount tag-get-adserviceaccount tag-gmsa tag-gmsa-password tag-gmsa-password-hash tag-gmsa-spn tag-group-managed-service-accounts tag-kerberos tag-kerberos-spn tag-lsass tag-mimikatz tag-msds-groupmanagedserviceaccount tag-msds-groupmsamembership tag-msds-managedpassword tag-msds-managedpasswordid tag-msds-managedpasswordinterval tag-msds-managepasswordinterval tag-principalsallowedtoretrivemanagedpassword tag-psexec tag-sekurlsaekeys tag-sekurlsalogonpasswords tag-service-principal-name tag-serviceprincipalnames tag-spn tag-system tag-_sa_ item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">May</span> <span class="day">29</span> <span class="year">2020</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4367" rel="bookmark" title="Permalink to Attacking Active Directory Group Managed Service Accounts (GMSAs)"> Attacking Active Directory Group Managed Service Accounts (GMSAs) </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-1039" href="https://adsecurity.org/?cat=1039">Hacking</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a></span></span> </li> </ul> <div class="entry-content clearfix"> <div class="excerpt-thumb"><a href="https://adsecurity.org/?p=4367"><img width="282" height="300" src="https://adsecurity.org/wp-content/uploads/2020/05/image-41-282x300.png" class="attachment-medium size-medium" alt="" decoding="async" fetchpriority="high" 
srcset="https://adsecurity.org/wp-content/uploads/2020/05/image-41-282x300.png 282w, https://adsecurity.org/wp-content/uploads/2020/05/image-41.png 732w" sizes="(max-width: 282px) 100vw, 282px" /></a></div> <p>In May 2020, I presented some Active Directory security topics in a Trimarc Webcast called “Securing Active Directory: Resolving Common Issues” and included some information I put together relating to the security of AD Group Managed Service Accounts (GMSA). This post includes the expanded version of the material on attacking and defending GMSAs that I covered in the webcast. I … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=4367">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1444" href="https://adsecurity.org/?tag=clear-text-password">clear-text password</a>, <a class="term term-tagpost_tag term-1446" href="https://adsecurity.org/?tag=computer-account">Computer Account</a>, <a class="term term-tagpost_tag term-1442" href="https://adsecurity.org/?tag=convertto-nthash">ConvertTo-NTHash</a>, <a class="term term-tagpost_tag term-602" href="https://adsecurity.org/?tag=dsinternals">DSInternals</a>, <a class="term term-tagpost_tag term-1448" href="https://adsecurity.org/?tag=get-adreplaccount">Get-ADReplAccount</a>, <a class="term term-tagpost_tag term-1432" href="https://adsecurity.org/?tag=get-adserviceaccount">Get-ADServiceAccount</a>, <a class="term term-tagpost_tag term-1430" href="https://adsecurity.org/?tag=gmsa">GMSA</a>, <a class="term term-tagpost_tag term-1431" href="https://adsecurity.org/?tag=gmsa-password">GMSA password</a>, <a class="term term-tagpost_tag term-1438" href="https://adsecurity.org/?tag=gmsa-password-hash">GMSA password hash</a>, <a class="term term-tagpost_tag term-1436" href="https://adsecurity.org/?tag=gmsa-spn">GMSA SPN</a>, <a class="term term-tagpost_tag term-1429"
href="https://adsecurity.org/?tag=group-managed-service-accounts">Group Managed Service Accounts</a>, <a class="term term-tagpost_tag term-81" href="https://adsecurity.org/?tag=kerberos">Kerberos</a>, <a class="term term-tagpost_tag term-1435" href="https://adsecurity.org/?tag=kerberos-spn">Kerberos SPN</a>, <a class="term term-tagpost_tag term-71" href="https://adsecurity.org/?tag=lsass">LSASS</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-1449" href="https://adsecurity.org/?tag=msds-groupmanagedserviceaccount">msDS-GroupManagedServiceAccount</a>, <a class="term term-tagpost_tag term-1451" href="https://adsecurity.org/?tag=msds-groupmsamembership">msDS-GroupMSAMembership</a>, <a class="term term-tagpost_tag term-1443" href="https://adsecurity.org/?tag=msds-managedpassword">msds-ManagedPassword</a>, <a class="term term-tagpost_tag term-1452" href="https://adsecurity.org/?tag=msds-managedpasswordid">msDS-ManagedPasswordId</a>, <a class="term term-tagpost_tag term-1450" href="https://adsecurity.org/?tag=msds-managedpasswordinterval">msDS-ManagedPasswordInterval</a>, <a class="term term-tagpost_tag term-1440" href="https://adsecurity.org/?tag=msds-managepasswordinterval">msDS-ManagePasswordInterval</a>, <a class="term term-tagpost_tag term-1439" href="https://adsecurity.org/?tag=principalsallowedtoretrivemanagedpassword">PrincipalsAllowedToRetriveManagedPassword</a>, <a class="term term-tagpost_tag term-1447" href="https://adsecurity.org/?tag=psexec">PSEXEC</a>, <a class="term term-tagpost_tag term-1434" href="https://adsecurity.org/?tag=sekurlsaekeys">Sekurlsa::ekeys</a>, <a class="term term-tagpost_tag term-776" href="https://adsecurity.org/?tag=sekurlsalogonpasswords">sekurlsa::logonpasswords</a>, <a class="term term-tagpost_tag term-1137" href="https://adsecurity.org/?tag=service-principal-name">service principal name</a>, <a class="term term-tagpost_tag term-1441" 
href="https://adsecurity.org/?tag=serviceprincipalnames">ServicePrincipalNames</a>, <a class="term term-tagpost_tag term-294" href="https://adsecurity.org/?tag=spn">SPN</a>, <a class="term term-tagpost_tag term-1445" href="https://adsecurity.org/?tag=system">SYSTEM</a>, <a class="term term-tagpost_tag term-1433" href="https://adsecurity.org/?tag=_sa_">_SA_</a></span></li> </ul> </div> </div> <div id="post-4064" class="clearfix post post-4064 type-post status-publish format-standard hentry category-activedirectorysecurity category-microsoft-security category-technical-reference tag-active-directory tag-dns-server-object-permission tag-dnsadmins tag-dnsplugincleanup tag-dnsplugininitialize tag-dnspluginquery tag-domain-controller tag-from-dnsadmin-to-domain-admin tag-hkey_local_machinesystemcurrentcontrolsetservicesdnsparametersserverlevelplugindll tag-mimikatz-dll tag-run-dll-on-domain-controller tag-serverlevelplugindll tag-uuid-is-50abc2a4-574d-40b3-9d66-ee4fd5fba076 tag-pipednsserver item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Oct</span> <span class="day">11</span> <span class="year">2018</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4064" rel="bookmark" title="Permalink to From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration"> From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-2" 
href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>It’s been almost 1.5 years since the Medium post by Shay Ber was published that explained how to execute a DLL as SYSTEM on a Domain Controller provided the account is a member of DNSAdmins. I finally got around to posting here since many I speak with aren’t aware of this issue. Shay describes this … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=4064">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-75" href="https://adsecurity.org/?tag=active-directory">Active Directory</a>, <a class="term term-tagpost_tag term-1335" href="https://adsecurity.org/?tag=dns-server-object-permission">DNS server object permission</a>, <a class="term term-tagpost_tag term-1324" href="https://adsecurity.org/?tag=dnsadmins">DNSAdmins</a>, <a class="term term-tagpost_tag term-1332" href="https://adsecurity.org/?tag=dnsplugincleanup">DnsPluginCleanup</a>, <a class="term term-tagpost_tag term-1331" href="https://adsecurity.org/?tag=dnsplugininitialize">DnsPluginInitialize</a>, <a class="term term-tagpost_tag term-1333" href="https://adsecurity.org/?tag=dnspluginquery">DnsPluginQuery</a>, <a class="term term-tagpost_tag term-79" href="https://adsecurity.org/?tag=domain-controller">Domain Controller</a>, <a class="term term-tagpost_tag term-1326" href="https://adsecurity.org/?tag=from-dnsadmin-to-domain-admin">from DNSAdmin to Domain Admin</a>, <a class="term term-tagpost_tag term-1330" href="https://adsecurity.org/?tag=hkey_local_machinesystemcurrentcontrolsetservicesdnsparametersserverlevelplugindll">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll</a>, <a class="term term-tagpost_tag term-1334" href="https://adsecurity.org/?tag=mimikatz-dll">mimikatz dll</a>, <a class="term 
term-tagpost_tag term-1325" href="https://adsecurity.org/?tag=run-dll-on-domain-controller">run DLL on Domain Controller</a>, <a class="term term-tagpost_tag term-1329" href="https://adsecurity.org/?tag=serverlevelplugindll">ServerLevelPluginDll</a>, <a class="term term-tagpost_tag term-1327" href="https://adsecurity.org/?tag=uuid-is-50abc2a4-574d-40b3-9d66-ee4fd5fba076">UUID is 50ABC2A4–574D-40B3–9D66-EE4FD5FBA076</a>, <a class="term term-tagpost_tag term-1328" href="https://adsecurity.org/?tag=pipednsserver">\PIPE\DNSSERVER</a></span></li> </ul> </div> </div> <div id="post-4056" class="clearfix post post-4056 type-post status-publish format-standard hentry category-activedirectorysecurity category-exploit category-hacking category-microsoft-security category-security-conference-presentationvideo tag-ad-credential-theft tag-constrained-delegation tag-dcsync tag-delegation tag-dod-stig tag-domain-controller-spooler tag-kerberos tag-kerberos-attack tag-kerberos-delegation tag-kerberos-unconstrained-delegation tag-ms-rprn tag-print-spooler tag-rpcremotefindfirstprinterchangenotification tag-spooler tag-spooler-service item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Oct</span> <span class="day">10</span> <span class="year">2018</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4056" rel="bookmark" title="Permalink to Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest"> Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a 
class="term term-category term-347" href="https://adsecurity.org/?cat=347">Exploit</a>, <a class="term term-category term-1039" href="https://adsecurity.org/?cat=1039">Hacking</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-234" href="https://adsecurity.org/?cat=234">Security Conference Presentation/Video</a></span></span> </li> </ul> <div class="entry-content clearfix"> <div class="excerpt-thumb"><a href="https://adsecurity.org/?p=4056"><img width="300" height="215" src="https://adsecurity.org/wp-content/uploads/2018/10/DerbyCon-UROTAD-PrinterBugSlide-SO1-300x215.png" class="attachment-medium size-medium" alt="" decoding="async" srcset="https://adsecurity.org/wp-content/uploads/2018/10/DerbyCon-UROTAD-PrinterBugSlide-SO1-300x215.png 300w, https://adsecurity.org/wp-content/uploads/2018/10/DerbyCon-UROTAD-PrinterBugSlide-SO1.png 701w" sizes="(max-width: 300px) 100vw, 300px" /></a></div> <p>At DerbyCon 8 (2018) over the weekend Will Schroeder (@Harmj0y), Lee Christensen (@Tifkin_), & Matt Nelson (@enigma0x3), spoke about the unintended risks of trusting AD. They cover a number of interesting persistence and privilege escalation methods, though one in particular caught my eye. 
Overview Lee figured out and presents a scenario where there’s an account … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=4056">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1323" href="https://adsecurity.org/?tag=ad-credential-theft">AD credential theft</a>, <a class="term term-tagpost_tag term-1322" href="https://adsecurity.org/?tag=constrained-delegation">constrained delegation</a>, <a class="term term-tagpost_tag term-598" href="https://adsecurity.org/?tag=dcsync">DCSync</a>, <a class="term term-tagpost_tag term-1315" href="https://adsecurity.org/?tag=delegation">delegation</a>, <a class="term term-tagpost_tag term-1321" href="https://adsecurity.org/?tag=dod-stig">DoD STIG</a>, <a class="term term-tagpost_tag term-1318" href="https://adsecurity.org/?tag=domain-controller-spooler">Domain Controller Spooler</a>, <a class="term term-tagpost_tag term-81" href="https://adsecurity.org/?tag=kerberos">Kerberos</a>, <a class="term term-tagpost_tag term-1145" href="https://adsecurity.org/?tag=kerberos-attack">Kerberos attack</a>, <a class="term term-tagpost_tag term-1165" href="https://adsecurity.org/?tag=kerberos-delegation">Kerberos Delegation</a>, <a class="term term-tagpost_tag term-1314" href="https://adsecurity.org/?tag=kerberos-unconstrained-delegation">Kerberos unconstrained delegation</a>, <a class="term term-tagpost_tag term-1320" href="https://adsecurity.org/?tag=ms-rprn">MS-RPRN</a>, <a class="term term-tagpost_tag term-1316" href="https://adsecurity.org/?tag=print-spooler">Print Spooler</a>, <a class="term term-tagpost_tag term-1313" href="https://adsecurity.org/?tag=rpcremotefindfirstprinterchangenotification">RpcRemoteFindFirstPrinterChangeNotification</a>, <a class="term term-tagpost_tag term-1317" href="https://adsecurity.org/?tag=spooler">Spooler</a>, <a class="term term-tagpost_tag term-1319" 
href="https://adsecurity.org/?tag=spooler-service">Spooler Service</a></span></li> </ul> </div> </div> <div id="post-3993" class="clearfix post post-3993 type-post status-publish format-standard hentry category-activedirectorysecurity category-security-conference-presentationvideo item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">May</span> <span class="day">20</span> <span class="year">2018</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=3993" rel="bookmark" title="Permalink to NolaCon (2018) Active Directory Security Talk Slides Posted"> NolaCon (2018) Active Directory Security Talk Slides Posted </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-234" href="https://adsecurity.org/?cat=234">Security Conference Presentation/Video</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>I recently presented my talk “Active Directory Security: The Journey” at Nolacon in New Orleans, LA. Slides are now posted here. On Sunday, May 19th, 2018, I spoke at NolaCon at 11am. Here’s the talk description: Active Directory is only the beginning. 
Attackers have set their sights squarely on Active Directory when targeting a company, though … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=3993">Continue reading</a></p> </div> </div> </div> <div id="post-3592" class="clearfix post post-3592 type-post status-publish format-standard hentry category-activedirectorysecurity category-hacking category-microsoft-security tag-allowed-rodc-password-replication-policy tag-dcsync tag-denied-rodc-password-replication-policy tag-directory-services-restore-mode-password tag-discovering-rodcs tag-domain-controller tag-dsrm tag-golden-ticket tag-hacking-rodcs tag-harden-read-only-domain-controllers tag-harden-rodcs tag-invoke-mimikatz tag-krbtgt tag-krbtgt_ tag-mimikatz tag-msds-authenticatedtoaccountlist tag-msds-keyversionnumber tag-msds-neverrevealgroup tag-msds-reveal-ondemandgroup tag-msds-revealedlist tag-read-only-domain-controller tag-readonly-domain-controller tag-rodc tag-rodc-active-directory tag-rodc-administration tag-rodc-administrators tag-rodc-backlink tag-rodc-golden-ticket tag-rodc-in-the-dmz tag-rodc-krbtgt tag-rodc-managedby-attribute tag-rodc-manager tag-rodc-password tag-rodc-password-replication-policy tag-rodc-replication tag-rodc-security tag-rodc-sysvol tag-silver-tickets item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Jan</span> <span class="day">01</span> <span class="year">2018</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=3592" rel="bookmark" title="Permalink to Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory"> Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category 
term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-1039" href="https://adsecurity.org/?cat=1039">Hacking</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a></span></span> </li> </ul> <div class="entry-content clearfix"> <div class="excerpt-thumb"><a href="https://adsecurity.org/?p=3592"><img width="300" height="282" src="https://adsecurity.org/wp-content/uploads/2017/12/RODC-PasswordPolicy-PrepopulatePasswords-02-300x282.png" class="attachment-medium size-medium" alt="" decoding="async" srcset="https://adsecurity.org/wp-content/uploads/2017/12/RODC-PasswordPolicy-PrepopulatePasswords-02-300x282.png 300w, https://adsecurity.org/wp-content/uploads/2017/12/RODC-PasswordPolicy-PrepopulatePasswords-02-768x722.png 768w, https://adsecurity.org/wp-content/uploads/2017/12/RODC-PasswordPolicy-PrepopulatePasswords-02.png 846w" sizes="(max-width: 300px) 100vw, 300px" /></a></div> <p>I have been fascinated with Read-Only Domain Controllers (RODCs) since RODC was released as a new DC promotion option with Windows Server 2008. Microsoft customers wanted a DC that wasn’t really a DC – something that could be deployed in a location that’s not physically secure and still be able to authenticate users. 
This post … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=3592">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1296" href="https://adsecurity.org/?tag=allowed-rodc-password-replication-policy">Allowed RODC Password Replication Policy</a>, <a class="term term-tagpost_tag term-598" href="https://adsecurity.org/?tag=dcsync">DCSync</a>, <a class="term term-tagpost_tag term-1297" href="https://adsecurity.org/?tag=denied-rodc-password-replication-policy">Denied RODC Password Replication Policy</a>, <a class="term term-tagpost_tag term-1285" href="https://adsecurity.org/?tag=directory-services-restore-mode-password">Directory Services Restore Mode password</a>, <a class="term term-tagpost_tag term-1302" href="https://adsecurity.org/?tag=discovering-rodcs">discovering RODCs</a>, <a class="term term-tagpost_tag term-79" href="https://adsecurity.org/?tag=domain-controller">Domain Controller</a>, <a class="term term-tagpost_tag term-590" href="https://adsecurity.org/?tag=dsrm">DSRM</a>, <a class="term term-tagpost_tag term-1286" href="https://adsecurity.org/?tag=golden-ticket">golden ticket</a>, <a class="term term-tagpost_tag term-1308" href="https://adsecurity.org/?tag=hacking-rodcs">Hacking RODCs</a>, <a class="term term-tagpost_tag term-1310" href="https://adsecurity.org/?tag=harden-read-only-domain-controllers">harden Read-Only Domain Controllers</a>, <a class="term term-tagpost_tag term-1311" href="https://adsecurity.org/?tag=harden-rodcs">harden RODCs</a>, <a class="term term-tagpost_tag term-336" href="https://adsecurity.org/?tag=invoke-mimikatz">Invoke-Mimikatz</a>, <a class="term term-tagpost_tag term-394" href="https://adsecurity.org/?tag=krbtgt">KRBTGT</a>, <a class="term term-tagpost_tag term-1298" href="https://adsecurity.org/?tag=krbtgt_">KRBTGT_######</a>, <a class="term term-tagpost_tag term-207" 
href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-1306" href="https://adsecurity.org/?tag=msds-authenticatedtoaccountlist">msDS-AuthenticatedToAccountList</a>, <a class="term term-tagpost_tag term-1301" href="https://adsecurity.org/?tag=msds-keyversionnumber">msDS-KeyVersionNumber</a>, <a class="term term-tagpost_tag term-1304" href="https://adsecurity.org/?tag=msds-neverrevealgroup">msDS-NeverRevealGroup</a>, <a class="term term-tagpost_tag term-1303" href="https://adsecurity.org/?tag=msds-reveal-ondemandgroup">msDS-Reveal-OnDemandGroup</a>, <a class="term term-tagpost_tag term-1305" href="https://adsecurity.org/?tag=msds-revealedlist">msDS-RevealedList</a>, <a class="term term-tagpost_tag term-106" href="https://adsecurity.org/?tag=read-only-domain-controller">Read-Only Domain Controller</a>, <a class="term term-tagpost_tag term-1157" href="https://adsecurity.org/?tag=readonly-domain-controller">ReadOnly Domain Controller</a>, <a class="term term-tagpost_tag term-104" href="https://adsecurity.org/?tag=rodc">RODC</a>, <a class="term term-tagpost_tag term-1292" href="https://adsecurity.org/?tag=rodc-active-directory">RODC Active Directory</a>, <a class="term term-tagpost_tag term-1294" href="https://adsecurity.org/?tag=rodc-administration">RODC Administration</a>, <a class="term term-tagpost_tag term-1289" href="https://adsecurity.org/?tag=rodc-administrators">RODC administrators</a>, <a class="term term-tagpost_tag term-1300" href="https://adsecurity.org/?tag=rodc-backlink">RODC backlink</a>, <a class="term term-tagpost_tag term-1287" href="https://adsecurity.org/?tag=rodc-golden-ticket">RODC golden ticket</a>, <a class="term term-tagpost_tag term-1309" href="https://adsecurity.org/?tag=rodc-in-the-dmz">RODC in the DMZ</a>, <a class="term term-tagpost_tag term-1299" href="https://adsecurity.org/?tag=rodc-krbtgt">RODC Krbtgt</a>, <a class="term term-tagpost_tag term-1290" 
href="https://adsecurity.org/?tag=rodc-managedby-attribute">RODC ManagedBy attribute</a>, <a class="term term-tagpost_tag term-1288" href="https://adsecurity.org/?tag=rodc-manager">RODC Manager</a>, <a class="term term-tagpost_tag term-1284" href="https://adsecurity.org/?tag=rodc-password">RODC password</a>, <a class="term term-tagpost_tag term-1295" href="https://adsecurity.org/?tag=rodc-password-replication-policy">RODC Password Replication Policy</a>, <a class="term term-tagpost_tag term-1293" href="https://adsecurity.org/?tag=rodc-replication">RODC replication</a>, <a class="term term-tagpost_tag term-1312" href="https://adsecurity.org/?tag=rodc-security">RODC security</a>, <a class="term term-tagpost_tag term-1291" href="https://adsecurity.org/?tag=rodc-sysvol">RODC SYSVOL</a>, <a class="term term-tagpost_tag term-1307" href="https://adsecurity.org/?tag=silver-tickets">Silver Tickets</a></span></li> <li class="comment-link col-sm-4"><i class="fa fa-comments"></i> <a href="https://adsecurity.org/?p=3592#comments">1 comments</a></li> </ul> </div> </div> <div id="post-3700" class="clearfix post post-3700 type-post status-publish format-standard has-post-thumbnail hentry category-activedirectorysecurity category-microsoft-security category-technical-reference tag-active-directory-admins tag-active-directory-groups tag-active-directory-security tag-activedirectory tag-ad-administrators tag-ad-admins tag-ad-security tag-allow-log-on-locally tag-back-up-files-directories tag-backup-operators tag-builtin tag-dc-rights tag-dcsync tag-default-ad-groups tag-default-domain-controller-policy tag-domain-administrators-group tag-domain-admins tag-domain-controller tag-domain-controller-groups tag-domain-controller-rights tag-enable-computer-and-user-accounts-to-be-trusted-for-delegation tag-force-shutdown-from-a-remote-system tag-get-adgroupmember tag-log-on-as-a-batch-job tag-log-on-as-a-service tag-manage-auditing-and-security-log tag-print-operators 
tag-remote-desktop-users tag-restore-files-directories tag-schema-admins tag-server-operators tag-synchronize-directory-service-data item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Aug</span> <span class="day">10</span> <span class="year">2017</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=3700" rel="bookmark" title="Permalink to Beyond Domain Admins – Domain Controller & AD Administration"> Beyond Domain Admins – Domain Controller & AD Administration </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p class="excerpt-thumb"> <a href="https://adsecurity.org/?p=3700" rel="bookmark" title="Permalink to Beyond Domain Admins – Domain Controller & AD Administration"> <img width="300" height="265" src="https://adsecurity.org/wp-content/uploads/2017/08/AD-Recon-ADAdmins-PowerShell-300x265.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://adsecurity.org/wp-content/uploads/2017/08/AD-Recon-ADAdmins-PowerShell-300x265.png 300w, https://adsecurity.org/wp-content/uploads/2017/08/AD-Recon-ADAdmins-PowerShell-768x678.png 768w, https://adsecurity.org/wp-content/uploads/2017/08/AD-Recon-ADAdmins-PowerShell-1024x904.png 1024w, https://adsecurity.org/wp-content/uploads/2017/08/AD-Recon-ADAdmins-PowerShell.png 1221w" sizes="(max-width: 300px) 100vw, 300px" /> </a> 
</p> <p>Active Directory has several levels of administration beyond the Domain Admins group. In a previous post, “Securing Domain Controllers to Improve Active Directory Security”, I explored ways to better secure Domain Controllers and, by extension, Active Directory. For more information on Active Directory-specific rights and permissions, review my post “Scanning for Active … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=3700">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1246" href="https://adsecurity.org/?tag=active-directory-admins">Active Directory Admins</a>, <a class="term term-tagpost_tag term-1231" href="https://adsecurity.org/?tag=active-directory-groups">Active Directory groups</a>, <a class="term term-tagpost_tag term-976" href="https://adsecurity.org/?tag=active-directory-security">Active Directory Security</a>, <a class="term term-tagpost_tag term-20" href="https://adsecurity.org/?tag=activedirectory">ActiveDirectory</a>, <a class="term term-tagpost_tag term-1236" href="https://adsecurity.org/?tag=ad-administrators">AD Administrators</a>, <a class="term term-tagpost_tag term-1247" href="https://adsecurity.org/?tag=ad-admins">AD Admins</a>, <a class="term term-tagpost_tag term-100" href="https://adsecurity.org/?tag=ad-security">AD Security</a>, <a class="term term-tagpost_tag term-1237" href="https://adsecurity.org/?tag=allow-log-on-locally">allow log on locally</a>, <a class="term term-tagpost_tag term-1238" href="https://adsecurity.org/?tag=back-up-files-directories">Back-up files & directories</a>, <a class="term term-tagpost_tag term-1179" href="https://adsecurity.org/?tag=backup-operators">Backup Operators</a>, <a class="term term-tagpost_tag term-1232" href="https://adsecurity.org/?tag=builtin">Builtin</a>, <a class="term term-tagpost_tag term-1229" 
href="https://adsecurity.org/?tag=dc-rights">DC rights</a>, <a class="term term-tagpost_tag term-598" href="https://adsecurity.org/?tag=dcsync">DCSync</a>, <a class="term term-tagpost_tag term-1233" href="https://adsecurity.org/?tag=default-ad-groups">Default AD groups</a>, <a class="term term-tagpost_tag term-1243" href="https://adsecurity.org/?tag=default-domain-controller-policy">Default Domain Controller Policy</a>, <a class="term term-tagpost_tag term-1245" href="https://adsecurity.org/?tag=domain-administrators-group">domain Administrators group</a>, <a class="term term-tagpost_tag term-1177" href="https://adsecurity.org/?tag=domain-admins">Domain Admins</a>, <a class="term term-tagpost_tag term-79" href="https://adsecurity.org/?tag=domain-controller">Domain Controller</a>, <a class="term term-tagpost_tag term-1230" href="https://adsecurity.org/?tag=domain-controller-groups">Domain Controller groups</a>, <a class="term term-tagpost_tag term-1228" href="https://adsecurity.org/?tag=domain-controller-rights">Domain Controller rights</a>, <a class="term term-tagpost_tag term-1209" href="https://adsecurity.org/?tag=enable-computer-and-user-accounts-to-be-trusted-for-delegation">Enable computer and user accounts to be trusted for delegation</a>, <a class="term term-tagpost_tag term-1239" href="https://adsecurity.org/?tag=force-shutdown-from-a-remote-system">Force shutdown from a remote system</a>, <a class="term term-tagpost_tag term-1244" href="https://adsecurity.org/?tag=get-adgroupmember">Get-ADGroupMember</a>, <a class="term term-tagpost_tag term-1240" href="https://adsecurity.org/?tag=log-on-as-a-batch-job">Log on as a batch job</a>, <a class="term term-tagpost_tag term-1241" href="https://adsecurity.org/?tag=log-on-as-a-service">Log on as a service</a>, <a class="term term-tagpost_tag term-1207" href="https://adsecurity.org/?tag=manage-auditing-and-security-log">Manage auditing and security log</a>, <a class="term term-tagpost_tag term-1181" 
href="https://adsecurity.org/?tag=print-operators">Print Operators</a>, <a class="term term-tagpost_tag term-1235" href="https://adsecurity.org/?tag=remote-desktop-users">Remote Desktop users</a>, <a class="term term-tagpost_tag term-1242" href="https://adsecurity.org/?tag=restore-files-directories">Restore files & directories</a>, <a class="term term-tagpost_tag term-1178" href="https://adsecurity.org/?tag=schema-admins">Schema Admins</a>, <a class="term term-tagpost_tag term-1234" href="https://adsecurity.org/?tag=server-operators">Server Operators</a>, <a class="term term-tagpost_tag term-1210" href="https://adsecurity.org/?tag=synchronize-directory-service-data">Synchronize directory service data</a></span></li> <li class="comment-link col-sm-4"><i class="fa fa-comments"></i> <a href="https://adsecurity.org/?p=3700#comments">1 comments</a></li> </ul> </div> </div> <div id="post-3658" class="clearfix post post-3658 type-post status-publish format-standard has-post-thumbnail hentry category-activedirectorysecurity category-microsoft-security tag-account-operators tag-active-directory-permissions tag-active-directory-privileged-access tag-active-directory-security tag-ad tag-ad-acls tag-ad-delegation tag-ad-groups-in-local-groups tag-ad-security tag-adminsdholder tag-allow-logon-locally tag-allow-logon-over-remote-desktop-services tag-backup-operators tag-bloodhound tag-create-gpo-rights tag-createchild tag-dcsync tag-deletechild tag-domain-admins tag-enable-computer-and-user-accounts-to-be-trusted-for-delegation tag-enterprise-admins tag-extended-right tag-full-control tag-genericall tag-genericwrite tag-gpo tag-greoup-policy-delegation tag-group-membership tag-group-policy-object tag-group-policy-permission tag-impersonate-a-client-after-authentication tag-link-gpo-rights tag-manage-auditing-and-security-log tag-manage-group-policy-link tag-powerview tag-print-operators tag-replicating-directory-changes-all tag-restricted-groups tag-s-1-5-512 tag-s-1-5-517 
tag-s-1-5-520 tag-s-1-5-21-1102 tag-s-1-5-21-519 tag-s-1-5-21-525 tag-s-1-5-21-571 tag-s-1-5-32-574 tag-s-1-5-32-544 tag-s-1-5-32-548 tag-s-1-5-32-550 tag-s-1-5-32-551 tag-s-1-5-32-554 tag-s-1-5-32-562 tag-s-1-5-32-573 tag-s-1-5-32-578 tag-sacl tag-schema-admins tag-sddl tag-sdprop tag-self tag-semachineaccountprivilege tag-senetworklogonright tag-setcbprivilege tag-setrustedcredmanaccessprivilege tag-sidhistory tag-synchronize-directory-service-data tag-user-rights-assignments tag-validated-write tag-writedacl tag-writeowner tag-writeproperty item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Jun</span> <span class="day">14</span> <span class="year">2017</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=3658" rel="bookmark" title="Permalink to Scanning for Active Directory Privileges & Privileged Accounts"> Scanning for Active Directory Privileges & Privileged Accounts </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p class="excerpt-thumb"> <a href="https://adsecurity.org/?p=3658" rel="bookmark" title="Permalink to Scanning for Active Directory Privileges & Privileged Accounts"> <img width="300" height="221" src="https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-02-300x221.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-02-300x221.png 
300w, https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-02-768x566.png 768w, https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-02-1024x755.png 1024w, https://adsecurity.org/wp-content/uploads/2017/06/ActiveDirectory-Object-Permissions-02.png 1808w" sizes="(max-width: 300px) 100vw, 300px" /> </a> </p> <p>Active Directory Recon is the new hotness since attackers, Red Teamers, and penetration testers have realized that control of Active Directory provides power over the organization. I covered ways to enumerate permissions in AD using PowerView (written by Will @harmj0y) during my Black Hat & DEF CON talks in 2016 from both a Blue Team … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=3658">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1180" href="https://adsecurity.org/?tag=account-operators">Account Operators</a>, <a class="term term-tagpost_tag term-1170" href="https://adsecurity.org/?tag=active-directory-permissions">Active Directory permissions</a>, <a class="term term-tagpost_tag term-1174" href="https://adsecurity.org/?tag=active-directory-privileged-access">Active Directory PRivileged Access</a>, <a class="term term-tagpost_tag term-976" href="https://adsecurity.org/?tag=active-directory-security">Active Directory Security</a>, <a class="term term-tagpost_tag term-1013" href="https://adsecurity.org/?tag=ad">AD</a>, <a class="term term-tagpost_tag term-1169" href="https://adsecurity.org/?tag=ad-acls">AD ACLs</a>, <a class="term term-tagpost_tag term-98" href="https://adsecurity.org/?tag=ad-delegation">AD Delegation</a>, <a class="term term-tagpost_tag term-1214" href="https://adsecurity.org/?tag=ad-groups-in-local-groups">AD groups in Local Groups</a>, <a class="term term-tagpost_tag term-100" 
href="https://adsecurity.org/?tag=ad-security">AD Security</a>, <a class="term term-tagpost_tag term-654" href="https://adsecurity.org/?tag=adminsdholder">AdminSDHolder</a>, <a class="term term-tagpost_tag term-1211" href="https://adsecurity.org/?tag=allow-logon-locally">Allow logon locally</a>, <a class="term term-tagpost_tag term-1212" href="https://adsecurity.org/?tag=allow-logon-over-remote-desktop-services">Allow logon over Remote Desktop Services</a>, <a class="term term-tagpost_tag term-1179" href="https://adsecurity.org/?tag=backup-operators">Backup Operators</a>, <a class="term term-tagpost_tag term-1173" href="https://adsecurity.org/?tag=bloodhound">Bloodhound</a>, <a class="term term-tagpost_tag term-1226" href="https://adsecurity.org/?tag=create-gpo-rights">Create GPO rights</a>, <a class="term term-tagpost_tag term-1221" href="https://adsecurity.org/?tag=createchild">CreateChild</a>, <a class="term term-tagpost_tag term-598" href="https://adsecurity.org/?tag=dcsync">DCSync</a>, <a class="term term-tagpost_tag term-1222" href="https://adsecurity.org/?tag=deletechild">DeleteChild</a>, <a class="term term-tagpost_tag term-1177" href="https://adsecurity.org/?tag=domain-admins">Domain Admins</a>, <a class="term term-tagpost_tag term-1209" href="https://adsecurity.org/?tag=enable-computer-and-user-accounts-to-be-trusted-for-delegation">Enable computer and user accounts to be trusted for delegation</a>, <a class="term term-tagpost_tag term-1176" href="https://adsecurity.org/?tag=enterprise-admins">Enterprise Admins</a>, <a class="term term-tagpost_tag term-1223" href="https://adsecurity.org/?tag=extended-right">Extended Right</a>, <a class="term term-tagpost_tag term-1227" href="https://adsecurity.org/?tag=full-control">Full Control</a>, <a class="term term-tagpost_tag term-1200" href="https://adsecurity.org/?tag=genericall">GenericAll</a>, <a class="term term-tagpost_tag term-1217" href="https://adsecurity.org/?tag=genericwrite">GenericWrite</a>, <a 
class="term term-tagpost_tag term-448" href="https://adsecurity.org/?tag=gpo">GPO</a>, <a class="term term-tagpost_tag term-1215" href="https://adsecurity.org/?tag=greoup-policy-delegation">Greoup Policy Delegation</a>, <a class="term term-tagpost_tag term-1175" href="https://adsecurity.org/?tag=group-membership">Group Membership</a>, <a class="term term-tagpost_tag term-1183" href="https://adsecurity.org/?tag=group-policy-object">Group Policy Object</a>, <a class="term term-tagpost_tag term-1182" href="https://adsecurity.org/?tag=group-policy-permission">Group Policy Permission</a>, <a class="term term-tagpost_tag term-1208" href="https://adsecurity.org/?tag=impersonate-a-client-after-authentication">Impersonate a client after authentication</a>, <a class="term term-tagpost_tag term-1225" href="https://adsecurity.org/?tag=link-gpo-rights">Link GPO rights</a>, <a class="term term-tagpost_tag term-1207" href="https://adsecurity.org/?tag=manage-auditing-and-security-log">Manage auditing and security log</a>, <a class="term term-tagpost_tag term-1224" href="https://adsecurity.org/?tag=manage-group-policy-link">Manage Group Policy link</a>, <a class="term term-tagpost_tag term-696" href="https://adsecurity.org/?tag=powerview">PowerView</a>, <a class="term term-tagpost_tag term-1181" href="https://adsecurity.org/?tag=print-operators">Print Operators</a>, <a class="term term-tagpost_tag term-1216" href="https://adsecurity.org/?tag=replicating-directory-changes-all">Replicating Directory Changes All</a>, <a class="term term-tagpost_tag term-1213" href="https://adsecurity.org/?tag=restricted-groups">Restricted Groups</a>, <a class="term term-tagpost_tag term-1192" href="https://adsecurity.org/?tag=s-1-5-512">S-1-5--512</a>, <a class="term term-tagpost_tag term-1189" href="https://adsecurity.org/?tag=s-1-5-517">S-1-5--517</a>, <a class="term term-tagpost_tag term-1195" href="https://adsecurity.org/?tag=s-1-5-520">S-1-5--520</a>, <a class="term term-tagpost_tag term-1191" 
href="https://adsecurity.org/?tag=s-1-5-21-1102">S-1-5-21--1102</a>, <a class="term term-tagpost_tag term-1193" href="https://adsecurity.org/?tag=s-1-5-21-519">S-1-5-21--519</a>, <a class="term term-tagpost_tag term-1199" href="https://adsecurity.org/?tag=s-1-5-21-525">S-1-5-21--525</a>, <a class="term term-tagpost_tag term-1187" href="https://adsecurity.org/?tag=s-1-5-21-571">S-1-5-21--571</a>, <a class="term term-tagpost_tag term-1188" href="https://adsecurity.org/?tag=s-1-5-32-574">S-1-5-32--574</a>, <a class="term term-tagpost_tag term-1185" href="https://adsecurity.org/?tag=s-1-5-32-544">S-1-5-32-544</a>, <a class="term term-tagpost_tag term-1184" href="https://adsecurity.org/?tag=s-1-5-32-548">S-1-5-32-548</a>, <a class="term term-tagpost_tag term-1198" href="https://adsecurity.org/?tag=s-1-5-32-550">S-1-5-32-550</a>, <a class="term term-tagpost_tag term-1186" href="https://adsecurity.org/?tag=s-1-5-32-551">S-1-5-32-551</a>, <a class="term term-tagpost_tag term-1197" href="https://adsecurity.org/?tag=s-1-5-32-554">S-1-5-32-554</a>, <a class="term term-tagpost_tag term-1190" href="https://adsecurity.org/?tag=s-1-5-32-562">S-1-5-32-562</a>, <a class="term term-tagpost_tag term-1194" href="https://adsecurity.org/?tag=s-1-5-32-573">S-1-5-32-573</a>, <a class="term term-tagpost_tag term-1196" href="https://adsecurity.org/?tag=s-1-5-32-578">S-1-5-32-578</a>, <a class="term term-tagpost_tag term-1171" href="https://adsecurity.org/?tag=sacl">SACL</a>, <a class="term term-tagpost_tag term-1178" href="https://adsecurity.org/?tag=schema-admins">Schema Admins</a>, <a class="term term-tagpost_tag term-1172" href="https://adsecurity.org/?tag=sddl">SDDL</a>, <a class="term term-tagpost_tag term-655" href="https://adsecurity.org/?tag=sdprop">SDProp</a>, <a class="term term-tagpost_tag term-1218" href="https://adsecurity.org/?tag=self">Self</a>, <a class="term term-tagpost_tag term-1206" 
href="https://adsecurity.org/?tag=semachineaccountprivilege">SeMachineAccountPrivilege</a>, <a class="term term-tagpost_tag term-1204" href="https://adsecurity.org/?tag=senetworklogonright">SeNetworkLogonRight</a>, <a class="term term-tagpost_tag term-1205" href="https://adsecurity.org/?tag=setcbprivilege">SeTcbPrivilege</a>, <a class="term term-tagpost_tag term-1203" href="https://adsecurity.org/?tag=setrustedcredmanaccessprivilege">SeTrustedCredManAccessPrivilege</a>, <a class="term term-tagpost_tag term-547" href="https://adsecurity.org/?tag=sidhistory">SIDHistory</a>, <a class="term term-tagpost_tag term-1210" href="https://adsecurity.org/?tag=synchronize-directory-service-data">Synchronize directory service data</a>, <a class="term term-tagpost_tag term-1106" href="https://adsecurity.org/?tag=user-rights-assignments">User Rights Assignments</a>, <a class="term term-tagpost_tag term-1219" href="https://adsecurity.org/?tag=validated-write">Validated Write</a>, <a class="term term-tagpost_tag term-1201" href="https://adsecurity.org/?tag=writedacl">WriteDACL</a>, <a class="term term-tagpost_tag term-1220" href="https://adsecurity.org/?tag=writeowner">WriteOwner</a>, <a class="term term-tagpost_tag term-1202" href="https://adsecurity.org/?tag=writeproperty">WritePRoperty</a></span></li> <li class="comment-link col-sm-4"><i class="fa fa-comments"></i> <a href="https://adsecurity.org/?p=3658#comments">2 comments</a></li> </ul> </div> </div> <div id="post-3621" class="clearfix post post-3621 type-post status-publish format-standard has-post-thumbnail hentry category-activedirectorysecurity category-security-conference-presentationvideo tag-active-directory tag-command-logging tag-domain-controllers tag-event-logging tag-microsoft-wef tag-powershell-logging tag-presentation tag-sp4rkcon tag-sysinternals-sysmon item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">May</span> <span 
class="day">01</span> <span class="year">2017</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=3621" rel="bookmark" title="Permalink to BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting"> BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-234" href="https://adsecurity.org/?cat=234">Security Conference Presentation/Video</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p class="excerpt-thumb"> <a href="https://adsecurity.org/?p=3621" rel="bookmark" title="Permalink to BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting"> <img width="300" height="175" src="https://adsecurity.org/wp-content/uploads/2017/05/BSidesCharm2017Slides-300x175.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://adsecurity.org/wp-content/uploads/2017/05/BSidesCharm2017Slides-300x175.png 300w, https://adsecurity.org/wp-content/uploads/2017/05/BSidesCharm2017Slides-768x449.png 768w, https://adsecurity.org/wp-content/uploads/2017/05/BSidesCharm2017Slides-1024x598.png 1024w, https://adsecurity.org/wp-content/uploads/2017/05/BSidesCharm2017Slides.png 1195w" sizes="(max-width: 300px) 100vw, 300px" /> </a> </p> <p>I recently presented my talk “Detecting the Elusive: Active Directory Threat Hunting” at BSides Charm in Baltimore, MD. Slides are now posted in the Presentations section. 
I cover some of the information I’ve posted here before: PowerShell Security; Detecting Kerberoasting: Part 1 and Part 2. On Sunday, April 30th, 2017, I spoke at BSides Charm in … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=3621">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-75" href="https://adsecurity.org/?tag=active-directory">Active Directory</a>, <a class="term term-tagpost_tag term-1159" href="https://adsecurity.org/?tag=command-logging">Command Logging</a>, <a class="term term-tagpost_tag term-1162" href="https://adsecurity.org/?tag=domain-controllers">Domain Controllers</a>, <a class="term term-tagpost_tag term-1163" href="https://adsecurity.org/?tag=event-logging">Event logging</a>, <a class="term term-tagpost_tag term-1161" href="https://adsecurity.org/?tag=microsoft-wef">Microsoft WEF</a>, <a class="term term-tagpost_tag term-959" href="https://adsecurity.org/?tag=powershell-logging">PowerShell logging</a>, <a class="term term-tagpost_tag term-422" href="https://adsecurity.org/?tag=presentation">Presentation</a>, <a class="term term-tagpost_tag term-1158" href="https://adsecurity.org/?tag=sp4rkcon">Sp4rkCon</a>, <a class="term term-tagpost_tag term-1160" href="https://adsecurity.org/?tag=sysinternals-sysmon">Sysinternals SysMon</a></span></li> </ul> </div> </div> <div id="post-3622" class="clearfix post post-3622 type-post status-publish format-standard has-post-thumbnail hentry category-activedirectorysecurity category-security-conference-presentationvideo tag-active-directory-recon tag-ad-admin-tiers tag-credential-theft tag-kerberoasting-detection tag-kerberos-delegation tag-powershell-logging tag-secure-ad-administration item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">May</span> <span class="day">01</span> <span 
class="year">2017</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=3622" rel="bookmark" title="Permalink to Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY"> Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-234" href="https://adsecurity.org/?cat=234">Security Conference Presentation/Video</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p class="excerpt-thumb"> <a href="https://adsecurity.org/?p=3622" rel="bookmark" title="Permalink to Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY"> <img width="300" height="170" src="https://adsecurity.org/wp-content/uploads/2017/05/sp4rkconslides-300x170.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://adsecurity.org/wp-content/uploads/2017/05/sp4rkconslides-300x170.png 300w, https://adsecurity.org/wp-content/uploads/2017/05/sp4rkconslides-768x436.png 768w, https://adsecurity.org/wp-content/uploads/2017/05/sp4rkconslides-1024x582.png 1024w, https://adsecurity.org/wp-content/uploads/2017/05/sp4rkconslides.png 1417w" sizes="(max-width: 300px) 100vw, 300px" /> </a> </p> <p>I recently presented my talk “Active Directory Security: The Good, the Bad, & the UGLY” at Sp4rkCon in Bentonville, AR in April 2017. Slides are now posted in the Presentations section. 
I cover some of the information I’ve posted here before: PowerShell Security; Detecting Kerberoasting: Part 1 and Part 2. Here’s the talk description: Active Directory Security: The Good, the … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=3622">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-980" href="https://adsecurity.org/?tag=active-directory-recon">Active Directory recon</a>, <a class="term term-tagpost_tag term-1168" href="https://adsecurity.org/?tag=ad-admin-tiers">AD admin tiers</a>, <a class="term term-tagpost_tag term-1164" href="https://adsecurity.org/?tag=credential-theft">Credential theft</a>, <a class="term term-tagpost_tag term-1166" href="https://adsecurity.org/?tag=kerberoasting-detection">Kerberoasting detection</a>, <a class="term term-tagpost_tag term-1165" href="https://adsecurity.org/?tag=kerberos-delegation">Kerberos Delegation</a>, <a class="term term-tagpost_tag term-959" href="https://adsecurity.org/?tag=powershell-logging">PowerShell logging</a>, <a class="term term-tagpost_tag term-1167" href="https://adsecurity.org/?tag=secure-ad-administration">Secure AD administration</a></span></li> </ul> </div> </div> <div id="post-3513" class="clearfix post post-3513 type-post status-publish format-standard has-post-thumbnail hentry category-activedirectorysecurity category-microsoft-security category-technical-reference tag-ap-req tag-audit-kerberos-service-ticket-operations tag-detect-kerberoast-activity tag-detecting-kerberoast-activity tag-event-id-4769 tag-kerberoast-honeypot tag-kerberoasting-activity tag-kerberos-rc4-encryption tag-kerberos-service-ticket tag-kerberos-tgs tag-kerberos-tgs-ticket tag-ntlm-password tag-rc4_hmac_md5 tag-service-account-honeypot tag-tgs-rep tag-tgs-req item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p 
class="default_date"> <span class="month">Feb</span> <span class="day">08</span> <span class="year">2017</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=3513" rel="bookmark" title="Permalink to Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot"> Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p class="excerpt-thumb"> <a href="https://adsecurity.org/?p=3513" rel="bookmark" title="Permalink to Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot"> <img width="300" height="58" src="https://adsecurity.org/wp-content/uploads/2017/02/Kerberoast-HoneyPot-Account-Discovery1-300x58.jpg" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://adsecurity.org/wp-content/uploads/2017/02/Kerberoast-HoneyPot-Account-Discovery1-300x58.jpg 300w, https://adsecurity.org/wp-content/uploads/2017/02/Kerberoast-HoneyPot-Account-Discovery1-768x149.jpg 768w, https://adsecurity.org/wp-content/uploads/2017/02/Kerberoast-HoneyPot-Account-Discovery1-1024x198.jpg 1024w, https://adsecurity.org/wp-content/uploads/2017/02/Kerberoast-HoneyPot-Account-Discovery1.jpg 1333w" sizes="(max-width: 300px) 100vw, 300px" /> </a> </p> <p>In my previous post, “Detecting Kerberoasting Activity” I explain how Kerberoasting 
works and describe how to detect potential Kerberoasting activity. The trick to this is understanding what activity is normal in order to filter out the noise and increase the fidelity of the alert. This post describes how to filter from millions of events to … </p> <p><a class="more-link btn" href="https://adsecurity.org/?p=3513">Continue reading</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1132" href="https://adsecurity.org/?tag=ap-req">AP-REQ</a>, <a class="term term-tagpost_tag term-1135" href="https://adsecurity.org/?tag=audit-kerberos-service-ticket-operations">Audit Kerberos Service Ticket Operations</a>, <a class="term term-tagpost_tag term-1125" href="https://adsecurity.org/?tag=detect-kerberoast-activity">Detect Kerberoast Activity</a>, <a class="term term-tagpost_tag term-1133" href="https://adsecurity.org/?tag=detecting-kerberoast-activity">Detecting Kerberoast activity</a>, <a class="term term-tagpost_tag term-1134" href="https://adsecurity.org/?tag=event-id-4769">Event ID 4769</a>, <a class="term term-tagpost_tag term-1153" href="https://adsecurity.org/?tag=kerberoast-honeypot">Kerberoast honeypot</a>, <a class="term term-tagpost_tag term-1126" href="https://adsecurity.org/?tag=kerberoasting-activity">Kerberoasting activity</a>, <a class="term term-tagpost_tag term-1131" href="https://adsecurity.org/?tag=kerberos-rc4-encryption">Kerberos RC4 Encryption</a>, <a class="term term-tagpost_tag term-1129" href="https://adsecurity.org/?tag=kerberos-service-ticket">Kerberos Service Ticket</a>, <a class="term term-tagpost_tag term-1128" href="https://adsecurity.org/?tag=kerberos-tgs">Kerberos TGS</a>, <a class="term term-tagpost_tag term-1127" href="https://adsecurity.org/?tag=kerberos-tgs-ticket">Kerberos TGS Ticket</a>, <a class="term term-tagpost_tag term-1130" href="https://adsecurity.org/?tag=ntlm-password">NTLM Password</a>, <a 
class="term term-tagpost_tag term-708" href="https://adsecurity.org/?tag=rc4_hmac_md5">RC4_HMAC_MD5</a>, <a class="term term-tagpost_tag term-1154" href="https://adsecurity.org/?tag=service-account-honeypot">service account honeypot</a>, <a class="term term-tagpost_tag term-571" href="https://adsecurity.org/?tag=tgs-rep">TGS-REP</a>, <a class="term term-tagpost_tag term-570" href="https://adsecurity.org/?tag=tgs-req">TGS-REQ</a></span></li> </ul> </div> </div> </div> </div><!-- #content-main -->
Presentation/Video</a> </li> <li class="cat-item cat-item-1045"><a href="https://adsecurity.org/?cat=1045">Security Recommendation</a> </li> <li class="cat-item cat-item-24"><a href="https://adsecurity.org/?cat=24">Technical Article</a> </li> <li class="cat-item cat-item-4"><a href="https://adsecurity.org/?cat=4">Technical Reading</a> </li> <li class="cat-item cat-item-2"><a href="https://adsecurity.org/?cat=2">Technical Reference</a> </li> <li class="cat-item cat-item-156"><a href="https://adsecurity.org/?cat=156">TheCloud</a> </li> <li class="cat-item cat-item-930"><a href="https://adsecurity.org/?cat=930">Vulnerability</a> </li> </ul> </div><div id="meta-2" class="sidebar-wrap widget_meta"><h3>Meta</h3> <ul> <li><a href="https://adsecurity.org/wp-login.php">Log in</a></li> <li><a href="https://adsecurity.org/?feed=rss2">Entries feed</a></li> <li><a href="https://adsecurity.org/?feed=comments-rss2">Comments feed</a></li> <li><a href="https://wordpress.org/">WordPress.org</a></li> </ul> </div> </div><!-- #sidebar1 --> </div><!-- #content --> <div id="sidebar_bottom" class="sidebar widget-area row footer-widget-col-3"> <div id="text-2" class="sidebar-wrap widget_text col-sm-4"><h3>Copyright</h3> <div class="textwidget">Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. 
Terms of Use Copyright © 2011 - 2020.</div> </div> </div> <div id="footer" class="row default-footer"> <div class="copyright-developer"> <div id="copyright"> <p>Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. </p> </div> <div id="developer"> <p> Made with <i class="fa fa-heart"></i> by <a href="https://www.graphene-theme.com/" rel="nofollow">Graphene Themes</a>. </p> </div> </div> </div><!-- #footer --> </div><!-- #container --> <!-- Start of StatCounter Code --> <script> <!-- var sc_project=10100711; var sc_security="4b306538"; var sc_invisible=1; var scJsHost = (("https:" == document.location.protocol) ? "https://secure." : "http://www."); //--> </script> <script type="text/javascript" src="https://secure.statcounter.com/counter/counter.js" async></script> <noscript><div class="statcounter"><a title="web analytics" href="https://statcounter.com/"><img class="statcounter" src="https://c.statcounter.com/10100711/0/4b306538/1/" alt="web analytics" /></a></div></noscript> <!-- End of StatCounter Code --> <a href="#" id="back-to-top" title="Back to top"><i class="fa fa-chevron-up"></i></a> <script defer type="text/javascript" src="https://adsecurity.org/wp-includes/js/comment-reply.min.js?ver=6.5.5" id="comment-reply-js" async="async" data-wp-strategy="async"></script> </body> </html>