
Secure AD


Last updated 7 months ago

Admin Activities

Best Practices:

Enable Credential Guard via GPO - Protects secrets in memory to prevent credential theft.

Use LAPS for local admins - Randomizes local administrator passwords so one password cannot be reused across hosts.

Non-privileged accounts for admins - Administrators should use their own, non-privileged accounts for everyday work.

Disable privileged accounts when not in use - DA, EA, and SA accounts should remain disabled until they are needed.

Protected Users group - All service accounts, admin accounts, and DA/EA/SA accounts should be put into the Protected Users group in AD.

Least-privilege service accounts - Service accounts should hold only the privileges they truly need to function.

Do not let a vendor dictate security for your entire organization - We often find vendor accounts compromised because they are used where they shouldn't be, such as for running tasks, services, and processes on servers as well as on laptops and workstations.

Clear cached admin passwords - If the accounts are in the Protected Users group their credentials should not be cached, but it is still a good move to clear the cache with a password reset after adding them to the group.

Three tiers of accounts:

  • Tier 2: normal user daily productivity accounts. No administrative permissions on the domain at all. Restricted to workstation logon only, enforced via GPO.

  • Tier 1: server (non-DC) admin accounts. Elevated, but not DA, administrative permissions on the domain. Restricted to server logon only, enforced via GPO.

  • Tier 0: Domain Admins. Restricted to DC logon only, enforced via GPO.
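The following audit script is an added example, not from the original page: it lists every transitive member of the Tier 0 groups and flags the conditions the practices above call out (enabled while not in use, not in Protected Users, carrying an SPN, which means the account doubles as a service account). It assumes the RSAT ActiveDirectory module and the default built-in group names.

```powershell
# Added example (not part of the original page). Assumes the ActiveDirectory module
# and a domain-joined host with read access to group membership.
Import-Module ActiveDirectory

$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# -Recursive resolves nested groups, so transitive members are included
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
             Select-Object -ExpandProperty SamAccountName

$findings = foreach ($group in $tier0Groups) {
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.SamAccountName -Properties ServicePrincipalName, PasswordLastSet
        [pscustomobject]@{
            Group            = $group
            Account          = $u.SamAccountName
            Enabled          = $u.Enabled                       # guidance: disabled until needed
            InProtectedUsers = $protected -contains $u.SamAccountName
            HasSPN           = [bool]$u.ServicePrincipalName    # SPN on a Tier 0 account = service account running with DA rights
            PasswordLastSet  = $u.PasswordLastSet
        }
    }
}

# Anything enabled, outside Protected Users, or carrying an SPN deserves review
$findings |
    Where-Object { $_.Enabled -or -not $_.InProtectedUsers -or $_.HasSPN } |
    Sort-Object Group, Account | Format-Table -AutoSize
```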

Credentials:

Registry Hives:

Hive     | Details                                                         | Format or credential material
---------|-----------------------------------------------------------------|------------------------------
SAM      | Stores local account credentials (referred to as SAM secrets)   | LM or NT hashes
SECURITY | Stores domain cached credentials (referred to as LSA secrets)   | Plaintext passwords; LM or NT hashes; Kerberos keys (DES, AES); Domain Cached Credentials (DCC1 and DCC2); security questions (L$SQSA<SID>)
SYSTEM   | Contains enough information to decrypt SAM secrets and LSA secrets | N/A

Cleartext Protocols:

  • Wdigest

  • LiveSSP

  • TsPkg
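Added host check, not from the original page: it reads the two settings that decide whether the cleartext providers above and other reusable secrets sit unprotected in LSASS memory, the WDigest UseLogonCredential value and the Credential Guard running state from the Win32_DeviceGuard class. It assumes it is run elevated on the host being reviewed.

```powershell
# Added example (not part of the original page). Run elevated on the host under review.
# WDigest: UseLogonCredential = 1 re-enables cleartext password caching in LSASS;
# absent or 0 (the default on Windows 8.1 / 2012 R2 and later) keeps it off.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
                 -ErrorAction SilentlyContinue).UseLogonCredential
$wdigestCleartext = ($useLogonCred -eq 1)

# Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when
# Credential Guard is running (2 would be HVCI). The class is absent on old builds.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$credGuardRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    WDigestCleartext       = $wdigestCleartext      # expected: False
    CredentialGuardRunning = $credGuardRunning      # expected: True
    UseLogonCredentialRaw  = $useLogonCred          # $null when the value has never been set
}
```

Run it across a fleet with Invoke-Command and keep the output; a host where WDigestCleartext flips to True between runs is a finding in its own right.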

LSA Secrets:

  • User passwords

  • Internet Explorer passwords

  • Service account passwords (services on the machine that authenticate with a stored secret)

  • Cached domain password encryption key

  • SQL passwords

  • SYSTEM account passwords

  • Account passwords for configured scheduled tasks

  • Time left until the expiration of an unactivated copy of Windows

Worst Practices

Granting administrator privileges to all users.

  • Malware and TA tools/scripts often require admin privileges.

  • Making every user an admin on their host eases the TA's job.

  • Privileged Access Management solutions such as BeyondTrust are useful here.

Over-provisioned service accounts.

  • Service accounts may be Domain Admin accounts (NO!!!).

  • Service accounts should be created for a specific purpose, not reused everywhere.

  • Third-party vendors often "require" these settings. NO! Push back on them!

  • Many ransomware incidents involve service account abuse.

Mitigation:

Logging

Best Practices

Must be enabled:

  • Servers: Event ID 5140 - A network share object was accessed.

  • Servers: Event ID 5145 - A network share object was checked to see whether the client can be granted the desired access.
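Added example, not from the original page: the auditpol subcategories that actually produce 5140 and 5145 (nothing is logged until they are on), followed by a query that summarizes share access by account, source IP and share so that admin-share use from unexpected sources stands out. It assumes it runs elevated on a file server; in production the audit policy belongs in GPO under Advanced Audit Policy > Object Access.

```powershell
# Added example (not part of the original page). Run elevated on a server.
# 1. Enable the subcategories behind the two event IDs (5145 is verbose; scope it to servers).
auditpol /set /subcategory:"File Share" /success:enable /failure:enable          # Event ID 5140
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable # Event ID 5145

# 2. Pull the last 24 hours of share access events.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5140, 5145
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # EventData fields are positional in the XML, so index them by their Name attribute
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Account  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        SourceIP = $data.IpAddress
        Share    = $data.ShareName              # e.g. \\*\ADMIN$ or \\*\C$
        Target   = $data.RelativeTargetName     # 5145 only: path inside the share
    }
}

# Admin shares (ADMIN$, C$) reached over the network: which accounts, from where, how often
$rows |
    Where-Object { $_.Share -match '^\\\\\*\\(ADMIN|C)\$$' -and $_.SourceIP -notin '::1', '127.0.0.1' } |
    Group-Object Account, SourceIP, Share |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Cross-check the SourceIP column against the tier model: a Tier 0 account opening C$ on a server from a workstation address breaks the logon restriction the GPO is supposed to enforce.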
