Creating Active Directory Labs for Blue and Red Teams

Click on Change:

Change the Computer name:

Restart the machine:

After the reboot, open Server Manager and click on Add roles and features:

As Installation Type choose Role-Based or feature-based installation:

“Select a server from the server pool” will automatically set up your server, you just need to click on Next:

Choose Active Directory Domain Services and click on Add Features in the popup window:

Confirm 3 times with Next and then on Install:

Wait for the installation to finish and click on yellow exclamation mark on top right of the Server Manager and choose Promote this server to a domain controller:

Choose the deployment configuration – Add a new forest and enter your root domain name:

Enter a password and click on Next until you can click on Install:

Login to the domain as administrator:

Set a static IP address for your server in Control Panel\Network and Internet\Network Connections:

Child Domain

The root domain controller is up and running, it is time to promote a child domain controller and build a trust relationship between the parent and the child domain. For this purpose, we will do almost the same steps as for the parent domain. The only difference is that we will not create a new forest but adding a new domain to an existing forest (Deployment Configuration of the parent dc). A user who is in the enterprise admin group of the parent domain must be used to enroll the domain.

Set a static IP for the machine and point its DNS to DC01:

Repeat the steps previous steps (how to promote a domain controller) until choosing the deployment configuration.

As Deployment Configuration, choose Add a new domain to an existing forest and enter your details:

After the reboot you can log in to the child domain controller:

Enrolling Computers

Now, some workstations / servers need to be installed and added to the network.

Give the computers also a static IP address and point the DNS to the domain’s DNS server / DC:

Click on Computer name in the Server Manager and rename the computer:

After the restart, join the domain under Workgroup (below Computer name in the Server Manger):

Enter the password of a user of the enterprise admins group of the domain:

Repeat this step for every machine you want to add to your test network.

Introducing Vulnerabilities / Misconfigurations

Following, some examples on how to introduce vulnerabilities / misconfigurations to the systems.

Vulnerable Services

To introduce a vulnerable service, you can either search for a software which already contains a vulnerable service, or you can just modify an existing service. For example, change the permissions of a service to a user / group to manage it. Vulnerable services must be configured directly on the machine where the service is running using the local administrator of the computer.

To change the permissions of a service one of the following methods can be used:

SC.exe:

A standard built-in Windows method to manage system service permissions supposes using the Service Controller utility (sc.exe). You can get the current permissions to the service like this:

PS > sc.exe sdshow <SERVICE NAME>

To set the permissions the following syntax can be used:

PS > sc.exe sdset <service name> <Security Descriptor in SDDL format>

For example, the spooler service permissions can be changed, that any user can restart the service, using the following command:

PS > sc.exe sdset spooler "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;<SID of user or group>)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Windows Security Templates:

Another option to grant rights to a service is a Security Template.

First, press Windows + R and open the Microsoft Management Console (mmc.exe):

Add the Security Templates snap-in (CTRL+M for add or remove snap ins). Add Security Configuration and Analysis and Security Templates:

It is possible to specify an own path by right-clicking on Security Templates from the console tree and selecting New Template Search Path…. If no path is selected the default path %username%\documents\security\templates is used.

Right click on the path in the tree structure and choose New Template…:

Choose a Template name and click OK. A new template is visible in the console:

A Security Database is required. Right-click Security Configuration and Analysis from the console tree and select Open Database… Enter a name for the database and click Open:

An Import Template window appears. Browse to the previously created template and select it:

Right-click Security Configuration and Analysis from the console tree and select Analyze Computer …

A tree structure for Security Configuration and Analysis was created:

Double-Click System Services and scroll down to find the service you need to change, e.g. Print Spooler and double click on it. Tick the box Define this policy in the database:

Click the Edit Security… button click on Add and type in the group or user you want to grant permissions to:

Click OK on the Service Properties to bring you back to the console. The service now will appear with an X next to it as well as an Investigate message on the Permission column:

This is because the new permissions causing a conflict with what is configured on the local machine. To apply the new permissions, right click on Security Configuration and Analysis from the console tree and select Configure Computer…

Now the service can be abused by the configured user / group.

PowerShellAccessControl Module:

It will be also possible to use PowerShell to misconfigure a service on a computer. A PowerShell module called PowerShellAccessControl can be found in TechNet gallery. This module can be used for managing permissions for different Windows objects.

To download the module just click here: https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83

Import the module to your current PowerShell session:

PS > Import-Module PowerShellAccessControl

View granted permissions:
PS > Get-Service spooler | Get-EffectiveAccess -Principal SEC\user01

Change the permissions of a non-administrative user to interact with a service:
Get-Service spooler | Add-AccessControlEntry -ServiceAccessRights Start,Stop -Principal SEC\user01

Now SEC\user01 will be able to start and stop the spooler service.

PS > Import-Module PowerShellAccessControl

View granted permissions:

PS > Get-Service spooler | Get-EffectiveAccess -Principal SEC\user01

Change the permissions of a non-administrative user to interact with a service:

Get-Service spooler | Add-AccessControlEntry -ServiceAccessRights Start,Stop -Principal SEC\user01

Now SEC\user01 will be able to start and stop the spooler service.

Unquoted Service Paths:

If a service is created which executable path contains spaces and isn’t enclosed within quotes, the service is exposed to a vulnerability known as Unquoted Service Path which enables adversaries to elevate privileges.

Edit the ImagePath in the Windows Registry of any installed Service to make it vulnerable:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Name of Service]

To open the registry editor just use Windows+R and type regedit.

Next open the services folder in the tree structure and modify the service as follows:

Service abuse usually leads to local privilege escalation. Once an adversary took over such a user/group which can interact with a service, it will for example be possible to stop the service, exchange its binary with a malicious one and restart the service. More information on local privilege escalation can be found at the SEC Consult article “Windows Privilege Escalaction – an Approach for Penetration Testers“.

Active Sessions

To create an active session, you can either just login to the server manually (and do a snapshot while the machine is running).

Or, use Autologon from the Sysinternals Suite:

https://docs.microsoft.com/en-us/sysinternals/downloads/autologon

It is a portable executable where you just enter the credentials and the domain name and click on Enable. From now on, the selected user will automatically logon to the machine once the machine starts.

The password is encrypted, it is not possible to browse through the registry to find it.

Credential-Manager

Different credentials can be saved in the Windows Credential Manager. Credentials of local or domain users as well as credentials for other programs like Internet Explorer.

To save website credentials for Internet Explorer just browse to a web application and login, click on save credentials. The credentials will now be saved in the credential manager and can be obtained by adversaries.

To expose domain or local credentials the runas command with the parameter /savecred can be used:

PS > runas /user:<DOMAIN\USERNAME> /savecred <PROGRAM>

This will save the user credentials in the local credential manager:

Enter the following commands on the domain controller:

PS > net user user01 ‘Pa$$w0rd’ /ADD /DOMAIN

PS > setspn -s http/srv01.sec.lab.local:80 user01

SPN Misconfiguration (AS-REP Roast)

In order to exploit AS-REP Roast, Kerberos preauthentication needs to be disabled. Without Kerberos Pre-Authentication an adversary can directly send a request for authentication. The KDC will return an encrypted TGT and the attacker can brute force it offline.

The misconfiguration can be introduced on the domain controller like:

Click on Active Directory Users and Computers:

Create a New User by expanding the domain tree and right click on the User tab:

After the user was created and the password was set, right click on the user and open Properties, click on Account and set the option “Do not require Kerberos preauthentication”:

GPO Misconfiguration

A Group Policy Object is an Active directory container and used for group policy settings which can be used as a resource to control users and computers. GPOs can be used to allow or disallow certain actions for a group of users or computers such as disable local admin access.

In our example we will create a GPO which grants local administrator permissions on a specific server. We will then delegate the permissions to another user. If an adversary takes over this user, it will be possible to change the GPO and create own local administrators on the machines which are linked to that GPO.

Perform the following steps on a domain controller:

Click on Tools and on Group Policy Manager:

Link the GPO to the desired OU, click on Create a GPO in this domain, and Link it here:

Create a Group and link it to the GPO. Go to Active Directory Users and Computers, right click on the desired OU and click on New and choose Group:

Create the group:

Configure the GPO:

Press Edit… and the Group Policy Management Editor will pop up. In the editor choose Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups right click and add the previously created group to the GPO. Select This group is a member of administrators:

Click on OK:

Update the Group Policy settings using gpupdate:

PS > gpupdate /force

Now all users in the LocalAdmin group have local admin permission on the linked machines. Add a user of the domain having edit rights on the GPO. Click on the created GPO and go to delegation and Add… a user.

In this example we will be using the previously created LocalAdmins group and grant GenericAll permissions to a specific user:

Open Active Directory Users and Computers on the domain controller and right click on our group and click on Properties, then we choose Member Of and add the Builtin Administrators:

Go to the tab Managed By and click on Change to choose a domain user which will have the permissions managing this group:

Click on Manager can update membership list:

Apply the settings. Adversaries, who compromised SEC\user02, would now be able to add and modify all objects for the LocalAdmins group.

Unconstrained Delegation

Delegation is used when a server or service account needs to impersonate a user. For example, a front-end webserver impersonates users when accessing a backend database. If unconstrained delegation is configured on a server, it allows the server to impersonate connecting users. Computer and user objects can get unconstrained delegation assigned. Normally it will be assigned to computers running services.

How to setup unconstrained delegation:

Go to Active Directory Users and Computers on the domain controller and right click on the computer where the service is running, choose Delegation and tick the following:

Click on OK and verify if everything worked. To verify click on View and tick Advanced Features:

Open Properties of the computer again and click on Attribute Editor. The attribute UserAccountControl should contain the following entry:

The TGT of every user who is connecting to this server will be saved in memory and can be extracted by an adversary.

Constrained Delegation

Constrained Delegation limits what services a machine, which is trusted for delegation, can access on behalf of an authenticated user. If there is a compromised user or computer account where constrained delegation is enabled, it’s possible to impersonate any domain user and authenticate to the service where the account is trusted for delegation.

How to setup constrained delegation:

Open Active Directory Users and Computers on the domain controller and click on the Properties of the computer. Choose Trust this computer for delegation to specific services only – User Kerberos only and click on Add to choose the service:

Verify in the server’s Properties, if our configuration worked by checking if the msDS-AllowedToDelegateTo attribute is set:

In this case constrained delegation limits the server to authenticate on behalf of a user to the SPN CIFS/SRV01.SEC.LAB.LOCAL.

If an adversary compromises the server, he will be able to receive the TGS from the machine. If a server is trusted for CIFS delegation on a machine, it will allow him to read the files on the target system by extracting the cached TGS ticket.

Installing Detection Capabilities

To detect malicious behavior, tools like Splunk, Kibana or Microsoft ATA are being used. In this example we will setup Microsoft ATA as detection capability.

Advanced Threat Analytics (ATA) is a platform that helps protect enterprises from multiple types of cyber-attacks and insider threats. ATA is using a network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication, authorization, and information gathering. It is monitoring the network using port mirroring from Domain Controllers and other important computers.

More information about ATA can be found at:

https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata

To download a 90-day trial version of ATA visit the following link:

https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics

Before we start the installation, make sure that the computer where you install ATA is internet connected. Use a dedicated monitoring machine to set it up, make sure to give the machine enough resources (6GB+ of RAM).

In this example we will setup our ATA on a second domain controller. The installation process is straight forward. First, we attach the downloaded ISO to our monitoring server and open it in the Explorer:

Just double click on Microsoft ATA Center Setup. Choose your language:

Accept terms and conditions and click next:

Check for updates

Choose Database and install path and install a self-signed certificate:

Click on Launch:

Internet Explorer will open, accept the certificate warning (only do this for your lab setup, don’t accept certificate warnings for production machines!):

Create an ATA user on the DC in Active Directory Users and Computers:

Figure 75 – Create ATA userEnter the credentials of the ATA user to the ATA instance and click on Test connection and if the connection succeeded, click on Save:

Click on Download Gateway Setup and Install the first Gateway to install the ATA Gateway:

Click on and the Gateway file to your computer:

Gateway Setupdownload

Download the file to your and start the Gateway Setup:

CopyDomain ControllerMicrosoft ATA Gateway Setup

Choose and click on :

languageNext

Click on and wait until the process is done:

Install

As soon as the installation process is done click on Finish:

Back on the ATA Server, the Domain Controller is added as Gateway:

Click on the name of the and set to :

Domain ControllerDomain synchronizer CandidateOn

The Gateway will be synced:Please note that this process will take some time: