Active Directory Configuration
Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.
Techniques Addressed by Mitigation
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1134.005 | Access Token Manipulation: SID-History Injection | Clean up SID-History attributes after legitimate account migration is complete. Consider applying SID Filtering to interforest trusts, such as forest trusts and external trusts, to exclude SID-History from requests to access domain resources. SID Filtering ensures that any authentication request over a trust only contains SIDs of security principals from the trusted domain (i.e., it prevents the trusted domain from claiming that a user is a member of groups outside that domain). SID Filtering on forest trusts is enabled by default, but it may have been disabled in some cases to allow a child domain to transitively access forest trusts. SID Filtering on external trusts is automatically enabled on all external trusts created by Windows Server 2003 or later domain controllers. [1] [2] Note, however, that SID Filtering is not automatically applied to legacy trusts and may have been deliberately disabled to allow inter-domain access to resources. SID Filtering can be applied with the netdom trust command. [3]
Enterprise | T1003 | OS Credential Dumping | Manage the access control list for "Replicating Directory Changes" and the other permissions associated with domain controller replication. [5] [6] Consider adding users to the "Protected Users" Active Directory security group. This can help limit the caching of users' plaintext credentials. [7]
Enterprise | T1003.006 | OS Credential Dumping: DCSync | Manage the access control list for "Replicating Directory Changes" and the other permissions associated with domain controller replication. [8] [6]
Enterprise | T1003.005 | OS Credential Dumping: Cached Domain Credentials | Consider adding users to the "Protected Users" Active Directory security group. This can help limit the caching of users' plaintext credentials. [7]
Enterprise | T1072 | Software Deployment Tools | Ensure proper system and access isolation for critical network systems through the use of Group Policy.
Enterprise | T1558 | Steal or Forge Kerberos Tickets | To contain the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. Allow the first reset to replicate to every domain controller, and leave at least the maximum ticket lifetime (10 hours by default) between the two resets so that legitimately issued tickets expire rather than being invalidated.
Enterprise | T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | To contain the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it.
Enterprise | T1552 | Unsecured Credentials | Remove vulnerable Group Policy Preferences. [9]
Enterprise | T1552.006 | Unsecured Credentials: Group Policy Preferences | Remove vulnerable Group Policy Preferences. [9]
Enterprise | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | To contain the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. [10]
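The T1134.005 row above says to clean up SID-History after migrations and to keep SID Filtering on trusts; the following PowerShell is an added example (not code from the ATT&CK page or from Microsoft) that audits every trust's trustAttributes bits for the two conditions that let SID-History cross a trust, prints the netdom trust command [3] that restores filtering, and lists or clears leftover sIDHistory values. It assumes the ActiveDirectory RSAT module, rights to read trusts and modify the affected objects, and that netdom is run from the trusting (resource) side of the trust.

```powershell
# Added example: audit trust SID Filtering state and find/clear leftover sIDHistory.
# Assumes the ActiveDirectory module and Domain Admins (or delegated) rights.
Import-Module ActiveDirectory

# trustAttributes bits (MS-ADTS, trustAttributes) that matter for SID Filtering.
$TA_QUARANTINED_DOMAIN = 0x04   # external trust: SID Filter Quarantining on (netdom /quarantine:Yes)
$TA_FOREST_TRANSITIVE  = 0x08   # forest trust: SID Filtering is on by default
$TA_WITHIN_FOREST      = 0x20   # intra-forest trust: SID Filtering does not apply
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust relaxed with netdom /EnableSIDHistory:Yes

function Get-TrustSidFilteringReport {
    # One row per trust, with the netdom command that restores filtering where needed.
    # Filtering is enforced by the trusting domain, so for an Inbound-only trust the
    # partner domain has to run the command.
    $local = (Get-ADDomain).DNSRoot
    Get-ADTrust -Filter * | ForEach-Object {
        $attr = [int]$_.TrustAttributes
        $kind = if ($attr -band $TA_WITHIN_FOREST) { 'IntraForest' }
                elseif ($attr -band $TA_FOREST_TRANSITIVE) { 'Forest' }
                else { 'External' }
        $finding = 'OK'
        $fix = $null
        if ($kind -eq 'Forest' -and ($attr -band $TA_TREAT_AS_EXTERNAL)) {
            # SID-History from the trusted forest is accepted over this trust
            $finding = 'SID-History enabled on forest trust'
            $fix     = "netdom trust $local /domain:$($_.Name) /EnableSIDHistory:No"
        } elseif ($kind -eq 'External' -and -not ($attr -band $TA_QUARANTINED_DOMAIN)) {
            # Legacy or deliberately un-quarantined external trust
            $finding = 'Quarantine not set on external trust'
            $fix     = "netdom trust $local /domain:$($_.Name) /quarantine:Yes"
        }
        [pscustomobject]@{
            Trust = $_.Name; Direction = $_.Direction; Kind = $kind
            TrustAttributes = ('0x{0:x}' -f $attr); Finding = $finding; Fix = $fix
        }
    }
}

function Get-SidHistoryObjects {
    # Every user, group or computer that still carries sIDHistory after a migration.
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass |
        Select-Object Name, objectClass, DistinguishedName,
            @{ n = 'SIDHistory'; e = { ($_.sIDHistory | ForEach-Object Value) -join ';' } }
}

function Clear-SidHistory {
    # Removes each sIDHistory value from one object. Runs as -WhatIf unless -Commit is
    # given: confirm the migration is finished and resource ACLs were re-ACLed first,
    # because access that relied on the old SID stops working once it is gone.
    param([Parameter(Mandatory)][string]$DistinguishedName, [switch]$Commit)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties sIDHistory
    foreach ($sid in $obj.sIDHistory) {
        Set-ADObject -Identity $DistinguishedName -Remove @{ sIDHistory = $sid.Value } -WhatIf:(-not $Commit)
    }
}

# Usage
Get-TrustSidFilteringReport | Format-Table -AutoSize
Get-SidHistoryObjects       | Format-Table -AutoSize
# Clear-SidHistory -DistinguishedName 'CN=migrated user,OU=Users,DC=example,DC=local' -Commit
```

Removing sIDHistory values is allowed over LDAP, but adding them is not, which is why the clean-up can be scripted while injection needs DC-level access.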
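For the T1003 / T1003.006 / T1003.005 rows, the following PowerShell is an added example (not code from the ATT&CK page or from Microsoft): it lists every principal whose ACE on the domain head grants one of the three replication extended rights that DCSync relies on [5] [6] [8], flags holders outside an expected baseline, and enrols chosen accounts in Protected Users [7] after a sanity check. The rightsGuid values are the schema's control access rights; the expected-holder list and the account name in the usage line are assumptions to tune per domain.

```powershell
# Added example: who can replicate the directory (DCSync), and Protected Users enrolment.
# Assumes the ActiveDirectory module (provides the AD: drive) and rights to read the
# domain head ACL and modify group membership.
Import-Module ActiveDirectory

# rightsGuid of the replication control access rights in the Extended-Rights container.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$EXTENDED_RIGHT = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GENERIC_ALL    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$NULL_GUID      = '00000000-0000-0000-0000-000000000000'

# Principals that hold these rights on a default domain head (assumed baseline; adjust
# for your domain, e.g. an Azure AD Connect account may legitimately appear here).
$netbios = (Get-ADDomain).NetBIOSName
$ExpectedHolders = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$netbios\Domain Controllers",
    "$netbios\Enterprise Read-only Domain Controllers"
)

function Get-ReplicationRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType.ToString()
        $name   = $null
        if (($rights -band $EXTENDED_RIGHT) -and $ReplicationRights.ContainsKey($guid)) {
            $name = $ReplicationRights[$guid]
        } elseif (($rights -band $EXTENDED_RIGHT) -and $guid -eq $NULL_GUID) {
            $name = 'All extended rights'      # unscoped ExtendedRight includes replication
        } elseif (($rights -band $GENERIC_ALL) -eq $GENERIC_ALL) {
            $name = 'GenericAll'               # full control implies the rights too
        }
        if ($name) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Right     = $name
                Inherited = $ace.IsInherited
                Expected  = ($ExpectedHolders -contains $ace.IdentityReference.Value)
            }
        }
    }
}

function Add-ProtectedUser {
    # Protected Users members cannot use NTLM, DES/RC4 Kerberos, delegation or cached
    # credentials and get 4-hour TGTs, so enrol privileged human accounts only, never
    # service or computer accounts, and pilot before rolling out. -WhatIf unless -Commit.
    param([Parameter(Mandatory)][string[]]$SamAccountName, [switch]$Commit)
    foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties ServicePrincipalName
        if ($u.ServicePrincipalName) {
            Write-Warning "$sam has SPNs and looks like a service account; skipping"
            continue
        }
        Add-ADGroupMember -Identity 'Protected Users' -Members $u -WhatIf:(-not $Commit)
    }
}

# Usage: unexpected replication-right holders are DCSync candidates to remove or explain.
Get-ReplicationRightHolders | Where-Object { -not $_.Expected } | Format-Table -AutoSize
Add-ProtectedUser -SamAccountName 'jdoe-admin'    # placeholder account; add -Commit to apply
```

Inherited ACEs from the domain head also matter for DCSync only at the domain object itself, so the function reads just that object; WriteDacl or WriteOwner holders can grant themselves the rights and are worth a separate review.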
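For the T1552 / T1552.006 rows, the following PowerShell is an added example (not code from the ATT&CK page or from Microsoft) that finds Group Policy Preference items in SYSVOL that still carry a cpassword attribute. The MS14-025 update [9] stopped the Group Policy editor from creating new ones but did not remove existing XML files, so they have to be found and deleted by hand. The sample Groups.xml text is constructed for the example; the file list is the set of preference types that can store a password.

```powershell
# Added example: locate GPP items with cpassword in SYSVOL. Assumes the ActiveDirectory
# module and read access to the Policies share (which any domain user normally has).
Import-Module ActiveDirectory

$GppFilesWithPasswords = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                         'DataSources.xml', 'Printers.xml', 'Drives.xml'

function Find-CpasswordInXml {
    # One record per element with a cpassword attribute in a single XML document.
    param([Parameter(Mandatory)][string]$XmlText, [string]$Source = '<inline>')
    [xml]$doc = $XmlText
    foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
        # The account attribute name differs per preference type.
        $account = foreach ($a in 'userName', 'accountName', 'runAs', 'username') {
            if ($node.HasAttribute($a)) { $node.GetAttribute($a); break }
        }
        $action = if ($node.HasAttribute('action')) { $node.GetAttribute('action') } else { $null }
        [pscustomobject]@{
            Source  = $Source
            Item    = $node.ParentNode.Name      # User, Service, Task, Drive, ...
            Account = $account
            Action  = $action
        }
    }
}

function Find-GppCpassword {
    # Walks the Policies share of the current domain and reports every hit.
    param([string]$PoliciesPath = "\\$((Get-ADDomain).DNSRoot)\SYSVOL\$((Get-ADDomain).DNSRoot)\Policies")
    Get-ChildItem -Path $PoliciesPath -Recurse -Include $GppFilesWithPasswords -ErrorAction SilentlyContinue |
        ForEach-Object {
            Find-CpasswordInXml -XmlText (Get-Content -Path $_.FullName -Raw) -Source $_.FullName
        }
}

# Constructed sample of a Groups.xml item that sets a local administrator password
# (GUIDs and the cpassword value are placeholders, not real data).
$SampleGroupsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000001}">
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="LocalAdmin" changed="2013-01-15 09:00:00" uid="{00000000-0000-0000-0000-000000000003}">
    <Properties action="U" newName="" fullName="" description="" cpassword="PLACEHOLDER-CPASSWORD" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
'@

# Usage: the sample yields one record (Item=User, Account=LocalAdmin, Action=U).
Find-CpasswordInXml -XmlText $SampleGroupsXml -Source 'sample Groups.xml' | Format-Table -AutoSize
# Against the live domain:
# Find-GppCpassword | Format-Table -AutoSize
```

For each hit, delete the preference item (via GPMC or by removing the XML element) and then reset the password of the account it named: the cpassword value has been readable by every domain user since the policy was created, so removing the file alone does not close the exposure.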
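The T1558, T1558.001 and T1550.003 rows all prescribe the double KRBTGT reset [10]. The following PowerShell is an added example (not code from the ATT&CK page or from Microsoft) of one reset step with the two checks that make the second step safe: the previous change has replicated to every writable DC, and at least the maximum TGT lifetime has passed. It assumes the ActiveDirectory module, Domain Admins rights, and the default 10-hour maximum ticket lifetime from the Default Domain Policy's Kerberos settings.

```powershell
# Added example: one step of the two-step krbtgt reset with replication and timing checks.
Import-Module ActiveDirectory

function Get-KrbtgtState {
    # Reads krbtgt's PasswordLastSet from every writable DC; the last reset has
    # replicated everywhere once all DCs report the same value.
    $dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false }
    $perDc = foreach ($dc in $dcs) {
        $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
        [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $k.PasswordLastSet }
    }
    $distinct = @($perDc.PasswordLastSet | Sort-Object -Unique)
    [pscustomobject]@{
        PerDC     = $perDc
        Converged = ($distinct.Count -eq 1)
        LastReset = ($distinct | Select-Object -Last 1)
    }
}

function Reset-KrbtgtPassword {
    # Performs ONE reset. Run it, wait until Converged and MinInterval has elapsed,
    # then run it again: only the second reset evicts the key a golden ticket was
    # forged with, because the KDC still accepts tickets under the previous key.
    param(
        [TimeSpan]$MinInterval = (New-TimeSpan -Hours 10),   # assumed max TGT lifetime
        [switch]$Force,                                       # skip checks in an active incident
        [switch]$Commit                                       # -WhatIf otherwise
    )
    $state = Get-KrbtgtState
    if (-not $Force) {
        if (-not $state.Converged) {
            throw "Previous krbtgt change has not replicated to all DCs:`n$($state.PerDC | Out-String)"
        }
        $age = (Get-Date) - $state.LastReset
        if ($age -lt $MinInterval) {
            throw "Last reset was $([int]$age.TotalMinutes) min ago; wait $($MinInterval.TotalHours)h so live TGTs expire first"
        }
    }
    # The DC is documented to generate its own random krbtgt secret regardless of
    # the value supplied; a strong value is passed anyway.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw  = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    $pdc = (Get-ADDomain).PDCEmulator
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $pw -WhatIf:(-not $Commit)
    if ($Commit) {
        # Push the changed object to every other writable DC now rather than waiting for
        # the replication schedule. RODCs use their own krbtgt_<id> accounts, which this
        # reset does not touch.
        $dn = (Get-ADUser -Identity krbtgt -Server $pdc).DistinguishedName
        foreach ($dc in ($state.PerDC.DC | Where-Object { $_ -ne $pdc })) {
            Sync-ADObject -Object $dn -Source $pdc -Destination $dc
        }
    }
    Get-KrbtgtState
}

# Usage
Get-KrbtgtState | Select-Object -ExpandProperty PerDC | Format-Table -AutoSize
Reset-KrbtgtPassword                 # dry run with checks
# Reset-KrbtgtPassword -Commit        # first reset; repeat after Converged and >= 10 h
```

Resetting twice in quick succession with -Force invalidates every outstanding TGT and forces all clients to re-authenticate; that is acceptable during active incident response but should be a deliberate choice.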
References
1. Microsoft. (2014, November 19). Security Considerations for Trusts. Retrieved November 30, 2017.
2. Microsoft. (n.d.). Configuring SID Filter Quarantining on External Trusts. Retrieved November 30, 2017.
3. Microsoft. (2012, September 11). Command-Line Reference - Netdom Trust. Retrieved November 30, 2017.
4. Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.
5. Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.
6. Microsoft. (n.d.). How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account. Retrieved December 4, 2017.
7. Microsoft. (2016, October 12). Protected Users Security Group. Retrieved May 29, 2020.
8. Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017.
9. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.
10. Metcalf, S. (2014, November 10). Kerberos & KRBTGT: Active Directory's Domain Kerberos Service Account. Retrieved January 30, 2020.