It’s estimated as many as 95 percent of companies use Active Directory (AD) for user management and authentication. It’s also been proved a number of times that there are flaws in AD that allow attackers to do things like change passwords and escalate their privilege to administrator level.

But one of the easiest entry points to an AD server, according to DAn Solutions CTO Sean Metcalf, is built into Windows. PowerShell is a core component of Windows, but as Metcalf demonstrated at Blackhat, utilizing just a few PowerShell tricks allows the use of password hash stealing tools like Mimikatz and the ability to do other things like forge Kerberos tickets. A valid Kerberos ticket, as explained in this post by Lynn Root, provides users with ongoing access to a requested service.


Sean Metcalf demonstrates insecure Kerberos settings during his Blackhat 2015 session.

With a “golden ticket,” it’s fairly easy to give yourself admin credentials for any user–even ones that don’t exist–on any domain running Active Directory. But where things get interesting, Metcalf explained to a crowd at Blackhat USA 2015, is when known attacks like pass-the-hash and Mimikatz hash discovery are done in PowerShell.

“PowerShell is in every version of Windows, and there are a bunch of toolkits for attackers,” Metcalf said. “With Powersploit and other attack tools, attackers can run attacks that don’t get caught by AV or malware detection.”

Security Engineer Joe Bialek demonstrated how this is done during a live hacking session at Defcon 21 in 2013, noting that PowerShell is such a powerful tool (no pun intended) because it can run malicious scripts without ever touching a disk, which means it would not trigger any whitelisting products or any antivirus or malware detection tools.

Metcalf outlined a number of ways to detect uses of PowerShell and typical persistence behaviors that hackers use in AD. Most importantly, he said, it’s a good idea to use an app logging tool–like SCCM–to log any and all PowerShell activity in AD, as well as set default policies to their strictest setting to only allow authorized administrators the access they need.

Metcalf also mentioned that AD admins should consider using Microsoft’s Advanced Threat Analytics (ATA), which will ship this month, as it can detect some of the typical behaviors used to compromise and persist control of AD servers and domain controllers.

Though Metcalf’s talk focused on Powershell and AD persistence methods, it’s a good reminder for security engineers and researchers that even approved, useful tools and software can be subverted for malicious uses.

This post is categorized in: