Active Directory Penetration Testing

Active Directory Pen Testing
Reveal obscure adversarial footpaths
For intruders to reach what they ultimately want, your data, they need a way in: they need credentials.
Active Directory (AD) stores those credentials.

OM’s Security Geeks helps you discover and fix the misconfigurations that adversaries commonly exploit. We also monitor all your AD activity (logons, user and group changes, Group Policy Object (GPO) events) and use behaviour-based threat models to prevent lateral-movement attacks.


AD Risk Acumens 

65% of organisations have more than 1,000 users with passwords that never expire

60% of user accounts are stale or inactive

58% of users had passwords that never expire (up from 20% last year)

We analyse Active Directory logs together with data-access events and network movement, and use machine learning (ML) to build multi-dimensional behavioural profiles of users and hosts. When activity deviates from that established baseline, it is flagged automatically.

Our Strategy and Project Plan
Kerberoasting
Adversaries may use a valid Kerberos ticket-granting ticket (TGT), or sniff network traffic, to obtain a ticket-granting service (TGS) ticket whose encrypted portion may be vulnerable to offline brute-force attacks. Adversaries who hold the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGTs), an attack known as a golden ticket.
Privilege Escalation – SID History Changes
Account Lockouts – Privileged Account
Frequent Changes to Group Policy Objects (GPO)
Ticket Harvesting Attacks
Pass the Hash
Password Spraying Attacks
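The Kerberoasting item above describes the attack from the adversary's side; what a defender watches for is the trace it leaves in domain controller logs: service-ticket requests (Security event 4769) for user service accounts using RC4 (encryption type 0x17), often many distinct services from one requester in a short burst. The script below is an added example and is not part of the original page or of OM's Security Geeks' tooling. It runs over a constructed sample of 4769 records (field names follow the event's own schema; the values, domain and addresses are made up) and applies both checks.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of Windows Security event 4769 fields (not real logs).
# TargetUserName = requesting account, ServiceName = account whose SPN was
# requested, TicketEncryptionType = 0x12 (AES256) or 0x17 (RC4-HMAC).
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "krbtgt",     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"time": "2024-05-01T09:00:02", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",      "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"time": "2024-05-01T09:05:00", "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.55"},
    {"time": "2024-05-01T09:05:01", "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.55"},
    {"time": "2024-05-01T09:05:02", "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.55"},
    {"time": "2024-05-01T09:05:03", "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_mon",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.55"},
    {"time": "2024-05-01T11:30:00", "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.70"},
]

RC4_HMAC = "0x17"


def is_user_service_request(ev):
    """True for tickets to user-owned service accounts: skip krbtgt and machine accounts."""
    svc = ev["ServiceName"]
    return svc.lower() != "krbtgt" and not svc.endswith("$")


def rc4_service_ticket_requests(events):
    """Every 4769 for a user service account that was issued with RC4 encryption."""
    return [ev for ev in events
            if is_user_service_request(ev) and ev["TicketEncryptionType"] == RC4_HMAC]


def kerberoast_bursts(events, window_seconds=60, min_distinct_services=3):
    """Requesters that obtained RC4 tickets for >= min_distinct_services distinct
    services inside any window_seconds-long window (the roasting 'burst')."""
    by_requester = defaultdict(list)
    for ev in rc4_service_ticket_requests(events):
        by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    alerts = []
    for (user, ip), evs in by_requester.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        start, triggered = 0, False
        for end in range(len(evs)):               # sliding window over the requester's events
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            window = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(window) >= min_distinct_services:
                triggered = True
                break
        if triggered:
            alerts.append({"user": user, "ip": ip,
                           "services": sorted({e["ServiceName"] for e in evs})})
    return alerts


if __name__ == "__main__":
    for ev in rc4_service_ticket_requests(SAMPLE_4769):
        print("RC4 service ticket:", ev["TargetUserName"], "->", ev["ServiceName"])
    for alert in kerberoast_bursts(SAMPLE_4769):
        print("Kerberoasting burst:", alert)
```

The single RC4 request by carol is worth a low-priority alert (a legacy service still on RC4 is itself a finding), while bob's four distinct services within four seconds is the pattern that should page someone. In a live estate the same records come from the domain controllers' Security logs or a SIEM export rather than the constructed list above.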
Finding Rogue Domain Controller (DC)
Adversaries may register a rogue Domain Controller (DC) to expedite manipulation of Active Directory data. DCShadow can be used to create such a rogue DC: it is a technique for manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and mimicking the behaviour of a DC. It injects and replicates changes into the AD infrastructure for any domain object, including credentials and keys.
Kerberos Service Principal Names (SPNs)
Monitor Kerberos Service Principal Names (SPNs), notably those associated with Global Catalog services (beginning with "GC/") that are registered by machines not present in the Domain Controllers organisational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) is set without logging.
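The two SPN indicators above (a "GC/" SPN, or a DRS-interface SPN carrying the GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2, on a computer object outside the Domain Controllers OU) can be checked directly against a dump of computer objects and their servicePrincipalName values. The script below is an added example, not code from the page or from OM's Security Geeks. The domain name, the object DNs and the DSA GUIDs inside the SPNs are constructed; only the DRS interface GUID comes from the text.

```python
# DRS Remote Protocol interface GUID (from the page); a DCShadow-style
# registration adds an SPN of the form "<this GUID>/<DSA GUID>/<domain>".
DRS_INTERFACE_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

# Constructed sample of computer objects, as an LDAP export would show them
# (distinguishedName plus the multi-valued servicePrincipalName attribute).
SAMPLE_OBJECTS = [
    {"dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",
     "spns": ["HOST/dc01.corp.local",
              "GC/dc01.corp.local/corp.local",
              DRS_INTERFACE_GUID + "/11111111-2222-3333-4444-555555555555/corp.local"]},
    {"dn": "CN=FS01,OU=Servers,DC=corp,DC=local",
     "spns": ["HOST/fs01.corp.local", "cifs/fs01.corp.local"]},
    {"dn": "CN=WS42,OU=Workstations,DC=corp,DC=local",
     "spns": ["HOST/ws42.corp.local",
              "GC/ws42.corp.local/corp.local",
              DRS_INTERFACE_GUID + "/66666666-7777-8888-9999-000000000000/corp.local"]},
]

DC_OU_SUFFIX = "OU=Domain Controllers,DC=corp,DC=local"   # assumed domain


def is_in_dc_ou(dn, dc_ou_suffix=DC_OU_SUFFIX):
    """DN comparison is case-insensitive in AD, so normalise before matching."""
    return dn.lower().endswith("," + dc_ou_suffix.lower())


def dc_only_spns(spns):
    """SPNs that only a genuine domain controller should ever carry."""
    flagged = []
    for spn in spns:
        upper = spn.upper()
        if upper.startswith("GC/") or upper.startswith(DRS_INTERFACE_GUID + "/"):
            flagged.append(spn)
    return flagged


def find_rogue_dc_candidates(objects, dc_ou_suffix=DC_OU_SUFFIX):
    """Objects outside the Domain Controllers OU that carry DC-only SPNs."""
    candidates = []
    for obj in objects:
        if is_in_dc_ou(obj["dn"], dc_ou_suffix):
            continue                      # legitimate DCs are expected to have these SPNs
        suspicious = dc_only_spns(obj["spns"])
        if suspicious:
            candidates.append({"dn": obj["dn"], "spns": suspicious})
    return candidates


if __name__ == "__main__":
    for hit in find_rogue_dc_candidates(SAMPLE_OBJECTS):
        print("Possible rogue DC:", hit["dn"])
        for spn in hit["spns"]:
            print("   ", spn)
```

Because the DRS SPN is set without a corresponding log entry, this is a state check rather than an event check: run it on a schedule (or on a directory export) and compare with the last run, so a registration that was added and removed between runs still shows up as a diff. In a live domain the same object list comes from an LDAP query on servicePrincipalName rather than the constructed sample.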
AD directory synchronisation (DirSync)
Monitor AD directory synchronisation (DirSync): track modifications to the directory environment by using AD replication cookies, so that every change replicated since the last cookie is captured for review.