#TR19 Active Directory Security Summaries

This blogpost contains summaries of talks from this year’s TROOPERS19 Active Directory Security Track.

From Workstation to Domain Admin: Why Secure Administration Isn’t Secure and How to Fix It by Sean Metcalf

Active Directory is probably used in almost every corporation today to administer all kinds of authorization, authentication and privileges. This makes it a valuable target for attackers, because once it is compromised they can do whatever they want. This would be the worst-case scenario, right? Therefore securing AD is important, and this year TROOPERS19 featured a whole track solely for AD security.

In this specific talk by Sean Metcalf (@Pyrotek3), he explained why secure administration most of the time isn’t secure and what should be done to prevent this. Sean is a security consultant/researcher and founder of Trimarc Security, a professional services company that helps organizations better secure their Microsoft platform. He also calls himself an AD enthusiast, which is probably why he owns and runs ADSecurity, an informational website with articles on Active Directory security.

As a short intro, Active Directory, or AD for short, is a directory service from Microsoft for Windows domain networks. It can be thought of as a database of all users and their privileges, all workstations and all group policies. Servers that run AD are also called domain controllers, because they authenticate and authorize all users and workstations in a Windows domain network, as well as assigning and enforcing security policies and installing or updating software.

At the beginning of his talk Sean points out that security in companies has improved over time, but Active Directory management in particular has not kept pace. He then walks through the evolution of administration, where it started and how it changed up to the present day: from users installing their own software and managing their own workstations, over dedicated groups of people doing this by hand, to agents doing automatic patching, together with the software and protocols that were used and have changed over time. After this introduction he shows simple techniques and attacks, such as keyloggers, that nullify the purpose of the previously shown software because of how these tools get used. Other problems are misconfigured Group Policies and CVEs in the software used. One example is CVE-2017-12542, a vulnerability in HP’s iLO, an embedded server management technology, which allowed an attacker to bypass authentication just by sending a lot of A’s to the service. iLO has had a lot of critical vulnerabilities, which strengthened his statement: “Patch the firmware on your servers”. From password vaults being exposed to the Internet and bypassing MFA to different admin forests trusting one another: misconfiguration everywhere.

So what should you do to not make the same mistakes? To prevent all this Sean presents his four AD Defensive Pillars:

  • Administrative Credential Isolation and Protection
  • Hardening Administrative Methods
  • Reducing and Limiting Service Account Rights
  • Effective Monitoring

He then explains each of these pillars, and what to do about them, in detail, with the exception of Effective Monitoring.

The conclusion is that most AD environments are configured sloppily, which gives rise to many security risks and makes it easy for attackers to gain access to privileged accounts. So Sean’s recommendation is to:

  • Remove accounts and service accounts from AD privileged groups
  • Protect and Isolate AD Admin credentials by ensuring the credentials are limited to specific systems

The video of the talk can be found here.

From Workstation to Domain Admin: Why Secure Administration Isn’t Secure and How to Fix It by Sean Metcalf

Sean Metcalf (Security Consultant / Researcher) is the founder and principal consultant at Trimarc. Trimarc focuses on improving enterprise security with respect to Microsoft platforms, including the Microsoft Cloud. This is his second time speaking at TROOPERS, and he has also spoken at Black Hat, Blue Hat, BSides, DEF CON, DerbyCon, Shakacon and Sp4rkCon. He holds the Microsoft Certified Master Directory Services (MCM) certification and is a Microsoft MVP. He regularly publishes Active Directory security information on his blog.

In a nutshell, Sean’s talk is about how attackers find their way to domain admin. He starts with a rundown of the history of administration practices along with their associated risks. The takeaway, in case you are in a hurry, is that while there are improvements in security awareness and administrative tooling, just implementing them isn’t enough. You have to take a critical look at your infrastructure, ideally through the eyes of an attacker, to truly understand your attack surface. A variety of best practices for secure administration are covered during the talk. Notably, MFA, Enterprise Password Vaults and Admin Forests are discussed.

The talk starts with a list of security improvements and concepts that are typically deployed in modern company environments. Those range from better security tooling with distributed agents, vulnerability scanning and software security agents to the tracking of security events using some form of SIEM. Sean goes on to point out that, at least in the beginning, changes to the way AD is administered were not among them.

Sean takes the audience through a journey that showcases the evolution of company work environments from the point of view of a security auditor. The journey starts at simple workstations and looks at the implications of added Desktop Support, Patching Agents and Management Systems that take control of the agent. The result is that there are, from his experience, on average around 100 administrative accounts associated with a single workstation.

In the old days, attackers were free to choose from a variety of possible paths to gain access to admin rights. In more modern environments, MMC and “run as” are typically not used locally anymore; instead there are RDP-managed systems and password vaults. This has the benefit that credentials are not stored locally on every system.

As you would expect, there are still caveats and gotchas involved with those newer methods. Sean takes us through attacks on these methods, such as recording keystrokes, with lots of hands-on examples and war stories. What follows is a very much worthwhile rundown of common security configuration mishaps as well as some notable examples of vulnerabilities in management solutions.

Sean then shares issues with MFA he has encountered in the past, such as problems that come with self-service portals. These can, for example, allow attackers to update the mobile number used for MFA to a cell phone they control. Sean then presents some interesting ways of attacking password vaults, such as using PowerSploit scripts to automatically gather clipboard contents. He then describes some more intricate attack paths, along with typical security configuration issues and best practices. He also shows some attacks on smart cards, in case you thought you could blindly rely on those.

In general, Sean does not advise against MFA, Enterprise Password Vaults and Admin Forests, quite the contrary. However, one should not blindly rely on these technologies. Instead, caution is needed and the possible risks need to be considered.

The last part of the talk covers an exhaustive list of recommended measures that need to be implemented to provide an acceptable level of security in a modern environment.

He also discusses the key components needed for designing a secure administrative concept. The focus, according to him, is on working with executives, operations and the security team for a successful implementation.

Nowadays, the level of security has increased in most organizations. The improvement of administrative security has received more attention (two-factor / multi-factor authentication). But this is not enough. If you really can’t be bothered to see the talk for yourself, which you definitely should, the TL;DR is this: Priority 1 is to remove the accounts and service accounts from privileged AD groups. Priority 2 is protecting and isolating the AD Admin credentials by ensuring that credentials are restricted to specific systems. But of course, as Sean shows us in this talk, the details matter greatly, and buzzword technology alone will not help you.
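As an added example (not code from the talk, from Trimarc, or from the original post), the following PowerShell audit supports the two priorities listed here and in the first summary above: it enumerates every user in the built-in privileged groups, flags members that carry a ServicePrincipalName (service accounts) or a password older than a year, and notes whether each member is in Protected Users. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list and the one-year threshold are assumptions you should adapt to your environment.

```powershell
# Added audit script, not from the talk or from Trimarc. Assumes the RSAT
# ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-PrivilegedGroupAudit {
    param(
        # Assumed list of built-in privileged groups; add delegated groups as needed.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators', 'Backup Operators',
                              'Server Operators', 'Print Operators'),
        [int]$MaxPasswordAgeDays = 365   # assumed threshold for stale admin passwords
    )

    # Protected Users blocks NTLM, DES/RC4 and delegation for its members:
    # a cheap check for the "isolate admin credentials" priority.
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty SamAccountName)

    foreach ($g in $Groups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName `
                     -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, LastLogonDate
            # Heuristic: an account with an SPN is a service account (and Kerberoastable);
            # it has no business holding privileged group membership.
            $hasSpn = ($u.ServicePrincipalName.Count -gt 0)
            $pwdAge = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days } else { $null }
            $finding = if ($hasSpn) { 'Service account in privileged group' }
                       elseif ($pwdAge -eq $null -or $pwdAge -gt $MaxPasswordAgeDays) { 'Stale or never-set password' }
                       elseif ($protected -notcontains $u.SamAccountName) { 'Not in Protected Users' }
                       else { 'Review' }
            [pscustomobject]@{
                Group            = $g
                SamAccountName   = $u.SamAccountName
                Enabled          = $u.Enabled
                HasSPN           = $hasSpn
                PwdAgeDays       = $pwdAge
                PwdNeverExpires  = $u.PasswordNeverExpires
                LastLogon        = $u.LastLogonDate
                InProtectedUsers = ($protected -contains $u.SamAccountName)
                Finding          = $finding
            }
        }
    }
}

# Service accounts and stale passwords surface first; pipe to Export-Csv for tracking.
Get-PrivilegedGroupAudit | Sort-Object Finding, Group | Format-Table -AutoSize
```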


CypherDog 2.1 – Attackers Think in Graphs, Management Needs Metrics

At TROOPERS19, JD presented his command-line tool CypherDog to the audience.

JD – who is also known as @SadProcessor – is a security consultant at ERNW in the area of Windows security and describes himself as a PowerShell fanboy. He is the creator of tools like EmpireStrike and PoSh_ATTCK.

CypherDog is “just” another user interface for BloodHound. By default, BloodHound offers a graphical user interface that shows 2D graphs of relationships in an Active Directory environment. Attackers and defenders can use BloodHound’s graph view to determine attack paths, in order to either follow or eliminate them.

JD, as a PowerShell fanboy, was not completely happy about not having a command-line interface, so he simply created one:

  • No new functionality, just a new way to access and present the BloodHound information.
  • Short and easy syntax: descriptive command and parameter names for easy use.
  • Tab completion support.
  • Pipeline combos.

As a result, CypherDog lets you automate work with BloodHound and easily use it in combination with other tools. As a side effect, you may use CypherDog to learn BloodHound’s Cypher query language. However, there is no need to learn it.

The biggest part of JD’s talk was a demo of CypherDog’s capabilities and flexibility that you should watch if you are interested in AD security. The video of the talk is available on the Troopers YouTube channel.


Thanks for reading!

Hannes Mohr, Rabea Hasselwander, Kai Sparwald, Florian Bausch, Niklaus Schiess, Marius Walter