Active Directory (Part 7)

By Ashwin Venugopal -

 






Foothold

Gaining initial access through valid AD credentials is a must to gain unauthorized access in an AD domain. There are various ways to obtain these credentials. However, itis not necessary for these credentials to have high privileges as they are only required to authenticate to AD and perform further enumeration. 

OSINT and Phishing

OSINT (Open Source Intelligence) and Phishing techniques are the two most popular methods amongst penetration testers and attackers to gain access of AD credentials. 

OSINT is a process of collecting and analyzing publicly available information from various sources, like social media, news websites, and public databases. It helps in gathering information about target organization or individual. It can help a penetration tester to gain information about an organization's AD environment such as the names and titles of employees, the technologies and software they use, and nay information that can prove useful in a targeted phishing attack. Methods to gather such information are:

  • Google dorking- Advanced search operators of Google can be used to find sensitive information about a target organization, like login pages, unsecured servers, or exposed documents.

  • Public records search- Analyzing public records, such as court documents, corporate filings, and property records, can be used to gather more knowledge of a target organization or individual. 

  • Domain name analysis- Analyzing the domain names registered by an organization can be used to offer information about their online presence and potential discovery of useful subdomains. 

  • Network scanning- Scanning of publicly accessible network resources, like servers and routers, can be used to know more about the technology and software being used the organization. 

Phishing is a type of technique that is used to trick individuals into giving away sensitive information, such as login credentials. The attacker pretends to be a legitimate source and send messages through email, social media, or any other source of communication  to get the malicious work done. Similarly, the penetration tester can use this method to gain initial access into an AD environment via targeted email sent to an employee of an organization disguised as a legit source and request login credentials or other sensitive information. If the employee falls for the trick and revert with the requested information, the tester can use it to gain initial access into the AD environment. Some of its examples are as follows:

  • Email phishing- Sending a targeted email to an employee, pretending to be a legitimate source, such as coworker or a trusted vendor, and requesting login credentials. 

  • Spear phishing- Sending a targeted email to a particular employee or group of employees, with the help of the information gathered via OSINT to make the email seem more legit and increase the probability of success. 

  • SMS phishing- Sending a text message to an employee, pretending to be a legitimate source and requesting login credentials. 

  • Social media phishing- Make use of social media to send a message or post a link that appears to be from a legitimate source, but is designed to trick the recipient into giving away legitimate information.

  • Voice phishing- Using phone calls to trick individuals into giving away sensitive information, such as login credentials. 

Conclusion

In this part, we discussed about two common attack techniques used to gain sensitive information about an organization or network. 











































Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can query the log data stor
Read more