Vulnerable Active Directory Scripts (Part 2)

Constrained Delegation

This script sets up authentication delegation for one of the accounts and creates new user accounts in AD.

The following three lines add new AD user accounts. To create a user account, use the New-ADUser cmdlet and supply the required parameters: the account's name, its location, and its password. The -Name, -Path, and -AccountPassword parameters specify the user's name, its location in the AD hierarchy, and its account password, respectively. The ConvertTo-SecureString cmdlet converts the supplied plaintext password into a secure string.

The script's final line allows user 1 to delegate authentication to user 2. This is done with the Set-ADUser cmdlet, which modifies an AD user's attributes. The -PrincipalsAllowedToDelegateToAccount parameter specifies the users or groups that are permitted to delegate to this account; with the wildcard (*) character, any user can delegate to this account.

GPO Abuse

This script manages Group Policy Objects in a Windows environment. Its first line installs the Group Policy Management Console (GPMC) feature, a collection of tools that let administrators manage GPOs.

The script changes the computer's desktop background to a specified picture and also sets the wallpaper style and its related parameters.

Kerberoasting

This script makes a user account in AD "kerberoastable." Kerberoasting is an attack technique in which an attacker obtains service tickets for a service account and then cracks the account's password offline.

The script identifies the account to be made "kerberoastable" by assigning its name to the $user variable. It then retrieves the user object from AD with the Get-ADUser cmdlet and stores it in the $userObject variable.

Lastly, the script adds a list of SPNs to the user account by using a foreach loop to iterate over the SPNs defined in the $spns variable. Each SPN is added to the user's ServicePrincipalName property with the Set-ADUser cmdlet and its -Add parameter. This step is what makes the account a Kerberoasting target, because it lets the attacker request service tickets for the service account linked to each SPN.

NTLM Relay

This script registers a scheduled task on a Windows computer that runs a PowerShell command to connect to a server called "son.goku" and create a new PowerShell drive named "Public". The script also specifies that the task runs every five minutes.

The script begins by establishing a number of variables that define the account, task, and scheduling details:

  1. $task contains the PowerShell command that creates the new PowerShell drive.
  2. $repeatInterval defines the time interval for the task to repeat, every 5 minutes in this case.
  3. $taskName is the name of the scheduled task.
  4. $user and $password define the user account and its password that the task will run under.

The script also checks whether a task with the same name already exists and unregisters it if so. Lastly, it registers the task with the Register-ScheduledTask cmdlet, supplying the task name, action, trigger, user, password, and settings.

Note: This script uses NTLM authentication to connect to the network share.
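The three settings these scripts create (accounts others may delegate to, user accounts carrying SPNs, and a scheduled task that runs under a stored password and reaches a network share) can be found again with an audit script. The one below is an added example, not part of the original post or its scripts; it assumes the RSAT ActiveDirectory module is installed, that it runs as a domain user with read access, and that the scheduled-task check is run on the host where the task was registered.

```powershell
# Added audit example, not from the original post. Assumes the RSAT
# ActiveDirectory module and a domain user with read access.
Import-Module ActiveDirectory

# 1. Accounts that other principals may delegate to (the setting the
#    Constrained Delegation script turns on). The LDAP filter only returns
#    objects whose backing attribute is populated, so the query stays cheap.
function Get-DelegationTargets {
    Get-ADUser -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties PrincipalsAllowedToDelegateToAccount |
    ForEach-Object {
        [pscustomobject]@{
            Account           = $_.SamAccountName
            AllowedPrincipals = ($_.PrincipalsAllowedToDelegateToAccount -join '; ')
        }
    }
}

# 2. User accounts carrying SPNs (what the Kerberoasting script creates).
#    krbtgt is excluded because it always has one. An old PasswordLastSet on
#    such an account is the first thing to review.
function Get-UserAccountsWithSpn {
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties ServicePrincipalName, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join '; ' } }
}

# 3. Scheduled tasks on this host that run under a stored password and whose
#    action references a UNC path (the shape of the NTLM Relay script's task).
function Get-TasksWithStoredCredentialToShare {
    Get-ScheduledTask | Where-Object {
        $_.Principal.LogonType -eq 'Password' -and
        ($_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match '\\\\' })
    } | Select-Object TaskName, TaskPath,
        @{ Name = 'RunAs'; Expression = { $_.Principal.UserId } }
}

Get-DelegationTargets               | Format-Table -AutoSize
Get-UserAccountsWithSpn             | Format-Table -AutoSize
Get-TasksWithStoredCredentialToShare | Format-Table -AutoSize
```

Run it against the lab domain after executing the scripts described above, and any account or task they created should appear in the corresponding table.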

Conclusion

This part covered more vulnerable Active Directory scripts.
