Ok that subject is massive…so this is a bit more of a targeted thought process to consider.
Each network is unique and technology deployments vary. One time I was in a network that was almost entirely Apple MacBooks and a door control panel… which was ‘fun’.
So this is a general list of some things to consider if you have tech deployed such as:
- Active Directory
- Printers
- SCCM
- MSSQL
This assumes the threat actor has line of sight (routable) or physically adjacent (inside a VLAN/subnet) access.
This is NOT every single thing you could do; it’s meant to give people an idea of the routes an attacker could take! You need to work through your own networks to see what you have, the services that are running, the network segments, routes etc.
| Test | Authenticated |
|---|---|
| DNS Zone Transfer | No |
| NULL Bind to LDAP | No |
| Responder (local subnet) | No |
| Find open writeable shares to inject a malicious link/Responder link | No |
| Username enumeration (LDAPNOMNOM) | No |
| Username enumeration (Kerberos) | No |
| Username enumeration (SMB) | No |
| MITMv6 | No |
| Rogue DHCP (v4) | No |
| Responder + SMB Relay | No |
| Password Spray (common account names) | No |
| Brute Force (common account names) | No |
| Password Spray (enumerated users via OSINT) | No |
| Password Spray (enumerated users via TCP/IP connected methods) | No |
| Can you access any printer admin panels? | No |
| Unauthenticated PXE spoofing | No |
| NTLM Downgrade | No |
| Run PingCastle | Yes |
| Dump AD (ADExplorer) | Yes |
| Dump AD (BloodHound) | Yes |
| Dump AD (Adalanche) | Yes |
| LDAP Searches | Yes |
| Copy SYSVOL and hunt for credentials | Yes |
| GPP Passwords? | Yes |
| Passwords in description field? | Yes |
| Search shares for credentials | Yes |
| Check if you can RDP to any server/workstation | Yes |
| Check if you have admin rights anywhere | Yes |
| Can you join your own clean VM to the domain? | Yes |
| Can you write DNS records via LDAP and Responder more users? (e.g. add a DNS wildcard/WPAD record) | Yes |
| Can you Kerberoast? | Yes |
| Can you AS-REP roast? | Yes |
| Can you escalate using AD CS paths? | Yes |
| Do you have mailbox/Teams access? If so, phish for creds? | Yes |
| Can you access SharePoint? Can you find creds? | Yes |
| If you have a domain-joined machine, can you find any creds on the system? | Yes |
| PCAP a domain-joined machine and try to find creds over the wire | Yes |
| Can you write to any shares? Can you drop a poisoned link for Responder? | Yes |
| Misconfigured ACLs/DACLs in AD DS that you can abuse? | Yes |
| Can you access any databases? | Yes |
| Can you access any printer admin panels? | Yes |
| Spray your creds everywhere to see what you can access, e.g. other PCs or servers | Yes |
| Can you modify any GPOs? | Yes |
| Can you create any GPOs? | Yes |
| Can you read LAPS? | Yes |
| Can you find any creds hardcoded in apps? | Yes |
| What scripts are in SYSVOL, can they help you? | Yes |
| Can you identify any IAM/PAM services you might be able to attack? | Yes |
| Can you identify any backup services you might be able to attack? | Yes |
| Can you find any backups on file shares? | Yes |
| Can you escalate via SCCM? | Yes |
| Can you add a computer and abuse Resource-based constrained delegation (RBCD)? | Yes |
So as a defender you should probably consider how to defend against these vectors and approaches.
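One concrete defensive check for the Password Spray and Brute Force rows above: this added Python example (not code from the original post) runs a sliding window over failed-logon records shaped like the fields of Windows Security event 4625 and tells the two patterns apart, one source hitting many accounts a few times each (spray) versus one account many times (brute force). The sample events, IPs, account names and thresholds are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of event 4625 fields:
# (timestamp, source IP, target account). Not real log data.
SAMPLE_EVENTS = [
    # One source, twelve accounts, one attempt each: the spray pattern.
    *[(f"2024-05-01T09:00:{i:02d}", "10.0.5.23", f"user{i:02d}") for i in range(12)],
    # One source hammering a single service account: the brute-force pattern.
    *[(f"2024-05-01T09:05:{i:02d}", "10.0.9.7", "svc_backup") for i in range(15)],
    # A user mistyping a password twice: should not be flagged.
    ("2024-05-01T09:10:00", "10.0.2.2", "alice"),
    ("2024-05-01T09:10:05", "10.0.2.2", "alice"),
]


def classify_failed_logons(events, window=timedelta(minutes=10),
                           spray_users=8, brute_attempts=10):
    """Return {source: set of labels} for every source whose failed logons
    within any `window`-long span reach either threshold (assumed values)."""
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user))

    findings = {}
    for src, items in by_source.items():
        items.sort()
        start = 0
        users_in_window = Counter()  # account -> failures inside the window
        for t_end, user in items:
            users_in_window[user] += 1
            # Drop events that fell out of the window before this one.
            while t_end - items[start][0] > window:
                old_user = items[start][1]
                users_in_window[old_user] -= 1
                if users_in_window[old_user] == 0:
                    del users_in_window[old_user]
                start += 1
            labels = findings.setdefault(src, set())
            if len(users_in_window) >= spray_users:
                labels.add("spray")           # many accounts, few tries each
            if max(users_in_window.values()) >= brute_attempts:
                labels.add("bruteforce")      # one account, many tries
    return {src: labels for src, labels in findings.items() if labels}


if __name__ == "__main__":
    for src, labels in classify_failed_logons(SAMPLE_EVENTS).items():
        print(src, sorted(labels))
```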