Identify Risky Conditions in Active Directory (Kerberoastable Users and AS-REP Roastable Users)
A workflow guide for identifying risky conditions in active directory.
Last updated
Epiphany tries to do the hard work for you so that you can focus on the solution. When dealing with the complexity of Active Directory, Epiphany focuses you on the most common attacks against Active Directory accounts. The Dashboard contains components specifically designed to track user identity exposures. For the Epiphany-specific process we'll use this workflow:
Go to Identity Tools -> Active Directory.
Check Kerberoastable Users.
Check AS-REP Roastable Users.
Check Unconstrained Devices.
Kerberoasting takes advantage of the design of the Kerberos protocol to harvest password hashes for Active Directory user accounts that have servicePrincipalName (SPN) values (service accounts). A user can request a ticket-granting service (TGS) ticket for any SPN, and part of that TGS ticket is encrypted, possibly with RC4 (very weak), using the password hash of the service account assigned to the requested SPN as the key.
An attacker who is able to extract the TGS tickets from memory, or who captures them, can recover the service account's password hash and attempt offline password cracking to obtain the plaintext password. Epiphany finds these accounts for you automatically so that you can take steps to protect them.
Epiphany will show you the account name, how old the password is (Password Age), if the account has a direct path to a Domain Administrator (Path to DA), and how many systems it has direct administrator rights to (Admin To).
NOTE: Clicking on any account will show you details for that account.
AS-REP Roasting is an attack against the Kerberos protocol for user accounts that do not require pre-authentication. Pre-authentication is the first step in Kerberos authentication, and is designed to prevent brute-force password guessing attacks.
During pre-authentication, the user's password is used to encrypt a timestamp; the Domain Controller attempts to decrypt it to validate that the right password was used and that the request is not a replay of an earlier one. From there, the Ticket Granting Ticket (TGT) is issued for the user to use for future authentication. If pre-authentication is disabled, an attacker could request authentication data for any user and the Domain Controller would return an encrypted TGT that can be brute-forced offline, similar to the Kerberoasting mentioned above. Epiphany finds these accounts for you automatically so that you can take steps to protect them.
Epiphany will show you the account name, how old the password is (Password Age), if the account has a direct path to a Domain Administrator (Path to DA), and how many systems it has direct administrator rights to (Admin To), as well as if the user is granted effective Domain Administrator privileges through group membership (Effective DA).
In Epiphany we're often looking for misconfigurations that can lead to large impacts. Unconstrained Devices, also known as Unconstrained Delegation, is the setting that allows a computer to save a user's Kerberos authentication tickets and then use those tickets to impersonate the user and act on that user's behalf. Unconstrained delegation is a configuration setting that many applications require to function, but it has massive implications for security, as a computer that stores the tickets for many users is an ideal objective for attackers. If the attackers can grab those tickets, they can act with the identity and privileges of those users. Epiphany tracks devices with these configuration settings so you don't have to.
The most critical item Epiphany tracks is if there are any user identities currently associated with the unconstrained device (Used By) so you can be aware of any potential exposures this might cause.
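The three conditions described above (Kerberoastable users, AS-REP roastable users and unconstrained devices) are all decided by a few directory attributes: the presence of servicePrincipalName values, bits in userAccountControl, and pwdLastSet for the Password Age column. The following added example, which is not Epiphany's code, applies those checks to a set of constructed account records shaped like LDAP results; in a real audit the records would come from an LDAP query against the domain. The flag values and the Domain Controllers primary group RID (516) are Microsoft-documented constants; the sample account names and the audit() function are assumptions made for this illustration.

```python
"""Audit constructed AD-style account records for the risky conditions
discussed above. Sample data is CONSTRUCTED for this example."""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented by Microsoft.
UF_ACCOUNTDISABLE = 0x0002
UF_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000    # Kerberos pre-authentication not required

DOMAIN_CONTROLLERS_RID = 516          # primaryGroupID of writable domain controllers
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100-ns ticks since 1601) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware UTC datetime -> Windows FILETIME ticks (used to build sample data)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_age_days(record, now):
    """Days since pwdLastSet, or None when the password has never been set."""
    ft = record.get("pwdLastSet", 0)
    return None if ft == 0 else (now - filetime_to_datetime(ft)).days


def _enabled(record):
    return not record.get("userAccountControl", 0) & UF_ACCOUNTDISABLE


def _is_user(record):
    classes = record.get("objectClass", [])
    return "user" in classes and "computer" not in classes


def is_kerberoastable(record):
    """Enabled user account with at least one SPN; krbtgt is excluded."""
    return (_is_user(record) and _enabled(record)
            and bool(record.get("servicePrincipalName"))
            and record.get("sAMAccountName", "").lower() != "krbtgt")


def is_asrep_roastable(record):
    """Enabled user account that does not require pre-authentication."""
    uac = record.get("userAccountControl", 0)
    return _is_user(record) and _enabled(record) and bool(uac & UF_DONT_REQUIRE_PREAUTH)


def is_unconstrained_delegation(record):
    """Computer account with TRUSTED_FOR_DELEGATION (unconstrained) set."""
    uac = record.get("userAccountControl", 0)
    return "computer" in record.get("objectClass", []) and bool(uac & UF_TRUSTED_FOR_DELEGATION)


def audit(records, now):
    """Group findings by condition; DCs carry the delegation flag by design,
    so they are listed separately from member servers and workstations."""
    findings = {"kerberoastable": [], "asrep_roastable": [],
                "unconstrained_delegation": [], "unconstrained_dc": []}
    for r in records:
        name = r["sAMAccountName"]
        if is_kerberoastable(r):
            findings["kerberoastable"].append((name, password_age_days(r, now)))
        if is_asrep_roastable(r):
            findings["asrep_roastable"].append((name, password_age_days(r, now)))
        if is_unconstrained_delegation(r):
            key = ("unconstrained_dc" if r.get("primaryGroupID") == DOMAIN_CONTROLLERS_RID
                   else "unconstrained_delegation")
            findings[key].append(name)
    return findings


USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
COMPUTER_CLASSES = USER_CLASSES + ["computer"]
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for repeatable output
SAMPLE_RECORDS = [  # constructed sample data
    {"sAMAccountName": "svc_sql", "objectClass": USER_CLASSES, "userAccountControl": 0x200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "pwdLastSet": datetime_to_filetime(datetime(2021, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "legacy_app", "objectClass": USER_CLASSES,
     "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH, "servicePrincipalName": [],
     "pwdLastSet": datetime_to_filetime(datetime(2023, 12, 2, tzinfo=timezone.utc))},
    {"sAMAccountName": "old_svc", "objectClass": USER_CLASSES,   # disabled: not a finding
     "userAccountControl": 0x200 | UF_ACCOUNTDISABLE,
     "servicePrincipalName": ["HTTP/app.corp.example"], "pwdLastSet": 0},
    {"sAMAccountName": "krbtgt", "objectClass": USER_CLASSES, "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"], "pwdLastSet": 0},
    {"sAMAccountName": "FILESRV01$", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": 0x1000 | UF_TRUSTED_FOR_DELEGATION, "primaryGroupID": 515},
    {"sAMAccountName": "DC01$", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": 0x2000 | UF_TRUSTED_FOR_DELEGATION, "primaryGroupID": 516},
]

if __name__ == "__main__":
    for condition, hits in audit(SAMPLE_RECORDS, NOW).items():
        print(f"{condition}: {hits}")
```

Disabled accounts are skipped because a TGS or AS-REP cannot be obtained for them, and krbtgt is skipped because it always carries an SPN and is reviewed separately. Reporting domain controllers apart from other unconstrained devices keeps the list focused on the member servers where the setting is a choice rather than a requirement.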