The Art of Cyber-Warfare: Defending the Fortress — Part 1

Please note: The goal is to eventually separate this article into several different parts. I really appreciate anyone applauding this article.

The goal of this article is to discuss how to harden your network to defend against cyber-warfare. This article will discuss how to harden your network by fully utilizing Active Directory to improve your overall security. Once your network is fairly hardened, I will discuss turning your network into a “military grade” (calm down, this is a joke) fortress that can begin to enact defensive measures that turn your network into a death trap.

Disclaimer

The emphasis of this article is that security is important, and will require your company to make an investment in cybersecurity. The software I mention may be free, but it will require hard work from your networking team. This may include hiring new staff and a little extra effort from the end users in the company. The goal is to maximize the amount of security while causing as little inconvenience as possible to the end user/employee.

Credit

I think it’s disgusting for people to take credit for someone else’s work. There is no greater dishonor. If I don’t give you the recognition that you deserve, then I apologize. Please let me know immediately so I can remediate. This is the list of people that I would like to thank for their resources:

  • SpecterOps — Special thanks to Harmj0y, Roberto Rodriguez, and several other brilliant members of that team
  • Sean Metcalf and his team at Trimarc Security
  • Dirk-jan Mollema
  • CyberArk
  • MWR InfoSecurity
  • John Strand and others at Black Hills Information Security (I strongly recommend checking out John’s book.)
  • David Bianco for creating the pyramid of pain
  • Jessica Payne (Microsoft)
  • Nikhil SamratAshok Mittal — Deploy-Deception PowerShell toolkit

Introduction

Active Directory (AD) is in use at over 95% of Fortune 1000 companies for identity management (Kearns, D. 2010). So why is it so common to see on the news that company XYZ has just been hacked?

Securing your network is a serious matter, and an entire company’s well-being is in your hands.

The first item to realize is that you need to create an environment that makes it impossible for any mistakes to happen. This may include preventing a tier 0 administrator from logging into any employee workstations. The goal is to make sure that there won’t be an attack path from domain user to domain admin. You can verify that there are no attack paths with the tool BloodHound.

Please note: Andy and Rohan from SpecterOps released a phenomenal webcast about using BloodHound for defense. I highly recommend checking it out!

Red Forest

What is a Red Forest?

A “Red Forest” or Enhanced Security Administrative Environment (ESAE) is an environment that leverages Microsoft tools to “better prevent privileged identities from being compromised” (Centrify, M. 2018). The idea is to mitigate the threat of an attacker laterally moving through the domain to breach the network. The following picture describes what the administration tier should look like once hardening is finished.

The idea of a red forest is to create 3 tiers of administration and prevent administrators from logging into any tier other than their own. In essence, you are creating a situation in which it is impossible for an administrator to make a mistake. It should be impossible for any administrator to move from one tier to another.

Tier 0 — Domain Admins

Tier 1 — Server Admins

Tier 2 — Workstation Admins

This includes logging into any resource that’s in either a higher or a lower tier. This creates a layer of defense that improves the overall security of your network. The following picture shows the end result of what your network will look like, in significantly more detail.

This is the end result of what your network should look like

Picture from —

https://ernw.de/download/AD_Summit_2018/01_AD_Summit_CoreSecPrinciples_fk_hw_v.1.2_signed.pdf

What’s important to note about this picture is that all administrators should have their computer assigned to the specific tier that they are in (PAW).

Recommended approach

The following image describes the recommended approach to create a red forest.

1. Local admin password solution (LAPS)

Microsoft LAPS is a product that hardens the local admin password for a workstation. LAPS assigns one local administrator account on each managed computer a randomly generated password. This is great for administration because instead of logging into workstations with a workstation admin’s (domain user) credentials, you would log in as a local administrator. The significance is that even if an attacker were to escalate privileges to administrator and retrieve the cleartext credentials for the local administrator, there would be no way for the attacker to use those credentials to move laterally. Also, LAPS allows passwords to expire after a certain period of time. So even if the attacker compromises a local admin credential for a workstation, by the next day it may have already expired.

2. Privileged Access Workstations or PAW.

The idea behind PAW is to have multiple different workstations for administrators to use for each task. What this means is that a tier 2 workstation admin will have 2 different computers.

Please note: The administrator should have different passwords for each workstation, and there should not be any important files on them.

The first workstation will be used exclusively for internet and email, and will have the various software that an end user needs. It is recommended that this workstation is in a workgroup, and not domain joined, to separate it from other workstations. The workstation will be connected to its own wireless network, which other “Bring Your Own Devices” are also connected to. If this computer were to be compromised, the attacker would have no access to internal resources, and the computer cannot be used to escalate privileges.

The second computer will be extremely hardened. This computer will not have access to the internet or email, and only approved USB devices can be plugged in. This mitigates the potential threat of Internet-based malware, phishing, and Human Interface Device (HID) injection.

A Human Interface Device is a device that looks like a thumb drive but emulates a device such as a keyboard, and can inject keystrokes into your host. In other words, an attacker can open a command prompt and execute commands that can compromise the machine. Over the years, HID devices have advanced to the point that the form factor fits inside of a phone charging cable, and can even charge an iPhone while injecting keystrokes.

Please note: Please verify that the wireless mouse and keyboard drivers are updated. An attacker could inject keystrokes to a vulnerable wireless device to gain code execution.

3. Privilege Access Management (PAM) and Just In Time (JIT)

The idea of Privilege Access Management or PAM is to isolate administrator permissions and credentials to make sure that only a genuine administrator who needs to access the resources can do so. The idea is to put these admin accounts in a vault. If an administrator needs to access any resources, the administrator would need to log into the PAM’s 2 factor system to retrieve credentials that have an expiration date. The idea of the PAM system is also to implement Just In Time (JIT) administration. Administrators who try to access resources past a certain time may get an “access denied” error. By centralizing credentials in one place you are ensuring security, especially because you can log and monitor for any suspicious activities.

4. Just Enough Administration (JEA)

JEA is essential in restricting administrative permissions to resources. By granting administrators access to several different servers, there is a risk that if the administrator were to be compromised, then an attacker can gain code execution on those servers. By implementing a JEA model, the administrator will only have enough access to the resources that are required to perform the job. The idea is for the administrator to request access to a resource, and specify the time that is required for the job. That way you can also implement JIT to make sure that the administrator’s access to the resources will expire.

5. Creating Tiered Administration

As previously mentioned, the idea of ESAE is to create tiers of administration. If one tier is compromised, then the attacker will not be able to escalate into another tier. The most important item that a company should realize is who is a tier 0 administrator. The clear answer is Domain Admins and Enterprise Admins. Is that really all of the tier 0 administrators? Let’s dive in and find more Tier 0 administrator accounts.

As previously mentioned, these are the well-known tier 0 administrators.

  • Administrators
  • Enterprise Admins — a member of the Domain Administrators group in every domain in the forest
  • Domain Admins — Limited to just one domain, but if this account is compromised, you can exploit the entire forest

The following groups aren’t well known but are extremely powerful by default.

  • Backup Operators — Ability to schedule tasks, which may provide an escalation path. They are also able to clear the event logs on Domain Controllers.
  • Account Operators — Ability to login to Domain Controllers and shut them down.
  • Server Operators — Ability to login to, shut down, and perform backup/restore operations on Domain Controllers
  • Print Operators — Ability to login to, shut down, and perform backup/restore operations on Domain Controllers (assigned via the Default Domain Controllers Policy GPO)
  • DnsAdmins — Able to run a DLL on a Domain Controller which could provide privilege escalation to Domain Admin rights
  • Group Policy Creator Owners — Can create, modify, and delete Group Policies in the domain
  • Schema Admins — can modify the Active Directory schema
  • Microsoft Advanced Threat Analytics Administrator — Has DACL rights of the main domain object.

Shadow Admins

Are there any more tier 0 admins?

The next accounts that I will mention are often hidden, and it can be a total surprise that an account has tier 0 permissions. These types of administrators are known as shadow admins. These administrator accounts can give an attacker full rights on the domain.

Before I get into details, you need to understand Access Control Lists. There are 2 types that you need to be aware of. The first type is what is known as discretionary access control list (DACL). The best explanation is from Microsoft — “If an object has a DACL, the system allows only the access that is explicitly allowed by the access control entries (ACEs) in the DACL” (Microsoft. 2018). In other words, only authorized entities can access an object.

There are several DACLs that are extremely dangerous. The most dangerous DACL gives a user DC Replication or “DCSync” privileges. In other words, that user can pull the hashed credentials of every domain user in the entire domain. Attackers can load these hashes onto a powerful server and retrieve users’ cleartext credentials, just by having these 2 rights on the root domain object. The most powerful user account is the KRBTGT account. If the attacker has the NTLM hash for this account, then the attacker can create their own ticket, which is known as a “golden ticket”. In other words, the attacker can create a ticket for a user that doesn’t exist, and assign that user to every privileged group. The ticket can last 10 years and can only be remediated if the KRBTGT password is changed TWICE!

There is good news… Microsoft released a script that will help you through the process.

These are the two rights that you should look for.

1. Replication Directory Changes

2. Replication Directory Changes All

If you find these 2 permissions, you will need to be concerned, because you may have been breached by an attacker. If an attacker has these rights, you need to assume that they have compromised the forest, most implementations of other forest trusts, and every account in those forests.
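One way to look for these two rights, as an added example that is not part of the original article: the Python below parses the DACL of a domain root object in SDDL form and lists trustees that hold both replication rights. The SDDL string, the domain SID and the `EXPECTED` allow-list are constructed assumptions; the two GUIDs are the schema `rightsGuid` values of the rights named above.

```python
import re

# rightsGuid values of the two extended rights listed above.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
DCSYNC = {GET_CHANGES, GET_CHANGES_ALL}

# Assumption: SDDL aliases allowed to hold both rights (Administrators, Domain and
# Enterprise Admins, Domain Controllers, Enterprise DCs, SYSTEM). Adjust to your baseline.
EXPECTED = {"BA", "DA", "EA", "DD", "ED", "SY"}

DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed security descriptor of a domain root object.
SAMPLE_SDDL = (
    "O:DAG:DA"
    "D:AI"
    f"(OA;;CR;{GET_CHANGES};;ED)"
    f"(OA;;CR;{GET_CHANGES_ALL};;DD)"
    f"(OA;;CR;{GET_CHANGES};;BA)"
    f"(OA;;CR;{GET_CHANGES_ALL};;BA)"
    "(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"   # full control, no object GUID
    f"(OA;;CR;{GET_CHANGES};;{DOM}-1604)"       # holds both rights
    f"(OA;;CR;{GET_CHANGES_ALL};;{DOM}-1604)"
    f"(OA;;CR;{GET_CHANGES};;{DOM}-1710)"       # holds only one of the two
    f"(A;CIIO;GA;;;{DOM}-1822)"                 # inherit-only: not effective on the root
    "(A;;RPLCRC;;;AU)"                          # "CR" appears only across token borders
    "S:AI(AU;SA;WDWO;;;WD)"                     # SACL, ignored here
)


def tokens(field):
    """Split an SDDL flags or rights string into its two-letter tokens."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def dacl_aces(sddl):
    """Return the ACEs of the D: (DACL) part, each as a list of its six fields."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        return []
    aces = [body.split(";") for body in re.findall(r"\(([^()]*)\)", match.group(1))]
    return [fields[:6] for fields in aces if len(fields) >= 6]


def grants_control_access(rights):
    """True if the rights field includes control access (CR) or generic all (GA)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (0x100 | 0x10000000))
    return bool(tokens(rights) & {"CR", "GA"})


def replication_rights(sddl):
    """Map each trustee to the replication rights its allow ACEs grant on the object."""
    held = {}
    for ace_type, flags, rights, obj_guid, _inherit_guid, trustee in dacl_aces(sddl):
        if ace_type not in ("A", "OA"):          # deny ACEs grant nothing
            continue
        if "IO" in tokens(flags) or not grants_control_access(rights):
            continue
        guid = obj_guid.lower()
        if not guid:                             # no object GUID: every extended right
            granted = DCSYNC
        elif guid in DCSYNC:
            granted = {guid}
        else:
            continue
        held.setdefault(trustee, set()).update(granted)
    return held


def dcsync_capable(sddl):
    """Trustees that hold both replication rights."""
    return sorted(t for t, got in replication_rights(sddl).items() if got == DCSYNC)


def unexpected_dcsync(sddl, expected=EXPECTED):
    """DCSync-capable trustees that are not on the allow-list."""
    return [t for t in dcsync_capable(sddl) if t not in expected]


if __name__ == "__main__":
    for trustee in unexpected_dcsync(SAMPLE_SDDL):
        print("unexpected replication rights on domain root:", trustee)
```

Trustees that are groups still need their membership resolved, and a trustee can also gain both rights through two different groups, which this per-trustee view does not show.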

Full Details of how to implement-

Local Administrator Password Solution (LAPS)

Problem — Administrators can view the local admin credentials for every computer that is in that particular OU. You must be very careful about which OU you apply LAPS admins to.

The technical detail behind LAPS is that it generates a random, different password for ONE local administrator user on each computer. LAPS is one of Microsoft’s responses to mitigate passing the hash. Passing the hash is essentially extracting the local administrator’s NTLM hash and using that to authenticate to other network resources.

Preparation-

The default RID 500 local administrator should already be disabled. You need to use a different local admin user that LAPS will apply to.

You must CAREFULLY PREPARE THE OUs!

The first thing to realize is that there needs to be at least 2 OUs.

First OU — domain computers. Depending on the size of the company, I would split the domain computers into several different OUs. That way only certain administrators can have read access to a small percentage of computers. This way if a workstation admin user were to be compromised, then the attacker would only have access to a percentage of employee workstations.

Second OU — application servers.

I really liked this resource to set LAPS correctly —

1. Password Settings: Enabled

a. Complexity: Large letters, small letters, numbers, specials

b. Length: 20 characters

c. Age: 30 days

2. Name of the administrator account to manage: user1

3. Do not allow password expiration time longer than required by policy: Enabled

What if an administrator has multiple roles and needs access to other tiers?

The administrator needs to create an account that is specific to each tier. For example, if the user’s name is Joe Shmoo, then the accounts would be jshmoo_DA and jshmoo_SA. The administrator will have 3 workstations: one for just the domain admin account, one for the server admin account, and another for internet and email.

What computer objects are located in tier 0?

The computer objects in tier 0 consist of more than just domain controllers, unless changed from the default. Exchange and some versions of SharePoint should also be included in this tier. If an Exchange server is compromised, then the attacker can manipulate the powerful DACLs of this computer account to assign DCSync privileges to a specified user. As mentioned previously, that means the entire forest and any trust that’s connected to the forest are now likely to be compromised.

The path the attacker would take is

1. Force the domain controller on the forest root to authenticate to the compromised domain controller that is owned in the forest.

Once the attacker has compromised the forest, the next targets are forest trusts.

2. An attacker can attack forest trusts and gain code execution on domain controllers belonging to foreign forests using the “print spooler” attack.

That doesn’t make sense? I thought that the forest was a security boundary?

Unfortunately, this is no longer the case, thanks to SpecterOps’ phenomenal research on the print spooler. The idea is that the attacker forces any computer object (running the print spooler service) to authenticate to a target that the attacker specifies.

An attacker can use the “print spooler” in another attack vector as well. This attack technique would be leveraged to escalate the attacker’s privileges from tier 1 or 2 to tier 0. The attack leverages application servers that have unconstrained delegation set to force the domain controller to authenticate to the compromised application server. Once this authentication occurs, the attacker can recover a Kerberos TGT. Now that the attacker has the ticket of the domain controller’s computer account, the attacker can authenticate as the computer object, which runs as NT AUTHORITY\SYSTEM.

New Attack Vector

There is a new attack vector that is extremely important to remediate immediately. First off, you need to understand a little bit about the attack and all that the attacker needs to gain tier 0 — domain admin privileges. Before I get into the details of this attack, just know that going from a regular domain user to a domain admin in a couple of minutes is extremely scary.

The following are the affected versions of Exchange — Exchange 2013–2019 (2010 is not vulnerable)

Let’s say that it’s a 2019 Exchange server that is vulnerable. What are some things that an attacker needs?

· Domain credentials.

· Exchange server to be on-prem.

That’s it. How common is it to see an Exchange server on-prem? The answer is that it is extremely common. I would find it an extremely rare anomaly for a large company not to have Exchange on-prem.

APT groups certainly do not have any trouble using phishing to gain access to the network. So once an attacker gains access to your network, in less than 10 minutes your entire forest and any trusts are also compromised.

(Mollema, D. 2019)

Ways to prevent or remediate the attack — Excerpted from his blog post:

  • Remove the unnecessary high privileges that Exchange has on the Domain object (see below for some links on this).
  • Enable LDAP signing and enable LDAP channel binding to prevent relaying to LDAP and LDAPS respectively
  • Block Exchange servers from making connections to workstations on arbitrary ports.
  • Enable Extended Protection for Authentication on the Exchange endpoints in IIS (but not the Exchange Back End ones, this will break Exchange). This will verify the channel binding parameters in the NTLM authentication, which ties NTLM authentication to a TLS connection and prevent relaying to Exchange web services.
  • Remove the registry key which makes relaying back to the Exchange server possible, as discussed in Microsoft’s mitigation for CVE-2018-8518.
  • Enforce SMB signing on Exchange servers (and preferably all other servers and workstations in the domain) to prevent cross-protocol relay attacks to SMB.
  • If EWS push/pull subscriptions aren’t used, they can be disabled by setting the EWSMaxSubscriptions to 0 with a throttling policy, as discovered by @gentilkiwi here. I haven’t tested how much these are used by legitimate applications, so testing it with a small user scope is recommended.

https://support.microsoft.com/en-us/help/4490059/using-shared-permissions-model-to-run-exchange-server

GPOs to get your network sufficiently hardened

These 5 GPOs are extremely important, and they will be mentioned again later on in the deception section.

1. SMB signing

Problem — legacy computers can rely on SMB signing not being set. (Woshub, 2018)

When the password is too long to crack, an attacker can simply relay the credential to another entity instead of retrieving it to crack offline. Let’s say a domain admin is browsing network shares. When the admin’s computer does an LLMNR/NetBIOS lookup for the host, the attacker’s machine will respond first, claim to be the targeted share, and say that the target needs to authenticate. Once the target sends NTLMv1/v2 credentials to the attacker, the attacker can just relay the credentials to another machine. This makes password length irrelevant, and can lead to code execution on several hosts.

This is a significant GPO to enforce on at least all servers. The attack vector I mentioned previously could be mitigated by enforcing SMB signing on the host. (Jarrod, S. 2017)

· Downsides — it can cause more computer resources to be used.

· Pros — Mitigates NTLM relaying to computer objects.

So, let’s get started. First, create a GPO that is called smb signing. I recommend rolling out smb signing to all computer objects.

a. The location of the policy that you want to set is — Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

b. Set the following

SMB Server Packet Signing

This is relating to the SMB server that “serve out files or printers for instance over SMB to clients within the network.”

Microsoft network server: Digitally sign communications (always)

Microsoft network server: Digitally sign communications (if the client agrees)

SMB Client Packet Signing

The client that connects to the smb server.

Microsoft network client: Digitally sign communications (always)

Microsoft network client: Digitally sign communications (if server agrees)

2. LLMNR/NetBIOS spoofing

Pros — Prevents the danger of sending hashed credentials to an attacker that’s spoofing the resource. With LLMNR and NetBIOS, the first entity to respond to a request to find the resource wins.

a. The location is Computer Configuration -> Administrative Templates -> Network -> DNS Client

b. Enable the Turn Off Multicast Name Resolution policy by changing its value to Enabled

3. Change the default domain GPO and edit the password policy

By changing the default password policy, you easily mitigate plenty of entry points for attackers. If you have an application that uses single factor ADFS then you might be saved from external password spraying attacks.

Also, you will mitigate the threat that an attacker can crack the NTLMv2 hash of the user account. Changing this GPO will not affect most old service accounts that were likely set up a long time ago. You need to change each service account’s password to one that is extremely strong. The reason is that if an APT has compromised a domain user, then they can Kerberoast all of the service accounts. All an attacker would now need to do is upload the service account hashes to their GPU cluster (in other words, stop their bitcoin mining farms for a couple of days and start cracking service accounts).

Please note: The best solution would be to create a fine-grained password policy.

a. The minimum password length should be at least 15 characters.

· Depends on how critical security is for your company. For example, financial institutions are recommended to set a minimum password length of 20–30 characters.

b. Maximum password age should be set to more than 90 days. It is recommended that the password should be changed once or twice a year.

  • The reason is that it can cause stress for both the end user and helpdesk. If you tell a user to remember one extremely strong password, then it will be a lot more secure than asking for the user to add an incrementing digit to their password. Worst case the user might write the password down so it is remembered.

c. Preventing password spraying- Account lockout threshold (attempts) and Account lockout duration (mins).

  • These values need to be considered closely. How much budget do you have to pay for multiple helpdesk staff to assist in unlocking users?
  • PCI-DSS recommends setting the account lockout duration to 0 (manual unlock) or a 30 minute lockout time.
  • PCI-DSS also recommends a lockout threshold of 1–5 attempts. I personally am a fan of 2–3 attempts before lockout. Again, it’s all about the variables in your company.

d. Passwords should meet complexity requirements.

4. Force NTLMv2

The problem with NTLMv1 is that an attacker can easily crack this type of authentication offline. There are even websites that can look up your NTLMv1 hash to retrieve a cleartext password as long as the challenge is 1122…etc. The significance of this attack vector is that attackers can now use the print spooler to force an NTLM response to a listening target.

Let’s say your domain controllers don’t have SMB signing. An attacker can force the domain controller to send an NTLM response to the attacker’s machine. After a 1-minute free lookup, the cleartext password can be found and the attacker can authenticate to the domain controller as the computer account (NT AUTHORITY\SYSTEM).

The location of the GPO is Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

Now set the LAN Manager authentication level to NTLMv2 response only/refuse LM and NTLM
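To confirm that the settings from items 1, 3 and 4 actually landed on a host, the following added example (not from the original article) parses a security policy export in the INF layout written by `secedit /export /cfg` and reports every value that misses the targets given above. The sample export is constructed; a setting that is absent from the export is reported as not configured.

```python
import configparser

# Constructed sample in the INF layout written by `secedit /export /cfg <file>`.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

CCS = r"MACHINE\System\CurrentControlSet"
SERVER_SIGN = CCS + r"\Services\LanManServer\Parameters\RequireSecuritySignature"
CLIENT_SIGN = CCS + r"\Services\LanmanWorkstation\Parameters\RequireSecuritySignature"
LM_LEVEL = CCS + r"\Control\Lsa\LmCompatibilityLevel"

# (label, section, option, requirement from the article, predicate)
BASELINE = [
    ("MinimumPasswordLength", "System Access", "MinimumPasswordLength",
     "at least 15 characters", lambda v: v >= 15),
    ("MaximumPasswordAge", "System Access", "MaximumPasswordAge",
     "more than 90 days", lambda v: v > 90),
    ("PasswordComplexity", "System Access", "PasswordComplexity",
     "complexity enabled", lambda v: v == 1),
    ("LockoutBadCount", "System Access", "LockoutBadCount",
     "lockout after 1-5 attempts", lambda v: 1 <= v <= 5),
    ("SMB server signing", "Registry Values", SERVER_SIGN,
     "digitally sign communications (always)", lambda v: v == 1),
    ("SMB client signing", "Registry Values", CLIENT_SIGN,
     "digitally sign communications (always)", lambda v: v == 1),
    ("LmCompatibilityLevel", "Registry Values", LM_LEVEL,
     "5 = NTLMv2 response only, refuse LM and NTLM", lambda v: v == 5),
]


def read_setting(cp, section, option):
    """Return the integer value of a setting, or None when it is not in the export."""
    if not cp.has_option(section, option):
        return None
    raw = cp.get(section, option).strip()
    if section == "Registry Values":
        raw = raw.split(",", 1)[-1]          # "4,1" is REG_DWORD with value 1
    return int(raw.strip('"'))


def audit(inf_text):
    """Return (label, current value, requirement) for every setting off the baseline."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)                 # option names are matched case-insensitively
    findings = []
    for label, section, option, requirement, ok in BASELINE:
        value = read_setting(cp, section, option)
        if value is None or not ok(value):
            findings.append((label, value, requirement))
    return findings


if __name__ == "__main__":
    for label, value, requirement in audit(SAMPLE_INF):
        current = "not configured" if value is None else value
        print(f"{label}: {current} (want: {requirement})")
```

A real export is UTF-16 encoded, so decode it with that encoding before passing the text to `audit`.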

5. Disable SeDebugPrivilege from all local administrators

Problem — known to cause problems for users installing SQL

Why should you care?

This privilege is one of 7 dangerous user privileges that administrators have. What this privilege allows is for a local administrator to manipulate other processes. The process of particular interest is LSASS.

This process stores authentication details on your computer. In most cases, it stores your cleartext password or a hashed version of it. An attacker would take the Swiss army knife, Mimikatz, and run the tool to extract credentials.

Removing this right makes the APT’s life so much more complicated. There are certainly circumvention techniques, but they require a significant amount of time and are difficult to automate.

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies/User Rights Assignment -> Policy Setting -> Debug programs

Set the user as -BUILTIN\Administrators

Cyber Warfare

Before I go any further, I must mention the story of the beginning of Mimikatz and some cyber warfare. As a quick reminder, Mimikatz is an all-in-one credential extraction tool for Windows. In unprotected Windows operating systems such as Windows Server 2008 and Windows 7, you can extract cleartext credentials from the system.

Benjamin Delpy was working on the initial beginnings of Mimikatz when he was invited to speak at an event in Russia. Benjamin arrived at the hotel and quickly went downstairs to complain about the WiFi. He came back up to his hotel room to find a man looking through his laptop. After the event, Benjamin released a binary of Mimikatz. There were various intrusions that happened afterwards. A year later, the Russian invited Benjamin to speak at another event. This time a man approached Benjamin and demanded the source code of Mimikatz. That’s when Benjamin finally released the source code to the public. To this day most of the intrusions are directly linked to Mimikatz at some point, and the attacks continue to increase even as Microsoft is finally starting to remediate. (Greenberg, A. 2018)

Deception

Introduction

Congratulations, now you have a network that’s fairly hardened and your boss thinks you are awesome. That’s not good enough. Imagine you are a knight, guarding a fairly well (re)built castle. You are looking out and notice that there are millions of warriors trying to get in. You have no choice but to pray that they don’t get in, because there are absolutely no traps and you have no weapons for your soldiers to use. By the time you try to stop the attacker, you’re too late, and they’ve just disabled your domain admin account.

No weapons and no traps. That is the state of most corporate networks. Sure, there is some security here and there, but APTs have the time and resources to enumerate and leverage some obscure vulnerability. Most of the honeypot techniques recently were poorly thought out and easy to catch (thanks to Black Hills for making this statement false). Before I get into any details, let me explain some deception techniques by one of the greatest minds in warfare, Sun Tzu.

Sun Tzu

“All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” (Tzu, 500 B.C, Art of War)

What does that quote mean for us?

This quote means that rather than showing that you are a sophisticated network with a genius network admin, you show the attacker that you are just a basic network that doesn’t have any defenses in place. Before I get into too many details, let me go over the cyber kill chain.

Cyber Kill Chain

The idea of the cyber kill chain is that attackers follow a similar path ALMOST every time they compromise a machine on the target’s network.

A sample scenario may be — the attacker performs reconnaissance of the network, escalates privileges to get cleartext credentials for the user, and then compromises more credentials until domain admin is achieved.

In terms of preventing privilege escalation, you have a few options.

  1. The best practice is to update the operating system as much as possible. I would advise that caution should be taken for each server.
  2. Set up a good EDR product, which will assist in catching an attacker’s binaries that may not be obfuscated. These 2 steps, combined with removing the SeDebugPrivilege user right from all administrators, help prevent the attacker from extracting credentials from LSASS.

Deception

There are a variety of traps for an attacker who is trying to escalate their privileges in the domain. The most important concept to understand is “what is a SACL?”.

“SACLs are used for establishing system-wide security policies for actions such as logging or auditing resource access.” (Microsoft, 2017)

What you can do is set up advanced SACL auditing on specific user objects called decoys. These users will have their permissions audited to the point of extreme verbosity. If the user rights are enumerated, then you would receive a 4662 event. You can even set up a privileged user object that is a member of the domain admin group but is set to “Deny logon” on any machine. As a disclaimer, you need to be careful with this, because the attacker can remove the setting. If there is any attempt to use the user credentials (password or hashes), a 4768 is logged. Any enumeration which reads the DACL or all properties for the user will result in a 4662 being logged.

Now that you’ve created some user objects, it’s time to weaponize those decoys and make them look interesting. The first item of business is to make your network look like a weak one that has no idea what security is.

1. Group Policy Preference (GPP)

GPP “allows administrators to configure and deploy Windows and application settings that were previously unavailable using Group Policy” (Microsoft, 2007). The significance of this is that Microsoft released the decryption keys for the passwords. Any attacker that compromised a domain user account can decrypt all password values in GPP. This means if you are using a credential that happens to be a member of the domain admins group, then you are now affected.

What if you store the credentials of only decoy users? Not only do you show to the attacker that you are a simple legacy network, but create an easy trap.

2. Kerberoasting

In 2014, Tim Medin came out with an attack known as “Kerberoasting”. Rather than describe it in my own words and confuse you, here’s an excerpt from the Active Directory guru — Sean Metcalf.

“This attack involves requesting a Kerberos service ticket(s) (TGS) for the Service Principal Name (SPN) of the target service account (Step #3 above). This request uses a valid domain user’s authentication ticket (TGT) to request one or several service tickets for a target service running on a server.

The Domain Controller looks up the SPN in Active Directory and encrypts the ticket using the service account associated with the SPN in order for the service to validate user access. The encryption type of the requested Kerberos service ticket is RC4_HMAC_MD5 which means the service account’s NTLM password hash is used to encrypt the service ticket.” (Metcalf, 2017)

In other words, a domain user can request a TGS ticket and crack that ticket offline to find the password of the SPN user account. The attack became relevant once it was incorporated into “hashcat”, a GPU-accelerated password cracking program. This enables APT groups to immediately turn to their monstrous GPU clusters and begin cracking these SPN tickets. Managed service accounts can really help protect your service accounts. Also, forcing AES encryption (instead of RC4/NTLM) seems to make it more challenging for the attacker to successfully crack the hash.

Please note: A password cracking program “hashcat” just released support for kerberos AES keys. I have not tested the speed comparisons.

So, you just need to create an RC4-enabled service account for one of your decoy users. All it takes is one command and then you are done:

setspn -A MSSQLSvc/myhost.redmond.microsoft.com:1433 redmond\accountname
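Detection logic for the decoy events described in this section, as an added example that is not code from the article or from any toolkit it credits. The decoy names, GUIDs, addresses and the JSON layout of the events are constructed; event 4769 (service ticket request) is included for the SPN decoy even though the text above only names 4662 and 4768.

```python
import json

# Hypothetical decoy inventory: sAMAccountName -> objectGUID (constructed values).
DECOYS = {
    "adm_legacy": "6f1c2a9e-0000-4000-8000-00000000d001",      # decoy "domain admin"
    "svc_sqlbackup": "6f1c2a9e-0000-4000-8000-00000000d002",   # decoy with an SPN set
}
GUID_TO_DECOY = {guid: name for name, guid in DECOYS.items()}

# Constructed Security log events, one JSON object per line.
SAMPLE_EVENTS = """\
{"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "%{6F1C2A9E-0000-4000-8000-00000000D001}", "AccessMask": "0x10"}
{"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "%{6f1c2a9e-0000-4000-8000-0000000000aa}", "AccessMask": "0x10"}
{"EventID": 4768, "TargetUserName": "adm_legacy", "IpAddress": "::ffff:10.0.5.23", "TicketEncryptionType": "0x12"}
{"EventID": 4768, "TargetUserName": "asmith", "IpAddress": "::ffff:10.0.7.8", "TicketEncryptionType": "0x12"}
{"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sqlbackup", "IpAddress": "::ffff:10.0.5.23", "TicketEncryptionType": "0x17"}
{"EventID": 4769, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "svc_web", "IpAddress": "::ffff:10.0.7.8", "TicketEncryptionType": "0x12"}
"""


def source_ip(event):
    """Client address with the IPv4-mapped prefix removed, or '-' when absent."""
    ip = event.get("IpAddress", "")
    return ip[7:] if ip.startswith("::ffff:") else (ip or "-")


def alert(event_id, decoy, actor, source, reason):
    return {"event": event_id, "decoy": decoy, "actor": actor,
            "source": source, "reason": reason}


def check_event(event):
    """Return an alert if the event touches a decoy account, otherwise None."""
    event_id = event.get("EventID")
    if event_id == 4662:                       # operation performed on an AD object
        guid = event.get("ObjectName", "").strip("%{}").lower()
        decoy = GUID_TO_DECOY.get(guid)
        if decoy:
            return alert(4662, decoy, event.get("SubjectUserName", "-"), "-",
                         "decoy object enumerated")
    elif event_id == 4768:                     # TGT requested for the account
        decoy = event.get("TargetUserName", "").lower()
        if decoy in DECOYS:
            return alert(4768, decoy, "-", source_ip(event),
                         "decoy credentials used")
    elif event_id == 4769:                     # service ticket requested
        decoy = event.get("ServiceName", "").lower()
        if decoy in DECOYS:
            rc4 = event.get("TicketEncryptionType", "").lower() == "0x17"
            actor = event.get("TargetUserName", "-").split("@")[0]
            return alert(4769, decoy, actor, source_ip(event),
                         "service ticket for decoy SPN" + (" (RC4)" if rc4 else ""))
    return None


def detect(log_text):
    """Run every non-empty JSON line through check_event and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            hit = check_event(json.loads(line))
            if hit:
                alerts.append(hit)
    return alerts


def suspects(alerts):
    """Accounts and addresses seen touching any decoy, for triage."""
    seen = {a["actor"] for a in alerts} | {a["source"] for a in alerts}
    return sorted(seen - {"-"})


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
    print("investigate:", suspects(detect(SAMPLE_EVENTS)))
```

No legitimate user or service has a reason to touch a decoy, so each alert can be raised without a threshold.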

Conclusionagainst APTs.

Citation

[MSFT], N. (2007, November 28). Introducing Group Policy Preferences.

Brown, C. (2015, May 06). Deploying the Local Administrator Password Solution Part 2.

Centrify, M. (2018, May 21). Using Centrify in Microsoft Red Forest Deployments.

Greenberg, A. (2018, November 20). He Perfected a Password-Hacking Tool-Then the Russians Came Calling.

How to Disable NetBIOS Over TCP/IP and LLMNR Using GPO. (2018, February 02).

Jarrod, S. (2017, July 28). Configure SMB signing via Group Policy.

Kearns, D. (2010, February 25). A look back at the launch of Active Directory.

Louw, J. (2018, March 29). Planting the Red Forest: Improving AD on the Road to ESAE.

Metcalf, S. (2017, February 08). Detecting Kerberoasting Activity.

Microsoft. (2018, May 30). DACLs and ACEs — Windows applications.

MicrosoftGuyJFlo. (2019, February 13). Securing Privileged Access Reference Material.

Mollema, D. (2019, January 21). Abusing Exchange: One API call away from Domain Admin.

Unknown. (2018, January 01). System access control list (SACL).

Future work

Applocker

Benchmarks and security

PowerShell logging — really need to touch upon this for deception

Honeytokens — have a bat script in a gpo that will simulate a logon of a user